diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-12 10:13:55 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-12 10:13:55 -0400 |
| commit | 5e40d331bd72447197f26525f21711c4a265b6a6 (patch) | |
| tree | cfbf5efba46b0c5c5b3c8149395f721eab839945 /security/selinux | |
| parent | d0ca47575ab3b41bb7f0fe5feec13c6cddb2913a (diff) | |
| parent | 594081ee7145cc30a3977cb4e218f81213b63dc5 (diff) | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris.
Mostly ima, selinux, smack and key handling updates.
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (65 commits)
integrity: do zero padding of the key id
KEYS: output last portion of fingerprint in /proc/keys
KEYS: strip 'id:' from ca_keyid
KEYS: use swapped SKID for performing partial matching
KEYS: Restore partial ID matching functionality for asymmetric keys
X.509: If available, use the raw subjKeyId to form the key description
KEYS: handle error code encoded in pointer
selinux: normalize audit log formatting
selinux: cleanup error reporting in selinux_nlmsg_perm()
KEYS: Check hex2bin()'s return when generating an asymmetric key ID
ima: detect violations for mmaped files
ima: fix race condition on ima_rdwr_violation_check and process_measurement
ima: added ima_policy_flag variable
ima: return an error code from ima_add_boot_aggregate()
ima: provide 'ima_appraise=log' kernel option
ima: move keyring initialization to ima_init()
PKCS#7: Handle PKCS#7 messages that contain no X.509 certs
PKCS#7: Better handling of unsupported crypto
KEYS: Overhaul key identification when searching for asymmetric keys
KEYS: Implement binary asymmetric key ID handling
...
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/hooks.c | 135 | ||||
| -rw-r--r-- | security/selinux/include/netif.h | 4 | ||||
| -rw-r--r-- | security/selinux/include/objsec.h | 2 | ||||
| -rw-r--r-- | security/selinux/netif.c | 43 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 14 |
5 files changed, 115 insertions, 83 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ada0d0bf3463..8426a2aa8dce 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -2097,6 +2097,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) | |||
| 2097 | 2097 | ||
| 2098 | /* binprm security operations */ | 2098 | /* binprm security operations */ |
| 2099 | 2099 | ||
| 2100 | static int check_nnp_nosuid(const struct linux_binprm *bprm, | ||
| 2101 | const struct task_security_struct *old_tsec, | ||
| 2102 | const struct task_security_struct *new_tsec) | ||
| 2103 | { | ||
| 2104 | int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); | ||
| 2105 | int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID); | ||
| 2106 | int rc; | ||
| 2107 | |||
| 2108 | if (!nnp && !nosuid) | ||
| 2109 | return 0; /* neither NNP nor nosuid */ | ||
| 2110 | |||
| 2111 | if (new_tsec->sid == old_tsec->sid) | ||
| 2112 | return 0; /* No change in credentials */ | ||
| 2113 | |||
| 2114 | /* | ||
| 2115 | * The only transitions we permit under NNP or nosuid | ||
| 2116 | * are transitions to bounded SIDs, i.e. SIDs that are | ||
| 2117 | * guaranteed to only be allowed a subset of the permissions | ||
| 2118 | * of the current SID. | ||
| 2119 | */ | ||
| 2120 | rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); | ||
| 2121 | if (rc) { | ||
| 2122 | /* | ||
| 2123 | * On failure, preserve the errno values for NNP vs nosuid. | ||
| 2124 | * NNP: Operation not permitted for caller. | ||
| 2125 | * nosuid: Permission denied to file. | ||
| 2126 | */ | ||
| 2127 | if (nnp) | ||
| 2128 | return -EPERM; | ||
| 2129 | else | ||
| 2130 | return -EACCES; | ||
| 2131 | } | ||
| 2132 | return 0; | ||
| 2133 | } | ||
| 2134 | |||
| 2100 | static int selinux_bprm_set_creds(struct linux_binprm *bprm) | 2135 | static int selinux_bprm_set_creds(struct linux_binprm *bprm) |
| 2101 | { | 2136 | { |
| 2102 | const struct task_security_struct *old_tsec; | 2137 | const struct task_security_struct *old_tsec; |
