tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'selinux-pr-20190507' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore:
"We've got a few SELinux patches for the v5.2 merge window, the
highlights are below:
- Add LSM hooks, and the SELinux implementation, for proper labeling
of kernfs. While we are only including the SELinux implementation
here, the rest of the LSM folks have given the hooks a thumbs-up.
- Update the SELinux mdp (Make Dummy Policy) script to actually work
on a modern system.
- Disallow userspace to change the LSM credentials via
/proc/self/attr when the task's credentials are already overridden.
The change was made in procfs because all the LSM folks agreed this
was the Right Thing To Do and duplicating it across each LSM was
going to be annoying"
* tag 'selinux-pr-20190507' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
proc: prevent changes to overridden credentials
selinux: Check address length before reading address family
kernfs: fix xattr name handling in LSM helpers
MAINTAINERS: update SELinux file patterns
selinux: avoid uninitialized variable warning
selinux: remove useless assignments
LSM: lsm_hooks.h - fix missing colon in docstring
selinux: Make selinux_kernfs_init_security static
kernfs: initialize security of newly created nodes
selinux: implement the kernfs_init_security hook
LSM: add new hook for kernfs node initialization
kernfs: use simple_xattrs for security attributes
selinux: try security xattr after genfs for kernfs filesystems
kernfs: do not alloc iattrs in kernfs_xattr_get
kernfs: clean up struct kernfs_iattrs
scripts/selinux: fix build
selinux: use kernel linux/socket.h for genheaders and mdp
scripts/selinux: modernize mdp
+492
-274
+1
-1
MAINTAINERS
+1
-1
MAINTAINERS
···
13994
13994
W: https://github.com/SELinuxProject
13995
13995
T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
13996
13996
S: Supported
13997
-
F: include/linux/selinux*
13997
+
F: include/uapi/linux/selinux_netlink.h
13998
13998
F: security/selinux/
13999
13999
F: scripts/selinux/
14000
14000
F: Documentation/admin-guide/LSM/SELinux.rst
+13
-11
fs/kernfs/dir.c
+13
-11
fs/kernfs/dir.c
···
532
532
kfree_const(kn->name);
533
533
534
534
if (kn->iattr) {
535
-
if (kn->iattr->ia_secdata)
536
-
security_release_secctx(kn->iattr->ia_secdata,
537
-
kn->iattr->ia_secdata_len);
538
535
simple_xattrs_free(&kn->iattr->xattrs);
539
536
kmem_cache_free(kernfs_iattrs_cache, kn->iattr);
540
537
}
···
615
618
}
616
619
617
620
static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
621
+
struct kernfs_node *parent,
618
622
const char *name, umode_t mode,
619
623
kuid_t uid, kgid_t gid,
620
624
unsigned flags)
···
671
673
goto err_out3;
672
674
}
673
675
676
+
if (parent) {
677
+
ret = security_kernfs_init_security(parent, kn);
678
+
if (ret)
679
+
goto err_out3;
680
+
}
681
+
674
682
return kn;
675
683
676
684
err_out3:
···
695
691
{
696
692
struct kernfs_node *kn;
697
693
698
-
kn = __kernfs_new_node(kernfs_root(parent),
694
+
kn = __kernfs_new_node(kernfs_root(parent), parent,
699
695
name, mode, uid, gid, flags);
700
696
if (kn) {
701
697
kernfs_get(parent);
···
798
794
/* Update timestamps on the parent */
799
795
ps_iattr = parent->iattr;
800
796
if (ps_iattr) {
801
-
struct iattr *ps_iattrs = &ps_iattr->ia_iattr;
802
-
ktime_get_real_ts64(&ps_iattrs->ia_ctime);
803
-
ps_iattrs->ia_mtime = ps_iattrs->ia_ctime;
797
+
ktime_get_real_ts64(&ps_iattr->ia_ctime);
798
+
ps_iattr->ia_mtime = ps_iattr->ia_ctime;
804
799
}
805
800
806
801
mutex_unlock(&kernfs_mutex);
···
964
961
INIT_LIST_HEAD(&root->supers);
965
962
root->next_generation = 1;
966
963
967
-
kn = __kernfs_new_node(root, "", S_IFDIR | S_IRUGO | S_IXUGO,
964
+
kn = __kernfs_new_node(root, NULL, "", S_IFDIR | S_IRUGO | S_IXUGO,
968
965
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
969
966
KERNFS_DIR);
970
967
if (!kn) {
···
1331
1328
1332
1329
/* update timestamps on the parent */
1333
1330
if (ps_iattr) {
1334
-
ktime_get_real_ts64(&ps_iattr->ia_iattr.ia_ctime);
1335
-
ps_iattr->ia_iattr.ia_mtime =
1336
-
ps_iattr->ia_iattr.ia_ctime;
1331
+
ktime_get_real_ts64(&ps_iattr->ia_ctime);
1332
+
ps_iattr->ia_mtime = ps_iattr->ia_ctime;
1337
1333
}
1338
1334
1339
1335
kernfs_put(pos);
+65
-103
fs/kernfs/inode.c
+65
-103
fs/kernfs/inode.c
···
31
31
.listxattr = kernfs_iop_listxattr,
32
32
};
33
33
34
-
