diff options
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/avc.c | 76 | ||||
-rw-r--r-- | security/selinux/include/av_inherit.h | 34 | ||||
-rw-r--r-- | security/selinux/include/av_perm_to_string.h | 183 | ||||
-rw-r--r-- | security/selinux/include/av_permissions.h | 44 | ||||
-rw-r--r-- | security/selinux/include/avc_ss.h | 21 | ||||
-rw-r--r-- | security/selinux/include/class_to_string.h | 80 | ||||
-rw-r--r-- | security/selinux/include/classmap.h | 150 | ||||
-rw-r--r-- | security/selinux/include/common_perm_to_string.h | 58 | ||||
-rw-r--r-- | security/selinux/include/flask.h | 40 | ||||
-rw-r--r-- | security/selinux/include/security.h | 13 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 4 | ||||
-rw-r--r-- | security/selinux/ss/mls.c | 2 | ||||
-rw-r--r-- | security/selinux/ss/policydb.c | 47 | ||||
-rw-r--r-- | security/selinux/ss/policydb.h | 7 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 540 |
15 files changed, 555 insertions, 744 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index b4b5da1c0a42..18f4103e02b7 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -31,43 +31,7 @@ | |||
31 | #include <net/ipv6.h> | 31 | #include <net/ipv6.h> |
32 | #include "avc.h" | 32 | #include "avc.h" |
33 | #include "avc_ss.h" | 33 | #include "avc_ss.h" |
34 | 34 | #include "classmap.h" | |
35 | static const struct av_perm_to_string av_perm_to_string[] = { | ||
36 | #define S_(c, v, s) { c, v, s }, | ||
37 | #include "av_perm_to_string.h" | ||
38 | #undef S_ | ||
39 | }; | ||
40 | |||
41 | static const char *class_to_string[] = { | ||
42 | #define S_(s) s, | ||
43 | #include "class_to_string.h" | ||
44 | #undef S_ | ||
45 | }; | ||
46 | |||
47 | #define TB_(s) static const char *s[] = { | ||
48 | #define TE_(s) }; | ||
49 | #define S_(s) s, | ||
50 | #include "common_perm_to_string.h" | ||
51 | #undef TB_ | ||
52 | #undef TE_ | ||
53 | #undef S_ | ||
54 | |||
55 | static const struct av_inherit av_inherit[] = { | ||
56 | #define S_(c, i, b) { .tclass = c,\ | ||
57 | .common_pts = common_##i##_perm_to_string,\ | ||
58 | .common_base = b }, | ||
59 | #include "av_inherit.h" | ||
60 | #undef S_ | ||
61 | }; | ||
62 | |||
63 | const struct selinux_class_perm selinux_class_perm = { | ||
64 | .av_perm_to_string = av_perm_to_string, | ||
65 | .av_pts_len = ARRAY_SIZE(av_perm_to_string), | ||
66 | .class_to_string = class_to_string, | ||
67 | .cts_len = ARRAY_SIZE(class_to_string), | ||
68 | .av_inherit = av_inherit, | ||
69 | .av_inherit_len = ARRAY_SIZE(av_inherit) | ||
70 | }; | ||
71 | 35 | ||
72 | #define AVC_CACHE_SLOTS 512 | 36 | #define AVC_CACHE_SLOTS 512 |
73 | #define AVC_DEF_CACHE_THRESHOLD 512 | 37 | #define AVC_DEF_CACHE_THRESHOLD 512 |
@@ -139,52 +103,28 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) | |||
139 | */ | 103 | */ |
140 | static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) | 104 | static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) |
141 | { | 105 | { |
142 | const char **common_pts = NULL; | 106 | const char **perms; |
143 | u32 common_base = 0; | 107 | int i, perm; |
144 | int i, i2, perm; | ||
145 | 108 | ||
146 | if (av == 0) { | 109 | if (av == 0) { |
147 | audit_log_format(ab, " null"); | 110 | audit_log_format(ab, " null"); |
148 | return; | 111 | return; |
149 | } | 112 | } |
150 | 113 | ||
151 | for (i = 0; i < ARRAY_SIZE(av_inherit); i++) { | 114 | perms = secclass_map[tclass-1].perms; |
152 | if (av_inherit[i].tclass == tclass) { | ||
153 | common_pts = av_inherit[i].common_pts; | ||
154 | common_base = av_inherit[i].common_base; | ||
155 | break; | ||
156 | } | ||
157 | } | ||
158 | 115 | ||
159 | audit_log_format(ab, " {"); | 116 | audit_log_format(ab, " {"); |
160 | i = 0; | 117 | i = 0; |
161 | perm = 1; | 118 | perm = 1; |
162 | while (perm < common_base) { | 119 | while (i < (sizeof(av) * 8)) { |
163 | if (perm & av) { | 120 | if (perm & av) { |
164 | audit_log_format(ab, " %s", common_pts[i]); | 121 | audit_log_format(ab, " %s", perms[i]); |
165 | av &= ~perm; | 122 | av &= ~perm; |
166 | } | 123 | } |
167 | i++; | 124 | i++; |
168 | perm <<= 1; | 125 | perm <<= 1; |
169 | } | 126 | } |
170 | 127 | ||
171 | while (i < sizeof(av) * 8) { | ||
172 | if (perm & av) { | ||
173 | for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) { | ||
174 | if ((av_perm_to_string[i2].tclass == tclass) && | ||
175 | (av_perm_to_string[i2].value == perm)) | ||
176 | break; | ||
177 | } | ||
178 | if (i2 < ARRAY_SIZE(av_perm_to_string)) { | ||
179 | audit_log_format(ab, " %s", | ||
180 | av_perm_to_string[i2].name); | ||
181 | av &= ~perm; | ||
182 | } | ||
183 | } | ||
184 | i++; | ||
185 | perm <<= 1; | ||
186 | } | ||
187 | |||
188 | if (av) | 128 | if (av) |
189 | audit_log_format(ab, " 0x%x", av); | 129 | audit_log_format(ab, " 0x%x", av); |
190 | 130 | ||
@@ -219,8 +159,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla | |||
219 | kfree(scontext); | 159 | kfree(scontext); |
220 | } | 160 | } |
221 | 161 | ||
222 | BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]); | 162 | BUG_ON(tclass >= ARRAY_SIZE(secclass_map)); |
223 | audit_log_format(ab, " tclass=%s", class_to_string[tclass]); | 163 | audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); |
224 | } | 164 | } |
225 | 165 | ||
226 | /** | 166 | /** |
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h deleted file mode 100644 index abedcd704dae..000000000000 --- a/security/selinux/include/av_inherit.h +++ /dev/null | |||
@@ -1,34 +0,0 @@ | |||
1 | /* This file is automatically generated. Do not edit. */ | ||
2 | S_(SECCLASS_DIR, file, 0x00020000UL) | ||
3 | S_(SECCLASS_FILE, file, 0x00020000UL) | ||
4 | S_(SECCLASS_LNK_FILE, file, 0x00020000UL) | ||
5 | S_(SECCLASS_CHR_FILE, file, 0x00020000UL) | ||
6 | S_(SECCLASS_BLK_FILE, file, 0x00020000UL) | ||
7 | S_(SECCLASS_SOCK_FILE, file, 0x00020000UL) | ||
8 | S_(SECCLASS_FIFO_FILE, file, 0x00020000UL) | ||
9 | S_(SECCLASS_SOCKET, socket, 0x00400000UL) | ||
10 | S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL) | ||
11 | S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL) | ||
12 | S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL) | ||
13 | S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL) | ||
14 | S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL) | ||
15 | S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL) | ||
16 | S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL) | ||
17 | S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL) | ||
18 | S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL) | ||
19 | S_(SECCLASS_IPC, ipc, 0x00000200UL) | ||
20 | S_(SECCLASS_SEM, ipc, 0x00000200UL) | ||
21 | S_(SECCLASS_MSGQ, ipc, 0x00000200UL) | ||
22 | S_(SECCLASS_SHM, ipc, 0x00000200UL) | ||
23 | S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL) | ||
24 | S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL) | ||
25 | S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL) | ||
26 | S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL) | ||
27 | S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL) | ||
28 | S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL) | ||
29 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL) | ||
30 | S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL) | ||
31 | S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL) | ||
32 | S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL) | ||
33 | S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL) | ||
34 | S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL) | ||
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h deleted file mode 100644 index 2b683ad83d21..000000000000 --- a/security/selinux/include/av_perm_to_string.h +++ /dev/null | |||
@@ -1,183 +0,0 @@ | |||
1 | /* This file is automatically generated. Do not edit. */ | ||
2 | S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount") | ||
3 | S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount") | ||
4 | S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount") | ||
5 | S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr") | ||
6 | S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom") | ||
7 | S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto") | ||
8 | S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition") | ||
9 | S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate") | ||
10 | S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod") | ||
11 | S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget") | ||
12 | S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name") | ||
13 | S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name") | ||
14 | S_(SECCLASS_DIR, DIR__REPARENT, "reparent") | ||
15 | S_(SECCLASS_DIR, DIR__SEARCH, "search") | ||
16 | S_(SECCLASS_DIR, DIR__RMDIR, "rmdir") | ||
17 | S_(SECCLASS_DIR, DIR__OPEN, "open") | ||
18 | S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans") | ||
19 | S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint") | ||
20 | S_(SECCLASS_FILE, FILE__EXECMOD, "execmod") | ||
21 | S_(SECCLASS_FILE, FILE__OPEN, "open") | ||
22 | S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans") | ||
23 | S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint") | ||
24 | S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod") | ||
25 | S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open") | ||
26 | S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open") | ||
27 | S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open") | ||
28 | S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open") | ||
29 | S_(SECCLASS_FD, FD__USE, "use") | ||
30 | S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto") | ||
31 | S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn") | ||
32 | S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom") | ||
