aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2014-10-12 10:13:55 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2014-10-12 10:13:55 -0400
commit5e40d331bd72447197f26525f21711c4a265b6a6 (patch)
treecfbf5efba46b0c5c5b3c8149395f721eab839945 /security/selinux
parentd0ca47575ab3b41bb7f0fe5feec13c6cddb2913a (diff)
parent594081ee7145cc30a3977cb4e218f81213b63dc5 (diff)
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris. Mostly ima, selinux, smack and key handling updates. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (65 commits) integrity: do zero padding of the key id KEYS: output last portion of fingerprint in /proc/keys KEYS: strip 'id:' from ca_keyid KEYS: use swapped SKID for performing partial matching KEYS: Restore partial ID matching functionality for asymmetric keys X.509: If available, use the raw subjKeyId to form the key description KEYS: handle error code encoded in pointer selinux: normalize audit log formatting selinux: cleanup error reporting in selinux_nlmsg_perm() KEYS: Check hex2bin()'s return when generating an asymmetric key ID ima: detect violations for mmaped files ima: fix race condition on ima_rdwr_violation_check and process_measurement ima: added ima_policy_flag variable ima: return an error code from ima_add_boot_aggregate() ima: provide 'ima_appraise=log' kernel option ima: move keyring initialization to ima_init() PKCS#7: Handle PKCS#7 messages that contain no X.509 certs PKCS#7: Better handling of unsupported crypto KEYS: Overhaul key identification when searching for asymmetric keys KEYS: Implement binary asymmetric key ID handling ...
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c135
-rw-r--r--security/selinux/include/netif.h4
-rw-r--r--security/selinux/include/objsec.h2
-rw-r--r--security/selinux/netif.c43
-rw-r--r--security/selinux/ss/services.c14
5 files changed, 115 insertions, 83 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ada0d0bf3463..8426a2aa8dce 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2097,6 +2097,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2097 2097
2098/* binprm security operations */ 2098/* binprm security operations */
2099 2099
2100static int check_nnp_nosuid(const struct linux_binprm *bprm,
2101 const struct task_security_struct *old_tsec,
2102 const struct task_security_struct *new_tsec)
2103{
2104 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2105 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2106 int rc;
2107
2108 if (!nnp && !nosuid)
2109 return 0; /* neither NNP nor nosuid */
2110
2111 if (new_tsec->sid == old_tsec->sid)
2112 return 0; /* No change in credentials */
2113
2114 /*
2115 * The only transitions we permit under NNP or nosuid
2116 * are transitions to bounded SIDs, i.e. SIDs that are
2117 * guaranteed to only be allowed a subset of the permissions
2118 * of the current SID.
2119 */
2120 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2121 if (rc) {
2122 /*
2123 * On failure, preserve the errno values for NNP vs nosuid.
2124 * NNP: Operation not permitted for caller.
2125 * nosuid: Permission denied to file.
2126 */
2127 if (nnp)
2128 return -EPERM;
2129 else
2130 return -EACCES;
2131 }
2132 return 0;
2133}
2134
2100static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2135static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2101{ 2136{
2102 const struct task_security_struct *old_tsec; 2137 const struct task_security_struct *old_tsec;
@@ -2133,14 +2168,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2133 /* Reset exec SID on execve. */ 2168 /* Reset exec SID on execve. */
2134 new_tsec->exec_sid = 0; 2169 new_tsec->exec_sid = 0;
2135 2170
2136 /* 2171 /* Fail on NNP or nosuid if not an allowed transition. */
2137 * Minimize confusion: if no_new_privs or nosuid and a 2172 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2138 * transition is explicitly requested, then fail the exec. 2173 if (rc)
2139 */ 2174 return rc;
2140 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2141 return -EPERM;
2142 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2143 return -EACCES;
2144 } else { 2175 } else {
2145 /* Check for a default transition on this program. */ 2176 /* Check for a default transition on this program. */
2146 rc = security_transition_sid(old_tsec->sid, isec->sid, 2177 rc = security_transition_sid(old_tsec->sid, isec->sid,
@@ -2148,15 +2179,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2148 &new_tsec->sid); 2179 &new_tsec->sid);
2149 if (rc) 2180 if (rc)
2150 return rc; 2181 return rc;
2182
2183 /*
2184 * Fallback to old SID on NNP or nosuid if not an allowed
2185 * transition.
