[PATCH] selinux merge

From Stephen Smalley <sds@epoch.ncsc.mil>

This has been in -mm for a few weeks and James Morris has been
regression testing each release.

security/Kconfig

@@ -44,5 +44,7 @@ config SECURITY_ROOTPLUG
 	  
 	  If you are unsure how to answer this question, answer N.
 
+source security/selinux/Kconfig
+
 endmenu
 

security/Makefile

@@ -2,6 +2,8 @@
 # Makefile for the kernel security code
 #
 
+subdir-$(CONFIG_SECURITY_SELINUX)	+= selinux
+
 # if we don't select a security model, use the default capabilities
 ifneq ($(CONFIG_SECURITY),y)
 obj-y		+= capability.o
@@ -9,5 +11,9 @@ endif
 
 # Object file lists
 obj-$(CONFIG_SECURITY)			+= security.o dummy.o
+# Must precede capability.o in order to stack properly.
+ifeq ($(CONFIG_SECURITY_SELINUX),y)
+	obj-$(CONFIG_SECURITY_SELINUX)	+= selinux/built-in.o
+endif
 obj-$(CONFIG_SECURITY_CAPABILITIES)	+= capability.o
 obj-$(CONFIG_SECURITY_ROOTPLUG)		+= root_plug.o

security/selinux/Kconfig

+config SECURITY_SELINUX
+	bool "NSA SELinux Support"
+	depends on SECURITY
+	default n
+	help
+	  This enables NSA Security-Enhanced Linux (SELinux).
+	  You will also need a policy configuration and a labeled filesystem.
+	  You can obtain the policy compiler (checkpolicy), the utility for
+	  labeling filesystems (setfiles), and an example policy configuration
+	  from http://www.nsa.gov/selinux.
+	  If you are unsure how to answer this question, answer N.
+
+config SECURITY_SELINUX_DEVELOP
+	bool "NSA SELinux Development Support"
+	depends on SECURITY_SELINUX
+	default y
+	help
+	  This enables the development support option of NSA SELinux,
+	  which is useful for experimenting with SELinux and developing
+	  policies.  If unsure, say Y.  With this option enabled, the
+	  kernel will start in permissive mode (log everything, deny nothing)
+	  unless you specify enforcing=1 on the kernel command line.  You
+	  can interactively toggle the kernel between enforcing mode and
+	  permissive mode (if permitted by the policy) via /selinux/enforce.
+
+config SECURITY_SELINUX_MLS
+	bool "NSA SELinux MLS policy (EXPERIMENTAL)"
+	depends on SECURITY_SELINUX && EXPERIMENTAL
+	default n
+	help
+	  This enables the NSA SELinux Multi-Level Security (MLS) policy in
+	  addition to the default RBAC/TE policy.  This policy is
+	  experimental and has not been configured for use.  Unless you
+	  specifically want to experiment with MLS, say N.

security/selinux/Makefile

+#
+# Makefile for building the SELinux module as part of the kernel tree.
+#
+
+obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
+
+selinux-objs := avc.o hooks.o selinuxfs.o
+
+EXTRA_CFLAGS += -Isecurity/selinux/include
+

