| -rw-r--r-- | Documentation/feature-removal-schedule.txt | 12 | ||||
| -rw-r--r-- | security/selinux/Kconfig | 27 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 6 | ||||
| -rw-r--r-- | security/selinux/selinuxfs.c | 16 |
4 files changed, 23 insertions, 38 deletions
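diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index dc7c681e532c..a0ed3964a219 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -324,3 +324,15 @@ When: 2.6.29 (ideally) or 2.6.30 (more likely)
 Why: Deprecated by the new (standard) device driver binding model. Use
 i2c_driver->probe() and ->remove() instead.
 Who: Jean Delvare <khali@linux-fr.org>
+
+---------------------------
+
+What: SELinux "compat_net" functionality
+When: 2.6.30 at the earliest
+Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net"
+network access control functionality of SELinux. Secmark offers both
+better performance and greater flexibility than the "compat_net"
+mechanism. Now that the major Linux distributions have moved to
+Secmark, it is time to deprecate the older mechanism and start the
+process of removing the old code.
+Who: Paul Moore <paul.moore@hp.com>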
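diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 26301dd651d3..bca1b74a4a2f 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -94,33 +94,6 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
 
 If you are unsure how to answer this question, answer 1.
 
-config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
-bool "NSA SELinux enable new secmark network controls by default"
-depends on SECURITY_SELINUX
-default n
-help
-This option determines whether the new secmark-based network
-controls will be enabled by default. If not, the old internal
-per-packet controls will be enabled by default, preserving
-old behavior.
-
-If you enable the new controls, you will need updated
-SELinux userspace libraries, tools and policy. Typically,
-your distribution will provide these and enable the new controls
-in the kernel they also distribute.
-
-Note that this option can be overridden at boot with the
-selinux_compat_net parameter, and after boot via
-/selinux/compat_net. See Documentation/kernel-parameters.txt
-for details on this parameter.
-
-If you enable the new network controls, you will likely
-also require the SECMARK and CONNSECMARK targets, as
-well as any conntrack helpers for protocols which you
-wish to control.
-
-If you are unsure what to do here, select N.
-
 config SECURITY_SELINUX_POLICYDB_VERSION_MAX
 bool "NSA SELinux maximum supported policy format version"
 depends on SECURITY_SELINUX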
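diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index dbeaa783b2a9..df30a7555d8a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4185,7 +4185,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 u16 family)
 {
-int err;
+int err = 0;
 struct sk_security_struct *sksec = sk->sk_security;
 u32 peer_sid;
 u32 sk_sid = sksec->sid;
@@ -4202,7 +4202,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 if (selinux_compat_net)
 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
 family, addrp);
-else
+else if (selinux_secmark_enabled())
 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
 PACKET__RECV, &ad);
 if (err)
@@ -4705,7 +4705,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
 &ad, family, addrp))
 return NF_DROP;
-} else {
+} else if (selinux_secmark_enabled()) {
 if (avc_has_perm(sksec->sid, skb->secmark,
 SECCLASS_PACKET, PACKET__SEND, &ad))
 return NF_DROP;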
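Review bot: The two new `else if (selinux_secmark_enabled())` guards (second hunk in selinux_sock_rcv_skb_compat, third hunk in selinux_ip_postroute_compat) introduce a third path on which neither the compat_net check nor the SECCLASS_PACKET check runs, so the packet continues with no per-packet decision at all; that is presumably intended for loaded policies that use no secmark rules, but nothing in the code records it. A one-line comment at the first occurrence would make the permissive default explicit for anyone auditing the packet permission path, e.g. `/* neither compat_net nor secmark in use: no per-packet check applies */`. The `int err = 0;` in the first hunk is what turns that path into a success return instead of reading an uninitialised `err`, so the comment should also mention that the initialiser is load-bearing. Both enclosing functions start and end outside the hunks.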
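diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index c86303638235..77fb3c8d9267 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -47,13 +47,7 @@ static char *policycap_names[] = {
 
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
 
-#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
-#define SELINUX_COMPAT_NET_VALUE 0
-#else
-#define SELINUX_COMPAT_NET_VALUE 1
-#endif
-
-int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
+int selinux_compat_net = 0;
 
 static int __init checkreqprot_setup(char *str)
 {
@@ -494,7 +488,13 @@ static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
 if (sscanf(page, "%d", &new_value) != 1)
 goto out;
 
-selinux_compat_net = new_value ? 1 : 0;
+if (new_value) {
+printk(KERN_NOTICE
+"SELinux: compat_net is deprecated, please use secmark"
+" instead\n");
+selinux_compat_net = 1;
+} else
+selinux_compat_net = 0;
 length = count;
 out:
 free_page((unsigned long) page);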
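Review bot: The `} else` on new line 496 of the second hunk leaves one branch of the conditional braced and the other bare; kernel coding style asks for braces on both branches when either needs them, so it should read `} else {` / `selinux_compat_net = 0;` / `}`. Separately, the deprecation notice is emitted only on this selinuxfs write path, so a system that enables compat_net through the `selinux_compat_net` boot parameter named in the removed Kconfig help text presumably never logs it; if that parameter handler (not in this hunk) is also being deprecated, the same `printk(KERN_NOTICE ...)` belongs there too. The notice is also repeated on every non-zero write rather than once, which is acceptable for a deprecation warning but worth stating in a short comment since the value is runtime-toggleable. sel_write_compat_net begins outside the hunk.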