| @@ -2133,14 +2168,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
| 2133 | /* Reset exec SID on execve. */ | 2168 | /* Reset exec SID on execve. */ |
| 2134 | new_tsec->exec_sid = 0; | 2169 | new_tsec->exec_sid = 0; |
| 2135 | 2170 | ||
| 2136 | /* | 2171 | /* Fail on NNP or nosuid if not an allowed transition. */ |
| 2137 | * Minimize confusion: if no_new_privs or nosuid and a | 2172 | rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); |
| 2138 | * transition is explicitly requested, then fail the exec. | 2173 | if (rc) |
| 2139 | */ | 2174 | return rc; |
| 2140 | if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) | ||
| 2141 | return -EPERM; | ||
| 2142 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) | ||
| 2143 | return -EACCES; | ||
| 2144 | } else { | 2175 | } else { |
| 2145 | /* Check for a default transition on this program. */ | 2176 | /* Check for a default transition on this program. */ |
| 2146 | rc = security_transition_sid(old_tsec->sid, isec->sid, | 2177 | rc = security_transition_sid(old_tsec->sid, isec->sid, |
| @@ -2148,15 +2179,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
| 2148 | &new_tsec->sid); | 2179 | &new_tsec->sid); |
| 2149 | if (rc) | 2180 | if (rc) |
| 2150 | return rc; | 2181 | return rc; |
| 2182 | |||
| 2183 | /* | ||
| 2184 | * Fallback to old SID on NNP or nosuid if not an allowed | ||
| 2185 | * transition. | ||
| 2186 | */ | ||
| 2187 | rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); | ||
| 2188 | if (rc) | ||
| 2189 | new_tsec->sid = old_tsec->sid; | ||
| 2151 | } | 2190 | } |
| 2152 | 2191 | ||
| 2153 | ad.type = LSM_AUDIT_DATA_PATH; | 2192 | ad.type = LSM_AUDIT_DATA_PATH; |
| 2154 | ad.u.path = bprm->file->f_path; | 2193 | ad.u.path = bprm->file->f_path; |
| 2155 | 2194 | ||
| 2156 | if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) || | ||
| 2157 | (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) | ||
| 2158 | new_tsec->sid = old_tsec->sid; | ||
| 2159 | |||
| 2160 | if (new_tsec->sid == old_tsec->sid) { | 2195 | if (new_tsec->sid == old_tsec->sid) { |
| 2161 | rc = avc_has_perm(old_tsec->sid, isec->sid, | 2196 | rc = avc_has_perm(old_tsec->sid, isec->sid, |
| 2162 | SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); | 2197 | SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); |
| @@ -4270,15 +4305,15 @@ static int selinux_socket_unix_may_send(struct socket *sock, | |||
| 4270 | &ad); | 4305 | &ad); |
| 4271 | } | 4306 | } |
| 4272 | 4307 | ||
| 4273 | static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, | 4308 | static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, |
| 4274 | u32 peer_sid, | 4309 | char *addrp, u16 family, u32 peer_sid, |
| 4275 | struct common_audit_data *ad) | 4310 | struct common_audit_data *ad) |
| 4276 | { | 4311 | { |
| 4277 | int err; | 4312 | int err; |
| 4278 | u32 if_sid; | 4313 | u32 if_sid; |
| 4279 | u32 node_sid; | 4314 | u32 node_sid; |
| 4280 | 4315 | ||
| 4281 | err = sel_netif_sid(ifindex, &if_sid); | 4316 | err = sel_netif_sid(ns, ifindex, &if_sid); |
| 4282 | if (err) | 4317 | if (err) |
| 4283 | return err; | 4318 | return err; |
| 4284 | err = avc_has_perm(peer_sid, if_sid, | 4319 | err = avc_has_perm(peer_sid, if_sid, |
| @@ -4371,8 +4406,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
| 4371 | err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); | 4406 | err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); |
| 4372 | if (err) | 4407 | if (err) |
| 4373 | return err; | 4408 | return err; |
| 4374 | err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family, | 4409 | err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, |
| 4375 | peer_sid, &ad); | 4410 | addrp, family, peer_sid, &ad); |
| 4376 | if (err) { | 4411 | if (err) { |
| 4377 | selinux_netlbl_err(skb, err, 0); | 4412 | selinux_netlbl_err(skb, err, 0); |
| 4378 | return err; | 4413 | return err; |
