Commit 7bbf0e05 authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] selinux merge

From Stephen Smalley <sds@epoch.ncsc.mil>

This has been in -mm for a few weeks and James Morris has been
regression testing each release.
parent ad55c575
...@@ -44,5 +44,7 @@ config SECURITY_ROOTPLUG ...@@ -44,5 +44,7 @@ config SECURITY_ROOTPLUG
If you are unsure how to answer this question, answer N. If you are unsure how to answer this question, answer N.
source security/selinux/Kconfig
endmenu endmenu
...@@ -2,6 +2,8 @@ ...@@ -2,6 +2,8 @@
# Makefile for the kernel security code # Makefile for the kernel security code
# #
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
# if we don't select a security model, use the default capabilities # if we don't select a security model, use the default capabilities
ifneq ($(CONFIG_SECURITY),y) ifneq ($(CONFIG_SECURITY),y)
obj-y += capability.o obj-y += capability.o
...@@ -9,5 +11,9 @@ endif ...@@ -9,5 +11,9 @@ endif
# Object file lists # Object file lists
obj-$(CONFIG_SECURITY) += security.o dummy.o obj-$(CONFIG_SECURITY) += security.o dummy.o
# Must precede capability.o in order to stack properly.
ifeq ($(CONFIG_SECURITY_SELINUX),y)
obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
endif
obj-$(CONFIG_SECURITY_CAPABILITIES) += capability.o obj-$(CONFIG_SECURITY_CAPABILITIES) += capability.o
obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o
config SECURITY_SELINUX
bool "NSA SELinux Support"
depends on SECURITY
default n
help
This enables NSA Security-Enhanced Linux (SELinux).
You will also need a policy configuration and a labeled filesystem.
You can obtain the policy compiler (checkpolicy), the utility for
labeling filesystems (setfiles), and an example policy configuration
from http://www.nsa.gov/selinux.
If you are unsure how to answer this question, answer N.
config SECURITY_SELINUX_DEVELOP
bool "NSA SELinux Development Support"
depends on SECURITY_SELINUX
default y
help
This enables the development support option of NSA SELinux,
which is useful for experimenting with SELinux and developing
policies. If unsure, say Y. With this option enabled, the
kernel will start in permissive mode (log everything, deny nothing)
unless you specify enforcing=1 on the kernel command line. You
can interactively toggle the kernel between enforcing mode and
permissive mode (if permitted by the policy) via /selinux/enforce.
config SECURITY_SELINUX_MLS
bool "NSA SELinux MLS policy (EXPERIMENTAL)"
depends on SECURITY_SELINUX && EXPERIMENTAL
default n
help
This enables the NSA SELinux Multi-Level Security (MLS) policy in
addition to the default RBAC/TE policy. This policy is
experimental and has not been configured for use. Unless you
specifically want to experiment with MLS, say N.
#
# Makefile for building the SELinux module as part of the kernel tree.
#
obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
selinux-objs := avc.o hooks.o selinuxfs.o
EXTRA_CFLAGS += -Isecurity/selinux/include
This diff is collapsed.
This diff is collapsed.
/* This file is automatically generated. Do not edit. */
/* FLASK */
struct av_inherit
{
u16 tclass;
char **common_pts;
u32 common_base;
};
static struct av_inherit av_inherit[] = {
{ SECCLASS_DIR, common_file_perm_to_string, 0x00020000UL },
{ SECCLASS_FILE, common_file_perm_to_string, 0x00020000UL },
{ SECCLASS_LNK_FILE, common_file_perm_to_string, 0x00020000UL },
{ SECCLASS_CHR_FILE, common_file_perm_to_string, 0x00020000UL },
{ SECCLASS_BLK_FILE, common_file_perm_to_string, 0x00020000UL },
{ SECCLASS_SOCK_FILE, common_file_perm_to_string, 0x00020000UL },
{ SECCLASS_FIFO_FILE, common_file_perm_to_string, 0x00020000UL },
{ SECCLASS_SOCKET, common_socket_perm_to_string, 0x00400000UL },
{ SECCLASS_TCP_SOCKET, common_socket_perm_to_string, 0x00400000UL },
{ SECCLASS_UDP_SOCKET, common_socket_perm_to_string, 0x00400000UL },
{ SECCLASS_RAWIP_SOCKET, common_socket_perm_to_string, 0x00400000UL },
{ SECCLASS_NETLINK_SOCKET, common_socket_perm_to_string, 0x00400000UL },
{ SECCLASS_PACKET_SOCKET, common_socket_perm_to_string, 0x00400000UL },
{ SECCLASS_KEY_SOCKET, common_socket_perm_to_string, 0x00400000UL },
{ SECCLASS_UNIX_STREAM_SOCKET, common_socket_perm_to_string, 0x00400000UL },
{ SECCLASS_UNIX_DGRAM_SOCKET, common_socket_perm_to_string, 0x00400000UL },
{ SECCLASS_IPC, common_ipc_perm_to_string, 0x00000200UL },
{ SECCLASS_SEM, common_ipc_perm_to_string, 0x00000200UL },
{ SECCLASS_MSGQ, common_ipc_perm_to_string, 0x00000200UL },
{ SECCLASS_SHM, common_ipc_perm_to_string, 0x00000200UL },
};
/* FLASK */
/* This file is automatically generated. Do not edit. */
/* FLASK */
struct av_perm_to_string
{
u16 tclass;
u32 value;
char *name;
};
static struct av_perm_to_string av_perm_to_string[] = {
{ SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount" },
{ SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount" },
{ SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount" },
{ SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr" },
{ SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom" },
{ SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto" },
{ SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition" },
{ SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate" },
{ SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod" },
{ SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget" },
{ SECCLASS_DIR, DIR__ADD_NAME, "add_name" },
{ SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name" },
{ SECCLASS_DIR, DIR__REPARENT, "reparent" },
{ SECCLASS_DIR, DIR__SEARCH, "search" },
{ SECCLASS_DIR, DIR__RMDIR, "rmdir" },
{ SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans" },
{ SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint" },
{ SECCLASS_FD, FD__USE, "use" },
{ SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto" },
{ SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn" },
{ SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom" },
{ SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv" },
{ SECCLASS_NODE, NODE__TCP_SEND, "tcp_send" },
{ SECCLASS_NODE, NODE__UDP_RECV, "udp_recv" },
{ SECCLASS_NODE, NODE__UDP_SEND, "udp_send" },
{ SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv" },
{ SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send" },
{ SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest" },
{ SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv" },
{ SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send" },
{ SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv" },
{ SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send" },
{ SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv" },
{ SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send" },
{ SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto" },
{ SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn" },
{ SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom" },
{ SECCLASS_PROCESS, PROCESS__FORK, "fork" },
{ SECCLASS_PROCESS, PROCESS__TRANSITION, "transition" },
{ SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld" },
{ SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill" },
{ SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop" },
{ SECCLASS_PROCESS, PROCESS__SIGNULL, "signull" },
{ SECCLASS_PROCESS, PROCESS__SIGNAL, "signal" },
{ SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace" },
{ SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched" },
{ SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched" },
{ SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession" },
{ SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid" },
{ SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid" },
{ SECCLASS_PROCESS, PROCESS__GETCAP, "getcap" },
{ SECCLASS_PROCESS, PROCESS__SETCAP, "setcap" },
{ SECCLASS_PROCESS, PROCESS__SHARE, "share" },
{ SECCLASS_PROCESS, PROCESS__GETATTR, "getattr" },
{ SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec" },
{ SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate" },
{ SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure" },
{ SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue" },
{ SECCLASS_MSG, MSG__SEND, "send" },
{ SECCLASS_MSG, MSG__RECEIVE, "receive" },
{ SECCLASS_SHM, SHM__LOCK, "lock" },
{ SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av" },
{ SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create" },
{ SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member" },
{ SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context" },
{ SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy" },
{ SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel" },
{ SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user" },
{ SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce" },
{ SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info" },
{ SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read" },
{ SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod" },
{ SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console" },
{ SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown" },
{ SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override" },
{ SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search" },
{ SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner" },
{ SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid" },
{ SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill" },
{ SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid" },
{ SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid" },
{ SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap" },
{ SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable" },
{ SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service" },
{ SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast" },
{ SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin" },
{ SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw" },
{ SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock" },
{ SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner" },
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module" },
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio" },
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot" },
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace" },
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct" },
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin" },
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot" },
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice" },
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource" },
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time" },
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config" },
{ SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod" },
{ SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease" },
{ SECCLASS_PASSWD, PASSWD__PASSWD, "passwd" },
{ SECCLASS_PASSWD, PASSWD__CHFN, "chfn" },
{ SECCLASS_PASSWD, PASSWD__CHSH, "chsh" },
};
/* FLASK */
This diff is collapsed.
/*
* Access vector cache interface for object managers.
*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
*/
#ifndef _SELINUX_AVC_H_
#define _SELINUX_AVC_H_
#include <linux/stddef.h>
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/kdev_t.h>
#include <linux/spinlock.h>
#include <asm/system.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
extern int selinux_enforcing;
#else
#define selinux_enforcing 1
#endif
/*
* An entry in the AVC.
*/
struct avc_entry;
/*
* A reference to an AVC entry.
*/
struct avc_entry_ref {
struct avc_entry *ae;
};
/* Initialize an AVC entry reference before first use. */
static inline void avc_entry_ref_init(struct avc_entry_ref *h)
{
h->ae = NULL;
}
struct task_struct;
struct vfsmount;
struct dentry;
struct inode;
struct sock;
struct sk_buff;
/* Auxiliary data to use in generating the audit record. */
struct avc_audit_data {
char type;
#define AVC_AUDIT_DATA_FS 1
#define AVC_AUDIT_DATA_NET 2
#define AVC_AUDIT_DATA_CAP 3
#define AVC_AUDIT_DATA_IPC 4
struct task_struct *tsk;
union {
struct {
struct vfsmount *mnt;
struct dentry *dentry;
struct inode *inode;
} fs;
struct {
char *netif;
struct sk_buff *skb;
struct sock *sk;
u16 port;
u32 daddr;
} net;
int cap;
int ipc_id;
} u;
};
/* Initialize an AVC audit data structure. */
#define AVC_AUDIT_DATA_INIT(_d,_t) \
{ memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; }
/*
* AVC statistics
*/
#define AVC_ENTRY_LOOKUPS 0
#define AVC_ENTRY_HITS 1
#define AVC_ENTRY_MISSES 2
#define AVC_ENTRY_DISCARDS 3
#define AVC_CAV_LOOKUPS 4
#define AVC_CAV_HITS 5
#define AVC_CAV_PROBES 6
#define AVC_CAV_MISSES 7
#define AVC_NSTATS 8
extern unsigned avc_cache_stats[AVC_NSTATS];
#ifdef AVC_CACHE_STATS
static inline void avc_cache_stats_incr(int type)
{
avc_cache_stats[type]++;
}
static inline void avc_cache_stats_add(int type, unsigned val)
{
avc_cache_stats[type] += val;
}
#else
static inline void avc_cache_stats_incr(int type)
{ }
static inline void avc_cache_stats_add(int type, unsigned val)
{ }
#endif
/*
* AVC display support
*/
void avc_dump_av(u16 tclass, u32 av);
void avc_dump_query(u32 ssid, u32 tsid, u16 tclass);
void avc_dump_cache(char *tag);
/*
* AVC operations
*/
void avc_init(void);
int avc_lookup(u32 ssid, u32 tsid, u16 tclass,
u32 requested, struct avc_entry_ref *aeref);
int avc_insert(u32 ssid, u32 tsid, u16 tclass,
struct avc_entry *ae, struct avc_entry_ref *out_aeref);
void avc_audit(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
struct av_decision *avd, int result, struct avc_audit_data *auditdata);
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
struct avc_entry_ref *aeref, struct av_decision *avd);
int avc_has_perm(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
struct avc_entry_ref *aeref, struct avc_audit_data *auditdata);
#define AVC_CALLBACK_GRANT 1
#define AVC_CALLBACK_TRY_REVOKE 2
#define AVC_CALLBACK_REVOKE 4
#define AVC_CALLBACK_RESET 8
#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
#define AVC_CALLBACK_AUDITDENY_ENABLE 64
#define AVC_CALLBACK_AUDITDENY_DISABLE 128
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
u16 tclass, u32 perms,
u32 *out_retained),
u32 events, u32 ssid, u32 tsid,
u16 tclass, u32 perms);
#endif /* _SELINUX_AVC_H_ */
/*
* Access vector cache interface for the security server.
*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
*/
#ifndef _SELINUX_AVC_SS_H_
#define _SELINUX_AVC_SS_H_
#include "flask.h"
int avc_ss_grant(u32 ssid, u32 tsid, u16 tclass, u32 perms, u32 seqno);
int avc_ss_try_revoke(u32 ssid, u32 tsid, u16 tclass, u32 perms, u32 seqno,
u32 *out_retained);
int avc_ss_revoke(u32 ssid, u32 tsid, u16 tclass, u32 perms, u32 seqno);
int avc_ss_reset(u32 seqno);
int avc_ss_set_auditallow(u32 ssid, u32 tsid, u16 tclass, u32 perms,
u32 seqno, u32 enable);
int avc_ss_set_auditdeny(u32 ssid, u32 tsid, u16 tclass, u32 perms,
u32 seqno, u32 enable);
#endif /* _SELINUX_AVC_SS_H_ */
/* This file is automatically generated. Do not edit. */
/*
* Security object class definitions
*/
static char *class_to_string[] =
{
"null",
"security",
"process",
"system",
"capability",
"filesystem",
"file",
"dir",
"fd",
"lnk_file",
"chr_file",
"blk_file",
"sock_file",
"fifo_file",
"socket",
"tcp_socket",
"udp_socket",
"rawip_socket",
"node",
"netif",
"netlink_socket",
"packet_socket",
"key_socket",
"unix_stream_socket",
"unix_dgram_socket",
"sem",
"msg",
"msgq",
"shm",
"ipc",
"passwd",
};
This diff is collapsed.
This diff is collapsed.
/* This file is automatically generated. Do not edit. */
static char *initial_sid_to_string[] =
{
"null",
"kernel",
"security",
"unlabeled",
"fs",
"file",
"file_labels",
"init",
"any_socket",
"port",
"netif",
"netmsg",
"node",
"igmp_packet",
"icmp_socket",
"tcp_socket",
"sysctl_modprobe",
"sysctl",
"sysctl_fs",
"sysctl_kernel",
"sysctl_net",
"sysctl_net_unix",
"sysctl_vm",
"sysctl_dev",
"kmod",
"policy",
"scmp_packet",
};
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment