Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFE: add test for validatetrans #76

Open
ghost opened this issue Jul 1, 2021 · 9 comments
Open

RFE: add test for validatetrans #76

ghost opened this issue Jul 1, 2021 · 9 comments

Comments

@ghost
Copy link

ghost commented Jul 1, 2021

There is actually a bug in this functionality as of at least SELinux 3.2/Linux 5.13 that causes a kernel oops when a validatetrans event is triggered.

@bauen1
Copy link

bauen1 commented Jul 1, 2021

Some additional context on the kernel oops:

I discovered the kernel bug on a debian installation (linux-image-5.10.0-8-amd64, libsepol: 3.1, selinux policy version 32).
The original policy that caused the crash was

(validatetrans chr_file
    (or
        (neq t1 .virt.doaemon.type)
        (eq t2 t3)
    )
)

But the exact policy doesn't seem to matter, you just need to be sure to actually trigger the evaluation of the validatetrans rule, then causing a BUG in security_compute_validatetrans.part.0+0x124/0x260 or similiar.

@pcmoore
Copy link
Member

pcmoore commented Jul 1, 2021

That's ... interesting. I'm replying here before I've tried to reproduce this, I'm just looking at the kernel code and the only thing that immediately jumps out at me is the explicit BUG() call in constraint_expr_eval() in the CEXPR_NAMES / CEXPR_XTARGET case. Although it's entirely possible that is not the problem.

Any chance you can convert the panic/oops func+offset into a file+line for us for your kernel?

@bauen1
Copy link

bauen1 commented Jul 1, 2021

Does this help a bit more ?

sysadmin@glados:~$ uname -a
Linux glados 5.10.0-8-amd64 #1 SMP Debian 5.10.46-1 (2021-06-24) x86_64 GNU/Linux
-- Journal begins at Sun 2021-06-27 17:24:52 UTC, ends at Thu 2021-07-01 21:33:11 UTC. --
Jul 01 18:35:17 glados audit[5788]: AVC avc:  denied  { getattr } for  pid=5788 comm="sudo" path="/dev/gpiochip0" dev="devtmpfs" ino=84 scontext=staff.user:staff.role:user.sudo.type:s0-s0:c0.c63 tcontext=system.user:system.role:fs.devtmp.type:s0-s0:c0.c63 tclass=chr_file permissive=0
Jul 01 18:35:17 glados audit[5788]: USER_ACCT pid=5788 uid=1000 auid=1000 ses=4 subj=staff.user:staff.role:user.sudo.type:s0-s0:c0.c63 msg='op=PAM:accounting grantors=pam_permit acct="sysadmin" exe="/usr/bin/sudo" hostname=glados addr=? terminal=/dev/tty2 res=success'
Jul 01 18:35:17 glados audit[5788]: USER_CMD pid=5788 uid=1000 auid=1000 ses=4 subj=staff.user:staff.role:user.sudo.type:s0-s0:c0.c63 msg='cwd="/home/sysadmin" cmd=73656D6F64756C65202D2D696E7374616C6C206C6F63616C2E63696C exe="/usr/bin/sudo" terminal=tty2 res=success'
Jul 01 18:35:17 glados sudo[5788]: sysadmin : TTY=tty2 ; PWD=/home/sysadmin ; USER=root ; COMMAND=/usr/sbin/semodule --install local.cil
Jul 01 18:35:17 glados audit[5788]: CRED_REFR pid=5788 uid=1000 auid=1000 ses=4 subj=staff.user:staff.role:user.sudo.type:s0-s0:c0.c63 msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=glados addr=? terminal=/dev/tty2 res=success'
Jul 01 18:35:17 glados audit[5788]: USER_START pid=5788 uid=1000 auid=1000 ses=4 subj=staff.user:staff.role:user.sudo.type:s0-s0:c0.c63 msg='op=PAM:session_open grantors=pam_permit,pam_unix acct="root" exe="/usr/bin/sudo" hostname=glados addr=? terminal=/dev/tty2 res=success'
Jul 01 18:35:17 glados audit[5788]: USER_ROLE_CHANGE pid=5788 uid=1000 auid=1000 ses=4 subj=staff.user:staff.role:user.sudo.type:s0-s0:c0.c63 msg='newrole: old-context=staff.user:staff.role:user.type:s0-s0:c0.c63 new-context=staff.user:sysadm.role:sysadm.type:s0-s0:c0.c63 exe="/usr/bin/sudo" hostname=glados addr=? terminal=/dev/tty2 res=success'
Jul 01 18:35:17 glados sudo[5788]: pam_unix(sudo:session): session opened for user root(uid=0) by sysadmin(uid=1000)
Jul 01 18:35:19 glados kernel: SELinux:  Converting 572 SID table entries...
Jul 01 18:35:19 glados kernel: SELinux:  policy capability network_peer_controls=1
Jul 01 18:35:19 glados kernel: SELinux:  policy capability open_perms=1
Jul 01 18:35:19 glados kernel: SELinux:  policy capability extended_socket_class=1
Jul 01 18:35:19 glados kernel: SELinux:  policy capability always_check_network=0
Jul 01 18:35:19 glados kernel: SELinux:  policy capability cgroup_seclabel=1
Jul 01 18:35:19 glados kernel: SELinux:  policy capability nnp_nosuid_transition=1
Jul 01 18:35:19 glados kernel: SELinux:  policy capability genfs_seclabel_symlinks=1
Jul 01 18:35:19 glados audit: MAC_POLICY_LOAD auid=1000 ses=4 lsm=selinux res=1
Jul 01 18:35:19 glados audit[556]: USER_AVC pid=556 uid=105 auid=4294967295 ses=4294967295 subj=system.user:system.role:dbus.type:s0-s0:c0.c63 msg='avc:  received policyload notice (seqno=21)
                                    exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Jul 01 18:35:19 glados dbus-daemon[556]: [system] Reloaded configuration
Jul 01 18:35:19 glados kernel: ------------[ cut here ]------------
Jul 01 18:35:19 glados kernel: kernel BUG at security/selinux/ss/services.c:381!
Jul 01 18:35:19 glados kernel: invalid opcode: 0000 [#1] SMP NOPTI
Jul 01 18:35:19 glados kernel: CPU: 0 PID: 5788 Comm: sudo Not tainted 5.10.0-8-amd64 #1 Debian 5.10.46-1
Jul 01 18:35:19 glados kernel: Hardware name: TUXEDO InfinityBook S 14 v5/L140CU                          , BIOS 1.07.09RTR1 07/28/2020
Jul 01 18:35:19 glados kernel: RIP: 0010:constraint_expr_eval+0x53c/0x550
Jul 01 18:35:19 glados kernel: Code: ff 48 8d 71 08 49 8d 78 08 e8 40 5f ff ff 85 c0 0f 95 c0 0f b6 c0 e9 1f fc ff ff 31 c0 e9 87 fb ff ff 0f 0b 0f 0b 0f 0b 0f 0b <0f> 0b 0f 0b 0f 0b e8 49 4b 4f 00 0f 0b 0f 1f 80 00 00 00 00 0f 1f
Jul 01 18:35:19 glados kernel: RSP: 0018:ffffaacd00f4fb80 EFLAGS: 00010283
Jul 01 18:35:19 glados kernel: RAX: 000000000000000c RBX: ffff9e7d4444cb40 RCX: 0000000000000000
Jul 01 18:35:19 glados kernel: RDX: 0000000000000001 RSI: 0000000000000080 RDI: ffff9e7d45730900
Jul 01 18:35:19 glados kernel: RBP: ffff9e81fe3fdf78 R08: 0000000000000000 R09: 000000000000000a
Jul 01 18:35:19 glados kernel: R10: 0000000000000000 R11: 00000000ffffffdf R12: ffff9e7d4202c278
Jul 01 18:35:19 glados kernel: R13: ffff9e7d4202c070 R14: ffff9e7d41cb7408 R15: 0000000000000000
Jul 01 18:35:19 glados kernel: FS:  00007fd434c42e00(0000) GS:ffff9e82aa600000(0000) knlGS:0000000000000000
Jul 01 18:35:19 glados kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 01 18:35:19 glados kernel: CR2: 00007fd434ece228 CR3: 000000010836e006 CR4: 00000000003726f0
Jul 01 18:35:19 glados kernel: Call Trace:
Jul 01 18:35:19 glados kernel:  security_compute_validatetrans.part.0+0x148/0x290
Jul 01 18:35:19 glados kernel:  selinux_inode_setxattr+0x174/0x2f0
Jul 01 18:35:19 glados kernel:  ? aurule_avc_callback+0xa/0x20
Jul 01 18:35:19 glados kernel:  security_inode_setxattr+0x4c/0x90
Jul 01 18:35:19 glados kernel:  __vfs_setxattr_locked+0x5e/0xf0
Jul 01 18:35:19 glados kernel:  vfs_setxattr+0x8f/0x170
Jul 01 18:35:19 glados kernel:  setxattr+0xfb/0x1d0
Jul 01 18:35:19 glados kernel:  ? wait_consider_task+0x9c7/0xa80
Jul 01 18:35:19 glados kernel:  ? remove_wait_queue+0x20/0x60
Jul 01 18:35:19 glados kernel:  ? do_wait+0x10d/0x210
Jul 01 18:35:19 glados kernel:  ? kernel_wait4+0xc7/0x140
Jul 01 18:35:19 glados kernel:  __x64_sys_fsetxattr+0x9d/0xc0
Jul 01 18:35:19 glados kernel:  do_syscall_64+0x33/0x80
Jul 01 18:35:19 glados kernel:  entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jul 01 18:35:19 glados kernel: RIP: 0033:0x7fd434de7b1a
Jul 01 18:35:19 glados kernel: Code: 48 8b 0d 79 23 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 be 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 46 23 0c 00 f7 d8 64 89 01 48
Jul 01 18:35:19 glados kernel: RSP: 002b:00007fffeae01608 EFLAGS: 00000246 ORIG_RAX: 00000000000000be
Jul 01 18:35:19 glados kernel: RAX: ffffffffffffffda RBX: 00007fffeae01870 RCX: 00007fd434de7b1a
Jul 01 18:35:19 glados kernel: RDX: 000055b565d9e5f0 RSI: 00007fd434f16753 RDI: 0000000000000009
Jul 01 18:35:19 glados kernel: RBP: 000055b565d9e5f0 R08: 0000000000000000 R09: 00007fd434eaabe0
Jul 01 18:35:19 glados kernel: R10: 0000000000000027 R11: 0000000000000246 R12: 0000000000000000
Jul 01 18:35:19 glados kernel: R13: 0000000000000009 R14: 0000000000000007 R15: 000055b565d917a0
Jul 01 18:35:19 glados kernel: Modules linked in: nfnetlink snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic intel_rapl_msr x86_pkg_temp_thermal intel_powerclamp snd_sof_pci snd_sof_intel_byt snd_sof_intel_ipc snd_sof_intel_hda_common snd_sof_xtensa_dsp snd_sof snd_sof_intel_hda coretemp snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi ledtrig_audio snd_hda_intel kvm_intel snd_intel_dspcfg soundwire_intel kvm soundwire_generic_allocation snd_soc_core irqbypass rapl btusb intel_cstate btrtl btbcm snd_compress btintel intel_uncore soundwire_cadence bluetooth snd_hda_codec nls_ascii snd_hda_core nls_cp437 iwlwifi pcspkr uvcvideo joydev evdev i915 jitterentropy_rng vfat snd_hwdep videobuf2_vmalloc serio_raw cfg80211 fat iTCO_wdt videobuf2_memops soundwire_bus efi_pstore videobuf2_v4l2 drbg intel_pmc_bxt videobuf2_common intel_wmi_thunderbolt iTCO_vendor_support snd_pcm videodev cdc_ether watchdog usbnet snd_timer ansi_cprng r8152 tpm_crb ecdh_generic drm_kms_helper snd mc ecc
Jul 01 18:35:19 glados kernel:  mii soundcore rfkill cec processor_thermal_device i2c_algo_bit sg intel_rapl_common hid_multitouch intel_soc_dts_iosf intel_pch_thermal int3400_thermal int3403_thermal intel_pmc_core int340x_thermal_zone tpm_tis tpm_tis_core acpi_thermal_rel intel_hid tpm acpi_pad sparse_keymap rng_core ac button drm fuse configfs efivarfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic dm_crypt dm_mod sd_mod t10_pi crc_t10dif hid_generic crct10dif_generic crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel ghash_clmulni_intel ahci rtsx_pci_sdmmc mmc_core libahci xhci_pci xhci_hcd aesni_intel libata i2c_i801 i2c_smbus usbcore libaes crypto_simd scsi_mod psmouse cryptd glue_helper i2c_hid rtsx_pci intel_lpss_pci hid intel_lpss idma64 wmi usb_common battery video
Jul 01 18:35:19 glados kernel: ---[ end trace bf3785f388f849d3 ]---
Jul 01 18:35:20 glados kernel: RIP: 0010:constraint_expr_eval+0x53c/0x550
Jul 01 18:35:20 glados kernel: Code: ff 48 8d 71 08 49 8d 78 08 e8 40 5f ff ff 85 c0 0f 95 c0 0f b6 c0 e9 1f fc ff ff 31 c0 e9 87 fb ff ff 0f 0b 0f 0b 0f 0b 0f 0b <0f> 0b 0f 0b 0f 0b e8 49 4b 4f 00 0f 0b 0f 1f 80 00 00 00 00 0f 1f
Jul 01 18:35:20 glados kernel: RSP: 0018:ffffaacd00f4fb80 EFLAGS: 00010283
Jul 01 18:35:20 glados kernel: RAX: 000000000000000c RBX: ffff9e7d4444cb40 RCX: 0000000000000000
Jul 01 18:35:20 glados kernel: RDX: 0000000000000001 RSI: 0000000000000080 RDI: ffff9e7d45730900
Jul 01 18:35:20 glados kernel: RBP: ffff9e81fe3fdf78 R08: 0000000000000000 R09: 000000000000000a
Jul 01 18:35:20 glados kernel: R10: 0000000000000000 R11: 00000000ffffffdf R12: ffff9e7d4202c278
Jul 01 18:35:20 glados kernel: R13: ffff9e7d4202c070 R14: ffff9e7d41cb7408 R15: 0000000000000000
