From 0d90a7ec48c704025307b129413bc62451b20ab3 Mon Sep 17 00:00:00 2001 From: "David P. Quigley" Date: Fri, 16 Jan 2009 09:22:02 -0500 Subject: SELinux: Condense super block security structure flags and cleanup necessary code. The super block security structure currently has three fields for what are essentially flags. The flags field is used for mount options while two other char fields are used for initialization and proc flags. These latter two fields are essentially bit fields since the only used values are 0 and 1. These fields have been collapsed into the flags field and new bit masks have been added for them. The code is also fixed to work with these new flags. Signed-off-by: David P. Quigley Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 38 ++++++++++++++++++-------------------- 1 file changed, 18 insertions(+), 20 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 00815973d41..473adc5f4f9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -431,7 +431,7 @@ static int sb_finish_set_opts(struct super_block *sb) } } - sbsec->initialized = 1; + sbsec->flags |= SE_SBINITIALIZED; if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", @@ -487,17 +487,13 @@ static int selinux_get_mnt_opts(const struct super_block *sb, security_init_mnt_opts(opts); - if (!sbsec->initialized) + if (!(sbsec->flags & SE_SBINITIALIZED)) return -EINVAL; if (!ss_initialized) return -EINVAL; - /* - * if we ever use sbsec flags for anything other than tracking mount - * settings this is going to need a mask - */ - tmp = sbsec->flags; + tmp = sbsec->flags & SE_MNTMASK; /* count the number of mount options for this sb */ for (i = 0; i < 8; i++) { if (tmp & 0x01) @@ -562,8 +558,10 @@ out_free: static int bad_option(struct superblock_security_struct *sbsec, char flag, u32 old_sid, u32 new_sid) { + char mnt_flags = sbsec->flags & SE_MNTMASK; + /* check if the old mount command had the same options */ - if (sbsec->initialized) + if (sbsec->flags & SE_SBINITIALIZED) if (!(sbsec->flags & flag) || (old_sid != new_sid)) return 1; @@ -571,8 +569,8 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag, /* check if we were passed the same options twice, * aka someone passed context=a,context=b */ - if (!sbsec->initialized) - if (sbsec->flags & flag) + if (!(sbsec->flags & SE_SBINITIALIZED)) + if (mnt_flags & flag) return 1; return 0; } @@ -626,7 +624,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, * this sb does not set any security options. (The first options * will be used for both mounts) */ - if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) + if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) && (num_opts == 0)) goto out; @@ -690,19 +688,19 @@ static int selinux_set_mnt_opts(struct super_block *sb, } } - if (sbsec->initialized) { + if (sbsec->flags & SE_SBINITIALIZED) { /* previously mounted with options, but not on this attempt? */ - if (sbsec->flags && !num_opts) + if ((sbsec->flags & SE_MNTMASK) && !num_opts) goto out_double_mount; rc = 0; goto out; } if (strcmp(sb->s_type->name, "proc") == 0) - sbsec->proc = 1; + sbsec->flags |= SE_SBPROC; /* Determine the labeling behavior to use for this filesystem type. */ - rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); + rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); if (rc) { printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", __func__, sb->s_type->name, rc); @@ -806,10 +804,10 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, } /* how can we clone if the old one wasn't set up?? */ - BUG_ON(!oldsbsec->initialized); + BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); /* if fs is reusing a sb, just let its options stand... */ - if (newsbsec->initialized) + if (newsbsec->flags & SE_SBINITIALIZED) return; mutex_lock(&newsbsec->lock); @@ -1209,7 +1207,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent goto out_unlock; sbsec = inode->i_sb->s_security; - if (!sbsec->initialized) { + if (!(sbsec->flags & SE_SBINITIALIZED)) { /* Defer initialization until selinux_complete_init, after the initial policy is loaded and the security server is ready to handle calls. */ @@ -1326,7 +1324,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent /* Default to the fs superblock SID. */ isec->sid = sbsec->sid; - if (sbsec->proc && !S_ISLNK(inode->i_mode)) { + if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { struct proc_inode *proci = PROC_I(inode); if (proci->pde) { isec->sclass = inode_mode_to_security_class(inode->i_mode); @@ -2585,7 +2583,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, } /* Possibly defer initialization to selinux_complete_init. */ - if (sbsec->initialized) { + if (sbsec->flags & SE_SBINITIALIZED) { struct inode_security_struct *isec = inode->i_security; isec->sclass = inode_mode_to_security_class(inode->i_mode); isec->sid = newsid; -- cgit v1.2.3-70-g09d2 From 11689d47f0957121920c9ec646eb5d838755853a Mon Sep 17 00:00:00 2001 From: "David P. Quigley" Date: Fri, 16 Jan 2009 09:22:03 -0500 Subject: SELinux: Add new security mount option to indicate security label support. There is no easy way to tell if a file system supports SELinux security labeling. Because of this a new flag is being added to the super block security structure to indicate that the particular super block supports labeling. This flag is set for file systems using the xattr, task, and transition labeling methods unless that behavior is overridden by context mounts. Signed-off-by: David P. Quigley Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 39 ++++++++++++++++++++++++++++++++----- security/selinux/include/security.h | 2 ++ 2 files changed, 36 insertions(+), 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 473adc5f4f9..1a9768a8b64 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -89,7 +89,7 @@ #define XATTR_SELINUX_SUFFIX "selinux" #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX -#define NUM_SEL_MNT_OPTS 4 +#define NUM_SEL_MNT_OPTS 5 extern unsigned int policydb_loaded_version; extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); @@ -353,6 +353,7 @@ enum { Opt_fscontext = 2, Opt_defcontext = 3, Opt_rootcontext = 4, + Opt_labelsupport = 5, }; static const match_table_t tokens = { @@ -360,6 +361,7 @@ static const match_table_t tokens = { {Opt_fscontext, FSCONTEXT_STR "%s"}, {Opt_defcontext, DEFCONTEXT_STR "%s"}, {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, + {Opt_labelsupport, LABELSUPP_STR}, {Opt_error, NULL}, }; @@ -431,7 +433,7 @@ static int sb_finish_set_opts(struct super_block *sb) } } - sbsec->flags |= SE_SBINITIALIZED; + sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP); if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", @@ -441,6 +443,12 @@ static int sb_finish_set_opts(struct super_block *sb) sb->s_id, sb->s_type->name, labeling_behaviors[sbsec->behavior-1]); + if (sbsec->behavior == SECURITY_FS_USE_GENFS || + sbsec->behavior == SECURITY_FS_USE_MNTPOINT || + sbsec->behavior == SECURITY_FS_USE_NONE || + sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) + sbsec->flags &= ~SE_SBLABELSUPP; + /* Initialize the root inode. */ rc = inode_doinit_with_dentry(root_inode, root); @@ -500,6 +508,9 @@ static int selinux_get_mnt_opts(const struct super_block *sb, opts->num_mnt_opts++; tmp >>= 1; } + /* Check if the Label support flag is set */ + if (sbsec->flags & SE_SBLABELSUPP) + opts->num_mnt_opts++; opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); if (!opts->mnt_opts) { @@ -545,6 +556,10 @@ static int selinux_get_mnt_opts(const struct super_block *sb, opts->mnt_opts[i] = context; opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; } + if (sbsec->flags & SE_SBLABELSUPP) { + opts->mnt_opts[i] = NULL; + opts->mnt_opts_flags[i++] = SE_SBLABELSUPP; + } BUG_ON(i != opts->num_mnt_opts); @@ -635,6 +650,9 @@ static int selinux_set_mnt_opts(struct super_block *sb, */ for (i = 0; i < num_opts; i++) { u32 sid; + + if (flags[i] == SE_SBLABELSUPP) + continue; rc = security_context_to_sid(mount_options[i], strlen(mount_options[i]), &sid); if (rc) { @@ -915,7 +933,8 @@ static int selinux_parse_opts_str(char *options, goto out_err; } break; - + case Opt_labelsupport: + break; default: rc = -EINVAL; printk(KERN_WARNING "SELinux: unknown mount option\n"); @@ -997,7 +1016,12 @@ static void selinux_write_opts(struct seq_file *m, char *prefix; for (i = 0; i < opts->num_mnt_opts; i++) { - char *has_comma = strchr(opts->mnt_opts[i], ','); + char *has_comma; + + if (opts->mnt_opts[i]) + has_comma = strchr(opts->mnt_opts[i], ','); + else + has_comma = NULL; switch (opts->mnt_opts_flags[i]) { case CONTEXT_MNT: @@ -1012,6 +1036,10 @@ static void selinux_write_opts(struct seq_file *m, case DEFCONTEXT_MNT: prefix = DEFCONTEXT_STR; break; + case SE_SBLABELSUPP: + seq_putc(m, ','); + seq_puts(m, LABELSUPP_STR); + continue; default: BUG(); }; @@ -2398,7 +2426,8 @@ static inline int selinux_option(char *option, int len) return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || - match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len)); + match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || + match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); } static inline void take_option(char **to, char *from, int *first, int len) diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ff4e19ccd8f..e1d9db77998 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -47,11 +47,13 @@ /* Non-mount related flags */ #define SE_SBINITIALIZED 0x10 #define SE_SBPROC 0x20 +#define SE_SBLABELSUPP 0x40 #define CONTEXT_STR "context=" #define FSCONTEXT_STR "fscontext=" #define ROOTCONTEXT_STR "rootcontext=" #define DEFCONTEXT_STR "defcontext=" +#define LABELSUPP_STR "seclabel" struct netlbl_lsm_secattr; -- cgit v1.2.3-70-g09d2 From cd89596f0ccfa3ccb8a81ce47782231cf7ea7296 Mon Sep 17 00:00:00 2001 From: "David P. Quigley" Date: Fri, 16 Jan 2009 09:22:04 -0500 Subject: SELinux: Unify context mount and genfs behavior Context mounts and genfs labeled file systems