1. 14 Jul, 2008 25 commits
    • security: remove register_security hook · 6f0f0fd4
      James Morris authored
      The register security hook is no longer required, as the capability
      module is always registered.  LSMs wishing to stack capability as
      a secondary module should do so explicitly.
      Signed-off-by: James Morris <jmorris@namei.org>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
    • security: remove dummy module fix · 93cbace7
      Miklos Szeredi authored
      Fix small oversight in "security: remove dummy module":
      CONFIG_SECURITY_FILE_CAPABILITIES doesn't depend on CONFIG_SECURITY
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: James Morris <jmorris@namei.org>
    • security: remove dummy module · 5915eb53
      Miklos Szeredi authored
      Remove the dummy module and make the "capability" module the default.
      
      Compile and boot tested.
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Acked-by: Serge Hallyn <serue@us.ibm.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • security: remove unused sb_get_mnt_opts hook · b478a9f9
      Miklos Szeredi authored
      The sb_get_mnt_opts() hook is unused, and is superseded by the
      sb_show_options() hook.
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Acked-by: James Morris <jmorris@namei.org>
    • LSM/SELinux: show LSM mount options in /proc/mounts · 2069f457
      Eric Paris authored
      This patch causes SELinux mount options to show up in /proc/mounts.  As
      with other code in the area seq_put errors are ignored.  Other LSMs
      will not have their mount options displayed until they fill in their own
      security_sb_show_options() function.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: James Morris <jmorris@namei.org>
    • SELinux: allow fstype unknown to policy to use xattrs if present · 811f3799
      Eric Paris authored
      Currently if a FS is mounted for which SELinux policy does not define an
      fs_use_* that FS will either be genfs labeled or not labeled at all.
      This decision is based on the existence of a genfscon rule in policy and
      is irrespective of the capabilities of the filesystem itself.  This
      patch allows the kernel to check if the filesystem supports security
      xattrs and if so will use those if there is no fs_use_* rule in policy.
      An fstype with no fs_use_* rule but with a genfs rule will use xattrs
      if available and will follow the genfs rule.
      
      This can be particularly interesting for things like ecryptfs which
      actually overlays a real underlying FS.  If we define ecryptfs in
      policy to use xattrs we will likely get this wrong at times, so with
      this patch we just don't need to define it!
      
      Overlay ecryptfs on top of NFS with no xattr support:
      SELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts
      Overlay ecryptfs on top of ext4 with xattr support:
      SELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr
      
      It is also useful as the kernel adds new FS we don't need to add them in
      policy if they support xattrs and that is how we want to handle them.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
    • security: fix return of void-valued expressions · 65fc7668
      James Morris authored
      Fix several warnings generated by sparse of the form
      "returning void-valued expression".
      Signed-off-by: James Morris <jmorris@namei.org>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      Acked-by: Serge Hallyn <serue@us.ibm.com>
    • SELinux: use do_each_thread as a proper do/while block · 2baf06df
      James Morris authored
      Use do_each_thread as a proper do/while block.  Sparse complained.
      Signed-off-by: James Morris <jmorris@namei.org>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
    • SELinux: remove unused and shadowed addrlen variable · e399f982
      James Morris authored
      Remove unused and shadowed addrlen variable.  Picked up by sparse.
      Signed-off-by: James Morris <jmorris@namei.org>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Acked-by: Paul Moore <paul.moore@hp.com>
    • SELinux: more user friendly unknown handling printk · 6cbe2706
      Eric Paris authored
      I've gotten complaints and reports about people not understanding the
      meaning of the current unknown class/perm handling the kernel emits on
      every policy load.  Hopefully this will make it clear to everyone
      the meaning of the message and won't waste a printk the user won't care
      about anyway on systems where the kernel and the policy agree on
      everything.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux whine) · 22df4adb
      Stephen Smalley authored
      On Mon, 2008-06-09 at 01:24 -0700, Andrew Morton wrote:
      > Getting a few of these with FC5:
      >
      > SELinux: context_struct_compute_av:  unrecognized class 69
      > SELinux: context_struct_compute_av:  unrecognized class 69
      >
      > one came out when I logged in.
      >
      > No other symptoms, yet.
      
      Change handling of invalid classes by SELinux, reporting class values
      unknown to the kernel as errors (w/ ratelimit applied) and handling
      class values unknown to policy as normal denials.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Acked-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • SELinux: drop load_mutex in security_load_policy · 89abd0ac
      Eric Paris authored
      We used to protect against races of policy load in security_load_policy
      by using the load_mutex.  Since then we have added a new mutex,
      sel_mutex, in sel_write_load() which is always held across all calls to
      security_load_policy we are covered and can safely just drop this one.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
    • SELinux: fix off by 1 reference of class_to_string in context_struct_compute_av · cea78dc4
      Eric Paris authored
      The class_to_string array is referenced by tclass.  My code mistakenly
      was using tclass - 1.  If the preceding class is a userspace class
      rather than kernel class this may cause a denial/EINVAL even if unknown
      handling is set to allow.  The bug shouldn't be allowing excess
      privileges since those are given based on the contents of another array
      which should be correctly referenced.
      
      At this point in time it's pretty unlikely this is going to cause
      problems.  The most recently added kernel classes which could be
      affected are association, dccp_socket, and peer.  It's pretty unlikely
      any policy with handle_unknown=allow doesn't have association and
      dccp_socket undefined (they've been around longer than unknown handling)
      and peer is conditionalized on a policy cap which should only be defined
      if that class exists in policy.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
    • SELinux: open code sidtab lock · bdd581c1
      James Morris authored
      Open code sidtab lock to make Andrew Morton happy.
      Signed-off-by: James Morris <jmorris@namei.org>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
    • SELinux: open code load_mutex · 972ccac2
      James Morris authored
      Open code load_mutex as suggested by Andrew Morton.
      Signed-off-by: James Morris <jmorris@namei.org>
    • SELinux: open code policy_rwlock · 0804d113
      James Morris authored
      Open code policy_rwlock, as suggested by Andrew Morton.
      Signed-off-by: James Morris <jmorris@namei.org>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
    • selinux: fix endianness bug in network node address handling · 59dbd1ba
      Stephen Smalley authored
      Fix an endianness bug in the handling of network node addresses by
      SELinux.  This yields no change on little endian hardware but fixes
      the incorrect handling on big endian hardware.  The network node
      addresses are stored in network order in memory by checkpolicy, not in
      cpu/host order, and thus should not have cpu_to_le32/le32_to_cpu
      conversions applied upon policy write/read unlike other data in the
      policy.
      
      Bug reported by John Weeks of Sun, who noticed that binary policy
      files built from the same policy source on x86 and sparc differed and
      tracked it down to the ipv4 address handling in checkpolicy.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
    • selinux: simplify ioctl checking · 242631c4
      Stephen Smalley authored
      Simplify and improve the robustness of the SELinux ioctl checking by
      using the "access mode" bits of the ioctl command to determine the
      permission check rather than dealing with individual command values.
      This removes any knowledge of specific ioctl commands from SELinux
      and follows the same guidance we gave to Smack earlier.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
    • SELinux: enable processes with mac_admin to get the raw inode contexts · abc69bb6
      Stephen Smalley authored
      Enable processes with CAP_MAC_ADMIN + mac_admin permission in policy
      to get undefined contexts on inodes.  This extends the support for
      deferred mapping of security contexts in order to permit restorecon
      and similar programs to see the raw file contexts unknown to the
      system policy in order to check them.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
    • Security: split proc ptrace checking into read vs. attach · 006ebb40
      Stephen Smalley authored
      Enable security modules to distinguish reading of process state via
      proc from full ptrace access by renaming ptrace_may_attach to
      ptrace_may_access and adding a mode argument indicating whether only
      read access or full attach access is requested.  This allows security
      modules to permit access to reading process state without granting
      full ptrace access.  The base DAC/capability checking remains unchanged.
      
      Read access to /proc/pid/mem continues to apply a full ptrace attach
      check since check_mem_permission() already requires the current task
      to already be ptracing the target.  The other ptrace checks within
      proc for elements like environ, maps, and fds are changed to pass the
      read mode instead of attach.
      
      In the SELinux case, we model such reading of process state as a
      reading of a proc file labeled with the target process' label.  This
      enables SELinux policy to permit such reading of process state without
      permitting control or manipulation of the target process, as there are
      a number of cases where programs probe for such information via proc
      but do not need to be able to control the target (e.g. procps,
      lsof, PolicyKit, ConsoleKit).  At present we have to choose between
      allowing full ptrace in policy (more permissive than required/desired)
      or breaking functionality (or in some cases just silencing the denials
      via dontaudit rules but this can hide genuine attacks).
      
      This version of the patch incorporates comments from Casey Schaufler
      (change/replace existing ptrace_may_attach interface, pass access
      mode), and Chris Wright (provide greater consistency in the checking).
      
      Note that like their predecessors __ptrace_may_attach and
      ptrace_may_attach, the __ptrace_may_access and ptrace_may_access
      interfaces use different return value conventions from each other (0
      or -errno vs. 1 or 0).  I retained this difference to avoid any
      changes to the caller logic but made the difference clearer by
      changing the latter interface to return a bool rather than an int and
      by adding a comment about it to ptrace.h for any future callers.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Acked-by: Chris Wright <chrisw@sous-sol.org>
      Signed-off-by: James Morris <jmorris@namei.org>
    • SELinux: remove inherit field from inode_security_struct · feb2a5b8
      James Morris authored
      Remove inherit field from inode_security_struct, per Stephen Smalley:
      "Let's just drop inherit altogether - dead field."
      Signed-off-by: James Morris <jmorris@namei.org>
    • SELinux: reorder inode_security_struct to increase objs/slab on 64bit · fdeb0518
      Richard Kennedy authored
      reorder inode_security_struct to remove padding on 64 bit builds
      
      size reduced from 72 to 64 bytes increasing objects per slab to 64.
      Signed-off-by: Richard Kennedy <richard@rsk.demon.co.uk>
      Signed-off-by: James Morris <jmorris@namei.org>
    • SELinux: keep the code clean formatting and syntax · f5269710
      Eric Paris authored
      Formatting and syntax changes
      
      whitespace, tabs to spaces, trailing space
      put open { on same line as struct def
      remove unneeded {} after if statements
      change printk("Lu") to printk("llu")
      convert asm/uaccess.h to linux/uaccess.h includes
      remove unnecessary asm/bug.h includes
      convert all users of simple_strtol to strict_strtol
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • SELinux: fix sleeping allocation in security_context_to_sid · 9a59daa0
      Stephen Smalley authored
      Fix a sleeping function called from invalid context bug by moving allocation
      to the callers prior to taking the policy rdlock.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
    • selinux: support deferred mapping of contexts · 12b29f34
      Stephen Smalley authored
      Introduce SELinux support for deferred mapping of security contexts in
      the SID table upon policy reload, and use this support for inode
      security contexts when the context is not yet valid under the current
      policy.  Only processes with CAP_MAC_ADMIN + mac_admin permission in
      policy can set undefined security contexts on inodes.  Inodes with
      such undefined contexts are treated as having the unlabeled context
      until the context becomes valid upon a policy reload that defines the
      context.  Context invalidation upon policy reload also uses this
      support to save the context information in the SID table and later
      recover it upon a subsequent policy reload that defines the context
      again.
      
      This support is to enable package managers and similar programs to set
      down file contexts unknown to the system policy at the time the file
      is created in order to better support placing loadable policy modules
      in packages and to support build systems that need to create images of
      different distro releases with different policies w/o requiring all of
      the contexts to be defined or legal in the build host policy.
      
      With this patch applied, the following sequence is possible, although
      in practice it is recommended that this permission only be allowed to
      specific program domains such as the package manager.
      
      # rmdir baz
      # rm bar
      # touch bar
      # chcon -t foo_exec_t bar # foo_exec_t is not yet defined
      chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument
      # mkdir -Z system_u:object_r:foo_exec_t baz
      mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument
      # cat setundefined.te
      policy_module(setundefined, 1.0)
      require {
      	type unconfined_t;
      	type unlabeled_t;
      }
      files_type(unlabeled_t)
      allow unconfined_t self:capability2 mac_admin;
      # make -f /usr/share/selinux/devel/Makefile setundefined.pp
      # semodule -i setundefined.pp
      # chcon -t foo_exec_t bar # foo_exec_t is not yet defined
      # mkdir -Z system_u:object_r:foo_exec_t baz
      # ls -Zd bar baz
      -rw-r--r--  root root system_u:object_r:unlabeled_t    bar
      drwxr-xr-x  root root system_u:object_r:unlabeled_t    baz
      # cat foo.te
      policy_module(foo, 1.0)
      type foo_exec_t;
      files_type(foo_exec_t)
      # make -f /usr/share/selinux/devel/Makefile foo.pp
      # semodule -i foo.pp # defines foo_exec_t
      # ls -Zd bar baz
      -rw-r--r--  root root user_u:object_r:foo_exec_t       bar
      drwxr-xr-x  root root system_u:object_r:foo_exec_t    baz
      # semodule -r foo
      # ls -Zd bar baz
      -rw-r--r--  root root system_u:object_r:unlabeled_t    bar
      drwxr-xr-x  root root system_u:object_r:unlabeled_t    baz
      # semodule -i foo.pp
      # ls -Zd bar baz
      -rw-r--r--  root root user_u:object_r:foo_exec_t       bar
      drwxr-xr-x  root root system_u:object_r:foo_exec_t    baz
      # semodule -r setundefined foo
      # chcon -t foo_exec_t bar # no longer defined and not allowed
      chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument
      # rmdir baz
      # mkdir -Z system_u:object_r:foo_exec_t baz
      mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
  2. 13 Jul, 2008 6 commits
  3. 12 Jul, 2008 9 commits