From 2a7dba391e5628ad665ce84ef9a6648da541ebab Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 1 Feb 2011 11:05:39 -0500 Subject: fs/vfs/security: pass last path component to LSM on inode creation SELinux would like to implement a new labeling behavior of newly created inodes. We currently label new inodes based on the parent and the creating process. This new behavior would also take into account the name of the new object when deciding the new label. This is not the (supposed) full path, just the last component of the path. This is very useful because creating /etc/shadow is different than creating /etc/passwd but the kernel hooks are unable to differentiate these operations. We currently require that userspace realize it is doing some difficult operation like that and than userspace jumps through SELinux hoops to get things set up correctly. This patch does not implement new behavior, that is obviously contained in a seperate SELinux patch, but it does pass the needed name down to the correct LSM hook. If no such name exists it is fine to pass NULL. Signed-off-by: Eric Paris --- security/capability.c | 3 ++- security/security.c | 6 ++++-- security/selinux/hooks.c | 5 +++-- security/smack/smack_lsm.c | 5 ++++- 4 files changed, 13 insertions(+), 6 deletions(-) (limited to 'security') diff --git a/security/capability.c b/security/capability.c index 2a5df2b..383d14d 100644 --- a/security/capability.c +++ b/security/capability.c @@ -118,7 +118,8 @@ static void cap_inode_free_security(struct inode *inode) } static int cap_inode_init_security(struct inode *inode, struct inode *dir, - char **name, void **value, size_t *len) + const struct qstr *qstr, char **name, + void **value, size_t *len) { return -EOPNOTSUPP; } diff --git a/security/security.c b/security/security.c index b84a89d..4830f36 100644 --- a/security/security.c +++ b/security/security.c @@ -336,11 +336,13 @@ void security_inode_free(struct inode *inode) } int security_inode_init_security(struct inode *inode, struct inode *dir, - char **name, void **value, size_t *len) + const struct qstr *qstr, char **name, + void **value, size_t *len) { if (unlikely(IS_PRIVATE(inode))) return -EOPNOTSUPP; - return security_ops->inode_init_security(inode, dir, name, value, len); + return security_ops->inode_init_security(inode, dir, qstr, name, value, + len); } EXPORT_SYMBOL(security_inode_init_security); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e276eb4..099bbd0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -39,6 +39,7 @@ #include #include #include +#include #include #include #include @@ -2509,8 +2510,8 @@ static void selinux_inode_free_security(struct inode *inode) } static int selinux_inode_init_security(struct inode *inode, struct inode *dir, - char **name, void **value, - size_t *len) + const struct qstr *qstr, char **name, + void **value, size_t *len) { const struct task_security_struct *tsec = current_security(); struct inode_security_struct *dsec; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 123a499..0c91a90 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -33,6 +33,7 @@ #include #include #include +#include #include "smack.h" #define task_security(task) (task_cred_xxx((task), security)) @@ -501,6 +502,7 @@ static void smack_inode_free_security(struct inode *inode) * smack_inode_init_security - copy out the smack from an inode * @inode: the inode * @dir: unused + * @qstr: unused * @name: where to put the attribute name * @value: where to put the attribute value * @len: where to put the length of the attribute @@ -508,7 +510,8 @@ static void smack_inode_free_security(struct inode *inode) * Returns 0 if it all works out, -ENOMEM if there's no memory */ static int smack_inode_init_security(struct inode *inode, struct inode *dir, - char **name, void **value, size_t *len) + const struct qstr *qstr, char **name, + void **value, size_t *len) { char *isp = smk_of_inode(inode); char *dsp = smk_of_inode(dir); -- cgit v1.1 From 652bb9b0d6ce007f37c098947b2cc0c45efa3f66 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 1 Feb 2011 11:05:40 -0500 Subject: SELinux: Use dentry name in new object labeling Currently SELinux has