summaryrefslogtreecommitdiffstats
path: root/security/selinux/include (follow)
Commit message (Collapse)AuthorAgeFilesLines
* selinux: sparse fix: fix several warnings in the security server codeJames Morris2011-09-101-0/+6
| | | | | | Fix several sparse warnings in the SELinux security server code. Signed-off-by: James Morris <jmorris@namei.org>
* selinux: sparse fix: fix warnings in netlink codeJames Morris2011-09-101-0/+3
| | | | | | Fix sparse warnings in SELinux Netlink code. Signed-off-by: James Morris <jmorris@namei.org>
* selinux: sparse fix: eliminate warnings for selinuxfsJames Morris2011-09-101-0/+3
| | | | | | Fixes several sparse warnings for selinuxfs.c Signed-off-by: James Morris <jmorris@namei.org>
* selinux: sparse fix: declare selinux_disable() in security.hJames Morris2011-09-101-0/+1
| | | | | | Sparse fix: declare selinux_disable() in security.h Signed-off-by: James Morris <jmorris@namei.org>
* selinux: sparse fix: move selinux_complete_initJames Morris2011-09-101-0/+1
| | | | | | Sparse fix: move selinux_complete_init Signed-off-by: James Morris <jmorris@namei.org>
* doc: Update the email address for Paul Moore in various source filesPaul Moore2011-08-024-4/+4
| | | | | | | | | | My @hp.com will no longer be valid starting August 5, 2011 so an update is necessary. My new email address is employer independent so we don't have to worry about doing this again any time soon. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into ↵James Morris2011-05-241-4/+5
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | for-linus Conflicts: lib/flex_array.c security/selinux/avc.c security/selinux/hooks.c security/selinux/ss/policydb.c security/smack/smack_lsm.c Manually resolve conflicts. Signed-off-by: James Morris <jmorris@namei.org>
| * SELINUX: Make selinux cache VFS RCU walks safeEric Paris2011-04-251-5/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now that the security modules can decide whether they support the dcache RCU walk or not it's possible to make selinux a bit more RCU friendly. The SELinux AVC and security server access decision code is RCU safe. A specific piece of the LSM audit code may not be RCU safe. This patch makes the VFS RCU walk retry if it would hit the non RCU safe chunk of code. It will normally just work under RCU. This is done simply by passing the VFS RCU state as a flag down into the avc_audit() code and returning ECHILD there if it would have an issue. Based-on-patch-by: Andi Kleen <ak@linux.intel.com> Signed-off-by: Eric Paris <eparis@redhat.com>
| * SELinux: security_read_policy should take a size_t not ssize_tEric Paris2011-04-251-1/+1
| | | | | | | | | | | | | | | | The len should be an size_t but is a ssize_t. Easy enough fix to silence build warnings. We have no need for signed-ness. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: James Morris <jmorris@namei.org>
| * selinux: add type_transition with name extension support for selinuxfsKohei Kaigai2011-04-011-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The attached patch allows /selinux/create takes optional 4th argument to support TYPE_TRANSITION with name extension for userspace object managers. If 4th argument is not supplied, it shall perform as existing kernel. In fact, the regression test of SE-PostgreSQL works well on the patched kernel. Thanks, Signed-off-by: KaiGai Kohei <kohei.kaigai@eu.nec.com> [manually verify fuzz was not an issue, and it wasn't: eparis] Signed-off-by: Eric Paris <eparis@redhat.com>
| * SELinux: Add class support to the role_trans structureHarry Ciao2011-03-281-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | If kernel policy version is >= 26, then the binary representation of the role_trans structure supports specifying the class for the current subject or the newly created object. If kernel policy version is < 26, then the class field would be default to the process class. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com>
* | selinux: avoid unnecessary avc cache stat hit countLinus Torvalds2011-05-201-1/+0
| | | | | | | | | | | | | | | | | | | | There is no point in counting hits - we can calculate it from the number of lookups and misses. This makes the avc statistics a bit smaller, and makes the code generation better too. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | SELINUX: Make selinux cache VFS RCU walks safeEric Paris2011-04-261-5/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now that the security modules can decide whether they support the dcache RCU walk or not it's possible to make selinux a bit more RCU friendly. The SELinux AVC and security server access decision code is RCU safe. A specific piece of the LSM audit code may not be RCU safe. This patch makes the VFS RCU walk retry if it would hit the non RCU safe chunk of code. It will normally just work under RCU. This is done simply by passing the VFS RCU state as a flag down into the avc_audit() code and returning ECHILD there if it would have an issue. Based-on-patch-by: Andi Kleen <ak@linux.intel.com> Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6Linus Torvalds2011-03-171-1/+1