| @@ -4690,10 +4725,9 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) | |||
| 4690 | err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); | 4725 | err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); |
| 4691 | if (err) { | 4726 | if (err) { |
| 4692 | if (err == -EINVAL) { | 4727 | if (err == -EINVAL) { |
| 4693 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, | 4728 | WARN_ONCE(1, "selinux_nlmsg_perm: unrecognized netlink message:" |
| 4694 | "SELinux: unrecognized netlink message" | 4729 | " protocol=%hu nlmsg_type=%hu sclass=%hu\n", |
| 4695 | " type=%hu for sclass=%hu\n", | 4730 | sk->sk_protocol, nlh->nlmsg_type, sksec->sclass); |
| 4696 | nlh->nlmsg_type, sksec->sclass); | ||
| 4697 | if (!selinux_enforcing || security_get_allow_unknown()) | 4731 | if (!selinux_enforcing || security_get_allow_unknown()) |
| 4698 | err = 0; | 4732 | err = 0; |
| 4699 | } | 4733 | } |
| @@ -4711,7 +4745,8 @@ out: | |||
| 4711 | 4745 | ||
| 4712 | #ifdef CONFIG_NETFILTER | 4746 | #ifdef CONFIG_NETFILTER |
| 4713 | 4747 | ||
| 4714 | static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, | 4748 | static unsigned int selinux_ip_forward(struct sk_buff *skb, |
| 4749 | const struct net_device *indev, | ||
| 4715 | u16 family) | 4750 | u16 family) |
| 4716 | { | 4751 | { |
| 4717 | int err; | 4752 | int err; |
| @@ -4737,14 +4772,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, | |||
| 4737 | 4772 | ||
| 4738 | ad.type = LSM_AUDIT_DATA_NET; | 4773 | ad.type = LSM_AUDIT_DATA_NET; |
| 4739 | ad.u.net = &net; | 4774 | ad.u.net = &net; |
| 4740 | ad.u.net->netif = ifindex; | 4775 | ad.u.net->netif = indev->ifindex; |
| 4741 | ad.u.net->family = family; | 4776 | ad.u.net->family = family; |
| 4742 | if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) | 4777 | if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) |
| 4743 | return NF_DROP; | 4778 | return NF_DROP; |
| 4744 | 4779 | ||
| 4745 | if (peerlbl_active) { | 4780 | if (peerlbl_active) { |
| 4746 | err = selinux_inet_sys_rcv_skb(ifindex, addrp, family, | 4781 | err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, |
| 4747 | peer_sid, &ad); | 4782 | addrp, family, peer_sid, &ad); |
| 4748 | if (err) { | 4783 | if (err) { |
| 4749 | selinux_netlbl_err(skb, err, 1); | 4784 | selinux_netlbl_err(skb, err, 1); |
| 4750 | return NF_DROP; | 4785 | return NF_DROP; |
| @@ -4773,7 +4808,7 @@ static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops, | |||
| 4773 | const struct net_device *out, | 4808 | const struct net_device *out, |
| 4774 | int (*okfn)(struct sk_buff *)) | 4809 | int (*okfn)(struct sk_buff *)) |
| 4775 | { | 4810 | { |
| 4776 | return selinux_ip_forward(skb, in->ifindex, PF_INET); | 4811 | return selinux_ip_forward(skb, in, PF_INET); |
| 4777 | } | 4812 | } |
| 4778 | 4813 | ||
| 4779 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 4814 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| @@ -4783,7 +4818,7 @@ static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops, | |||
| 4783 | const struct net_device *out, | 4818 | const struct net_device *out, |
| 4784 | int (*okfn)(struct sk_buff *)) | 4819 | int (*okfn)(struct sk_buff *)) |
| 4785 | { | 4820 | { |
| 4786 | return selinux_ip_forward(skb, in->ifindex, PF_INET6); | 4821 | return selinux_ip_forward(skb, in, PF_INET6); |
| 4787 | } | 4822 | } |
| 4788 | #endif /* IPV6 */ | 4823 | #endif /* IPV6 */ |
| 4789 | 4824 | ||
| @@ -4871,11 +4906,13 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
| 4871 | return NF_ACCEPT; | 4906 | return NF_ACCEPT; |
| 4872 | } | 4907 | } |
| 4873 | 4908 | ||
| 4874 | static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | 4909 | static unsigned int selinux_ip_postroute(struct sk_buff *skb, |
| 4910 | const struct net_device *outdev, | ||
| 4875 | u16 family) | 4911 | u16 family) |
| 4876 | { | 4912 | { |
| 4877 | u32 secmark_perm; | 4913 | u32 secmark_perm; |
