tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge git://git.infradead.org/users/eparis/selinux
Conflicts:
security/selinux/hooks.c
Pull Eric's existing SELinux tree as there are a number of patches in
there that are not yet upstream. There was some minor fixup needed to
resolve a conflict in security/selinux/hooks.c:selinux_set_mnt_opts()
between the labeled NFS patches and Eric's security_fs_use()
simplification patch.
+449
-397
+18
-8
include/linux/security.h
+18
-8
include/linux/security.h
···
1052
1052
* @xfrm_policy_delete_security:
1053
1053
* @ctx contains the xfrm_sec_ctx.
1054
1054
* Authorize deletion of xp->security.
1055
-
* @xfrm_state_alloc_security:
1055
+
* @xfrm_state_alloc:
1056
1056
* @x contains the xfrm_state being added to the Security Association
1057
1057
* Database by the XFRM system.
1058
1058
* @sec_ctx contains the security context information being provided by
1059
1059
* the user-level SA generation program (e.g., setkey or racoon).
1060
-
* @secid contains the secid from which to take the mls portion of the context.
1061
1060
* Allocate a security structure to the x->security field; the security
1062
1061
* field is initialized to NULL when the xfrm_state is allocated. Set the
1063
-
* context to correspond to either sec_ctx or polsec, with the mls portion
1064
-
* taken from secid in the latter case.
1065
-
* Return 0 if operation was successful (memory to allocate, legal context).
1062
+
* context to correspond to sec_ctx. Return 0 if operation was successful
1063
+
* (memory to allocate, legal context).
1064
+
* @xfrm_state_alloc_acquire:
1065
+
* @x contains the xfrm_state being added to the Security Association
1066
+
* Database by the XFRM system.
1067
+
* @polsec contains the policy's security context.
1068
+
* @secid contains the secid from which to take the mls portion of the
1069
+
* context.
1070
+
* Allocate a security structure to the x->security field; the security
1071
+
* field is initialized to NULL when the xfrm_state is allocated. Set the
1072
+
* context to correspond to secid. Return 0 if operation was successful
1073
+
* (memory to allocate, legal context).
1066
1074
* @xfrm_state_free_security:
1067
1075
* @x contains the xfrm_state.
1068
1076
* Deallocate x->security.
···
1687
1679
int (*xfrm_policy_clone_security) (struct xfrm_sec_ctx *old_ctx, struct xfrm_sec_ctx **new_ctx);
1688
1680
void (*xfrm_policy_free_security) (struct xfrm_sec_ctx *ctx);
1689
1681
int (*xfrm_policy_delete_security) (struct xfrm_sec_ctx *ctx);
1690
-
int (*xfrm_state_alloc_security) (struct xfrm_state *x,
1691
-
struct xfrm_user_sec_ctx *sec_ctx,
1692
-
u32 secid);
1682
+
int (*xfrm_state_alloc) (struct xfrm_state *x,
1683
+
struct xfrm_user_sec_ctx *sec_ctx);
1684
+
int (*xfrm_state_alloc_acquire) (struct xfrm_state *x,
1685
+
struct xfrm_sec_ctx *polsec,
1686
+
u32 secid);
1693
1687
void (*xfrm_state_free_security) (struct xfrm_state *x);
1694
1688
int (*xfrm_state_delete_security) (struct xfrm_state *x);
1695
1689
int (*xfrm_policy_lookup) (struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
+11
-4
security/capability.c
+11
-4
security/capability.c
···
777
777
return 0;
778
778
}
779
779
780
-
static int cap_xfrm_state_alloc_security(struct xfrm_state *x,
781
-
struct xfrm_user_sec_ctx *sec_ctx,
782
-
u32 secid)
780
+
static int cap_xfrm_state_alloc(struct xfrm_state *x,
781
+
struct xfrm_user_sec_ctx *sec_ctx)
782
+
{
783
+
return 0;
784
+
}
785
+
786
+
static int cap_xfrm_state_alloc_acquire(struct xfrm_state *x,
787
+
struct xfrm_sec_ctx *polsec,
788
+
u32 secid)
783
789
{
784
790
return 0;
785
791
}
···
1107
1101
set_to_cap_if_null(ops, xfrm_policy_clone_security);
1108
1102
set_to_cap_if_null(ops, xfrm_policy_free_security);
1109
1103
set_to_cap_if_null(ops, xfrm_policy_delete_security);
1110
-
set_to_cap_if_null(ops, xfrm_state_alloc_security);
1104
+
set_to_cap_if_null(ops, xfrm_state_alloc);
1105
+
set_to_cap_if_null(ops, xfrm_state_alloc_acquire);
1111
1106
set_to_cap_if_null(ops, xfrm_state_free_security);
1112
1107
set_to_cap_if_null(ops, xfrm_state_delete_security);
1113
1108
set_to_cap_if_null(ops, xfrm_policy_lookup);
+4
-9
security/security.c
+4
-9
security/security.c
···
1342
1342
return security_ops->xfrm_policy_delete_security(ctx);
1343
1343
}
1344
1344
1345
-
int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
1345
+
int security_xfrm_state_alloc(struct xfrm_state *x,
1346
+
struct xfrm_user_sec_ctx *sec_ctx)
1346
1347
{
1347
-
return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0);
1348
+
return security_ops->xfrm_state_alloc(x, sec_ctx);
1348
1349
}
1349
1350
EXPORT_SYMBOL(security_xfrm_state_alloc);
1350
1351
1351
1352
int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
1352
1353
struct xfrm_sec_ctx *polsec, u32 secid)
1353
1354
{
1354
-
if (!polsec)
1355
-
return 0;
1356
-
/*
1357
-
* We want the context to be taken from secid which is usually
1358
-
* from the sock.
1359
-
*/
1360
-
return security_ops->xfrm_state_alloc_security(x, NULL, secid);
1355
+
return security_ops->xfrm_state_alloc_acquire(x, polsec, secid);
1361
1356
}
1362
1357
1363
1358
int security_xfrm_state_delete(struct xfrm_state *x)
+94
-52
security/selinux/hooks.c
+94
-52
security/selinux/hooks.c
···
95
95
#include "audit.h"
96
96
#include "avc_ss.h"
97
97
98
-
#define NUM_SEL_MNT_OPTS 5
98
+
#define SB_TYPE_FMT "%s%s%s"
99
+
#define SB_SUBTYPE(sb) (sb->s_subtype && sb->s_subtype[0])
100
+
#define SB_TYPE_ARGS(sb) sb->s_type->name, SB_SUBTYPE(sb) ? "." : "", SB_SUBTYPE(sb) ? sb->s_subtype : ""
99
101
100
102
extern struct security_operations *security_ops;
101
103
···
141
139
* This function checks the SECMARK reference counter to see if any SECMARK
142
140
* targets are currently configured, if the reference counter is greater than
143
141
* zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
144
-
* enabled, false (0) if SECMARK is disabled.
142
+
* enabled, false (0) if SECMARK is disabled. If the always_check_network
143
+
* policy capability is enabled, SECMARK is always considered enabled.
145
144
*
146
145
*/
147
146
static int selinux_secmark_enabled(void)
148
147
{
149
-
return (atomic_read(&selinux_secmark_refcount) > 0);
148
+
return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
149
+
}
150
+
151
+
/**
152
+
* selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
153
+
*
154
+
* Description:
155
+
* This function checks if NetLabel or labeled IPSEC is enabled. Returns true
156
+
* (1) if any are enabled or false (0) if neither are enabled. If the
157
+
* always_check_network policy capability is enabled, peer labeling
158
+
* is always considered enabled.
159
+
*
160
+
*/
161
+
static int selinux_peerlbl_enabled(void)
162
+
{
163
+
return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
150
164
}
151
165
152
166
/*
···
327
309
Opt_defcontext = 3,
328
310
Opt_rootcontext = 4,
329
311
Opt_labelsupport = 5,
312
+
Opt_nextmntopt = 6,
330
313
};
314
+
315
+
#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
331
316
332
317
static const match_table_t tokens = {
333
318
{Opt_context, CONTEXT_STR "%s"},
···
376
355
return rc;
377
356
}
378
357
358
+
static int selinux_is_sblabel_mnt(struct super_block *sb)
359
+
{
360
+
struct superblock_security_struct *sbsec = sb->s_security;
361
+
362
+
if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
363
+
sbsec->behavior == SECURITY_FS_USE_TRANS ||
364
+
sbsec->behavior == SECURITY_FS_USE_TASK)
365
+
return 1;
366
+
367
+
/* Special handling for sysfs. Is genfs but also has setxattr handler*/
368
+
if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
369
+
return 1;
370
+
371
+
/*
372
+
* Special handling for rootfs. Is genfs but supports
373
+
* setting SELinux context on in-core inodes.
374
+
*/
375
+
if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
376
+
return 1;
377
+
378
+
return 0;
379
+
}
380
+
379
381
static int sb_finish_set_opts(struct super_block *sb)
380
382
{
381
383
struct superblock_security_struct *sbsec = sb->s_security;
···
413
369
the first boot of the SELinux kernel before we have
414
370
assigned xattr values to the filesystem. */
415
371
if (!root_inode->i_op->getxattr) {
416
-
printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
417
-
"xattr support\n", sb->s_id, sb->s_type->name);
372
+
printk(KERN_WARNING "SELinux: (dev %s, type "SB_TYPE_FMT") has no "
373
+
"xattr support\n", sb->s_id, SB_TYPE_ARGS(sb));
418
374
rc = -EOPNOTSUPP;
419
375
goto out;
420
376
}
···
422
378
if (rc < 0 && rc != -ENODATA) {
423
379
if (rc == -EOPNOTSUPP)
424
380
printk(KERN_WARNING "SELinux: (dev %s, type "
425
-
"%s) has no security xattr handler\n",
426
-
sb->s_id, sb->s_type->name);
381
+
SB_TYPE_FMT") has no security xattr handler\n",
382
+
sb->s_id, SB_TYPE_ARGS(sb));
427
383
else
428
384
printk(KERN_WARNING "SELinux: (dev %s, type "
429
-
"%s) getxattr errno %d\n", sb->s_id,
430
-
sb->s_type->name, -rc);
385
+
SB_TYPE_FMT") getxattr errno %d\n", sb->s_id,
386
+
SB_TYPE_ARGS(sb), -rc);
431
387
goto out;
432
388
}
433
389
}
434
390
435
-
sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
436
-
437
391
if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
438
-
printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
439
-
sb->s_id, sb->s_type->name);
392
+
printk(KERN_ERR "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), unknown behavior\n",
393
+
sb->s_id, SB_TYPE_ARGS(sb));
440
394
else
441
-
printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
442
-
sb->s_id, sb->s_type->name,
395
+
printk(KERN_DEBUG "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), %s\n",
396
+
sb->s_id, SB_TYPE_ARGS(sb),
443
397
labeling_behaviors[sbsec->behavior-1]);
444
398
445
-
if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
446
-
sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
447
-
sbsec->behavior == SECURITY_FS_USE_NONE ||
448
-
sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
449
-
sbsec->flags &= ~SE_SBLABELSUPP;
450
-
451
-
/* Special handling for sysfs. Is genfs but also has setxattr handler*/
452
-
if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
453
-
sbsec->flags |= SE_SBLABELSUPP;
399
+
sbsec->flags |= SE_SBINITIALIZED;
400
+
if (selinux_is_sblabel_mnt(sb))
401
+
sbsec->flags |= SBLABEL_MNT;
454
402
455
403
/* Initialize the root inode. */
456
404
rc = inode_doinit_with_dentry(root_inode, root);
···
496
460
if (!ss_initialized)
497
461
return -EINVAL;
498
462
463
+
/* make sure we always check enough bits to cover the mask */
464
+
BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
465
+
499
466
tmp = sbsec->flags & SE_MNTMASK;
500
467
/* count the number of mount options for this sb */
501
-
for (i = 0; i < 8; i++) {
468
+
for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
502
469
if (tmp & 0x01)
503
470
opts->num_mnt_opts++;
504
471
tmp >>= 1;
505
472
}
506
473
/* Check if the Label support flag is set */
507
-
if (sbsec->flags & SE_SBLABELSUPP)
474
+
if (sbsec->flags & SBLABEL_MNT)
508
475
opts->num_mnt_opts++;
509
476
510
477
opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
···
554
515
opts->mnt_opts[i] = context;
555
516
opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
556
517
}
557
-
if (sbsec->flags & SE_SBLABELSUPP) {
518
+
if (sbsec->flags & SBLABEL_MNT) {
558
519
opts->mnt_opts[i] = NULL;
559
-
opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
520
+
opts->mnt_opts_flags[i++] = SBLABEL_MNT;
560
521
}
561
522
562
523
BUG_ON(i != opts->num_mnt_opts);
···
600
561
const struct cred *cred = current_cred();
601
562
int rc = 0, i;
602
563
struct superblock_security_struct *sbsec = sb->s_security;
603
-
const char *name = sb->s_type->name;
604
564
struct inode *inode = sbsec->sb->s_root->d_inode;
605
565
struct inode_security_struct *root_isec = inode->i_security;
606
566
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
···
652
614
for (i = 0; i < num_opts; i++) {
653
615
u32 sid;
654
616
655
-
if (flags[i] == SE_SBLABELSUPP)
617
+
if (flags[i] == SBLABEL_MNT)
656
618
continue;
657
619
rc = security_context_to_sid(mount_options[i],
658
620
strlen(mount_options[i]), &sid);
659
621
if (rc) {
660
622
printk(KERN_WARNING "SELinux: security_context_to_sid"
661
-
"(%s) failed for (dev %s, type %s) errno=%d\n",
662
-
mount_options[i], sb->s_id, name, rc);
623
+
"(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
624
+
mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
663
625
goto out;
664
626
}
665
627
switch (flags[i]) {
···
723
685
* Determine the labeling behavior to use for this
724
686
* filesystem type.
725
687
*/
726
-
rc = security_fs_use((sbsec->flags & SE_SBPROC) ?
727
-
"proc" : sb->s_type->name,
728
-
&sbsec->behavior, &sbsec->sid);
688
+
rc = security_fs_use(sb);
729
689
if (rc) {
730
690
printk(KERN_WARNING
731
691
"%s: security_fs_use(%s) returned %d\n",
···
806
770
out_double_mount:
807
771
rc = -EINVAL;
808
772
printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
809
-
"security settings for (dev %s, type %s)\n", sb->s_id, name);
773
+
"security settings for (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
774
+
SB_TYPE_ARGS(sb));
810
775
goto out;
811
776
}
812
777
···
1074
1037
case DEFCONTEXT_MNT:
1075
1038
prefix = DEFCONTEXT_STR;
1076
1039
break;
1077
-
case SE_SBLABELSUPP:
1040
+
case SBLABEL_MNT:
1078
1041
seq_putc(m, ',');
1079
1042
seq_puts(m, LABELSUPP_STR);
1080
1043
continue;
···
1687
1650
if (rc)
1688
1651
return rc;
1689
1652
1690
-
if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1653
+
if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1691
1654
rc = security_transition_sid(sid, dsec->sid, tclass,
1692
1655
&dentry->d_name, &newsid);
1693
1656
if (rc)
···
2475
2438
u32 sid;
2476
2439
size_t len;
2477
2440
2478
-
if (flags[i] == SE_SBLABELSUPP)
2441
+
if (flags[i] == SBLABEL_MNT)
2479
2442
continue;
2480
2443
len = strlen(mount_options[i]);
2481
2444
rc = security_context_to_sid(mount_options[i], len, &sid);
2482
2445
if (rc) {
2483
2446
printk(KERN_WARNING "SELinux: security_context_to_sid"
2484
-
"(%s) failed for (dev %s, type %s) errno=%d\n",
2485
-
mount_options[i], sb->s_id, sb->s_type->name, rc);
2447
+
"(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
2448
+
mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
2486
2449
goto out_free_opts;
2487
2450
}
2488
2451
rc = -EINVAL;
···
2520
2483
return rc;
2521
2484
out_bad_option:
2522
2485
printk(KERN_WARNING "SELinux: unable to change security options "
2523
-
"during remount (dev %s, type=%s)\n", sb->s_id,
2524
-
sb->s_type->name);
2486
+
"during remount (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
2487
+
SB_TYPE_ARGS(sb));
2525
2488
goto out_free_opts;
2526
2489
}
2527
2490
···
2643
2606
if ((sbsec->flags & SE_SBINITIALIZED) &&
2644
2607
(sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2645
2608
newsid = sbsec->mntpoint_sid;
2646
-
else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2609
+
else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2647
2610
rc = security_transition_sid(sid, dsec->sid,
2648
2611
inode_mode_to_security_class(inode->i_mode),
2649
2612
qstr, &newsid);
···
2665
2628
isec->initialized = 1;
2666
2629
}
2667
2630
2668
-
if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2631
+
if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2669
2632
return -EOPNOTSUPP;
2670
2633
2671
2634
if (name) {
···
2873
2836
return selinux_inode_setotherxattr(dentry, name);
2874
2837
2875
2838
sbsec = inode->i_sb->s_security;
2876
-
if (!(sbsec->flags & SE_SBLABELSUPP))
2839
+
if (!(sbsec->flags & SBLABEL_MNT))
2877
2840
return -EOPNOTSUPP;
2878
2841
2879
2842
if (!inode_owner_or_capable(inode))
···
3834
3797
u32 nlbl_sid;
3835
3798
u32 nlbl_type;
3836
3799
3837
-
selinux_skb_xfrm_sid(skb, &xfrm_sid);
3838
-
selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3800
+
err = selinux_skb_xfrm_sid(skb, &xfrm_sid);
3801
+
if (unlikely(err))
3802
+
return -EACCES;
3803
+
err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3804
+
if (unlikely(err))
3805
+
return -EACCES;
3839
3806
3840
3807
err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3841
3808
if (unlikely(err)) {
···
4293
4252
return selinux_sock_rcv_skb_compat(sk, skb, family);
4294
4253
4295
4254
secmark_active = selinux_secmark_enabled();
4296
-
peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4255
+
peerlbl_active = selinux_peerlbl_enabled();
4297
4256
if (!secmark_active && !peerlbl_active)
4298
4257
return 0;
4299
4258
···
4675
4634
4676
4635
secmark_active = selinux_secmark_enabled();
4677
4636
netlbl_active = netlbl_enabled();
4678
-
peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4637
+
peerlbl_active = selinux_peerlbl_enabled();
4679
4638
if (!secmark_active && !peerlbl_active)
4680
4639
return NF_ACCEPT;
4681
4640
···
4827
4786
return NF_ACCEPT;
4828
4787
#endif
4829
4788
secmark_active = selinux_secmark_enabled();
4830
-
peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4789
+
peerlbl_active = selinux_peerlbl_enabled();
4831
4790
if (!secmark_active && !peerlbl_active)
4832
4791
return NF_ACCEPT;
4833
4792
···
5831
5790
.xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5832
5791
.xfrm_policy_free_security = selinux_xfrm_policy_free,
5833
5792
.xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5834
-
.xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5793
+
.xfrm_state_alloc = selinux_xfrm_state_alloc,
5794
+
.xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5835
5795
.xfrm_state_free_security = selinux_xfrm_state_free,
5836
5796
.xfrm_state_delete_security = selinux_xfrm_state_delete,
5837
5797
.xfrm_policy_lookup = selinux_xfrm_policy_lookup,
+2
-2
security/selinux/include/objsec.h
+2
-2
security/selinux/include/objsec.h
···
58
58
u32 sid; /* SID of file system superblock */
59
59
u32 def_sid; /* default SID for labeling */
60
60
u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
61
-
unsigned int behavior; /* labeling behavior */
62
-
unsigned char flags; /* which mount options were specified */
61
+
unsigned short behavior; /* labeling behavior */
62
+
unsigned short flags; /* which mount options were specified */
63
63
struct mutex lock;
64
64
struct list_head isec_head;
65
65
spinlock_t isec_lock;
+8
-5
security/selinux/include/security.h
+8
-5
security/selinux/include/security.h
···
45
45
/* Mask for just the mount related flags */
46
46
#define SE_MNTMASK 0x0f
47
47
/* Super block security struct flags for mount options */
48
+
/* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */
48
49
#define CONTEXT_MNT 0x01
49
50
#define FSCONTEXT_MNT 0x02
50
51
#define ROOTCONTEXT_MNT 0x04
51
52
#define DEFCONTEXT_MNT 0x08
53
+
#define SBLABEL_MNT 0x10
52
54
/* Non-mount related flags */
53
-
#define SE_SBINITIALIZED 0x10
54
-
#define SE_SBPROC 0x20
55
-
#define SE_SBLABELSUPP 0x40
55
+
#define SE_SBINITIALIZED 0x0100
56
+
#define SE_SBPROC 0x0200
56
57
57
58
#define CONTEXT_STR "context="
58
59
#define FSCONTEXT_STR "fscontext="
···
69
68
enum {
70
69
POLICYDB_CAPABILITY_NETPEER,
71
70
POLICYDB_CAPABILITY_OPENPERM,
71
+
POLICYDB_CAPABILITY_REDHAT1,
72
+
POLICYDB_CAPABILITY_ALWAYSNETWORK,
72
73
__POLICYDB_CAPABILITY_MAX
73
74
};
74
75
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
75
76
76
77
extern int selinux_policycap_netpeer;
77
78
extern int selinux_policycap_openperm;
79
+
extern int selinux_policycap_alwaysnetwork;
78
80
79
81
/*
80
82
* type_datum properties
···
176
172
#define SECURITY_FS_USE_NATIVE 7 /* use native label support */
177
173
#define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */
178
174
179
-
int security_fs_use(const char *fstype, unsigned int *behavior,
180
-
u32 *sid);
175
+
int security_fs_use(struct super_block *sb);
181
176
182
177
int security_genfs_sid(const char *fstype, char *name, u16 sclass,
183
178
u32 *sid);
+19
-26
security/selinux/include/xfrm.h
+19
-26
security/selinux/include/xfrm.h
···
10
10
#include <net/flow.h>
11
11
12
12
int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
13
-
struct xfrm_user_sec_ctx *sec_ctx);
13
+
struct xfrm_user_sec_ctx *uctx);
14
14
int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
15
15
struct xfrm_sec_ctx **new_ctxp);
16
16
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
17
17
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
18
18
int selinux_xfrm_state_alloc(struct xfrm_state *x,
19
-
struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
19
+
struct xfrm_user_sec_ctx *uctx);
20
+
int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
21
+
struct xfrm_sec_ctx *polsec, u32 secid);
20
22
void selinux_xfrm_state_free(struct xfrm_state *x);
21
23
int selinux_xfrm_state_delete(struct xfrm_state *x);
22
24
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
23
25
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
24
-
struct xfrm_policy *xp, const struct flowi *fl);
25
-
26
-
/*
27
-
* Extract the security blob from the sock (it's actually on the socket)
28
-
*/
29
-
static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
30
-
{
31
-
if (!sk->sk_socket)
32
-
return NULL;
33
-
34
-
return SOCK_INODE(sk->sk_socket)->i_security;
35
-
}
26
+
struct xfrm_policy *xp,
27
+
const struct flowi *fl);
36
28
37
29
#ifdef CONFIG_SECURITY_NETWORK_XFRM
38
30
extern atomic_t selinux_xfrm_refcount;
···
34
42
return (atomic_read(&selinux_xfrm_refcount) > 0);
35
43
}
36
44
37
-
int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
38
-
struct common_audit_data *ad);
39
-
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
40
-
struct common_audit_data *ad, u8 proto);
45
+
int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
46
+
struct common_audit_data *ad);
47
+
int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
48
+
struct common_audit_data *ad, u8 proto);
41
49
int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
42
50
43
51
static inline void selinux_xfrm_notify_policyload(void)
···
51
59
return 0;
52
60
}
53
61
54
-
static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
55
-
struct common_audit_data *ad)
62
+
static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
63
+
struct common_audit_data *ad)
56
64
{
57
65
return 0;
58
66
}
59
67
60
-
static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
61
-
struct common_audit_data *ad, u8 proto)
68
+
static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
69
+
struct common_audit_data *ad,
70
+
u8 proto)
62
71
{
63
72
return 0;
64
73
}
65
74
66
-
static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
75
+
static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid,
76
+
int ckall)
67
77
{
68
78
*sid = SECSID_NULL;
69
79
return 0;
···
76
82
}
77
83
#endif
78
84
79
-
static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
85
+
static inline int selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
80
86
{
81
-
int err = selinux_xfrm_decode_session(skb, sid, 0);
82
-
BUG_ON(err);
87
+
return selinux_xfrm_decode_session(skb, sid, 0);
83
88
}
84
89
85
90
#endif /* _SELINUX_XFRM_H_ */
+2
security/selinux/netnode.c
+2
security/selinux/netnode.c
+3
-1
security/selinux/selinuxfs.c
+3
-1
security/selinux/selinuxfs.c
+18
-2
security/selinux/ss/ebitmap.c
+18
-2
security/selinux/ss/ebitmap.c
···
213
213
}
214
214
#endif /* CONFIG_NETLABEL */
215
215
216
-
int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2)
216
+
/*
217
+
* Check to see if all the bits set in e2 are also set in e1. Optionally,
218
+
* if last_e2bit is non-zero, the highest set bit in e2 cannot exceed
219
+
* last_e2bit.
220
+
*/
221
+
int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit)
217
222
{
218
223
struct ebitmap_node *n1, *n2;
219
224
int i;
···
228
223
229
224
n1 = e1->node;
230
225
n2 = e2->node;
226
+
231
227
while (n1 && n2 && (n1->startbit <= n2->startbit)) {
232
228
if (n1->startbit < n2->startbit) {
233
229
n1 = n1->next;
234
230
continue;
235
231
}
236
-
for (i = 0; i < EBITMAP_UNIT_NUMS; i++) {
232
+
for (i = EBITMAP_UNIT_NUMS - 1; (i >= 0) && !n2->maps[i]; )
233
+
i--; /* Skip trailing NULL map entries */
234
+
if (last_e2bit && (i >= 0)) {
235
+
u32 lastsetbit = n2->startbit + i * EBITMAP_UNIT_SIZE +
236
+
__fls(n2->maps[i]);
237
+
if (lastsetbit > last_e2bit)
238
+
return 0;
239
+
}
240
+
241
+
while (i >= 0) {
237
242
if ((n1->maps[i] & n2->maps[i]) != n2->maps[i])
238
243
return 0;
244
+
i--;
239
245
}
240
246
241
247
n1 = n1->next;
+8
-2
security/selinux/ss/ebitmap.h
+8
-2
security/selinux/ss/ebitmap.h
···
16
16
17
17
#include <net/netlabel.h>
18
18
19
-
#define EBITMAP_UNIT_NUMS ((32 - sizeof(void *) - sizeof(u32)) \
19
+
#ifdef CONFIG_64BIT
20
+
#define EBITMAP_NODE_SIZE 64
21
+
#else
22
+
#define EBITMAP_NODE_SIZE 32
23
+
#endif
24
+
25
+
#define EBITMAP_UNIT_NUMS ((EBITMAP_NODE_SIZE-sizeof(void *)-sizeof(u32))\
20
26
/ sizeof(unsigned long))
21
27
#define EBITMAP_UNIT_SIZE BITS_PER_LONG
22
28
#define EBITMAP_SIZE (EBITMAP_UNIT_NUMS * EBITMAP_UNIT_SIZE)
···
123
117
124
118
int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2);
125
119
int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src);
126
-
int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2);
120
+
int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit);
127
121
int ebitmap_get_bit(struct ebitmap *e, unsigned long bit);
128
122
int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
129
123
void ebitmap_destroy(struct ebitmap *e);
+7
-15
security/selinux/ss/mls.c
+7
-15
security/selinux/ss/mls.c
···
160
160
int mls_level_isvalid(struct policydb *p, struct mls_level *l)
161
161
{
162
162
struct level_datum *levdatum;
163
-
struct ebitmap_node *node;
164
-
int i;
165
163
166
164
if (!l->sens || l->sens > p->p_levels.nprim)
167
165
return 0;
···
168
170
if (!levdatum)
169
171
return 0;
170
172
171
-
ebitmap_for_each_positive_bit(&l->cat, node, i) {
172
-
if (i > p->p_cats.nprim)
173
-
return 0;
174
-
if (!ebitmap_get_bit(&levdatum->level->cat, i)) {
175
-
/*
176
-
* Category may not be associated with
177
-
* sensitivity.
178
-
*/
179
-
return 0;
180
-
}
181
-
}
182
-
183
-
return 1;
173
+
/*
174
+
* Return 1 iff all the bits set in l->cat are also be set in
175
+
* levdatum->level->cat and no bit in l->cat is larger than
176
+
* p->p_cats.nprim.
177
+
*/
178
+
return ebitmap_contains(&levdatum->level->cat, &l->cat,
179
+
p->p_cats.nprim);
184
180
}
185
181
186
182
int mls_range_isvalid(struct policydb *p, struct mls_range *r)
+1
-1
security/selinux/ss/mls_types.h
+1
-1
security/selinux/ss/mls_types.h
+1
-2
security/selinux/ss/policydb.c
+1
-2
security/selinux/ss/policydb.c
+50
-16
security/selinux/ss/services.c
+50
-16
security/selinux/ss/services.c
···
72
72
73
73
int selinux_policycap_netpeer;
74
74
int selinux_policycap_openperm;
75
+
int selinux_policycap_alwaysnetwork;
75
76
76
77
static DEFINE_RWLOCK(policy_rwlock);
77
78
···
1813
1812
POLICYDB_CAPABILITY_NETPEER);
1814
1813
selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
1815
1814
POLICYDB_CAPABILITY_OPENPERM);
1815
+
selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
1816
+
POLICYDB_CAPABILITY_ALWAYSNETWORK);
1816
1817
}
1817
1818
1818
1819
static int security_preserve_bools(struct policydb *p);
···
2326
2323
2327
2324
/**
2328
2325
* security_fs_use - Determine how to handle labeling for a filesystem.
2329
-
* @fstype: filesystem type
2330
-
* @behavior: labeling behavior
2331
-
* @sid: SID for filesystem (superblock)
2326
+
* @sb: superblock in question
2332
2327
*/
2333
-
int security_fs_use(
2334
-
const char *fstype,
2335
-
unsigned int *behavior,
2336
-
u32 *sid)
2328
+
int security_fs_use(struct super_block *sb)
2337
2329
{
2338
2330
int rc = 0;
2339
2331
struct ocontext *c;
2332
+
struct superblock_security_struct *sbsec = sb->s_security;
2333
+
const char *fstype = sb->s_type->name;
2334
+
const char *subtype = (sb->s_subtype && sb->s_subtype[0]) ? sb->s_subtype : NULL;
2335
+
struct ocontext *base = NULL;
2340
2336
2341
2337
read_lock(&policy_rwlock);
2342
2338
2343
-
c = policydb.ocontexts[OCON_FSUSE];
2344
-
while (c) {
2345
-
if (strcmp(fstype, c->u.name) == 0)
2339
+
for (c = policydb.ocontexts[OCON_FSUSE]; c; c = c->next) {
2340
+
char *sub;
2341
+
int baselen;
2342
+
2343
+
baselen = strlen(fstype);
2344
+
2345
+
/* if base does not match, this is not the one */
2346
+
if (strncmp(fstype, c->u.name, baselen))
2347
+
continue;
2348
+
2349
+
/* if there is no subtype, this is the one! */
2350
+
if (!subtype)
2346
2351
break;
2347
-
c = c->next;
2352
+
2353
+
/* skip past the base in this entry */
2354
+
sub = c->u.name + baselen;
2355
+
2356
+
/* entry is only a base. save it. keep looking for subtype */
2357
+
if (sub[0] == '\0') {
2358
+
base = c;
2359
+
continue;
2360
+
}
2361
+
2362
+
/* entry is not followed by a subtype, so it is not a match */
2363
+
if (sub[0] != '.')
2364
+
continue;
2365
+
2366
+
/* whew, we found a subtype of this fstype */
2367
+
sub++; /* move past '.' */
2368
+
2369
+
/* exact match of fstype AND subtype */
2370
+
if (!strcmp(subtype, sub))
2371
+
break;
2348
2372
}
2349
2373
2374
+
/* in case we had found an fstype match but no subtype match */
2375
+
if (!c)
2376
+
c = base;
2377
+
2350
2378
if (c) {
2351
-
*behavior = c->v.behavior;
2379
+
sbsec->behavior = c->v.behavior;
2352
2380
if (!c->sid[0]) {
2353
2381
rc = sidtab_context_to_sid(&sidtab, &c->context[0],
2354
2382
&c->sid[0]);
2355
2383
if (rc)
2356
2384
goto out;
2357
2385
}
2358
-
*sid = c->sid[0];
2386
+
sbsec->sid = c->sid[0];
2359
2387
} else {
2360
-
rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
2388
+
rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, &sbsec->sid);
2361
2389
if (rc) {
2362
-
*behavior = SECURITY_FS_USE_NONE;
2390
+
sbsec->behavior = SECURITY_FS_USE_NONE;
2363
2391
rc = 0;
2364
2392
} else {
2365
-
*behavior = SECURITY_FS_USE_GENFS;
2393
+
sbsec->behavior = SECURITY_FS_USE_GENFS;
2366
2394
}
2367
2395
}
2368
2396
+203
-252
security/selinux/xfrm.c
+203
-252
security/selinux/xfrm.c
···
56
56
atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);
57
57
58
58
/*
59
-
* Returns true if an LSM/SELinux context
59
+
* Returns true if the context is an LSM/SELinux context.
