Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
858f61c4
Commit
858f61c4
authored
Oct 01, 2014
by
James Morris
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'next' of
git://git.infradead.org/users/pcmoore/selinux
into next
parents
6c8ff877
4093a844
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
115 additions
and
83 deletions
+115
-83
security/selinux/hooks.c
security/selinux/hooks.c
+79
-56
security/selinux/include/netif.h
security/selinux/include/netif.h
+3
-1
security/selinux/include/objsec.h
security/selinux/include/objsec.h
+2
-0
security/selinux/netif.c
security/selinux/netif.c
+23
-20
security/selinux/ss/services.c
security/selinux/ss/services.c
+8
-6
No files found.
security/selinux/hooks.c
View file @
858f61c4
...
@@ -2097,6 +2097,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
...
@@ -2097,6 +2097,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
/* binprm security operations */
/* binprm security operations */
static
int
check_nnp_nosuid
(
const
struct
linux_binprm
*
bprm
,
const
struct
task_security_struct
*
old_tsec
,
const
struct
task_security_struct
*
new_tsec
)
{
int
nnp
=
(
bprm
->
unsafe
&
LSM_UNSAFE_NO_NEW_PRIVS
);
int
nosuid
=
(
bprm
->
file
->
f_path
.
mnt
->
mnt_flags
&
MNT_NOSUID
);
int
rc
;
if
(
!
nnp
&&
!
nosuid
)
return
0
;
/* neither NNP nor nosuid */
if
(
new_tsec
->
sid
==
old_tsec
->
sid
)
return
0
;
/* No change in credentials */
/*
* The only transitions we permit under NNP or nosuid
* are transitions to bounded SIDs, i.e. SIDs that are
* guaranteed to only be allowed a subset of the permissions
* of the current SID.
*/
rc
=
security_bounded_transition
(
old_tsec
->
sid
,
new_tsec
->
sid
);
if
(
rc
)
{
/*
* On failure, preserve the errno values for NNP vs nosuid.
* NNP: Operation not permitted for caller.
* nosuid: Permission denied to file.
*/
if
(
nnp
)
return
-
EPERM
;
else
return
-
EACCES
;
}
return
0
;
}
static
int
selinux_bprm_set_creds
(
struct
linux_binprm
*
bprm
)
static
int
selinux_bprm_set_creds
(
struct
linux_binprm
*
bprm
)
{
{
const
struct
task_security_struct
*
old_tsec
;
const
struct
task_security_struct
*
old_tsec
;
...
@@ -2133,14 +2168,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -2133,14 +2168,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
/* Reset exec SID on execve. */
/* Reset exec SID on execve. */
new_tsec
->
exec_sid
=
0
;
new_tsec
->
exec_sid
=
0
;
/*
/* Fail on NNP or nosuid if not an allowed transition. */
* Minimize confusion: if no_new_privs or nosuid and a
rc
=
check_nnp_nosuid
(
bprm
,
old_tsec
,
new_tsec
);
* transition is explicitly requested, then fail the exec.
if
(
rc
)
*/
return
rc
;
if
(
bprm
->
unsafe
&
LSM_UNSAFE_NO_NEW_PRIVS
)
return
-
EPERM
;
if
(
bprm
->
file
->
f_path
.
mnt
->
mnt_flags
&
MNT_NOSUID
)
return
-
EACCES
;
}
else
{
}
else
{
/* Check for a default transition on this program. */
/* Check for a default transition on this program. */
rc
=
security_transition_sid
(
old_tsec
->
sid
,
isec
->
sid
,
rc
=
security_transition_sid
(
old_tsec
->
sid
,
isec
->
sid
,
...
@@ -2148,15 +2179,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -2148,15 +2179,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
&
new_tsec
->
sid
);
&
new_tsec
->
sid
);
if
(
rc
)
if
(
rc
)
return
rc
;
return
rc
;
/*
* Fallback to old SID on NNP or nosuid if not an allowed
* transition.
*/
rc
=
check_nnp_nosuid
(
bprm
,
old_tsec
,
new_tsec
);
if
(
rc
)
new_tsec
->
sid
=
old_tsec
->
sid
;
}
}
ad
.
type
=
LSM_AUDIT_DATA_PATH
;
ad
.
type
=
LSM_AUDIT_DATA_PATH
;
ad
.
u
.
path
=
bprm
->
file
->
f_path
;
ad
.
u
.
path
=
bprm
->
file
->
f_path
;
if
((
bprm
->
file
->
f_path
.
mnt
->
mnt_flags
&
MNT_NOSUID
)
||
(
bprm
->
unsafe
&
LSM_UNSAFE_NO_NEW_PRIVS
))
new_tsec
->
sid
=
old_tsec
->
sid
;
if
(
new_tsec
->
sid
==
old_tsec
->
sid
)
{
if
(
new_tsec
->
sid
==
old_tsec
->
sid
)
{
rc
=
avc_has_perm
(
old_tsec
->
sid
,
isec
->
sid
,
rc
=
avc_has_perm
(
old_tsec
->
sid
,
isec
->
sid
,
SECCLASS_FILE
,
FILE__EXECUTE_NO_TRANS
,
&
ad
);
SECCLASS_FILE
,
FILE__EXECUTE_NO_TRANS
,
&
ad
);
...
@@ -4272,15 +4307,15 @@ static int selinux_socket_unix_may_send(struct socket *sock,
...
@@ -4272,15 +4307,15 @@ static int selinux_socket_unix_may_send(struct socket *sock,
&
ad
);
&
ad
);
}
}
static
int
selinux_inet_sys_rcv_skb
(
int
ifindex
,
char
*
addrp
,
u16
family
,
static
int
selinux_inet_sys_rcv_skb
(
struct
net
*
ns
,
int
ifindex
,
u32
peer_sid
,
char
*
addrp
,
u16
family
,
u32
peer_sid
,
struct
common_audit_data
*
ad
)
struct
common_audit_data
*
ad
)
{
{
int
err
;
int
err
;
u32
if_sid
;
u32
if_sid
;
u32
node_sid
;
u32
node_sid
;
err
=
sel_netif_sid
(
ifindex
,
&
if_sid
);
err
=
sel_netif_sid
(
ns
,
ifindex
,
&
if_sid
);
if
(
err
)
if
(
err
)
return
err
;
return
err
;
err
=
avc_has_perm
(
peer_sid
,
if_sid
,
err
=
avc_has_perm
(
peer_sid
,
if_sid
,
...
@@ -4373,8 +4408,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
...
@@ -4373,8 +4408,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
err
=
selinux_skb_peerlbl_sid
(
skb
,
family
,
&
peer_sid
);
err
=
selinux_skb_peerlbl_sid
(
skb
,
family
,
&
peer_sid
);
if
(
err
)
if
(
err
)
return
err
;
return
err
;
err
=
selinux_inet_sys_rcv_skb
(
s
kb
->
skb_iif
,
addrp
,
family
,
err
=
selinux_inet_sys_rcv_skb
(
s
ock_net
(
sk
),
skb
->
skb_iif
,
peer_sid
,
&
ad
);
addrp
,
family
,
peer_sid
,
&
ad
);
if
(
err
)
{
if
(
err
)
{
selinux_netlbl_err
(
skb
,
err
,
0
);
selinux_netlbl_err
(
skb
,
err
,
0
);
return
err
;
return
err
;
...
@@ -4692,10 +4727,9 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
...
@@ -4692,10 +4727,9 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
err
=
selinux_nlmsg_lookup
(
sksec
->
sclass
,
nlh
->
nlmsg_type
,
&
perm
);
err
=
selinux_nlmsg_lookup
(
sksec
->
sclass
,
nlh
->
nlmsg_type
,
&
perm
);
if
(
err
)
{
if
(
err
)
{
if
(
err
==
-
EINVAL
)
{
if
(
err
==
-
EINVAL
)
{
audit_log
(
current
->
audit_context
,
GFP_KERNEL
,
AUDIT_SELINUX_ERR
,
WARN_ONCE
(
1
,
"selinux_nlmsg_perm: unrecognized netlink message:"
"SELinux: unrecognized netlink message"
" protocol=%hu nlmsg_type=%hu sclass=%hu
\n
"
,
" type=%hu for sclass=%hu
\n
"
,
sk
->
sk_protocol
,
nlh
->
nlmsg_type
,
sksec
->
sclass
);
nlh
->
nlmsg_type
,
sksec
->
sclass
);
if
(
!
selinux_enforcing
||
security_get_allow_unknown
())
if
(
!
selinux_enforcing
||
security_get_allow_unknown
())
err
=
0
;
err
=
0
;
}
}
...
@@ -4713,7 +4747,8 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
...
@@ -4713,7 +4747,8 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
#ifdef CONFIG_NETFILTER
#ifdef CONFIG_NETFILTER
static
unsigned
int
selinux_ip_forward
(
struct
sk_buff
*
skb
,
int
ifindex
,
static
unsigned
int
selinux_ip_forward
(
struct
sk_buff
*
skb
,
const
struct
net_device
*
indev
,
u16
family
)
u16
family
)
{
{
int
err
;
int
err
;
...
@@ -4739,14 +4774,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
...
@@ -4739,14 +4774,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
ad
.
type
=
LSM_AUDIT_DATA_NET
;
ad
.
type
=
LSM_AUDIT_DATA_NET
;
ad
.
u
.
net
=
&
net
;
ad
.
u
.
net
=
&
net
;
ad
.
u
.
net
->
netif
=
ifindex
;
ad
.
u
.
net
->
netif
=
i
ndev
->
i
findex
;
ad
.
u
.
net
->
family
=
family
;
ad
.
u
.
net
->
family
=
family
;
if
(
selinux_parse_skb
(
skb
,
&
ad
,
&
addrp
,
1
,
NULL
)
!=
0
)
if
(
selinux_parse_skb
(
skb
,
&
ad
,
&
addrp
,
1
,
NULL
)
!=
0
)
return
NF_DROP
;
return
NF_DROP
;
if
(
peerlbl_active
)
{
if
(
peerlbl_active
)
{
err
=
selinux_inet_sys_rcv_skb
(
ifindex
,
addrp
,
family
,
err
=
selinux_inet_sys_rcv_skb
(
dev_net
(
indev
),
indev
->
ifindex
,
peer_sid
,
&
ad
);
addrp
,
family
,
peer_sid
,
&
ad
);
if
(
err
)
{
if
(
err
)
{
selinux_netlbl_err
(
skb
,
err
,
1
);
selinux_netlbl_err
(
skb
,
err
,
1
);
return
NF_DROP
;
return
NF_DROP
;
...
@@ -4775,7 +4810,7 @@ static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
...
@@ -4775,7 +4810,7 @@ static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
const
struct
net_device
*
out
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
return
selinux_ip_forward
(
skb
,
in
->
ifindex
,
PF_INET
);
return
selinux_ip_forward
(
skb
,
in
,
PF_INET
);
}
}
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
...
@@ -4785,7 +4820,7 @@ static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
...
@@ -4785,7 +4820,7 @@ static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
const
struct
net_device
*
out
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
return
selinux_ip_forward
(
skb
,
in
->
ifindex
,
PF_INET6
);
return
selinux_ip_forward
(
skb
,
in
,
PF_INET6
);
}
}
#endif
/* IPV6 */
#endif
/* IPV6 */
...
@@ -4873,11 +4908,13 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
...
@@ -4873,11 +4908,13 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
return
NF_ACCEPT
;
return
NF_ACCEPT
;
}
}
static
unsigned
int
selinux_ip_postroute
(
struct
sk_buff
*
skb
,
int
ifindex
,
static
unsigned
int
selinux_ip_postroute
(
struct
sk_buff
*
skb
,
const
struct
net_device
*
outdev
,
u16
family
)
u16
family
)
{
{
u32
secmark_perm
;
u32
secmark_perm
;
u32
peer_sid
;
u32
peer_sid
;
int
ifindex
=
outdev
->
ifindex
;
struct
sock
*
sk
;
struct
sock
*
sk
;
struct
common_audit_data
ad
;
struct
common_audit_data
ad
;
struct
lsm_network_audit
net
=
{
0
,};
struct
lsm_network_audit
net
=
{
0
,};
...
@@ -4958,6 +4995,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
...
@@ -4958,6 +4995,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
case
PF_INET6
:
case
PF_INET6
:
if
(
IP6CB
(
skb
)
->
flags
&
IP6SKB_XFRM_TRANSFORMED
)
if
(
IP6CB
(
skb
)
->
flags
&
IP6SKB_XFRM_TRANSFORMED
)
return
NF_ACCEPT
;
return
NF_ACCEPT
;
break
;
default:
default:
return
NF_DROP_ERR
(
-
ECONNREFUSED
);
return
NF_DROP_ERR
(
-
ECONNREFUSED
);
}
}
...
