diff options
-rw-r--r-- | Documentation/feature-removal-schedule.txt | 12 | ||||
-rw-r--r-- | security/selinux/Kconfig | 27 | ||||
-rw-r--r-- | security/selinux/hooks.c | 6 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 16 |
4 files changed, 23 insertions, 38 deletions
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt index dc7c681e532c..a0ed3964a219 100644 --- a/Documentation/feature-removal-schedule.txt +++ b/Documentation/feature-removal-schedule.txt | |||
@@ -324,3 +324,15 @@ When: 2.6.29 (ideally) or 2.6.30 (more likely) | |||
324 | Why: Deprecated by the new (standard) device driver binding model. Use | 324 | Why: Deprecated by the new (standard) device driver binding model. Use |
325 | i2c_driver->probe() and ->remove() instead. | 325 | i2c_driver->probe() and ->remove() instead. |
326 | Who: Jean Delvare <khali@linux-fr.org> | 326 | Who: Jean Delvare <khali@linux-fr.org> |
327 | |||
328 | --------------------------- | ||
329 | |||
330 | What: SELinux "compat_net" functionality | ||
331 | When: 2.6.30 at the earliest | ||
332 | Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net" | ||
333 | network access control functionality of SELinux. Secmark offers both | ||
334 | better performance and greater flexibility than the "compat_net" | ||
335 | mechanism. Now that the major Linux distributions have moved to | ||
336 | Secmark, it is time to deprecate the older mechanism and start the | ||
337 | process of removing the old code. | ||
338 | Who: Paul Moore <paul.moore@hp.com> | ||
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 26301dd651d3..bca1b74a4a2f 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig | |||
@@ -94,33 +94,6 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE | |||
94 | 94 | ||
95 | If you are unsure how to answer this question, answer 1. | 95 | If you are unsure how to answer this question, answer 1. |
96 | 96 | ||
97 | config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT | ||
98 | bool "NSA SELinux enable new secmark network controls by default" | ||
99 | depends on SECURITY_SELINUX | ||
100 | default n | ||
101 | help | ||
102 | This option determines whether the new secmark-based network | ||
103 | controls will be enabled by default. If not, the old internal | ||
104 | per-packet controls will be enabled by default, preserving | ||
105 | old behavior. | ||
106 | |||
107 | If you enable the new controls, you will need updated | ||
108 | SELinux userspace libraries, tools and policy. Typically, | ||
109 | your distribution will provide these and enable the new controls | ||
110 | in the kernel they also distribute. | ||
111 | |||
112 | Note that this option can be overridden at boot with the | ||
113 | selinux_compat_net parameter, and after boot via | ||
114 | /selinux/compat_net. See Documentation/kernel-parameters.txt | ||
115 | for details on this parameter. | ||
116 | |||
117 | If you enable the new network controls, you will likely | ||
118 | also require the SECMARK and CONNSECMARK targets, as | ||
119 | well as any conntrack helpers for protocols which you | ||
120 | wish to control. | ||
121 | |||
122 | If you are unsure what to do here, select N. | ||
123 | |||
124 | config SECURITY_SELINUX_POLICYDB_VERSION_MAX | 97 | config SECURITY_SELINUX_POLICYDB_VERSION_MAX |
125 | bool "NSA SELinux maximum supported policy format version" | 98 | bool "NSA SELinux maximum supported policy format version" |
126 | depends on SECURITY_SELINUX | 99 | depends on SECURITY_SELINUX |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index dbeaa783b2a9..df30a7555d8a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -4185,7 +4185,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, | |||
4185 | static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, | 4185 | static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, |
4186 | u16 family) | 4186 | u16 family) |
4187 | { | 4187 | { |
4188 | int err; | 4188 | int err = 0; |
4189 | struct sk_security_struct *sksec = sk->sk_security; | 4189 | struct sk_security_struct *sksec = sk->sk_security; |
4190 | u32 peer_sid; | 4190 | u32 peer_sid; |
4191 | u32 sk_sid = sksec->sid; | 4191 | u32 sk_sid = sksec->sid; |
@@ -4202,7 +4202,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, | |||
4202 | if (selinux_compat_net) | 4202 | if (selinux_compat_net) |
4203 | err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad, | 4203 | err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad, |
4204 | family, addrp); | 4204 | family, addrp); |
4205 | else | 4205 | else if (selinux_secmark_enabled()) |
4206 | err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, | 4206 | err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, |
4207 | PACKET__RECV, &ad); | 4207 | PACKET__RECV, &ad); |
4208 | if (err) | 4208 | if (err) |
@@ -4705,7 +4705,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
4705 | if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, | 4705 | if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, |
4706 | &ad, family, addrp)) | 4706 | &ad, family, addrp)) |
4707 | return NF_DROP; | 4707 | return NF_DROP; |
4708 | } else { | 4708 | } else if (selinux_secmark_enabled()) { |
4709 | if (avc_has_perm(sksec->sid, skb->secmark, | 4709 | if (avc_has_perm(sksec->sid, skb->secmark, |
4710 | SECCLASS_PACKET, PACKET__SEND, &ad)) | 4710 | SECCLASS_PACKET, PACKET__SEND, &ad)) |
4711 | return NF_DROP; | 4711 | return NF_DROP; |
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index c86303638235..77fb3c8d9267 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -47,13 +47,7 @@ static char *policycap_names[] = { | |||
47 | 47 | ||
48 | unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; | 48 | unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; |
49 | 49 | ||
50 | #ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT | 50 | int selinux_compat_net = 0; |
51 | #define SELINUX_COMPAT_NET_VALUE 0 | ||
52 | #else | ||
53 | #define SELINUX_COMPAT_NET_VALUE 1 | ||
54 | #endif | ||
55 | |||
56 | int selinux_compat_net = SELINUX_COMPAT_NET_VALUE; | ||
57 | 51 | ||
58 | static int __init checkreqprot_setup(char *str) | 52 | static int __init checkreqprot_setup(char *str) |
59 | { | 53 | { |
@@ -494,7 +488,13 @@ static ssize_t sel_write_compat_net(struct file *file, const char __user *buf, | |||
494 | if (sscanf(page, "%d", &new_value) != 1) | 488 | if (sscanf(page, "%d", &new_value) != 1) |
495 | goto out; | 489 | goto out; |
496 | 490 | ||
497 | selinux_compat_net = new_value ? 1 : 0; | 491 | if (new_value) { |
492 | printk(KERN_NOTICE | ||
493 | "SELinux: compat_net is deprecated, please use secmark" | ||
494 | " instead\n"); | ||
495 | selinux_compat_net = 1; | ||
496 | } else | ||
497 | selinux_compat_net = 0; | ||
498 | length = count; | 498 | length = count; |
499 | out: | 499 | out: |
500 | free_page((unsigned long) page); | 500 | free_page((unsigned long) page); |