| 4878 | u32 peer_sid; | 4914 | u32 peer_sid; |
| 4915 | int ifindex = outdev->ifindex; | ||
| 4879 | struct sock *sk; | 4916 | struct sock *sk; |
| 4880 | struct common_audit_data ad; | 4917 | struct common_audit_data ad; |
| 4881 | struct lsm_network_audit net = {0,}; | 4918 | struct lsm_network_audit net = {0,}; |
| @@ -4956,6 +4993,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 4956 | case PF_INET6: | 4993 | case PF_INET6: |
| 4957 | if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) | 4994 | if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) |
| 4958 | return NF_ACCEPT; | 4995 | return NF_ACCEPT; |
| 4996 | break; | ||
| 4959 | default: | 4997 | default: |
| 4960 | return NF_DROP_ERR(-ECONNREFUSED); | 4998 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4961 | } | 4999 | } |
| @@ -4987,7 +5025,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 4987 | u32 if_sid; | 5025 | u32 if_sid; |
| 4988 | u32 node_sid; | 5026 | u32 node_sid; |
| 4989 | 5027 | ||
| 4990 | if (sel_netif_sid(ifindex, &if_sid)) | 5028 | if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) |
| 4991 | return NF_DROP; | 5029 | return NF_DROP; |
| 4992 | if (avc_has_perm(peer_sid, if_sid, | 5030 | if (avc_has_perm(peer_sid, if_sid, |
| 4993 | SECCLASS_NETIF, NETIF__EGRESS, &ad)) | 5031 | SECCLASS_NETIF, NETIF__EGRESS, &ad)) |
| @@ -5009,7 +5047,7 @@ static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops, | |||
| 5009 | const struct net_device *out, | 5047 | const struct net_device *out, |
| 5010 | int (*okfn)(struct sk_buff *)) | 5048 | int (*okfn)(struct sk_buff *)) |
| 5011 | { | 5049 | { |
| 5012 | return selinux_ip_postroute(skb, out->ifindex, PF_INET); | 5050 | return selinux_ip_postroute(skb, out, PF_INET); |
| 5013 | } | 5051 | } |
| 5014 | 5052 | ||
| 5015 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 5053 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| @@ -5019,7 +5057,7 @@ static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops, | |||
| 5019 | const struct net_device *out, | 5057 | const struct net_device *out, |
| 5020 | int (*okfn)(struct sk_buff *)) | 5058 | int (*okfn)(struct sk_buff *)) |
| 5021 | { | 5059 | { |
| 5022 | return selinux_ip_postroute(skb, out->ifindex, PF_INET6); | 5060 | return selinux_ip_postroute(skb, out, PF_INET6); |
| 5023 | } | 5061 | } |
| 5024 | #endif /* IPV6 */ | 5062 | #endif /* IPV6 */ |
| 5025 | 5063 | ||
| @@ -6033,7 +6071,7 @@ security_initcall(selinux_init); | |||
| 6033 | 6071 | ||
| 6034 | #if defined(CONFIG_NETFILTER) | 6072 | #if defined(CONFIG_NETFILTER) |
| 6035 | 6073 | ||
| 6036 | static struct nf_hook_ops selinux_ipv4_ops[] = { | 6074 | static struct nf_hook_ops selinux_nf_ops[] = { |
| 6037 | { | 6075 | { |
| 6038 | .hook = selinux_ipv4_postroute, | 6076 | .hook = selinux_ipv4_postroute, |
| 6039 | .owner = THIS_MODULE, | 6077 | .owner = THIS_MODULE, |
| @@ -6054,12 +6092,8 @@ static struct nf_hook_ops selinux_ipv4_ops[] = { | |||
| 6054 | .pf = NFPROTO_IPV4, | 6092 | .pf = NFPROTO_IPV4, |
| 6055 | .hooknum = NF_INET_LOCAL_OUT, | 6093 | .hooknum = NF_INET_LOCAL_OUT, |
| 6056 | .priority = NF_IP_PRI_SELINUX_FIRST, | 6094 | .priority = NF_IP_PRI_SELINUX_FIRST, |
| 6057 | } | 6095 | }, |
| 6058 | }; | ||
| 6059 | |||
| 6060 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 6096 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| 6061 | |||
| 6062 | static struct nf_hook_ops selinux_ipv6_ops[] = { | ||
| 6063 | { | 6097 | { |
| 6064 | .hook = selinux_ipv6_postroute, | 6098 | .hook = selinux_ipv6_postroute, |
| 6065 | .owner = THIS_MODULE, | 6099 | .owner = THIS_MODULE, |
| @@ -6073,32 +6107,24 @@ static struct nf_hook_ops selinux_ipv6_ops[] = { | |||
| 6073 | .pf = NFPROTO_IPV6, | 6107 | .pf = NFPROTO_IPV6, |
| 6074 | .hooknum = NF_INET_FORWARD, | 6108 | .hooknum = NF_INET_FORWARD, |
| 6075 | .priority = NF_IP6_PRI_SELINUX_FIRST, | 6109 | .priority = NF_IP6_PRI_SELINUX_FIRST, |
