aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
Commit message (Collapse)AuthorAgeFilesLines
* selinux: cleanup return codes in avtab_read_item()Dan Carpenter2010-08-021-20/+19
| | | | | | | | | | | | | | | | | | | | | The avtab_read_item() function tends to return -1 as a default error code which is wrong (-1 means -EPERM). I modified it to return appropriate error codes which is -EINVAL or the error code from next_entry() or insertf(). next_entry() returns -EINVAL. insertf() is a function pointer to either avtab_insert() or cond_insertf(). avtab_insert() returns -EINVAL, -ENOMEM, and -EEXIST. cond_insertf() currently returns -1, but I will fix it in a later patch. There is code in avtab_read() which translates the -1 returns from avtab_read_item() to -EINVAL. The translation is no longer needed, so I removed it. Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: use generic_file_llseekArnd Bergmann2010-08-021-0/+16
| | | | | | | | | | | | The default for llseek will change to no_llseek, so selinuxfs needs to add explicit .llseek assignments. Since we're dealing with regular files from a VFS perspective, use generic_file_llseek. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Eric Paris <eparis@parisplace.org> Signed-off-by: James Morris <jmorris@namei.org>
* security: move LSM xattrnames to xattr.hMimi Zohar2010-08-021-3/+0
| | | | | | | | | Make the security extended attributes names global. Updated to move the remaining Smack xattrs. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: Use current_security() when possiblePaul Moore2010-08-021-11/+6
| | | | | | | | | | | | | | | There were a number of places using the following code pattern: struct cred *cred = current_cred(); struct task_security_struct *tsec = cred->security; ... which were simplified to the following: struct task_security_struct *tsec = current_security(); Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: Convert socket related access controls to use socket labelsPaul Moore2010-08-021-74/+45
| | | | | | | | | | | | | | | At present, the socket related access controls use a mix of inode and socket labels; while there should be no practical difference (they _should_ always be the same), it makes the code more confusing. This patch attempts to convert all of the socket related access control points (with the exception of some of the inode/fd based controls) to use the socket's own label. In the process, I also converted the socket_has_perm() function to take a 'sock' argument instead of a 'socket' since that was adding a bit more overhead in some cases. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: Shuffle the sk_security_struct alloc and free routinesPaul Moore2010-08-021-28/+17
| | | | | | | | | | | The sk_alloc_security() and sk_free_security() functions were only being called by the selinux_sk_alloc_security() and selinux_sk_free_security() functions so we just move the guts of the alloc/free routines to the callers and eliminate a layer of indirection. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: Consolidate sockcreate_sid logicPaul Moore2010-08-021-20/+12
| | | | | | | | | Consolidate the basic sockcreate_sid logic into a single helper function which allows us to do some cleanups in the related code. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: Set the peer label correctly on connected UNIX domain socketsPaul Moore2010-08-021-16/+14
| | | | | | | | | Correct a problem where we weren't setting the peer label correctly on the client end of a pair of connected UNIX sockets. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: seperate range transition rules to a seperate functionEric Paris2010-08-021-64/+75
| | | | | | | | | Move the range transition rule to a separate function, range_read(), rather than doing it all in policydb_read() Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: remove all rcu head initializationsPaul E. McKenney2010-08-022-3/+0
| | | | | | | | | | | | | Remove all rcu head inits. We don't care about the RCU head state before passing it to call_rcu() anyway. Only leave the "on_stack" variants so debugobjects can keep track of objects on stack. Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: James Morris <jmorris@namei.org> Cc: Eric Paris <eparis@parisplace.org> Signed-off-by: James Morris <jmorris@namei.org>
* switch selinux delayed superblock handling to iterate_supers()Al Viro2010-05-212-48/+8
| | | | | | ... kill their private list, while we are at it Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* security/selinux/ss: Use kstrdupJulia Lawall2010-05-171-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Use kstrdup when the goal of an allocation is copy a string into the allocated region. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression from,to; expression flag,E1,E2; statement S; @@ - to = kmalloc(strlen(from) + 1,flag); + to = kstrdup(from, flag); ... when != \(from = E1 \| to = E1 \) if (to==NULL || ...) S ... when != \(from = E2 \| to = E2 \) - strcpy(to, from); // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* Merge branch 'master' into nextJames Morris2010-05-066-0/+6
|\
| * SELinux: Reduce max avtab size to avoid page allocation failuresStephen Smalley2010-04-151-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Reduce MAX_AVTAB_HASH_BITS so that the avtab allocation is an order 2 allocation rather than an order 4 allocation on x86_64. This addresses reports of page allocation failures: http://marc.info/?l=selinux&m=126757230625867&w=2 https://bugzilla.redhat.com/show_bug.cgi?id=570433 Reported-by: Russell Coker <russell@coker.com.au> Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * include cleanup: Update gfp.h and slab.h includes to prepare for breaking ↵Tejun Heo2010-03-307-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | implicit slab.h inclusion from percpu.h percpu.h is included by sched.h and module.h and thus ends up being included when building most .c files. percpu.h includes slab.h which in turn includes gfp.h making everything defined by the two files universally available and complicating inclusion dependencies. percpu.h -> slab.h dependency is about to be removed. Prepare for this change by updating users of gfp and slab facilities include those headers directly instead of assuming availability. As this conversion needs to touch large number of source files, the following script is used as the basis of conversion. http://userweb.kernel.org/~tj/misc/slabh-sweep.py The script does the followings. * Scan files for gfp and slab usages and update includes such that only the necessary includes are there. ie. if only gfp is used, gfp.h, if slab is used, slab.h. * When the script inserts a new include, it looks at the include blocks and try to put the new include such that its order conforms to its surrounding. It's put in the include block which contains core kernel includes, in the same order that the rest are ordered - alphabetical, Christmas tree, rev-Xmas-tree or at the end if there doesn't seem to be any matching order. * If the script can't find a place to put a new include (mostly because the file doesn't have fitting include block), it prints out an error message indicating which .h file needs to be added to the file. The conversion was done in the following steps. 1. The initial automatic conversion of all .c files updated slightly over 4000 files, deleting around 700 includes and adding ~480 gfp.h and ~3000 slab.h inclusions. The script emitted errors for ~400 files. 2. Each error was manually checked. Some didn't need the inclusion, some needed manual addition while adding it to implementation .h or embedding .c file was more appropriate for others. This step added inclusions to around 150 files. 3. The script was run again and the output was compared to the edits from #2 to make sure no file was left behind. 4. Several build tests were done and a couple of problems were fixed. e.g. lib/decompress_*.c used malloc/free() wrappers around slab APIs requiring slab.h to be added manually. 5. The script was run on all .h files but without automatically editing them as sprinkling gfp.h and slab.h inclusions around .h files could easily lead to inclusion dependency hell. Most gfp.h inclusion directives were ignored as stuff from gfp.h was usually wildly available and often used in preprocessor macros. Each slab.h inclusion directive was examined and added manually as necessary. 6. percpu.h was updated not to include slab.h. 7. Build test were done on the following configurations and failures were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my distributed build env didn't work with gcov compiles) and a few more options had to be turned off depending on archs to make things build (like ipr on powerpc/64 which failed due to missing writeq). * x86 and x86_64 UP and SMP allmodconfig and a custom test config. * powerpc and powerpc64 SMP allmodconfig * sparc and sparc64 SMP allmodconfig * ia64 SMP allmodconfig * s390 SMP allmodconfig * alpha SMP allmodconfig * um on x86_64 SMP allmodconfig 8. percpu.h modifications were reverted so that it could be applied as a separate patch and serve as bisection point. Given the fact that I had only a couple of failures from tests on step 6, I'm fairly confident about the coverage of this conversion patch. If there is a breakage, it's likely to be something in one of the arch headers which should be easily discoverable easily on most builds of the specific arch. Signed-off-by: Tejun Heo <tj@kernel.org> Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
* | selinux: generalize disabling of execmem for plt-in-heap archsStephen Smalley2010-04-291-6/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On Tue, 2010-04-27 at 11:47 -0700, David Miller wrote: > From: "Tom \"spot\" Callaway" <tcallawa@redhat.com> > Date: Tue, 27 Apr 2010 14:20:21 -0400 > > > [root@apollo ~]$ cat /proc/2174/maps > > 00010000-00014000 r-xp 00000000 fd:00 15466577 > > /sbin/mingetty > > 00022000-00024000 rwxp 00002000 fd:00 15466577 > > /sbin/mingetty > > 00024000-00046000 rwxp 00000000 00:00 0 > > [heap] > > SELINUX probably barfs on the executable heap, the PLT is in the HEAP > just like powerpc32 and that's why VM_DATA_DEFAULT_FLAGS has to set > both executable and writable. > > You also can't remove the CONFIG_PPC32 ifdefs in selinux, since > because of the VM_DATA_DEFAULT_FLAGS setting used still in that arch, > the heap will always have executable permission, just like sparc does. > You have to support those binaries forever, whether you like it or not. > > Let's just replace the CONFIG_PPC32 ifdef in SELINUX with CONFIG_PPC32 > || CONFIG_SPARC as in Tom's original patch and let's be done with > this. > > In fact I would go through all the arch/ header files and check the > VM_DATA_DEFAULT_FLAGS settings and add the necessary new ifdefs to the > SELINUX code so that other platforms don't have the pain of having to > go through this process too. To avoid maintaining per-arch ifdefs, it seems that we could just directly use (VM_DATA_DEFAULT_FLAGS & VM_EXEC) as the basis for deciding whether to enable or disable these checks. VM_DATA_DEFAULT_FLAGS isn't constant on some architectures but instead depends on current->personality, but we want this applied uniformly. So we'll just use the initial task state to determine whether or not to enable these checks. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: James Morris <jmorris@namei.org>
* | LSM Audit: rename LSM_AUDIT_NO_AUDIT to LSM_AUDIT_DATA_NONEEric Paris2010-04-281-2/+1
| | | | | | | | | | | | | | | | | | | | Most of the LSM common audit work uses LSM_AUDIT_DATA_* for the naming. This was not so for LSM_AUDIT_NO_AUDIT which means the generic initializer cannot be used. This patch just renames the flag so the generic initializer can be used. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | SELinux: return error codes on policy load failureEric Paris2010-04-211-15/+22
| | | | | | | | | | | | | | | | | | | | | | policy load failure always return EINVAL even if the failure was for some other reason (usually ENOMEM). This patch passes error codes back up the stack where they will make their way to userspace. This might help in debugging future problems with policy load. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* | Security: Fix coding style in security/wzt.wzt@gmail.com2010-04-094-31/+31
| | | | | | | | | | | | | | Fix coding style in security/ Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: James Morris <jmorris@namei.org>
* | selinux: always call sk_security_struct sksecEric Paris2010-04-083-36/+36
| | | | | | | | | | | | | | | | trying to grep everything that messes with a sk_security_struct isn't easy since we don't always call it sksec. Just rename everything sksec. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | Merge branch 'master' into nextJames Morris2010-03-311-3/+3
|\|
| * Merge branch 'for-next' into for-linusJiri Kosina2010-03-081-3/+3
| |\ | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: Documentation/filesystems/proc.txt arch/arm/mach-u300/include/mach/debug-macro.S drivers/net/qlge/qlge_ethtool.c drivers/net/qlge/qlge_main.c drivers/net/typhoon.c
| | * fix comment typos in avc.cJustin P. Mattock2010-02-051-3/+3
| | | | | | | | | | | | | | | Signed-off-by: Justin P. Mattock <justinmattock@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
* | | SELinux: Reduce max avtab size to avoid page allocation failuresStephen Smalley2010-03-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reduce MAX_AVTAB_HASH_BITS so that the avtab allocation is an order 2 allocation rather than an order 4 allocation on x86_64. This addresses reports of page allocation failures: http://marc.info/?l=selinux&m=126757230625867&w=2 https://bugzilla.redhat.com/show_bug.cgi?id=570433 Reported-by: Russell Coker <russell@coker.com.au> Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | | Merge branch 'next-queue' into nextJames Morris2010-03-096-6/+3
|\ \ \ | |/ / |/| |
| * | selinux: const strings in tablesStephen Hemminger2010-03-083-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | Several places strings tables are used that should be declared const. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: James Morris <jmorris@namei.org>
| * | Selinux: Remove unused headers skbuff.h in selinux/nlmsgtab.cwzt.wzt@gmail.com2010-03-041-1/+0
| | | | | | | | | | | | | | | | | | | | | skbuff.h is already included by netlink.h, so remove it. Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: James Morris <jmorris@namei.org>
| * | Selinux: Remove unused headers slab.h in selinux/ss/symtab.cwzt.wzt@gmail.com2010-03-031-1/+0
| | | | | | | | | | | | | | | | | | | | | slab.h is unused in symtab.c, so remove it. Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: James Morris <jmorris@namei.org>
| * | Selinux: Remove unused headers list.h in selinux/netlink.cwzt.wzt@gmail.com2010-03-031-1/+0
| | | | | | | | | | | | | | | | | | | | | list.h is unused in netlink.c, so remove it. Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: James Morris <jmorris@namei.org>
* | | Merge branch 'next' into for-linusJames Morris2010-03-0111-265/+302
|\ \ \ | |/ / |/| |
| * | SELinux: Make selinux_kernel_create_files_as() shouldn't just always return 0David Howells2010-02-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make selinux_kernel_create_files_as() return an error when it gets one, rather than unconditionally returning 0. Without this, cachefiles doesn't return an error if the SELinux policy doesn't let it create files with the label of the directory at the base of the cache. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * | Security: add static to security_ops and default_security_ops variablewzt.wzt@gmail.com2010-02-241-12/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Enhance the security framework to support resetting the active security module. This eliminates the need for direct use of the security_ops and default_security_ops variables outside of security.c, so make security_ops and default_security_ops static. Also remove the secondary_ops variable as a cleanup since there is no use for that. secondary_ops was originally used by SELinux to call the "secondary" security module (capability or dummy), but that was replaced by direct calls to capability and the only remaining use is to save and restore the original security ops pointer value if SELinux is disabled by early userspace based on /etc/selinux/config. Further, if we support this directly in the security framework, then we can just use &default_security_ops for this purpose since that is now available. Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * | selinux: libsepol: remove dead code in check_avtab_hierarchy_callback()KaiGai Kohei2010-02-221-4/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch revert the commit of 7d52a155e38d5a165759dbbee656455861bf7801 which removed a part of type_attribute_bounds_av as a dead code. However, at that time, we didn't find out the target side boundary allows to handle some of pseudo /proc/<pid>/* entries with its process's security context well. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> -- security/selinux/ss/services.c | 43 ++++++++++++++++++++++++++++++++++++--- 1 files changed, 39 insertions(+), 4 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
| * | security: fix a couple of sparse warningsJames Morris2010-02-161-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a couple of sparse warnings for callers of context_struct_to_string, which takes a *u32, not an *int. These cases are harmless as the values are not used. Signed-off-by: James Morris <jmorris@namei.org> Acked-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
| * | selinux: fix memory leak in sel_make_boolsXiaotian Feng2010-02-091-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In sel_make_bools, kernel allocates memory for bool_pending_names[i] with security_get_bools. So if we just free bool_pending_names, those memories for bool_pending_names[i] will be leaked. This patch resolves dozens of following kmemleak report after resuming from suspend: unreferenced object 0xffff88022e4c7380 (size 32): comm "init", pid 1, jiffies 4294677173 backtrace: [<ffffffff810f76b5>] create_object+0x1a2/0x2a9 [<ffffffff810f78bb>] kmemleak_alloc+0x26/0x4b [<ffffffff810ef3eb>] __kmalloc+0x18f/0x1b8 [<ffffffff811cd511>] security_get_bools+0xd7/0x16f [<ffffffff811c48c0>] sel_write_load+0x12e/0x62b [<ffffffff810f9a39>] vfs_write+0xae/0x10b [<ffffffff810f9b56>] sys_write+0x4a/0x6e [<ffffffff81011b82>] system_call_fastpath+0x16/0x1b [<ffffffffffffffff>] 0xffffffffffffffff Signed-off-by: Xiaotian Feng <dfeng@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * | syslog: use defined constants instead of raw numbersKees Cook2010-02-041-10/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Right now the syslog "type" action are just raw numbers which makes the source difficult to follow. This patch replaces the raw numbers with defined constants for some level of sanity. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
| * | syslog: distinguish between /proc/kmsg and syscallsKees Cook2010-02-041-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows the LSM to distinguish between syslog functions originating from /proc/kmsg access and direct syscalls. By default, the commoncaps will now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg file descriptor. For example the kernel syslog reader can now drop privileges after opening /proc/kmsg, instead of staying privileged with CAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged behavior. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
| * | selinux: allow MLS->non-MLS and vice versa upon policy reloadGuido Trentalancia2010-02-049-59/+84
| | | | | | | | | | | | | | | | | | | | | | | | | | | Allow runtime switching between different policy types (e.g. from a MLS/MCS policy to a non-MLS/non-MCS policy or viceversa). Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * | selinux: load the initial SIDs upon every policy loadGuido Trentalancia2010-02-041-4/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Always load the initial SIDs, even in the case of a policy reload and not just at the initial policy load. This comes particularly handy after the introduction of a recent patch for enabling runtime switching between different policy types, although this patch is in theory independent from that feature. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * | selinux: Only audit permissions specified in policyStephen Smalley2010-02-031-10/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Only audit the permissions specified by the policy rules. Before: type=AVC msg=audit(01/28/2010 14:30:46.690:3250) : avc: denied { read append } for pid=14092 comm=foo name=test_file dev=dm-1 ino=132932 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file After: type=AVC msg=audit(01/28/2010 14:52:37.448:26) : avc: denied { append } for pid=1917 comm=foo name=test_file dev=dm-1 ino=132932 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file Reference: https://bugzilla.redhat.com/show_bug.cgi?id=558499 Reported-by: Tom London <selinux@gmail.com> Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * | selinux: remove dead code in type_attribute_bounds_av()KaiGai Kohei2010-01-251-39/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch removes dead code in type_attribute_bounds_av(). Due to the historical reason, the type boundary feature is delivered from hierarchical types in libsepol, it has supported boundary features both of subject type (domain; in most cases) and target type. However, we don't have any actual use cases in bounded target types, and it tended to make conceptual confusion. So, this patch removes the dead code to apply boundary checks on the target types. I makes clear the TYPEBOUNDS restricts privileges of a certain domain bounded to any other domain. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> -- security/selinux/ss/services.c | 43 +++------------------------------------ 1 files changed, 4 insertions(+), 39 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
