Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFE: introduce LSM specific fanotify flags for the "path_notify" hook #53

Open
pcmoore opened this issue Sep 23, 2020 · 0 comments
Open

RFE: introduce LSM specific fanotify flags for the "path_notify" hook #53

pcmoore opened this issue Sep 23, 2020 · 0 comments
Labels
enhancement priority/low

Comments

@pcmoore
Copy link
Member

pcmoore commented Sep 23, 2020

From the mailing list:

From: @stephensmalley
To: @WOnder93
Cc: @bachradsusi, SElinux list, @pcmoore
Subject: Re: [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort
Date: Thu, 10 Sep 2020 10:54:38 -0400

On Thu, Sep 10, 2020 at 10:36 AM Stephen Smalley wrote:

On Thu, Sep 10, 2020 at 9:31 AM Stephen Smalley wrote:

  1. For cases where an error is returned by SELinux that is not already
    governed by a selinux_initialized() or enforcing_enabled() check, we
    just need to ensure that all such cases are gated by such a check. We
    fixed that recently for the removexattr security.selinux case and
    there were some earlier cases fixed with respect to setting labels
    before policy load. The specific concern raised in the thread
    appeared to be due to denials silenced via dontaudit rules, which
    won't happen if there is no policy loaded so I don't think that's
    relevant. There are other cases where SELinux might return an error
    if a new case is introduced in another kernel subsystem without
    updating SELinux to handle it, e.g. a new type for
    selinux_perf_event_open(), a new obj_type in selinux_path_notify().
    It would be better if we could introduce build-time guards to catch
    these as we have done for e.g. new capabilities, new socket address
    families, new netlink message types, in order to ensure that they are
    always in sync.

On second look, selinux_perf_event_open() is ok because the type
values are specifically (and only) for the security hook, so anyone
adding new PERF_SECURITY_* types should see the need to update the
hook implementation too. selinux_path_notify() case is different.

For selinux_path_notify(), there are in fact other fsnotify object
types defined in fsnotify_backend.h but
fs/notify/fanotify_user.c:do_fanotify_mark() only ever sets obj_type
that is later passed to the hook to one of the three values it handles
(inode, vfsmount, sb). Since that could potentially change in the
future, we should likely change the security framework to define its
own set of SECURITY_NOTIFY_OBJ_TYPE_* values and have the hook callers
explicitly translate to one of those.
stephensmalley pushed a commit to stephensmalley/selinux-kernel that referenced this issue May 2, 2024
@gregkh
usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()
b63f904 
When unregister pd capabilitie in tcpm, KASAN will capture below double
-free issue. The root cause is the same capabilitiy will be kfreed twice,
the first time is kfreed by pd_capabilities_release() and the second time
is explicitly kfreed by tcpm_port_unregister_pd().

[    3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc
[    3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10
[    4.001206]
[    4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 SELinuxProject#53
[    4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)
[    4.017569] Workqueue: events_unbound deferred_probe_work_func
[    4.023456] Call trace:
[    4.025920]  dump_backtrace+0x94/0xec
[    4.029629]  show_stack+0x18/0x24
[    4.032974]  dump_stack_lvl+0x78/0x90
[    4.036675]  print_report+0xfc/0x5c0
[    4.040289]  kasan_report_invalid_free+0xa0/0xc0
[    4.044937]  __kasan_slab_free+0x124/0x154
[    4.049072]  kfree+0xb4/0x1e8
[    4.052069]  tcpm_port_unregister_pd+0x1a4/0x3dc
[    4.056725]  tcpm_register_port+0x1dd0/0x2558
[    4.061121]  tcpci_register_port+0x420/0x71c
[    4.065430]  tcpci_probe+0x118/0x2e0

To fix the issue, this will remove kree() from tcpm_port_unregister_pd().

Fixes: cd099cd ("usb: typec: tcpm: Support multiple capabilities")
cc: stable@vger.kernel.org
Suggested-by: Aisheng Dong <aisheng.dong@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20240311065219.777037-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement priority/low
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@pcmoore