| 6076 | } | 6110 | }, |
| 6077 | }; | ||
| 6078 | |||
| 6079 | #endif /* IPV6 */ | 6111 | #endif /* IPV6 */ |
| 6112 | }; | ||
| 6080 | 6113 | ||
| 6081 | static int __init selinux_nf_ip_init(void) | 6114 | static int __init selinux_nf_ip_init(void) |
| 6082 | { | 6115 | { |
| 6083 | int err = 0; | 6116 | int err; |
| 6084 | 6117 | ||
| 6085 | if (!selinux_enabled) | 6118 | if (!selinux_enabled) |
| 6086 | goto out; | 6119 | return 0; |
| 6087 | 6120 | ||
| 6088 | printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); | 6121 | printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); |
| 6089 | 6122 | ||
| 6090 | err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); | 6123 | err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops)); |
| 6091 | if (err) | 6124 | if (err) |
| 6092 | panic("SELinux: nf_register_hooks for IPv4: error %d\n", err); | 6125 | panic("SELinux: nf_register_hooks: error %d\n", err); |
| 6093 | 6126 | ||
| 6094 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 6127 | return 0; |
| 6095 | err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); | ||
| 6096 | if (err) | ||
| 6097 | panic("SELinux: nf_register_hooks for IPv6: error %d\n", err); | ||
| 6098 | #endif /* IPV6 */ | ||
| 6099 | |||
| 6100 | out: | ||
| 6101 | return err; | ||
| 6102 | } | 6128 | } |
| 6103 | 6129 | ||
| 6104 | __initcall(selinux_nf_ip_init); | 6130 | __initcall(selinux_nf_ip_init); |
| @@ -6108,10 +6134,7 @@ static void selinux_nf_ip_exit(void) | |||
| 6108 | { | 6134 | { |
| 6109 | printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); | 6135 | printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); |
| 6110 | 6136 | ||
| 6111 | nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); | 6137 | nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops)); |
| 6112 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | ||
| 6113 | nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); | ||
| 6114 | #endif /* IPV6 */ | ||
| 6115 | } | 6138 | } |
| 6116 | #endif | 6139 | #endif |
| 6117 | 6140 | ||
diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h index 57c6eae81eac..c72145444090 100644 --- a/security/selinux/include/netif.h +++ b/security/selinux/include/netif.h | |||
| @@ -17,9 +17,11 @@ | |||
| 17 | #ifndef _SELINUX_NETIF_H_ | 17 | #ifndef _SELINUX_NETIF_H_ |
| 18 | #define _SELINUX_NETIF_H_ | 18 | #define _SELINUX_NETIF_H_ |
| 19 | 19 | ||
| 20 | #include <net/net_namespace.h> | ||
| 21 | |||
| 20 | void sel_netif_flush(void); | 22 | void sel_netif_flush(void); |
| 21 | 23 | ||
| 22 | int sel_netif_sid(int ifindex, u32 *sid); | 24 | int sel_netif_sid(struct net *ns, int ifindex, u32 *sid); |
| 23 | 25 | ||
| 24 | #endif /* _SELINUX_NETIF_H_ */ | 26 | #endif /* _SELINUX_NETIF_H_ */ |
| 25 | 27 | ||
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 078e553f52f2..81fa718d5cb3 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h | |||
| @@ -24,6 +24,7 @@ | |||
| 24 | #include <linux/binfmts.h> | 24 | #include <linux/binfmts.h> |
| 25 | #include <linux/in.h> | 25 | #include <linux/in.h> |
| 26 | #include <linux/spinlock.h> | 26 | #include <linux/spinlock.h> |
| 27 | #include <net/net_namespace.h> | ||
| 27 | #include "flask.h" | 28 | #include "flask.h" |
| 28 | #include "avc.h" | 29 | #include "avc.h" |
| 29 | 30 | ||
| @@ -78,6 +79,7 @@ struct ipc_security_struct { | |||
| 78 | }; | 79 | }; |
| 79 | 80 | ||
| 80 | struct netif_security_struct { | 81 | struct netif_security_struct { |
| 82 | struct net *ns; /* network namespace */ | ||
| 81 | int ifindex; /* device index */ | 83 | int ifindex; /* device index */ |
| 82 | u32 sid; /* SID for this interface */ | 84 | u32 sid; /* SID for this interface */ |
| 83 | }; | 85 | }; |
diff --git a/security/selinux/netif.c b/security/selinux/netif.c index 50ce177d71a0..e607b4473ef6 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c | |||
