author | James Morris <jmorris@namei.org> | 2009-06-18 18:20:55 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-06-18 18:20:55 -0400 |
commit | d905163c5b23f6d8511971e06081a1b525e8a0bd (patch) | |
tree | f76918c1be802ec068d37763466f5518efdb690e /security/selinux | |
parent | 44c2d9bdd7022ca7d240d5adc009296fc1c6ce08 (diff) | |
parent | 0732f87761dbe417cb6e084b712d07e879e876ef (diff) |
Merge branch 'master' into next
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/avc.c | 2 | ||||
-rw-r--r-- | security/selinux/hooks.c | 26 | ||||
-rw-r--r-- | security/selinux/include/security.h | 7 | ||||
-rw-r--r-- | security/selinux/nlmsgtab.c | 2 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 8 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 30 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 2 |
7 files changed, 24 insertions, 53 deletions
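--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -927,7 +927,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 if (denied) {
 if (flags & AVC_STRICT)
 rc = -EACCES;
-else if (!selinux_enforcing || security_permissive_sid(ssid))
+else if (!selinux_enforcing || (avd->flags & AVD_FLAGS_PERMISSIVE))
 avc_update_node(AVC_CALLBACK_GRANT, requested, ssid,
 tsid, tclass, avd->seqno);
 else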
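Review bot: Testing `avd->flags & AVD_FLAGS_PERMISSIVE` turns the permissive decision into a property of the av_decision instead of a fresh policy lookup on every denial, so its freshness now depends on where `avd` comes from in avc_has_perm_noaudit, which is outside this hunk. If `avd` can be a cached AVC entry, a domain that is taken out of the permissive map on a policy reload would keep being granted from that entry until it is evicted; confirm the cache is dropped on policy load (the `seqno` passed to avc_update_node suggests a mechanism, but it is not visible here). The old lookup also served as an implicit sanity check (BUG_ON on an unknown SID); the new bit carries no such check, so this path silently relies on every producer of an av_decision setting `flags`.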
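--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1980,10 +1980,6 @@ static int selinux_sysctl(ctl_table *table, int op)
 u32 tsid, sid;
 int rc;
 
-rc = secondary_ops->sysctl(table, op);
-if (rc)
-return rc;
-
 sid = current_sid();
 
 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
@@ -2375,10 +2371,8 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
 {
 const struct task_security_struct *tsec = current_security();
 struct itimerval itimer;
-struct sighand_struct *psig;
 u32 osid, sid;
 int rc, i;
-unsigned long flags;
 
 osid = tsec->osid;
 sid = tsec->sid;
@@ -2398,22 +2392,20 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
 memset(&itimer, 0, sizeof itimer);
 for (i = 0; i < 3; i++)
 do_setitimer(i, &itimer, NULL);
-flush_signals(current);
 spin_lock_irq(¤t->sighand->siglock);
-flush_signal_handlers(current, 1);
-sigemptyset(¤t->blocked);
-recalc_sigpending();
+if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
+__flush_signals(current);
+flush_signal_handlers(current, 1);
+sigemptyset(¤t->blocked);
+}
 spin_unlock_irq(¤t->sighand->siglock);
 }
 
 /* Wake up the parent if it is waiting so that it can recheck
 * wait permission to the new task SID. */
-read_lock_irq(&tasklist_lock);
-psig = current->parent->sighand;
-spin_lock_irqsave(&psig->siglock, flags);
-wake_up_interruptible(¤t->parent->signal->wait_chldexit);
-spin_unlock_irqrestore(&psig->siglock, flags);
-read_unlock_irq(&tasklist_lock);
+read_lock(&tasklist_lock);
+wake_up_interruptible(¤t->real_parent->signal->wait_chldexit);
+read_unlock(&tasklist_lock);
 }
 
 /* superblock security operations */
@@ -4503,7 +4495,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 * when the packet is on it's final way out.
 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
 * is NULL, in this case go ahead and apply access control. */
-if (skb->dst != NULL && skb->dst->xfrm != NULL)
+if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
 return NF_ACCEPT;
 #endif
 secmark_active = selinux_secmark_enabled();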
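Review bot: The new `if (!(current->signal->flags & SIGNAL_GROUP_EXIT))` guard in selinux_bprm_committed_creds is unexplained, and this flush is the step that keeps pending signals and handlers inherited from the old SID from acting inside the new domain, so a reader needs to know why an exiting thread group is exempt. Presumably a group already in exit must keep its pending fatal signal so the exec'ing task still dies rather than continuing in the new context; add a comment such as `/* Don't flush if the group is already exiting: the pending group-exit must not be lost */`. The replacement of `flush_signals` with `__flush_signals` inside the siglock region looks like the lock-held variant, which would make the SIGNAL_GROUP_EXIT test and the flush atomic with respect to signal delivery; worth stating in the same comment if that is the intent. The part of the function between the two hunks (new lines 2379-2391) is outside the view.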
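--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -8,14 +8,13 @@
 #ifndef _SELINUX_SECURITY_H_
 #define _SELINUX_SECURITY_H_
 
+#include <linux/magic.h>
 #include "flask.h"
 
 #define SECSID_NULL 0x00000000 /* unspecified SID */
 #define SECSID_WILD 0xffffffff /* wildcard SID */
 #define SECCLASS_NULL 0x0000 /* no class */
 
-#define SELINUX_MAGIC 0xf97cff8c
-
 /* Identify specific policy version changes */
 #define POLICYDB_VERSION_BASE 15
 #define POLICYDB_VERSION_BOOL 16
@@ -91,9 +90,11 @@ struct av_decision {
 u32 auditallow;
 u32 auditdeny;
 u32 seqno;
+u32 flags;
 };
 
-int security_permissive_sid(u32 sid);
+/* definitions of av_decision.flags */
+#define AVD_FLAGS_PERMISSIVE 0x0001
 
 int security_compute_av(u32 ssid, u32 tsid,
 u16 tclass, u32 requested,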
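Review bot: The new `u32 flags;` member of struct av_decision has no comment, yet the selinuxfs hunk in this commit prints it as a sixth field of the `access` transaction, so its bit layout is now part of the kernel/userspace contract rather than a private detail. Annotate the field, e.g. `u32 flags; /* AVD_FLAGS_* bits; exported to userspace via selinuxfs */`, so that a future bit is not added without considering what userspace parsers will see. The move from a local SELINUX_MAGIC to `<linux/magic.h>` presumably keeps the value 0xf97cff8c; that header is outside the page.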
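--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -112,6 +112,8 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
 { AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
 { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
 { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
+{ AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
+{ AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
 { AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
 { AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
 };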
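Review bot: The two new entries map AUDIT_TRIM and AUDIT_MAKE_EQUIV to NLMSG_WRITE without saying why; both operate on the audit rule/watch tree, which is the same kind of mutation AUDIT_DEL_RULE above them performs, so the write class is the consistent choice. A one-line comment next to them, `/* rule-tree mutations: same class as AUDIT_DEL_RULE */`, makes that reasoning checkable when the next AUDIT_* message type is added. What happens to a message type that is still missing from this table is decided by the lookup's caller, which is outside this file section.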
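--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -527,10 +527,10 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
 goto out2;
 
 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
-"%x %x %x %x %u",
+"%x %x %x %x %u %x",
 avd.allowed, 0xffffffff,
 avd.auditallow, avd.auditdeny,
-avd.seqno);
+avd.seqno, avd.flags);
 out2:
 kfree(tcon);
 out:
@@ -803,10 +803,6 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
 goto out;
 }
 
-if (count > PAGE_SIZE) {
-ret = -EINVAL;
-goto out;
-}
 page = (char *)get_zeroed_page(GFP_KERNEL);
 if (!page) {
 ret = -ENOMEM;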
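Review bot: Dropping the `count > PAGE_SIZE` check in sel_read_bool leaves the user-supplied `count` unbounded for the rest of the function, which is only safe if the copy to `buf` is bounded by the number of bytes actually formatted into `page` rather than by `count`. That copy is past the end of the hunk, so confirm it (a `simple_read_from_buffer(buf, count, ppos, page, length)` style call would be fine, a raw copy of `count` bytes would not). In the first hunk, the `access` transaction now emits a sixth field, `avd.flags`; existing userspace that scans exactly five fields should tolerate a trailing one, but it is a visible format change worth a line in the commit message.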
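--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -488,6 +488,7 @@ static int context_struct_compute_av(struct context *scontext,
 avd->auditallow = 0;
 avd->auditdeny = 0xffffffff;
 avd->seqno = latest_granting;
+avd->flags = 0;
 
 /*
 * Check for all the invalid cases.
@@ -606,31 +607,6 @@ inval_class:
 return 0;
 }
 
-/*
-* Given a sid find if the type has the permissive flag set
-*/
-int security_permissive_sid(u32 sid)
-{
-struct context *context;
-u32 type;
-int rc;
-
-read_lock(&policy_rwlock);
-
-context = sidtab_search(&sidtab, sid);
-BUG_ON(!context);
-
-type = context->type;
-/*
-* we are intentionally using type here, not type-1, the 0th bit may
-* someday indicate that we are globally setting permissive in policy.
-*/
-rc = ebitmap_get_bit(&policydb.permissive_map, type);
-
-read_unlock(&policy_rwlock);
-return rc;
-}
-
 static int security_validtrans_handle_fail(struct context *ocontext,
 struct context *ncontext,
 struct context *tcontext,
@@ -865,6 +841,10 @@ int security_compute_av(u32 ssid,
 
 rc = context_struct_compute_av(scontext, tcontext, tclass,
 requested, avd);
+
+/* permissive domain? */
+if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+avd->flags |= AVD_FLAGS_PERMISSIVE;
 out:
 read_unlock(&policy_rwlock);
 return rc;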
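Review bot: `avd->flags` is only zeroed inside context_struct_compute_av, so any path in security_compute_av that fills `avd` without calling it (an early `goto out` before policy is loaded, if one exists above the hunk) would leave `flags` uninitialized, and avc.c now reads that field to decide whether to grant; confirm every such path sets `avd->flags = 0` as well. The removed security_permissive_sid carried the note that the bit is looked up with `type`, not `type - 1`, because bit 0 may one day mean "globally permissive"; the new lookup uses `scontext->type` the same way but drops that explanation, so move it to the new site: `/* permissive domain? (bit is indexed by type, not type-1; bit 0 is reserved) */`. The new check also runs even when `rc` is non-zero, which is harmless only if callers ignore `avd` on error.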
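--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -447,7 +447,7 @@ int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
 struct dst_entry *dst;
 int rc = 0;
 
-dst = skb->dst;
+dst = skb_dst(skb);
 
 if (dst) {
 struct dst_entry *dst_test;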