From 0d90a7ec48c704025307b129413bc62451b20ab3 Mon Sep 17 00:00:00 2001 From: "David P. Quigley" Date: Fri, 16 Jan 2009 09:22:02 -0500 Subject: SELinux: Condense super block security structure flags and cleanup necessary code. The super block security structure currently has three fields for what are essentially flags. The flags field is used for mount options while two other char fields are used for initialization and proc flags. These latter two fields are essentially bit fields since the only used values are 0 and 1. These fields have been collapsed into the flags field and new bit masks have been added for them. The code is also fixed to work with these new flags. Signed-off-by: David P. Quigley Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 38 ++++++++++++++++++-------------------- 1 file changed, 18 insertions(+), 20 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 00815973d41..473adc5f4f9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -431,7 +431,7 @@ static int sb_finish_set_opts(struct super_block *sb) } } - sbsec->initialized = 1; + sbsec->flags |= SE_SBINITIALIZED; if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", @@ -487,17 +487,13 @@ static int selinux_get_mnt_opts(const struct super_block *sb, security_init_mnt_opts(opts); - if (!sbsec->initialized) + if (!(sbsec->flags & SE_SBINITIALIZED)) return -EINVAL; if (!ss_initialized) return -EINVAL; - /* - * if we ever use sbsec flags for anything other than tracking mount - * settings this is going to need a mask - */ - tmp = sbsec->flags; + tmp = sbsec->flags & SE_MNTMASK; /* count the number of mount options for this sb */ for (i = 0; i < 8; i++) { if (tmp & 0x01) 
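Review bot: The bit-count loop at the end of the -487 hunk still hard-codes 8 iterations over `tmp` even though the value is now masked with SE_MNTMASK, so the count is tied to a magic width rather than to the mask; the loop body continues outside the hunk. Iterating while `tmp` is non-zero, or `opts->num_mnt_opts = hweight8(tmp);`, would express "count the mount-option bits" directly. The removed comment about needing a mask has been made true by `tmp = sbsec->flags & SE_MNTMASK;`, so a one-line replacement such as `/* only mount-option bits are reported; SE_SBINITIALIZED/SE_SBPROC share the field */` would keep that context for the reader.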
@@ -562,8 +558,10 @@ out_free: static int bad_option(struct superblock_security_struct *sbsec, char flag, u32 old_sid, u32 new_sid) { + char mnt_flags = sbsec->flags & SE_MNTMASK; + /* check if the old mount command had the same options */ - if (sbsec->initialized) + if (sbsec->flags & SE_SBINITIALIZED) if (!(sbsec->flags & flag) || (old_sid != new_sid)) return 1; @@ -571,8 +569,8 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag, /* check if we were passed the same options twice, * aka someone passed context=a,context=b */ - if (!sbsec->initialized) - if (sbsec->flags & flag) + if (!(sbsec->flags & SE_SBINITIALIZED)) + if (mnt_flags & flag) return 1; return 0; } @@ -626,7 +624,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, * this sb does not set any security options. (The first options * will be used for both mounts) */ - if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) + if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) && (num_opts == 0)) goto out; @@ -690,19 +688,19 @@ static int selinux_set_mnt_opts(struct super_block *sb, } } - if (sbsec->initialized) { + if (sbsec->flags & SE_SBINITIALIZED) { /* previously mounted with options, but not on this attempt? */ - if (sbsec->flags && !num_opts) + if ((sbsec->flags & SE_MNTMASK) && !num_opts) goto out_double_mount; rc = 0; goto out; } if (strcmp(sb->s_type->name, "proc") == 0) - sbsec->proc = 1; + sbsec->flags |= SE_SBPROC; /* Determine the labeling behavior to use for this filesystem type. */ - rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); + rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); if (rc) { printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", __func__, sb->s_type->name, rc); 
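Review bot: In the -562 hunk the first check still tests `sbsec->flags & flag` while the -571 hunk tests the new `mnt_flags & flag`; both should use the masked local now that the field also carries SE_SBINITIALIZED and SE_SBPROC, i.e. `if (!(mnt_flags & flag) || (old_sid != new_sid))`. The two forms are equivalent only as long as every caller passes a mount bit in `flag`, which is exactly the assumption the new local exists to make explicit. bad_option is split across the -562 and -571 hunks.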
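Review bot: The rewritten `security_fs_use(...)` call in the -690 hunk now runs well past 80 columns; split it as `rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name,` / `&sbsec->behavior, &sbsec->sid);`. On this path SE_SBPROC has just been set exactly when `sb->s_type->name` is "proc", so the ternary appears to pick the same string either way; if the bit can also arrive already set (for example by cloning), a short comment saying so would justify keeping it. selinux_set_mnt_opts continues outside the hunk.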
@@ -806,10 +804,10 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, } /* how can we clone if the old one wasn't set up?? */ - BUG_ON(!oldsbsec->initialized); + BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); /* if fs is reusing a sb, just let its options stand... */ - if (newsbsec->initialized) + if (newsbsec->flags & SE_SBINITIALIZED) return; mutex_lock(&newsbsec->lock); @@ -1209,7 +1207,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent goto out_unlock; sbsec = inode->i_sb->s_security; - if (!sbsec->initialized) { + if (!(sbsec->flags & SE_SBINITIALIZED)) { /* Defer initialization until selinux_complete_init, after the initial policy is loaded and the security server is ready to handle calls. */ @@ -1326,7 +1324,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent /* Default to the fs superblock SID. */ isec->sid = sbsec->sid; - if (sbsec->proc && !S_ISLNK(inode->i_mode)) { + if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { struct proc_inode *proci = PROC_I(inode); if (proci->pde) { isec->sclass = inode_mode_to_security_class(inode->i_mode); @@ -2585,7 +2583,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, } /* Possibly defer initialization to selinux_complete_init. */ - if (sbsec->initialized) { + if (sbsec->flags & SE_SBINITIALIZED) { struct inode_security_struct *isec = inode->i_security; isec->sclass = inode_mode_to_security_class(inode->i_mode); isec->sid = newsid; -- cgit v1.2.3-70-g09d2 From 11689d47f0957121920c9ec646eb5d838755853a Mon Sep 17 00:00:00 2001 
From: "David P. Quigley" Date: Fri, 16 Jan 2009 09:22:03 -0500 Subject: SELinux: Add new security mount option to indicate security label support. There is no easy way to tell if a file system supports SELinux security labeling. Because of this a new flag is being added to the super block security structure to indicate that the particular super block supports labeling. This flag is set for file systems using the xattr, task, and transition labeling methods unless that behavior is overridden by context mounts. Signed-off-by: David P. Quigley Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 39 ++++++++++++++++++++++++++++++++----- security/selinux/include/security.h | 2 ++ 2 files changed, 36 insertions(+), 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 473adc5f4f9..1a9768a8b64 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -89,7 +89,7 @@ #define XATTR_SELINUX_SUFFIX "selinux" #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX -#define NUM_SEL_MNT_OPTS 4 +#define NUM_SEL_MNT_OPTS 5 extern unsigned int policydb_loaded_version; extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); @@ -353,6 +353,7 @@ enum { Opt_fscontext = 2, Opt_defcontext = 3, Opt_rootcontext = 4, + Opt_labelsupport = 5, }; static const match_table_t tokens = { @@ -360,6 +361,7 @@ static const match_table_t tokens = { {Opt_fscontext, FSCONTEXT_STR "%s"}, {Opt_defcontext, DEFCONTEXT_STR "%s"}, {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, + {Opt_labelsupport, LABELSUPP_STR}, {Opt_error, NULL}, }; @@ -431,7 +433,7 @@ static int sb_finish_set_opts(struct super_block *sb) } } - sbsec->flags |= SE_SBINITIALIZED; + sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP); if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 
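Review bot: The -431 hunk sets SE_SBLABELSUPP unconditionally and the following -441 hunk immediately clears it again for the genfs, mntpoint, none and unknown behaviors, so the flag is written twice on every mount; setting only `SE_SBINITIALIZED` here and having the -441 hunk set SE_SBLABELSUPP for the xattr, task and transition behaviors would express the rule once. The commit message says context mounts also override label support, but the visible hunks derive the flag solely from `sbsec->behavior`; if context mounts reach this point with `behavior` already forced to SECURITY_FS_USE_MNTPOINT that is covered, otherwise it is not — worth confirming. The -441 hunk also repeats the `sbsec->behavior > ARRAY_SIZE(labeling_behaviors)` test the printk just above it uses; a local result would avoid evaluating it twice.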
@@ -441,6 +443,12 @@ static int sb_finish_set_opts(struct super_block *sb) sb->s_id, sb->s_type->name, labeling_behaviors[sbsec->behavior-1]); + if (sbsec->behavior == SECURITY_FS_USE_GENFS || + sbsec->behavior == SECURITY_FS_USE_MNTPOINT || + sbsec->behavior == SECURITY_FS_USE_NONE || + sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) + sbsec->flags &= ~SE_SBLABELSUPP; + /* Initialize the root inode. */ rc = inode_doinit_with_dentry(root_inode, root); @@ -500,6 +508,9 @@ static int selinux_get_mnt_opts(const struct super_block *sb, opts->num_mnt_opts++; tmp >>= 1; } + /* Check if the Label support flag is set */ + if (sbsec->flags & SE_SBLABELSUPP) + opts->num_mnt_opts++; opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); if (!opts->mnt_opts) { @@ -545,6 +556,10 @@ static int selinux_get_mnt_opts(const struct super_block *sb, opts->mnt_opts[i] = context; opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; } + if (sbsec->flags & SE_SBLABELSUPP) { + opts->mnt_opts[i] = NULL; + opts->mnt_opts_flags[i++] = SE_SBLABELSUPP; + } BUG_ON(i != opts->num_mnt_opts); @@ -635,6 +650,9 @@ static int selinux_set_mnt_opts(struct super_block *sb, */ for (i = 0; i < num_opts; i++) { u32 sid; + + if (flags[i] == SE_SBLABELSUPP) + continue; rc = security_context_to_sid(mount_options[i], strlen(mount_options[i]), &sid); if (rc) { @@ -915,7 +933,8 @@ static int selinux_parse_opts_str(char *options, goto out_err; } break; - + case Opt_labelsupport: + break; default: rc = -EINVAL; printk(KERN_WARNING "SELinux: unknown mount option\n"); @@ -997,7 +1016,12 @@ static void selinux_write_opts(struct seq_file *m, char *prefix; for (i = 0; i < opts->num_mnt_opts; i++) { - char *has_comma = strchr(opts->mnt_opts[i], ','); + char *has_comma; + + if (opts->mnt_opts[i]) + has_comma = strchr(opts->mnt_opts[i], ','); + else + has_comma = NULL; switch (opts->mnt_opts_flags[i]) { case CONTEXT_MNT: 
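Review bot: The -545 hunk stores a NULL string in `opts->mnt_opts[i]` for the seclabel entry, which introduces a new invariant: every consumer of `mnt_opts` must now tolerate a NULL element. The -635 and -997 hunks patch selinux_set_mnt_opts and selinux_write_opts for this, but any other reader of the array outside these hunks (copying, comparing or freeing the options) needs the same audit, and the free path is presumably only safe because kfree() accepts NULL. A comment on the assignment, `/* seclabel carries no context string; consumers must check for NULL */`, would make the convention explicit at its source.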
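Review bot: The new `case Opt_labelsupport: break;` in the -915 hunk accepts the seclabel token and discards it without explanation, and nothing in the hunk sets SE_SBLABELSUPP from user input. Presumably this is deliberate — the flag is derived from the labeling behavior in sb_finish_set_opts and the token is accepted only so that the option list shown to userspace can be passed back on a remount — but a reader cannot tell that from the code; a comment such as `/* seclabel is informational: accepted so options printed by selinux_write_opts round-trip, never honoured as a request */` belongs here. selinux_parse_opts_str continues outside the hunk.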
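Review bot: The four-line if/else in the -997 hunk can be a single conditional, `has_comma = opts->mnt_opts[i] ? strchr(opts->mnt_opts[i], ',') : NULL;`, and the NULL case exists only for the SE_SBLABELSUPP entry that the -1012 hunk leaves with `continue` before `has_comma` is read. Testing `opts->mnt_opts_flags[i] == SE_SBLABELSUPP` ahead of the `strchr()` would remove the need to special-case a NULL string here at all. selinux_write_opts continues outside the hunk.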
@@ -1012,6 +1036,10 @@ static void selinux_write_opts(struct seq_file *m, case DEFCONTEXT_MNT: prefix = DEFCONTEXT_STR; break; + case SE_SBLABELSUPP: + seq_putc(m, ','); + seq_puts(m, LABELSUPP_STR); + continue; default: BUG(); }; @@ -2398,7 +2426,8 @@ static inline int selinux_option(char *option, int len) return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || - match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len)); + match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || + match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); } static inline void take_option(char **to, char *from, int *first, int len) diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ff4e19ccd8f..e1d9db77998 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -47,11 +47,13 @@ /* Non-mount related flags */ #define SE_SBINITIALIZED 0x10 #define SE_SBPROC 0x20 +#define SE_SBLABELSUPP 0x40 #define CONTEXT_STR "context=" #define FSCONTEXT_STR "fscontext=" #define ROOTCONTEXT_STR "rootcontext=" #define DEFCONTEXT_STR "defcontext=" +#define LABELSUPP_STR "seclabel" struct netlbl_lsm_secattr; -- cgit v1.2.3-70-g09d2 From cd89596f0ccfa3ccb8a81ce47782231cf7ea7296 Mon Sep 17 00:00:00 2001 From: "David P. Quigley" Date: Fri, 16 Jan 2009 09:22:04 -0500 Subject: SELinux: Unify context mount and genfs behavior Context mounts and genfs labeled file systems behave differently with respect to setting file system labels. This patch brings genfs labeled file systems in line with context mounts in that setxattr calls to them should return EOPNOTSUPP and fscreate calls will be ignored. Signed-off-by: David P. Quigley Acked-by: Eric Paris 
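Review bot: In the -2398 hunk `match_prefix(LABELSUPP_STR, ...)` is, by its name and its use with `sizeof(LABELSUPP_STR)-1`, a prefix test, and unlike the four context options LABELSUPP_STR has no trailing `=`, so a filesystem-specific option that merely begins with "seclabel" would be claimed as an SELinux option and stripped from the data handed to the filesystem (match_prefix's body is outside the hunk; this assumes it does not check for a terminator). Matching the full token — `len` equal to `sizeof(LABELSUPP_STR)-1`, or the prefix followed by ',' — would avoid that. A comment noting that this option is intentionally a whole-token match would help the next person who adds one.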
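Review bot: The new `SE_SBLABELSUPP` define in security.h is grouped under "Non-mount related flags", yet the same value is also used in hooks.c as a `mnt_opts_flags` tag alongside CONTEXT_MNT, so one constant now serves two namespaces that merely happen not to collide. A comment on the define stating both roles, `/* sb supports security labels; also the mnt_opts_flags tag for LABELSUPP_STR */`, or a dedicated tag for the mount-option side, would keep a future mount-option bit from silently aliasing it. LABELSUPP_STR also deserves a note that, unlike the *_STR prefixes above it, it is a complete token with no '=' value.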
Signed-off-by: James Morris --- security/selinux/hooks.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1a9768a8b64..3bb4942e39c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1613,7 +1613,7 @@ static int may_create(struct inode *dir, if (rc) return rc; - if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) { + if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { rc = security_transition_sid(sid, dsec->sid, tclass, &newsid); if (rc) return rc; @@ -2597,7 +2597,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, sid = tsec->sid; newsid = tsec->create_sid; - if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) { + if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { rc = security_transition_sid(sid, dsec->sid, inode_mode_to_security_class(inode->i_mode), &newsid); @@ -2619,7 +2619,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, isec->initialized = 1; } - if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) + if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) return -EOPNOTSUPP; if (name) { @@ -2796,7 +2796,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, return selinux_inode_setotherxattr(dentry, name); sbsec = inode->i_sb->s_security; - if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) + if (!(sbsec->flags & SE_SBLABELSUPP)) return -EOPNOTSUPP; if (!is_owner_or_cap(inode)) -- cgit v1.2.3-70-g09d2 From bc05595845f58c065adc0763a678187647ec040f Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 11:28:33 +1100 Subject: selinux: remove unused bprm_check_security hook Remove unused bprm_check_security hook from SELinux. This currently calls into the capabilities hook, which is a noop. Acked-by: Eric Paris Acked-by: Serge Hallyn 
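Review bot: Replacing `sbsec->behavior == SECURITY_FS_USE_MNTPOINT` with `!(sbsec->flags & SE_SBLABELSUPP)` in the -1613 hunk (and likewise in -2597, -2619 and -2796) changes what happens on a superblock that has not yet passed through sb_finish_set_opts: before, such an sb did not match the mntpoint test; now its clear SE_SBLABELSUPP bit makes it look unlabeled, so setxattr returns -EOPNOTSUPP and a create_sid is ignored. If every superblock reaching these hooks is guaranteed initialized, or the only window is before policy load where `ss_initialized` already short-circuits the -2619 check, that is fine, but the -1613 and -2796 paths carry no such guard, so it is worth confirming. A one-line comment at the first site, `/* SE_SBLABELSUPP is only meaningful once sb_finish_set_opts has run */`, would record the dependency. The enclosing functions continue outside their hunks.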
Signed-off-by: James Morris --- security/selinux/hooks.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3bb4942e39c..8251c6ba36c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2182,11 +2182,6 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) return 0; } -static int selinux_bprm_check_security(struct linux_binprm *bprm) -{ - return secondary_ops->bprm_check_security(bprm); -} - static int selinux_bprm_secureexec(struct linux_binprm *bprm) { const struct cred *cred = current_cred(); @@ -5608,7 +5603,6 @@ static struct security_operations selinux_ops = { .netlink_recv = selinux_netlink_recv, .bprm_set_creds = selinux_bprm_set_creds, - .bprm_check_security = selinux_bprm_check_security, .bprm_committing_creds = selinux_bprm_committing_creds, .bprm_committed_creds = selinux_bprm_committed_creds, .bprm_secureexec = selinux_bprm_secureexec, -- cgit v1.2.3-70-g09d2 From 2ec5dbe23d68bddc043a85d1226bfc499a724b1c Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 11:46:14 +1100 Subject: selinux: remove secondary ops call to bprm_committing_creds Remove secondary ops call to bprm_committing_creds, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8251c6ba36c..fc01ffa0b69 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2311,8 +2311,6 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm) struct rlimit *rlim, *initrlim; int rc, i; - secondary_ops->bprm_committing_creds(bprm); - new_tsec = bprm->cred->security; if (new_tsec->sid == new_tsec->osid) return; -- cgit v1.2.3-70-g09d2 From 5565b0b865f672e3d7e31936ad1d40710ab7bfc4 Mon Sep 17 00:00:00 2001 
From: James Morris Date: Thu, 29 Jan 2009 11:47:49 +1100 Subject: selinux: remove secondary ops call to bprm_committed_creds Remove secondary ops call to bprm_committed_creds, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fc01ffa0b69..516058ff063 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2356,8 +2356,6 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm) int rc, i; unsigned long flags; - secondary_ops->bprm_committed_creds(bprm); - osid = tsec->osid; sid = tsec->sid; -- cgit v1.2.3-70-g09d2 From ef935b9136eeaa203f75bf0b4d6e398c29f44d27 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 11:51:11 +1100 Subject: selinux: remove secondary ops call to sb_mount Remove secondary ops call to sb_mount, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 516058ff063..bdd483096b3 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2531,11 +2531,6 @@ static int selinux_mount(char *dev_name, void *data) { const struct cred *cred = current_cred(); - int rc; - - rc = secondary_ops->sb_mount(dev_name, path, type, flags, data); - if (rc) - return rc; if (flags & MS_REMOUNT) return superblock_has_perm(cred, path->mnt->mnt_sb, -- cgit v1.2.3-70-g09d2 From 97422ab9ef45118cb7418d799dc69040f17108ce Mon Sep 17 00:00:00 2001 
From: James Morris Date: Thu, 29 Jan 2009 11:55:02 +1100 Subject: selinux: remove secondary ops call to sb_umount Remove secondary ops call to sb_umount, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index bdd483096b3..42aa8de5f59 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2543,11 +2543,6 @@ static int selinux_mount(char *dev_name, static int selinux_umount(struct vfsmount *mnt, int flags) { const struct cred *cred = current_cred(); - int rc; - - rc = secondary_ops->sb_umount(mnt, flags); - if (rc) - return rc; return superblock_has_perm(cred, mnt->mnt_sb, FILESYSTEM__UNMOUNT, NULL); -- cgit v1.2.3-70-g09d2 From efdfac437607e4acfed66c383091a376525eaec4 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 11:57:34 +1100 Subject: selinux: remove secondary ops call to inode_link Remove secondary ops call to inode_link, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 42aa8de5f59..da0e523157d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2630,11 +2630,6 @@ static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int ma static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) { - int rc; - - rc = secondary_ops->inode_link(old_dentry, dir, new_dentry); - if (rc) - return rc; return may_link(dir, old_dentry, MAY_LINK); } -- cgit v1.2.3-70-g09d2 From e4737250b751b4e0e802adae9a4d3ae0227b580b Mon Sep 17 00:00:00 2001 
From: James Morris Date: Thu, 29 Jan 2009 12:00:08 +1100 Subject: selinux: remove secondary ops call to inode_unlink Remove secondary ops call to inode_unlink, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index da0e523157d..ec834dc0b41 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2635,11 +2635,6 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) { - int rc; - - rc = secondary_ops->inode_unlink(dir, dentry); - if (rc) - return rc; return may_link(dir, dentry, MAY_UNLINK); } -- cgit v1.2.3-70-g09d2 From dd4907a6d4e038dc65839fcd4030ebefe2f5f439 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:08:34 +1100 Subject: selinux: remove secondary ops call to inode_mknod Remove secondary ops call to inode_mknod, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ec834dc0b41..03621928f1b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2655,12 +2655,6 @@ static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) { - int rc; - - rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); - if (rc) - return rc; - return may_create(dir, dentry, inode_mode_to_security_class(mode)); } -- cgit v1.2.3-70-g09d2 From f51115b9ab5b9cfd0b7be1cce75afbf3ffbcdd87 Mon Sep 17 00:00:00 2001 
From: James Morris Date: Thu, 29 Jan 2009 12:10:56 +1100 Subject: selinux: remove secondary ops call to inode_follow_link Remove secondary ops call to inode_follow_link, which is a noop in capabilities. Acked-by: Serge Hallyn Signed-off-by: James Morris --- security/selinux/hooks.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 03621928f1b..67291a385c7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2674,11 +2674,7 @@ static int selinux_inode_readlink(struct dentry *dentry) static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) { const struct cred *cred = current_cred(); - int rc; - rc = secondary_ops->inode_follow_link(dentry, nameidata); - if (rc) - return rc; return dentry_has_perm(cred, NULL, dentry, FILE__READ); } -- cgit v1.2.3-70-g09d2 From 188fbcca9dd02f15dcf45cfc51ce0dd6c13993f6 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:14:03 +1100 Subject: selinux: remove secondary ops call to inode_permission Remove secondary ops call to inode_permission, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 67291a385c7..7e90c9e5865 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2681,11 +2681,6 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na static int selinux_inode_permission(struct inode *inode, int mask) { const struct cred *cred = current_cred(); - int rc; - - rc = secondary_ops->inode_permission(inode, mask); - if (rc) - return rc; if (!mask) { /* No permission to check. Existence test. */ -- cgit v1.2.3-70-g09d2 From 438add6b32d9295db6e3ecd4d9e137086ec5b5d9 Mon Sep 17 00:00:00 2001 
From: James Morris Date: Thu, 29 Jan 2009 12:15:59 +1100 Subject: selinux: remove secondary ops call to inode_setattr Remove secondary ops call to inode_setattr, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7e90c9e5865..08b506846a1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2694,11 +2694,6 @@ static int selinux_inode_permission(struct inode *inode, int mask) static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) { const struct cred *cred = current_cred(); - int rc; - - rc = secondary_ops->inode_setattr(dentry, iattr); - if (rc) - return rc; if (iattr->ia_valid & ATTR_FORCE) return 0; -- cgit v1.2.3-70-g09d2 From d541bbee6902d5ffb8a03d63ac8f4b1364c2ff93 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:19:51 +1100 Subject: selinux: remove secondary ops call to file_mprotect Remove secondary ops call to file_mprotect, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 08b506846a1..2c98071fba8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -3056,18 +3056,13 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, unsigned long prot) { const struct cred *cred = current_cred(); - int rc; - - rc = secondary_ops->file_mprotect(vma, reqprot, prot); - if (rc) - return rc; if (selinux_checkreqprot) prot = reqprot; #ifndef CONFIG_PPC32 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { - rc = 0; + int rc = 0; if (vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= vma->vm_mm->brk) { rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); -- cgit v1.2.3-70-g09d2 From af294e41d0c95a291cc821a1b43ec2cd13976a8b Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:23:36 +1100 Subject: selinux: remove secondary ops call to task_create Remove secondary ops call to task_create, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 2c98071fba8..72c1e5cd26d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3212,12 +3212,6 @@ static int selinux_dentry_open(struct file *file, const struct cred *cred) static int selinux_task_create(unsigned long clone_flags) { - int rc; - - rc = secondary_ops->task_create(clone_flags); - if (rc) - return rc; - return current_has_perm(current, PROCESS__FORK); } -- cgit v1.2.3-70-g09d2 From ca5143d3ff3c7a4e1c2c8bdcf0f53aea227a7722 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:26:14 +1100 Subject: selinux: remove unused cred_commit hook Remove unused cred_commit hook from SELinux. This currently calls into the capabilities hook, which is a noop. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 9 --------- 1 file changed, 9 deletions(-) (limited to 'security/selinux/hooks.c') 
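Review bot: Moving the declaration to `int rc = 0;` inside the `#ifndef CONFIG_PPC32` block in the -3056 hunk means `rc` no longer exists on PPC32 builds; selinux_file_mprotect continues outside the hunk, so any use of `rc` after the `#endif` would fail to compile only in that configuration. Confirm the remainder of the function references `rc` only within the PPC32-excluded block, or keep a function-scope declaration with a `/* only used under !CONFIG_PPC32 */` note if it does not.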
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 72c1e5cd26d..afccada1f26 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3244,14 +3244,6 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, return 0; } -/* - * commit new credentials - */ -static void selinux_cred_commit(struct cred *new, const struct cred *old) -{ - secondary_ops->cred_commit(new, old); -} - /* * set the security data for a kernel service * - all the creation contexts are set to unlabelled @@ -5610,7 +5602,6 @@ static struct security_operations selinux_ops = { .task_create = selinux_task_create, .cred_free = selinux_cred_free, .cred_prepare = selinux_cred_prepare, - .cred_commit = selinux_cred_commit, .kernel_act_as = selinux_kernel_act_as, .kernel_create_files_as = selinux_kernel_create_files_as, .task_setuid = selinux_task_setuid, -- cgit v1.2.3-70-g09d2 From ef76e748faa823a738d632ee4c8ed9adaabc8a40 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:30:28 +1100 Subject: selinux: remove secondary ops call to task_setrlimit Remove secondary ops call to task_setrlimit, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index afccada1f26..3aaa63cc5c7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3367,11 +3367,6 @@ static int selinux_task_getioprio(struct task_struct *p) static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) { struct rlimit *old_rlim = current->signal->rlim + resource; - int rc; - - rc = secondary_ops->task_setrlimit(resource, new_rlim); - if (rc) - return rc; /* Control the ability to change the hard limit (whether lowering or raising it), so that the hard limit can -- cgit v1.2.3-70-g09d2 
From 2cbbd19812b7636c1c37bcf50c403e7af5278d73 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:32:50 +1100 Subject: selinux: remove secondary ops call to task_kill Remove secondary ops call to task_kill, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3aaa63cc5c7..0bd36a17587 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3405,10 +3405,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, u32 perm; int rc; - rc = secondary_ops->task_kill(p, info, sig, secid); - if (rc) - return rc; - if (!sig) perm = PROCESS__SIGNULL; /* null signal; existence test */ else -- cgit v1.2.3-70-g09d2 From 5c4054ccfafb6a446e9b65c524af1741656c6c60 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:34:53 +1100 Subject: selinux: remove secondary ops call to unix_stream_connect Remove secondary ops call to unix_stream_connect, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0bd36a17587..25198e9896f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3997,10 +3997,6 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, struct avc_audit_data ad; int err; - err = secondary_ops->unix_stream_connect(sock, other, newsk); - if (err) - return err; - isec = SOCK_INODE(sock)->i_security; other_isec = SOCK_INODE(other)->i_security; -- cgit v1.2.3-70-g09d2 From 95c14904b6f6f8a35365f0c58d530c85b4fb96b4 Mon Sep 17 00:00:00 2001 
From: James Morris Date: Thu, 29 Jan 2009 12:37:58 +1100 Subject: selinux: remove secondary ops call to shm_shmat Remove secondary ops call to shm_shmat, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 25198e9896f..d9604794a4d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5113,11 +5113,6 @@ static int selinux_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg) { u32 perms; - int rc; - - rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); - if (rc) - return rc; if (shmflg & SHM_RDONLY) perms = SHM__READ; -- cgit v1.2.3-70-g09d2 From 5626d3e86141390c8efc7bcb929b6a4b58b00480 Mon Sep 17 00:00:00 2001 From: James Morris Date: Fri, 30 Jan 2009 10:05:06 +1100 Subject: selinux: remove hooks which simply defer to capabilities Remove SELinux hooks which do nothing except defer to the capabilites hooks (or in one case, replicates the function). Signed-off-by: James Morris Acked-by: Stephen Smalley --- security/selinux/hooks.c | 68 +++++++----------------------------------------- 1 file changed, 10 insertions(+), 58 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d9604794a4d..a69d6f8970c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -1892,6 +1892,16 @@ static int selinux_capset(struct cred *new, const struct cred *old, return cred_has_perm(old, new, PROCESS__SETCAP); } +/* + * (This comment used to live with the selinux_task_setuid hook, + * which was removed). + * + * Since setuid only affects the current process, and since the SELinux + * controls are not based on the Linux identity attributes, SELinux does not + * need to control this operation. However, SELinux does control the use of + * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. + */ + static int selinux_capable(struct task_struct *tsk, const struct cred *cred, int cap, int audit) { @@ -2909,16 +2919,6 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t return len; } -static int selinux_inode_need_killpriv(struct dentry *dentry) -{ - return secondary_ops->inode_need_killpriv(dentry); -} - -static int selinux_inode_killpriv(struct dentry *dentry) -{ - return secondary_ops->inode_killpriv(dentry); -} - static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) { struct inode_security_struct *isec = inode->i_security; 
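Review bot: The comment added before selinux_capable in the -1892 hunk opens with where it used to live, which is history that belongs in the commit message, and it sits above a function it does not describe. Rewriting it as a present-tense statement keeps the useful part: `/* No task_setuid/setgid/setgroups hooks: setuid only affects the current process and SELinux controls are not based on Linux identity attributes, so the CAP_SETUID and CAP_SETGID checks in selinux_capable are what SELinux controls. */`. selinux_capable's body continues outside the hunk.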
@@ -3288,29 +3288,6 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) return 0; } -static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) -{ - /* Since setuid only affects the current process, and - since the SELinux controls are not based on the Linux - identity attributes, SELinux does not need to control - this operation. However, SELinux does control the use - of the CAP_SETUID and CAP_SETGID capabilities using the - capable hook. */ - return 0; -} - -static int selinux_task_fix_setuid(struct cred *new, const struct cred *old, - int flags) -{ - return secondary_ops->task_fix_setuid(new, old, flags); -} - -static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) -{ - /* See the comment for setuid above. */ - return 0; -} - static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) { return current_has_perm(p, PROCESS__SETPGID); @@ -3331,12 +3308,6 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid) *secid = task_sid(p); } -static int selinux_task_setgroups(struct group_info *group_info) -{ - /* See the comment for setuid above. */ - return 0; -} - static int selinux_task_setnice(struct task_struct *p, int nice) { int rc; @@ -3417,18 +3388,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, return rc; } -static int selinux_task_prctl(int option, - unsigned long arg2, - unsigned long arg3, - unsigned long arg4, - unsigned long arg5) -{ - /* The current prctl operations do not appear to require - any SELinux controls since they merely observe or modify - the state of the current process. */ - return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5); -} - static int selinux_task_wait(struct task_struct *p) { return task_has_perm(p, current, PROCESS__SIGCHLD); 
@@ -5563,8 +5522,6 @@ static struct security_operations selinux_ops = { .inode_getsecurity = selinux_inode_getsecurity, .inode_setsecurity = selinux_inode_setsecurity, .inode_listsecurity = selinux_inode_listsecurity, - .inode_need_killpriv = selinux_inode_need_killpriv, - .inode_killpriv = selinux_inode_killpriv, .inode_getsecid = selinux_inode_getsecid, .file_permission = selinux_file_permission, @@ -5586,14 +5543,10 @@ static struct security_operations selinux_ops = { .cred_prepare = selinux_cred_prepare, .kernel_act_as = selinux_kernel_act_as, .kernel_create_files_as = selinux_kernel_create_files_as, - .task_setuid = selinux_task_setuid, - .task_fix_setuid = selinux_task_fix_setuid, - .task_setgid = selinux_task_setgid, .task_setpgid = selinux_task_setpgid, .task_getpgid = selinux_task_getpgid, .task_getsid = selinux_task_getsid, .task_getsecid = selinux_task_getsecid, - .task_setgroups = selinux_task_setgroups, .task_setnice = selinux_task_setnice, .task_setioprio = selinux_task_setioprio, .task_getioprio = selinux_task_getioprio, @@ -5603,7 +5556,6 @@ static struct security_operations selinux_ops = { .task_movememory = selinux_task_movememory, .task_kill = selinux_task_kill, .task_wait = selinux_task_wait, - .task_prctl = selinux_task_prctl, .task_to_inode = selinux_task_to_inode, .ipc_permission = selinux_ipc_permission, -- cgit v1.2.3-70-g09d2 From 200ac532a4bc3134147ca06686c56a6420e66c46 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 12 Feb 2009 15:01:04 -0500 Subject: SELinux: call capabilities code directory For cleanliness and efficiency remove all calls to secondary-> and instead call capabilities code directly. capabilities are the only module that selinux stacks with and so the code should not indicate that other stacking might be possible. Signed-off-by: Eric Paris Acked-by: Stephen Smalley 
Signed-off-by: James Morris --- security/selinux/hooks.c | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a69d6f8970c..e9011e5f5ff 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1841,7 +1841,7 @@ static int selinux_ptrace_may_access(struct task_struct *child, { int rc; - rc = secondary_ops->ptrace_may_access(child, mode); + rc = cap_ptrace_may_access(child, mode); if (rc) return rc; @@ -1858,7 +1858,7 @@ static int selinux_ptrace_traceme(struct task_struct *parent) { int rc; - rc = secondary_ops->ptrace_traceme(parent); + rc = cap_ptrace_traceme(parent); if (rc) return rc; @@ -1874,7 +1874,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, if (error) return error; - return secondary_ops->capget(target, effective, inheritable, permitted); + return cap_capget(target, effective, inheritable, permitted); } static int selinux_capset(struct cred *new, const struct cred *old, @@ -1884,7 +1884,7 @@ static int selinux_capset(struct cred *new, const struct cred *old, { int error; - error = secondary_ops->capset(new, old, + error = cap_capset(new, old, effective, inheritable, permitted); if (error) return error; @@ -1907,7 +1907,7 @@ static int selinux_capable(struct task_struct *tsk, const struct cred *cred, { int rc; - rc = secondary_ops->capable(tsk, cred, cap, audit); + rc = cap_capable(tsk, cred, cap, audit); if (rc) return rc; @@ -2033,7 +2033,7 @@ static int selinux_syslog(int type) { int rc; - rc = secondary_ops->syslog(type); + rc = cap_syslog(type); if (rc) return rc; 
@@ -2064,10 +2064,6 @@ static int selinux_syslog(int type) * mapping. 0 means there is enough memory for the allocation to * succeed and -ENOMEM implies there is not. * - * Note that secondary_ops->capable and task_has_perm_noaudit return 0 - * if the capability is granted, but __vm_enough_memory requires 1 if - * the capability is granted. - * * Do not audit the selinux permission check, as this is applied to all * processes that allocate mappings. */ @@ -2094,7 +2090,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) struct inode *inode = bprm->file->f_path.dentry->d_inode; int rc; - rc = secondary_ops->bprm_set_creds(bprm); + rc = cap_bprm_set_creds(bprm); if (rc) return rc; @@ -2211,7 +2207,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm) PROCESS__NOATSECURE, NULL); } - return (atsecure || secondary_ops->bprm_secureexec(bprm)); + return (atsecure || cap_bprm_secureexec(bprm)); } extern struct vfsmount *selinuxfs_mount; @@ -3312,7 +3308,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice) { int rc; - rc = secondary_ops->task_setnice(p, nice); + rc = cap_task_setnice(p, nice); if (rc) return rc; @@ -3323,7 +3319,7 @@ static int selinux_task_setioprio(struct task_struct *p, int ioprio) { int rc; - rc = secondary_ops->task_setioprio(p, ioprio); + rc = cap_task_setioprio(p, ioprio); if (rc) return rc; @@ -3353,7 +3349,7 @@ static int selinux_task_setscheduler(struct task_struct *p, int policy, struct s { int rc; - rc = secondary_ops->task_setscheduler(p, policy, lp); + rc = cap_task_setscheduler(p, policy, lp); if (rc) return rc; @@ -4749,7 +4745,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) { int err; - err = secondary_ops->netlink_send(sk, skb); + err = cap_netlink_send(sk, skb); if (err) return err; 
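Review bot: The deleted paragraph in the kernel-doc preceding the __vm_enough_memory wrapper documented a real sign convention — the permission checks return 0 when the capability is granted while __vm_enough_memory expects 1 — not merely the secondary_ops name, and the function body below the hunk presumably still performs that translation. Rewording is safer than deleting: `Note that cap_capable and task_has_perm_noaudit return 0 if the capability is granted, but __vm_enough_memory requires 1 if the capability is granted.`. The function the comment describes starts outside the hunk.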
@@ -4764,7 +4760,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability) int err; struct avc_audit_data ad; - err = secondary_ops->netlink_recv(skb, capability); + err = cap_netlink_recv(skb, capability); if (err) return err; -- cgit v1.2.3-70-g09d2 From 4ba0a8ad63e12a03ae01c039482967cc496b9174 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 12 Feb 2009 15:01:10 -0500 Subject: SELinux: better printk when file with invalid label found Currently when an inode is read into the kernel with an invalid label string (can often happen with removable media) we output a string like: SELinux: inode_doinit_with_dentry: context_to_sid([SOME INVALID LABEL]) returned -22 dor dev=[blah] ino=[blah] Which is all but incomprehensible to all but a couple of us. Instead, on EINVAL only, I plan to output a much more user friendly string and I plan to ratelimit the printk since many of these could be generated very rapidly. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e9011e5f5ff..aebcfad5613 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -1315,10 +1315,19 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent sbsec->def_sid, GFP_NOFS); if (rc) { - printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " - "returned %d for dev=%s ino=%ld\n", - __func__, context, -rc, - inode->i_sb->s_id, inode->i_ino); + char *dev = inode->i_sb->s_id; + unsigned long ino = inode->i_ino; + + if (rc == -EINVAL) { + if (printk_ratelimit()) + printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " + "context=%s. This indicates you may need to relabel the inode or the " + "filesystem in question.\n", ino, dev, context); + } else { + printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " + "returned %d for dev=%s ino=%ld\n", + __func__, context, -rc, dev, ino); + } kfree(context); /* Leave with the unlabeled SID */ rc = 0; -- cgit v1.2.3-70-g09d2 From 4cb912f1d1447077160ace9ce3b3a10696dd74e5 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 12 Feb 2009 14:50:05 -0500 Subject: SELinux: NULL terminate al contexts from disk When a context is pulled in from disk we don't know that it is null terminated. This patch forecebly null terminates contexts when we pull them from disk. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index aebcfad5613..309648c573d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1270,12 +1270,13 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent } len = INITCONTEXTLEN; - context = kmalloc(len, GFP_NOFS); + context = kmalloc(len+1, GFP_NOFS); if (!context) { rc = -ENOMEM; dput(dentry); goto out_unlock; } + context[len] = '\0'; rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, context, len); if (rc == -ERANGE) { 
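Review bot: The two branches print the same inode number with different conversions: the new KERN_NOTICE line uses `%lu` for `ino`, while the retained KERN_WARNING line still uses `%ld` for the same `unsigned long`; use `%lu` in both. `context` is whatever was read from the on-disk xattr and is printed with `%s` in both branches, so its NUL termination has to be guaranteed by the getxattr path that this hunk does not show (the following commit on this page adds exactly that); until then a label filling the whole buffer would let printk read past the allocation. inode_doinit_with_dentry's body continues outside the hunk on both sides.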
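Review bot: `context[len] = '\0'` terminates at the buffer's capacity rather than at the xattr's actual length, so when getxattr returns rc < len the bytes in [rc, len) are uninitialized kmalloc memory and any `%s` use of `context` (the invalid-label printk later in this function) can copy heap contents into the log. Terminate at the returned length once the call succeeds, e.g. `context[rc] = '\0';` after the rc checks that follow the hunk, keeping the len+1 allocation so that rc == len stays in bounds; the same applies to the second kmalloc/getxattr pair in the next hunk (1288). The enclosing inode_doinit_with_dentry begins and ends outside the hunk.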
@@ -1288,12 +1289,13 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent } kfree(context); len = rc; - context = kmalloc(len, GFP_NOFS); + context = kmalloc(len+1, GFP_NOFS); if (!context) { rc = -ENOMEM; dput(dentry); goto out_unlock; } + context[len] = '\0'; rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, context, len); -- cgit v1.2.3-70-g09d2 From 6a25b27d602aac24f3c642722377ba5d778417ec Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 5 Mar 2009 13:40:35 -0500 Subject: SELinux: open perm for sock files When I did open permissions I didn't think any sockets would have an open. Turns out AF_UNIX sockets can have an open when they are bound to the filesystem namespace. This patch adds a new SOCK_FILE__OPEN permission. It's safe to add this as the open perms are already predicated on capabilities and capabilities means we have unknown perm handling so systems should be as backwards compatible as the policy wants them to be. https://bugzilla.redhat.com/show_bug.cgi?id=475224 Signed-off-by: Eric Paris Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 2 ++ security/selinux/include/av_perm_to_string.h | 1 + security/selinux/include/av_permissions.h | 1 + 3 files changed, 4 insertions(+) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 309648c573d..cd3307a26d1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1838,6 +1838,8 @@ static inline u32 open_file_to_av(struct file *file) av |= FIFO_FILE__OPEN; else if (S_ISDIR(mode)) av |= DIR__OPEN; + else if (S_ISSOCK(mode)) + av |= SOCK_FILE__OPEN; else printk(KERN_ERR "SELinux: WARNING: inside %s with " "unknown mode:%o\n", __func__, mode); diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index c0c885427b9..c7531ee9c7b 100644 --- a/security/selinux/include/av_perm_to_string.h 
+++ b/security/selinux/include/av_perm_to_string.h @@ -24,6 +24,7 @@ S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod") S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open") S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open") + S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open") S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open") S_(SECCLASS_FD, FD__USE, "use") S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto") diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index 0ba79fe00e1..0b8f9b2bbde 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h @@ -174,6 +174,7 @@ #define SOCK_FILE__SWAPON 0x00004000UL #define SOCK_FILE__QUOTAON 0x00008000UL #define SOCK_FILE__MOUNTON 0x00010000UL +#define SOCK_FILE__OPEN 0x00020000UL #define FIFO_FILE__IOCTL 0x00000001UL #define FIFO_FILE__READ 0x00000002UL #define FIFO_FILE__WRITE 0x00000004UL -- cgit v1.2.3-70-g09d2 From df7f54c012b92ec93d56b68547351dcdf8a163d3 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Mon, 9 Mar 2009 14:35:58 -0400 Subject: SELinux: inode_doinit_with_dentry drop no dentry printk Drop the printk message when an inode is found without an associated dentry. This should only happen when userspace can't be accessing those inodes and those labels will get set correctly on the next d_instantiate. Thus there is no reason to send this message. Signed-off-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index cd3307a26d1..7c52ba243c6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -1263,9 +1263,15 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 dentry = d_find_alias(inode);
 }
 if (!dentry) {
- printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
- "ino=%ld\n", __func__, inode->i_sb->s_id,
- inode->i_ino);
+ /*
+ * this is can be hit on boot when a file is accessed
+ * before the policy is loaded. When we load policy we
+ * may find inodes that have no dentry on the
+ * sbsec->isec_head list. No reason to complain as these
+ * will get fixed up the next time we go through
+ * inode_doinit with a dentry, before these inodes could
+ * be used again by userspace.
+ */
 goto out_unlock;
 }
 
-- cgit v1.2.3-70-g09d2 From 389fb800ac8be2832efedd19978a2b8ced37eb61 Mon Sep 17 00:00:00 2001
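Review bot: The new comment opens with `this is can be hit on boot`, which should read `this can be hit on boot`; since the hunk replaces the only diagnostic for this path with prose, that prose is all a reader will have, so it is worth getting right. Consider also naming the condition the comment relies on, e.g. `Nothing in userspace can hold a reference to such an inode yet, so leaving it for the next inode_doinit with a dentry is safe.`, which is the claim the commit message makes. inode_doinit_with_dentry starts and ends outside the hunk.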
From: Paul Moore Date: Fri, 27 Mar 2009 17:10:34 -0400 Subject: netlabel: Label incoming TCP connections correctly in SELinux The current NetLabel/SELinux behavior for incoming TCP connections works but only through a series of happy coincidences that rely on the limited nature of standard CIPSO (only able to convey MLS attributes) and the write equality imposed by the SELinux MLS constraints. The problem is that network sockets created as the result of an incoming TCP connection were not on-the-wire labeled based on the security attributes of the parent socket but rather based on the wire label of the remote peer. The issue had to do with how IP options were managed as part of the network stack and where the LSM hooks were in relation to the code which set the IP options on these newly created child sockets. While NetLabel/SELinux did correctly set the socket's on-the-wire label it was promptly cleared by the network stack and reset based on the IP options of the remote peer. This patch, in conjunction with a prior patch that adjusted the LSM hook locations, works to set the correct on-the-wire label format for new incoming connections through the security_inet_conn_request() hook. Besides the correct behavior there are many advantages to this change, the most significant being that all of the NetLabel socket labeling code in SELinux now lives in hooks which can return error codes to the core stack, which allows us to finally get rid of the selinux_netlbl_inode_permission() logic and greatly simplifies the NetLabel/SELinux glue code. In the process of developing this patch I also ran into a small handful of AF_INET6 cleanliness issues that have been fixed which should make the code safer and easier to extend in the future. Signed-off-by: Paul Moore Acked-by: Casey Schaufler 
Signed-off-by: James Morris --- include/net/cipso_ipv4.h | 17 ++++ include/net/netlabel.h | 12 ++- net/ipv4/cipso_ipv4.c | 130 ++++++++++++++++++++++--- net/netlabel/netlabel_kapi.c | 152 +++++++++++++++++++++++++---- security/selinux/hooks.c | 54 +++-------- security/selinux/include/netlabel.h | 27 +++--- security/selinux/netlabel.c | 186 ++++++++++-------------------------- security/smack/smack_lsm.c | 2 +- 8 files changed, 360 insertions(+), 220 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h index bedc7f62e35..abd443604c9 100644 --- a/include/net/cipso_ipv4.h +++ b/include/net/cipso_ipv4.h @@ -40,6 +40,7 @@ #include #include #include +#include #include /* known doi values */ @@ -215,6 +216,10 @@ int cipso_v4_sock_setattr(struct sock *sk, const struct netlbl_lsm_secattr *secattr); void cipso_v4_sock_delattr(struct sock *sk); int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr); +int cipso_v4_req_setattr(struct request_sock *req, + const struct cipso_v4_doi *doi_def, + const struct netlbl_lsm_secattr *secattr); +void cipso_v4_req_delattr(struct request_sock *req); int cipso_v4_skbuff_setattr(struct sk_buff *skb, const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr); @@ -247,6 +252,18 @@ static inline int cipso_v4_sock_getattr(struct sock *sk, return -ENOSYS; } +static inline int cipso_v4_req_setattr(struct request_sock *req, + const struct cipso_v4_doi *doi_def, + const struct netlbl_lsm_secattr *secattr) +{ + return -ENOSYS; +} + +static inline void cipso_v4_req_delattr(struct request_sock *req) +{ + return; +} + static inline int cipso_v4_skbuff_setattr(struct sk_buff *skb, const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr) diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 749011eedc0..bdb10e5183d 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h 
@@ -36,6 +36,7 @@ #include #include #include +#include #include struct cipso_v4_doi; @@ -406,6 +407,7 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap, */ int netlbl_enabled(void); int netlbl_sock_setattr(struct sock *sk, + u16 family, const struct netlbl_lsm_secattr *secattr); void netlbl_sock_delattr(struct sock *sk); int netlbl_sock_getattr(struct sock *sk, @@ -413,6 +415,8 @@ int netlbl_sock_getattr(struct sock *sk, int netlbl_conn_setattr(struct sock *sk, struct sockaddr *addr, const struct netlbl_lsm_secattr *secattr); +int netlbl_req_setattr(struct request_sock *req, + const struct netlbl_lsm_secattr *secattr); int netlbl_skbuff_setattr(struct sk_buff *skb, u16 family, const struct netlbl_lsm_secattr *secattr); @@ -519,7 +523,8 @@ static inline int netlbl_enabled(void) return 0; } static inline int netlbl_sock_setattr(struct sock *sk, - const struct netlbl_lsm_secattr *secattr) + u16 family, + const struct netlbl_lsm_secattr *secattr) { return -ENOSYS; } @@ -537,6 +542,11 @@ static inline int netlbl_conn_setattr(struct sock *sk, { return -ENOSYS; } +static inline int netlbl_req_setattr(struct request_sock *req, + const struct netlbl_lsm_secattr *secattr) +{ + return -ENOSYS; +} static inline int netlbl_skbuff_setattr(struct sk_buff *skb, u16 family, const struct netlbl_lsm_secattr *secattr) diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 7bc992976d2..039cc1ffe97 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c 
@@ -1942,23 +1942,85 @@ socket_setattr_failure: } /** - * cipso_v4_sock_delattr - Delete the CIPSO option from a socket - * @sk: the socket + * cipso_v4_req_setattr - Add a CIPSO option to a connection request socket + * @req: the connection request socket + * @doi_def: the CIPSO DOI to use + * @secattr: the specific security attributes of the socket * * Description: - * Removes the CIPSO option from a socket, if present. + * Set the CIPSO option on the given socket using the DOI definition and + * security attributes passed to the function. Returns zero on success and + * negative values on failure. * */ -void cipso_v4_sock_delattr(struct sock *sk) +int cipso_v4_req_setattr(struct request_sock *req, + const struct cipso_v4_doi *doi_def, + const struct netlbl_lsm_secattr *secattr) { - u8 hdr_delta; - struct ip_options *opt; - struct inet_sock *sk_inet; + int ret_val = -EPERM; + unsigned char *buf = NULL; + u32 buf_len; + u32 opt_len; + struct ip_options *opt = NULL; + struct inet_request_sock *req_inet; - sk_inet = inet_sk(sk); - opt = sk_inet->opt; - if (opt == NULL || opt->cipso == 0) - return; + /* We allocate the maximum CIPSO option size here so we are probably + * being a little wasteful, but it makes our life _much_ easier later + * on and after all we are only talking about 40 bytes. */ + buf_len = CIPSO_V4_OPT_LEN_MAX; + buf = kmalloc(buf_len, GFP_ATOMIC); + if (buf == NULL) { + ret_val = -ENOMEM; + goto req_setattr_failure; + } + + ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr); + if (ret_val < 0) + goto req_setattr_failure; + buf_len = ret_val; + + /* We can't use ip_options_get() directly because it makes a call to + * ip_options_get_alloc() which allocates memory with GFP_KERNEL and + * we won't always have CAP_NET_RAW even though we _always_ want to + * set the IPOPT_CIPSO option. 
*/ + opt_len = (buf_len + 3) & ~3; + opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC); + if (opt == NULL) { + ret_val = -ENOMEM; + goto req_setattr_failure; + } + memcpy(opt->__data, buf, buf_len); + opt->optlen = opt_len; + opt->cipso = sizeof(struct iphdr); + kfree(buf); + buf = NULL; + + req_inet = inet_rsk(req); + opt = xchg(&req_inet->opt, opt); + kfree(opt); + + return 0; + +req_setattr_failure: + kfree(buf); + kfree(opt); + return ret_val; +} + +/** + * cipso_v4_delopt - Delete the CIPSO option from a set of IP options + * @opt_ptr: IP option pointer + * + * Description: + * Deletes the CIPSO IP option from a set of IP options and makes the necessary + * adjustments to the IP option structure. Returns zero on success, negative + * values on failure. + * + */ +int cipso_v4_delopt(struct ip_options **opt_ptr) +{ + int hdr_delta = 0; + struct ip_options *opt = *opt_ptr; if (opt->srr || opt->rr || opt->ts || opt->router_alert) { u8 cipso_len; @@ -2003,11 +2065,34 @@ void cipso_v4_sock_delattr(struct sock *sk) } else { /* only the cipso option was present on the socket so we can * remove the entire option struct */ - sk_inet->opt = NULL; + *opt_ptr = NULL; hdr_delta = opt->optlen; kfree(opt); } + return hdr_delta; +} + +/** + * cipso_v4_sock_delattr - Delete the CIPSO option from a socket + * @sk: the socket + * + * Description: + * Removes the CIPSO option from a socket, if present. + * + */ +void cipso_v4_sock_delattr(struct sock *sk) +{ + int hdr_delta; + struct ip_options *opt; + struct inet_sock *sk_inet; + + sk_inet = inet_sk(sk); + opt = sk_inet->opt; + if (opt == NULL || opt->cipso == 0) + return; + + hdr_delta = cipso_v4_delopt(&sk_inet->opt); if (sk_inet->is_icsk && hdr_delta > 0) { struct inet_connection_sock *sk_conn = inet_csk(sk); sk_conn->icsk_ext_hdr_len -= hdr_delta; 
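Review bot: The kernel-doc for the new cipso_v4_delopt() says it `Returns zero on success, negative values on failure`, but the function has no failure path and returns `hdr_delta` — the number of header bytes removed, which cipso_v4_sock_delattr in the next hunk (2003) uses to shrink icsk_ext_hdr_len; the description should read `Returns the number of bytes removed from the IP header.`. cipso_v4_delopt is also defined with external linkage while the cipso_ipv4.h hunk in this patch declares only cipso_v4_req_setattr and cipso_v4_req_delattr, so unless another file uses it, `static int cipso_v4_delopt(struct ip_options **opt_ptr)` keeps it out of the global namespace. The hunk cuts through cipso_v4_delopt, whose body continues in the next hunk.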
@@ -2015,6 +2100,27 @@ void cipso_v4_sock_delattr(struct sock *sk) } } +/** + * cipso_v4_req_delattr - Delete the CIPSO option from a request socket + * @reg: the request socket + * + * Description: + * Removes the CIPSO option from a request socket, if present. + * + */ +void cipso_v4_req_delattr(struct request_sock *req) +{ + struct ip_options *opt; + struct inet_request_sock *req_inet; + + req_inet = inet_rsk(req); + opt = req_inet->opt; + if (opt == NULL || opt->cipso == 0) + return; + + cipso_v4_delopt(&req_inet->opt); +} + /** * cipso_v4_getattr - Helper function for the cipso_v4_*_getattr functions * @cipso: the CIPSO v4 option diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index fd9229db075..cae2f5f4cac 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -619,8 +619,9 @@ int netlbl_enabled(void) } /** - * netlbl_socket_setattr - Label a socket using the correct protocol + * netlbl_sock_setattr - Label a socket using the correct protocol * @sk: the socket to label + * @family: protocol family * @secattr: the security attributes * * Description: 
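Review bot: The kernel-doc for cipso_v4_req_delattr names its parameter `@reg:` while the function takes `req`, so the doc tooling will report a missing parameter description; change it to `@req: the request socket`. Unlike cipso_v4_sock_delattr, the value returned by cipso_v4_delopt() is discarded here, which looks intentional for a request socket that has no icsk_ext_hdr_len to adjust, but a short comment such as `/* no ext_hdr_len to adjust on a request sock */` would stop a reader from treating it as a missed adjustment.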
@@ -633,29 +634,45 @@ int netlbl_enabled(void) * */ int netlbl_sock_setattr(struct sock *sk, + u16 family, const struct netlbl_lsm_secattr *secattr) { - int ret_val = -ENOENT; + int ret_val; struct netlbl_dom_map *dom_entry; rcu_read_lock(); dom_entry = netlbl_domhsh_getentry(secattr->domain); - if (dom_entry == NULL) + if (dom_entry == NULL) { + ret_val = -ENOENT; goto socket_setattr_return; - switch (dom_entry->type) { - case NETLBL_NLTYPE_ADDRSELECT: - ret_val = -EDESTADDRREQ; - break; - case NETLBL_NLTYPE_CIPSOV4: - ret_val = cipso_v4_sock_setattr(sk, - dom_entry->type_def.cipsov4, - secattr); + } + switch (family) { + case AF_INET: + switch (dom_entry->type) { + case NETLBL_NLTYPE_ADDRSELECT: + ret_val = -EDESTADDRREQ; + break; + case NETLBL_NLTYPE_CIPSOV4: + ret_val = cipso_v4_sock_setattr(sk, + dom_entry->type_def.cipsov4, + secattr); + break; + case NETLBL_NLTYPE_UNLABELED: + ret_val = 0; + break; + default: + ret_val = -ENOENT; + } break; - case NETLBL_NLTYPE_UNLABELED: +#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) + case AF_INET6: + /* since we don't support any IPv6 labeling protocols right + * now we can optimize everything away until we do */ ret_val = 0; break; +#endif /* IPv6 */ default: - ret_val = -ENOENT; + ret_val = -EPROTONOSUPPORT; } socket_setattr_return: @@ -689,9 +706,25 @@ void netlbl_sock_delattr(struct sock *sk) * on failure. * */ -int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) +int netlbl_sock_getattr(struct sock *sk, + struct netlbl_lsm_secattr *secattr) { - return cipso_v4_sock_getattr(sk, secattr); + int ret_val; + + switch (sk->sk_family) { + case AF_INET: + ret_val = cipso_v4_sock_getattr(sk, secattr); + break; +#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) + case AF_INET6: + ret_val = -ENOMSG; + break; +#endif /* IPv6 */ + default: + ret_val = -EPROTONOSUPPORT; + } + + return ret_val; } /** 
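Review bot: netlbl_sock_setattr now returns 0 for AF_INET6 regardless of what the domain mapping asks for, so an IPv6 socket belonging to a domain mapped to CIPSO is sent out unlabeled while the caller is told labeling succeeded; the in-code comment explains why, but the kernel-doc above the function (inside this hunk) should state the contract, e.g. `IPv6 sockets are accepted but left unlabeled as no IPv6 labeling protocol is supported.`, since that is a policy-visible gap an administrator would want documented. A smaller point of style: netlbl_sock_setattr takes the family as a parameter while netlbl_sock_getattr in the next hunk (689) reads sk->sk_family, and the reason for the asymmetry is not stated in either doc block. netlbl_sock_setattr's body continues past the end of the hunk.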
@@ -748,7 +781,7 @@ int netlbl_conn_setattr(struct sock *sk,
 break;
 #endif /* IPv6 */
 default:
- ret_val = 0;
+ ret_val = -EPROTONOSUPPORT;
 }
 
 conn_setattr_return:
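Review bot: Changing the `default:` result from 0 to -EPROTONOSUPPORT makes netlbl_conn_setattr fail closed for address families other than AF_INET/AF_INET6, which is the right direction but an observable change: a caller that used to succeed silently now sees connect() fail. The same switch is changed the same way in netlbl_skbuff_setattr (hunk at 808) and the new netlbl_req_setattr follows suit, so one sentence in each function's kernel-doc, `Returns -EPROTONOSUPPORT for unsupported address families.`, would make the contract explicit for LSM callers. The enclosing netlbl_conn_setattr begins outside the hunk.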
@@ -756,6 +789,77 @@ conn_setattr_return: return ret_val; } +/** + * netlbl_req_setattr - Label a request socket using the correct protocol + * @req: the request socket to label + * @secattr: the security attributes + * + * Description: + * Attach the correct label to the given socket using the security attributes + * specified in @secattr. Returns zero on success, negative values on failure. + * + */ +int netlbl_req_setattr(struct request_sock *req, + const struct netlbl_lsm_secattr *secattr) +{ + int ret_val; + struct netlbl_dom_map *dom_entry; + struct netlbl_domaddr4_map *af4_entry; + u32 proto_type; + struct cipso_v4_doi *proto_cv4; + + rcu_read_lock(); + dom_entry = netlbl_domhsh_getentry(secattr->domain); + if (dom_entry == NULL) { + ret_val = -ENOENT; + goto req_setattr_return; + } + switch (req->rsk_ops->family) { + case AF_INET: + if (dom_entry->type == NETLBL_NLTYPE_ADDRSELECT) { + struct inet_request_sock *req_inet = inet_rsk(req); + af4_entry = netlbl_domhsh_getentry_af4(secattr->domain, + req_inet->rmt_addr); + if (af4_entry == NULL) { + ret_val = -ENOENT; + goto req_setattr_return; + } + proto_type = af4_entry->type; + proto_cv4 = af4_entry->type_def.cipsov4; + } else { + proto_type = dom_entry->type; + proto_cv4 = dom_entry->type_def.cipsov4; + } + switch (proto_type) { + case NETLBL_NLTYPE_CIPSOV4: + ret_val = cipso_v4_req_setattr(req, proto_cv4, secattr); + break; + case NETLBL_NLTYPE_UNLABELED: + /* just delete the protocols we support for right now + * but we could remove other protocols if needed */ + cipso_v4_req_delattr(req); + ret_val = 0; + break; + default: + ret_val = -ENOENT; + } + break; +#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) + case AF_INET6: + /* since we don't support any IPv6 labeling protocols right + * now we can optimize everything away until we do */ + ret_val = 0; + break; +#endif /* IPv6 */ + default: + ret_val = -EPROTONOSUPPORT; + } + +req_setattr_return: + rcu_read_unlock(); + return ret_val; +} + /** * 
netlbl_skbuff_setattr - Label a packet using the correct protocol * @skb: the packet @@ -808,7 +912,7 @@ int netlbl_skbuff_setattr(struct sk_buff *skb, break; #endif /* IPv6 */ default: - ret_val = 0; + ret_val = -EPROTONOSUPPORT; } skbuff_setattr_return: @@ -833,9 +937,17 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb, u16 family, struct netlbl_lsm_secattr *secattr) { - if (CIPSO_V4_OPTEXIST(skb) && - cipso_v4_skbuff_getattr(skb, secattr) == 0) - return 0; + switch (family) { + case AF_INET: + if (CIPSO_V4_OPTEXIST(skb) && + cipso_v4_skbuff_getattr(skb, secattr) == 0) + return 0; + break; +#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) + case AF_INET6: + break; +#endif /* IPv6 */ + } return netlbl_unlabel_getattr(skb, family, secattr); } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7c52ba243c6..ee2e781d11d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -311,7 +311,7 @@ static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) ssec->sid = SECINITSID_UNLABELED; sk->sk_security = ssec; - selinux_netlbl_sk_security_reset(ssec, family); + selinux_netlbl_sk_security_reset(ssec); return 0; } @@ -2945,7 +2945,6 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) static int selinux_revalidate_file_permission(struct file *file, int mask) { const struct cred *cred = current_cred(); - int rc; struct inode *inode = file->f_path.dentry->d_inode; if (!mask) { 
@@ -2957,29 +2956,15 @@ static int selinux_revalidate_file_permission(struct file *file, int mask) if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) mask |= MAY_APPEND; - rc = file_has_perm(cred, file, - file_mask_to_av(inode->i_mode, mask)); - if (rc) - return rc; - - return selinux_netlbl_inode_permission(inode, mask); + return file_has_perm(cred, file, + file_mask_to_av(inode->i_mode, mask)); } static int selinux_file_permission(struct file *file, int mask) { - struct inode *inode = file->f_path.dentry->d_inode; - struct file_security_struct *fsec = file->f_security; - struct inode_security_struct *isec = inode->i_security; - u32 sid = current_sid(); - - if (!mask) { + if (!mask) /* No permission to check. Existence test. */ return 0; - } - - if (sid == fsec->sid && fsec->isid == isec->sid - && fsec->pseqno == avc_policy_seqno()) - return selinux_netlbl_inode_permission(inode, mask); return selinux_revalidate_file_permission(file, mask); } @@ -3723,7 +3708,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, sksec = sock->sk->sk_security; sksec->sid = isec->sid; sksec->sclass = isec->sclass; - err = selinux_netlbl_socket_post_create(sock); + err = selinux_netlbl_socket_post_create(sock->sk, family); } return err; @@ -3914,13 +3899,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock) static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) { - int rc; - - rc = socket_has_perm(current, sock, SOCKET__WRITE); - if (rc) - return rc; - - return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE); + return socket_has_perm(current, sock, SOCKET__WRITE); } static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 
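Review bot: Along with the selinux_netlbl_inode_permission() call, this hunk removes the short-circuit in selinux_file_permission that skipped the AVC lookup when the caller's SID, the inode's SID and the policy sequence number were unchanged since dentry_open, so every read and write now goes through file_has_perm(); that per-I/O cost is not mentioned in the commit message. If the dentry_open check still covers the same access vector, the comparison can stay and simply return 0 in place of the removed helper call, as sketched below.
```c
static int selinux_file_permission(struct file *file, int mask)
{
	struct inode *inode = file->f_path.dentry->d_inode;
	struct file_security_struct *fsec = file->f_security;
	struct inode_security_struct *isec = inode->i_security;
	u32 sid = current_sid();

	if (!mask)
		/* No permission to check.  Existence test. */
		return 0;

	/* Nothing relevant changed since the dentry_open check, so the
	 * access already granted there still holds; skip the AVC lookup. */
	if (sid == fsec->sid && fsec->isid == isec->sid &&
	    fsec->pseqno == avc_policy_seqno())
		return 0;

	return selinux_revalidate_file_permission(file, mask);
}
```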
@@ -4304,7 +4283,7 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) newssec->peer_sid = ssec->peer_sid; newssec->sclass = ssec->sclass; - selinux_netlbl_sk_security_reset(newssec, newsk->sk_family); + selinux_netlbl_sk_security_reset(newssec); } static void selinux_sk_getsecid(struct sock *sk, u32 *secid) @@ -4348,16 +4327,15 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, if (peersid == SECSID_NULL) { req->secid = sksec->sid; req->peer_secid = SECSID_NULL; - return 0; + } else { + err = security_sid_mls_copy(sksec->sid, peersid, &newsid); + if (err) + return err; + req->secid = newsid; + req->peer_secid = peersid; } - err = security_sid_mls_copy(sksec->sid, peersid, &newsid); - if (err) - return err; - - req->secid = newsid; - req->peer_secid = peersid; - return 0; + return selinux_netlbl_inet_conn_request(req, family); } static void selinux_inet_csk_clone(struct sock *newsk, @@ -4374,7 +4352,7 @@ static void selinux_inet_csk_clone(struct sock *newsk, /* We don't need to take any sort of lock here as we are the only * thread with access to newsksec */ - selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family); + selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); } static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) @@ -4387,8 +4365,6 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) family = PF_INET; selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); - - selinux_netlbl_inet_conn_established(sk, family); } static void selinux_req_classify_flow(const struct request_sock *req, diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h index b913c8d0603..b4b5b9b2f0b 100644 --- a/security/selinux/include/netlabel.h +++ b/security/selinux/include/netlabel.h @@ -32,6 +32,7 @@ #include #include #include +#include #include "avc.h" #include "objsec.h" 
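Review bot: The restructured selinux_inet_conn_request ends with `return selinux_netlbl_inet_conn_request(req, family);`, and that helper (in the netlabel.c hunk further down) reads `req->secid`, so assigning `req->secid` in both branches before the call is load-bearing but unstated. Suggest a comment above the call: `/* req->secid must be final here: NetLabel labels the request from it */`. The head of the function, where `family` and `peersid` are computed, is outside the hunk.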
@@ -42,8 +43,7 @@ void selinux_netlbl_cache_invalidate(void); void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway); void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec); -void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, - int family); +void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec); int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u16 family, @@ -53,9 +53,9 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, u16 family, u32 sid); -void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family); -int selinux_netlbl_socket_post_create(struct socket *sock); -int selinux_netlbl_inode_permission(struct inode *inode, int mask); +int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family); +void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family); +int selinux_netlbl_socket_post_create(struct sock *sk, u16 family); int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, struct sk_buff *skb, u16 family, @@ -85,8 +85,7 @@ static inline void selinux_netlbl_sk_security_free( } static inline void selinux_netlbl_sk_security_reset( - struct sk_security_struct *ssec, - int family) + struct sk_security_struct *ssec) { return; } @@ -113,17 +112,17 @@ static inline int selinux_netlbl_conn_setsid(struct sock *sk, return 0; } -static inline void selinux_netlbl_inet_conn_established(struct sock *sk, - u16 family) +static inline int selinux_netlbl_inet_conn_request(struct request_sock *req, + u16 family) { - return; + return 0; } -static inline int selinux_netlbl_socket_post_create(struct socket *sock) +static inline void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) { - return 0; + return; } -static inline int selinux_netlbl_inode_permission(struct inode *inode, - int mask) +static inline int selinux_netlbl_socket_post_create(struct sock *sk, + u16 family) { return 0; } 
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 350794ab9b4..2e984413c7b 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -99,41 +99,6 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) return secattr; } -/** - * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism - * @sk: the socket to label - * - * Description: - * Attempt to label a socket using the NetLabel mechanism. Returns zero values - * on success, negative values on failure. - * - */ -static int selinux_netlbl_sock_setsid(struct sock *sk) -{ - int rc; - struct sk_security_struct *sksec = sk->sk_security; - struct netlbl_lsm_secattr *secattr; - - if (sksec->nlbl_state != NLBL_REQUIRE) - return 0; - - secattr = selinux_netlbl_sock_genattr(sk); - if (secattr == NULL) - return -ENOMEM; - rc = netlbl_sock_setattr(sk, secattr); - switch (rc) { - case 0: - sksec->nlbl_state = NLBL_LABELED; - break; - case -EDESTADDRREQ: - sksec->nlbl_state = NLBL_REQSKB; - rc = 0; - break; - } - - return rc; -} - /** * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache * @@ -188,13 +153,9 @@ void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec) * The caller is responsibile for all the NetLabel sk_security_struct locking. * */ -void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, - int family) +void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec) { - if (family == PF_INET) - ssec->nlbl_state = NLBL_REQUIRE; - else - ssec->nlbl_state = NLBL_UNSET; + ssec->nlbl_state = NLBL_UNSET; } /** 
@@ -281,127 +242,86 @@ skbuff_setsid_return: } /** - * selinux_netlbl_inet_conn_established - Netlabel the newly accepted connection - * @sk: the new connection + * selinux_netlbl_inet_conn_request - Label an incoming stream connection + * @req: incoming connection request socket * * Description: - * A new connection has been established on @sk so make sure it is labeled - * correctly with the NetLabel susbsystem. + * A new incoming connection request is represented by @req, we need to label + * the new request_sock here and the stack will ensure the on-the-wire label + * will get preserved when a full sock is created once the connection handshake + * is complete. Returns zero on success, negative values on failure. * */ -void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family) +int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family) { int rc; - struct sk_security_struct *sksec = sk->sk_security; - struct netlbl_lsm_secattr *secattr; - struct inet_sock *sk_inet = inet_sk(sk); - struct sockaddr_in addr; - - if (sksec->nlbl_state != NLBL_REQUIRE) - return; + struct netlbl_lsm_secattr secattr; - secattr = selinux_netlbl_sock_genattr(sk); - if (secattr == NULL) - return; + if (family != PF_INET) + return 0; - rc = netlbl_sock_setattr(sk, secattr); - switch (rc) { - case 0: - sksec->nlbl_state = NLBL_LABELED; - break; - case -EDESTADDRREQ: - /* no PF_INET6 support yet because we don't support any IPv6 - * labeling protocols */ - if (family != PF_INET) { - sksec->nlbl_state = NLBL_UNSET; - return; - } - - addr.sin_family = family; - addr.sin_addr.s_addr = sk_inet->daddr; - if (netlbl_conn_setattr(sk, (struct sockaddr *)&addr, - secattr) != 0) { - /* we failed to label the connected socket (could be - * for a variety of reasons, the actual "why" isn't - * important here) so we have to go to our backup plan, - * labeling the packets individually in the netfilter - * local output hook. 
this is okay but we need to - * adjust the MSS of the connection to take into - * account any labeling overhead, since we don't know - * the exact overhead at this point we'll use the worst - * case value which is 40 bytes for IPv4 */ - struct inet_connection_sock *sk_conn = inet_csk(sk); - sk_conn->icsk_ext_hdr_len += 40 - - (sk_inet->opt ? sk_inet->opt->optlen : 0); - sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie); - - sksec->nlbl_state = NLBL_REQSKB; - } else - sksec->nlbl_state = NLBL_CONNLABELED; - break; - default: - /* note that we are failing to label the socket which could be - * a bad thing since it means traffic could leave the system - * without the desired labeling, however, all is not lost as - * we have a check in selinux_netlbl_inode_permission() to - * pick up the pieces that we might drop here because we can't - * return an error code */ - break; - } + netlbl_secattr_init(&secattr); + rc = security_netlbl_sid_to_secattr(req->secid, &secattr); + if (rc != 0) + goto inet_conn_request_return; + rc = netlbl_req_setattr(req, &secattr); +inet_conn_request_return: + netlbl_secattr_destroy(&secattr); + return rc; } /** - * selinux_netlbl_socket_post_create - Label a socket using NetLabel - * @sock: the socket to label + * selinux_netlbl_inet_csk_clone - Initialize the newly created sock + * @sk: the new sock * * Description: - * Attempt to label a socket using the NetLabel mechanism using the given - * SID. Returns zero values on success, negative values on failure. + * A new connection has been established using @sk, we've already labeled the + * socket via the request_sock struct in selinux_netlbl_inet_conn_request() but + * we need to set the NetLabel state here since we now have a sock structure. 
* */ -int selinux_netlbl_socket_post_create(struct socket *sock) +void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) { - return selinux_netlbl_sock_setsid(sock->sk); + struct sk_security_struct *sksec = sk->sk_security; + + if (family == PF_INET) + sksec->nlbl_state = NLBL_LABELED; + else + sksec->nlbl_state = NLBL_UNSET; } /** - * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled - * @inode: the file descriptor's inode - * @mask: the permission mask + * selinux_netlbl_socket_post_create - Label a socket using NetLabel + * @sock: the socket to label + * @family: protocol family * * Description: - * Looks at a file's inode and if it is marked as a socket protected by - * NetLabel then verify that the socket has been labeled, if not try to label - * the socket now with the inode's SID. Returns zero on success, negative - * values on failure. + * Attempt to label a socket using the NetLabel mechanism using the given + * SID. Returns zero values on success, negative values on failure. 
* */ -int selinux_netlbl_inode_permission(struct inode *inode, int mask) +int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) { int rc; - struct sock *sk; - struct socket *sock; - struct sk_security_struct *sksec; + struct sk_security_struct *sksec = sk->sk_security; + struct netlbl_lsm_secattr *secattr; - if (!S_ISSOCK(inode->i_mode) || - ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) - return 0; - sock = SOCKET_I(inode); - sk = sock->sk; - if (sk == NULL) - return 0; - sksec = sk->sk_security; - if (sksec == NULL || sksec->nlbl_state != NLBL_REQUIRE) + if (family != PF_INET) return 0; - local_bh_disable(); - bh_lock_sock_nested(sk); - if (likely(sksec->nlbl_state == NLBL_REQUIRE)) - rc = selinux_netlbl_sock_setsid(sk); - else + secattr = selinux_netlbl_sock_genattr(sk); + if (secattr == NULL) + return -ENOMEM; + rc = netlbl_sock_setattr(sk, family, secattr); + switch (rc) { + case 0: + sksec->nlbl_state = NLBL_LABELED; + break; + case -EDESTADDRREQ: + sksec->nlbl_state = NLBL_REQSKB; rc = 0; - bh_unlock_sock(sk); - local_bh_enable(); + break; + } return rc; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index fd20d15f5b9..23ad420a49a 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1387,7 +1387,7 @@ static int smack_netlabel(struct sock *sk, int labeled) else { netlbl_secattr_init(&secattr); smack_to_secattr(ssp->smk_out, &secattr); - rc = netlbl_sock_setattr(sk, &secattr); + rc = netlbl_sock_setattr(sk, sk->sk_family, &secattr); netlbl_secattr_destroy(&secattr); } -- cgit v1.2.3-70-g09d2 From 58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2 Mon Sep 17 00:00:00 2001 
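Review bot: The kernel-doc for selinux_netlbl_socket_post_create still lists `@sock: the socket to label` on an unchanged line while the new signature takes `struct sock *sk`, so the parameter description no longer matches; change it to `* @sk: the sock to label`, and add the missing `@family` line to the kernel-doc of selinux_netlbl_inet_csk_clone in the same hunk. The `switch (rc)` in selinux_netlbl_socket_post_create has no `default:` arm, so any error other than -EDESTADDRREQ is returned with `nlbl_state` left as it was; `default: break; /* state unchanged, caller sees the error */` would make that deliberate. In selinux_netlbl_inet_conn_request the single-label `goto inet_conn_request_return` can be replaced by `if (rc == 0) rc = netlbl_req_setattr(req, &secattr);` ahead of the unconditional netlbl_secattr_destroy().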
From: Paul Moore Date: Fri, 27 Mar 2009 17:10:41 -0400 Subject: selinux: Remove the "compat_net" compatibility code The SELinux "compat_net" is marked as deprecated, the time has come to finally remove it from the kernel. Further code simplifications are likely in the future, but this patch was intended to be a simple, straight-up removal of the compat_net code. Signed-off-by: Paul Moore Signed-off-by: James Morris --- Documentation/feature-removal-schedule.txt | 11 --- Documentation/kernel-parameters.txt | 9 -- security/selinux/hooks.c | 153 ++--------------------------- security/selinux/selinuxfs.c | 68 ------------- 4 files changed, 7 insertions(+), 234 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt index 02ea3773535..049a96247f5 100644 --- a/Documentation/feature-removal-schedule.txt +++ b/Documentation/feature-removal-schedule.txt @@ -355,17 +355,6 @@ Who: Hans de Goede --------------------------- -What: SELinux "compat_net" functionality -When: 2.6.30 at the earliest -Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net" - network access control functionality of SELinux. Secmark offers both - better performance and greater flexibility than the "compat_net" - mechanism. Now that the major Linux distributions have moved to - Secmark, it is time to deprecate the older mechanism and start the - process of removing the old code. -Who: Paul Moore ---------------------------- - What: sysfs ui for changing p4-clockmod parameters When: September 2009 Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index fa4e1239a8f..d1b082772e3 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt 
@@ -2019,15 +2019,6 @@ and is between 256 and 4096 characters. It is defined in the file If enabled at boot time, /selinux/disable can be used later to disable prior to initial policy load. - selinux_compat_net = - [SELINUX] Set initial selinux_compat_net flag value. - Format: { "0" | "1" } - 0 -- use new secmark-based packet controls - 1 -- use legacy packet controls - Default value is 0 (preferred). - Value can be changed at runtime via - /selinux/compat_net. - serialnumber [BUGS=X86-32] shapers= [NET] diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ee2e781d11d..ba808ef6bab 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -93,7 +93,6 @@ extern unsigned int policydb_loaded_version; extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); -extern int selinux_compat_net; extern struct security_operations *security_ops; /* SECMARK reference count */ 
@@ -4019,72 +4018,6 @@ static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, SECCLASS_NODE, NODE__RECVFROM, ad); } -static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, - struct sk_buff *skb, - struct avc_audit_data *ad, - u16 family, - char *addrp) -{ - int err; - struct sk_security_struct *sksec = sk->sk_security; - u16 sk_class; - u32 netif_perm, node_perm, recv_perm; - u32 port_sid, node_sid, if_sid, sk_sid; - - sk_sid = sksec->sid; - sk_class = sksec->sclass; - - switch (sk_class) { - case SECCLASS_UDP_SOCKET: - netif_perm = NETIF__UDP_RECV; - node_perm = NODE__UDP_RECV; - recv_perm = UDP_SOCKET__RECV_MSG; - break; - case SECCLASS_TCP_SOCKET: - netif_perm = NETIF__TCP_RECV; - node_perm = NODE__TCP_RECV; - recv_perm = TCP_SOCKET__RECV_MSG; - break; - case SECCLASS_DCCP_SOCKET: - netif_perm = NETIF__DCCP_RECV; - node_perm = NODE__DCCP_RECV; - recv_perm = DCCP_SOCKET__RECV_MSG; - break; - default: - netif_perm = NETIF__RAWIP_RECV; - node_perm = NODE__RAWIP_RECV; - recv_perm = 0; - break; - } - - err = sel_netif_sid(skb->iif, &if_sid); - if (err) - return err; - err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); - if (err) - return err; - - err = sel_netnode_sid(addrp, family, &node_sid); - if (err) - return err; - err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); - if (err) - return err; - - if (!recv_perm) - return 0; - err = sel_netport_sid(sk->sk_protocol, - ntohs(ad->u.net.sport), &port_sid); - if (unlikely(err)) { - printk(KERN_WARNING - "SELinux: failure in" - " selinux_sock_rcv_skb_iptables_compat()," - " network port label not found\n"); - return err; - } - return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad); -} - static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, u16 family) { 
@@ -4102,14 +4035,12 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, if (err) return err; - if (selinux_compat_net) - err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad, - family, addrp); - else if (selinux_secmark_enabled()) + if (selinux_secmark_enabled()) { err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, PACKET__RECV, &ad); - if (err) - return err; + if (err) + return err; + } if (selinux_policycap_netpeer) { err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); @@ -4151,7 +4082,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) * to the selinux_sock_rcv_skb_compat() function to deal with the * special handling. We do this in an attempt to keep this function * as fast and as clean as possible. */ - if (selinux_compat_net || !selinux_policycap_netpeer) + if (!selinux_policycap_netpeer) return selinux_sock_rcv_skb_compat(sk, skb, family); secmark_active = selinux_secmark_enabled(); 
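Review bot: With compat_net gone, selinux_sock_rcv_skb_compat() (this hunk) and selinux_ip_postroute_compat() (the @@ -4601 hunk below) are reached only when `selinux_policycap_netpeer` is unset, yet the `_compat` suffix and the surrounding comments still read as if they concerned the removed compatibility code. Rather than renaming in this patch, a one-line comment at each definition, e.g. `/* legacy path for policies without the netpeer capability; unrelated to the removed compat_net code */`, would prevent the confusion until the later simplification the description promises. The comment block above the call in the @@ -4151 hunk starts outside the hunk and should be checked for stale compat_net wording as well.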
@@ -4516,71 +4447,6 @@ static unsigned int selinux_ipv4_output(unsigned int hooknum, return selinux_ip_output(skb, PF_INET); } -static int selinux_ip_postroute_iptables_compat(struct sock *sk, - int ifindex, - struct avc_audit_data *ad, - u16 family, char *addrp) -{ - int err; - struct sk_security_struct *sksec = sk->sk_security; - u16 sk_class; - u32 netif_perm, node_perm, send_perm; - u32 port_sid, node_sid, if_sid, sk_sid; - - sk_sid = sksec->sid; - sk_class = sksec->sclass; - - switch (sk_class) { - case SECCLASS_UDP_SOCKET: - netif_perm = NETIF__UDP_SEND; - node_perm = NODE__UDP_SEND; - send_perm = UDP_SOCKET__SEND_MSG; - break; - case SECCLASS_TCP_SOCKET: - netif_perm = NETIF__TCP_SEND; - node_perm = NODE__TCP_SEND; - send_perm = TCP_SOCKET__SEND_MSG; - break; - case SECCLASS_DCCP_SOCKET: - netif_perm = NETIF__DCCP_SEND; - node_perm = NODE__DCCP_SEND; - send_perm = DCCP_SOCKET__SEND_MSG; - break; - default: - netif_perm = NETIF__RAWIP_SEND; - node_perm = NODE__RAWIP_SEND; - send_perm = 0; - break; - } - - err = sel_netif_sid(ifindex, &if_sid); - if (err) - return err; - err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); - return err; - - err = sel_netnode_sid(addrp, family, &node_sid); - if (err) - return err; - err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); - if (err) - return err; - - if (send_perm != 0) - return 0; - - err = sel_netport_sid(sk->sk_protocol, - ntohs(ad->u.net.dport), &port_sid); - if (unlikely(err)) { - printk(KERN_WARNING - "SELinux: failure in" - " selinux_ip_postroute_iptables_compat()," - " network port label not found\n"); - return err; - } - return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad); -} - static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, int ifindex, u16 family) 
@@ -4601,15 +4467,10 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) return NF_DROP; - if (selinux_compat_net) { - if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, - &ad, family, addrp)) - return NF_DROP; - } else if (selinux_secmark_enabled()) { + if (selinux_secmark_enabled()) if (avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET, PACKET__SEND, &ad)) return NF_DROP; - } if (selinux_policycap_netpeer) if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) @@ -4633,7 +4494,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, * to the selinux_ip_postroute_compat() function to deal with the * special handling. We do this in an attempt to keep this function * as fast and as clean as possible. */ - if (selinux_compat_net || !selinux_policycap_netpeer) + if (!selinux_policycap_netpeer) return selinux_ip_postroute_compat(skb, ifindex, family); #ifdef CONFIG_XFRM /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index d3c8b982cfb..2d5136ec3d5 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -47,8 +47,6 @@ static char *policycap_names[] = { unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; -int selinux_compat_net = 0; - static int __init checkreqprot_setup(char *str) { unsigned long checkreqprot; @@ -58,16 +56,6 @@ static int __init checkreqprot_setup(char *str) } __setup("checkreqprot=", checkreqprot_setup); -static int __init selinux_compat_net_setup(char *str) -{ - unsigned long compat_net; - if (!strict_strtoul(str, 0, &compat_net)) - selinux_compat_net = compat_net ? 1 : 0; - return 1; -} -__setup("selinux_compat_net=", selinux_compat_net_setup); - - static DEFINE_MUTEX(sel_mutex); /* global data for booleans */ 
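Review bot: In the @@ -4601 hunk the secmark check in selinux_ip_postroute_compat becomes an unbraced `if (selinux_secmark_enabled())` whose body is another `if`, while the parallel edit in selinux_sock_rcv_skb_compat (the @@ -4102 hunk above) kept the braces around the outer `if`. The two sites should match, and the braced form also avoids a dangling-else trap if an `else` is ever added to either `if`. Suggest restoring `{` after `if (selinux_secmark_enabled())` and the matching `}` after `return NF_DROP;`.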
@@ -450,61 +438,6 @@ static const struct file_operations sel_checkreqprot_ops = { .write = sel_write_checkreqprot, }; -static ssize_t sel_read_compat_net(struct file *filp, char __user *buf, - size_t count, loff_t *ppos) -{ - char tmpbuf[TMPBUFLEN]; - ssize_t length; - - length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net); - return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); -} - -static ssize_t sel_write_compat_net(struct file *file, const char __user *buf, - size_t count, loff_t *ppos) -{ - char *page; - ssize_t length; - int new_value; - - length = task_has_security(current, SECURITY__LOAD_POLICY); - if (length) - return length; - - if (count >= PAGE_SIZE) - return -ENOMEM; - if (*ppos != 0) { - /* No partial writes. */ - return -EINVAL; - } - page = (char *)get_zeroed_page(GFP_KERNEL); - if (!page) - return -ENOMEM; - length = -EFAULT; - if (copy_from_user(page, buf, count)) - goto out; - - length = -EINVAL; - if (sscanf(page, "%d", &new_value) != 1) - goto out; - - if (new_value) { - printk(KERN_NOTICE - "SELinux: compat_net is deprecated, please use secmark" - " instead\n"); - selinux_compat_net = 1; - } else - selinux_compat_net = 0; - length = count; -out: - free_page((unsigned long) page); - return length; -} -static const struct file_operations sel_compat_net_ops = { - .read = sel_read_compat_net, - .write = sel_write_compat_net, -}; - /* * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c */ 
@@ -1665,7 +1598,6 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
 [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
 [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
 [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
- [SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
 [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
 [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
 /* last one */ {""}
-- cgit v1.2.3-70-g09d2