+1 -6

security/selinux/hooks.c

reviewed

··· 82 82 #include <linux/syslog.h> 83 83 #include <linux/user_namespace.h> 84 84 #include <linux/export.h> 85 85 - #include <linux/security.h> 86 85 #include <linux/msg.h> 87 86 #include <linux/shm.h> 88 87 ··· 4473 4474 { 4474 4475 struct sk_security_struct *sksec = sk->sk_security; 4475 4476 int err; 4476 4476 - u16 family = sk->sk_family; 4477 4477 + u16 family = req->rsk_ops->family; 4477 4478 u32 connsid; 4478 4479 u32 peersid; 4479 4479 - 4480 4480 - /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4481 4481 - if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4482 4482 - family = PF_INET; 4483 4480 4484 4481 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4485 4482 if (err)

+2 -1

security/selinux/include/security.h

reviewed

··· 33 33 #define POLICYDB_VERSION_ROLETRANS 26 34 34 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27 35 35 #define POLICYDB_VERSION_DEFAULT_TYPE 28 36 36 + #define POLICYDB_VERSION_CONSTRAINT_NAMES 29 36 37 37 38 /* Range of policy versions we understand*/ 38 39 #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE 39 40 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX 40 41 #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE 41 42 #else 42 42 - #define POLICYDB_VERSION_MAX POLICYDB_VERSION_DEFAULT_TYPE 43 43 + #define POLICYDB_VERSION_MAX POLICYDB_VERSION_CONSTRAINT_NAMES 43 44 #endif 44 45 45 46 /* Mask for just the mount related flags */

+30 -1

security/selinux/netlabel.c

reviewed

··· 101 101 } 102 102 103 103 /** 104 104 + * selinux_netlbl_sock_getattr - Get the cached NetLabel secattr 105 105 + * @sk: the socket 106 106 + * @sid: the SID 107 107 + * 108 108 + * Query the socket's cached secattr and if the SID matches the cached value 109 109 + * return the cache, otherwise return NULL. 110 110 + * 111 111 + */ 112 112 + static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( 113 113 + const struct sock *sk, 114 114 + u32 sid) 115 115 + { 116 116 + struct sk_security_struct *sksec = sk->sk_security; 117 117 + struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr; 118 118 + 119 119 + if (secattr == NULL) 120 120 + return NULL; 121 121 + 122 122 + if ((secattr->flags & NETLBL_SECATTR_SECID) && 123 123 + (secattr->attr.secid == sid)) 124 124 + return secattr; 125 125 + 126 126 + return NULL; 127 127 + } 128 128 + 129 129 + /** 104 130 * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache 105 131 * 106 132 * Description: ··· 250 224 struct sk_security_struct *sksec = sk->sk_security; 251 225 if (sksec->nlbl_state != NLBL_REQSKB) 252 226 return 0; 253 253 - secattr = sksec->nlbl_secattr; 227 227 + secattr = selinux_netlbl_sock_getattr(sk, sid); 254 228 } 255 229 if (secattr == NULL) { 256 230 secattr = &secattr_storage; ··· 436 410 sksec->nlbl_state == NLBL_CONNLABELED)) { 437 411 netlbl_secattr_init(&secattr); 438 412 lock_sock(sk); 413 413 + /* call the netlabel function directly as we want to see the 414 414 + * on-the-wire label that is assigned via the socket's options 415 415 + * and not the cached netlabel/lsm attributes */ 439 416 rc = netlbl_sock_getattr(sk, &secattr); 440 417 release_sock(sk); 441 418 if (rc == 0)

+1

security/selinux/ss/constraint.h

reviewed

··· 48 48 u32 op; /* operator */ 49 49 50 50 struct ebitmap names; /* names */ 51 51 + struct type_set *type_names; 51 52 52 53 struct constraint_expr *next; /* next expression */ 53 54 };