33 | S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind") | ||
34 | S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect") | ||
35 | S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind") | ||
36 | S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind") | ||
37 | S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv") | ||
38 | S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send") | ||
39 | S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv") | ||
40 | S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send") | ||
41 | S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv") | ||
42 | S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send") | ||
43 | S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest") | ||
44 | S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv") | ||
45 | S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send") | ||
46 | S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom") | ||
47 | S_(SECCLASS_NODE, NODE__SENDTO, "sendto") | ||
48 | S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv") | ||
49 | S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send") | ||
50 | S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv") | ||
51 | S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send") | ||
52 | S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv") | ||
53 | S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send") | ||
54 | S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv") | ||
55 | S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send") | ||
56 | S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress") | ||
57 | S_(SECCLASS_NETIF, NETIF__EGRESS, "egress") | ||
58 | S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto") | ||
59 | S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn") | ||
60 | S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom") | ||
61 | S_(SECCLASS_PROCESS, PROCESS__FORK, "fork") | ||
62 | S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition") | ||
63 | S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld") | ||
64 | S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill") | ||
65 | S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop") | ||
66 | S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull") | ||
67 | S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal") | ||
68 | S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace") | ||
69 | S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched") | ||
70 | S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched") | ||
71 | S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession") | ||
72 | S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid") | ||
73 | S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid") | ||
74 | S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap") | ||
75 | S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap") | ||
76 | S_(SECCLASS_PROCESS, PROCESS__SHARE, "share") | ||
77 | S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr") | ||
78 | S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec") | ||
79 | S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate") | ||
80 | S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure") | ||
81 | S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh") | ||
82 | S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit") | ||
83 | S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh") | ||
84 | S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition") | ||
85 | S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent") | ||
86 | S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") | ||
87 | S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack") | ||
88 | S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap") | ||
89 | S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate") | ||
90 | S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate") | ||
91 | S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") | ||
92 | S_(SECCLASS_MSG, MSG__SEND, "send") | ||
93 | S_(SECCLASS_MSG, MSG__RECEIVE, "receive") | ||
94 | S_(SECCLASS_SHM, SHM__LOCK, "lock") | ||
95 | S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av") | ||
96 | S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create") | ||
97 | S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member") | ||
98 | S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context") | ||
99 | S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy") | ||
100 | S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel") | ||
101 | S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user") | ||
102 | S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce") | ||
103 | S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool") | ||
104 | S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam") | ||
105 | S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot") | ||
106 | S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info") | ||
107 | S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read") | ||
108 | S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod") | ||
109 | S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console") | ||
110 | S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request") | ||
111 | S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown") | ||
112 | S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override") | ||
113 | S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search") | ||
114 | S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner") | ||
115 | S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid") | ||
116 | S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill") | ||
117 | S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid") | ||
118 | S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid") | ||
119 | S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap") | ||
120 | S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable") | ||
121 | S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service") | ||
122 | S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast") | ||
123 | S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin") | ||
124 | S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw") | ||
125 | S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock") | ||
126 | S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner") | ||
127 | S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module") | ||
128 | S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio") | ||
129 | S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot") | ||
130 | S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace") | ||
131 | S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct") | ||
132 | S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin") | ||
133 | S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot") | ||
134 | S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice") | ||
135 | S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource") | ||
136 | S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time") | ||
137 | S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config") | ||
138 | S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod") | ||
139 | S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease") | ||
140 | S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write") | ||
141 | S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control") | ||
142 | S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap") | ||
143 | S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override") | ||
144 | S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin") | ||
145 | S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read") | ||
146 | S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write") | ||
147 | S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read") | ||
148 | S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write") | ||
149 | S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read") | ||
150 | S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write") | ||
151 | S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read") | ||
152 | S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write") | ||
153 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read") | ||
154 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write") | ||
155 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay") | ||
156 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv") | ||
157 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit") | ||
158 | S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read") | ||
159 | S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write") | ||
160 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto") | ||
161 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom") | ||
162 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext") | ||
163 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch") | ||
164 | S_(SECCLASS_PACKET, PACKET__SEND, "send") | ||
165 | S_(SECCLASS_PACKET, PACKET__RECV, "recv") | ||
166 | S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto") | ||
167 | S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in") | ||
168 | S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out") | ||
169 | S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in") | ||
170 | S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out") | ||
171 | S_(SECCLASS_KEY, KEY__VIEW, "view") | ||
172 | S_(SECCLASS_KEY, KEY__READ, "read") | ||
173 | S_(SECCLASS_KEY, KEY__WRITE, "write") | ||
174 | S_(SECCLASS_KEY, KEY__SEARCH, "search") | ||
175 | S_(SECCLASS_KEY, KEY__LINK, "link") | ||
176 | S_(SECCLASS_KEY, KEY__SETATTR, "setattr") | ||
