diff options
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/avc.c | 2 | ||||
-rw-r--r-- | security/selinux/hooks.c | 24 | ||||
-rw-r--r-- | security/selinux/include/security.h | 7 | ||||
-rw-r--r-- | security/selinux/nlmsgtab.c | 2 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 8 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 30 |
6 files changed, 22 insertions, 51 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 7f9b5fac8779..b2ab60859832 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -927,7 +927,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
927 | if (denied) { | 927 | if (denied) { |
928 | if (flags & AVC_STRICT) | 928 | if (flags & AVC_STRICT) |
929 | rc = -EACCES; | 929 | rc = -EACCES; |
930 | else if (!selinux_enforcing || security_permissive_sid(ssid)) | 930 | else if (!selinux_enforcing || (avd->flags & AVD_FLAGS_PERMISSIVE)) |
931 | avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, | 931 | avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, |
932 | tsid, tclass, avd->seqno); | 932 | tsid, tclass, avd->seqno); |
933 | else | 933 | else |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 2fcad7c33eaf..195906bce266 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -1980,10 +1980,6 @@ static int selinux_sysctl(ctl_table *table, int op) | |||
1980 | u32 tsid, sid; | 1980 | u32 tsid, sid; |
1981 | int rc; | 1981 | int rc; |
1982 | 1982 | ||
1983 | rc = secondary_ops->sysctl(table, op); | ||
1984 | if (rc) | ||
1985 | return rc; | ||
1986 | |||
1987 | sid = current_sid(); | 1983 | sid = current_sid(); |
1988 | 1984 | ||
1989 | rc = selinux_sysctl_get_sid(table, (op == 0001) ? | 1985 | rc = selinux_sysctl_get_sid(table, (op == 0001) ? |
@@ -2375,10 +2371,8 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm) | |||
2375 | { | 2371 | { |
2376 | const struct task_security_struct *tsec = current_security(); | 2372 | const struct task_security_struct *tsec = current_security(); |
2377 | struct itimerval itimer; | 2373 | struct itimerval itimer; |
2378 | struct sighand_struct *psig; | ||
2379 | u32 osid, sid; | 2374 | u32 osid, sid; |
2380 | int rc, i; | 2375 | int rc, i; |
2381 | unsigned long flags; | ||
2382 | 2376 | ||
2383 | osid = tsec->osid; | 2377 | osid = tsec->osid; |
2384 | sid = tsec->sid; | 2378 | sid = tsec->sid; |
@@ -2398,22 +2392,20 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm) | |||
2398 | memset(&itimer, 0, sizeof itimer); | 2392 | memset(&itimer, 0, sizeof itimer); |
2399 | for (i = 0; i < 3; i++) | 2393 | for (i = 0; i < 3; i++) |
2400 | do_setitimer(i, &itimer, NULL); | 2394 | do_setitimer(i, &itimer, NULL); |
2401 | flush_signals(current); | ||
2402 | spin_lock_irq(¤t->sighand->siglock); | 2395 | spin_lock_irq(¤t->sighand->siglock); |
2403 | flush_signal_handlers(current, 1); | 2396 | if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) { |
2404 | sigemptyset(¤t->blocked); | 2397 | __flush_signals(current); |
2405 | recalc_sigpending(); | 2398 | flush_signal_handlers(current, 1); |
2399 | sigemptyset(¤t->blocked); | ||
2400 | } | ||
2406 | spin_unlock_irq(¤t->sighand->siglock); | 2401 | spin_unlock_irq(¤t->sighand->siglock); |
2407 | } | 2402 | } |
2408 | 2403 | ||
2409 | /* Wake up the parent if it is waiting so that it can recheck | 2404 | /* Wake up the parent if it is waiting so that it can recheck |
2410 | * wait permission to the new task SID. */ | 2405 | * wait permission to the new task SID. */ |
2411 | read_lock_irq(&tasklist_lock); | 2406 | read_lock(&tasklist_lock); |
2412 | psig = current->parent->sighand; | 2407 | wake_up_interruptible(¤t->real_parent->signal->wait_chldexit); |
2413 | spin_lock_irqsave(&psig->siglock, flags); | 2408 | read_unlock(&tasklist_lock); |
2414 | wake_up_interruptible(¤t->parent->signal->wait_chldexit); | ||
2415 | spin_unlock_irqrestore(&psig->siglock, flags); | ||
2416 | read_unlock_irq(&tasklist_lock); | ||
2417 | } | 2409 | } |
2418 | 2410 | ||
2419 | /* superblock security operations */ | 2411 | /* superblock security operations */ |
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 5c3434f7626f..ca835795a8b3 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -8,14 +8,13 @@ | |||
8 | #ifndef _SELINUX_SECURITY_H_ | 8 | #ifndef _SELINUX_SECURITY_H_ |
9 | #define _SELINUX_SECURITY_H_ | 9 | #define _SELINUX_SECURITY_H_ |
10 | 10 | ||
11 | #include <linux/magic.h> | ||
11 | #include "flask.h" | 12 | #include "flask.h" |
12 | 13 | ||
13 | #define SECSID_NULL 0x00000000 /* unspecified SID */ | 14 | #define SECSID_NULL 0x00000000 /* unspecified SID */ |
14 | #define SECSID_WILD 0xffffffff /* wildcard SID */ | 15 | #define SECSID_WILD 0xffffffff /* wildcard SID */ |
15 | #define SECCLASS_NULL 0x0000 /* no class */ | 16 | #define SECCLASS_NULL 0x0000 /* no class */ |
16 | 17 | ||
17 | #define SELINUX_MAGIC 0xf97cff8c | ||
18 | |||
19 | /* Identify specific policy version changes */ | 18 | /* Identify specific policy version changes */ |
20 | #define POLICYDB_VERSION_BASE 15 | 19 | #define POLICYDB_VERSION_BASE 15 |
21 | #define POLICYDB_VERSION_BOOL 16 | 20 | #define POLICYDB_VERSION_BOOL 16 |
@@ -91,9 +90,11 @@ struct av_decision { | |||
91 | u32 auditallow; | 90 | u32 auditallow; |
92 | u32 auditdeny; | 91 | u32 auditdeny; |
93 | u32 seqno; | 92 | u32 seqno; |
93 | u32 flags; | ||
94 | }; | 94 | }; |
95 | 95 | ||
96 | int security_permissive_sid(u32 sid); | 96 | /* definitions of av_decision.flags */ |
97 | #define AVD_FLAGS_PERMISSIVE 0x0001 | ||
97 | 98 | ||
98 | int security_compute_av(u32 ssid, u32 tsid, | 99 | int security_compute_av(u32 ssid, u32 tsid, |
99 | u16 tclass, u32 requested, | 100 | u16 tclass, u32 requested, |
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index c6875fd3b9d6..dd7cc6de77f9 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c | |||
@@ -112,6 +112,8 @@ static struct nlmsg_perm nlmsg_audit_perms[] = | |||
112 | { AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, | 112 | { AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, |
113 | { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, | 113 | { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, |
114 | { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, | 114 | { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, |
115 | { AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, | ||
116 | { AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, | ||
115 | { AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, | 117 | { AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, |
116 | { AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT }, | 118 | { AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT }, |
117 | }; | 119 | }; |
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 2d5136ec3d54..b4fc506e7a87 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -527,10 +527,10 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) | |||
527 | goto out2; | 527 | goto out2; |
528 | 528 | ||
529 | length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, | 529 | length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, |
530 | "%x %x %x %x %u", | 530 | "%x %x %x %x %u %x", |
531 | avd.allowed, 0xffffffff, | 531 | avd.allowed, 0xffffffff, |
532 | avd.auditallow, avd.auditdeny, | 532 | avd.auditallow, avd.auditdeny, |
533 | avd.seqno); | 533 | avd.seqno, avd.flags); |
534 | out2: | 534 | out2: |
535 | kfree(tcon); | 535 | kfree(tcon); |
536 | out: | 536 | out: |
@@ -803,10 +803,6 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf, | |||
803 | goto out; | 803 | goto out; |
804 | } | 804 | } |
805 | 805 | ||
806 | if (count > PAGE_SIZE) { | ||
807 | ret = -EINVAL; | ||
808 | goto out; | ||
809 | } | ||
810 | page = (char *)get_zeroed_page(GFP_KERNEL); | 806 | page = (char *)get_zeroed_page(GFP_KERNEL); |
811 | if (!page) { | 807 | if (!page) { |
812 | ret = -ENOMEM; | 808 | ret = -ENOMEM; |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index deeec6c013ae..500e6f78e115 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -410,6 +410,7 @@ static int context_struct_compute_av(struct context *scontext, | |||
410 | avd->auditallow = 0; | 410 | avd->auditallow = 0; |
411 | avd->auditdeny = 0xffffffff; | 411 | avd->auditdeny = 0xffffffff; |
412 | avd->seqno = latest_granting; | 412 | avd->seqno = latest_granting; |
413 | avd->flags = 0; | ||
413 | 414 | ||
414 | /* | 415 | /* |
415 | * Check for all the invalid cases. | 416 | * Check for all the invalid cases. |
@@ -528,31 +529,6 @@ inval_class: | |||
528 | return 0; | 529 | return 0; |
529 | } | 530 | } |
530 | 531 | ||
531 | /* | ||
532 | * Given a sid find if the type has the permissive flag set | ||
533 | */ | ||
534 | int security_permissive_sid(u32 sid) | ||
535 | { | ||
536 | struct context *context; | ||
537 | u32 type; | ||
538 | int rc; | ||
539 | |||
540 | read_lock(&policy_rwlock); | ||
541 | |||
542 | context = sidtab_search(&sidtab, sid); | ||
543 | BUG_ON(!context); | ||
544 | |||
545 | type = context->type; | ||
546 | /* | ||
547 | * we are intentionally using type here, not type-1, the 0th bit may | ||
548 | * someday indicate that we are globally setting permissive in policy. | ||
549 | */ | ||
550 | rc = ebitmap_get_bit(&policydb.permissive_map, type); | ||
551 | |||
552 | read_unlock(&policy_rwlock); | ||
553 | return rc; | ||
554 | } | ||
555 | |||
556 | static int security_validtrans_handle_fail(struct context *ocontext, | 532 | static int security_validtrans_handle_fail(struct context *ocontext, |
557 | struct context *ncontext, | 533 | struct context *ncontext, |
558 | struct context *tcontext, | 534 | struct context *tcontext, |
@@ -767,6 +743,10 @@ int security_compute_av(u32 ssid, | |||
767 | 743 | ||
768 | rc = context_struct_compute_av(scontext, tcontext, tclass, | 744 | rc = context_struct_compute_av(scontext, tcontext, tclass, |
769 | requested, avd); | 745 | requested, avd); |
746 | |||
747 | /* permissive domain? */ | ||
748 | if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) | ||
749 | avd->flags |= AVD_FLAGS_PERMISSIVE; | ||
770 | out: | 750 | out: |
771 | read_unlock(&policy_rwlock); | 751 | read_unlock(&policy_rwlock); |
772 | return rc; | 752 | return rc; |