selinux: extended permissions for ioctls

Add extended permissions logic to selinux. Extended permissions provides additional permissions in 256 bit increments. Extend the generic ioctl permission check to use the extended permissions for per-command filtering. Source/target/class sets including the ioctl permission may additionally include a set of commands. Example: allowxperm <source> <target>:<class> ioctl unpriv_app_socket_cmds auditallowxperm <source> <target>:<class> ioctl priv_gpu_cmds Where unpriv_app_socket_cmds and priv_gpu_cmds are macros representing commonly granted sets of ioctl commands. When ioctl commands are omitted only the permissions are checked. This feature is intended to provide finer granularity for the ioctl permission that may be too imprecise. For example, the same driver may use ioctls to provide important and benign functionality such as driver version or socket type as well as dangerous capabilities such as debugging features, read/write/execute to physical memory or access to sensitive data. Per-command filtering provides a mechanism to reduce the attack surface of the kernel, and limit applications to the subset of commands required. The format of the policy binary has been modified to include ioctl commands, and the policy version number has been incremented to POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format change. The extended permissions logic is deliberately generic to allow components to be reused e.g. netlink filters Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Nick Kralevich <nnk@google.com> Signed-off-by: Paul Moore <pmoore@redhat.com>
author: Jeff Vander Stoep <jeffv@google.com> 2015-07-10 17:19:56 -0400
committer: Paul Moore <pmoore@redhat.com> 2015-07-13 13:31:58 -0400
commit: fa1aa143ac4a682c7f5fd52a3cf05f5a6fe44a0a (patch)
tree: 3f53aa6f35af83370aa7cd7bc25a2f6a2b6b8bbd /security/selinux/ss/conditional.c
parent: 671a2781ff01abf4fdc8904881fc3abd3a8279af (diff)
1 files changed, 27 insertions, 5 deletions
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 62c6773be0b7..18643bf9894d 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -15,6 +15,7 @@
 #include "security.h"
 #include "conditional.h"
+#include "services.h"
 /*
 * cond_evaluate_expr evaluates a conditional expr
@@ -612,21 +613,39 @@ int cond_write_list(struct policydb *p, struct cond_node *list, void *fp)
        return 0;
 }
+void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
+                struct extended_perms_decision *xpermd)
+{
+        struct avtab_node *node;
+        if (!ctab || !key || !xpermd)
+                return;
+        for (node = avtab_search_node(ctab, key); node;
+                        node = avtab_search_node_next(node, key->specified)) {
+                if (node->key.specified & AVTAB_ENABLED)
+                        services_compute_xperms_decision(xpermd, node);
+        }
+        return;
+}
 /* Determine whether additional permissions are granted by the conditional
 * av table, and if so, add them to the result
 */
-void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decision *avd)
+void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
+                struct av_decision *avd, struct extended_perms *xperms)
 {
        struct avtab_node *node;
-        if (!ctab || !key || !avd)
+        if (!ctab || !key || !avd || !xperms)
                return;
        for (node = avtab_search_node(ctab, key); node;
                                node = avtab_search_node_next(node, key->specified)) {
                if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
                    (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
-                        avd->allowed |= node->datum.data;
+                        avd->allowed |= node->datum.u.data;
                if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
                    (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
                        /* Since a '0' in an auditdeny mask represents a
@@ -634,10 +653,13 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
                         * the '&' operand to ensure that all '0's in the mask
                         * are retained (much unlike the allow and auditallow cases).
                         */
-                        avd->auditdeny &= node->datum.data;
+                        avd->auditdeny &= node->datum.u.data;
                if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
                    (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
-                        avd->auditallow |= node->datum.data;
+                        avd->auditallow |= node->datum.u.data;
+                if ((node->key.specified & AVTAB_ENABLED) &&
+                                (node->key.specified & AVTAB_XPERMS))
+                        services_compute_xperms_drivers(xperms, node);
        }
        return;
 }
author	Jeff Vander Stoep <jeffv@google.com>	2015-07-10 17:19:56 -0400
committer	Paul Moore <pmoore@redhat.com>	2015-07-13 13:31:58 -0400
commit	fa1aa143ac4a682c7f5fd52a3cf05f5a6fe44a0a (patch)
tree	3f53aa6f35af83370aa7cd7bc25a2f6a2b6b8bbd /security/selinux/ss/conditional.c
parent	671a2781ff01abf4fdc8904881fc3abd3a8279af (diff)