From af8ff04917169805b151280155bf772d3ca9bec0 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Sun, 20 Sep 2009 21:23:01 -0400 Subject: SELinux: reset the security_ops before flushing the avc cache This patch resets the security_ops to the secondary_ops before it flushes the avc. It's still possible that a task on another processor could have already passed the security_ops dereference and be executing an selinux hook function which would add a new avc entry. That entry would still not be freed. This should however help to reduce the number of needless avcs the kernel has when selinux is disabled at run time. There is no wasted memory if selinux is disabled on the command line or not compiled. Signed-off-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index bb230d5d7085..a985d0bc59bb 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5830,12 +5830,12 @@ int selinux_disable(void) selinux_disabled = 1; selinux_enabled = 0; - /* Try to destroy the avc node cache */ - avc_disable(); - /* Reset security_ops to the secondary module, dummy or capability. */ security_ops = secondary_ops; + /* Try to destroy the avc node cache */ + avc_disable(); + /* Unregister netfilter hooks. */ selinux_nf_ip_exit(); -- cgit From c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Wed, 30 Sep 2009 13:37:50 -0400 Subject: selinux: dynamic class/perm discovery Modify SELinux to dynamically discover class and permission values upon policy load, based on the dynamic object class/perm discovery logic from libselinux. A mapping is created between kernel-private class and permission indices used outside the security server and the policy values used within the security server. The mappings are only applied upon kernel-internal computations; similar mappings for the private indices of userspace object managers is handled on a per-object manager basis by the userspace AVC. The interfaces for compute_av and transition_sid are split for kernel vs. userspace; the userspace functions are distinguished by a _user suffix. The kernel-private class indices are no longer tied to the policy values and thus do not need to skip indices for userspace classes; thus the kernel class index values are compressed. The flask.h definitions were regenerated by deleting the userspace classes from refpolicy's definitions and then regenerating the headers. Going forward, we can just maintain the flask.h, av_permissions.h, and classmap.h definitions separately from policy as they are no longer tied to the policy values. The next patch introduces a utility to automate generation of flask.h and av_permissions.h from the classmap.h definitions. The older kernel class and permission string tables are removed and replaced by a single security class mapping table that is walked at policy load to generate the mapping. The old kernel class validation logic is completely replaced by the mapping logic. The handle unknown logic is reworked. reject_unknown=1 is handled when the mappings are computed at policy load time, similar to the old handling by the class validation logic. allow_unknown=1 is handled when computing and mapping decisions - if the permission was not able to be mapped (i.e. undefined, mapped to zero), then it is automatically added to the allowed vector. If the class was not able to be mapped (i.e. undefined, mapped to zero), then all permissions are allowed for it if allow_unknown=1. avc_audit leverages the new security class mapping table to lookup the class and permission names from the kernel-private indices. The mdp program is updated to use the new table when generating the class definitions and allow rules for a minimal boot policy for the kernel. It should be noted that this policy will not include any userspace classes, nor will its policy index values for the kernel classes correspond with the ones in refpolicy (they will instead match the kernel-private indices). Signed-off-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/avc.c | 76 +--- security/selinux/include/av_inherit.h | 34 -- security/selinux/include/av_perm_to_string.h | 183 -------- security/selinux/include/av_permissions.h | 44 +- security/selinux/include/avc_ss.h | 21 +- security/selinux/include/class_to_string.h | 80 ---- security/selinux/include/classmap.h | 150 +++++++ security/selinux/include/common_perm_to_string.h | 58 --- security/selinux/include/flask.h | 40 +- security/selinux/include/security.h | 13 +- security/selinux/selinuxfs.c | 4 +- security/selinux/ss/mls.c | 2 +- security/selinux/ss/policydb.c | 47 +- security/selinux/ss/policydb.h | 7 +- security/selinux/ss/services.c | 540 ++++++++++++----------- 15 files changed, 555 insertions(+), 744 deletions(-) delete mode 100644 security/selinux/include/av_inherit.h delete mode 100644 security/selinux/include/av_perm_to_string.h delete mode 100644 security/selinux/include/class_to_string.h create mode 100644 security/selinux/include/classmap.h delete mode 100644 security/selinux/include/common_perm_to_string.h (limited to 'security') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index b4b5da1c0a42..18f4103e02b7 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -31,43 +31,7 @@ #include #include "avc.h" #include "avc_ss.h" - -static const struct av_perm_to_string av_perm_to_string[] = { -#define S_(c, v, s) { c, v, s }, -#include "av_perm_to_string.h" -#undef S_ -}; - -static const char *class_to_string[] = { -#define S_(s) s, -#include "class_to_string.h" -#undef S_ -}; - -#define TB_(s) static const char *s[] = { -#define TE_(s) }; -#define S_(s) s, -#include "common_perm_to_string.h" -#undef TB_ -#undef TE_ -#undef S_ - -static const struct av_inherit av_inherit[] = { -#define S_(c, i, b) { .tclass = c,\ - .common_pts = common_##i##_perm_to_string,\ - .common_base = b }, -#include "av_inherit.h" -#undef S_ -}; - -const struct selinux_class_perm selinux_class_perm = { - .av_perm_to_string = av_perm_to_string, - .av_pts_len = ARRAY_SIZE(av_perm_to_string), - .class_to_string = class_to_string, - .cts_len = ARRAY_SIZE(class_to_string), - .av_inherit = av_inherit, - .av_inherit_len = ARRAY_SIZE(av_inherit) -}; +#include "classmap.h" #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 @@ -139,52 +103,28 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) */ static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) { - const char **common_pts = NULL; - u32 common_base = 0; - int i, i2, perm; + const char **perms; + int i, perm; if (av == 0) { audit_log_format(ab, " null"); return; } - for (i = 0; i < ARRAY_SIZE(av_inherit); i++) { - if (av_inherit[i].tclass == tclass) { - common_pts = av_inherit[i].common_pts; - common_base = av_inherit[i].common_base; - break; - } - } + perms = secclass_map[tclass-1].perms; audit_log_format(ab, " {"); i = 0; perm = 1; - while (perm < common_base) { + while (i < (sizeof(av) * 8)) { if (perm & av) { - audit_log_format(ab, " %s", common_pts[i]); + audit_log_format(ab, " %s", perms[i]); av &= ~perm; } i++; perm <<= 1; } - while (i < sizeof(av) * 8) { - if (perm & av) { - for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) { - if ((av_perm_to_string[i2].tclass == tclass) && - (av_perm_to_string[i2].value == perm)) - break; - } - if (i2 < ARRAY_SIZE(av_perm_to_string)) { - audit_log_format(ab, " %s", - av_perm_to_string[i2].name); - av &= ~perm; - } - } - i++; - perm <<= 1; - } - if (av) audit_log_format(ab, " 0x%x", av); @@ -219,8 +159,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla kfree(scontext); } - BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]); - audit_log_format(ab, " tclass=%s", class_to_string[tclass]); + BUG_ON(tclass >= ARRAY_SIZE(secclass_map)); + audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); } /** diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h deleted file mode 100644 index abedcd704dae..000000000000 --- a/security/selinux/include/av_inherit.h +++ /dev/null @@ -1,34 +0,0 @@ -/* This file is automatically generated. Do not edit. */ - S_(SECCLASS_DIR, file, 0x00020000UL) - S_(SECCLASS_FILE, file, 0x00020000UL) - S_(SECCLASS_LNK_FILE, file, 0x00020000UL) - S_(SECCLASS_CHR_FILE, file, 0x00020000UL) - S_(SECCLASS_BLK_FILE, file, 0x00020000UL) - S_(SECCLASS_SOCK_FILE, file, 0x00020000UL) - S_(SECCLASS_FIFO_FILE, file, 0x00020000UL) - S_(SECCLASS_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_IPC, ipc, 0x00000200UL) - S_(SECCLASS_SEM, ipc, 0x00000200UL) - S_(SECCLASS_MSGQ, ipc, 0x00000200UL) - S_(SECCLASS_SHM, ipc, 0x00000200UL) - S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL) - S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL) diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h deleted file mode 100644 index 2b683ad83d21..000000000000 --- a/security/selinux/include/av_perm_to_string.h +++ /dev/null @@ -1,183 +0,0 @@ -/* This file is automatically generated. Do not edit. */ - S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount") - S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount") - S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount") - S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr") - S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom") - S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto") - S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition") - S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate") - S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod") - S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget") - S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name") - S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name") - S_(SECCLASS_DIR, DIR__REPARENT, "reparent") - S_(SECCLASS_DIR, DIR__SEARCH, "search") - S_(SECCLASS_DIR, DIR__RMDIR, "rmdir") - S_(SECCLASS_DIR, DIR__OPEN, "open") - S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans") - S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint") - S_(SECCLASS_FILE, FILE__EXECMOD, "execmod") - S_(SECCLASS_FILE, FILE__OPEN, "open") - S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans") - S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint") - S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod") - S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open") - S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open") - S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open") - S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open") - S_(SECCLASS_FD, FD__USE, "use") - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto") - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn") - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom") - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind") - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect") - S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind") - S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind") - S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv") - S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send") - S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv") - S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send") - S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv") - S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send") - S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest") - S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv") - S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send") - S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom") - S_(SECCLASS_NODE, NODE__SENDTO, "sendto") - S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv") - S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send") - S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv") - S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send") - S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv") - S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send") - S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv") - S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send") - S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress") - S_(SECCLASS_NETIF, NETIF__EGRESS, "egress") - S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto") - S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn") - S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom") - S_(SECCLASS_PROCESS, PROCESS__FORK, "fork") - S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition") - S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld") - S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill") - S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop") - S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull") - S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal") - S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace") - S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched") - S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched") - S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession") - S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid") - S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid") - S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap") - S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap") - S_(SECCLASS_PROCESS, PROCESS__SHARE, "share") - S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr") - S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec") - S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate") - S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure") - S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh") - S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit") - S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh") - S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition") - S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent") - S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") - S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack") - S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap") - S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate") - S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate") - S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") - S_(SECCLASS_MSG, MSG__SEND, "send") - S_(SECCLASS_MSG, MSG__RECEIVE, "receive") - S_(SECCLASS_SHM, SHM__LOCK, "lock") - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av") - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create") - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member") - S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context") - S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy") - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel") - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user") - S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce") - S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool") - S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam") - S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot") - S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info") - S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read") - S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod") - S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console") - S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request") - S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown") - S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override") - S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search") - S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner") - S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid") - S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill") - S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid") - S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid") - S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap") - S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable") - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service") - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast") - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin") - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw") - S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock") - S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner") - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module") - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio") - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot") - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace") - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct") - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin") - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot") - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice") - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource") - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time") - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config") - S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod") - S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease") - S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write") - S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control") - S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap") - S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override") - S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin") - S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read") - S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write") - S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read") - S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write") - S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read") - S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write") - S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read") - S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write") - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read") - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write") - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay") - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv") - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit") - S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read") - S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write") - S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto") - S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom") - S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext") - S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch") - S_(SECCLASS_PACKET, PACKET__SEND, "send") - S_(SECCLASS_PACKET, PACKET__RECV, "recv") - S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto") - S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in") - S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out") - S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in") - S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out") - S_(SECCLASS_KEY, KEY__VIEW, "view") - S_(SECCLASS_KEY, KEY__READ, "read") - S_(SECCLASS_KEY, KEY__WRITE, "write") - S_(SECCLASS_KEY, KEY__SEARCH, "search") - S_(SECCLASS_KEY, KEY__LINK, "link") - S_(SECCLASS_KEY, KEY__SETATTR, "setattr") - S_(SECCLASS_KEY, KEY__CREATE, "create") - S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind") - S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect") - S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero") - S_(SECCLASS_PEER, PEER__RECV, "recv") - S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override") - S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as") diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index 0546d616ccac..fef2582b734d 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h @@ -423,28 +423,6 @@ #define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL #define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL #define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL -#define TUN_SOCKET__IOCTL 0x00000001UL -#define TUN_SOCKET__READ 0x00000002UL -#define TUN_SOCKET__WRITE 0x00000004UL -#define TUN_SOCKET__CREATE 0x00000008UL -#define TUN_SOCKET__GETATTR 0x00000010UL -#define TUN_SOCKET__SETATTR 0x00000020UL -#define TUN_SOCKET__LOCK 0x00000040UL -#define TUN_SOCKET__RELABELFROM 0x00000080UL -#define TUN_SOCKET__RELABELTO 0x00000100UL -#define TUN_SOCKET__APPEND 0x00000200UL -#define TUN_SOCKET__BIND 0x00000400UL -#define TUN_SOCKET__CONNECT 0x00000800UL -#define TUN_SOCKET__LISTEN 0x00001000UL -#define TUN_SOCKET__ACCEPT 0x00002000UL -#define TUN_SOCKET__GETOPT 0x00004000UL -#define TUN_SOCKET__SETOPT 0x00008000UL -#define TUN_SOCKET__SHUTDOWN 0x00010000UL -#define TUN_SOCKET__RECVFROM 0x00020000UL -#define TUN_SOCKET__SENDTO 0x00040000UL -#define TUN_SOCKET__RECV_MSG 0x00080000UL -#define TUN_SOCKET__SEND_MSG 0x00100000UL -#define TUN_SOCKET__NAME_BIND 0x00200000UL #define PROCESS__FORK 0x00000001UL #define PROCESS__TRANSITION 0x00000002UL #define PROCESS__SIGCHLD 0x00000004UL @@ -868,3 +846,25 @@ #define PEER__RECV 0x00000001UL #define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL #define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL +#define TUN_SOCKET__IOCTL 0x00000001UL +#define TUN_SOCKET__READ 0x00000002UL +#define TUN_SOCKET__WRITE 0x00000004UL +#define TUN_SOCKET__CREATE 0x00000008UL +#define TUN_SOCKET__GETATTR 0x00000010UL +#define TUN_SOCKET__SETATTR 0x00000020UL +#define TUN_SOCKET__LOCK 0x00000040UL +#define TUN_SOCKET__RELABELFROM 0x00000080UL +#define TUN_SOCKET__RELABELTO 0x00000100UL +#define TUN_SOCKET__APPEND 0x00000200UL +#define TUN_SOCKET__BIND 0x00000400UL +#define TUN_SOCKET__CONNECT 0x00000800UL +#define TUN_SOCKET__LISTEN 0x00001000UL +#define TUN_SOCKET__ACCEPT 0x00002000UL +#define TUN_SOCKET__GETOPT 0x00004000UL +#define TUN_SOCKET__SETOPT 0x00008000UL +#define TUN_SOCKET__SHUTDOWN 0x00010000UL +#define TUN_SOCKET__RECVFROM 0x00020000UL +#define TUN_SOCKET__SENDTO 0x00040000UL +#define TUN_SOCKET__RECV_MSG 0x00080000UL +#define TUN_SOCKET__SEND_MSG 0x00100000UL +#define TUN_SOCKET__NAME_BIND 0x00200000UL diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h index bb1ec801bdfe..4677aa519b04 100644 --- a/security/selinux/include/avc_ss.h +++ b/security/selinux/include/avc_ss.h @@ -10,26 +10,13 @@ int avc_ss_reset(u32 seqno); -struct av_perm_to_string { - u16 tclass; - u32 value; +/* Class/perm mapping support */ +struct security_class_mapping { const char *name; + const char *perms[sizeof(u32) * 8 + 1]; }; -struct av_inherit { - const char **common_pts; - u32 common_base; - u16 tclass; -}; - -struct selinux_class_perm { - const struct av_perm_to_string *av_perm_to_string; - u32 av_pts_len; - u32 cts_len; - const char **class_to_string; - const struct av_inherit *av_inherit; - u32 av_inherit_len; -}; +extern struct security_class_mapping secclass_map[]; #endif /* _SELINUX_AVC_SS_H_ */ diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h deleted file mode 100644 index 7ab9299bfb6b..000000000000 --- a/security/selinux/include/class_to_string.h +++ /dev/null @@ -1,80 +0,0 @@ -/* This file is automatically generated. Do not edit. */ -/* - * Security object class definitions - */ - S_(NULL) - S_("security") - S_("process") - S_("system") - S_("capability") - S_("filesystem") - S_("file") - S_("dir") - S_("fd") - S_("lnk_file") - S_("chr_file") - S_("blk_file") - S_("sock_file") - S_("fifo_file") - S_("socket") - S_("tcp_socket") - S_("udp_socket") - S_("rawip_socket") - S_("node") - S_("netif") - S_("netlink_socket") - S_("packet_socket") - S_("key_socket") - S_("unix_stream_socket") - S_("unix_dgram_socket") - S_("sem") - S_("msg") - S_("msgq") - S_("shm") - S_("ipc") - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_("netlink_route_socket") - S_("netlink_firewall_socket") - S_("netlink_tcpdiag_socket") - S_("netlink_nflog_socket") - S_("netlink_xfrm_socket") - S_("netlink_selinux_socket") - S_("netlink_audit_socket") - S_("netlink_ip6fw_socket") - S_("netlink_dnrt_socket") - S_(NULL) - S_(NULL) - S_("association") - S_("netlink_kobject_uevent_socket") - S_("appletalk_socket") - S_("packet") - S_("key") - S_(NULL) - S_("dccp_socket") - S_("memprotect") - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_("peer") - S_("capability2") - S_(NULL) - S_(NULL) - S_(NULL) - S_(NULL) - S_("kernel_service") - S_("tun_socket") diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h new file mode 100644 index 000000000000..8b32e959bb2e --- /dev/null +++ b/security/selinux/include/classmap.h @@ -0,0 +1,150 @@ +#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \ + "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append" + +#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \ + "rename", "execute", "swapon", "quotaon", "mounton" + +#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \ + "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \ + "sendto", "recv_msg", "send_msg", "name_bind" + +#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ + "write", "associate", "unix_read", "unix_write" + +struct security_class_mapping secclass_map[] = { + { "security", + { "compute_av", "compute_create", "compute_member", + "check_context", "load_policy", "compute_relabel", + "compute_user", "setenforce", "setbool", "setsecparam", + "setcheckreqprot", NULL } }, + { "process", + { "fork", "transition", "sigchld", "sigkill", + "sigstop", "signull", "signal", "ptrace", "getsched", "setsched", + "getsession", "getpgid", "setpgid", "getcap", "setcap", "share", + "getattr", "setexec", "setfscreate", "noatsecure", "siginh", + "setrlimit", "rlimitinh", "dyntransition", "setcurrent", + "execmem", "execstack", "execheap", "setkeycreate", + "setsockcreate", NULL } }, + { "system", + { "ipc_info", "syslog_read", "syslog_mod", + "syslog_console", "module_request", NULL } }, + { "capability", + { "chown", "dac_override", "dac_read_search", + "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", + "linux_immutable", "net_bind_service", "net_broadcast", + "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", + "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", + "sys_boot", "sys_nice", "sys_resource", "sys_time", + "sys_tty_config", "mknod", "lease", "audit_write", + "audit_control", "setfcap", NULL } }, + { "filesystem", + { "mount", "remount", "unmount", "getattr", + "relabelfrom", "relabelto", "transition", "associate", "quotamod", + "quotaget", NULL } }, + { "file", + { COMMON_FILE_PERMS, + "execute_no_trans", "entrypoint", "execmod", "open", NULL } }, + { "dir", + { COMMON_FILE_PERMS, "add_name", "remove_name", + "reparent", "search", "rmdir", "open", NULL } }, + { "fd", { "use", NULL } }, + { "lnk_file", + { COMMON_FILE_PERMS, NULL } }, + { "chr_file", + { COMMON_FILE_PERMS, + "execute_no_trans", "entrypoint", "execmod", "open", NULL } }, + { "blk_file", + { COMMON_FILE_PERMS, "open", NULL } }, + { "sock_file", + { COMMON_FILE_PERMS, "open", NULL } }, + { "fifo_file", + { COMMON_FILE_PERMS, "open", NULL } }, + { "socket", + { COMMON_SOCK_PERMS, NULL } }, + { "tcp_socket", + { COMMON_SOCK_PERMS, + "connectto", "newconn", "acceptfrom", "node_bind", "name_connect", + NULL } }, + { "udp_socket", + { COMMON_SOCK_PERMS, + "node_bind", NULL } }, + { "rawip_socket", + { COMMON_SOCK_PERMS, + "node_bind", NULL } }, + { "node", + { "tcp_recv", "tcp_send", "udp_recv", "udp_send", + "rawip_recv", "rawip_send", "enforce_dest", + "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } }, + { "netif", + { "tcp_recv", "tcp_send", "udp_recv", "udp_send", + "rawip_recv", "rawip_send", "dccp_recv", "dccp_send", + "ingress", "egress", NULL } }, + { "netlink_socket", + { COMMON_SOCK_PERMS, NULL } }, + { "packet_socket", + { COMMON_SOCK_PERMS, NULL } }, + { "key_socket", + { COMMON_SOCK_PERMS, NULL } }, + { "unix_stream_socket", + { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL + } }, + { "unix_dgram_socket", + { COMMON_SOCK_PERMS, NULL + } }, + { "sem", + { COMMON_IPC_PERMS, NULL } }, + { "msg", { "send", "receive", NULL } }, + { "msgq", + { COMMON_IPC_PERMS, "enqueue", NULL } }, + { "shm", + { COMMON_IPC_PERMS, "lock", NULL } }, + { "ipc", + { COMMON_IPC_PERMS, NULL } }, + { "netlink_route_socket", + { COMMON_SOCK_PERMS, + "nlmsg_read", "nlmsg_write", NULL } }, + { "netlink_firewall_socket", + { COMMON_SOCK_PERMS, + "nlmsg_read", "nlmsg_write", NULL } }, + { "netlink_tcpdiag_socket", + { COMMON_SOCK_PERMS, + "nlmsg_read", "nlmsg_write", NULL } }, + { "netlink_nflog_socket", + { COMMON_SOCK_PERMS, NULL } }, + { "netlink_xfrm_socket", + { COMMON_SOCK_PERMS, + "nlmsg_read", "nlmsg_write", NULL } }, + { "netlink_selinux_socket", + { COMMON_SOCK_PERMS, NULL } }, + { "netlink_audit_socket", + { COMMON_SOCK_PERMS, + "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv", + "nlmsg_tty_audit", NULL } }, + { "netlink_ip6fw_socket", + { COMMON_SOCK_PERMS, + "nlmsg_read", "nlmsg_write", NULL } }, + { "netlink_dnrt_socket", + { COMMON_SOCK_PERMS, NULL } }, + { "association", + { "sendto", "recvfrom", "setcontext", "polmatch", NULL } }, + { "netlink_kobject_uevent_socket", + { COMMON_SOCK_PERMS, NULL } }, + { "appletalk_socket", + { COMMON_SOCK_PERMS, NULL } }, + { "packet", + { "send", "recv", "relabelto", "flow_in", "flow_out", + "forward_in", "forward_out", NULL } }, + { "key", + { "view", "read", "write", "search", "link", "setattr", "create", + NULL } }, + { "dccp_socket", + { COMMON_SOCK_PERMS, + "node_bind", "name_connect", NULL } }, + { "memprotect", { "mmap_zero", NULL } }, + { "peer", { "recv", NULL } }, + { "capability2", { "mac_override", "mac_admin", NULL } }, + { "kernel_service", { "use_as_override", "create_files_as", NULL } }, + { "tun_socket", + { COMMON_SOCK_PERMS, NULL } }, + { NULL } + }; diff --git a/security/selinux/include/common_perm_to_string.h b/security/selinux/include/common_perm_to_string.h deleted file mode 100644 index ce5b6e2fe9dd..000000000000 --- a/security/selinux/include/common_perm_to_string.h +++ /dev/null @@ -1,58 +0,0 @@ -/* This file is automatically generated. Do not edit. */ -TB_(common_file_perm_to_string) - S_("ioctl") - S_("read") - S_("write") - S_("create") - S_("getattr") - S_("setattr") - S_("lock") - S_("relabelfrom") - S_("relabelto") - S_("append") - S_("unlink") - S_("link") - S_("rename") - S_("execute") - S_("swapon") - S_("quotaon") - S_("mounton") -TE_(common_file_perm_to_string) - -TB_(common_socket_perm_to_string) - S_("ioctl") - S_("read") - S_("write") - S_("create") - S_("getattr") - S_("setattr") - S_("lock") - S_("relabelfrom") - S_("relabelto") - S_("append") - S_("bind") - S_("connect") - S_("listen") - S_("accept") - S_("getopt") - S_("setopt") - S_("shutdown") - S_("recvfrom") - S_("sendto") - S_("recv_msg") - S_("send_msg") - S_("name_bind") -TE_(common_socket_perm_to_string) - -TB_(common_ipc_perm_to_string) - S_("create") - S_("destroy") - S_("getattr") - S_("setattr") - S_("read") - S_("write") - S_("associate") - S_("unix_read") - S_("unix_write") -TE_(common_ipc_perm_to_string) - diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h index f248500a1e3c..5359ca2abf21 100644 --- a/security/selinux/include/flask.h +++ b/security/selinux/include/flask.h @@ -34,26 +34,26 @@ #define SECCLASS_MSGQ 27 #define SECCLASS_SHM 28 #define SECCLASS_IPC 29 -#define SECCLASS_NETLINK_ROUTE_SOCKET 43 -#define SECCLASS_NETLINK_FIREWALL_SOCKET 44 -#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45 -#define SECCLASS_NETLINK_NFLOG_SOCKET 46 -#define SECCLASS_NETLINK_XFRM_SOCKET 47 -#define SECCLASS_NETLINK_SELINUX_SOCKET 48 -#define SECCLASS_NETLINK_AUDIT_SOCKET 49 -#define SECCLASS_NETLINK_IP6FW_SOCKET 50 -#define SECCLASS_NETLINK_DNRT_SOCKET 51 -#define SECCLASS_ASSOCIATION 54 -#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55 -#define SECCLASS_APPLETALK_SOCKET 56 -#define SECCLASS_PACKET 57 -#define SECCLASS_KEY 58 -#define SECCLASS_DCCP_SOCKET 60 -#define SECCLASS_MEMPROTECT 61 -#define SECCLASS_PEER 68 -#define SECCLASS_CAPABILITY2 69 -#define SECCLASS_KERNEL_SERVICE 74 -#define SECCLASS_TUN_SOCKET 75 +#define SECCLASS_NETLINK_ROUTE_SOCKET 30 +#define SECCLASS_NETLINK_FIREWALL_SOCKET 31 +#define SECCLASS_NETLINK_TCPDIAG_SOCKET 32 +#define SECCLASS_NETLINK_NFLOG_SOCKET 33 +#define SECCLASS_NETLINK_XFRM_SOCKET 34 +#define SECCLASS_NETLINK_SELINUX_SOCKET 35 +#define SECCLASS_NETLINK_AUDIT_SOCKET 36 +#define SECCLASS_NETLINK_IP6FW_SOCKET 37 +#define SECCLASS_NETLINK_DNRT_SOCKET 38 +#define SECCLASS_ASSOCIATION 39 +#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 40 +#define SECCLASS_APPLETALK_SOCKET 41 +#define SECCLASS_PACKET 42 +#define SECCLASS_KEY 43 +#define SECCLASS_DCCP_SOCKET 44 +#define SECCLASS_MEMPROTECT 45 +#define SECCLASS_PEER 46 +#define SECCLASS_CAPABILITY2 47 +#define SECCLASS_KERNEL_SERVICE 48 +#define SECCLASS_TUN_SOCKET 49 /* * Security identifier indices for initial entities diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ca835795a8b3..2553266ad793 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -97,11 +97,18 @@ struct av_decision { #define AVD_FLAGS_PERMISSIVE 0x0001 int security_compute_av(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - struct av_decision *avd); + u16 tclass, u32 requested, + struct av_decision *avd); + +int security_compute_av_user(u32 ssid, u32 tsid, + u16 tclass, u32 requested, + struct av_decision *avd); int security_transition_sid(u32 ssid, u32 tsid, - u16 tclass, u32 *out_sid); + u16 tclass, u32 *out_sid); + +int security_transition_sid_user(u32 ssid, u32 tsid, + u16 tclass, u32 *out_sid); int security_member_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid); diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index b4fc506e7a87..fab36fdf2769 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -522,7 +522,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) if (length < 0) goto out2; - length = security_compute_av(ssid, tsid, tclass, req, &avd); + length = security_compute_av_user(ssid, tsid, tclass, req, &avd); if (length < 0) goto out2; @@ -571,7 +571,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size) if (length < 0) goto out2; - length = security_transition_sid(ssid, tsid, tclass, &newsid); + length = security_transition_sid_user(ssid, tsid, tclass, &newsid); if (length < 0) goto out2; diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index b5407f16c2a4..3f2b2706b5bb 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c @@ -532,7 +532,7 @@ int mls_compute_sid(struct context *scontext, } /* Fallthrough */ case AVTAB_CHANGE: - if (tclass == SECCLASS_PROCESS) + if (tclass == policydb.process_class) /* Use the process MLS attributes. */ return mls_context_cpy(newcontext, scontext); else diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 72e4a54973aa..f03667213ea8 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -713,7 +713,6 @@ void policydb_destroy(struct policydb *p) ebitmap_destroy(&p->type_attr_map[i]); } kfree(p->type_attr_map); - kfree(p->undefined_perms); ebitmap_destroy(&p->policycaps); ebitmap_destroy(&p->permissive_map); @@ -1640,6 +1639,40 @@ static int policydb_bounds_sanity_check(struct policydb *p) extern int ss_initialized; +u16 string_to_security_class(struct policydb *p, const char *name) +{ + struct class_datum *cladatum; + + cladatum = hashtab_search(p->p_classes.table, name); + if (!cladatum) + return 0; + + return cladatum->value; +} + +u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name) +{ + struct class_datum *cladatum; + struct perm_datum *perdatum = NULL; + struct common_datum *comdatum; + + if (!tclass || tclass > p->p_classes.nprim) + return 0; + + cladatum = p->class_val_to_struct[tclass-1]; + comdatum = cladatum->comdatum; + if (comdatum) + perdatum = hashtab_search(comdatum->permissions.table, + name); + if (!perdatum) + perdatum = hashtab_search(cladatum->permissions.table, + name); + if (!perdatum) + return 0; + + return 1U << (perdatum->value-1); +} + /* * Read the configuration data from a policy database binary * representation file into a policy database structure. @@ -1861,6 +1894,16 @@ int policydb_read(struct policydb *p, void *fp) if (rc) goto bad; + p->process_class = string_to_security_class(p, "process"); + if (!p->process_class) + goto bad; + p->process_trans_perms = string_to_av_perm(p, p->process_class, + "transition"); + p->process_trans_perms |= string_to_av_perm(p, p->process_class, + "dyntransition"); + if (!p->process_trans_perms) + goto bad; + for (i = 0; i < info->ocon_num; i++) { rc = next_entry(buf, fp, sizeof(u32)); if (rc < 0) @@ -2101,7 +2144,7 @@ int policydb_read(struct policydb *p, void *fp) goto bad; rt->target_class = le32_to_cpu(buf[0]); } else - rt->target_class = SECCLASS_PROCESS; + rt->target_class = p->process_class; if (!policydb_type_isvalid(p, rt->source_type) || !policydb_type_isvalid(p, rt->target_type) || !policydb_class_isvalid(p, rt->target_class)) { diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 55152d498b53..cdcc5700946f 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h @@ -254,7 +254,9 @@ struct policydb { unsigned int reject_unknown : 1; unsigned int allow_unknown : 1; - u32 *undefined_perms; + + u16 process_class; + u32 process_trans_perms; }; extern void policydb_destroy(struct policydb *p); @@ -295,5 +297,8 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes) return 0; } +extern u16 string_to_security_class(struct policydb *p, const char *name); +extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name); + #endif /* _SS_POLICYDB_H_ */ diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index ff17820d35ec..e19baa81fdec 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -70,11 +70,6 @@ unsigned int policydb_loaded_version; int selinux_policycap_netpeer; int selinux_policycap_openperm; -/* - * This is declared in avc.c - */ -extern const struct selinux_class_perm selinux_class_perm; - static DEFINE_RWLOCK(policy_rwlock); static struct sidtab sidtab; @@ -98,6 +93,158 @@ static int context_struct_compute_av(struct context *scontext, u16 tclass, u32 requested, struct av_decision *avd); + +struct selinux_mapping { + u16 value; /* policy value */ + unsigned num_perms; + u32 perms[sizeof(u32) * 8]; +}; + +static struct selinux_mapping *current_mapping; +static u16 current_mapping_size; + +static int selinux_set_mapping(struct policydb *pol, + struct security_class_mapping *map, + struct selinux_mapping **out_map_p, + u16 *out_map_size) +{ + struct selinux_mapping *out_map = NULL; + size_t size = sizeof(struct selinux_mapping); + u16 i, j; + unsigned k; + bool print_unknown_handle = false; + + /* Find number of classes in the input mapping */ + if (!map) + return -EINVAL; + i = 0; + while (map[i].name) + i++; + + /* Allocate space for the class records, plus one for class zero */ + out_map = kcalloc(++i, size, GFP_ATOMIC); + if (!out_map) + return -ENOMEM; + + /* Store the raw class and permission values */ + j = 0; + while (map[j].name) { + struct security_class_mapping *p_in = map + (j++); + struct selinux_mapping *p_out = out_map + j; + + /* An empty class string skips ahead */ + if (!strcmp(p_in->name, "")) { + p_out->num_perms = 0; + continue; + } + + p_out->value = string_to_security_class(pol, p_in->name); + if (!p_out->value) { + printk(KERN_INFO + "SELinux: Class %s not defined in policy.\n", + p_in->name); + if (pol->reject_unknown) + goto err; + p_out->num_perms = 0; + print_unknown_handle = true; + continue; + } + + k = 0; + while (p_in->perms && p_in->perms[k]) { + /* An empty permission string skips ahead */ + if (!*p_in->perms[k]) { + k++; + continue; + } + p_out->perms[k] = string_to_av_perm(pol, p_out->value, + p_in->perms[k]); + if (!p_out->perms[k]) { + printk(KERN_INFO + "SELinux: Permission %s in class %s not defined in policy.\n", + p_in->perms[k], p_in->name); + if (pol->reject_unknown) + goto err; + print_unknown_handle = true; + } + + k++; + } + p_out->num_perms = k; + } + + if (print_unknown_handle) + printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", + pol->allow_unknown ? "allowed" : "denied"); + + *out_map_p = out_map; + *out_map_size = i; + return 0; +err: + kfree(out_map); + return -EINVAL; +} + +/* + * Get real, policy values from mapped values + */ + +static u16 unmap_class(u16 tclass) +{ + if (tclass < current_mapping_size) + return current_mapping[tclass].value; + + return tclass; +} + +static u32 unmap_perm(u16 tclass, u32 tperm) +{ + if (tclass < current_mapping_size) { + unsigned i; + u32 kperm = 0; + + for (i = 0; i < current_mapping[tclass].num_perms; i++) + if (tperm & (1<allowed & current_mapping[tclass].perms[i]) + result |= 1<allowed = result; + + for (i = 0, result = 0; i < n; i++) + if (avd->auditallow & current_mapping[tclass].perms[i]) + result |= 1<auditallow = result; + + for (i = 0, result = 0; i < n; i++) { + if (avd->auditdeny & current_mapping[tclass].perms[i]) + result |= 1<auditdeny = result; + } +} + + /* * Return the boolean value of a constraint expression * when it is applied to the specified source and target @@ -467,7 +614,6 @@ static int context_struct_compute_av(struct context *scontext, struct class_datum *tclass_datum; struct ebitmap *sattr, *tattr; struct ebitmap_node *snode, *tnode; - const struct selinux_class_perm *kdefs = &selinux_class_perm; unsigned int i, j; /* @@ -477,9 +623,9 @@ static int context_struct_compute_av(struct context *scontext, * to remain in the correct class. */ if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) - if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && - tclass <= SECCLASS_NETLINK_DNRT_SOCKET) - tclass = SECCLASS_NETLINK_SOCKET; + if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) && + tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET)) + tclass = unmap_class(SECCLASS_NETLINK_SOCKET); /* * Initialize the access vectors to the default values. @@ -490,33 +636,11 @@ static int context_struct_compute_av(struct context *scontext, avd->seqno = latest_granting; avd->flags = 0; - /* - * Check for all the invalid cases. - * - tclass 0 - * - tclass > policy and > kernel - * - tclass > policy but is a userspace class - * - tclass > policy but we do not allow unknowns - */ - if (unlikely(!tclass)) - goto inval_class; - if (unlikely(tclass > policydb.p_classes.nprim)) - if (tclass > kdefs->cts_len || - !kdefs->class_to_string[tclass] || - !policydb.allow_unknown) - goto inval_class; - - /* - * Kernel class and we allow unknown so pad the allow decision - * the pad will be all 1 for unknown classes. - */ - if (tclass <= kdefs->cts_len && policydb.allow_unknown) - avd->allowed = policydb.undefined_perms[tclass - 1]; - - /* - * Not in policy. Since decision is completed (all 1 or all 0) return. - */ - if (unlikely(tclass > policydb.p_classes.nprim)) - return 0; + if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) { + if (printk_ratelimit()) + printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass); + return -EINVAL; + } tclass_datum = policydb.class_val_to_struct[tclass - 1]; @@ -568,8 +692,8 @@ static int context_struct_compute_av(struct context *scontext, * role is changing, then check the (current_role, new_role) * pair. */ - if (tclass == SECCLASS_PROCESS && - (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && + if (tclass == policydb.process_class && + (avd->allowed & policydb.process_trans_perms) && scontext->role != tcontext->role) { for (ra = policydb.role_allow; ra; ra = ra->next) { if (scontext->role == ra->role && @@ -577,8 +701,7 @@ static int context_struct_compute_av(struct context *scontext, break; } if (!ra) - avd->allowed &= ~(PROCESS__TRANSITION | - PROCESS__DYNTRANSITION); + avd->allowed &= ~policydb.process_trans_perms; } /* @@ -590,21 +713,6 @@ static int context_struct_compute_av(struct context *scontext, tclass, requested, avd); return 0; - -inval_class: - if (!tclass || tclass > kdefs->cts_len || - !kdefs->class_to_string[tclass]) { - if (printk_ratelimit()) - printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", - __func__, tclass); - return -EINVAL; - } - - /* - * Known to the kernel, but not to the policy. - * Handle as a denial (allowed is 0). - */ - return 0; } static int security_validtrans_handle_fail(struct context *ocontext, @@ -636,13 +744,14 @@ out: } int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, - u16 tclass) + u16 orig_tclass) { struct context *ocontext; struct context *ncontext; struct context *tcontext; struct class_datum *tclass_datum; struct constraint_node *constraint; + u16 tclass; int rc = 0; if (!ss_initialized) @@ -650,6 +759,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, read_lock(&policy_rwlock); + tclass = unmap_class(orig_tclass); + /* * Remap extended Netlink classes for old policy versions. * Do this here rather than socket_type_to_security_class() @@ -657,9 +768,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, * to remain in the correct class. */ if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) - if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && - tclass <= SECCLASS_NETLINK_DNRT_SOCKET) - tclass = SECCLASS_NETLINK_SOCKET; + if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) && + tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET)) + tclass = unmap_class(SECCLASS_NETLINK_SOCKET); if (!tclass || tclass > policydb.p_classes.nprim) { printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", @@ -792,6 +903,38 @@ out: } +static int security_compute_av_core(u32 ssid, + u32 tsid, + u16 tclass, + u32 requested, + struct av_decision *avd) +{ + struct context *scontext = NULL, *tcontext = NULL; + int rc = 0; + + scontext = sidtab_search(&sidtab, ssid); + if (!scontext) { + printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", + __func__, ssid); + return -EINVAL; + } + tcontext = sidtab_search(&sidtab, tsid); + if (!tcontext) { + printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", + __func__, tsid); + return -EINVAL; + } + + rc = context_struct_compute_av(scontext, tcontext, tclass, + requested, avd); + + /* permissive domain? */ + if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) + avd->flags |= AVD_FLAGS_PERMISSIVE; + + return rc; +} + /** * security_compute_av - Compute access vector decisions. * @ssid: source security identifier @@ -807,12 +950,45 @@ out: */ int security_compute_av(u32 ssid, u32 tsid, - u16 tclass, - u32 requested, + u16 orig_tclass, + u32 orig_requested, struct av_decision *avd) { - struct context *scontext = NULL, *tcontext = NULL; - int rc = 0; + u16 tclass; + u32 requested; + int rc; + + if (!ss_initialized) + goto allow; + + read_lock(&policy_rwlock); + requested = unmap_perm(orig_tclass, orig_requested); + tclass = unmap_class(orig_tclass); + if (unlikely(orig_tclass && !tclass)) { + if (policydb.allow_unknown) + goto allow; + return -EINVAL; + } + rc = security_compute_av_core(ssid, tsid, tclass, requested, avd); + map_decision(orig_tclass, avd, policydb.allow_unknown); + read_unlock(&policy_rwlock); + return rc; +allow: + avd->allowed = 0xffffffff; + avd->auditallow = 0; + avd->auditdeny = 0xffffffff; + avd->seqno = latest_granting; + avd->flags = 0; + return 0; +} + +int security_compute_av_user(u32 ssid, + u32 tsid, + u16 tclass, + u32 requested, + struct av_decision *avd) +{ + int rc; if (!ss_initialized) { avd->allowed = 0xffffffff; @@ -823,29 +999,7 @@ int security_compute_av(u32 ssid, } read_lock(&policy_rwlock); - - scontext = sidtab_search(&sidtab, ssid); - if (!scontext) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, ssid); - rc = -EINVAL; - goto out; - } - tcontext = sidtab_search(&sidtab, tsid); - if (!tcontext) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, tsid); - rc = -EINVAL; - goto out; - } - - rc = context_struct_compute_av(scontext, tcontext, tclass, - requested, avd); - - /* permissive domain? */ - if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) - avd->flags |= AVD_FLAGS_PERMISSIVE; -out: + rc = security_compute_av_core(ssid, tsid, tclass, requested, avd); read_unlock(&policy_rwlock); return rc; } @@ -1204,20 +1358,22 @@ out: static int security_compute_sid(u32 ssid, u32 tsid, - u16 tclass, + u16 orig_tclass, u32 specified, - u32 *out_sid) + u32 *out_sid, + bool kern) { struct context *scontext = NULL, *tcontext = NULL, newcontext; struct role_trans *roletr = NULL; struct avtab_key avkey; struct avtab_datum *avdatum; struct avtab_node *node; + u16 tclass; int rc = 0; if (!ss_initialized) { - switch (tclass) { - case SECCLASS_PROCESS: + switch (orig_tclass) { + case SECCLASS_PROCESS: /* kernel value */ *out_sid = ssid; break; default: @@ -1231,6 +1387,11 @@ static int security_compute_sid(u32 ssid, read_lock(&policy_rwlock); + if (kern) + tclass = unmap_class(orig_tclass); + else + tclass = orig_tclass; + scontext = sidtab_search(&sidtab, ssid); if (!scontext) { printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", @@ -1260,13 +1421,11 @@ static int security_compute_sid(u32 ssid, } /* Set the role and type to default values. */ - switch (tclass) { - case SECCLASS_PROCESS: + if (tclass == policydb.process_class) { /* Use the current role and type of process. */ newcontext.role = scontext->role; newcontext.type = scontext->type; - break; - default: + } else { /* Use the well-defined object role. */ newcontext.role = OBJECT_R_VAL; /* Use the type of the related object. */ @@ -1297,8 +1456,7 @@ static int security_compute_sid(u32 ssid, } /* Check for class-specific changes. */ - switch (tclass) { - case SECCLASS_PROCESS: + if (tclass == policydb.process_class) { if (specified & AVTAB_TRANSITION) { /* Look for a role transition rule. */ for (roletr = policydb.role_tr; roletr; @@ -1311,9 +1469,6 @@ static int security_compute_sid(u32 ssid, } } } - break; - default: - break; } /* Set the MLS attributes. @@ -1358,7 +1513,17 @@ int security_transition_sid(u32 ssid, u16 tclass, u32 *out_sid) { - return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); + return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, + out_sid, true); +} + +int security_transition_sid_user(u32 ssid, + u32 tsid, + u16 tclass, + u32 *out_sid) +{ + return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, + out_sid, false); } /** @@ -1379,7 +1544,8 @@ int security_member_sid(u32 ssid, u16 tclass, u32 *out_sid) { - return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); + return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid, + false); } /** @@ -1400,144 +1566,8 @@ int security_change_sid(u32 ssid, u16 tclass, u32 *out_sid) { - return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); -} - -/* - * Verify that each kernel class that is defined in the - * policy is correct - */ -static int validate_classes(struct policydb *p) -{ - int i, j; - struct class_datum *cladatum; - struct perm_datum *perdatum; - u32 nprim, tmp, common_pts_len, perm_val, pol_val; - u16 class_val; - const struct selinux_class_perm *kdefs = &selinux_class_perm; - const char *def_class, *def_perm, *pol_class; - struct symtab *perms; - bool print_unknown_handle = 0; - - if (p->allow_unknown) { - u32 num_classes = kdefs->cts_len; - p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL); - if (!p->undefined_perms) - return -ENOMEM; - } - - for (i = 1; i < kdefs->cts_len; i++) { - def_class = kdefs->class_to_string[i]; - if (!def_class) - continue; - if (i > p->p_classes.nprim) { - printk(KERN_INFO - "SELinux: class %s not defined in policy\n", - def_class); - if (p->reject_unknown) - return -EINVAL; - if (p->allow_unknown) - p->undefined_perms[i-1] = ~0U; - print_unknown_handle = 1; - continue; - } - pol_class = p->p_class_val_to_name[i-1]; - if (strcmp(pol_class, def_class)) { - printk(KERN_ERR - "SELinux: class %d is incorrect, found %s but should be %s\n", - i, pol_class, def_class); - return -EINVAL; - } - } - for (i = 0; i < kdefs->av_pts_len; i++) { - class_val = kdefs->av_perm_to_string[i].tclass; - perm_val = kdefs->av_perm_to_string[i].value; - def_perm = kdefs->av_perm_to_string[i].name; - if (class_val > p->p_classes.nprim) - continue; - pol_class = p->p_class_val_to_name[class_val-1]; - cladatum = hashtab_search(p->p_classes.table, pol_class); - BUG_ON(!cladatum); - perms = &cladatum->permissions; - nprim = 1 << (perms->nprim - 1); - if (perm_val > nprim) { - printk(KERN_INFO - "SELinux: permission %s in class %s not defined in policy\n", - def_perm, pol_class); - if (p->reject_unknown) - return -EINVAL; - if (p->allow_unknown) - p->undefined_perms[class_val-1] |= perm_val; - print_unknown_handle = 1; - continue; - } - perdatum = hashtab_search(perms->table, def_perm); - if (perdatum == NULL) { - printk(KERN_ERR - "SELinux: permission %s in class %s not found in policy, bad policy\n", - def_perm, pol_class); - return -EINVAL; - } - pol_val = 1 << (perdatum->value - 1); - if (pol_val != perm_val) { - printk(KERN_ERR - "SELinux: permission %s in class %s has incorrect value\n", - def_perm, pol_class); - return -EINVAL; - } - } - for (i = 0; i < kdefs->av_inherit_len; i++) { - class_val = kdefs->av_inherit[i].tclass; - if (class_val > p->p_classes.nprim) - continue; - pol_class = p->p_class_val_to_name[class_val-1]; - cladatum = hashtab_search(p->p_classes.table, pol_class); - BUG_ON(!cladatum); - if (!cladatum->comdatum) { - printk(KERN_ERR - "SELinux: class %s should have an inherits clause but does not\n", - pol_class); - return -EINVAL; - } - tmp = kdefs->av_inherit[i].common_base; - common_pts_len = 0; - while (!(tmp & 0x01)) { - common_pts_len++; - tmp >>= 1; - } - perms = &cladatum->comdatum->permissions; - for (j = 0; j < common_pts_len; j++) { - def_perm = kdefs->av_inherit[i].common_pts[j]; - if (j >= perms->nprim) { - printk(KERN_INFO - "SELinux: permission %s in class %s not defined in policy\n", - def_perm, pol_class); - if (p->reject_unknown) - return -EINVAL; - if (p->allow_unknown) - p->undefined_perms[class_val-1] |= (1 << j); - print_unknown_handle = 1; - continue; - } - perdatum = hashtab_search(perms->table, def_perm); - if (perdatum == NULL) { - printk(KERN_ERR - "SELinux: permission %s in class %s not found in policy, bad policy\n", - def_perm, pol_class); - return -EINVAL; - } - if (perdatum->value != j + 1) { - printk(KERN_ERR - "SELinux: permission %s in class %s has incorrect value\n", - def_perm, pol_class); - return -EINVAL; - } - } - } - if (print_unknown_handle) - printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", - (security_get_allow_unknown() ? "allowed" : "denied")); - return 0; + return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid, + false); } /* Clone the SID into the new SID table. */ @@ -1710,8 +1740,10 @@ int security_load_policy(void *data, size_t len) { struct policydb oldpolicydb, newpolicydb; struct sidtab oldsidtab, newsidtab; + struct selinux_mapping *oldmap, *map = NULL; struct convert_context_args args; u32 seqno; + u16 map_size; int rc = 0; struct policy_file file = { data, len }, *fp = &file; @@ -1721,16 +1753,14 @@ int security_load_policy(void *data, size_t len) avtab_cache_destroy(); return -EINVAL; } - if (policydb_load_isids(&policydb, &sidtab)) { + if (selinux_set_mapping(&policydb, secclass_map, + ¤t_mapping, + ¤t_mapping_size)) { policydb_destroy(&policydb); avtab_cache_destroy(); return -EINVAL; } - /* Verify that the kernel defined classes are correct. */ - if (validate_classes(&policydb)) { - printk(KERN_ERR - "SELinux: the definition of a class is incorrect\n"); - sidtab_destroy(&sidtab); + if (policydb_load_isids(&policydb, &sidtab)) { policydb_destroy(&policydb); avtab_cache_destroy(); return -EINVAL; @@ -1759,13 +1789,9 @@ int security_load_policy(void *data, size_t len) return -ENOMEM; } - /* Verify that the kernel defined classes are correct. */ - if (validate_classes(&newpolicydb)) { - printk(KERN_ERR - "SELinux: the definition of a class is incorrect\n"); - rc = -EINVAL; + if (selinux_set_mapping(&newpolicydb, secclass_map, + &map, &map_size)) goto err; - } rc = security_preserve_bools(&newpolicydb); if (rc) { @@ -1799,6 +1825,9 @@ int security_load_policy(void *data, size_t len) memcpy(&policydb, &newpolicydb, sizeof policydb); sidtab_set(&sidtab, &newsidtab); security_load_policycaps(); + oldmap = current_mapping; + current_mapping = map; + current_mapping_size = map_size; seqno = ++latest_granting; policydb_loaded_version = policydb.policyvers; write_unlock_irq(&policy_rwlock); @@ -1806,6 +1835,7 @@ int security_load_policy(void *data, size_t len) /* Free the old policydb and SID table. */ policydb_destroy(&oldpolicydb); sidtab_destroy(&oldsidtab); + kfree(oldmap); avc_ss_reset(seqno); selnl_notify_policyload(seqno); @@ -1815,6 +1845,7 @@ int security_load_policy(void *data, size_t len) return 0; err: + kfree(map); sidtab_destroy(&newsidtab); policydb_destroy(&newpolicydb); return rc; @@ -2091,7 +2122,7 @@ out_unlock: } for (i = 0, j = 0; i < mynel; i++) { rc = avc_has_perm_noaudit(fromsid, mysids[i], - SECCLASS_PROCESS, + SECCLASS_PROCESS, /* kernel value */ PROCESS__TRANSITION, AVC_STRICT, NULL); if (!rc) @@ -2119,10 +2150,11 @@ out: */ int security_genfs_sid(const char *fstype, char *path, - u16 sclass, + u16 orig_sclass, u32 *sid) { int len; + u16 sclass; struct genfs *genfs; struct ocontext *c; int rc = 0, cmp = 0; @@ -2132,6 +2164,8 @@ int security_genfs_sid(const char *fstype, read_lock(&policy_rwlock); + sclass = unmap_class(orig_sclass); + for (genfs = policydb.genfs; genfs; genfs = genfs->next) { cmp = strcmp(fstype, genfs->fstype); if (cmp <= 0) -- cgit From 8753f6bec352392b52ed9b5e290afb34379f4612 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Wed, 30 Sep 2009 13:41:02 -0400 Subject: selinux: generate flask headers during kernel build Add a simple utility (scripts/selinux/genheaders) and invoke it to generate the kernel-private class and permission indices in flask.h and av_permissions.h automatically during the kernel build from the security class mapping definitions in classmap.h. Adding new kernel classes and permissions can then be done just by adding them to classmap.h. Signed-off-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/Makefile | 10 +- security/selinux/include/av_permissions.h | 870 ------------------------------ security/selinux/include/flask.h | 91 ---- security/selinux/ss/Makefile | 2 +- 4 files changed, 10 insertions(+), 963 deletions(-) delete mode 100644 security/selinux/include/av_permissions.h delete mode 100644 security/selinux/include/flask.h (limited to 'security') diff --git a/security/selinux/Makefile b/security/selinux/Makefile index d47fc5e545e0..f013982df417 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile @@ -18,5 +18,13 @@ selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o selinux-$(CONFIG_NETLABEL) += netlabel.o -EXTRA_CFLAGS += -Isecurity/selinux/include +EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include +$(obj)/avc.o: $(obj)/flask.h + +quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h + cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h + +targets += flask.h +$(obj)/flask.h: $(src)/include/classmap.h FORCE + $(call if_changed,flask) diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h deleted file mode 100644 index fef2582b734d..000000000000 --- a/security/selinux/include/av_permissions.h +++ /dev/null @@ -1,870 +0,0 @@ -/* This file is automatically generated. Do not edit. */ -#define COMMON_FILE__IOCTL 0x00000001UL -#define COMMON_FILE__READ 0x00000002UL -#define COMMON_FILE__WRITE 0x00000004UL -#define COMMON_FILE__CREATE 0x00000008UL -#define COMMON_FILE__GETATTR 0x00000010UL -#define COMMON_FILE__SETATTR 0x00000020UL -#define COMMON_FILE__LOCK 0x00000040UL -#define COMMON_FILE__RELABELFROM 0x00000080UL -#define COMMON_FILE__RELABELTO 0x00000100UL -#define COMMON_FILE__APPEND 0x00000200UL -#define COMMON_FILE__UNLINK 0x00000400UL -#define COMMON_FILE__LINK 0x00000800UL -#define COMMON_FILE__RENAME 0x00001000UL -#define COMMON_FILE__EXECUTE 0x00002000UL -#define COMMON_FILE__SWAPON 0x00004000UL -#define COMMON_FILE__QUOTAON 0x00008000UL -#define COMMON_FILE__MOUNTON 0x00010000UL -#define COMMON_SOCKET__IOCTL 0x00000001UL -#define COMMON_SOCKET__READ 0x00000002UL -#define COMMON_SOCKET__WRITE 0x00000004UL -#define COMMON_SOCKET__CREATE 0x00000008UL -#define COMMON_SOCKET__GETATTR 0x00000010UL -#define COMMON_SOCKET__SETATTR 0x00000020UL -#define COMMON_SOCKET__LOCK 0x00000040UL -#define COMMON_SOCKET__RELABELFROM 0x00000080UL -#define COMMON_SOCKET__RELABELTO 0x00000100UL -#define COMMON_SOCKET__APPEND 0x00000200UL -#define COMMON_SOCKET__BIND 0x00000400UL -#define COMMON_SOCKET__CONNECT 0x00000800UL -#define COMMON_SOCKET__LISTEN 0x00001000UL -#define COMMON_SOCKET__ACCEPT 0x00002000UL -#define COMMON_SOCKET__GETOPT 0x00004000UL -#define COMMON_SOCKET__SETOPT 0x00008000UL -#define COMMON_SOCKET__SHUTDOWN 0x00010000UL -#define COMMON_SOCKET__RECVFROM 0x00020000UL -#define COMMON_SOCKET__SENDTO 0x00040000UL -#define COMMON_SOCKET__RECV_MSG 0x00080000UL -#define COMMON_SOCKET__SEND_MSG 0x00100000UL -#define COMMON_SOCKET__NAME_BIND 0x00200000UL -#define COMMON_IPC__CREATE 0x00000001UL -#define COMMON_IPC__DESTROY 0x00000002UL -#define COMMON_IPC__GETATTR 0x00000004UL -#define COMMON_IPC__SETATTR 0x00000008UL -#define COMMON_IPC__READ 0x00000010UL -#define COMMON_IPC__WRITE 0x00000020UL -#define COMMON_IPC__ASSOCIATE 0x00000040UL -#define COMMON_IPC__UNIX_READ 0x00000080UL -#define COMMON_IPC__UNIX_WRITE 0x00000100UL -#define FILESYSTEM__MOUNT 0x00000001UL -#define FILESYSTEM__REMOUNT 0x00000002UL -#define FILESYSTEM__UNMOUNT 0x00000004UL -#define FILESYSTEM__GETATTR 0x00000008UL -#define FILESYSTEM__RELABELFROM 0x00000010UL -#define FILESYSTEM__RELABELTO 0x00000020UL -#define FILESYSTEM__TRANSITION 0x00000040UL -#define FILESYSTEM__ASSOCIATE 0x00000080UL -#define FILESYSTEM__QUOTAMOD 0x00000100UL -#define FILESYSTEM__QUOTAGET 0x00000200UL -#define DIR__IOCTL 0x00000001UL -#define DIR__READ 0x00000002UL -#define DIR__WRITE 0x00000004UL -#define DIR__CREATE 0x00000008UL -#define DIR__GETATTR 0x00000010UL -#define DIR__SETATTR 0x00000020UL -#define DIR__LOCK 0x00000040UL -#define DIR__RELABELFROM 0x00000080UL -#define DIR__RELABELTO 0x00000100UL -#define DIR__APPEND 0x00000200UL -#define DIR__UNLINK 0x00000400UL -#define DIR__LINK 0x00000800UL -#define DIR__RENAME 0x00001000UL -#define DIR__EXECUTE 0x00002000UL -#define DIR__SWAPON 0x00004000UL -#define DIR__QUOTAON 0x00008000UL -#define DIR__MOUNTON 0x00010000UL -#define DIR__ADD_NAME 0x00020000UL -#define DIR__REMOVE_NAME 0x00040000UL -#define DIR__REPARENT 0x00080000UL -#define DIR__SEARCH 0x00100000UL -#define DIR__RMDIR 0x00200000UL -#define DIR__OPEN 0x00400000UL -#define FILE__IOCTL 0x00000001UL -#define FILE__READ 0x00000002UL -#define FILE__WRITE 0x00000004UL -#define FILE__CREATE 0x00000008UL -#define FILE__GETATTR 0x00000010UL -#define FILE__SETATTR 0x00000020UL -#define FILE__LOCK 0x00000040UL -#define FILE__RELABELFROM 0x00000080UL -#define FILE__RELABELTO 0x00000100UL -#define FILE__APPEND 0x00000200UL -#define FILE__UNLINK 0x00000400UL -#define FILE__LINK 0x00000800UL -#define FILE__RENAME 0x00001000UL -#define FILE__EXECUTE 0x00002000UL -#define FILE__SWAPON 0x00004000UL -#define FILE__QUOTAON 0x00008000UL -#define FILE__MOUNTON 0x00010000UL -#define FILE__EXECUTE_NO_TRANS 0x00020000UL -#define FILE__ENTRYPOINT 0x00040000UL -#define FILE__EXECMOD 0x00080000UL -#define FILE__OPEN 0x00100000UL -#define LNK_FILE__IOCTL 0x00000001UL -#define LNK_FILE__READ 0x00000002UL -#define LNK_FILE__WRITE 0x00000004UL -#define LNK_FILE__CREATE 0x00000008UL -#define LNK_FILE__GETATTR 0x00000010UL -#define LNK_FILE__SETATTR 0x00000020UL -#define LNK_FILE__LOCK 0x00000040UL -#define LNK_FILE__RELABELFROM 0x00000080UL -#define LNK_FILE__RELABELTO 0x00000100UL -#define LNK_FILE__APPEND 0x00000200UL -#define LNK_FILE__UNLINK 0x00000400UL -#define LNK_FILE__LINK 0x00000800UL -#define LNK_FILE__RENAME 0x00001000UL -#define LNK_FILE__EXECUTE 0x00002000UL -#define LNK_FILE__SWAPON 0x00004000UL -#define LNK_FILE__QUOTAON 0x00008000UL -#define LNK_FILE__MOUNTON 0x00010000UL -#define CHR_FILE__IOCTL 0x00000001UL -#define CHR_FILE__READ 0x00000002UL -#define CHR_FILE__WRITE 0x00000004UL -#define CHR_FILE__CREATE 0x00000008UL -#define CHR_FILE__GETATTR 0x00000010UL -#define CHR_FILE__SETATTR 0x00000020UL -#define CHR_FILE__LOCK 0x00000040UL -#define CHR_FILE__RELABELFROM 0x00000080UL -#define CHR_FILE__RELABELTO 0x00000100UL -#define CHR_FILE__APPEND 0x00000200UL -#define CHR_FILE__UNLINK 0x00000400UL -#define CHR_FILE__LINK 0x00000800UL -#define CHR_FILE__RENAME 0x00001000UL -#define CHR_FILE__EXECUTE 0x00002000UL -#define CHR_FILE__SWAPON 0x00004000UL -#define CHR_FILE__QUOTAON 0x00008000UL -#define CHR_FILE__MOUNTON 0x00010000UL -#define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL -#define CHR_FILE__ENTRYPOINT 0x00040000UL -#define CHR_FILE__EXECMOD 0x00080000UL -#define CHR_FILE__OPEN 0x00100000UL -#define BLK_FILE__IOCTL 0x00000001UL -#define BLK_FILE__READ 0x00000002UL -#define BLK_FILE__WRITE 0x00000004UL -#define BLK_FILE__CREATE 0x00000008UL -#define BLK_FILE__GETATTR 0x00000010UL -#define BLK_FILE__SETATTR 0x00000020UL -#define BLK_FILE__LOCK 0x00000040UL -#define BLK_FILE__RELABELFROM 0x00000080UL -#define BLK_FILE__RELABELTO 0x00000100UL -#define BLK_FILE__APPEND 0x00000200UL -#define BLK_FILE__UNLINK 0x00000400UL -#define BLK_FILE__LINK 0x00000800UL -#define BLK_FILE__RENAME 0x00001000UL -#define BLK_FILE__EXECUTE 0x00002000UL -#define BLK_FILE__SWAPON 0x00004000UL -#define BLK_FILE__QUOTAON 0x00008000UL -#define BLK_FILE__MOUNTON 0x00010000UL -#define BLK_FILE__OPEN 0x00020000UL -#define SOCK_FILE__IOCTL 0x00000001UL -#define SOCK_FILE__READ 0x00000002UL -#define SOCK_FILE__WRITE 0x00000004UL -#define SOCK_FILE__CREATE 0x00000008UL -#define SOCK_FILE__GETATTR 0x00000010UL -#define SOCK_FILE__SETATTR 0x00000020UL -#define SOCK_FILE__LOCK 0x00000040UL -#define SOCK_FILE__RELABELFROM 0x00000080UL -#define SOCK_FILE__RELABELTO 0x00000100UL -#define SOCK_FILE__APPEND 0x00000200UL -#define SOCK_FILE__UNLINK 0x00000400UL -#define SOCK_FILE__LINK 0x00000800UL -#define SOCK_FILE__RENAME 0x00001000UL -#define SOCK_FILE__EXECUTE 0x00002000UL -#define SOCK_FILE__SWAPON 0x00004000UL -#define SOCK_FILE__QUOTAON 0x00008000UL -#define SOCK_FILE__MOUNTON 0x00010000UL -#define SOCK_FILE__OPEN 0x00020000UL -#define FIFO_FILE__IOCTL 0x00000001UL -#define FIFO_FILE__READ 0x00000002UL -#define FIFO_FILE__WRITE 0x00000004UL -#define FIFO_FILE__CREATE 0x00000008UL -#define FIFO_FILE__GETATTR 0x00000010UL -#define FIFO_FILE__SETATTR 0x00000020UL -#define FIFO_FILE__LOCK 0x00000040UL -#define FIFO_FILE__RELABELFROM 0x00000080UL -#define FIFO_FILE__RELABELTO 0x00000100UL -#define FIFO_FILE__APPEND 0x00000200UL -#define FIFO_FILE__UNLINK 0x00000400UL -#define FIFO_FILE__LINK 0x00000800UL -#define FIFO_FILE__RENAME 0x00001000UL -#define FIFO_FILE__EXECUTE 0x00002000UL -#define FIFO_FILE__SWAPON 0x00004000UL -#define FIFO_FILE__QUOTAON 0x00008000UL -#define FIFO_FILE__MOUNTON 0x00010000UL -#define FIFO_FILE__OPEN 0x00020000UL -#define FD__USE 0x00000001UL -#define SOCKET__IOCTL 0x00000001UL -#define SOCKET__READ 0x00000002UL -#define SOCKET__WRITE 0x00000004UL -#define SOCKET__CREATE 0x00000008UL -#define SOCKET__GETATTR 0x00000010UL -#define SOCKET__SETATTR 0x00000020UL -#define SOCKET__LOCK 0x00000040UL -#define SOCKET__RELABELFROM 0x00000080UL -#define SOCKET__RELABELTO 0x00000100UL -#define SOCKET__APPEND 0x00000200UL -#define SOCKET__BIND 0x00000400UL -#define SOCKET__CONNECT 0x00000800UL -#define SOCKET__LISTEN 0x00001000UL -#define SOCKET__ACCEPT 0x00002000UL -#define SOCKET__GETOPT 0x00004000UL -#define SOCKET__SETOPT 0x00008000UL -#define SOCKET__SHUTDOWN 0x00010000UL -#define SOCKET__RECVFROM 0x00020000UL -#define SOCKET__SENDTO 0x00040000UL -#define SOCKET__RECV_MSG 0x00080000UL -#define SOCKET__SEND_MSG 0x00100000UL -#define SOCKET__NAME_BIND 0x00200000UL -#define TCP_SOCKET__IOCTL 0x00000001UL -#define TCP_SOCKET__READ 0x00000002UL -#define TCP_SOCKET__WRITE 0x00000004UL -#define TCP_SOCKET__CREATE 0x00000008UL -#define TCP_SOCKET__GETATTR 0x00000010UL -#define TCP_SOCKET__SETATTR 0x00000020UL -#define TCP_SOCKET__LOCK 0x00000040UL -#define TCP_SOCKET__RELABELFROM 0x00000080UL -#define TCP_SOCKET__RELABELTO 0x00000100UL -#define TCP_SOCKET__APPEND 0x00000200UL -#define TCP_SOCKET__BIND 0x00000400UL -#define TCP_SOCKET__CONNECT 0x00000800UL -#define TCP_SOCKET__LISTEN 0x00001000UL -#define TCP_SOCKET__ACCEPT 0x00002000UL -#define TCP_SOCKET__GETOPT 0x00004000UL -#define TCP_SOCKET__SETOPT 0x00008000UL -#define TCP_SOCKET__SHUTDOWN 0x00010000UL -#define TCP_SOCKET__RECVFROM 0x00020000UL -#define TCP_SOCKET__SENDTO 0x00040000UL -#define TCP_SOCKET__RECV_MSG 0x00080000UL -#define TCP_SOCKET__SEND_MSG 0x00100000UL -#define TCP_SOCKET__NAME_BIND 0x00200000UL -#define TCP_SOCKET__CONNECTTO 0x00400000UL -#define TCP_SOCKET__NEWCONN 0x00800000UL -#define TCP_SOCKET__ACCEPTFROM 0x01000000UL -#define TCP_SOCKET__NODE_BIND 0x02000000UL -#define TCP_SOCKET__NAME_CONNECT 0x04000000UL -#define UDP_SOCKET__IOCTL 0x00000001UL -#define UDP_SOCKET__READ 0x00000002UL -#define UDP_SOCKET__WRITE 0x00000004UL -#define UDP_SOCKET__CREATE 0x00000008UL -#define UDP_SOCKET__GETATTR 0x00000010UL -#define UDP_SOCKET__SETATTR 0x00000020UL -#define UDP_SOCKET__LOCK 0x00000040UL -#define UDP_SOCKET__RELABELFROM 0x00000080UL -#define UDP_SOCKET__RELABELTO 0x00000100UL -#define UDP_SOCKET__APPEND 0x00000200UL -#define UDP_SOCKET__BIND 0x00000400UL -#define UDP_SOCKET__CONNECT 0x00000800UL -#define UDP_SOCKET__LISTEN 0x00001000UL -#define UDP_SOCKET__ACCEPT 0x00002000UL -#define UDP_SOCKET__GETOPT 0x00004000UL -#define UDP_SOCKET__SETOPT 0x00008000UL -#define UDP_SOCKET__SHUTDOWN 0x00010000UL -#define UDP_SOCKET__RECVFROM 0x00020000UL -#define UDP_SOCKET__SENDTO 0x00040000UL -#define UDP_SOCKET__RECV_MSG 0x00080000UL -#define UDP_SOCKET__SEND_MSG 0x00100000UL -#define UDP_SOCKET__NAME_BIND 0x00200000UL -#define UDP_SOCKET__NODE_BIND 0x00400000UL -#define RAWIP_SOCKET__IOCTL 0x00000001UL -#define RAWIP_SOCKET__READ 0x00000002UL -#define RAWIP_SOCKET__WRITE 0x00000004UL -#define RAWIP_SOCKET__CREATE 0x00000008UL -#define RAWIP_SOCKET__GETATTR 0x00000010UL -#define RAWIP_SOCKET__SETATTR 0x00000020UL -#define RAWIP_SOCKET__LOCK 0x00000040UL -#define RAWIP_SOCKET__RELABELFROM 0x00000080UL -#define RAWIP_SOCKET__RELABELTO 0x00000100UL -#define RAWIP_SOCKET__APPEND 0x00000200UL -#define RAWIP_SOCKET__BIND 0x00000400UL -#define RAWIP_SOCKET__CONNECT 0x00000800UL -#define RAWIP_SOCKET__LISTEN 0x00001000UL -#define RAWIP_SOCKET__ACCEPT 0x00002000UL -#define RAWIP_SOCKET__GETOPT 0x00004000UL -#define RAWIP_SOCKET__SETOPT 0x00008000UL -#define RAWIP_SOCKET__SHUTDOWN 0x00010000UL -#define RAWIP_SOCKET__RECVFROM 0x00020000UL -#define RAWIP_SOCKET__SENDTO 0x00040000UL -#define RAWIP_SOCKET__RECV_MSG 0x00080000UL -#define RAWIP_SOCKET__SEND_MSG 0x00100000UL -#define RAWIP_SOCKET__NAME_BIND 0x00200000UL -#define RAWIP_SOCKET__NODE_BIND 0x00400000UL -#define NODE__TCP_RECV 0x00000001UL -#define NODE__TCP_SEND 0x00000002UL -#define NODE__UDP_RECV 0x00000004UL -#define NODE__UDP_SEND 0x00000008UL -#define NODE__RAWIP_RECV 0x00000010UL -#define NODE__RAWIP_SEND 0x00000020UL -#define NODE__ENFORCE_DEST 0x00000040UL -#define NODE__DCCP_RECV 0x00000080UL -#define NODE__DCCP_SEND 0x00000100UL -#define NODE__RECVFROM 0x00000200UL -#define NODE__SENDTO 0x00000400UL -#define NETIF__TCP_RECV 0x00000001UL -#define NETIF__TCP_SEND 0x00000002UL -#define NETIF__UDP_RECV 0x00000004UL -#define NETIF__UDP_SEND 0x00000008UL -#define NETIF__RAWIP_RECV 0x00000010UL -#define NETIF__RAWIP_SEND 0x00000020UL -#define NETIF__DCCP_RECV 0x00000040UL -#define NETIF__DCCP_SEND 0x00000080UL -#define NETIF__INGRESS 0x00000100UL -#define NETIF__EGRESS 0x00000200UL -#define NETLINK_SOCKET__IOCTL 0x00000001UL -#define NETLINK_SOCKET__READ 0x00000002UL -#define NETLINK_SOCKET__WRITE 0x00000004UL -#define NETLINK_SOCKET__CREATE 0x00000008UL -#define NETLINK_SOCKET__GETATTR 0x00000010UL -#define NETLINK_SOCKET__SETATTR 0x00000020UL -#define NETLINK_SOCKET__LOCK 0x00000040UL -#define NETLINK_SOCKET__RELABELFROM 0x00000080UL -#define NETLINK_SOCKET__RELABELTO 0x00000100UL -#define NETLINK_SOCKET__APPEND 0x00000200UL -#define NETLINK_SOCKET__BIND 0x00000400UL -#define NETLINK_SOCKET__CONNECT 0x00000800UL -#define NETLINK_SOCKET__LISTEN 0x00001000UL -#define NETLINK_SOCKET__ACCEPT 0x00002000UL -#define NETLINK_SOCKET__GETOPT 0x00004000UL -#define NETLINK_SOCKET__SETOPT 0x00008000UL -#define NETLINK_SOCKET__SHUTDOWN 0x00010000UL -#define NETLINK_SOCKET__RECVFROM 0x00020000UL -#define NETLINK_SOCKET__SENDTO 0x00040000UL -#define NETLINK_SOCKET__RECV_MSG 0x00080000UL -#define NETLINK_SOCKET__SEND_MSG 0x00100000UL -#define NETLINK_SOCKET__NAME_BIND 0x00200000UL -#define PACKET_SOCKET__IOCTL 0x00000001UL -#define PACKET_SOCKET__READ 0x00000002UL -#define PACKET_SOCKET__WRITE 0x00000004UL -#define PACKET_SOCKET__CREATE 0x00000008UL -#define PACKET_SOCKET__GETATTR 0x00000010UL -#define PACKET_SOCKET__SETATTR 0x00000020UL -#define PACKET_SOCKET__LOCK 0x00000040UL -#define PACKET_SOCKET__RELABELFROM 0x00000080UL -#define PACKET_SOCKET__RELABELTO 0x00000100UL -#define PACKET_SOCKET__APPEND 0x00000200UL -#define PACKET_SOCKET__BIND 0x00000400UL -#define PACKET_SOCKET__CONNECT 0x00000800UL -#define PACKET_SOCKET__LISTEN 0x00001000UL -#define PACKET_SOCKET__ACCEPT 0x00002000UL -#define PACKET_SOCKET__GETOPT 0x00004000UL -#define PACKET_SOCKET__SETOPT 0x00008000UL -#define PACKET_SOCKET__SHUTDOWN 0x00010000UL -#define PACKET_SOCKET__RECVFROM 0x00020000UL -#define PACKET_SOCKET__SENDTO 0x00040000UL -#define PACKET_SOCKET__RECV_MSG 0x00080000UL -#define PACKET_SOCKET__SEND_MSG 0x00100000UL -#define PACKET_SOCKET__NAME_BIND 0x00200000UL -#define KEY_SOCKET__IOCTL 0x00000001UL -#define KEY_SOCKET__READ 0x00000002UL -#define KEY_SOCKET__WRITE 0x00000004UL -#define KEY_SOCKET__CREATE 0x00000008UL -#define KEY_SOCKET__GETATTR 0x00000010UL -#define KEY_SOCKET__SETATTR 0x00000020UL -#define KEY_SOCKET__LOCK 0x00000040UL -#define KEY_SOCKET__RELABELFROM 0x00000080UL -#define KEY_SOCKET__RELABELTO 0x00000100UL -#define KEY_SOCKET__APPEND 0x00000200UL -#define KEY_SOCKET__BIND 0x00000400UL -#define KEY_SOCKET__CONNECT 0x00000800UL -#define KEY_SOCKET__LISTEN 0x00001000UL -#define KEY_SOCKET__ACCEPT 0x00002000UL -#define KEY_SOCKET__GETOPT 0x00004000UL -#define KEY_SOCKET__SETOPT 0x00008000UL -#define KEY_SOCKET__SHUTDOWN 0x00010000UL -#define KEY_SOCKET__RECVFROM 0x00020000UL -#define KEY_SOCKET__SENDTO 0x00040000UL -#define KEY_SOCKET__RECV_MSG 0x00080000UL -#define KEY_SOCKET__SEND_MSG 0x00100000UL -#define KEY_SOCKET__NAME_BIND 0x00200000UL -#define UNIX_STREAM_SOCKET__IOCTL 0x00000001UL -#define UNIX_STREAM_SOCKET__READ 0x00000002UL -#define UNIX_STREAM_SOCKET__WRITE 0x00000004UL -#define UNIX_STREAM_SOCKET__CREATE 0x00000008UL -#define UNIX_STREAM_SOCKET__GETATTR 0x00000010UL -#define UNIX_STREAM_SOCKET__SETATTR 0x00000020UL -#define UNIX_STREAM_SOCKET__LOCK 0x00000040UL -#define UNIX_STREAM_SOCKET__RELABELFROM 0x00000080UL -#define UNIX_STREAM_SOCKET__RELABELTO 0x00000100UL -#define UNIX_STREAM_SOCKET__APPEND 0x00000200UL -#define UNIX_STREAM_SOCKET__BIND 0x00000400UL -#define UNIX_STREAM_SOCKET__CONNECT 0x00000800UL -#define UNIX_STREAM_SOCKET__LISTEN 0x00001000UL -#define UNIX_STREAM_SOCKET__ACCEPT 0x00002000UL -#define UNIX_STREAM_SOCKET__GETOPT 0x00004000UL -#define UNIX_STREAM_SOCKET__SETOPT 0x00008000UL -#define UNIX_STREAM_SOCKET__SHUTDOWN 0x00010000UL -#define UNIX_STREAM_SOCKET__RECVFROM 0x00020000UL -#define UNIX_STREAM_SOCKET__SENDTO 0x00040000UL -#define UNIX_STREAM_SOCKET__RECV_MSG 0x00080000UL -#define UNIX_STREAM_SOCKET__SEND_MSG 0x00100000UL -#define UNIX_STREAM_SOCKET__NAME_BIND 0x00200000UL -#define UNIX_STREAM_SOCKET__CONNECTTO 0x00400000UL -#define UNIX_STREAM_SOCKET__NEWCONN 0x00800000UL -#define UNIX_STREAM_SOCKET__ACCEPTFROM 0x01000000UL -#define UNIX_DGRAM_SOCKET__IOCTL 0x00000001UL -#define UNIX_DGRAM_SOCKET__READ 0x00000002UL -#define UNIX_DGRAM_SOCKET__WRITE 0x00000004UL -#define UNIX_DGRAM_SOCKET__CREATE 0x00000008UL -#define UNIX_DGRAM_SOCKET__GETATTR 0x00000010UL -#define UNIX_DGRAM_SOCKET__SETATTR 0x00000020UL -#define UNIX_DGRAM_SOCKET__LOCK 0x00000040UL -#define UNIX_DGRAM_SOCKET__RELABELFROM 0x00000080UL -#define UNIX_DGRAM_SOCKET__RELABELTO 0x00000100UL -#define UNIX_DGRAM_SOCKET__APPEND 0x00000200UL -#define UNIX_DGRAM_SOCKET__BIND 0x00000400UL -#define UNIX_DGRAM_SOCKET__CONNECT 0x00000800UL -#define UNIX_DGRAM_SOCKET__LISTEN 0x00001000UL -#define UNIX_DGRAM_SOCKET__ACCEPT 0x00002000UL -#define UNIX_DGRAM_SOCKET__GETOPT 0x00004000UL -#define UNIX_DGRAM_SOCKET__SETOPT 0x00008000UL -#define UNIX_DGRAM_SOCKET__SHUTDOWN 0x00010000UL -#define UNIX_DGRAM_SOCKET__RECVFROM 0x00020000UL -#define UNIX_DGRAM_SOCKET__SENDTO 0x00040000UL -#define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL -#define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL -#define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL -#define PROCESS__FORK 0x00000001UL -#define PROCESS__TRANSITION 0x00000002UL -#define PROCESS__SIGCHLD 0x00000004UL -#define PROCESS__SIGKILL 0x00000008UL -#define PROCESS__SIGSTOP 0x00000010UL -#define PROCESS__SIGNULL 0x00000020UL -#define PROCESS__SIGNAL 0x00000040UL -#define PROCESS__PTRACE 0x00000080UL -#define PROCESS__GETSCHED 0x00000100UL -#define PROCESS__SETSCHED 0x00000200UL -#define PROCESS__GETSESSION 0x00000400UL -#define PROCESS__GETPGID 0x00000800UL -#define PROCESS__SETPGID 0x00001000UL -#define PROCESS__GETCAP 0x00002000UL -#define PROCESS__SETCAP 0x00004000UL -#define PROCESS__SHARE 0x00008000UL -#define PROCESS__GETATTR 0x00010000UL -#define PROCESS__SETEXEC 0x00020000UL -#define PROCESS__SETFSCREATE 0x00040000UL -#define PROCESS__NOATSECURE 0x00080000UL -#define PROCESS__SIGINH 0x00100000UL -#define PROCESS__SETRLIMIT 0x00200000UL -#define PROCESS__RLIMITINH 0x00400000UL -#define PROCESS__DYNTRANSITION 0x00800000UL -#define PROCESS__SETCURRENT 0x01000000UL -#define PROCESS__EXECMEM 0x02000000UL -#define PROCESS__EXECSTACK 0x04000000UL -#define PROCESS__EXECHEAP 0x08000000UL -#define PROCESS__SETKEYCREATE 0x10000000UL -#define PROCESS__SETSOCKCREATE 0x20000000UL -#define IPC__CREATE 0x00000001UL -#define IPC__DESTROY 0x00000002UL -#define IPC__GETATTR 0x00000004UL -#define IPC__SETATTR 0x00000008UL -#define IPC__READ 0x00000010UL -#define IPC__WRITE 0x00000020UL -#define IPC__ASSOCIATE 0x00000040UL -#define IPC__UNIX_READ 0x00000080UL -#define IPC__UNIX_WRITE 0x00000100UL -#define SEM__CREATE 0x00000001UL -#define SEM__DESTROY 0x00000002UL -#define SEM__GETATTR 0x00000004UL -#define SEM__SETATTR 0x00000008UL -#define SEM__READ 0x00000010UL -#define SEM__WRITE 0x00000020UL -#define SEM__ASSOCIATE 0x00000040UL -#define SEM__UNIX_READ 0x00000080UL -#define SEM__UNIX_WRITE 0x00000100UL -#define MSGQ__CREATE 0x00000001UL -#define MSGQ__DESTROY 0x00000002UL -#define MSGQ__GETATTR 0x00000004UL -#define MSGQ__SETATTR 0x00000008UL -#define MSGQ__READ 0x00000010UL -#define MSGQ__WRITE 0x00000020UL -#define MSGQ__ASSOCIATE 0x00000040UL -#define MSGQ__UNIX_READ 0x00000080UL -#define MSGQ__UNIX_WRITE 0x00000100UL -#define MSGQ__ENQUEUE 0x00000200UL -#define MSG__SEND 0x00000001UL -#define MSG__RECEIVE 0x00000002UL -#define SHM__CREATE 0x00000001UL -#define SHM__DESTROY 0x00000002UL -#define SHM__GETATTR 0x00000004UL -#define SHM__SETATTR 0x00000008UL -#define SHM__READ 0x00000010UL -#define SHM__WRITE 0x00000020UL -#define SHM__ASSOCIATE 0x00000040UL -#define SHM__UNIX_READ 0x00000080UL -#define SHM__UNIX_WRITE 0x00000100UL -#define SHM__LOCK 0x00000200UL -#define SECURITY__COMPUTE_AV 0x00000001UL -#define SECURITY__COMPUTE_CREATE 0x00000002UL -#define SECURITY__COMPUTE_MEMBER 0x00000004UL -#define SECURITY__CHECK_CONTEXT 0x00000008UL -#define SECURITY__LOAD_POLICY 0x00000010UL -#define SECURITY__COMPUTE_RELABEL 0x00000020UL -#define SECURITY__COMPUTE_USER 0x00000040UL -#define SECURITY__SETENFORCE 0x00000080UL -#define SECURITY__SETBOOL 0x00000100UL -#define SECURITY__SETSECPARAM 0x00000200UL -#define SECURITY__SETCHECKREQPROT 0x00000400UL -#define SYSTEM__IPC_INFO 0x00000001UL -#define SYSTEM__SYSLOG_READ 0x00000002UL -#define SYSTEM__SYSLOG_MOD 0x00000004UL -#define SYSTEM__SYSLOG_CONSOLE 0x00000008UL -#define SYSTEM__MODULE_REQUEST 0x00000010UL -#define CAPABILITY__CHOWN 0x00000001UL -#define CAPABILITY__DAC_OVERRIDE 0x00000002UL -#define CAPABILITY__DAC_READ_SEARCH 0x00000004UL -#define CAPABILITY__FOWNER 0x00000008UL -#define CAPABILITY__FSETID 0x00000010UL -#define CAPABILITY__KILL 0x00000020UL -#define CAPABILITY__SETGID 0x00000040UL -#define CAPABILITY__SETUID 0x00000080UL -#define CAPABILITY__SETPCAP 0x00000100UL -#define CAPABILITY__LINUX_IMMUTABLE 0x00000200UL -#define CAPABILITY__NET_BIND_SERVICE 0x00000400UL -#define CAPABILITY__NET_BROADCAST 0x00000800UL -#define CAPABILITY__NET_ADMIN 0x00001000UL -#define CAPABILITY__NET_RAW 0x00002000UL -#define CAPABILITY__IPC_LOCK 0x00004000UL -#define CAPABILITY__IPC_OWNER 0x00008000UL -#define CAPABILITY__SYS_MODULE 0x00010000UL -#define CAPABILITY__SYS_RAWIO 0x00020000UL -#define CAPABILITY__SYS_CHROOT 0x00040000UL -#define CAPABILITY__SYS_PTRACE 0x00080000UL -#define CAPABILITY__SYS_PACCT 0x00100000UL -#define CAPABILITY__SYS_ADMIN 0x00200000UL -#define CAPABILITY__SYS_BOOT 0x00400000UL -#define CAPABILITY__SYS_NICE 0x00800000UL -#define CAPABILITY__SYS_RESOURCE 0x01000000UL -#define CAPABILITY__SYS_TIME 0x02000000UL -#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL -#define CAPABILITY__MKNOD 0x08000000UL -#define CAPABILITY__LEASE 0x10000000UL -#define CAPABILITY__AUDIT_WRITE 0x20000000UL -#define CAPABILITY__AUDIT_CONTROL 0x40000000UL -#define CAPABILITY__SETFCAP 0x80000000UL -#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL -#define CAPABILITY2__MAC_ADMIN 0x00000002UL -#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL -#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL -#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL -#define NETLINK_ROUTE_SOCKET__CREATE 0x00000008UL -#define NETLINK_ROUTE_SOCKET__GETATTR 0x00000010UL -#define NETLINK_ROUTE_SOCKET__SETATTR 0x00000020UL -#define NETLINK_ROUTE_SOCKET__LOCK 0x00000040UL -#define NETLINK_ROUTE_SOCKET__RELABELFROM 0x00000080UL -#define NETLINK_ROUTE_SOCKET__RELABELTO 0x00000100UL -#define NETLINK_ROUTE_SOCKET__APPEND 0x00000200UL -#define NETLINK_ROUTE_SOCKET__BIND 0x00000400UL -#define NETLINK_ROUTE_SOCKET__CONNECT 0x00000800UL -#define NETLINK_ROUTE_SOCKET__LISTEN 0x00001000UL -#define NETLINK_ROUTE_SOCKET__ACCEPT 0x00002000UL -#define NETLINK_ROUTE_SOCKET__GETOPT 0x00004000UL -#define NETLINK_ROUTE_SOCKET__SETOPT 0x00008000UL -#define NETLINK_ROUTE_SOCKET__SHUTDOWN 0x00010000UL -#define NETLINK_ROUTE_SOCKET__RECVFROM 0x00020000UL -#define NETLINK_ROUTE_SOCKET__SENDTO 0x00040000UL -#define NETLINK_ROUTE_SOCKET__RECV_MSG 0x00080000UL -#define NETLINK_ROUTE_SOCKET__SEND_MSG 0x00100000UL -#define NETLINK_ROUTE_SOCKET__NAME_BIND 0x00200000UL -#define NETLINK_ROUTE_SOCKET__NLMSG_READ 0x00400000UL -#define NETLINK_ROUTE_SOCKET__NLMSG_WRITE 0x00800000UL -#define NETLINK_FIREWALL_SOCKET__IOCTL 0x00000001UL -#define NETLINK_FIREWALL_SOCKET__READ 0x00000002UL -#define NETLINK_FIREWALL_SOCKET__WRITE 0x00000004UL -#define NETLINK_FIREWALL_SOCKET__CREATE 0x00000008UL -#define NETLINK_FIREWALL_SOCKET__GETATTR 0x00000010UL -#define NETLINK_FIREWALL_SOCKET__SETATTR 0x00000020UL -#define NETLINK_FIREWALL_SOCKET__LOCK 0x00000040UL -#define NETLINK_FIREWALL_SOCKET__RELABELFROM 0x00000080UL -#define NETLINK_FIREWALL_SOCKET__RELABELTO 0x00000100UL -#define NETLINK_FIREWALL_SOCKET__APPEND 0x00000200UL -#define NETLINK_FIREWALL_SOCKET__BIND 0x00000400UL -#define NETLINK_FIREWALL_SOCKET__CONNECT 0x00000800UL -#define NETLINK_FIREWALL_SOCKET__LISTEN 0x00001000UL -#define NETLINK_FIREWALL_SOCKET__ACCEPT 0x00002000UL -#define NETLINK_FIREWALL_SOCKET__GETOPT 0x00004000UL -#define NETLINK_FIREWALL_SOCKET__SETOPT 0x00008000UL -#define NETLINK_FIREWALL_SOCKET__SHUTDOWN 0x00010000UL -#define NETLINK_FIREWALL_SOCKET__RECVFROM 0x00020000UL -#define NETLINK_FIREWALL_SOCKET__SENDTO 0x00040000UL -#define NETLINK_FIREWALL_SOCKET__RECV_MSG 0x00080000UL -#define NETLINK_FIREWALL_SOCKET__SEND_MSG 0x00100000UL -#define NETLINK_FIREWALL_SOCKET__NAME_BIND 0x00200000UL -#define NETLINK_FIREWALL_SOCKET__NLMSG_READ 0x00400000UL -#define NETLINK_FIREWALL_SOCKET__NLMSG_WRITE 0x00800000UL -#define NETLINK_TCPDIAG_SOCKET__IOCTL 0x00000001UL -#define NETLINK_TCPDIAG_SOCKET__READ 0x00000002UL -#define NETLINK_TCPDIAG_SOCKET__WRITE 0x00000004UL -#define NETLINK_TCPDIAG_SOCKET__CREATE 0x00000008UL -#define NETLINK_TCPDIAG_SOCKET__GETATTR 0x00000010UL -#define NETLINK_TCPDIAG_SOCKET__SETATTR 0x00000020UL -#define NETLINK_TCPDIAG_SOCKET__LOCK 0x00000040UL -#define NETLINK_TCPDIAG_SOCKET__RELABELFROM 0x00000080UL -#define NETLINK_TCPDIAG_SOCKET__RELABELTO 0x00000100UL -#define NETLINK_TCPDIAG_SOCKET__APPEND 0x00000200UL -#define NETLINK_TCPDIAG_SOCKET__BIND 0x00000400UL -#define NETLINK_TCPDIAG_SOCKET__CONNECT 0x00000800UL -#define NETLINK_TCPDIAG_SOCKET__LISTEN 0x00001000UL -#define NETLINK_TCPDIAG_SOCKET__ACCEPT 0x00002000UL -#define NETLINK_TCPDIAG_SOCKET__GETOPT 0x00004000UL -#define NETLINK_TCPDIAG_SOCKET__SETOPT 0x00008000UL -#define NETLINK_TCPDIAG_SOCKET__SHUTDOWN 0x00010000UL -#define NETLINK_TCPDIAG_SOCKET__RECVFROM 0x00020000UL -#define NETLINK_TCPDIAG_SOCKET__SENDTO 0x00040000UL -#define NETLINK_TCPDIAG_SOCKET__RECV_MSG 0x00080000UL -#define NETLINK_TCPDIAG_SOCKET__SEND_MSG 0x00100000UL -#define NETLINK_TCPDIAG_SOCKET__NAME_BIND 0x00200000UL -#define NETLINK_TCPDIAG_SOCKET__NLMSG_READ 0x00400000UL -#define NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE 0x00800000UL -#define NETLINK_NFLOG_SOCKET__IOCTL 0x00000001UL -#define NETLINK_NFLOG_SOCKET__READ 0x00000002UL -#define NETLINK_NFLOG_SOCKET__WRITE 0x00000004UL -#define NETLINK_NFLOG_SOCKET__CREATE 0x00000008UL -#define NETLINK_NFLOG_SOCKET__GETATTR 0x00000010UL -#define NETLINK_NFLOG_SOCKET__SETATTR 0x00000020UL -#define NETLINK_NFLOG_SOCKET__LOCK 0x00000040UL -#define NETLINK_NFLOG_SOCKET__RELABELFROM 0x00000080UL -#define NETLINK_NFLOG_SOCKET__RELABELTO 0x00000100UL -#define NETLINK_NFLOG_SOCKET__APPEND 0x00000200UL -#define NETLINK_NFLOG_SOCKET__BIND 0x00000400UL -#define NETLINK_NFLOG_SOCKET__CONNECT 0x00000800UL -#define NETLINK_NFLOG_SOCKET__LISTEN 0x00001000UL -#define NETLINK_NFLOG_SOCKET__ACCEPT 0x00002000UL -#define NETLINK_NFLOG_SOCKET__GETOPT 0x00004000UL -#define NETLINK_NFLOG_SOCKET__SETOPT 0x00008000UL -#define NETLINK_NFLOG_SOCKET__SHUTDOWN 0x00010000UL -#define NETLINK_NFLOG_SOCKET__RECVFROM 0x00020000UL -#define NETLINK_NFLOG_SOCKET__SENDTO 0x00040000UL -#define NETLINK_NFLOG_SOCKET__RECV_MSG 0x00080000UL -#define NETLINK_NFLOG_SOCKET__SEND_MSG 0x00100000UL -#define NETLINK_NFLOG_SOCKET__NAME_BIND 0x00200000UL -#define NETLINK_XFRM_SOCKET__IOCTL 0x00000001UL -#define NETLINK_XFRM_SOCKET__READ 0x00000002UL -#define NETLINK_XFRM_SOCKET__WRITE 0x00000004UL -#define NETLINK_XFRM_SOCKET__CREATE 0x00000008UL -#define NETLINK_XFRM_SOCKET__GETATTR 0x00000010UL -#define NETLINK_XFRM_SOCKET__SETATTR 0x00000020UL -#define NETLINK_XFRM_SOCKET__LOCK 0x00000040UL -#define NETLINK_XFRM_SOCKET__RELABELFROM 0x00000080UL -#define NETLINK_XFRM_SOCKET__RELABELTO 0x00000100UL -#define NETLINK_XFRM_SOCKET__APPEND 0x00000200UL -#define NETLINK_XFRM_SOCKET__BIND 0x00000400UL -#define NETLINK_XFRM_SOCKET__CONNECT 0x00000800UL -#define NETLINK_XFRM_SOCKET__LISTEN 0x00001000UL -#define NETLINK_XFRM_SOCKET__ACCEPT 0x00002000UL -#define NETLINK_XFRM_SOCKET__GETOPT 0x00004000UL -#define NETLINK_XFRM_SOCKET__SETOPT 0x00008000UL -#define NETLINK_XFRM_SOCKET__SHUTDOWN 0x00010000UL -#define NETLINK_XFRM_SOCKET__RECVFROM 0x00020000UL -#define NETLINK_XFRM_SOCKET__SENDTO 0x00040000UL -#define NETLINK_XFRM_SOCKET__RECV_MSG 0x00080000UL -#define NETLINK_XFRM_SOCKET__SEND_MSG 0x00100000UL -#define NETLINK_XFRM_SOCKET__NAME_BIND 0x00200000UL -#define NETLINK_XFRM_SOCKET__NLMSG_READ 0x00400000UL -#define NETLINK_XFRM_SOCKET__NLMSG_WRITE 0x00800000UL -#define NETLINK_SELINUX_SOCKET__IOCTL 0x00000001UL -#define NETLINK_SELINUX_SOCKET__READ 0x00000002UL -#define NETLINK_SELINUX_SOCKET__WRITE 0x00000004UL -#define NETLINK_SELINUX_SOCKET__CREATE 0x00000008UL -#define NETLINK_SELINUX_SOCKET__GETATTR 0x00000010UL -#define NETLINK_SELINUX_SOCKET__SETATTR 0x00000020UL -#define NETLINK_SELINUX_SOCKET__LOCK 0x00000040UL -#define NETLINK_SELINUX_SOCKET__RELABELFROM 0x00000080UL -#define NETLINK_SELINUX_SOCKET__RELABELTO 0x00000100UL -#define NETLINK_SELINUX_SOCKET__APPEND 0x00000200UL -#define NETLINK_SELINUX_SOCKET__BIND 0x00000400UL -#define NETLINK_SELINUX_SOCKET__CONNECT 0x00000800UL -#define NETLINK_SELINUX_SOCKET__LISTEN 0x00001000UL -#define NETLINK_SELINUX_SOCKET__ACCEPT 0x00002000UL -#define NETLINK_SELINUX_SOCKET__GETOPT 0x00004000UL -#define NETLINK_SELINUX_SOCKET__SETOPT 0x00008000UL -#define NETLINK_SELINUX_SOCKET__SHUTDOWN 0x00010000UL -#define NETLINK_SELINUX_SOCKET__RECVFROM 0x00020000UL -#define NETLINK_SELINUX_SOCKET__SENDTO 0x00040000UL -#define NETLINK_SELINUX_SOCKET__RECV_MSG 0x00080000UL -#define NETLINK_SELINUX_SOCKET__SEND_MSG 0x00100000UL -#define NETLINK_SELINUX_SOCKET__NAME_BIND 0x00200000UL -#define NETLINK_AUDIT_SOCKET__IOCTL 0x00000001UL -#define NETLINK_AUDIT_SOCKET__READ 0x00000002UL -#define NETLINK_AUDIT_SOCKET__WRITE 0x00000004UL -#define NETLINK_AUDIT_SOCKET__CREATE 0x00000008UL -#define NETLINK_AUDIT_SOCKET__GETATTR 0x00000010UL -#define NETLINK_AUDIT_SOCKET__SETATTR 0x00000020UL -#define NETLINK_AUDIT_SOCKET__LOCK 0x00000040UL -#define NETLINK_AUDIT_SOCKET__RELABELFROM 0x00000080UL -#define NETLINK_AUDIT_SOCKET__RELABELTO 0x00000100UL -#define NETLINK_AUDIT_SOCKET__APPEND 0x00000200UL -#define NETLINK_AUDIT_SOCKET__BIND 0x00000400UL -#define NETLINK_AUDIT_SOCKET__CONNECT 0x00000800UL -#define NETLINK_AUDIT_SOCKET__LISTEN 0x00001000UL -#define NETLINK_AUDIT_SOCKET__ACCEPT 0x00002000UL -#define NETLINK_AUDIT_SOCKET__GETOPT 0x00004000UL -#define NETLINK_AUDIT_SOCKET__SETOPT 0x00008000UL -#define NETLINK_AUDIT_SOCKET__SHUTDOWN 0x00010000UL -#define NETLINK_AUDIT_SOCKET__RECVFROM 0x00020000UL -#define NETLINK_AUDIT_SOCKET__SENDTO 0x00040000UL -#define NETLINK_AUDIT_SOCKET__RECV_MSG 0x00080000UL -#define NETLINK_AUDIT_SOCKET__SEND_MSG 0x00100000UL -#define NETLINK_AUDIT_SOCKET__NAME_BIND 0x00200000UL -#define NETLINK_AUDIT_SOCKET__NLMSG_READ 0x00400000UL -#define NETLINK_AUDIT_SOCKET__NLMSG_WRITE 0x00800000UL -#define NETLINK_AUDIT_SOCKET__NLMSG_RELAY 0x01000000UL -#define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV 0x02000000UL -#define NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT 0x04000000UL -#define NETLINK_IP6FW_SOCKET__IOCTL 0x00000001UL -#define NETLINK_IP6FW_SOCKET__READ 0x00000002UL -#define NETLINK_IP6FW_SOCKET__WRITE 0x00000004UL -#define NETLINK_IP6FW_SOCKET__CREATE 0x00000008UL -#define NETLINK_IP6FW_SOCKET__GETATTR 0x00000010UL -#define NETLINK_IP6FW_SOCKET__SETATTR 0x00000020UL -#define NETLINK_IP6FW_SOCKET__LOCK 0x00000040UL -#define NETLINK_IP6FW_SOCKET__RELABELFROM 0x00000080UL -#define NETLINK_IP6FW_SOCKET__RELABELTO 0x00000100UL -#define NETLINK_IP6FW_SOCKET__APPEND 0x00000200UL -#define NETLINK_IP6FW_SOCKET__BIND 0x00000400UL -#define NETLINK_IP6FW_SOCKET__CONNECT 0x00000800UL -#define NETLINK_IP6FW_SOCKET__LISTEN 0x00001000UL -#define NETLINK_IP6FW_SOCKET__ACCEPT 0x00002000UL -#define NETLINK_IP6FW_SOCKET__GETOPT 0x00004000UL -#define NETLINK_IP6FW_SOCKET__SETOPT 0x00008000UL -#define NETLINK_IP6FW_SOCKET__SHUTDOWN 0x00010000UL -#define NETLINK_IP6FW_SOCKET__RECVFROM 0x00020000UL -#define NETLINK_IP6FW_SOCKET__SENDTO 0x00040000UL -#define NETLINK_IP6FW_SOCKET__RECV_MSG 0x00080000UL -#define NETLINK_IP6FW_SOCKET__SEND_MSG 0x00100000UL -#define NETLINK_IP6FW_SOCKET__NAME_BIND 0x00200000UL -#define NETLINK_IP6FW_SOCKET__NLMSG_READ 0x00400000UL -#define NETLINK_IP6FW_SOCKET__NLMSG_WRITE 0x00800000UL -#define NETLINK_DNRT_SOCKET__IOCTL 0x00000001UL -#define NETLINK_DNRT_SOCKET__READ 0x00000002UL -#define NETLINK_DNRT_SOCKET__WRITE 0x00000004UL -#define NETLINK_DNRT_SOCKET__CREATE 0x00000008UL -#define NETLINK_DNRT_SOCKET__GETATTR 0x00000010UL -#define NETLINK_DNRT_SOCKET__SETATTR 0x00000020UL -#define NETLINK_DNRT_SOCKET__LOCK 0x00000040UL -#define NETLINK_DNRT_SOCKET__RELABELFROM 0x00000080UL -#define NETLINK_DNRT_SOCKET__RELABELTO 0x00000100UL -#define NETLINK_DNRT_SOCKET__APPEND 0x00000200UL -#define NETLINK_DNRT_SOCKET__BIND 0x00000400UL -#define NETLINK_DNRT_SOCKET__CONNECT 0x00000800UL -#define NETLINK_DNRT_SOCKET__LISTEN 0x00001000UL -#define NETLINK_DNRT_SOCKET__ACCEPT 0x00002000UL -#define NETLINK_DNRT_SOCKET__GETOPT 0x00004000UL -#define NETLINK_DNRT_SOCKET__SETOPT 0x00008000UL -#define NETLINK_DNRT_SOCKET__SHUTDOWN 0x00010000UL -#define NETLINK_DNRT_SOCKET__RECVFROM 0x00020000UL -#define NETLINK_DNRT_SOCKET__SENDTO 0x00040000UL -#define NETLINK_DNRT_SOCKET__RECV_MSG 0x00080000UL -#define NETLINK_DNRT_SOCKET__SEND_MSG 0x00100000UL -#define NETLINK_DNRT_SOCKET__NAME_BIND 0x00200000UL -#define ASSOCIATION__SENDTO 0x00000001UL -#define ASSOCIATION__RECVFROM 0x00000002UL -#define ASSOCIATION__SETCONTEXT 0x00000004UL -#define ASSOCIATION__POLMATCH 0x00000008UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE 0x00000008UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR 0x00000010UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR 0x00000020UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK 0x00000040UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO 0x00000100UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND 0x00000200UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND 0x00000400UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT 0x00000800UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN 0x00001000UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT 0x00002000UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT 0x00004000UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT 0x00008000UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN 0x00010000UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM 0x00020000UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO 0x00040000UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL -#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL -#define APPLETALK_SOCKET__IOCTL 0x00000001UL -#define APPLETALK_SOCKET__READ 0x00000002UL -#define APPLETALK_SOCKET__WRITE 0x00000004UL -#define APPLETALK_SOCKET__CREATE 0x00000008UL -#define APPLETALK_SOCKET__GETATTR 0x00000010UL -#define APPLETALK_SOCKET__SETATTR 0x00000020UL -#define APPLETALK_SOCKET__LOCK 0x00000040UL -#define APPLETALK_SOCKET__RELABELFROM 0x00000080UL -#define APPLETALK_SOCKET__RELABELTO 0x00000100UL -#define APPLETALK_SOCKET__APPEND 0x00000200UL -#define APPLETALK_SOCKET__BIND 0x00000400UL -#define APPLETALK_SOCKET__CONNECT 0x00000800UL -#define APPLETALK_SOCKET__LISTEN 0x00001000UL -#define APPLETALK_SOCKET__ACCEPT 0x00002000UL -#define APPLETALK_SOCKET__GETOPT 0x00004000UL -#define APPLETALK_SOCKET__SETOPT 0x00008000UL -#define APPLETALK_SOCKET__SHUTDOWN 0x00010000UL -#define APPLETALK_SOCKET__RECVFROM 0x00020000UL -#define APPLETALK_SOCKET__SENDTO 0x00040000UL -#define APPLETALK_SOCKET__RECV_MSG 0x00080000UL -#define APPLETALK_SOCKET__SEND_MSG 0x00100000UL -#define APPLETALK_SOCKET__NAME_BIND 0x00200000UL -#define PACKET__SEND 0x00000001UL -#define PACKET__RECV 0x00000002UL -#define PACKET__RELABELTO 0x00000004UL -#define PACKET__FLOW_IN 0x00000008UL -#define PACKET__FLOW_OUT 0x00000010UL -#define PACKET__FORWARD_IN 0x00000020UL -#define PACKET__FORWARD_OUT 0x00000040UL -#define KEY__VIEW 0x00000001UL -#define KEY__READ 0x00000002UL -#define KEY__WRITE 0x00000004UL -#define KEY__SEARCH 0x00000008UL -#define KEY__LINK 0x00000010UL -#define KEY__SETATTR 0x00000020UL -#define KEY__CREATE 0x00000040UL -#define DCCP_SOCKET__IOCTL 0x00000001UL -#define DCCP_SOCKET__READ 0x00000002UL -#define DCCP_SOCKET__WRITE 0x00000004UL -#define DCCP_SOCKET__CREATE 0x00000008UL -#define DCCP_SOCKET__GETATTR 0x00000010UL -#define DCCP_SOCKET__SETATTR 0x00000020UL -#define DCCP_SOCKET__LOCK 0x00000040UL -#define DCCP_SOCKET__RELABELFROM 0x00000080UL -#define DCCP_SOCKET__RELABELTO 0x00000100UL -#define DCCP_SOCKET__APPEND 0x00000200UL -#define DCCP_SOCKET__BIND 0x00000400UL -#define DCCP_SOCKET__CONNECT 0x00000800UL -#define DCCP_SOCKET__LISTEN 0x00001000UL -#define DCCP_SOCKET__ACCEPT 0x00002000UL -#define DCCP_SOCKET__GETOPT 0x00004000UL -#define DCCP_SOCKET__SETOPT 0x00008000UL -#define DCCP_SOCKET__SHUTDOWN 0x00010000UL -#define DCCP_SOCKET__RECVFROM 0x00020000UL -#define DCCP_SOCKET__SENDTO 0x00040000UL -#define DCCP_SOCKET__RECV_MSG 0x00080000UL -#define DCCP_SOCKET__SEND_MSG 0x00100000UL -#define DCCP_SOCKET__NAME_BIND 0x00200000UL -#define DCCP_SOCKET__NODE_BIND 0x00400000UL -#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL -#define MEMPROTECT__MMAP_ZERO 0x00000001UL -#define PEER__RECV 0x00000001UL -#define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL -#define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL -#define TUN_SOCKET__IOCTL 0x00000001UL -#define TUN_SOCKET__READ 0x00000002UL -#define TUN_SOCKET__WRITE 0x00000004UL -#define TUN_SOCKET__CREATE 0x00000008UL -#define TUN_SOCKET__GETATTR 0x00000010UL -#define TUN_SOCKET__SETATTR 0x00000020UL -#define TUN_SOCKET__LOCK 0x00000040UL -#define TUN_SOCKET__RELABELFROM 0x00000080UL -#define TUN_SOCKET__RELABELTO 0x00000100UL -#define TUN_SOCKET__APPEND 0x00000200UL -#define TUN_SOCKET__BIND 0x00000400UL -#define TUN_SOCKET__CONNECT 0x00000800UL -#define TUN_SOCKET__LISTEN 0x00001000UL -#define TUN_SOCKET__ACCEPT 0x00002000UL -#define TUN_SOCKET__GETOPT 0x00004000UL -#define TUN_SOCKET__SETOPT 0x00008000UL -#define TUN_SOCKET__SHUTDOWN 0x00010000UL -#define TUN_SOCKET__RECVFROM 0x00020000UL -#define TUN_SOCKET__SENDTO 0x00040000UL -#define TUN_SOCKET__RECV_MSG 0x00080000UL -#define TUN_SOCKET__SEND_MSG 0x00100000UL -#define TUN_SOCKET__NAME_BIND 0x00200000UL diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h deleted file mode 100644 index 5359ca2abf21..000000000000 --- a/security/selinux/include/flask.h +++ /dev/null @@ -1,91 +0,0 @@ -/* This file is automatically generated. Do not edit. */ -#ifndef _SELINUX_FLASK_H_ -#define _SELINUX_FLASK_H_ - -/* - * Security object class definitions - */ -#define SECCLASS_SECURITY 1 -#define SECCLASS_PROCESS 2 -#define SECCLASS_SYSTEM 3 -#define SECCLASS_CAPABILITY 4 -#define SECCLASS_FILESYSTEM 5 -#define SECCLASS_FILE 6 -#define SECCLASS_DIR 7 -#define SECCLASS_FD 8 -#define SECCLASS_LNK_FILE 9 -#define SECCLASS_CHR_FILE 10 -#define SECCLASS_BLK_FILE 11 -#define SECCLASS_SOCK_FILE 12 -#define SECCLASS_FIFO_FILE 13 -#define SECCLASS_SOCKET 14 -#define SECCLASS_TCP_SOCKET 15 -#define SECCLASS_UDP_SOCKET 16 -#define SECCLASS_RAWIP_SOCKET 17 -#define SECCLASS_NODE 18 -#define SECCLASS_NETIF 19 -#define SECCLASS_NETLINK_SOCKET 20 -#define SECCLASS_PACKET_SOCKET 21 -#define SECCLASS_KEY_SOCKET 22 -#define SECCLASS_UNIX_STREAM_SOCKET 23 -#define SECCLASS_UNIX_DGRAM_SOCKET 24 -#define SECCLASS_SEM 25 -#define SECCLASS_MSG 26 -#define SECCLASS_MSGQ 27 -#define SECCLASS_SHM 28 -#define SECCLASS_IPC 29 -#define SECCLASS_NETLINK_ROUTE_SOCKET 30 -#define SECCLASS_NETLINK_FIREWALL_SOCKET 31 -#define SECCLASS_NETLINK_TCPDIAG_SOCKET 32 -#define SECCLASS_NETLINK_NFLOG_SOCKET 33 -#define SECCLASS_NETLINK_XFRM_SOCKET 34 -#define SECCLASS_NETLINK_SELINUX_SOCKET 35 -#define SECCLASS_NETLINK_AUDIT_SOCKET 36 -#define SECCLASS_NETLINK_IP6FW_SOCKET 37 -#define SECCLASS_NETLINK_DNRT_SOCKET 38 -#define SECCLASS_ASSOCIATION 39 -#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 40 -#define SECCLASS_APPLETALK_SOCKET 41 -#define SECCLASS_PACKET 42 -#define SECCLASS_KEY 43 -#define SECCLASS_DCCP_SOCKET 44 -#define SECCLASS_MEMPROTECT 45 -#define SECCLASS_PEER 46 -#define SECCLASS_CAPABILITY2 47 -#define SECCLASS_KERNEL_SERVICE 48 -#define SECCLASS_TUN_SOCKET 49 - -/* - * Security identifier indices for initial entities - */ -#define SECINITSID_KERNEL 1 -#define SECINITSID_SECURITY 2 -#define SECINITSID_UNLABELED 3 -#define SECINITSID_FS 4 -#define SECINITSID_FILE 5 -#define SECINITSID_FILE_LABELS 6 -#define SECINITSID_INIT 7 -#define SECINITSID_ANY_SOCKET 8 -#define SECINITSID_PORT 9 -#define SECINITSID_NETIF 10 -#define SECINITSID_NETMSG 11 -#define SECINITSID_NODE 12 -#define SECINITSID_IGMP_PACKET 13 -#define SECINITSID_ICMP_SOCKET 14 -#define SECINITSID_TCP_SOCKET 15 -#define SECINITSID_SYSCTL_MODPROBE 16 -#define SECINITSID_SYSCTL 17 -#define SECINITSID_SYSCTL_FS 18 -#define SECINITSID_SYSCTL_KERNEL 19 -#define SECINITSID_SYSCTL_NET 20 -#define SECINITSID_SYSCTL_NET_UNIX 21 -#define SECINITSID_SYSCTL_VM 22 -#define SECINITSID_SYSCTL_DEV 23 -#define SECINITSID_KMOD 24 -#define SECINITSID_POLICY 25 -#define SECINITSID_SCMP_PACKET 26 -#define SECINITSID_DEVNULL 27 - -#define SECINITSID_NUM 27 - -#endif diff --git a/security/selinux/ss/Makefile b/security/selinux/ss/Makefile index bad78779b9b0..15d4e62917de 100644 --- a/security/selinux/ss/Makefile +++ b/security/selinux/ss/Makefile @@ -2,7 +2,7 @@ # Makefile for building the SELinux security server as part of the kernel tree. # -EXTRA_CFLAGS += -Isecurity/selinux/include +EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include obj-y := ss.o ss-y := ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o -- cgit From 941fc5b2bf8f7dd1d0a9c502e152fa719ff6578e Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Thu, 1 Oct 2009 14:48:23 -0400 Subject: selinux: drop remapping of netlink classes Drop remapping of netlink classes and bypass of permission checking based on netlink message type for policy version < 18. This removes compatibility code introduced when the original single netlink security class used for all netlink sockets was split into finer-grained netlink classes based on netlink protocol and when permission checking was added based on netlink message type in Linux 2.6.8. The only known distribution that shipped with SELinux and policy < 18 was Fedora Core 2, which was EOL'd on 2005-04-11. Given that the remapping code was never updated to address the addition of newer netlink classes, that the corresponding userland support was dropped in 2005, and that the assumptions made by the remapping code about the fixed ordering among netlink classes in the policy may be violated in the future due to the dynamic class/perm discovery support, we should drop this compatibility code now. Signed-off-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 6 +----- security/selinux/ss/services.c | 25 ------------------------- 2 files changed, 1 insertion(+), 30 deletions(-) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a985d0bc59bb..a29d6612a328 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -91,7 +91,6 @@ #define NUM_SEL_MNT_OPTS 5 -extern unsigned int policydb_loaded_version; extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); extern struct security_operations *security_ops; @@ -4714,10 +4713,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) if (err) return err; - if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) - err = selinux_nlmsg_perm(sk, skb); - - return err; + return selinux_nlmsg_perm(sk, skb); } static int selinux_netlink_recv(struct sk_buff *skb, int capability) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index e19baa81fdec..f270e378c0e4 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -65,7 +65,6 @@ #include "audit.h" extern void selnl_notify_policyload(u32 seqno); -unsigned int policydb_loaded_version; int selinux_policycap_netpeer; int selinux_policycap_openperm; @@ -616,17 +615,6 @@ static int context_struct_compute_av(struct context *scontext, struct ebitmap_node *snode, *tnode; unsigned int i, j; - /* - * Remap extended Netlink classes for old policy versions. - * Do this here rather than socket_type_to_security_class() - * in case a newer policy version is loaded, allowing sockets - * to remain in the correct class. - */ - if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) - if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) && - tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET)) - tclass = unmap_class(SECCLASS_NETLINK_SOCKET); - /* * Initialize the access vectors to the default values. */ @@ -761,17 +749,6 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, tclass = unmap_class(orig_tclass); - /* - * Remap extended Netlink classes for old policy versions. - * Do this here rather than socket_type_to_security_class() - * in case a newer policy version is loaded, allowing sockets - * to remain in the correct class. - */ - if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) - if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) && - tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET)) - tclass = unmap_class(SECCLASS_NETLINK_SOCKET); - if (!tclass || tclass > policydb.p_classes.nprim) { printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__, tclass); @@ -1766,7 +1743,6 @@ int security_load_policy(void *data, size_t len) return -EINVAL; } security_load_policycaps(); - policydb_loaded_version = policydb.policyvers; ss_initialized = 1; seqno = ++latest_granting; selinux_complete_init(); @@ -1829,7 +1805,6 @@ int security_load_policy(void *data, size_t len) current_mapping = map; current_mapping_size = map_size; seqno = ++latest_granting; - policydb_loaded_version = policydb.policyvers; write_unlock_irq(&policy_rwlock); /* Free the old policydb and SID table. */ -- cgit From 89eda06837094ce9f34fae269b8773fcfd70f046 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Sun, 4 Oct 2009 21:49:47 +0900 Subject: LSM: Add security_path_chmod() and security_path_chown(). This patch allows pathname based LSM modules to check chmod()/chown() operations. Since notify_change() does not receive "struct vfsmount *", we add security_path_chmod() and security_path_chown() to the caller of notify_change(). These hooks are used by TOMOYO. Signed-off-by: Tetsuo Handa Signed-off-by: James Morris --- security/capability.c | 13 +++++++++++++ security/security.c | 15 +++++++++++++++ 2 files changed, 28 insertions(+) (limited to 'security') diff --git a/security/capability.c b/security/capability.c index fce07a7bc825..09279a8d4a14 100644 --- a/security/capability.c +++ b/security/capability.c @@ -308,6 +308,17 @@ static int cap_path_truncate(struct path *path, loff_t length, { return 0; } + +static int cap_path_chmod(struct dentry *dentry, struct vfsmount *mnt, + mode_t mode) +{ + return 0; +} + +static int cap_path_chown(struct path *path, uid_t uid, gid_t gid) +{ + return 0; +} #endif static int cap_file_permission(struct file *file, int mask) @@ -977,6 +988,8 @@ void security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, path_link); set_to_cap_if_null(ops, path_rename); set_to_cap_if_null(ops, path_truncate); + set_to_cap_if_null(ops, path_chmod); + set_to_cap_if_null(ops, path_chown); #endif set_to_cap_if_null(ops, file_permission); set_to_cap_if_null(ops, file_alloc_security); diff --git a/security/security.c b/security/security.c index c4c673240c1c..5259270e558f 100644 --- a/security/security.c +++ b/security/security.c @@ -434,6 +434,21 @@ int security_path_truncate(struct path *path, loff_t length, return 0; return security_ops->path_truncate(path, length, time_attrs); } + +int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt, + mode_t mode) +{ + if (unlikely(IS_PRIVATE(dentry->d_inode))) + return 0; + return security_ops->path_chmod(dentry, mnt, mode); +} + +int security_path_chown(struct path *path, uid_t uid, gid_t gid) +{ + if (unlikely(IS_PRIVATE(path->dentry->d_inode))) + return 0; + return security_ops->path_chown(path, uid, gid); +} #endif int security_inode_create(struct inode *dir, struct dentry *dentry, int mode) -- cgit From 8b8efb44033c7e86b3dc76f825c693ec92ae30e9 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Sun, 4 Oct 2009 21:49:48 +0900 Subject: LSM: Add security_path_chroot(). This patch allows pathname based LSM modules to check chroot() operations. This hook is used by TOMOYO. Signed-off-by: Tetsuo Handa Signed-off-by: James Morris --- security/capability.c | 6 ++++++ security/security.c | 5 +++++ 2 files changed, 11 insertions(+) (limited to 'security') diff --git a/security/capability.c b/security/capability.c index 09279a8d4a14..4f3ab476937f 100644 --- a/security/capability.c +++ b/security/capability.c @@ -319,6 +319,11 @@ static int cap_path_chown(struct path *path, uid_t uid, gid_t gid) { return 0; } + +static int cap_path_chroot(struct path *root) +{ + return 0; +} #endif static int cap_file_permission(struct file *file, int mask) @@ -990,6 +995,7 @@ void security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, path_truncate); set_to_cap_if_null(ops, path_chmod); set_to_cap_if_null(ops, path_chown); + set_to_cap_if_null(ops, path_chroot); #endif set_to_cap_if_null(ops, file_permission); set_to_cap_if_null(ops, file_alloc_security); diff --git a/security/security.c b/security/security.c index 5259270e558f..279757314a05 100644 --- a/security/security.c +++ b/security/security.c @@ -449,6 +449,11 @@ int security_path_chown(struct path *path, uid_t uid, gid_t gid) return 0; return security_ops->path_chown(path, uid, gid); } + +int security_path_chroot(struct path *path) +{ + return security_ops->path_chroot(path); +} #endif int security_inode_create(struct inode *dir, struct dentry *dentry, int mode) -- cgit From b7f3008ad1d795935551e4dd810b0255a7bfa3c9 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 19 Oct 2009 10:08:50 -0400 Subject: SELinux: fix locking issue introduced with c6d3aaa4e35c71a3 Ensure that we release the policy read lock on all exit paths from security_compute_av. Signed-off-by: Stephen D. Smalley Signed-off-by: James Morris --- security/selinux/ss/services.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'security') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f270e378c0e4..77f6e54bb43f 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -935,19 +935,22 @@ int security_compute_av(u32 ssid, u32 requested; int rc; + read_lock(&policy_rwlock); + if (!ss_initialized) goto allow; - read_lock(&policy_rwlock); requested = unmap_perm(orig_tclass, orig_requested); tclass = unmap_class(orig_tclass); if (unlikely(orig_tclass && !tclass)) { if (policydb.allow_unknown) goto allow; - return -EINVAL; + rc = -EINVAL; + goto out; } rc = security_compute_av_core(ssid, tsid, tclass, requested, avd); map_decision(orig_tclass, avd, policydb.allow_unknown); +out: read_unlock(&policy_rwlock); return rc; allow: @@ -956,7 +959,8 @@ allow: avd->auditdeny = 0xffffffff; avd->seqno = latest_granting; avd->flags = 0; - return 0; + rc = 0; + goto out; } int security_compute_av_user(u32 ssid, -- cgit From 3e1c2515acf70448cad1ae3ab835ca80be043d33 Mon Sep 17 00:00:00 2001 From: James Morris Date: Tue, 20 Oct 2009 13:48:33 +0900 Subject: security: remove root_plug Remove the root_plug example LSM code. It's unmaintained and increasingly broken in various ways. Made at the 2009 Kernel Summit in Tokyo! Acked-by: Greg Kroah-Hartman Signed-off-by: James Morris --- security/Kconfig | 13 -------- security/Makefile | 1 - security/commoncap.c | 2 +- security/root_plug.c | 90 ---------------------------------------------------- 4 files changed, 1 insertion(+), 105 deletions(-) delete mode 100644 security/root_plug.c (limited to 'security') diff --git a/security/Kconfig b/security/Kconfig index fb363cd81cf6..aeea8c2bb59c 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -100,19 +100,6 @@ config SECURITY_FILE_CAPABILITIES If in doubt, answer N. -config SECURITY_ROOTPLUG - bool "Root Plug Support" - depends on USB=y && SECURITY - help - This is a sample LSM module that should only be used as such. - It prevents any programs running with egid == 0 if a specific - USB device is not present in the system. - - See for - more information about this module. - - If you are unsure how to answer this question, answer N. - config INTEL_TXT bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" depends on HAVE_INTEL_TXT diff --git a/security/Makefile b/security/Makefile index 95ecc06392d7..bb44e350c618 100644 --- a/security/Makefile +++ b/security/Makefile @@ -18,7 +18,6 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o obj-$(CONFIG_AUDIT) += lsm_audit.o obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o -obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists diff --git a/security/commoncap.c b/security/commoncap.c index fe30751a6cd9..45b87af4ae5d 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1,4 +1,4 @@ -/* Common capabilities, needed by capability.o and root_plug.o +/* Common capabilities, needed by capability.o. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/security/root_plug.c b/security/root_plug.c deleted file mode 100644 index 2f7ffa67c4d2..000000000000 --- a/security/root_plug.c +++ /dev/null @@ -1,90 +0,0 @@ -/* - * Root Plug sample LSM module - * - * Originally written for a Linux Journal. - * - * Copyright (C) 2002 Greg Kroah-Hartman - * - * Prevents any programs running with egid == 0 if a specific USB device - * is not present in the system. Yes, it can be gotten around, but is a - * nice starting point for people to play with, and learn the LSM - * interface. - * - * If you want to turn this into something with a semblance of security, - * you need to hook the task_* functions also. - * - * See http://www.linuxjournal.com/article.php?sid=6279 for more information - * about this code. - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, version 2 of the - * License. - */ - -#include -#include -#include -#include -#include - -/* default is a generic type of usb to serial converter */ -static int vendor_id = 0x0557; -static int product_id = 0x2008; - -module_param(vendor_id, uint, 0400); -module_param(product_id, uint, 0400); - -/* should we print out debug messages */ -static int debug = 0; - -module_param(debug, bool, 0600); - -#define MY_NAME "root_plug" - -#define root_dbg(fmt, arg...) \ - do { \ - if (debug) \ - printk(KERN_DEBUG "%s: %s: " fmt , \ - MY_NAME , __func__ , \ - ## arg); \ - } while (0) - -static int rootplug_bprm_check_security (struct linux_binprm *bprm) -{ - struct usb_device *dev; - - root_dbg("file %s, e_uid = %d, e_gid = %d\n", - bprm->filename, bprm->cred->euid, bprm->cred->egid); - - if (bprm->cred->egid == 0) { - dev = usb_find_device(vendor_id, product_id); - if (!dev) { - root_dbg("e_gid = 0, and device not found, " - "task not allowed to run...\n"); - return -EPERM; - } - usb_put_dev(dev); - } - - return 0; -} - -static struct security_operations rootplug_security_ops = { - .bprm_check_security = rootplug_bprm_check_security, -}; - -static int __init rootplug_init (void) -{ - /* register ourselves with the security framework */ - if (register_security (&rootplug_security_ops)) { - printk (KERN_INFO - "Failure registering Root Plug module with the kernel\n"); - return -EINVAL; - } - printk (KERN_INFO "Root Plug module initialized, " - "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id); - return 0; -} - -security_initcall (rootplug_init); -- cgit From 6e8e16c7bc298d7887584c3d027e05db3e86eed9 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 22 Oct 2009 15:38:26 -0400 Subject: SELinux: add .gitignore files for dynamic classes The SELinux dynamic class work in c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c creates a number of dynamic header files and scripts. Add .gitignore files so git doesn't complain about these. Signed-off-by: Eric Paris Acked-by: Stephen D. Smalley Signed-off-by: James Morris --- security/selinux/.gitignore | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 security/selinux/.gitignore (limited to 'security') diff --git a/security/selinux/.gitignore b/security/selinux/.gitignore new file mode 100644 index 000000000000..2e5040a3d48b --- /dev/null +++ b/security/selinux/.gitignore @@ -0,0 +1,2 @@ +av_permissions.h +flask.h -- cgit From 6c21a7fb492bf7e2c4985937082ce58ddeca84bd Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Thu, 22 Oct 2009 17:30:13 -0400 Subject: LSM: imbed ima calls in the security hooks Based on discussions on LKML and LSM, where there are consecutive security_ and ima_ calls in the vfs layer, move the ima_ calls to the existing security_ hooks. Signed-off-by: Mimi Zohar Signed-off-by: James Morris --- security/integrity/ima/Kconfig | 1 + security/security.c | 28 +++++++++++++++++++++++++--- 2 files changed, 26 insertions(+), 3 deletions(-) (limited to 'security') diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 53d9764e8f09..3d7846de8069 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -3,6 +3,7 @@ config IMA bool "Integrity Measurement Architecture(IMA)" depends on ACPI + depends on SECURITY select SECURITYFS select CRYPTO select CRYPTO_HMAC diff --git a/security/security.c b/security/security.c index 279757314a05..684d5ee655da 100644 --- a/security/security.c +++ b/security/security.c @@ -16,6 +16,7 @@ #include #include #include +#include /* Boot-time LSM user choice */ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; @@ -235,7 +236,12 @@ int security_bprm_set_creds(struct linux_binprm *bprm) int security_bprm_check(struct linux_binprm *bprm) { - return security_ops->bprm_check_security(bprm); + int ret; + + ret = security_ops->bprm_check_security(bprm); + if (ret) + return ret; + return ima_bprm_check(bprm); } void security_bprm_committing_creds(struct linux_binprm *bprm) @@ -352,12 +358,21 @@ EXPORT_SYMBOL(security_sb_parse_opts_str); int security_inode_alloc(struct inode *inode) { + int ret; + inode->i_security = NULL; - return security_ops->inode_alloc_security(inode); + ret = security_ops->inode_alloc_security(inode); + if (ret) + return ret; + ret = ima_inode_alloc(inode); + if (ret) + security_inode_free(inode); + return ret; } void security_inode_free(struct inode *inode) { + ima_inode_free(inode); security_ops->inode_free_security(inode); } @@ -648,6 +663,8 @@ int security_file_alloc(struct file *file) void security_file_free(struct file *file) { security_ops->file_free_security(file); + if (file->f_dentry) + ima_file_free(file); } int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) @@ -659,7 +676,12 @@ int security_file_mmap(struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags, unsigned long addr, unsigned long addr_only) { - return security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only); + int ret; + + ret = security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only); + if (ret) + return ret; + return ima_file_mmap(file, prot); } int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, -- cgit From 024e1a49411a1a7363e65db48edf1b09e9ee68ad Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 27 Oct 2009 19:24:46 -0700 Subject: tomoyo: improve hash bucket dispersion When examining the network device name hash, it was discovered that the low order bits of full_name_hash() are not very well dispersed across the possible values. When used by filesystem code, this is handled by folding with the function hash_long(). The only other non-filesystem usage of full_name_hash() at this time appears to be in TOMOYO. This patch should fix that. I do not use TOMOYO at this time, so this patch is build tested only. Signed-off-by: Stephen Hemminger Acked-by: Tetsuo Handa Signed-off-by: James Morris --- security/tomoyo/realpath.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'security') diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index 5f2e33263371..917f564cdab1 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c @@ -13,6 +13,8 @@ #include #include #include +#include + #include "common.h" #include "realpath.h" @@ -263,7 +265,8 @@ static unsigned int tomoyo_quota_for_savename; * table. Frequency of appending strings is very low. So we don't need * large (e.g. 64k) hash size. 256 will be sufficient. */ -#define TOMOYO_MAX_HASH 256 +#define TOMOYO_HASH_BITS 8 +#define TOMOYO_MAX_HASH (1u<entry.hash && !strcmp(name, ptr->entry.name)) goto out; } @@ -365,7 +370,7 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name) tomoyo_fill_path_info(&ptr->entry); fmb->ptr += len; fmb->len -= len; - list_add_tail(&ptr->list, &tomoyo_name_list[hash % TOMOYO_MAX_HASH]); + list_add_tail(&ptr->list, head); if (fmb->len == 0) { list_del(&fmb->list); kfree(fmb); -- cgit From 0e1a6ef2dea88101b056b6d9984f3325c5efced3 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 8 Nov 2009 09:37:00 -0800 Subject: sysctl: require CAP_SYS_RAWIO to set mmap_min_addr Currently the mmap_min_addr value can only be bypassed during mmap when the task has CAP_SYS_RAWIO. However, the mmap_min_addr sysctl value itself can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO. This patch adds a check for the capability before allowing mmap_min_addr to be changed. Signed-off-by: Kees Cook Acked-by: Serge Hallyn Signed-off-by: James Morris --- security/min_addr.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'security') diff --git a/security/min_addr.c b/security/min_addr.c index c844eed7915d..fc43c9d37084 100644 --- a/security/min_addr.c +++ b/security/min_addr.c @@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table, int write, { int ret; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); update_mmap_min_addr(); -- cgit From 6e65f92ff0d6f18580737321718d09035085a3fb Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 5 Nov 2009 17:03:20 -0800 Subject: Config option to set a default LSM The LSM currently requires setting a kernel parameter at boot to select a specific LSM. This adds a config option that allows specifying a default LSM that is used unless overridden with the security= kernel parameter. If the the config option is not set the current behavior of first LSM to register is used. Signed-off-by: John Johansen Acked-by: Serge Hallyn Signed-off-by: James Morris --- security/Kconfig | 32 ++++++++++++++++++++++++++++++++ security/security.c | 9 ++++++--- 2 files changed, 38 insertions(+), 3 deletions(-) (limited to 'security') diff --git a/security/Kconfig b/security/Kconfig index aeea8c2bb59c..95cc08913ca1 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -152,5 +152,37 @@ source security/tomoyo/Kconfig source security/integrity/ima/Kconfig +choice + prompt "Default security module" + default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX + default DEFAULT_SECURITY_SMACK if SECURITY_SMACK + default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO + default DEFAULT_SECURITY_DAC + + help + Select the security module that will be used by default if the + kernel parameter security= is not specified. + + config DEFAULT_SECURITY_SELINUX + bool "SELinux" if SECURITY_SELINUX=y + + config DEFAULT_SECURITY_SMACK + bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y + + config DEFAULT_SECURITY_TOMOYO + bool "TOMOYO" if SECURITY_TOMOYO=y + + config DEFAULT_SECURITY_DAC + bool "Unix Discretionary Access Controls" + +endchoice + +config DEFAULT_SECURITY + string + default "selinux" if DEFAULT_SECURITY_SELINUX + default "smack" if DEFAULT_SECURITY_SMACK + default "tomoyo" if DEFAULT_SECURITY_TOMOYO + default "" if DEFAULT_SECURITY_DAC + endmenu diff --git a/security/security.c b/security/security.c index 684d5ee655da..aad71b2ca195 100644 --- a/security/security.c +++ b/security/security.c @@ -19,7 +19,8 @@ #include /* Boot-time LSM user choice */ -static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; +static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = + CONFIG_DEFAULT_SECURITY; /* things that live in capability.c */ extern struct security_operations default_security_ops; @@ -80,8 +81,10 @@ __setup("security=", choose_lsm); * * Return true if: * -The passed LSM is the one chosen by user at boot time, - * -or user didn't specify a specific LSM and we're the first to ask - * for registration permission, + * -or the passed LSM is configured as the default and the user did not + * choose an alternate LSM at boot time, + * -or there is no default LSM set and the user didn't specify a + * specific LSM and we're the first to ask for registration permission, * -or the passed LSM is currently loaded. * Otherwise, return false. */ -- cgit From dd8dbf2e6880e30c00b18600c962d0cb5a03c555 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 3 Nov 2009 16:35:32 +1100 Subject: security: report the module name to security_module_request For SELinux to do better filtering in userspace we send the name of the module along with the AVC denial when a program is denied module_request. Example output: type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null) type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system Signed-off-by: Eric Paris Signed-off-by: James Morris --- security/capability.c | 2 +- security/lsm_audit.c | 4 ++++ security/security.c | 4 ++-- security/selinux/hooks.c | 13 +++++++++++-- 4 files changed, 18 insertions(+), 5 deletions(-) (limited to 'security') diff --git a/security/capability.c b/security/capability.c index 4f3ab476937f..5c700e1a4fd3 100644 --- a/security/capability.c +++ b/security/capability.c @@ -421,7 +421,7 @@ static int cap_kernel_create_files_as(struct cred *new, struct inode *inode) return 0; } -static int cap_kernel_module_request(void) +static int cap_kernel_module_request(char *kmod_name) { return 0; } diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 3bb90b6f1dd3..51bd0fd9c9f0 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c @@ -354,6 +354,10 @@ static void dump_common_audit_data(struct audit_buffer *ab, } break; #endif + case LSM_AUDIT_DATA_KMOD: + audit_log_format(ab, " kmod="); + audit_log_untrustedstring(ab, a->u.kmod_name); + break; } /* switch (a->type) */ } diff --git a/security/security.c b/security/security.c index aad71b2ca195..24e060be9fa5 100644 --- a/security/security.c +++ b/security/security.c @@ -764,9 +764,9 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode) return security_ops->kernel_create_files_as(new, inode); } -int security_kernel_module_request(void) +int security_kernel_module_request(char *kmod_name) { - return security_ops->kernel_module_request(); + return security_ops->kernel_module_request(kmod_name); } int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a29d6612a328..c96d63ec4753 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3337,9 +3337,18 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) return 0; } -static int selinux_kernel_module_request(void) +static int selinux_kernel_module_request(char *kmod_name) { - return task_has_system(current, SYSTEM__MODULE_REQUEST); + u32 sid; + struct common_audit_data ad; + + sid = task_sid(current); + + COMMON_AUDIT_DATA_INIT(&ad, KMOD); + ad.u.kmod_name = kmod_name; + + return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM, + SYSTEM__MODULE_REQUEST, &ad); } static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) -- cgit From 0bce95279909aa4cc401a2e3140b4295ca22e72a Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Mon, 23 Nov 2009 16:47:23 -0500 Subject: SELinux: print denials for buggy kernel with unknown perms Historically we've seen cases where permissions are requested for classes where they do not exist. In particular we have seen CIFS forget to set i_mode to indicate it is a directory so when we later check something like remove_name we have problems since it wasn't defined in tclass file. This used to result in a avc which included the permission 0x2000 or something. Currently the kernel will deny the operations (good thing) but will not print ANY information (bad thing). First the auditdeny field is no extended to include unknown permissions. After that is fixed the logic in avc_dump_query to output this information isn't right since it will remove the permission from the av and print the phrase "". This takes us back to the behavior before the classmap rewrite. Signed-off-by: Eric Paris Signed-off-by: James Morris --- security/selinux/avc.c | 2 +- security/selinux/ss/services.c | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) (limited to 'security') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 18f4103e02b7..f2dde268165a 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -117,7 +117,7 @@ static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) i = 0; perm = 1; while (i < (sizeof(av) * 8)) { - if (perm & av) { + if ((perm & av) && perms[i]) { audit_log_format(ab, " %s", perms[i]); av &= ~perm; } diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 77f6e54bb43f..d6bb20cbad62 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -239,6 +239,13 @@ static void map_decision(u16 tclass, struct av_decision *avd, if (!allow_unknown && !current_mapping[tclass].perms[i]) result |= 1<auditdeny = result; } } -- cgit From b3a222e52e4d4be77cc4520a57af1a4a0d8222d1 Mon Sep 17 00:00:00 2001 From: "Serge E. Hallyn" Date: Mon, 23 Nov 2009 16:21:30 -0600 Subject: remove CONFIG_SECURITY_FILE_CAPABILITIES compile option As far as I know, all distros currently ship kernels with default CONFIG_SECURITY_FILE_CAPABILITIES=y. Since having the option on leaves a 'no_file_caps' option to boot without file capabilities, the main reason to keep the option is that turning it off saves you (on my s390x partition) 5k. In particular, vmlinux sizes came to: without patch fscaps=n: 53598392 without patch fscaps=y: 53603406 with this patch applied: 53603342 with the security-next tree. Against this we must weigh the fact that there is no simple way for userspace to figure out whether file capabilities are supported, while things like per-process securebits, capability bounding sets, and adding bits to pI if CAP_SETPCAP is in pE are not supported with SECURITY_FILE_CAPABILITIES=n, leaving a bit of a problem for applications wanting to know whether they can use them and/or why something failed. It also adds another subtly different set of semantics which we must maintain at the risk of severe security regressions. So this patch removes the SECURITY_FILE_CAPABILITIES compile option. It drops the kernel size by about 50k over the stock SECURITY_FILE_CAPABILITIES=y kernel, by removing the cap_limit_ptraced_target() function. Changelog: Nov 20: remove cap_limit_ptraced_target() as it's logic was ifndef'ed. Signed-off-by: Serge E. Hallyn Acked-by: Andrew G. Morgan" Signed-off-by: James Morris --- security/Kconfig | 9 ------- security/commoncap.c | 72 ++-------------------------------------------------- 2 files changed, 2 insertions(+), 79 deletions(-) (limited to 'security') diff --git a/security/Kconfig b/security/Kconfig index 95cc08913ca1..226b9556b25f 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -91,15 +91,6 @@ config SECURITY_PATH implement pathname based access controls. If you are unsure how to answer this question, answer N. -config SECURITY_FILE_CAPABILITIES - bool "File POSIX Capabilities" - default n - help - This enables filesystem capabilities, allowing you to give - binaries a subset of root's powers without using setuid 0. - - If in doubt, answer N. - config INTEL_TXT bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" depends on HAVE_INTEL_TXT diff --git a/security/commoncap.c b/security/commoncap.c index 45b87af4ae5d..f800fdb3de94 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -173,7 +173,6 @@ int cap_capget(struct task_struct *target, kernel_cap_t *effective, */ static inline int cap_inh_is_capped(void) { -#ifdef CONFIG_SECURITY_FILE_CAPABILITIES /* they are so limited unless the current task has the CAP_SETPCAP * capability @@ -181,7 +180,6 @@ static inline int cap_inh_is_capped(void) if (cap_capable(current, current_cred(), CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) return 0; -#endif return 1; } @@ -239,8 +237,6 @@ static inline void bprm_clear_caps(struct linux_binprm *bprm) bprm->cap_effective = false; } -#ifdef CONFIG_SECURITY_FILE_CAPABILITIES - /** * cap_inode_need_killpriv - Determine if inode change affects privileges * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV @@ -421,49 +417,6 @@ out: return rc; } -#else -int cap_inode_need_killpriv(struct dentry *dentry) -{ - return 0; -} - -int cap_inode_killpriv(struct dentry *dentry) -{ - return 0; -} - -int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps) -{ - memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); - return -ENODATA; -} - -static inline int get_file_caps(struct linux_binprm *bprm, bool *effective) -{ - bprm_clear_caps(bprm); - return 0; -} -#endif - -/* - * Determine whether a exec'ing process's new permitted capabilities should be - * limited to just what it already has. - * - * This prevents processes that are being ptraced from gaining access to - * CAP_SETPCAP, unless the process they're tracing already has it, and the - * binary they're executing has filecaps that elevate it. - * - * Returns 1 if they should be limited, 0 if they are not. - */ -static inline int cap_limit_ptraced_target(void) -{ -#ifndef CONFIG_SECURITY_FILE_CAPABILITIES - if (capable(CAP_SETPCAP)) - return 0; -#endif - return 1; -} - /** * cap_bprm_set_creds - Set up the proposed credentials for execve(). * @bprm: The execution parameters, including the proposed creds @@ -523,9 +476,8 @@ skip: new->euid = new->uid; new->egid = new->gid; } - if (cap_limit_ptraced_target()) - new->cap_permitted = cap_intersect(new->cap_permitted, - old->cap_permitted); + new->cap_permitted = cap_intersect(new->cap_permitted, + old->cap_permitted); } new->suid = new->fsuid = new->euid; @@ -739,7 +691,6 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags) return 0; } -#ifdef CONFIG_SECURITY_FILE_CAPABILITIES /* * Rationale: code calling task_setscheduler, task_setioprio, and * task_setnice, assumes that @@ -820,22 +771,6 @@ static long cap_prctl_drop(struct cred *new, unsigned long cap) return 0; } -#else -int cap_task_setscheduler (struct task_struct *p, int policy, - struct sched_param *lp) -{ - return 0; -} -int cap_task_setioprio (struct task_struct *p, int ioprio) -{ - return 0; -} -int cap_task_setnice (struct task_struct *p, int nice) -{ - return 0; -} -#endif - /** * cap_task_prctl - Implement process control functions for this security module * @option: The process control function requested @@ -866,7 +801,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, error = !!cap_raised(new->cap_bset, arg2); goto no_change; -#ifdef CONFIG_SECURITY_FILE_CAPABILITIES case PR_CAPBSET_DROP: error = cap_prctl_drop(new, arg2); if (error < 0) @@ -917,8 +851,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, error = new->securebits; goto no_change; -#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ - case PR_GET_KEEPCAPS: if (issecure(SECURE_KEEP_CAPS)) error = 1; -- cgit From 7539cf4b92be4aecc573ea962135f246a7a33401 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Tue, 24 Nov 2009 22:00:05 +0900 Subject: TOMOYO: Add recursive directory matching operator support. TOMOYO 1.7.1 has recursive directory matching operator support. I want to add it to TOMOYO for Linux 2.6.33 . ---------- [PATCH] TOMOYO: Add recursive directory matching operator support. This patch introduces new operator /\{dir\}/ which matches '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/ /dir/dir/dir/ ). Signed-off-by: Tetsuo Handa Acked-by: John Johansen Signed-off-by: James Morris --- security/tomoyo/common.c | 200 ++++++++++++++++++++++++++++------------------- security/tomoyo/common.h | 4 - 2 files changed, 121 insertions(+), 83 deletions(-) (limited to 'security') diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 3c8bd8ee0b95..e0d0354008b7 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -187,6 +187,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, const s8 pattern_type, const s8 end_type, const char *function) { + const char *const start = filename; + bool in_repetition = false; bool contains_pattern = false; unsigned char c; unsigned char d; @@ -212,9 +214,13 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, if (c == '/') goto out; } - while ((c = *filename++) != '\0') { + while (1) { + c = *filename++; + if (!c) + break; if (c == '\\') { - switch ((c = *filename++)) { + c = *filename++; + switch (c) { case '\\': /* "\\" */ continue; case '$': /* "\$" */ @@ -231,6 +237,22 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, break; /* Must not contain pattern */ contains_pattern = true; continue; + case '{': /* "/\{" */ + if (filename - 3 < start || + *(filename - 3) != '/') + break; + if (pattern_type == -1) + break; /* Must not contain pattern */ + contains_pattern = true; + in_repetition = true; + continue; + case '}': /* "\}/" */ + if (*filename != '/') + break; + if (!in_repetition) + break; + in_repetition = false; + continue; case '0': /* "\ooo" */ case '1': case '2': @@ -246,6 +268,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, continue; /* pattern is not \000 */ } goto out; + } else if (in_repetition && c == '/') { + goto out; } else if (tomoyo_is_invalid(c)) { goto out; } @@ -254,6 +278,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, if (!contains_pattern) goto out; } + if (in_repetition) + goto out; return true; out: printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function, @@ -359,33 +385,6 @@ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname) return NULL; } -/** - * tomoyo_path_depth - Evaluate the number of '/' in a string. - * - * @pathname: The string to evaluate. - * - * Returns path depth of the string. - * - * I score 2 for each of the '/' in the @pathname - * and score 1 if the @pathname ends with '/'. - */ -static int tomoyo_path_depth(const char *pathname) -{ - int i = 0; - - if (pathname) { - const char *ep = pathname + strlen(pathname); - if (pathname < ep--) { - if (*ep != '/') - i++; - while (pathname <= ep) - if (*ep-- == '/') - i += 2; - } - } - return i; -} - /** * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token. * @@ -444,11 +443,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr) ptr->is_dir = len && (name[len - 1] == '/'); ptr->is_patterned = (ptr->const_len < len); ptr->hash = full_name_hash(name, len); - ptr->depth = tomoyo_path_depth(name); } /** - * tomoyo_file_matches_to_pattern2 - Pattern matching without '/' character + * tomoyo_file_matches_pattern2 - Pattern matching without '/' character * and "\-" pattern. * * @filename: The start of string to check. @@ -458,10 +456,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr) * * Returns true if @filename matches @pattern, false otherwise. */ -static bool tomoyo_file_matches_to_pattern2(const char *filename, - const char *filename_end, - const char *pattern, - const char *pattern_end) +static bool tomoyo_file_matches_pattern2(const char *filename, + const char *filename_end, + const char *pattern, + const char *pattern_end) { while (filename < filename_end && pattern < pattern_end) { char c; @@ -519,7 +517,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename, case '*': case '@': for (i = 0; i <= filename_end - filename; i++) { - if (tomoyo_file_matches_to_pattern2( + if (tomoyo_file_matches_pattern2( filename + i, filename_end, pattern + 1, pattern_end)) return true; @@ -550,7 +548,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename, j++; } for (i = 1; i <= j; i++) { - if (tomoyo_file_matches_to_pattern2( + if (tomoyo_file_matches_pattern2( filename + i, filename_end, pattern + 1, pattern_end)) return true; @@ -567,7 +565,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename, } /** - * tomoyo_file_matches_to_pattern - Pattern matching without without '/' character. + * tomoyo_file_matches_pattern - Pattern matching without without '/' character. * * @filename: The start of string to check. * @filename_end: The end of string to check. @@ -576,7 +574,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename, * * Returns true if @filename matches @pattern, false otherwise. */ -static bool tomoyo_file_matches_to_pattern(const char *filename, +static bool tomoyo_file_matches_pattern(const char *filename, const char *filename_end, const char *pattern, const char *pattern_end) @@ -589,10 +587,10 @@ static bool tomoyo_file_matches_to_pattern(const char *filename, /* Split at "\-" pattern. */ if (*pattern++ != '\\' || *pattern++ != '-') continue; - result = tomoyo_file_matches_to_pattern2(filename, - filename_end, - pattern_start, - pattern - 2); + result = tomoyo_file_matches_pattern2(filename, + filename_end, + pattern_start, + pattern - 2); if (first) result = !result; if (result) @@ -600,13 +598,79 @@ static bool tomoyo_file_matches_to_pattern(const char *filename, first = false; pattern_start = pattern; } - result = tomoyo_file_matches_to_pattern2(filename, filename_end, - pattern_start, pattern_end); + result = tomoyo_file_matches_pattern2(filename, filename_end, + pattern_start, pattern_end); return first ? result : !result; } +/** + * tomoyo_path_matches_pattern2 - Do pathname pattern matching. + * + * @f: The start of string to check. + * @p: The start of pattern to compare. + * + * Returns true if @f matches @p, false otherwise. + */ +static bool tomoyo_path_matches_pattern2(const char *f, const char *p) +{ + const char *f_delimiter; + const char *p_delimiter; + + while (*f && *p) { + f_delimiter = strchr(f, '/'); + if (!f_delimiter) + f_delimiter = f + strlen(f); + p_delimiter = strchr(p, '/'); + if (!p_delimiter) + p_delimiter = p + strlen(p); + if (*p == '\\' && *(p + 1) == '{') + goto recursive; + if (!tomoyo_file_matches_pattern(f, f_delimiter, p, + p_delimiter)) + return false; + f = f_delimiter; + if (*f) + f++; + p = p_delimiter; + if (*p) + p++; + } + /* Ignore trailing "\*" and "\@" in @pattern. */ + while (*p == '\\' && + (*(p + 1) == '*' || *(p + 1) == '@')) + p += 2; + return !*f && !*p; + recursive: + /* + * The "\{" pattern is permitted only after '/' character. + * This guarantees that below "*(p - 1)" is safe. + * Also, the "\}" pattern is permitted only before '/' character + * so that "\{" + "\}" pair will not break the "\-" operator. + */ + if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' || + *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\') + return false; /* Bad pattern. */ + do { + /* Compare current component with pattern. */ + if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2, + p_delimiter - 2)) + break; + /* Proceed to next component. */ + f = f_delimiter; + if (!*f) + break; + f++; + /* Continue comparison. */ + if (tomoyo_path_matches_pattern2(f, p_delimiter + 1)) + return true; + f_delimiter = strchr(f, '/'); + } while (f_delimiter); + return false; /* Not matched. */ +} + /** * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern. + * * @filename: The filename to check. * @pattern: The pattern to compare. * @@ -615,24 +679,24 @@ static bool tomoyo_file_matches_to_pattern(const char *filename, * The following patterns are available. * \\ \ itself. * \ooo Octal representation of a byte. - * \* More than or equals to 0 character other than '/'. - * \@ More than or equals to 0 character other than '/' or '.'. + * \* Zero or more repetitions of characters other than '/'. + * \@ Zero or more repetitions of characters other than '/' or '.'. * \? 1 byte character other than '/'. - * \$ More than or equals to 1 decimal digit. + * \$ One or more repetitions of decimal digits. * \+ 1 decimal digit. - * \X More than or equals to 1 hexadecimal digit. + * \X One or more repetitions of hexadecimal digits. * \x 1 hexadecimal digit. - * \A More than or equals to 1 alphabet character. + * \A One or more repetitions of alphabet characters. * \a 1 alphabet character. + * * \- Subtraction operator. + * + * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/ + * /dir/dir/dir/ ). */ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, const struct tomoyo_path_info *pattern) { - /* - if (!filename || !pattern) - return false; - */ const char *f = filename->name; const char *p = pattern->name; const int len = pattern->const_len; @@ -640,37 +704,15 @@ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, /* If @pattern doesn't contain pattern, I can use strcmp(). */ if (!pattern->is_patterned) return !tomoyo_pathcmp(filename, pattern); - /* Dont compare if the number of '/' differs. */ - if (filename->depth != pattern->depth) + /* Don't compare directory and non-directory. */ + if (filename->is_dir != pattern->is_dir) return false; /* Compare the initial length without patterns. */ if (strncmp(f, p, len)) return false; f += len; p += len; - /* Main loop. Compare each directory component. */ - while (*f && *p) { - const char *f_delimiter = strchr(f, '/'); - const char *p_delimiter = strchr(p, '/'); - if (!f_delimiter) - f_delimiter = f + strlen(f); - if (!p_delimiter) - p_delimiter = p + strlen(p); - if (!tomoyo_file_matches_to_pattern(f, f_delimiter, - p, p_delimiter)) - return false; - f = f_delimiter; - if (*f) - f++; - p = p_delimiter; - if (*p) - p++; - } - /* Ignore trailing "\*" and "\@" in @pattern. */ - while (*p == '\\' && - (*(p + 1) == '*' || *(p + 1) == '@')) - p += 2; - return !*f && !*p; + return tomoyo_path_matches_pattern2(f, p); } /** diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 31df541911f7..92169d29b2db 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -56,9 +56,6 @@ struct tomoyo_page_buffer { * (5) "is_patterned" is a bool which is true if "name" contains wildcard * characters, false otherwise. This allows TOMOYO to use "hash" and * strcmp() for string comparison if "is_patterned" is false. - * (6) "depth" is calculated using the number of "/" characters in "name". - * This allows TOMOYO to avoid comparing two pathnames which never match - * (e.g. whether "/var/www/html/index.html" matches "/tmp/sh-thd-\$"). */ struct tomoyo_path_info { const char *name; @@ -66,7 +63,6 @@ struct tomoyo_path_info { u16 const_len; /* = tomoyo_const_part_length(name) */ bool is_dir; /* = tomoyo_strendswith(name, "/") */ bool is_patterned; /* = tomoyo_path_contains_pattern(name) */ - u16 depth; /* = tomoyo_path_depth(name) */ }; /* -- cgit