authorPaul Moore <paul.moore@hp.com>2009-03-27 17:10:41 -0400
committerJames Morris <jmorris@namei.org>2009-03-28 00:01:37 -0400
commit58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2 (patch)
tree41132587adbb6816b56b9d28105826b8ef0fd7b9
parent389fb800ac8be2832efedd19978a2b8ced37eb61 (diff)
selinux: Remove the "compat_net" compatibility code
The SELinux "compat_net" is marked as deprecated; the time has come to finally remove it from the kernel. Further code simplifications are likely in the future, but this patch was intended to be a simple, straight-up removal of the compat_net code. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--Documentation/feature-removal-schedule.txt11
-rw-r--r--Documentation/kernel-parameters.txt9
-rw-r--r--security/selinux/hooks.c153
-rw-r--r--security/selinux/selinuxfs.c68
4 files changed, 7 insertions, 234 deletions
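--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -355,17 +355,6 @@ Who: Hans de Goede <hdegoede@redhat.com>
 
 ---------------------------
 
-What: SELinux "compat_net" functionality
-When: 2.6.30 at the earliest
-Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net"
- network access control functionality of SELinux. Secmark offers both
- better performance and greater flexibility than the "compat_net"
- mechanism. Now that the major Linux distributions have moved to
- Secmark, it is time to deprecate the older mechanism and start the
- process of removing the old code.
-Who: Paul Moore <paul.moore@hp.com>
----------------------------
-
 What: sysfs ui for changing p4-clockmod parameters
 When: September 2009
 Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and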
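--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2019,15 +2019,6 @@ and is between 256 and 4096 characters. It is defined in the file
  If enabled at boot time, /selinux/disable can be used
  later to disable prior to initial policy load.
 
- selinux_compat_net =
- [SELINUX] Set initial selinux_compat_net flag value.
- Format: { "0" | "1" }
- 0 -- use new secmark-based packet controls
- 1 -- use legacy packet controls
- Default value is 0 (preferred).
- Value can be changed at runtime via
- /selinux/compat_net.
-
  serialnumber [BUGS=X86-32]
 
  shapers= [NET]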
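--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -93,7 +93,6 @@
 
 extern unsigned int policydb_loaded_version;
 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
-extern int selinux_compat_net;
 extern struct security_operations *security_ops;
 
 /* SECMARK reference count */
@@ -4019,72 +4018,6 @@ static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
  SECCLASS_NODE, NODE__RECVFROM, ad);
 }
 
-static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
- struct sk_buff *skb,
- struct avc_audit_data *ad,
- u16 family,
- char *addrp)
-{
- int err;
- struct sk_security_struct *sksec = sk->sk_security;
- u16 sk_class;
- u32 netif_perm, node_perm, recv_perm;
- u32 port_sid, node_sid, if_sid, sk_sid;
-
- sk_sid = sksec->sid;
- sk_class = sksec->sclass;
-
- switch (sk_class) {
- case SECCLASS_UDP_SOCKET:
- netif_perm = NETIF__UDP_RECV;
- node_perm = NODE__UDP_RECV;
- recv_perm = UDP_SOCKET__RECV_MSG;
- break;
- case SECCLASS_TCP_SOCKET:
- netif_perm = NETIF__TCP_RECV;
- node_perm = NODE__TCP_RECV;
- recv_perm = TCP_SOCKET__RECV_MSG;
- break;
- case SECCLASS_DCCP_SOCKET:
- netif_perm = NETIF__DCCP_RECV;
- node_perm = NODE__DCCP_RECV;
- recv_perm = DCCP_SOCKET__RECV_MSG;
- break;
- default:
- netif_perm = NETIF__RAWIP_RECV;
- node_perm = NODE__RAWIP_RECV;
- recv_perm = 0;
- break;
- }
-
- err = sel_netif_sid(skb->iif, &if_sid);
- if (err)
- return err;
- err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
- if (err)
- return err;
-
- err = sel_netnode_sid(addrp, family, &node_sid);
- if (err)
- return err;
- err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
- if (err)
- return err;
-
- if (!recv_perm)
- return 0;
- err = sel_netport_sid(sk->sk_protocol,
- ntohs(ad->u.net.sport), &port_sid);
- if (unlikely(err)) {
- printk(KERN_WARNING
- "SELinux: failure in"
- " selinux_sock_rcv_skb_iptables_compat(),"
- " network port label not found\n");
- return err;
- }
- return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
-}
-
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
  u16 family)
 {
@@ -4102,14 +4035,12 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
  if (err)
  return err;
 
- if (selinux_compat_net)
- err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
- family, addrp);
- else if (selinux_secmark_enabled())
+ if (selinux_secmark_enabled()) {
  err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
  PACKET__RECV, &ad);
  if (err)
  return err;
+ }
 
  if (selinux_policycap_netpeer) {
  err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
@@ -4151,7 +4082,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
  * to the selinux_sock_rcv_skb_compat() function to deal with the
  * special handling. We do this in an attempt to keep this function
  * as fast and as clean as possible. */
- if (selinux_compat_net || !selinux_policycap_netpeer)
+ if (!selinux_policycap_netpeer)
  return selinux_sock_rcv_skb_compat(sk, skb, family);
 
  secmark_active = selinux_secmark_enabled();
@@ -4516,71 +4447,6 @@ static unsigned int selinux_ipv4_output(unsigned int hooknum,
  return selinux_ip_output(skb, PF_INET);
 }
 
-static int selinux_ip_postroute_iptables_compat(struct sock *sk,
- int ifindex,
- struct avc_audit_data *ad,
- u16 family, char *addrp)
-{
- int err;
- struct sk_security_struct *sksec = sk->sk_security;
- u16 sk_class;
- u32 netif_perm, node_perm, send_perm;
- u32 port_sid, node_sid, if_sid, sk_sid;
-
- sk_sid = sksec->sid;
- sk_class = sksec->sclass;
-
- switch (sk_class) {
- case SECCLASS_UDP_SOCKET:
- netif_perm = NETIF__UDP_SEND;
- node_perm = NODE__UDP_SEND;
- send_perm = UDP_SOCKET__SEND_MSG;
- break;
- case SECCLASS_TCP_SOCKET:
- netif_perm = NETIF__TCP_SEND;
- node_perm = NODE__TCP_SEND;
- send_perm = TCP_SOCKET__SEND_MSG;
- break;
- case SECCLASS_DCCP_SOCKET:
- netif_perm = NETIF__DCCP_SEND;
- node_perm = NODE__DCCP_SEND;
- send_perm = DCCP_SOCKET__SEND_MSG;
- break;
- default:
- netif_perm = NETIF__RAWIP_SEND;
- node_perm = NODE__RAWIP_SEND;
- send_perm = 0;
- break;
- }
-
- err = sel_netif_sid(ifindex, &if_sid);
- if (err)
- return err;
- err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
- return err;
-
- err = sel_netnode_sid(addrp, family, &node_sid);
- if (err)
- return err;
- err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
- if (err)
- return err;
-
- if (send_perm != 0)
- return 0;
-
- err = sel_netport_sid(sk->sk_protocol,
- ntohs(ad->u.net.dport), &port_sid);
- if (unlikely(err)) {
- printk(KERN_WARNING
- "SELinux: failure in"
- " selinux_ip_postroute_iptables_compat(),"
- " network port label not found\n");
- return err;
- }
- return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
-}
-
 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
  int ifindex,
  u16 family)
@@ -4601,15 +4467,10 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
  if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
  return NF_DROP;
 
- if (selinux_compat_net) {
- if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
- &ad, family, addrp))
- return NF_DROP;
- } else if (selinux_secmark_enabled()) {
+ if (selinux_secmark_enabled())
  if (avc_has_perm(sksec->sid, skb->secmark,
  SECCLASS_PACKET, PACKET__SEND, &ad))
  return NF_DROP;
- }
 
  if (selinux_policycap_netpeer)
  if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
@@ -4633,7 +4494,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
  * to the selinux_ip_postroute_compat() function to deal with the
  * special handling. We do this in an attempt to keep this function
  * as fast and as clean as possible. */
- if (selinux_compat_net || !selinux_policycap_netpeer)
+ if (!selinux_policycap_netpeer)
  return selinux_ip_postroute_compat(skb, ifindex, family);
 #ifdef CONFIG_XFRM
  /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec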
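Review bot: The rewritten secmark branch in selinux_ip_postroute_compat() (hunk at 4467) drops the braces the old `else if` block had and leaves a three-line nested `if` as an unbraced body, while the parallel rewrite in selinux_sock_rcv_skb_compat() (hunk at 4035) keeps `if (selinux_secmark_enabled()) {` with a closing `}`; writing the postroute branch the same way keeps the two receive/send paths symmetric and avoids the dangling-else trap the next time a statement is added there. The two comment blocks at 4082 and 4494 still describe a hand-off to the `*_compat()` functions for "special handling", but on the new side the only remaining trigger is `!selinux_policycap_netpeer`; the sentence that opens those comments lies outside the hunks, and if it still speaks of a compatibility mode it should be reworded to name the missing netpeer policy capability. It would also help readers of the log if the description stated that a system still booting with `selinux_compat_net=1` now gets an unrecognised boot parameter and loses the legacy netif/node/port checks with no runtime notice, since the deprecation message that used to be printed is removed together with the selinuxfs node. All four enclosing functions start and end outside their hunks.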
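--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -47,8 +47,6 @@ static char *policycap_names[] = {
 
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
 
-int selinux_compat_net = 0;
-
 static int __init checkreqprot_setup(char *str)
 {
  unsigned long checkreqprot;
@@ -58,16 +56,6 @@ static int __init checkreqprot_setup(char *str)
 }
 __setup("checkreqprot=", checkreqprot_setup);
 
-static int __init selinux_compat_net_setup(char *str)
-{
- unsigned long compat_net;
- if (!strict_strtoul(str, 0, &compat_net))
- selinux_compat_net = compat_net ? 1 : 0;
- return 1;
-}
-__setup("selinux_compat_net=", selinux_compat_net_setup);
-
-
 static DEFINE_MUTEX(sel_mutex);
 
 /* global data for booleans */
@@ -450,61 +438,6 @@ static const struct file_operations sel_checkreqprot_ops = {
  .write = sel_write_checkreqprot,
 };
 
-static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
- size_t count, loff_t *ppos)
-{
- char tmpbuf[TMPBUFLEN];
- ssize_t length;
-
- length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net);
- return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
-}
-
-static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
- size_t count, loff_t *ppos)
-{
- char *page;
- ssize_t length;
- int new_value;
-
- length = task_has_security(current, SECURITY__LOAD_POLICY);
- if (length)
- return length;
-
- if (count >= PAGE_SIZE)
- return -ENOMEM;
- if (*ppos != 0) {
- /* No partial writes. */
- return -EINVAL;
- }
- page = (char *)get_zeroed_page(GFP_KERNEL);
- if (!page)
- return -ENOMEM;
- length = -EFAULT;
- if (copy_from_user(page, buf, count))
- goto out;
-
- length = -EINVAL;
- if (sscanf(page, "%d", &new_value) != 1)
- goto out;
-
- if (new_value) {
- printk(KERN_NOTICE
- "SELinux: compat_net is deprecated, please use secmark"
- " instead\n");
- selinux_compat_net = 1;
- } else
- selinux_compat_net = 0;
- length = count;
-out:
- free_page((unsigned long) page);
- return length;
-}
-static const struct file_operations sel_compat_net_ops = {
- .read = sel_read_compat_net,
- .write = sel_write_compat_net,
-};
-
 /*
  * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
  */
@@ -1665,7 +1598,6 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
  [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
  [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
  [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
- [SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
  [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
  [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
  /* last one */ {""}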
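Review bot: The `[SEL_COMPAT_NET]` row is removed from the selinux_files table in the hunk at 1598, but no hunk in this file touches the enum block that defines `SEL_COMPAT_NET`, so that enumerator presumably survives and now designates an unnamed, zero-initialised slot in the array. That is harmless only if simple_fill_super() skips entries whose name pointer is NULL, which is worth confirming against the version being patched, and either way the stale constant should be dropped together with this row or annotated, e.g. `SEL_COMPAT_NET, /* no longer implemented; kept so later inode numbers do not shift */` if those enumerators double as inode numbers (verify in sel_fill_super, which is outside the hunk). The enclosing selinux_files[] initializer starts and ends outside the hunk.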