aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/ss
Commit message (Collapse)AuthorAgeFilesLines
* SELinux: Add new labeling type native labelsDavid Quigley2013-06-081-1/+4
| | | | | | | | | | | | | | | | | There currently doesn't exist a labeling type that is adequate for use with labeled NFS. Since NFS doesn't really support xattrs we can't use the use xattr labeling behavior. For this we developed a new labeling type. The native labeling type is used solely by NFS to ensure NFS inodes are labeled at runtime by the NFS code instead of relying on the SELinux security server on the client end. Acked-by: Eric Paris <eparis@redhat.com> Acked-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
* userns: Convert selinux to use kuid and kgid where appropriateEric W. Biederman2012-09-211-1/+1
| | | | | | | Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: James Morris <james.l.morris@oracle.com> Cc: Eric Paris <eparis@parisplace.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
* SELinux: avc: remove the useless fields in avc_add_callbackWanlong Gao2012-04-091-4/+2
| | | | | | | | | avc_add_callback now just used for registering reset functions in initcalls, and the callback functions just did reset operations. So, reducing the arguments to only one event is enough now. Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com> Signed-off-by: Eric Paris <eparis@redhat.com>
* SELinux: possible NULL deref in context_struct_to_stringEric Paris2012-04-091-3/+5
| | | | | | | | It's possible that the caller passed a NULL for scontext. However if this is a defered mapping we might still attempt to call *scontext=kstrdup(). This is bad. Instead just return the len. Signed-off-by: Eric Paris <eparis@redhat.com>
* SELinux: add default_type statementsEric Paris2012-04-093-5/+31
| | | | | | | | Because Fedora shipped userspace based on my development tree we now have policy version 27 in the wild defining only default user, role, and range. Thus to add default_type we need a policy.28. Signed-off-by: Eric Paris <eparis@redhat.com>
* SELinux: allow default source/target selectors for user/role/rangeEric Paris2012-04-095-7/+107
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When new objects are created we have great and flexible rules to determine the type of the new object. We aren't quite as flexible or mature when it comes to determining the user, role, and range. This patch adds a new ability to specify the place a new objects user, role, and range should come from. For users and roles it can come from either the source or the target of the operation. aka for files the user can either come from the source (the running process and todays default) or it can come from the target (aka the parent directory of the new file) examples always are done with directory context: system_u:object_r:mnt_t:s0-s0:c0.c512 process context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [no rule] unconfined_u:object_r:mnt_t:s0 test_none [default user source] unconfined_u:object_r:mnt_t:s0 test_user_source [default user target] system_u:object_r:mnt_t:s0 test_user_target [default role source] unconfined_u:unconfined_r:mnt_t:s0 test_role_source [default role target] unconfined_u:object_r:mnt_t:s0 test_role_target [default range source low] unconfined_u:object_r:mnt_t:s0 test_range_source_low [default range source high] unconfined_u:object_r:mnt_t:s0:c0.c1023 test_range_source_high [default range source low-high] unconfined_u:object_r:mnt_t:s0-s0:c0.c1023 test_range_source_low-high [default range target low] unconfined_u:object_r:mnt_t:s0 test_range_target_low [default range target high] unconfined_u:object_r:mnt_t:s0:c0.c512 test_range_target_high [default range target low-high] unconfined_u:object_r:mnt_t:s0-s0:c0.c512 test_range_target_low-high Signed-off-by: Eric Paris <eparis@redhat.com>
* selinux: Casting (void *) value returned by kmalloc is uselessThomas Meyer2011-12-191-1/+1
| | | | | | | | The semantic patch that makes this change is available in scripts/coccinelle/api/alloc/drop_kmalloc_cast.cocci. Signed-off-by: Thomas Meyer <thomas@m3y3r.de> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: sparse fix: fix several warnings in the security server codeJames Morris2011-09-093-3/+2
| | | | | | Fix several sparse warnings in the SELinux security server code. Signed-off-by: James Morris <jmorris@namei.org>
* selinux: sparse fix: fix warnings in netlink codeJames Morris2011-09-091-2/+0
| | | | | | Fix sparse warnings in SELinux Netlink code. Signed-off-by: James Morris <jmorris@namei.org>
* selinux: sparse fix: move selinux_complete_initJames Morris2011-09-091-1/+0
| | | | | | Sparse fix: move selinux_complete_init Signed-off-by: James Morris <jmorris@namei.org>
* doc: Update the email address for Paul Moore in various source filesPaul Moore2011-08-015-5/+5
| | | | | | | | | | My @hp.com will no longer be valid starting August 5, 2011 so an update is necessary. My new email address is employer independent so we don't have to worry about doing this again any time soon. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'for-linus' of git://git.infradead.org/users/eparis/selinux ↵James Morris2011-06-151-0/+3
|\ | | | | | | into for-linus
| * SELinux: skip file_name_trans_write() when policy downgraded.Roy.Li2011-06-141-0/+3
| | | | | | | | | | | | | | | | When policy version is less than POLICYDB_VERSION_FILENAME_TRANS, skip file_name_trans_write(). Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com>
| * Merge commit 'v2.6.39' into 20110526Eric Paris2011-05-261-2/+2
| |\ | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: lib/flex_array.c security/selinux/avc.c security/selinux/hooks.c security/selinux/ss/policydb.c security/smack/smack_lsm.c
* | | selinux: don't pass in NULL avd to avc_has_perm_noauditLinus Torvalds2011-05-261-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Right now security_get_user_sids() will pass in a NULL avd pointer to avc_has_perm_noaudit(), which then forces that function to have a dummy entry for that case and just generally test it. Don't do it. The normal callers all pass a real avd pointer, and this helper function is incredibly hot. So don't make avc_has_perm_noaudit() do conditional stuff that isn't needed for the common case. This also avoids some duplicated stack space. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | | Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into ↵James Morris2011-05-243-111/+217
|\ \ \ | |/ / | | / | |/ |/| | | | | | | | | | | | | | | | | | | | | for-linus Conflicts: lib/flex_array.c security/selinux/avc.c security/selinux/hooks.c security/selinux/ss/policydb.c security/smack/smack_lsm.c Manually resolve conflicts. Signed-off-by: James Morris <jmorris@namei.org>
| * flex_array: flex_array_prealloc takes a number of elements, not an endEric Paris2011-04-281-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Change flex_array_prealloc to take the number of elements for which space should be allocated instead of the last (inclusive) element. Users and documentation are updated accordingly. flex_arrays got introduced before they had users. When folks started using it, they ended up needing a different API than was coded up originally. This swaps over to the API that folks apparently need. Based-on-patch-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Eric Paris <eparis@redhat.com> Tested-by: Chris Richards <gizmo@giz-works.com> Acked-by: Dave Hansen <dave@linux.vnet.ibm.com> Cc: stable@kernel.org [2.6.38+]
| * SELinux: put name based create rules in a hashtableEric Paris2011-04-283-61/+135
| | | | | | | | | | | | | | | | | | | | To shorten the list we need to run if filename trans rules exist for the type of the given parent directory I put them in a hashtable. Given the policy we are expecting to use in Fedora this takes the worst case list run from about 5,000 entries to 17. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: James Morris <jmorris@namei.org>
| * SELinux: generic hashtab entry counterEric Paris2011-04-281-2/+2
| | | | | | | | | | | | | | | | Instead of a hashtab entry counter function only useful for range transition rules make a function generic for any hashtable to use. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: James Morris <jmorris@namei.org>
| * SELinux: calculate and print hashtab stats with a generic functionEric Paris2011-04-281-19/+13
| | | | | | | | | | | | | | | | | | We have custom debug functions like rangetr_hash_eval and symtab_hash_eval which do the same thing. Just create a generic function that takes the name of the hash table as an argument instead of having custom functions. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: James Morris <jmorris@namei.org>
| * SELinux: skip filename trans rules if ttype does not match parent dirEric Paris2011-04-283-0/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Right now we walk to filename trans rule list for every inode that is created. First passes at policy using this facility creates around 5000 filename trans rules. Running a list of 5000 entries every time is a bad idea. This patch adds a new ebitmap to policy which has a bit set for each ttype that has at least 1 filename trans rule. Thus when an inode is created we can quickly determine if any rules exist for this parent directory type and can skip the list if we know there is definitely no relevant entry. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: James Morris <jmorris@namei.org>
| * SELinux: rename filename_compute_type argument to *type instead of *conEric Paris2011-04-281-3/+3
| | | | | | | | | | | | | | | | | | filename_compute_type() takes as arguments the numeric value of the type of the subject and target. It does not take a context. Thus the names are misleading. Fix the argument names. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: James Morris <jmorris@namei.org>
| * SELinux: fix comment to state filename_compute_type takes an objname not a qstrEric Paris2011-04-281-1/+1
| | | | | | | | | | | | | | filename_compute_type used to take a qstr, but it now takes just a name. Fix the comments to indicate it is an objname, not a qstr. Signed-off-by: Eric Paris <eparis@redhat.com>
| * SELinux: security_read_policy should take a size_t not ssize_tEric Paris2011-04-251-1/+1
| | | | | | | | | | | | | | | | The len should be an size_t but is a ssize_t. Easy enough fix to silence build warnings. We have no need for signed-ness. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: James Morris <jmorris@namei.org>
| * SELinux: delete debugging printks from filename_trans rule processingEric Paris2011-04-201-4/+0
| | | | | | | | | | | | | | | | The filename_trans rule processing has some printk(KERN_ERR ) messages which were intended as debug aids in creating the code but weren't removed before it was submitted. Remove them. Signed-off-by: Eric Paris <eparis@redhat.com>
| * Initialize policydb.process_class eariler.Harry Ciao2011-04-071-5/+5
| | | | | | | | | | | | | | | | | | Initialize policydb.process_class once all symtabs read from policy image, so that it could be used to setup the role_trans.tclass field when a lower version policy.X is loaded. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com>
| * selinux: Fix regression for XorgStephen Smalley2011-04-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | Commit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the handling of userspace object classes that is causing breakage for Xorg when XSELinux is enabled. Fix the bug by changing map_class() to return SECCLASS_NULL when the class cannot be mapped to a kernel object class. Reported-by: "Justin P. Mattock" <justinmattock@gmail.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * selinux: add type_transition with name extension support for selinuxfsKohei Kaigai2011-04-011-8/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The attached patch allows /selinux/create takes optional 4th argument to support TYPE_TRANSITION with name extension for userspace object managers. If 4th argument is not supplied, it shall perform as existing kernel. In fact, the regression test of SE-PostgreSQL works well on the patched kernel. Thanks, Signed-off-by: KaiGai Kohei <kohei.kaigai@eu.nec.com> [manually verify fuzz was not an issue, and it wasn't: eparis] Signed-off-by: Eric Paris <eparis@redhat.com>
| * SELinux: Write class field in role_trans_write.Harry Ciao2011-03-281-2/+9
| | | | | | | | | | | | | | | | | | If kernel policy version is >= 26, then write the class field of the role_trans structure into the binary reprensentation. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com>
| * SELinux: Compute role in newcontext for all classesHarry Ciao2011-03-281-11/+9
| | | | | | | | | | | | | | | | Apply role_transition rules for all kinds of classes. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com>
| * SELinux: Add class support to the role_trans structureHarry Ciao2011-03-282-1/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | If kernel policy version is >= 26, then the binary representation of the role_trans structure supports specifying the class for the current subject or the newly created object. If kernel policy version is < 26, then the class field would be default to the process class. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com>
* | Merge branch 'for-linus' of git://git.infradead.org/users/eparis/selinux ↵James Morris2011-05-131-4/+0
|\ \ | | | | | | | | | into for-linus
| * | SELinux: delete debugging printks from filename_trans rule processingEric Paris2011-05-121-4/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | The filename_trans rule processing has some printk(KERN_ERR ) messages which were intended as debug aids in creating the code but weren't removed before it was submitted. Remove them. Reported-by: Paul Bolle <pebolle@tiscali.nl> Signed-off-by: Eric Paris <eparis@redhat.com>
* | | Merge branch 'for-linus' of git://git.infradead.org/users/eparis/selinux ↵James Morris2011-05-041-3/+3
|\ \ \ | |/ / | | | | | | into for-linus
| * | flex_array: flex_array_prealloc takes a number of elements, not an endEric Paris2011-04-281-3/+3
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | Change flex_array_prealloc to take the number of elements for which space should be allocated instead of the last (inclusive) element. Users and documentation are updated accordingly. flex_arrays got introduced before they had users. When folks started using it, they ended up needing a different API than was coded up originally. This swaps over to the API that folks apparently need. Based-on-patch-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Eric Paris <eparis@redhat.com> Tested-by: Chris Richards <gizmo@giz-works.com> Acked-by: Dave Hansen <dave@linux.vnet.ibm.com> Cc: stable@kernel.org [2.6.38+]
* | Fix common misspellingsLucas De Marchi2011-03-311-2/+2
| | | | | | | | | | | | Fixes generated by 'codespell' and manually reviewed. Signed-off-by: Lucas De Marchi <lucas.demarchi@profusion.mobi>
* | selinux: Fix regression for XorgStephen Smalley2011-03-291-1/+1
|/ | | | | | | | | | | Commit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the handling of userspace object classes that is causing breakage for Xorg when XSELinux is enabled. Fix the bug by changing map_class() to return SECCLASS_NULL when the class cannot be mapped to a kernel object class. Reported-by: "Justin P. Mattock" <justinmattock@gmail.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into nextJames Morris2011-03-086-33/+214
|\
| * SELinux: Socket retains creator role and MLS attributeHarry Ciao2011-03-033-7/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The socket SID would be computed on creation and no longer inherit its creator's SID by default. Socket may have a different type but needs to retain the creator's role and MLS attribute in order not to break labeled networking and network access control. The kernel value for a class would be used to determine if the class if one of socket classes. If security_compute_sid is called from userspace the policy value for a class would be mapped to the relevant kernel value first. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
| * SELinux: Use dentry name in new object labelingEric Paris2011-02-014-26/+185
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently SELinux has rules which label new objects according to 3 criteria. The label of the process creating the object, the label of the parent directory, and the type of object (reg, dir, char, block, etc.) This patch adds a 4th criteria, the dentry name, thus we can distinguish between creating a file in an etc_t directory called shadow and one called motd. There is no file globbing, regex parsing, or anything mystical. Either the policy exactly (strcmp) matches the dentry name of the object or it doesn't. This patch has no changes from today if policy does not implement the new rules. Signed-off-by: Eric Paris <eparis@redhat.com>
* | Merge branch 'master'; commit 'v2.6.38-rc7' into nextJames Morris2011-03-082-3/+3
|\ \ | |/ |/|
| * selinux: return -ENOMEM when memory allocation failsDavidlohr Bueso2011-01-242-3/+3
| | | | | | | | | | | | | | | | Return -ENOMEM when memory allocation fails in cond_init_bool_indexes, correctly propagating error code to caller. Signed-off-by: Davidlohr Bueso <dave@gnu.org> Signed-off-by: James Morris <jmorris@namei.org>
* | security:selinux: kill unused MAX_AVTAB_HASH_MASK and ebitmap_startbitShan Wei2011-01-242-2/+0
|/ | | | | | | Kill unused MAX_AVTAB_HASH_MASK and ebitmap_startbit. Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: cache sidtab_context_to_sid resultsEric Paris2010-12-072-2/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | sidtab_context_to_sid takes up a large share of time when creating large numbers of new inodes (~30-40% in oprofile runs). This patch implements a cache of 3 entries which is checked before we do a full context_to_sid lookup. On one system this showed over a x3 improvement in the number of inodes that could be created per second and around a 20% improvement on another system. Any time we look up the same context string sucessivly (imagine ls -lZ) we should hit this cache hot. A cache miss should have a relatively minor affect on performance next to doing the full table search. All operations on the cache are done COMPLETELY lockless. We know that all struct sidtab_node objects created will never be deleted until a new policy is loaded thus we never have to worry about a pointer being dereferenced. Since we also know that pointer assignment is atomic we know that the cache will always have valid pointers. Given this information we implement a FIFO cache in an array of 3 pointers. Every result (whether a cache hit or table lookup) will be places in the 0 spot of the cache and the rest of the entries moved down one spot. The 3rd entry will be lost. Races are possible and are even likely to happen. Lets assume that 4 tasks are hitting sidtab_context_to_sid. The first task checks against the first entry in the cache and it is a miss. Now lets assume a second task updates the cache with a new entry. This will push the first entry back to the second spot. Now the first task might check against the second entry (which it already checked) and will miss again. Now say some third task updates the cache and push the second entry to the third spot. The first task my check the third entry (for the third time!) and again have a miss. At which point it will just do a full table lookup. No big deal! Signed-off-by: Eric Paris <eparis@redhat.com>
* SELinux: merge policydb_index_classes and policydb_index_othersEric Paris2010-11-301-59/+10
| | | | | | | | We duplicate functionality in policydb_index_classes() and policydb_index_others(). This patch merges those functions just to make it clear there is nothing special happening here. Signed-off-by: Eric Paris <eparis@redhat.com>
* selinux: convert part of the sym_val_to_name array to use flex_arrayEric Paris2010-11-305-68/+127
| | | | | | | | | The sym_val_to_name type array can be quite large as it grows linearly with the number of types. With known policies having over 5k types these allocations are growing large enough that they are likely to fail. Convert those to flex_array so no allocation is larger than PAGE_SIZE Signed-off-by: Eric Paris <eparis@redhat.com>
* selinux: convert type_val_to_struct to flex_arrayEric Paris2010-11-303-13/+34
| | | | | | | | | In rawhide type_val_to_struct will allocate 26848 bytes, an order 3 allocations. While this hasn't been seen to fail it isn't outside the realm of possibiliy on systems with severe memory fragmentation. Convert to flex_array so no allocation will ever be bigger than PAGE_SIZE. Signed-off-by: Eric Paris <eparis@redhat.com>
* selinux: rework security_netlbl_secattr_to_sidEric Paris2010-11-301-21/+21
| | | | | | | security_netlbl_secattr_to_sid is difficult to follow, especially the return codes. Try to make the function obvious. Signed-off-by: Eric Paris <eparis@redhat.com>
* SELinux: standardize return code handling in selinuxfs.cEric Paris2010-11-301-171/+157
| | | | | | | | | | | | | | | | | | | selinuxfs.c has lots of different standards on how to handle return paths on error. For the most part transition to rc=errno if (failure) goto out; [...] out: cleanup() return rc; Instead of doing cleanup mid function, or having multiple returns or other options. This doesn't do that for every function, but most of the complex functions which have cleanup routines on error. Signed-off-by: Eric Paris <eparis@redhat.com>
* SELinux: standardize return code handling in policydb.cEric Paris2010-11-301-287/+268
| | | | | | | | | | | | | | | | | | | policydb.c has lots of different standards on how to handle return paths on error. For the most part transition to rc=errno if (failure) goto out; [...] out: cleanup() return rc; Instead of doing cleanup mid function, or having multiple returns or other options. This doesn't do that for every function, but most of the complex functions which have cleanup routines on error. Signed-off-by: Eric Paris <eparis@redhat.com>