tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

selinux: dynamic class/perm discovery

Modify SELinux to dynamically discover class and permission values
upon policy load, based on the dynamic object class/perm discovery
logic from libselinux. A mapping is created between kernel-private
class and permission indices used outside the security server and the
policy values used within the security server.

The mappings are only applied upon kernel-internal computations;
similar mappings for the private indices of userspace object managers
is handled on a per-object manager basis by the userspace AVC. The
interfaces for compute_av and transition_sid are split for kernel
vs. userspace; the userspace functions are distinguished by a _user
suffix.

The kernel-private class indices are no longer tied to the policy
values and thus do not need to skip indices for userspace classes;
thus the kernel class index values are compressed. The flask.h
definitions were regenerated by deleting the userspace classes from
refpolicy's definitions and then regenerating the headers. Going
forward, we can just maintain the flask.h, av_permissions.h, and
classmap.h definitions separately from policy as they are no longer
tied to the policy values. The next patch introduces a utility to
automate generation of flask.h and av_permissions.h from the
classmap.h definitions.

The older kernel class and permission string tables are removed and
replaced by a single security class mapping table that is walked at
policy load to generate the mapping. The old kernel class validation
logic is completely replaced by the mapping logic.

The handle unknown logic is reworked. reject_unknown=1 is handled
when the mappings are computed at policy load time, similar to the old
handling by the class validation logic. allow_unknown=1 is handled
when computing and mapping decisions - if the permission was not able
to be mapped (i.e. undefined, mapped to zero), then it is
automatically added to the allowed vector. If the class was not able
to be mapped (i.e. undefined, mapped to zero), then all permissions
are allowed for it if allow_unknown=1.

avc_audit leverages the new security class mapping table to lookup the
class and permission names from the kernel-private indices.

The mdp program is updated to use the new table when generating the
class definitions and allow rules for a minimal boot policy for the
kernel. It should be noted that this policy will not include any
userspace classes, nor will its policy index values for the kernel
classes correspond with the ones in refpolicy (they will instead match
the kernel-private indices).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

authored by

Stephen Smalley and committed by
James Morris c6d3aaa4 23acb98d

+583 -867
+28 -123
scripts/selinux/mdp/mdp.c
··· 29 29 #include <unistd.h> 30 30 #include <string.h> 31 31 32 - #include "flask.h" 33 - 34 32 static void usage(char *name) 35 33 { 36 34 printf("usage: %s [-m] policy_file context_file\n", name); 37 35 exit(1); 38 36 } 39 37 40 - static void find_common_name(char *cname, char *dest, int len) 41 - { 42 - char *start, *end; 43 - 44 - start = strchr(cname, '_')+1; 45 - end = strchr(start, '_'); 46 - if (!start || !end || start-cname > len || end-start > len) { 47 - printf("Error with commons defines\n"); 48 - exit(1); 49 - } 50 - strncpy(dest, start, end-start); 51 - dest[end-start] = '\0'; 52 - } 53 - 54 - #define S_(x) x, 55 - static char *classlist[] = { 56 - #include "class_to_string.h" 57 - NULL 38 + /* Class/perm mapping support */ 39 + struct security_class_mapping { 40 + const char *name; 41 + const char *perms[sizeof(unsigned) * 8 + 1]; 58 42 }; 59 - #undef S_ 60 43 44 + #include "classmap.h" 61 45 #include "initial_sid_to_string.h" 62 - 63 - #define TB_(x) char *x[] = { 64 - #define TE_(x) NULL }; 65 - #define S_(x) x, 66 - #include "common_perm_to_string.h" 67 - #undef TB_ 68 - #undef TE_ 69 - #undef S_ 70 - 71 - struct common { 72 - char *cname; 73 - char **perms; 74 - }; 75 - struct common common[] = { 76 - #define TB_(x) { #x, x }, 77 - #define S_(x) 78 - #define TE_(x) 79 - #include "common_perm_to_string.h" 80 - #undef TB_ 81 - #undef TE_ 82 - #undef S_ 83 - }; 84 - 85 - #define S_(x, y, z) {x, #y}, 86 - struct av_inherit { 87 - int class; 88 - char *common; 89 - }; 90 - struct av_inherit av_inherit[] = { 91 - #include "av_inherit.h" 92 - }; 93 - #undef S_ 94 - 95 - #include "av_permissions.h" 96 - #define S_(x, y, z) {x, y, z}, 97 - struct av_perms { 98 - int class; 99 - int perm_i; 100 - char *perm_s; 101 - }; 102 - struct av_perms av_perms[] = { 103 - #include "av_perm_to_string.h" 104 - }; 105 - #undef S_ 106 46 107 47 int main(int argc, char *argv[]) 108 48 { 109 49 int i, j, mls = 0; 50 + int initial_sid_to_string_len; 110 51 char **arg, *polout, *ctxout; 111 - int classlist_len, initial_sid_to_string_len; 52 + 112 53 FILE *fout; 113 54 114 55 if (argc < 3) ··· 68 127 usage(argv[0]); 69 128 } 70 129 71 - classlist_len = sizeof(classlist) / sizeof(char *); 72 130 /* print out the classes */ 73 - for (i=1; i < classlist_len; i++) { 74 - if(classlist[i]) 75 - fprintf(fout, "class %s\n", classlist[i]); 76 - else 77 - fprintf(fout, "class user%d\n", i); 78 - } 131 + for (i = 0; secclass_map[i].name; i++) 132 + fprintf(fout, "class %s\n", secclass_map[i].name); 79 133 fprintf(fout, "\n"); 80 134 81 135 initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *); 82 136 /* print out the sids */ 83 - for (i=1; i < initial_sid_to_string_len; i++) 137 + for (i = 1; i < initial_sid_to_string_len; i++) 84 138 fprintf(fout, "sid %s\n", initial_sid_to_string[i]); 85 139 fprintf(fout, "\n"); 86 140 87 - /* print out the commons */ 88 - for (i=0; i< sizeof(common)/sizeof(struct common); i++) { 89 - char cname[101]; 90 - find_common_name(common[i].cname, cname, 100); 91 - cname[100] = '\0'; 92 - fprintf(fout, "common %s\n{\n", cname); 93 - for (j=0; common[i].perms[j]; j++) 94 - fprintf(fout, "\t%s\n", common[i].perms[j]); 95 - fprintf(fout, "}\n\n"); 96 - } 97 - fprintf(fout, "\n"); 98 - 99 141 /* print out the class permissions */ 100 - for (i=1; i < classlist_len; i++) { 101 - if (classlist[i]) { 102 - int firstperm = -1, numperms = 0; 103 - 104 - fprintf(fout, "class %s\n", classlist[i]); 105 - /* does it inherit from a common? */ 106 - for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++) 107 - if (av_inherit[j].class == i) 108 - fprintf(fout, "inherits %s\n", av_inherit[j].common); 109 - 110 - for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) { 111 - if (av_perms[j].class == i) { 112 - if (firstperm == -1) 113 - firstperm = j; 114 - numperms++; 115 - } 116 - } 117 - if (!numperms) { 118 - fprintf(fout, "\n"); 119 - continue; 120 - } 121 - 122 - fprintf(fout, "{\n"); 123 - /* print out the av_perms */ 124 - for (j=0; j < numperms; j++) { 125 - fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s); 126 - } 127 - fprintf(fout, "}\n\n"); 128 - } 142 + for (i = 0; secclass_map[i].name; i++) { 143 + struct security_class_mapping *map = &secclass_map[i]; 144 + fprintf(fout, "class %s\n", map->name); 145 + fprintf(fout, "{\n"); 146 + for (j = 0; map->perms[j]; j++) 147 + fprintf(fout, "\t%s\n", map->perms[j]); 148 + fprintf(fout, "}\n\n"); 129 149 } 130 150 fprintf(fout, "\n"); 131 151 ··· 99 197 /* types, roles, and allows */ 100 198 fprintf(fout, "type base_t;\n"); 101 199 fprintf(fout, "role base_r types { base_t };\n"); 102 - for (i=1; i < classlist_len; i++) { 103 - if (classlist[i]) 104 - fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]); 105 - else 106 - fprintf(fout, "allow base_t base_t:user%d *;\n", i); 107 - } 200 + for (i = 0; secclass_map[i].name; i++) 201 + fprintf(fout, "allow base_t base_t:%s *;\n", 202 + secclass_map[i].name); 108 203 fprintf(fout, "user user_u roles { base_r };\n"); 109 204 fprintf(fout, "\n"); 110 205 111 206 /* default sids */ 112 - for (i=1; i < initial_sid_to_string_len; i++) 207 + for (i = 1; i < initial_sid_to_string_len; i++) 113 208 fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]); 114 209 fprintf(fout, "\n"); 115 210 116 - 117 211 fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n"); 118 212 fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n"); 213 + fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n"); 119 214 fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n"); 120 215 fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n"); 121 216 fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n"); 217 + fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n"); 218 + fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n"); 219 + fprintf(fout, "fs_use_xattr lustre user_u:base_r:base_t;\n"); 122 220 221 + fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n"); 123 222 fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n"); 124 223 fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n"); 125 224 225 + fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n"); 126 226 fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n"); 227 + fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n"); 127 228 fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n"); 128 229 fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n"); 129 230
+8 -68
security/selinux/avc.c
··· 31 31 #include <net/ipv6.h> 32 32 #include "avc.h" 33 33 #include "avc_ss.h" 34 - 35 - static const struct av_perm_to_string av_perm_to_string[] = { 36 - #define S_(c, v, s) { c, v, s }, 37 - #include "av_perm_to_string.h" 38 - #undef S_ 39 - }; 40 - 41 - static const char *class_to_string[] = { 42 - #define S_(s) s, 43 - #include "class_to_string.h" 44 - #undef S_ 45 - }; 46 - 47 - #define TB_(s) static const char *s[] = { 48 - #define TE_(s) }; 49 - #define S_(s) s, 50 - #include "common_perm_to_string.h" 51 - #undef TB_ 52 - #undef TE_ 53 - #undef S_ 54 - 55 - static const struct av_inherit av_inherit[] = { 56 - #define S_(c, i, b) { .tclass = c,\ 57 - .common_pts = common_##i##_perm_to_string,\ 58 - .common_base = b }, 59 - #include "av_inherit.h" 60 - #undef S_ 61 - }; 62 - 63 - const struct selinux_class_perm selinux_class_perm = { 64 - .av_perm_to_string = av_perm_to_string, 65 - .av_pts_len = ARRAY_SIZE(av_perm_to_string), 66 - .class_to_string = class_to_string, 67 - .cts_len = ARRAY_SIZE(class_to_string), 68 - .av_inherit = av_inherit, 69 - .av_inherit_len = ARRAY_SIZE(av_inherit) 70 - }; 34 + #include "classmap.h" 71 35 72 36 #define AVC_CACHE_SLOTS 512 73 37 #define AVC_DEF_CACHE_THRESHOLD 512 ··· 103 139 */ 104 140 static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) 105 141 { 106 - const char **common_pts = NULL; 107 - u32 common_base = 0; 108 - int i, i2, perm; 142 + const char **perms; 143 + int i, perm; 109 144 110 145 if (av == 0) { 111 146 audit_log_format(ab, " null"); 112 147 return; 113 148 } 114 149 115 - for (i = 0; i < ARRAY_SIZE(av_inherit); i++) { 116 - if (av_inherit[i].tclass == tclass) { 117 - common_pts = av_inherit[i].common_pts; 118 - common_base = av_inherit[i].common_base; 119 - break; 120 - } 121 - } 150 + perms = secclass_map[tclass-1].perms; 122 151 123 152 audit_log_format(ab, " {"); 124 153 i = 0; 125 154 perm = 1; 126 - while (perm < common_base) { 155 + while (i < (sizeof(av) * 8)) { 127 156 if (perm & av) { 128 - audit_log_format(ab, " %s", common_pts[i]); 157 + audit_log_format(ab, " %s", perms[i]); 129 158 av &= ~perm; 130 - } 131 - i++; 132 - perm <<= 1; 133 - } 134 - 135 - while (i < sizeof(av) * 8) { 136 - if (perm & av) { 137 - for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) { 138 - if ((av_perm_to_string[i2].tclass == tclass) && 139 - (av_perm_to_string[i2].value == perm)) 140 - break; 141 - } 142 - if (i2 < ARRAY_SIZE(av_perm_to_string)) { 143 - audit_log_format(ab, " %s", 144 - av_perm_to_string[i2].name); 145 - av &= ~perm; 146 - } 147 159 } 148 160 i++; 149 161 perm <<= 1; ··· 159 219 kfree(scontext); 160 220 } 161 221 162 - BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]); 163 - audit_log_format(ab, " tclass=%s", class_to_string[tclass]); 222 + BUG_ON(tclass >= ARRAY_SIZE(secclass_map)); 223 + audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); 164 224 } 165 225 166 226 /**
-34
security/selinux/include/av_inherit.h
··· 1 - /* This file is automatically generated. Do not edit. */ 2 - S_(SECCLASS_DIR, file, 0x00020000UL) 3 - S_(SECCLASS_FILE, file, 0x00020000UL) 4 - S_(SECCLASS_LNK_FILE, file, 0x00020000UL) 5 - S_(SECCLASS_CHR_FILE, file, 0x00020000UL) 6 - S_(SECCLASS_BLK_FILE, file, 0x00020000UL) 7 - S_(SECCLASS_SOCK_FILE, file, 0x00020000UL) 8 - S_(SECCLASS_FIFO_FILE, file, 0x00020000UL) 9 - S_(SECCLASS_SOCKET, socket, 0x00400000UL) 10 - S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL) 11 - S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL) 12 - S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL) 13 - S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL) 14 - S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL) 15 - S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL) 16 - S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL) 17 - S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL) 18 - S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL) 19 - S_(SECCLASS_IPC, ipc, 0x00000200UL) 20 - S_(SECCLASS_SEM, ipc, 0x00000200UL) 21 - S_(SECCLASS_MSGQ, ipc, 0x00000200UL) 22 - S_(SECCLASS_SHM, ipc, 0x00000200UL) 23 - S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL) 24 - S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL) 25 - S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL) 26 - S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL) 27 - S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL) 28 - S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL) 29 - S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL) 30 - S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL) 31 - S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL) 32 - S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL) 33 - S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL) 34 - S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)
-183
security/selinux/include/av_perm_to_string.h
··· 1 - /* This file is automatically generated. Do not edit. */ 2 - S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount") 3 - S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount") 4 - S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount") 5 - S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr") 6 - S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom") 7 - S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto") 8 - S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition") 9 - S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate") 10 - S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod") 11 - S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget") 12 - S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name") 13 - S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name") 14 - S_(SECCLASS_DIR, DIR__REPARENT, "reparent") 15 - S_(SECCLASS_DIR, DIR__SEARCH, "search") 16 - S_(SECCLASS_DIR, DIR__RMDIR, "rmdir") 17 - S_(SECCLASS_DIR, DIR__OPEN, "open") 18 - S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans") 19 - S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint") 20 - S_(SECCLASS_FILE, FILE__EXECMOD, "execmod") 21 - S_(SECCLASS_FILE, FILE__OPEN, "open") 22 - S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans") 23 - S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint") 24 - S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod") 25 - S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open") 26 - S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open") 27 - S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open") 28 - S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open") 29 - S_(SECCLASS_FD, FD__USE, "use") 30 - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto") 31 - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn") 32 - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom") 33 - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind") 34 - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect") 35 - S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind") 36 - S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind") 37 - S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv") 38 - S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send") 39 - S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv") 40 - S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send") 41 - S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv") 42 - S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send") 43 - S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest") 44 - S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv") 45 - S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send") 46 - S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom") 47 - S_(SECCLASS_NODE, NODE__SENDTO, "sendto") 48 - S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv") 49 - S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send") 50 - S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv") 51 - S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send") 52 - S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv") 53 - S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send") 54 - S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv") 55 - S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send") 56 - S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress") 57 - S_(SECCLASS_NETIF, NETIF__EGRESS, "egress") 58 - S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto") 59 - S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn") 60 - S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom") 61 - S_(SECCLASS_PROCESS, PROCESS__FORK, "fork") 62 - S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition") 63 - S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld") 64 - S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill") 65 - S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop") 66 - S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull") 67 - S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal") 68 - S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace") 69 - S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched") 70 - S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched") 71 - S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession") 72 - S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid") 73 - S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid") 74 - S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap") 75 - S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap") 76 - S_(SECCLASS_PROCESS, PROCESS__SHARE, "share") 77 - S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr") 78 - S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec") 79 - S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate") 80 - S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure") 81 - S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh") 82 - S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit") 83 - S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh") 84 - S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition") 85 - S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent") 86 - S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") 87 - S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack") 88 - S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap") 89 - S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate") 90 - S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate") 91 - S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") 92 - S_(SECCLASS_MSG, MSG__SEND, "send") 93 - S_(SECCLASS_MSG, MSG__RECEIVE, "receive") 94 - S_(SECCLASS_SHM, SHM__LOCK, "lock") 95 - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av") 96 - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create") 97 - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member") 98 - S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context") 99 - S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy") 100 - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel") 101 - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user") 102 - S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce") 103 - S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool") 104 - S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam") 105 - S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot") 106 - S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info") 107 - S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read") 108 - S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod") 109 - S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console") 110 - S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request") 111 - S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown") 112 - S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override") 113 - S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search") 114 - S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner") 115 - S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid") 116 - S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill") 117 - S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid") 118 - S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid") 119 - S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap") 120 - S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable") 121 - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service") 122 - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast") 123 - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin") 124 - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw") 125 - S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock") 126 - S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner") 127 - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module") 128 - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio") 129 - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot") 130 - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace") 131 - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct") 132 - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin") 133 - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot") 134 - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice") 135 - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource") 136 - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time") 137 - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config") 138 - S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod") 139 - S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease") 140 - S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write") 141 - S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control") 142 - S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap") 143 - S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override") 144 - S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin") 145 - S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read") 146 - S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write") 147 - S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read") 148 - S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write") 149 - S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read") 150 - S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write") 151 - S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read") 152 - S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write") 153 - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read") 154 - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write") 155 - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay") 156 - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv") 157 - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit") 158 - S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read") 159 - S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write") 160 - S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto") 161 - S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom") 162 - S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext") 163 - S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch") 164 - S_(SECCLASS_PACKET, PACKET__SEND, "send") 165 - S_(SECCLASS_PACKET, PACKET__RECV, "recv") 166 - S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto") 167 - S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in") 168 - S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out") 169 - S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in") 170 - S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out") 171 - S_(SECCLASS_KEY, KEY__VIEW, "view") 172 - S_(SECCLASS_KEY, KEY__READ, "read") 173 - S_(SECCLASS_KEY, KEY__WRITE, "write") 174 - S_(SECCLASS_KEY, KEY__SEARCH, "search") 175 - S_(SECCLASS_KEY, KEY__LINK, "link") 176 - S_(SECCLASS_KEY, KEY__SETATTR, "setattr") 177 - S_(SECCLASS_KEY, KEY__CREATE, "create") 178 - S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind") 179 - S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect") 180 - S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero") 181 - S_(SECCLASS_PEER, PEER__RECV, "recv") 182 - S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override") 183 - S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")
