aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKaiGai Kohei <kaigai@ak.jp.nec.com>2009-03-31 21:07:57 -0400
committerJames Morris <jmorris@namei.org>2009-04-01 18:23:45 -0400
commit8a6f83afd0c5355db6d11394a798e94950306239 (patch)
treef7cb84de87f67eeba0dd68681907696f8a5774d1
parentc31f403de62415c738ddc9e673cf8e722c82f861 (diff)
Permissive domain in userspace object manager
This patch enables applications to handle permissive domain correctly. Since the v2.6.26 kernel, SELinux has supported an idea of permissive domain which allows certain processes to work as if permissive mode, even if the global setting is enforcing mode. However, we don't have an application program interface to inform what domains are permissive one, and what domains are not. It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL and so on) cannot handle permissive domain correctly. This patch add the sixth field (flags) on the reply of the /selinux/access interface which is used to make an access control decision from userspace. If the first bit of the flags field is positive, it means the required access control decision is on permissive domain, so application should allow any required actions, as the kernel doing. This patch also has a side benefit. The av_decision.flags is set at context_struct_compute_av(). It enables to check required permissions without read_lock(&policy_rwlock). Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> -- security/selinux/avc.c | 2 +- security/selinux/include/security.h | 4 +++- security/selinux/selinuxfs.c | 4 ++-- security/selinux/ss/services.c | 30 +++++------------------------- 4 files changed, 11 insertions(+), 29 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/avc.c2
-rw-r--r--security/selinux/include/security.h4
-rw-r--r--security/selinux/selinuxfs.c4
-rw-r--r--security/selinux/ss/services.c30
4 files changed, 11 insertions, 29 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 7f9b5fac8779..b2ab60859832 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -927,7 +927,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
927 if (denied) { 927 if (denied) {
928 if (flags & AVC_STRICT) 928 if (flags & AVC_STRICT)
929 rc = -EACCES; 929 rc = -EACCES;
930 else if (!selinux_enforcing || security_permissive_sid(ssid)) 930 else if (!selinux_enforcing || (avd->flags & AVD_FLAGS_PERMISSIVE))
931 avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, 931 avc_update_node(AVC_CALLBACK_GRANT, requested, ssid,
932 tsid, tclass, avd->seqno); 932 tsid, tclass, avd->seqno);
933 else 933 else
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 5c3434f7626f..a7be3f01fb08 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -91,9 +91,11 @@ struct av_decision {
91 u32 auditallow; 91 u32 auditallow;
92 u32 auditdeny; 92 u32 auditdeny;
93 u32 seqno; 93 u32 seqno;
94 u32 flags;
94}; 95};
95 96
96int security_permissive_sid(u32 sid); 97/* definitions of av_decision.flags */
98#define AVD_FLAGS_PERMISSIVE 0x0001
97 99
98int security_compute_av(u32 ssid, u32 tsid, 100int security_compute_av(u32 ssid, u32 tsid,
99 u16 tclass, u32 requested, 101 u16 tclass, u32 requested,
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 2d5136ec3d54..8d4007fbe0e9 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -527,10 +527,10 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
527 goto out2; 527 goto out2;
528 528
529 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, 529 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
530 "%x %x %x %x %u", 530 "%x %x %x %x %u %x",
531 avd.allowed, 0xffffffff, 531 avd.allowed, 0xffffffff,
532 avd.auditallow, avd.auditdeny, 532 avd.auditallow, avd.auditdeny,
533 avd.seqno); 533 avd.seqno, avd.flags);
534out2: 534out2:
535 kfree(tcon); 535 kfree(tcon);
536out: 536out:
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index deeec6c013ae..500e6f78e115 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -410,6 +410,7 @@ static int context_struct_compute_av(struct context *scontext,
410 avd->auditallow = 0; 410 avd->auditallow = 0;
411 avd->auditdeny = 0xffffffff; 411 avd->auditdeny = 0xffffffff;
412 avd->seqno = latest_granting; 412 avd->seqno = latest_granting;
413 avd->flags = 0;
413 414
414 /* 415 /*
415 * Check for all the invalid cases. 416 * Check for all the invalid cases.
@@ -528,31 +529,6 @@ inval_class:
528 return 0; 529 return 0;
529} 530}
530 531
531/*
532 * Given a sid find if the type has the permissive flag set
533 */
534int security_permissive_sid(u32 sid)
535{
536 struct context *context;
537 u32 type;
538 int rc;
539
540 read_lock(&policy_rwlock);
541
542 context = sidtab_search(&sidtab, sid);
543 BUG_ON(!context);
544
545 type = context->type;
546 /*
547 * we are intentionally using type here, not type-1, the 0th bit may
548 * someday indicate that we are globally setting permissive in policy.
549 */
550 rc = ebitmap_get_bit(&policydb.permissive_map, type);
551
552 read_unlock(&policy_rwlock);
553 return rc;
554}
555
556static int security_validtrans_handle_fail(struct context *ocontext, 532static int security_validtrans_handle_fail(struct context *ocontext,
557 struct context *ncontext, 533 struct context *ncontext,
558 struct context *tcontext, 534 struct context *tcontext,
@@ -767,6 +743,10 @@ int security_compute_av(u32 ssid,
767 743
768 rc = context_struct_compute_av(scontext, tcontext, tclass, 744 rc = context_struct_compute_av(scontext, tcontext, tclass,
769 requested, avd); 745 requested, avd);
746
747 /* permissive domain? */
748 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
749 avd->flags |= AVD_FLAGS_PERMISSIVE;
770out: 750out:
771 read_unlock(&policy_rwlock); 751 read_unlock(&policy_rwlock);
772 return rc; 752 return rc;