authorKaiGai Kohei <kaigai@ak.jp.nec.com>2008-08-28 03:35:57 -0400
committerJames Morris <jmorris@namei.org>2008-08-28 10:33:33 -0400
commitd9250dea3f89fe808a525f08888016b495240ed4 (patch)
treec4b039ce0b29714e8f4c3bbc6d407adc361cc122 /security/selinux/hooks.c
parentda31894ed7b654e2e1741e7ac4ef6c15be0dd14b (diff)
SELinux: add boundary support and thread context assignment
The purpose of this patch is to assign per-thread security context under a constraint. It enables multi-threaded server application to kick a request handler with its fair security context, and helps some of userspace object managers to handle user's request. When we assign a per-thread security context, it must not have wider permissions than the original one. Because a multi-threaded process shares a single local memory, an arbitrary per-thread security context also means another thread can easily refer violated information. The constraint on a per-thread security context requires a new domain has to be equal or weaker than its original one, when it tries to assign a per-thread security context. Bounds relationship between two types is a way to ensure a domain can never have wider permission than its bounds. We can define it in two explicit or implicit ways. The first way is using new TYPEBOUNDS statement. It enables to define a boundary of types explicitly. The other one expands the concept of existing named based hierarchy. If we define a type with "." separated name like "httpd_t.php", the toolchain implicitly sets its bounds on "httpd_t". This feature requires a new policy version. The 24th version (POLICYDB_VERSION_BOUNDARY) enables to ship them into kernel space, and the following patch enables to handle it. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6b5790bba8f9..89f446d86054 100644
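--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5226,8 +5226,12 @@ static int selinux_setprocattr(struct task_struct *p,
 
 if (sid == 0)
 return -EINVAL;
-
-/* Only allow single threaded processes to change context */
+/*
+* SELinux allows to change context in the following case only.
+* - Single threaded processes.
+* - Multi threaded processes intend to change its context into
+* more restricted domain (defined by TYPEBOUNDS statement).
+*/
 if (atomic_read(&p->mm->mm_users) != 1) {
 struct task_struct *g, *t;
 struct mm_struct *mm = p->mm;
@@ -5235,11 +5239,16 @@ static int selinux_setprocattr(struct task_struct *p,
 do_each_thread(g, t) {
 if (t->mm == mm && t != p) {
 read_unlock(&tasklist_lock);
-return -EPERM;
+error = security_bounded_transition(tsec->sid, sid);
+if (!error)
+goto boundary_ok;
+
+return error;
 }
 } while_each_thread(g, t);
 read_unlock(&tasklist_lock);
 }
+boundary_ok:
 
 /* Check permissions for the transition. */
 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,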
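Review bot: The `boundary_ok:` label in the second hunk has no comment saying that a passed bounds check only lifts the single-thread restriction and that the `avc_has_perm()` transition check below must still succeed, so a later edit that moves the label past that check would let a bounded multi-threaded transition skip it. I would add `/* Bounds check passed; the transition permission check below still applies. */` on the line after the label. The new block comment in the first hunk names only TYPEBOUNDS, while the commit message also describes implicit bounds from "."-separated type names and an "equal or weaker" rule, so it could read `bounded by the current domain (explicit TYPEBOUNDS or implied by the type name hierarchy)`. The multi-threaded failure path now returns whatever `security_bounded_transition()` yields instead of `-EPERM`; that function is defined outside this file section, so its errno values and whether a denial is audited should be confirmed. `selinux_setprocattr()` begins and ends outside both hunks.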