| author | Olof Johansson <olof@lixom.net> | 2013-02-05 01:56:41 -0500 |
|---|---|---|
| committer | Olof Johansson <olof@lixom.net> | 2013-02-05 01:56:41 -0500 |
| commit | 469da62096e23adc755c1268b00b5fc7a214151b (patch) | |
| tree | fefd055fdae584e38d551f44d1339eb22cee4ed9 /security/selinux | |
| parent | 4227961650884a06757f80877d5dce0bddc723d4 (diff) | |
| parent | 88b62b915b0b7e25870eb0604ed9a92ba4bfc9f7 (diff) | |
Merge tag 'v3.8-rc6' into next/soc
Linux 3.8-rc6
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/hooks.c | 50 | ||||
| -rw-r--r-- | security/selinux/include/classmap.h | 2 | ||||
| -rw-r--r-- | security/selinux/include/objsec.h | 4 |
3 files changed, 44 insertions, 12 deletions
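--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4399,6 +4399,24 @@ static void selinux_req_classify_flow(const struct request_sock *req,
 	fl->flowi_secid = req->secid;
 }
 
+static int selinux_tun_dev_alloc_security(void **security)
+{
+	struct tun_security_struct *tunsec;
+
+	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
+	if (!tunsec)
+		return -ENOMEM;
+	tunsec->sid = current_sid();
+
+	*security = tunsec;
+	return 0;
+}
+
+static void selinux_tun_dev_free_security(void *security)
+{
+	kfree(security);
+}
+
 static int selinux_tun_dev_create(void)
 {
 	u32 sid = current_sid();
@@ -4414,8 +4432,17 @@ static int selinux_tun_dev_create(void)
 			    NULL);
 }
 
-static void selinux_tun_dev_post_create(struct sock *sk)
+static int selinux_tun_dev_attach_queue(void *security)
 {
+	struct tun_security_struct *tunsec = security;
+
+	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
+			    TUN_SOCKET__ATTACH_QUEUE, NULL);
+}
+
+static int selinux_tun_dev_attach(struct sock *sk, void *security)
+{
+	struct tun_security_struct *tunsec = security;
 	struct sk_security_struct *sksec = sk->sk_security;
 
 	/* we don't currently perform any NetLabel based labeling here and it
@@ -4425,20 +4452,19 @@ static void selinux_tun_dev_post_create(struct sock *sk)
 	 * cause confusion to the TUN user that had no idea network labeling
 	 * protocols were being used */
 
-	/* see the comments in selinux_tun_dev_create() about why we don't use
-	 * the sockcreate SID here */
-
-	sksec->sid = current_sid();
+	sksec->sid = tunsec->sid;
 	sksec->sclass = SECCLASS_TUN_SOCKET;
+
+	return 0;
 }
 
-static int selinux_tun_dev_attach(struct sock *sk)
+static int selinux_tun_dev_open(void *security)
 {
-	struct sk_security_struct *sksec = sk->sk_security;
+	struct tun_security_struct *tunsec = security;
 	u32 sid = current_sid();
 	int err;
 
-	err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
+	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
 			   TUN_SOCKET__RELABELFROM, NULL);
 	if (err)
 		return err;
@@ -4446,8 +4472,7 @@ static int selinux_tun_dev_attach(struct sock *sk)
 			   TUN_SOCKET__RELABELTO, NULL);
 	if (err)
 		return err;
-
-	sksec->sid = sid;
+	tunsec->sid = sid;
 
 	return 0;
 }
@@ -5642,9 +5667,12 @@ static struct security_operations selinux_ops = {
 	.secmark_refcount_inc = selinux_secmark_refcount_inc,
 	.secmark_refcount_dec = selinux_secmark_refcount_dec,
 	.req_classify_flow = selinux_req_classify_flow,
+	.tun_dev_alloc_security = selinux_tun_dev_alloc_security,
+	.tun_dev_free_security = selinux_tun_dev_free_security,
 	.tun_dev_create = selinux_tun_dev_create,
-	.tun_dev_post_create = selinux_tun_dev_post_create,
+	.tun_dev_attach_queue = selinux_tun_dev_attach_queue,
 	.tun_dev_attach = selinux_tun_dev_attach,
+	.tun_dev_open = selinux_tun_dev_open,
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 	.xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,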
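Review bot: selinux_tun_dev_open (third and fourth hunks) checks RELABELFROM against tunsec->sid and then stores `tunsec->sid = sid;` with no locking visible in the hunk, so two tasks opening the same device could both pass the check against the original SID before either write lands; if the caller serializes tun_dev_open this is fine, but nothing here says so. Sockets labelled earlier by selinux_tun_dev_attach keep the SID they copied at `sksec->sid = tunsec->sid;`, so after a successful open the device blob and already-attached sockets can carry different SIDs — presumably intended, but undocumented. I would put a comment above selinux_tun_dev_open stating that it relabels the shared device blob to the caller's SID and relies on the caller to serialize opens, and above selinux_tun_dev_alloc_security that tunsec->sid starts as the creating task's SID and is the target of every later attach_queue/attach/open check. None of the new hooks check `security` for NULL; that matches the LSM blob contract, but selinux_tun_dev_attach_queue in the second hunk dereferences it immediately, so the alloc hook must always have run first.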
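--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -150,6 +150,6 @@ struct security_class_mapping secclass_map[] = {
 	    NULL } },
 	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
 	{ "tun_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
+	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },
 	{ NULL }
 };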
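--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -110,6 +110,10 @@ struct sk_security_struct {
 	u16 sclass; /* sock security class */
 };
 
+struct tun_security_struct {
+	u32 sid; /* SID for the tun device sockets */
+};
+
 struct key_security_struct {
 	u32 sid; /* SID of key */
 };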