Jul 01 18:35:20 glados kernel: FS:  00007fd434c42e00(0000) GS:ffff9e82aa600000(0000) knlGS:0000000000000000
Jul 01 18:35:20 glados kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 01 18:35:20 glados kernel: CR2: 00007fd434ece228 CR3: 000000010836e006 CR4: 00000000003726f0
Jul 01 18:39:21 glados audit[5803]: AVC avc:  denied  { getattr } for  pid=5803 comm="sudo" path="/dev/gpiochip0" dev="devtmpfs" ino=84 scontext=staff.user:staff.role:user.sudo.type:s0-s0:c0.c63 tcontext=system.user:system.role:fs.devtmp.type:s0-s0:c0.c63 tclass=chr_file permissive=0
Jul 01 18:39:21 glados audit[5803]: USER_ACCT pid=5803 uid=1000 auid=1000 ses=4 subj=staff.user:staff.role:user.sudo.type:s0-s0:c0.c63 msg='op=PAM:accounting grantors=pam_permit acct="sysadmin" exe="/usr/bin/sudo" hostname=glados addr=? terminal=/dev/tty2 res=success'
Jul 01 18:39:21 glados audit[5803]: USER_CMD pid=5803 uid=1000 auid=1000 ses=4 subj=staff.user:staff.role:user.sudo.type:s0-s0:c0.c63 msg='cwd="/home/sysadmin" cmd=6A6F75726E616C63746C202D622030202D65 exe="/usr/bin/sudo" terminal=tty2 res=success'
Jul 01 18:39:21 glados sudo[5803]: sysadmin : TTY=tty2 ; PWD=/home/sysadmin ; USER=root ; COMMAND=/usr/bin/journalctl -b 0 -e
Jul 01 18:39:21 glados audit[5803]: CRED_REFR pid=5803 uid=1000 auid=1000 ses=4 subj=staff.user:staff.role:user.sudo.type:s0-s0:c0.c63 msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=glados addr=? terminal=/dev/tty2 res=success'
Jul 01 18:39:21 glados audit[5803]: USER_START pid=5803 uid=1000 auid=1000 ses=4 subj=staff.user:staff.role:user.sudo.type:s0-s0:c0.c63 msg='op=PAM:session_open grantors=pam_permit,pam_unix acct="root" exe="/usr/bin/sudo" hostname=glados addr=? terminal=/dev/tty2 res=success'
Jul 01 18:39:21 glados sudo[5803]: pam_unix(sudo:session): session opened for user root(uid=0) by sysadmin(uid=1000)
Jul 01 18:39:25 glados systemd[1]: Started Getty on tty3.
Jul 01 18:39:25 glados audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system.user:system.role:init.type:s0-s0:c0.c63 msg='unit=getty@tty3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 01 18:39:51 glados kernel: sysrq: This sysrq operation is disabled.
Jul 01 18:39:52 glados kernel: sysrq: SAK
Jul 01 18:39:52 glados systemd[1]: [email protected]: Succeeded.
Jul 01 18:39:52 glados audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system.user:system.role:init.type:s0-s0:c0.c63 msg='unit=getty@tty2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 01 18:39:52 glados kernel: tty tty2: SAK: killed process 5803 (sudo): by session
Jul 01 18:39:52 glados kernel: tty tty2: SAK: killed process 5709 (bash): by session
Jul 01 18:39:52 glados kernel: tty tty2: SAK: killed process 5692 (login): by session
Jul 01 18:39:52 glados kernel: tty tty2: SAK: killed process 5692 (login): by controlling tty
Jul 01 18:39:52 glados kernel: tty tty2: SAK: killed process 5709 (bash): by controlling tty
Jul 01 18:39:52 glados kernel: tty tty2: SAK: killed process 5803 (sudo): by controlling tty
Jul 01 18:39:55 glados kernel: sysrq: Emergency Sync
Jul 01 18:39:55 glados kernel: Emergency Sync complete
Jul 01 18:39:58 glados kernel: sysrq: Emergency Remount R/O