| @@ -45,6 +45,7 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE]; | |||
| 45 | 45 | ||
| 46 | /** | 46 | /** |
| 47 | * sel_netif_hashfn - Hashing function for the interface table | 47 | * sel_netif_hashfn - Hashing function for the interface table |
| 48 | * @ns: the network namespace | ||
| 48 | * @ifindex: the network interface | 49 | * @ifindex: the network interface |
| 49 | * | 50 | * |
| 50 | * Description: | 51 | * Description: |
| @@ -52,13 +53,14 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE]; | |||
| 52 | * bucket number for the given interface. | 53 | * bucket number for the given interface. |
| 53 | * | 54 | * |
| 54 | */ | 55 | */ |
| 55 | static inline u32 sel_netif_hashfn(int ifindex) | 56 | static inline u32 sel_netif_hashfn(const struct net *ns, int ifindex) |
| 56 | { | 57 | { |
| 57 | return (ifindex & (SEL_NETIF_HASH_SIZE - 1)); | 58 | return (((uintptr_t)ns + ifindex) & (SEL_NETIF_HASH_SIZE - 1)); |
| 58 | } | 59 | } |
| 59 | 60 | ||
| 60 | /** | 61 | /** |
| 61 | * sel_netif_find - Search for an interface record | 62 | * sel_netif_find - Search for an interface record |
| 63 | * @ns: the network namespace | ||
| 62 | * @ifindex: the network interface | 64 | * @ifindex: the network interface |
| 63 | * | 65 | * |
| 64 | * Description: | 66 | * Description: |
| @@ -66,15 +68,15 @@ static inline u32 sel_netif_hashfn(int ifindex) | |||
| 66 | * If an entry can not be found in the table return NULL. | 68 | * If an entry can not be found in the table return NULL. |
| 67 | * | 69 | * |
| 68 | */ | 70 | */ |
| 69 | static inline struct sel_netif *sel_netif_find(int ifindex) | 71 | static inline struct sel_netif *sel_netif_find(const struct net *ns, |
| 72 | int ifindex) | ||
| 70 | { | 73 | { |
| 71 | int idx = sel_netif_hashfn(ifindex); | 74 | int idx = sel_netif_hashfn(ns, ifindex); |
| 72 | struct sel_netif *netif; | 75 | struct sel_netif *netif; |
| 73 | 76 | ||
| 74 | list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list) | 77 | list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list) |
| 75 | /* all of the devices should normally fit in the hash, so we | 78 | if (net_eq(netif->nsec.ns, ns) && |
| 76 | * optimize for that case */ | 79 | netif->nsec.ifindex == ifindex) |
| 77 | if (likely(netif->nsec.ifindex == ifindex)) | ||
| 78 | return netif; | 80 | return netif; |
| 79 | 81 | ||
| 80 | return NULL; | 82 | return NULL; |
| @@ -96,7 +98,7 @@ static int sel_netif_insert(struct sel_netif *netif) | |||
| 96 | if (sel_netif_total >= SEL_NETIF_HASH_MAX) | 98 | if (sel_netif_total >= SEL_NETIF_HASH_MAX) |
| 97 | return -ENOSPC; | 99 | return -ENOSPC; |
| 98 | 100 | ||
| 99 | idx = sel_netif_hashfn(netif->nsec.ifindex); | 101 | idx = sel_netif_hashfn(netif->nsec.ns, netif->nsec.ifindex); |
| 100 | list_add_rcu(&netif->list, &sel_netif_hash[idx]); | 102 | list_add_rcu(&netif->list, &sel_netif_hash[idx]); |
| 101 | sel_netif_total++; | 103 | sel_netif_total++; |
| 102 | 104 | ||
| @@ -120,6 +122,7 @@ static void sel_netif_destroy(struct sel_netif *netif) | |||
| 120 | 122 | ||
| 121 | /** | 123 | /** |
| 122 | * sel_netif_sid_slow - Lookup the SID of a network interface using the policy | 124 | * sel_netif_sid_slow - Lookup the SID of a network interface using the policy |
| 125 | * @ns: the network namespace | ||
| 123 | * @ifindex: the network interface | 126 | * @ifindex: the network interface |
| 124 | * @sid: interface SID | 127 | * @sid: interface SID |
| 125 | * | 128 | * |
| @@ -130,7 +133,7 @@ static void sel_netif_destroy(struct sel_netif *netif) | |||
| 130 | * failure. | 133 | * failure. |
| 131 | * | 134 | * |
| 132 | */ | 135 | */ |
| 133 | static int sel_netif_sid_slow(int ifindex, u32 *sid) | 136 | static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid) |
| 134 | { | 137 | { |
| 135 | int ret; | 138 | int ret; |
| 136 | struct sel_netif *netif; | 139 | struct sel_netif *netif; |