|\ \ | |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1480 commits) bonding: enable netpoll without checking link status xfrm: Refcount destination entry on xfrm_lookup net: introduce rx_handler results and logic around that bonding: get rid of IFF_SLAVE_INACTIVE netdev->priv_flag bonding: wrap slave state work net: get rid of multiple bond-related netdevice->priv_flags bonding: register slave pointer for rx_handler be2net: Bump up the version number be2net: Copyright notice change. Update to Emulex instead of ServerEngines e1000e: fix kconfig for crc32 dependency netfilter ebtables: fix xt_AUDIT to work with ebtables xen network backend driver bonding: Improve syslog message at device creation time bonding: Call netif_carrier_off after register_netdevice bonding: Incorrect TX queue offset net_sched: fix ip_tos2prio xfrm: fix __xfrm_route_forward() be2net: Fix UDP packet detected status in RX compl Phonet: fix aligned-mode pipe socket buffer header reserve netxen: support for GbE port settings ... Fix up conflicts in drivers/staging/brcm80211/brcmsmac/wl_mac80211.c with the staging updates.
| * xfrm: Mark flowi arg to security_xfrm_state_pol_flow_match() const.David S. Miller2011-02-231-1/+1
| | | | | | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into nextJames Morris2011-03-082-5/+10
|\ \ | |/ |/|
| * SELinux: Auto-generate security_is_socket_classHarry Ciao2011-03-031-0/+4
| | | | | | | | | | | | | | | | | | | | | | The security_is_socket_class() is auto-generated by genheaders based on classmap.h to reduce maintenance effort when a new class is defined in SELinux kernel. The name for any socket class should be suffixed by "socket" and doesn't contain more than one substr of "socket". Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
| * selinux: drop unused packet flow permissionsEric Paris2011-02-251-2/+1
| | | | | | | | | | | | | | | | | | These permissions are not used and can be dropped in the kernel definitions. Suggested-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
| * SELinux: Use dentry name in new object labelingEric Paris2011-02-011-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently SELinux has rules which label new objects according to 3 criteria. The label of the process creating the object, the label of the parent directory, and the type of object (reg, dir, char, block, etc.) This patch adds a 4th criteria, the dentry name, thus we can distinguish between creating a file in an etc_t directory called shadow and one called motd. There is no file globbing, regex parsing, or anything mystical. Either the policy exactly (strcmp) matches the dentry name of the object or it doesn't. This patch has no changes from today if policy does not implement the new rules. Signed-off-by: Eric Paris <eparis@redhat.com>
* | Merge branch 'for-linus' of ↵Linus Torvalds2011-01-101-1/+1
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits) MAINTAINERS: Add tomoyo-dev-en ML. SELinux: define permissions for DCB netlink messages encrypted-keys: style and other cleanup encrypted-keys: verify datablob size before converting to binary trusted-keys: kzalloc and other cleanup trusted-keys: additional TSS return code and other error handling syslog: check cap_syslog when dmesg_restrict Smack: Transmute labels on specified directories selinux: cache sidtab_context_to_sid results SELinux: do not compute transition labels on mountpoint labeled filesystems This patch adds a new security attribute to Smack called SMACK64EXEC. It defines label that is used while task is running. SELinux: merge policydb_index_classes and policydb_index_others selinux: convert part of the sym_val_to_name array to use flex_array selinux: convert type_val_to_struct to flex_array flex_array: fix flex_array_put_ptr macro to be valid C SELinux: do not set automatic i_ino in selinuxfs selinux: rework security_netlbl_secattr_to_sid SELinux: standardize return code handling in selinuxfs.c SELinux: standardize return code handling in selinuxfs.c SELinux: standardize return code handling in policydb.c ...
