1. 14 Jul, 2008 8 commits
    • Stephen Smalley's avatar
      selinux: simplify ioctl checking · 242631c4
      Stephen Smalley authored
      Simplify and improve the robustness of the SELinux ioctl checking by
      using the "access mode" bits of the ioctl command to determine the
      permission check rather than dealing with individual command values.
      This removes any knowledge of specific ioctl commands from SELinux
      and follows the same guidance we gave to Smack earlier.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      242631c4
    • Stephen Smalley's avatar
      SELinux: enable processes with mac_admin to get the raw inode contexts · abc69bb6
      Stephen Smalley authored
      Enable processes with CAP_MAC_ADMIN + mac_admin permission in policy
      to get undefined contexts on inodes.  This extends the support for
      deferred mapping of security contexts in order to permit restorecon
      and similar programs to see the raw file contexts unknown to the
      system policy in order to check them.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      abc69bb6
    • Stephen Smalley's avatar
      Security: split proc ptrace checking into read vs. attach · 006ebb40
      Stephen Smalley authored
      Enable security modules to distinguish reading of process state via
      proc from full ptrace access by renaming ptrace_may_attach to
      ptrace_may_access and adding a mode argument indicating whether only
      read access or full attach access is requested.  This allows security
      modules to permit access to reading process state without granting
      full ptrace access.  The base DAC/capability checking remains unchanged.
      
      Read access to /proc/pid/mem continues to apply a full ptrace attach
      check since check_mem_permission() already requires the current task
      to already be ptracing the target.  The other ptrace checks within
      proc for elements like environ, maps, and fds are changed to pass the
      read mode instead of attach.
      
      In the SELinux case, we model such reading of process state as a
      reading of a proc file labeled with the target process' label.  This
      enables SELinux policy to permit such reading of process state without
      permitting control or manipulation of the target process, as there are
      a number of cases where programs probe for such information via proc
      but do not need to be able to control the target (e.g. procps,
      lsof, PolicyKit, ConsoleKit).  At present we have to choose between
      allowing full ptrace in policy (more permissive than required/desired)
      or breaking functionality (or in some cases just silencing the denials
      via dontaudit rules but this can hide genuine attacks).
      
      This version of the patch incorporates comments from Casey Schaufler
      (change/replace existing ptrace_may_attach interface, pass access
      mode), and Chris Wright (provide greater consistency in the checking).
      
      Note that like their predecessors __ptrace_may_attach and
      ptrace_may_attach, the __ptrace_may_access and ptrace_may_access
      interfaces use different return value conventions from each other (0
      or -errno vs. 1 or 0).  I retained this difference to avoid any
      changes to the caller logic but made the difference clearer by
      changing the latter interface to return a bool rather than an int and
      by adding a comment about it to ptrace.h for any future callers.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      006ebb40
    • James Morris's avatar
      SELinux: remove inherit field from inode_security_struct · feb2a5b8
      James Morris authored
      Remove inherit field from inode_security_struct, per Stephen Smalley:
      "Let's just drop inherit altogether - dead field."
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      feb2a5b8
    • Richard Kennedy's avatar
      SELinux: reorder inode_security_struct to increase objs/slab on 64bit · fdeb0518
      Richard Kennedy authored
      reorder inode_security_struct to remove padding on 64 bit builds
      
      size reduced from 72 to 64 bytes increasing objects per slab to 64.
      Signed-off-by: default avatarRichard Kennedy <richard@rsk.demon.co.uk>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      fdeb0518
    • Eric Paris's avatar
      SELinux: keep the code clean formating and syntax · f5269710
      Eric Paris authored
      Formatting and syntax changes
      
      whitespace, tabs to spaces, trailing space
      put open { on same line as struct def
      remove unneeded {} after if statements
      change printk("Lu") to printk("llu")
      convert asm/uaccess.h to linux/uaacess.h includes
      remove unnecessary asm/bug.h includes
      convert all users of simple_strtol to strict_strtol
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      f5269710
    • Stephen Smalley's avatar
      SELinux: fix sleeping allocation in security_context_to_sid · 9a59daa0
      Stephen Smalley authored
      Fix a sleeping function called from invalid context bug by moving allocation
      to the callers prior to taking the policy rdlock.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      9a59daa0
    • Stephen Smalley's avatar
      selinux: support deferred mapping of contexts · 12b29f34
      Stephen Smalley authored
      Introduce SELinux support for deferred mapping of security contexts in
      the SID table upon policy reload, and use this support for inode
      security contexts when the context is not yet valid under the current
      policy.  Only processes with CAP_MAC_ADMIN + mac_admin permission in
      policy can set undefined security contexts on inodes.  Inodes with
      such undefined contexts are treated as having the unlabeled context
      until the context becomes valid upon a policy reload that defines the
      context.  Context invalidation upon policy reload also uses this
      support to save the context information in the SID table and later
      recover it upon a subsequent policy reload that defines the context
      again.
      
      This support is to enable package managers and similar programs to set
      down file contexts unknown to the system policy at the time the file
      is created in order to better support placing loadable policy modules
      in packages and to support build systems that need to create images of
      different distro releases with different policies w/o requiring all of
      the contexts to be defined or legal in the build host policy.
      
      With this patch applied, the following sequence is possible, although
      in practice it is recommended that this permission only be allowed to
      specific program domains such as the package manager.
      
      # rmdir baz
      # rm bar
      # touch bar
      # chcon -t foo_exec_t bar # foo_exec_t is not yet defined
      chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument
      # mkdir -Z system_u:object_r:foo_exec_t baz
      mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument
      # cat setundefined.te
      policy_module(setundefined, 1.0)
      require {
      	type unconfined_t;
      	type unlabeled_t;
      }
      files_type(unlabeled_t)
      allow unconfined_t self:capability2 mac_admin;
      # make -f /usr/share/selinux/devel/Makefile setundefined.pp
      # semodule -i setundefined.pp
      # chcon -t foo_exec_t bar # foo_exec_t is not yet defined
      # mkdir -Z system_u:object_r:foo_exec_t baz
      # ls -Zd bar baz
      -rw-r--r--  root root system_u:object_r:unlabeled_t    bar
      drwxr-xr-x  root root system_u:object_r:unlabeled_t    baz
      # cat foo.te
      policy_module(foo, 1.0)
      type foo_exec_t;
      files_type(foo_exec_t)
      # make -f /usr/share/selinux/devel/Makefile foo.pp
      # semodule -i foo.pp # defines foo_exec_t
      # ls -Zd bar baz
      -rw-r--r--  root root user_u:object_r:foo_exec_t       bar
      drwxr-xr-x  root root system_u:object_r:foo_exec_t    baz
      # semodule -r foo
      # ls -Zd bar baz
      -rw-r--r--  root root system_u:object_r:unlabeled_t    bar
      drwxr-xr-x  root root system_u:object_r:unlabeled_t    baz
      # semodule -i foo.pp
      # ls -Zd bar baz
      -rw-r--r--  root root user_u:object_r:foo_exec_t       bar
      drwxr-xr-x  root root system_u:object_r:foo_exec_t    baz
      # semodule -r setundefined foo
      # chcon -t foo_exec_t bar # no longer defined and not allowed
      chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument
      # rmdir baz
      # mkdir -Z system_u:object_r:foo_exec_t baz
      mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      12b29f34
  2. 13 Jul, 2008 6 commits
  3. 12 Jul, 2008 17 commits
  4. 11 Jul, 2008 9 commits