Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into next
This commit is contained in:
James Morris
@@ -24,9 +24,11 @@
|
||||
*/
|
||||
|
||||
#include <linux/init.h>
|
||||
#include <linux/kd.h>
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/tracehook.h>
|
||||
#include <linux/errno.h>
|
||||
#include <linux/ext2_fs.h>
|
||||
#include <linux/sched.h>
|
||||
#include <linux/security.h>
|
||||
#include <linux/xattr.h>
|
||||
@@ -36,14 +38,15 @@
|
||||
#include <linux/mman.h>
|
||||
#include <linux/slab.h>
|
||||
#include <linux/pagemap.h>
|
||||
#include <linux/proc_fs.h>
|
||||
#include <linux/swap.h>
|
||||
#include <linux/spinlock.h>
|
||||
#include <linux/syscalls.h>
|
||||
#include <linux/dcache.h>
|
||||
#include <linux/file.h>
|
||||
#include <linux/fdtable.h>
|
||||
#include <linux/namei.h>
|
||||
#include <linux/mount.h>
|
||||
#include <linux/proc_fs.h>
|
||||
#include <linux/netfilter_ipv4.h>
|
||||
#include <linux/netfilter_ipv6.h>
|
||||
#include <linux/tty.h>
|
||||
@@ -70,7 +73,6 @@
|
||||
#include <net/ipv6.h>
|
||||
#include <linux/hugetlb.h>
|
||||
#include <linux/personality.h>
|
||||
#include <linux/sysctl.h>
|
||||
#include <linux/audit.h>
|
||||
#include <linux/string.h>
|
||||
#include <linux/selinux.h>
|
||||
@@ -1120,39 +1122,35 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
|
||||
}
|
||||
|
||||
#ifdef CONFIG_PROC_FS
|
||||
static int selinux_proc_get_sid(struct proc_dir_entry *de,
|
||||
static int selinux_proc_get_sid(struct dentry *dentry,
|
||||
u16 tclass,
|
||||
u32 *sid)
|
||||
{
|
||||
int buflen, rc;
|
||||
char *buffer, *path, *end;
|
||||
int rc;
|
||||
char *buffer, *path;
|
||||
|
||||
buffer = (char *)__get_free_page(GFP_KERNEL);
|
||||
if (!buffer)
|
||||
return -ENOMEM;
|
||||
|
||||
buflen = PAGE_SIZE;
|
||||
end = buffer+buflen;
|
||||
*--end = '\0';
|
||||
buflen--;
|
||||
path = end-1;
|
||||
*path = '/';
|
||||
while (de && de != de->parent) {
|
||||
buflen -= de->namelen + 1;
|
||||
if (buflen < 0)
|
||||
break;
|
||||
end -= de->namelen;
|
||||
memcpy(end, de->name, de->namelen);
|
||||
*--end = '/';
|
||||
path = end;
|
||||
de = de->parent;
|
||||
path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
|
||||
if (IS_ERR(path))
|
||||
rc = PTR_ERR(path);
|
||||
else {
|
||||
/* each process gets a /proc/PID/ entry. Strip off the
|
||||
* PID part to get a valid selinux labeling.
|
||||
* e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
|
||||
while (path[1] >= '0' && path[1] <= '9') {
|
||||
path[1] = '/';
|
||||
path++;
|
||||
}
|
||||
rc = security_genfs_sid("proc", path, tclass, sid);
|
||||
}
|
||||
rc = security_genfs_sid("proc", path, tclass, sid);
|
||||
free_page((unsigned long)buffer);
|
||||
return rc;
|
||||
}
|
||||
#else
|
||||
static int selinux_proc_get_sid(struct proc_dir_entry *de,
|
||||
static int selinux_proc_get_sid(struct dentry *dentry,
|
||||
u16 tclass,
|
||||
u32 *sid)
|
||||
{
|
||||
@@ -1300,10 +1298,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
|
||||
|
||||
/* Try to obtain a transition SID. */
|
||||
isec->sclass = inode_mode_to_security_class(inode->i_mode);
|
||||
rc = security_transition_sid(isec->task_sid,
|
||||
sbsec->sid,
|
||||
isec->sclass,
|
||||
&sid);
|
||||
rc = security_transition_sid(isec->task_sid, sbsec->sid,
|
||||
isec->sclass, NULL, &sid);
|
||||
if (rc)
|
||||
goto out_unlock;
|
||||
isec->sid = sid;
|
||||
@@ -1316,10 +1312,9 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
|
||||
isec->sid = sbsec->sid;
|
||||
|
||||
if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
|
||||
struct proc_inode *proci = PROC_I(inode);
|
||||
if (proci->pde) {
|
||||
if (opt_dentry) {
|
||||
isec->sclass = inode_mode_to_security_class(inode->i_mode);
|
||||
rc = selinux_proc_get_sid(proci->pde,
|
||||
rc = selinux_proc_get_sid(opt_dentry,
|
||||
isec->sclass,
|
||||
&sid);
|
||||
if (rc)
|
||||
@@ -1578,7 +1573,7 @@ static int may_create(struct inode *dir,
|
||||
return rc;
|
||||
|
||||
if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
|
||||
rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
|
||||
rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid);
|
||||
if (rc)
|
||||
return rc;
|
||||
}
|
||||
@@ -1862,82 +1857,6 @@ static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
|
||||
return task_has_capability(tsk, cred, cap, audit);
|
||||
}
|
||||
|
||||
static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
|
||||
{
|
||||
int buflen, rc;
|
||||
char *buffer, *path, *end;
|
||||
|
||||
rc = -ENOMEM;
|
||||
buffer = (char *)__get_free_page(GFP_KERNEL);
|
||||
if (!buffer)
|
||||
goto out;
|
||||
|
||||
buflen = PAGE_SIZE;
|
||||
end = buffer+buflen;
|
||||
*--end = '\0';
|
||||
buflen--;
|
||||
path = end-1;
|
||||
*path = '/';
|
||||
while (table) {
|
||||
const char *name = table->procname;
|
||||
size_t namelen = strlen(name);
|
||||
buflen -= namelen + 1;
|
||||
if (buflen < 0)
|
||||
goto out_free;
|
||||
end -= namelen;
|
||||
memcpy(end, name, namelen);
|
||||
*--end = '/';
|
||||
path = end;
|
||||
table = table->parent;
|
||||
}
|
||||
buflen -= 4;
|
||||
if (buflen < 0)
|
||||
goto out_free;
|
||||
end -= 4;
|
||||
memcpy(end, "/sys", 4);
|
||||
path = end;
|
||||
rc = security_genfs_sid("proc", path, tclass, sid);
|
||||
out_free:
|
||||
free_page((unsigned long)buffer);
|
||||
out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
static int selinux_sysctl(ctl_table *table, int op)
|
||||
{
|
||||
int error = 0;
|
||||
u32 av;
|
||||
u32 tsid, sid;
|
||||
int rc;
|
||||
|
||||
sid = current_sid();
|
||||
|
||||
rc = selinux_sysctl_get_sid(table, (op == 0001) ?
|
||||
SECCLASS_DIR : SECCLASS_FILE, &tsid);
|
||||
if (rc) {
|
||||
/* Default to the well-defined sysctl SID. */
|
||||
tsid = SECINITSID_SYSCTL;
|
||||
}
|
||||
|
||||
/* The op values are "defined" in sysctl.c, thereby creating
|
||||
* a bad coupling between this module and sysctl.c */
|
||||
if (op == 001) {
|
||||
error = avc_has_perm(sid, tsid,
|
||||
SECCLASS_DIR, DIR__SEARCH, NULL);
|
||||
} else {
|
||||
av = 0;
|
||||
if (op & 004)
|
||||
av |= FILE__READ;
|
||||
if (op & 002)
|
||||
av |= FILE__WRITE;
|
||||
if (av)
|
||||
error = avc_has_perm(sid, tsid,
|
||||
SECCLASS_FILE, av, NULL);
|
||||
}
|
||||
|
||||
return error;
|
||||
}
|
||||
|
||||
static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
|
||||
{
|
||||
const struct cred *cred = current_cred();
|
||||
@@ -2060,7 +1979,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
|
||||
} else {
|
||||
/* Check for a default transition on this program. */
|
||||
rc = security_transition_sid(old_tsec->sid, isec->sid,
|
||||
SECCLASS_PROCESS, &new_tsec->sid);
|
||||
SECCLASS_PROCESS, NULL,
|
||||
&new_tsec->sid);
|
||||
if (rc)
|
||||
return rc;
|
||||
}
|
||||
@@ -2443,6 +2363,91 @@ out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
static int selinux_sb_remount(struct super_block *sb, void *data)
|
||||
{
|
||||
int rc, i, *flags;
|
||||
struct security_mnt_opts opts;
|
||||
char *secdata, **mount_options;
|
||||
struct superblock_security_struct *sbsec = sb->s_security;
|
||||
|
||||
if (!(sbsec->flags & SE_SBINITIALIZED))
|
||||
return 0;
|
||||
|
||||
if (!data)
|
||||
return 0;
|
||||
|
||||
if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
|
||||
return 0;
|
||||
|
||||
security_init_mnt_opts(&opts);
|
||||
secdata = alloc_secdata();
|
||||
if (!secdata)
|
||||
return -ENOMEM;
|
||||
rc = selinux_sb_copy_data(data, secdata);
|
||||
if (rc)
|
||||
goto out_free_secdata;
|
||||
|
||||
rc = selinux_parse_opts_str(secdata, &opts);
|
||||
if (rc)
|
||||
goto out_free_secdata;
|
||||
|
||||
mount_options = opts.mnt_opts;
|
||||
flags = opts.mnt_opts_flags;
|
||||
|
||||
for (i = 0; i < opts.num_mnt_opts; i++) {
|
||||
u32 sid;
|
||||
size_t len;
|
||||
|
||||
if (flags[i] == SE_SBLABELSUPP)
|
||||
continue;
|
||||
len = strlen(mount_options[i]);
|
||||
rc = security_context_to_sid(mount_options[i], len, &sid);
|
||||
if (rc) {
|
||||
printk(KERN_WARNING "SELinux: security_context_to_sid"
|
||||
"(%s) failed for (dev %s, type %s) errno=%d\n",
|
||||
mount_options[i], sb->s_id, sb->s_type->name, rc);
|
||||
goto out_free_opts;
|
||||
}
|
||||
rc = -EINVAL;
|
||||
switch (flags[i]) {
|
||||
case FSCONTEXT_MNT:
|
||||
if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
|
||||
goto out_bad_option;
|
||||
break;
|
||||
case CONTEXT_MNT:
|
||||
if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
|
||||
goto out_bad_option;
|
||||
break;
|
||||
case ROOTCONTEXT_MNT: {
|
||||
struct inode_security_struct *root_isec;
|
||||
root_isec = sb->s_root->d_inode->i_security;
|
||||
|
||||
if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
|
||||
goto out_bad_option;
|
||||
break;
|
||||
}
|
||||
case DEFCONTEXT_MNT:
|
||||
if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
|
||||
goto out_bad_option;
|
||||
break;
|
||||
default:
|
||||
goto out_free_opts;
|
||||
}
|
||||
}
|
||||
|
||||
rc = 0;
|
||||
out_free_opts:
|
||||
security_free_mnt_opts(&opts);
|
||||
out_free_secdata:
|
||||
free_secdata(secdata);
|
||||
return rc;
|
||||
out_bad_option:
|
||||
printk(KERN_WARNING "SELinux: unable to change security options "
|
||||
"during remount (dev %s, type=%s)\n", sb->s_id,
|
||||
sb->s_type->name);
|
||||
goto out_free_opts;
|
||||
}
|
||||
|
||||
static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
|
||||
{
|
||||
const struct cred *cred = current_cred();
|
||||
@@ -2509,8 +2514,8 @@ static void selinux_inode_free_security(struct inode *inode)
|
||||
}
|
||||
|
||||
static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
|
||||
char **name, void **value,
|
||||
size_t *len)
|
||||
const struct qstr *qstr, char **name,
|
||||
void **value, size_t *len)
|
||||
{
|
||||
const struct task_security_struct *tsec = current_security();
|
||||
struct inode_security_struct *dsec;
|
||||
@@ -2531,7 +2536,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
|
||||
else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
|
||||
rc = security_transition_sid(sid, dsec->sid,
|
||||
inode_mode_to_security_class(inode->i_mode),
|
||||
&newsid);
|
||||
qstr, &newsid);
|
||||
if (rc) {
|
||||
printk(KERN_WARNING "%s: "
|
||||
"security_transition_sid failed, rc=%d (dev=%s "
|
||||
@@ -2932,16 +2937,47 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
|
||||
unsigned long arg)
|
||||
{
|
||||
const struct cred *cred = current_cred();
|
||||
u32 av = 0;
|
||||
int error = 0;
|
||||
|
||||
if (_IOC_DIR(cmd) & _IOC_WRITE)
|
||||
av |= FILE__WRITE;
|
||||
if (_IOC_DIR(cmd) & _IOC_READ)
|
||||
av |= FILE__READ;
|
||||
if (!av)
|
||||
av = FILE__IOCTL;
|
||||
switch (cmd) {
|
||||
case FIONREAD:
|
||||
/* fall through */
|
||||
case FIBMAP:
|
||||
/* fall through */
|
||||
case FIGETBSZ:
|
||||
/* fall through */
|
||||
case EXT2_IOC_GETFLAGS:
|
||||
/* fall through */
|
||||
case EXT2_IOC_GETVERSION:
|
||||
error = file_has_perm(cred, file, FILE__GETATTR);
|
||||
break;
|
||||
|
||||
return file_has_perm(cred, file, av);
|
||||
case EXT2_IOC_SETFLAGS:
|
||||
/* fall through */
|
||||
case EXT2_IOC_SETVERSION:
|
||||
error = file_has_perm(cred, file, FILE__SETATTR);
|
||||
break;
|
||||
|
||||
/* sys_ioctl() checks */
|
||||
case FIONBIO:
|
||||
/* fall through */
|
||||
case FIOASYNC:
|
||||
error = file_has_perm(cred, file, 0);
|
||||
break;
|
||||
|
||||
case KDSKBENT:
|
||||
case KDSKBSENT:
|
||||
error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
|
||||
SECURITY_CAP_AUDIT);
|
||||
break;
|
||||
|
||||
/* default case assumes that the command will go
|
||||
* to the file's ioctl() function.
|
||||
*/
|
||||
default:
|
||||
error = file_has_perm(cred, file, FILE__IOCTL);
|
||||
}
|
||||
return error;
|
||||
}
|
||||
|
||||
static int default_noexec;
|
||||
@@ -3644,9 +3680,16 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
|
||||
|
||||
/* socket security operations */
|
||||
|
||||
static u32 socket_sockcreate_sid(const struct task_security_struct *tsec)
|
||||
static int socket_sockcreate_sid(const struct task_security_struct *tsec,
|
||||
u16 secclass, u32 *socksid)
|
||||
{
|
||||
return tsec->sockcreate_sid ? : tsec->sid;
|
||||
if (tsec->sockcreate_sid > SECSID_NULL) {
|
||||
*socksid = tsec->sockcreate_sid;
|
||||
return 0;
|
||||
}
|
||||
|
||||
return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
|
||||
socksid);
|
||||
}
|
||||
|
||||
static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
|
||||
@@ -3670,12 +3713,16 @@ static int selinux_socket_create(int family, int type,
|
||||
const struct task_security_struct *tsec = current_security();
|
||||
u32 newsid;
|
||||
u16 secclass;
|
||||
int rc;
|
||||
|
||||
if (kern)
|
||||
return 0;
|
||||
|
||||
newsid = socket_sockcreate_sid(tsec);
|
||||
secclass = socket_type_to_security_class(family, type, protocol);
|
||||
rc = socket_sockcreate_sid(tsec, secclass, &newsid);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
|
||||
}
|
||||
|
||||
@@ -3687,12 +3734,16 @@ static int selinux_socket_post_create(struct socket *sock, int family,
|
||||
struct sk_security_struct *sksec;
|
||||
int err = 0;
|
||||
|
||||
isec->sclass = socket_type_to_security_class(family, type, protocol);
|
||||
|
||||
if (kern)
|
||||
isec->sid = SECINITSID_KERNEL;
|
||||
else
|
||||
isec->sid = socket_sockcreate_sid(tsec);
|
||||
else {
|
||||
err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
|
||||
if (err)
|
||||
return err;
|
||||
}
|
||||
|
||||
isec->sclass = socket_type_to_security_class(family, type, protocol);
|
||||
isec->initialized = 1;
|
||||
|
||||
if (sock->sk) {
|
||||
@@ -4002,7 +4053,6 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
|
||||
{
|
||||
int err = 0;
|
||||
struct sk_security_struct *sksec = sk->sk_security;
|
||||
u32 peer_sid;
|
||||
u32 sk_sid = sksec->sid;
|
||||
struct common_audit_data ad;
|
||||
char *addrp;
|
||||
@@ -4021,20 +4071,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
|
||||
return err;
|
||||
}
|
||||
|
||||
if (selinux_policycap_netpeer) {
|
||||
err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
|
||||
if (err)
|
||||
return err;
|
||||
err = avc_has_perm(sk_sid, peer_sid,
|
||||
SECCLASS_PEER, PEER__RECV, &ad);
|
||||
if (err)
|
||||
selinux_netlbl_err(skb, err, 0);
|
||||
} else {
|
||||
err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
|
||||
if (err)
|
||||
return err;
|
||||
err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
|
||||
}
|
||||
err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
|
||||
if (err)
|
||||
return err;
|
||||
err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
|
||||
|
||||
return err;
|
||||
}
|
||||
@@ -4529,9 +4569,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
|
||||
SECCLASS_PACKET, PACKET__SEND, &ad))
|
||||
return NF_DROP_ERR(-ECONNREFUSED);
|
||||
|
||||
if (selinux_policycap_netpeer)
|
||||
if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
|
||||
return NF_DROP_ERR(-ECONNREFUSED);
|
||||
if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
|
||||
return NF_DROP_ERR(-ECONNREFUSED);
|
||||
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
@@ -4574,27 +4613,14 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
|
||||
* from the sending socket, otherwise use the kernel's sid */
|
||||
sk = skb->sk;
|
||||
if (sk == NULL) {
|
||||
switch (family) {
|
||||
case PF_INET:
|
||||
if (IPCB(skb)->flags & IPSKB_FORWARDED)
|
||||
secmark_perm = PACKET__FORWARD_OUT;
|
||||
else
|
||||
secmark_perm = PACKET__SEND;
|
||||
break;
|
||||
case PF_INET6:
|
||||
if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
|
||||
secmark_perm = PACKET__FORWARD_OUT;
|
||||
else
|
||||
secmark_perm = PACKET__SEND;
|
||||
break;
|
||||
default:
|
||||
return NF_DROP_ERR(-ECONNREFUSED);
|
||||
}
|
||||
if (secmark_perm == PACKET__FORWARD_OUT) {
|
||||
if (skb->skb_iif) {
|
||||
secmark_perm = PACKET__FORWARD_OUT;
|
||||
if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
|
||||
return NF_DROP;
|
||||
} else
|
||||
} else {
|
||||
secmark_perm = PACKET__SEND;
|
||||
peer_sid = SECINITSID_KERNEL;
|
||||
}
|
||||
} else {
|
||||
struct sk_security_struct *sksec = sk->sk_security;
|
||||
peer_sid = sksec->sid;
|
||||
@@ -4848,7 +4874,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
|
||||
* message queue this message will be stored in
|
||||
*/
|
||||
rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
|
||||
&msec->sid);
|
||||
NULL, &msec->sid);
|
||||
if (rc)
|
||||
return rc;
|
||||
}
|
||||
@@ -5402,7 +5428,6 @@ static struct security_operations selinux_ops = {
|
||||
.ptrace_traceme = selinux_ptrace_traceme,
|
||||
.capget = selinux_capget,
|
||||
.capset = selinux_capset,
|
||||
.sysctl = selinux_sysctl,
|
||||
.capable = selinux_capable,
|
||||
.quotactl = selinux_quotactl,
|
||||
.quota_on = selinux_quota_on,
|
||||
@@ -5420,6 +5445,7 @@ static struct security_operations selinux_ops = {
|
||||
.sb_alloc_security = selinux_sb_alloc_security,
|
||||
.sb_free_security = selinux_sb_free_security,
|
||||
.sb_copy_data = selinux_sb_copy_data,
|
||||
.sb_remount = selinux_sb_remount,
|
||||
.sb_kern_mount = selinux_sb_kern_mount,
|
||||
.sb_show_options = selinux_sb_show_options,
|
||||
.sb_statfs = selinux_sb_statfs,
|
||||
|
||||
Reference in New Issue
Block a user