Commit b68e418c authored by Stephen Smalley's avatar Stephen Smalley Committed by James Morris

selinux: support 64-bit capabilities

Fix SELinux to handle 64-bit capabilities correctly, and to catch
future extensions of capabilities beyond 64 bits to ensure that SELinux
is properly updated.
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 19af3554
...@@ -1272,12 +1272,18 @@ static int task_has_perm(struct task_struct *tsk1, ...@@ -1272,12 +1272,18 @@ static int task_has_perm(struct task_struct *tsk1,
SECCLASS_PROCESS, perms, NULL); SECCLASS_PROCESS, perms, NULL);
} }
#if CAP_LAST_CAP > 63
#error Fix SELinux to handle capabilities > 63.
#endif
/* Check whether a task is allowed to use a capability. */ /* Check whether a task is allowed to use a capability. */
static int task_has_capability(struct task_struct *tsk, static int task_has_capability(struct task_struct *tsk,
int cap) int cap)
{ {
struct task_security_struct *tsec; struct task_security_struct *tsec;
struct avc_audit_data ad; struct avc_audit_data ad;
u16 sclass;
u32 av = CAP_TO_MASK(cap);
tsec = tsk->security; tsec = tsk->security;
...@@ -1285,8 +1291,19 @@ static int task_has_capability(struct task_struct *tsk, ...@@ -1285,8 +1291,19 @@ static int task_has_capability(struct task_struct *tsk,
ad.tsk = tsk; ad.tsk = tsk;
ad.u.cap = cap; ad.u.cap = cap;
return avc_has_perm(tsec->sid, tsec->sid, switch (CAP_TO_INDEX(cap)) {
SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad); case 0:
sclass = SECCLASS_CAPABILITY;
break;
case 1:
sclass = SECCLASS_CAPABILITY2;
break;
default:
printk(KERN_ERR
"SELinux: out of range capability %d\n", cap);
BUG();
}
return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
} }
/* Check whether a task is allowed to use a system operation. */ /* Check whether a task is allowed to use a system operation. */
......
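Review bot: The `default:` arm of the new switch in task_has_capability depends on `BUG()` never returning, and `sclass` is declared without an initial value. On a build where `BUG()` is compiled out (CONFIG_BUG disabled), control would leave the switch and call avc_has_perm() with an uninitialized class, so the check would run against an arbitrary object class instead of denying. Adding `return -EINVAL;` directly after `BUG();` makes the out-of-range case fail closed on every configuration. The lines of this function between the two hunks are not shown, so this assumes nothing there assigns `sclass`.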
...@@ -132,6 +132,9 @@ ...@@ -132,6 +132,9 @@
S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease") S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write") S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control") S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read") S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write") S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read") S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
......
...@@ -533,6 +533,9 @@ ...@@ -533,6 +533,9 @@
#define CAPABILITY__LEASE 0x10000000UL #define CAPABILITY__LEASE 0x10000000UL
#define CAPABILITY__AUDIT_WRITE 0x20000000UL #define CAPABILITY__AUDIT_WRITE 0x20000000UL
#define CAPABILITY__AUDIT_CONTROL 0x40000000UL #define CAPABILITY__AUDIT_CONTROL 0x40000000UL
#define CAPABILITY__SETFCAP 0x80000000UL
#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
#define CAPABILITY2__MAC_ADMIN 0x00000002UL
#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL #define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL #define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL #define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
......
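Review bot: Nothing beside the new `CAPABILITY__SETFCAP` and `CAPABILITY2__*` defines records that their values are tied to the kernel capability numbers. task_has_capability now passes `CAP_TO_MASK(cap)` straight to avc_has_perm() as the access vector, so each value has to equal the bit of that capability within its 32-bit word; a mismatch would silently test a different permission than the one the capability names. A comment such as `/* CAPABILITY*__ values must equal CAP_TO_MASK() of the matching capability; task_has_capability() uses that mask as the access vector */` would make the dependency visible. If this header is generated, the comment belongs in the generator's input instead.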
...@@ -71,3 +71,4 @@ ...@@ -71,3 +71,4 @@
S_(NULL) S_(NULL)
S_(NULL) S_(NULL)
S_("peer") S_("peer")
S_("capability2")
...@@ -51,6 +51,7 @@ ...@@ -51,6 +51,7 @@
#define SECCLASS_DCCP_SOCKET 60 #define SECCLASS_DCCP_SOCKET 60
#define SECCLASS_MEMPROTECT 61 #define SECCLASS_MEMPROTECT 61
#define SECCLASS_PEER 68 #define SECCLASS_PEER 68
#define SECCLASS_CAPABILITY2 69
/* /*
* Security identifier indices for initial entities * Security identifier indices for initial entities
......