60
60
*/
61
61
static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
62
62
{
···
66
66
}
67
67
68
68
/*
69
-
* Returns true if the xfrm contains a security blob for SELinux
69
+
* Returns true if the xfrm contains a security blob for SELinux.
70
70
*/
71
71
static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
72
72
{
···
74
74
}
75
75
76
76
/*
77
-
* LSM hook implementation that authorizes that a flow can use
78
-
* a xfrm policy rule.
77
+
* Allocates a xfrm_sec_state and populates it using the supplied security
78
+
* xfrm_user_sec_ctx context.
79
+
*/
80
+
static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
81
+
struct xfrm_user_sec_ctx *uctx)
82
+
{
83
+
int rc;
84
+
const struct task_security_struct *tsec = current_security();
85
+
struct xfrm_sec_ctx *ctx = NULL;
86
+
u32 str_len;
87
+
88
+
if (ctxp == NULL || uctx == NULL ||
89
+
uctx->ctx_doi != XFRM_SC_DOI_LSM ||
90
+
uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
91
+
return -EINVAL;
92
+
93
+
str_len = uctx->ctx_len;
94
+
if (str_len >= PAGE_SIZE)
95
+
return -ENOMEM;
96
+
97
+
ctx = kmalloc(sizeof(*ctx) + str_len + 1, GFP_KERNEL);
98
+
if (!ctx)
99
+
return -ENOMEM;
100
+
101
+
ctx->ctx_doi = XFRM_SC_DOI_LSM;
102
+
ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
103
+
ctx->ctx_len = str_len;
104
+
memcpy(ctx->ctx_str, &uctx[1], str_len);
105
+
ctx->ctx_str[str_len] = '\0';
106
+
rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid);
107
+
if (rc)
108
+
goto err;
109
+
110
+
rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
111
+
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
112
+
if (rc)
113
+
goto err;
114
+
115
+
*ctxp = ctx;
116
+
atomic_inc(&selinux_xfrm_refcount);
117
+
return 0;
118
+
119
+
err:
120
+
kfree(ctx);
121
+
return rc;
122
+
}
123
+
124
+
/*
125
+
* Free the xfrm_sec_ctx structure.
126
+
*/
127
+
static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
128
+
{
129
+
if (!ctx)
130
+
return;
131
+
132
+
atomic_dec(&selinux_xfrm_refcount);
133
+
kfree(ctx);
134
+
}
135
+
136
+
/*
137
+
* Authorize the deletion of a labeled SA or policy rule.
138
+
*/
139
+
static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
140
+
{
141
+
const struct task_security_struct *tsec = current_security();
142
+
143
+
if (!ctx)
144
+
return 0;
145
+
146
+
return avc_has_perm(tsec->sid, ctx->ctx_sid,
147
+
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
148
+
NULL);
149
+
}
150
+
151
+
/*
152
+
* LSM hook implementation that authorizes that a flow can use a xfrm policy
153
+
* rule.
79
154
*/
80
155
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
81
156
{
82
157
int rc;
83
-
u32 sel_sid;
84
158
85
-
/* Context sid is either set to label or ANY_ASSOC */
86
-
if (ctx) {
87
-
if (!selinux_authorizable_ctx(ctx))
88
-
return -EINVAL;
89
-
90
-
sel_sid = ctx->ctx_sid;
91
-
} else
92
-
/*
93
-
* All flows should be treated as polmatch'ing an
94
-
* otherwise applicable "non-labeled" policy. This
95
-
* would prevent inadvertent "leaks".
96
-
*/
159
+
/* All flows should be treated as polmatch'ing an otherwise applicable
160
+
* "non-labeled" policy. This would prevent inadvertent "leaks". */
161
+
if (!ctx)
97
162
return 0;
98
163
99
-
rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
100
-
ASSOCIATION__POLMATCH,
101
-
NULL);
164
+
/* Context sid is either set to label or ANY_ASSOC */
165
+
if (!selinux_authorizable_ctx(ctx))
166
+
return -EINVAL;
102
167
103
-
if (rc == -EACCES)
104
-
return -ESRCH;
105
-
106
-
return rc;
168
+
rc = avc_has_perm(fl_secid, ctx->ctx_sid,
169
+
SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
170
+
return (rc == -EACCES ? -ESRCH : rc);
107
171
}
108
172
109
173
/*
110
174
* LSM hook implementation that authorizes that a state matches
111
175
* the given policy, flow combo.
112
176
*/
113
-
114
-
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
115
-
const struct flowi *fl)
177
+
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
178
+
struct xfrm_policy *xp,
179
+
const struct flowi *fl)
116
180
{
117
181
u32 state_sid;
118
-
int rc;
119
182
120
183
if (!xp->security)
121
184
if (x->security)
···
201
138
if (fl->flowi_secid != state_sid)
202
139
return 0;
203
140
204
-
rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
205
-
ASSOCIATION__SENDTO,
206
-
NULL)? 0:1;
207
-
208
-
/*
209
-
* We don't need a separate SA Vs. policy polmatch check
210
-
* since the SA is now of the same label as the flow and
211
-
* a flow Vs. policy polmatch check had already happened
212
-
* in selinux_xfrm_policy_lookup() above.
213
-
*/
214
-
215
-
return rc;
141
+
/* We don't need a separate SA Vs. policy polmatch check since the SA
142
+
* is now of the same label as the flow and a flow Vs. policy polmatch
143
+
* check had already happened in selinux_xfrm_policy_lookup() above. */
144
+
return (avc_has_perm(fl->flowi_secid, state_sid,
145
+
SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
146
+
NULL) ? 0 : 1);
216
147
}
217
148
218
149
/*
219
150
* LSM hook implementation that checks and/or returns the xfrm sid for the
220
151
* incoming packet.
221
152
*/
222
-
223
153
int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
224
154
{
155
+
u32 sid_session = SECSID_NULL;
225
156
struct sec_path *sp;
226
157
227
-
*sid = SECSID_NULL;
228
-
229
158
if (skb == NULL)
230
-
return 0;
159
+
goto out;
231
160
232
161
sp = skb->sp;
233
162
if (sp) {
234
-
int i, sid_set = 0;
163
+
int i;
235
164
236
-
for (i = sp->len-1; i >= 0; i--) {
165
+
for (i = sp->len - 1; i >= 0; i--) {
237
166
struct xfrm_state *x = sp->xvec[i];
238
167
if (selinux_authorizable_xfrm(x)) {
239
168
struct xfrm_sec_ctx *ctx = x->security;
240
169
241
-
if (!sid_set) {
242
-
*sid = ctx->ctx_sid;
243
-
sid_set = 1;
244
-
170
+
if (sid_session == SECSID_NULL) {
171
+
sid_session = ctx->ctx_sid;
245
172
if (!ckall)
246
-
break;
247
-
} else if (*sid != ctx->ctx_sid)
173
+
goto out;
174
+
} else if (sid_session != ctx->ctx_sid) {
175
+
*sid = SECSID_NULL;
248
176
return -EINVAL;
177
+
}
249
178
}
250
179
}
251
180
}
252
181
182
+
out:
183
+
*sid = sid_session;
253
184
return 0;
254
185
}
255
186
256
187
/*
257
-
* Security blob allocation for xfrm_policy and xfrm_state
258
-
* CTX does not have a meaningful value on input
259
-
*/
260
-
static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
261
-
struct xfrm_user_sec_ctx *uctx, u32 sid)
262
-
{
263
-
int rc = 0;
264
-
const struct task_security_struct *tsec = current_security();
265
-
struct xfrm_sec_ctx *ctx = NULL;
266
-
char *ctx_str = NULL;
267
-
u32 str_len;
268
-
269
-
BUG_ON(uctx && sid);
270
-
271
-
if (!uctx)
272
-
goto not_from_user;
273
-
274
-
if (uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
275
-
return -EINVAL;
276
-
277
-
str_len = uctx->ctx_len;
278
-
if (str_len >= PAGE_SIZE)
279
-
return -ENOMEM;
280
-
281
-
*ctxp = ctx = kmalloc(sizeof(*ctx) +
282
-
str_len + 1,
283
-
GFP_KERNEL);
284
-
285
-
if (!ctx)
286
-
return -ENOMEM;
287
-
288
-
ctx->ctx_doi = uctx->ctx_doi;
289
-
ctx->ctx_len = str_len;
290
-
ctx->ctx_alg = uctx->ctx_alg;
291
-
292
-
memcpy(ctx->ctx_str,
293
-
uctx+1,
294
-
str_len);
295
-
ctx->ctx_str[str_len] = 0;
296
-
rc = security_context_to_sid(ctx->ctx_str,
297
-
str_len,
298
-
&ctx->ctx_sid);
299
-
300
-
if (rc)
301
-
goto out;
302
-
303
-
/*
304
-
* Does the subject have permission to set security context?
305
-
*/
306
-
rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
307
-
SECCLASS_ASSOCIATION,
308
-
ASSOCIATION__SETCONTEXT, NULL);
309
-
if (rc)
310
-
goto out;
311
-
312
-
return rc;
313
-
314
-
not_from_user:
315
-
rc = security_sid_to_context(sid, &ctx_str, &str_len);
316
-
if (rc)
317
-
goto out;
318
-
319
-
*ctxp = ctx = kmalloc(sizeof(*ctx) +
320
-
str_len,
321
-
GFP_ATOMIC);
322
-
323
-
if (!ctx) {
324
-
rc = -ENOMEM;
325
-
goto out;
326
-
}
327
-
328
-
ctx->ctx_doi = XFRM_SC_DOI_LSM;
329
-
ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
330
-
ctx->ctx_sid = sid;
331
-
ctx->ctx_len = str_len;
332
-
memcpy(ctx->ctx_str,
333
-
ctx_str,
334
-
str_len);
335
-
336
-
goto out2;
337
-
338
-
out:
339
-
*ctxp = NULL;
340
-
kfree(ctx);
341
-
out2:
342
-
kfree(ctx_str);
343
-
return rc;
344
-
}
345
-
346
-
/*
347
-
* LSM hook implementation that allocs and transfers uctx spec to
348
-
* xfrm_policy.
188
+
* LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.
349
189
*/
350
190
int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
351
191
struct xfrm_user_sec_ctx *uctx)
352
192
{
353
-
int err;
354
-
355
-
BUG_ON(!uctx);
356
-
357
-
err = selinux_xfrm_sec_ctx_alloc(ctxp, uctx, 0);
358
-
if (err == 0)
359
-
atomic_inc(&selinux_xfrm_refcount);
360
-
361
-
return err;
193
+
return selinux_xfrm_alloc_user(ctxp, uctx);
362
194
}
363
195
364
-
365
196
/*
366
-
* LSM hook implementation that copies security data structure from old to
367
-
* new for policy cloning.
197
+
* LSM hook implementation that copies security data structure from old to new
198
+
* for policy cloning.
368
199
*/
369
200
int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
370
201
struct xfrm_sec_ctx **new_ctxp)
371
202
{
372
203
struct xfrm_sec_ctx *new_ctx;
373
204
374
-
if (old_ctx) {
375
-
new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
376
-
GFP_ATOMIC);
377
-
if (!new_ctx)
378
-
return -ENOMEM;
205
+
if (!old_ctx)
206
+
return 0;
379
207
380
-
memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
381
-
memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
382
-
atomic_inc(&selinux_xfrm_refcount);
383
-
*new_ctxp = new_ctx;
384
-
}
208
+
new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, GFP_ATOMIC);
209
+
if (!new_ctx)
210
+
return -ENOMEM;
211
+
memcpy(new_ctx, old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len);
212
+
atomic_inc(&selinux_xfrm_refcount);
213
+
*new_ctxp = new_ctx;
214
+
385
215
return 0;
386
216
}
387
217
···
283
327
*/
284
328
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
285
329
{
286
-
atomic_dec(&selinux_xfrm_refcount);
287
-
kfree(ctx);
330
+
selinux_xfrm_free(ctx);
288
331
}
289
332
290
333
/*
···
291
336
*/
292
337
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
293
338
{
294
-
const struct task_security_struct *tsec = current_security();
295
-
296
-
if (!ctx)
297
-
return 0;
298
-
299
-
return avc_has_perm(tsec->sid, ctx->ctx_sid,
300
-
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
301
-
NULL);
339
+
return selinux_xfrm_delete(ctx);
302
340
}
303
341
304
342
/*
305
-
* LSM hook implementation that allocs and transfers sec_ctx spec to
306
-
* xfrm_state.
343
+
* LSM hook implementation that allocates a xfrm_sec_state, populates it using
344
+
* the supplied security context, and assigns it to the xfrm_state.
307
345
*/
308
-
int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx,
309
-
u32 secid)
346
+
int selinux_xfrm_state_alloc(struct xfrm_state *x,
347
+
struct xfrm_user_sec_ctx *uctx)
310
348
{
311
-
int err;
349
+
return selinux_xfrm_alloc_user(&x->security, uctx);
350
+
}
312
351
313
-
BUG_ON(!x);
352
+
/*
353
+
* LSM hook implementation that allocates a xfrm_sec_state and populates based
354
+
* on a secid.
355
+
*/
356
+
int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
357
+
struct xfrm_sec_ctx *polsec, u32 secid)
358
+
{
359
+
int rc;
360
+
struct xfrm_sec_ctx *ctx;
361
+
char *ctx_str = NULL;
362
+
int str_len;
314
363
315
-
err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
316
-
if (err == 0)
317
-
atomic_inc(&selinux_xfrm_refcount);
318
-
return err;
364
+
if (!polsec)
365
+
return 0;
366
+
367
+
if (secid == 0)
368
+
return -EINVAL;
369
+
370
+
rc = security_sid_to_context(secid, &ctx_str, &str_len);
371
+
if (rc)
372
+
return rc;
373
+
374
+
ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC);
375
+
if (!ctx)
376
+
return -ENOMEM;
377
+
378
+
ctx->ctx_doi = XFRM_SC_DOI_LSM;
379
+
ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
380
+
ctx->ctx_sid = secid;
381
+
ctx->ctx_len = str_len;
382
+
memcpy(ctx->ctx_str, ctx_str, str_len);
383
+
kfree(ctx_str);
384
+
385
+
x->security = ctx;
386
+
atomic_inc(&selinux_xfrm_refcount);
387
+
return 0;
319
388
}
320
389
321
390
/*
···
347
368
*/
348
369
void selinux_xfrm_state_free(struct xfrm_state *x)
349
370
{
350
-
atomic_dec(&selinux_xfrm_refcount);
351
-
kfree(x->security);
371
+
selinux_xfrm_free(x->security);
352
372
}
353
373
354
-
/*
355
-
* LSM hook implementation that authorizes deletion of labeled SAs.
356
-
*/
374
+
/*
375
+
* LSM hook implementation that authorizes deletion of labeled SAs.
376
+
*/
357
377
int selinux_xfrm_state_delete(struct xfrm_state *x)
358
378
{
359
-
const struct task_security_struct *tsec = current_security();
360
-
struct xfrm_sec_ctx *ctx = x->security;
361
-
362
-
if (!ctx)
363
-
return 0;
364
-
365
-
return avc_has_perm(tsec->sid, ctx->ctx_sid,
366
-
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
367
-
NULL);
379
+
return selinux_xfrm_delete(x->security);
368
380
}
369
381
370
382
/*
···
365
395
* we need to check for unlabelled access since this may not have
366
396
* gone thru the IPSec process.
367
397
*/
368
-
int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
369
-
struct common_audit_data *ad)
398
+
int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
399
+
struct common_audit_data *ad)
370
400
{
371
-
int i, rc = 0;
372
-
struct sec_path *sp;
373
-
u32 sel_sid = SECINITSID_UNLABELED;
374
-
375
-
sp = skb->sp;
401
+
int i;
402
+
struct sec_path *sp = skb->sp;
403
+
u32 peer_sid = SECINITSID_UNLABELED;
376
404
377
405
if (sp) {
378
406
for (i = 0; i < sp->len; i++) {
···
378
410
379
411
if (x && selinux_authorizable_xfrm(x)) {
380
412
struct xfrm_sec_ctx *ctx = x->security;
381
-
sel_sid = ctx->ctx_sid;
413
+
peer_sid = ctx->ctx_sid;
382
414
break;
383
415
}
384
416
}
385
417
}
386
418
387
-
/*
388
-
* This check even when there's no association involved is
389
-
* intended, according to Trent Jaeger, to make sure a
390
-
* process can't engage in non-ipsec communication unless
391
-
* explicitly allowed by policy.
392
-
*/
393
-
394
-
rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
395
-
ASSOCIATION__RECVFROM, ad);
396
-
397
-
return rc;
419
+
/* This check even when there's no association involved is intended,
420
+
* according to Trent Jaeger, to make sure a process can't engage in
421
+
* non-IPsec communication unless explicitly allowed by policy. */
422
+
return avc_has_perm(sk_sid, peer_sid,
423
+
SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
398
424
}
399
425
400
426
/*
···
398
436
* If we do have a authorizable security association, then it has already been
399
437
* checked in the selinux_xfrm_state_pol_flow_match hook above.
400
438
*/
401
-
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
402
-
struct common_audit_data *ad, u8 proto)
439
+
int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
440
+
struct common_audit_data *ad, u8 proto)
403
441
{
404
442
struct dst_entry *dst;
405
-
int rc = 0;
406
-
407
-
dst = skb_dst(skb);
408
-
409
-
if (dst) {
410
-
struct dst_entry *dst_test;
411
-
412
-
for (dst_test = dst; dst_test != NULL;
413
-
dst_test = dst_test->child) {
414
-
struct xfrm_state *x = dst_test->xfrm;
415
-
416
-
if (x && selinux_authorizable_xfrm(x))
417
-
goto out;
418
-
}
419
-
}
420
443
421
444
switch (proto) {
422
445
case IPPROTO_AH:
423
446
case IPPROTO_ESP:
424
447
case IPPROTO_COMP:
425
-
/*
426
-
* We should have already seen this packet once before
427
-
* it underwent xfrm(s). No need to subject it to the
428
-
* unlabeled check.
429
-
*/
430
-
goto out;
448
+
/* We should have already seen this packet once before it
449
+
* underwent xfrm(s). No need to subject it to the unlabeled
450
+
* check. */
451
+
return 0;
431
452
default:
432
453
break;
433
454
}
434
455
435
-
/*
436
-
* This check even when there's no association involved is
437
-
* intended, according to Trent Jaeger, to make sure a
438
-
* process can't engage in non-ipsec communication unless
439
-
* explicitly allowed by policy.
440
-
*/
456
+
dst = skb_dst(skb);
457
+
if (dst) {
458
+
struct dst_entry *iter;
441
459
442
-
rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
443
-
ASSOCIATION__SENDTO, ad);
444
-
out:
445
-
return rc;
460
+
for (iter = dst; iter != NULL; iter = iter->child) {
461
+
struct xfrm_state *x = iter->xfrm;
462
+
463
+
if (x && selinux_authorizable_xfrm(x))
464
+
return 0;
465
+
}
466
+
}
467
+
468
+
/* This check even when there's no association involved is intended,
469
+
* according to Trent Jaeger, to make sure a process can't engage in
470
+
* non-IPsec communication unless explicitly allowed by policy. */
471
+
return avc_has_perm(sk_sid, SECINITSID_UNLABELED,
472
+
SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
446
473
}