177 | S_(SECCLASS_KEY, KEY__CREATE, "create") | ||
178 | S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind") | ||
179 | S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect") | ||
180 | S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero") | ||
181 | S_(SECCLASS_PEER, PEER__RECV, "recv") | ||
182 | S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override") | ||
183 | S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as") | ||
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index 0546d616ccac..fef2582b734d 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h | |||
@@ -423,28 +423,6 @@ | |||
423 | #define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL | 423 | #define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL |
424 | #define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL | 424 | #define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL |
425 | #define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL | 425 | #define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL |
426 | #define TUN_SOCKET__IOCTL 0x00000001UL | ||
427 | #define TUN_SOCKET__READ 0x00000002UL | ||
428 | #define TUN_SOCKET__WRITE 0x00000004UL | ||
429 | #define TUN_SOCKET__CREATE 0x00000008UL | ||
430 | #define TUN_SOCKET__GETATTR 0x00000010UL | ||
431 | #define TUN_SOCKET__SETATTR 0x00000020UL | ||
432 | #define TUN_SOCKET__LOCK 0x00000040UL | ||
433 | #define TUN_SOCKET__RELABELFROM 0x00000080UL | ||
434 | #define TUN_SOCKET__RELABELTO 0x00000100UL | ||
435 | #define TUN_SOCKET__APPEND 0x00000200UL | ||
436 | #define TUN_SOCKET__BIND 0x00000400UL | ||
437 | #define TUN_SOCKET__CONNECT 0x00000800UL | ||
438 | #define TUN_SOCKET__LISTEN 0x00001000UL | ||
439 | #define TUN_SOCKET__ACCEPT 0x00002000UL | ||
440 | #define TUN_SOCKET__GETOPT 0x00004000UL | ||
441 | #define TUN_SOCKET__SETOPT 0x00008000UL | ||
442 | #define TUN_SOCKET__SHUTDOWN 0x00010000UL | ||
443 | #define TUN_SOCKET__RECVFROM 0x00020000UL | ||
444 | #define TUN_SOCKET__SENDTO 0x00040000UL | ||
445 | #define TUN_SOCKET__RECV_MSG 0x00080000UL | ||
446 | #define TUN_SOCKET__SEND_MSG 0x00100000UL | ||
447 | #define TUN_SOCKET__NAME_BIND 0x00200000UL | ||
448 | #define PROCESS__FORK 0x00000001UL | 426 | #define PROCESS__FORK 0x00000001UL |
449 | #define PROCESS__TRANSITION 0x00000002UL | 427 | #define PROCESS__TRANSITION 0x00000002UL |
450 | #define PROCESS__SIGCHLD 0x00000004UL | 428 | #define PROCESS__SIGCHLD 0x00000004UL |
@@ -868,3 +846,25 @@ | |||
868 | #define PEER__RECV 0x00000001UL | 846 | #define PEER__RECV 0x00000001UL |
869 | #define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL | 847 | #define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL |
870 | #define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL | 848 | #define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL |
849 | #define TUN_SOCKET__IOCTL 0x00000001UL | ||
850 | #define TUN_SOCKET__READ 0x00000002UL | ||
851 | #define TUN_SOCKET__WRITE 0x00000004UL | ||
852 | #define TUN_SOCKET__CREATE 0x00000008UL | ||
853 | #define TUN_SOCKET__GETATTR 0x00000010UL | ||
854 | #define TUN_SOCKET__SETATTR 0x00000020UL | ||
855 | #define TUN_SOCKET__LOCK 0x00000040UL | ||
856 | #define TUN_SOCKET__RELABELFROM 0x00000080UL | ||
857 | #define TUN_SOCKET__RELABELTO 0x00000100UL | ||
858 | #define TUN_SOCKET__APPEND 0x00000200UL | ||
859 | #define TUN_SOCKET__BIND 0x00000400UL | ||
860 | #define TUN_SOCKET__CONNECT 0x00000800UL | ||
861 | #define TUN_SOCKET__LISTEN 0x00001000UL | ||
862 | #define TUN_SOCKET__ACCEPT 0x00002000UL | ||
863 | #define TUN_SOCKET__GETOPT 0x00004000UL | ||
864 | #define TUN_SOCKET__SETOPT 0x00008000UL | ||
865 | #define TUN_SOCKET__SHUTDOWN 0x00010000UL | ||
866 | #define TUN_SOCKET__RECVFROM 0x00020000UL | ||
867 | #define TUN_SOCKET__SENDTO 0x00040000UL | ||
868 | #define TUN_SOCKET__RECV_MSG 0x00080000UL | ||
869 | #define TUN_SOCKET__SEND_MSG 0x00100000UL | ||
870 | #define TUN_SOCKET__NAME_BIND 0x00200000UL | ||
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h index bb1ec801bdfe..4677aa519b04 100644 --- a/security/selinux/include/avc_ss.h +++ b/security/selinux/include/avc_ss.h | |||
@@ -10,26 +10,13 @@ | |||
10 | 10 | ||
11 | int avc_ss_reset(u32 seqno); | 11 | int avc_ss_reset(u32 seqno); |
12 | 12 | ||
13 | struct av_perm_to_string { | 13 | /* Class/perm mapping support */ |
14 | u16 tclass; | 14 | struct security_class_mapping { |
15 | u32 value; | ||
16 | const char *name; | 15 | const char *name; |
16 | const char *perms[sizeof(u32) * 8 + 1]; | ||
17 | }; | 17 | }; |
18 | 18 | ||
19 | struct av_inherit { | 19 | extern struct security_class_mapping secclass_map[]; |
20 | const char **common_pts; | ||
21 | u32 common_base; | ||
22 | u16 tclass; | ||
23 | }; | ||
24 | |||
25 | struct selinux_class_perm { | ||
26 | const struct av_perm_to_string *av_perm_to_string; | ||
27 | u32 av_pts_len; | ||
28 | u32 cts_len; | ||
29 | const char **class_to_string; | ||
30 | const struct av_inherit *av_inherit; | ||
31 | u32 av_inherit_len; | ||
32 | }; | ||
33 | 20 | ||
34 | #endif /* _SELINUX_AVC_SS_H_ */ | 21 | #endif /* _SELINUX_AVC_SS_H_ */ |
35 | 22 | ||
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h deleted file mode 100644 index 7ab9299bfb6b..000000000000 --- a/security/selinux/include/class_to_string.h +++ /dev/null | |||
@@ -1,80 +0,0 @@ | |||
1 | /* This file is automatically generated. Do not edit. */ | ||
2 | /* | ||
3 | * Security object class definitions | ||
4 | */ | ||
5 | S_(NULL) | ||
6 | S_("security") | ||
7 | S_("process") | ||
8 | S_("system") | ||
9 | S_("capability") | ||
10 | S_("filesystem") | ||
11 | S_("file") | ||
12 | S_("dir") | ||
13 | S_("fd") | ||
14 | S_("lnk_file") | ||
15 | S_("chr_file") | ||
16 | S_("blk_file") | ||
17 | S_("sock_file") | ||
18 | S_("fifo_file") | ||
19 | S_("socket") | ||
20 | S_("tcp_socket") | ||
21 | S_("udp_socket") | ||
22 | S_("rawip_socket") | ||
23 | S_("node") | ||
24 | S_("netif") | ||
25 | S_("netlink_socket") | ||
26 | S_("packet_socket") | ||
27 | S_("key_socket") | ||
28 | S_("unix_stream_socket") | ||
29 | S_("unix_dgram_socket") | ||
30 | S_("sem") | ||
31 | S_("msg") | ||
32 | S_("msgq") | ||
33 | S_("shm") | ||
34 | S_("ipc") | ||
35 | S_(NULL) | ||
36 | S_(NULL) | ||
37 | S_(NULL) | ||
38 | S_(NULL) | ||
39 | S_(NULL) | ||
40 | S_(NULL) | ||
41 | S_(NULL) | ||
42 | S_(NULL) | ||
43 | S_(NULL) | ||
44 | S_(NULL) | ||
45 | S_(NULL) | ||
46 | S_(NULL) | ||
47 | S_(NULL) | ||
48 | S_("netlink_route_socket") | ||
49 | S_("netlink_firewall_socket") | ||
50 | S_("netlink_tcpdiag_socket") | ||
51 | S_("netlink_nflog_socket") | ||
52 | S_("netlink_xfrm_socket") | ||
53 | S_("netlink_selinux_socket") | ||
54 | S_("netlink_audit_socket") | ||
55 | S_("netlink_ip6fw_socket") | ||
56 | S_("netlink_dnrt_socket") | ||
57 | S_(NULL) | ||
58 | S_(NULL) | ||
59 | S_("association") | ||
60 | S_("netlink_kobject_uevent_socket") | ||
61 | S_("appletalk_socket") | ||
62 | S_("packet") | ||
63 | S_("key") | ||
64 | S_(NULL) | ||
65 | S_("dccp_socket") | ||
66 | S_("memprotect") | ||
67 | S_(NULL) | ||
68 | S_(NULL) | ||
69 | S_(NULL) | ||
70 | S_(NULL) | ||
71 | S_(NULL) | ||
72 | S_(NULL) | ||
73 | S_("peer") | ||
74 | S_("capability2") | ||
75 | S_(NULL) | ||
76 | S_(NULL) | ||
77 | S_(NULL) | ||
78 | S_(NULL) | ||
79 | S_("kernel_service") | ||
80 | S_("tun_socket") | ||
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h new file mode 100644 index 000000000000..8b32e959bb2e --- /dev/null +++ b/security/selinux/include/classmap.h | |||
@@ -0,0 +1,150 @@ | |||
1 | #define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \ | ||
2 | "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append" | ||
3 | |||
4 | #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \ | ||
5 | "rename", "execute", "swapon", "quotaon", "mounton" | ||
6 | |||
7 | #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \ | ||
8 | "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \ | ||
9 | "sendto", "recv_msg", "send_msg", "name_bind" | ||
10 | |||
11 | #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ | ||
12 | "write", "associate", "unix_read", "unix_write" | ||
13 | |||
14 | struct security_class_mapping secclass_map[] = { | ||
15 | { "security", | ||
16 | { "compute_av", "compute_create", "compute_member", | ||
17 | "check_context", "load_policy", "compute_relabel", | ||
18 | "compute_user", "setenforce", "setbool", "setsecparam", | ||
19 | "setcheckreqprot", NULL } }, | ||
20 | { "process", | ||
21 | { "fork", "transition", "sigchld", "sigkill", | ||
22 | "sigstop", "signull", "signal", "ptrace", "getsched", "setsched", | ||
23 | "getsession", "getpgid", "setpgid", "getcap", "setcap", "share", | ||
24 | "getattr", "setexec", "setfscreate", "noatsecure", "siginh", | ||
25 | "setrlimit", "rlimitinh", "dyntransition", "setcurrent", | ||
26 | "execmem", "execstack", "execheap", "setkeycreate", | ||
27 | "setsockcreate", NULL } }, | ||
28 | { "system", | ||
29 | { "ipc_info", "syslog_read", "syslog_mod", | ||
30 | "syslog_console", "module_request", NULL } }, | ||
31 | { "capability", | ||
32 | { "chown", "dac_override", "dac_read_search", | ||
33 | "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", | ||
34 | "linux_immutable", "net_bind_service", "net_broadcast", | ||
35 | "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", | ||
36 | "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", | ||
37 | "sys_boot", "sys_nice", "sys_resource", "sys_time", | ||
38 | "sys_tty_config", "mknod", "lease", "audit_write", | ||
39 | "audit_control", "setfcap", NULL } }, | ||
40 | { "filesystem", | ||
41 | { "mount", "remount", "unmount", "getattr", | ||
42 | "relabelfrom", "relabelto", "transition", "associate", "quotamod", | ||
43 | "quotaget", NULL } }, | ||
44 | { "file", | ||
