diff options
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/avc.c | 2 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 26 | ||||
| -rw-r--r-- | security/selinux/include/security.h | 7 | ||||
| -rw-r--r-- | security/selinux/nlmsgtab.c | 2 | ||||
| -rw-r--r-- | security/selinux/selinuxfs.c | 8 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 30 | ||||
| -rw-r--r-- | security/selinux/xfrm.c | 2 |
7 files changed, 24 insertions, 53 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 4bf5d08a1f5c..7823e84dbe8d 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
| @@ -927,7 +927,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
| 927 | if (denied) { | 927 | if (denied) { |
| 928 | if (flags & AVC_STRICT) | 928 | if (flags & AVC_STRICT) |
| 929 | rc = -EACCES; | 929 | rc = -EACCES; |
| 930 | else if (!selinux_enforcing || security_permissive_sid(ssid)) | 930 | else if (!selinux_enforcing || (avd->flags & AVD_FLAGS_PERMISSIVE)) |
| 931 | avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, | 931 | avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, |
| 932 | tsid, tclass, avd->seqno); | 932 | tsid, tclass, avd->seqno); |
| 933 | else | 933 | else |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 2fcad7c33eaf..15c2a08a66f1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -1980,10 +1980,6 @@ static int selinux_sysctl(ctl_table *table, int op) | |||
| 1980 | u32 tsid, sid; | 1980 | u32 tsid, sid; |
| 1981 | int rc; | 1981 | int rc; |
| 1982 | 1982 | ||
| 1983 | rc = secondary_ops->sysctl(table, op); | ||
| 1984 | if (rc) | ||
| 1985 | return rc; | ||
| 1986 | |||
| 1987 | sid = current_sid(); | 1983 | sid = current_sid(); |
| 1988 | 1984 | ||
| 1989 | rc = selinux_sysctl_get_sid(table, (op == 0001) ? | 1985 | rc = selinux_sysctl_get_sid(table, (op == 0001) ? |
| @@ -2375,10 +2371,8 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm) | |||
| 2375 | { | 2371 | { |
| 2376 | const struct task_security_struct *tsec = current_security(); | 2372 | const struct task_security_struct *tsec = current_security(); |
| 2377 | struct itimerval itimer; | 2373 | struct itimerval itimer; |
| 2378 | struct sighand_struct *psig; | ||
| 2379 | u32 osid, sid; | 2374 | u32 osid, sid; |
| 2380 | int rc, i; | 2375 | int rc, i; |
| 2381 | unsigned long flags; | ||
| 2382 | 2376 | ||
| 2383 | osid = tsec->osid; | 2377 | osid = tsec->osid; |
| 2384 | sid = tsec->sid; | 2378 | sid = tsec->sid; |
| @@ -2398,22 +2392,20 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm) | |||
| 2398 | memset(&itimer, 0, sizeof itimer); | 2392 | memset(&itimer, 0, sizeof itimer); |
| 2399 | for (i = 0; i < 3; i++) | 2393 | for (i = 0; i < 3; i++) |
| 2400 | do_setitimer(i, &itimer, NULL); | 2394 | do_setitimer(i, &itimer, NULL); |
| 2401 | flush_signals(current); | ||
| 2402 | spin_lock_irq(¤t->sighand->siglock); | 2395 | spin_lock_irq(¤t->sighand->siglock); |
| 2403 | flush_signal_handlers(current, 1); | 2396 | if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) { |
| 2404 | sigemptyset(¤t->blocked); | 2397 | __flush_signals(current); |
| 2405 | recalc_sigpending(); | 2398 | flush_signal_handlers(current, 1); |
| 2399 | sigemptyset(¤t->blocked); | ||
| 2400 | } | ||
| 2406 | spin_unlock_irq(¤t->sighand->siglock); | 2401 | spin_unlock_irq(¤t->sighand->siglock); |
| 2407 | } | 2402 | } |
| 2408 | 2403 | ||
| 2409 | /* Wake up the parent if it is waiting so that it can recheck | 2404 | /* Wake up the parent if it is waiting so that it can recheck |
| 2410 | * wait permission to the new task SID. */ | 2405 | * wait permission to the new task SID. */ |
| 2411 | read_lock_irq(&tasklist_lock); | 2406 | read_lock(&tasklist_lock); |
| 2412 | psig = current->parent->sighand; | 2407 | wake_up_interruptible(¤t->real_parent->signal->wait_chldexit); |
| 2413 | spin_lock_irqsave(&psig->siglock, flags); | 2408 | read_unlock(&tasklist_lock); |
| 2414 | wake_up_interruptible(¤t->parent->signal->wait_chldexit); | ||
