From 4d1e24514d80cb266231d0c1b6c02161970ad019 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 22 Apr 2010 14:46:18 -0400 Subject: selinux: Set the peer label correctly on connected UNIX domain sockets Correct a problem where we weren't setting the peer label correctly on the client end of a pair of connected UNIX sockets. Signed-off-by: Paul Moore Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5c9f25ba1c9..190fd0ffb13 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3980,34 +3980,32 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, struct socket *other, struct sock *newsk) { - struct sk_security_struct *sksec; - struct inode_security_struct *isec; - struct inode_security_struct *other_isec; + struct sk_security_struct *sksec_sock = sock->sk->sk_security; + struct sk_security_struct *sksec_other = other->sk->sk_security; + struct sk_security_struct *sksec_new = newsk->sk_security; struct common_audit_data ad; int err; - isec = SOCK_INODE(sock)->i_security; - other_isec = SOCK_INODE(other)->i_security; - COMMON_AUDIT_DATA_INIT(&ad, NET); ad.u.net.sk = other->sk; - err = avc_has_perm(isec->sid, other_isec->sid, - isec->sclass, + err = avc_has_perm(sksec_sock->sid, sksec_other->sid, + sksec_other->sclass, UNIX_STREAM_SOCKET__CONNECTTO, &ad); if (err) return err; - /* connecting socket */ - sksec = sock->sk->sk_security; - sksec->peer_sid = other_isec->sid; - /* server child socket */ - sksec = newsk->sk_security; - sksec->peer_sid = isec->sid; - err = security_sid_mls_copy(other_isec->sid, sksec->peer_sid, &sksec->sid); + sksec_new->peer_sid = sksec_sock->sid; + err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, + &sksec_new->sid); + if (err) + return err; - return err; + /* connecting socket */ + sksec_sock->peer_sid = sksec_new->sid; + + return 0; } static int selinux_socket_unix_may_send(struct socket *sock, -- cgit v1.2.3-70-g09d2 From d4f2d97841827cb876da8b607df05a3dab812416 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 22 Apr 2010 14:46:18 -0400 Subject: selinux: Consolidate sockcreate_sid logic Consolidate the basic sockcreate_sid logic into a single helper function which allows us to do some cleanups in the related code. Signed-off-by: Paul Moore Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 190fd0ffb13..2d94a406574 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3671,6 +3671,12 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) } /* socket security operations */ + +static u32 socket_sockcreate_sid(const struct task_security_struct *tsec) +{ + return tsec->sockcreate_sid ? : tsec->sid; +} + static int socket_has_perm(struct task_struct *task, struct socket *sock, u32 perms) { @@ -3698,21 +3704,15 @@ static int selinux_socket_create(int family, int type, { const struct cred *cred = current_cred(); const struct task_security_struct *tsec = cred->security; - u32 sid, newsid; + u32 newsid; u16 secclass; - int err = 0; if (kern) - goto out; - - sid = tsec->sid; - newsid = tsec->sockcreate_sid ?: sid; + return 0; + newsid = socket_sockcreate_sid(tsec); secclass = socket_type_to_security_class(family, type, protocol); - err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL); - -out: - return err; + return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); } static int selinux_socket_post_create(struct socket *sock, int family, @@ -3720,22 +3720,14 @@ static int selinux_socket_post_create(struct socket *sock, int family, { const struct cred *cred = current_cred(); const struct task_security_struct *tsec = cred->security; - struct inode_security_struct *isec; + struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; struct sk_security_struct *sksec; - u32 sid, newsid; int err = 0; - sid = tsec->sid; - newsid = tsec->sockcreate_sid; - - isec = SOCK_INODE(sock)->i_security; - if (kern) isec->sid = SECINITSID_KERNEL; - else if (newsid) - isec->sid = newsid; else - isec->sid = sid; + isec->sid = socket_sockcreate_sid(tsec); isec->sclass = socket_type_to_security_class(family, type, protocol); isec->initialized = 1; -- cgit v1.2.3-70-g09d2 From 84914b7ed1c5e0f3199a5a6997022758a70fcaff Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 22 Apr 2010 14:46:18 -0400 Subject: selinux: Shuffle the sk_security_struct alloc and free routines The sk_alloc_security() and sk_free_security() functions were only being called by the selinux_sk_alloc_security() and selinux_sk_free_security() functions so we just move the guts of the alloc/free routines to the callers and eliminate a layer of indirection. Signed-off-by: Paul Moore Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 45 +++++++++++++++++---------------------------- 1 file changed, 17 insertions(+), 28 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 2d94a406574..01f52424cfe 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -279,32 +279,6 @@ static void superblock_free_security(struct super_block *sb) kfree(sbsec); } -static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) -{ - struct sk_security_struct *sksec; - - sksec = kzalloc(sizeof(*sksec), priority); - if (!sksec) - return -ENOMEM; - - sksec->peer_sid = SECINITSID_UNLABELED; - sksec->sid = SECINITSID_UNLABELED; - sk->sk_security = sksec; - - selinux_netlbl_sk_security_reset(sksec); - - return 0; -} - -static void sk_free_security(struct sock *sk) -{ - struct sk_security_struct *sksec = sk->sk_security; - - sk->sk_security = NULL; - selinux_netlbl_sk_security_free(sksec); - kfree(sksec); -} - /* The security server must be initialized before any labeling or access decisions can be provided. */ extern int ss_initialized; @@ -4224,12 +4198,27 @@ out: static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) { - return sk_alloc_security(sk, family, priority); + struct sk_security_struct *sksec; + + sksec = kzalloc(sizeof(*sksec), priority); + if (!sksec) + return -ENOMEM; + + sksec->peer_sid = SECINITSID_UNLABELED; + sksec->sid = SECINITSID_UNLABELED; + selinux_netlbl_sk_security_reset(sksec); + sk->sk_security = sksec; + + return 0; } static void selinux_sk_free_security(struct sock *sk) { - sk_free_security(sk); + struct sk_security_struct *sksec = sk->sk_security; + + sk->sk_security = NULL; + selinux_netlbl_sk_security_free(sksec); + kfree(sksec); } static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) -- cgit v1.2.3-70-g09d2 From 253bfae6e0ad97554799affa0266052968a45808 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 22 Apr 2010 14:46:19 -0400 Subject: selinux: Convert socket related access controls to use socket labels At present, the socket related access controls use a mix of inode and socket labels; while there should be no practical difference (they _should_ always be the same), it makes the code more confusing. This patch attempts to convert all of the socket related access control points (with the exception of some of the inode/fd based controls) to use the socket's own label. In the process, I also converted the socket_has_perm() function to take a 'sock' argument instead of a 'socket' since that was adding a bit more overhead in some cases. Signed-off-by: Paul Moore Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 119 ++++++++++++++++++----------------------------- 1 file changed, 45 insertions(+), 74 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 01f52424cfe..e95004010c8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3651,26 +3651,19 @@ static u32 socket_sockcreate_sid(const struct task_security_struct *tsec) return tsec->sockcreate_sid ? : tsec->sid; } -static int socket_has_perm(struct task_struct *task, struct socket *sock, - u32 perms) +static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) { - struct inode_security_struct *isec; + struct sk_security_struct *sksec = sk->sk_security; struct common_audit_data ad; - u32 sid; - int err = 0; + u32 tsid = task_sid(task); - isec = SOCK_INODE(sock)->i_security; - - if (isec->sid == SECINITSID_KERNEL) - goto out; - sid = task_sid(task); + if (sksec->sid == SECINITSID_KERNEL) + return 0; COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.u.net.sk = sock->sk; - err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); + ad.u.net.sk = sk; -out: - return err; + return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad); } static int selinux_socket_create(int family, int type, @@ -3722,10 +3715,11 @@ static int selinux_socket_post_create(struct socket *sock, int family, static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) { + struct sock *sk = sock->sk; u16 family; int err; - err = socket_has_perm(current, sock, SOCKET__BIND); + err = sock_has_perm(current, sk, SOCKET__BIND); if (err) goto out; @@ -3734,19 +3728,16 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in * Multiple address binding for SCTP is not supported yet: we just * check the first address now. */ - family = sock->sk->sk_family; + family = sk->sk_family; if (family == PF_INET || family == PF_INET6) { char *addrp; - struct inode_security_struct *isec; + struct sk_security_struct *sksec = sk->sk_security; struct common_audit_data ad; struct sockaddr_in *addr4 = NULL; struct sockaddr_in6 *addr6 = NULL; unsigned short snum; - struct sock *sk = sock->sk; u32 sid, node_perm; - isec = SOCK_INODE(sock)->i_security; - if (family == PF_INET) { addr4 = (struct sockaddr_in *)address; snum = ntohs(addr4->sin_port); @@ -3770,15 +3761,15 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in COMMON_AUDIT_DATA_INIT(&ad, NET); ad.u.net.sport = htons(snum); ad.u.net.family = family; - err = avc_has_perm(isec->sid, sid, - isec->sclass, + err = avc_has_perm(sksec->sid, sid, + sksec->sclass, SOCKET__NAME_BIND, &ad); if (err) goto out; } } - switch (isec->sclass) { + switch (sksec->sclass) { case SECCLASS_TCP_SOCKET: node_perm = TCP_SOCKET__NODE_BIND; break; @@ -3809,8 +3800,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in else ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); - err = avc_has_perm(isec->sid, sid, - isec->sclass, node_perm, &ad); + err = avc_has_perm(sksec->sid, sid, + sksec->sclass, node_perm, &ad); if (err) goto out; } @@ -3821,19 +3812,18 @@ out: static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct inode_security_struct *isec; + struct sk_security_struct *sksec = sk->sk_security; int err; - err = socket_has_perm(current, sock, SOCKET__CONNECT); + err = sock_has_perm(current, sk, SOCKET__CONNECT); if (err) return err; /* * If a TCP or DCCP socket, check name_connect permission for the port. */ - isec = SOCK_INODE(sock)->i_security; - if (isec->sclass == SECCLASS_TCP_SOCKET || - isec->sclass == SECCLASS_DCCP_SOCKET) { + if (sksec->sclass == SECCLASS_TCP_SOCKET || + sksec->sclass == SECCLASS_DCCP_SOCKET) { struct common_audit_data ad; struct sockaddr_in *addr4 = NULL; struct sockaddr_in6 *addr6 = NULL; @@ -3856,13 +3846,13 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, if (err) goto out; - perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? + perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; COMMON_AUDIT_DATA_INIT(&ad, NET); ad.u.net.dport = htons(snum); ad.u.net.family = sk->sk_family; - err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); + err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); if (err) goto out; } @@ -3875,7 +3865,7 @@ out: static int selinux_socket_listen(struct socket *sock, int backlog) { - return socket_has_perm(current, sock, SOCKET__LISTEN); + return sock_has_perm(current, sock->sk, SOCKET__LISTEN); } static int selinux_socket_accept(struct socket *sock, struct socket *newsock) @@ -3884,7 +3874,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock) struct inode_security_struct *isec; struct inode_security_struct *newisec; - err = socket_has_perm(current, sock, SOCKET__ACCEPT); + err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT); if (err) return err; @@ -3901,30 +3891,30 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock) static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) { - return socket_has_perm(current, sock, SOCKET__WRITE); + return sock_has_perm(current, sock->sk, SOCKET__WRITE); } static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, int size, int flags) { - return socket_has_perm(current, sock, SOCKET__READ); + return sock_has_perm(current, sock->sk, SOCKET__READ); } static int selinux_socket_getsockname(struct socket *sock) { - return socket_has_perm(current, sock, SOCKET__GETATTR); + return sock_has_perm(current, sock->sk, SOCKET__GETATTR); } static int selinux_socket_getpeername(struct socket *sock) { - return socket_has_perm(current, sock, SOCKET__GETATTR); + return sock_has_perm(current, sock->sk, SOCKET__GETATTR); } static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) { int err; - err = socket_has_perm(current, sock, SOCKET__SETOPT); + err = sock_has_perm(current, sock->sk, SOCKET__SETOPT); if (err) return err; @@ -3934,12 +3924,12 @@ static int selinux_socket_setsockopt(struct socket *sock, int level, int optname static int selinux_socket_getsockopt(struct socket *sock, int level, int optname) { - return socket_has_perm(current, sock, SOCKET__GETOPT); + return sock_has_perm(current, sock->sk, SOCKET__GETOPT); } static int selinux_socket_shutdown(struct socket *sock, int how) { - return socket_has_perm(current, sock, SOCKET__SHUTDOWN); + return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); } static int selinux_socket_unix_stream_connect(struct socket *sock, @@ -3977,23 +3967,15 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, static int selinux_socket_unix_may_send(struct socket *sock, struct socket *other) { - struct inode_security_struct *isec; - struct inode_security_struct *other_isec; + struct sk_security_struct *ssec = sock->sk->sk_security; + struct sk_security_struct *osec = other->sk->sk_security; struct common_audit_data ad; - int err; - - isec = SOCK_INODE(sock)->i_security; - other_isec = SOCK_INODE(other)->i_security; COMMON_AUDIT_DATA_INIT(&ad, NET); ad.u.net.sk = other->sk; - err = avc_has_perm(isec->sid, other_isec->sid, - isec->sclass, SOCKET__SENDTO, &ad); - if (err) - return err; - - return 0; + return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, + &ad); } static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, @@ -4132,26 +4114,18 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op int err = 0; char *scontext; u32 scontext_len; - struct sk_security_struct *sksec; - struct inode_security_struct *isec; + struct sk_security_struct *sksec = sock->sk->sk_security; u32 peer_sid = SECSID_NULL; - isec = SOCK_INODE(sock)->i_security; - - if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET || - isec->sclass == SECCLASS_TCP_SOCKET) { - sksec = sock->sk->sk_security; + if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || + sksec->sclass == SECCLASS_TCP_SOCKET) peer_sid = sksec->peer_sid; - } - if (peer_sid == SECSID_NULL) { - err = -ENOPROTOOPT; - goto out; - } + if (peer_sid == SECSID_NULL) + return -ENOPROTOOPT; err = security_sid_to_context(peer_sid, &scontext, &scontext_len); - if (err) - goto out; + return err; if (scontext_len > len) { err = -ERANGE; @@ -4164,9 +4138,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op out_len: if (put_user(scontext_len, optlen)) err = -EFAULT; - kfree(scontext); -out: return err; } @@ -4378,8 +4350,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) int err = 0; u32 perm; struct nlmsghdr *nlh; - struct socket *sock = sk->sk_socket; - struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; + struct sk_security_struct *sksec = sk->sk_security; if (skb->len < NLMSG_SPACE(0)) { err = -EINVAL; @@ -4387,13 +4358,13 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) } nlh = nlmsg_hdr(skb); - err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); + err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); if (err) { if (err == -EINVAL) { audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, "SELinux: unrecognized netlink message" " type=%hu for sclass=%hu\n", - nlh->nlmsg_type, isec->sclass); + nlh->nlmsg_type, sksec->sclass); if (!selinux_enforcing || security_get_allow_unknown()) err = 0; } @@ -4404,7 +4375,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) goto out; } - err = socket_has_perm(current, sock, perm); + err = sock_has_perm(current, sk, perm); out: return err; } -- cgit v1.2.3-70-g09d2 From 5fb49870e6d48d81d8ca0e1ef979073dc9a820f7 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 22 Apr 2010 14:46:19 -0400 Subject: selinux: Use current_security() when possible There were a number of places using the following code pattern: struct cred *cred = current_cred(); struct task_security_struct *tsec = cred->security; ... which were simplified to the following: struct task_security_struct *tsec = current_security(); Signed-off-by: Paul Moore Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e95004010c8..0f524b7d102 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -188,7 +188,7 @@ static inline u32 task_sid(const struct task_struct *task) */ static inline u32 current_sid(void) { - const struct task_security_struct *tsec = current_cred()->security; + const struct task_security_struct *tsec = current_security(); return tsec->sid; } @@ -1558,8 +1558,7 @@ static int may_create(struct inode *dir, struct dentry *dentry, u16 tclass) { - const struct cred *cred = current_cred(); - const struct task_security_struct *tsec = cred->security; + const struct task_security_struct *tsec = current_security(); struct inode_security_struct *dsec; struct superblock_security_struct *sbsec; u32 sid, newsid; @@ -2157,8 +2156,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) static int selinux_bprm_secureexec(struct linux_binprm *bprm) { - const struct cred *cred = current_cred(); - const struct task_security_struct *tsec = cred->security; + const struct task_security_struct *tsec = current_security(); u32 sid, osid; int atsecure = 0; @@ -2533,8 +2531,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, char **name, void **value, size_t *len) { - const struct cred *cred = current_cred(); - const struct task_security_struct *tsec = cred->security; + const struct task_security_struct *tsec = current_security(); struct inode_security_struct *dsec; struct superblock_security_struct *sbsec; u32 sid, newsid, clen; @@ -3669,8 +3666,7 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) static int selinux_socket_create(int family, int type, int protocol, int kern) { - const struct cred *cred = current_cred(); - const struct task_security_struct *tsec = cred->security; + const struct task_security_struct *tsec = current_security(); u32 newsid; u16 secclass; @@ -3685,8 +3681,7 @@ static int selinux_socket_create(int family, int type, static int selinux_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern) { - const struct cred *cred = current_cred(); - const struct task_security_struct *tsec = cred->security; + const struct task_security_struct *tsec = current_security(); struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; struct sk_security_struct *sksec; int err = 0; -- cgit v1.2.3-70-g09d2 From af4f136056c984b0aa67feed7d3170b958370b2f Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Thu, 1 Jul 2010 15:07:43 -0400 Subject: security: move LSM xattrnames to xattr.h Make the security extended attributes names global. Updated to move the remaining Smack xattrs. Signed-off-by: Mimi Zohar Acked-by: Serge Hallyn Signed-off-by: James Morris --- include/linux/capability.h | 3 --- include/linux/xattr.h | 14 ++++++++++++++ security/selinux/hooks.c | 3 --- security/smack/smack.h | 10 ---------- 4 files changed, 14 insertions(+), 16 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/include/linux/capability.h b/include/linux/capability.h index 39e5ff512fb..90012b9ddbf 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -49,9 +49,6 @@ typedef struct __user_cap_data_struct { } __user *cap_user_data_t; -#define XATTR_CAPS_SUFFIX "capability" -#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX - #define VFS_CAP_REVISION_MASK 0xFF000000 #define VFS_CAP_REVISION_SHIFT 24 #define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK diff --git a/include/linux/xattr.h b/include/linux/xattr.h index 0cfa1e9c4cc..f1e5bde4b35 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h @@ -33,6 +33,20 @@ #define XATTR_USER_PREFIX "user." #define XATTR_USER_PREFIX_LEN (sizeof (XATTR_USER_PREFIX) - 1) +/* Security namespace */ +#define XATTR_SELINUX_SUFFIX "selinux" +#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX + +#define XATTR_SMACK_SUFFIX "SMACK64" +#define XATTR_SMACK_IPIN "SMACK64IPIN" +#define XATTR_SMACK_IPOUT "SMACK64IPOUT" +#define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX +#define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN +#define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT + +#define XATTR_CAPS_SUFFIX "capability" +#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX + struct inode; struct dentry; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0f524b7d102..85338f0c048 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -87,9 +87,6 @@ #include "netlabel.h" #include "audit.h" -#define XATTR_SELINUX_SUFFIX "selinux" -#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX - #define NUM_SEL_MNT_OPTS 5 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); diff --git a/security/smack/smack.h b/security/smack/smack.h index c6e9acae72e..43ae747a5aa 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -123,16 +123,6 @@ struct smack_known { #define SMK_FSHAT "smackfshat=" #define SMK_FSROOT "smackfsroot=" -/* - * xattr names - */ -#define XATTR_SMACK_SUFFIX "SMACK64" -#define XATTR_SMACK_IPIN "SMACK64IPIN" -#define XATTR_SMACK_IPOUT "SMACK64IPOUT" -#define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX -#define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN -#define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT - #define SMACK_CIPSO_OPTION "-CIPSO" /* -- cgit v1.2.3-70-g09d2 From d09ca73979460b96d5d4684d588b188be9a1f57d Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 23 Jul 2010 11:43:57 -0400 Subject: security: make LSMs explicitly mask off permissions SELinux needs to pass the MAY_ACCESS flag so it can handle auditting correctly. Presently the masking of MAY_* flags is done in the VFS. In order to allow LSMs to decide what flags they care about and what flags they don't just pass them all and the each LSM mask off what they don't need. This patch should contain no functional changes to either the VFS or any LSM. Signed-off-by: Eric Paris Acked-by: Stephen D. Smalley Signed-off-by: James Morris --- fs/namei.c | 3 +-- security/selinux/hooks.c | 2 ++ security/smack/smack_lsm.c | 2 ++ 3 files changed, 5 insertions(+), 2 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/fs/namei.c b/fs/namei.c index fe34c2b879f..42d2d28fb82 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -282,8 +282,7 @@ int inode_permission(struct inode *inode, int mask) if (retval) return retval; - return security_inode_permission(inode, - mask & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND)); + return security_inode_permission(inode, mask); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 85338f0c048..0c98846f188 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2645,6 +2645,8 @@ static int selinux_inode_permission(struct inode *inode, int mask) { const struct cred *cred = current_cred(); + mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); + if (!mask) { /* No permission to check. Existence test. */ return 0; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 07abc9ce72f..9192ba366a4 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -598,6 +598,8 @@ static int smack_inode_rename(struct inode *old_inode, static int smack_inode_permission(struct inode *inode, int mask) { struct smk_audit_info ad; + + mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); /* * No permission to check. Existence test. Yup, it's there. */ -- cgit v1.2.3-70-g09d2 From b782e0a68d17894d9a618ffea55b33639faa6bb4 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 23 Jul 2010 11:44:03 -0400 Subject: SELinux: special dontaudit for access checks Currently there are a number of applications (nautilus being the main one) which calls access() on files in order to determine how they should be displayed. It is normal and expected that nautilus will want to see if files are executable or if they are really read/write-able. access() should return the real permission. SELinux policy checks are done in access() and can result in lots of AVC denials as policy denies RWX on files which DAC allows. Currently SELinux must dontaudit actual attempts to read/write/execute a file in order to silence these messages (and not flood the logs.) But dontaudit rules like that can hide real attacks. This patch addes a new common file permission audit_access. This permission is special in that it is meaningless and should never show up in an allow rule. Instead the only place this permission has meaning is in a dontaudit rule like so: dontaudit nautilus_t sbin_t:file audit_access With such a rule if nautilus just checks access() we will still get denied and thus userspace will still get the correct answer but we will not log the denial. If nautilus attempted to actually perform one of the forbidden actions (rather than just querying access(2) about it) we would still log a denial. This type of dontaudit rule should be used sparingly, as it could be a method for an attacker to probe the system permissions without detection. Signed-off-by: Eric Paris Acked-by: Stephen D. Smalley Signed-off-by: James Morris --- include/linux/lsm_audit.h | 5 +++++ security/selinux/avc.c | 24 ++++++++++++++++++++++-- security/selinux/hooks.c | 20 +++++++++++++++----- security/selinux/include/classmap.h | 2 +- 4 files changed, 43 insertions(+), 8 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index 6907251d520..788f0ab937a 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h @@ -90,6 +90,11 @@ struct common_audit_data { u32 requested; u32 audited; u32 denied; + /* + * auditdeny is a bit tricky and unintuitive. See the + * comments in avc.c for it's meaning and usage. + */ + u32 auditdeny; struct av_decision *avd; int result; } selinux_audit_data; diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 3662b0f15ec..9da6420e205 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -488,9 +488,29 @@ void avc_audit(u32 ssid, u32 tsid, struct common_audit_data stack_data; u32 denied, audited; denied = requested & ~avd->allowed; - if (denied) + if (denied) { audited = denied & avd->auditdeny; - else if (result) + /* + * a->selinux_audit_data.auditdeny is TRICKY! Setting a bit in + * this field means that ANY denials should NOT be audited if + * the policy contains an explicit dontaudit rule for that + * permission. Take notice that this is unrelated to the + * actual permissions that were denied. As an example lets + * assume: + * + * denied == READ + * avd.auditdeny & ACCESS == 0 (not set means explicit rule) + * selinux_audit_data.auditdeny & ACCESS == 1 + * + * We will NOT audit the denial even though the denied + * permission was READ and the auditdeny checks were for + * ACCESS + */ + if (a && + a->selinux_audit_data.auditdeny && + !