From 3313343ba7803bff077af5d87df2260cdcd2d678 Mon Sep 17 00:00:00 2001

From: Adrian Reber <areber@redhat.com>

Date: Thu, 2 May 2019 13:41:46 +0000

Subject: [PATCH 1/4] lsm: also dump and restore sockcreate

The file /proc/PID/attr/sockcreate is used by SELinux to label newly

created sockets with the label available at sockcreate.

If it is NULL, the default label of the process will be used.

This reads out that file during checkpoint and restores the value during

restore.

This value is irrelevant for existing sockets as they might have been

created with another context. This is only to make sure that newly

created sockets have the correct context.

Signed-off-by: Adrian Reber <areber@redhat.com>

---

 criu/cr-restore.c       | 36 ++++++++++++++++++++++++++++++++++++

 criu/include/restorer.h |  2 ++

 criu/lsm.c              | 32 ++++++++++++++++++++++++++++++++

 criu/pie/restorer.c     | 15 ++++++++++-----

 images/creds.proto      |  1 +

 5 files changed, 81 insertions(+), 5 deletions(-)

diff --git a/criu/cr-restore.c b/criu/cr-restore.c

index 5fd22e9246..f254cbc0eb 100644

--- a/criu/cr-restore.c

+++ b/criu/cr-restore.c

@@ -2997,6 +2997,8 @@ static void rst_reloc_creds(struct thread_restore_args *thread_args,

 	if (args->lsm_profile)

 		args->lsm_profile = rst_mem_remap_ptr(args->mem_lsm_profile_pos, RM_PRIVATE);

+	if (args->lsm_sockcreate)

+		args->lsm_sockcreate = rst_mem_remap_ptr(args->mem_lsm_sockcreate_pos, RM_PRIVATE);

 	if (args->groups)

 		args->groups = rst_mem_remap_ptr(args->mem_groups_pos, RM_PRIVATE);

@@ -3062,6 +3064,40 @@ rst_prep_creds_args(CredsEntry *ce, unsigned long *prev_pos)

 		args->mem_lsm_profile_pos = 0;

 	}

+	if (ce->lsm_sockcreate) {

+		char *rendered = NULL;

+		char *profile;

+

+		profile = ce->lsm_sockcreate;

+

+		if (validate_lsm(profile) < 0)

+			return ERR_PTR(-EINVAL);

+

+		if (profile && render_lsm_profile(profile, &rendered)) {

+			return ERR_PTR(-EINVAL);

+		}

+		if (rendered) {

+			size_t lsm_sockcreate_len;

+			char *lsm_sockcreate;

+

+			args->mem_lsm_sockcreate_pos = rst_mem_align_cpos(RM_PRIVATE);

+			lsm_sockcreate_len = strlen(rendered);

+			lsm_sockcreate = rst_mem_alloc(lsm_sockcreate_len + 1, RM_PRIVATE);

+			if (!lsm_sockcreate) {

+				xfree(rendered);

+				return ERR_PTR(-ENOMEM);

+			}

+

+			args = rst_mem_remap_ptr(this_pos, RM_PRIVATE);

+			args->lsm_sockcreate = lsm_sockcreate;

+			strncpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len);

+			xfree(rendered);

+		}

+	} else {

+		args->lsm_sockcreate = NULL;

+		args->mem_lsm_sockcreate_pos = 0;

+	}

+

 	/*

 	 * Zap fields which we can't use.

 	 */

diff --git a/criu/include/restorer.h b/criu/include/restorer.h

index 2884ce9e6d..b83e9130c5 100644

--- a/criu/include/restorer.h

+++ b/criu/include/restorer.h

@@ -69,8 +69,10 @@ struct thread_creds_args {

 	unsigned int			secbits;

 	char				*lsm_profile;

 	unsigned int			*groups;

+	char				*lsm_sockcreate;

 	unsigned long			mem_lsm_profile_pos;

+	unsigned long			mem_lsm_sockcreate_pos;

 	unsigned long			mem_groups_pos;

 	unsigned long			mem_pos_next;

diff --git a/criu/lsm.c b/criu/lsm.c

index 849ec37cde..b0ef0c396c 100644

--- a/criu/lsm.c

+++ b/criu/lsm.c

@@ -98,6 +98,32 @@ static int selinux_get_label(pid_t pid, char **output)

 	freecon(ctx);

 	return ret;

 }

+

+/*

+ * selinux_get_sockcreate_label reads /proc/PID/attr/sockcreate

+ * to see if the PID has a special label specified for sockets.

+ * Most of the time this will be empty and the process will use

+ * the process context also for sockets.

+ */

+static int selinux_get_sockcreate_label(pid_t pid, char **output)

+{

+	FILE *f;

+

+	f = fopen_proc(pid, "attr/sockcreate");

+	if (!f)

+		return -1;

+

+	fscanf(f, "%ms", output);

+	/*

+	 * No need to check the result of fscanf(). If there is something

+	 * in /proc/PID/attr/sockcreate it will be copied to *output. If

+	 * there is nothing it will stay NULL. So whatever fscanf() does

+	 * it should be correct.

+	 */

+

+	fclose(f);

+	return 0;

+}

 #endif

 void kerndat_lsm(void)

@@ -132,6 +158,7 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)

 	int ret;

 	ce->lsm_profile = NULL;

+	ce->lsm_sockcreate = NULL;

 	switch (kdat.lsm) {

 	case LSMTYPE__NO_LSM:

@@ -143,6 +170,9 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)

 #ifdef CONFIG_HAS_SELINUX

 	case LSMTYPE__SELINUX:

 		ret = selinux_get_label(pid, &ce->lsm_profile);

+		if (ret)

+			break;

+		ret = selinux_get_sockcreate_label(pid, &ce->lsm_sockcreate);

 		break;

 #endif

 	default:

@@ -153,6 +183,8 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)

 	if (ce->lsm_profile)

 		pr_info("%d has lsm profile %s\n", pid, ce->lsm_profile);

+	if (ce->lsm_sockcreate)

+		pr_info("%d has lsm sockcreate label %s\n", pid, ce->lsm_sockcreate);

 	return ret;

 }

diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c

index 6e18cc2606..4f42605a09 100644

--- a/criu/pie/restorer.c

+++ b/criu/pie/restorer.c

@@ -149,7 +149,7 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data)

 	sys_exit_group(1);

 }

-static int lsm_set_label(char *label, int procfd)

+static int lsm_set_label(char *label, char *type, int procfd)

 {

 	int ret = -1, len, lsmfd;

 	char path[STD_LOG_SIMPLE_CHUNK];

@@ -157,9 +157,9 @@ static int lsm_set_label(char *label, int procfd)

 	if (!label)

 		return 0;

-	pr_info("restoring lsm profile %s\n", label);

+	pr_info("restoring lsm profile (%s) %s\n", type, label);

-	std_sprintf(path, "self/task/%ld/attr/current", sys_gettid());

+	std_sprintf(path, "self/task/%ld/attr/%s", sys_gettid(), type);

 	lsmfd = sys_openat(procfd, path, O_WRONLY, 0);

 	if (lsmfd < 0) {

@@ -305,9 +305,14 @@ static int restore_creds(struct thread_creds_args *args, int procfd,

 		 * SELinux and instead the process context is set before the

 		 * threads are created.

 		 */

-		if (lsm_set_label(args->lsm_profile, procfd) < 0)

+		if (lsm_set_label(args->lsm_profile, "current", procfd) < 0)

 			return -1;

 	}

+

+	/* Also set the sockcreate label for all threads */

+	if (lsm_set_label(args->lsm_sockcreate, "sockcreate", procfd) < 0)

+		return -1;

+

 	return 0;

 }

@@ -1571,7 +1576,7 @@ long __export_restore_task(struct task_restore_args *args)

 	if (args->lsm_type == LSMTYPE__SELINUX) {

 		/* Only for SELinux */

 		if (lsm_set_label(args->t->creds_args->lsm_profile,

-				  args->proc_fd) < 0)

+				  "current", args->proc_fd) < 0)

 			goto core_restore_end;

 	}

diff --git a/images/creds.proto b/images/creds.proto

index 29fb8652eb..23b84c7e50 100644

--- a/images/creds.proto

+++ b/images/creds.proto

@@ -20,4 +20,5 @@ message creds_entry {

 	repeated uint32	groups	= 14;

 	optional string lsm_profile = 15;

+	optional string lsm_sockcreate = 16;

 }

From 495e6aa7ac51fcb36e6bc5f6c97f44cab7649b9c Mon Sep 17 00:00:00 2001

From: Adrian Reber <areber@redhat.com>

Date: Thu, 2 May 2019 13:47:29 +0000

Subject: [PATCH 2/4] test: Verify that sockcreate does not change during

 restore

This makes sure that sockcreate stays empty for selinux00 before and

after checkpoint/restore.

Signed-off-by: Adrian Reber <areber@redhat.com>

---

 test/zdtm/static/selinux00.c | 34 ++++++++++++++++++++++++++++++++++

 1 file changed, 34 insertions(+)

diff --git a/test/zdtm/static/selinux00.c b/test/zdtm/static/selinux00.c

index dd9096a6fc..db8420eacb 100644

--- a/test/zdtm/static/selinux00.c

+++ b/test/zdtm/static/selinux00.c

@@ -83,6 +83,31 @@ int checkprofile()

 	return 0;

 }

+int check_sockcreate()

+{

+	char *output = NULL;

+	FILE *f = fopen("/proc/self/attr/sockcreate", "r");

+	int ret = fscanf(f, "%ms", &output);

+	fclose(f);

+

+	if (ret >= 1) {

+		free(output);

+		/* sockcreate should be empty, if fscanf found something

+		 * it is wrong.*/

+		fail("sockcreate should be empty\n");

+		return -1;

+	}

+

+	if (output) {

+		free(output);

+		/* Same here, output should still be NULL. */

+		fail("sockcreate should be empty\n");

+		return -1;

+	}

+

+	return 0;

+}

+

 int main(int argc, char **argv)

 {

 	test_init(argc, argv);

@@ -95,12 +120,21 @@ int main(int argc, char **argv)

 		return 0;

 	}

+	if (check_sockcreate())

+		return -1;

+

 	if (setprofile())

 		return -1;

+	if (check_sockcreate())

+		return -1;

+

 	test_daemon();

 	test_waitsig();

+	if (check_sockcreate())

+		return -1;

+

 	if (checkprofile() == 0)

 		pass();

From fe52cf66b38a261846ff40fc425085724b2acc15 Mon Sep 17 00:00:00 2001

From: Adrian Reber <areber@redhat.com>

Date: Mon, 29 Apr 2019 15:21:59 +0200

Subject: [PATCH 3/4] sockets: dump and restore xattr security labels

Restoring a SELinux process also requires to correctly label sockets.

During checkpointing fgetxattr() is used to retrieve the

"security.selinux" xattr and during restore setsockcreatecon() is used

before a socket is created.

Previous commits are already restoring the sockcreate SELinux setting if

set by the process.

Signed-off-by: Adrian Reber <areber@redhat.com>

---

 criu/include/lsm.h  | 18 +++++++++++++++

 criu/lsm.c          | 56 +++++++++++++++++++++++++++++++++++++++++++++

 criu/sk-inet.c      | 12 ++++++++++

 criu/sockets.c      |  4 ++++

 images/fdinfo.proto |  1 +

 5 files changed, 91 insertions(+)

diff --git a/criu/include/lsm.h b/criu/include/lsm.h

index b4fce13039..3b82712829 100644

--- a/criu/include/lsm.h

+++ b/criu/include/lsm.h

@@ -3,6 +3,7 @@

 #include "images/inventory.pb-c.h"

 #include "images/creds.pb-c.h"

+#include "images/fdinfo.pb-c.h"

 #define AA_SECURITYFS_PATH "/sys/kernel/security/apparmor"

@@ -34,4 +35,21 @@ int validate_lsm(char *profile);

 int render_lsm_profile(char *profile, char **val);

 extern int lsm_check_opts(void);

+

+#ifdef CONFIG_HAS_SELINUX

+int dump_xattr_security_selinux(int fd, FdinfoEntry *e);

