diff options
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/exports.c | 20 | ||||
-rw-r--r-- | security/selinux/hooks.c | 46 | ||||
-rw-r--r-- | security/selinux/include/xfrm.h | 12 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 18 |
4 files changed, 83 insertions, 13 deletions
diff --git a/security/selinux/exports.c b/security/selinux/exports.c index b6f96943be1f..87d2bb3ea355 100644 --- a/security/selinux/exports.c +++ b/security/selinux/exports.c | |||
@@ -17,10 +17,14 @@ | |||
17 | #include <linux/selinux.h> | 17 | #include <linux/selinux.h> |
18 | #include <linux/fs.h> | 18 | #include <linux/fs.h> |
19 | #include <linux/ipc.h> | 19 | #include <linux/ipc.h> |
20 | #include <asm/atomic.h> | ||
20 | 21 | ||
21 | #include "security.h" | 22 | #include "security.h" |
22 | #include "objsec.h" | 23 | #include "objsec.h" |
23 | 24 | ||
25 | /* SECMARK reference count */ | ||
26 | extern atomic_t selinux_secmark_refcount; | ||
27 | |||
24 | int selinux_sid_to_string(u32 sid, char **ctx, u32 *ctxlen) | 28 | int selinux_sid_to_string(u32 sid, char **ctx, u32 *ctxlen) |
25 | { | 29 | { |
26 | if (selinux_enabled) | 30 | if (selinux_enabled) |
@@ -74,7 +78,7 @@ int selinux_string_to_sid(char *str, u32 *sid) | |||
74 | } | 78 | } |
75 | EXPORT_SYMBOL_GPL(selinux_string_to_sid); | 79 | EXPORT_SYMBOL_GPL(selinux_string_to_sid); |
76 | 80 | ||
77 | int selinux_relabel_packet_permission(u32 sid) | 81 | int selinux_secmark_relabel_packet_permission(u32 sid) |
78 | { | 82 | { |
79 | if (selinux_enabled) { | 83 | if (selinux_enabled) { |
80 | struct task_security_struct *tsec = current->security; | 84 | struct task_security_struct *tsec = current->security; |
@@ -84,4 +88,16 @@ int selinux_relabel_packet_permission(u32 sid) | |||
84 | } | 88 | } |
85 | return 0; | 89 | return 0; |
86 | } | 90 | } |
87 | EXPORT_SYMBOL_GPL(selinux_relabel_packet_permission); | 91 | EXPORT_SYMBOL_GPL(selinux_secmark_relabel_packet_permission); |
92 | |||
93 | void selinux_secmark_refcount_inc(void) | ||
94 | { | ||
95 | atomic_inc(&selinux_secmark_refcount); | ||
96 | } | ||
97 | EXPORT_SYMBOL_GPL(selinux_secmark_refcount_inc); | ||
98 | |||
99 | void selinux_secmark_refcount_dec(void) | ||
100 | { | ||
101 | atomic_dec(&selinux_secmark_refcount); | ||
102 | } | ||
103 | EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec); | ||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index bfe9a05db3a2..6156241c8770 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -51,8 +51,10 @@ | |||
51 | #include <net/ip.h> /* for local_port_range[] */ | 51 | #include <net/ip.h> /* for local_port_range[] */ |
52 | #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ | 52 | #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ |
53 | #include <net/net_namespace.h> | 53 | #include <net/net_namespace.h> |
54 | #include <net/netlabel.h> | ||
54 | #include <asm/uaccess.h> | 55 | #include <asm/uaccess.h> |
55 | #include <asm/ioctls.h> | 56 | #include <asm/ioctls.h> |
57 | #include <asm/atomic.h> | ||
56 | #include <linux/bitops.h> | 58 | #include <linux/bitops.h> |
57 | #include <linux/interrupt.h> | 59 | #include <linux/interrupt.h> |
58 | #include <linux/netdevice.h> /* for network interface checks */ | 60 | #include <linux/netdevice.h> /* for network interface checks */ |
@@ -91,6 +93,9 @@ extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); | |||
91 | extern int selinux_compat_net; | 93 | extern int selinux_compat_net; |
92 | extern struct security_operations *security_ops; | 94 | extern struct security_operations *security_ops; |
93 | 95 | ||
96 | /* SECMARK reference count */ | ||
97 | atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); | ||
98 | |||
94 | #ifdef CONFIG_SECURITY_SELINUX_DEVELOP | 99 | #ifdef CONFIG_SECURITY_SELINUX_DEVELOP |
95 | int selinux_enforcing = 0; | 100 | int selinux_enforcing = 0; |
96 | 101 | ||
@@ -157,6 +162,21 @@ getsecurity_exit: | |||
157 | return len; | 162 | return len; |
158 | } | 163 | } |
159 | 164 | ||
165 | /** | ||
166 | * selinux_secmark_enabled - Check to see if SECMARK is currently enabled | ||
167 | * | ||
168 | * Description: | ||
169 | * This function checks the SECMARK reference counter to see if any SECMARK | ||
170 | * targets are currently configured, if the reference counter is greater than | ||
171 | * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is | ||
172 | * enabled, false (0) if SECMARK is disabled. | ||
173 | * | ||
174 | */ | ||
175 | static int selinux_secmark_enabled(void) | ||
176 | { | ||
177 | return (atomic_read(&selinux_secmark_refcount) > 0); | ||
178 | } | ||
179 | |||
160 | /* Allocate and free functions for each kind of security blob. */ | 180 | /* Allocate and free functions for each kind of security blob. */ |
161 | 181 | ||
162 | static int task_alloc_security(struct task_struct *task) | 182 | static int task_alloc_security(struct task_struct *task) |
@@ -3931,7 +3951,6 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
3931 | struct sk_security_struct *sksec = sk->sk_security; | 3951 | struct sk_security_struct *sksec = sk->sk_security; |
3932 | u16 family = sk->sk_family; | 3952 | u16 family = sk->sk_family; |
3933 | u32 sk_sid = sksec->sid; | 3953 | u32 sk_sid = sksec->sid; |
3934 | u32 peer_sid; | ||
3935 | struct avc_audit_data ad; | 3954 | struct avc_audit_data ad; |
3936 | char *addrp; | 3955 | char *addrp; |
3937 | 3956 | ||
@@ -3957,15 +3976,24 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
3957 | return selinux_sock_rcv_skb_compat(sk, skb, &ad, | 3976 | return selinux_sock_rcv_skb_compat(sk, skb, &ad, |
3958 | family, addrp); | 3977 | family, addrp); |
3959 | 3978 | ||
3960 | err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, | 3979 | if (selinux_secmark_enabled()) { |
3961 | PACKET__RECV, &ad); | 3980 | err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, |
3962 | if (err) | 3981 | PACKET__RECV, &ad); |
3963 | return err; | 3982 | if (err) |
3983 | return err; | ||
3984 | } | ||
3964 | 3985 | ||
3965 | err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); | 3986 | if (netlbl_enabled() || selinux_xfrm_enabled()) { |
3966 | if (err) | 3987 | u32 peer_sid; |
3967 | return err; | 3988 | |
3968 | return avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, PEER__RECV, &ad); | 3989 | err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); |
3990 | if (err) | ||
3991 | return err; | ||
3992 | err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, | ||
3993 | PEER__RECV, &ad); | ||
3994 | } | ||
3995 | |||
3996 | return err; | ||
3969 | } | 3997 | } |
3970 | 3998 | ||
3971 | static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, | 3999 | static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, |
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index 31929e39f5ca..36b0510efa7b 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h | |||
@@ -32,6 +32,13 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk) | |||
32 | } | 32 | } |
33 | 33 | ||
34 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | 34 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
35 | extern atomic_t selinux_xfrm_refcount; | ||
36 | |||
37 | static inline int selinux_xfrm_enabled(void) | ||
38 | { | ||
39 | return (atomic_read(&selinux_xfrm_refcount) > 0); | ||
40 | } | ||
41 | |||
35 | int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, | 42 | int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, |
36 | struct avc_audit_data *ad); | 43 | struct avc_audit_data *ad); |
37 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, | 44 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, |
@@ -43,6 +50,11 @@ static inline void selinux_xfrm_notify_policyload(void) | |||
43 | atomic_inc(&flow_cache_genid); | 50 | atomic_inc(&flow_cache_genid); |
44 | } | 51 | } |
45 | #else | 52 | #else |
53 | static inline int selinux_xfrm_enabled(void) | ||
54 | { | ||
55 | return 0; | ||
56 | } | ||
57 | |||
46 | static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, | 58 | static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, |
47 | struct avc_audit_data *ad) | 59 | struct avc_audit_data *ad) |
48 | { | 60 | { |
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index e07603969033..7e158205d081 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
@@ -46,11 +46,14 @@ | |||
46 | #include <net/checksum.h> | 46 | #include <net/checksum.h> |
47 | #include <net/udp.h> | 47 | #include <net/udp.h> |
48 | #include <asm/semaphore.h> | 48 | #include <asm/semaphore.h> |
49 | #include <asm/atomic.h> | ||
49 | 50 | ||
50 | #include "avc.h" | 51 | #include "avc.h" |
51 | #include "objsec.h" | 52 | #include "objsec.h" |
52 | #include "xfrm.h" | 53 | #include "xfrm.h" |
53 | 54 | ||
55 | /* Labeled XFRM instance counter */ | ||
56 | atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0); | ||
54 | 57 | ||
55 | /* | 58 | /* |
56 | * Returns true if an LSM/SELinux context | 59 | * Returns true if an LSM/SELinux context |
@@ -293,6 +296,9 @@ int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, | |||
293 | BUG_ON(!uctx); | 296 | BUG_ON(!uctx); |
294 | 297 | ||
295 | err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0); | 298 | err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0); |
299 | if (err == 0) | ||
300 | atomic_inc(&selinux_xfrm_refcount); | ||
301 | |||
296 | return err; | 302 | return err; |
297 | } | 303 | } |
298 | 304 | ||
@@ -340,10 +346,13 @@ int selinux_xfrm_policy_delete(struct xfrm_policy *xp) | |||
340 | struct xfrm_sec_ctx *ctx = xp->security; | 346 | struct xfrm_sec_ctx *ctx = xp->security; |
341 | int rc = 0; | 347 | int rc = 0; |
342 | 348 | ||
343 | if (ctx) | 349 | if (ctx) { |
344 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, | 350 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
345 | SECCLASS_ASSOCIATION, | 351 | SECCLASS_ASSOCIATION, |
346 | ASSOCIATION__SETCONTEXT, NULL); | 352 | ASSOCIATION__SETCONTEXT, NULL); |
353 | if (rc == 0) | ||
354 | atomic_dec(&selinux_xfrm_refcount); | ||
355 | } | ||
347 | 356 | ||
348 | return rc; | 357 | return rc; |
349 | } | 358 | } |
@@ -360,6 +369,8 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct | |||
360 | BUG_ON(!x); | 369 | BUG_ON(!x); |
361 | 370 | ||
362 | err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid); | 371 | err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid); |
372 | if (err == 0) | ||
373 | atomic_inc(&selinux_xfrm_refcount); | ||
363 | return err; | 374 | return err; |
364 | } | 375 | } |
365 | 376 | ||
@@ -382,10 +393,13 @@ int selinux_xfrm_state_delete(struct xfrm_state *x) | |||
382 | struct xfrm_sec_ctx *ctx = x->security; | 393 | struct xfrm_sec_ctx *ctx = x->security; |
383 | int rc = 0; | 394 | int rc = 0; |
384 | 395 | ||
385 | if (ctx) | 396 | if (ctx) { |
386 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, | 397 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
387 | SECCLASS_ASSOCIATION, | 398 | SECCLASS_ASSOCIATION, |
388 | ASSOCIATION__SETCONTEXT, NULL); | 399 | ASSOCIATION__SETCONTEXT, NULL); |
400 | if (rc == 0) | ||
401 | atomic_dec(&selinux_xfrm_refcount); | ||
402 | } | ||
389 | 403 | ||
390 | return rc; | 404 | return rc; |
391 | } | 405 | } |