| * | selinux: convert range transition list to a hashtabStephen Smalley2010-01-253-41/+86
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Per https://bugzilla.redhat.com/show_bug.cgi?id=548145 there are sufficient range transition rules in modern (Fedora) policy to make mls_compute_sid a significant factor on the shmem file setup path due to the length of the range_tr list. Replace the simple range_tr list with a hashtab inside the security server to help mitigate this problem. Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * | Merge branch 'master' into nextJames Morris2010-01-183-3/+3
| |\|
| * | selinux: change the handling of unknown classesStephen Smalley2010-01-184-120/+88
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If allow_unknown==deny, SELinux treats an undefined kernel security class as an error condition rather than as a typical permission denial and thus does not allow permissions on undefined classes even when in permissive mode. Change the SELinux logic so that this case is handled as a typical permission denial, subject to the usual permissive mode and permissive domain handling. Also drop the 'requested' argument from security_compute_av() and helpers as it is a legacy of the original security server interface and is unused. Changes: - Handle permissive domains consistently by moving up the test for a permissive domain. - Make security_compute_av_user() consistent with security_compute_av(); the only difference now is that security_compute_av() performs mapping between the kernel-private class and permission indices and the policy values. In the userspace case, this mapping is handled by libselinux. - Moved avd_init inside the policy lock. Based in part on a patch by Paul Moore <paul.moore@hp.com>. Reported-by: Andrew Worsley <amworsley@gmail.com> Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
| * | Merge branch 'master' into nextJames Morris2009-12-091-3/+3
| |\ \
| * | | selinux: remove a useless returnAmerigo Wang2009-12-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The last return is unreachable, remove the 'return' in default, let it fall through. Signed-off-by: WANG Cong <amwang@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * | | security/selinux/ss: correct size computationJulia Lawall2009-12-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The size argument to kcalloc should be the size of desired structure, not the pointer to it. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @expression@ expression *x; @@ x = <+... -sizeof(x) +sizeof(*x) ...+>// </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | | | netlabel: fix export of SELinux categories > 127Joshua Roys2010-02-251-1/+1
| |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes corrupted CIPSO packets when SELinux categories greater than 127 are used. The bug occured on the second (and later) loops through the while; the inner for loop through the ebitmap->maps array used the same index as the NetLabel catmap->bitmap array, even though the NetLabel bitmap is twice as long as the SELinux bitmap. Signed-off-by: Joshua Roys <joshua.roys@gtri.gatech.edu> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* | | SECURITY: selinux, fix update_rlimit_cpu parameterJiri Slaby2010-01-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Don't pass current RLIMIT_RTTIME to update_rlimit_cpu() in selinux_bprm_committing_creds, since update_rlimit_cpu expects RLIMIT_CPU limit. Use proper rlim[RLIMIT_CPU].rlim_cur instead to fix that. Signed-off-by: Jiri Slaby <jirislaby@gmail.com> Acked-by: James Morris <jmorris@namei.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Eric Paris <eparis@parisplace.org> Cc: David Howells <dhowells@redhat.com>
* | | Merge branch 'for-linus' of ↵Linus Torvalds2009-12-092-2/+2
|\ \ \ | |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (42 commits) tree-wide: fix misspelling of "definition" in comments reiserfs: fix misspelling of "journaled" doc: Fix a typo in slub.txt. inotify: remove superfluous return code check hdlc: spelling fix in find_pvc() comment doc: fix regulator docs cut-and-pasteism mtd: Fix comment in Kconfig doc: Fix IRQ chip docs tree-wide: fix assorted typos all over the place drivers/ata/libata-sff.c: comment spelling fixes fix typos/grammos in Documentation/edac.txt sysctl: add missing comments fs/debugfs/inode.c: fix comment typos sgivwfb: Make use of ARRAY_SIZE. sky2: fix sky2_link_down copy/paste comment error tree-wide: fix typos "couter" -> "counter" tree-wide: fix typos "offest" -> "offset" fix kerneldoc for set_irq_msi() spidev: fix double "of of" in comment comment typo fix: sybsystem -> subsystem ...