diff options
author | Kohei Kaigai <Kohei.Kaigai@emea.nec.com> | 2011-05-26 14:59:25 -0400 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2011-05-26 17:20:53 -0400 |
commit | 0f7e4c33eb2c40b1e9cc24d2eab6de5921bc619c (patch) | |
tree | 793c5f834751215dfc93b05540fa9ed46c64ee07 /security/selinux/selinuxfs.c | |
parent | ea77f7a2e8561012cf100c530170f12351c3b53e (diff) |
selinux: fix case of names with whitespace/multibytes on /selinux/create
I submit the patch again, according to patch submission convension.
This patch enables to accept percent-encoded object names as forth
argument of /selinux/create interface to avoid possible bugs when we
give an object name including whitespace or multibutes.
E.g) if and when a userspace object manager tries to create a new object
named as "resolve.conf but fake", it shall give this name as the forth
argument of the /selinux/create. But sscanf() logic in kernel space
fetches only the part earlier than the first whitespace.
In this case, selinux may unexpectedly answer a default security context
configured to "resolve.conf", but it is bug.
Although I could not test this patch on named TYPE_TRANSITION rules
actually, But debug printk() message seems to me the logic works
correctly.
I assume the libselinux provides an interface to apply this logic
transparently, so nothing shall not be changed from the viewpoint of
application.
Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux/selinuxfs.c')
-rw-r--r-- | security/selinux/selinuxfs.c | 37 |
1 files changed, 36 insertions, 1 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index fde4e9d64bfd..19489042fdf7 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -29,6 +29,7 @@ | |||
29 | #include <linux/audit.h> | 29 | #include <linux/audit.h> |
30 | #include <linux/uaccess.h> | 30 | #include <linux/uaccess.h> |
31 | #include <linux/kobject.h> | 31 | #include <linux/kobject.h> |
32 | #include <linux/ctype.h> | ||
32 | 33 | ||
33 | /* selinuxfs pseudo filesystem for exporting the security policy API. | 34 | /* selinuxfs pseudo filesystem for exporting the security policy API. |
34 | Based on the proc code and the fs/nfsd/nfsctl.c code. */ | 35 | Based on the proc code and the fs/nfsd/nfsctl.c code. */ |
@@ -751,6 +752,14 @@ out: | |||
751 | return length; | 752 | return length; |
752 | } | 753 | } |
753 | 754 | ||
755 | static inline int hexcode_to_int(int code) { | ||
756 | if (code == '\0' || !isxdigit(code)) | ||
757 | return -1; | ||
758 | if (isdigit(code)) | ||
759 | return code - '0'; | ||
760 | return tolower(code) - 'a' + 10; | ||
761 | } | ||
762 | |||
754 | static ssize_t sel_write_create(struct file *file, char *buf, size_t size) | 763 | static ssize_t sel_write_create(struct file *file, char *buf, size_t size) |
755 | { | 764 | { |
756 | char *scon = NULL, *tcon = NULL; | 765 | char *scon = NULL, *tcon = NULL; |
@@ -785,8 +794,34 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size) | |||
785 | nargs = sscanf(buf, "%s %s %hu %s", scon, tcon, &tclass, namebuf); | 794 | nargs = sscanf(buf, "%s %s %hu %s", scon, tcon, &tclass, namebuf); |
786 | if (nargs < 3 || nargs > 4) | 795 | if (nargs < 3 || nargs > 4) |
787 | goto out; | 796 | goto out; |
788 | if (nargs == 4) | 797 | if (nargs == 4) { |
798 | /* | ||
799 | * If and when the name of new object to be queried contains | ||
800 | * either whitespace or multibyte characters, they shall be | ||
801 | * encoded based on the percentage-encoding rule. | ||
802 | * If not encoded, the sscanf logic picks up only left-half | ||
803 | * of the supplied name; splitted by a whitespace unexpectedly. | ||
804 | */ | ||
805 | char *r, *w; | ||
806 | int c1, c2; | ||
807 | |||
808 | r = w = namebuf; | ||
809 | do { | ||
810 | c1 = *r++; | ||
811 | if (c1 == '+') | ||
812 | c1 = ' '; | ||
813 | else if (c1 == '%') { | ||
814 | if ((c1 = hexcode_to_int(*r++)) < 0) | ||
815 | goto out; | ||
816 | if ((c2 = hexcode_to_int(*r++)) < 0) | ||
817 | goto out; | ||
818 | c1 = (c1 << 4) | c2; | ||
819 | } | ||
820 | *w++ = c1; | ||
821 | } while (c1 != '\0'); | ||
822 | |||
789 | objname = namebuf; | 823 | objname = namebuf; |
824 | } | ||
790 | 825 | ||
791 | length = security_context_to_sid(scon, strlen(scon) + 1, &ssid); | 826 | length = security_context_to_sid(scon, strlen(scon) + 1, &ssid); |
792 | if (length) | 827 | if (length) |