Diffstat (limited to 'security/selinux/include')
-rw-r--r-- | security/selinux/include/av_perm_to_string.h | 5 | ||||
-rw-r--r-- | security/selinux/include/av_permissions.h | 5 | ||||
-rw-r--r-- | security/selinux/include/netlabel.h | 16 | ||||
-rw-r--r-- | security/selinux/include/netport.h | 31 | ||||
-rw-r--r-- | security/selinux/include/objsec.h | 15 | ||||
-rw-r--r-- | security/selinux/include/security.h | 15 |
6 files changed, 59 insertions, 28 deletions
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index d5696690d3a2..1223b4ff9bee 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h | |||
@@ -14,12 +14,17 @@ | |||
14 | S_(SECCLASS_DIR, DIR__REPARENT, "reparent") | 14 | S_(SECCLASS_DIR, DIR__REPARENT, "reparent") |
15 | S_(SECCLASS_DIR, DIR__SEARCH, "search") | 15 | S_(SECCLASS_DIR, DIR__SEARCH, "search") |
16 | S_(SECCLASS_DIR, DIR__RMDIR, "rmdir") | 16 | S_(SECCLASS_DIR, DIR__RMDIR, "rmdir") |
17 | S_(SECCLASS_DIR, DIR__OPEN, "open") | ||
17 | S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans") | 18 | S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans") |
18 | S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint") | 19 | S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint") |
19 | S_(SECCLASS_FILE, FILE__EXECMOD, "execmod") | 20 | S_(SECCLASS_FILE, FILE__EXECMOD, "execmod") |
21 | S_(SECCLASS_FILE, FILE__OPEN, "open") | ||
20 | S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans") | 22 | S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans") |
21 | S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint") | 23 | S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint") |
22 | S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod") | 24 | S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod") |
25 | S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open") | ||
26 | S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open") | ||
27 | S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open") | ||
23 | S_(SECCLASS_FD, FD__USE, "use") | 28 | S_(SECCLASS_FD, FD__USE, "use") |
24 | S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto") | 29 | S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto") |
25 | S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn") | 30 | S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn") |
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index 75b41311ab86..c4c51165c505 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h | |||
@@ -79,6 +79,7 @@ | |||
79 | #define DIR__REPARENT 0x00080000UL | 79 | #define DIR__REPARENT 0x00080000UL |
80 | #define DIR__SEARCH 0x00100000UL | 80 | #define DIR__SEARCH 0x00100000UL |
81 | #define DIR__RMDIR 0x00200000UL | 81 | #define DIR__RMDIR 0x00200000UL |
82 | #define DIR__OPEN 0x00400000UL | ||
82 | #define FILE__IOCTL 0x00000001UL | 83 | #define FILE__IOCTL 0x00000001UL |
83 | #define FILE__READ 0x00000002UL | 84 | #define FILE__READ 0x00000002UL |
84 | #define FILE__WRITE 0x00000004UL | 85 | #define FILE__WRITE 0x00000004UL |
@@ -99,6 +100,7 @@ | |||
99 | #define FILE__EXECUTE_NO_TRANS 0x00020000UL | 100 | #define FILE__EXECUTE_NO_TRANS 0x00020000UL |
100 | #define FILE__ENTRYPOINT 0x00040000UL | 101 | #define FILE__ENTRYPOINT 0x00040000UL |
101 | #define FILE__EXECMOD 0x00080000UL | 102 | #define FILE__EXECMOD 0x00080000UL |
103 | #define FILE__OPEN 0x00100000UL | ||
102 | #define LNK_FILE__IOCTL 0x00000001UL | 104 | #define LNK_FILE__IOCTL 0x00000001UL |
103 | #define LNK_FILE__READ 0x00000002UL | 105 | #define LNK_FILE__READ 0x00000002UL |
104 | #define LNK_FILE__WRITE 0x00000004UL | 106 | #define LNK_FILE__WRITE 0x00000004UL |
@@ -136,6 +138,7 @@ | |||
136 | #define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL | 138 | #define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL |
137 | #define CHR_FILE__ENTRYPOINT 0x00040000UL | 139 | #define CHR_FILE__ENTRYPOINT 0x00040000UL |
138 | #define CHR_FILE__EXECMOD 0x00080000UL | 140 | #define CHR_FILE__EXECMOD 0x00080000UL |
141 | #define CHR_FILE__OPEN 0x00100000UL | ||
139 | #define BLK_FILE__IOCTL 0x00000001UL | 142 | #define BLK_FILE__IOCTL 0x00000001UL |
140 | #define BLK_FILE__READ 0x00000002UL | 143 | #define BLK_FILE__READ 0x00000002UL |
141 | #define BLK_FILE__WRITE 0x00000004UL | 144 | #define BLK_FILE__WRITE 0x00000004UL |
@@ -153,6 +156,7 @@ | |||
153 | #define BLK_FILE__SWAPON 0x00004000UL | 156 | #define BLK_FILE__SWAPON 0x00004000UL |
154 | #define BLK_FILE__QUOTAON 0x00008000UL | 157 | #define BLK_FILE__QUOTAON 0x00008000UL |
155 | #define BLK_FILE__MOUNTON 0x00010000UL | 158 | #define BLK_FILE__MOUNTON 0x00010000UL |
159 | #define BLK_FILE__OPEN 0x00020000UL | ||
156 | #define SOCK_FILE__IOCTL 0x00000001UL | 160 | #define SOCK_FILE__IOCTL 0x00000001UL |
157 | #define SOCK_FILE__READ 0x00000002UL | 161 | #define SOCK_FILE__READ 0x00000002UL |
158 | #define SOCK_FILE__WRITE 0x00000004UL | 162 | #define SOCK_FILE__WRITE 0x00000004UL |
@@ -187,6 +191,7 @@ | |||
187 | #define FIFO_FILE__SWAPON 0x00004000UL | 191 | #define FIFO_FILE__SWAPON 0x00004000UL |
188 | #define FIFO_FILE__QUOTAON 0x00008000UL | 192 | #define FIFO_FILE__QUOTAON 0x00008000UL |
189 | #define FIFO_FILE__MOUNTON 0x00010000UL | 193 | #define FIFO_FILE__MOUNTON 0x00010000UL |
194 | #define FIFO_FILE__OPEN 0x00020000UL | ||
190 | #define FD__USE 0x00000001UL | 195 | #define FD__USE 0x00000001UL |
191 | #define SOCKET__IOCTL 0x00000001UL | 196 | #define SOCKET__IOCTL 0x00000001UL |
192 | #define SOCKET__READ 0x00000002UL | 197 | #define SOCKET__READ 0x00000002UL |
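Review bot: The five new `*__OPEN` bits (`DIR__OPEN`, `FILE__OPEN`, `CHR_FILE__OPEN`, `BLK_FILE__OPEN`, `FIFO_FILE__OPEN`) are only safe to request at the hook sites if the check is gated on the `selinux_policycap_openperm` flag this same commit declares in security.h; a policy that predates the permission never grants it, so an ungated `avc_has_perm()` on open would deny every open under existing policies. The values themselves are consistent with the surrounding tables — each takes the next free bit after its class's last permission (`0x00200000` → `0x00400000` for dir, `0x00080000` → `0x00100000` for file/chr_file, `0x00010000` → `0x00020000` for blk_file/fifo_file). The diffstat shows exactly five insertions here and five in `av_perm_to_string.h`, so the two tables stay in lock-step; if these headers are hand-maintained rather than regenerated from the policy's access vectors (not visible here), a one-line note at the top of each saying which is authoritative would prevent the next addition from updating only one of them.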
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h index 00a2809c8506..9a9e7cd9a379 100644 --- a/security/selinux/include/netlabel.h +++ b/security/selinux/include/netlabel.h | |||
@@ -41,10 +41,6 @@ void selinux_netlbl_cache_invalidate(void); | |||
41 | 41 | ||
42 | void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, | 42 | void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, |
43 | int family); | 43 | int family); |
44 | void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec, | ||
45 | int family); | ||
46 | void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, | ||
47 | struct sk_security_struct *newssec); | ||
48 | 44 | ||
49 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, | 45 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, |
50 | u16 family, | 46 | u16 family, |
@@ -73,18 +69,6 @@ static inline void selinux_netlbl_sk_security_reset( | |||
73 | { | 69 | { |
74 | return; | 70 | return; |
75 | } | 71 | } |
76 | static inline void selinux_netlbl_sk_security_init( | ||
77 | struct sk_security_struct *ssec, | ||
78 | int family) | ||
79 | { | ||
80 | return; | ||
81 | } | ||
82 | static inline void selinux_netlbl_sk_security_clone( | ||
83 | struct sk_security_struct *ssec, | ||
84 | struct sk_security_struct *newssec) | ||
85 | { | ||
86 | return; | ||
87 | } | ||
88 | 72 | ||
89 | static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, | 73 | static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, |
90 | u16 family, | 74 | u16 family, |
diff --git a/security/selinux/include/netport.h b/security/selinux/include/netport.h new file mode 100644 index 000000000000..8991752eaf93 --- /dev/null +++ b/security/selinux/include/netport.h | |||
@@ -0,0 +1,31 @@ | |||
1 | /* | ||
2 | * Network port table | ||
3 | * | ||
4 | * SELinux must keep a mapping of network ports to labels/SIDs. This | ||
5 | * mapping is maintained as part of the normal policy but a fast cache is | ||
6 | * needed to reduce the lookup overhead. | ||
7 | * | ||
8 | * Author: Paul Moore <paul.moore@hp.com> | ||
9 | * | ||
10 | */ | ||
11 | |||
12 | /* | ||
13 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2008 | ||
14 | * | ||
15 | * This program is free software: you can redistribute it and/or modify | ||
16 | * it under the terms of version 2 of the GNU General Public License as | ||
17 | * published by the Free Software Foundation. | ||
18 | * | ||
19 | * This program is distributed in the hope that it will be useful, | ||
20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
22 | * GNU General Public License for more details. | ||
23 | * | ||
24 | */ | ||
25 | |||
26 | #ifndef _SELINUX_NETPORT_H | ||
27 | #define _SELINUX_NETPORT_H | ||
28 | |||
29 | int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid); | ||
30 | |||
31 | #endif | ||
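Review bot: `sel_netport_sid()` is declared with `u8`/`u16`/`u32` but the header includes nothing, so it only compiles when the includer has already pulled in `<linux/types.h>`; add `#include <linux/types.h>` directly after the include guard so the header is self-contained. The prototype also carries no contract — document the out-parameter and return convention, e.g. `/* Look up the SID for @protocol/@pnum and store it in *@sid; returns 0 on success or a negative errno. */` (the return convention is not visible in this header and should be confirmed against the implementation). Since the file comment describes this as a fast cache in front of the policy lookup, it is worth cross-referencing where the cache is flushed on policy reload, so a stale port→SID mapping cannot outlive the policy that produced it.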
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index c6c2bb4ebacc..300b61bad7b3 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h | |||
@@ -28,14 +28,12 @@ | |||
28 | #include "avc.h" | 28 | #include "avc.h" |
29 | 29 | ||
30 | struct task_security_struct { | 30 | struct task_security_struct { |
31 | struct task_struct *task; /* back pointer to task object */ | ||
32 | u32 osid; /* SID prior to last execve */ | 31 | u32 osid; /* SID prior to last execve */ |
33 | u32 sid; /* current SID */ | 32 | u32 sid; /* current SID */ |
34 | u32 exec_sid; /* exec SID */ | 33 | u32 exec_sid; /* exec SID */ |
35 | u32 create_sid; /* fscreate SID */ | 34 | u32 create_sid; /* fscreate SID */ |
36 | u32 keycreate_sid; /* keycreate SID */ | 35 | u32 keycreate_sid; /* keycreate SID */ |
37 | u32 sockcreate_sid; /* fscreate SID */ | 36 | u32 sockcreate_sid; /* fscreate SID */ |
38 | u32 ptrace_sid; /* SID of ptrace parent */ | ||
39 | }; | 37 | }; |
40 | 38 | ||
41 | struct inode_security_struct { | 39 | struct inode_security_struct { |
@@ -50,7 +48,6 @@ struct inode_security_struct { | |||
50 | }; | 48 | }; |
51 | 49 | ||
52 | struct file_security_struct { | 50 | struct file_security_struct { |
53 | struct file *file; /* back pointer to file object */ | ||
54 | u32 sid; /* SID of open file description */ | 51 | u32 sid; /* SID of open file description */ |
55 | u32 fown_sid; /* SID of file owner (for SIGIO) */ | 52 | u32 fown_sid; /* SID of file owner (for SIGIO) */ |
56 | u32 isid; /* SID of inode at the time of file open */ | 53 | u32 isid; /* SID of inode at the time of file open */ |
@@ -73,18 +70,15 @@ struct superblock_security_struct { | |||
73 | }; | 70 | }; |
74 | 71 | ||
75 | struct msg_security_struct { | 72 | struct msg_security_struct { |
76 | struct msg_msg *msg; /* back pointer */ | ||
77 | u32 sid; /* SID of message */ | 73 | u32 sid; /* SID of message */ |
78 | }; | 74 | }; |
79 | 75 | ||
80 | struct ipc_security_struct { | 76 | struct ipc_security_struct { |
81 | struct kern_ipc_perm *ipc_perm; /* back pointer */ | ||
82 | u16 sclass; /* security class of this object */ | 77 | u16 sclass; /* security class of this object */ |
83 | u32 sid; /* SID of IPC resource */ | 78 | u32 sid; /* SID of IPC resource */ |
84 | }; | 79 | }; |
85 | 80 | ||
86 | struct bprm_security_struct { | 81 | struct bprm_security_struct { |
87 | struct linux_binprm *bprm; /* back pointer to bprm object */ | ||
88 | u32 sid; /* SID for transformed process */ | 82 | u32 sid; /* SID for transformed process */ |
89 | unsigned char set; | 83 | unsigned char set; |
90 | 84 | ||
@@ -109,8 +103,13 @@ struct netnode_security_struct { | |||
109 | u16 family; /* address family */ | 103 | u16 family; /* address family */ |
110 | }; | 104 | }; |
111 | 105 | ||
106 | struct netport_security_struct { | ||
107 | u32 sid; /* SID for this node */ | ||
108 | u16 port; /* port number */ | ||
109 | u8 protocol; /* transport protocol */ | ||
110 | }; | ||
111 | |||
112 | struct sk_security_struct { | 112 | struct sk_security_struct { |
113 | struct sock *sk; /* back pointer to sk object */ | ||
114 | u32 sid; /* SID of this object */ | 113 | u32 sid; /* SID of this object */ |
115 | u32 peer_sid; /* SID of peer */ | 114 | u32 peer_sid; /* SID of peer */ |
116 | u16 sclass; /* sock security class */ | 115 | u16 sclass; /* sock security class */ |
@@ -120,12 +119,10 @@ struct sk_security_struct { | |||
120 | NLBL_REQUIRE, | 119 | NLBL_REQUIRE, |
121 | NLBL_LABELED, | 120 | NLBL_LABELED, |
122 | } nlbl_state; | 121 | } nlbl_state; |
123 | spinlock_t nlbl_lock; /* protects nlbl_state */ | ||
124 | #endif | 122 | #endif |
125 | }; | 123 | }; |
126 | 124 | ||
127 | struct key_security_struct { | 125 | struct key_security_struct { |
128 | struct key *obj; /* back pointer */ | ||
129 | u32 sid; /* SID of key */ | 126 | u32 sid; /* SID of key */ |
130 | }; | 127 | }; |
131 | 128 | ||
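Review bot: Removing `spinlock_t nlbl_lock` from `sk_security_struct` (the hunk at old lines 120-125) drops the only documented serialization for `nlbl_state`; that is only correct if every writer of `nlbl_state` now runs under the socket lock, which cannot be confirmed from the headers alone, so the replacement guarantee should be stated on the field, e.g. `} nlbl_state; /* protected by the socket lock */` — confirm against the NetLabel callers before relying on it. Separately, the new `netport_security_struct` comments its `sid` as `SID for this node`, copied from `netnode_security_struct`; it should read `u32 sid; /* SID for this protocol/port pair */`. The removed back-pointers (`task`, `file`, `msg`, `ipc_perm`, `bprm`, `sk`, `obj`) shrink every security blob, and any leftover dereference will fail to compile, so that part of the change is self-checking.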
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 44e12ec88090..1904c462a605 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -26,13 +26,14 @@ | |||
26 | #define POLICYDB_VERSION_AVTAB 20 | 26 | #define POLICYDB_VERSION_AVTAB 20 |
27 | #define POLICYDB_VERSION_RANGETRANS 21 | 27 | #define POLICYDB_VERSION_RANGETRANS 21 |
28 | #define POLICYDB_VERSION_POLCAP 22 | 28 | #define POLICYDB_VERSION_POLCAP 22 |
29 | #define POLICYDB_VERSION_PERMISSIVE 23 | ||
29 | 30 | ||
30 | /* Range of policy versions we understand*/ | 31 | /* Range of policy versions we understand*/ |
31 | #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE | 32 | #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE |
32 | #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX | 33 | #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX |
33 | #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE | 34 | #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE |
34 | #else | 35 | #else |
35 | #define POLICYDB_VERSION_MAX POLICYDB_VERSION_POLCAP | 36 | #define POLICYDB_VERSION_MAX POLICYDB_VERSION_PERMISSIVE |
36 | #endif | 37 | #endif |
37 | 38 | ||
38 | #define CONTEXT_MNT 0x01 | 39 | #define CONTEXT_MNT 0x01 |
@@ -40,6 +41,11 @@ | |||
40 | #define ROOTCONTEXT_MNT 0x04 | 41 | #define ROOTCONTEXT_MNT 0x04 |
41 | #define DEFCONTEXT_MNT 0x08 | 42 | #define DEFCONTEXT_MNT 0x08 |
42 | 43 | ||
44 | #define CONTEXT_STR "context=" | ||
45 | #define FSCONTEXT_STR "fscontext=" | ||
46 | #define ROOTCONTEXT_STR "rootcontext=" | ||
47 | #define DEFCONTEXT_STR "defcontext=" | ||
48 | |||
43 | struct netlbl_lsm_secattr; | 49 | struct netlbl_lsm_secattr; |
44 | 50 | ||
45 | extern int selinux_enabled; | 51 | extern int selinux_enabled; |
@@ -48,11 +54,13 @@ extern int selinux_mls_enabled; | |||
48 | /* Policy capabilities */ | 54 | /* Policy capabilities */ |
49 | enum { | 55 | enum { |
50 | POLICYDB_CAPABILITY_NETPEER, | 56 | POLICYDB_CAPABILITY_NETPEER, |
57 | POLICYDB_CAPABILITY_OPENPERM, | ||
51 | __POLICYDB_CAPABILITY_MAX | 58 | __POLICYDB_CAPABILITY_MAX |
52 | }; | 59 | }; |
53 | #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) | 60 | #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) |
54 | 61 | ||
55 | extern int selinux_policycap_netpeer; | 62 | extern int selinux_policycap_netpeer; |
63 | extern int selinux_policycap_openperm; | ||
56 | 64 | ||
57 | int security_load_policy(void * data, size_t len); | 65 | int security_load_policy(void * data, size_t len); |
58 | 66 | ||
@@ -67,6 +75,8 @@ struct av_decision { | |||
67 | u32 seqno; | 75 | u32 seqno; |
68 | }; | 76 | }; |
69 | 77 | ||
78 | int security_permissive_sid(u32 sid); | ||
79 | |||
70 | int security_compute_av(u32 ssid, u32 tsid, | 80 | int security_compute_av(u32 ssid, u32 tsid, |
71 | u16 tclass, u32 requested, | 81 | u16 tclass, u32 requested, |
72 | struct av_decision *avd); | 82 | struct av_decision *avd); |
@@ -92,8 +102,7 @@ int security_context_to_sid_default(char *scontext, u32 scontext_len, | |||
92 | int security_get_user_sids(u32 callsid, char *username, | 102 | int security_get_user_sids(u32 callsid, char *username, |
93 | u32 **sids, u32 *nel); | 103 | u32 **sids, u32 *nel); |
94 | 104 | ||
95 | int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port, | 105 | int security_port_sid(u8 protocol, u16 port, u32 *out_sid); |
96 | u32 *out_sid); | ||
97 | 106 | ||
98 | int security_netif_sid(char *name, u32 *if_sid); | 107 | int security_netif_sid(char *name, u32 *if_sid); |
99 | 108 | ||
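Review bot: `security_permissive_sid()` (new line 78) is an enforcement-bypass query and is declared without any contract; add `/* Return 1 if the type of @sid is marked permissive in the loaded policy (AVC denials are audited but not enforced for it), 0 otherwise. A failed SID lookup must be treated as not permissive (fail closed). */` — the exact semantics live in the services implementation and should be confirmed there. Bumping the default `POLICYDB_VERSION_MAX` to `POLICYDB_VERSION_PERMISSIVE` (new line 36) means a kernel built with `CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE` left at 22 will refuse to load version-23 policies; that is the intended behaviour, but the Kconfig help text should mention that permissive domains require 23. The new `*_STR` mount-option macros (new lines 44-47) correctly keep the trailing `=`, which is what stops prefix matching from accepting an option that merely shares a prefix; callers should derive the compare length from the macro (`sizeof(CONTEXT_STR) - 1`) rather than a hard-coded count.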