author | Paul Moore <pmoore@redhat.com> | 2013-09-18 13:52:20 -0400 |
committer | Paul Moore <pmoore@redhat.com> | 2013-09-18 13:52:20 -0400 |
commit | 98f700f317967d45cf60c9843b3c42ce3c286f7c (patch) | |
tree | 2e68b189ceb954182af56b8f6febe644119b7cd7 /security/selinux/include | |
parent | 6e4664525b1db28f8c4e1130957f70a94c19213e (diff) | |
parent | 0b4bdb3573a86a88c829b9e4ad702859eb923e7e (diff) |
Merge git://git.infradead.org/users/eparis/selinux
Conflicts:
security/selinux/hooks.c
Pull Eric's existing SELinux tree as there are a number of patches in
there that are not yet upstream. There was some minor fixup needed to
resolve a conflict in security/selinux/hooks.c:selinux_set_mnt_opts()
between the labeled NFS patches and Eric's security_fs_use()
simplification patch.
Diffstat (limited to 'security/selinux/include')
-rw-r--r-- | security/selinux/include/objsec.h | 4 | ||||
-rw-r--r-- | security/selinux/include/security.h | 13 | ||||
-rw-r--r-- | security/selinux/include/xfrm.h | 45 |
3 files changed, 29 insertions, 33 deletions
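--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -58,8 +58,8 @@ struct superblock_security_struct {
 	u32 sid; /* SID of file system superblock */
 	u32 def_sid; /* default SID for labeling */
 	u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
-	unsigned int behavior; /* labeling behavior */
-	unsigned char flags; /* which mount options were specified */
+	unsigned short behavior; /* labeling behavior */
+	unsigned short flags; /* which mount options were specified */
 	struct mutex lock;
 	struct list_head isec_head;
 	spinlock_t isec_lock;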
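Review bot: The widening of `flags` from unsigned char to unsigned short is only correct because the SE_SB* bits moved up to 0x0100/0x0200 in security.h, but nothing in this struct records that coupling, so a future flag added at bit 16 would be silently truncated. I'd state the constraint on the field: `unsigned short flags; /* mount-option bits (SE_MNTMASK) plus SE_SB* bits up to 0x0200 — must stay wide enough for every flag in security.h */`, and ideally back it with a `BUILD_BUG_ON(SE_SBPROC > USHRT_MAX)` where the flags are first assigned. The narrowing of `behavior` to unsigned short looks safe given SECURITY_FS_USE_MAX is 7, but any remaining caller that passes `&sbsec->behavior` as an `unsigned int *` would now be a type mismatch; the new `security_fs_use(struct super_block *sb)` prototype appears to remove that path, which I cannot fully confirm from this header alone. The enclosing struct starts before this hunk.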
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 8fd8e18ea340..fe341ae37004 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -45,14 +45,15 @@ | |||
45 | /* Mask for just the mount related flags */ | 45 | /* Mask for just the mount related flags */ |
46 | #define SE_MNTMASK 0x0f | 46 | #define SE_MNTMASK 0x0f |
47 | /* Super block security struct flags for mount options */ | 47 | /* Super block security struct flags for mount options */ |
48 | /* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */ | ||
48 | #define CONTEXT_MNT 0x01 | 49 | #define CONTEXT_MNT 0x01 |
49 | #define FSCONTEXT_MNT 0x02 | 50 | #define FSCONTEXT_MNT 0x02 |
50 | #define ROOTCONTEXT_MNT 0x04 | 51 | #define ROOTCONTEXT_MNT 0x04 |
51 | #define DEFCONTEXT_MNT 0x08 | 52 | #define DEFCONTEXT_MNT 0x08 |
53 | #define SBLABEL_MNT 0x10 | ||
52 | /* Non-mount related flags */ | 54 | /* Non-mount related flags */ |
53 | #define SE_SBINITIALIZED 0x10 | 55 | #define SE_SBINITIALIZED 0x0100 |
54 | #define SE_SBPROC 0x20 | 56 | #define SE_SBPROC 0x0200 |
55 | #define SE_SBLABELSUPP 0x40 | ||
56 | 57 | ||
57 | #define CONTEXT_STR "context=" | 58 | #define CONTEXT_STR "context=" |
58 | #define FSCONTEXT_STR "fscontext=" | 59 | #define FSCONTEXT_STR "fscontext=" |
@@ -68,12 +69,15 @@ extern int selinux_enabled; | |||
68 | enum { | 69 | enum { |
69 | POLICYDB_CAPABILITY_NETPEER, | 70 | POLICYDB_CAPABILITY_NETPEER, |
70 | POLICYDB_CAPABILITY_OPENPERM, | 71 | POLICYDB_CAPABILITY_OPENPERM, |
72 | POLICYDB_CAPABILITY_REDHAT1, | ||
73 | POLICYDB_CAPABILITY_ALWAYSNETWORK, | ||
71 | __POLICYDB_CAPABILITY_MAX | 74 | __POLICYDB_CAPABILITY_MAX |
72 | }; | 75 | }; |
73 | #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) | 76 | #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) |
74 | 77 | ||
75 | extern int selinux_policycap_netpeer; | 78 | extern int selinux_policycap_netpeer; |
76 | extern int selinux_policycap_openperm; | 79 | extern int selinux_policycap_openperm; |
80 | extern int selinux_policycap_alwaysnetwork; | ||
77 | 81 | ||
78 | /* | 82 | /* |
79 | * type_datum properties | 83 | * type_datum properties |
@@ -172,8 +176,7 @@ int security_get_allow_unknown(void); | |||
172 | #define SECURITY_FS_USE_NATIVE 7 /* use native label support */ | 176 | #define SECURITY_FS_USE_NATIVE 7 /* use native label support */ |
173 | #define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */ | 177 | #define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */ |
174 | 178 | ||
175 | int security_fs_use(const char *fstype, unsigned int *behavior, | 179 | int security_fs_use(struct super_block *sb); |
176 | u32 *sid); | ||
177 | 180 | ||
178 | int security_genfs_sid(const char *fstype, char *name, u16 sclass, | 181 | int security_genfs_sid(const char *fstype, char *name, u16 sclass, |
179 | u32 *sid); | 182 | u32 *sid); |
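Review bot: In the first hunk SBLABEL_MNT (0x10) is placed under the "mount options" comment, right after the BE CAREFUL note about low-order bits, yet SE_MNTMASK stays 0x0f and so excludes it; any code that uses SE_MNTMASK to copy or strip the user-specified mount options will drop SBLABEL_MNT, and it is not obvious from the header whether that is intended. If SBLABEL_MNT is a capability flag rather than a user option (it replaces the removed SE_SBLABELSUPP), I'd make that explicit: `#define SBLABEL_MNT 0x10 /* fs supports labeling; NOT a user mount option, deliberately outside SE_MNTMASK */`; if it is meant to be an option, SE_MNTMASK needs to become 0x1f. Separately, the last hunk changes `security_fs_use()` to take `struct super_block *sb`, so this header now needs `struct super_block` in scope; unless an include above the hunk already provides it, a forward declaration `struct super_block;` near the top of the file avoids a dependency on include order.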
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index 65f67cb0aefb..7605251936f5 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h | |||
@@ -10,29 +10,21 @@ | |||
10 | #include <net/flow.h> | 10 | #include <net/flow.h> |
11 | 11 | ||
12 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, | 12 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, |
13 | struct xfrm_user_sec_ctx *sec_ctx); | 13 | struct xfrm_user_sec_ctx *uctx); |
14 | int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, | 14 | int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, |
15 | struct xfrm_sec_ctx **new_ctxp); | 15 | struct xfrm_sec_ctx **new_ctxp); |
16 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx); | 16 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx); |
17 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx); | 17 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx); |
18 | int selinux_xfrm_state_alloc(struct xfrm_state *x, | 18 | int selinux_xfrm_state_alloc(struct xfrm_state *x, |
19 | struct xfrm_user_sec_ctx *sec_ctx, u32 secid); | 19 | struct xfrm_user_sec_ctx *uctx); |
20 | int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, | ||
21 | struct xfrm_sec_ctx *polsec, u32 secid); | ||
20 | void selinux_xfrm_state_free(struct xfrm_state *x); | 22 | void selinux_xfrm_state_free(struct xfrm_state *x); |
21 | int selinux_xfrm_state_delete(struct xfrm_state *x); | 23 | int selinux_xfrm_state_delete(struct xfrm_state *x); |
22 | int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); | 24 | int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); |
23 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, | 25 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, |
24 | struct xfrm_policy *xp, const struct flowi *fl); | 26 | struct xfrm_policy *xp, |
25 | 27 | const struct flowi *fl); | |
26 | /* | ||
27 | * Extract the security blob from the sock (it's actually on the socket) | ||
28 | */ | ||
29 | static inline struct inode_security_struct *get_sock_isec(struct sock *sk) | ||
30 | { | ||
31 | if (!sk->sk_socket) | ||
32 | return NULL; | ||
33 | |||
34 | return SOCK_INODE(sk->sk_socket)->i_security; | ||
35 | } | ||
36 | 28 | ||
37 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | 29 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
38 | extern atomic_t selinux_xfrm_refcount; | 30 | extern atomic_t selinux_xfrm_refcount; |
@@ -42,10 +34,10 @@ static inline int selinux_xfrm_enabled(void) | |||
42 | return (atomic_read(&selinux_xfrm_refcount) > 0); | 34 | return (atomic_read(&selinux_xfrm_refcount) > 0); |
43 | } | 35 | } |
44 | 36 | ||
45 | int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, | 37 | int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb, |
46 | struct common_audit_data *ad); | 38 | struct common_audit_data *ad); |
47 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, | 39 | int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, |
48 | struct common_audit_data *ad, u8 proto); | 40 | struct common_audit_data *ad, u8 proto); |
49 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); | 41 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); |
50 | 42 | ||
51 | static inline void selinux_xfrm_notify_policyload(void) | 43 | static inline void selinux_xfrm_notify_policyload(void) |
@@ -59,19 +51,21 @@ static inline int selinux_xfrm_enabled(void) | |||
59 | return 0; | 51 | return 0; |
60 | } | 52 | } |
61 | 53 | ||
62 | static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, | 54 | static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb, |
63 | struct common_audit_data *ad) | 55 | struct common_audit_data *ad) |
64 | { | 56 | { |
65 | return 0; | 57 | return 0; |
66 | } | 58 | } |
67 | 59 | ||
68 | static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, | 60 | static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, |
69 | struct common_audit_data *ad, u8 proto) | 61 | struct common_audit_data *ad, |
62 | u8 proto) | ||
70 | { | 63 | { |
71 | return 0; | 64 | return 0; |
72 | } | 65 | } |
73 | 66 | ||
74 | static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) | 67 | static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, |
68 | int ckall) | ||
75 | { | 69 | { |
76 | *sid = SECSID_NULL; | 70 | *sid = SECSID_NULL; |
77 | return 0; | 71 | return 0; |
@@ -82,10 +76,9 @@ static inline void selinux_xfrm_notify_policyload(void) | |||
82 | } | 76 | } |
83 | #endif | 77 | #endif |
84 | 78 | ||
85 | static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid) | 79 | static inline int selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid) |
86 | { | 80 | { |
87 | int err = selinux_xfrm_decode_session(skb, sid, 0); | 81 | return selinux_xfrm_decode_session(skb, sid, 0); |
88 | BUG_ON(err); | ||
89 | } | 82 | } |
90 | 83 | ||
91 | #endif /* _SELINUX_XFRM_H_ */ | 84 | #endif /* _SELINUX_XFRM_H_ */ |
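Review bot: `selinux_skb_xfrm_sid()` now returns the error from `selinux_xfrm_decode_session()` instead of hitting BUG_ON, but the header says nothing about what `*sid` holds when the call fails, so a caller that ignores the return value and uses `*sid` as a packet label may be relying on an undefined value. I'd document the contract on the wrapper: `/* Returns 0 and sets *sid on success; on a non-zero return *sid must not be used as a label — callers must check the result. */`. The !CONFIG_SECURITY_NETWORK_XFRM stub above does set `*sid = SECSID_NULL` before returning 0, but the real `selinux_xfrm_decode_session()` lives outside this header, so whether it initialises `*sid` on every failure path cannot be confirmed here and should be checked where the return value is consumed.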