diff options
| author | Eric Paris <eparis@redhat.com> | 2010-10-13 16:24:41 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2010-10-20 19:12:48 -0400 |
| commit | 2606fd1fa5710205b23ee859563502aa18362447 (patch) | |
| tree | f79becd7010a2da1a765829fce0e09327cd50531 /security | |
| parent | 15714f7b58011cf3948cab2988abea560240c74f (diff) | |
secmark: make secmark object handling generic
Right now secmark has lots of direct selinux calls. Use all LSM calls and
remove all SELinux specific knowledge. The only SELinux specific knowledge
we leave is the mode. The only point is to make sure that other LSMs at
least test this generic code before they assume it works. (They may also
have to make changes if they do not represent labels as strings)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Paul Moore <paul.moore@hp.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/capability.c | 17 | ||||
| -rw-r--r-- | security/security.c | 18 | ||||
| -rw-r--r-- | security/selinux/exports.c | 49 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 24 | ||||
| -rw-r--r-- | security/selinux/include/security.h | 1 |
5 files changed, 59 insertions, 50 deletions
diff --git a/security/capability.c b/security/capability.c index 95a6599a37bb..30ae00fbecd5 100644 --- a/security/capability.c +++ b/security/capability.c | |||
| @@ -677,7 +677,18 @@ static void cap_inet_conn_established(struct sock *sk, struct sk_buff *skb) | |||
| 677 | { | 677 | { |
| 678 | } | 678 | } |
| 679 | 679 | ||
| 680 | static int cap_secmark_relabel_packet(u32 secid) | ||
| 681 | { | ||
| 682 | return 0; | ||
| 683 | } | ||
| 680 | 684 | ||
| 685 | static void cap_secmark_refcount_inc(void) | ||
| 686 | { | ||
| 687 | } | ||
| 688 | |||
| 689 | static void cap_secmark_refcount_dec(void) | ||
| 690 | { | ||
| 691 | } | ||
| 681 | 692 | ||
| 682 | static void cap_req_classify_flow(const struct request_sock *req, | 693 | static void cap_req_classify_flow(const struct request_sock *req, |
| 683 | struct flowi *fl) | 694 | struct flowi *fl) |
| @@ -777,7 +788,8 @@ static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) | |||
| 777 | 788 | ||
| 778 | static int cap_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) | 789 | static int cap_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) |
| 779 | { | 790 | { |
| 780 | return -EOPNOTSUPP; | 791 | *secid = 0; |
| 792 | return 0; | ||
| 781 | } | 793 | } |
| 782 | 794 | ||
| 783 | static void cap_release_secctx(char *secdata, u32 seclen) | 795 | static void cap_release_secctx(char *secdata, u32 seclen) |
| @@ -1018,6 +1030,9 @@ void __init security_fixup_ops(struct security_operations *ops) | |||
| 1018 | set_to_cap_if_null(ops, inet_conn_request); | 1030 | set_to_cap_if_null(ops, inet_conn_request); |
| 1019 | set_to_cap_if_null(ops, inet_csk_clone); | 1031 | set_to_cap_if_null(ops, inet_csk_clone); |
| 1020 | set_to_cap_if_null(ops, inet_conn_established); | 1032 | set_to_cap_if_null(ops, inet_conn_established); |
| 1033 | set_to_cap_if_null(ops, secmark_relabel_packet); | ||
| 1034 | set_to_cap_if_null(ops, secmark_refcount_inc); | ||
| 1035 | set_to_cap_if_null(ops, secmark_refcount_dec); | ||
| 1021 | set_to_cap_if_null(ops, req_classify_flow); | 1036 | set_to_cap_if_null(ops, req_classify_flow); |
| 1022 | set_to_cap_if_null(ops, tun_dev_create); | 1037 | set_to_cap_if_null(ops, tun_dev_create); |
| 1023 | set_to_cap_if_null(ops, tun_dev_post_create); | 1038 | set_to_cap_if_null(ops, tun_dev_post_create); |
diff --git a/security/security.c b/security/security.c index 1cbcdfa4b015..b50f472061a4 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -1136,6 +1136,24 @@ void security_inet_conn_established(struct sock *sk, | |||
| 1136 | security_ops->inet_conn_established(sk, skb); | 1136 | security_ops->inet_conn_established(sk, skb); |
| 1137 | } | 1137 | } |
| 1138 | 1138 | ||
| 1139 | int security_secmark_relabel_packet(u32 secid) | ||
| 1140 | { | ||
| 1141 | return security_ops->secmark_relabel_packet(secid); | ||
| 1142 | } | ||
| 1143 | EXPORT_SYMBOL(security_secmark_relabel_packet); | ||
| 1144 | |||
| 1145 | void security_secmark_refcount_inc(void) | ||
| 1146 | { | ||
| 1147 | security_ops->secmark_refcount_inc(); | ||
| 1148 | } | ||
| 1149 | EXPORT_SYMBOL(security_secmark_refcount_inc); | ||
| 1150 | |||
| 1151 | void security_secmark_refcount_dec(void) | ||
| 1152 | { | ||
| 1153 | security_ops->secmark_refcount_dec(); | ||
| 1154 | } | ||
| 1155 | EXPORT_SYMBOL(security_secmark_refcount_dec); | ||
| 1156 | |||
| 1139 | int security_tun_dev_create(void) | 1157 | int security_tun_dev_create(void) |
| 1140 | { | 1158 | { |
| 1141 | return security_ops->tun_dev_create(); | 1159 | return security_ops->tun_dev_create(); |
diff --git a/security/selinux/exports.c b/security/selinux/exports.c index c0a454aee1e0..90664385dead 100644 --- a/security/selinux/exports.c +++ b/security/selinux/exports.c | |||
| @@ -11,58 +11,9 @@ | |||
| 11 | * it under the terms of the GNU General Public License version 2, | 11 | * it under the terms of the GNU General Public License version 2, |
| 12 | * as published by the Free Software Foundation. | 12 | * as published by the Free Software Foundation. |
| 13 | */ | 13 | */ |
| 14 | #include <linux/types.h> | ||
| 15 | #include <linux/kernel.h> | ||
| 16 | #include <linux/module.h> | 14 | #include <linux/module.h> |
| 17 | #include <linux/selinux.h> | ||
| 18 | #include <linux/fs.h> | ||
| 19 | #include <linux/ipc.h> | ||
| 20 | #include <asm/atomic.h> | ||
| 21 | 15 | ||
| 22 | #include "security.h" | 16 | #include "security.h" |
| 23 | #include "objsec.h" | ||
| 24 | |||
| 25 | /* SECMARK reference count */ | ||
| 26 | extern atomic_t selinux_secmark_refcount; | ||
| 27 | |||
| 28 | int selinux_string_to_sid(char *str, u32 *sid) | ||
| 29 | { | ||
| 30 | if (selinux_enabled) | ||
| 31 | return security_context_to_sid(str, strlen(str), sid); | ||
| 32 | else { | ||
| 33 | *sid = 0; | ||
| 34 | return 0; | ||
| 35 | } | ||
| 36 | } | ||
| 37 | EXPORT_SYMBOL_GPL(selinux_string_to_sid); | ||
| 38 | |||
| 39 | int selinux_secmark_relabel_packet_permission(u32 sid) | ||
| 40 | { | ||
| 41 | if (selinux_enabled) { | ||
| 42 | const struct task_security_struct *__tsec; | ||
| 43 | u32 tsid; | ||
| 44 | |||
| 45 | __tsec = current_security(); | ||
| 46 | tsid = __tsec->sid; | ||
| 47 | |||
| 48 | return avc_has_perm(tsid, sid, SECCLASS_PACKET, | ||
| 49 | PACKET__RELABELTO, NULL); | ||
| 50 | } | ||
| 51 | return 0; | ||
| 52 | } | ||
| 53 | EXPORT_SYMBOL_GPL(selinux_secmark_relabel_packet_permission); | ||
| 54 | |||
| 55 | void selinux_secmark_refcount_inc(void) | ||