@@ -4989,7 +5027,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
...
@@ -4989,7 +5027,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
u32
if_sid
;
u32
if_sid
;
u32
node_sid
;
u32
node_sid
;
if
(
sel_netif_sid
(
ifindex
,
&
if_sid
))
if
(
sel_netif_sid
(
dev_net
(
outdev
),
ifindex
,
&
if_sid
))
return
NF_DROP
;
return
NF_DROP
;
if
(
avc_has_perm
(
peer_sid
,
if_sid
,
if
(
avc_has_perm
(
peer_sid
,
if_sid
,
SECCLASS_NETIF
,
NETIF__EGRESS
,
&
ad
))
SECCLASS_NETIF
,
NETIF__EGRESS
,
&
ad
))
...
@@ -5011,7 +5049,7 @@ static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
...
@@ -5011,7 +5049,7 @@ static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
const
struct
net_device
*
out
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
return
selinux_ip_postroute
(
skb
,
out
->
ifindex
,
PF_INET
);
return
selinux_ip_postroute
(
skb
,
out
,
PF_INET
);
}
}
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
...
@@ -5021,7 +5059,7 @@ static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
...
@@ -5021,7 +5059,7 @@ static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
const
struct
net_device
*
out
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
return
selinux_ip_postroute
(
skb
,
out
->
ifindex
,
PF_INET6
);
return
selinux_ip_postroute
(
skb
,
out
,
PF_INET6
);
}
}
#endif
/* IPV6 */
#endif
/* IPV6 */
...
@@ -6035,7 +6073,7 @@ security_initcall(selinux_init);
...
@@ -6035,7 +6073,7 @@ security_initcall(selinux_init);
#if defined(CONFIG_NETFILTER)
#if defined(CONFIG_NETFILTER)
static
struct
nf_hook_ops
selinux_
ipv4
_ops
[]
=
{
static
struct
nf_hook_ops
selinux_
nf
_ops
[]
=
{
{
{
.
hook
=
selinux_ipv4_postroute
,
.
hook
=
selinux_ipv4_postroute
,
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
...
@@ -6056,12 +6094,8 @@ static struct nf_hook_ops selinux_ipv4_ops[] = {
...
@@ -6056,12 +6094,8 @@ static struct nf_hook_ops selinux_ipv4_ops[] = {
.
pf
=
NFPROTO_IPV4
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
NF_IP_PRI_SELINUX_FIRST
,
.
priority
=
NF_IP_PRI_SELINUX_FIRST
,
}
},
};
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
static
struct
nf_hook_ops
selinux_ipv6_ops
[]
=
{
{
{
.
hook
=
selinux_ipv6_postroute
,
.
hook
=
selinux_ipv6_postroute
,
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
...
@@ -6075,32 +6109,24 @@ static struct nf_hook_ops selinux_ipv6_ops[] = {
...
@@ -6075,32 +6109,24 @@ static struct nf_hook_ops selinux_ipv6_ops[] = {
.
pf
=
NFPROTO_IPV6
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_FORWARD
,
.
hooknum
=
NF_INET_FORWARD
,
.
priority
=
NF_IP6_PRI_SELINUX_FIRST
,
.
priority
=
NF_IP6_PRI_SELINUX_FIRST
,
}
},
};
#endif
/* IPV6 */
#endif
/* IPV6 */
};
static
int
__init
selinux_nf_ip_init
(
void
)
static
int
__init
selinux_nf_ip_init
(
void
)
{
{
int
err
=
0
;
int
err
;
if
(
!
selinux_enabled
)
if
(
!
selinux_enabled
)
goto
out
;
return
0
;
printk
(
KERN_DEBUG
"SELinux: Registering netfilter hooks
\n
"
);
printk
(
KERN_DEBUG
"SELinux: Registering netfilter hooks
\n
"
);
err
=
nf_register_hooks
(
selinux_
ipv4_ops
,
ARRAY_SIZE
(
selinux_ipv4
_ops
));
err
=
nf_register_hooks
(
selinux_
nf_ops
,
ARRAY_SIZE
(
selinux_nf
_ops
));
if
(
err
)
if
(
err
)
panic
(
"SELinux: nf_register_hooks
for IPv4
: error %d
\n
"
,
err
);
panic
(
"SELinux: nf_register_hooks: error %d
\n
"
,
err
);
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
return
0
;
err
=
nf_register_hooks
(
selinux_ipv6_ops
,
ARRAY_SIZE
(
selinux_ipv6_ops
));
if
(
err
)
panic
(
"SELinux: nf_register_hooks for IPv6: error %d
\n
"
,
err
);
#endif
/* IPV6 */
out:
return
err
;
}
}
__initcall
(
selinux_nf_ip_init
);
__initcall
(
selinux_nf_ip_init
);
...
@@ -6110,10 +6136,7 @@ static void selinux_nf_ip_exit(void)
...
@@ -6110,10 +6136,7 @@ static void selinux_nf_ip_exit(void)
{
{
printk
(
KERN_DEBUG
"SELinux: Unregistering netfilter hooks
\n
"
);
printk
(
KERN_DEBUG
"SELinux: Unregistering netfilter hooks
\n
"
);
nf_unregister_hooks
(
selinux_ipv4_ops
,
ARRAY_SIZE
(
selinux_ipv4_ops
));
nf_unregister_hooks
(
selinux_nf_ops
,
ARRAY_SIZE
(
selinux_nf_ops
));
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
nf_unregister_hooks
(
selinux_ipv6_ops
,
ARRAY_SIZE
(
selinux_ipv6_ops
));
#endif
/* IPV6 */
}
}
#endif
#endif
...
...
security/selinux/include/netif.h
View file @
858f61c4
...
@@ -17,9 +17,11 @@
...
@@ -17,9 +17,11 @@
#ifndef _SELINUX_NETIF_H_
#ifndef _SELINUX_NETIF_H_
#define _SELINUX_NETIF_H_
#define _SELINUX_NETIF_H_
#include <net/net_namespace.h>
void
sel_netif_flush
(
void
);
void
sel_netif_flush
(
void
);
int
sel_netif_sid
(
int
ifindex
,
u32
*
sid
);
int
sel_netif_sid
(
struct
net
*
ns
,
int
ifindex
,
u32
*
sid
);
#endif
/* _SELINUX_NETIF_H_ */
#endif
/* _SELINUX_NETIF_H_ */
security/selinux/include/objsec.h
View file @
858f61c4
...
@@ -24,6 +24,7 @@
...
@@ -24,6 +24,7 @@
#include <linux/binfmts.h>
#include <linux/binfmts.h>
#include <linux/in.h>
#include <linux/in.h>
#include <linux/spinlock.h>
#include <linux/spinlock.h>
#include <net/net_namespace.h>
#include "flask.h"
#include "flask.h"
#include "avc.h"
#include "avc.h"
...
@@ -78,6 +79,7 @@ struct ipc_security_struct {
...
@@ -78,6 +79,7 @@ struct ipc_security_struct {
};
};
struct
netif_security_struct
{
struct
netif_security_struct
{
struct
net
*
ns
;
/* network namespace */
int
ifindex
;
/* device index */
int
ifindex
;
/* device index */
u32
sid
;
/* SID for this interface */
u32
sid
;
/* SID for this interface */
};
};
...
...
security/selinux/netif.c
View file @
858f61c4
...
@@ -45,6 +45,7 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
...
@@ -45,6 +45,7 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
/**
/**
* sel_netif_hashfn - Hashing function for the interface table
* sel_netif_hashfn - Hashing function for the interface table
* @ns: the network namespace
* @ifindex: the network interface
* @ifindex: the network interface
*
*
* Description:
* Description:
...
@@ -52,13 +53,14 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
...
@@ -52,13 +53,14 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
* bucket number for the given interface.
* bucket number for the given interface.
*
*
*/
*/
static
inline
u32
sel_netif_hashfn
(
int
ifindex
)
static
inline
u32
sel_netif_hashfn
(
const
struct
net
*
ns
,
int
ifindex
)
{
{
return
(
ifindex
&
(
SEL_NETIF_HASH_SIZE
-
1
));
return
(
((
uintptr_t
)
ns
+
ifindex
)
&
(
SEL_NETIF_HASH_SIZE
-
1
));
}
}
/**
/**
* sel_netif_find - Search for an interface record
* sel_netif_find - Search for an interface record
* @ns: the network namespace
* @ifindex: the network interface
* @ifindex: the network interface
*
*
* Description:
* Description:
...
@@ -66,15 +68,15 @@ static inline u32 sel_netif_hashfn(int ifindex)
...
@@ -66,15 +68,15 @@ static inline u32 sel_netif_hashfn(int ifindex)
* If an entry can not be found in the table return NULL.
* If an entry can not be found in the table return NULL.
*
*
*/
*/
static
inline
struct
sel_netif
*
sel_netif_find
(
int
ifindex
)
static
inline
struct
sel_netif
*
sel_netif_find
(
const
struct
net
*
ns
,
int
ifindex
)
{
{
int
idx
=
sel_netif_hashfn
(
ifindex
);
int
idx
=
sel_netif_hashfn
(
ns
,
ifindex
);
struct
sel_netif
*
netif
;
struct
sel_netif
*
netif
;
list_for_each_entry_rcu
(
netif
,
&
sel_netif_hash
[
idx
],
list
)
list_for_each_entry_rcu
(
netif
,
&
sel_netif_hash
[
idx
],
list
)
/* all of the devices should normally fit in the hash, so we
if
(
net_eq
(
netif
->
nsec
.
ns
,
ns
)
&&
* optimize for that case */
netif
->
nsec
.
ifindex
==
ifindex
)
if
(
likely
(
netif
->
nsec
.
ifindex
==
ifindex
))
return
netif
;
return
netif
;
return
NULL
;
return
NULL
;
...
@@ -96,7 +98,7 @@ static int sel_netif_insert(struct sel_netif *netif)
...
@@ -96,7 +98,7 @@ static int sel_netif_insert(struct sel_netif *netif)
if
(
sel_netif_total
>=
SEL_NETIF_HASH_MAX
)
if
(
sel_netif_total
>=
SEL_NETIF_HASH_MAX
)
return
-
ENOSPC
;
return
-
ENOSPC
;
idx
=
sel_netif_hashfn
(
netif
->
nsec
.
ifindex
);
idx
=
sel_netif_hashfn
(
netif
->
nsec
.
ns
,
netif
->
nsec
.
ifindex
);
list_add_rcu
(
&
netif
->
list
,
&
sel_netif_hash
[
idx
]);
list_add_rcu
(
&
netif
->
list
,
&
sel_netif_hash
[
idx
]);
sel_netif_total
++
;
sel_netif_total
++
;
...
@@ -120,6 +122,7 @@ static void sel_netif_destroy(struct sel_netif *netif)
...
@@ -120,6 +122,7 @@ static void sel_netif_destroy(struct sel_netif *netif)
/**
/**
* sel_netif_sid_slow - Lookup the SID of a network interface using the policy
* sel_netif_sid_slow - Lookup the SID of a network interface using the policy
* @ns: the network namespace
* @ifindex: the network interface
* @ifindex: the network interface
* @sid: interface SID
* @sid: interface SID
*
*
...
@@ -130,7 +133,7 @@ static void sel_netif_destroy(struct sel_netif *netif)
...
@@ -130,7 +133,7 @@ static void sel_netif_destroy(struct sel_netif *netif)
* failure.
* failure.
*
*
*/
*/
static
int
sel_netif_sid_slow
(
int
ifindex
,
u32
*
sid
)
static
int
sel_netif_sid_slow
(
struct
net
*
ns
,
int
ifindex
,
u32
*
sid
)
{
{
int
ret
;
int
ret
;
struct
sel_netif
*
netif
;
struct
sel_netif
*
netif
;
...
@@ -140,7 +143,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
...
@@ -140,7 +143,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
/* NOTE: we always use init's network namespace since we don't
/* NOTE: we always use init's network namespace since we don't
* currently support containers */
* currently support containers */
dev
=
dev_get_by_index
(
&
init_net
,
ifindex
);
dev
=
dev_get_by_index
(
ns
,
ifindex
);
if
(
unlikely
(
dev
==
NULL
))
{
if
(
unlikely
(
dev
==
NULL
))
{
printk
(
KERN_WARNING
printk
(
KERN_WARNING
"SELinux: failure in sel_netif_sid_slow(),"
"SELinux: failure in sel_netif_sid_slow(),"
...
@@ -149,7 +152,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
...
@@ -149,7 +152,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
}
}
spin_lock_bh
(
&
sel_netif_lock
);
spin_lock_bh
(
&
sel_netif_lock
);
netif
=
sel_netif_find
(
ifindex
);
netif
=
sel_netif_find
(
ns
,
ifindex
);
if
(
netif
!=
NULL
)
{
if
(
netif
!=
NULL
)
{
*
sid
=
netif
->
nsec
.
sid
;
*
sid
=
netif
->
nsec
.
sid
;
ret
=
0
;
ret
=
0
;
...
@@ -163,6 +166,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
...
@@ -163,6 +166,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
ret
=
security_netif_sid
(
dev
->
name
,
&
new
->
nsec
.
sid
);
ret
=
security_netif_sid
(
dev
->
name
,
&
new
->
nsec
.
sid
);
if
(
ret
!=
0
)
if
(
ret
!=
0
)
goto
out
;
goto
out
;
new
->
nsec
.
ns
=
ns
;
new
->
nsec
.
ifindex
=
ifindex
;
new
->
nsec
.
ifindex
=
ifindex
;
ret
=
sel_netif_insert
(
new
);
ret
=
sel_netif_insert
(
new
);
if
(
ret
!=
0
)
if
(
ret
!=
0
)
...
@@ -184,6 +188,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
...
@@ -184,6 +188,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
/**
/**
* sel_netif_sid - Lookup the SID of a network interface
* sel_netif_sid - Lookup the SID of a network interface
* @ns: the network namespace
* @ifindex: the network interface
* @ifindex: the network interface
* @sid: interface SID
* @sid: interface SID
*
*
...
@@ -195,12 +200,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
...
@@ -195,12 +200,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
* on failure.
* on failure.
*
*
*/
*/
int
sel_netif_sid
(
int
ifindex
,
u32
*
sid
)
int
sel_netif_sid
(
struct
net
*
ns
,
int
ifindex
,
u32
*
sid
)
{
{
struct
sel_netif
*
netif
;
struct
sel_netif
*
netif
;
rcu_read_lock
();
rcu_read_lock
();
netif
=
sel_netif_find
(
ifindex
);
netif
=
sel_netif_find
(
ns
,
ifindex
);
if
(
likely
(
netif
!=
NULL
))
{
if
(
likely
(
netif
!=
NULL
))
{
*
sid
=
netif
->
nsec
.
sid
;
*
sid
=
netif
->
nsec
.
sid
;
rcu_read_unlock
();
rcu_read_unlock
();
...
@@ -208,11 +213,12 @@ int sel_netif_sid(int ifindex, u32 *sid)
...
@@ -208,11 +213,12 @@ int sel_netif_sid(int ifindex, u32 *sid)
}
}
rcu_read_unlock
();
rcu_read_unlock
();
return
sel_netif_sid_slow
(
ifindex
,
sid
);
return
sel_netif_sid_slow
(
ns
,
ifindex
,
sid
);
}
}
/**
/**
* sel_netif_kill - Remove an entry from the network interface table
* sel_netif_kill - Remove an entry from the network interface table
* @ns: the network namespace
* @ifindex: the network interface
* @ifindex: the network interface
*
*
* Description:
* Description:
...
@@ -220,13 +226,13 @@ int sel_netif_sid(int ifindex, u32 *sid)
...
@@ -220,13 +226,13 @@ int sel_netif_sid(int ifindex, u32 *sid)
* table if it exists.
* table if it exists.
*
*
*/
*/
static
void
sel_netif_kill
(
int
ifindex
)
static
void
sel_netif_kill
(
const
struct
net
*
ns
,
int
ifindex
)
{
{
struct
sel_netif
*
netif
;
struct
sel_netif
*
netif
;
rcu_read_lock
();
rcu_read_lock
();
spin_lock_bh
(
&
sel_netif_lock
);
spin_lock_bh
(
&
sel_netif_lock
);
netif
=
sel_netif_find
(
ifindex
);
netif
=
sel_netif_find
(
ns
,
ifindex
);
if
(
netif
)
if
(
netif
)
sel_netif_destroy
(
netif
);
sel_netif_destroy
(
netif
);
spin_unlock_bh
(
&
sel_netif_lock
);
spin_unlock_bh
(
&
sel_netif_lock
);
...
@@ -257,11 +263,8 @@ static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
...
@@ -257,11 +263,8 @@ static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
{
{
struct
net_device
*
dev
=
netdev_notifier_info_to_dev
(
ptr
);
struct
net_device
*
dev
=
netdev_notifier_info_to_dev
(
ptr
);
if
(
dev_net
(
dev
)
!=
&
init_net
)
return
NOTIFY_DONE
;
if
(
event
==
NETDEV_DOWN
)
if
(
event
==
NETDEV_DOWN
)
sel_netif_kill
(
dev
->
ifindex
);
sel_netif_kill
(
dev
_net
(
dev
),
dev
->
ifindex
);
return
NOTIFY_DONE
;
return
NOTIFY_DONE
;
}
}
...
...
security/selinux/ss/services.c
View file @
858f61c4
...
@@ -728,7 +728,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
...
@@ -728,7 +728,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
if
(
context_struct_to_string
(
tcontext
,
&
t
,
&
tlen
))
if
(
context_struct_to_string
(
tcontext
,
&
t
,
&
tlen
))
goto
out
;
goto
out
;
audit_log
(
current
->
audit_context
,
GFP_ATOMIC
,
AUDIT_SELINUX_ERR
,
audit_log
(
current
->
audit_context
,
GFP_ATOMIC
,
AUDIT_SELINUX_ERR
,
"
security_validate_transition: denied for
"
"
op=security_validate_transition seresult=denied
"
" oldcontext=%s newcontext=%s taskcontext=%s tclass=%s"
,
" oldcontext=%s newcontext=%s taskcontext=%s tclass=%s"
,
o
,
n
,
t
,
sym_name
(
&
policydb
,
SYM_CLASSES
,
tclass
-
1
));
o
,
n
,
t
,
sym_name
(
&
policydb
,
SYM_CLASSES
,
tclass
-
1
));
out:
out:
...
@@ -877,7 +877,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
...
@@ -877,7 +877,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
audit_log
(
current
->
audit_context
,
audit_log
(
current
->
audit_context
,
GFP_ATOMIC
,
AUDIT_SELINUX_ERR
,
GFP_ATOMIC
,
AUDIT_SELINUX_ERR
,
"op=security_bounded_transition "
"op=security_bounded_transition "
"result=denied "
"
se
result=denied "
"oldcontext=%s newcontext=%s"
,
"oldcontext=%s newcontext=%s"
,
old_name
,
new_name
);
old_name
,
new_name
);
}
}
...
@@ -1351,8 +1351,8 @@ static int compute_sid_handle_invalid_context(
...
@@ -1351,8 +1351,8 @@ static int compute_sid_handle_invalid_context(
if
(
context_struct_to_string
(
newcontext
,
&
n
,
&
nlen
))
if
(
context_struct_to_string
(
newcontext
,
&
n
,
&
nlen
))
goto
out
;
goto
out
;
audit_log
(
current
->
audit_context
,
GFP_ATOMIC
,
AUDIT_SELINUX_ERR
,
audit_log
(
current
->
audit_context
,
GFP_ATOMIC
,
AUDIT_SELINUX_ERR
,
"
security_compute_sid: invalid context
%s"
"
op=security_compute_sid invalid_context=
%s"
"
for
scontext=%s"
" scontext=%s"
" tcontext=%s"
" tcontext=%s"
" tclass=%s"
,
" tclass=%s"
,
n
,
s
,
t
,
sym_name
(
&
policydb
,
SYM_CLASSES
,
tclass
-
1
));
n
,
s
,
t
,
sym_name
(
&
policydb
,
SYM_CLASSES
,
tclass
-
1
));
...
@@ -2607,8 +2607,10 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
...
@@ -2607,8 +2607,10 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
rc
=
convert_context_handle_invalid_context
(
&
newcon
);
rc
=
convert_context_handle_invalid_context
(
&
newcon
);
if
(
rc
)
{
if
(
rc
)
{
if
(
!
context_struct_to_string
(
&
newcon
,
&
s
,
&
len
))
{
if
(
!
context_struct_to_string
(
&
newcon
,
&
s
,
&
len
))
{
audit_log
(
current
->
audit_context
,
GFP_ATOMIC
,
AUDIT_SELINUX_ERR
,
audit_log
(
current
->
audit_context
,
"security_sid_mls_copy: invalid context %s"
,
s
);
GFP_ATOMIC
,
AUDIT_SELINUX_ERR
,
"op=security_sid_mls_copy "
"invalid_context=%s"
,
s
);
kfree
(
s
);
kfree
(
s
);
}
}
goto
out_unlock
;
goto
out_unlock
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment