subject:"\[Xen\-devel\] \[PATCH\] flask\: Add check for io\{port, mem\}con sorting"

Re: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting

2018-10-03 Thread Jan Beulich

>>> "DeGraaf, Daniel G"  10/02/18 7:39 PM >>>
>> From: Jan Beulich 
>> >>> On 28.09.18 at 21:13,  wrote:
>> > These entries are not always sorted by checkpolicy.  Enforce the sorting
>> > (which can be done manually if using an unpatched checkpolicy) when
>> > loading the policy so that later uses by the security server do not
>> > incorrectly use the initial sid.
>> 
>> "Enforce the sorting" could mean two things - sorting what's unsorted,
>> or (as you do) raise an error. Isn't raising an error here possibly going
>> to impact systems which currently work?
>
>A system whose iomemcon entries are unsorted is currently not enforcing the
>intended security policy.  It normally ends up enforcing a more restrictive 
>policy,
>but not always (it depends on what you allow access to the default label). My
>guess is that anyone impacted by this problem would have noticed when they
>added the rule and it had no effect. However, I do agree this could cause an
>error on currently-working systems that do things like add iomemcon entries
>that they don't use.
>
>Are you suggesting an update to the commit message to make this breakage
>clear, or does the problem need to be fixed in the hypervisor? It would be
>possible to sort the entries as they're added, but that's not as easy as just
>detecting the mis-sort (since they're a linked list), and the policy creation
>process should have already sorted them (except that that part was missing).

I think resolving the ambiguity in the description is the minimal adjustment. If
that's what you want to go with (you're the maintainer after all), I think it 
would
suffice to suggest revised wording (or even merely your agreement for the
committer to make a respective adjustment), without necessarily re-submitting
the patch. Personally (but again, I'm not the maintainer of this code) I think 
it
would be better if the actual issue was addressed by doing the sorting. It could
be done with a warning logged, and perhaps with the warning suggesting that
the built-in sorting will/might go away again in a later release.

Jan



___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting

2018-10-02 Thread DeGraaf, Daniel G

> From: Jan Beulich 
> >>> On 28.09.18 at 21:13,  wrote:
> > These entries are not always sorted by checkpolicy.  Enforce the sorting
> > (which can be done manually if using an unpatched checkpolicy) when
> > loading the policy so that later uses by the security server do not
> > incorrectly use the initial sid.
> 
> "Enforce the sorting" could mean two things - sorting what's unsorted,
> or (as you do) raise an error. Isn't raising an error here possibly going
> to impact systems which currently work?
> 
> Jan

A system whose iomemcon entries are unsorted is currently not enforcing the 
intended security policy.  It normally ends up enforcing a more restrictive 
policy, but not always (it depends on what you allow access to the default 
label). My guess is that anyone impacted by this problem would have noticed 
when they added the rule and it had no effect. However, I do agree this could 
cause an error on currently-working systems that do things like add iomemcon 
entries that they don't use.

Are you suggesting an update to the commit message to make this breakage clear, 
or does the problem need to be fixed in the hypervisor? It would be possible to 
sort the entries as they're added, but that's not as easy as just detecting the 
mis-sort (since they're a linked list), and the policy creation process should 
have already sorted them (except that that part was missing).
___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting

2018-10-02 Thread nicolas . poirot

> To: xen-devel@lists.xenproject.org
> From: Daniel De Graaf 
> Sent by: "Xen-devel" 
> Date: 09/28/2018 09:13PM
> Cc: George Dunlap , Daniel De Graaf 
> Subject: [Xen-devel] [PATCH] flask: Add check for io{port,mem}con sorting
>
> These entries are not always sorted by checkpolicy.  Enforce the sorting
> (which can be done manually if using an unpatched checkpolicy) when
> loading the policy so that later uses by the security server do not
> incorrectly use the initial sid.
>
> Reported-by: Nicolas Poirot 
> Signed-off-by: Daniel De Graaf 
> ---
>  xen/xsm/flask/ss/policydb.c | 14 +-
>  1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
> index 3a12d96ef9..fcf63693b9 100644
> --- a/xen/xsm/flask/ss/policydb.c
> +++ b/xen/xsm/flask/ss/policydb.c
> @@ -2007,7 +2007,6 @@ int policydb_read(struct policydb *p, void *fp)
>                  l->next = c;
>              else
>                  p->ocontexts[i] = c;
> -            l = c;
>              rc = -EINVAL;
>              switch ( i )
>              {
> @@ -2050,6 +2049,12 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = context_read_and_validate(>context, p, fp);
>                  if ( rc )
>                      goto bad;
> +                if ( l && l->u.ioport.high_ioport > c->u.ioport.low_ioport )
> +                {
> +                    printk(KERN_ERR
> +                        "Flask: Invalid policy, ioportcon not sorted\n");
> +                    goto bad;
> +                }
>                  break;
>              case OCON_IOMEM:
>                  if ( p->target_type != TARGET_XEN )
> @@ -2078,6 +2083,12 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = context_read_and_validate(>context, p, fp);
>                  if ( rc )
>                      goto bad;
> +                if ( l && l->u.iomem.high_iomem > c->u.iomem.low_iomem )
> +                {
> +                    printk(KERN_ERR
> +                        "Flask: Invalid policy, iomemcon not sorted\n");
> +                    goto bad;
> +                }
>                  break;
>              case OCON_DEVICE:
>                  if ( p->target_type != TARGET_XEN )
> @@ -2123,6 +2134,7 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = -EINVAL;
>                  goto bad;
>              }
> +            l = c;
>          }
>      }
> 
> -- 
> 2.14.4

Looks good to me.
Tested on RELEASE-4.11.0 on a juno-r2 platform, with checkpolicy 2.5.
Thank you.

Tested-by: Nicolas Poirot 
Reviewed-by: Nicolas Poirot 
.


___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting

2018-10-02 Thread Jan Beulich

>>> On 28.09.18 at 21:13,  wrote:
> These entries are not always sorted by checkpolicy.  Enforce the sorting
> (which can be done manually if using an unpatched checkpolicy) when
> loading the policy so that later uses by the security server do not
> incorrectly use the initial sid.

"Enforce the sorting" could mean two things - sorting what's unsorted,
or (as you do) raise an error. Isn't raising an error here possibly going
to impact systems which currently work?

Jan

___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] [PATCH] flask: Add check for io{port,mem}con sorting

2018-09-28 Thread Daniel De Graaf

These entries are not always sorted by checkpolicy.  Enforce the sorting
(which can be done manually if using an unpatched checkpolicy) when
loading the policy so that later uses by the security server do not
incorrectly use the initial sid.

Reported-by: Nicolas Poirot 
Signed-off-by: Daniel De Graaf 
---
 xen/xsm/flask/ss/policydb.c | 14 +-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
index 3a12d96ef9..fcf63693b9 100644
--- a/xen/xsm/flask/ss/policydb.c
+++ b/xen/xsm/flask/ss/policydb.c
@@ -2007,7 +2007,6 @@ int policydb_read(struct policydb *p, void *fp)
 l->next = c;
 else
 p->ocontexts[i] = c;
-l = c;
 rc = -EINVAL;
 switch ( i )
 {
@@ -2050,6 +2049,12 @@ int policydb_read(struct policydb *p, void *fp)
 rc = context_read_and_validate(>context, p, fp);
 if ( rc )
 goto bad;
+if ( l && l->u.ioport.high_ioport > c->u.ioport.low_ioport )
+{
+printk(KERN_ERR
+"Flask: Invalid policy, ioportcon not sorted\n");
+goto bad;
+}
 break;
 case OCON_IOMEM:
 if ( p->target_type != TARGET_XEN )
@@ -2078,6 +2083,12 @@ int policydb_read(struct policydb *p, void *fp)
 rc = context_read_and_validate(>context, p, fp);
 if ( rc )
 goto bad;
+if ( l && l->u.iomem.high_iomem > c->u.iomem.low_iomem )
+{
+printk(KERN_ERR
+"Flask: Invalid policy, iomemcon not sorted\n");
+goto bad;
+}
 break;
 case OCON_DEVICE:
 if ( p->target_type != TARGET_XEN )
@@ -2123,6 +2134,7 @@ int policydb_read(struct policydb *p, void *fp)
 rc = -EINVAL;
 goto bad;
 }
+l = c;
 }
 }
 
-- 
2.14.4


___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting

Re: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting

Re: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting

Re: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting

[Xen-devel] [PATCH] flask: Add check for io{port,mem}con sorting

5 matches

Site Navigation

Mail list logo

Footer information