+87 -9

security/selinux/ss/policydb.c

reviewed

··· 143 143 .sym_num = SYM_NUM, 144 144 .ocon_num = OCON_NUM, 145 145 }, 146 146 + { 147 147 + .version = POLICYDB_VERSION_CONSTRAINT_NAMES, 148 148 + .sym_num = SYM_NUM, 149 149 + .ocon_num = OCON_NUM, 150 150 + }, 146 151 }; 147 152 148 153 static struct policydb_compat_info *policydb_lookup_compat(int version) ··· 618 613 return 0; 619 614 } 620 615 616 616 + static void constraint_expr_destroy(struct constraint_expr *expr) 617 617 + { 618 618 + if (expr) { 619 619 + ebitmap_destroy(&expr->names); 620 620 + if (expr->type_names) { 621 621 + ebitmap_destroy(&expr->type_names->types); 622 622 + ebitmap_destroy(&expr->type_names->negset); 623 623 + kfree(expr->type_names); 624 624 + } 625 625 + kfree(expr); 626 626 + } 627 627 + } 628 628 + 621 629 static int cls_destroy(void *key, void *datum, void *p) 622 630 { 623 631 struct class_datum *cladatum; ··· 646 628 while (constraint) { 647 629 e = constraint->expr; 648 630 while (e) { 649 649 - ebitmap_destroy(&e->names); 650 631 etmp = e; 651 632 e = e->next; 652 652 - kfree(etmp); 633 633 + constraint_expr_destroy(etmp); 653 634 } 654 635 ctemp = constraint; 655 636 constraint = constraint->next; ··· 659 642 while (constraint) { 660 643 e = constraint->expr; 661 644 while (e) { 662 662 - ebitmap_destroy(&e->names); 663 645 etmp = e; 664 646 e = e->next; 665 665 - kfree(etmp); 647 647 + constraint_expr_destroy(etmp); 666 648 } 667 649 ctemp = constraint; 668 650 constraint = constraint->next; 669 651 kfree(ctemp); 670 652 } 671 671 - 672 653 kfree(cladatum->comkey); 673 654 } 674 655 kfree(datum); ··· 1171 1156 return rc; 1172 1157 } 1173 1158 1174 1174 - static int read_cons_helper(struct constraint_node **nodep, int ncons, 1175 1175 - int allowxtarget, void *fp) 1159 1159 + static void type_set_init(struct type_set *t) 1160 1160 + { 1161 1161 + ebitmap_init(&t->types); 1162 1162 + ebitmap_init(&t->negset); 1163 1163 + } 1164 1164 + 1165 1165 + static int type_set_read(struct type_set *t, void *fp) 1166 1166 + { 1167 1167 + __le32 buf[1]; 1168 1168 + int rc; 1169 1169 + 1170 1170 + if (ebitmap_read(&t->types, fp)) 1171 1171 + return -EINVAL; 1172 1172 + if (ebitmap_read(&t->negset, fp)) 1173 1173 + return -EINVAL; 1174 1174 + 1175 1175 + rc = next_entry(buf, fp, sizeof(u32)); 1176 1176 + if (rc < 0) 1177 1177 + return -EINVAL; 1178 1178 + t->flags = le32_to_cpu(buf[0]); 1179 1179 + 1180 1180 + return 0; 1181 1181 + } 1182 1182 + 1183 1183 + 1184 1184 + static int read_cons_helper(struct policydb *p, 1185 1185 + struct constraint_node **nodep, 1186 1186 + int ncons, int allowxtarget, void *fp) 1176 1187 { 1177 1188 struct constraint_node *c, *lc; 1178 1189 struct constraint_expr *e, *le; ··· 1266 1225 rc = ebitmap_read(&e->names, fp); 1267 1226 if (rc) 1268 1227 return rc; 1228 1228 + if (p->policyvers >= 1229 1229 + POLICYDB_VERSION_CONSTRAINT_NAMES) { 1230 1230 + e->type_names = kzalloc(sizeof 1231 1231 + (*e->type_names), 1232 1232 + GFP_KERNEL); 1233 1233 + if (!e->type_names) 1234 1234 + return -ENOMEM; 1235 1235 + type_set_init(e->type_names); 1236 1236 + rc = type_set_read(e->type_names, fp); 1237 1237 + if (rc) 1238 1238 + return rc; 1239 1239 + } 1269 1240 break; 1270 1241 default: 1271 1242 return -EINVAL; ··· 1354 1301 goto bad; 1355 1302 } 1356 1303 1357 1357 - rc = read_cons_helper(&cladatum->constraints, ncons, 0, fp); 1304 1304 + rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp); 1358 1305 if (rc) 1359 1306 goto bad; 1360 1307 ··· 1364 1311 if (rc) 1365 1312 goto bad; 1366 1313 ncons = le32_to_cpu(buf[0]); 1367 1367 - rc = read_cons_helper(&cladatum->validatetrans, ncons, 1, fp); 1314 1314 + rc = read_cons_helper(p, &cladatum->validatetrans, 1315 1315 + ncons, 1, fp); 1368 1316 if (rc) 1369 1317 goto bad; 1370 1318 } ··· 2807 2753 return 0; 2808 2754 } 2809 2755 2756 2756 + static int type_set_write(struct type_set *t, void *fp) 2757 2757 + { 2758 2758 + int rc; 2759 2759 + __le32 buf[1]; 2760 2760 + 2761 2761 + if (ebitmap_write(&t->types, fp)) 2762 2762 + return -EINVAL; 2763 2763 + if (ebitmap_write(&t->negset, fp)) 2764 2764 + return -EINVAL; 2765 2765 + 2766 2766 + buf[0] = cpu_to_le32(t->flags); 2767 2767 + rc = put_entry(buf, sizeof(u32), 1, fp); 2768 2768 + if (rc) 2769 2769 + return -EINVAL; 2770 2770 + 2771 2771 + return 0; 2772 2772 + } 2773 2773 + 2810 2774 static int write_cons_helper(struct policydb *p, struct constraint_node *node, 2811 2775 void *fp) 2812 2776 { ··· 2856 2784 rc = ebitmap_write(&e->names, fp); 2857 2785 if (rc) 2858 2786 return rc; 2787 2787 + if (p->policyvers >= 2788 2788 + POLICYDB_VERSION_CONSTRAINT_NAMES) { 2789 2789 + rc = type_set_write(e->type_names, fp); 2790 2790 + if (rc) 2791 2791 + return rc; 2792 2792 + } 2859 2793 break; 2860 2794 default: 2861 2795 break;

+11

security/selinux/ss/policydb.h

reviewed

··· 154 154 struct cond_node; 155 155 156 156 /* 157 157 + * type set preserves data needed to determine constraint info from 158 158 + * policy source. This is not used by the kernel policy but allows 159 159 + * utilities such as audit2allow to determine constraint denials. 160 160 + */ 161 161 + struct type_set { 162 162 + struct ebitmap types; 163 163 + struct ebitmap negset; 164 164 + u32 flags; 165 165 + }; 166 166 + 167 167 + /* 157 168 * The configuration data includes security contexts for 158 169 * initial SIDs, unlabeled file systems, TCP and UDP port numbers, 159 170 * network interfaces, and nodes. This structure stores the

+32 -22

security/selinux/ss/services.c

reviewed

··· 1831 1831 */ 1832 1832 int security_load_policy(void *data, size_t len) 1833 1833 { 1834 1834 - struct policydb oldpolicydb, newpolicydb; 1834 1834 + struct policydb *oldpolicydb, *newpolicydb; 1835 1835 struct sidtab oldsidtab, newsidtab; 1836 1836 struct selinux_mapping *oldmap, *map = NULL; 1837 1837 struct convert_context_args args; ··· 1840 1840 int rc = 0; 1841 1841 struct policy_file file = { data, len }, *fp = &file; 1842 1842 1843 1843 + oldpolicydb = kzalloc(2 * sizeof(*oldpolicydb), GFP_KERNEL); 1844 1844 + if (!oldpolicydb) { 1845 1845 + rc = -ENOMEM; 1846 1846 + goto out; 1847 1847 + } 1848 1848 + newpolicydb = oldpolicydb + 1; 1849 1849 + 1843 1850 if (!ss_initialized) { 1844 1851 avtab_cache_init(); 1845 1852 rc = policydb_read(&policydb, fp); 1846 1853 if (rc) { 1847 1854 avtab_cache_destroy(); 1848 1848 - return rc; 1855 1855 + goto out; 1849 1856 } 1850 1857 1851 1858 policydb.len = len; ··· 1862 1855 if (rc) { 1863 1856 policydb_destroy(&policydb); 1864 1857 avtab_cache_destroy(); 1865 1865 - return rc; 1858 1858 + goto out; 1866 1859 } 1867 1860 1868 1861 rc = policydb_load_isids(&policydb, &sidtab); 1869 1862 if (rc) { 1870 1863 policydb_destroy(&policydb); 1871 1864 avtab_cache_destroy(); 1872 1872 - return rc; 1865 1865 + goto out; 1873 1866 } 1874 1867 1875 1868 security_load_policycaps(); ··· 1881 1874 selinux_status_update_policyload(seqno); 1882 1875 selinux_netlbl_cache_invalidate(); 1883 1876 selinux_xfrm_notify_policyload(); 1884 1884 - return 0; 1877 1877 + goto out; 1885 1878 } 1886 1879 1887 1880 #if 0 1888 1881 sidtab_hash_eval(&sidtab, "sids"); 1889 1882 #endif 1890 1883 1891 1891 - rc = policydb_read(&newpolicydb, fp); 1884 1884 + rc = policydb_read(newpolicydb, fp); 1892 1885 if (rc) 1893 1893 - return rc; 1886 1886 + goto out; 1894 1887 1895 1895 - newpolicydb.len = len; 1888 1888 + newpolicydb->len = len; 1896 1889 /* If switching between different policy types, log MLS status */ 1897 1897 - if (policydb.mls_enabled && !newpolicydb.mls_enabled) 1890 1890 + if (policydb.mls_enabled && !newpolicydb->mls_enabled) 1898 1891 printk(KERN_INFO "SELinux: Disabling MLS support...\n"); 1899 1899 - else if (!policydb.mls_enabled && newpolicydb.mls_enabled) 1892 1892 + else if (!policydb.mls_enabled && newpolicydb->mls_enabled) 1900 1893 printk(KERN_INFO "SELinux: Enabling MLS support...\n"); 1901 1894 1902 1902 - rc = policydb_load_isids(&newpolicydb, &newsidtab); 1895 1895 + rc = policydb_load_isids(newpolicydb, &newsidtab); 1903 1896 if (rc) { 1904 1897 printk(KERN_ERR "SELinux: unable to load the initial SIDs\n"); 1905 1905 - policydb_destroy(&newpolicydb); 1906 1906 - return rc; 1898 1898 + policydb_destroy(newpolicydb); 1899 1899 + goto out; 1907 1900 } 1908 1901 1909 1909 - rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size); 1902 1902 + rc = selinux_set_mapping(newpolicydb, secclass_map, &map, &map_size); 1910 1903 if (rc) 1911 1904 goto err; 1912 1905 1913 1913 - rc = security_preserve_bools(&newpolicydb); 1906 1906 + rc = security_preserve_bools(newpolicydb); 1914 1907 if (rc) { 1915 1908 printk(KERN_ERR "SELinux: unable to preserve booleans\n"); 1916 1909 goto err; ··· 1928 1921 * in the new SID table. 1929 1922 */ 1930 1923 args.oldp = &policydb; 1931 1931 - args.newp = &newpolicydb; 1924 1924 + args.newp = newpolicydb; 1932 1925 rc = sidtab_map(&newsidtab, convert_context, &args); 1933 1926 if (rc) { 1934 1927 printk(KERN_ERR "SELinux: unable to convert the internal" ··· 1938 1931 } 1939 1932 1940 1933 /* Save the old policydb and SID table to free later. */ 1941 1941 - memcpy(&oldpolicydb, &policydb, sizeof policydb); 1934 1934 + memcpy(oldpolicydb, &policydb, sizeof(policydb)); 1942 1935 sidtab_set(&oldsidtab, &sidtab); 1943 1936 1944 1937 /* Install the new policydb and SID table. */ 1945 1938 write_lock_irq(&policy_rwlock); 1946 1946 - memcpy(&policydb, &newpolicydb, sizeof policydb); 1939 1939 + memcpy(&policydb, newpolicydb, sizeof(policydb)); 1947 1940 sidtab_set(&sidtab, &newsidtab); 1948 1941 security_load_policycaps(); 1949 1942 oldmap = current_mapping; ··· 1953 1946 write_unlock_irq(&policy_rwlock); 1954 1947 1955 1948 /* Free the old policydb and SID table. */ 1956 1956 - policydb_destroy(&oldpolicydb); 1949 1949 + policydb_destroy(oldpolicydb); 1957 1950 sidtab_destroy(&oldsidtab); 1958 1951 kfree(oldmap); 1959 1952 ··· 1963 1956 selinux_netlbl_cache_invalidate(); 1964 1957 selinux_xfrm_notify_policyload(); 1965 1958 1966 1966 - return 0; 1959 1959 + rc = 0; 1960 1960 + goto out; 1967 1961 1968 1962 err: 1969 1963 kfree(map); 1970 1964 sidtab_destroy(&newsidtab); 1971 1971 - policydb_destroy(&newpolicydb); 1972 1972 - return rc; 1965 1965 + policydb_destroy(newpolicydb); 1973 1966 1967 1967 + out: 1968 1968 + kfree(oldpolicydb); 1969 1969 + return rc; 1974 1970 } 1975 1971 1976 1972 size_t security_policydb_len(void)