path: root/security/selinux/hooks.c
authorStephen Smalley <sds@tycho.nsa.gov>2008-05-07 13:03:20 -0400
committerJames Morris <jmorris@namei.org>2008-07-14 01:01:34 -0400
commit12b29f34558b9b45a2c6eabd4f3c6be939a3980f (patch)
tree9b7921724226cd81901070026572bf05014dc41c /security/selinux/hooks.c
parentbce7f793daec3e65ec5c5705d2457b81fe7b5725 (diff)
selinux: support deferred mapping of contexts
Introduce SELinux support for deferred mapping of security contexts in the SID table upon policy reload, and use this support for inode security contexts when the context is not yet valid under the current policy. Only processes with CAP_MAC_ADMIN + mac_admin permission in policy can set undefined security contexts on inodes. Inodes with such undefined contexts are treated as having the unlabeled context until the context becomes valid upon a policy reload that defines the context. Context invalidation upon policy reload also uses this support to save the context information in the SID table and later recover it upon a subsequent policy reload that defines the context again. This support is to enable package managers and similar programs to set down file contexts unknown to the system policy at the time the file is created in order to better support placing loadable policy modules in packages and to support build systems that need to create images of different distro releases with different policies without requiring all of the contexts to be defined or legal in the build host policy. With this patch applied, the following sequence is possible, although in practice it is recommended that this permission only be allowed to specific program domains such as the package manager. 
# rmdir baz # rm bar # touch bar # chcon -t foo_exec_t bar # foo_exec_t is not yet defined chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument # mkdir -Z system_u:object_r:foo_exec_t baz mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument # cat setundefined.te policy_module(setundefined, 1.0) require { type unconfined_t; type unlabeled_t; } files_type(unlabeled_t) allow unconfined_t self:capability2 mac_admin; # make -f /usr/share/selinux/devel/Makefile setundefined.pp # semodule -i setundefined.pp # chcon -t foo_exec_t bar # foo_exec_t is not yet defined # mkdir -Z system_u:object_r:foo_exec_t baz # ls -Zd bar baz -rw-r--r-- root root system_u:object_r:unlabeled_t bar drwxr-xr-x root root system_u:object_r:unlabeled_t baz # cat foo.te policy_module(foo, 1.0) type foo_exec_t; files_type(foo_exec_t) # make -f /usr/share/selinux/devel/Makefile foo.pp # semodule -i foo.pp # defines foo_exec_t # ls -Zd bar baz -rw-r--r-- root root user_u:object_r:foo_exec_t bar drwxr-xr-x root root system_u:object_r:foo_exec_t baz # semodule -r foo # ls -Zd bar baz -rw-r--r-- root root system_u:object_r:unlabeled_t bar drwxr-xr-x root root system_u:object_r:unlabeled_t baz # semodule -i foo.pp # ls -Zd bar baz -rw-r--r-- root root user_u:object_r:foo_exec_t bar drwxr-xr-x root root system_u:object_r:foo_exec_t baz # semodule -r setundefined foo # chcon -t foo_exec_t bar # no longer defined and not allowed chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument # rmdir baz # mkdir -Z system_u:object_r:foo_exec_t baz mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c20
1 files changed, 16 insertions, 4 deletions
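--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2495,7 +2495,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
 	}
 
 	if (value && len) {
-		rc = security_sid_to_context(newsid, &context, &clen);
+		rc = security_sid_to_context_force(newsid, &context, &clen);
 		if (rc) {
 			kfree(namep);
 			return rc;
@@ -2669,6 +2669,11 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
 		return rc;
 
 	rc = security_context_to_sid(value, size, &newsid);
+	if (rc == -EINVAL) {
+		if (!capable(CAP_MAC_ADMIN))
+			return rc;
+		rc = security_context_to_sid_force(value, size, &newsid);
+	}
 	if (rc)
 		return rc;
 
@@ -2703,10 +2708,11 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
 		return;
 	}
 
-	rc = security_context_to_sid(value, size, &newsid);
+	rc = security_context_to_sid_force(value, size, &newsid);
 	if (rc) {
-		printk(KERN_WARNING "%s: unable to obtain SID for context "
-		       "%s, rc=%d\n", __func__, (char *)value, -rc);
+		printk(KERN_ERR "SELinux: unable to map context to SID"
+		       "for (%s, %lu), rc=%d\n",
+		       inode->i_sb->s_id, inode->i_ino, -rc);
 		return;
 	}
 
@@ -5153,6 +5159,12 @@ static int selinux_setprocattr(struct task_struct *p,
 		size--;
 	}
 	error = security_context_to_sid(value, size, &sid);
+	if (error == -EINVAL && !strcmp(name, "fscreate")) {
+		if (!capable(CAP_MAC_ADMIN))
+			return error;
+		error = security_context_to_sid_force(value, size,
+						      &sid);
+	}
 	if (error)
 		return error;
 	}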
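Review bot: The two adjacent string literals in the new printk in selinux_inode_post_setxattr (new lines 2713-2714) concatenate to `"...unable to map context to SIDfor (%s, %lu)..."` — there is no space before `for`; change the first literal to `"SELinux: unable to map context to SID "`. Separately, the same hunk now calls security_context_to_sid_force() with no CAP_MAC_ADMIN check of its own, which is presumably safe only because the value already passed the gated path in selinux_inode_setxattr; a comment at that call would keep that coupling explicit for future callers: `/* Already validated (or force-mapped under CAP_MAC_ADMIN) in selinux_inode_setxattr(); map again so the isec gets the same SID. */`. The function continues past the end of the hunk, so the use of newsid after the check is not visible here.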