| 2415 | spin_unlock_irqrestore(&psig->siglock, flags); | ||
| 2416 | read_unlock_irq(&tasklist_lock); | ||
| 2417 | } | 2409 | } |
| 2418 | 2410 | ||
| 2419 | /* superblock security operations */ | 2411 | /* superblock security operations */ |
| @@ -4503,7 +4495,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 4503 | * when the packet is on it's final way out. | 4495 | * when the packet is on it's final way out. |
| 4504 | * NOTE: there appear to be some IPv6 multicast cases where skb->dst | 4496 | * NOTE: there appear to be some IPv6 multicast cases where skb->dst |
| 4505 | * is NULL, in this case go ahead and apply access control. */ | 4497 | * is NULL, in this case go ahead and apply access control. */ |
| 4506 | if (skb->dst != NULL && skb->dst->xfrm != NULL) | 4498 | if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL) |
| 4507 | return NF_ACCEPT; | 4499 | return NF_ACCEPT; |
| 4508 | #endif | 4500 | #endif |
| 4509 | secmark_active = selinux_secmark_enabled(); | 4501 | secmark_active = selinux_secmark_enabled(); |
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 5c3434f7626f..ca835795a8b3 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
| @@ -8,14 +8,13 @@ | |||
| 8 | #ifndef _SELINUX_SECURITY_H_ | 8 | #ifndef _SELINUX_SECURITY_H_ |
| 9 | #define _SELINUX_SECURITY_H_ | 9 | #define _SELINUX_SECURITY_H_ |
| 10 | 10 | ||
| 11 | #include <linux/magic.h> | ||
| 11 | #include "flask.h" | 12 | #include "flask.h" |
| 12 | 13 | ||
| 13 | #define SECSID_NULL 0x00000000 /* unspecified SID */ | 14 | #define SECSID_NULL 0x00000000 /* unspecified SID */ |
| 14 | #define SECSID_WILD 0xffffffff /* wildcard SID */ | 15 | #define SECSID_WILD 0xffffffff /* wildcard SID */ |
| 15 | #define SECCLASS_NULL 0x0000 /* no class */ | 16 | #define SECCLASS_NULL 0x0000 /* no class */ |
| 16 | 17 | ||
| 17 | #define SELINUX_MAGIC 0xf97cff8c | ||
| 18 | |||
| 19 | /* Identify specific policy version changes */ | 18 | /* Identify specific policy version changes */ |
| 20 | #define POLICYDB_VERSION_BASE 15 | 19 | #define POLICYDB_VERSION_BASE 15 |
| 21 | #define POLICYDB_VERSION_BOOL 16 | 20 | #define POLICYDB_VERSION_BOOL 16 |
| @@ -91,9 +90,11 @@ struct av_decision { | |||
| 91 | u32 auditallow; | 90 | u32 auditallow; |
| 92 | u32 auditdeny; | 91 | u32 auditdeny; |
| 93 | u32 seqno; | 92 | u32 seqno; |
| 93 | u32 flags; | ||
| 94 | }; | 94 | }; |
| 95 | 95 | ||
| 96 | int security_permissive_sid(u32 sid); | 96 | /* definitions of av_decision.flags */ |
| 97 | #define AVD_FLAGS_PERMISSIVE 0x0001 | ||
| 97 | 98 | ||
| 98 | int security_compute_av(u32 ssid, u32 tsid, | 99 | int security_compute_av(u32 ssid, u32 tsid, |
| 99 | u16 tclass, u32 requested, | 100 | u16 tclass, u32 requested, |
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index c6875fd3b9d6..dd7cc6de77f9 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c | |||
| @@ -112,6 +112,8 @@ static struct nlmsg_perm nlmsg_audit_perms[] = | |||
| 112 | { AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, | 112 | { AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, |
| 113 | { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, | 113 | { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, |
| 114 | { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, | 114 | { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, |
| 115 | { AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, | ||
| 116 | { AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, | ||
| 115 | { AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, | 117 | { AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, |
| 116 | { AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT }, | 118 | { AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT }, |
| 117 | }; | 119 | }; |
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 2d5136ec3d54..b4fc506e7a87 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
| @@ -527,10 +527,10 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) | |||
| 527 | goto out2; | 527 | goto out2; |
| 528 | 528 | ||
| 529 | length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, | 529 | length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, |
| 530 | "%x %x %x %x %u", | 530 | "%x %x %x %x %u %x", |
| 531 | avd.allowed, 0xffffffff, | 531 | avd.allowed, 0xffffffff, |
| 532 | avd.auditallow, avd.auditdeny, | 532 | avd.auditallow, avd.auditdeny, |
| 533 | avd.seqno); | 533 | avd.seqno, avd.flags); |
| 534 | out2: | 534 | out2: |
| 535 | kfree(tcon); | 535 | kfree(tcon); |
| 536 | out: | 536 | out: |
| @@ -803,10 +803,6 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf, | |||
| 803 | goto out; | 803 | goto out; |
| 804 | } | 804 | } |
| 805 | 805 | ||
| 806 | if (count > PAGE_SIZE) { | ||
| 807 | ret = -EINVAL; | ||
| 808 | goto out; | ||
| 809 | } | ||
| 810 | page = (char *)get_zeroed_page(GFP_KERNEL); | 806 | page = (char *)get_zeroed_page(GFP_KERNEL); |
| 811 | if (!page) { | 807 | if (!page) { |
| 812 | ret = -ENOMEM; | 808 | ret = -ENOMEM; |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a90cab207d9a..ff17820d35ec 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -488,6 +488,7 @@ static int context_struct_compute_av(struct context *scontext, | |||
| 488 | avd->auditallow = 0; | 488 | avd->auditallow = 0; |
| 489 | avd->auditdeny = 0xffffffff; | 489 | avd->auditdeny = 0xffffffff; |
| 490 | avd->seqno = latest_granting; | 490 | avd->seqno = latest_granting; |
| 491 | avd->flags = 0; | ||
| 491 | 492 | ||
| 492 | /* | 493 | /* |
| 493 | * Check for all the invalid cases. | 494 | * Check for all the invalid cases. |
| @@ -606,31 +607,6 @@ inval_class: | |||
| 606 | return 0; | 607 | return 0; |
| 607 | } | 608 | } |
| 608 | 609 | ||
| 609 | /* | ||
| 610 | * Given a sid find if the type has the permissive flag set | ||
| 611 | */ | ||
| 612 | int security_permissive_sid(u32 sid) | ||
| 613 | { | ||
| 614 | struct context *context; | ||
| 615 | u32 type; | ||
| 616 | int rc; | ||
| 617 | |||
| 618 | read_lock(&policy_rwlock); | ||
| 619 | |||
| 620 | context = sidtab_search(&sidtab, sid); | ||
| 621 | BUG_ON(!context); | ||
| 622 | |||
| 623 | type = context->type; | ||
| 624 | /* | ||
| 625 | * we are intentionally using type here, not type-1, the 0th bit may | ||
| 626 | * someday indicate that we are globally setting permissive in policy. | ||
| 627 | */ | ||
| 628 | rc = ebitmap_get_bit(&policydb.permissive_map, type); | ||
| 629 | |||
| 630 | read_unlock(&policy_rwlock); | ||
| 631 | return rc; | ||
| 632 | } | ||
| 633 | |||
| 634 | static int security_validtrans_handle_fail(struct context *ocontext, | 610 | static int security_validtrans_handle_fail(struct context *ocontext, |
| 635 | struct context *ncontext, | 611 | struct context *ncontext, |
| 636 | struct context *tcontext, | 612 | struct context *tcontext, |
| @@ -865,6 +841,10 @@ int security_compute_av(u32 ssid, | |||
| 865 | 841 | ||
| 866 | rc = context_struct_compute_av(scontext, tcontext, tclass, | 842 | rc = context_struct_compute_av(scontext, tcontext, tclass, |
| 867 | requested, avd); | 843 | requested, avd); |
| 844 | |||
| 845 | /* permissive domain? */ | ||
| 846 | if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) | ||
| 847 | avd->flags |= AVD_FLAGS_PERMISSIVE; | ||
| 868 | out: | 848 | out: |
| 869 | read_unlock(&policy_rwlock); | 849 | read_unlock(&policy_rwlock); |
| 870 | return rc; | 850 | return rc; |
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index c0eb72013d67..72b18452e1a1 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
| @@ -447,7 +447,7 @@ int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, | |||
| 447 | struct dst_entry *dst; | 447 | struct dst_entry *dst; |
| 448 | int rc = 0; | 448 | int rc = 0; |
| 449 | 449 | ||
| 450 | dst = skb->dst; | 450 | dst = skb_dst(skb); |
| 451 | 451 | ||
| 452 | if (dst) { | 452 | if (dst) { |
| 453 | struct dst_entry *dst_test; | 453 | struct dst_entry *dst_test; |