From: Fedor Pchelkin
To: John Johansen
Cc: Fedor Pchelkin, Paul Moore, James Morris, "Serge E. Hallyn", apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov, lvc-project@linuxtesting.org
Subject: [PATCH 1/2] apparmor: rename the data start flag inside verify_header
Date: Sat, 13 Jan 2024 15:15:51 +0300
Message-ID: <20240113121556.12948-2-pchelkin@ispras.ru>
In-Reply-To: <20240113121556.12948-1-pchelkin@ispras.ru>
References: <20240113121556.12948-1-pchelkin@ispras.ru>

The current `required` flag indicates the packed data start, thus requiring
the header to be unpacked at this position. For the purposes of
verify_header() refinement, rename that flag to `start` so that it can be
used with this meaning in other parts of the function.

Found by Linux Verification Center (linuxtesting.org).

Signed-off-by: Fedor Pchelkin
---
 security/apparmor/policy_unpack.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index a91b30100b77..54f7b4346506 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -1111,12 +1111,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) /** * verify_header - unpack serialized stream header * @e: serialized data read head (NOT NULL) - * @required: whether the header is required or optional + * @start: whether the header is located at the start of data * @ns: Returns - namespace if one is specified else NULL (NOT NULL) * * Returns: error or 0 if header is good */ -static int verify_header(struct aa_ext *e, int required, const char **ns) +static int verify_header(struct aa_ext *e, int start, const char **ns) { int error = -EPROTONOSUPPORT; const char *name = NULL; 
@@ -1124,7 +1124,8 @@ static int verify_header(struct aa_ext *e, int required, const char **ns) /* get the interface version */ if (!aa_unpack_u32(e, &e->version, "version")) { - if (required) { + /* the header is required at the start of data */ + if (start) { audit_iface(NULL, NULL, NULL, "invalid profile format", e, error); return error;
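
Review bot: In [PATCH 1/2], first hunk, `int start` in the verify_header() signature is used purely as a true/false flag (the second hunk tests it as `if (start)`), so while the parameter is being renamed it could become `bool start`, which would match the new kernel-doc wording "whether the header is located at the start of data". The rename is otherwise consistent across the kernel-doc line, the signature and the one use shown.
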
From: Fedor Pchelkin
To: John Johansen
Cc: Fedor Pchelkin, Paul Moore, James Morris, "Serge E. Hallyn", apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov, lvc-project@linuxtesting.org
Subject: [PATCH 2/2] apparmor: fix namespace check in serialized stream headers from the same policy load
Date: Sat, 13 Jan 2024 15:15:52 +0300
Message-ID: <20240113121556.12948-3-pchelkin@ispras.ru>
In-Reply-To: <20240113121556.12948-1-pchelkin@ispras.ru>
References: <20240113121556.12948-1-pchelkin@ispras.ru>

Per commit 04dc715e24d0 ("apparmor: audit policy ns specified in policy
load"), profiles in a single load must specify the same namespace. It is
supposed to be detected inside aa_replace_profiles() and verify_header(),
but seems not to be implemented correctly in the second function.

Consider we have the following profile load

  profile :ns1:profile1 ... {}
  profile :ns2:profile2 ... {}

The profiles specify different policy namespaces but if they are loaded as
a single binary where the serialized stream headers contain different
namespace values, it eventually leads to the profiles specified with
different namespaces being included into the same one without any specific
indication to the user.

*ns is assigned NULL in verify_header(), and the branch indicating an
"invalid ns change" message is dead code. Moreover, some of the *ns strings
are leaked as they are allocated every time verify_header() reads a
namespace string.

Actually, *ns is already assigned NULL in aa_unpack(), before the multiple
profiles unpacking loop. So make verify_header() check if every new
unpacked namespace declaration differs from the previous one in the same
load.

Note that similar to the namespace check in aa_replace_profiles(), if
one profile in the load specifies some namespace declaration in the header
and the other one doesn't specify any namespace in the header - it is also
considered invalid, e.g. the following multiple profiles load will fail
after this patch

  profile profile1 ... {}
  profile :ns:profile2 ... {}

Found by Linux Verification Center (linuxtesting.org).

Fixes: dd51c8485763 ("apparmor: provide base for multiple profiles to be replaced at once")
Signed-off-by: Fedor Pchelkin
---
 security/apparmor/policy_unpack.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 54f7b4346506..5bd8ab7f1c88 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -1120,7 +1120,6 @@ static int verify_header(struct aa_ext *e, int start, const char **ns) { int error = -EPROTONOSUPPORT; const char *name = NULL; - *ns = NULL; /* get the interface version */ if (!aa_unpack_u32(e, &e->version, "version")) { 
@@ -1142,20 +1141,35 @@ static int verify_header(struct aa_ext *e, int start, const char **ns) return error; } - /* read the namespace if present */ + /* read the namespace if present and check it against policy load + * namespace specified in the data start header + */ if (aa_unpack_str(e, &name, "namespace")) { if (*name == '\0') { audit_iface(NULL, NULL, NULL, "invalid namespace name", e, error); return error; } + + /* don't allow different namespaces be specified in the same + * policy load set + */ + error = -EACCES; if (*ns && strcmp(*ns, name)) { - audit_iface(NULL, NULL, NULL, "invalid ns change", e, + audit_iface(NULL, NULL, NULL, + "policy load has mixed namespaces", e, error); - } else if (!*ns) { + return error; + } else if (!*ns && start) { + /* fill current policy load namespace at data start */ *ns = kstrdup(name, GFP_KERNEL); if (!*ns) return -ENOMEM; + } else if (!*ns) { + audit_iface(NULL, NULL, NULL, + "policy load has mixed namespaces", e, + error); + return error; } }
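
Review bot: In [PATCH 2/2], first hunk, dropping `*ns = NULL;` makes `ns` an in/out parameter, but the kernel-doc shown in patch 1 still reads "@ns: Returns - namespace if one is specified else NULL (NOT NULL)". Suggest updating that line to say that `*ns` must be initialized by the caller (the commit message says aa_unpack() sets it to NULL before the unpacking loop) and that it carries the load's namespace from one verify_header() call to the next.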
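
Review bot: In [PATCH 2/2], second hunk, every new check sits inside `if (aa_unpack_str(e, &name, "namespace"))`, so a later header that carries no namespace string while `*ns` is already set passes through verify_header() without being compared. The commit message treats a mix of namespaced and non-namespaced profiles as invalid, so either add an else branch that rejects the header when `*ns` is non-NULL, or say in the comment that aa_replace_profiles() is relied on for that ordering. Separately, `error = -EACCES;` stays in effect after the block on the success path; assigning it only where the load is rejected (the two branches emit the same "policy load has mixed namespaces" message and could share one condition) would keep the initial -EPROTONOSUPPORT for whatever follows.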