authorRichard Haines <richard_c_haines@btinternet.com>2013-11-19 17:34:23 -0500
committerPaul Moore <pmoore@redhat.com>2013-11-19 17:34:23 -0500
commita660bec1d84ad19a39e380af129e207b3b8f609e (patch)
tree7dce6178a20225dacb833cec5d3b781d1b3626ac /security/selinux
parent94851b18d4eb94f8bbf0d9176f7429bd8e371f62 (diff)
SELinux: Update policy version to support constraints info
Update the policy version (POLICYDB_VERSION_CONSTRAINT_NAMES) to allow holding of policy source info for constraints. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/ss/constraint.h1
-rw-r--r--security/selinux/ss/policydb.c96
-rw-r--r--security/selinux/ss/policydb.h11
4 files changed, 101 insertions, 10 deletions
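--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -33,13 +33,14 @@
 #define POLICYDB_VERSION_ROLETRANS	26
 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	27
 #define POLICYDB_VERSION_DEFAULT_TYPE	28
+#define POLICYDB_VERSION_CONSTRAINT_NAMES	29
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_DEFAULT_TYPE
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_CONSTRAINT_NAMES
 #endif
 
 /* Mask for just the mount related flags */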
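--- a/security/selinux/ss/constraint.h
+++ b/security/selinux/ss/constraint.h
@@ -48,6 +48,7 @@ struct constraint_expr {
 	u32 op;			/* operator */
 
 	struct ebitmap names;	/* names */
+	struct type_set *type_names;
 
 	struct constraint_expr *next;	/* next expression */
 };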
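Review bot: The new `type_names` member at line 51 is the only field of `struct constraint_expr` without a comment, and its ownership and lifetime contract is non-obvious: policydb.c's `constraint_expr_destroy()` frees it only when it is non-NULL, and `read_cons_helper()` populates it only in the branch that reads `e->names` and only when `p->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES`. That means the destroy path relies on the field being zero-initialised for every other expression and every older-version policy; the allocation of the expression itself is outside this diff, so that presumably holds via a zeroing allocator but is worth stating next to the field. Suggest `struct type_set *type_names;	/* NULL unless policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES; owned here, freed by constraint_expr_destroy() */`.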
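--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -143,6 +143,11 @@ static struct policydb_compat_info policydb_compat[] = {
 		.sym_num = SYM_NUM,
 		.ocon_num = OCON_NUM,
 	},
+	{
+		.version = POLICYDB_VERSION_CONSTRAINT_NAMES,
+		.sym_num = SYM_NUM,
+		.ocon_num = OCON_NUM,
+	},
 };
 
 static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -613,6 +618,19 @@ static int common_destroy(void *key, void *datum, void *p)
 	return 0;
 }
 
+static void constraint_expr_destroy(struct constraint_expr *expr)
+{
+	if (expr) {
+		ebitmap_destroy(&expr->names);
+		if (expr->type_names) {
+			ebitmap_destroy(&expr->type_names->types);
+			ebitmap_destroy(&expr->type_names->negset);
+			kfree(expr->type_names);
+		}
+		kfree(expr);
+	}
+}
+
 static int cls_destroy(void *key, void *datum, void *p)
 {
 	struct class_datum *cladatum;
@@ -628,10 +646,9 @@ static int cls_destroy(void *key, void *datum, void *p)
 		while (constraint) {
 			e = constraint->expr;
 			while (e) {
-				ebitmap_destroy(&e->names);
 				etmp = e;
 				e = e->next;
-				kfree(etmp);
+				constraint_expr_destroy(etmp);
 			}
 			ctemp = constraint;
 			constraint = constraint->next;
@@ -642,16 +659,14 @@ static int cls_destroy(void *key, void *datum, void *p)
 		while (constraint) {
 			e = constraint->expr;
 			while (e) {
-				ebitmap_destroy(&e->names);
 				etmp = e;
 				e = e->next;
-				kfree(etmp);
+				constraint_expr_destroy(etmp);
 			}
 			ctemp = constraint;
 			constraint = constraint->next;
 			kfree(ctemp);
 		}
-
 		kfree(cladatum->comkey);
 	}
 	kfree(datum);
@@ -1156,8 +1171,34 @@ bad:
 	return rc;
 }
 
-static int read_cons_helper(struct constraint_node **nodep, int ncons,
-				int allowxtarget, void *fp)
+static void type_set_init(struct type_set *t)
+{
+	ebitmap_init(&t->types);
+	ebitmap_init(&t->negset);
+}
+
+static int type_set_read(struct type_set *t, void *fp)
+{
+	__le32 buf[1];
+	int rc;
+
+	if (ebitmap_read(&t->types, fp))
+		return -EINVAL;
+	if (ebitmap_read(&t->negset, fp))
+		return -EINVAL;
+
+	rc = next_entry(buf, fp, sizeof(u32));
+	if (rc < 0)
+		return -EINVAL;
+	t->flags = le32_to_cpu(buf[0]);
+
+	return 0;
+}
+
+
+static int read_cons_helper(struct policydb *p,
+				struct constraint_node **nodep,
+				int ncons, int allowxtarget, void *fp)
 {
 	struct constraint_node *c, *lc;
 	struct constraint_expr *e, *le;
@@ -1225,6 +1266,18 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
 				rc = ebitmap_read(&e->names, fp);
 				if (rc)
 					return rc;
+				if (p->policyvers >=
+					POLICYDB_VERSION_CONSTRAINT_NAMES) {
+					e->type_names = kzalloc(sizeof
+						(*e->type_names),
+						GFP_KERNEL);
+					if (!e->type_names)
+						return -ENOMEM;
+					type_set_init(e->type_names);
+					rc = type_set_read(e->type_names, fp);
+					if (rc)
+						return rc;
+				}
 				break;
 			default:
 				return -EINVAL;
@@ -1301,7 +1354,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
 			goto bad;
 	}
 
-	rc = read_cons_helper(&cladatum->constraints, ncons, 0, fp);
+	rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);
 	if (rc)
 		goto bad;
 
@@ -1311,7 +1364,8 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
 		if (rc)
 			goto bad;
 		ncons = le32_to_cpu(buf[0]);
-		rc = read_cons_helper(&cladatum->validatetrans, ncons, 1, fp);
+		rc = read_cons_helper(p, &cladatum->validatetrans,
+				ncons, 1, fp);
 		if (rc)
 			goto bad;
 	}
@@ -2753,6 +2807,24 @@ static int common_write(void *vkey, void *datum, void *ptr)
 	return 0;
 }
 
+static int type_set_write(struct type_set *t, void *fp)
+{
+	int rc;
+	__le32 buf[1];
+
+	if (ebitmap_write(&t->types, fp))
+		return -EINVAL;
+	if (ebitmap_write(&t->negset, fp))
+		return -EINVAL;
+
+	buf[0] = cpu_to_le32(t->flags);
+	rc = put_entry(buf, sizeof(u32), 1, fp);
+	if (rc)
+		return -EINVAL;
+
+	return 0;
+}
+
 static int write_cons_helper(struct policydb *p, struct constraint_node *node,
 				void *fp)
 {
@@ -2784,6 +2856,12 @@ static int write_cons_helper(struct policydb *p, struct constraint_node *node,
 				rc = ebitmap_write(&e->names, fp);
 				if (rc)
 					return rc;
+				if (p->policyvers >=
+					POLICYDB_VERSION_CONSTRAINT_NAMES) {
+					rc = type_set_write(e->type_names, fp);
+					if (rc)
+						return rc;
+				}
 				break;
 			default:
 				break;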
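Review bot: `type_set_read()` (new lines 1180–1196) collapses every failure of `ebitmap_read()` and `next_entry()` into `-EINVAL`, so an allocation failure inside the bitmap reader is reported to the policy loader as a malformed image rather than `-ENOMEM`; `type_set_write()` (2810–2826) does the same with `ebitmap_write()` and `put_entry()`. The surrounding code in the same functions propagates the callee's code unchanged (`rc = ebitmap_read(&e->names, fp); if (rc) return rc;` at 1266–1268 and the matching write at 2856–2858), so the helpers should follow that convention and simply return `rc`. If `type_set_read()` fails after the first bitmap has been read, the half-built `type_set` is already attached to `e->type_names`, so cleanup presumably falls to `constraint_expr_destroy()` via the caller's error path, which is outside this diff and worth confirming. There is also a stray double blank line at 1197–1198 before `read_cons_helper()`.
```c
static int type_set_read(struct type_set *t, void *fp)
{
	__le32 buf[1];
	int rc;

	rc = ebitmap_read(&t->types, fp);
	if (rc)
		return rc;
	rc = ebitmap_read(&t->negset, fp);
	if (rc)
		return rc;

	rc = next_entry(buf, fp, sizeof(u32));
	if (rc)
		return rc;
	t->flags = le32_to_cpu(buf[0]);

	return 0;
}
/* … type_set_write(): same change, return the ebitmap_write()/put_entry() rc directly … */
```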
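--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -154,6 +154,17 @@ struct cond_bool_datum {
 struct cond_node;
 
 /*
+ * type set preserves data needed to determine constraint info from
+ * policy source. This is not used by the kernel policy but allows
+ * utilities such as audit2allow to determine constraint denials.
+ */
+struct type_set {
+	struct ebitmap types;
+	struct ebitmap negset;
+	u32 flags;
+};
+
+/*
  * The configuration data includes security contexts for
  * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
  * network interfaces, and nodes. This structure stores the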
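Review bot: `struct type_set` (new lines 161–165) gets a block comment on its purpose but none on its members, and the one contract a maintainer needs is on `flags`: in this diff it is taken verbatim from the policy image by `type_set_read()` and re-emitted by `type_set_write()` with no interpretation or range check in between, which is fine only because, as the header comment says, the kernel does not act on it. That should be stated on the field so a future reader does not start consuming it without adding validation, e.g. `u32 flags;	/* copied through from the policy image unvalidated; not interpreted by the kernel */`. The two bitmaps are presumably the positive and negated type sets of the source expression — confirm against the userspace writer before documenting them that way.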