diff options
author | Paul Moore <paul.moore@hp.com> | 2009-03-27 17:10:41 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-03-28 00:01:37 -0400 |
commit | 58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2 (patch) | |
tree | 41132587adbb6816b56b9d28105826b8ef0fd7b9 | |
parent | 389fb800ac8be2832efedd19978a2b8ced37eb61 (diff) |
selinux: Remove the "compat_net" compatibility code
The SELinux "compat_net" is marked as deprecated, the time has come to
finally remove it from the kernel. Further code simplifications are
likely in the future, but this patch was intended to be a simple,
straight-up removal of the compat_net code.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | Documentation/feature-removal-schedule.txt | 11 | ||||
-rw-r--r-- | Documentation/kernel-parameters.txt | 9 | ||||
-rw-r--r-- | security/selinux/hooks.c | 153 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 68 |
4 files changed, 7 insertions, 234 deletions
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt index 02ea3773535e..049a96247f58 100644 --- a/Documentation/feature-removal-schedule.txt +++ b/Documentation/feature-removal-schedule.txt | |||
@@ -355,17 +355,6 @@ Who: Hans de Goede <hdegoede@redhat.com> | |||
355 | 355 | ||
356 | --------------------------- | 356 | --------------------------- |
357 | 357 | ||
358 | What: SELinux "compat_net" functionality | ||
359 | When: 2.6.30 at the earliest | ||
360 | Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net" | ||
361 | network access control functionality of SELinux. Secmark offers both | ||
362 | better performance and greater flexibility than the "compat_net" | ||
363 | mechanism. Now that the major Linux distributions have moved to | ||
364 | Secmark, it is time to deprecate the older mechanism and start the | ||
365 | process of removing the old code. | ||
366 | Who: Paul Moore <paul.moore@hp.com> | ||
367 | --------------------------- | ||
368 | |||
369 | What: sysfs ui for changing p4-clockmod parameters | 358 | What: sysfs ui for changing p4-clockmod parameters |
370 | When: September 2009 | 359 | When: September 2009 |
371 | Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and | 360 | Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and |
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index fa4e1239a8fa..d1b082772e39 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt | |||
@@ -2019,15 +2019,6 @@ and is between 256 and 4096 characters. It is defined in the file | |||
2019 | If enabled at boot time, /selinux/disable can be used | 2019 | If enabled at boot time, /selinux/disable can be used |
2020 | later to disable prior to initial policy load. | 2020 | later to disable prior to initial policy load. |
2021 | 2021 | ||
2022 | selinux_compat_net = | ||
2023 | [SELINUX] Set initial selinux_compat_net flag value. | ||
2024 | Format: { "0" | "1" } | ||
2025 | 0 -- use new secmark-based packet controls | ||
2026 | 1 -- use legacy packet controls | ||
2027 | Default value is 0 (preferred). | ||
2028 | Value can be changed at runtime via | ||
2029 | /selinux/compat_net. | ||
2030 | |||
2031 | serialnumber [BUGS=X86-32] | 2022 | serialnumber [BUGS=X86-32] |
2032 | 2023 | ||
2033 | shapers= [NET] | 2024 | shapers= [NET] |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ee2e781d11d7..ba808ef6babb 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -93,7 +93,6 @@ | |||
93 | 93 | ||
94 | extern unsigned int policydb_loaded_version; | 94 | extern unsigned int policydb_loaded_version; |
95 | extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); | 95 | extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); |
96 | extern int selinux_compat_net; | ||
97 | extern struct security_operations *security_ops; | 96 | extern struct security_operations *security_ops; |
98 | 97 | ||
99 | /* SECMARK reference count */ | 98 | /* SECMARK reference count */ |
@@ -4019,72 +4018,6 @@ static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, | |||
4019 | SECCLASS_NODE, NODE__RECVFROM, ad); | 4018 | SECCLASS_NODE, NODE__RECVFROM, ad); |
4020 | } | 4019 | } |
4021 | 4020 | ||
4022 | static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, | ||
4023 | struct sk_buff *skb, | ||
4024 | struct avc_audit_data *ad, | ||
4025 | u16 family, | ||
4026 | char *addrp) | ||
4027 | { | ||
4028 | int err; | ||
4029 | struct sk_security_struct *sksec = sk->sk_security; | ||
4030 | u16 sk_class; | ||
4031 | u32 netif_perm, node_perm, recv_perm; | ||
4032 | u32 port_sid, node_sid, if_sid, sk_sid; | ||
4033 | |||
4034 | sk_sid = sksec->sid; | ||
4035 | sk_class = sksec->sclass; | ||
4036 | |||
4037 | switch (sk_class) { | ||
4038 | case SECCLASS_UDP_SOCKET: | ||
4039 | netif_perm = NETIF__UDP_RECV; | ||
4040 | node_perm = NODE__UDP_RECV; | ||
4041 | recv_perm = UDP_SOCKET__RECV_MSG; | ||
4042 | break; | ||
4043 | case SECCLASS_TCP_SOCKET: | ||
4044 | netif_perm = NETIF__TCP_RECV; | ||
4045 | node_perm = NODE__TCP_RECV; | ||
4046 | recv_perm = TCP_SOCKET__RECV_MSG; | ||
4047 | break; | ||
4048 | case SECCLASS_DCCP_SOCKET: | ||
4049 | netif_perm = NETIF__DCCP_RECV; | ||
4050 | node_perm = NODE__DCCP_RECV; | ||
4051 | recv_perm = DCCP_SOCKET__RECV_MSG; | ||
4052 | break; | ||
4053 | default: | ||
4054 | netif_perm = NETIF__RAWIP_RECV; | ||
4055 | node_perm = NODE__RAWIP_RECV; | ||
4056 | recv_perm = 0; | ||
4057 | break; | ||
4058 | } | ||
4059 | |||
4060 | err = sel_netif_sid(skb->iif, &if_sid); | ||
4061 | if (err) | ||
4062 | return err; | ||
4063 | err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); | ||
4064 | if (err) | ||
4065 | return err; | ||
4066 | |||
4067 | err = sel_netnode_sid(addrp, family, &node_sid); | ||
4068 | if (err) | ||
4069 | return err; | ||
4070 | err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); | ||
4071 | if (err) | ||
4072 | return err; | ||
4073 | |||
4074 | if (!recv_perm) | ||
4075 | return 0; | ||
4076 | err = sel_netport_sid(sk->sk_protocol, | ||
4077 | ntohs(ad->u.net.sport), &port_sid); | ||
4078 | if (unlikely(err)) { | ||
4079 | printk(KERN_WARNING | ||
4080 | "SELinux: failure in" | ||
4081 | " selinux_sock_rcv_skb_iptables_compat()," | ||
4082 | " network port label not found\n"); | ||
4083 | return err; | ||
4084 | } | ||
4085 | return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad); | ||
4086 | } | ||
4087 | |||
4088 | static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, | 4021 | static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, |
4089 | u16 family) | 4022 | u16 family) |
4090 | { | 4023 | { |
@@ -4102,14 +4035,12 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, | |||
4102 | if (err) | 4035 | if (err) |
4103 | return err; | 4036 | return err; |
4104 | 4037 | ||
4105 | if (selinux_compat_net) | 4038 | if (selinux_secmark_enabled()) { |
4106 | err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad, | ||
4107 | family, addrp); | ||
4108 | else if (selinux_secmark_enabled()) | ||
4109 | err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, | 4039 | err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, |
4110 | PACKET__RECV, &ad); | 4040 | PACKET__RECV, &ad); |
4111 | if (err) | 4041 | if (err) |
4112 | return err; | 4042 | return err; |
4043 | } | ||
4113 | 4044 | ||
4114 | if (selinux_policycap_netpeer) { | 4045 | if (selinux_policycap_netpeer) { |
4115 | err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); | 4046 | err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); |
@@ -4151,7 +4082,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
4151 | * to the selinux_sock_rcv_skb_compat() function to deal with the | 4082 | * to the selinux_sock_rcv_skb_compat() function to deal with the |
4152 | * special handling. We do this in an attempt to keep this function | 4083 | * special handling. We do this in an attempt to keep this function |
4153 | * as fast and as clean as possible. */ | 4084 | * as fast and as clean as possible. */ |
4154 | if (selinux_compat_net || !selinux_policycap_netpeer) | 4085 | if (!selinux_policycap_netpeer) |
4155 | return selinux_sock_rcv_skb_compat(sk, skb, family); | 4086 | return selinux_sock_rcv_skb_compat(sk, skb, family); |
4156 | 4087 | ||
4157 | secmark_active = selinux_secmark_enabled(); | 4088 | secmark_active = selinux_secmark_enabled(); |
@@ -4516,71 +4447,6 @@ static unsigned int selinux_ipv4_output(unsigned int hooknum, | |||
4516 | return selinux_ip_output(skb, PF_INET); | 4447 | return selinux_ip_output(skb, PF_INET); |
4517 | } | 4448 | } |
4518 | 4449 | ||
4519 | static int selinux_ip_postroute_iptables_compat(struct sock *sk, | ||
4520 | int ifindex, | ||
4521 | struct avc_audit_data *ad, | ||
4522 | u16 family, char *addrp) | ||
4523 | { | ||
4524 | int err; | ||
4525 | struct sk_security_struct *sksec = sk->sk_security; | ||
4526 | u16 sk_class; | ||
4527 | u32 netif_perm, node_perm, send_perm; | ||
4528 | u32 port_sid, node_sid, if_sid, sk_sid; | ||
4529 | |||
4530 | sk_sid = sksec->sid; | ||
4531 | sk_class = sksec->sclass; | ||
4532 | |||
4533 | switch (sk_class) { | ||
4534 | case SECCLASS_UDP_SOCKET: | ||
4535 | netif_perm = NETIF__UDP_SEND; | ||
4536 | node_perm = NODE__UDP_SEND; | ||
4537 | send_perm = UDP_SOCKET__SEND_MSG; | ||
4538 | break; | ||
4539 | case SECCLASS_TCP_SOCKET: | ||
4540 | netif_perm = NETIF__TCP_SEND; | ||
4541 | node_perm = NODE__TCP_SEND; | ||
4542 | send_perm = TCP_SOCKET__SEND_MSG; | ||
4543 | break; | ||
4544 | case SECCLASS_DCCP_SOCKET: | ||
4545 | netif_perm = NETIF__DCCP_SEND; | ||
4546 | node_perm = NODE__DCCP_SEND; | ||
4547 | send_perm = DCCP_SOCKET__SEND_MSG; | ||
4548 | break; | ||
4549 | default: | ||
4550 | netif_perm = NETIF__RAWIP_SEND; | ||
4551 | node_perm = NODE__RAWIP_SEND; | ||
4552 | send_perm = 0; | ||
4553 | break; | ||
4554 | } | ||
4555 | |||
4556 | err = sel_netif_sid(ifindex, &if_sid); | ||
4557 | if (err) | ||
4558 | return err; | ||
4559 | err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); | ||
4560 | return err; | ||
4561 | |||
4562 | err = sel_netnode_sid(addrp, family, &node_sid); | ||
4563 | if (err) | ||
4564 | return err; | ||
4565 | err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); | ||
4566 | if (err) | ||
4567 | return err; | ||
4568 | |||
4569 | if (send_perm != 0) | ||
4570 | return 0; | ||
4571 | |||
4572 | err = sel_netport_sid(sk->sk_protocol, | ||
4573 | ntohs(ad->u.net.dport), &port_sid); | ||
4574 | if (unlikely(err)) { | ||
4575 | printk(KERN_WARNING | ||
4576 | "SELinux: failure in" | ||
4577 | " selinux_ip_postroute_iptables_compat()," | ||
4578 | " network port label not found\n"); | ||
4579 | return err; | ||
4580 | } | ||
4581 | return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad); | ||
4582 | } | ||
4583 | |||
4584 | static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | 4450 | static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, |
4585 | int ifindex, | 4451 | int ifindex, |
4586 | u16 family) | 4452 | u16 family) |
@@ -4601,15 +4467,10 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
4601 | if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) | 4467 | if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) |
4602 | return NF_DROP; | 4468 | return NF_DROP; |
4603 | 4469 | ||
4604 | if (selinux_compat_net) { | 4470 | if (selinux_secmark_enabled()) |
4605 | if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, | ||
4606 | &ad, family, addrp)) | ||
4607 | return NF_DROP; | ||
4608 | } else if (selinux_secmark_enabled()) { | ||
4609 | if (avc_has_perm(sksec->sid, skb->secmark, | 4471 | if (avc_has_perm(sksec->sid, skb->secmark, |
4610 | SECCLASS_PACKET, PACKET__SEND, &ad)) | 4472 | SECCLASS_PACKET, PACKET__SEND, &ad)) |
4611 | return NF_DROP; | 4473 | return NF_DROP; |
4612 | } | ||
4613 | 4474 | ||
4614 | if (selinux_policycap_netpeer) | 4475 | if (selinux_policycap_netpeer) |
4615 | if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) | 4476 | if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) |
@@ -4633,7 +4494,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
4633 | * to the selinux_ip_postroute_compat() function to deal with the | 4494 | * to the selinux_ip_postroute_compat() function to deal with the |
4634 | * special handling. We do this in an attempt to keep this function | 4495 | * special handling. We do this in an attempt to keep this function |
4635 | * as fast and as clean as possible. */ | 4496 | * as fast and as clean as possible. */ |
4636 | if (selinux_compat_net || !selinux_policycap_netpeer) | 4497 | if (!selinux_policycap_netpeer) |
4637 | return selinux_ip_postroute_compat(skb, ifindex, family); | 4498 | return selinux_ip_postroute_compat(skb, ifindex, family); |
4638 | #ifdef CONFIG_XFRM | 4499 | #ifdef CONFIG_XFRM |
4639 | /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec | 4500 | /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec |
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index d3c8b982cfb0..2d5136ec3d54 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -47,8 +47,6 @@ static char *policycap_names[] = { | |||
47 | 47 | ||
48 | unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; | 48 | unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; |
49 | 49 | ||
50 | int selinux_compat_net = 0; | ||
51 | |||
52 | static int __init checkreqprot_setup(char *str) | 50 | static int __init checkreqprot_setup(char *str) |
53 | { | 51 | { |
54 | unsigned long checkreqprot; | 52 | unsigned long checkreqprot; |
@@ -58,16 +56,6 @@ static int __init checkreqprot_setup(char *str) | |||
58 | } | 56 | } |
59 | __setup("checkreqprot=", checkreqprot_setup); | 57 | __setup("checkreqprot=", checkreqprot_setup); |
60 | 58 | ||
61 | static int __init selinux_compat_net_setup(char *str) | ||
62 | { | ||
63 | unsigned long compat_net; | ||
64 | if (!strict_strtoul(str, 0, &compat_net)) | ||
65 | selinux_compat_net = compat_net ? 1 : 0; | ||
66 | return 1; | ||
67 | } | ||
68 | __setup("selinux_compat_net=", selinux_compat_net_setup); | ||
69 | |||
70 | |||
71 | static DEFINE_MUTEX(sel_mutex); | 59 | static DEFINE_MUTEX(sel_mutex); |
72 | 60 | ||
73 | /* global data for booleans */ | 61 | /* global data for booleans */ |
@@ -450,61 +438,6 @@ static const struct file_operations sel_checkreqprot_ops = { | |||
450 | .write = sel_write_checkreqprot, | 438 | .write = sel_write_checkreqprot, |
451 | }; | 439 | }; |
452 | 440 | ||
453 | static ssize_t sel_read_compat_net(struct file *filp, char __user *buf, | ||
454 | size_t count, loff_t *ppos) | ||
455 | { | ||
456 | char tmpbuf[TMPBUFLEN]; | ||
457 | ssize_t length; | ||
458 | |||
459 | length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net); | ||
460 | return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); | ||
461 | } | ||
462 | |||
463 | static ssize_t sel_write_compat_net(struct file *file, const char __user *buf, | ||
464 | size_t count, loff_t *ppos) | ||
465 | { | ||
466 | char *page; | ||
467 | ssize_t length; | ||
468 | int new_value; | ||
469 | |||
470 | length = task_has_security(current, SECURITY__LOAD_POLICY); | ||
471 | if (length) | ||
472 | return length; | ||
473 | |||
474 | if (count >= PAGE_SIZE) | ||
475 | return -ENOMEM; | ||
476 | if (*ppos != 0) { | ||
477 | /* No partial writes. */ | ||
478 | return -EINVAL; | ||
479 | } | ||
480 | page = (char *)get_zeroed_page(GFP_KERNEL); | ||
481 | if (!page) | ||
482 | return -ENOMEM; | ||
483 | length = -EFAULT; | ||
484 | if (copy_from_user(page, buf, count)) | ||
485 | goto out; | ||
486 | |||
487 | length = -EINVAL; | ||
488 | if (sscanf(page, "%d", &new_value) != 1) | ||
489 | goto out; | ||
490 | |||
491 | if (new_value) { | ||
492 | printk(KERN_NOTICE | ||
493 | "SELinux: compat_net is deprecated, please use secmark" | ||
494 | " instead\n"); | ||
495 | selinux_compat_net = 1; | ||
496 | } else | ||
497 | selinux_compat_net = 0; | ||
498 | length = count; | ||
499 | out: | ||
500 | free_page((unsigned long) page); | ||
501 | return length; | ||
502 | } | ||
503 | static const struct file_operations sel_compat_net_ops = { | ||
504 | .read = sel_read_compat_net, | ||
505 | .write = sel_write_compat_net, | ||
506 | }; | ||
507 | |||
508 | /* | 441 | /* |
509 | * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c | 442 | * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c |
510 | */ | 443 | */ |
@@ -1665,7 +1598,6 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent) | |||
1665 | [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR}, | 1598 | [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR}, |
1666 | [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO}, | 1599 | [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO}, |
1667 | [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR}, | 1600 | [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR}, |
1668 | [SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR}, | ||
1669 | [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO}, | 1601 | [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO}, |
1670 | [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO}, | 1602 | [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO}, |
1671 | /* last one */ {""} | 1603 | /* last one */ {""} |