From patchwork Wed Jun 7 00:45:24 2017
X-Patchwork-Submitter: John Stultz
X-Patchwork-Id: 103201
From: John Stultz
Date: Tue, 6 Jun 2017 17:45:24 -0700
Subject: "selinux: support distinctions among all network address families" causing existing bluetooth sepolicies to not work properly with Android?
To: Stephen Smalley, Paul Moore
Cc: Jeffrey Vander Stoep, Android Kernel Team, Nick Kralevich, lkml, Satish Patel, Rob Herring
List-ID: linux-kernel@vger.kernel.org

Hey folks,

Recently I was working to validate/enable a new bluetooth HAL on HiKey with Android, and after getting it working properly with a 4.9 based kernel, I found that I was seeing failures trying to run with an upstream (4.12-rc3 based) kernel.

It seemed a call to:

    socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI);

was suddenly failing, and running "setenforce 0" would allow it to continue properly.

I chased the issue down to da69a5306ab9 ("selinux: support distinctions among all network address families"), and worked around it with the following (whitespace corrupted, sorry) hack:

    case PF_RXRPC:

Obviously this isn't ideal. The commit message claims that "Backward compatibility is provided by only enabling the finer-grained socket classes if a new policy capability is set in the policy; older policies will behave as before." Which makes it seem like the older sepolicy should be fine with newer kernels, but this doesn't seem to be the case here? Am I missing something? Is Android doing something odd with their POLICYDB that is causing the kernel to think the sepolicy is newer?

thanks
-john

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e67a526..42dfd0f 100644 
--- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1379,8 +1379,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc return SECCLASS_CAN_SOCKET; case PF_TIPC: return SECCLASS_TIPC_SOCKET; - case PF_BLUETOOTH: - return SECCLASS_BLUETOOTH_SOCKET; +// case PF_BLUETOOTH: +// return SECCLASS_BLUETOOTH_SOCKET; case PF_IUCV: return SECCLASS_IUCV_SOCKET;
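Review bot: Commenting out the `case PF_BLUETOOTH:` / `return SECCLASS_BLUETOOTH_SOCKET;` pair removes the bluetooth_socket mapping unconditionally, so every AF_BLUETOOTH socket falls through to the function's default class (not shown in the hunk) and the per-family check that da69a5306ab9 introduced is lost even for policies that opted in; the mail itself calls this a hack rather than a fix. The question the commit message raises is whether the loaded Android policy actually sets the new policy capability: if it does, the kernel is behaving as designed and the policy needs an allow rule on the bluetooth_socket class; if it does not, the mapping should already be gated and the defect is in the gating, not in this switch. If the change must be carried temporarily, guard the two lines with `#if 0` / `#endif` or a conditional rather than `//` line comments, which is harder to spot when reading the switch.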
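The mail narrows the failure down by observing that the socket() call fails under enforcing mode and succeeds after "setenforce 0", and the commit message it quotes says the finer-grained classes are only enabled when a policy capability is set. The following is an added diagnostic written for this thread, not code from the mail or from the kernel patch: it attempts the same socket() call, maps the errno to a short diagnosis (EACCES is what an LSM hook denial returns, as opposed to EAFNOSUPPORT when the family is absent or EPERM when a capability is missing), and reads the SELinux enforce flag and the policy capability from selinuxfs. It assumes selinuxfs is mounted at /sys/fs/selinux and that the capability file is named extended_socket_class, which is the capability that commit series added but which the mail itself does not name.

```c
/* Added diagnostic for the SELinux socket-class question in the mail.
 * Not part of the original message or of the kernel patch.
 * Assumptions (not stated on the page): selinuxfs at /sys/fs/selinux,
 * and "extended_socket_class" is the policy capability that gates the
 * finer-grained socket classes. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#ifndef AF_BLUETOOTH
#define AF_BLUETOOTH 31          /* glibc defines this; fallback for older headers */
#endif
#define BTPROTO_HCI 1            /* value from <bluetooth/bluetooth.h>, copied to avoid the dependency */

#define SELINUXFS "/sys/fs/selinux"

/* Map the errno of a failed socket() call to a short diagnosis string. */
const char *diagnose_socket_errno(int err)
{
    switch (err) {
    case 0:               return "socket created";
    case EACCES:          return "EACCES: denied by an LSM hook (SELinux socket class check)";
    case EPERM:           return "EPERM: missing capability (for raw sockets typically CAP_NET_RAW)";
    case EAFNOSUPPORT:    return "EAFNOSUPPORT: address family not supported by this kernel";
    case EPROTONOSUPPORT: return "EPROTONOSUPPORT: protocol not supported";
    default:              return "other failure";
    }
}

/* Read a single-digit boolean file such as selinuxfs "enforce" or an entry
 * under policy_capabilities/. Returns 0 or 1, or -1 if unreadable or not 0/1. */
int read_bool_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char buf[16] = {0};
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    if (n == 0)
        return -1;
    if (buf[0] == '0')
        return 0;
    if (buf[0] == '1')
        return 1;
    return -1;
}

/* Attempt the exact call from the mail; returns errno, or 0 on success. */
int try_hci_raw_socket(void)
{
    int fd = socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    int err = try_hci_raw_socket();
    printf("socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI): %s (errno %d)\n",
           diagnose_socket_errno(err), err);

    int enforce = read_bool_file(SELINUXFS "/enforce");
    int extsock = read_bool_file(SELINUXFS "/policy_capabilities/extended_socket_class");
    printf("SELinux enforce: %d (-1 = selinuxfs not available)\n", enforce);
    printf("policy capability extended_socket_class: %d (-1 = not exposed by this kernel)\n", extsock);

    /* Interpret the combination the mail is asking about. */
    if (err == EACCES && extsock == 1)
        puts("Loaded policy enables the extended socket classes: AF_BLUETOOTH is checked "
             "as bluetooth_socket, so the policy must grant that class.");
    else if (err == EACCES && extsock == 0)
        puts("Extended socket classes are off: the denial is on the generic socket class.");
    return 0;
}
```

Run it as the same user and SELinux context as the failing HAL; a denial with the capability reported as 1 means the policy is opting in to the new classes, while a denial with it reported as 0 points back at the older class mapping rather than at da69a5306ab9.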