On Wed, 2007-02-07 at 15:21 -0700, Eric W. Biederman wrote:
> Stephen Smalley <[EMAIL PROTECTED]> writes:
>
> > Actually, on further inspection, it looks like the real issue is the
> > "path" name generation; "cat /proc/sys/kernel/modprobe" yields a call to
> > security_genfs_sid() with just "/modprobe" rather than the expected
> > "/sys/kernel/modprobe". Which likewise leaves us with the generic proc
> > label, just as with the inode permission check, so I end up seeing
> > checks against it only.
>
> Ok. It looks like two silly thing are going on here.
> I failed to register the root sysctl table, so none of the parent
> pointers got set.
>
> I didn't prepend /sys in the compatibility code, so for something with
> the parent pointers set you would have gotten "/kernel/modprobe" instead
> of /sys/kernel/modprobe"
>
> Sorry about that.
>
> I think the patch below will fix it.
Yes, thanks - this appears to correct the name generation and thus the
resulting SID computation for the selinux sysctl checks.
> Eric
>
> diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
> index 24f36f1..f316854 100644
> --- a/include/linux/sysctl.h
> +++ b/include/linux/sysctl.h
> @@ -929,8 +929,6 @@ extern struct ctl_table_header *sysctl_head_next(struct
> ctl_table_header *prev);
> extern void sysctl_head_finish(struct ctl_table_header *prev);
> extern int sysctl_perm(struct ctl_table *table, int op);
>
> -extern void sysctl_init(void);
> -
> typedef struct ctl_table ctl_table;
>
> typedef int ctl_handler (ctl_table *table, int __user *name, int nlen,
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 0a5499f..0bb2c5f 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -1241,6 +1241,14 @@ static void sysctl_set_parent(struct ctl_table
> *parent, struct ctl_table *table)
> }
> }
>
> +static __init int sysctl_init(void)
> +{
> + sysctl_set_parent(NULL, root_table);
> + return 0;
> +}
> +
> +core_initcall(sysctl_init);
> +
> /**
> * register_sysctl_table - register a sysctl hierarchy
> * @table: the top-level table structure
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index c17a8dd..aad2697 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1452,6 +1452,12 @@ static int selinux_sysctl_get_sid(ctl_table *table,
> u16 tclass, u32 *sid)
> path = end;
> table = table->parent;
> }
> + buflen -= 4;
> + if (buflen < 0)
> + goto out_free;
> + end -= 4;
> + memcpy(end, "/sys", 4);
> + path = end;
> rc = security_genfs_sid("proc", path, tclass, sid);
> out_free:
> free_page((unsigned long)buffer);
>
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
