Commit 29cd6591 authored by Daniel Colascione's avatar Daniel Colascione Committed by Paul Moore

selinux: teach SELinux about anonymous inodes

This change uses the anon_inodes and LSM infrastructure introduced in
the previous patches to give SELinux the ability to control
anonymous-inode files that are created using the new
anon_inode_getfd_secure() function.

A SELinux policy author detects and controls these anonymous inodes by
adding a name-based type_transition rule that assigns a new security
type to anonymous-inode files created in some domain. The name used
for the name-based transition is the name associated with the
anonymous inode for file listings --- e.g., "[userfaultfd]" or
"[perf_event]".

Example:

type uffd_t;
type_transition sysadm_t sysadm_t : anon_inode uffd_t "[userfaultfd]";
allow sysadm_t uffd_t:anon_inode { create };

(The next patch in this series is necessary for making userfaultfd
support this new interface.  The example above is just
for exposition.)
Signed-off-by: default avatarDaniel Colascione <dancol@google.com>
Signed-off-by: default avatarLokesh Gidra <lokeshgidra@google.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent e7e832ce
......@@ -2962,6 +2962,62 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
return 0;
}
static int selinux_inode_init_security_anon(struct inode *inode,
const struct qstr *name,
const struct inode *context_inode)
{
const struct task_security_struct *tsec = selinux_cred(current_cred());
struct common_audit_data ad;
struct inode_security_struct *isec;
int rc;
if (unlikely(!selinux_initialized(&selinux_state)))
return 0;
isec = selinux_inode(inode);
/*
* We only get here once per ephemeral inode. The inode has
* been initialized via inode_alloc_security but is otherwise
* untouched.
*/
if (context_inode) {
struct inode_security_struct *context_isec =
selinux_inode(context_inode);
if (context_isec->initialized != LABEL_INITIALIZED) {
pr_err("SELinux: context_inode is not initialized");
return -EACCES;
}
isec->sclass = context_isec->sclass;
isec->sid = context_isec->sid;
} else {
isec->sclass = SECCLASS_ANON_INODE;
rc = security_transition_sid(
&selinux_state, tsec->sid, tsec->sid,
isec->sclass, name, &isec->sid);
if (rc)
return rc;
}
isec->initialized = LABEL_INITIALIZED;
/*
* Now that we've initialized security, check whether we're
* allowed to actually create this type of anonymous inode.
*/
ad.type = LSM_AUDIT_DATA_INODE;
ad.u.inode = inode;
return avc_has_perm(&selinux_state,
tsec->sid,
isec->sid,
isec->sclass,
FILE__CREATE,
&ad);
}
static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
{
return may_create(dir, dentry, SECCLASS_FILE);
......@@ -7032,6 +7088,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
LSM_HOOK_INIT(inode_create, selinux_inode_create),
LSM_HOOK_INIT(inode_link, selinux_inode_link),
LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
......
......@@ -249,6 +249,8 @@ struct security_class_mapping secclass_map[] = {
{"open", "cpu", "kernel", "tracepoint", "read", "write"} },
{ "lockdown",
{ "integrity", "confidentiality", NULL } },
{ "anon_inode",
{ COMMON_FILE_PERMS, NULL } },
{ NULL }
};
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment