summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2015-06-04 16:22:17 -0400
committerPaul Moore <pmoore@redhat.com>2015-06-04 16:22:17 -0400
commit134509d54e4e98888be2697a92cb4b48957b792b (patch)
treebd4d47b5287f2b3e846d377e21bb5ad77486d774 /security
parent6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 (diff)
selinux: enable per-file labeling for debugfs files.
Add support for per-file labeling of debugfs files so that we can distinguish them in policy. This is particularly important in Android where certain debugfs files have to be writable by apps and therefore the debugfs directory tree can be read and searched by all. Since debugfs is entirely kernel-generated, the directory tree is immutable by userspace, and the inodes are pinned in memory, we can simply use the same approach as with proc and label the inodes from policy based on pathname from the root of the debugfs filesystem. Generalize the existing labeling support used for proc and reuse it for debugfs too. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c43
-rw-r--r--security/selinux/include/security.h1
2 files changed, 22 insertions, 22 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index cf2cc0dca9b7..ec39b9ab6569 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -724,7 +724,10 @@ static int selinux_set_mnt_opts(struct super_block *sb,
724 } 724 }
725 725
726 if (strcmp(sb->s_type->name, "proc") == 0) 726 if (strcmp(sb->s_type->name, "proc") == 0)
727 sbsec->flags |= SE_SBPROC; 727 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
728
729 if (strcmp(sb->s_type->name, "debugfs") == 0)
730 sbsec->flags |= SE_SBGENFS;
728 731
729 if (!sbsec->behavior) { 732 if (!sbsec->behavior) {
730 /* 733 /*
@@ -1232,12 +1235,13 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
1232 return SECCLASS_SOCKET; 1235 return SECCLASS_SOCKET;
1233} 1236}
1234 1237
1235#ifdef CONFIG_PROC_FS 1238static int selinux_genfs_get_sid(struct dentry *dentry,
1236static int selinux_proc_get_sid(struct dentry *dentry, 1239 u16 tclass,
1237 u16 tclass, 1240 u16 flags,
1238 u32 *sid) 1241 u32 *sid)
1239{ 1242{
1240 int rc; 1243 int rc;
1244 struct super_block *sb = dentry->d_inode->i_sb;
1241 char *buffer, *path; 1245 char *buffer, *path;
1242 1246
1243 buffer = (char *)__get_free_page(GFP_KERNEL); 1247 buffer = (char *)__get_free_page(GFP_KERNEL);
@@ -1248,26 +1252,20 @@ static int selinux_proc_get_sid(struct dentry *dentry,
1248 if (IS_ERR(path)) 1252 if (IS_ERR(path))
1249 rc = PTR_ERR(path); 1253 rc = PTR_ERR(path);
1250 else { 1254 else {
1251 /* each process gets a /proc/PID/ entry. Strip off the 1255 if (flags & SE_SBPROC) {
1252 * PID part to get a valid selinux labeling. 1256 /* each process gets a /proc/PID/ entry. Strip off the
1253 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1257 * PID part to get a valid selinux labeling.
1254 while (path[1] >= '0' && path[1] <= '9') { 1258 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1255 path[1] = '/'; 1259 while (path[1] >= '0' && path[1] <= '9') {
1256 path++; 1260 path[1] = '/';
1261 path++;
1262 }
1257 } 1263 }
1258 rc = security_genfs_sid("proc", path, tclass, sid); 1264 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1259 } 1265 }
1260 free_page((unsigned long)buffer); 1266 free_page((unsigned long)buffer);
1261 return rc; 1267 return rc;
1262} 1268}
1263#else
1264static int selinux_proc_get_sid(struct dentry *dentry,
1265 u16 tclass,
1266 u32 *sid)
1267{
1268 return -EINVAL;
1269}
1270#endif
1271 1269
1272/* The inode's security attributes must be initialized before first use. */ 1270/* The inode's security attributes must be initialized before first use. */
1273static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1271static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
@@ -1424,7 +1422,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1424 /* Default to the fs superblock SID. */ 1422 /* Default to the fs superblock SID. */
1425 isec->sid = sbsec->sid; 1423 isec->sid = sbsec->sid;
1426 1424
1427 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { 1425 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1428 /* We must have a dentry to determine the label on 1426 /* We must have a dentry to determine the label on
1429 * procfs inodes */ 1427 * procfs inodes */
1430 if (opt_dentry) 1428 if (opt_dentry)
@@ -1447,7 +1445,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1447 if (!dentry) 1445 if (!dentry)
1448 goto out_unlock; 1446 goto out_unlock;
1449 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1447 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1450 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid); 1448 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1449 sbsec->flags, &sid);
1451 dput(dentry); 1450 dput(dentry);
1452 if (rc) 1451 if (rc)
1453 goto out_unlock; 1452 goto out_unlock;
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index d1e0b239b602..36993ad1c067 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -56,6 +56,7 @@
56/* Non-mount related flags */ 56/* Non-mount related flags */
57#define SE_SBINITIALIZED 0x0100 57#define SE_SBINITIALIZED 0x0100
58#define SE_SBPROC 0x0200 58#define SE_SBPROC 0x0200
59#define SE_SBGENFS 0x0400
59 60
60#define CONTEXT_STR "context=" 61#define CONTEXT_STR "context="
61#define FSCONTEXT_STR "fscontext=" 62#define FSCONTEXT_STR "fscontext="
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-21 19:14:12 -0500