security/selinux/include/av_inherit.h

+/* This file is automatically generated.  Do not edit. */
+/* FLASK */
+
+struct av_inherit
+{
+    u16 tclass;
+    char **common_pts;
+    u32 common_base;
+};
+
+static struct av_inherit av_inherit[] = {
+   { SECCLASS_DIR, common_file_perm_to_string, 0x00020000UL },
+   { SECCLASS_FILE, common_file_perm_to_string, 0x00020000UL },
+   { SECCLASS_LNK_FILE, common_file_perm_to_string, 0x00020000UL },
+   { SECCLASS_CHR_FILE, common_file_perm_to_string, 0x00020000UL },
+   { SECCLASS_BLK_FILE, common_file_perm_to_string, 0x00020000UL },
+   { SECCLASS_SOCK_FILE, common_file_perm_to_string, 0x00020000UL },
+   { SECCLASS_FIFO_FILE, common_file_perm_to_string, 0x00020000UL },
+   { SECCLASS_SOCKET, common_socket_perm_to_string, 0x00400000UL },
+   { SECCLASS_TCP_SOCKET, common_socket_perm_to_string, 0x00400000UL },
+   { SECCLASS_UDP_SOCKET, common_socket_perm_to_string, 0x00400000UL },
+   { SECCLASS_RAWIP_SOCKET, common_socket_perm_to_string, 0x00400000UL },
+   { SECCLASS_NETLINK_SOCKET, common_socket_perm_to_string, 0x00400000UL },
+   { SECCLASS_PACKET_SOCKET, common_socket_perm_to_string, 0x00400000UL },
+   { SECCLASS_KEY_SOCKET, common_socket_perm_to_string, 0x00400000UL },
+   { SECCLASS_UNIX_STREAM_SOCKET, common_socket_perm_to_string, 0x00400000UL },
+   { SECCLASS_UNIX_DGRAM_SOCKET, common_socket_perm_to_string, 0x00400000UL },
+   { SECCLASS_IPC, common_ipc_perm_to_string, 0x00000200UL },
+   { SECCLASS_SEM, common_ipc_perm_to_string, 0x00000200UL },
+   { SECCLASS_MSGQ, common_ipc_perm_to_string, 0x00000200UL },
+   { SECCLASS_SHM, common_ipc_perm_to_string, 0x00000200UL },
+};
+
+
+/* FLASK */

security/selinux/include/av_perm_to_string.h

+/* This file is automatically generated.  Do not edit. */
+/* FLASK */
+
+struct av_perm_to_string
+{
+    u16 tclass;
+    u32 value;
+    char *name;
+};
+
+static struct av_perm_to_string av_perm_to_string[] = {
+   { SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount" },
+   { SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount" },
+   { SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount" },
+   { SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr" },
+   { SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom" },
+   { SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto" },
+   { SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition" },
+   { SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate" },
+   { SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod" },
+   { SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget" },
+   { SECCLASS_DIR, DIR__ADD_NAME, "add_name" },
+   { SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name" },
+   { SECCLASS_DIR, DIR__REPARENT, "reparent" },
+   { SECCLASS_DIR, DIR__SEARCH, "search" },
+   { SECCLASS_DIR, DIR__RMDIR, "rmdir" },
+   { SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans" },
+   { SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint" },
+   { SECCLASS_FD, FD__USE, "use" },
+   { SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto" },
+   { SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn" },
+   { SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom" },
+   { SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv" },
+   { SECCLASS_NODE, NODE__TCP_SEND, "tcp_send" },
+   { SECCLASS_NODE, NODE__UDP_RECV, "udp_recv" },
+   { SECCLASS_NODE, NODE__UDP_SEND, "udp_send" },
+   { SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv" },
+   { SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send" },
+   { SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest" },
+   { SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv" },
+   { SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send" },
+   { SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv" },
+   { SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send" },
+   { SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv" },
+   { SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send" },
+   { SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto" },
+   { SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn" },
+   { SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom" },
+   { SECCLASS_PROCESS, PROCESS__FORK, "fork" },
+   { SECCLASS_PROCESS, PROCESS__TRANSITION, "transition" },
+   { SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld" },
+   { SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill" },
+   { SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop" },
+   { SECCLASS_PROCESS, PROCESS__SIGNULL, "signull" },
+   { SECCLASS_PROCESS, PROCESS__SIGNAL, "signal" },
+   { SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace" },
+   { SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched" },
+   { SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched" },
+   { SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession" },
+   { SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid" },
+   { SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid" },
+   { SECCLASS_PROCESS, PROCESS__GETCAP, "getcap" },
+   { SECCLASS_PROCESS, PROCESS__SETCAP, "setcap" },
+   { SECCLASS_PROCESS, PROCESS__SHARE, "share" },
+   { SECCLASS_PROCESS, PROCESS__GETATTR, "getattr" },
+   { SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec" },
+   { SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate" },
+   { SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure" },
+   { SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue" },
+   { SECCLASS_MSG, MSG__SEND, "send" },
+   { SECCLASS_MSG, MSG__RECEIVE, "receive" },
+   { SECCLASS_SHM, SHM__LOCK, "lock" },
+   { SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av" },
+   { SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create" },
+   { SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member" },
+   { SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context" },
+   { SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy" },
+   { SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel" },
+   { SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user" },
+   { SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce" },
+   { SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info" },
+   { SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read" },
+   { SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod" },
+   { SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console" },
+   { SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown" },
+   { SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override" },
+   { SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search" },
+   { SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner" },
+   { SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid" },
+   { SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap" },
+   { SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable" },
+   { SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service" },
+   { SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast" },
+   { SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin" },
+   { SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw" },
+   { SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock" },
+   { SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time" },
+   { SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config" },
+   { SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod" },
+   { SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease" },
+   { SECCLASS_PASSWD, PASSWD__PASSWD, "passwd" },
+   { SECCLASS_PASSWD, PASSWD__CHFN, "chfn" },
+   { SECCLASS_PASSWD, PASSWD__CHSH, "chsh" },
+};
+
+
+/* FLASK */

