diff options
author | KaiGai Kohei <kaigai@ak.jp.nec.com> | 2009-03-31 21:07:57 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-04-01 18:23:45 -0400 |
commit | 8a6f83afd0c5355db6d11394a798e94950306239 (patch) | |
tree | f7cb84de87f67eeba0dd68681907696f8a5774d1 | |
parent | c31f403de62415c738ddc9e673cf8e722c82f861 (diff) |
Permissive domain in userspace object manager
This patch enables applications to handle permissive domain correctly.
Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.
This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.
This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/avc.c | 2 +-
security/selinux/include/security.h | 4 +++-
security/selinux/selinuxfs.c | 4 ++--
security/selinux/ss/services.c | 30 +++++-------------------------
4 files changed, 11 insertions(+), 29 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/avc.c | 2 | ||||
-rw-r--r-- | security/selinux/include/security.h | 4 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 4 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 30 |
4 files changed, 11 insertions, 29 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 7f9b5fac8779..b2ab60859832 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -927,7 +927,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
927 | if (denied) { | 927 | if (denied) { |
928 | if (flags & AVC_STRICT) | 928 | if (flags & AVC_STRICT) |
929 | rc = -EACCES; | 929 | rc = -EACCES; |
930 | else if (!selinux_enforcing || security_permissive_sid(ssid)) | 930 | else if (!selinux_enforcing || (avd->flags & AVD_FLAGS_PERMISSIVE)) |
931 | avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, | 931 | avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, |
932 | tsid, tclass, avd->seqno); | 932 | tsid, tclass, avd->seqno); |
933 | else | 933 | else |
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 5c3434f7626f..a7be3f01fb08 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -91,9 +91,11 @@ struct av_decision { | |||
91 | u32 auditallow; | 91 | u32 auditallow; |
92 | u32 auditdeny; | 92 | u32 auditdeny; |
93 | u32 seqno; | 93 | u32 seqno; |
94 | u32 flags; | ||
94 | }; | 95 | }; |
95 | 96 | ||
96 | int security_permissive_sid(u32 sid); | 97 | /* definitions of av_decision.flags */ |
98 | #define AVD_FLAGS_PERMISSIVE 0x0001 | ||
97 | 99 | ||
98 | int security_compute_av(u32 ssid, u32 tsid, | 100 | int security_compute_av(u32 ssid, u32 tsid, |
99 | u16 tclass, u32 requested, | 101 | u16 tclass, u32 requested, |
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 2d5136ec3d54..8d4007fbe0e9 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -527,10 +527,10 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) | |||
527 | goto out2; | 527 | goto out2; |
528 | 528 | ||
529 | length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, | 529 | length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, |
530 | "%x %x %x %x %u", | 530 | "%x %x %x %x %u %x", |
531 | avd.allowed, 0xffffffff, | 531 | avd.allowed, 0xffffffff, |
532 | avd.auditallow, avd.auditdeny, | 532 | avd.auditallow, avd.auditdeny, |
533 | avd.seqno); | 533 | avd.seqno, avd.flags); |
534 | out2: | 534 | out2: |
535 | kfree(tcon); | 535 | kfree(tcon); |
536 | out: | 536 | out: |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index deeec6c013ae..500e6f78e115 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -410,6 +410,7 @@ static int context_struct_compute_av(struct context *scontext, | |||
410 | avd->auditallow = 0; | 410 | avd->auditallow = 0; |
411 | avd->auditdeny = 0xffffffff; | 411 | avd->auditdeny = 0xffffffff; |
412 | avd->seqno = latest_granting; | 412 | avd->seqno = latest_granting; |
413 | avd->flags = 0; | ||
413 | 414 | ||
414 | /* | 415 | /* |
415 | * Check for all the invalid cases. | 416 | * Check for all the invalid cases. |
@@ -528,31 +529,6 @@ inval_class: | |||
528 | return 0; | 529 | return 0; |
529 | } | 530 | } |
530 | 531 | ||
531 | /* | ||
532 | * Given a sid find if the type has the permissive flag set | ||
533 | */ | ||
534 | int security_permissive_sid(u32 sid) | ||
535 | { | ||
536 | struct context *context; | ||
537 | u32 type; | ||
538 | int rc; | ||
539 | |||
540 | read_lock(&policy_rwlock); | ||
541 | |||
542 | context = sidtab_search(&sidtab, sid); | ||
543 | BUG_ON(!context); | ||
544 | |||
545 | type = context->type; | ||
546 | /* | ||
547 | * we are intentionally using type here, not type-1, the 0th bit may | ||
548 | * someday indicate that we are globally setting permissive in policy. | ||
549 | */ | ||
550 | rc = ebitmap_get_bit(&policydb.permissive_map, type); | ||
551 | |||
552 | read_unlock(&policy_rwlock); | ||
553 | return rc; | ||
554 | } | ||
555 | |||
556 | static int security_validtrans_handle_fail(struct context *ocontext, | 532 | static int security_validtrans_handle_fail(struct context *ocontext, |
557 | struct context *ncontext, | 533 | struct context *ncontext, |
558 | struct context *tcontext, | 534 | struct context *tcontext, |
@@ -767,6 +743,10 @@ int security_compute_av(u32 ssid, | |||
767 | 743 | ||
768 | rc = context_struct_compute_av(scontext, tcontext, tclass, | 744 | rc = context_struct_compute_av(scontext, tcontext, tclass, |
769 | requested, avd); | 745 | requested, avd); |
746 | |||
747 | /* permissive domain? */ | ||
748 | if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) | ||
749 | avd->flags |= AVD_FLAGS_PERMISSIVE; | ||
770 | out: | 750 | out: |
771 | read_unlock(&policy_rwlock); | 751 | read_unlock(&policy_rwlock); |
772 | return rc; | 752 | return rc; |