Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/Kconfig | 27 | ||||
-rw-r--r-- | security/selinux/avc.c | 16 | ||||
-rw-r--r-- | security/selinux/hooks.c | 22 | ||||
-rw-r--r-- | security/selinux/include/avc_ss.h | 4 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 16 | ||||
-rw-r--r-- | security/selinux/ss/context.h | 2 |
6 files changed, 33 insertions, 54 deletions
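--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -94,33 +94,6 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
 
 If you are unsure how to answer this question, answer 1.
 
-config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
-bool "NSA SELinux enable new secmark network controls by default"
-depends on SECURITY_SELINUX
-default n
-help
-This option determines whether the new secmark-based network
-controls will be enabled by default. If not, the old internal
-per-packet controls will be enabled by default, preserving
-old behavior.
-
-If you enable the new controls, you will need updated
-SELinux userspace libraries, tools and policy. Typically,
-your distribution will provide these and enable the new controls
-in the kernel they also distribute.
-
-Note that this option can be overridden at boot with the
-selinux_compat_net parameter, and after boot via
-/selinux/compat_net. See Documentation/kernel-parameters.txt
-for details on this parameter.
-
-If you enable the new network controls, you will likely
-also require the SECMARK and CONNSECMARK targets, as
-well as any conntrack helpers for protocols which you
-wish to control.
-
-If you are unsure what to do here, select N.
-
 config SECURITY_SELINUX_POLICYDB_VERSION_MAX
 bool "NSA SELinux maximum supported policy format version"
 depends on SECURITY_SELINUX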
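--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -53,18 +53,20 @@ static const char *class_to_string[] = {
 #undef S_
 
 static const struct av_inherit av_inherit[] = {
-#define S_(c, i, b) { c, common_##i##_perm_to_string, b },
+#define S_(c, i, b) { .tclass = c,\
+.common_pts = common_##i##_perm_to_string,\
+.common_base = b },
 #include "av_inherit.h"
 #undef S_
 };
 
 const struct selinux_class_perm selinux_class_perm = {
-av_perm_to_string,
-ARRAY_SIZE(av_perm_to_string),
-class_to_string,
-ARRAY_SIZE(class_to_string),
-av_inherit,
-ARRAY_SIZE(av_inherit)
+.av_perm_to_string = av_perm_to_string,
+.av_pts_len = ARRAY_SIZE(av_perm_to_string),
+.class_to_string = class_to_string,
+.cts_len = ARRAY_SIZE(class_to_string),
+.av_inherit = av_inherit,
+.av_inherit_len = ARRAY_SIZE(av_inherit)
 };
 
 #define AVC_CACHE_SLOTS 512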
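--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1433,12 +1433,13 @@ static int current_has_perm(const struct task_struct *tsk,
 
 /* Check whether a task is allowed to use a capability. */
 static int task_has_capability(struct task_struct *tsk,
+const struct cred *cred,
 int cap, int audit)
 {
 struct avc_audit_data ad;
 struct av_decision avd;
 u16 sclass;
-u32 sid = task_sid(tsk);
+u32 sid = cred_sid(cred);
 u32 av = CAP_TO_MASK(cap);
 int rc;
 
@@ -1865,15 +1866,16 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 return cred_has_perm(old, new, PROCESS__SETCAP);
 }
 
-static int selinux_capable(struct task_struct *tsk, int cap, int audit)
+static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
+int cap, int audit)
 {
 int rc;
 
-rc = secondary_ops->capable(tsk, cap, audit);
+rc = secondary_ops->capable(tsk, cred, cap, audit);
 if (rc)
 return rc;
 
-return task_has_capability(tsk, cap, audit);
+return task_has_capability(tsk, cred, cap, audit);
 }
 
 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -2037,7 +2039,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
 int rc, cap_sys_admin = 0;
 
-rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
+rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
+SECURITY_CAP_NOAUDIT);
 if (rc == 0)
 cap_sys_admin = 1;
 
@@ -2880,7 +2883,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
 * and lack of permission just means that we fall back to the
 * in-core context value, not a denial.
 */
-error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
+error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
+SECURITY_CAP_NOAUDIT);
 if (!error)
 error = security_sid_to_context_force(isec->sid, &context,
 &size);
@@ -4185,7 +4189,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 u16 family)
 {
-int err;
+int err = 0;
 struct sk_security_struct *sksec = sk->sk_security;
 u32 peer_sid;
 u32 sk_sid = sksec->sid;
@@ -4202,7 +4206,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 if (selinux_compat_net)
 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
 family, addrp);
-else
+else if (selinux_secmark_enabled())
 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
 PACKET__RECV, &ad);
 if (err)
@@ -4705,7 +4709,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
 &ad, family, addrp))
 return NF_DROP;
-} else {
+} else if (selinux_secmark_enabled()) {
 if (avc_has_perm(sksec->sid, skb->secmark,
 SECCLASS_PACKET, PACKET__SEND, &ad))
 return NF_DROP;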
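Review bot: Turning `else` into `else if (selinux_secmark_enabled())` in selinux_sock_rcv_skb_compat (new line 4209) and selinux_ip_postroute_compat (new line 4712) means that with compat_net off and no SECMARK rules loaded neither PACKET__RECV nor PACKET__SEND is checked, and `err` is pre-initialised to 0 at new line 4192 precisely so that this path lets the packet through. That fail-open is presumably the intent (no secmark policy means the packet class is not enforced), but nothing in the code says so, and someone auditing the receive path could read it as a missed check. I would add above the `if (selinux_compat_net)` chain in both functions: `/* Neither compat_net nor SECMARK in use: the packet class is not enforced, so allow. */`. The bodies of both functions extend beyond the hunks shown.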
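--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -17,16 +17,16 @@ struct av_perm_to_string {
 };
 
 struct av_inherit {
-u16 tclass;
 const char **common_pts;
 u32 common_base;
+u16 tclass;
 };
 
 struct selinux_class_perm {
 const struct av_perm_to_string *av_perm_to_string;
 u32 av_pts_len;
-const char **class_to_string;
 u32 cts_len;
+const char **class_to_string;
 const struct av_inherit *av_inherit;
 u32 av_inherit_len;
 };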
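Review bot: The field moves in `struct av_inherit` and `struct selinux_class_perm` (new lines 20–22 and 27–29) carry no comment saying why `tclass` and `class_to_string` change position; from the types it looks like packing (a `u16` directly before a pointer leaves a padding hole, and pairing the two `u32` lengths removes another), but a reader of the header cannot tell that. The avc.c initialisers in this commit are converted to designated form, so only a positional initialiser elsewhere would be silently broken by the reorder — worth a one-line comment on each struct such as `/* field order chosen to avoid padding; initialise by name */`. The same observation applies to the `len` move in security/selinux/ss/context.h.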
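--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -47,13 +47,7 @@ static char *policycap_names[] = {
 
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
 
-#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
-#define SELINUX_COMPAT_NET_VALUE 0
-#else
-#define SELINUX_COMPAT_NET_VALUE 1
-#endif
-
-int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
+int selinux_compat_net = 0;
 
 static int __init checkreqprot_setup(char *str)
 {
@@ -494,7 +488,13 @@ static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
 if (sscanf(page, "%d", &new_value) != 1)
 goto out;
 
-selinux_compat_net = new_value ? 1 : 0;
+if (new_value) {
+printk(KERN_NOTICE
+"SELinux: compat_net is deprecated, please use secmark"
+" instead\n");
+selinux_compat_net = 1;
+} else
+selinux_compat_net = 0;
 length = count;
 out:
 free_page((unsigned long) page);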
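Review bot: The new `if (new_value) { ... } else` at new lines 491–497 braces one arm but not the other; kernel style wants braces on both arms when either needs them, so the tail should read `} else {` / `selinux_compat_net = 0;` / `}`. The KERN_NOTICE deprecation message is also printed on every write that enables the flag, so a userspace component that re-writes the value repeatedly can fill the log with identical lines; a once-only or rate-limited notice would convey the deprecation just as well. sel_write_compat_net starts before this hunk.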
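--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -27,9 +27,9 @@ struct context {
 u32 user;
 u32 role;
 u32 type;
+u32 len; /* length of string in bytes */
 struct mls_range range;
 char *str; /* string representation if context cannot be mapped. */
-u32 len; /* length of string in bytes */
 };
 
 static inline void mls_context_init(struct context *c)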