security/selinux/include/avc.h

+/*
+ * Access vector cache interface for object managers.
+ *
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+#ifndef _SELINUX_AVC_H_
+#define _SELINUX_AVC_H_
+
+#include <linux/stddef.h>
+#include <linux/errno.h>
+#include <linux/kernel.h>
+#include <linux/kdev_t.h>
+#include <linux/spinlock.h>
+#include <asm/system.h>
+#include "flask.h"
+#include "av_permissions.h"
+#include "security.h"
+
+#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
+extern int selinux_enforcing;
+#else
+#define selinux_enforcing 1
+#endif
+
+/*
+ * An entry in the AVC.
+ */
+struct avc_entry;
+
+/*
+ * A reference to an AVC entry.
+ */
+struct avc_entry_ref {
+	struct avc_entry *ae;
+};
+
+/* Initialize an AVC entry reference before first use. */
+static inline void avc_entry_ref_init(struct avc_entry_ref *h)
+{
+	h->ae = NULL;
+}
+
+struct task_struct;
+struct vfsmount;
+struct dentry;
+struct inode;
+struct sock;
+struct sk_buff;
+
+/* Auxiliary data to use in generating the audit record. */
+struct avc_audit_data {
+	char    type;
+#define AVC_AUDIT_DATA_FS   1
+#define AVC_AUDIT_DATA_NET  2
+#define AVC_AUDIT_DATA_CAP  3
+#define AVC_AUDIT_DATA_IPC  4
+	struct task_struct *tsk;
+	union 	{
+		struct {
+			struct vfsmount *mnt;
+			struct dentry *dentry;
+			struct inode *inode;
+		} fs;
+		struct {
+			char *netif;
+			struct sk_buff *skb;
+			struct sock *sk;
+			u16 port;
+			u32 daddr;
+		} net;
+		int cap;
+		int ipc_id;
+	} u;
+};
+
+/* Initialize an AVC audit data structure. */
+#define AVC_AUDIT_DATA_INIT(_d,_t) \
+        { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; }
+
+/*
+ * AVC statistics
+ */
+#define AVC_ENTRY_LOOKUPS        0
+#define AVC_ENTRY_HITS	         1
+#define AVC_ENTRY_MISSES         2
+#define AVC_ENTRY_DISCARDS       3
+#define AVC_CAV_LOOKUPS          4
+#define AVC_CAV_HITS             5
+#define AVC_CAV_PROBES           6
+#define AVC_CAV_MISSES           7
+#define AVC_NSTATS               8
+extern unsigned avc_cache_stats[AVC_NSTATS];
+
+#ifdef AVC_CACHE_STATS
+static inline void avc_cache_stats_incr(int type)
+{
+	avc_cache_stats[type]++;
+}
+
+static inline void avc_cache_stats_add(int type, unsigned val)
+{
+	avc_cache_stats[type] += val;
+}
+#else
+static inline void avc_cache_stats_incr(int type)
+{ }
+
+static inline void avc_cache_stats_add(int type, unsigned val)
+{ }
+#endif
+
+/*
+ * AVC display support
+ */
+void avc_dump_av(u16 tclass, u32 av);
+void avc_dump_query(u32 ssid, u32 tsid, u16 tclass);
+void avc_dump_cache(char *tag);
+
+/*
+ * AVC operations
+ */
+
+void avc_init(void);
+
+int avc_lookup(u32 ssid, u32 tsid, u16 tclass,
+               u32 requested, struct avc_entry_ref *aeref);
+
+int avc_insert(u32 ssid, u32 tsid, u16 tclass,
+               struct avc_entry *ae, struct avc_entry_ref *out_aeref);
+
+void avc_audit(u32 ssid, u32 tsid,
+               u16 tclass, u32 requested,
+               struct av_decision *avd, int result, struct avc_audit_data *auditdata);
+
+int avc_has_perm_noaudit(u32 ssid, u32 tsid,
+                         u16 tclass, u32 requested,
+                         struct avc_entry_ref *aeref, struct av_decision *avd);
+
+int avc_has_perm(u32 ssid, u32 tsid,
+                 u16 tclass, u32 requested,
+                 struct avc_entry_ref *aeref, struct avc_audit_data *auditdata);
+
+#define AVC_CALLBACK_GRANT		1
+#define AVC_CALLBACK_TRY_REVOKE		2
+#define AVC_CALLBACK_REVOKE		4
+#define AVC_CALLBACK_RESET		8
+#define AVC_CALLBACK_AUDITALLOW_ENABLE	16
+#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
+#define AVC_CALLBACK_AUDITDENY_ENABLE	64
+#define AVC_CALLBACK_AUDITDENY_DISABLE	128
+
+int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
+                                     u16 tclass, u32 perms,
+				     u32 *out_retained),
+		     u32 events, u32 ssid, u32 tsid,
+		     u16 tclass, u32 perms);
+
+#endif /* _SELINUX_AVC_H_ */
+

security/selinux/include/avc_ss.h

+/*
+ * Access vector cache interface for the security server.
+ *
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+#ifndef _SELINUX_AVC_SS_H_
+#define _SELINUX_AVC_SS_H_
+
+#include "flask.h"
+
+int avc_ss_grant(u32 ssid, u32 tsid, u16 tclass, u32 perms, u32 seqno);
+
+int avc_ss_try_revoke(u32 ssid, u32 tsid, u16 tclass, u32 perms, u32 seqno,
+		      u32 *out_retained);
+
+int avc_ss_revoke(u32 ssid, u32 tsid, u16 tclass, u32 perms, u32 seqno);
+
+int avc_ss_reset(u32 seqno);
+
+int avc_ss_set_auditallow(u32 ssid, u32 tsid, u16 tclass, u32 perms,
+			  u32 seqno, u32 enable);
+
+int avc_ss_set_auditdeny(u32 ssid, u32 tsid, u16 tclass, u32 perms,
+			 u32 seqno, u32 enable);
+
+#endif /* _SELINUX_AVC_SS_H_ */
+

security/selinux/include/class_to_string.h

+/* This file is automatically generated.  Do not edit. */
+/*
+ * Security object class definitions
+ */
+static char *class_to_string[] =
+{
+    "null",
+    "security",
+    "process",
+    "system",
+    "capability",
+    "filesystem",
+    "file",
+    "dir",
+    "fd",
+    "lnk_file",
+    "chr_file",
+    "blk_file",
+    "sock_file",
+    "fifo_file",
+    "socket",
+    "tcp_socket",
+    "udp_socket",
+    "rawip_socket",
+    "node",
+    "netif",
+    "netlink_socket",
+    "packet_socket",
+    "key_socket",
+    "unix_stream_socket",
+    "unix_dgram_socket",
+    "sem",
+    "msg",
+    "msgq",
+    "shm",
+    "ipc",
+    "passwd",
+};
+

security/selinux/include/initial_sid_to_string.h

+/* This file is automatically generated.  Do not edit. */
+static char *initial_sid_to_string[] =
+{
+    "null",
+    "kernel",
+    "security",
+    "unlabeled",
+    "fs",
+    "file",
+    "file_labels",
+    "init",
+    "any_socket",
+    "port",
+    "netif",
+    "netmsg",
+    "node",
+    "igmp_packet",
+    "icmp_socket",
+    "tcp_socket",
+    "sysctl_modprobe",
+    "sysctl",
+    "sysctl_fs",
+    "sysctl_kernel",
+    "sysctl_net",
+    "sysctl_net_unix",
+    "sysctl_vm",
+    "sysctl_dev",
+    "kmod",
+    "policy",
+    "scmp_packet",
+};
+