aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/Kconfig27
-rw-r--r--security/selinux/avc.c16
-rw-r--r--security/selinux/hooks.c22
-rw-r--r--security/selinux/include/avc_ss.h4
-rw-r--r--security/selinux/selinuxfs.c16
-rw-r--r--security/selinux/ss/context.h2
6 files changed, 33 insertions, 54 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 26301dd651d3..bca1b74a4a2f 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -94,33 +94,6 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
94 94
95 If you are unsure how to answer this question, answer 1. 95 If you are unsure how to answer this question, answer 1.
96 96
97config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
98 bool "NSA SELinux enable new secmark network controls by default"
99 depends on SECURITY_SELINUX
100 default n
101 help
102 This option determines whether the new secmark-based network
103 controls will be enabled by default. If not, the old internal
104 per-packet controls will be enabled by default, preserving
105 old behavior.
106
107 If you enable the new controls, you will need updated
108 SELinux userspace libraries, tools and policy. Typically,
109 your distribution will provide these and enable the new controls
110 in the kernel they also distribute.
111
112 Note that this option can be overridden at boot with the
113 selinux_compat_net parameter, and after boot via
114 /selinux/compat_net. See Documentation/kernel-parameters.txt
115 for details on this parameter.
116
117 If you enable the new network controls, you will likely
118 also require the SECMARK and CONNSECMARK targets, as
119 well as any conntrack helpers for protocols which you
120 wish to control.
121
122 If you are unsure what to do here, select N.
123
124config SECURITY_SELINUX_POLICYDB_VERSION_MAX 97config SECURITY_SELINUX_POLICYDB_VERSION_MAX
125 bool "NSA SELinux maximum supported policy format version" 98 bool "NSA SELinux maximum supported policy format version"
126 depends on SECURITY_SELINUX 99 depends on SECURITY_SELINUX
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index d43bd6baeeaa..eb41f43e2772 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -53,18 +53,20 @@ static const char *class_to_string[] = {
53#undef S_ 53#undef S_
54 54
55static const struct av_inherit av_inherit[] = { 55static const struct av_inherit av_inherit[] = {
56#define S_(c, i, b) { c, common_##i##_perm_to_string, b }, 56#define S_(c, i, b) { .tclass = c,\
57 .common_pts = common_##i##_perm_to_string,\
58 .common_base = b },
57#include "av_inherit.h" 59#include "av_inherit.h"
58#undef S_ 60#undef S_
59}; 61};
60 62
61const struct selinux_class_perm selinux_class_perm = { 63const struct selinux_class_perm selinux_class_perm = {
62 av_perm_to_string, 64 .av_perm_to_string = av_perm_to_string,
63 ARRAY_SIZE(av_perm_to_string), 65 .av_pts_len = ARRAY_SIZE(av_perm_to_string),
64 class_to_string, 66 .class_to_string = class_to_string,
65 ARRAY_SIZE(class_to_string), 67 .cts_len = ARRAY_SIZE(class_to_string),
66 av_inherit, 68 .av_inherit = av_inherit,
67 ARRAY_SIZE(av_inherit) 69 .av_inherit_len = ARRAY_SIZE(av_inherit)
68}; 70};
69 71
70#define AVC_CACHE_SLOTS 512 72#define AVC_CACHE_SLOTS 512
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index dbeaa783b2a9..00815973d412 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1433,12 +1433,13 @@ static int current_has_perm(const struct task_struct *tsk,
1433 1433
1434/* Check whether a task is allowed to use a capability. */ 1434/* Check whether a task is allowed to use a capability. */
1435static int task_has_capability(struct task_struct *tsk, 1435static int task_has_capability(struct task_struct *tsk,
1436 const struct cred *cred,
1436 int cap, int audit) 1437 int cap, int audit)
1437{ 1438{
1438 struct avc_audit_data ad; 1439 struct avc_audit_data ad;
1439 struct av_decision avd; 1440 struct av_decision avd;
1440 u16 sclass; 1441 u16 sclass;
1441 u32 sid = task_sid(tsk); 1442 u32 sid = cred_sid(cred);
1442 u32 av = CAP_TO_MASK(cap); 1443 u32 av = CAP_TO_MASK(cap);
1443 int rc; 1444 int rc;
1444 1445
@@ -1865,15 +1866,16 @@ static int selinux_capset(struct cred *new, const struct cred *old,
1865 return cred_has_perm(old, new, PROCESS__SETCAP); 1866 return cred_has_perm(old, new, PROCESS__SETCAP);
1866} 1867}
1867 1868
1868static int selinux_capable(struct task_struct *tsk, int cap, int audit) 1869static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1870 int cap, int audit)
1869{ 1871{
1870 int rc; 1872 int rc;
1871 1873
1872 rc = secondary_ops->capable(tsk, cap, audit); 1874 rc = secondary_ops->capable(tsk, cred, cap, audit);
1873 if (rc) 1875 if (rc)
1874 return rc; 1876 return rc;
1875 1877
1876 return task_has_capability(tsk, cap, audit); 1878 return task_has_capability(tsk, cred, cap, audit);
1877} 1879}
1878 1880
1879static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1881static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -2037,7 +2039,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2037{ 2039{
2038 int rc, cap_sys_admin = 0; 2040 int rc, cap_sys_admin = 0;
2039 2041
2040 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT); 2042 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2043 SECURITY_CAP_NOAUDIT);
2041 if (rc == 0) 2044 if (rc == 0)
2042 cap_sys_admin = 1; 2045 cap_sys_admin = 1;
2043 2046
@@ -2880,7 +2883,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2880 * and lack of permission just means that we fall back to the 2883 * and lack of permission just means that we fall back to the
2881 * in-core context value, not a denial. 2884 * in-core context value, not a denial.
2882 */ 2885 */
2883 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT); 2886 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2887 SECURITY_CAP_NOAUDIT);
2884 if (!error) 2888 if (!error)
2885 error = security_sid_to_context_force(isec->sid, &context, 2889 error = security_sid_to_context_force(isec->sid, &context,
2886 &size); 2890 &size);
@@ -4185,7 +4189,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4185static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4189static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4186 u16 family) 4190 u16 family)
4187{ 4191{
4188 int err; 4192 int err = 0;
4189 struct sk_security_struct *sksec = sk->sk_security; 4193 struct sk_security_struct *sksec = sk->sk_security;
4190 u32 peer_sid; 4194 u32 peer_sid;
4191 u32 sk_sid = sksec->sid; 4195 u32 sk_sid = sksec->sid;
@@ -4202,7 +4206,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4202 if (selinux_compat_net) 4206 if (selinux_compat_net)
4203 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad, 4207 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4204 family, addrp); 4208 family, addrp);
4205 else 4209 else if (selinux_secmark_enabled())
4206 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4210 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4207 PACKET__RECV, &ad); 4211 PACKET__RECV, &ad);
4208 if (err) 4212 if (err)
@@ -4705,7 +4709,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4705 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, 4709 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4706 &ad, family, addrp)) 4710 &ad, family, addrp))
4707 return NF_DROP; 4711 return NF_DROP;
4708 } else { 4712 } else if (selinux_secmark_enabled()) {
4709 if (avc_has_perm(sksec->sid, skb->secmark, 4713 if (avc_has_perm(sksec->sid, skb->secmark,
4710 SECCLASS_PACKET, PACKET__SEND, &ad)) 4714 SECCLASS_PACKET, PACKET__SEND, &ad))
4711 return NF_DROP; 4715 return NF_DROP;
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index c0d314d9f8e1..bb1ec801bdfe 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -17,16 +17,16 @@ struct av_perm_to_string {
17}; 17};
18 18
19struct av_inherit { 19struct av_inherit {
20 u16 tclass;
21 const char **common_pts; 20 const char **common_pts;
22 u32 common_base; 21 u32 common_base;
22 u16 tclass;
23}; 23};
24 24
25struct selinux_class_perm { 25struct selinux_class_perm {
26 const struct av_perm_to_string *av_perm_to_string; 26 const struct av_perm_to_string *av_perm_to_string;
27 u32 av_pts_len; 27 u32 av_pts_len;
28 const char **class_to_string;
29 u32 cts_len; 28 u32 cts_len;
29 const char **class_to_string;
30 const struct av_inherit *av_inherit; 30 const struct av_inherit *av_inherit;
31 u32 av_inherit_len; 31 u32 av_inherit_len;
32}; 32};
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 8f612c8becb5..01ec6d2c6b97 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -47,13 +47,7 @@ static char *policycap_names[] = {
47 47
48unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 48unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
49 49
50#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT 50int selinux_compat_net = 0;
51#define SELINUX_COMPAT_NET_VALUE 0
52#else
53#define SELINUX_COMPAT_NET_VALUE 1
54#endif
55
56int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
57 51
58static int __init checkreqprot_setup(char *str) 52static int __init checkreqprot_setup(char *str)
59{ 53{
@@ -494,7 +488,13 @@ static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
494 if (sscanf(page, "%d", &new_value) != 1) 488 if (sscanf(page, "%d", &new_value) != 1)
495 goto out; 489 goto out;
496 490
497 selinux_compat_net = new_value ? 1 : 0; 491 if (new_value) {
492 printk(KERN_NOTICE
493 "SELinux: compat_net is deprecated, please use secmark"
494 " instead\n");
495 selinux_compat_net = 1;
496 } else
497 selinux_compat_net = 0;
498 length = count; 498 length = count;
499out: 499out:
500 free_page((unsigned long) page); 500 free_page((unsigned long) page);
diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
index 658c2bd17da8..d9dd7a2f6a8a 100644
--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -27,9 +27,9 @@ struct context {
27 u32 user; 27 u32 user;
28 u32 role; 28 u32 role;
29 u32 type; 29 u32 type;
30 u32 len; /* length of string in bytes */
30 struct mls_range range; 31 struct mls_range range;
31 char *str; /* string representation if context cannot be mapped. */ 32 char *str; /* string representation if context cannot be mapped. */
32 u32 len; /* length of string in bytes */
33}; 33};
34 34
35static inline void mls_context_init(struct context *c) 35static inline void mls_context_init(struct context *c)