diff options
author | Paul Moore <paul.moore@hp.com> | 2008-12-31 12:54:11 -0500 |
---|---|---|
committer | Paul Moore <paul.moore@hp.com> | 2008-12-31 12:54:11 -0500 |
commit | 277d342fc423fca5e66e677fe629d1b2f8f1b9e2 (patch) | |
tree | 733f8694020df6ff8d9e21e2419b0df71aeb4351 | |
parent | 6c2e8ac0953fccdd24dc6c4b9e08e8f1cd68cf07 (diff) |
selinux: Deprecate and schedule the removal of the the compat_net functionality
This patch is the first step towards removing the old "compat_net" code from
the kernel. Secmark, the "compat_net" replacement was first introduced in
2.6.18 (September 2006) and the major Linux distributions with SELinux support
have transitioned to Secmark so it is time to start deprecating the "compat_net"
mechanism. Testing a patched version of 2.6.28-rc6 with the initial release of
Fedora Core 5 did not show any problems when running in enforcing mode.
This patch adds an entry to the feature-removal-schedule.txt file and removes
the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing
Secmark on by default although it can still be disabled at runtime. The patch
also makes the Secmark permission checks "dynamic" in the sense that they are
only executed when Secmark is configured; this should help prevent problems
with older distributions that have not yet migrated to Secmark.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
-rw-r--r-- | Documentation/feature-removal-schedule.txt | 12 | ||||
-rw-r--r-- | security/selinux/Kconfig | 27 | ||||
-rw-r--r-- | security/selinux/hooks.c | 6 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 16 |
4 files changed, 23 insertions, 38 deletions
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt index dc7c681e532c..a0ed3964a219 100644 --- a/Documentation/feature-removal-schedule.txt +++ b/Documentation/feature-removal-schedule.txt | |||
@@ -324,3 +324,15 @@ When: 2.6.29 (ideally) or 2.6.30 (more likely) | |||
324 | Why: Deprecated by the new (standard) device driver binding model. Use | 324 | Why: Deprecated by the new (standard) device driver binding model. Use |
325 | i2c_driver->probe() and ->remove() instead. | 325 | i2c_driver->probe() and ->remove() instead. |
326 | Who: Jean Delvare <khali@linux-fr.org> | 326 | Who: Jean Delvare <khali@linux-fr.org> |
327 | |||
328 | --------------------------- | ||
329 | |||
330 | What: SELinux "compat_net" functionality | ||
331 | When: 2.6.30 at the earliest | ||
332 | Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net" | ||
333 | network access control functionality of SELinux. Secmark offers both | ||
334 | better performance and greater flexibility than the "compat_net" | ||
335 | mechanism. Now that the major Linux distributions have moved to | ||
336 | Secmark, it is time to deprecate the older mechanism and start the | ||
337 | process of removing the old code. | ||
338 | Who: Paul Moore <paul.moore@hp.com> | ||
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 26301dd651d3..bca1b74a4a2f 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig | |||
@@ -94,33 +94,6 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE | |||
94 | 94 | ||
95 | If you are unsure how to answer this question, answer 1. | 95 | If you are unsure how to answer this question, answer 1. |
96 | 96 | ||
97 | config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT | ||
98 | bool "NSA SELinux enable new secmark network controls by default" | ||
99 | depends on SECURITY_SELINUX | ||
100 | default n | ||
101 | help | ||
102 | This option determines whether the new secmark-based network | ||
103 | controls will be enabled by default. If not, the old internal | ||
104 | per-packet controls will be enabled by default, preserving | ||
105 | old behavior. | ||
106 | |||
107 | If you enable the new controls, you will need updated | ||
108 | SELinux userspace libraries, tools and policy. Typically, | ||
109 | your distribution will provide these and enable the new controls | ||
110 | in the kernel they also distribute. | ||
111 | |||
112 | Note that this option can be overridden at boot with the | ||
113 | selinux_compat_net parameter, and after boot via | ||
114 | /selinux/compat_net. See Documentation/kernel-parameters.txt | ||
115 | for details on this parameter. | ||
116 | |||
117 | If you enable the new network controls, you will likely | ||
118 | also require the SECMARK and CONNSECMARK targets, as | ||
119 | well as any conntrack helpers for protocols which you | ||
120 | wish to control. | ||
121 | |||
122 | If you are unsure what to do here, select N. | ||
123 | |||
124 | config SECURITY_SELINUX_POLICYDB_VERSION_MAX | 97 | config SECURITY_SELINUX_POLICYDB_VERSION_MAX |
125 | bool "NSA SELinux maximum supported policy format version" | 98 | bool "NSA SELinux maximum supported policy format version" |
126 | depends on SECURITY_SELINUX | 99 | depends on SECURITY_SELINUX |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index dbeaa783b2a9..df30a7555d8a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -4185,7 +4185,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, | |||
4185 | static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, | 4185 | static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, |
4186 | u16 family) | 4186 | u16 family) |
4187 | { | 4187 | { |
4188 | int err; | 4188 | int err = 0; |
4189 | struct sk_security_struct *sksec = sk->sk_security; | 4189 | struct sk_security_struct *sksec = sk->sk_security; |
4190 | u32 peer_sid; | 4190 | u32 peer_sid; |
4191 | u32 sk_sid = sksec->sid; | 4191 | u32 sk_sid = sksec->sid; |
@@ -4202,7 +4202,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, | |||
4202 | if (selinux_compat_net) | 4202 | if (selinux_compat_net) |
4203 | err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad, | 4203 | err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad, |
4204 | family, addrp); | 4204 | family, addrp); |
4205 | else | 4205 | else if (selinux_secmark_enabled()) |
4206 | err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, | 4206 | err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, |
4207 | PACKET__RECV, &ad); | 4207 | PACKET__RECV, &ad); |
4208 | if (err) | 4208 | if (err) |
@@ -4705,7 +4705,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
4705 | if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, | 4705 | if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, |
4706 | &ad, family, addrp)) | 4706 | &ad, family, addrp)) |
4707 | return NF_DROP; | 4707 | return NF_DROP; |
4708 | } else { | 4708 | } else if (selinux_secmark_enabled()) { |
4709 | if (avc_has_perm(sksec->sid, skb->secmark, | 4709 | if (avc_has_perm(sksec->sid, skb->secmark, |
4710 | SECCLASS_PACKET, PACKET__SEND, &ad)) | 4710 | SECCLASS_PACKET, PACKET__SEND, &ad)) |
4711 | return NF_DROP; | 4711 | return NF_DROP; |
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index c86303638235..77fb3c8d9267 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -47,13 +47,7 @@ static char *policycap_names[] = { | |||
47 | 47 | ||
48 | unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; | 48 | unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; |
49 | 49 | ||
50 | #ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT | 50 | int selinux_compat_net = 0; |
51 | #define SELINUX_COMPAT_NET_VALUE 0 | ||
52 | #else | ||
53 | #define SELINUX_COMPAT_NET_VALUE 1 | ||
54 | #endif | ||
55 | |||
56 | int selinux_compat_net = SELINUX_COMPAT_NET_VALUE; | ||
57 | 51 | ||
58 | static int __init checkreqprot_setup(char *str) | 52 | static int __init checkreqprot_setup(char *str) |
59 | { | 53 | { |
@@ -494,7 +488,13 @@ static ssize_t sel_write_compat_net(struct file *file, const char __user *buf, | |||
494 | if (sscanf(page, "%d", &new_value) != 1) | 488 | if (sscanf(page, "%d", &new_value) != 1) |
495 | goto out; | 489 | goto out; |
496 | 490 | ||
497 | selinux_compat_net = new_value ? 1 : 0; | 491 | if (new_value) { |
492 | printk(KERN_NOTICE | ||
493 | "SELinux: compat_net is deprecated, please use secmark" | ||
494 | " instead\n"); | ||
495 | selinux_compat_net = 1; | ||
496 | } else | ||
497 | selinux_compat_net = 0; | ||
498 | length = count; | 498 | length = count; |
499 | out: | 499 | out: |
500 | free_page((unsigned long) page); | 500 | free_page((unsigned long) page); |