behave differently with respect to setting file system labels. This patch brings genfs labeled file systems in line with context mounts in that setxattr calls to them should return EOPNOTSUPP and fscreate calls will be ignored. Signed-off-by: David P. Quigley Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1a9768a8b64..3bb4942e39c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1613,7 +1613,7 @@ static int may_create(struct inode *dir, if (rc) return rc; - if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) { + if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { rc = security_transition_sid(sid, dsec->sid, tclass, &newsid); if (rc) return rc; @@ -2597,7 +2597,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, sid = tsec->sid; newsid = tsec->create_sid; - if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) { + if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { rc = security_transition_sid(sid, dsec->sid, inode_mode_to_security_class(inode->i_mode), &newsid); @@ -2619,7 +2619,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, isec->initialized = 1; } - if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) + if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) return -EOPNOTSUPP; if (name) { @@ -2796,7 +2796,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, return selinux_inode_setotherxattr(dentry, name); sbsec = inode->i_sb->s_security; - if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) + if (!(sbsec->flags & SE_SBLABELSUPP)) return -EOPNOTSUPP; if (!is_owner_or_cap(inode)) -- cgit v1.2.3-70-g09d2 From bc05595845f58c065adc0763a678187647ec040f Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 11:28:33 +1100 Subject: selinux: remove unused bprm_check_security hook Remove unused bprm_check_security hook from SELinux. This currently calls into the capabilities hook, which is a noop. Acked-by: Eric Paris Acked-by: Serge Hallyn Signed-off-by: James Morris --- security/selinux/hooks.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3bb4942e39c..8251c6ba36c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2182,11 +2182,6 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) return 0; } -static int selinux_bprm_check_security(struct linux_binprm *bprm) -{ - return secondary_ops->bprm_check_security(bprm); -} - static int selinux_bprm_secureexec(struct linux_binprm *bprm) { const struct cred *cred = current_cred(); @@ -5608,7 +5603,6 @@ static struct security_operations selinux_ops = { .netlink_recv = selinux_netlink_recv, .bprm_set_creds = selinux_bprm_set_creds, - .bprm_check_security = selinux_bprm_check_security, .bprm_committing_creds = selinux_bprm_committing_creds, .bprm_committed_creds = selinux_bprm_committed_creds, .bprm_secureexec = selinux_bprm_secureexec, -- cgit v1.2.3-70-g09d2 From 2ec5dbe23d68bddc043a85d1226bfc499a724b1c Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 11:46:14 +1100 Subject: selinux: remove secondary ops call to bprm_committing_creds Remove secondary ops call to bprm_committing_creds, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8251c6ba36c..fc01ffa0b69 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2311,8 +2311,6 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm) struct rlimit *rlim, *initrlim; int rc, i; - secondary_ops->bprm_committing_creds(bprm); - new_tsec = bprm->cred->security; if (new_tsec->sid == new_tsec->osid) return; -- cgit v1.2.3-70-g09d2 From 5565b0b865f672e3d7e31936ad1d40710ab7bfc4 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 11:47:49 +1100 Subject: selinux: remove secondary ops call to bprm_committed_creds Remove secondary ops call to bprm_committed_creds, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fc01ffa0b69..516058ff063 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2356,8 +2356,6 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm) int rc, i; unsigned long flags; - secondary_ops->bprm_committed_creds(bprm); - osid = tsec->osid; sid = tsec->sid; -- cgit v1.2.3-70-g09d2 From ef935b9136eeaa203f75bf0b4d6e398c29f44d27 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 11:51:11 +1100 Subject: selinux: remove secondary ops call to sb_mount Remove secondary ops call to sb_mount, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 516058ff063..bdd483096b3 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2531,11 +2531,6 @@ static int selinux_mount(char *dev_name, void *data) { const struct cred *cred = current_cred(); - int rc; - - rc = secondary_ops->sb_mount(dev_name, path, type, flags, data); - if (rc) - return rc; if (flags & MS_REMOUNT) return superblock_has_perm(cred, path->mnt->mnt_sb, -- cgit v1.2.3-70-g09d2 From 97422ab9ef45118cb7418d799dc69040f17108ce Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 11:55:02 +1100 Subject: selinux: remove secondary ops call to sb_umount Remove secondary ops call to sb_umount, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index bdd483096b3..42aa8de5f59 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2543,11 +2543,6 @@ static int selinux_mount(char *dev_name, static int selinux_umount(struct vfsmount *mnt, int flags) { const struct cred *cred = current_cred(); - int rc; - - rc = secondary_ops->sb_umount(mnt, flags); - if (rc) - return rc; return superblock_has_perm(cred, mnt->mnt_sb, FILESYSTEM__UNMOUNT, NULL); -- cgit v1.2.3-70-g09d2 From efdfac437607e4acfed66c383091a376525eaec4 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 11:57:34 +1100 Subject: selinux: remove secondary ops call to inode_link Remove secondary ops call to inode_link, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 42aa8de5f59..da0e523157d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2630,11 +2630,6 @@ static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int ma static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) { - int rc; - - rc = secondary_ops->inode_link(old_dentry, dir, new_dentry); - if (rc) - return rc; return may_link(dir, old_dentry, MAY_LINK); } -- cgit v1.2.3-70-g09d2 From e4737250b751b4e0e802adae9a4d3ae0227b580b Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:00:08 +1100 Subject: selinux: remove secondary ops call to inode_unlink Remove secondary ops call to inode_unlink, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index da0e523157d..ec834dc0b41 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2635,11 +2635,6 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) { - int rc; - - rc = secondary_ops->inode_unlink(dir, dentry); - if (rc) - return rc; return may_link(dir, dentry, MAY_UNLINK); } -- cgit v1.2.3-70-g09d2 From dd4907a6d4e038dc65839fcd4030ebefe2f5f439 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:08:34 +1100 Subject: selinux: remove secondary ops call to inode_mknod Remove secondary ops call to inode_mknod, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ec834dc0b41..03621928f1b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2655,12 +2655,6 @@ static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) { - int rc; - - rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); - if (rc) - return rc; - return may_create(dir, dentry, inode_mode_to_security_class(mode)); } -- cgit v1.2.3-70-g09d2 From f51115b9ab5b9cfd0b7be1cce75afbf3ffbcdd87 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:10:56 +1100 Subject: selinux: remove secondary ops call to inode_follow_link Remove secondary ops call to inode_follow_link, which is a noop in capabilities. Acked-by: Serge Hallyn Signed-off-by: James Morris --- security/selinux/hooks.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 03621928f1b..67291a385c7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2674,11 +2674,7 @@ static int selinux_inode_readlink(struct dentry *dentry) static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) { const struct cred *cred = current_cred(); - int rc; - rc = secondary_ops->inode_follow_link(dentry, nameidata); - if (rc) - return rc; return dentry_has_perm(cred, NULL, dentry, FILE__READ); } -- cgit v1.2.3-70-g09d2 From 188fbcca9dd02f15dcf45cfc51ce0dd6c13993f6 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:14:03 +1100 Subject: selinux: remove secondary ops call to inode_permission Remove secondary ops call to inode_permission, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 67291a385c7..7e90c9e5865 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2681,11 +2681,6 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na static int selinux_inode_permission(struct inode *inode, int mask) { const struct cred *cred = current_cred(); - int rc; - - rc = secondary_ops->inode_permission(inode, mask); - if (rc) - return rc; if (!mask) { /* No permission to check. Existence test. */ -- cgit v1.2.3-70-g09d2 From 438add6b32d9295db6e3ecd4d9e137086ec5b5d9 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:15:59 +1100 Subject: selinux: remove secondary ops call to inode_setattr Remove secondary ops call to inode_setattr, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7e90c9e5865..08b506846a1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2694,11 +2694,6 @@ static int selinux_inode_permission(struct inode *inode, int mask) static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) { const struct cred *cred = current_cred(); - int rc; - - rc = secondary_ops->inode_setattr(dentry, iattr); - if (rc) - return rc; if (iattr->ia_valid & ATTR_FORCE) return 0; -- cgit v1.2.3-70-g09d2 From d541bbee6902d5ffb8a03d63ac8f4b1364c2ff93 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:19:51 +1100 Subject: selinux: remove secondary ops call to file_mprotect Remove secondary ops call to file_mprotect, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 08b506846a1..2c98071fba8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3056,18 +3056,13 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, unsigned long prot) { const struct cred *cred = current_cred(); - int rc; - - rc = secondary_ops->file_mprotect(vma, reqprot, prot); - if (rc) - return rc; if (selinux_checkreqprot) prot = reqprot; #ifndef CONFIG_PPC32 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { - rc = 0; + int rc = 0; if (vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= vma->vm_mm->brk) { rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); -- cgit v1.2.3-70-g09d2 From af294e41d0c95a291cc821a1b43ec2cd13976a8b Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:23:36 +1100 Subject: selinux: remove secondary ops call to task_create Remove secondary ops call to task_create, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 2c98071fba8..72c1e5cd26d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3212,12 +3212,6 @@ static int selinux_dentry_open(struct file *file, const struct cred *cred) static int selinux_task_create(unsigned long clone_flags) { - int rc; - - rc = secondary_ops->task_create(clone_flags); - if (rc) - return rc; - return current_has_perm(current, PROCESS__FORK); } -- cgit v1.2.3-70-g09d2 From ca5143d3ff3c7a4e1c2c8bdcf0f53aea227a7722 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:26:14 +1100 Subject: selinux: remove unused cred_commit hook Remove unused cred_commit hook from SELinux. This currently calls into the capabilities hook, which is a noop. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 9 --------- 1 file changed, 9 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 72c1e5cd26d..afccada1f26 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3244,14 +3244,6 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, return 0; } -/* - * commit new credentials - */ -static void selinux_cred_commit(struct cred *new, const struct cred *old) -{ - secondary_ops->cred_commit(new, old); -} - /* * set the security data for a kernel service * - all the creation contexts are set to unlabelled @@ -5610,7 +5602,6 @@ static struct security_operations selinux_ops = { .task_create = selinux_task_create, .cred_free = selinux_cred_free, .cred_prepare = selinux_cred_prepare, - .cred_commit = selinux_cred_commit, .kernel_act_as = selinux_kernel_act_as, .kernel_create_files_as = selinux_kernel_create_files_as, .task_setuid = selinux_task_setuid, -- cgit v1.2.3-70-g09d2 From ef76e748faa823a738d632ee4c8ed9adaabc8a40 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:30:28 +1100 Subject: selinux: remove secondary ops call to task_setrlimit Remove secondary ops call to task_setrlimit, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index afccada1f26..3aaa63cc5c7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3367,11 +3367,6 @@ static int selinux_task_getioprio(struct task_struct *p) static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) { struct rlimit *old_rlim = current->signal->rlim + resource; - int rc; - - rc = secondary_ops->task_setrlimit(resource, new_rlim); - if (rc) - return rc; /* Control the ability to change the hard limit (whether lowering or raising it), so that the hard limit can -- cgit v1.2.3-70-g09d2 From 2cbbd19812b7636c1c37bcf50c403e7af5278d73 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:32:50 +1100 Subject: selinux: remove secondary ops call to task_kill Remove secondary ops call to task_kill, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3aaa63cc5c7..0bd36a17587 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3405,10 +3405,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, u32 perm; int rc; - rc = secondary_ops->task_kill(p, info, sig, secid); - if (rc) - return rc; - if (!sig) perm = PROCESS__SIGNULL; /* null signal; existence test */ else -- cgit v1.2.3-70-g09d2 From 5c4054ccfafb6a446e9b65c524af1741656c6c60 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:34:53 +1100 Subject: selinux: remove secondary ops call to unix_stream_connect Remove secondary ops call to unix_stream_connect, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0bd36a17587..25198e9896f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3997,10 +3997,6 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, struct avc_audit_data ad; int err; - err = secondary_ops->unix_stream_connect(sock, other, newsk); - if (err) - return err; - isec = SOCK_INODE(sock)->i_security; other_isec = SOCK_INODE(other)->i_security; -- cgit v1.2.3-70-g09d2 From 95c14904b6f6f8a35365f0c58d530c85b4fb96b4 Mon Sep 17 00:00:00 2001 From: James Morris Date: Thu, 29 Jan 2009 12:37:58 +1100 Subject: selinux: remove secondary ops call to shm_shmat Remove secondary ops call to shm_shmat, which is a noop in capabilities. Acked-by: Serge Hallyn Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 25198e9896f..d9604794a4d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5113,11 +5113,6 @@ static int selinux_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg) { u32 perms; - int rc; - - rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); - if (rc) - return rc; if (shmflg & SHM_RDONLY) perms = SHM__READ; -- cgit v1.2.3-70-g09d2 From 5626d3e86141390c8efc7bcb929b6a4b58b00480 Mon Sep 17 00:00:00 