Merge branch 'next' into for-linus

author: James Morris <jmorris@namei.org> 2009-01-06 17:58:22 -0500
committer: James Morris <jmorris@namei.org> 2009-01-06 17:58:22 -0500
commit: ac8cc0fa5395fe2278e305a4cbed48e90d88d878 (patch)
tree: 515f577bfddd054ee4373228be7c974dfb8133af /security/selinux
parent: 238c6d54830c624f34ac9cf123ac04aebfca5013 (diff)
parent: 3699c53c485bf0168e6500d0ed18bf931584dd7c (diff)
6 files changed, 33 insertions, 54 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 26301dd651d3..bca1b74a4a2f 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -94,33 +94,6 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
          If you are unsure how to answer this question, answer 1.
-config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
-        bool "NSA SELinux enable new secmark network controls by default"
-        depends on SECURITY_SELINUX
-        default n
-        help
-          This option determines whether the new secmark-based network
-          controls will be enabled by default.  If not, the old internal
-          per-packet controls will be enabled by default, preserving
-          old behavior.
-          If you enable the new controls, you will need updated
-          SELinux userspace libraries, tools and policy.  Typically,
-          your distribution will provide these and enable the new controls
-          in the kernel they also distribute.
-          Note that this option can be overridden at boot with the
-          selinux_compat_net parameter, and after boot via
-          /selinux/compat_net.  See Documentation/kernel-parameters.txt
-          for details on this parameter.
-          If you enable the new network controls, you will likely
-          also require the SECMARK and CONNSECMARK targets, as
-          well as any conntrack helpers for protocols which you
-          wish to control.
-          If you are unsure what to do here, select N.
 config SECURITY_SELINUX_POLICYDB_VERSION_MAX
        bool "NSA SELinux maximum supported policy format version"
        depends on SECURITY_SELINUX
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index d43bd6baeeaa..eb41f43e2772 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -53,18 +53,20 @@ static const char *class_to_string[] = {
 #undef S_
 static const struct av_inherit av_inherit[] = {
-#define S_(c, i, b) { c, common_##i##_perm_to_string, b },
+#define S_(c, i, b) {   .tclass = c,\
+                        .common_pts = common_##i##_perm_to_string,\
+                        .common_base =  b },
 #include "av_inherit.h"
 #undef S_
 };
 const struct selinux_class_perm selinux_class_perm = {
-        av_perm_to_string,
+        .av_perm_to_string = av_perm_to_string,
-        ARRAY_SIZE(av_perm_to_string),
+        .av_pts_len = ARRAY_SIZE(av_perm_to_string),
-        class_to_string,
+        .class_to_string = class_to_string,
-        ARRAY_SIZE(class_to_string),
+        .cts_len = ARRAY_SIZE(class_to_string),
-        av_inherit,
+        .av_inherit = av_inherit,
-        ARRAY_SIZE(av_inherit)
+        .av_inherit_len = ARRAY_SIZE(av_inherit)
 };
 #define AVC_CACHE_SLOTS                 512
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index dbeaa783b2a9..00815973d412 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1433,12 +1433,13 @@ static int current_has_perm(const struct task_struct *tsk,
 /* Check whether a task is allowed to use a capability. */
 static int task_has_capability(struct task_struct *tsk,
+                               const struct cred *cred,
                               int cap, int audit)
 {
        struct avc_audit_data ad;
        struct av_decision avd;
        u16 sclass;
-        u32 sid = task_sid(tsk);
+        u32 sid = cred_sid(cred);
        u32 av = CAP_TO_MASK(cap);
        int rc;
@@ -1865,15 +1866,16 @@ static int selinux_capset(struct cred *new, const struct cred *old,
        return cred_has_perm(old, new, PROCESS__SETCAP);
 }
-static int selinux_capable(struct task_struct *tsk, int cap, int audit)
+static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
+                           int cap, int audit)
 {
        int rc;
-        rc = secondary_ops->capable(tsk, cap, audit);
+        rc = secondary_ops->capable(tsk, cred, cap, audit);
        if (rc)
                return rc;
-        return task_has_capability(tsk, cap, audit);
+        return task_has_capability(tsk, cred, cap, audit);
 }
 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -2037,7 +2039,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
        int rc, cap_sys_admin = 0;
-        rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
+        rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
+                             SECURITY_CAP_NOAUDIT);
        if (rc == 0)
                cap_sys_admin = 1;
@@ -2880,7 +2883,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
         * and lack of permission just means that we fall back to the
         * in-core context value, not a denial.
         */
-        error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
+        error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
+                                SECURITY_CAP_NOAUDIT);
        if (!error)
                error = security_sid_to_context_force(isec->sid, &context,
                                                      &size);
@@ -4185,7 +4189,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
                                       u16 family)
 {
-        int err;
+        int err = 0;
        struct sk_security_struct *sksec = sk->sk_security;
        u32 peer_sid;
        u32 sk_sid = sksec->sid;
@@ -4202,7 +4206,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
        if (selinux_compat_net)
                err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
                                                           family, addrp);
-        else
+        else if (selinux_secmark_enabled())
                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
                                   PACKET__RECV, &ad);
        if (err)
@@ -4705,7 +4709,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
                if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
                                                         &ad, family, addrp))
                        return NF_DROP;
-        } else {
+        } else if (selinux_secmark_enabled()) {
                if (avc_has_perm(sksec->sid, skb->secmark,
                                 SECCLASS_PACKET, PACKET__SEND, &ad))
                        return NF_DROP;
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index c0d314d9f8e1..bb1ec801bdfe 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -17,16 +17,16 @@ struct av_perm_to_string {
 };
 struct av_inherit {
-        u16 tclass;
        const char **common_pts;
        u32 common_base;
+        u16 tclass;
 };
 struct selinux_class_perm {
        const struct av_perm_to_string *av_perm_to_string;
        u32 av_pts_len;
-        const char **class_to_string;
        u32 cts_len;
+        const char **class_to_string;
        const struct av_inherit *av_inherit;
        u32 av_inherit_len;
 };
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 8f612c8becb5..01ec6d2c6b97 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -47,13 +47,7 @@ static char *policycap_names[] = {
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
-#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
+int selinux_compat_net = 0;
-#define SELINUX_COMPAT_NET_VALUE 0
-#else
-#define SELINUX_COMPAT_NET_VALUE 1
-#endif
-int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
 static int __init checkreqprot_setup(char *str)
 {
@@ -494,7 +488,13 @@ static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
        if (sscanf(page, "%d", &new_value) != 1)
                goto out;
-        selinux_compat_net = new_value ? 1 : 0;
+        if (new_value) {
+                printk(KERN_NOTICE
+                       "SELinux: compat_net is deprecated, please use secmark"
+                       " instead\n");
+                selinux_compat_net = 1;
+        } else
+                selinux_compat_net = 0;
        length = count;
 out:
        free_page((unsigned long) page);
diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
index 658c2bd17da8..d9dd7a2f6a8a 100644
--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -27,9 +27,9 @@ struct context {
        u32 user;
        u32 role;
        u32 type;
+        u32 len;        /* length of string in bytes */
        struct mls_range range;
        char *str;      /* string representation if context cannot be mapped. */
-        u32 len;        /* length of string in bytes */
 };
 static inline void mls_context_init(struct context *c)
author	James Morris <jmorris@namei.org>	2009-01-06 17:58:22 -0500
committer	James Morris <jmorris@namei.org>	2009-01-06 17:58:22 -0500
commit	ac8cc0fa5395fe2278e305a4cbed48e90d88d878 (patch)
tree	515f577bfddd054ee4373228be7c974dfb8133af /security/selinux
parent	238c6d54830c624f34ac9cf123ac04aebfca5013 (diff)
parent	3699c53c485bf0168e6500d0ed18bf931584dd7c (diff)