+int run_setsockcreatecon(FdinfoEntry *e);

+int reset_setsockcreatecon();

+#else

+static inline int dump_xattr_security_selinux(int fd, FdinfoEntry *e) {

+	return 0;

+}

+static inline int run_setsockcreatecon(FdinfoEntry *e) {

+	return 0;

+}

+static inline int reset_setsockcreatecon() {

+	return 0;

+}

+#endif

+

 #endif /* __CR_LSM_H__ */

diff --git a/criu/lsm.c b/criu/lsm.c

index b0ef0c396c..ef6ba112b3 100644

--- a/criu/lsm.c

+++ b/criu/lsm.c

@@ -3,6 +3,7 @@

 #include <stdlib.h>

 #include <fcntl.h>

 #include <sys/types.h>

+#include <sys/xattr.h>

 #include <unistd.h>

 #include "common/config.h"

@@ -11,10 +12,12 @@

 #include "util.h"

 #include "cr_options.h"

 #include "lsm.h"

+#include "fdstore.h"

 #include "protobuf.h"

 #include "images/inventory.pb-c.h"

 #include "images/creds.pb-c.h"

+#include "images/fdinfo.pb-c.h"

 #ifdef CONFIG_HAS_SELINUX

 #include <selinux/selinux.h>

@@ -124,6 +127,59 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)

 	fclose(f);

 	return 0;

 }

+

+int reset_setsockcreatecon()

+{

+	return setsockcreatecon_raw(NULL);

+}

+

+int run_setsockcreatecon(FdinfoEntry *e)

+{

+	char *ctx = NULL;

+

+	/* Currently this only works for SELinux. */

+	if (kdat.lsm != LSMTYPE__SELINUX)

+		return 0;

+

+	ctx = e->xattr_security_selinux;

+	/* Writing to the FD using fsetxattr() did not work for some reason. */

+	return setsockcreatecon_raw(ctx);

+}

+

+int dump_xattr_security_selinux(int fd, FdinfoEntry *e)

+{

+	char *ctx = NULL;

+	int len;

+	int ret;

+

+	/* Currently this only works for SELinux. */

+	if (kdat.lsm != LSMTYPE__SELINUX)

+		return 0;

+

+	/* Get the size of the xattr. */

+	len = fgetxattr(fd, "security.selinux", ctx, 0);

+	if (len == -1) {

+		pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);

+		return -1;

+	}

+

+	ctx = xmalloc(len);

+	if (!ctx) {

+		pr_err("xmalloc to read xattr for FD %d failed\n", fd);

+		return -1;

+	}

+

+	ret = fgetxattr(fd, "security.selinux", ctx, len);

+	if (len != ret) {

+		pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);

+		return -1;

+	}

+

+	e->xattr_security_selinux = ctx;

+

+	return 0;

+}

+

 #endif

 void kerndat_lsm(void)

diff --git a/criu/sk-inet.c b/criu/sk-inet.c

index 60ee4c3155..ca5c9bf2cd 100644

--- a/criu/sk-inet.c

+++ b/criu/sk-inet.c

@@ -23,6 +23,9 @@

 #include "files.h"

 #include "image.h"

 #include "log.h"

+#include "lsm.h"

+#include "kerndat.h"

+#include "pstree.h"

 #include "rst-malloc.h"

 #include "sockets.h"

 #include "sk-inet.h"

@@ -30,6 +33,8 @@

 #include "util.h"

 #include "namespaces.h"

+#include "images/inventory.pb-c.h"

+

 #undef  LOG_PREFIX

 #define LOG_PREFIX "inet: "

@@ -804,12 +809,18 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)

 	if (set_netns(ie->ns_id))

 		return -1;

+	if (run_setsockcreatecon(fle->fe))

+		return -1;

+

 	sk = socket(ie->family, ie->type, ie->proto);

 	if (sk < 0) {

 		pr_perror("Can't create inet socket");

 		return -1;

 	}

+	if (reset_setsockcreatecon())

+		return -1;

+

 	if (ie->v6only) {

 		if (restore_opt(sk, SOL_IPV6, IPV6_V6ONLY, &yes) == -1)

 			goto err;

@@ -895,6 +906,7 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)

 	}

 	*new_fd = sk;

+

 	return 1;

 err:

 	close(sk);

diff --git a/criu/sockets.c b/criu/sockets.c

index 30072ac737..7f7453ca1d 100644

--- a/criu/sockets.c

+++ b/criu/sockets.c

@@ -22,6 +22,7 @@

 #include "util-pie.h"

 #include "sk-packet.h"

 #include "namespaces.h"

+#include "lsm.h"

 #include "net.h"

 #include "xmalloc.h"

 #include "fs-magic.h"

@@ -663,6 +664,9 @@ int dump_socket(struct fd_parms *p, int lfd, FdinfoEntry *e)

 	int family;

 	const struct fdtype_ops *ops;

+	if (dump_xattr_security_selinux(lfd, e))

+		return -1;

+

 	if (dump_opt(lfd, SOL_SOCKET, SO_DOMAIN, &family))

 		return -1;

diff --git a/images/fdinfo.proto b/images/fdinfo.proto

index ed82ceffe7..77e375aa94 100644

--- a/images/fdinfo.proto

+++ b/images/fdinfo.proto

@@ -47,6 +47,7 @@ message fdinfo_entry {

 	required uint32		flags	= 2;

 	required fd_types	type	= 3;

 	required uint32		fd	= 4;

+	optional string		xattr_security_selinux = 5;

 }

 message file_entry {

From ba42d30fad82f17a66617a33f03d3da05cc73bfe Mon Sep 17 00:00:00 2001

From: Adrian Reber <areber@redhat.com>

Date: Tue, 30 Apr 2019 09:47:32 +0000

Subject: [PATCH 4/4] selinux: add socket label test

This adds two more SELinux test to verfy that checkpointing and

restoring SELinux socket labels works correctly, if the process uses

setsockcreatecon() or if the process leaves the default context for

newly created sockets.

Signed-off-by: Adrian Reber <areber@redhat.com>

---

 test/zdtm/static/Makefile            |   3 +

 test/zdtm/static/selinux01.c         | 200 +++++++++++++++++++++++++++

 test/zdtm/static/selinux01.checkskip |   1 +

 test/zdtm/static/selinux01.desc      |   1 +

 test/zdtm/static/selinux01.hook      |   1 +

 test/zdtm/static/selinux02.c         |   1 +

 test/zdtm/static/selinux02.checkskip |   1 +

 test/zdtm/static/selinux02.desc      |   1 +

 test/zdtm/static/selinux02.hook      |   1 +

 9 files changed, 210 insertions(+)

 create mode 100644 test/zdtm/static/selinux01.c

 create mode 120000 test/zdtm/static/selinux01.checkskip

 create mode 120000 test/zdtm/static/selinux01.desc

 create mode 120000 test/zdtm/static/selinux01.hook

 create mode 120000 test/zdtm/static/selinux02.c

 create mode 120000 test/zdtm/static/selinux02.checkskip

 create mode 120000 test/zdtm/static/selinux02.desc

 create mode 120000 test/zdtm/static/selinux02.hook

diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile

index 8e3f39276a..1ffaa90394 100644

--- a/test/zdtm/static/Makefile

+++ b/test/zdtm/static/Makefile

@@ -211,6 +211,8 @@ TST_NOFILE	:=				\

 		thp_disable			\

 		pid_file			\

 		selinux00			\

+		selinux01			\

+		selinux02			\

 #		jobctl00			\

 ifneq ($(SRCARCH),arm)

@@ -513,6 +515,7 @@ unlink_fstat041:		CFLAGS += -DUNLINK_FSTAT041 -DUNLINK_FSTAT04

 ghost_holes01:		CFLAGS += -DTAIL_HOLE

 ghost_holes02:		CFLAGS += -DHEAD_HOLE

 sk-freebind-false:	CFLAGS += -DZDTM_FREEBIND_FALSE

+selinux02:		CFLAGS += -DUSING_SOCKCREATE

 stopped01:		CFLAGS += -DZDTM_STOPPED_KILL

 stopped02:		CFLAGS += -DZDTM_STOPPED_TKILL

 stopped12:		CFLAGS += -DZDTM_STOPPED_KILL -DZDTM_STOPPED_TKILL

diff --git a/test/zdtm/static/selinux01.c b/test/zdtm/static/selinux01.c

new file mode 100644

index 0000000000..9966455c47

--- /dev/null

+++ b/test/zdtm/static/selinux01.c

@@ -0,0 +1,200 @@

+#include <unistd.h>

+#include <stdio.h>

+#include <stdlib.h>

+#include <string.h>

+#include <fcntl.h>

+#include <sys/stat.h>

+#include <sys/types.h>

+#include <sys/mount.h>

+#include <sys/socket.h>

+#include <sys/xattr.h>

+#include <linux/limits.h>

+#include <signal.h>

+#include "zdtmtst.h"

+

+/* Enabling the right policy happens in selinux00.hook and selinx00.checkskip */

+

+const char *test_doc	= "Check that a SELinux socket context is restored";

+const char *test_author	= "Adrian Reber <areber@redhat.com>";

+

+/* This is all based on Tycho's apparmor code */

+

+#define CONTEXT "unconfined_u:unconfined_r:unconfined_dbusd_t:s0"

+

+/*

+ * This is used to store the state of SELinux. For this test

+ * SELinux is switched to permissive mode and later the previous

+ * SELinux state is restored.

+ */

+char state;

+

+int check_for_selinux()

+{

+	if (access("/sys/fs/selinux", F_OK) == 0)

+		return 0;

+	return 1;

+}

+

+int setprofile()

+{

+	int fd, len;

+

+	fd = open("/proc/self/attr/current", O_WRONLY);

+	if (fd < 0) {

+		fail("Could not open /proc/self/attr/current\n");

+		return -1;

+	}

+

+	len = write(fd, CONTEXT, strlen(CONTEXT));

+	close(fd);

+

+	if (len < 0) {

+		fail("Could not write context\n");

+		return -1;

+	}

+

+	return 0;

+}

+

+int set_sockcreate()

+{

+	int fd, len;

+

+	fd = open("/proc/self/attr/sockcreate", O_WRONLY);

+	if (fd < 0) {

+		fail("Could not open /proc/self/attr/sockcreate\n");

+		return -1;

+	}

+

+	len = write(fd, CONTEXT, strlen(CONTEXT));

+	close(fd);

+

+	if (len < 0) {

+		fail("Could not write context\n");

+		return -1;

+	}

+

+	return 0;

+}

+

+int check_sockcreate()

+{

+	int fd;

+	char context[1024];

+	int len;

+

+

+	fd = open("/proc/self/attr/sockcreate", O_RDONLY);

+	if (fd < 0) {

+		fail("Could not open /proc/self/attr/sockcreate\n");

+		return -1;

+	}

+

+	len = read(fd, context, strlen(CONTEXT));

+	close(fd);

+	if (len != strlen(CONTEXT)) {

+		fail("SELinux context has unexpected length %d, expected %zd\n",

+			len, strlen(CONTEXT));

+		return -1;

+	}

+

+	if (strncmp(context, CONTEXT, strlen(CONTEXT)) != 0) {

+		fail("Wrong SELinux context %s expected %s\n", context, CONTEXT);

+		return -1;

+	}

+

+	return 0;

+}

+

+int check_sockcreate_empty()

+{

+	char *output = NULL;

+	FILE *f = fopen("/proc/self/attr/sockcreate", "r");

+	int ret = fscanf(f, "%ms", &output);

+	fclose(f);

+

+	if (ret >= 1) {

+		free(output);

+		/* sockcreate should be empty, if fscanf found something

+		 * it is wrong.*/

+		fail("sockcreate should be empty\n");

+		return -1;

+	}

+

+	if (output) {

+		free(output);

+		/* Same here, output should still be NULL. */

+		fail("sockcreate should be empty\n");

+		return -1;

+	}

+

+	return 0;

+}

+

+int main(int argc, char **argv)

+{

+	char ctx[1024];

+	test_init(argc, argv);

+

+	if (check_for_selinux()) {

+		skip("SELinux not found on this system.");