+22 -22
security/selinux/include/av_permissions.h
··· 423 423 #define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL 424 424 #define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL 425 425 #define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL 426 - #define TUN_SOCKET__IOCTL 0x00000001UL 427 - #define TUN_SOCKET__READ 0x00000002UL 428 - #define TUN_SOCKET__WRITE 0x00000004UL 429 - #define TUN_SOCKET__CREATE 0x00000008UL 430 - #define TUN_SOCKET__GETATTR 0x00000010UL 431 - #define TUN_SOCKET__SETATTR 0x00000020UL 432 - #define TUN_SOCKET__LOCK 0x00000040UL 433 - #define TUN_SOCKET__RELABELFROM 0x00000080UL 434 - #define TUN_SOCKET__RELABELTO 0x00000100UL 435 - #define TUN_SOCKET__APPEND 0x00000200UL 436 - #define TUN_SOCKET__BIND 0x00000400UL 437 - #define TUN_SOCKET__CONNECT 0x00000800UL 438 - #define TUN_SOCKET__LISTEN 0x00001000UL 439 - #define TUN_SOCKET__ACCEPT 0x00002000UL 440 - #define TUN_SOCKET__GETOPT 0x00004000UL 441 - #define TUN_SOCKET__SETOPT 0x00008000UL 442 - #define TUN_SOCKET__SHUTDOWN 0x00010000UL 443 - #define TUN_SOCKET__RECVFROM 0x00020000UL 444 - #define TUN_SOCKET__SENDTO 0x00040000UL 445 - #define TUN_SOCKET__RECV_MSG 0x00080000UL 446 - #define TUN_SOCKET__SEND_MSG 0x00100000UL 447 - #define TUN_SOCKET__NAME_BIND 0x00200000UL 448 426 #define PROCESS__FORK 0x00000001UL 449 427 #define PROCESS__TRANSITION 0x00000002UL 450 428 #define PROCESS__SIGCHLD 0x00000004UL ··· 846 868 #define PEER__RECV 0x00000001UL 847 869 #define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL 848 870 #define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL 871 + #define TUN_SOCKET__IOCTL 0x00000001UL 872 + #define TUN_SOCKET__READ 0x00000002UL 873 + #define TUN_SOCKET__WRITE 0x00000004UL 874 + #define TUN_SOCKET__CREATE 0x00000008UL 875 + #define TUN_SOCKET__GETATTR 0x00000010UL 876 + #define TUN_SOCKET__SETATTR 0x00000020UL 877 + #define TUN_SOCKET__LOCK 0x00000040UL 878 + #define TUN_SOCKET__RELABELFROM 0x00000080UL 879 + #define TUN_SOCKET__RELABELTO 0x00000100UL 880 + #define TUN_SOCKET__APPEND 0x00000200UL 881 + #define TUN_SOCKET__BIND 0x00000400UL 882 + #define TUN_SOCKET__CONNECT 0x00000800UL 883 + #define TUN_SOCKET__LISTEN 0x00001000UL 884 + #define TUN_SOCKET__ACCEPT 0x00002000UL 885 + #define TUN_SOCKET__GETOPT 0x00004000UL 886 + #define TUN_SOCKET__SETOPT 0x00008000UL 887 + #define TUN_SOCKET__SHUTDOWN 0x00010000UL 888 + #define TUN_SOCKET__RECVFROM 0x00020000UL 889 + #define TUN_SOCKET__SENDTO 0x00040000UL 890 + #define TUN_SOCKET__RECV_MSG 0x00080000UL 891 + #define TUN_SOCKET__SEND_MSG 0x00100000UL 892 + #define TUN_SOCKET__NAME_BIND 0x00200000UL
+4 -17
security/selinux/include/avc_ss.h
··· 10 10 11 11 int avc_ss_reset(u32 seqno); 12 12 13 - struct av_perm_to_string { 14 - u16 tclass; 15 - u32 value; 13 + /* Class/perm mapping support */ 14 + struct security_class_mapping { 16 15 const char *name; 16 + const char *perms[sizeof(u32) * 8 + 1]; 17 17 }; 18 18 19 - struct av_inherit { 20 - const char **common_pts; 21 - u32 common_base; 22 - u16 tclass; 23 - }; 24 - 25 - struct selinux_class_perm { 26 - const struct av_perm_to_string *av_perm_to_string; 27 - u32 av_pts_len; 28 - u32 cts_len; 29 - const char **class_to_string; 30 - const struct av_inherit *av_inherit; 31 - u32 av_inherit_len; 32 - }; 19 + extern struct security_class_mapping secclass_map[]; 33 20 34 21 #endif /* _SELINUX_AVC_SS_H_ */ 35 22
-80
security/selinux/include/class_to_string.h
··· 1 - /* This file is automatically generated. Do not edit. */ 2 - /* 3 - * Security object class definitions 4 - */ 5 - S_(NULL) 6 - S_("security") 7 - S_("process") 8 - S_("system") 9 - S_("capability") 10 - S_("filesystem") 11 - S_("file") 12 - S_("dir") 13 - S_("fd") 14 - S_("lnk_file") 15 - S_("chr_file") 16 - S_("blk_file") 17 - S_("sock_file") 18 - S_("fifo_file") 19 - S_("socket") 20 - S_("tcp_socket") 21 - S_("udp_socket") 22 - S_("rawip_socket") 23 - S_("node") 24 - S_("netif") 25 - S_("netlink_socket") 26 - S_("packet_socket") 27 - S_("key_socket") 28 - S_("unix_stream_socket") 29 - S_("unix_dgram_socket") 30 - S_("sem") 31 - S_("msg") 32 - S_("msgq") 33 - S_("shm") 34 - S_("ipc") 35 - S_(NULL) 36 - S_(NULL) 37 - S_(NULL) 38 - S_(NULL) 39 - S_(NULL) 40 - S_(NULL) 41 - S_(NULL) 42 - S_(NULL) 43 - S_(NULL) 44 - S_(NULL) 45 - S_(NULL) 46 - S_(NULL) 47 - S_(NULL) 48 - S_("netlink_route_socket") 49 - S_("netlink_firewall_socket") 50 - S_("netlink_tcpdiag_socket") 51 - S_("netlink_nflog_socket") 52 - S_("netlink_xfrm_socket") 53 - S_("netlink_selinux_socket") 54 - S_("netlink_audit_socket") 55 - S_("netlink_ip6fw_socket") 56 - S_("netlink_dnrt_socket") 57 - S_(NULL) 58 - S_(NULL) 59 - S_("association") 60 - S_("netlink_kobject_uevent_socket") 61 - S_("appletalk_socket") 62 - S_("packet") 63 - S_("key") 64 - S_(NULL) 65 - S_("dccp_socket") 66 - S_("memprotect") 67 - S_(NULL) 68 - S_(NULL) 69 - S_(NULL) 70 - S_(NULL) 71 - S_(NULL) 72 - S_(NULL) 73 - S_("peer") 74 - S_("capability2") 75 - S_(NULL) 76 - S_(NULL) 77 - S_(NULL) 78 - S_(NULL) 79 - S_("kernel_service") 80 - S_("tun_socket")
+150
security/selinux/include/classmap.h
··· 1 + #define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \ 2 + "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append" 3 + 4 + #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \ 5 + "rename", "execute", "swapon", "quotaon", "mounton" 6 + 7 + #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \ 8 + "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \ 9 + "sendto", "recv_msg", "send_msg", "name_bind" 10 + 11 + #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ 12 + "write", "associate", "unix_read", "unix_write" 13 + 14 + struct security_class_mapping secclass_map[] = { 15 + { "security", 16 + { "compute_av", "compute_create", "compute_member", 17 + "check_context", "load_policy", "compute_relabel", 18 + "compute_user", "setenforce", "setbool", "setsecparam", 19 + "setcheckreqprot", NULL } }, 20 + { "process", 21 + { "fork", "transition", "sigchld", "sigkill", 22 + "sigstop", "signull", "signal", "ptrace", "getsched", "setsched", 23 + "getsession", "getpgid", "setpgid", "getcap", "setcap", "share", 24 + "getattr", "setexec", "setfscreate", "noatsecure", "siginh", 25 + "setrlimit", "rlimitinh", "dyntransition", "setcurrent", 26 + "execmem", "execstack", "execheap", "setkeycreate", 27 + "setsockcreate", NULL } }, 28 + { "system", 29 + { "ipc_info", "syslog_read", "syslog_mod", 30 + "syslog_console", "module_request", NULL } }, 31 + { "capability", 32 + { "chown", "dac_override", "dac_read_search", 33 + "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", 34 + "linux_immutable", "net_bind_service", "net_broadcast", 35 + "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", 36 + "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", 37 + "sys_boot", "sys_nice", "sys_resource", "sys_time", 38 + "sys_tty_config", "mknod", "lease", "audit_write", 39 + "audit_control", "setfcap", NULL } }, 40 + { "filesystem", 41 + { "mount", "remount", "unmount", "getattr", 42 + "relabelfrom", "relabelto", "transition", "associate", "quotamod", 43 + "quotaget", NULL } }, 44 + { "file", 45 + { COMMON_FILE_PERMS, 46 + "execute_no_trans", "entrypoint", "execmod", "open", NULL } }, 47 + { "dir", 48 + { COMMON_FILE_PERMS, "add_name", "remove_name", 49 + "reparent", "search", "rmdir", "open", NULL } }, 50 + { "fd", { "use", NULL } }, 51 + { "lnk_file", 52 + { COMMON_FILE_PERMS, NULL } }, 53 + { "chr_file", 54 + { COMMON_FILE_PERMS, 55 + "execute_no_trans", "entrypoint", "execmod", "open", NULL } }, 56 + { "blk_file", 57 + { COMMON_FILE_PERMS, "open", NULL } }, 58 + { "sock_file", 59 + { COMMON_FILE_PERMS, "open", NULL } }, 60 + { "fifo_file", 61 + { COMMON_FILE_PERMS, "open", NULL } }, 62 + { "socket", 63 + { COMMON_SOCK_PERMS, NULL } }, 64 + { "tcp_socket", 65 + { COMMON_SOCK_PERMS, 66 + "connectto", "newconn", "acceptfrom", "node_bind", "name_connect", 67 + NULL } }, 68 + { "udp_socket", 69 + { COMMON_SOCK_PERMS, 70 + "node_bind", NULL } }, 71 + { "rawip_socket", 72 + { COMMON_SOCK_PERMS, 73 + "node_bind", NULL } }, 74 + { "node", 75 + { "tcp_recv", "tcp_send", "udp_recv", "udp_send", 76 + "rawip_recv", "rawip_send", "enforce_dest", 77 + "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } }, 78 + { "netif", 79 + { "tcp_recv", "tcp_send", "udp_recv", "udp_send", 80 + "rawip_recv", "rawip_send", "dccp_recv", "dccp_send", 81 + "ingress", "egress", NULL } }, 82 + { "netlink_socket", 83 + { COMMON_SOCK_PERMS, NULL } }, 84 + { "packet_socket", 85 + { COMMON_SOCK_PERMS, NULL } }, 86 + { "key_socket", 87 + { COMMON_SOCK_PERMS, NULL } }, 88 + { "unix_stream_socket", 89 + { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL 90 + } }, 91 + { "unix_dgram_socket", 92 + { COMMON_SOCK_PERMS, NULL 93 + } }, 94 + { "sem", 95 + { COMMON_IPC_PERMS, NULL } }, 96 + { "msg", { "send", "receive", NULL } }, 97 + { "msgq", 98 + { COMMON_IPC_PERMS, "enqueue", NULL } }, 99 + { "shm", 100 + { COMMON_IPC_PERMS, "lock", NULL } }, 101 + { "ipc", 102 + { COMMON_IPC_PERMS, NULL } }, 103 + { "netlink_route_socket", 104 + { COMMON_SOCK_PERMS, 105 + "nlmsg_read", "nlmsg_write", NULL } }, 106 + { "netlink_firewall_socket", 107 + { COMMON_SOCK_PERMS, 108 + "nlmsg_read", "nlmsg_write", NULL } }, 109 + { "netlink_tcpdiag_socket", 110 + { COMMON_SOCK_PERMS, 111 + "nlmsg_read", "nlmsg_write", NULL } }, 112 + { "netlink_nflog_socket", 113 + { COMMON_SOCK_PERMS, NULL } }, 114 + { "netlink_xfrm_socket", 115 + { COMMON_SOCK_PERMS, 116 + "nlmsg_read", "nlmsg_write", NULL } }, 117 + { "netlink_selinux_socket", 118 + { COMMON_SOCK_PERMS, NULL } }, 119 + { "netlink_audit_socket", 120 + { COMMON_SOCK_PERMS, 121 + "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv", 122 + "nlmsg_tty_audit", NULL } }, 123 + { "netlink_ip6fw_socket", 124 + { COMMON_SOCK_PERMS, 125 + "nlmsg_read", "nlmsg_write", NULL } }, 126 + { "netlink_dnrt_socket", 127 + { COMMON_SOCK_PERMS, NULL } }, 128 + { "association", 129 + { "sendto", "recvfrom", "setcontext", "polmatch", NULL } }, 130 + { "netlink_kobject_uevent_socket", 131 + { COMMON_SOCK_PERMS, NULL } }, 132 + { "appletalk_socket", 133 + { COMMON_SOCK_PERMS, NULL } }, 134 + { "packet", 135 + { "send", "recv", "relabelto", "flow_in", "flow_out", 136 + "forward_in", "forward_out", NULL } }, 137 + { "key", 138 + { "view", "read", "write", "search", "link", "setattr", "create", 139 + NULL } }, 140 + { "dccp_socket", 141 + { COMMON_SOCK_PERMS, 142 + "node_bind", "name_connect", NULL } }, 143 + { "memprotect", { "mmap_zero", NULL } }, 144 + { "peer", { "recv", NULL } }, 145 + { "capability2", { "mac_override", "mac_admin", NULL } }, 146 + { "kernel_service", { "use_as_override", "create_files_as", NULL } }, 147 + { "tun_socket", 148 + { COMMON_SOCK_PERMS, NULL } }, 149 + { NULL } 150 + };
-58
security/selinux/include/common_perm_to_string.h
··· 1 - /* This file is automatically generated. Do not edit. */ 2 - TB_(common_file_perm_to_string) 3 - S_("ioctl") 4 - S_("read") 5 - S_("write") 6 - S_("create") 7 - S_("getattr") 8 - S_("setattr") 9 - S_("lock") 10 - S_("relabelfrom") 11 - S_("relabelto") 12 - S_("append") 13 - S_("unlink") 14 - S_("link") 15 - S_("rename") 16 - S_("execute") 17 - S_("swapon") 18 - S_("quotaon") 19 - S_("mounton") 20 - TE_(common_file_perm_to_string) 21 - 22 - TB_(common_socket_perm_to_string) 23 - S_("ioctl") 24 - S_("read") 25 - S_("write") 26 - S_("create") 27 - S_("getattr") 28 - S_("setattr") 29 - S_("lock") 30 - S_("relabelfrom") 31 - S_("relabelto") 32 - S_("append") 33 - S_("bind") 34 - S_("connect") 35 - S_("listen") 36 - S_("accept") 37 - S_("getopt") 38 - S_("setopt") 39 - S_("shutdown") 40 - S_("recvfrom") 41 - S_("sendto") 42 - S_("recv_msg") 43 - S_("send_msg") 44 - S_("name_bind") 45 - TE_(common_socket_perm_to_string) 46 - 47 - TB_(common_ipc_perm_to_string) 48 - S_("create") 49 - S_("destroy") 50 - S_("getattr") 51 - S_("setattr") 52 - S_("read") 53 - S_("write") 54 - S_("associate") 55 - S_("unix_read") 56 - S_("unix_write") 57 - TE_(common_ipc_perm_to_string) 58 -
+20 -20
security/selinux/include/flask.h
··· 34 34 #define SECCLASS_MSGQ 27 35 35 #define SECCLASS_SHM 28 36 36 #define SECCLASS_IPC 29 37 - #define SECCLASS_NETLINK_ROUTE_SOCKET 43 38 - #define SECCLASS_NETLINK_FIREWALL_SOCKET 44 39 - #define SECCLASS_NETLINK_TCPDIAG_SOCKET 45 40 - #define SECCLASS_NETLINK_NFLOG_SOCKET 46 41 - #define SECCLASS_NETLINK_XFRM_SOCKET 47 42 - #define SECCLASS_NETLINK_SELINUX_SOCKET 48 43 - #define SECCLASS_NETLINK_AUDIT_SOCKET 49 44 - #define SECCLASS_NETLINK_IP6FW_SOCKET 50 45 - #define SECCLASS_NETLINK_DNRT_SOCKET 51 46 - #define SECCLASS_ASSOCIATION 54 47 - #define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55 48 - #define SECCLASS_APPLETALK_SOCKET 56 49 - #define SECCLASS_PACKET 57 50 - #define SECCLASS_KEY 58 51 - #define SECCLASS_DCCP_SOCKET 60 52 - #define SECCLASS_MEMPROTECT 61 53 - #define SECCLASS_PEER 68 54 - #define SECCLASS_CAPABILITY2 69 55 - #define SECCLASS_KERNEL_SERVICE 74 56 - #define SECCLASS_TUN_SOCKET 75 37 + #define SECCLASS_NETLINK_ROUTE_SOCKET 30 38 + #define SECCLASS_NETLINK_FIREWALL_SOCKET 31 39 + #define SECCLASS_NETLINK_TCPDIAG_SOCKET 32 40 + #define SECCLASS_NETLINK_NFLOG_SOCKET 33 41 + #define SECCLASS_NETLINK_XFRM_SOCKET 34 42 + #define SECCLASS_NETLINK_SELINUX_SOCKET 35 43 + #define SECCLASS_NETLINK_AUDIT_SOCKET 36 44 + #define SECCLASS_NETLINK_IP6FW_SOCKET 37 45 + #define SECCLASS_NETLINK_DNRT_SOCKET 38 46 + #define SECCLASS_ASSOCIATION 39 47 + #define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 40 48 + #define SECCLASS_APPLETALK_SOCKET 41 49 + #define SECCLASS_PACKET 42 50 + #define SECCLASS_KEY 43 51 + #define SECCLASS_DCCP_SOCKET 44 52 + #define SECCLASS_MEMPROTECT 45 53 + #define SECCLASS_PEER 46 54 + #define SECCLASS_CAPABILITY2 47 55 + #define SECCLASS_KERNEL_SERVICE 48 56 + #define SECCLASS_TUN_SOCKET 49 57 57 58 58 /* 59 59 * Security identifier indices for initial entities
+10 -3
security/selinux/include/security.h
··· 97 97 #define AVD_FLAGS_PERMISSIVE 0x0001 98 98 99 99 int security_compute_av(u32 ssid, u32 tsid, 100 - u16 tclass, u32 requested, 101 - struct av_decision *avd); 100 + u16 tclass, u32 requested, 101 + struct av_decision *avd); 102 + 103 + int security_compute_av_user(u32 ssid, u32 tsid, 104 + u16 tclass, u32 requested, 105 + struct av_decision *avd); 102 106 103 107 int security_transition_sid(u32 ssid, u32 tsid, 104 - u16 tclass, u32 *out_sid); 108 + u16 tclass, u32 *out_sid); 109 + 110 + int security_transition_sid_user(u32 ssid, u32 tsid, 111 + u16 tclass, u32 *out_sid); 105 112 106 113 int security_member_sid(u32 ssid, u32 tsid, 107 114 u16 tclass, u32 *out_sid);
+2 -2
security/selinux/selinuxfs.c
··· 522 522 if (length < 0) 523 523 goto out2; 524 524 525 - length = security_compute_av(ssid, tsid, tclass, req, &avd); 525 + length = security_compute_av_user(ssid, tsid, tclass, req, &avd); 526 526 if (length < 0) 527 527 goto out2; 528 528 ··· 571 571 if (length < 0) 572 572 goto out2; 573 573 574 - length = security_transition_sid(ssid, tsid, tclass, &newsid); 574 + length = security_transition_sid_user(ssid, tsid, tclass, &newsid); 575 575 if (length < 0) 576 576 goto out2; 577 577
+1 -1
security/selinux/ss/mls.c
··· 532 532 } 533 533 /* Fallthrough */ 534 534 case AVTAB_CHANGE: 535 - if (tclass == SECCLASS_PROCESS) 535 + if (tclass == policydb.process_class) 536 536 /* Use the process MLS attributes. */ 537 537 return mls_context_cpy(newcontext, scontext); 538 538 else
+45 -2
security/selinux/ss/policydb.c