| * security: Define CAP_SYSLOGSerge E. Hallyn2010-11-281-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Privileged syslog operations currently require CAP_SYS_ADMIN. Split this off into a new CAP_SYSLOG privilege which we can sanely take away from a container through the capability bounding set. With this patch, an lxc container can be prevented from messing with the host's syslog (i.e. dmesg -c). Changelog: mar 12 2010: add selinux capability2:cap_syslog perm Changelog: nov 22 2010: . port to new kernel . add a WARN_ONCE if userspace isn't using CAP_SYSLOG Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Andrew G. Morgan <morgan@kernel.org> Acked-By: Kees Cook <kees.cook@canonical.com> Cc: James Morris <jmorris@namei.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: "Christopher J. PeBenito" <cpebenito@tresys.com> Cc: Eric Paris <eparis@parisplace.org> Signed-off-by: James Morris <jmorris@namei.org>
* | headers: path.h reduxAlexey Dobriyan2011-01-101-1/+0
|/ | | | | | | Remove path.h from sched.h and other files. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* SELinux: allow userspace to read policy back out of the kernelEric Paris2010-10-212-1/+3
| | | | | | | | | | There is interest in being able to see what the actual policy is that was loaded into the kernel. The patch creates a new selinuxfs file /selinux/policy which can be read by userspace. The actual policy that is loaded into the kernel will be written back out to userspace. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* secmark: make secmark object handling genericEric Paris2010-10-211-0/+1
| | | | | | | | | | | | | Right now secmark has lots of direct selinux calls. Use all LSM calls and remove all SELinux specific knowledge. The only SELinux specific knowledge we leave is the mode. The only point is to make sure that other LSMs at least test this generic code before they assume it works. (They may also have to make changes if they do not represent labels as strings) Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Paul Moore <paul.moore@hp.com> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: fix up style problem on /selinux/statusKaiGai Kohei2010-10-211-2/+1
| | | | | | | | | | This patch fixes up coding-style problem at this commit: 4f27a7d49789b04404eca26ccde5f527231d01d5 selinux: fast status update interface (/selinux/status) Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: fast status update interface (/selinux/status)KaiGai Kohei2010-10-211-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch provides a new /selinux/status entry which allows applications read-only mmap(2). This region reflects selinux_kernel_status structure in kernel space. struct selinux_kernel_status { u32 length; /* length of this structure */ u32 sequence; /* sequence number of seqlock logic */ u32 enforcing; /* current setting of enforcing mode */ u32 policyload; /* times of policy reloaded */ u32 deny_unknown; /* current setting of deny_unknown */ }; When userspace object manager caches access control decisions provided by SELinux, it needs to invalidate the cache on policy reload and setenforce to keep consistency. However, the applications need to check the kernel state for each accesses on userspace avc, or launch a background worker process. In heuristic, frequency of invalidation is much less than frequency of making access control decision, so it is annoying to invoke a system call to check we don't need to invalidate the userspace cache. If we can use a background worker thread, it allows to receive invalidation messages from the kernel. But it requires us an invasive coding toward the base application in some cases; E.g, when we provide a feature performing with SELinux as a plugin module, it is unwelcome manner to launch its own worker thread from the module. If we could map /selinux/status to process memory space, application can know updates of selinux status; policy reload or setenforce. A typical application checks selinux_kernel_status::sequence when it tries to reference userspace avc. If it was changed from the last time when it checked userspace avc, it means something was updated in the kernel space. Then, the application can reset userspace avc or update current enforcing mode, without any system call invocations. This sequence number is updated according to the seqlock logic, so we need to wait for a while if it is odd number. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Eric Paris <eparis@redhat.com> -- security/selinux/include/security.h | 21 ++++++ security/selinux/selinuxfs.c | 56 +++++++++++++++ security/selinux/ss/Makefile | 2 +- security/selinux/ss/services.c | 3 + security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++ 5 files changed, 210 insertions(+), 1 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Move execmod to the common permsEric Paris2010-08-021-4/+3
| | | | | | | | | | | | | | execmod "could" show up on non regular files and non chr files. The current implementation would actually make these checks against non-existant bits since the code assumes the execmod permission is same for all file types. To make this line up for chr files we had to define execute_no_trans and entrypoint permissions. These permissions are unreachable and only existed to to make FILE__EXECMOD and CHR_FILE__EXECMOD the same. This patch drops those needless perms as well. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: place open in the common file permsEric Paris2010-08-021-7/+8
| | | | | | | | | kernel can dynamically remap perms. Drop the open lookup table and put open in the common file perms. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: special dontaudit for access checksEric Paris2010-08-021-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently there are a number of applications (nautilus being the main one) which calls access() on files in order to determine how they should be displayed. It is normal and expected that nautilus will want to see if files are executable or if they are really read/write-able. access() should return the real permission. SELinux policy checks are done in access() and can result in lots of AVC denials as policy denies RWX on files which DAC allows. Currently SELinux must dontaudit actual attempts to read/write/execute a file in order to silence these messages (and not flood the logs.) But dontaudit rules like that can hide real attacks. This patch addes a new common file permission audit_access. This permission is special in that it is meaningless and should never show up in an allow rule. Instead the only place this permission has meaning is in a dontaudit rule like so: dontaudit nautilus_t sbin_t:file audit_access With such a rule if nautilus just checks access() we will still get denied and thus userspace will still get the correct answer but we will not log the denial. If nautilus attempted to actually perform one of the forbidden actions (rather than just querying access(2) about it) we would still log a denial. This type of dontaudit rule should be used sparingly, as it could be a method for an attacker to probe the system permissions without detection. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* switch selinux delayed superblock handling to iterate_supers()Al Viro2010-05-221-1/+0
| | | | | | ... kill their private list, while we are at it Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* selinux: always call sk_security_struct sksecEric Paris2010-04-081-4/+4
| | | | | | | | trying to grep everything that messes with a sk_security_struct isn't easy since we don't always call it sksec. Just rename everything sksec. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* Merge branch 'next-queue' into nextJames Morris2010-03-091-1/+1
|\
| * selinux: const strings in tablesStephen Hemminger2010-03-071-1/+1
| | | | | | | | | | | | | | | | Several places strings tables are used that should be declared const. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: James Morris <jmorris@namei.org>
* | selinux: allow MLS->non-MLS and vice versa upon policy reloadGuido Trentalancia2010-02-031-1/+2
| | | | | | | | | | | | | | | | | | Allow runtime switching between different policy types (e.g. from a MLS/MCS policy to a non-MLS/non-MCS policy or viceversa). Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* | selinux: change the handling of unknown classesStephen Smalley2010-01-171-6/+4
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | If allow_unknown==deny, SELinux treats an undefined kernel security class as an error condition rather than as a typical permission denial and thus does not allow permissions on undefined classes even when in permissive mode. Change the SELinux logic so that this case is handled as a typical permission denial, subject to the usual permissive mode and permissive domain handling. Also drop the 'requested' argument from security_compute_av() and helpers as it is a legacy of the original security server interface and is unused. Changes: - Handle permissive domains consistently by moving up the test for a permissive domain. - Make security_compute_av_user() consistent with security_compute_av(); the only difference now is that security_compute_av() performs mapping between the kernel-private class and permission indices and the policy values. In the userspace case, this mapping is handled by libselinux. - Moved avd_init inside the policy lock. Based in part on a patch by Paul Moore <paul.moore@hp.com>. Reported-by: Andrew Worsley <amworsley@gmail.com> Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: generate flask headers during kernel buildStephen Smalley2009-10-072-961/+0
| | | | | | | | | | | Add a simple utility (scripts/selinux/genheaders) and invoke it to generate the kernel-private class and permission indices in flask.h and av_permissions.h automatically during the kernel build from the security class mapping definitions in classmap.h. Adding new kernel classes and permissions can then be done just by adding them to classmap.h. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: dynamic class/perm discoveryStephen Smalley2009-10-079-417/+206
