From 139b3cd7efe622948c0344da1d0ef23311dfec2c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 12 Nov 2021 17:41:25 +0100 Subject: [PATCH] 4.14-stable patches added patches: binder-use-cred-instead-of-task-for-selinux-checks.patch binder-use-euid-from-cred-instead-of-using-task.patch --- ...d-instead-of-task-for-selinux-checks.patch | 287 ++++++++++++++++++ ...euid-from-cred-instead-of-using-task.patch | 77 +++++ queue-4.14/series | 2 + 3 files changed, 366 insertions(+) create mode 100644 queue-4.14/binder-use-cred-instead-of-task-for-selinux-checks.patch create mode 100644 queue-4.14/binder-use-euid-from-cred-instead-of-using-task.patch diff --git a/queue-4.14/binder-use-cred-instead-of-task-for-selinux-checks.patch b/queue-4.14/binder-use-cred-instead-of-task-for-selinux-checks.patch new file mode 100644 index 00000000000..3aaf6f7785b --- /dev/null +++ b/queue-4.14/binder-use-cred-instead-of-task-for-selinux-checks.patch @@ -0,0 +1,287 @@ +From 52f88693378a58094c538662ba652aff0253c4fe Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Tue, 12 Oct 2021 09:56:13 -0700 +Subject: binder: use cred instead of task for selinux checks + +From: Todd Kjos + +commit 52f88693378a58094c538662ba652aff0253c4fe upstream. + +Since binder was integrated with selinux, it has passed +'struct task_struct' associated with the binder_proc +to represent the source and target of transactions. +The conversion of task to SID was then done in the hook +implementations. It turns out that there are race conditions +which can result in an incorrect security context being used. + +Fix by using the 'struct cred' saved during binder_open and pass +it to the selinux subsystem. + +Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables) +Fixes: 79af73079d75 ("Add security hooks to binder and implement the hooks for SELinux.") +Suggested-by: Jann Horn +Signed-off-by: Todd Kjos +Acked-by: Casey Schaufler +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 12 ++++++------ + include/linux/lsm_hooks.h | 28 ++++++++++++++-------------- + include/linux/security.h | 28 ++++++++++++++-------------- + security/security.c | 14 +++++++------- + security/selinux/hooks.c | 31 +++++++++++++------------------ + 5 files changed, 54 insertions(+), 59 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2285,7 +2285,7 @@ static int binder_translate_binder(struc + ret = -EINVAL; + goto done; + } +- if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) { ++ if (security_binder_transfer_binder(proc->cred, target_proc->cred)) { + ret = -EPERM; + goto done; + } +@@ -2331,7 +2331,7 @@ static int binder_translate_handle(struc + proc->pid, thread->pid, fp->handle); + return -EINVAL; + } +- if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) { ++ if (security_binder_transfer_binder(proc->cred, target_proc->cred)) { + ret = -EPERM; + goto done; + } +@@ -2415,7 +2415,7 @@ static int binder_translate_fd(int fd, + ret = -EBADF; + goto err_fget; + } +- ret = security_binder_transfer_file(proc->tsk, target_proc->tsk, file); ++ ret = security_binder_transfer_file(proc->cred, target_proc->cred, file); + if (ret < 0) { + ret = -EPERM; + goto err_security; +@@ -2802,8 +2802,8 @@ static void binder_transaction(struct bi + return_error_line = __LINE__; + goto err_invalid_target_handle; + } +- if (security_binder_transaction(proc->tsk, +- target_proc->tsk) < 0) { ++ if (security_binder_transaction(proc->cred, ++ target_proc->cred) < 0) { + return_error = BR_FAILED_REPLY; + return_error_param = -EPERM; + return_error_line = __LINE__; +@@ -4469,7 +4469,7 @@ static int binder_ioctl_set_ctx_mgr(stru + ret = -EBUSY; + goto out; + } +- ret = security_binder_set_context_mgr(proc->tsk); ++ ret = security_binder_set_context_mgr(proc->cred); + if (ret < 0) + goto out; + if (uid_valid(context->binder_context_mgr_uid)) { +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -1170,22 +1170,22 @@ + * + * @binder_set_context_mgr: + * Check whether @mgr is allowed to be the binder context manager. +- * @mgr contains the task_struct for the task being registered. ++ * @mgr contains the struct cred for the current binder process. + * Return 0 if permission is granted. + * @binder_transaction: + * Check whether @from is allowed to invoke a binder transaction call + * to @to. +- * @from contains the task_struct for the sending task. +- * @to contains the task_struct for the receiving task. ++ * @from contains the struct cred for the sending process. ++ * @to contains the struct cred for the receiving process. + * @binder_transfer_binder: + * Check whether @from is allowed to transfer a binder reference to @to. +- * @from contains the task_struct for the sending task. +- * @to contains the task_struct for the receiving task. ++ * @from contains the struct cred for the sending process. ++ * @to contains the struct cred for the receiving process. + * @binder_transfer_file: + * Check whether @from is allowed to transfer @file to @to. +- * @from contains the task_struct for the sending task. ++ * @from contains the struct cred for the sending process. + * @file contains the struct file being transferred. +- * @to contains the task_struct for the receiving task. ++ * @to contains the struct cred for the receiving process. + * + * @ptrace_access_check: + * Check permission before allowing the current process to trace the +@@ -1353,13 +1353,13 @@ + * @ctxlen points to the place to put the length of @ctx. + */ + union security_list_options { +- int (*binder_set_context_mgr)(struct task_struct *mgr); +- int (*binder_transaction)(struct task_struct *from, +- struct task_struct *to); +- int (*binder_transfer_binder)(struct task_struct *from, +- struct task_struct *to); +- int (*binder_transfer_file)(struct task_struct *from, +- struct task_struct *to, ++ int (*binder_set_context_mgr)(const struct cred *mgr); ++ int (*binder_transaction)(const struct cred *from, ++ const struct cred *to); ++ int (*binder_transfer_binder)(const struct cred *from, ++ const struct cred *to); ++ int (*binder_transfer_file)(const struct cred *from, ++ const struct cred *to, + struct file *file); + + int (*ptrace_access_check)(struct task_struct *child, +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -197,13 +197,13 @@ static inline void security_free_mnt_opt + extern int security_init(void); + + /* Security operations */ +-int security_binder_set_context_mgr(struct task_struct *mgr); +-int security_binder_transaction(struct task_struct *from, +- struct task_struct *to); +-int security_binder_transfer_binder(struct task_struct *from, +- struct task_struct *to); +-int security_binder_transfer_file(struct task_struct *from, +- struct task_struct *to, struct file *file); ++int security_binder_set_context_mgr(const struct cred *mgr); ++int security_binder_transaction(const struct cred *from, ++ const struct cred *to); ++int security_binder_transfer_binder(const struct cred *from, ++ const struct cred *to); ++int security_binder_transfer_file(const struct cred *from, ++ const struct cred *to, struct file *file); + int security_ptrace_access_check(struct task_struct *child, unsigned int mode); + int security_ptrace_traceme(struct task_struct *parent); + int security_capget(struct task_struct *target, +@@ -424,25 +424,25 @@ static inline int security_init(void) + return 0; + } + +-static inline int security_binder_set_context_mgr(struct task_struct *mgr) ++static inline int security_binder_set_context_mgr(const struct cred *mgr) + { + return 0; + } + +-static inline int security_binder_transaction(struct task_struct *from, +- struct task_struct *to) ++static inline int security_binder_transaction(const struct cred *from, ++ const struct cred *to) + { + return 0; + } + +-static inline int security_binder_transfer_binder(struct task_struct *from, +- struct task_struct *to) ++static inline int security_binder_transfer_binder(const struct cred *from, ++ const struct cred *to) + { + return 0; + } + +-static inline int security_binder_transfer_file(struct task_struct *from, +- struct task_struct *to, ++static inline int security_binder_transfer_file(const struct cred *from, ++ const struct cred *to, + struct file *file) + { + return 0; +--- a/security/security.c ++++ b/security/security.c +@@ -222,25 +222,25 @@ EXPORT_SYMBOL(unregister_lsm_notifier); + + /* Security operations */ + +-int security_binder_set_context_mgr(struct task_struct *mgr) ++int security_binder_set_context_mgr(const struct cred *mgr) + { + return call_int_hook(binder_set_context_mgr, 0, mgr); + } + +-int security_binder_transaction(struct task_struct *from, +- struct task_struct *to) ++int security_binder_transaction(const struct cred *from, ++ const struct cred *to) + { + return call_int_hook(binder_transaction, 0, from, to); + } + +-int security_binder_transfer_binder(struct task_struct *from, +- struct task_struct *to) ++int security_binder_transfer_binder(const struct cred *from, ++ const struct cred *to) + { + return call_int_hook(binder_transfer_binder, 0, from, to); + } + +-int security_binder_transfer_file(struct task_struct *from, +- struct task_struct *to, struct file *file) ++int security_binder_transfer_file(const struct cred *from, ++ const struct cred *to, struct file *file) + { + return call_int_hook(binder_transfer_file, 0, from, to, file); + } +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -2136,21 +2136,18 @@ static inline u32 open_file_to_av(struct + + /* Hook functions begin here. */ + +-static int selinux_binder_set_context_mgr(struct task_struct *mgr) ++static int selinux_binder_set_context_mgr(const struct cred *mgr) + { +- u32 mysid = current_sid(); +- u32 mgrsid = task_sid(mgr); +- +- return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, ++ return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER, + BINDER__SET_CONTEXT_MGR, NULL); + } + +-static int selinux_binder_transaction(struct task_struct *from, +- struct task_struct *to) ++static int selinux_binder_transaction(const struct cred *from, ++ const struct cred *to) + { + u32 mysid = current_sid(); +- u32 fromsid = task_sid(from); +- u32 tosid = task_sid(to); ++ u32 fromsid = cred_sid(from); ++ u32 tosid = cred_sid(to); + int rc; + + if (mysid != fromsid) { +@@ -2164,21 +2161,19 @@ static int selinux_binder_transaction(st + NULL); + } + +-static int selinux_binder_transfer_binder(struct task_struct *from, +- struct task_struct *to) ++static int selinux_binder_transfer_binder(const struct cred *from, ++ const struct cred *to) + { +- u32 fromsid = task_sid(from); +- u32 tosid = task_sid(to); +- +- return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, ++ return avc_has_perm(cred_sid(from), cred_sid(to), ++ SECCLASS_BINDER, BINDER__TRANSFER, + NULL); + } + +-static int selinux_binder_transfer_file(struct task_struct *from, +- struct task_struct *to, ++static int selinux_binder_transfer_file(const struct cred *from, ++ const struct cred *to, + struct file *file) + { +- u32 sid = task_sid(to); ++ u32 sid = cred_sid(to); + struct file_security_struct *fsec = file->f_security; + struct dentry *dentry = file->f_path.dentry; + struct inode_security_struct *isec; diff --git a/queue-4.14/binder-use-euid-from-cred-instead-of-using-task.patch b/queue-4.14/binder-use-euid-from-cred-instead-of-using-task.patch new file mode 100644 index 00000000000..ee6a7aa458e --- /dev/null +++ b/queue-4.14/binder-use-euid-from-cred-instead-of-using-task.patch @@ -0,0 +1,77 @@ +From 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Tue, 12 Oct 2021 09:56:12 -0700 +Subject: binder: use euid from cred instead of using task + +From: Todd Kjos + +commit 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b upstream. + +Save the 'struct cred' associated with a binder process +at initial open to avoid potential race conditions +when converting to an euid. + +Set a transaction's sender_euid from the 'struct cred' +saved at binder_open() instead of looking up the euid +from the binder proc's 'struct task'. This ensures +the euid is associated with the security context that +of the task that opened binder. + +Cc: stable@vger.kernel.org # 4.4+ +Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") +Signed-off-by: Todd Kjos +Suggested-by: Stephen Smalley +Suggested-by: Jann Horn +Acked-by: Casey Schaufler +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -484,6 +484,9 @@ enum binder_deferred_state { + * @files files_struct for process + * (protected by @files_lock) + * @files_lock mutex to protect @files ++ * @cred struct cred associated with the `struct file` ++ * in binder_open() ++ * (invariant after initialized) + * @deferred_work_node: element for binder_deferred_list + * (protected by binder_deferred_lock) + * @deferred_work: bitmap of deferred work to perform +@@ -532,6 +535,7 @@ struct binder_proc { + struct task_struct *tsk; + struct files_struct *files; + struct mutex files_lock; ++ const struct cred *cred; + struct hlist_node deferred_work_node; + int deferred_work; + bool is_dead; +@@ -2890,7 +2894,7 @@ static void binder_transaction(struct bi + t->from = thread; + else + t->from = NULL; +- t->sender_euid = task_euid(proc->tsk); ++ t->sender_euid = proc->cred->euid; + t->to_proc = target_proc; + t->to_thread = target_thread; + t->code = tr->code; +@@ -4261,6 +4265,7 @@ static void binder_free_proc(struct bind + BUG_ON(!list_empty(&proc->delivered_death)); + binder_alloc_deferred_release(&proc->alloc); + put_task_struct(proc->tsk); ++ put_cred(proc->cred); + binder_stats_deleted(BINDER_STAT_PROC); + kfree(proc); + } +@@ -4717,6 +4722,7 @@ static int binder_open(struct inode *nod + get_task_struct(current->group_leader); + proc->tsk = current->group_leader; + mutex_init(&proc->files_lock); ++ proc->cred = get_cred(filp->f_cred); + INIT_LIST_HEAD(&proc->todo); + proc->default_priority = task_nice(current); + binder_dev = container_of(filp->private_data, struct binder_device, diff --git a/queue-4.14/series b/queue-4.14/series index 091fe778cd2..8b3b1a4413a 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -1 +1,3 @@ xhci-fix-usb-3.1-enumeration-issues-by-increasing-roothub-power-on-good-delay.patch +binder-use-euid-from-cred-instead-of-using-task.patch +binder-use-cred-instead-of-task-for-selinux-checks.patch -- 2.47.3