If not then I might take a stab at converting the offset properly tomorrow.

@pcmoore
Copy link
Member

pcmoore commented Jul 1, 2021

Hmm, so this happened pretty early during boot after the policy is loaded. Did you see this on v5.9 or earlier kernels? I'm beginning to wonder if this may be related to the policy RCU change ...

@pcmoore
Copy link
Member

pcmoore commented Jul 1, 2021

Okay, so on v5.10.46 security/selinux/ss/services.c:381 is this: https://elixir.bootlin.com/linux/v5.10.46/source/security/selinux/ss/services.c#L381 ... which is a little confusing to read because the indenting appears to be messed up there (sigh).

Unfortunately I need to turn off my computer for the evening right now, but if I'm reading this correctly it looks like the switch statement is all messed up - likely missed due to the bad indenting - and the CEXPR_NAMES case is being missed because of the default/BUG() starting at line 380.

@bauen1
Copy link

bauen1 commented Jul 1, 2021

The log I posted is from a system that was already running for some time (uptime of maybe an hour, but more than 20m).

You can still see is the audit entry for my sudo semodule --install local.cil command that reloaded the policy with the newly added validatetrans rule

The BUG is then hit, probably when sudo tries to relabel the pty back to the user context.

I'm not sure if this also occured prior to v5.9 as I don't think I've ever tried validatetrans.

@pcmoore
Copy link
Member

pcmoore commented Jul 1, 2021

I couldn't resist a quick hack - that code is truly awful, and it looks to go back to at least 2005 (!) - this code is completely uncompiled, untested, etc. and even if it boots it basically short-circuits the constraint so it isn't a real fix, but it should at least not panic/BUG if you want to give it a shot.

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index d84c77f370dc..275eb676185d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -356,29 +356,31 @@ static int constraint_expr_eval(struct policydb *policydb,
                        case CEXPR_L2H2:
                                l1 = &(tcontext->range.level[0]);
                                l2 = &(tcontext->range.level[1]);
-                               goto mls_ops;
 mls_ops:
-                       switch (e->op) {
-                       case CEXPR_EQ:
-                               s[++sp] = mls_level_eq(l1, l2);
-                               continue;
-                       case CEXPR_NEQ:
-                               s[++sp] = !mls_level_eq(l1, l2);
-                               continue;
-                       case CEXPR_DOM:
-                               s[++sp] = mls_level_dom(l1, l2);
-                               continue;
-                       case CEXPR_DOMBY:
-                               s[++sp] = mls_level_dom(l2, l1);
-                               continue;
-                       case CEXPR_INCOMP:
-                               s[++sp] = mls_level_incomp(l2, l1);
-                               continue;
-                       default:
-                               BUG();
-                               return 0;
-                       }
-                       break;
+                               switch (e->op) {
+                               case CEXPR_EQ:
+                                       s[++sp] = mls_level_eq(l1, l2);
+                                       continue;
+                               case CEXPR_NEQ:
+                                       s[++sp] = !mls_level_eq(l1, l2);
+                                       continue;
+                               case CEXPR_DOM:
+                                       s[++sp] = mls_level_dom(l1, l2);
+                                       continue;
+                               case CEXPR_DOMBY:
+                                       s[++sp] = mls_level_dom(l2, l1);
+                                       continue;
+                               case CEXPR_INCOMP:
+                                       s[++sp] = mls_level_incomp(l2, l1);
+                                       continue;
+                               default:
+                                       BUG();
+                                       return 0;
+                               }
+                               break;
+                       case CEXPR_NAMES:
+                               /* XXX - do something here */
+                               return 1;
                        default:
                                BUG();
                                return 0;

Okay, now I really need to go for the evening ... sorry :(

@bauen1
Copy link

bauen1 commented Jul 2, 2021

I'm sorry, right now I don't have any infrastructure in place to compile a new kernel, nor do I really have the time for that 😞

@cgzones
Copy link
Contributor

cgzones commented Feb 22, 2022

The culprit is the expression in question is invalid:

(validatetrans chr_file
    (or
        (neq t1 .virt.doaemon.type)
        (eq t2 t3)            ;;  <-- t2 and t3 are not allowed to be compared
    )
)

Probably the constraint shoud have been:

(validatetrans chr_file
    (or
        (neq t3 .virt.doaemon.type)
        (eq t1 t2)
    )
)

since t1 is the old type, t2 is the new type and t3 is the task type.

Checkpolicy(8) rejects such expressions and nowadays also secilc(8), since 3.3: SELinuxProject/selinux@e978e76.

Nevertheless the kernel should not stop: either it should reject loading policies containing such invalid expressions, see https://patchwork.kernel.org/project/selinux/patch/[email protected]/ for a userland equivalent, or/and use pr_warn_ratelimited() with a return 0;.
This might become critical if, e.g via namespacing, unprivileged users can one day load custom policies.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants