authorPaul Moore <paul.moore@hp.com>2008-12-31 12:54:11 -0500
committerPaul Moore <paul.moore@hp.com>2008-12-31 12:54:11 -0500
commit277d342fc423fca5e66e677fe629d1b2f8f1b9e2 (patch)
tree733f8694020df6ff8d9e21e2419b0df71aeb4351
parent6c2e8ac0953fccdd24dc6c4b9e08e8f1cd68cf07 (diff)
selinux: Deprecate and schedule the removal of the the compat_net functionality
This patch is the first step towards removing the old "compat_net" code from the kernel. Secmark, the "compat_net" replacement, was first introduced in 2.6.18 (September 2006) and the major Linux distributions with SELinux support have transitioned to Secmark, so it is time to start deprecating the "compat_net" mechanism. Testing a patched version of 2.6.28-rc6 with the initial release of Fedora Core 5 did not show any problems when running in enforcing mode. This patch adds an entry to the feature-removal-schedule.txt file and removes the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing Secmark on by default although it can still be disabled at runtime. The patch also makes the Secmark permission checks "dynamic" in the sense that they are only executed when Secmark is configured; this should help prevent problems with older distributions that have not yet migrated to Secmark. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org>
-rw-r--r--Documentation/feature-removal-schedule.txt12
-rw-r--r--security/selinux/Kconfig27
-rw-r--r--security/selinux/hooks.c6
-rw-r--r--security/selinux/selinuxfs.c16
4 files changed, 23 insertions, 38 deletions
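--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -324,3 +324,15 @@ When: 2.6.29 (ideally) or 2.6.30 (more likely)
 Why: Deprecated by the new (standard) device driver binding model. Use
  i2c_driver->probe() and ->remove() instead.
 Who: Jean Delvare <khali@linux-fr.org>
+
+---------------------------
+
+What: SELinux "compat_net" functionality
+When: 2.6.30 at the earliest
+Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net"
+ network access control functionality of SELinux. Secmark offers both
+ better performance and greater flexibility than the "compat_net"
+ mechanism. Now that the major Linux distributions have moved to
+ Secmark, it is time to deprecate the older mechanism and start the
+ process of removing the old code.
+Who: Paul Moore <paul.moore@hp.com>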
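--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -94,33 +94,6 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
 
  If you are unsure how to answer this question, answer 1.
 
-config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
- bool "NSA SELinux enable new secmark network controls by default"
- depends on SECURITY_SELINUX
- default n
- help
- This option determines whether the new secmark-based network
- controls will be enabled by default. If not, the old internal
- per-packet controls will be enabled by default, preserving
- old behavior.
-
- If you enable the new controls, you will need updated
- SELinux userspace libraries, tools and policy. Typically,
- your distribution will provide these and enable the new controls
- in the kernel they also distribute.
-
- Note that this option can be overridden at boot with the
- selinux_compat_net parameter, and after boot via
- /selinux/compat_net. See Documentation/kernel-parameters.txt
- for details on this parameter.
-
- If you enable the new network controls, you will likely
- also require the SECMARK and CONNSECMARK targets, as
- well as any conntrack helpers for protocols which you
- wish to control.
-
- If you are unsure what to do here, select N.
-
 config SECURITY_SELINUX_POLICYDB_VERSION_MAX
  bool "NSA SELinux maximum supported policy format version"
  depends on SECURITY_SELINUX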
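--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4185,7 +4185,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
  u16 family)
 {
- int err;
+ int err = 0;
  struct sk_security_struct *sksec = sk->sk_security;
  u32 peer_sid;
  u32 sk_sid = sksec->sid;
@@ -4202,7 +4202,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
  if (selinux_compat_net)
  err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
  family, addrp);
- else
+ else if (selinux_secmark_enabled())
  err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
  PACKET__RECV, &ad);
  if (err)
@@ -4705,7 +4705,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
  if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
  &ad, family, addrp))
  return NF_DROP;
- } else {
+ } else if (selinux_secmark_enabled()) {
  if (avc_has_perm(sksec->sid, skb->secmark,
  SECCLASS_PACKET, PACKET__SEND, &ad))
  return NF_DROP;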
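Review bot: The new `else if (selinux_secmark_enabled())` branches in the second and third hunks let a packet that matches neither compat_net nor a secmark-aware policy pass with no per-packet permission check at all, and nothing at either site says this fail-open outcome is deliberate rather than a missed case. A one-line comment on each branch would stop a later reader from "fixing" it, e.g. `/* neither compat_net nor secmark is in use: no packet-level check to enforce */`. The `int err = 0;` initialisation in the first hunk is what makes the receive path return success on that fall-through, so the same comment belongs beside it, since the link between the two lines is otherwise invisible. Both selinux_sock_rcv_skb_compat and selinux_ip_postroute_compat start and end outside the hunks, and selinux_secmark_enabled() is not shown here, so whether its result can change between this check and the avc_has_perm() call cannot be judged from this page.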
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index c86303638235..77fb3c8d9267 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -47,13 +47,7 @@ static char *policycap_names[] = {
47 47
48unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 48unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
49 49
50#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT 50int selinux_compat_net = 0;
51#define SELINUX_COMPAT_NET_VALUE 0
52#else
53#define SELINUX_COMPAT_NET_VALUE 1
54#endif
55
56int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
57 51
58static int __init checkreqprot_setup(char *str) 52static int __init checkreqprot_setup(char *str)
59{ 53{
@@ -494,7 +488,13 @@ static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
494 if (sscanf(page, "%d", &new_value) != 1) 488 if (sscanf(page, "%d", &new_value) != 1)
495 goto out; 489 goto out;
496 490
497 selinux_compat_net = new_value ? 1 : 0; 491 if (new_value) {
492 printk(KERN_NOTICE
493 "SELinux: compat_net is deprecated, please use secmark"
494 " instead\n");
495 selinux_compat_net = 1;
496 } else
497 selinux_compat_net = 0;
498 length = count; 498 length = count;
499out: 499out:
500 free_page((unsigned long) page); 500 free_page((unsigned long) page);