2186 */
2187 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2188 if (rc)
2189 new_tsec->sid = old_tsec->sid;
2151 } 2190 }
2152 2191
2153 ad.type = LSM_AUDIT_DATA_PATH; 2192 ad.type = LSM_AUDIT_DATA_PATH;
2154 ad.u.path = bprm->file->f_path; 2193 ad.u.path = bprm->file->f_path;
2155 2194
2156 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2157 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2158 new_tsec->sid = old_tsec->sid;
2159
2160 if (new_tsec->sid == old_tsec->sid) { 2195 if (new_tsec->sid == old_tsec->sid) {
2161 rc = avc_has_perm(old_tsec->sid, isec->sid, 2196 rc = avc_has_perm(old_tsec->sid, isec->sid,
2162 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2197 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
@@ -4270,15 +4305,15 @@ static int selinux_socket_unix_may_send(struct socket *sock,
4270 &ad); 4305 &ad);
4271} 4306}
4272 4307
4273static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 4308static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4274 u32 peer_sid, 4309 char *addrp, u16 family, u32 peer_sid,
4275 struct common_audit_data *ad) 4310 struct common_audit_data *ad)
4276{ 4311{
4277 int err; 4312 int err;
4278 u32 if_sid; 4313 u32 if_sid;
4279 u32 node_sid; 4314 u32 node_sid;
4280 4315
4281 err = sel_netif_sid(ifindex, &if_sid); 4316 err = sel_netif_sid(ns, ifindex, &if_sid);
4282 if (err) 4317 if (err)
4283 return err; 4318 return err;
4284 err = avc_has_perm(peer_sid, if_sid, 4319 err = avc_has_perm(peer_sid, if_sid,
@@ -4371,8 +4406,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4371 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4406 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4372 if (err) 4407 if (err)
4373 return err; 4408 return err;
4374 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family, 4409 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4375 peer_sid, &ad); 4410 addrp, family, peer_sid, &ad);
4376 if (err) { 4411 if (err) {
4377 selinux_netlbl_err(skb, err, 0); 4412 selinux_netlbl_err(skb, err, 0);
4378 return err; 4413 return err;
@@ -4690,10 +4725,9 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4690 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 4725 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4691 if (err) { 4726 if (err) {
4692 if (err == -EINVAL) { 4727 if (err == -EINVAL) {
4693 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 4728 WARN_ONCE(1, "selinux_nlmsg_perm: unrecognized netlink message:"
4694 "SELinux: unrecognized netlink message" 4729 " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
4695 " type=%hu for sclass=%hu\n", 4730 sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
4696 nlh->nlmsg_type, sksec->sclass);
4697 if (!selinux_enforcing || security_get_allow_unknown()) 4731 if (!selinux_enforcing || security_get_allow_unknown())
4698 err = 0; 4732 err = 0;
4699 } 4733 }
@@ -4711,7 +4745,8 @@ out:
4711 4745
4712#ifdef CONFIG_NETFILTER 4746#ifdef CONFIG_NETFILTER
4713 4747
4714static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, 4748static unsigned int selinux_ip_forward(struct sk_buff *skb,
4749 const struct net_device *indev,
4715 u16 family) 4750 u16 family)
4716{ 4751{
4717 int err; 4752 int err;
@@ -4737,14 +4772,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4737 4772
4738 ad.type = LSM_AUDIT_DATA_NET; 4773 ad.type = LSM_AUDIT_DATA_NET;
4739 ad.u.net = &net; 4774 ad.u.net = &net;
4740 ad.u.net->netif = ifindex; 4775 ad.u.net->netif = indev->ifindex;
4741 ad.u.net->family = family; 4776 ad.u.net->family = family;
4742 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4777 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4743 return NF_DROP; 4778 return NF_DROP;
4744 4779
4745 if (peerlbl_active) { 4780 if (peerlbl_active) {
4746 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family, 4781 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4747 peer_sid, &ad); 4782 addrp, family, peer_sid, &ad);
4748 if (err) { 4783 if (err) {
4749 selinux_netlbl_err(skb, err, 1); 4784 selinux_netlbl_err(skb, err, 1);
4750 return NF_DROP; 4785 return NF_DROP;
@@ -4773,7 +4808,7 @@ static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4773 const struct net_device *out, 4808 const struct net_device *out,
4774 int (*okfn)(struct sk_buff *)) 4809 int (*okfn)(struct sk_buff *))
4775{ 4810{
4776 return selinux_ip_forward(skb, in->ifindex, PF_INET); 4811 return selinux_ip_forward(skb, in, PF_INET);
4777} 4812}
4778 4813
4779#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4814#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
@@ -4783,7 +4818,7 @@ static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4783 const struct net_device *out, 4818 const struct net_device *out,
4784 int (*okfn)(struct sk_buff *)) 4819 int (*okfn)(struct sk_buff *))
4785{ 4820{
4786 return selinux_ip_forward(skb, in->ifindex, PF_INET6); 4821 return selinux_ip_forward(skb, in, PF_INET6);
4787} 4822}
4788#endif /* IPV6 */ 4823#endif /* IPV6 */
4789 4824
@@ -4871,11 +4906,13 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4871 return NF_ACCEPT; 4906 return NF_ACCEPT;
4872} 4907}
4873 4908
4874static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, 4909static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4910 const struct net_device *outdev,
4875 u16 family) 4911 u16 family)
4876{ 4912{
4877 u32 secmark_perm; 4913 u32 secmark_perm;
4878 u32 peer_sid; 4914 u32 peer_sid;
4915 int ifindex = outdev->ifindex;
4879 struct sock *sk; 4916 struct sock *sk;
4880 struct common_audit_data ad; 4917 struct common_audit_data ad;
4881 struct lsm_network_audit net = {0,}; 4918 struct lsm_network_audit net = {0,};
@@ -4956,6 +4993,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4956 case PF_INET6: 4993 case PF_INET6:
4957 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 4994 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4958 return NF_ACCEPT; 4995 return NF_ACCEPT;
4996 break;
4959 default: 4997 default:
4960 return NF_DROP_ERR(-ECONNREFUSED); 4998 return NF_DROP_ERR(-ECONNREFUSED);
4961 } 4999 }
@@ -4987,7 +5025,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4987 u32 if_sid; 5025 u32 if_sid;
4988 u32 node_sid; 5026 u32 node_sid;
4989 5027
4990 if (sel_netif_sid(ifindex, &if_sid)) 5028 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
4991 return NF_DROP; 5029 return NF_DROP;
4992 if (avc_has_perm(peer_sid, if_sid, 5030 if (avc_has_perm(peer_sid, if_sid,
4993 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5031 SECCLASS_NETIF, NETIF__EGRESS, &ad))
@@ -5009,7 +5047,7 @@ static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5009 const struct net_device *out, 5047 const struct net_device *out,
5010 int (*okfn)(struct sk_buff *)) 5048 int (*okfn)(struct sk_buff *))
5011{ 5049{
5012 return selinux_ip_postroute(skb, out->ifindex, PF_INET); 5050 return selinux_ip_postroute(skb, out, PF_INET);
5013} 5051}
5014 5052
5015#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5053#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
@@ -5019,7 +5057,7 @@ static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5019 const struct net_device *out, 5057 const struct net_device *out,
5020 int (*okfn)(struct sk_buff *)) 5058 int (*okfn)(struct sk_buff *))
5021{ 5059{
5022 return selinux_ip_postroute(skb, out->ifindex, PF_INET6); 5060 return selinux_ip_postroute(skb, out, PF_INET6);
5023} 5061}
5024#endif /* IPV6 */ 5062#endif /* IPV6 */
5025 5063
@@ -6033,7 +6071,7 @@ security_initcall(selinux_init);
6033 6071
6034#if defined(CONFIG_NETFILTER) 6072#if defined(CONFIG_NETFILTER)
6035 6073
6036static struct nf_hook_ops selinux_ipv4_ops[] = { 6074static struct nf_hook_ops selinux_nf_ops[] = {
6037 { 6075 {
6038 .hook = selinux_ipv4_postroute, 6076 .hook = selinux_ipv4_postroute,
6039 .owner = THIS_MODULE, 6077 .owner = THIS_MODULE,
@@ -6054,12 +6092,8 @@ static struct nf_hook_ops selinux_ipv4_ops[] = {
6054 .pf = NFPROTO_IPV4, 6092 .pf = NFPROTO_IPV4,
6055 .hooknum = NF_INET_LOCAL_OUT, 6093 .hooknum = NF_INET_LOCAL_OUT,
6056 .priority = NF_IP_PRI_SELINUX_FIRST, 6094 .priority = NF_IP_PRI_SELINUX_FIRST,
6057 } 6095 },
6058};
6059
6060#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 6096#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6061
6062static struct nf_hook_ops selinux_ipv6_ops[] = {
6063 { 6097 {
6064 .hook = selinux_ipv6_postroute, 6098 .hook = selinux_ipv6_postroute,
6065 .owner = THIS_MODULE, 6099 .owner = THIS_MODULE,
@@ -6073,32 +6107,24 @@ static struct nf_hook_ops selinux_ipv6_ops[] = {
6073 .pf = NFPROTO_IPV6, 6107 .pf = NFPROTO_IPV6,
6074 .hooknum = NF_INET_FORWARD, 6108 .hooknum = NF_INET_FORWARD,
6075 .priority = NF_IP6_PRI_SELINUX_FIRST, 6109 .priority = NF_IP6_PRI_SELINUX_FIRST,
6076 } 6110 },
6077};
6078
6079#endif /* IPV6 */ 6111#endif /* IPV6 */
6112};
6080 6113
6081static int __init selinux_nf_ip_init(void) 6114static int __init selinux_nf_ip_init(void)
6082{ 6115{
6083 int err = 0; 6116 int err;
6084 6117
6085 if (!selinux_enabled) 6118 if (!selinux_enabled)
6086 goto out; 6119 return 0;
6087 6120
6088 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 6121 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6089 6122
6090 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 6123 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6091 if (err) 6124 if (err)
6092 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err); 6125 panic("SELinux: nf_register_hooks: error %d\n", err);
6093 6126
6094#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 6127 return 0;
6095 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
6096 if (err)
6097 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
6098#endif /* IPV6 */
6099
6100out:
6101 return err;
6102} 6128}
6103 6129
6104__initcall(selinux_nf_ip_init); 6130__initcall(selinux_nf_ip_init);
@@ -6108,10 +6134,7 @@ static void selinux_nf_ip_exit(void)
6108{ 6134{
6109 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 6135 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6110 6136
6111 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 6137 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6112#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6113 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
6114#endif /* IPV6 */
6115} 6138}
6116#endif 6139#endif
6117 6140
diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h
index 57c6eae81eac..c72145444090 100644
--- a/security/selinux/include/netif.h
+++ b/security/selinux/include/netif.h
@@ -17,9 +17,11 @@
17#ifndef _SELINUX_NETIF_H_ 17#ifndef _SELINUX_NETIF_H_
18#define _SELINUX_NETIF_H_ 18#define _SELINUX_NETIF_H_
19 19
20#include <net/net_namespace.h>
21
20void sel_netif_flush(void); 22void sel_netif_flush(void);
21 23
22int sel_netif_sid(int ifindex, u32 *sid); 24int sel_netif_sid(struct net *ns, int ifindex, u32 *sid);
23 25
24#endif /* _SELINUX_NETIF_H_ */ 26#endif /* _SELINUX_NETIF_H_ */
25 27
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 078e553f52f2..81fa718d5cb3 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -24,6 +24,7 @@
24#include <linux/binfmts.h> 24#include <linux/binfmts.h>
25#include <linux/in.h> 25#include <linux/in.h>
26#include <linux/spinlock.h> 26#include <linux/spinlock.h>
27#include <net/net_namespace.h>
27#include "flask.h" 28#include "flask.h"
28#include "avc.h" 29#include "avc.h"
29 30
@@ -78,6 +79,7 @@ struct ipc_security_struct {
78}; 79};
79 80
80struct netif_security_struct { 81struct netif_security_struct {
82 struct net *ns; /* network namespace */
81 int ifindex; /* device index */ 83 int ifindex; /* device index */
82 u32 sid; /* SID for this interface */ 84 u32 sid; /* SID for this interface */
83}; 85};
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index 50ce177d71a0..e607b4473ef6 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -45,6 +45,7 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
45 45
46/** 46/**
47 * sel_netif_hashfn - Hashing function for the interface table 47 * sel_netif_hashfn - Hashing function for the interface table
48 * @ns: the network namespace
48 * @ifindex: the network interface 49 * @ifindex: the network interface
49 * 50 *
50 * Description: 51 * Description:
@@ -52,13 +53,14 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
52 * bucket number for the given interface. 53 * bucket number for the given interface.
53 * 54 *
54 */ 55 */
55static inline u32 sel_netif_hashfn(int ifindex) 56static inline u32 sel_netif_hashfn(const struct net *ns, int ifindex)
56{ 57{
57 return (ifindex & (SEL_NETIF_HASH_SIZE - 1)); 58 return (((uintptr_t)ns + ifindex) & (SEL_NETIF_HASH_SIZE - 1));
58} 59}
59 60
60/** 61/**
61 * sel_netif_find - Search for an interface record 62 * sel_netif_find - Search for an interface record
63 * @ns: the network namespace
62 * @ifindex: the network interface 64 * @ifindex: the network interface
63 * 65 *
64 * Description: 66 * Description:
@@ -66,15 +68,15 @@ static inline u32 sel_netif_hashfn(int ifindex)
66 * If an entry can not be found in the table return NULL. 68 * If an entry can not be found in the table return NULL.
67 * 69 *
68 */ 70 */
69static inline struct sel_netif *sel_netif_find(int ifindex) 71static inline struct sel_netif *sel_netif_find(const struct net *ns,
72 int ifindex)
70{ 73{
71 int idx = sel_netif_hashfn(ifindex); 74 int idx = sel_netif_hashfn(ns, ifindex);
72 struct sel_netif *netif; 75 struct sel_netif *netif;
73 76
74 list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list) 77 list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list)
75 /* all of the devices should normally fit in the hash, so we 78 if (net_eq(netif->nsec.ns, ns) &&
76 * optimize for that case */ 79 netif->nsec.ifindex == ifindex)
77 if (likely(netif->nsec.ifindex == ifindex))
78 return netif; 80 return netif;
79 81
80 return NULL; 82 return NULL;
@@ -96,7 +98,7 @@ static int sel_netif_insert(struct sel_netif *netif)
96 if (sel_netif_total >= SEL_NETIF_HASH_MAX) 98 if (sel_netif_total >= SEL_NETIF_HASH_MAX)
97 return -ENOSPC; 99 return -ENOSPC;
98 100
99 idx = sel_netif_hashfn(netif->nsec.ifindex); 101 idx = sel_netif_hashfn(netif->nsec.ns, netif->nsec.ifindex);
100 list_add_rcu(&netif->list, &sel_netif_hash[idx]); 102 list_add_rcu(&netif->list, &sel_netif_hash[idx]);
101 sel_netif_total++; 103 sel_netif_total++;
102 104
@@ -120,6 +122,7 @@ static void sel_netif_destroy(struct sel_netif *netif)
120 122
121/** 123/**
122 * sel_netif_sid_slow - Lookup the SID of a network interface using the policy 124 * sel_netif_sid_slow - Lookup the SID of a network interface using the policy
125 * @ns: the network namespace
123 * @ifindex: the network interface 126 * @ifindex: the network interface
124 * @sid: interface SID 127 * @sid: interface SID
125 * 128 *
@@ -130,7 +133,7 @@ static void sel_netif_destroy(struct sel_netif *netif)
130 * failure. 133 * failure.
131 * 134 *
132 */ 135 */
133static int sel_netif_sid_slow(int ifindex, u32 *sid) 136static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
134{ 137{
135 int ret; 138 int ret;
136 struct sel_netif *netif; 139 struct sel_netif *netif;
@@ -140,7 +143,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
140 /* NOTE: we always use init's network namespace since we don't 143 /* NOTE: we always use init's network namespace since we don't
141 * currently support containers */ 144 * currently support containers */
142 145
143 dev = dev_get_by_index(&init_net, ifindex); 146 dev = dev_get_by_index(ns, ifindex);
144 if (unlikely(dev == NULL)) { 147 if (unlikely(dev == NULL)) {
145 printk(KERN_WARNING 148 printk(KERN_WARNING
146 "SELinux: failure in sel_netif_sid_slow()," 149 "SELinux: failure in sel_netif_sid_slow(),"
@@ -149,7 +152,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
149 } 152 }
150 153
151 spin_lock_bh(&sel_netif_lock); 154 spin_lock_bh(&sel_netif_lock);
152 netif = sel_netif_find(ifindex); 155 netif = sel_netif_find(ns, ifindex);
153 if (netif != NULL) { 156 if (netif != NULL) {
154 *sid = netif->nsec.sid; 157 *sid = netif->nsec.sid;
155 ret = 0; 158 ret = 0;
@@ -163,6 +166,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
163 ret = security_netif_sid(dev->name, &new->nsec.sid); 166 ret = security_netif_sid(dev->name, &new->nsec.sid);
164 if (ret != 0) 167 if (ret != 0)
165 goto out; 168 goto out;
169 new->nsec.ns = ns;
166 new->nsec.ifindex = ifindex; 170 new->nsec.ifindex = ifindex;
167 ret = sel_netif_insert(new); 171 ret = sel_netif_insert(new);
168 if (ret != 0) 172 if (ret != 0)
@@ -184,6 +188,7 @@ out:
184 188
185/** 189/**
186 * sel_netif_sid - Lookup the SID of a network interface 190 * sel_netif_sid - Lookup the SID of a network interface
191 * @ns: the network namespace
187 * @ifindex: the network interface 192 * @ifindex: the network interface
188 * @sid: interface SID 193 * @sid: interface SID
189 * 194 *
@@ -195,12 +200,12 @@ out:
195 * on failure. 200 * on failure.
196 * 201 *
197 */ 202 */
198int sel_netif_sid(int ifindex, u32 *sid) 203int sel_netif_sid(struct net *ns, int ifindex, u32 *sid)
199{ 204{
200 struct sel_netif *netif; 205 struct sel_netif *netif;
201 206
202 rcu_read_lock(); 207 rcu_read_lock();
203 netif = sel_netif_find(ifindex); 208 netif = sel_netif_find(ns, ifindex);
204 if (likely(netif != NULL)) { 209 if (likely(netif != NULL)) {
205 *sid = netif->nsec.sid; 210 *sid = netif->nsec.sid;
206 rcu_read_unlock(); 211 rcu_read_unlock();
@@ -208,11 +213,12 @@ int sel_netif_sid(int ifindex, u32 *sid)
208 } 213 }
209 rcu_read_unlock(); 214 rcu_read_unlock();
210 215
211 return sel_netif_sid_slow(ifindex, sid); 216 return sel_netif_sid_slow(ns, ifindex, sid);
212} 217}
213 218
214/** 219/**
215 * sel_netif_kill - Remove an entry from the network interface table 220 * sel_netif_kill - Remove an entry from the network interface table
221 * @ns: the network namespace
216 * @ifindex: the network interface 222 * @ifindex: the network interface
217 * 223 *
218 * Description: 224 * Description:
@@ -220,13 +226,13 @@ int sel_netif_sid(int ifindex, u32 *sid)
220 * table if it exists. 226 * table if it exists.
221 * 227 *
222 */ 228 */
223static void sel_netif_kill(int ifindex) 229static void sel_netif_kill(const struct net *ns, int ifindex)
224{ 230{
225 struct sel_netif *netif; 231 struct sel_netif *netif;
226 232
227 rcu_read_lock(); 233 rcu_read_lock();
228 spin_lock_bh(&sel_netif_lock); 234 spin_lock_bh(&sel_netif_lock);
229 netif = sel_netif_find(ifindex); 235 netif = sel_netif_find(ns, ifindex);
230 if (netif) 236 if (netif)
231 sel_netif_destroy(netif); 237 sel_netif_destroy(netif);
232 spin_unlock_bh(&sel_netif_lock); 238 spin_unlock_bh(&sel_netif_lock);
@@ -257,11 +263,8 @@ static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
257{ 263{
258 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 264 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
259 265
260 if (dev_net(dev) != &init_net)
261 return NOTIFY_DONE;
262
263 if (event == NETDEV_DOWN) 266 if (event == NETDEV_DOWN)
264 sel_netif_kill(dev->ifindex); 267 sel_netif_kill(dev_net(dev), dev->ifindex);
265 268
266 return NOTIFY_DONE; 269 return NOTIFY_DONE;
267} 270}
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 2aa9d172dc7e..a1d3944751b9 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -728,7 +728,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
728 if (context_struct_to_string(tcontext, &t, &tlen)) 728 if (context_struct_to_string(tcontext, &t, &tlen))
729 goto out; 729 goto out;
730 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 730 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
731 "security_validate_transition: denied for" 731 "op=security_validate_transition seresult=denied"
732 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 732 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
733 o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); 733 o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
734out: 734out:
@@ -877,7 +877,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
877 audit_log(current->audit_context, 877 audit_log(current->audit_context,
878 GFP_ATOMIC, AUDIT_SELINUX_ERR, 878 GFP_ATOMIC, AUDIT_SELINUX_ERR,
879 "op=security_bounded_transition " 879 "op=security_bounded_transition "
880 "result=denied " 880 "seresult=denied "
881 "oldcontext=%s newcontext=%s", 881 "oldcontext=%s newcontext=%s",
882 old_name, new_name); 882 old_name, new_name);
883 } 883 }
@@ -1351,8 +1351,8 @@ static int compute_sid_handle_invalid_context(
1351 if (context_struct_to_string(newcontext, &n, &nlen)) 1351 if (context_struct_to_string(newcontext, &n, &nlen))
1352 goto out; 1352 goto out;
1353 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 1353 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1354 "security_compute_sid: invalid context %s" 1354 "op=security_compute_sid invalid_context=%s"
1355 " for scontext=%s" 1355 " scontext=%s"
1356 " tcontext=%s" 1356 " tcontext=%s"
1357 " tclass=%s", 1357 " tclass=%s",
1358 n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); 1358 n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
@@ -2607,8 +2607,10 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2607 rc = convert_context_handle_invalid_context(&newcon); 2607 rc = convert_context_handle_invalid_context(&newcon);
2608 if (rc) { 2608 if (rc) {
2609 if (!context_struct_to_string(&newcon, &s, &len)) { 2609 if (!context_struct_to_string(&newcon, &s, &len)) {
2610 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2610 audit_log(current->audit_context,
2611 "security_sid_mls_copy: invalid context %s", s); 2611 GFP_ATOMIC, AUDIT_SELINUX_ERR,
2612 "op=security_sid_mls_copy "
2613 "invalid_context=%s", s);
2612 kfree(s); 2614 kfree(s);
2613 } 2615 }
2614 goto out_unlock; 2616 goto out_unlock;