Commit 858f61c4 authored by James Morris's avatar James Morris

Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next

parents 6c8ff877 4093a844
...@@ -2097,6 +2097,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) ...@@ -2097,6 +2097,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
/* binprm security operations */ /* binprm security operations */
static int check_nnp_nosuid(const struct linux_binprm *bprm,
const struct task_security_struct *old_tsec,
const struct task_security_struct *new_tsec)
{
int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
int rc;
if (!nnp && !nosuid)
return 0; /* neither NNP nor nosuid */
if (new_tsec->sid == old_tsec->sid)
return 0; /* No change in credentials */
/*
* The only transitions we permit under NNP or nosuid
* are transitions to bounded SIDs, i.e. SIDs that are
* guaranteed to only be allowed a subset of the permissions
* of the current SID.
*/
rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
if (rc) {
/*
* On failure, preserve the errno values for NNP vs nosuid.
* NNP: Operation not permitted for caller.
* nosuid: Permission denied to file.
*/
if (nnp)
return -EPERM;
else
return -EACCES;
}
return 0;
}
static int selinux_bprm_set_creds(struct linux_binprm *bprm) static int selinux_bprm_set_creds(struct linux_binprm *bprm)
{ {
const struct task_security_struct *old_tsec; const struct task_security_struct *old_tsec;
...@@ -2133,14 +2168,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) ...@@ -2133,14 +2168,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
/* Reset exec SID on execve. */ /* Reset exec SID on execve. */
new_tsec->exec_sid = 0; new_tsec->exec_sid = 0;
/* /* Fail on NNP or nosuid if not an allowed transition. */
* Minimize confusion: if no_new_privs or nosuid and a rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
* transition is explicitly requested, then fail the exec. if (rc)
*/ return rc;
if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
return -EPERM;
if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
return -EACCES;
} else { } else {
/* Check for a default transition on this program. */ /* Check for a default transition on this program. */
rc = security_transition_sid(old_tsec->sid, isec->sid, rc = security_transition_sid(old_tsec->sid, isec->sid,
...@@ -2148,15 +2179,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) ...@@ -2148,15 +2179,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
&new_tsec->sid); &new_tsec->sid);
if (rc) if (rc)
return rc; return rc;
/*
* Fallback to old SID on NNP or nosuid if not an allowed
* transition.
*/
rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
if (rc)
new_tsec->sid = old_tsec->sid;
} }
ad.type = LSM_AUDIT_DATA_PATH; ad.type = LSM_AUDIT_DATA_PATH;
ad.u.path = bprm->file->f_path; ad.u.path = bprm->file->f_path;
if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
(bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
new_tsec->sid = old_tsec->sid;
if (new_tsec->sid == old_tsec->sid) { if (new_tsec->sid == old_tsec->sid) {
rc = avc_has_perm(old_tsec->sid, isec->sid, rc = avc_has_perm(old_tsec->sid, isec->sid,
SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
...@@ -4272,15 +4307,15 @@ static int selinux_socket_unix_may_send(struct socket *sock, ...@@ -4272,15 +4307,15 @@ static int selinux_socket_unix_may_send(struct socket *sock,
&ad); &ad);
} }
static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
u32 peer_sid, char *addrp, u16 family, u32 peer_sid,
struct common_audit_data *ad) struct common_audit_data *ad)
{ {
int err; int err;
u32 if_sid; u32 if_sid;
u32 node_sid; u32 node_sid;
err = sel_netif_sid(ifindex, &if_sid); err = sel_netif_sid(ns, ifindex, &if_sid);
if (err) if (err)
return err; return err;
err = avc_has_perm(peer_sid, if_sid, err = avc_has_perm(peer_sid, if_sid,
...@@ -4373,8 +4408,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) ...@@ -4373,8 +4408,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
if (err) if (err)
return err; return err;
err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family, err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
peer_sid, &ad); addrp, family, peer_sid, &ad);
if (err) { if (err) {
selinux_netlbl_err(skb, err, 0); selinux_netlbl_err(skb, err, 0);
return err; return err;
...@@ -4692,10 +4727,9 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) ...@@ -4692,10 +4727,9 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
if (err) { if (err) {
if (err == -EINVAL) { if (err == -EINVAL) {
audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, WARN_ONCE(1, "selinux_nlmsg_perm: unrecognized netlink message:"
"SELinux: unrecognized netlink message" " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
" type=%hu for sclass=%hu\n", sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
nlh->nlmsg_type, sksec->sclass);
if (!selinux_enforcing || security_get_allow_unknown()) if (!selinux_enforcing || security_get_allow_unknown())
err = 0; err = 0;
} }
...@@ -4713,7 +4747,8 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) ...@@ -4713,7 +4747,8 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
#ifdef CONFIG_NETFILTER #ifdef CONFIG_NETFILTER
static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, static unsigned int selinux_ip_forward(struct sk_buff *skb,
const struct net_device *indev,
u16 family) u16 family)
{ {
int err; int err;
...@@ -4739,14 +4774,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, ...@@ -4739,14 +4774,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
ad.type = LSM_AUDIT_DATA_NET; ad.type = LSM_AUDIT_DATA_NET;
ad.u.net = &net; ad.u.net = &net;
ad.u.net->netif = ifindex; ad.u.net->netif = indev->ifindex;
ad.u.net->family = family; ad.u.net->family = family;
if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
return NF_DROP; return NF_DROP;
if (peerlbl_active) { if (peerlbl_active) {
err = selinux_inet_sys_rcv_skb(ifindex, addrp, family, err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
peer_sid, &ad); addrp, family, peer_sid, &ad);
if (err) { if (err) {
selinux_netlbl_err(skb, err, 1); selinux_netlbl_err(skb, err, 1);
return NF_DROP; return NF_DROP;
...@@ -4775,7 +4810,7 @@ static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops, ...@@ -4775,7 +4810,7 @@ static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
const struct net_device *out, const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
return selinux_ip_forward(skb, in->ifindex, PF_INET); return selinux_ip_forward(skb, in, PF_INET);
} }
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
...@@ -4785,7 +4820,7 @@ static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops, ...@@ -4785,7 +4820,7 @@ static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
const struct net_device *out, const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
return selinux_ip_forward(skb, in->ifindex, PF_INET6); return selinux_ip_forward(skb, in, PF_INET6);
} }
#endif /* IPV6 */ #endif /* IPV6 */
...@@ -4873,11 +4908,13 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, ...@@ -4873,11 +4908,13 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
return NF_ACCEPT; return NF_ACCEPT;
} }
static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, static unsigned int selinux_ip_postroute(struct sk_buff *skb,
const struct net_device *outdev,
u16 family) u16 family)
{ {
u32 secmark_perm; u32 secmark_perm;
u32 peer_sid; u32 peer_sid;
int ifindex = outdev->ifindex;
struct sock *sk; struct sock *sk;
struct common_audit_data ad; struct common_audit_data ad;
struct lsm_network_audit net = {0,}; struct lsm_network_audit net = {0,};
...@@ -4958,6 +4995,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, ...@@ -4958,6 +4995,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
case PF_INET6: case PF_INET6:
if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
return NF_ACCEPT; return NF_ACCEPT;
break;
default: default:
return NF_DROP_ERR(-ECONNREFUSED); return NF_DROP_ERR(-ECONNREFUSED);
} }
...@@ -4989,7 +5027,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, ...@@ -4989,7 +5027,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
u32 if_sid; u32 if_sid;
u32 node_sid; u32 node_sid;
if (sel_netif_sid(ifindex, &if_sid)) if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
return NF_DROP; return NF_DROP;
if (avc_has_perm(peer_sid, if_sid, if (avc_has_perm(peer_sid, if_sid,
SECCLASS_NETIF, NETIF__EGRESS, &ad)) SECCLASS_NETIF, NETIF__EGRESS, &ad))
...@@ -5011,7 +5049,7 @@ static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops, ...@@ -5011,7 +5049,7 @@ static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
const struct net_device *out, const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
return selinux_ip_postroute(skb, out->ifindex, PF_INET); return selinux_ip_postroute(skb, out, PF_INET);
} }
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
...@@ -5021,7 +5059,7 @@ static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops, ...@@ -5021,7 +5059,7 @@ static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
const struct net_device *out, const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
return selinux_ip_postroute(skb, out->ifindex, PF_INET6); return selinux_ip_postroute(skb, out, PF_INET6);
} }
#endif /* IPV6 */ #endif /* IPV6 */