static struct kernfs_iattrs *kernfs_iattrs(struct kernfs_node *kn)
34
+
static struct kernfs_iattrs *__kernfs_iattrs(struct kernfs_node *kn, int alloc)
35
35
{
36
36
static DEFINE_MUTEX(iattr_mutex);
37
37
struct kernfs_iattrs *ret;
38
-
struct iattr *iattrs;
39
38
40
39
mutex_lock(&iattr_mutex);
41
40
42
-
if (kn->iattr)
41
+
if (kn->iattr || !alloc)
43
42
goto out_unlock;
44
43
45
44
kn->iattr = kmem_cache_zalloc(kernfs_iattrs_cache, GFP_KERNEL);
46
45
if (!kn->iattr)
47
46
goto out_unlock;
48
-
iattrs = &kn->iattr->ia_iattr;
49
47
50
48
/* assign default attributes */
51
-
iattrs->ia_mode = kn->mode;
52
-
iattrs->ia_uid = GLOBAL_ROOT_UID;
53
-
iattrs->ia_gid = GLOBAL_ROOT_GID;
49
+
kn->iattr->ia_uid = GLOBAL_ROOT_UID;
50
+
kn->iattr->ia_gid = GLOBAL_ROOT_GID;
54
51
55
-
ktime_get_real_ts64(&iattrs->ia_atime);
56
-
iattrs->ia_mtime = iattrs->ia_atime;
57
-
iattrs->ia_ctime = iattrs->ia_atime;
52
+
ktime_get_real_ts64(&kn->iattr->ia_atime);
53
+
kn->iattr->ia_mtime = kn->iattr->ia_atime;
54
+
kn->iattr->ia_ctime = kn->iattr->ia_atime;
58
55
59
56
simple_xattrs_init(&kn->iattr->xattrs);
60
57
out_unlock:
···
60
63
return ret;
61
64
}
62
65
66
+
static struct kernfs_iattrs *kernfs_iattrs(struct kernfs_node *kn)
67
+
{
68
+
return __kernfs_iattrs(kn, 1);
69
+
}
70
+
71
+
static struct kernfs_iattrs *kernfs_iattrs_noalloc(struct kernfs_node *kn)
72
+
{
73
+
return __kernfs_iattrs(kn, 0);
74
+
}
75
+
63
76
int __kernfs_setattr(struct kernfs_node *kn, const struct iattr *iattr)
64
77
{
65
78
struct kernfs_iattrs *attrs;
66
-
struct iattr *iattrs;
67
79
unsigned int ia_valid = iattr->ia_valid;
68
80
69
81
attrs = kernfs_iattrs(kn);
70
82
if (!attrs)
71
83
return -ENOMEM;
72
84
73
-
iattrs = &attrs->ia_iattr;
74
-
75
85
if (ia_valid & ATTR_UID)
76
-
iattrs->ia_uid = iattr->ia_uid;
86
+
attrs->ia_uid = iattr->ia_uid;
77
87
if (ia_valid & ATTR_GID)
78
-
iattrs->ia_gid = iattr->ia_gid;
88
+
attrs->ia_gid = iattr->ia_gid;
79
89
if (ia_valid & ATTR_ATIME)
80
-
iattrs->ia_atime = iattr->ia_atime;
90
+
attrs->ia_atime = iattr->ia_atime;
81
91
if (ia_valid & ATTR_MTIME)
82
-
iattrs->ia_mtime = iattr->ia_mtime;
92
+
attrs->ia_mtime = iattr->ia_mtime;
83
93
if (ia_valid & ATTR_CTIME)
84
-
iattrs->ia_ctime = iattr->ia_ctime;
85
-
if (ia_valid & ATTR_MODE) {
86
-
umode_t mode = iattr->ia_mode;
87
-
iattrs->ia_mode = kn->mode = mode;
88
-
}
94
+
attrs->ia_ctime = iattr->ia_ctime;
95
+
if (ia_valid & ATTR_MODE)
96
+
kn->mode = iattr->ia_mode;
89
97
return 0;
90
98
}
91
99
···
137
135
return error;
138
136
}
139
137
140
-
static int kernfs_node_setsecdata(struct kernfs_iattrs *attrs, void **secdata,
141
-
u32 *secdata_len)
142
-
{
143
-
void *old_secdata;
144
-
size_t old_secdata_len;
145
-
146
-
old_secdata = attrs->ia_secdata;
147
-
old_secdata_len = attrs->ia_secdata_len;
148
-
149
-
attrs->ia_secdata = *secdata;
150
-
attrs->ia_secdata_len = *secdata_len;
151
-
152
-
*secdata = old_secdata;
153
-
*secdata_len = old_secdata_len;
154
-
return 0;
155
-
}
156
-
157
138
ssize_t kernfs_iop_listxattr(struct dentry *dentry, char *buf, size_t size)
158
139
{
159
140
struct kernfs_node *kn = kernfs_dentry_node(dentry);
···
156
171
inode->i_ctime = current_time(inode);
157
172
}
158
173
159
-
static inline void set_inode_attr(struct inode *inode, struct iattr *iattr)
174
+
static inline void set_inode_attr(struct inode *inode,
175
+
struct kernfs_iattrs *attrs)
160
176
{
161
177
struct super_block *sb = inode->i_sb;
162
-
inode->i_uid = iattr->ia_uid;
163
-
inode->i_gid = iattr->ia_gid;
164
-
inode->i_atime = timespec64_trunc(iattr->ia_atime, sb->s_time_gran);
165
-
inode->i_mtime = timespec64_trunc(iattr->ia_mtime, sb->s_time_gran);
166
-
inode->i_ctime = timespec64_trunc(iattr->ia_ctime, sb->s_time_gran);
178
+
inode->i_uid = attrs->ia_uid;
179
+
inode->i_gid = attrs->ia_gid;
180
+
inode->i_atime = timespec64_trunc(attrs->ia_atime, sb->s_time_gran);
181
+
inode->i_mtime = timespec64_trunc(attrs->ia_mtime, sb->s_time_gran);
182
+
inode->i_ctime = timespec64_trunc(attrs->ia_ctime, sb->s_time_gran);
167
183
}
168
184
169
185
static void kernfs_refresh_inode(struct kernfs_node *kn, struct inode *inode)
···
172
186
struct kernfs_iattrs *attrs = kn->iattr;
173
187
174
188
inode->i_mode = kn->mode;
175
-
if (attrs) {
189
+
if (attrs)
176
190
/*
177
191
* kernfs_node has non-default attributes get them from
178
192
* persistent copy in kernfs_node.
179
193
*/
180
-
set_inode_attr(inode, &attrs->ia_iattr);
181
-
security_inode_notifysecctx(inode, attrs->ia_secdata,
182
-
attrs->ia_secdata_len);
183
-
}
194
+
set_inode_attr(inode, attrs);
184
195
185
196
if (kernfs_type(kn) == KERNFS_DIR)
186
197
set_nlink(inode, kn->dir.subdirs + 2);
···
288
305
return generic_permission(inode, mask);
289
306
}
290
307
291
-
static int kernfs_xattr_get(const struct xattr_handler *handler,
292
-
struct dentry *unused, struct inode *inode,
293
-
const char *suffix, void *value, size_t size)
308
+
int kernfs_xattr_get(struct kernfs_node *kn, const char *name,
309
+
void *value, size_t size)
294
310
{
295
-
const char *name = xattr_full_name(handler, suffix);
296
-
struct kernfs_node *kn = inode->i_private;
297
-
struct kernfs_iattrs *attrs;
298
-
299
-
attrs = kernfs_iattrs(kn);
311
+
struct kernfs_iattrs *attrs = kernfs_iattrs_noalloc(kn);
300
312
if (!attrs)
301
-
return -ENOMEM;
313
+
return -ENODATA;
302
314
303
315
return simple_xattr_get(&attrs->xattrs, name, value, size);
304
316
}
305
317
306
-
static int kernfs_xattr_set(const struct xattr_handler *handler,
307
-
struct dentry *unused, struct inode *inode,
308
-
const char *suffix, const void *value,
309
-
size_t size, int flags)
318
+
int kernfs_xattr_set(struct kernfs_node *kn, const char *name,
319
+
const void *value, size_t size, int flags)
310
320
{
311
-
const char *name = xattr_full_name(handler, suffix);
312
-
struct kernfs_node *kn = inode->i_private;
313
-
struct kernfs_iattrs *attrs;
314
-
315
-
attrs = kernfs_iattrs(kn);
321
+
struct kernfs_iattrs *attrs = kernfs_iattrs(kn);
316
322
if (!attrs)
317
323
return -ENOMEM;
318
324
319
325
return simple_xattr_set(&attrs->xattrs, name, value, size, flags);
320
326
}
321
327
328
+
static int kernfs_vfs_xattr_get(const struct xattr_handler *handler,
329
+
struct dentry *unused, struct inode *inode,
330
+
const char *suffix, void *value, size_t size)
331
+
{
332
+
const char *name = xattr_full_name(handler, suffix);
333
+
struct kernfs_node *kn = inode->i_private;
334
+
335
+
return kernfs_xattr_get(kn, name, value, size);
336
+
}
337
+
338
+
static int kernfs_vfs_xattr_set(const struct xattr_handler *handler,
339
+
struct dentry *unused, struct inode *inode,
340
+
const char *suffix, const void *value,
341
+
size_t size, int flags)
342
+
{
343
+
const char *name = xattr_full_name(handler, suffix);
344
+
struct kernfs_node *kn = inode->i_private;
345
+
346
+
return kernfs_xattr_set(kn, name, value, size, flags);
347
+
}
348
+
322
349
static const struct xattr_handler kernfs_trusted_xattr_handler = {
323
350
.prefix = XATTR_TRUSTED_PREFIX,
324
-
.get = kernfs_xattr_get,
325
-
.set = kernfs_xattr_set,
351
+
.get = kernfs_vfs_xattr_get,
352
+
.set = kernfs_vfs_xattr_set,
326
353
};
327
-
328
-
static int kernfs_security_xattr_set(const struct xattr_handler *handler,
329
-
struct dentry *unused, struct inode *inode,
330
-
const char *suffix, const void *value,
331
-
size_t size, int flags)
332
-
{
333
-
struct kernfs_node *kn = inode->i_private;
334
-
struct kernfs_iattrs *attrs;
335
-
void *secdata;
336
-
u32 secdata_len = 0;
337
-
int error;
338
-
339
-
attrs = kernfs_iattrs(kn);
340
-
if (!attrs)
341
-
return -ENOMEM;
342
-
343
-
error = security_inode_setsecurity(inode, suffix, value, size, flags);
344
-
if (error)
345
-
return error;
346
-
error = security_inode_getsecctx(inode, &secdata, &secdata_len);
347
-
if (error)
348
-
return error;
349
-
350
-
mutex_lock(&kernfs_mutex);
351
-
error = kernfs_node_setsecdata(attrs, &secdata, &secdata_len);
352
-
mutex_unlock(&kernfs_mutex);
353
-
354
-
if (secdata)
355
-
security_release_secctx(secdata, secdata_len);
356
-
return error;
357
-
}
358
354
359
355
static const struct xattr_handler kernfs_security_xattr_handler = {
360
356
.prefix = XATTR_SECURITY_PREFIX,
361
-
.get = kernfs_xattr_get,
362
-
.set = kernfs_security_xattr_set,
357
+
.get = kernfs_vfs_xattr_get,
358
+
.set = kernfs_vfs_xattr_set,
363
359
};
364
360
365
361
const struct xattr_handler *kernfs_xattr_handlers[] = {
+5
-3
fs/kernfs/kernfs-internal.h
+5
-3
fs/kernfs/kernfs-internal.h
···
20
20
#include <linux/fs_context.h>
21
21
22
22
struct kernfs_iattrs {
23
-
struct iattr ia_iattr;
24
-
void *ia_secdata;
25
-
u32 ia_secdata_len;
23
+
kuid_t ia_uid;
24
+
kgid_t ia_gid;
25
+
struct timespec64 ia_atime;
26
+
struct timespec64 ia_mtime;
27
+
struct timespec64 ia_ctime;
26
28
27
29
struct simple_xattrs xattrs;
28
30
};
+2
-2
fs/kernfs/symlink.c
+2
-2
fs/kernfs/symlink.c
···
33
33
kgid_t gid = GLOBAL_ROOT_GID;
34
34
35
35
if (target->iattr) {
36
-
uid = target->iattr->ia_iattr.ia_uid;
37
-
gid = target->iattr->ia_iattr.ia_gid;
36
+
uid = target->iattr->ia_uid;
37
+
gid = target->iattr->ia_gid;
38
38
}
39
39
40
40
kn = kernfs_new_node(parent, name, S_IFLNK|S_IRWXUGO, uid, gid,
+5
fs/proc/base.c
+5
fs/proc/base.c
···
2535
2535
rcu_read_unlock();
2536
2536
return -EACCES;
2537
2537
}
2538
+
/* Prevent changes to overridden credentials. */
2539
+
if (current_cred() != current_real_cred()) {
2540
+
rcu_read_unlock();
2541
+
return -EBUSY;
2542
+
}
2538
2543
rcu_read_unlock();
2539
2544
2540
2545
if (count > PAGE_SIZE)
+13
include/linux/kernfs.h
+13
include/linux/kernfs.h
···
371
371
struct poll_table_struct *pt);
372
372
void kernfs_notify(struct kernfs_node *kn);
373
373
374
+
int kernfs_xattr_get(struct kernfs_node *kn, const char *name,
375
+
void *value, size_t size);
376
+
int kernfs_xattr_set(struct kernfs_node *kn, const char *name,
377
+
const void *value, size_t size, int flags);
378
+
374
379
const void *kernfs_super_ns(struct super_block *sb);
375
380
int kernfs_get_tree(struct fs_context *fc);
376
381
void kernfs_free_fs_context(struct fs_context *fc);
···
477
472
{ return -ENOSYS; }
478
473
479
474
static inline void kernfs_notify(struct kernfs_node *kn) { }
475
+
476
+
static inline int kernfs_xattr_get(struct kernfs_node *kn, const char *name,
477
+
void *value, size_t size)
478
+
{ return -ENOSYS; }
479
+
480
+
static inline int kernfs_xattr_set(struct kernfs_node *kn, const char *name,
481
+
const void *value, size_t size, int flags)
482
+
{ return -ENOSYS; }
480
483
481
484
static inline const void *kernfs_super_ns(struct super_block *sb)
482
485
{ return NULL; }
+13
include/linux/lsm_hooks.h
+13
include/linux/lsm_hooks.h
···
445
445
* to abort the copy up. Note that the caller is responsible for reading
446
446
* and writing the xattrs as this hook is merely a filter.
447
447
*
448
+
* Security hooks for kernfs node operations
449
+
*
450
+
* @kernfs_init_security:
451
+
* Initialize the security context of a newly created kernfs node based
452
+
* on its own and its parent's attributes.
453
+
*
454
+
* @kn_dir the parent kernfs node
455
+
* @kn the new child kernfs node
456
+
*
448
457
* Security hooks for file operations
449
458
*
450
459
* @file_permission:
···
1579
1570
int (*inode_copy_up)(struct dentry *src, struct cred **new);
1580
1571
int (*inode_copy_up_xattr)(const char *name);
1581
1572
1573
+
int (*kernfs_init_security)(struct kernfs_node *kn_dir,
1574
+
struct kernfs_node *kn);
1575
+
1582
1576
int (*file_permission)(struct file *file, int mask);
1583
1577
int (*file_alloc_security)(struct file *file);
1584
1578
void (*file_free_security)(struct file *file);
···
1883
1871
struct hlist_head inode_getsecid;
1884
1872
struct hlist_head inode_copy_up;
1885
1873
struct hlist_head inode_copy_up_xattr;
1874
+
struct hlist_head kernfs_init_security;
1886
1875
struct hlist_head file_permission;
1887
1876
struct hlist_head file_alloc_security;
1888
1877
struct hlist_head file_free_security;
+9
include/linux/security.h
+9
include/linux/security.h
···
51
51
struct file_operations;
52
52
struct msg_msg;
53
53
struct xattr;
54
+
struct kernfs_node;
54
55
struct xfrm_sec_ctx;
55
56
struct mm_struct;
56
57
struct fs_context;
···
300
299
void security_inode_getsecid(struct inode *inode, u32 *secid);
301
300
int security_inode_copy_up(struct dentry *src, struct cred **new);
302
301
int security_inode_copy_up_xattr(const char *name);
302
+
int security_kernfs_init_security(struct kernfs_node *kn_dir,
303
+
struct kernfs_node *kn);
303
304
int security_file_permission(struct file *file, int mask);
304
305
int security_file_alloc(struct file *file);
305
306
void security_file_free(struct file *file);
···
800
797
}
801
798
802
799
static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
800
+
{
801
+
return 0;
802
+
}
803
+
804
+
static inline int security_kernfs_init_security(struct kernfs_node *kn_dir,
805
+
struct kernfs_node *kn)
803
806
{
804
807
return 0;
805
808
}
+56
-40
scripts/selinux/install_policy.sh
+56
-40
scripts/selinux/install_policy.sh
···
1
1
#!/bin/sh
2
2
# SPDX-License-Identifier: GPL-2.0
3
+
set -e
3
4
if [ `id -u` -ne 0 ]; then
4
5
echo "$0: must be root to install the selinux policy"
5
6
exit 1
6
7
fi
8
+
7
9
SF=`which setfiles`
8
10
if [ $? -eq 1 ]; then
9
-
if [ -f /sbin/setfiles ]; then
10
-
SF="/usr/setfiles"
11
-
else
12
-
echo "no selinux tools installed: setfiles"
13
-
exit 1
14
-
fi
11
+
echo "Could not find setfiles"
12
+
echo "Do you have policycoreutils installed?"
13
+
exit 1
14
+
fi
15
+
16
+
CP=`which checkpolicy`
17
+
if [ $? -eq 1 ]; then
18
+
echo "Could not find checkpolicy"
19
+
echo "Do you have checkpolicy installed?"
20
+
exit 1
21
+
fi
22
+
VERS=`$CP -V | awk '{print $1}'`
23
+
24
+
ENABLED=`which selinuxenabled`
25
+
if [ $? -eq 1 ]; then
26
+
echo "Could not find selinuxenabled"
27
+
echo "Do you have libselinux-utils installed?"
28
+
exit 1
29
+
fi
30
+
31
+
if selinuxenabled; then
32
+
echo "SELinux is already enabled"
33
+
echo "This prevents safely relabeling all files."
34
+
echo "Boot with selinux=0 on the kernel command-line or"
35
+
echo "SELINUX=disabled in /etc/selinux/config."
36
+
exit 1
15
37
fi
16
38
17
39
cd mdp
18
-
19
-
CP=`which checkpolicy`
20
-
VERS=`$CP -V | awk '{print $1}'`
21
-
22
-
./mdp policy.conf file_contexts
23
-
$CP -o policy.$VERS policy.conf
40
+
./mdp -m policy.conf file_contexts
41
+
$CP -U allow -M -o policy.$VERS policy.conf
24
42
25
43
mkdir -p /etc/selinux/dummy/policy
26
44
mkdir -p /etc/selinux/dummy/contexts/files
45
+
46
+
echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
47
+
echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
48
+
echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
49
+
cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
50
+
client * user_u:base_r:base_t:s0
51
+
property * user_u:object_r:base_t:s0
52
+
extension * user_u:object_r:base_t:s0
53
+
selection * user_u:object_r:base_t:s0
54
+
event * user_u:object_r:base_t:s0
55
+
EOF
56
+
touch /etc/selinux/dummy/contexts/virtual_domain_context
57
+
touch /etc/selinux/dummy/contexts/virtual_image_context
27
58
28
59
cp file_contexts /etc/selinux/dummy/contexts/files
29
60
cp dbus_contexts /etc/selinux/dummy/contexts
···
64
33
if [ ! -d /etc/selinux ]; then
65
34
mkdir -p /etc/selinux
66
35
fi
67
-
if [ ! -f /etc/selinux/config ]; then
68
-
cat > /etc/selinux/config << EOF
69
-
SELINUX=enforcing
36
+
if [ -f /etc/selinux/config ]; then
37
+
echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
38
+
mv /etc/selinux/config /etc/selinux/config.bak
39
+
fi
40
+
echo "Creating new /etc/selinux/config for dummy policy."
41
+
cat > /etc/selinux/config << EOF
42
+
SELINUX=permissive
70
43
SELINUXTYPE=dummy
71
44
EOF
72
-
else
73
-
TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}`
74
-
if [ "eq$TYPE" != "eqdummy" ]; then
75
-
selinuxenabled
76
-
if [ $? -eq 0 ]; then
77
-
echo "SELinux already enabled with a non-dummy policy."
78
-
echo "Exiting. Please install policy by hand if that"
79
-
echo "is what you REALLY want."
80
-
exit 1
81
-
fi
82
-
mv /etc/selinux/config /etc/selinux/config.mdpbak
83
-
grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
84
-
echo "SELINUXTYPE=dummy" >> /etc/selinux/config
85
-
fi
86
-
fi
87
45
88
46
cd /etc/selinux/dummy/contexts/files
89
-
$SF file_contexts /
47
+
$SF -F file_contexts /
90
48
91
-
mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}`
92
-
$SF file_contexts $mounts
49
+
mounts=`cat /proc/$$/mounts | \
50
+
egrep "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
51
+
awk '{ print $2 '}`
52
+
$SF -F file_contexts $mounts
93
53
94
-
95
-
dodev=`cat /proc/$$/mounts | grep "/dev "`
96
-
if [ "eq$dodev" != "eq" ]; then
97
-
mount --move /dev /mnt
98
-
$SF file_contexts /dev
99
-
mount --move /mnt /dev
100
-
fi
54
+
echo "-F" > /.autorelabel
+1
-1
scripts/selinux/mdp/Makefile
+1
-1
scripts/selinux/mdp/Makefile
+140
-25
scripts/selinux/mdp/mdp.c
+140
-25
scripts/selinux/mdp/mdp.c
···
32
32
#include <stdlib.h>
33
33
#include <unistd.h>
34
34
#include <string.h>
35
+
#include <linux/kconfig.h>
35
36
36
37
static void usage(char *name)
37
38
{
···
95
94
}
96
95
fprintf(fout, "\n");
97
96
98
-
/* NOW PRINT OUT MLS STUFF */
97
+
/* print out mls declarations and constraints */
99
98
if (mls) {
100
-
printf("MLS not yet implemented\n");
101
-
exit(1);
99
+
fprintf(fout, "sensitivity s0;\n");
100
+
fprintf(fout, "sensitivity s1;\n");
101
+
fprintf(fout, "dominance { s0 s1 }\n");
102
+
fprintf(fout, "category c0;\n");
103
+
fprintf(fout, "category c1;\n");
104
+
fprintf(fout, "level s0:c0.c1;\n");
105
+
fprintf(fout, "level s1:c0.c1;\n");
106
+
#define SYSTEMLOW "s0"
107
+
#define SYSTEMHIGH "s1:c0.c1"
108
+
for (i = 0; secclass_map[i].name; i++) {
109
+
struct security_class_mapping *map = &secclass_map[i];
110
+
111
+
fprintf(fout, "mlsconstrain %s {\n", map->name);
112
+
for (j = 0; map->perms[j]; j++)
113
+
fprintf(fout, "\t%s\n", map->perms[j]);
114
+
/*
115
+
* This requires all subjects and objects to be
116
+
* single-level (l2 eq h2), and that the subject
117
+
* level dominate the object level (h1 dom h2)
118
+
* in order to have any permissions to it.
119
+
*/
120
+
fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
121
+
}
102
122
}
103
123
104
124
/* types, roles, and allows */
···
129
107
for (i = 0; secclass_map[i].name; i++)
130
108
fprintf(fout, "allow base_t base_t:%s *;\n",
131
109
secclass_map[i].name);
132
-
fprintf(fout, "user user_u roles { base_r };\n");
133
-
fprintf(fout, "\n");
110
+
fprintf(fout, "user user_u roles { base_r }");
111
+
if (mls)
112
+
fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
113
+
SYSTEMLOW, SYSTEMHIGH);
114
+
fprintf(fout, ";\n");
115
+
116
+
#define SUBJUSERROLETYPE "user_u:base_r:base_t"
117
+
#define OBJUSERROLETYPE "user_u:object_r:base_t"
134
118
135
119
/* default sids */
136
120
for (i = 1; i < initial_sid_to_string_len; i++)
137
-
fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
121
+
fprintf(fout, "sid %s " SUBJUSERROLETYPE "%s\n",
122
+
initial_sid_to_string[i], mls ? ":" SYSTEMLOW : "");
138
123
fprintf(fout, "\n");
139
124
140
-
fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
141
-
fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
142
-
fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
143
-
fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
144
-
fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
145
-
fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
146
-
fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
147
-
fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
125
+
#define FS_USE(behavior, fstype) \
126
+
fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
127
+
behavior, fstype, mls ? ":" SYSTEMLOW : "")
148
128
149
-
fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
150
-
fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
151
-
fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
129
+
/*
130
+
* Filesystems whose inode labels can be fetched via getxattr.
131
+
*/
132
+
#ifdef CONFIG_EXT2_FS_SECURITY
133
+
FS_USE("xattr", "ext2");
134
+
#endif
135
+
#ifdef CONFIG_EXT4_FS_SECURITY
136
+
#ifdef CONFIG_EXT4_USE_FOR_EXT2
137
+
FS_USE("xattr", "ext2");
138
+
#endif
139
+
FS_USE("xattr", "ext3");
140
+
FS_USE("xattr", "ext4");
141
+
#endif
142
+
#ifdef CONFIG_JFS_SECURITY
143
+
FS_USE("xattr", "jfs");
144
+
#endif
145
+
#ifdef CONFIG_REISERFS_FS_SECURITY
146
+
FS_USE("xattr", "reiserfs");
147
+
#endif
148
+
#ifdef CONFIG_JFFS2_FS_SECURITY
149
+
FS_USE("xattr", "jffs2");
150
+
#endif
151
+
#ifdef CONFIG_XFS_FS
152
+
FS_USE("xattr", "xfs");
153
+
#endif
154
+
#ifdef CONFIG_GFS2_FS
155
+
FS_USE("xattr", "gfs2");
156
+
#endif
157
+
#ifdef CONFIG_BTRFS_FS
158
+
FS_USE("xattr", "btrfs");
159
+
#endif
160
+
#ifdef CONFIG_F2FS_FS_SECURITY
161
+
FS_USE("xattr", "f2fs");
162
+
#endif
163
+
#ifdef CONFIG_OCFS2_FS
164
+
FS_USE("xattr", "ocsfs2");
165
+
#endif
166
+
#ifdef CONFIG_OVERLAY_FS
167
+
FS_USE("xattr", "overlay");
168
+
#endif
169
+
#ifdef CONFIG_SQUASHFS_XATTR
170
+
FS_USE("xattr", "squashfs");
171
+
#endif
152
172
153
-
fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
154
-
fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
155
-
fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
156
-
fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
157
-
fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
173
+
/*
174
+
* Filesystems whose inodes are labeled from allocating task.
175
+
*/
176
+
FS_USE("task", "pipefs");
177
+
FS_USE("task", "sockfs");
158
178
159
-
fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
179
+
/*
180
+
* Filesystems whose inode labels are computed from both
181
+
* the allocating task and the superblock label.
182
+
*/
183
+
#ifdef CONFIG_UNIX98_PTYS
184
+
FS_USE("trans", "devpts");
185
+
#endif
186
+
#ifdef CONFIG_HUGETLBFS
187
+
FS_USE("trans", "hugetlbfs");
188
+
#endif
189
+
#ifdef CONFIG_TMPFS
190
+
FS_USE("trans", "tmpfs");
191
+
#endif
192
+
#ifdef CONFIG_DEVTMPFS
193
+
FS_USE("trans", "devtmpfs");
194
+
#endif
195
+
#ifdef CONFIG_POSIX_MQUEUE
196
+
FS_USE("trans", "mqueue");
197
+
#endif
198
+
199
+
#define GENFSCON(fstype, prefix) \
200
+
fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
201
+
fstype, prefix, mls ? ":" SYSTEMLOW : "")
202
+
203
+
/*
204
+
* Filesystems whose inodes are labeled from path prefix match
205
+
* relative to the filesystem root. Depending on the filesystem,
206
+
* only a single label for all inodes may be supported. Here
207
+
* we list the filesystem types for which per-file labeling is
208
+
* supported using genfscon; any other filesystem type can also
209
+
* be added by only with a single entry for all of its inodes.
210
+
*/
211
+
#ifdef CONFIG_PROC_FS
212
+
GENFSCON("proc", "/");
213
+
#endif
214
+
#ifdef CONFIG_SECURITY_SELINUX
215
+
GENFSCON("selinuxfs", "/");
216
+
#endif
217
+
#ifdef CONFIG_SYSFS
218
+
GENFSCON("sysfs", "/");
219
+
#endif
220
+
#ifdef CONFIG_DEBUG_FS
221
+
GENFSCON("debugfs", "/");
222
+
#endif
223
+
#ifdef CONFIG_TRACING
224
+
GENFSCON("tracefs", "/");
225
+
#endif
226
+
#ifdef CONFIG_PSTORE
227
+
GENFSCON("pstore", "/");
228
+
#endif
229
+
GENFSCON("cgroup", "/");
230
+
GENFSCON("cgroup2", "/");
160
231
161
232
fclose(fout);
162
233
···
258
143
printf("Wrote policy, but cannot open %s for writing\n", ctxout);
259
144
usage(argv[0]);
260
145
}
261
-
fprintf(fout, "/ user_u:base_r:base_t\n");
262
-
fprintf(fout, "/.* user_u:base_r:base_t\n");
146
+
fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
147
+
fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
263
148
fclose(fout);
264
149
265
150
return 0;
+6
security/security.c
+6
security/security.c
···
1318
1318
}
1319
1319
EXPORT_SYMBOL(security_inode_copy_up_xattr);
1320
1320
1321
+
int security_kernfs_init_security(struct kernfs_node *kn_dir,
1322
+
struct kernfs_node *kn)
1323
+
{
1324
+
return call_int_hook(kernfs_init_security, 0, kn_dir, kn);
1325
+
}
1326
+
1321
1327
int security_file_permission(struct file *file, int mask)
1322
1328
{
1323
1329
int ret;
+155
-74
security/selinux/hooks.c
+155
-74
security/selinux/hooks.c
···
89
89
#include <linux/msg.h>
90
90
#include <linux/shm.h>
91
91
#include <linux/bpf.h>
92
+
#include <linux/kernfs.h>
93
+
#include <linux/stringhash.h> /* for hashlen_string() */
92
94
#include <uapi/linux/mount.h>
93
95
94
96
#include "avc.h"
···
753
751
754
752
if (!strcmp(sb->s_type->name, "debugfs") ||
755
753
!strcmp(sb->s_type->name, "tracefs") ||
756
-
!strcmp(sb->s_type->name, "sysfs") ||
757
-
!strcmp(sb->s_type->name, "pstore") ||
754
+
!strcmp(sb->s_type->name, "pstore"))
755
+
sbsec->flags |= SE_SBGENFS;
756
+
757
+
if (!strcmp(sb->s_type->name, "sysfs") ||
758
758
!strcmp(sb->s_type->name, "cgroup") ||
759
759
!strcmp(sb->s_type->name, "cgroup2"))
760
-
sbsec->flags |= SE_SBGENFS;
760
+
sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
761
761
762
762
if (!sbsec->behavior) {
763
763
/*
···
1358
1354
return rc;
1359
1355
}
1360
1356
1357
+
static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1358
+
u32 def_sid, u32 *sid)
1359
+
{
1360
+
#define INITCONTEXTLEN 255
1361
+
char *context;
1362
+
unsigned int len;
1363
+
int rc;
1364
+
1365
+
len = INITCONTEXTLEN;
1366
+
context = kmalloc(len + 1, GFP_NOFS);
1367
+
if (!context)
1368
+
return -ENOMEM;
1369
+
1370
+
context[len] = '\0';
1371
+
rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1372
+
if (rc == -ERANGE) {
1373
+
kfree(context);
1374
+
1375
+
/* Need a larger buffer. Query for the right size. */
1376
+
rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1377
+
if (rc < 0)
1378
+
return rc;
1379
+
1380
+
len = rc;
1381
+
context = kmalloc(len + 1, GFP_NOFS);
1382
+
if (!context)
1383
+
return -ENOMEM;
1384
+
1385
+
context[len] = '\0';
1386
+
rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1387
+
context, len);
1388
+
}
1389
+
if (rc < 0) {
1390
+
kfree(context);
1391
+
if (rc != -ENODATA) {
1392
+
pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1393
+
__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1394
+
return rc;
1395
+
}
1396
+
*sid = def_sid;
1397
+
return 0;
1398
+
}
1399
+
1400
+
rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1401
+
def_sid, GFP_NOFS);
1402
+
if (rc) {
1403
+
char *dev = inode->i_sb->s_id;
1404
+
unsigned long ino = inode->i_ino;
1405
+
1406
+
if (rc == -EINVAL) {
1407
+
pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1408
+
ino, dev, context);
1409
+
} else {
1410
+
pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1411
+
__func__, context, -rc, dev, ino);
1412
+
}
1413
+
}
1414
+
kfree(context);
1415
+
return 0;
1416
+
}
1417
+
1361
1418
/* The inode's security attributes must be initialized before first use. */
1362
1419
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1363
1420
{
···
1427
1362
u32 task_sid, sid = 0;
1428
1363
u16 sclass;
1429
1364
struct dentry *dentry;
1430
-
#define INITCONTEXTLEN 255
1431
-
char *context = NULL;
1432
-
unsigned len = 0;
1433
1365
int rc = 0;
1434
1366
1435
1367
if (isec->initialized == LABEL_INITIALIZED)
···
1494
1432
goto out;
1495
1433
}
1496
1434
1497
-
len = INITCONTEXTLEN;
1498
-
context = kmalloc(len+1, GFP_NOFS);
1499
-
if (!context) {
1500
-
rc = -ENOMEM;
1501
-
dput(dentry);
1502
-
goto out;
1503
-
}
1504
-
context[len] = '\0';
1505
-
rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1506
-
if (rc == -ERANGE) {
1507
-
kfree(context);
1508
-
1509
-
/* Need a larger buffer. Query for the right size. */
1510
-
rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1511
-
if (rc < 0) {
1512
-
dput(dentry);
1513
-
goto out;
1514
-
}
1515
-
len = rc;
1516
-
context = kmalloc(len+1, GFP_NOFS);
1517
-
if (!context) {
1518
-
rc = -ENOMEM;
1519
-
dput(dentry);
1520
-
goto out;
1521
-
}
1522
-
context[len] = '\0';
1523
-
rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1524
-
}
1435
+
rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1436
+
&sid);
1525
1437
dput(dentry);
1526
-
if (rc < 0) {
1527
-
if (rc != -ENODATA) {
1528
-
pr_warn("SELinux: %s: getxattr returned "
1529
-
"%d for dev=%s ino=%ld\n", __func__,
1530
-
-rc, inode->i_sb->s_id, inode->i_ino);
1531
-
kfree(context);
1532
-
goto out;
1533
-
}
1534
-
/* Map ENODATA to the default file SID */
1535
-
sid = sbsec->def_sid;
1536
-
rc = 0;
1537
-
} else {
1538
-
rc = security_context_to_sid_default(&selinux_state,
1539
-
context, rc, &sid,
1540
-
sbsec->def_sid,
1541
-
GFP_NOFS);
1542
-
if (rc) {
1543
-
char *dev = inode->i_sb->s_id;
1544
-
unsigned long ino = inode->i_ino;
1545
-
1546
-
if (rc == -EINVAL) {
1547
-
if (printk_ratelimit())
1548
-
pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1549
-
"context=%s. This indicates you may need to relabel the inode or the "
1550
-
"filesystem in question.\n", ino, dev, context);
1551
-
} else {
1552
-
pr_warn("SELinux: %s: context_to_sid(%s) "
1553
-
"returned %d for dev=%s ino=%ld\n",
1554
-
__func__, context, -rc, dev, ino);
1555
-
}
1556
-
kfree(context);
1557
-
/* Leave with the unlabeled SID */
1558
-
rc = 0;
1559
-
break;
1560
-
}
1561
-
}
1562
-
kfree(context);
1438
+
if (rc)
1439
+
goto out;
1563
1440
break;
1564
1441
case SECURITY_FS_USE_TASK:
1565
1442
sid = task_sid;
···
1549
1548
goto out;
1550
1549
rc = selinux_genfs_get_sid(dentry, sclass,
1551
1550
sbsec->flags, &sid);
1552
-
dput(dentry);
1553
-
if (rc)
1551
+
if (rc) {
1552
+
dput(dentry);
1554
1553
goto out;
1554
+
}
1555
+
1556
+
if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1557
+
(inode->i_opflags & IOP_XATTR)) {
1558
+
rc = inode_doinit_use_xattr(inode, dentry,
1559
+
sid, &sid);
1560
+
if (rc) {
1561
+
dput(dentry);
1562
+
goto out;
1563
+
}
1564
+
}
1565
+
dput(dentry);
1555
1566
}
1556
1567
break;
1557
1568
}
···
3384
3371
return -EOPNOTSUPP;
3385
3372
}
3386
3373
3374
+
/* kernfs node operations */
3375
+
3376
+
static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3377
+
struct kernfs_node *kn)
3378
+
{
3379
+
const struct task_security_struct *tsec = current_security();
3380
+
u32 parent_sid, newsid, clen;
3381
+
int rc;
3382
+
char *context;
3383
+
3384
+
rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3385
+
if (rc == -ENODATA)
3386
+
return 0;
3387
+
else if (rc < 0)
3388
+
return rc;
3389
+
3390
+
clen = (u32)rc;
3391
+
context = kmalloc(clen, GFP_KERNEL);
3392
+
if (!context)
3393
+
return -ENOMEM;
3394
+
3395
+
rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3396
+
if (rc < 0) {
3397
+
kfree(context);
3398
+
return rc;
3399
+
}
3400
+
3401
+
rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3402
+
GFP_KERNEL);
3403
+
kfree(context);
3404
+
if (rc)
3405
+
return rc;
3406
+
3407
+
if (tsec->create_sid) {
3408
+
newsid = tsec->create_sid;
3409
+
} else {
3410
+
u16 secclass = inode_mode_to_security_class(kn->mode);
3411
+
struct qstr q;
3412
+
3413
+
q.name = kn->name;
3414
+
q.hash_len = hashlen_string(kn_dir, kn->name);
3415
+
3416
+
rc = security_transition_sid(&selinux_state, tsec->sid,
3417
+
parent_sid, secclass, &q,
3418
+
&newsid);
3419
+
if (rc)
3420
+
return rc;
3421
+
}
3422
+
3423
+
rc = security_sid_to_context_force(&selinux_state, newsid,
3424
+
&context, &clen);
3425
+
if (rc)
3426
+
return rc;
3427
+
3428
+
rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3429
+
XATTR_CREATE);
3430
+
kfree(context);
3431
+
return rc;
3432
+
}
3433
+
3434
+
3387
3435
/* file security operations */
3388
3436
3389
3437
static int selinux_revalidate_file_permission(struct file *file, int mask)
···
4512
4438
struct lsm_network_audit net = {0,};
4513
4439
struct sockaddr_in *addr4 = NULL;
4514
4440
struct sockaddr_in6 *addr6 = NULL;
4515
-
u16 family_sa = address->sa_family;
4441
+
u16 family_sa;
4516
4442
unsigned short snum;
4517
4443
u32 sid, node_perm;
4518
4444
···
4522
4448
* need to check address->sa_family as it is possible to have
4523
4449
* sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4524
4450
*/
4451
+
if (addrlen < offsetofend(struct sockaddr, sa_family))
4452
+
return -EINVAL;
4453
+
family_sa = address->sa_family;
4525
4454
switch (family_sa) {
4526
4455
case AF_UNSPEC:
4527
4456
case AF_INET:
···
4657
4580
* need to check address->sa_family as it is possible to have
4658
4581
* sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4659
4582
*/
4583
+
if (addrlen < offsetofend(struct sockaddr, sa_family))
4584
+
return -EINVAL;
4660
4585
switch (address->sa_family) {
4661
4586
case AF_INET:
4662
4587
addr4 = (struct sockaddr_in *)address;
···
6797
6718
LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6798
6719
LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6799
6720
LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6721
+
6722
+
LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
6800
6723
6801
6724
LSM_HOOK_INIT(file_permission, selinux_file_permission),
6802
6725
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
+1
security/selinux/include/security.h
+1
security/selinux/include/security.h
+5
-9
security/selinux/netlabel.c
+5
-9
security/selinux/netlabel.c
···
288
288
int rc;
289
289
struct netlbl_lsm_secattr secattr;
290
290
struct sk_security_struct *sksec = ep->base.sk->sk_security;
291
-
struct sockaddr *addr;
292
291
struct sockaddr_in addr4;
293
-
#if IS_ENABLED(CONFIG_IPV6)
294
292
struct sockaddr_in6 addr6;
295
-
#endif
296
293
297
294
if (ep->base.sk->sk_family != PF_INET &&
298
295
ep->base.sk->sk_family != PF_INET6)
···
307
310
if (ip_hdr(skb)->version == 4) {
308
311
addr4.sin_family = AF_INET;
309
312
addr4.sin_addr.s_addr = ip_hdr(skb)->saddr;
310
-
addr = (struct sockaddr *)&addr4;
311
-
#if IS_ENABLED(CONFIG_IPV6)
312
-
} else {
313
+
rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr4, &secattr);
314
+
} else if (IS_ENABLED(CONFIG_IPV6) && ip_hdr(skb)->version == 6) {
313
315
addr6.sin6_family = AF_INET6;
314
316
addr6.sin6_addr = ipv6_hdr(skb)->saddr;
315
-
addr = (struct sockaddr *)&addr6;
316
-
#endif
317
+
rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr6, &secattr);
318
+
} else {
319
+
rc = -EAFNOSUPPORT;
317
320
}
318
321
319
-
rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr);
320
322
if (rc == 0)
321
323
sksec->nlbl_state = NLBL_LABELED;
322
324
+2
-5
security/selinux/ss/services.c
+2
-5
security/selinux/ss/services.c
···
1318
1318
rc = -EINVAL;
1319
1319
goto out_unlock;
1320
1320
}
1321
-
if (only_invalid && !context->len) {
1322
-
scontext = NULL;
1323
-
scontext_len = 0;
1321
+
if (only_invalid && !context->len)
1324
1322
rc = 0;
1325
-
} else {
1323
+
else
1326
1324
rc = context_struct_to_string(policydb, context, scontext,
1327
1325
scontext_len);
1328
-
}
1329
1326
out_unlock:
1330
1327
read_unlock(&state->ss->policy_rwlock);
1331
1328
out: