Merge branch 'next' into for-linus
@@ -94,33 +94,6 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
|
||||
|
||||
If you are unsure how to answer this question, answer 1.
|
||||
|
||||
config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
|
||||
bool "NSA SELinux enable new secmark network controls by default"
|
||||
depends on SECURITY_SELINUX
|
||||
default n
|
||||
help
|
||||
This option determines whether the new secmark-based network
|
||||
controls will be enabled by default. If not, the old internal
|
||||
per-packet controls will be enabled by default, preserving
|
||||
old behavior.
|
||||
|
||||
If you enable the new controls, you will need updated
|
||||
SELinux userspace libraries, tools and policy. Typically,
|
||||
your distribution will provide these and enable the new controls
|
||||
in the kernel they also distribute.
|
||||
|
||||
Note that this option can be overridden at boot with the
|
||||
selinux_compat_net parameter, and after boot via
|
||||
/selinux/compat_net. See Documentation/kernel-parameters.txt
|
||||
for details on this parameter.
|
||||
|
||||
If you enable the new network controls, you will likely
|
||||
also require the SECMARK and CONNSECMARK targets, as
|
||||
well as any conntrack helpers for protocols which you
|
||||
wish to control.
|
||||
|
||||
If you are unsure what to do here, select N.
|
||||
|
||||
config SECURITY_SELINUX_POLICYDB_VERSION_MAX
|
||||
bool "NSA SELinux maximum supported policy format version"
|
||||
depends on SECURITY_SELINUX
|
||||
|
@@ -53,18 +53,20 @@ static const char *class_to_string[] = {
|
||||
#undef S_
|
||||
|
||||
static const struct av_inherit av_inherit[] = {
|
||||
#define S_(c, i, b) { c, common_##i##_perm_to_string, b },
|
||||
#define S_(c, i, b) { .tclass = c,\
|
||||
.common_pts = common_##i##_perm_to_string,\
|
||||
.common_base = b },
|
||||
#include "av_inherit.h"
|
||||
#undef S_
|
||||
};
|
||||
|
||||
const struct selinux_class_perm selinux_class_perm = {
|
||||
av_perm_to_string,
|
||||
ARRAY_SIZE(av_perm_to_string),
|
||||
class_to_string,
|
||||
ARRAY_SIZE(class_to_string),
|
||||
av_inherit,
|
||||
ARRAY_SIZE(av_inherit)
|
||||
.av_perm_to_string = av_perm_to_string,
|
||||
.av_pts_len = ARRAY_SIZE(av_perm_to_string),
|
||||
.class_to_string = class_to_string,
|
||||
.cts_len = ARRAY_SIZE(class_to_string),
|
||||
.av_inherit = av_inherit,
|
||||
.av_inherit_len = ARRAY_SIZE(av_inherit)
|
||||
};
|
||||
|
||||
#define AVC_CACHE_SLOTS 512
|
||||
|
@@ -1433,12 +1433,13 @@ static int current_has_perm(const struct task_struct *tsk,
|
||||
|
||||
/* Check whether a task is allowed to use a capability. */
|
||||
static int task_has_capability(struct task_struct *tsk,
|
||||
const struct cred *cred,
|
||||
int cap, int audit)
|
||||
{
|
||||
struct avc_audit_data ad;
|
||||
struct av_decision avd;
|
||||
u16 sclass;
|
||||
u32 sid = task_sid(tsk);
|
||||
u32 sid = cred_sid(cred);
|
||||
u32 av = CAP_TO_MASK(cap);
|
||||
int rc;
|
||||
|
||||
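Review bot: task_has_capability now derives the subject SID from the new parameter (`u32 sid = cred_sid(cred)`) while still taking `tsk`, and nothing in the hunk says what `tsk` is still for or whether the two are expected to agree, so a caller could pass a task/cred pair that does not match without anything documenting that this is allowed. I would extend the existing header comment to `/* Check whether a task is allowed to use a capability. The decision is made against @cred, which need not be @tsk's current credentials; @tsk is presumably only used for the audit record. */` — the remaining use of tsk is past the end of the hunk, so confirm it is indeed audit-only before committing to that wording. The function body continues outside the hunk.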
@@ -1865,15 +1866,16 @@ static int selinux_capset(struct cred *new, const struct cred *old,
|
||||
return cred_has_perm(old, new, PROCESS__SETCAP);
|
||||
}
|
||||
|
||||
static int selinux_capable(struct task_struct *tsk, int cap, int audit)
|
||||
static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
|
||||
int cap, int audit)
|
||||
{
|
||||
int rc;
|
||||
|
||||
rc = secondary_ops->capable(tsk, cap, audit);
|
||||
rc = secondary_ops->capable(tsk, cred, cap, audit);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
return task_has_capability(tsk, cap, audit);
|
||||
return task_has_capability(tsk, cred, cap, audit);
|
||||
}
|
||||
|
||||
static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
|
||||
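Review bot: selinux_capable has no comment describing its evaluation order, which the hunk makes more important now that both `tsk` and `cred` are passed down: the secondary (commoncap) decision is consulted first and, per the unchanged `if (rc) return rc;`, a denial there is final and the SELinux check in `task_has_capability(tsk, cred, cap, audit)` never runs. I would add `/* Check @cred for @cap: the secondary module is consulted first and its denial is final; only on success is the SELinux capability permission checked. */` above the definition. Whether the secondary module can return anything other than 0/-EPERM is not visible here, so the comment should stay at that level of detail.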
@@ -2037,7 +2039,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
|
||||
{
|
||||
int rc, cap_sys_admin = 0;
|
||||
|
||||
rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
|
||||
rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
|
||||
SECURITY_CAP_NOAUDIT);
|
||||
if (rc == 0)
|
||||
cap_sys_admin = 1;
|
||||
|
||||
@@ -2880,7 +2883,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
|
||||
* and lack of permission just means that we fall back to the
|
||||
* in-core context value, not a denial.
|
||||
*/
|
||||
error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
|
||||
error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
|
||||
SECURITY_CAP_NOAUDIT);
|
||||
if (!error)
|
||||
error = security_sid_to_context_force(isec->sid, &context,
|
||||
&size);
|
||||
@@ -4185,7 +4189,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
|
||||
static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
|
||||
u16 family)
|
||||
{
|
||||
int err;
|
||||
int err = 0;
|
||||
struct sk_security_struct *sksec = sk->sk_security;
|
||||
u32 peer_sid;
|
||||
u32 sk_sid = sksec->sid;
|
||||
@@ -4202,7 +4206,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
|
||||
if (selinux_compat_net)
|
||||
err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
|
||||
family, addrp);
|
||||
else
|
||||
else if (selinux_secmark_enabled())
|
||||
err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
|
||||
PACKET__RECV, &ad);
|
||||
if (err)
|
||||
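Review bot: The new `else if (selinux_secmark_enabled())` makes the PACKET__RECV check conditional, so with compat_net off and no SECMARK rules loaded neither branch runs and the function relies on `err` having been initialized to 0 (done in the preceding hunk of this function) to accept the packet. That fail-open is presumably intended — without secmark there is no packet label to check — but it is invisible at this point in the code and worth stating with a trailing comment, `/* neither compat_net nor secmark active: no per-packet control applies, accept */`, so a later reader does not mistake the missing `else` for a missing deny. The comment should also name the dependency on `err` starting at 0, since dropping that initializer would silently turn this path into a read of an uninitialized value. The enclosing function begins and ends outside the hunk.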
@@ -4705,7 +4709,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
|
||||
if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
|
||||
&ad, family, addrp))
|
||||
return NF_DROP;
|
||||
} else {
|
||||
} else if (selinux_secmark_enabled()) {
|
||||
if (avc_has_perm(sksec->sid, skb->secmark,
|
||||
SECCLASS_PACKET, PACKET__SEND, &ad))
|
||||
return NF_DROP;
|
||||
|
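Review bot: The postroute path now has the same fail-open shape as the receive path: when compat_net is off and `selinux_secmark_enabled()` is false the new `else if` skips the PACKET__SEND check and the packet falls through to whatever the function returns after this block, which is outside the hunk and presumably NF_ACCEPT. Make that explicit with a comment on the closing brace, `/* no compat_net and no secmark rules: nothing to enforce, let the packet through */`, so the absence of an `else { return NF_DROP; }` reads as deliberate rather than as an oversight. The enclosing function begins and ends outside this hunk.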
@@ -17,16 +17,16 @@ struct av_perm_to_string {
|
||||
};
|
||||
|
||||
struct av_inherit {
|
||||
u16 tclass;
|
||||
const char **common_pts;
|
||||
u32 common_base;
|
||||
u16 tclass;
|
||||
};
|
||||
|
||||
struct selinux_class_perm {
|
||||
const struct av_perm_to_string *av_perm_to_string;
|
||||
u32 av_pts_len;
|
||||
const char **class_to_string;
|
||||
u32 cts_len;
|
||||
const char **class_to_string;
|
||||
const struct av_inherit *av_inherit;
|
||||
u32 av_inherit_len;
|
||||
};
|
||||
|
@@ -47,13 +47,7 @@ static char *policycap_names[] = {
|
||||
|
||||
unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
|
||||
|
||||
#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
|
||||
#define SELINUX_COMPAT_NET_VALUE 0
|
||||
#else
|
||||
#define SELINUX_COMPAT_NET_VALUE 1
|
||||
#endif
|
||||
|
||||
int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
|
||||
int selinux_compat_net = 0;
|
||||
|
||||
static int __init checkreqprot_setup(char *str)
|
||||
{
|
||||
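Review bot: `int selinux_compat_net = 0;` changes the shipped default from the Kconfig-selected value to secmark-only, but nothing at the definition records that this is deliberate or how the legacy controls are still reached, so a maintainer reading selinuxfs.c alone cannot tell whether 0 is a choice or a leftover. Add `/* Legacy per-packet (compat_net) network controls are off by default in favour of secmark; they are deprecated but can still be enabled at boot or via /selinux/compat_net. */` above the definition — the boot-parameter setup is not in this hunk, so confirm it still exists before referencing it. The practical consequence worth stating somewhere is that a system whose policy and netfilter rules never set up SECMARK now runs with no per-packet SELinux network control unless it opts back in.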
@@ -494,7 +488,13 @@ static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
|
||||
if (sscanf(page, "%d", &new_value) != 1)
|
||||
goto out;
|
||||
|
||||
selinux_compat_net = new_value ? 1 : 0;
|
||||
if (new_value) {
|
||||
printk(KERN_NOTICE
|
||||
"SELinux: compat_net is deprecated, please use secmark"
|
||||
" instead\n");
|
||||
selinux_compat_net = 1;
|
||||
} else
|
||||
selinux_compat_net = 0;
|
||||
length = count;
|
||||
out:
|
||||
free_page((unsigned long) page);
|
||||
|
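Review bot: The deprecation notice in the new `if (new_value)` branch fires on every nonzero write, including writes that leave `selinux_compat_net` at 1, and the printk is not rate-limited; any writer reaching this point is presumably already privileged (the permission check precedes the hunk and is not visible here), so this is log noise rather than a flooding risk, but the message should track the actual state change. Print only on a real transition and keep the assignment in one place: `if (new_value && !selinux_compat_net)` / `printk(KERN_NOTICE "SELinux: compat_net is deprecated, please use secmark instead\n");` / `selinux_compat_net = new_value ? 1 : 0;`. The `%d` parse above also accepts negative values and treats them as "enable", which the hunk preserves from the old code and may be worth a comment if that is intentional.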
@@ -27,9 +27,9 @@ struct context {
|
||||
u32 user;
|
||||
u32 role;
|
||||
u32 type;
|
||||
u32 len; /* length of string in bytes */
|
||||
struct mls_range range;
|
||||
char *str; /* string representation if context cannot be mapped. */
|
||||
u32 len; /* length of string in bytes */
|
||||
};
|
||||
|
||||
static inline void mls_context_init(struct context *c)
|
||||
|