...@@ -6035,7 +6073,7 @@ security_initcall(selinux_init); ...@@ -6035,7 +6073,7 @@ security_initcall(selinux_init);
#if defined(CONFIG_NETFILTER) #if defined(CONFIG_NETFILTER)
static struct nf_hook_ops selinux_ipv4_ops[] = { static struct nf_hook_ops selinux_nf_ops[] = {
{ {
.hook = selinux_ipv4_postroute, .hook = selinux_ipv4_postroute,
.owner = THIS_MODULE, .owner = THIS_MODULE,
...@@ -6056,12 +6094,8 @@ static struct nf_hook_ops selinux_ipv4_ops[] = { ...@@ -6056,12 +6094,8 @@ static struct nf_hook_ops selinux_ipv4_ops[] = {
.pf = NFPROTO_IPV4, .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT, .hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_SELINUX_FIRST, .priority = NF_IP_PRI_SELINUX_FIRST,
} },
};
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
static struct nf_hook_ops selinux_ipv6_ops[] = {
{ {
.hook = selinux_ipv6_postroute, .hook = selinux_ipv6_postroute,
.owner = THIS_MODULE, .owner = THIS_MODULE,
...@@ -6075,32 +6109,24 @@ static struct nf_hook_ops selinux_ipv6_ops[] = { ...@@ -6075,32 +6109,24 @@ static struct nf_hook_ops selinux_ipv6_ops[] = {
.pf = NFPROTO_IPV6, .pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD, .hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_SELINUX_FIRST, .priority = NF_IP6_PRI_SELINUX_FIRST,
} },
};
#endif /* IPV6 */ #endif /* IPV6 */
};
static int __init selinux_nf_ip_init(void) static int __init selinux_nf_ip_init(void)
{ {
int err = 0; int err;
if (!selinux_enabled) if (!selinux_enabled)
goto out; return 0;
printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
if (err) if (err)
panic("SELinux: nf_register_hooks for IPv4: error %d\n", err); panic("SELinux: nf_register_hooks: error %d\n", err);
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) return 0;
err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
if (err)
panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
#endif /* IPV6 */
out:
return err;
} }
__initcall(selinux_nf_ip_init); __initcall(selinux_nf_ip_init);
...@@ -6110,10 +6136,7 @@ static void selinux_nf_ip_exit(void) ...@@ -6110,10 +6136,7 @@ static void selinux_nf_ip_exit(void)
{ {
printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
#endif /* IPV6 */
} }
#endif #endif
......
...@@ -17,9 +17,11 @@ ...@@ -17,9 +17,11 @@
#ifndef _SELINUX_NETIF_H_ #ifndef _SELINUX_NETIF_H_
#define _SELINUX_NETIF_H_ #define _SELINUX_NETIF_H_
#include <net/net_namespace.h>
void sel_netif_flush(void); void sel_netif_flush(void);
int sel_netif_sid(int ifindex, u32 *sid); int sel_netif_sid(struct net *ns, int ifindex, u32 *sid);
#endif /* _SELINUX_NETIF_H_ */ #endif /* _SELINUX_NETIF_H_ */
...@@ -24,6 +24,7 @@ ...@@ -24,6 +24,7 @@
#include <linux/binfmts.h> #include <linux/binfmts.h>
#include <linux/in.h> #include <linux/in.h>
#include <linux/spinlock.h> #include <linux/spinlock.h>
#include <net/net_namespace.h>
#include "flask.h" #include "flask.h"
#include "avc.h" #include "avc.h"
...@@ -78,6 +79,7 @@ struct ipc_security_struct { ...@@ -78,6 +79,7 @@ struct ipc_security_struct {
}; };
struct netif_security_struct { struct netif_security_struct {
struct net *ns; /* network namespace */
int ifindex; /* device index */ int ifindex; /* device index */
u32 sid; /* SID for this interface */ u32 sid; /* SID for this interface */
}; };
......
...@@ -45,6 +45,7 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE]; ...@@ -45,6 +45,7 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
/** /**
* sel_netif_hashfn - Hashing function for the interface table * sel_netif_hashfn - Hashing function for the interface table
* @ns: the network namespace
* @ifindex: the network interface * @ifindex: the network interface
* *
* Description: * Description:
...@@ -52,13 +53,14 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE]; ...@@ -52,13 +53,14 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
* bucket number for the given interface. * bucket number for the given interface.
* *
*/ */
static inline u32 sel_netif_hashfn(int ifindex) static inline u32 sel_netif_hashfn(const struct net *ns, int ifindex)
{ {
return (ifindex & (SEL_NETIF_HASH_SIZE - 1)); return (((uintptr_t)ns + ifindex) & (SEL_NETIF_HASH_SIZE - 1));
} }
/** /**
* sel_netif_find - Search for an interface record * sel_netif_find - Search for an interface record
* @ns: the network namespace
* @ifindex: the network interface * @ifindex: the network interface
* *
* Description: * Description:
...@@ -66,15 +68,15 @@ static inline u32 sel_netif_hashfn(int ifindex) ...@@ -66,15 +68,15 @@ static inline u32 sel_netif_hashfn(int ifindex)
* If an entry can not be found in the table return NULL. * If an entry can not be found in the table return NULL.
* *
*/ */
static inline struct sel_netif *sel_netif_find(int ifindex) static inline struct sel_netif *sel_netif_find(const struct net *ns,
int ifindex)
{ {
int idx = sel_netif_hashfn(ifindex); int idx = sel_netif_hashfn(ns, ifindex);
struct sel_netif *netif; struct sel_netif *netif;
list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list) list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list)
/* all of the devices should normally fit in the hash, so we if (net_eq(netif->nsec.ns, ns) &&
* optimize for that case */ netif->nsec.ifindex == ifindex)
if (likely(netif->nsec.ifindex == ifindex))
return netif; return netif;
return NULL; return NULL;
...@@ -96,7 +98,7 @@ static int sel_netif_insert(struct sel_netif *netif) ...@@ -96,7 +98,7 @@ static int sel_netif_insert(struct sel_netif *netif)
if (sel_netif_total >= SEL_NETIF_HASH_MAX) if (sel_netif_total >= SEL_NETIF_HASH_MAX)
return -ENOSPC; return -ENOSPC;
idx = sel_netif_hashfn(netif->nsec.ifindex); idx = sel_netif_hashfn(netif->nsec.ns, netif->nsec.ifindex);
list_add_rcu(&netif->list, &sel_netif_hash[idx]); list_add_rcu(&netif->list, &sel_netif_hash[idx]);
sel_netif_total++; sel_netif_total++;
...@@ -120,6 +122,7 @@ static void sel_netif_destroy(struct sel_netif *netif) ...@@ -120,6 +122,7 @@ static void sel_netif_destroy(struct sel_netif *netif)
/** /**
* sel_netif_sid_slow - Lookup the SID of a network interface using the policy * sel_netif_sid_slow - Lookup the SID of a network interface using the policy
* @ns: the network namespace
* @ifindex: the network interface * @ifindex: the network interface
* @sid: interface SID * @sid: interface SID
* *
...@@ -130,7 +133,7 @@ static void sel_netif_destroy(struct sel_netif *netif) ...@@ -130,7 +133,7 @@ static void sel_netif_destroy(struct sel_netif *netif)
* failure. * failure.
* *
*/ */
static int sel_netif_sid_slow(int ifindex, u32 *sid) static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
{ {
int ret; int ret;
struct sel_netif *netif; struct sel_netif *netif;
...@@ -140,7 +143,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid) ...@@ -140,7 +143,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
/* NOTE: we always use init's network namespace since we don't /* NOTE: we always use init's network namespace since we don't
* currently support containers */ * currently support containers */
dev = dev_get_by_index(&init_net, ifindex); dev = dev_get_by_index(ns, ifindex);
if (unlikely(dev == NULL)) { if (unlikely(dev == NULL)) {
printk(KERN_WARNING printk(KERN_WARNING
"SELinux: failure in sel_netif_sid_slow()," "SELinux: failure in sel_netif_sid_slow(),"
...@@ -149,7 +152,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid) ...@@ -149,7 +152,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
} }
spin_lock_bh(&sel_netif_lock); spin_lock_bh(&sel_netif_lock);
netif = sel_netif_find(ifindex); netif = sel_netif_find(ns, ifindex);
if (netif != NULL) { if (netif != NULL) {
*sid = netif->nsec.sid; *sid = netif->nsec.sid;
ret = 0; ret = 0;
...@@ -163,6 +166,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid) ...@@ -163,6 +166,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
ret = security_netif_sid(dev->name, &new->nsec.sid); ret = security_netif_sid(dev->name, &new->nsec.sid);
if (ret != 0) if (ret != 0)
goto out; goto out;
new->nsec.ns = ns;
new->nsec.ifindex = ifindex; new->nsec.ifindex = ifindex;
ret = sel_netif_insert(new); ret = sel_netif_insert(new);
if (ret != 0) if (ret != 0)
...@@ -184,6 +188,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid) ...@@ -184,6 +188,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
/** /**
* sel_netif_sid - Lookup the SID of a network interface * sel_netif_sid - Lookup the SID of a network interface
* @ns: the network namespace
* @ifindex: the network interface * @ifindex: the network interface
* @sid: interface SID * @sid: interface SID
* *
...@@ -195,12 +200,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid) ...@@ -195,12 +200,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
* on failure. * on failure.
* *
*/ */
int sel_netif_sid(int ifindex, u32 *sid) int sel_netif_sid(struct net *ns, int ifindex, u32 *sid)
{ {
struct sel_netif *netif; struct sel_netif *netif;
rcu_read_lock(); rcu_read_lock();
netif = sel_netif_find(ifindex); netif = sel_netif_find(ns, ifindex);
if (likely(netif != NULL)) { if (likely(netif != NULL)) {
*sid = netif->nsec.sid; *sid = netif->nsec.sid;
rcu_read_unlock(); rcu_read_unlock();
...@@ -208,11 +213,12 @@ int sel_netif_sid(int ifindex, u32 *sid) ...@@ -208,11 +213,12 @@ int sel_netif_sid(int ifindex, u32 *sid)
} }
rcu_read_unlock(); rcu_read_unlock();
return sel_netif_sid_slow(ifindex, sid); return sel_netif_sid_slow(ns, ifindex, sid);
} }
/** /**
* sel_netif_kill - Remove an entry from the network interface table * sel_netif_kill - Remove an entry from the network interface table
* @ns: the network namespace
* @ifindex: the network interface * @ifindex: the network interface
* *
* Description: * Description:
...@@ -220,13 +226,13 @@ int sel_netif_sid(int ifindex, u32 *sid) ...@@ -220,13 +226,13 @@ int sel_netif_sid(int ifindex, u32 *sid)
* table if it exists. * table if it exists.
* *
*/ */
static void sel_netif_kill(int ifindex) static void sel_netif_kill(const struct net *ns, int ifindex)
{ {
struct sel_netif *netif; struct sel_netif *netif;
rcu_read_lock(); rcu_read_lock();
spin_lock_bh(&sel_netif_lock); spin_lock_bh(&sel_netif_lock);
netif = sel_netif_find(ifindex); netif = sel_netif_find(ns, ifindex);
if (netif) if (netif)
sel_netif_destroy(netif); sel_netif_destroy(netif);
spin_unlock_bh(&sel_netif_lock); spin_unlock_bh(&sel_netif_lock);
...@@ -257,11 +263,8 @@ static int sel_netif_netdev_notifier_handler(struct notifier_block *this, ...@@ -257,11 +263,8 @@ static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
{ {
struct net_device *dev = netdev_notifier_info_to_dev(ptr); struct net_device *dev = netdev_notifier_info_to_dev(ptr);
if (dev_net(dev) != &init_net)
return NOTIFY_DONE;
if (event == NETDEV_DOWN) if (event == NETDEV_DOWN)
sel_netif_kill(dev->ifindex); sel_netif_kill(dev_net(dev), dev->ifindex);
return NOTIFY_DONE; return NOTIFY_DONE;
} }
......
...@@ -728,7 +728,7 @@ static int security_validtrans_handle_fail(struct context *ocontext, ...@@ -728,7 +728,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
if (context_struct_to_string(tcontext, &t, &tlen)) if (context_struct_to_string(tcontext, &t, &tlen))
goto out; goto out;
audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
"security_validate_transition: denied for" "op=security_validate_transition seresult=denied"
" oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
out: out:
...@@ -877,7 +877,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid) ...@@ -877,7 +877,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
audit_log(current->audit_context, audit_log(current->audit_context,
GFP_ATOMIC, AUDIT_SELINUX_ERR, GFP_ATOMIC, AUDIT_SELINUX_ERR,
"op=security_bounded_transition " "op=security_bounded_transition "
"result=denied " "seresult=denied "
"oldcontext=%s newcontext=%s", "oldcontext=%s newcontext=%s",
old_name, new_name); old_name, new_name);
} }
...@@ -1351,8 +1351,8 @@ static int compute_sid_handle_invalid_context( ...@@ -1351,8 +1351,8 @@ static int compute_sid_handle_invalid_context(
if (context_struct_to_string(newcontext, &n, &nlen)) if (context_struct_to_string(newcontext, &n, &nlen))
goto out; goto out;
audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
"security_compute_sid: invalid context %s" "op=security_compute_sid invalid_context=%s"
" for scontext=%s" " scontext=%s"
" tcontext=%s" " tcontext=%s"
" tclass=%s", " tclass=%s",
n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
...@@ -2607,8 +2607,10 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) ...@@ -2607,8 +2607,10 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
rc = convert_context_handle_invalid_context(&newcon); rc = convert_context_handle_invalid_context(&newcon);
if (rc) { if (rc) {
if (!context_struct_to_string(&newcon, &s, &len)) { if (!context_struct_to_string(&newcon, &s, &len)) {
audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, audit_log(current->audit_context,
"security_sid_mls_copy: invalid context %s", s); GFP_ATOMIC, AUDIT_SELINUX_ERR,
"op=security_sid_mls_copy "
"invalid_context=%s", s);
kfree(s); kfree(s);
} }
goto out_unlock; goto out_unlock;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment