1 files changed, 66 insertions, 0 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index a4efc966f065..2e73d3279f2d 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -38,6 +38,14 @@
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
+#define SELINUX_COMPAT_NET_VALUE 0
+#else
+#define SELINUX_COMPAT_NET_VALUE 1
+#endif
+int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
 static int __init checkreqprot_setup(char *str)
 {
        selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0;
@@ -45,6 +53,13 @@ static int __init checkreqprot_setup(char *str)
 }
 __setup("checkreqprot=", checkreqprot_setup);
+static int __init selinux_compat_net_setup(char *str)
+{
+        selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0;
+        return 1;
+}
+__setup("selinux_compat_net=", selinux_compat_net_setup);
 static DEFINE_MUTEX(sel_mutex);
@@ -85,6 +100,7 @@ enum sel_inos {
        SEL_AVC,        /* AVC management directory */
        SEL_MEMBER,     /* compute polyinstantiation membership decision */
        SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
+        SEL_COMPAT_NET, /* whether to use old compat network packet controls */
 };
 #define TMPBUFLEN       12
@@ -364,6 +380,55 @@ static struct file_operations sel_checkreqprot_ops = {
        .write          = sel_write_checkreqprot,
 };
+static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
+                                   size_t count, loff_t *ppos)
+{
+        char tmpbuf[TMPBUFLEN];
+        ssize_t length;
+        length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net);
+        return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
+}
+static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
+                                    size_t count, loff_t *ppos)
+{
+        char *page;
+        ssize_t length;
+        int new_value;
+        length = task_has_security(current, SECURITY__LOAD_POLICY);
+        if (length)
+                return length;
+        if (count >= PAGE_SIZE)
+                return -ENOMEM;
+        if (*ppos != 0) {
+                /* No partial writes. */
+                return -EINVAL;
+        }
+        page = (char*)get_zeroed_page(GFP_KERNEL);
+        if (!page)
+                return -ENOMEM;
+        length = -EFAULT;
+        if (copy_from_user(page, buf, count))
+                goto out;
+        length = -EINVAL;
+        if (sscanf(page, "%d", &new_value) != 1)
+                goto out;
+        selinux_compat_net = new_value ? 1 : 0;
+        length = count;
+out:
+        free_page((unsigned long) page);
+        return length;
+}
+static struct file_operations sel_compat_net_ops = {
+        .read           = sel_read_compat_net,
+        .write          = sel_write_compat_net,
+};
 /*
 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
 */
@@ -1219,6 +1284,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
                [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
                [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
                [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
+                [SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
                /* last one */ {""}
        };
        ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index a4efc966f065..2e73d3279f2d 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c
@@ -38,6 +38,14 @@
38		38
39	unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;	39	unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
40		40
		41	#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
		42	#define SELINUX_COMPAT_NET_VALUE 0
		43	#else
		44	#define SELINUX_COMPAT_NET_VALUE 1
		45	#endif
		46
		47	int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
		48
41	static int __init checkreqprot_setup(char *str)	49	static int __init checkreqprot_setup(char *str)
42	{	50	{
43	selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0;	51	selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0;
@@ -45,6 +53,13 @@ static int __init checkreqprot_setup(char *str)
45	}	53	}
46	__setup("checkreqprot=", checkreqprot_setup);	54	__setup("checkreqprot=", checkreqprot_setup);
47		55
		56	static int __init selinux_compat_net_setup(char *str)
		57	{
		58	selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0;
		59	return 1;
		60	}
		61	__setup("selinux_compat_net=", selinux_compat_net_setup);
		62
48		63
49	static DEFINE_MUTEX(sel_mutex);	64	static DEFINE_MUTEX(sel_mutex);
50		65
@@ -85,6 +100,7 @@ enum sel_inos {
85	SEL_AVC, /* AVC management directory */	100	SEL_AVC, /* AVC management directory */
86	SEL_MEMBER, /* compute polyinstantiation membership decision */	101	SEL_MEMBER, /* compute polyinstantiation membership decision */
87	SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */	102	SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
		103	SEL_COMPAT_NET, /* whether to use old compat network packet controls */
88	};	104	};
89		105
90	#define TMPBUFLEN 12	106	#define TMPBUFLEN 12
@@ -364,6 +380,55 @@ static struct file_operations sel_checkreqprot_ops = {
364	.write = sel_write_checkreqprot,	380	.write = sel_write_checkreqprot,
365	};	381	};
366		382
		383	static ssize_t sel_read_compat_net(struct file filp, char __user buf,
		384	size_t count, loff_t *ppos)
		385	{
		386	char tmpbuf[TMPBUFLEN];
		387	ssize_t length;
		388
		389	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net);
		390	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
		391	}
		392
		393	static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
		394	size_t count, loff_t *ppos)
		395	{
		396	char *page;
		397	ssize_t length;
		398	int new_value;
		399
		400	length = task_has_security(current, SECURITY__LOAD_POLICY);
		401	if (length)
		402	return length;
		403
		404	if (count >= PAGE_SIZE)
		405	return -ENOMEM;
		406	if (*ppos != 0) {
		407	/* No partial writes. */
		408	return -EINVAL;
		409	}
		410	page = (char*)get_zeroed_page(GFP_KERNEL);
		411	if (!page)
		412	return -ENOMEM;
		413	length = -EFAULT;
		414	if (copy_from_user(page, buf, count))
		415	goto out;
		416
		417	length = -EINVAL;
		418	if (sscanf(page, "%d", &new_value) != 1)
		419	goto out;
		420
		421	selinux_compat_net = new_value ? 1 : 0;
		422	length = count;
		423	out:
		424	free_page((unsigned long) page);
		425	return length;
		426	}
		427	static struct file_operations sel_compat_net_ops = {
		428	.read = sel_read_compat_net,
		429	.write = sel_write_compat_net,
		430	};
		431
367	/*	432	/*
368	* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c	433	* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
369	*/	434	*/
@@ -1219,6 +1284,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
1219	[SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},	1284	[SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
1220	[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO\|S_IWUGO},	1285	[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO\|S_IWUGO},
1221	[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO\|S_IWUSR},	1286	[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO\|S_IWUSR},
		1287	[SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO\|S_IWUSR},
1222	/* last one */ {""}	1288	/* last one */ {""}
1223	};	1289	};
1224	ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);	1290	ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);