··· 713 713 ebitmap_destroy(&p->type_attr_map[i]); 714 714 } 715 715 kfree(p->type_attr_map); 716 - kfree(p->undefined_perms); 717 716 ebitmap_destroy(&p->policycaps); 718 717 ebitmap_destroy(&p->permissive_map); 719 718 ··· 1639 1640 1640 1641 extern int ss_initialized; 1641 1642 1643 + u16 string_to_security_class(struct policydb *p, const char *name) 1644 + { 1645 + struct class_datum *cladatum; 1646 + 1647 + cladatum = hashtab_search(p->p_classes.table, name); 1648 + if (!cladatum) 1649 + return 0; 1650 + 1651 + return cladatum->value; 1652 + } 1653 + 1654 + u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name) 1655 + { 1656 + struct class_datum *cladatum; 1657 + struct perm_datum *perdatum = NULL; 1658 + struct common_datum *comdatum; 1659 + 1660 + if (!tclass || tclass > p->p_classes.nprim) 1661 + return 0; 1662 + 1663 + cladatum = p->class_val_to_struct[tclass-1]; 1664 + comdatum = cladatum->comdatum; 1665 + if (comdatum) 1666 + perdatum = hashtab_search(comdatum->permissions.table, 1667 + name); 1668 + if (!perdatum) 1669 + perdatum = hashtab_search(cladatum->permissions.table, 1670 + name); 1671 + if (!perdatum) 1672 + return 0; 1673 + 1674 + return 1U << (perdatum->value-1); 1675 + } 1676 + 1642 1677 /* 1643 1678 * Read the configuration data from a policy database binary 1644 1679 * representation file into a policy database structure. ··· 1892 1859 1893 1860 rc = policydb_index_others(p); 1894 1861 if (rc) 1862 + goto bad; 1863 + 1864 + p->process_class = string_to_security_class(p, "process"); 1865 + if (!p->process_class) 1866 + goto bad; 1867 + p->process_trans_perms = string_to_av_perm(p, p->process_class, 1868 + "transition"); 1869 + p->process_trans_perms |= string_to_av_perm(p, p->process_class, 1870 + "dyntransition"); 1871 + if (!p->process_trans_perms) 1895 1872 goto bad; 1896 1873 1897 1874 for (i = 0; i < info->ocon_num; i++) { ··· 2144 2101 goto bad; 2145 2102 rt->target_class = le32_to_cpu(buf[0]); 2146 2103 } else 2147 - rt->target_class = SECCLASS_PROCESS; 2104 + rt->target_class = p->process_class; 2148 2105 if (!policydb_type_isvalid(p, rt->source_type) || 2149 2106 !policydb_type_isvalid(p, rt->target_type) || 2150 2107 !policydb_class_isvalid(p, rt->target_class)) {
+6 -1
security/selinux/ss/policydb.h
··· 254 254 255 255 unsigned int reject_unknown : 1; 256 256 unsigned int allow_unknown : 1; 257 - u32 *undefined_perms; 257 + 258 + u16 process_class; 259 + u32 process_trans_perms; 258 260 }; 259 261 260 262 extern void policydb_destroy(struct policydb *p); ··· 296 294 fp->len -= bytes; 297 295 return 0; 298 296 } 297 + 298 + extern u16 string_to_security_class(struct policydb *p, const char *name); 299 + extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name); 299 300 300 301 #endif /* _SS_POLICYDB_H_ */ 301 302
+287 -253
security/selinux/ss/services.c
··· 70 70 int selinux_policycap_netpeer; 71 71 int selinux_policycap_openperm; 72 72 73 - /* 74 - * This is declared in avc.c 75 - */ 76 - extern const struct selinux_class_perm selinux_class_perm; 77 - 78 73 static DEFINE_RWLOCK(policy_rwlock); 79 74 80 75 static struct sidtab sidtab; ··· 93 98 u16 tclass, 94 99 u32 requested, 95 100 struct av_decision *avd); 101 + 102 + struct selinux_mapping { 103 + u16 value; /* policy value */ 104 + unsigned num_perms; 105 + u32 perms[sizeof(u32) * 8]; 106 + }; 107 + 108 + static struct selinux_mapping *current_mapping; 109 + static u16 current_mapping_size; 110 + 111 + static int selinux_set_mapping(struct policydb *pol, 112 + struct security_class_mapping *map, 113 + struct selinux_mapping **out_map_p, 114 + u16 *out_map_size) 115 + { 116 + struct selinux_mapping *out_map = NULL; 117 + size_t size = sizeof(struct selinux_mapping); 118 + u16 i, j; 119 + unsigned k; 120 + bool print_unknown_handle = false; 121 + 122 + /* Find number of classes in the input mapping */ 123 + if (!map) 124 + return -EINVAL; 125 + i = 0; 126 + while (map[i].name) 127 + i++; 128 + 129 + /* Allocate space for the class records, plus one for class zero */ 130 + out_map = kcalloc(++i, size, GFP_ATOMIC); 131 + if (!out_map) 132 + return -ENOMEM; 133 + 134 + /* Store the raw class and permission values */ 135 + j = 0; 136 + while (map[j].name) { 137 + struct security_class_mapping *p_in = map + (j++); 138 + struct selinux_mapping *p_out = out_map + j; 139 + 140 + /* An empty class string skips ahead */ 141 + if (!strcmp(p_in->name, "")) { 142 + p_out->num_perms = 0; 143 + continue; 144 + } 145 + 146 + p_out->value = string_to_security_class(pol, p_in->name); 147 + if (!p_out->value) { 148 + printk(KERN_INFO 149 + "SELinux: Class %s not defined in policy.\n", 150 + p_in->name); 151 + if (pol->reject_unknown) 152 + goto err; 153 + p_out->num_perms = 0; 154 + print_unknown_handle = true; 155 + continue; 156 + } 157 + 158 + k = 0; 159 + while (p_in->perms && p_in->perms[k]) { 160 + /* An empty permission string skips ahead */ 161 + if (!*p_in->perms[k]) { 162 + k++; 163 + continue; 164 + } 165 + p_out->perms[k] = string_to_av_perm(pol, p_out->value, 166 + p_in->perms[k]); 167 + if (!p_out->perms[k]) { 168 + printk(KERN_INFO 169 + "SELinux: Permission %s in class %s not defined in policy.\n", 170 + p_in->perms[k], p_in->name); 171 + if (pol->reject_unknown) 172 + goto err; 173 + print_unknown_handle = true; 174 + } 175 + 176 + k++; 177 + } 178 + p_out->num_perms = k; 179 + } 180 + 181 + if (print_unknown_handle) 182 + printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", 183 + pol->allow_unknown ? "allowed" : "denied"); 184 + 185 + *out_map_p = out_map; 186 + *out_map_size = i; 187 + return 0; 188 + err: 189 + kfree(out_map); 190 + return -EINVAL; 191 + } 192 + 193 + /* 194 + * Get real, policy values from mapped values 195 + */ 196 + 197 + static u16 unmap_class(u16 tclass) 198 + { 199 + if (tclass < current_mapping_size) 200 + return current_mapping[tclass].value; 201 + 202 + return tclass; 203 + } 204 + 205 + static u32 unmap_perm(u16 tclass, u32 tperm) 206 + { 207 + if (tclass < current_mapping_size) { 208 + unsigned i; 209 + u32 kperm = 0; 210 + 211 + for (i = 0; i < current_mapping[tclass].num_perms; i++) 212 + if (tperm & (1<<i)) { 213 + kperm |= current_mapping[tclass].perms[i]; 214 + tperm &= ~(1<<i); 215 + } 216 + return kperm; 217 + } 218 + 219 + return tperm; 220 + } 221 + 222 + static void map_decision(u16 tclass, struct av_decision *avd, 223 + int allow_unknown) 224 + { 225 + if (tclass < current_mapping_size) { 226 + unsigned i, n = current_mapping[tclass].num_perms; 227 + u32 result; 228 + 229 + for (i = 0, result = 0; i < n; i++) { 230 + if (avd->allowed & current_mapping[tclass].perms[i]) 231 + result |= 1<<i; 232 + if (allow_unknown && !current_mapping[tclass].perms[i]) 233 + result |= 1<<i; 234 + } 235 + avd->allowed = result; 236 + 237 + for (i = 0, result = 0; i < n; i++) 238 + if (avd->auditallow & current_mapping[tclass].perms[i]) 239 + result |= 1<<i; 240 + avd->auditallow = result; 241 + 242 + for (i = 0, result = 0; i < n; i++) { 243 + if (avd->auditdeny & current_mapping[tclass].perms[i]) 244 + result |= 1<<i; 245 + if (!allow_unknown && !current_mapping[tclass].perms[i]) 246 + result |= 1<<i; 247 + } 248 + avd->auditdeny = result; 249 + } 250 + } 251 + 252 + 96 253 /* 97 254 * Return the boolean value of a constraint expression 98 255 * when it is applied to the specified source and target ··· 614 467 struct class_datum *tclass_datum; 615 468 struct ebitmap *sattr, *tattr; 616 469 struct ebitmap_node *snode, *tnode; 617 - const struct selinux_class_perm *kdefs = &selinux_class_perm; 618 470 unsigned int i, j; 619 471 620 472 /* ··· 623 477 * to remain in the correct class. 624 478 */ 625 479 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 626 - if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 627 - tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 628 - tclass = SECCLASS_NETLINK_SOCKET; 480 + if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) && 481 + tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET)) 482 + tclass = unmap_class(SECCLASS_NETLINK_SOCKET); 629 483 630 484 /* 631 485 * Initialize the access vectors to the default values. ··· 636 490 avd->seqno = latest_granting; 637 491 avd->flags = 0; 638 492 639 - /* 640 - * Check for all the invalid cases. 641 - * - tclass 0 642 - * - tclass > policy and > kernel 643 - * - tclass > policy but is a userspace class 644 - * - tclass > policy but we do not allow unknowns 645 - */ 646 - if (unlikely(!tclass)) 647 - goto inval_class; 648 - if (unlikely(tclass > policydb.p_classes.nprim)) 649 - if (tclass > kdefs->cts_len || 650 - !kdefs->class_to_string[tclass] || 651 - !policydb.allow_unknown) 652 - goto inval_class; 653 - 654 - /* 655 - * Kernel class and we allow unknown so pad the allow decision 656 - * the pad will be all 1 for unknown classes. 657 - */ 658 - if (tclass <= kdefs->cts_len && policydb.allow_unknown) 659 - avd->allowed = policydb.undefined_perms[tclass - 1]; 660 - 661 - /* 662 - * Not in policy. Since decision is completed (all 1 or all 0) return. 