selinux/stable-6.11 PR 20240814

-----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAma8yoAUHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXOJWw/8D8ZhOLdK9HFKpywIA855CHXbTVHz VSM9avEykSHTPqWhGx9dqaS8hG/xG7Fh5t3Me2goh0E7dAZjJQCGf/PXyh8Ntotj 5QJB3CEzi9o4yM5yCgNgEYtnVdP52Y8SxfzE9TQWST7EbWsrWDjE68a/08h0cRkr XTScFIB+SVHOJGBcdSKdYyVqnpgoE8OeWOxVa2OnThug8VPB5WMmJIPkMQ2ykOR4 4dGykI8ULNSiZ+0skfdhxXaykYDdajzCSrk21OP2iaD/41X+I627HaJzCxa3m9s0 z04XtaOV31Jye8McPF6dCHtloFQvZ/deXXeow2yytR7WnT5/KDwBt+8A7mDcKL0V uhW9DiwxCit6Pao4a/YuEerXqxSH4DdJmTCbqrHITnQWdAW9UQ0jsY1msxwal/aq l9kK1SJoB3/5A0Dcsc57TFCvh2dhwRnAU3Ik00SCW2LlZrsCmBSPMRCsTHDBVg49 R5ya6qFB9+KEcAjZgJqa15X8WC8cmx+/96mDScd6VjS2Eyh57tZmJgonjlUwJplH A1erboJtlo2NHzMaxmIXEsaxJYvrOcwKDeQ80H81SBIDPLweW2FYDVZpp4/nx++2 +8myHz9KM7iWFVceJuqvNRix4iR3RkXxvgocm1CzUedgXYUJOVM/li+0pjgJ/bUM gPo7Sr3BAk9T43k= =B712 -----END PGP SIGNATURE----- Merge tag 'selinux-pr-20240814' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux fixes from Paul Moore: - Fix a xperms counting problem where we adding to the xperms count even if we failed to add the xperm. - Propogate errors from avc_add_xperms_decision() back to the caller so that we can trigger the proper cleanup and error handling. - Revert our use of vma_is_initial_heap() in favor of our older logic as vma_is_initial_heap() doesn't correctly handle the no-heap case and it is causing issues with the SELinux process/execheap access control. While the older SELinux logic may not be perfect, it restores the expected user visible behavior. Hopefully we will be able to resolve the problem with the vma_is_initial_heap() macro with the mm folks, but we need to fix this in the meantime. * tag 'selinux-pr-20240814' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: revert our use of vma_is_initial_heap() selinux: add the processing of the failure of avc_add_xperms_decision() selinux: fix potential counting error in avc_add_xperms_decision()
2024-11-10 14:11:52 +00:00 · 2024-08-14 09:23:20 -07:00 · 2024-08-14 09:23:20 -07:00 · 9d5906799f
commit 9d5906799f
parent 4ac0f08f44 05a3d6e930
2 changed files with 17 additions and 3 deletions
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@ -330,12 +330,12 @@ static int avc_add_xperms_decision(struct avc_node *node,
 {
 	struct avc_xperms_decision_node *dest_xpd;

-	node->ae.xp_node->xp.len++;
 	dest_xpd = avc_xperms_decision_alloc(src->used);
 	if (!dest_xpd)
 		return -ENOMEM;
 	avc_copy_xperms_decision(&dest_xpd->xpd, src);
 	list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head);
+	node->ae.xp_node->xp.len++;
 	return 0;
 }

@ -907,7 +907,11 @@ static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid,
 		node->ae.avd.auditdeny &= ~perms;
 		break;
 	case AVC_CALLBACK_ADD_XPERMS:
-		avc_add_xperms_decision(node, xpd);
+		rc = avc_add_xperms_decision(node, xpd);
+		if (rc) {
+			avc_node_kill(node);
+			goto out_unlock;
+		}
 		break;
 	}
 	avc_node_replace(node, orig);
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@ -3852,7 +3852,17 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 	if (default_noexec &&
 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
 		int rc = 0;
-		if (vma_is_initial_heap(vma)) {
+		/*
+		 * We don't use the vma_is_initial_heap() helper as it has
+		 * a history of problems and is currently broken on systems
+		 * where there is no heap, e.g. brk == start_brk.  Before
+		 * replacing the conditional below with vma_is_initial_heap(),
+		 * or something similar, please ensure that the logic is the
+		 * same as what we have below or you have tested every possible
+		 * corner case you can think to test.
+		 */
+		if (vma->vm_start >= vma->vm_mm->start_brk &&
+		    vma->vm_end <= vma->vm_mm->brk) {
 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
 					  PROCESS__EXECHEAP, NULL);
 		} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||