Commit Graph

162 Commits

Author SHA1 Message Date
Eric W. Biederman 581abc09c2 userns: Convert selinux to use kuid and kgid where appropriate
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <james.l.morris@oracle.com>
Cc: Eric Paris <eparis@parisplace.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2012-09-21 03:13:22 -07:00
Wanlong Gao 562c99f20d SELinux: avc: remove the useless fields in avc_add_callback
avc_add_callback now just used for registering reset functions
in initcalls, and the callback functions just did reset operations.
So, reducing the arguments to only one event is enough now.

Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2012-04-09 12:23:44 -04:00
Eric Paris bb7081ab93 SELinux: possible NULL deref in context_struct_to_string
It's possible that the caller passed a NULL for scontext.  However if this
is a defered mapping we might still attempt to call *scontext=kstrdup().
This is bad.  Instead just return the len.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-04-09 12:22:56 -04:00
Eric Paris eed7795d0a SELinux: add default_type statements
Because Fedora shipped userspace based on my development tree we now
have policy version 27 in the wild defining only default user, role, and
range.  Thus to add default_type we need a policy.28.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-04-09 12:22:48 -04:00
Eric Paris aa893269de SELinux: allow default source/target selectors for user/role/range
When new objects are created we have great and flexible rules to
determine the type of the new object.  We aren't quite as flexible or
mature when it comes to determining the user, role, and range.  This
patch adds a new ability to specify the place a new objects user, role,
and range should come from.  For users and roles it can come from either
the source or the target of the operation.  aka for files the user can
either come from the source (the running process and todays default) or
it can come from the target (aka the parent directory of the new file)

examples always are done with
directory context: system_u:object_r:mnt_t:s0-s0:c0.c512
process context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[no rule]
	unconfined_u:object_r:mnt_t:s0   test_none
[default user source]
	unconfined_u:object_r:mnt_t:s0   test_user_source
[default user target]
	system_u:object_r:mnt_t:s0       test_user_target
[default role source]
	unconfined_u:unconfined_r:mnt_t:s0 test_role_source
[default role target]
	unconfined_u:object_r:mnt_t:s0   test_role_target
[default range source low]
	unconfined_u:object_r:mnt_t:s0 test_range_source_low
[default range source high]
	unconfined_u:object_r:mnt_t:s0:c0.c1023 test_range_source_high
[default range source low-high]
	unconfined_u:object_r:mnt_t:s0-s0:c0.c1023 test_range_source_low-high
[default range target low]
	unconfined_u:object_r:mnt_t:s0 test_range_target_low
[default range target high]
	unconfined_u:object_r:mnt_t:s0:c0.c512 test_range_target_high
[default range target low-high]
	unconfined_u:object_r:mnt_t:s0-s0:c0.c512 test_range_target_low-high

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-04-09 12:22:47 -04:00
James Morris 6a3fbe8117 selinux: sparse fix: fix warnings in netlink code
Fix sparse warnings in SELinux Netlink code.

Signed-off-by: James Morris <jmorris@namei.org>
2011-09-09 16:56:31 -07:00
James Morris cc59a582d6 selinux: sparse fix: move selinux_complete_init
Sparse fix: move selinux_complete_init

Signed-off-by: James Morris <jmorris@namei.org>
2011-09-09 16:56:26 -07:00
Paul Moore 82c21bfab4 doc: Update the email address for Paul Moore in various source files
My @hp.com will no longer be valid starting August 5, 2011 so an update is
necessary.  My new email address is employer independent so we don't have
to worry about doing this again any time soon.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-08-01 17:58:33 -07:00
Linus Torvalds f01e1af445 selinux: don't pass in NULL avd to avc_has_perm_noaudit
Right now security_get_user_sids() will pass in a NULL avd pointer to
avc_has_perm_noaudit(), which then forces that function to have a dummy
entry for that case and just generally test it.

Don't do it.  The normal callers all pass a real avd pointer, and this
helper function is incredibly hot.  So don't make avc_has_perm_noaudit()
do conditional stuff that isn't needed for the common case.

This also avoids some duplicated stack space.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-05-26 18:13:57 -07:00
James Morris b7b57551bb Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into for-linus
Conflicts:
	lib/flex_array.c
	security/selinux/avc.c
	security/selinux/hooks.c
	security/selinux/ss/policydb.c
	security/smack/smack_lsm.c

Manually resolve conflicts.

Signed-off-by: James Morris <jmorris@namei.org>
2011-05-24 23:20:19 +10:00
Eric Paris 2463c26d50 SELinux: put name based create rules in a hashtable
To shorten the list we need to run if filename trans rules exist for the type
of the given parent directory I put them in a hashtable.  Given the policy we
are expecting to use in Fedora this takes the worst case list run from about
5,000 entries to 17.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
2011-04-28 15:15:53 -04:00
Eric Paris 03a4c0182a SELinux: skip filename trans rules if ttype does not match parent dir
Right now we walk to filename trans rule list for every inode that is
created.  First passes at policy using this facility creates around 5000
filename trans rules.  Running a list of 5000 entries every time is a bad
idea.  This patch adds a new ebitmap to policy which has a bit set for each
ttype that has at least 1 filename trans rule.  Thus when an inode is
created we can quickly determine if any rules exist for this parent
directory type and can skip the list if we know there is definitely no
relevant entry.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
2011-04-28 15:15:52 -04:00
Eric Paris 2667991f60 SELinux: rename filename_compute_type argument to *type instead of *con
filename_compute_type() takes as arguments the numeric value of the type of
the subject and target.  It does not take a context.  Thus the names are
misleading.  Fix the argument names.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
2011-04-28 15:15:51 -04:00
Eric Paris 4742600cf5 SELinux: fix comment to state filename_compute_type takes an objname not a qstr
filename_compute_type used to take a qstr, but it now takes just a name.
Fix the comments to indicate it is an objname, not a qstr.

Signed-off-by: Eric Paris <eparis@redhat.com>
2011-04-28 15:15:51 -04:00
Eric Paris 6b697323a7 SELinux: security_read_policy should take a size_t not ssize_t
The len should be an size_t but is a ssize_t.  Easy enough fix to silence
build warnings.  We have no need for signed-ness.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
2011-04-25 10:19:02 -04:00
Stephen Smalley eba71de2cb selinux: Fix regression for Xorg
Commit 6f5317e730 introduced a bug in the
handling of userspace object classes that is causing breakage for Xorg
when XSELinux is enabled.  Fix the bug by changing map_class() to return
SECCLASS_NULL when the class cannot be mapped to a kernel object class.

Reported-by:  "Justin P. Mattock" <justinmattock@gmail.com>
Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2011-04-07 12:00:12 -04:00
Kohei Kaigai f50a3ec961 selinux: add type_transition with name extension support for selinuxfs
The attached patch allows /selinux/create takes optional 4th argument
to support TYPE_TRANSITION with name extension for userspace object
managers.
If 4th argument is not supplied, it shall perform as existing kernel.
In fact, the regression test of SE-PostgreSQL works well on the patched
kernel.

Thanks,

Signed-off-by: KaiGai Kohei <kohei.kaigai@eu.nec.com>
[manually verify fuzz was not an issue, and it wasn't: eparis]
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-04-01 17:13:23 -04:00
Lucas De Marchi 25985edced Fix common misspellings
Fixes generated by 'codespell' and manually reviewed.

Signed-off-by: Lucas De Marchi <lucas.demarchi@profusion.mobi>
2011-03-31 11:26:23 -03:00
Stephen Smalley 85cd6da53a selinux: Fix regression for Xorg
Commit 6f5317e730 introduced a bug in the
handling of userspace object classes that is causing breakage for Xorg
when XSELinux is enabled.  Fix the bug by changing map_class() to return
SECCLASS_NULL when the class cannot be mapped to a kernel object class.

Reported-by:  "Justin P. Mattock" <justinmattock@gmail.com>
Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2011-03-29 10:26:30 +11:00
Harry Ciao 63a312ca55 SELinux: Compute role in newcontext for all classes
Apply role_transition rules for all kinds of classes.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-03-28 14:21:01 -04:00
Harry Ciao 6f5317e730 SELinux: Socket retains creator role and MLS attribute
The socket SID would be computed on creation and no longer inherit
its creator's SID by default. Socket may have a different type but
needs to retain the creator's role and MLS attribute in order not
to break labeled networking and network access control.

The kernel value for a class would be used to determine if the class
if one of socket classes. If security_compute_sid is called from
userspace the policy value for a class would be mapped to the relevant
kernel value first.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2011-03-03 15:19:43 -05:00
Eric Paris 652bb9b0d6 SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.)  This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.

There is no file globbing, regex parsing, or anything mystical.  Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.

Signed-off-by: Eric Paris <eparis@redhat.com>
2011-02-01 11:12:30 -05:00
Eric Paris ac76c05bec selinux: convert part of the sym_val_to_name array to use flex_array
The sym_val_to_name type array can be quite large as it grows linearly with
the number of types.  With known policies having over 5k types these
allocations are growing large enough that they are likely to fail.  Convert
those to flex_array so no allocation is larger than PAGE_SIZE

Signed-off-by: Eric Paris <eparis@redhat.com>
2010-11-30 17:28:58 -05:00
Eric Paris 23bdecb000 selinux: convert type_val_to_struct to flex_array
In rawhide type_val_to_struct will allocate 26848 bytes, an order 3
allocations.  While this hasn't been seen to fail it isn't outside the
realm of possibiliy on systems with severe memory fragmentation.  Convert
to flex_array so no allocation will ever be bigger than PAGE_SIZE.

Signed-off-by: Eric Paris <eparis@redhat.com>
2010-11-30 17:28:57 -05:00
Eric Paris 7ae9f23cbd selinux: rework security_netlbl_secattr_to_sid
security_netlbl_secattr_to_sid is difficult to follow, especially the
return codes.  Try to make the function obvious.

Signed-off-by: Eric Paris <eparis@redhat.com>
2010-11-30 17:28:57 -05:00
Eric Paris 4b02b52448 SELinux: standardize return code handling in selinuxfs.c
selinuxfs.c has lots of different standards on how to handle return paths on
error.  For the most part transition to

	rc=errno
	if (failure)
		goto out;
[...]
out:
	cleanup()
	return rc;

Instead of doing cleanup mid function, or having multiple returns or other
options.  This doesn't do that for every function, but most of the complex
functions which have cleanup routines on error.

Signed-off-by: Eric Paris <eparis@redhat.com>
2010-11-30 17:28:57 -05:00
Stephen Rothwell f0d3d9894e selinux: include vmalloc.h for vmalloc_user
Include vmalloc.h for vmalloc_user (fixes ppc build warning).
Acked-by: Eric Paris <eparis@redhat.com>

Signed-off-by: James Morris <jmorris@namei.org>
2010-10-21 10:13:01 +11:00
Eric Paris 845ca30fe9 selinux: implement mmap on /selinux/policy
/selinux/policy allows a user to copy the policy back out of the kernel.
This patch allows userspace to actually mmap that file and use it directly.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-10-21 10:12:59 +11:00
Eric Paris cee74f47a6 SELinux: allow userspace to read policy back out of the kernel
There is interest in being able to see what the actual policy is that was
loaded into the kernel.  The patch creates a new selinuxfs file
/selinux/policy which can be read by userspace.  The actual policy that is
loaded into the kernel will be written back out to userspace.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-10-21 10:12:58 +11:00
Eric Paris d5630b9d27 security: secid_to_secctx returns len when data is NULL
With the (long ago) interface change to have the secid_to_secctx functions
do the string allocation instead of having the caller do the allocation we
lost the ability to query the security server for the length of the
upcoming string.  The SECMARK code would like to allocate a netlink skb
with enough length to hold the string but it is just too unclean to do the
string allocation twice or to do the allocation the first time and hold
onto the string and slen.  This patch adds the ability to call
security_secid_to_secctx() with a NULL data pointer and it will just set
the slen pointer.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-10-21 10:12:50 +11:00
KaiGai Kohei 1190416725 selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
  struct selinux_kernel_status
  {
          u32     length;         /* length of this structure */
          u32     sequence;       /* sequence number of seqlock logic */
          u32     enforcing;      /* current setting of enforcing mode */
          u32     policyload;     /* times of policy reloaded */
          u32     deny_unknown;   /* current setting of deny_unknown */
  };

When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.

If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.

A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
 security/selinux/include/security.h |   21 ++++++
 security/selinux/selinuxfs.c        |   56 +++++++++++++++
 security/selinux/ss/Makefile        |    2 +-
 security/selinux/ss/services.c      |    3 +
 security/selinux/ss/status.c        |  129 +++++++++++++++++++++++++++++++++++
 5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-10-21 10:12:36 +11:00
Eric Paris 6371dcd36f selinux: convert the policy type_attr_map to flex_array
Current selinux policy can have over 3000 types.  The type_attr_map in
policy is an array sized by the number of types times sizeof(struct ebitmap)
(12 on x86_64).  Basic math tells us the array is going to be of length
3000 x 12 = 36,000 bytes.  The largest 'safe' allocation on a long running
system is 16k.  Most of the time a 32k allocation will work.  But on long
running systems a 64k allocation (what we need) can fail quite regularly.
In order to deal with this I am converting the type_attr_map to use
flex_arrays.  Let the library code deal with breaking this into PAGE_SIZE
pieces.

-v2
rework some of the if(!obj) BUG() to be BUG_ON(!obj)
drop flex_array_put() calls and just use a _get() object directly

-v3
make apply to James' tree (drop the policydb_write changes)

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by:  Stephen D. Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:38:39 +10:00
Eric Paris a200005038 SELinux: return error codes on policy load failure
policy load failure always return EINVAL even if the failure was for some
other reason (usually ENOMEM).  This patch passes error codes back up the
stack where they will make their way to userspace.  This might help in
debugging future problems with policy load.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2010-04-21 08:58:49 +10:00
wzt.wzt@gmail.com c1a7368a6f Security: Fix coding style in security/
Fix coding style in security/

Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-04-09 15:13:48 +10:00
KaiGai Kohei 2ae3ba3938 selinux: libsepol: remove dead code in check_avtab_hierarchy_callback()
This patch revert the commit of 7d52a155e3
which removed a part of type_attribute_bounds_av as a dead code.
However, at that time, we didn't find out the target side boundary allows
to handle some of pseudo /proc/<pid>/* entries with its process's security
context well.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

--
 security/selinux/ss/services.c |   43 ++++++++++++++++++++++++++++++++++++---
 1 files changed, 39 insertions(+), 4 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-02-22 08:27:41 +11:00
James Morris 2da5d31bc7 security: fix a couple of sparse warnings
Fix a couple of sparse warnings for callers of
context_struct_to_string, which takes a *u32, not an *int.

These cases are harmless as the values are not used.

Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
2010-02-16 17:29:06 +11:00
Guido Trentalancia 0719aaf5ea selinux: allow MLS->non-MLS and vice versa upon policy reload
Allow runtime switching between different policy types (e.g. from a MLS/MCS
policy to a non-MLS/non-MCS policy or viceversa).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2010-02-04 09:06:36 +11:00
Guido Trentalancia 42596eafdd selinux: load the initial SIDs upon every policy load
Always load the initial SIDs, even in the case of a policy
reload and not just at the initial policy load. This comes
particularly handy after the introduction of a recent
patch for enabling runtime switching between different
policy types, although this patch is in theory independent
from that feature.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2010-02-04 08:48:17 +11:00
KaiGai Kohei 7d52a155e3 selinux: remove dead code in type_attribute_bounds_av()
This patch removes dead code in type_attribute_bounds_av().

Due to the historical reason, the type boundary feature is delivered
from hierarchical types in libsepol, it has supported boundary features
both of subject type (domain; in most cases) and target type.

However, we don't have any actual use cases in bounded target types,
and it tended to make conceptual confusion.
So, this patch removes the dead code to apply boundary checks on the
target types. I makes clear the TYPEBOUNDS restricts privileges of
a certain domain bounded to any other domain.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

--
 security/selinux/ss/services.c |   43 +++------------------------------------
 1 files changed, 4 insertions(+), 39 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-01-25 08:31:38 +11:00
James Morris 2457552d1e Merge branch 'master' into next 2010-01-18 09:56:22 +11:00
Stephen Smalley 19439d05b8 selinux: change the handling of unknown classes
If allow_unknown==deny, SELinux treats an undefined kernel security
class as an error condition rather than as a typical permission denial
and thus does not allow permissions on undefined classes even when in
permissive mode.  Change the SELinux logic so that this case is handled
as a typical permission denial, subject to the usual permissive mode and
permissive domain handling.

Also drop the 'requested' argument from security_compute_av() and
helpers as it is a legacy of the original security server interface and
is unused.

Changes:
- Handle permissive domains consistently by moving up the test for a
permissive domain.
- Make security_compute_av_user() consistent with security_compute_av();
the only difference now is that security_compute_av() performs mapping
between the kernel-private class and permission indices and the policy
values.  In the userspace case, this mapping is handled by libselinux.
- Moved avd_init inside the policy lock.

Based in part on a patch by Paul Moore <paul.moore@hp.com>.

Reported-by: Andrew Worsley <amworsley@gmail.com>
Signed-off-by:  Stephen D. Smalley <sds@tycho.nsa.gov>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-01-18 09:54:26 +11:00
Julia Lawall 9f59f90bf5 security/selinux/ss: correct size computation
The size argument to kcalloc should be the size of desired structure,
not the pointer to it.

The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@expression@
expression *x;
@@

x =
 <+...
-sizeof(x)
+sizeof(*x)
...+>// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
2009-12-08 14:57:54 +11:00
Jiri Kosina d014d04386 Merge branch 'for-next' into for-linus
Conflicts:

	kernel/irq/chip.c
2009-12-07 18:36:35 +01:00
André Goddard Rosa af901ca181 tree-wide: fix assorted typos all over the place
That is "success", "unknown", "through", "performance", "[re|un]mapping"
, "access", "default", "reasonable", "[con]currently", "temperature"
, "channel", "[un]used", "application", "example","hierarchy", "therefore"
, "[over|under]flow", "contiguous", "threshold", "enough" and others.

Signed-off-by: André Goddard Rosa <andre.goddard@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2009-12-04 15:39:55 +01:00
Eric Paris 0bce952799 SELinux: print denials for buggy kernel with unknown perms
Historically we've seen cases where permissions are requested for classes
where they do not exist.  In particular we have seen CIFS forget to set
i_mode to indicate it is a directory so when we later check something like
remove_name we have problems since it wasn't defined in tclass file.  This
used to result in a avc which included the permission 0x2000 or something.
Currently the kernel will deny the operations (good thing) but will not
print ANY information (bad thing).  First the auditdeny field is no
extended to include unknown permissions.  After that is fixed the logic in
avc_dump_query to output this information isn't right since it will remove
the permission from the av and print the phrase "<NULL>".  This takes us
back to the behavior before the classmap rewrite.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
2009-11-24 14:30:49 +11:00
Stephen Smalley b7f3008ad1 SELinux: fix locking issue introduced with c6d3aaa4e3
Ensure that we release the policy read lock on all exit paths from
security_compute_av.

Signed-off-by:  Stephen D. Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2009-10-20 09:22:07 +09:00
Stephen Smalley 941fc5b2bf selinux: drop remapping of netlink classes
Drop remapping of netlink classes and bypass of permission checking
based on netlink message type for policy version < 18.  This removes
compatibility code introduced when the original single netlink
security class used for all netlink sockets was split into
finer-grained netlink classes based on netlink protocol and when
permission checking was added based on netlink message type in Linux
2.6.8.  The only known distribution that shipped with SELinux and
policy < 18 was Fedora Core 2, which was EOL'd on 2005-04-11.

Given that the remapping code was never updated to address the
addition of newer netlink classes, that the corresponding userland
support was dropped in 2005, and that the assumptions made by the
remapping code about the fixed ordering among netlink classes in the
policy may be violated in the future due to the dynamic class/perm
discovery support, we should drop this compatibility code now.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2009-10-07 21:56:46 +11:00
Stephen Smalley c6d3aaa4e3 selinux: dynamic class/perm discovery
Modify SELinux to dynamically discover class and permission values
upon policy load, based on the dynamic object class/perm discovery
logic from libselinux.  A mapping is created between kernel-private
class and permission indices used outside the security server and the
policy values used within the security server.

The mappings are only applied upon kernel-internal computations;
similar mappings for the private indices of userspace object managers
is handled on a per-object manager basis by the userspace AVC.  The
interfaces for compute_av and transition_sid are split for kernel
vs. userspace; the userspace functions are distinguished by a _user
suffix.

The kernel-private class indices are no longer tied to the policy
values and thus do not need to skip indices for userspace classes;
thus the kernel class index values are compressed.  The flask.h
definitions were regenerated by deleting the userspace classes from
refpolicy's definitions and then regenerating the headers.  Going
forward, we can just maintain the flask.h, av_permissions.h, and
classmap.h definitions separately from policy as they are no longer
tied to the policy values.  The next patch introduces a utility to
automate generation of flask.h and av_permissions.h from the
classmap.h definitions.

The older kernel class and permission string tables are removed and
replaced by a single security class mapping table that is walked at
policy load to generate the mapping.  The old kernel class validation
logic is completely replaced by the mapping logic.

The handle unknown logic is reworked.  reject_unknown=1 is handled
when the mappings are computed at policy load time, similar to the old
handling by the class validation logic.  allow_unknown=1 is handled
when computing and mapping decisions - if the permission was not able
to be mapped (i.e. undefined, mapped to zero), then it is
automatically added to the allowed vector.  If the class was not able
to be mapped (i.e. undefined, mapped to zero), then all permissions
are allowed for it if allow_unknown=1.

avc_audit leverages the new security class mapping table to lookup the
class and permission names from the kernel-private indices.

The mdp program is updated to use the new table when generating the
class definitions and allow rules for a minimal boot policy for the
kernel.  It should be noted that this policy will not include any
userspace classes, nor will its policy index values for the kernel
classes correspond with the ones in refpolicy (they will instead match
the kernel-private indices).

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2009-10-07 21:56:42 +11:00
James Morris d905163c5b Merge branch 'master' into next 2009-06-19 08:20:55 +10:00
KaiGai Kohei 44c2d9bdd7 Add audit messages on type boundary violations
The attached patch adds support to generate audit messages on two cases.

The first one is a case when a multi-thread process tries to switch its
performing security context using setcon(3), but new security context is
not bounded by the old one.

  type=SELINUX_ERR msg=audit(1245311998.599:17):        \
      op=security_bounded_transition result=denied      \
      oldcontext=system_u:system_r:httpd_t:s0           \
      newcontext=system_u:system_r:guest_webapp_t:s0

The other one is a case when security_compute_av() masked any permissions
due to the type boundary violation.

  type=SELINUX_ERR msg=audit(1245312836.035:32):	\
      op=security_compute_av reason=bounds              \
      scontext=system_u:object_r:user_webapp_t:s0       \
      tcontext=system_u:object_r:shadow_t:s0:c0         \
      tclass=file perms=getattr,open

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2009-06-19 00:12:28 +10:00