663 - */ 664 - if (unlikely(tclass > policydb.p_classes.nprim)) 665 - return 0; 493 + if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) { 494 + if (printk_ratelimit()) 495 + printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass); 496 + return -EINVAL; 497 + } 666 498 667 499 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 668 500 ··· 692 568 * role is changing, then check the (current_role, new_role) 693 569 * pair. 694 570 */ 695 - if (tclass == SECCLASS_PROCESS && 696 - (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 571 + if (tclass == policydb.process_class && 572 + (avd->allowed & policydb.process_trans_perms) && 697 573 scontext->role != tcontext->role) { 698 574 for (ra = policydb.role_allow; ra; ra = ra->next) { 699 575 if (scontext->role == ra->role && ··· 701 577 break; 702 578 } 703 579 if (!ra) 704 - avd->allowed &= ~(PROCESS__TRANSITION | 705 - PROCESS__DYNTRANSITION); 580 + avd->allowed &= ~policydb.process_trans_perms; 706 581 } 707 582 708 583 /* ··· 712 589 type_attribute_bounds_av(scontext, tcontext, 713 590 tclass, requested, avd); 714 591 715 - return 0; 716 - 717 - inval_class: 718 - if (!tclass || tclass > kdefs->cts_len || 719 - !kdefs->class_to_string[tclass]) { 720 - if (printk_ratelimit()) 721 - printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", 722 - __func__, tclass); 723 - return -EINVAL; 724 - } 725 - 726 - /* 727 - * Known to the kernel, but not to the policy. 728 - * Handle as a denial (allowed is 0). 729 - */ 730 592 return 0; 731 593 } 732 594 ··· 744 636 } 745 637 746 638 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 747 - u16 tclass) 639 + u16 orig_tclass) 748 640 { 749 641 struct context *ocontext; 750 642 struct context *ncontext; 751 643 struct context *tcontext; 752 644 struct class_datum *tclass_datum; 753 645 struct constraint_node *constraint; 646 + u16 tclass; 754 647 int rc = 0; 755 648 756 649 if (!ss_initialized) 757 650 return 0; 758 651 759 652 read_lock(&policy_rwlock); 653 + 654 + tclass = unmap_class(orig_tclass); 760 655 761 656 /* 762 657 * Remap extended Netlink classes for old policy versions. ··· 768 657 * to remain in the correct class. 769 658 */ 770 659 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 771 - if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 772 - tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 773 - tclass = SECCLASS_NETLINK_SOCKET; 660 + if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) && 661 + tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET)) 662 + tclass = unmap_class(SECCLASS_NETLINK_SOCKET); 774 663 775 664 if (!tclass || tclass > policydb.p_classes.nprim) { 776 665 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", ··· 903 792 } 904 793 905 794 795 + static int security_compute_av_core(u32 ssid, 796 + u32 tsid, 797 + u16 tclass, 798 + u32 requested, 799 + struct av_decision *avd) 800 + { 801 + struct context *scontext = NULL, *tcontext = NULL; 802 + int rc = 0; 803 + 804 + scontext = sidtab_search(&sidtab, ssid); 805 + if (!scontext) { 806 + printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 807 + __func__, ssid); 808 + return -EINVAL; 809 + } 810 + tcontext = sidtab_search(&sidtab, tsid); 811 + if (!tcontext) { 812 + printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 813 + __func__, tsid); 814 + return -EINVAL; 815 + } 816 + 817 + rc = context_struct_compute_av(scontext, tcontext, tclass, 818 + requested, avd); 819 + 820 + /* permissive domain? */ 821 + if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) 822 + avd->flags |= AVD_FLAGS_PERMISSIVE; 823 + 824 + return rc; 825 + } 826 + 906 827 /** 907 828 * security_compute_av - Compute access vector decisions. 908 829 * @ssid: source security identifier ··· 950 807 */ 951 808 int security_compute_av(u32 ssid, 952 809 u32 tsid, 953 - u16 tclass, 954 - u32 requested, 810 + u16 orig_tclass, 811 + u32 orig_requested, 955 812 struct av_decision *avd) 956 813 { 957 - struct context *scontext = NULL, *tcontext = NULL; 958 - int rc = 0; 814 + u16 tclass; 815 + u32 requested; 816 + int rc; 817 + 818 + if (!ss_initialized) 819 + goto allow; 820 + 821 + read_lock(&policy_rwlock); 822 + requested = unmap_perm(orig_tclass, orig_requested); 823 + tclass = unmap_class(orig_tclass); 824 + if (unlikely(orig_tclass && !tclass)) { 825 + if (policydb.allow_unknown) 826 + goto allow; 827 + return -EINVAL; 828 + } 829 + rc = security_compute_av_core(ssid, tsid, tclass, requested, avd); 830 + map_decision(orig_tclass, avd, policydb.allow_unknown); 831 + read_unlock(&policy_rwlock); 832 + return rc; 833 + allow: 834 + avd->allowed = 0xffffffff; 835 + avd->auditallow = 0; 836 + avd->auditdeny = 0xffffffff; 837 + avd->seqno = latest_granting; 838 + avd->flags = 0; 839 + return 0; 840 + } 841 + 842 + int security_compute_av_user(u32 ssid, 843 + u32 tsid, 844 + u16 tclass, 845 + u32 requested, 846 + struct av_decision *avd) 847 + { 848 + int rc; 959 849 960 850 if (!ss_initialized) { 961 851 avd->allowed = 0xffffffff; ··· 999 823 } 1000 824 1001 825 read_lock(&policy_rwlock); 1002 - 1003 - scontext = sidtab_search(&sidtab, ssid); 1004 - if (!scontext) { 1005 - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1006 - __func__, ssid); 1007 - rc = -EINVAL; 1008 - goto out; 1009 - } 1010 - tcontext = sidtab_search(&sidtab, tsid); 1011 - if (!tcontext) { 1012 - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1013 - __func__, tsid); 1014 - rc = -EINVAL; 1015 - goto out; 1016 - } 1017 - 1018 - rc = context_struct_compute_av(scontext, tcontext, tclass, 1019 - requested, avd); 1020 - 1021 - /* permissive domain? */ 1022 - if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) 1023 - avd->flags |= AVD_FLAGS_PERMISSIVE; 1024 - out: 826 + rc = security_compute_av_core(ssid, tsid, tclass, requested, avd); 1025 827 read_unlock(&policy_rwlock); 1026 828 return rc; 1027 829 } ··· 1358 1204 1359 1205 static int security_compute_sid(u32 ssid, 1360 1206 u32 tsid, 1361 - u16 tclass, 1207 + u16 orig_tclass, 1362 1208 u32 specified, 1363 - u32 *out_sid) 1209 + u32 *out_sid, 1210 + bool kern) 1364 1211 { 1365 1212 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1366 1213 struct role_trans *roletr = NULL; 1367 1214 struct avtab_key avkey; 1368 1215 struct avtab_datum *avdatum; 1369 1216 struct avtab_node *node; 1217 + u16 tclass; 1370 1218 int rc = 0; 1371 1219 1372 1220 if (!ss_initialized) { 1373 - switch (tclass) { 1374 - case SECCLASS_PROCESS: 1221 + switch (orig_tclass) { 1222 + case SECCLASS_PROCESS: /* kernel value */ 1375 1223 *out_sid = ssid; 1376 1224 break; 1377 1225 default: ··· 1386 1230 context_init(&newcontext); 1387 1231 1388 1232 read_lock(&policy_rwlock); 1233 + 1234 + if (kern) 1235 + tclass = unmap_class(orig_tclass); 1236 + else 1237 + tclass = orig_tclass; 1389 1238 1390 1239 scontext = sidtab_search(&sidtab, ssid); 1391 1240 if (!scontext) { ··· 1421 1260 } 1422 1261 1423 1262 /* Set the role and type to default values. */ 1424 - switch (tclass) { 1425 - case SECCLASS_PROCESS: 1263 + if (tclass == policydb.process_class) { 1426 1264 /* Use the current role and type of process. */ 1427 1265 newcontext.role = scontext->role; 1428 1266 newcontext.type = scontext->type; 1429 - break; 1430 - default: 1267 + } else { 1431 1268 /* Use the well-defined object role. */ 1432 1269 newcontext.role = OBJECT_R_VAL; 1433 1270 /* Use the type of the related object. */ ··· 1456 1297 } 1457 1298 1458 1299 /* Check for class-specific changes. */ 1459 - switch (tclass) { 1460 - case SECCLASS_PROCESS: 1300 + if (tclass == policydb.process_class) { 1461 1301 if (specified & AVTAB_TRANSITION) { 1462 1302 /* Look for a role transition rule. */ 1463 1303 for (roletr = policydb.role_tr; roletr; ··· 1469 1311 } 1470 1312 } 1471 1313 } 1472 - break; 1473 - default: 1474 - break; 1475 1314 } 1476 1315 1477 1316 /* Set the MLS attributes. ··· 1513 1358 u16 tclass, 1514 1359 u32 *out_sid) 1515 1360 { 1516 - return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 1361 + return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, 1362 + out_sid, true); 1363 + } 1364 + 1365 + int security_transition_sid_user(u32 ssid, 1366 + u32 tsid, 1367 + u16 tclass, 1368 + u32 *out_sid) 1369 + { 1370 + return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, 1371 + out_sid, false); 1517 1372 } 1518 1373 1519 1374 /** ··· 1544 1379 u16 tclass, 1545 1380 u32 *out_sid) 1546 1381 { 1547 - return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 1382 + return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid, 1383 + false); 1548 1384 } 1549 1385 1550 1386 /** ··· 1566 1400 u16 tclass, 1567 1401 u32 *out_sid) 1568 1402 { 1569 - return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1570 - } 1571 - 1572 - /* 1573 - * Verify that each kernel class that is defined in the 1574 - * policy is correct 1575 - */ 1576 - static int validate_classes(struct policydb *p) 1577 - { 1578 - int i, j; 1579 - struct class_datum *cladatum; 1580 - struct perm_datum *perdatum; 1581 - u32 nprim, tmp, common_pts_len, perm_val, pol_val; 1582 - u16 class_val; 1583 - const struct selinux_class_perm *kdefs = &selinux_class_perm; 1584 - const char *def_class, *def_perm, *pol_class; 1585 - struct symtab *perms; 1586 - bool print_unknown_handle = 0; 1587 - 1588 - if (p->allow_unknown) { 1589 - u32 num_classes = kdefs->cts_len; 1590 - p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL); 1591 - if (!p->undefined_perms) 1592 - return -ENOMEM; 1593 - } 1594 - 1595 - for (i = 1; i < kdefs->cts_len; i++) { 1596 - def_class = kdefs->class_to_string[i]; 1597 - if (!def_class) 1598 - continue; 1599 - if (i > p->p_classes.nprim) { 1600 - printk(KERN_INFO 1601 - "SELinux: class %s not defined in policy\n", 1602 - def_class); 1603 - if (p->reject_unknown) 1604 - return -EINVAL; 1605 - if (p->allow_unknown) 1606 - p->undefined_perms[i-1] = ~0U; 1607 - print_unknown_handle = 1; 1608 - continue; 1609 - } 1610 - pol_class = p->p_class_val_to_name[i-1]; 1611 - if (strcmp(pol_class, def_class)) { 1612 - printk(KERN_ERR 1613 - "SELinux: class %d is incorrect, found %s but should be %s\n", 1614 - i, pol_class, def_class); 1615 - return -EINVAL; 1616 - } 1617 - } 1618 - for (i = 0; i < kdefs->av_pts_len; i++) { 1619 - class_val = kdefs->av_perm_to_string[i].tclass; 1620 - perm_val = kdefs->av_perm_to_string[i].value; 1621 - def_perm = kdefs->av_perm_to_string[i].name; 1622 - if (class_val > p->p_classes.nprim) 1623 - continue; 1624 - pol_class = p->p_class_val_to_name[class_val-1]; 1625 - cladatum = hashtab_search(p->p_classes.table, pol_class); 1626 - BUG_ON(!cladatum); 1627 - perms = &cladatum->permissions; 1628 - nprim = 1 << (perms->nprim - 1); 1629 - if (perm_val > nprim) { 1630 - printk(KERN_INFO 1631 - "SELinux: permission %s in class %s not defined in policy\n", 1632 - def_perm, pol_class); 1633 - if (p->reject_unknown) 1634 - return -EINVAL; 1635 - if (p->allow_unknown) 1636 - p->undefined_perms[class_val-1] |= perm_val; 1637 - print_unknown_handle = 1; 1638 - continue; 1639 - } 1640 - perdatum = hashtab_search(perms->table, def_perm); 1641 - if (perdatum == NULL) { 1642 - printk(KERN_ERR 1643 - "SELinux: permission %s in class %s not found in policy, bad policy\n", 1644 - def_perm, pol_class); 1645 - return -EINVAL; 1646 - } 1647 - pol_val = 1 << (perdatum->value - 1); 1648 - if (pol_val != perm_val) { 1649 - printk(KERN_ERR 1650 - "SELinux: permission %s in class %s has incorrect value\n", 1651 - def_perm, pol_class); 1652 - return -EINVAL; 1653 - } 1654 - } 1655 - for (i = 0; i < kdefs->av_inherit_len; i++) { 1656 - class_val = kdefs->av_inherit[i].tclass; 1657 - if (class_val > p->p_classes.nprim) 1658 - continue; 1659 - pol_class = p->p_class_val_to_name[class_val-1]; 1660 - cladatum = hashtab_search(p->p_classes.table, pol_class); 1661 - BUG_ON(!cladatum); 1662 - if (!cladatum->comdatum) { 1663 - printk(KERN_ERR 1664 - "SELinux: class %s should have an inherits clause but does not\n", 1665 - pol_class); 1666 - return -EINVAL; 1667 - } 1668 - tmp = kdefs->av_inherit[i].common_base; 1669 - common_pts_len = 0; 1670 - while (!(tmp & 0x01)) { 1671 - common_pts_len++; 1672 - tmp >>= 1; 1673 - } 1674 - perms = &cladatum->comdatum->permissions; 1675 - for (j = 0; j < common_pts_len; j++) { 1676 - def_perm = kdefs->av_inherit[i].common_pts[j]; 1677 - if (j >= perms->nprim) { 1678 - printk(KERN_INFO 1679 - "SELinux: permission %s in class %s not defined in policy\n", 1680 - def_perm, pol_class); 1681 - if (p->reject_unknown) 1682 - return -EINVAL; 1683 - if (p->allow_unknown) 1684 - p->undefined_perms[class_val-1] |= (1 << j); 1685 - print_unknown_handle = 1; 1686 - continue; 1687 - } 1688 - perdatum = hashtab_search(perms->table, def_perm); 1689 - if (perdatum == NULL) { 1690 - printk(KERN_ERR 1691 - "SELinux: permission %s in class %s not found in policy, bad policy\n", 1692 - def_perm, pol_class); 1693 - return -EINVAL; 1694 - } 1695 - if (perdatum->value != j + 1) { 1696 - printk(KERN_ERR 1697 - "SELinux: permission %s in class %s has incorrect value\n", 1698 - def_perm, pol_class); 1699 - return -EINVAL; 1700 - } 1701 - } 1702 - } 1703 - if (print_unknown_handle) 1704 - printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", 1705 - (security_get_allow_unknown() ? "allowed" : "denied")); 1706 - return 0; 1403 + return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid, 1404 + false); 1707 1405 } 1708 1406 1709 1407 /* Clone the SID into the new SID table. */ ··· 1740 1710 { 1741 1711 struct policydb oldpolicydb, newpolicydb; 1742 1712 struct sidtab oldsidtab, newsidtab; 1713 + struct selinux_mapping *oldmap, *map = NULL; 1743 1714 struct convert_context_args args; 1744 1715 u32 seqno; 1716 + u16 map_size; 1745 1717 int rc = 0; 1746 1718 struct policy_file file = { data, len }, *fp = &file; 1747 1719 ··· 1753 1721 avtab_cache_destroy(); 1754 1722 return -EINVAL; 1755 1723 } 1756 - if (policydb_load_isids(&policydb, &sidtab)) { 1724 + if (selinux_set_mapping(&policydb, secclass_map, 1725 + &current_mapping, 1726 + &current_mapping_size)) { 1757 1727 policydb_destroy(&policydb); 1758 1728 avtab_cache_destroy(); 1759 1729 return -EINVAL; 1760 1730 } 1761 - /* Verify that the kernel defined classes are correct. */ 1762 - if (validate_classes(&policydb)) { 1763 - printk(KERN_ERR 1764 - "SELinux: the definition of a class is incorrect\n"); 1765 - sidtab_destroy(&sidtab); 1731 + if (policydb_load_isids(&policydb, &sidtab)) { 1766 1732 policydb_destroy(&policydb); 1767 1733 avtab_cache_destroy(); 1768 1734 return -EINVAL; ··· 1789 1759 return -ENOMEM; 1790 1760 } 1791 1761 1792 - /* Verify that the kernel defined classes are correct. */ 1793 - if (validate_classes(&newpolicydb)) { 1794 - printk(KERN_ERR 1795 - "SELinux: the definition of a class is incorrect\n"); 1796 - rc = -EINVAL; 1762 + if (selinux_set_mapping(&newpolicydb, secclass_map, 1763 + &map, &map_size)) 1797 1764 goto err; 1798 - } 1799 1765 1800 1766 rc = security_preserve_bools(&newpolicydb); 1801 1767 if (rc) { ··· 1825 1799 memcpy(&policydb, &newpolicydb, sizeof policydb); 1826 1800 sidtab_set(&sidtab, &newsidtab); 1827 1801 security_load_policycaps(); 1802 + oldmap = current_mapping; 1803 + current_mapping = map; 1804 + current_mapping_size = map_size; 1828 1805 seqno = ++latest_granting; 1829 1806 policydb_loaded_version = policydb.policyvers; 1830 1807 write_unlock_irq(&policy_rwlock); ··· 1835 1806 /* Free the old policydb and SID table. */ 1836 1807 policydb_destroy(&oldpolicydb); 1837 1808 sidtab_destroy(&oldsidtab); 1809 + kfree(oldmap); 1838 1810 1839 1811 avc_ss_reset(seqno); 1840 1812 selnl_notify_policyload(seqno); ··· 1845 1815 return 0; 1846 1816 1847 1817 err: 1818 + kfree(map); 1848 1819 sidtab_destroy(&newsidtab); 1849 1820 policydb_destroy(&newpolicydb); 1850 1821 return rc; ··· 2122 2091 } 2123 2092 for (i = 0, j = 0; i < mynel; i++) { 2124 2093 rc = avc_has_perm_noaudit(fromsid, mysids[i], 2125 - SECCLASS_PROCESS, 2094 + SECCLASS_PROCESS, /* kernel value */ 2126 2095 PROCESS__TRANSITION, AVC_STRICT, 2127 2096 NULL); 2128 2097 if (!rc) ··· 2150 2119 */ 2151 2120 int security_genfs_sid(const char *fstype, 2152 2121 char *path, 2153 - u16 sclass, 2122 + u16 orig_sclass, 2154 2123 u32 *sid) 2155 2124 { 2156 2125 int len; 2126 + u16 sclass; 2157 2127 struct genfs *genfs; 2158 2128 struct ocontext *c; 2159 2129 int rc = 0, cmp = 0; ··· 2163 2131 path++; 2164 2132 2165 2133 read_lock(&policy_rwlock); 2134 + 2135 + sclass = unmap_class(orig_sclass); 2166 2136 2167 2137 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 2168 2138 cmp = strcmp(fstype, genfs->fstype);