| 56 | { | ||
| 57 | atomic_inc(&selinux_secmark_refcount); | ||
| 58 | } | ||
| 59 | EXPORT_SYMBOL_GPL(selinux_secmark_refcount_inc); | ||
| 60 | |||
| 61 | void selinux_secmark_refcount_dec(void) | ||
| 62 | { | ||
| 63 | atomic_dec(&selinux_secmark_refcount); | ||
| 64 | } | ||
| 65 | EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec); | ||
| 66 | 17 | ||
| 67 | bool selinux_is_enabled(void) | 18 | bool selinux_is_enabled(void) |
| 68 | { | 19 | { |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index db2b331de89a..d9154cf90ae1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -4279,6 +4279,27 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) | |||
| 4279 | selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); | 4279 | selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); |
| 4280 | } | 4280 | } |
| 4281 | 4281 | ||
| 4282 | static int selinux_secmark_relabel_packet(u32 sid) | ||
| 4283 | { | ||
| 4284 | const struct task_security_struct *__tsec; | ||
| 4285 | u32 tsid; | ||
| 4286 | |||
| 4287 | __tsec = current_security(); | ||
| 4288 | tsid = __tsec->sid; | ||
| 4289 | |||
| 4290 | return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); | ||
| 4291 | } | ||
| 4292 | |||
| 4293 | static void selinux_secmark_refcount_inc(void) | ||
| 4294 | { | ||
| 4295 | atomic_inc(&selinux_secmark_refcount); | ||
| 4296 | } | ||
| 4297 | |||
| 4298 | static void selinux_secmark_refcount_dec(void) | ||
| 4299 | { | ||
| 4300 | atomic_dec(&selinux_secmark_refcount); | ||
| 4301 | } | ||
| 4302 | |||
| 4282 | static void selinux_req_classify_flow(const struct request_sock *req, | 4303 | static void selinux_req_classify_flow(const struct request_sock *req, |
| 4283 | struct flowi *fl) | 4304 | struct flowi *fl) |
| 4284 | { | 4305 | { |
| @@ -5533,6 +5554,9 @@ static struct security_operations selinux_ops = { | |||
| 5533 | .inet_conn_request = selinux_inet_conn_request, | 5554 | .inet_conn_request = selinux_inet_conn_request, |
| 5534 | .inet_csk_clone = selinux_inet_csk_clone, | 5555 | .inet_csk_clone = selinux_inet_csk_clone, |
| 5535 | .inet_conn_established = selinux_inet_conn_established, | 5556 | .inet_conn_established = selinux_inet_conn_established, |
| 5557 | .secmark_relabel_packet = selinux_secmark_relabel_packet, | ||
| 5558 | .secmark_refcount_inc = selinux_secmark_refcount_inc, | ||
| 5559 | .secmark_refcount_dec = selinux_secmark_refcount_dec, | ||
| 5536 | .req_classify_flow = selinux_req_classify_flow, | 5560 | .req_classify_flow = selinux_req_classify_flow, |
| 5537 | .tun_dev_create = selinux_tun_dev_create, | 5561 | .tun_dev_create = selinux_tun_dev_create, |
| 5538 | .tun_dev_post_create = selinux_tun_dev_post_create, | 5562 | .tun_dev_post_create = selinux_tun_dev_post_create, |
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 4b66f19bb1f3..611a526afae7 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
| @@ -9,6 +9,7 @@ | |||
| 9 | #define _SELINUX_SECURITY_H_ | 9 | #define _SELINUX_SECURITY_H_ |
| 10 | 10 | ||
| 11 | #include <linux/magic.h> | 11 | #include <linux/magic.h> |
| 12 | #include <linux/types.h> | ||
| 12 | #include "flask.h" | 13 | #include "flask.h" |
| 13 | 14 | ||
| 14 | #define SECSID_NULL 0x00000000 /* unspecified SID */ | 15 | #define SECSID_NULL 0x00000000 /* unspecified SID */ |