2001 From: James Morris Date: Fri, 30 Jan 2009 10:05:06 +1100 Subject: selinux: remove hooks which simply defer to capabilities Remove SELinux hooks which do nothing except defer to the capabilites hooks (or in one case, replicates the function). Signed-off-by: James Morris Acked-by: Stephen Smalley --- security/selinux/hooks.c | 68 +++++++----------------------------------------- 1 file changed, 10 insertions(+), 58 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d9604794a4d..a69d6f8970c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1892,6 +1892,16 @@ static int selinux_capset(struct cred *new, const struct cred *old, return cred_has_perm(old, new, PROCESS__SETCAP); } +/* + * (This comment used to live with the selinux_task_setuid hook, + * which was removed). + * + * Since setuid only affects the current process, and since the SELinux + * controls are not based on the Linux identity attributes, SELinux does not + * need to control this operation. However, SELinux does control the use of + * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. + */ + static int selinux_capable(struct task_struct *tsk, const struct cred *cred, int cap, int audit) { @@ -2909,16 +2919,6 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t return len; } -static int selinux_inode_need_killpriv(struct dentry *dentry) -{ - return secondary_ops->inode_need_killpriv(dentry); -} - -static int selinux_inode_killpriv(struct dentry *dentry) -{ - return secondary_ops->inode_killpriv(dentry); -} - static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) { struct inode_security_struct *isec = inode->i_security; @@ -3288,29 +3288,6 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) return 0; } -static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) -{ - /* Since setuid only affects the current process, and - since the SELinux controls are not based on the Linux - identity attributes, SELinux does not need to control - this operation. However, SELinux does control the use - of the CAP_SETUID and CAP_SETGID capabilities using the - capable hook. */ - return 0; -} - -static int selinux_task_fix_setuid(struct cred *new, const struct cred *old, - int flags) -{ - return secondary_ops->task_fix_setuid(new, old, flags); -} - -static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) -{ - /* See the comment for setuid above. */ - return 0; -} - static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) { return current_has_perm(p, PROCESS__SETPGID); @@ -3331,12 +3308,6 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid) *secid = task_sid(p); } -static int selinux_task_setgroups(struct group_info *group_info) -{ - /* See the comment for setuid above. */ - return 0; -} - static int selinux_task_setnice(struct task_struct *p, int nice) { int rc; @@ -3417,18 +3388,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, return rc; } -static int selinux_task_prctl(int option, - unsigned long arg2, - unsigned long arg3, - unsigned long arg4, - unsigned long arg5) -{ - /* The current prctl operations do not appear to require - any SELinux controls since they merely observe or modify - the state of the current process. */ - return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5); -} - static int selinux_task_wait(struct task_struct *p) { return task_has_perm(p, current, PROCESS__SIGCHLD); @@ -5563,8 +5522,6 @@ static struct security_operations selinux_ops = { .inode_getsecurity = selinux_inode_getsecurity, .inode_setsecurity = selinux_inode_setsecurity, .inode_listsecurity = selinux_inode_listsecurity, - .inode_need_killpriv = selinux_inode_need_killpriv, - .inode_killpriv = selinux_inode_killpriv, .inode_getsecid = selinux_inode_getsecid, .file_permission = selinux_file_permission, @@ -5586,14 +5543,10 @@ static struct security_operations selinux_ops = { .cred_prepare = selinux_cred_prepare, .kernel_act_as = selinux_kernel_act_as, .kernel_create_files_as = selinux_kernel_create_files_as, - .task_setuid = selinux_task_setuid, - .task_fix_setuid = selinux_task_fix_setuid, - .task_setgid = selinux_task_setgid, .task_setpgid = selinux_task_setpgid, .task_getpgid = selinux_task_getpgid, .task_getsid = selinux_task_getsid, .task_getsecid = selinux_task_getsecid, - .task_setgroups = selinux_task_setgroups, .task_setnice = selinux_task_setnice, .task_setioprio = selinux_task_setioprio, .task_getioprio = selinux_task_getioprio, @@ -5603,7 +5556,6 @@ static struct security_operations selinux_ops = { .task_movememory = selinux_task_movememory, .task_kill = selinux_task_kill, .task_wait = selinux_task_wait, - .task_prctl = selinux_task_prctl, .task_to_inode = selinux_task_to_inode, .ipc_permission = selinux_ipc_permission, -- cgit v1.2.3-70-g09d2 From 200ac532a4bc3134147ca06686c56a6420e66c46 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 12 Feb 2009 15:01:04 -0500 Subject: SELinux: call capabilities code directory For cleanliness and efficiency remove all calls to secondary-> and instead call capabilities code directly. capabilities are the only module that selinux stacks with and so the code should not indicate that other stacking might be possible. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a69d6f8970c..e9011e5f5ff 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1841,7 +1841,7 @@ static int selinux_ptrace_may_access(struct task_struct *child, { int rc; - rc = secondary_ops->ptrace_may_access(child, mode); + rc = cap_ptrace_may_access(child, mode); if (rc) return rc; @@ -1858,7 +1858,7 @@ static int selinux_ptrace_traceme(struct task_struct *parent) { int rc; - rc = secondary_ops->ptrace_traceme(parent); + rc = cap_ptrace_traceme(parent); if (rc) return rc; @@ -1874,7 +1874,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, if (error) return error; - return secondary_ops->capget(target, effective, inheritable, permitted); + return cap_capget(target, effective, inheritable, permitted); } static int selinux_capset(struct cred *new, const struct cred *old, @@ -1884,7 +1884,7 @@ static int selinux_capset(struct cred *new, const struct cred *old, { int error; - error = secondary_ops->capset(new, old, + error = cap_capset(new, old, effective, inheritable, permitted); if (error) return error; @@ -1907,7 +1907,7 @@ static int selinux_capable(struct task_struct *tsk, const struct cred *cred, { int rc; - rc = secondary_ops->capable(tsk, cred, cap, audit); + rc = cap_capable(tsk, cred, cap, audit); if (rc) return rc; @@ -2033,7 +2033,7 @@ static int selinux_syslog(int type) { int rc; - rc = secondary_ops->syslog(type); + rc = cap_syslog(type); if (rc) return rc; @@ -2064,10 +2064,6 @@ static int selinux_syslog(int type) * mapping. 0 means there is enough memory for the allocation to * succeed and -ENOMEM implies there is not. * - * Note that secondary_ops->capable and task_has_perm_noaudit return 0 - * if the capability is granted, but __vm_enough_memory requires 1 if - * the capability is granted. - * * Do not audit the selinux permission check, as this is applied to all * processes that allocate mappings. */ @@ -2094,7 +2090,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) struct inode *inode = bprm->file->f_path.dentry->d_inode; int rc; - rc = secondary_ops->bprm_set_creds(bprm); + rc = cap_bprm_set_creds(bprm); if (rc) return rc; @@ -2211,7 +2207,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm) PROCESS__NOATSECURE, NULL); } - return (atsecure || secondary_ops->bprm_secureexec(bprm)); + return (atsecure || cap_bprm_secureexec(bprm)); } extern struct vfsmount *selinuxfs_mount; @@ -3312,7 +3308,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice) { int rc; - rc = secondary_ops->task_setnice(p, nice); + rc = cap_task_setnice(p, nice); if (rc) return rc; @@ -3323,7 +3319,7 @@ static int selinux_task_setioprio(struct task_struct *p, int ioprio) { int rc; - rc = secondary_ops->task_setioprio(p, ioprio); + rc = cap_task_setioprio(p, ioprio); if (rc) return rc; @@ -3353,7 +3349,7 @@ static int selinux_task_setscheduler(struct task_struct *p, int policy, struct s { int rc; - rc = secondary_ops->task_setscheduler(p, policy, lp); + rc = cap_task_setscheduler(p, policy, lp); if (rc) return rc; @@ -4749,7 +4745,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) { int err; - err = secondary_ops->netlink_send(sk, skb); + err = cap_netlink_send(sk, skb); if (err) return err; @@ -4764,7 +4760,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability) int err; struct avc_audit_data ad; - err = secondary_ops->netlink_recv(skb, capability); + err = cap_netlink_recv(skb, capability); if (err) return err; -- cgit v1.2.3-70-g09d2 From 4ba0a8ad63e12a03ae01c039482967cc496b9174 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 12 Feb 2009 15:01:10 -0500 Subject: SELinux: better printk when file with invalid label found Currently when an inode is read into the kernel with an invalid label string (can often happen with removable media) we output a string like: SELinux: inode_doinit_with_dentry: context_to_sid([SOME INVALID LABEL]) returned -22 dor dev=[blah] ino=[blah] Which is all but incomprehensible to all but a couple of us. Instead, on EINVAL only, I plan to output a much more user friendly string and I plan to ratelimit the printk since many of these could be generated very rapidly. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e9011e5f5ff..aebcfad5613 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1315,10 +1315,19 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent sbsec->def_sid, GFP_NOFS); if (rc) { - printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " - "returned %d for dev=%s ino=%ld\n", - __func__, context, -rc, - inode->i_sb->s_id, inode->i_ino); + char *dev = inode->i_sb->s_id; + unsigned long ino = inode->i_ino; + + if (rc == -EINVAL) { + if (printk_ratelimit()) + printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " + "context=%s. This indicates you may need to relabel the inode or the " + "filesystem in question.\n", ino, dev, context); + } else { + printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " + "returned %d for dev=%s ino=%ld\n", + __func__, context, -rc, dev, ino); + } kfree(context); /* Leave with the unlabeled SID */ rc = 0; -- cgit v1.2.3-70-g09d2 From 4cb912f1d1447077160ace9ce3b3a10696dd74e5 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 12 Feb 2009 14:50:05 -0500 Subject: SELinux: NULL terminate al contexts from disk When a context is pulled in from disk we don't know that it is null terminated. This patch forecebly null terminates contexts when we pull them from disk. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index aebcfad5613..309648c573d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1270,12 +1270,13 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent } len = INITCONTEXTLEN; - context = kmalloc(len, GFP_NOFS); + context = kmalloc(len+1, GFP_NOFS); if (!context) { rc = -ENOMEM; dput(dentry); goto out_unlock; } + context[len] = '\0'; rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, context, len); if (rc == -ERANGE) { @@ -1288,12 +1289,13 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent } kfree(context); len = rc; - context = kmalloc(len, GFP_NOFS); + context = kmalloc(len+1, GFP_NOFS); if (!context) { rc = -ENOMEM; dput(dentry); goto out_unlock; } + context[len] = '\0'; rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, context, len); -- cgit v1.2.3-70-g09d2 From 6a25b27d602aac24f3c642722377ba5d778417ec Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 5 Mar 2009 13:40:35 -0500 Subject: SELinux: open perm for sock files When I did open permissions I didn't think any sockets would have an open. Turns out AF_UNIX sockets can have an open when they are bound to the filesystem namespace. This patch adds a new SOCK_FILE__OPEN permission. It's safe to add this as the open perms are already predicated on capabilities and capabilities means we have unknown perm handling so systems should be as backwards compatible as the policy wants them to be. https://bugzilla.redhat.com/show_bug.cgi?id=475224 Signed-off-by: Eric Paris Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 2 ++ security/selinux/include/av_perm_to_string.h | 1 + security/selinux/include/av_permissions.h | 1 + 3 files changed, 4 insertions(+) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 309648c573d..cd3307a26d1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1838,6 +1838,8 @@ static inline u32 open_file_to_av(struct file *file) av |= FIFO_FILE__OPEN; else if (S_ISDIR(mode)) av |= DIR__OPEN; + else if (S_ISSOCK(mode)) + av |= SOCK_FILE__OPEN; else printk(KERN_ERR "SELinux: WARNING: inside %s with " "unknown mode:%o\n", __func__, mode); diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index c0c885427b9..c7531ee9c7b 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h @@ -24,6 +24,7 @@ S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod") S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open") S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open") + S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open") S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open") S_(SECCLASS_FD, FD__USE, "use") S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto") diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index 0ba79fe00e1..0b8f9b2bbde 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h @@ -174,6 +174,7 @@ #define SOCK_FILE__SWAPON 0x00004000UL #define SOCK_FILE__QUOTAON 0x00008000UL #define SOCK_FILE__MOUNTON 0x00010000UL +#define SOCK_FILE__OPEN 0x00020000UL #define FIFO_FILE__IOCTL 0x00000001UL #define FIFO_FILE__READ 0x00000002UL #define FIFO_FILE__WRITE 0x00000004UL -- cgit v1.2.3-70-g09d2 From df7f54c012b92ec93d56b68547351dcdf8a163d3 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Mon, 9 Mar 2009 14:35:58 -0400 Subject: SELinux: inode_doinit_with_dentry drop no dentry printk Drop the printk message when an inode is found without an associated dentry. This should only happen when userspace can't be accessing those inodes and those labels will get set correctly on the next d_instantiate. Thus there is no reason to send this message. Signed-off-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index cd3307a26d1..7c52ba243c6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1263,9 +1263,15 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent dentry = d_find_alias(inode); } if (!dentry) { - printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s " - "ino=%ld\n", __func__, inode->i_sb->s_id, - inode->i_ino); + /* + * this is can be hit on boot when a file is accessed + * before the policy is loaded. When we load policy we + * may find inodes that have no dentry on the + * sbsec->isec_head list. No reason to complain as these + * will get fixed up the next time we go through + * inode_doinit with a dentry, before these inodes could + * be used again by userspace. + */ goto out_unlock; } -- cgit v1.2.3-70-g09d2