| @@ -140,7 +143,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid) | |||
| 140 | /* NOTE: we always use init's network namespace since we don't | 143 | /* NOTE: we always use init's network namespace since we don't |
| 141 | * currently support containers */ | 144 | * currently support containers */ |
| 142 | 145 | ||
| 143 | dev = dev_get_by_index(&init_net, ifindex); | 146 | dev = dev_get_by_index(ns, ifindex); |
| 144 | if (unlikely(dev == NULL)) { | 147 | if (unlikely(dev == NULL)) { |
| 145 | printk(KERN_WARNING | 148 | printk(KERN_WARNING |
| 146 | "SELinux: failure in sel_netif_sid_slow()," | 149 | "SELinux: failure in sel_netif_sid_slow()," |
| @@ -149,7 +152,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid) | |||
| 149 | } | 152 | } |
| 150 | 153 | ||
| 151 | spin_lock_bh(&sel_netif_lock); | 154 | spin_lock_bh(&sel_netif_lock); |
| 152 | netif = sel_netif_find(ifindex); | 155 | netif = sel_netif_find(ns, ifindex); |
| 153 | if (netif != NULL) { | 156 | if (netif != NULL) { |
| 154 | *sid = netif->nsec.sid; | 157 | *sid = netif->nsec.sid; |
| 155 | ret = 0; | 158 | ret = 0; |
| @@ -163,6 +166,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid) | |||
| 163 | ret = security_netif_sid(dev->name, &new->nsec.sid); | 166 | ret = security_netif_sid(dev->name, &new->nsec.sid); |
| 164 | if (ret != 0) | 167 | if (ret != 0) |
| 165 | goto out; | 168 | goto out; |
| 169 | new->nsec.ns = ns; | ||
| 166 | new->nsec.ifindex = ifindex; | 170 | new->nsec.ifindex = ifindex; |
| 167 | ret = sel_netif_insert(new); | 171 | ret = sel_netif_insert(new); |
| 168 | if (ret != 0) | 172 | if (ret != 0) |
| @@ -184,6 +188,7 @@ out: | |||
| 184 | 188 | ||
| 185 | /** | 189 | /** |
| 186 | * sel_netif_sid - Lookup the SID of a network interface | 190 | * sel_netif_sid - Lookup the SID of a network interface |
| 191 | * @ns: the network namespace | ||
| 187 | * @ifindex: the network interface | 192 | * @ifindex: the network interface |
| 188 | * @sid: interface SID | 193 | * @sid: interface SID |
| 189 | * | 194 | * |
| @@ -195,12 +200,12 @@ out: | |||
| 195 | * on failure. | 200 | * on failure. |
| 196 | * | 201 | * |
| 197 | */ | 202 | */ |
| 198 | int sel_netif_sid(int ifindex, u32 *sid) | 203 | int sel_netif_sid(struct net *ns, int ifindex, u32 *sid) |
| 199 | { | 204 | { |
| 200 | struct sel_netif *netif; | 205 | struct sel_netif *netif; |
| 201 | 206 | ||
| 202 | rcu_read_lock(); | 207 | rcu_read_lock(); |
| 203 | netif = sel_netif_find(ifindex); | 208 | netif = sel_netif_find(ns, ifindex); |
| 204 | if (likely(netif != NULL)) { | 209 | if (likely(netif != NULL)) { |
| 205 | *sid = netif->nsec.sid; | 210 | *sid = netif->nsec.sid; |
| 206 | rcu_read_unlock(); | 211 | rcu_read_unlock(); |
| @@ -208,11 +213,12 @@ int sel_netif_sid(int ifindex, u32 *sid) | |||
| 208 | } | 213 | } |
| 209 | rcu_read_unlock(); | 214 | rcu_read_unlock(); |
| 210 | 215 | ||
| 211 | return sel_netif_sid_slow(ifindex, sid); | 216 | return sel_netif_sid_slow(ns, ifindex, sid); |
| 212 | } | 217 | } |
| 213 | 218 | ||
| 214 | /** | 219 | /** |
| 215 | * sel_netif_kill - Remove an entry from the network interface table | 220 | * sel_netif_kill - Remove an entry from the network interface table |
| 221 | * @ns: the network namespace | ||
| 216 | * @ifindex: the network interface | 222 | * @ifindex: the network interface |
| 217 | * | 223 | * |
| 218 | * Description: | 224 | * Description: |
| @@ -220,13 +226,13 @@ int sel_netif_sid(int ifindex, u32 *sid) | |||
| 220 | * table if it exists. | 226 | * table if it exists. |
| 221 | * | 227 | * |
| 222 | */ | 228 | */ |
| 223 | static void sel_netif_kill(int ifindex) | 229 | static void sel_netif_kill(const struct net *ns, int ifindex) |
| 224 | { | 230 | { |
| 225 | struct sel_netif *netif; | 231 | struct sel_netif *netif; |
| 226 | 232 | ||
| 227 | rcu_read_lock(); | 233 | rcu_read_lock(); |
| 228 | spin_lock_bh(&sel_netif_lock); | 234 | spin_lock_bh(&sel_netif_lock); |
| 229 | netif = sel_netif_find(ifindex); | 235 | netif = sel_netif_find(ns, ifindex); |
| 230 | if (netif) | 236 | if (netif) |
| 231 | sel_netif_destroy(netif); | 237 | sel_netif_destroy(netif); |
| 232 | spin_unlock_bh(&sel_netif_lock); | 238 | spin_unlock_bh(&sel_netif_lock); |
| @@ -257,11 +263,8 @@ static int sel_netif_netdev_notifier_handler(struct notifier_block *this, | |||
| 257 | { | 263 | { |
| 258 | struct net_device *dev = netdev_notifier_info_to_dev(ptr); | 264 | struct net_device *dev = netdev_notifier_info_to_dev(ptr); |
| 259 | 265 | ||
| 260 | if (dev_net(dev) != &init_net) | ||
| 261 | return NOTIFY_DONE; | ||
| 262 | |||
| 263 | if (event == NETDEV_DOWN) | 266 | if (event == NETDEV_DOWN) |
| 264 | sel_netif_kill(dev->ifindex); | 267 | sel_netif_kill(dev_net(dev), dev->ifindex); |
| 265 | 268 | ||
| 266 | return NOTIFY_DONE; | 269 | return NOTIFY_DONE; |
| 267 | } | 270 | } |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 2aa9d172dc7e..a1d3944751b9 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -728,7 +728,7 @@ static int security_validtrans_handle_fail(struct context *ocontext, | |||
| 728 | if (context_struct_to_string(tcontext, &t, &tlen)) | 728 | if (context_struct_to_string(tcontext, &t, &tlen)) |
| 729 | goto out; | 729 | goto out; |
| 730 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 730 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
| 731 | "security_validate_transition: denied for" | 731 | "op=security_validate_transition seresult=denied" |
| 732 | " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", | 732 | " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", |
| 733 | o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); | 733 | o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); |
| 734 | out: | 734 | out: |
| @@ -877,7 +877,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid) | |||
| 877 | audit_log(current->audit_context, | 877 | audit_log(current->audit_context, |
| 878 | GFP_ATOMIC, AUDIT_SELINUX_ERR, | 878 | GFP_ATOMIC, AUDIT_SELINUX_ERR, |
| 879 | "op=security_bounded_transition " | 879 | "op=security_bounded_transition " |
| 880 | "result=denied " | 880 | "seresult=denied " |
| 881 | "oldcontext=%s newcontext=%s", | 881 | "oldcontext=%s newcontext=%s", |
| 882 | old_name, new_name); | 882 | old_name, new_name); |
| 883 | } | 883 | } |
| @@ -1351,8 +1351,8 @@ static int compute_sid_handle_invalid_context( | |||
| 1351 | if (context_struct_to_string(newcontext, &n, &nlen)) | 1351 | if (context_struct_to_string(newcontext, &n, &nlen)) |
| 1352 | goto out; | 1352 | goto out; |
| 1353 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 1353 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
| 1354 | "security_compute_sid: invalid context %s" | 1354 | "op=security_compute_sid invalid_context=%s" |
| 1355 | " for scontext=%s" | 1355 | " scontext=%s" |
| 1356 | " tcontext=%s" | 1356 | " tcontext=%s" |
| 1357 | " tclass=%s", | 1357 | " tclass=%s", |
| 1358 | n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); | 1358 | n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); |
| @@ -2607,8 +2607,10 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) | |||
| 2607 | rc = convert_context_handle_invalid_context(&newcon); | 2607 | rc = convert_context_handle_invalid_context(&newcon); |
| 2608 | if (rc) { | 2608 | if (rc) { |
| 2609 | if (!context_struct_to_string(&newcon, &s, &len)) { | 2609 | if (!context_struct_to_string(&newcon, &s, &len)) { |
| 2610 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 2610 | audit_log(current->audit_context, |
| 2611 | "security_sid_mls_copy: invalid context %s", s); | 2611 | GFP_ATOMIC, AUDIT_SELINUX_ERR, |
| 2612 | "op=security_sid_mls_copy " | ||
| 2613 | "invalid_context=%s", s); | ||
| 2612 | kfree(s); | 2614 | kfree(s); |
| 2613 | } | 2615 | } |
| 2614 | goto out_unlock; | 2616 | goto out_unlock; |