-rw-r--r-- | include/linux/security.h | 3 | ||||
-rw-r--r-- | security/selinux/hooks.c | 35 | ||||
-rw-r--r-- | security/selinux/include/security.h | 2 | ||||
-rw-r--r-- | security/selinux/ss/policydb.c | 5 |
4 files changed, 35 insertions, 10 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index aa656fbc4308..a585a9085e46 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -61,6 +61,9 @@ struct mm_struct; | |||
61 | #define SECURITY_CAP_NOAUDIT 0 | 61 | #define SECURITY_CAP_NOAUDIT 0 |
62 | #define SECURITY_CAP_AUDIT 1 | 62 | #define SECURITY_CAP_AUDIT 1 |
63 | 63 | ||
64 | /* LSM Agnostic defines for sb_set_mnt_opts */ | ||
65 | #define SECURITY_LSM_NATIVE_LABELS 1 | ||
66 | |||
64 | struct ctl_table; | 67 | struct ctl_table; |
65 | struct audit_krule; | 68 | struct audit_krule; |
66 | struct user_namespace; | 69 | struct user_namespace; |
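Review bot: The comment on the new define says only that it is LSM-agnostic and meant for sb_set_mnt_opts, not that it is a bit flag travelling in both directions — in hooks.c the same value is tested in `kern_flags` as a request and OR'd into `*set_kern_flags` as the acknowledgment, so a reader of this header cannot tell that the bit being absent from the result presumably means the LSM did not take the request. I would replace the comment with `/* LSM agnostic flags for sb_set_mnt_opts: a caller passes them in kern_flags to request a behaviour; an LSM that honours the request sets the same bit in *set_kern_flags */`. Since it is a mask rather than an enumerator, writing the value as `(1 << 0)` would also make the intent clear when a second flag is added.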
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f3b54466a037..6149633ff715 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -81,6 +81,7 @@ | |||
81 | #include <linux/syslog.h> | 81 | #include <linux/syslog.h> |
82 | #include <linux/user_namespace.h> | 82 | #include <linux/user_namespace.h> |
83 | #include <linux/export.h> | 83 | #include <linux/export.h> |
84 | #include <linux/security.h> | ||
84 | #include <linux/msg.h> | 85 | #include <linux/msg.h> |
85 | #include <linux/shm.h> | 86 | #include <linux/shm.h> |
86 | 87 | ||
@@ -284,13 +285,14 @@ static void superblock_free_security(struct super_block *sb) | |||
284 | 285 | ||
285 | /* The file system's label must be initialized prior to use. */ | 286 | /* The file system's label must be initialized prior to use. */ |
286 | 287 | ||
287 | static const char *labeling_behaviors[6] = { | 288 | static const char *labeling_behaviors[7] = { |
288 | "uses xattr", | 289 | "uses xattr", |
289 | "uses transition SIDs", | 290 | "uses transition SIDs", |
290 | "uses task SIDs", | 291 | "uses task SIDs", |
291 | "uses genfs_contexts", | 292 | "uses genfs_contexts", |
292 | "not configured for labeling", | 293 | "not configured for labeling", |
293 | "uses mountpoint labeling", | 294 | "uses mountpoint labeling", |
295 | "uses native labeling", | ||
294 | }; | 296 | }; |
295 | 297 | ||
296 | static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); | 298 | static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); |
@@ -678,14 +680,21 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
678 | if (strcmp(sb->s_type->name, "proc") == 0) | 680 | if (strcmp(sb->s_type->name, "proc") == 0) |
679 | sbsec->flags |= SE_SBPROC; | 681 | sbsec->flags |= SE_SBPROC; |
680 | 682 | ||
681 | /* Determine the labeling behavior to use for this filesystem type. */ | 683 | if (!sbsec->behavior) { |
682 | rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); | 684 | /* |
683 | if (rc) { | 685 | * Determine the labeling behavior to use for this |
684 | printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", | 686 | * filesystem type. |
685 | __func__, sb->s_type->name, rc); | 687 | */ |
686 | goto out; | 688 | rc = security_fs_use((sbsec->flags & SE_SBPROC) ? |
689 | "proc" : sb->s_type->name, | ||
690 | &sbsec->behavior, &sbsec->sid); | ||
691 | if (rc) { | ||
692 | printk(KERN_WARNING | ||
693 | "%s: security_fs_use(%s) returned %d\n", | ||
694 | __func__, sb->s_type->name, rc); | ||
695 | goto out; | ||
696 | } | ||
687 | } | 697 | } |
688 | |||
689 | /* sets the context of the superblock for the fs being mounted. */ | 698 | /* sets the context of the superblock for the fs being mounted. */ |
690 | if (fscontext_sid) { | 699 | if (fscontext_sid) { |
691 | rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); | 700 | rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); |
@@ -700,6 +709,11 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
700 | * sets the label used on all file below the mountpoint, and will set | 709 | * sets the label used on all file below the mountpoint, and will set |
701 | * the superblock context if not already set. | 710 | * the superblock context if not already set. |
702 | */ | 711 | */ |
712 | if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { | ||
713 | sbsec->behavior = SECURITY_FS_USE_NATIVE; | ||
714 | *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; | ||
715 | } | ||
716 | |||
703 | if (context_sid) { | 717 | if (context_sid) { |
704 | if (!fscontext_sid) { | 718 | if (!fscontext_sid) { |
705 | rc = may_context_mount_sb_relabel(context_sid, sbsec, | 719 | rc = may_context_mount_sb_relabel(context_sid, sbsec, |
@@ -731,7 +745,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
731 | } | 745 | } |
732 | 746 | ||
733 | if (defcontext_sid) { | 747 | if (defcontext_sid) { |
734 | if (sbsec->behavior != SECURITY_FS_USE_XATTR) { | 748 | if (sbsec->behavior != SECURITY_FS_USE_XATTR && |
749 | sbsec->behavior != SECURITY_FS_USE_NATIVE) { | ||
735 | rc = -EINVAL; | 750 | rc = -EINVAL; |
736 | printk(KERN_WARNING "SELinux: defcontext option is " | 751 | printk(KERN_WARNING "SELinux: defcontext option is " |
737 | "invalid for this filesystem type\n"); | 752 | "invalid for this filesystem type\n"); |
@@ -1230,6 +1245,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1230 | } | 1245 | } |
1231 | 1246 | ||
1232 | switch (sbsec->behavior) { | 1247 | switch (sbsec->behavior) { |
1248 | case SECURITY_FS_USE_NATIVE: | ||
1249 | break; | ||
1233 | case SECURITY_FS_USE_XATTR: | 1250 | case SECURITY_FS_USE_XATTR: |
1234 | if (!inode->i_op->getxattr) { | 1251 | if (!inode->i_op->getxattr) { |
1235 | isec->sid = sbsec->def_sid; | 1252 | isec->sid = sbsec->def_sid; |
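Review bot: The native-labels block added at new lines 712-715 of selinux_set_mnt_opts dereferences `set_kern_flags` without a NULL check; the function's signature and callers are outside the hunk, so if any caller can pass SECURITY_LSM_NATIVE_LABELS in `kern_flags` together with a NULL result pointer this oopses instead of failing. Rejecting that combination once near the top of the function, `if (kern_flags && !set_kern_flags) return -EINVAL;`, is cheaper than auditing every caller now and in future. The condition would also read better with the bitwise test parenthesized, `if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !context_sid)`, even though `&` already binds tighter than `&&`. Note that this assignment silently overrides the behavior that `security_fs_use` looked up from policy a few lines earlier, which is presumably the intent (the filesystem asked for native labels) but deserves a one-line comment saying so. selinux_set_mnt_opts starts and ends outside the hunk.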
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 6d3885165d14..8fd8e18ea340 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -169,6 +169,8 @@ int security_get_allow_unknown(void); | |||
169 | #define SECURITY_FS_USE_GENFS 4 /* use the genfs support */ | 169 | #define SECURITY_FS_USE_GENFS 4 /* use the genfs support */ |
170 | #define SECURITY_FS_USE_NONE 5 /* no labeling support */ | 170 | #define SECURITY_FS_USE_NONE 5 /* no labeling support */ |
171 | #define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */ | 171 | #define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */ |
172 | #define SECURITY_FS_USE_NATIVE 7 /* use native label support */ | ||
173 | #define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */ | ||
172 | 174 | ||
173 | int security_fs_use(const char *fstype, unsigned int *behavior, | 175 | int security_fs_use(const char *fstype, unsigned int *behavior, |
174 | u32 *sid); | 176 | u32 *sid); |
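Review bot: `SECURITY_FS_USE_MAX` is a hand-maintained copy of the highest behavior value, and both the policy loader's bound check in policydb.c and the seven-entry `labeling_behaviors` table in hooks.c depend on it staying in sync with whatever behavior is added next. Defining it in terms of the last constant, `#define SECURITY_FS_USE_MAX SECURITY_FS_USE_NATIVE /* Highest SECURITY_FS_USE_XXX */`, removes one of the two places a future addition can be forgotten. Sizing the string table with it (`labeling_behaviors[SECURITY_FS_USE_MAX]`) would close the other, though that is a hooks.c change.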
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 9cd9b7c661ec..c8adde3aff8f 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c | |||
@@ -2168,7 +2168,10 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, | |||
2168 | 2168 | ||
2169 | rc = -EINVAL; | 2169 | rc = -EINVAL; |
2170 | c->v.behavior = le32_to_cpu(buf[0]); | 2170 | c->v.behavior = le32_to_cpu(buf[0]); |
2171 | if (c->v.behavior > SECURITY_FS_USE_NONE) | 2171 | /* Determined at runtime, not in policy DB. */ |
2172 | if (c->v.behavior == SECURITY_FS_USE_MNTPOINT) | ||
2173 | goto out; | ||
2174 | if (c->v.behavior > SECURITY_FS_USE_MAX) | ||
2172 | goto out; | 2175 | goto out; |
2173 | 2176 | ||
2174 | rc = -ENOMEM; | 2177 | rc = -ENOMEM; |
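Review bot: The widened bound now accepts SECURITY_FS_USE_NATIVE from a policy file, yet in hooks.c that behavior is assigned at mount time from `kern_flags` — the same runtime-only reasoning the new comment gives for rejecting SECURITY_FS_USE_MNTPOINT; if a policy-declared native behavior is not meant to be honoured, extend the check to `if (c->v.behavior == SECURITY_FS_USE_MNTPOINT || c->v.behavior == SECURITY_FS_USE_NATIVE) goto out;`, and if it is meant to be, say so in the comment. Separately, there is still no lower bound here: a behavior of 0 passes both checks, and hooks.c now uses `!sbsec->behavior` to mean "not yet determined", so a zero loaded from policy would look like an unset value; `if (!c->v.behavior) goto out;` alongside the existing checks closes that. ocontext_read starts and ends outside the hunk.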