(a->selinux_audit_data.auditdeny & avd->auditdeny)) + audited = 0; + } else if (result) audited = denied = requested; else audited = requested & avd->auditallow; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0c98846f188..650947a72a2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2644,16 +2644,26 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na static int selinux_inode_permission(struct inode *inode, int mask) { const struct cred *cred = current_cred(); + struct common_audit_data ad; + u32 perms; + bool from_access; + from_access = mask & MAY_ACCESS; mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); - if (!mask) { - /* No permission to check. Existence test. */ + /* No permission to check. Existence test. */ + if (!mask) return 0; - } - return inode_has_perm(cred, inode, - file_mask_to_av(inode->i_mode, mask), NULL); + COMMON_AUDIT_DATA_INIT(&ad, FS); + ad.u.fs.inode = inode; + + if (from_access) + ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS; + + perms = file_mask_to_av(inode->i_mode, mask); + + return inode_has_perm(cred, inode, perms, &ad); } static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 8b32e959bb2..d64603e10db 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -2,7 +2,7 @@ "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append" #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \ - "rename", "execute", "swapon", "quotaon", "mounton" + "rename", "execute", "swapon", "quotaon", "mounton", "audit_access" #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \ "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \ -- cgit v1.2.3-70-g09d2 From 49b7b8de46d293113a0a0bb026ff7bd833c73367 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 23 Jul 2010 11:44:09 -0400 Subject: selinux: place open in the common file perms kernel can dynamically remap perms. Drop the open lookup table and put open in the common file perms. Signed-off-by: Eric Paris Acked-by: Stephen D. Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 24 +++--------------------- security/selinux/include/classmap.h | 15 ++++++++------- 2 files changed, 11 insertions(+), 28 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 650947a72a2..9b40f4c0ac7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1776,27 +1776,9 @@ static inline u32 open_file_to_av(struct file *file) { u32 av = file_to_av(file); - if (selinux_policycap_openperm) { - mode_t mode = file->f_path.dentry->d_inode->i_mode; - /* - * lnk files and socks do not really have an 'open' - */ - if (S_ISREG(mode)) - av |= FILE__OPEN; - else if (S_ISCHR(mode)) - av |= CHR_FILE__OPEN; - else if (S_ISBLK(mode)) - av |= BLK_FILE__OPEN; - else if (S_ISFIFO(mode)) - av |= FIFO_FILE__OPEN; - else if (S_ISDIR(mode)) - av |= DIR__OPEN; - else if (S_ISSOCK(mode)) - av |= SOCK_FILE__OPEN; - else - printk(KERN_ERR "SELinux: WARNING: inside %s with " - "unknown mode:%o\n", __func__, mode); - } + if (selinux_policycap_openperm) + av |= FILE__OPEN; + return av; } diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index d64603e10db..41990cbba76 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -2,7 +2,8 @@ "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append" #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \ - "rename", "execute", "swapon", "quotaon", "mounton", "audit_access" + "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \ + "open" #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \ "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \ @@ -43,22 +44,22 @@ struct security_class_mapping secclass_map[] = { "quotaget", NULL } }, { "file", { COMMON_FILE_PERMS, - "execute_no_trans", "entrypoint", "execmod", "open", NULL } }, + "execute_no_trans", "entrypoint", "execmod", NULL } }, { "dir", { COMMON_FILE_PERMS, "add_name", "remove_name", - "reparent", "search", "rmdir", "open", NULL } }, + "reparent", "search", "rmdir", NULL } }, { "fd", { "use", NULL } }, { "lnk_file", { COMMON_FILE_PERMS, NULL } }, { "chr_file", { COMMON_FILE_PERMS, - "execute_no_trans", "entrypoint", "execmod", "open", NULL } }, + "execute_no_trans", "entrypoint", "execmod", NULL } }, { "blk_file", - { COMMON_FILE_PERMS, "open", NULL } }, + { COMMON_FILE_PERMS, NULL } }, { "sock_file", - { COMMON_FILE_PERMS, "open", NULL } }, + { COMMON_FILE_PERMS, NULL } }, { "fifo_file", - { COMMON_FILE_PERMS, "open", NULL } }, + { COMMON_FILE_PERMS, NULL } }, { "socket", { COMMON_SOCK_PERMS, NULL } }, { "tcp_socket", -- cgit v1.2.3-70-g09d2