rules which label new objects according to 3 criteria. The label of the process creating the object, the label of the parent directory, and the type of object (reg, dir, char, block, etc.) This patch adds a 4th criteria, the dentry name, thus we can distinguish between creating a file in an etc_t directory called shadow and one called motd. There is no file globbing, regex parsing, or anything mystical. Either the policy exactly (strcmp) matches the dentry name of the object or it doesn't. This patch has no changes from today if policy does not implement the new rules. Signed-off-by: Eric Paris --- security/selinux/hooks.c | 15 ++--- security/selinux/include/security.h | 8 ++- security/selinux/ss/avtab.h | 22 +++--- security/selinux/ss/policydb.c | 130 ++++++++++++++++++++++++++++++++++++ security/selinux/ss/policydb.h | 14 +++- security/selinux/ss/services.c | 45 +++++++++---- 6 files changed, 197 insertions(+), 37 deletions(-) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 099bbd0..6ae19fd 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1301,10 +1301,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent /* Try to obtain a transition SID. */ isec->sclass = inode_mode_to_security_class(inode->i_mode); - rc = security_transition_sid(isec->task_sid, - sbsec->sid, - isec->sclass, - &sid); + rc = security_transition_sid(isec->task_sid, sbsec->sid, + isec->sclass, NULL, &sid); if (rc) goto out_unlock; isec->sid = sid; @@ -1579,7 +1577,7 @@ static int may_create(struct inode *dir, return rc; if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { - rc = security_transition_sid(sid, dsec->sid, tclass, &newsid); + rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid); if (rc) return rc; } @@ -2061,7 +2059,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) } else { /* Check for a default transition on this program. */ rc = security_transition_sid(old_tsec->sid, isec->sid, - SECCLASS_PROCESS, &new_tsec->sid); + SECCLASS_PROCESS, NULL, + &new_tsec->sid); if (rc) return rc; } @@ -2532,7 +2531,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { rc = security_transition_sid(sid, dsec->sid, inode_mode_to_security_class(inode->i_mode), - &newsid); + qstr, &newsid); if (rc) { printk(KERN_WARNING "%s: " "security_transition_sid failed, rc=%d (dev=%s " @@ -4845,7 +4844,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, * message queue this message will be stored in */ rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, - &msec->sid); + NULL, &msec->sid); if (rc) return rc; } diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 671273e..348eb00 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -8,6 +8,7 @@ #ifndef _SELINUX_SECURITY_H_ #define _SELINUX_SECURITY_H_ +#include #include #include #include "flask.h" @@ -28,13 +29,14 @@ #define POLICYDB_VERSION_POLCAP 22 #define POLICYDB_VERSION_PERMISSIVE 23 #define POLICYDB_VERSION_BOUNDARY 24 +#define POLICYDB_VERSION_FILENAME_TRANS 25 /* Range of policy versions we understand*/ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE #else -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_FILENAME_TRANS #endif /* Mask for just the mount related flags */ @@ -106,8 +108,8 @@ void security_compute_av(u32 ssid, u32 tsid, void security_compute_av_user(u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd); -int security_transition_sid(u32 ssid, u32 tsid, - u16 tclass, u32 *out_sid); +int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, + const struct qstr *qstr, u32 *out_sid); int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid); diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h index 3417f9c..63ce2f9 100644 --- a/security/selinux/ss/avtab.h +++ b/security/selinux/ss/avtab.h @@ -14,7 +14,7 @@ * * Copyright (C) 2003 Tresys Technology, LLC * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by + * it under the terms of the GNU General Public License as published by * the Free Software Foundation, version 2. * * Updated: Yuichi Nakamura @@ -27,16 +27,16 @@ struct avtab_key { u16 source_type; /* source type */ u16 target_type; /* target type */ u16 target_class; /* target object class */ -#define AVTAB_ALLOWED 1 -#define AVTAB_AUDITALLOW 2 -#define AVTAB_AUDITDENY 4 -#define AVTAB_AV (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY) -#define AVTAB_TRANSITION 16 -#define AVTAB_MEMBER 32 -#define AVTAB_CHANGE 64 -#define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE) -#define AVTAB_ENABLED_OLD 0x80000000 /* reserved for used in cond_avtab */ -#define AVTAB_ENABLED 0x8000 /* reserved for used in cond_avtab */ +#define AVTAB_ALLOWED 0x0001 +#define AVTAB_AUDITALLOW 0x0002 +#define AVTAB_AUDITDENY 0x0004 +#define AVTAB_AV (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY) +#define AVTAB_TRANSITION 0x0010 +#define AVTAB_MEMBER 0x0020 +#define AVTAB_CHANGE 0x0040 +#define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE) +#define AVTAB_ENABLED_OLD 0x80000000 /* reserved for used in cond_avtab */ +#define AVTAB_ENABLED 0x8000 /* reserved for used in cond_avtab */ u16 specified; /* what field is specified */ }; diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index be9de38..159c818 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -123,6 +123,11 @@ static struct policydb_compat_info policydb_compat[] = { .sym_num = SYM_NUM, .ocon_num = OCON_NUM, }, + { + .version = POLICYDB_VERSION_FILENAME_TRANS, + .sym_num = SYM_NUM, + .ocon_num = OCON_NUM, + }, }; static struct policydb_compat_info *policydb_lookup_compat(int version) @@ -704,6 +709,7 @@ void policydb_destroy(struct policydb *p) int i; struct role_allow *ra, *lra = NULL; struct role_trans *tr, *ltr = NULL; + struct filename_trans *ft, *nft; for (i = 0; i < SYM_NUM; i++) { cond_resched(); @@ -781,6 +787,15 @@ void policydb_destroy(struct policydb *p) } flex_array_free(p->type_attr_map_array); } + + ft = p->filename_trans; + while (ft) { + nft = ft->next; + kfree(ft->name); + kfree(ft); + ft = nft; + } + ebitmap_destroy(&p->policycaps); ebitmap_destroy(&p->permissive_map); @@ -1788,6 +1803,76 @@ out: return rc; } +static int filename_trans_read(struct policydb *p, void *fp) +{ + struct filename_trans *ft, *last; + u32 nel, len; + char *name; + __le32 buf[4]; + int rc, i; + + if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS) + return 0; + + rc = next_entry(buf, fp, sizeof(u32)); + if (rc) + goto out; + nel = le32_to_cpu(buf[0]); + + printk(KERN_ERR "%s: nel=%d\n", __func__, nel); + + last = p->filename_trans; + while (last && last->next) + last = last->next; + + for (i = 0; i < nel; i++) { + rc = -ENOMEM; + ft = kzalloc(sizeof(*ft), GFP_KERNEL); + if (!ft) + goto out; + + /* add it to the tail of the list */ + if (!last) + p->filename_trans = ft; + else + last->next = ft; + last = ft; + + /* length of the path component string */ + rc = next_entry(buf, fp, sizeof(u32)); + if (rc) + goto out; + len = le32_to_cpu(buf[0]); + + rc = -ENOMEM; + name = kmalloc(len + 1, GFP_KERNEL); + if (!name) + goto out; + + ft->name = name; + + /* path component string */ + rc = next_entry(name, fp, len); + if (rc) + goto out; + name[len] = 0; + + printk(KERN_ERR "%s: ft=%p ft->name=%p ft->name=%s\n", __func__, ft, ft->name, ft->name); + + rc = next_entry(buf, fp, sizeof(u32) * 4); + if (rc) + goto out; + + ft->stype = le32_to_cpu(buf[0]); + ft->ttype = le32_to_cpu(buf[1]); + ft->tclass = le32_to_cpu(buf[2]); + ft->otype = le32_to_cpu(buf[3]); + } + rc = 0; +out: + return rc; +} + static int genfs_read(struct policydb *p, void *fp) { int i, j, rc; @@ -2251,6 +2336,10 @@ int policydb_read(struct policydb *p, void *fp) lra = ra; } + rc = filename_trans_read(p, fp); + if (rc) + goto bad; + rc = policydb_index(p); if (rc) goto bad; @@ -3025,6 +3114,43 @@ static int range_write(struct policydb *p, void *fp) return 0; } +static int filename_trans_write(struct policydb *p, void *fp) +{ + struct filename_trans *ft; + u32 len, nel = 0; + __le32 buf[4]; + int rc; + + for (ft = p->filename_trans; ft; ft = ft->next) + nel++; + + buf[0] = cpu_to_le32(nel); + rc = put_entry(buf, sizeof(u32), 1, fp); + if (rc) + return rc; + + for (ft = p->filename_trans; ft; ft = ft->next) { + len = strlen(ft->name); + buf[0] = cpu_to_le32(len); + rc = put_entry(buf, sizeof(u32), 1, fp); + if (rc) + return rc; + + rc = put_entry(ft->name, sizeof(char), len, fp); + if (rc) + return rc; + + buf[0] = ft->stype; + buf[1] = ft->ttype; + buf[2] = ft->tclass; + buf[3] = ft->otype; + + rc = put_entry(buf, sizeof(u32), 4, fp); + if (rc) + return rc; + } + return 0; +} /* * Write the configuration data in a policy database * structure to a policy database binary representation @@ -3135,6 +3261,10 @@ int policydb_write(struct policydb *p, void *fp) if (rc) return rc; + rc = filename_trans_write(p, fp); + if (rc) + return rc; + rc = ocontext_write(p, info, fp); if (rc) return rc; diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 4e3ab9d..732ea4a 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h @@ -77,6 +77,15 @@ struct role_trans { struct role_trans *next; }; +struct filename_trans { + struct filename_trans *next; + u32 stype; /* current process */ + u32 ttype; /* parent dir context */ + u16 tclass; /* class of new object */ + const char *name; /* last path component */ + u32 otype; /* expected of new object */ +}; + struct role_allow { u32 role; /* current role */ u32 new_role; /* new role */ @@ -217,6 +226,9 @@ struct policydb { /* role transitions */ struct role_trans *role_tr; + /* file transitions with the last path component */ + struct filename_trans *filename_trans; + /* bools indexed by (value - 1) */ struct cond_bool_datum **bool_val_to_struct; /* type enforcement conditional access vectors and transitions */ @@ -302,7 +314,7 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes) return 0; } -static inline int put_entry(void *buf, size_t bytes, int num, struct policy_file *fp) +static inline int put_entry(const void *buf, size_t bytes, int num, struct policy_file *fp) { size_t len = bytes * num; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a03cfaf..2e36e03 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1343,10 +1343,27 @@ out: return -EACCES; } +static void filename_compute_type(struct policydb *p, struct context *newcontext, + u32 scon, u32 tcon, u16 tclass, + const struct qstr *qstr) +{ + struct filename_trans *ft; + for (ft = p->filename_trans; ft; ft = ft->next) { + if (ft->stype == scon && + ft->ttype == tcon && + ft->tclass == tclass && + !strcmp(ft->name, qstr->name)) { + newcontext->type = ft->otype; + return; + } + } +} + static int security_compute_sid(u32 ssid, u32 tsid, u16 orig_tclass, u32 specified, + const struct qstr *qstr, u32 *out_sid, bool kern) { @@ -1442,6 +1459,11 @@ static int security_compute_sid(u32 ssid, newcontext.type = avdatum->data; } + /* if we have a qstr this is a file trans check so check those rules */ + if (qstr) + filename_compute_type(&policydb, &newcontext, scontext->type, + tcontext->type, tclass, qstr); + /* Check for class-specific changes. */ if (tclass == policydb.process_class) { if (specified & AVTAB_TRANSITION) { @@ -1495,22 +1517,17 @@ out: * if insufficient memory is available, or %0 if the new SID was * computed successfully. */ -int security_transition_sid(u32 ssid, - u32 tsid, - u16 tclass, - u32 *out_sid) +int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, + const struct qstr *qstr, u32 *out_sid) { return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, - out_sid, true); + qstr, out_sid, true); } -int security_transition_sid_user(u32 ssid, - u32 tsid, - u16 tclass, - u32 *out_sid) +int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid) { return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, - out_sid, false); + NULL, out_sid, false); } /** @@ -1531,8 +1548,8 @@ int security_member_sid(u32 ssid, u16 tclass, u32 *out_sid) { - return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid, - false); + return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL, + out_sid, false); } /** @@ -1553,8 +1570,8 @@ int security_change_sid(u32 ssid, u16 tclass, u32 *out_sid) { - return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid, - false); + return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL, + out_sid, false); } /* Clone the SID into the new SID table. */ -- cgit v1.1 From 8e6c96935fcc1ed3dbebc96fddfef3f2f2395afc Mon Sep 17 00:00:00 2001 From: Lucian Adrian Grijincu Date: Tue, 1 Feb 2011 18:42:22 +0200 Subject: security/selinux: fix /proc/sys/ labeling This fixes an old (2007) selinux regression: filesystem labeling for /proc/sys returned -r--r--r-- unknown /proc/sys/fs/file-nr instead of -r--r--r-- system_u:object_r:sysctl_fs_t:s0 /proc/sys/fs/file-nr Events that lead to breaking of /proc/sys/ selinux labeling: 1) sysctl was reimplemented to route all calls through /proc/sys/ commit 77b14db502cb85a031fe8fde6c85d52f3e0acb63 [PATCH] sysctl: reimplement the sysctl proc support 2) proc_dir_entry was removed from ctl_table: commit 3fbfa98112fc3962c416452a0baf2214381030e6 [PATCH] sysctl: remove the proc_dir_entry member for the sysctl tables 3) selinux still walked the proc_dir_entry tree to apply labeling. Because ctl_tables don't have a proc_dir_entry, we did not label /proc/sys/ inodes any more. To achieve this the /proc/sys/ inodes were marked private and private inodes were ignored by selinux. commit bbaca6c2e7ef0f663bc31be4dad7cf530f6c4962 [PATCH] selinux: enhance selinux to always ignore private inodes commit 86a71dbd3e81e8870d0f0e56b87875f57e58222b [PATCH] sysctl: hide the sysctl proc inodes from selinux Access control checks have been done by means of a special sysctl hook that was called for read/write accesses to any /proc/sys/ entry. We don't have to do this because, instead of walking the proc_dir_entry tree we can walk the dentry tree (as done in this patch). With this patch: * we don't mark /proc/sys/ inodes as private * we don't need the sysclt security hook * we walk the dentry tree to find the path to the inode. We have to strip the PID in /proc/PID/ entries that have a proc_dir_entry because selinux does not know how to label paths like '/1/net/rpc/nfsd.fh' (and defaults to 'proc_t' labeling). Selinux does know of '/net/rpc/nfsd.fh' (and applies the 'sysctl_rpc_t' label). PID stripping from the path was done implicitly in the previous code because the proc_dir_entry tree had the root in '/net' in the example from above. The dentry tree has the root in '/1'. Signed-off-by: Eric W. Biederman Signed-off-by: Lucian Adrian Grijincu Signed-off-by: Eric Paris --- security/selinux/hooks.c | 120 +++++++---------------------------------------- 1 file changed, 18 insertions(+), 102 deletions(-) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 6ae19fd..c8b359f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -44,7 +44,6 @@ #include #include #include -#include #include #include #include @@ -71,7 +70,6 @@ #include #include #include -#include #include #include #include @@ -1121,39 +1119,35 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc } #ifdef CONFIG_PROC_FS -static int selinux_proc_get_sid(struct proc_dir_entry *de, +static int selinux_proc_get_sid(struct dentry *dentry, u16 tclass, u32 *sid) { - int buflen, rc; - char *buffer, *path, *end; + int rc; + char *buffer, *path; buffer = (char *)__get_free_page(GFP_KERNEL); if (!buffer) return -ENOMEM; - buflen = PAGE_SIZE; - end = buffer+buflen; - *--end = '\0'; - buflen--; - path = end-1; - *path = '/'; - while (de && de != de->parent) { - buflen -= de->namelen + 1; - if (buflen < 0) - break; - end -= de->namelen; - memcpy(end, de->name, de->namelen); - *--end = '/'; - path = end; - de = de->parent; + path = dentry_path_raw(dentry, buffer, PAGE_SIZE); + if (IS_ERR(path)) + rc = PTR_ERR(path); + else { + /* each process gets a /proc/PID/ entry. Strip off the + * PID part to get a valid selinux labeling. + * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ + while (path[1] >= '0' && path[1] <= '9') { + path[1] = '/'; + path++; + } + rc = security_genfs_sid("proc", path, tclass, sid); } - rc = security_genfs_sid("proc", path, tclass, sid); free_page((unsigned long)buffer); return rc; } #else -static int selinux_proc_get_sid(struct proc_dir_entry *de, +static int selinux_proc_get_sid(struct dentry *dentry, u16 tclass, u32 *sid) { @@ -1315,10 +1309,9 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent isec->sid = sbsec->sid; if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { - struct proc_inode *proci = PROC_I(inode); - if (proci->pde) { + if (opt_dentry) { isec->sclass = inode_mode_to_security_class(inode->i_mode); - rc = selinux_proc_get_sid(proci->pde, + rc = selinux_proc_get_sid(opt_dentry, isec->sclass, &sid); if (rc) @@ -1861,82 +1854,6 @@ static int selinux_capable(struct task_struct *tsk, const struct cred *cred, return task_has_capability(tsk, cred, cap, audit); } -static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) -{ - int buflen, rc; - char *buffer, *path, *end; - - rc = -ENOMEM; - buffer = (char *)__get_free_page(GFP_KERNEL); - if (!buffer) - goto out; - - buflen = PAGE_SIZE; - end = buffer+buflen; - *--end = '\0'; - buflen--; - path = end-1; - *path = '/'; - while (table) { - const char *name = table->procname; - size_t namelen = strlen(name); - buflen -= namelen + 1; - if (buflen < 0) - goto out_free; - end -= namelen; - memcpy(end, name, namelen); - *--end = '/'; - path = end; - table = table->parent; - } - buflen -= 4; - if (buflen < 0) - goto out_free; - end -= 4; - memcpy(end, "/sys", 4); - path = end; - rc = security_genfs_sid("proc", path, tclass, sid); -out_free: - free_page((unsigned long)buffer); -out: - return rc; -} - -static int selinux_sysctl(ctl_table *table, int op) -{ - int error = 0; - u32 av; - u32 tsid, sid; - int rc; - - sid = current_sid(); - - rc = selinux_sysctl_get_sid(table, (op == 0001) ? - SECCLASS_DIR : SECCLASS_FILE, &tsid); - if (rc) { - /* Default to the well-defined sysctl SID. */ - tsid = SECINITSID_SYSCTL; - } - - /* The op values are "defined" in sysctl.c, thereby creating - * a bad coupling between this module and sysctl.c */ - if (op == 001) { - error = avc_has_perm(sid, tsid, - SECCLASS_DIR, DIR__SEARCH, NULL); - } else { - av = 0; - if (op & 004) - av |= FILE__READ; - if (op & 002) - av |= FILE__WRITE; - if (av) - error = avc_has_perm(sid, tsid, - SECCLASS_FILE, av, NULL); - } - - return error; -} - static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) { const struct cred *cred = current_cred(); @@ -5398,7 +5315,6 @@ static struct security_operations selinux_ops = { .ptrace_traceme = selinux_ptrace_traceme, .capget = selinux_capget, .capset = selinux_capset, - .sysctl = selinux_sysctl, .capable = selinux_capable, .quotactl = selinux_quotactl, .quota_on = selinux_quota_on, -- cgit v1.1 From 4916ca401e3051dad326ddd69765bd0e3f32fb9b Mon Sep 17 00:00:00 2001 From: Lucian Adrian Grijincu Date: Tue, 1 Feb 2011 18:44:56 +0200 Subject: security: remove unused security_sysctl hook The only user for this hook was selinux. sysctl routes every call through /proc/sys/. Selinux and other security modules use the file system checks for sysctl too, so no need for this hook any more. Signed-off-by: Lucian Adrian Grijincu Signed-off-by: Eric Paris --- security/capability.c | 6 ------ security/security.c | 5 ----- 2 files changed, 11 deletions(-) (limited to 'security') diff --git a/security/capability.c b/security/capability.c index 383d14d..85b67c8 100644 --- a/security/capability.c +++ b/security/capability.c @@ -12,11 +12,6 @@ #include -static int cap_sysctl(ctl_table *table, int op) -{ - return 0; -} - static int cap_syslog(int type) { return 0; @@ -881,7 +876,6 @@ void __init security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, capable); set_to_cap_if_null(ops, quotactl); set_to_cap_if_null(ops, quota_on); - set_to_cap_if_null(ops, sysctl); set_to_cap_if_null(ops, syslog); set_to_cap_if_null(ops, settime); set_to_cap_if_null(ops, vm_enough_memory); diff --git a/security/security.c b/security/security.c index 4830f36..8f28685 100644 --- a/security/security.c +++ b/security/security.c @@ -182,11 +182,6 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap) return ret; } -int security_sysctl(struct ctl_table *table, int op) -{ - return security_ops->sysctl(table, op); -} - int security_quotactl(int cmds, int type, int id, struct super_block *sb) { return security_ops->quotactl(cmds, type, id, sb); -- cgit v1.1 From 8f82a6880d8d03961181d973388e1df2772a8b24 Mon Sep 17 00:00:00 2001 From: Steffen Klassert Date: Wed, 23 Feb 2011 12:54:33 +0100 Subject: selinux: Fix check for xfrm selinux context algorithm selinux_xfrm_sec_ctx_alloc accidentally checks the xfrm domain of interpretation against the selinux context algorithm. This patch fixes this by checking ctx_alg against the selinux context algorithm. