[PATCH 5.1 017/115] selinux: log raw contexts as untrusted strings

From: Greg Kroah-Hartman
Date: Mon Jun 17 2019 - 17:43:15 EST


From: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

commit aff7ed4851680d0d28ad9f52cd2f99213e1371b2 upstream.

These strings may come from untrusted sources (e.g. file xattrs) so they
need to be properly escaped.

Reproducer:
# setenforce 0
# touch /tmp/test
# setfattr -n security.selinux -v 'kuÅecà ÅÃzek' /tmp/test
# runcon system_u:system_r:sshd_t:s0 cat /tmp/test
(look at the generated AVCs)

Actual result:
type=AVC [...] trawcon=kuÅecà ÅÃzek

Expected result:
type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B

Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs")
Cc: stable@xxxxxxxxxxxxxxx # v5.1+
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
Acked-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
security/selinux/avc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -739,14 +739,20 @@ static void avc_audit_post_callback(stru
rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
&scontext_len);
if (!rc && scontext) {
- audit_log_format(ab, " srawcon=%s", scontext);
+ if (scontext_len && scontext[scontext_len - 1] == '\0')
+ scontext_len--;
+ audit_log_format(ab, " srawcon=");
+ audit_log_n_untrustedstring(ab, scontext, scontext_len);
kfree(scontext);
}

rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
&scontext_len);
if (!rc && scontext) {
- audit_log_format(ab, " trawcon=%s", scontext);
+ if (scontext_len && scontext[scontext_len - 1] == '\0')
+ scontext_len--;
+ audit_log_format(ab, " trawcon=");
+ audit_log_n_untrustedstring(ab, scontext, scontext_len);
kfree(scontext);
}
}