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Modify SELinux to dynamically discover class and permission values upon policy load, based on the dynamic object class/perm discovery logic from libselinux. A mapping is created between kernel-private class and permission indices used outside the security server and the policy values used within the security server. The mappings are only applied upon kernel-internal computations; similar mappings for the private indices of userspace object managers is handled on a per-object manager basis by the userspace AVC. The interfaces for compute_av and transition_sid are split for kernel vs. userspace; the userspace functions are distinguished by a _user suffix. The kernel-private class indices are no longer tied to the policy values and thus do not need to skip indices for userspace classes; thus the kernel class index values are compressed. The flask.h definitions were regenerated by deleting the userspace classes from refpolicy's definitions and then regenerating the headers. Going forward, we can just maintain the flask.h, av_permissions.h, and classmap.h definitions separately from policy as they are no longer tied to the policy values. The next patch introduces a utility to automate generation of flask.h and av_permissions.h from the classmap.h definitions. The older kernel class and permission string tables are removed and replaced by a single security class mapping table that is walked at policy load to generate the mapping. The old kernel class validation logic is completely replaced by the mapping logic. The handle unknown logic is reworked. reject_unknown=1 is handled when the mappings are computed at policy load time, similar to the old handling by the class validation logic. allow_unknown=1 is handled when computing and mapping decisions - if the permission was not able to be mapped (i.e. undefined, mapped to zero), then it is automatically added to the allowed vector. If the class was not able to be mapped (i.e. undefined, mapped to zero), then all permissions are allowed for it if allow_unknown=1. avc_audit leverages the new security class mapping table to lookup the class and permission names from the kernel-private indices. The mdp program is updated to use the new table when generating the class definitions and allow rules for a minimal boot policy for the kernel. It should be noted that this policy will not include any userspace classes, nor will its policy index values for the kernel classes correspond with the ones in refpolicy (they will instead match the kernel-private indices). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: Support for the new TUN LSM hooksPaul Moore2009-09-014-0/+25
| | | | | | | | | | | | | | | | Add support for the new TUN LSM hooks: security_tun_dev_create(), security_tun_dev_post_create() and security_tun_dev_attach(). This includes the addition of a new object class, tun_socket, which represents the socks associated with TUN devices. The _tun_dev_create() and _tun_dev_post_create() hooks are fairly similar to the standard socket functions but _tun_dev_attach() is a bit special. The _tun_dev_attach() is unique because it involves a domain attaching to an existing TUN device and its associated tun_socket object, an operation which does not exist with standard sockets and most closely resembles a relabel operation. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@parisplace.org> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Convert avc_audit to use lsm_audit.hThomas Liu2009-08-173-50/+11
| | | | | | | | | | | | | | | | | | | | | | | | | Convert avc_audit in security/selinux/avc.c to use lsm_audit.h, for better maintainability. - changed selinux to use common_audit_data instead of avc_audit_data - eliminated code in avc.c and used code from lsm_audit.h instead. Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit can call common_lsm_audit and do the pre and post callbacks without doing the actual dump. This makes it so that the patched version behaves the same way as the unpatched version. Also added a denied field to the selinux_audit_data private space, once again to make it so that the patched version behaves like the unpatched. I've tested and confirmed that AVCs look the same before and after this patch. Signed-off-by: Thomas Liu <tliu@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: add selinux_kernel_module_requestEric Paris2009-08-142-0/+2
| | | | | | | | | | | This patch adds a new selinux hook so SELinux can arbitrate if a given process should be allowed to trigger a request for the kernel to try to load a module. This is a different operation than a process trying to load a module itself, which is already protected by CAP_SYS_MODULE. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* Revert "SELinux: Convert avc_audit to use lsm_audit.h"James Morris2009-07-133-11/+50
| | | | | | | | This reverts commit 8113a8d80f4c6a3dc3724b39b470f3fee9c426b6. The patch causes a stack overflow on my system during boot. Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Convert avc_audit to use lsm_audit.hThomas Liu2009-07-123-50/+11
| | | | | | | | | | | | | | | | Convert avc_audit in security/selinux/avc.c to use lsm_audit.h, for better maintainability and for less code duplication. - changed selinux to use common_audit_data instead of avc_audit_data - eliminated code in avc.c and used code from lsm_audit.h instead. I have tested to make sure that the avcs look the same before and after this patch. Signed-off-by: Thomas Liu <tliu@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: clean up avc node cache when disabling selinuxThomas Liu2009-06-251-0/+3
| | | | | | | | | | Added a call to free the avc_node_cache when inside selinux_disable because it should not waste resources allocated during avc_init if SELinux is disabled and the cache will never be used. Signed-off-by: Thomas Liu <tliu@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* Merge branch 'master' into nextJames Morris2009-06-191-3/+4
|\
| * SELinux: move SELINUX_MAGIC into magic.hEric Paris2009-05-191-2/+1
| | | | | | | | | | | | | | | | | | The selinuxfs superblock magic is used inside the IMA code, but is being defined in two places and could someday get out of sync. This patch moves the declaration into magic.h so it is only done once. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * Permissive domain in userspace object managerKaiGai Kohei2009-04-021-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch enables applications to handle permissive domain correctly. Since the v2.6.26 kernel, SELinux has supported an idea of permissive domain which allows certain processes to work as if permissive mode, even if the global setting is enforcing mode. However, we don't have an application program interface to inform what domains are permissive one, and what domains are not. It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL and so on) cannot handle permissive domain correctly. This patch add the sixth field (flags) on the reply of the /selinux/access interface which is used to make an access control decision from userspace. If the first bit of the flags field is positive, it means the required access control decision is on permissive domain, so application should allow any required actions, as the kernel doing. This patch also has a side benefit. The av_decision.flags is set at context_struct_compute_av(). It enables to check required permissions without read_lock(&policy_rwlock). Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> -- security/selinux/avc.c | 2 +- security/selinux/include/security.h | 4 +++- security/selinux/selinuxfs.c | 4 ++-- security/selinux/ss/services.c | 30 +++++------------------------- 4 files changed, 11 insertions(+), 29 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
* | Add audit messages on type boundary violationsKaiGai Kohei2009-06-181-3/+0
|/ | | | | | | | | | | | | | | | | | | | | | | | | | The attached patch adds support to generate audit messages on two cases. The first one is a case when a multi-thread process tries to switch its performing security context using setcon(3), but new security context is not bounded by the old one. type=SELINUX_ERR msg=audit(1245311998.599:17): \ op=security_bounded_transition result=denied \ oldcontext=system_u:system_r:httpd_t:s0 \ newcontext=system_u:system_r:guest_webapp_t:s0 The other one is a case when security_compute_av() masked any permissions due to the type boundary violation. type=SELINUX_ERR msg=audit(1245312836.035:32): \ op=security_compute_av reason=bounds \ scontext=system_u:object_r:user_webapp_t:s0 \ tcontext=system_u:object_r:shadow_t:s0:c0 \ tclass=file perms=getattr,open Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* netlabel: Label incoming TCP connections correctly in SELinuxPaul Moore2009-03-281-14/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The current NetLabel/SELinux behavior for incoming TCP connections works but only through a series of happy coincidences that rely on the limited nature of standard CIPSO (only able to convey MLS attributes) and the write equality imposed by the SELinux MLS constraints. The problem is that network sockets created as the result of an incoming TCP connection were not on-the-wire labeled based on the security attributes of the parent socket but rather based on the wire label of the remote peer. The issue had to do with how IP options were managed as part of the network stack and where the LSM hooks were in relation to the code which set the IP options on these newly created child sockets. While NetLabel/SELinux did correctly set the socket's on-the-wire label it was promptly cleared by the network stack and reset based on the IP options of the remote peer. This patch, in conjunction with a prior patch that adjusted the LSM hook locations, works to set the correct on-the-wire label format for new incoming connections through the security_inet_conn_request() hook. Besides the correct behavior there are many advantages to this change, the most significant is that all of the NetLabel socket labeling code in SELinux now lives in hooks which can return error codes to the core stack which allows us to finally get ride of the selinux_netlbl_inode_permission() logic which greatly simplfies the NetLabel/SELinux glue code. In the process of developing this patch I also ran into a small handful of AF_INET6 cleanliness issues that have been fixed which should make the code safer and easier to extend in the future. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: new permission between tty audit and audit socketEric Paris2009-03-052-0/+2
| | | | | | | | | New selinux permission to separate the ability to turn on tty auditing from the ability to set audit rules. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: open perm for sock filesEric Paris2009-03-052-0/+2
| | | | | | | | | | | | | | | | When I did open permissions I didn't think any sockets would have an open. Turns out AF_UNIX sockets can have an open when they are bound to the filesystem namespace. This patch adds a new SOCK_FILE__OPEN permission. It's safe to add this as the open perms are already predicated on capabilities and capabilities means we have unknown perm handling so systems should be as backwards compatible as the policy wants them to be. https://bugzilla.redhat.com/show_bug.cgi?id=475224 Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>