45 | { COMMON_FILE_PERMS, | ||
46 | "execute_no_trans", "entrypoint", "execmod", "open", NULL } }, | ||
47 | { "dir", | ||
48 | { COMMON_FILE_PERMS, "add_name", "remove_name", | ||
49 | "reparent", "search", "rmdir", "open", NULL } }, | ||
50 | { "fd", { "use", NULL } }, | ||
51 | { "lnk_file", | ||
52 | { COMMON_FILE_PERMS, NULL } }, | ||
53 | { "chr_file", | ||
54 | { COMMON_FILE_PERMS, | ||
55 | "execute_no_trans", "entrypoint", "execmod", "open", NULL } }, | ||
56 | { "blk_file", | ||
57 | { COMMON_FILE_PERMS, "open", NULL } }, | ||
58 | { "sock_file", | ||
59 | { COMMON_FILE_PERMS, "open", NULL } }, | ||
60 | { "fifo_file", | ||
61 | { COMMON_FILE_PERMS, "open", NULL } }, | ||
62 | { "socket", | ||
63 | { COMMON_SOCK_PERMS, NULL } }, | ||
64 | { "tcp_socket", | ||
65 | { COMMON_SOCK_PERMS, | ||
66 | "connectto", "newconn", "acceptfrom", "node_bind", "name_connect", | ||
67 | NULL } }, | ||
68 | { "udp_socket", | ||
69 | { COMMON_SOCK_PERMS, | ||
70 | "node_bind", NULL } }, | ||
71 | { "rawip_socket", | ||
72 | { COMMON_SOCK_PERMS, | ||
73 | "node_bind", NULL } }, | ||
74 | { "node", | ||
75 | { "tcp_recv", "tcp_send", "udp_recv", "udp_send", | ||
76 | "rawip_recv", "rawip_send", "enforce_dest", | ||
77 | "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } }, | ||
78 | { "netif", | ||
79 | { "tcp_recv", "tcp_send", "udp_recv", "udp_send", | ||
80 | "rawip_recv", "rawip_send", "dccp_recv", "dccp_send", | ||
81 | "ingress", "egress", NULL } }, | ||
82 | { "netlink_socket", | ||
83 | { COMMON_SOCK_PERMS, NULL } }, | ||
84 | { "packet_socket", | ||
85 | { COMMON_SOCK_PERMS, NULL } }, | ||
86 | { "key_socket", | ||
87 | { COMMON_SOCK_PERMS, NULL } }, | ||
88 | { "unix_stream_socket", | ||
89 | { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL | ||
90 | } }, | ||
91 | { "unix_dgram_socket", | ||
92 | { COMMON_SOCK_PERMS, NULL | ||
93 | } }, | ||
94 | { "sem", | ||
95 | { COMMON_IPC_PERMS, NULL } }, | ||
96 | { "msg", { "send", "receive", NULL } }, | ||
97 | { "msgq", | ||
98 | { COMMON_IPC_PERMS, "enqueue", NULL } }, | ||
99 | { "shm", | ||
100 | { COMMON_IPC_PERMS, "lock", NULL } }, | ||
101 | { "ipc", | ||
102 | { COMMON_IPC_PERMS, NULL } }, | ||
103 | { "netlink_route_socket", | ||
104 | { COMMON_SOCK_PERMS, | ||
105 | "nlmsg_read", "nlmsg_write", NULL } }, | ||
106 | { "netlink_firewall_socket", | ||
107 | { COMMON_SOCK_PERMS, | ||
108 | "nlmsg_read", "nlmsg_write", NULL } }, | ||
109 | { "netlink_tcpdiag_socket", | ||
110 | { COMMON_SOCK_PERMS, | ||
111 | "nlmsg_read", "nlmsg_write", NULL } }, | ||
112 | { "netlink_nflog_socket", | ||
113 | { COMMON_SOCK_PERMS, NULL } }, | ||
114 | { "netlink_xfrm_socket", | ||
115 | { COMMON_SOCK_PERMS, | ||
116 | "nlmsg_read", "nlmsg_write", NULL } }, | ||
117 | { "netlink_selinux_socket", | ||
118 | { COMMON_SOCK_PERMS, NULL } }, | ||
119 | { "netlink_audit_socket", | ||
120 | { COMMON_SOCK_PERMS, | ||
121 | "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv", | ||
122 | "nlmsg_tty_audit", NULL } }, | ||
123 | { "netlink_ip6fw_socket", | ||
124 | { COMMON_SOCK_PERMS, | ||
125 | "nlmsg_read", "nlmsg_write", NULL } }, | ||
126 | { "netlink_dnrt_socket", | ||
127 | { COMMON_SOCK_PERMS, NULL } }, | ||
128 | { "association", | ||
129 | { "sendto", "recvfrom", "setcontext", "polmatch", NULL } }, | ||
130 | { "netlink_kobject_uevent_socket", | ||
131 | { COMMON_SOCK_PERMS, NULL } }, | ||
132 | { "appletalk_socket", | ||
133 | { COMMON_SOCK_PERMS, NULL } }, | ||
134 | { "packet", | ||
135 | { "send", "recv", "relabelto", "flow_in", "flow_out", | ||
136 | "forward_in", "forward_out", NULL } }, | ||
137 | { "key", | ||
138 | { "view", "read", "write", "search", "link", "setattr", "create", | ||
139 | NULL } }, | ||
140 | { "dccp_socket", | ||
141 | { COMMON_SOCK_PERMS, | ||
142 | "node_bind", "name_connect", NULL } }, | ||
143 | { "memprotect", { "mmap_zero", NULL } }, | ||
144 | { "peer", { "recv", NULL } }, | ||
145 | { "capability2", { "mac_override", "mac_admin", NULL } }, | ||
146 | { "kernel_service", { "use_as_override", "create_files_as", NULL } }, | ||
147 | { "tun_socket", | ||
148 | { COMMON_SOCK_PERMS, NULL } }, | ||
149 | { NULL } | ||
150 | }; | ||
diff --git a/security/selinux/include/common_perm_to_string.h b/security/selinux/include/common_perm_to_string.h deleted file mode 100644 index ce5b6e2fe9dd..000000000000 --- a/security/selinux/include/common_perm_to_string.h +++ /dev/null | |||
@@ -1,58 +0,0 @@ | |||
1 | /* This file is automatically generated. Do not edit. */ | ||
2 | TB_(common_file_perm_to_string) | ||
3 | S_("ioctl") | ||
4 | S_("read") | ||
5 | S_("write") | ||
6 | S_("create") | ||
7 | S_("getattr") | ||
8 | S_("setattr") | ||
9 | S_("lock") | ||
10 | S_("relabelfrom") | ||
11 | S_("relabelto") | ||
12 | S_("append") | ||
13 | S_("unlink") | ||
14 | S_("link") | ||
15 | S_("rename") | ||
16 | S_("execute") | ||
17 | S_("swapon") | ||
18 | S_("quotaon") | ||
19 | S_("mounton") | ||
20 | TE_(common_file_perm_to_string) | ||
21 | |||
22 | TB_(common_socket_perm_to_string) | ||
23 | S_("ioctl") | ||
24 | S_("read") | ||
25 | S_("write") | ||
26 | S_("create") | ||
27 | S_("getattr") | ||
28 | S_("setattr") | ||
29 | S_("lock") | ||
30 | S_("relabelfrom") | ||
31 | S_("relabelto") | ||
32 | S_("append") | ||
33 | S_("bind") | ||
34 | S_("connect") | ||
35 | S_("listen") | ||
36 | S_("accept") | ||
37 | S_("getopt") | ||
38 | S_("setopt") | ||
39 | S_("shutdown") | ||
40 | S_("recvfrom") | ||
41 | S_("sendto") | ||
42 | S_("recv_msg") | ||
43 | S_("send_msg") | ||
44 | S_("name_bind") | ||
45 | TE_(common_socket_perm_to_string) | ||
46 | |||
47 | TB_(common_ipc_perm_to_string) | ||
48 | S_("create") | ||
49 | S_("destroy") | ||
50 | S_("getattr") | ||
51 | S_("setattr") | ||
52 | S_("read") | ||
53 | S_("write") | ||
54 | S_("associate") | ||
55 | S_("unix_read") | ||
56 | S_("unix_write") | ||
57 | TE_(common_ipc_perm_to_string) | ||
58 | |||
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h index f248500a1e3c..5359ca2abf21 100644 --- a/security/selinux/include/flask.h +++ b/security/selinux/include/flask.h | |||
@@ -34,26 +34,26 @@ | |||
34 | #define SECCLASS_MSGQ 27 | 34 | #define SECCLASS_MSGQ 27 |
35 | #define SECCLASS_SHM 28 | 35 | #define SECCLASS_SHM 28 |
36 | #define SECCLASS_IPC 29 | 36 | #define SECCLASS_IPC 29 |
37 | #define SECCLASS_NETLINK_ROUTE_SOCKET 43 | 37 | #define SECCLASS_NETLINK_ROUTE_SOCKET 30 |
38 | #define SECCLASS_NETLINK_FIREWALL_SOCKET 44 | 38 | #define SECCLASS_NETLINK_FIREWALL_SOCKET 31 |
39 | #define SECCLASS_NETLINK_TCPDIAG_SOCKET 45 | 39 | #define SECCLASS_NETLINK_TCPDIAG_SOCKET 32 |
40 | #define SECCLASS_NETLINK_NFLOG_SOCKET 46 | 40 | #define SECCLASS_NETLINK_NFLOG_SOCKET 33 |
41 | #define SECCLASS_NETLINK_XFRM_SOCKET 47 | 41 | #define SECCLASS_NETLINK_XFRM_SOCKET 34 |
42 | #define SECCLASS_NETLINK_SELINUX_SOCKET 48 | 42 | #define SECCLASS_NETLINK_SELINUX_SOCKET 35 |
43 | #define SECCLASS_NETLINK_AUDIT_SOCKET 49 | 43 | #define SECCLASS_NETLINK_AUDIT_SOCKET 36 |
44 | #define SECCLASS_NETLINK_IP6FW_SOCKET 50 | 44 | #define SECCLASS_NETLINK_IP6FW_SOCKET 37 |
45 | #define SECCLASS_NETLINK_DNRT_SOCKET 51 | 45 | #define SECCLASS_NETLINK_DNRT_SOCKET 38 |
46 | #define SECCLASS_ASSOCIATION 54 | 46 | #define SECCLASS_ASSOCIATION 39 |
47 | #define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55 | 47 | #define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 40 |
48 | #define SECCLASS_APPLETALK_SOCKET 56 | 48 | #define SECCLASS_APPLETALK_SOCKET 41 |
49 | #define SECCLASS_PACKET 57 | 49 | #define SECCLASS_PACKET 42 |
50 | #define SECCLASS_KEY 58 | 50 | #define SECCLASS_KEY 43 |
51 | #define SECCLASS_DCCP_SOCKET 60 | 51 | #define SECCLASS_DCCP_SOCKET 44 |
52 | #define SECCLASS_MEMPROTECT 61 | 52 | #define SECCLASS_MEMPROTECT 45 |
53 | #define SECCLASS_PEER 68 | 53 | #define SECCLASS_PEER 46 |
54 | #define SECCLASS_CAPABILITY2 69 | 54 | #define SECCLASS_CAPABILITY2 47 |
55 | #define SECCLASS_KERNEL_SERVICE 74 | 55 | #define SECCLASS_KERNEL_SERVICE 48 |
56 | #define SECCLASS_TUN_SOCKET 75 | 56 | #define SECCLASS_TUN_SOCKET 49 |
57 | 57 | ||
58 | /* | 58 | /* |
59 | * Security identifier indices for initial entities | 59 | * Security identifier indices for initial entities |
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ca835795a8b3..2553266ad793 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -97,11 +97,18 @@ struct av_decision { | |||
97 | #define AVD_FLAGS_PERMISSIVE 0x0001 | 97 | #define AVD_FLAGS_PERMISSIVE 0x0001 |
98 | 98 | ||
99 | int security_compute_av(u32 ssid, u32 tsid, | 99 | int security_compute_av(u32 ssid, u32 tsid, |
100 | u16 tclass, u32 requested, | 100 | u16 tclass, u32 requested, |
101 | struct av_decision *avd); | 101 | struct av_decision *avd); |
102 | |||
103 | int security_compute_av_user(u32 ssid, u32 tsid, | ||
104 | u16 tclass, u32 requested, | ||
105 | struct av_decision *avd); | ||
102 | 106 | ||
103 | int security_transition_sid(u32 ssid, u32 tsid, | 107 | int security_transition_sid(u32 ssid, u32 tsid, |
104 | u16 tclass, u32 *out_sid); | 108 | u16 tclass, u32 *out_sid); |
109 | |||
110 | int security_transition_sid_user(u32 ssid, u32 tsid, | ||
111 | u16 tclass, u32 *out_sid); | ||
105 | 112 | ||
106 | int security_member_sid(u32 ssid, u32 tsid, | 113 | int security_member_sid(u32 ssid, u32 tsid, |
107 | u16 tclass, u32 *out_sid); | 114 | u16 tclass, u32 *out_sid); |
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index b4fc506e7a87..fab36fdf2769 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -522,7 +522,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) | |||
522 | if (length < 0) | 522 | if (length < 0) |
523 | goto out2; | 523 | goto out2; |
524 | 524 | ||
525 | length = security_compute_av(ssid, tsid, tclass, req, &avd); | 525 | length = security_compute_av_user(ssid, tsid, tclass, req, &avd); |
526 | if (length < 0) | 526 | if (length < 0) |
527 | goto out2; | 527 | goto out2; |
528 | 528 | ||
@@ -571,7 +571,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size) | |||
571 | if (length < 0) | 571 | if (length < 0) |
572 | goto out2; | 572 | goto out2; |
573 | 573 | ||
574 | length = security_transition_sid(ssid, tsid, tclass, &newsid); | 574 | length = security_transition_sid_user(ssid, tsid, tclass, &newsid); |
575 | if (length < 0) | 575 | if (length < 0) |
576 | goto out2; | 576 | goto out2; |
577 | 577 | ||
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index b5407f16c2a4..3f2b2706b5bb 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c | |||
@@ -532,7 +532,7 @@ int mls_compute_sid(struct context *scontext, | |||
532 | } | 532 | } |
533 | /* Fallthrough */ | 533 | /* Fallthrough */ |
534 | case AVTAB_CHANGE: | 534 | case AVTAB_CHANGE: |
535 | if (tclass == SECCLASS_PROCESS) | 535 | if (tclass == policydb.process_class) |
536 | /* Use the process MLS attributes. */ | 536 | /* Use the process MLS attributes. */ |
537 | return mls_context_cpy(newcontext, scontext); | 537 | return mls_context_cpy(newcontext, scontext); |
538 | else | 538 | else |
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 72e4a54973aa..f03667213ea8 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c | |||
@@ -713,7 +713,6 @@ void policydb_destroy(struct policydb *p) | |||
713 | ebitmap_destroy(&p->type_attr_map[i]); | 713 | ebitmap_destroy(&p->type_attr_map[i]); |
714 | } | 714 | } |
715 | kfree(p->type_attr_map); | 715 | kfree(p->type_attr_map); |
716 | kfree(p->undefined_perms); | ||
717 | ebitmap_destroy(&p->policycaps); | 716 | ebitmap_destroy(&p->policycaps); |
718 | ebitmap_destroy(&p->permissive_map); | 717 | ebitmap_destroy(&p->permissive_map); |
719 | 718 | ||
@@ -1640,6 +1639,40 @@ static int policydb_bounds_sanity_check(struct policydb *p) | |||
1640 | 1639 | ||
1641 | extern int ss_initialized; | 1640 | extern int ss_initialized; |
1642 | 1641 | ||
1642 | u16 string_to_security_class(struct policydb *p, const char *name) | ||
1643 | { | ||
1644 | struct class_datum *cladatum; | ||
1645 | |||
1646 | cladatum = hashtab_search(p->p_classes.table, name); | ||
1647 | if (!cladatum) | ||
1648 | return 0; | ||
1649 | |||
1650 | return cladatum->value; | ||
1651 | } | ||
1652 | |||
1653 | u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name) | ||
1654 | { | ||
1655 | struct class_datum *cladatum; | ||
1656 | struct perm_datum *perdatum = NULL; | ||
1657 | struct common_datum *comdatum; | ||
1658 | |||
1659 | if (!tclass || tclass > p->p_classes.nprim) | ||
1660 | return 0; | ||
1661 | |||
1662 | cladatum = p->class_val_to_struct[tclass-1]; | ||
1663 | comdatum = cladatum->comdatum; | ||
1664 | if (comdatum) | ||
1665 | perdatum = hashtab_search(comdatum->permissions.table, | ||
1666 | name); | ||
1667 | if (!perdatum) | ||
1668 | perdatum = hashtab_search(cladatum->permissions.table, | ||
1669 | name); | ||
1670 | if (!perdatum) | ||
1671 | return 0; | ||
1672 | |||
1673 | return 1U << (perdatum->value-1); | ||
1674 | } | ||
1675 | |||
1643 | /* | 1676 | /* |
1644 | * Read the configuration data from a policy database binary | 1677 | * Read the configuration data from a policy database binary |
1645 | * representation file into a policy database structure. | 1678 | * representation file into a policy database structure. |
@@ -1861,6 +1894,16 @@ int policydb_read(struct policydb *p, void *fp) | |||
1861 | if (rc) | 1894 | if (rc) |
1862 | goto bad; | 1895 | goto bad; |
1863 | 1896 | ||
1897 | p->process_class = string_to_security_class(p, "process"); | ||
1898 | if (!p->process_class) | ||
1899 | goto bad; | ||
1900 | p->process_trans_perms = string_to_av_perm(p, p->process_class, | ||
1901 | "transition"); | ||
1902 | p->process_trans_perms |= string_to_av_perm(p, p->process_class, | ||
1903 | "dyntransition"); | ||
1904 | if (!p->process_trans_perms) | ||
1905 | goto bad; | ||
1906 | |||
1864 | for (i = 0; i < info->ocon_num; i++) { | 1907 | for (i = 0; i < info->ocon_num; i++) { |
1865 | rc = next_entry(buf, fp, sizeof(u32)); | 1908 | rc = next_entry(buf, fp, sizeof(u32)); |
1866 | if (rc < 0) | 1909 | if (rc < 0) |
@@ -2101,7 +2144,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
2101 | goto bad; | 2144 | goto bad; |
2102 | rt->target_class = le32_to_cpu(buf[0]); | 2145 | rt->target_class = le32_to_cpu(buf[0]); |
2103 | } else | 2146 | } else |
2104 | rt->target_class = SECCLASS_PROCESS; | 2147 | rt->target_class = p->process_class; |
2105 | if (!policydb_type_isvalid(p, rt->source_type) || | 2148 | if (!policydb_type_isvalid(p, rt->source_type) || |
2106 | !policydb_type_isvalid(p, rt->target_type) || | 2149 | !policydb_type_isvalid(p, rt->target_type) || |
2107 | !policydb_class_isvalid(p, rt->target_class)) { | 2150 | !policydb_class_isvalid(p, rt->target_class)) { |
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 55152d498b53..cdcc5700946f 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h | |||
@@ -254,7 +254,9 @@ struct policydb { | |||
254 | 254 | ||
255 | unsigned int reject_unknown : 1; | 255 | unsigned int reject_unknown : 1; |
256 | unsigned int allow_unknown : 1; | 256 | unsigned int allow_unknown : 1; |
257 | u32 *undefined_perms; | 257 | |
258 | u16 process_class; | ||
259 | u32 process_trans_perms; | ||
258 | }; | 260 | }; |
259 | 261 | ||
260 | extern void policydb_destroy(struct policydb *p); | 262 | extern void policydb_destroy(struct policydb *p); |
@@ -295,5 +297,8 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes) | |||
295 | return 0; | 297 | return 0; |
296 | } | 298 | } |
297 | 299 | ||
300 | extern u16 string_to_security_class(struct policydb *p, const char *name); | ||
301 | extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name); | ||
302 | |||
298 | #endif /* _SS_POLICYDB_H_ */ | 303 | #endif /* _SS_POLICYDB_H_ */ |
299 | 304 | ||
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index ff17820d35ec..e19baa81fdec 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -70,11 +70,6 @@ unsigned int policydb_loaded_version; | |||
70 | int selinux_policycap_netpeer; | 70 | int selinux_policycap_netpeer; |
71 | int selinux_policycap_openperm; | 71 | int selinux_policycap_openperm; |
72 | 72 | ||
73 | /* | ||
74 | * This is declared in avc.c | ||
75 | */ | ||
76 | extern const struct selinux_class_perm selinux_class_perm; | ||
77 | |||
78 | static DEFINE_RWLOCK(policy_rwlock); | 73 | static DEFINE_RWLOCK(policy_rwlock); |
79 | 74 | ||
80 | static struct sidtab sidtab; | 75 | static struct sidtab sidtab; |
@@ -98,6 +93,158 @@ static int context_struct_compute_av(struct context *scontext, | |||
98 | u16 tclass, | 93 | u16 tclass, |
99 | u32 requested, | 94 | u32 requested, |
100 | struct av_decision *avd); | 95 | struct av_decision *avd); |
96 | |||
97 | struct selinux_mapping { | ||
98 | u16 value; /* policy value */ | ||
99 | unsigned num_perms; | ||
100 | u32 perms[sizeof(u32) * 8]; | ||
101 | }; | ||
102 | |||
103 | static struct selinux_mapping *current_mapping; | ||
104 | static u16 current_mapping_size; | ||
105 | |||
106 | static int selinux_set_mapping(struct policydb *pol, | ||
107 | struct security_class_mapping *map, | ||
108 | struct selinux_mapping **out_map_p, | ||
109 | u16 *out_map_size) | ||
110 | { | ||
111 | struct selinux_mapping *out_map = NULL; | ||
112 | size_t size = sizeof(struct selinux_mapping); | ||
113 | u16 i, j; | ||
114 | unsigned k; | ||
115 | bool print_unknown_handle = false; | ||
116 | |||
117 | /* Find number of classes in the input mapping */ | ||
118 | if (!map) | ||
119 | return -EINVAL; | ||
120 | i = 0; | ||
121 | while (map[i].name) | ||
122 | i++; | ||
123 | |||
124 | /* Allocate space for the class records, plus one for class zero */ | ||
125 | out_map = kcalloc(++i, size, GFP_ATOMIC); | ||
126 | if (!out_map) | ||
127 | return -ENOMEM; | ||
128 | |||
129 | /* Store the raw class and permission values */ | ||
130 | j = 0; | ||
131 | while (map[j].name) { | ||
132 | struct security_class_mapping *p_in = map + (j++); | ||
133 | struct selinux_mapping *p_out = out_map + j; | ||
134 | |||
135 | /* An empty class string skips ahead */ | ||
136 | if (!strcmp(p_in->name, "")) { | ||
137 | p_out->num_perms = 0; | ||
138 | continue; | ||
139 | } | ||
140 | |||
141 | p_out->value = string_to_security_class(pol, p_in->name); | ||
142 | if (!p_out->value) { | ||
143 | printk(KERN_INFO | ||
144 | "SELinux: Class %s not defined in policy.\n", | ||
145 | p_in->name); | ||
146 | if (pol->reject_unknown) | ||
147 | goto err; | ||
148 | p_out->num_perms = 0; | ||
149 | print_unknown_handle = true; | ||
150 | continue; | ||
151 | } | ||
152 | |||
153 | k = 0; | ||
154 | while (p_in->perms && p_in->perms[k]) { | ||
155 | /* An empty permission string skips ahead */ | ||
156 | if (!*p_in->perms[k]) { | ||
157 | k++; | ||
158 | continue; | ||
159 | } | ||
160 | p_out->perms[k] = string_to_av_perm(pol, p_out->value, | ||
161 | p_in->perms[k]); | ||
162 | if (!p_out->perms[k]) { | ||
163 | printk(KERN_INFO | ||
164 | "SELinux: Permission %s in class %s not defined in policy.\n", | ||
165 | p_in->perms[k], p_in->name); | ||
166 | if (pol->reject_unknown) | ||
167 | goto err; | ||
168 | print_unknown_handle = true; | ||
169 | } | ||
170 | |||
171 | k++; | ||
172 | } | ||
173 | p_out->num_perms = k; | ||
174 | } | ||
175 | |||
176 | if (print_unknown_handle) | ||
177 | printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", | ||
178 | pol->allow_unknown ? "allowed" : "denied"); | ||
179 | |||
180 | *out_map_p = out_map; | ||
181 | *out_map_size = i; | ||
182 | return 0; | ||
183 | err: | ||
184 | kfree(out_map); | ||
185 | return -EINVAL; | ||
186 | } | ||
187 | |||
188 | /* | ||
189 | * Get real, policy values from mapped values | ||
190 | */ | ||
191 | |||
192 | static u16 unmap_class(u16 tclass) | ||
193 | { | ||
194 | if (tclass < current_mapping_size) | ||
195 | return current_mapping[tclass].value; | ||
196 | |||
197 | return tclass; | ||
198 | } | ||
199 | |||
200 | static u32 unmap_perm(u16 tclass, u32 tperm) | ||
201 | { | ||
202 | if (tclass < current_mapping_size) { | ||
203 | unsigned i; | ||
204 | u32 kperm = 0; | ||
205 | |||
206 | for (i = 0; i < current_mapping[tclass].num_perms; i++) | ||
207 | if (tperm & (1<<i)) { | ||
208 | kperm |= current_mapping[tclass].perms[i]; | ||
209 | tperm &= ~(1<<i); | ||
210 | } | ||
211 | return kperm; | ||
212 | } | ||
213 | |||
214 | return tperm; | ||
215 | } | ||
216 | |||
217 | static void map_decision(u16 tclass, struct av_decision *avd, | ||
218 | int allow_unknown) | ||
219 | { | ||
220 | if (tclass < current_mapping_size) { | ||
221 | unsigned i, n = current_mapping[tclass].num_perms; | ||
222 | u32 result; | ||
223 | |||
224 | for (i = 0, result = 0; i < n; i++) { | ||
225 | if (avd->allowed & current_mapping[tclass].perms[i]) | ||
226 | result |= 1<<i; | ||
227 | if (allow_unknown && !current_mapping[tclass].perms[i]) | ||
228 | result |= 1<<i; | ||
229 | } | ||
230 | avd->allowed = result; | ||
231 | |||
232 | for (i = 0, result = 0; i < n; i++) | ||
233 | if (avd->auditallow & current_mapping[tclass].perms[i]) | ||
234 | result |= 1<<i; | ||
235 | avd->auditallow = result; | ||
236 | |||
237 | for (i = 0, result = 0; i < n; i++) { | ||
238 | if (avd->auditdeny & current_mapping[tclass].perms[i]) | ||
239 | result |= 1<<i; | ||
240 | if (!allow_unknown && !current_mapping[tclass].perms[i]) | ||
241 | result |= 1<<i; | ||
242 | } | ||
243 | avd->auditdeny = result; | ||
244 | } | ||
245 | } | ||
246 | |||
247 | |||
101 | /* | 248 | /* |
102 | * Return the boolean value of a constraint expression | 249 | * Return the boolean value of a constraint expression |
103 | * when it is applied to the specified source and target | 250 | * when it is applied to the specified source and target |
@@ -467,7 +614,6 @@ static int context_struct_compute_av(struct context *scontext, | |||
467 | struct class_datum *tclass_datum; | 614 | struct class_datum *tclass_datum; |
468 | struct ebitmap *sattr, *tattr; | 615 | struct ebitmap *sattr, *tattr; |
469 | struct ebitmap_node *snode, *tnode; | 616 | struct ebitmap_node *snode, *tnode; |
470 | const struct selinux_class_perm *kdefs = &selinux_class_perm; | ||
471 | unsigned int i, j; | 617 | unsigned int i, j; |
472 | 618 | ||
473 | /* | 619 | /* |
@@ -477,9 +623,9 @@ static int context_struct_compute_av(struct context *scontext, | |||
477 | * to remain in the correct class. | 623 | * to remain in the correct class. |
478 | */ | 624 | */ |
479 | if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) | 625 | if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) |
480 | if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && | 626 | if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) && |
481 | tclass <= SECCLASS_NETLINK_DNRT_SOCKET) | 627 | tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET)) |
482 | tclass = SECCLASS_NETLINK_SOCKET; | 628 | tclass = unmap_class(SECCLASS_NETLINK_SOCKET); |
483 | 629 | ||
484 | /* | 630 | /* |
485 | * Initialize the access vectors to the default values. | 631 | * Initialize the access vectors to the default values. |
@@ -490,33 +636,11 @@ static int context_struct_compute_av(struct context *scontext, | |||
490 | avd->seqno = latest_granting; | 636 | avd->seqno = latest_granting; |
491 | avd->flags = 0; | 637 | avd->flags = 0; |
492 | 638 | ||
493 | /* | 639 | if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) { |
494 | * Check for all the invalid cases. | 640 | if (printk_ratelimit()) |
495 | * - tclass 0 | 641 | printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass); |
496 | * - tclass > policy and > kernel | 642 | return -EINVAL; |
497 | * - tclass > policy but is a userspace class | 643 | } |
498 | * - tclass > policy but we do not allow unknowns | ||
499 | */ | ||
500 | if (unlikely(!tclass)) | ||
501 | goto inval_class; | ||
502 | if (unlikely(tclass > policydb.p_classes.nprim)) | ||
503 | if (tclass > kdefs->cts_len || | ||
504 | !kdefs->class_to_string[tclass] || | ||
505 | !policydb.allow_unknown) | ||
506 | goto inval_class; | ||
507 | |||
508 | /* | ||
509 | * Kernel class and we allow unknown so pad the allow decision | ||
510 | * the pad will be all 1 for unknown classes. | ||
511 | */ | ||
512 | if (tclass <= kdefs->cts_len && policydb.allow_unknown) | ||
513 | avd->allowed = policydb.undefined_perms[tclass - 1]; | ||
514 | |||
515 | /* | ||
516 | * Not in policy. Since decision is completed (all 1 or all 0) return. | ||
517 | */ | ||
518 | if (unlikely(tclass > policydb.p_classes.nprim)) | ||
519 | return 0; | ||
520 | 644 | ||
521 | tclass_datum = policydb.class_val_to_struct[tclass - 1]; | 645 | tclass_datum = policydb.class_val_to_struct[tclass - 1]; |
522 | 646 | ||
@@ -568,8 +692,8 @@ static int context_struct_compute_av(struct context *scontext, | |||
568 | * role is changing, then check the (current_role, new_role) | 692 | * role is changing, then check the (current_role, new_role) |
569 | * pair. | 693 | * pair. |
570 | */ | 694 | */ |
571 | if (tclass == SECCLASS_PROCESS && | 695 | if (tclass == policydb.process_class && |
572 | (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && | 696 | (avd->allowed & policydb.process_trans_perms) && |
573 | scontext->role != tcontext->role) { | 697 | scontext->role != tcontext->role) { |
574 | for (ra = policydb.role_allow; ra; ra = ra->next) { | 698 | for (ra = policydb.role_allow; ra; ra = ra->next) { |
575 | if (scontext->role == ra->role && | 699 | if (scontext->role == ra->role && |
@@ -577,8 +701,7 @@ static int context_struct_compute_av(struct context *scontext, | |||
577 | break; | 701 | break; |
578 | } | 702 | } |
579 | if (!ra) | 703 | if (!ra) |
580 | avd->allowed &= ~(PROCESS__TRANSITION | | 704 | avd->allowed &= ~policydb.process_trans_perms; |
581 | PROCESS__DYNTRANSITION); | ||
582 | } | 705 | } |
583 | 706 | ||
584 | /* | 707 | /* |
@@ -590,21 +713,6 @@ static int context_struct_compute_av(struct context *scontext, | |||
590 | tclass, requested, avd); | 713 | tclass, requested, avd); |
591 | 714 | ||
592 | return 0; | 715 | return 0; |
593 | |||
594 | inval_class: | ||
595 | if (!tclass || tclass > kdefs->cts_len || | ||
596 | !kdefs->class_to_string[tclass]) { | ||
597 | if (printk_ratelimit()) | ||
598 | printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", | ||
599 | __func__, tclass); | ||
600 | return -EINVAL; | ||
601 | } | ||
602 | |||
603 | /* | ||
604 | * Known to the kernel, but not to the policy. | ||
605 | * Handle as a denial (allowed is 0). | ||
606 | */ | ||
607 | return 0; | ||
608 | } | 716 | } |
609 | 717 | ||
610 | static int security_validtrans_handle_fail(struct context *ocontext, | 718 | static int security_validtrans_handle_fail(struct context *ocontext, |
@@ -636,13 +744,14 @@ out: | |||
636 | } | 744 | } |
637 | 745 | ||
638 | int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | 746 | int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, |
639 | u16 tclass) | 747 | u16 orig_tclass) |
640 | { | 748 | { |
641 | struct context *ocontext; | 749 | struct context *ocontext; |
642 | struct context *ncontext; | 750 | struct context *ncontext; |
643 | struct context *tcontext; | 751 | struct context *tcontext; |
644 | struct class_datum *tclass_datum; | 752 | struct class_datum *tclass_datum; |
645 | struct constraint_node *constraint; | 753 | struct constraint_node *constraint; |
754 | u16 tclass; | ||
646 | int rc = 0; | 755 | int rc = 0; |
647 | 756 | ||
648 | if (!ss_initialized) | 757 | if (!ss_initialized) |
@@ -650,6 +759,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | |||
650 | 759 | ||
651 | read_lock(&policy_rwlock); | 760 | read_lock(&policy_rwlock); |
652 | 761 | ||
762 | tclass = unmap_class(orig_tclass); | ||
763 | |||
653 | /* | 764 | /* |
654 | * Remap extended Netlink classes for old policy versions. | 765 | * Remap extended Netlink classes for old policy versions. |
655 | * Do this here rather than socket_type_to_security_class() | 766 | * Do this here rather than socket_type_to_security_class() |
@@ -657,9 +768,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | |||
657 | * to remain in the correct class. | 768 | * to remain in the correct class. |
658 | */ | 769 | */ |
659 | if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) | 770 | if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) |
660 | if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && | 771 | if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) && |
661 | tclass <= SECCLASS_NETLINK_DNRT_SOCKET) | 772 | tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET)) |
662 | tclass = SECCLASS_NETLINK_SOCKET; | 773 | tclass = unmap_class(SECCLASS_NETLINK_SOCKET); |
663 | 774 | ||
664 | if (!tclass || tclass > policydb.p_classes.nprim) { | 775 | if (!tclass || tclass > policydb.p_classes.nprim) { |
665 | printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", | 776 | printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", |
@@ -792,6 +903,38 @@ out: | |||
792 | } | 903 | } |
793 | 904 | ||
794 | 905 | ||
906 | static int security_compute_av_core(u32 ssid, | ||
907 | u32 tsid, | ||
908 | u16 tclass, | ||
909 | u32 requested, | ||
910 | struct av_decision *avd) | ||
911 | { | ||
912 | struct context *scontext = NULL, *tcontext = NULL; | ||
913 | int rc = 0; | ||
914 | |||
915 | scontext = sidtab_search(&sidtab, ssid); | ||
916 | if (!scontext) { | ||
917 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", | ||
918 | __func__, ssid); | ||
919 | return -EINVAL; | ||
920 | } | ||
921 | tcontext = sidtab_search(&sidtab, tsid); | ||
922 | if (!tcontext) { | ||
923 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", | ||
924 | __func__, tsid); | ||
925 | return -EINVAL; | ||
926 | } | ||
927 | |||
928 | rc = context_struct_compute_av(scontext, tcontext, tclass, | ||
929 | requested, avd); | ||
930 | |||
931 | /* permissive domain? */ | ||
932 | if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) | ||
933 | avd->flags |= AVD_FLAGS_PERMISSIVE; | ||
934 | |||
935 | return rc; | ||
936 | } | ||
937 | |||
795 | /** | 938 | /** |
796 | * security_compute_av - Compute access vector decisions. | 939 | * security_compute_av - Compute access vector decisions. |
797 | * @ssid: source security identifier | 940 | * @ssid: source security identifier |
@@ -807,12 +950,45 @@ out: | |||
807 | */ | 950 | */ |
808 | int security_compute_av(u32 ssid, | 951 | int security_compute_av(u32 ssid, |
809 | u32 tsid, | 952 | u32 tsid, |
810 | u16 tclass, | 953 | u16 orig_tclass, |
811 | u32 requested, | 954 | u32 orig_requested, |
812 | struct av_decision *avd) | 955 | struct av_decision *avd) |
813 | { | 956 | { |
814 | struct context *scontext = NULL, *tcontext = NULL; | 957 | u16 tclass; |
815 | int rc = 0; | 958 | u32 requested; |
959 | int rc; | ||
960 | |||
961 | if (!ss_initialized) | ||
962 | goto allow; | ||
963 | |||
964 | read_lock(&policy_rwlock); | ||
965 | requested = unmap_perm(orig_tclass, orig_requested); | ||
966 | tclass = unmap_class(orig_tclass); | ||
967 | if (unlikely(orig_tclass && !tclass)) { | ||
968 | if (policydb.allow_unknown) | ||
969 | goto allow; | ||
970 | return -EINVAL; | ||
971 | } | ||
972 | rc = security_compute_av_core(ssid, tsid, tclass, requested, avd); | ||
973 | map_decision(orig_tclass, avd, policydb.allow_unknown); | ||
974 | read_unlock(&policy_rwlock); | ||
975 | return rc; | ||
976 | allow: | ||
977 | avd->allowed = 0xffffffff; | ||
978 | avd->auditallow = 0; | ||
979 | avd->auditdeny = 0xffffffff; | ||
980 | avd->seqno = latest_granting; | ||
981 | avd->flags = 0; | ||
982 | return 0; | ||
983 | } | ||
984 | |||
985 | int security_compute_av_user(u32 ssid, | ||
986 | u32 tsid, | ||
987 | u16 tclass, | ||
988 | u32 requested, | ||
989 | struct av_decision *avd) | ||
990 | { | ||
991 | int rc; | ||
816 | 992 | ||
817 | if (!ss_initialized) { | 993 | if (!ss_initialized) { |
818 | avd->allowed = 0xffffffff; | 994 | avd->allowed = 0xffffffff; |
@@ -823,29 +999,7 @@ int security_compute_av(u32 ssid, | |||
823 | } | 999 | } |
824 | 1000 | ||
825 | read_lock(&policy_rwlock); | 1001 | read_lock(&policy_rwlock); |
826 | 1002 | rc = security_compute_av_core(ssid, tsid, tclass, requested, avd); | |
827 | scontext = sidtab_search(&sidtab, ssid); | ||
828 | if (!scontext) { | ||
829 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", | ||
830 | __func__, ssid); | ||
831 | rc = -EINVAL; | ||
832 | goto out; | ||
833 | } | ||
834 | tcontext = sidtab_search(&sidtab, tsid); | ||
835 | if (!tcontext) { | ||
836 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", | ||
837 | __func__, tsid); | ||
838 | rc = -EINVAL; | ||
839 | goto out; | ||
840 | } | ||
841 | |||
842 | rc = context_struct_compute_av(scontext, tcontext, tclass, | ||
843 | requested, avd); | ||
844 | |||
845 | /* permissive domain? */ | ||
846 | if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) | ||
847 | avd->flags |= AVD_FLAGS_PERMISSIVE; | ||
848 | out: | ||
849 | read_unlock(&policy_rwlock); | 1003 | read_unlock(&policy_rwlock); |
850 | return rc; | 1004 | return rc; |
851 | } | 1005 | } |
@@ -1204,20 +1358,22 @@ out: | |||
1204 | 1358 | ||
1205 | static int security_compute_sid(u32 ssid, | 1359 | static int security_compute_sid(u32 ssid, |
1206 | u32 tsid, | 1360 | u32 tsid, |
1207 | u16 tclass, | 1361 | u16 orig_tclass, |
1208 | u32 specified, | 1362 | u32 specified, |
1209 | u32 *out_sid) | 1363 | u32 *out_sid, |
1364 | bool kern) | ||
1210 | { | 1365 | { |
1211 | struct context *scontext = NULL, *tcontext = NULL, newcontext; | 1366 | struct context *scontext = NULL, *tcontext = NULL, newcontext; |
1212 | struct role_trans *roletr = NULL; | 1367 | struct role_trans *roletr = NULL; |
1213 | struct avtab_key avkey; | 1368 | struct avtab_key avkey; |
1214 | struct avtab_datum *avdatum; | 1369 | struct avtab_datum *avdatum; |
1215 | struct avtab_node *node; | 1370 | struct avtab_node *node; |
1371 | u16 tclass; | ||
1216 | int rc = 0; | 1372 | int rc = 0; |
1217 | 1373 | ||
1218 | if (!ss_initialized) { | 1374 | if (!ss_initialized) { |
1219 | switch (tclass) { | 1375 | switch (orig_tclass) { |
1220 | case SECCLASS_PROCESS: | 1376 | case SECCLASS_PROCESS: /* kernel value */ |
1221 | *out_sid = ssid; | 1377 | *out_sid = ssid; |
1222 | break; | 1378 | break; |
1223 | default: | 1379 | default: |
@@ -1231,6 +1387,11 @@ static int security_compute_sid(u32 ssid, | |||
1231 | 1387 | ||
1232 | read_lock(&policy_rwlock); | 1388 | read_lock(&policy_rwlock); |
1233 | 1389 | ||
1390 | if (kern) | ||
1391 | tclass = unmap_class(orig_tclass); | ||
1392 | else | ||
1393 | tclass = orig_tclass; | ||
1394 | |||
1234 | scontext = sidtab_search(&sidtab, ssid); | 1395 | scontext = sidtab_search(&sidtab, ssid); |
1235 | if (!scontext) { | 1396 | if (!scontext) { |
1236 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", | 1397 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
@@ -1260,13 +1421,11 @@ static int security_compute_sid(u32 ssid, | |||
1260 | } | 1421 | } |
1261 | 1422 | ||
1262 | /* Set the role and type to default values. */ | 1423 | /* Set the role and type to default values. */ |
1263 | switch (tclass) { | 1424 | if (tclass == policydb.process_class) { |
1264 | case SECCLASS_PROCESS: | ||
1265 | /* Use the current role and type of process. */ | 1425 | /* Use the current role and type of process. */ |
1266 | newcontext.role = scontext->role; | 1426 | newcontext.role = scontext->role; |
1267 | newcontext.type = scontext->type; | 1427 | newcontext.type = scontext->type; |
1268 | break; | 1428 | } else { |
1269 | default: | ||
1270 | /* Use the well-defined object role. */ | 1429 | /* Use the well-defined object role. */ |
1271 | newcontext.role = OBJECT_R_VAL; | 1430 | newcontext.role = OBJECT_R_VAL; |
1272 | /* Use the type of the related object. */ | 1431 | /* Use the type of the related object. */ |
@@ -1297,8 +1456,7 @@ static int security_compute_sid(u32 ssid, | |||
1297 | } | 1456 | } |
1298 | 1457 | ||
1299 | /* Check for class-specific changes. */ | 1458 | /* Check for class-specific changes. */ |
1300 | switch (tclass) { | 1459 | if (tclass == policydb.process_class) { |
1301 | case SECCLASS_PROCESS: | ||
1302 | if (specified & AVTAB_TRANSITION) { | 1460 | if (specified & AVTAB_TRANSITION) { |
1303 | /* Look for a role transition rule. */ | 1461 | /* Look for a role transition rule. */ |
1304 | for (roletr = policydb.role_tr; roletr; | 1462 | for (roletr = policydb.role_tr; roletr; |
@@ -1311,9 +1469,6 @@ static int security_compute_sid(u32 ssid, | |||
1311 | } | 1469 | } |
1312 | } | 1470 | } |
1313 | } | 1471 | } |
1314 | break; | ||
1315 | default: | ||
1316 | break; | ||
1317 | } | 1472 | } |
1318 | 1473 | ||
1319 | /* Set the MLS attributes. | 1474 | /* Set the MLS attributes. |
@@ -1358,7 +1513,17 @@ int security_transition_sid(u32 ssid, | |||
1358 | u16 tclass, | 1513 | u16 tclass, |
1359 | u32 *out_sid) | 1514 | u32 *out_sid) |
1360 | { | 1515 | { |
1361 | return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); | 1516 | return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, |
1517 | out_sid, true); | ||
1518 | } | ||
1519 | |||
1520 | int security_transition_sid_user(u32 ssid, | ||
1521 | u32 tsid, | ||
1522 | u16 tclass, | ||
1523 | u32 *out_sid) | ||
1524 | { | ||
1525 | return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, | ||
1526 | out_sid, false); | ||
1362 | } | 1527 | } |
1363 | 1528 | ||
1364 | /** | 1529 | /** |
@@ -1379,7 +1544,8 @@ int security_member_sid(u32 ssid, | |||
1379 | u16 tclass, | 1544 | u16 tclass, |
1380 | u32 *out_sid) | 1545 | u32 *out_sid) |
1381 | { | 1546 | { |
1382 | return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); | 1547 | return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid, |
1548 | false); | ||
1383 | } | 1549 | } |
1384 | 1550 | ||
1385 | /** | 1551 | /** |
@@ -1400,144 +1566,8 @@ int security_change_sid(u32 ssid, | |||
1400 | u16 tclass, | 1566 | u16 tclass, |
1401 | u32 *out_sid) | 1567 | u32 *out_sid) |
1402 | { | 1568 | { |
1403 | return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); | 1569 | return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid, |
1404 | } | 1570 | false); |
1405 | |||
1406 | /* | ||
1407 | * Verify that each kernel class that is defined in the | ||
1408 | * policy is correct | ||
1409 | */ | ||
1410 | static int validate_classes(struct policydb *p) | ||
1411 | { | ||
1412 | int i, j; | ||
1413 | struct class_datum *cladatum; | ||
1414 | struct perm_datum *perdatum; | ||
1415 | u32 nprim, tmp, common_pts_len, perm_val, pol_val; | ||
1416 | u16 class_val; | ||
1417 | const struct selinux_class_perm *kdefs = &selinux_class_perm; | ||
1418 | const char *def_class, *def_perm, *pol_class; | ||
1419 | struct symtab *perms; | ||
1420 | bool print_unknown_handle = 0; | ||
1421 | |||
1422 | if (p->allow_unknown) { | ||
1423 | u32 num_classes = kdefs->cts_len; | ||
1424 | p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL); | ||
1425 | if (!p->undefined_perms) | ||
1426 | return -ENOMEM; | ||
1427 | } | ||
1428 | |||
1429 | for (i = 1; i < kdefs->cts_len; i++) { | ||
1430 | def_class = kdefs->class_to_string[i]; | ||
1431 | if (!def_class) | ||
1432 | continue; | ||
1433 | if (i > p->p_classes.nprim) { | ||
1434 | printk(KERN_INFO | ||
1435 | "SELinux: class %s not defined in policy\n", | ||
1436 | def_class); | ||
1437 | if (p->reject_unknown) | ||
1438 | return -EINVAL; | ||
1439 | if (p->allow_unknown) | ||
1440 | p->undefined_perms[i-1] = ~0U; | ||
1441 | print_unknown_handle = 1; | ||
1442 | continue; | ||
1443 | } | ||
1444 | pol_class = p->p_class_val_to_name[i-1]; | ||
1445 | if (strcmp(pol_class, def_class)) { | ||
1446 | printk(KERN_ERR | ||
1447 | "SELinux: class %d is incorrect, found %s but should be %s\n", | ||
1448 | i, pol_class, def_class); | ||
1449 | return -EINVAL; | ||
1450 | } | ||
1451 | } | ||
1452 | for (i = 0; i < kdefs->av_pts_len; i++) { | ||
1453 | class_val = kdefs->av_perm_to_string[i].tclass; | ||
1454 | perm_val = kdefs->av_perm_to_string[i].value; | ||
1455 | def_perm = kdefs->av_perm_to_string[i].name; | ||
1456 | if (class_val > p->p_classes.nprim) | ||
1457 | continue; | ||
1458 | pol_class = p->p_class_val_to_name[class_val-1]; | ||
1459 | cladatum = hashtab_search(p->p_classes.table, pol_class); | ||
1460 | BUG_ON(!cladatum); | ||
1461 | perms = &cladatum->permissions; | ||
1462 | nprim = 1 << (perms->nprim - 1); | ||
1463 | if (perm_val > nprim) { | ||
1464 | printk(KERN_INFO | ||
1465 | "SELinux: permission %s in class %s not defined in policy\n", | ||
1466 | def_perm, pol_class); | ||
1467 | if (p->reject_unknown) | ||
1468 | return -EINVAL; | ||
1469 | if (p->allow_unknown) | ||
1470 | p->undefined_perms[class_val-1] |= perm_val; | ||
1471 | print_unknown_handle = 1; | ||
1472 | continue; | ||
1473 | } | ||
1474 | perdatum = hashtab_search(perms->table, def_perm); | ||
1475 | if (perdatum == NULL) { | ||
1476 | printk(KERN_ERR | ||
1477 | "SELinux: permission %s in class %s not found in policy, bad policy\n", | ||
1478 | def_perm, pol_class); | ||
1479 | return -EINVAL; | ||
1480 | } | ||
1481 | pol_val = 1 << (perdatum->value - 1); | ||
1482 | if (pol_val != perm_val) { | ||
1483 | printk(KERN_ERR | ||
1484 | "SELinux: permission %s in class %s has incorrect value\n", | ||
1485 | def_perm, pol_class); | ||
1486 | return -EINVAL; | ||
1487 | } | ||
1488 | } | ||
1489 | for (i = 0; i < kdefs->av_inherit_len; i++) { | ||
1490 | class_val = kdefs->av_inherit[i].tclass; | ||
1491 | if (class_val > p->p_classes.nprim) | ||
1492 | continue; | ||
1493 | pol_class = p->p_class_val_to_name[class_val-1]; | ||
1494 | cladatum = hashtab_search(p->p_classes.table, pol_class); | ||
1495 | BUG_ON(!cladatum); | ||
1496 | if (!cladatum->comdatum) { | ||
1497 | printk(KERN_ERR | ||
1498 | "SELinux: class %s should have an inherits clause but does not\n", | ||
1499 | pol_class); | ||
1500 | return -EINVAL; | ||
1501 | } | ||
1502 | tmp = kdefs->av_inherit[i].common_base; | ||
1503 | common_pts_len = 0; | ||
1504 | while (!(tmp & 0x01)) { | ||
1505 | common_pts_len++; | ||
1506 | tmp >>= 1; | ||
1507 | } | ||
1508 | perms = &cladatum->comdatum->permissions; | ||
1509 | for (j = 0; j < common_pts_len; j++) { | ||
1510 | def_perm = kdefs->av_inherit[i].common_pts[j]; | ||
1511 | if (j >= perms->nprim) { | ||
1512 | printk(KERN_INFO | ||
1513 | "SELinux: permission %s in class %s not defined in policy\n", | ||
1514 | def_perm, pol_class); | ||
1515 | if (p->reject_unknown) | ||
1516 | return -EINVAL; | ||
1517 | if (p->allow_unknown) | ||
1518 | p->undefined_perms[class_val-1] |= (1 << j); | ||
1519 | print_unknown_handle = 1; | ||
1520 | continue; | ||
1521 | } | ||
1522 | perdatum = hashtab_search(perms->table, def_perm); | ||
1523 | if (perdatum == NULL) { | ||
1524 | printk(KERN_ERR | ||
1525 | "SELinux: permission %s in class %s not found in policy, bad policy\n", | ||
1526 | def_perm, pol_class); | ||
1527 | return -EINVAL; | ||
1528 | } | ||
1529 | if (perdatum->value != j + 1) { | ||
1530 | printk(KERN_ERR | ||
1531 | "SELinux: permission %s in class %s has incorrect value\n", | ||
1532 | def_perm, pol_class); | ||
1533 | return -EINVAL; | ||
1534 | } | ||
1535 | } | ||
1536 | } | ||
1537 | if (print_unknown_handle) | ||
1538 | printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", | ||
1539 | (security_get_allow_unknown() ? "allowed" : "denied")); | ||
1540 | return 0; | ||
1541 | } | 1571 | } |
1542 | 1572 | ||
1543 | /* Clone the SID into the new SID table. */ | 1573 | /* Clone the SID into the new SID table. */ |
@@ -1710,8 +1740,10 @@ int security_load_policy(void *data, size_t len) | |||
1710 | { | 1740 | { |
1711 | struct policydb oldpolicydb, newpolicydb; | 1741 | struct policydb oldpolicydb, newpolicydb; |
1712 | struct sidtab oldsidtab, newsidtab; | 1742 | struct sidtab oldsidtab, newsidtab; |
1743 | struct selinux_mapping *oldmap, *map = NULL; | ||
1713 | struct convert_context_args args; | 1744 | struct convert_context_args args; |
1714 | u32 seqno; | 1745 | u32 seqno; |
1746 | u16 map_size; | ||
1715 | int rc = 0; | 1747 | int rc = 0; |
1716 | struct policy_file file = { data, len }, *fp = &file; | 1748 | struct policy_file file = { data, len }, *fp = &file; |
1717 | 1749 | ||
@@ -1721,16 +1753,14 @@ int security_load_policy(void *data, size_t len) | |||
1721 | avtab_cache_destroy(); | 1753 | avtab_cache_destroy(); |
1722 | return -EINVAL; | 1754 | return -EINVAL; |
1723 | } | 1755 | } |
1724 | if (policydb_load_isids(&policydb, &sidtab)) { | 1756 | if (selinux_set_mapping(&policydb, secclass_map, |
1757 | ¤t_mapping, | ||
1758 | ¤t_mapping_size)) { | ||
1725 | policydb_destroy(&policydb); | 1759 | policydb_destroy(&policydb); |
1726 | avtab_cache_destroy(); | 1760 | avtab_cache_destroy(); |
1727 | return -EINVAL; | 1761 | return -EINVAL; |
1728 | } | 1762 | } |
1729 | /* Verify that the kernel defined classes are correct. */ | 1763 | if (policydb_load_isids(&policydb, &sidtab)) { |
1730 | if (validate_classes(&policydb)) { | ||
1731 | printk(KERN_ERR | ||
1732 | "SELinux: the definition of a class is incorrect\n"); | ||
1733 | sidtab_destroy(&sidtab); | ||
1734 | policydb_destroy(&policydb); | 1764 | policydb_destroy(&policydb); |
1735 | avtab_cache_destroy(); | 1765 | avtab_cache_destroy(); |
1736 | return -EINVAL; | 1766 | return -EINVAL; |
@@ -1759,13 +1789,9 @@ int security_load_policy(void *data, size_t len) | |||
1759 | return -ENOMEM; | 1789 | return -ENOMEM; |
1760 | } | 1790 | } |
1761 | 1791 | ||
1762 | /* Verify that the kernel defined classes are correct. */ | 1792 | if (selinux_set_mapping(&newpolicydb, secclass_map, |
1763 | if (validate_classes(&newpolicydb)) { | 1793 | &map, &map_size)) |
1764 | printk(KERN_ERR | ||
1765 | "SELinux: the definition of a class is incorrect\n"); | ||
1766 | rc = -EINVAL; | ||
1767 | goto err; | 1794 | goto err; |
1768 | } | ||
1769 | 1795 | ||
1770 | rc = security_preserve_bools(&newpolicydb); | 1796 | rc = security_preserve_bools(&newpolicydb); |
1771 | if (rc) { | 1797 | if (rc) { |
@@ -1799,6 +1825,9 @@ int security_load_policy(void *data, size_t len) | |||
1799 | memcpy(&policydb, &newpolicydb, sizeof policydb); | 1825 | memcpy(&policydb, &newpolicydb, sizeof policydb); |
1800 | sidtab_set(&sidtab, &newsidtab); | 1826 | sidtab_set(&sidtab, &newsidtab); |
1801 | security_load_policycaps(); | 1827 | security_load_policycaps(); |
1828 | oldmap = current_mapping; | ||
1829 | current_mapping = map; | ||
1830 | current_mapping_size = map_size; | ||
1802 | seqno = ++latest_granting; | 1831 | seqno = ++latest_granting; |
1803 | policydb_loaded_version = policydb.policyvers; | 1832 | policydb_loaded_version = policydb.policyvers; |
1804 | write_unlock_irq(&policy_rwlock); | 1833 | write_unlock_irq(&policy_rwlock); |
@@ -1806,6 +1835,7 @@ int security_load_policy(void *data, size_t len) | |||
1806 | /* Free the old policydb and SID table. */ | 1835 | /* Free the old policydb and SID table. */ |
1807 | policydb_destroy(&oldpolicydb); | 1836 | policydb_destroy(&oldpolicydb); |
1808 | sidtab_destroy(&oldsidtab); | 1837 | sidtab_destroy(&oldsidtab); |
1838 | kfree(oldmap); | ||
1809 | 1839 | ||
1810 | avc_ss_reset(seqno); | 1840 | avc_ss_reset(seqno); |
1811 | selnl_notify_policyload(seqno); | 1841 | selnl_notify_policyload(seqno); |
@@ -1815,6 +1845,7 @@ int security_load_policy(void *data, size_t len) | |||
1815 | return 0; | 1845 | return 0; |
1816 | 1846 | ||
1817 | err: | 1847 | err: |
1848 | kfree(map); | ||
1818 | sidtab_destroy(&newsidtab); | 1849 | sidtab_destroy(&newsidtab); |
1819 | policydb_destroy(&newpolicydb); | 1850 | policydb_destroy(&newpolicydb); |
1820 | return rc; | 1851 | return rc; |
@@ -2091,7 +2122,7 @@ out_unlock: | |||
2091 | } | 2122 | } |
2092 | for (i = 0, j = 0; i < mynel; i++) { | 2123 | for (i = 0, j = 0; i < mynel; i++) { |
2093 | rc = avc_has_perm_noaudit(fromsid, mysids[i], | 2124 | rc = avc_has_perm_noaudit(fromsid, mysids[i], |
2094 | SECCLASS_PROCESS, | 2125 | SECCLASS_PROCESS, /* kernel value */ |
2095 | PROCESS__TRANSITION, AVC_STRICT, | 2126 | PROCESS__TRANSITION, AVC_STRICT, |
2096 | NULL); | 2127 | NULL); |
2097 | if (!rc) | 2128 | if (!rc) |
@@ -2119,10 +2150,11 @@ out: | |||
2119 | */ | 2150 | */ |
2120 | int security_genfs_sid(const char *fstype, | 2151 | int security_genfs_sid(const char *fstype, |
2121 | char *path, | 2152 | char *path, |
2122 | u16 sclass, | 2153 | u16 orig_sclass, |
2123 | u32 *sid) | 2154 | u32 *sid) |
2124 | { | 2155 | { |
2125 | int len; | 2156 | int len; |
2157 | u16 sclass; | ||
2126 | struct genfs *genfs; | 2158 | struct genfs *genfs; |
2127 | struct ocontext *c; | 2159 | struct ocontext *c; |
2128 | int rc = 0, cmp = 0; | 2160 | int rc = 0, cmp = 0; |
@@ -2132,6 +2164,8 @@ int security_genfs_sid(const char *fstype, | |||
2132 | 2164 | ||
2133 | read_lock(&policy_rwlock); | 2165 | read_lock(&policy_rwlock); |
2134 | 2166 | ||
2167 | sclass = unmap_class(orig_sclass); | ||
2168 | |||
2135 | for (genfs = policydb.genfs; genfs; genfs = genfs->next) { | 2169 | for (genfs = policydb.genfs; genfs; genfs = genfs->next) { |
2136 | cmp = strcmp(fstype, genfs->fstype); | 2170 | cmp = strcmp(fstype, genfs->fstype); |
2137 | if (cmp <= 0) | 2171 | if (cmp <= 0) |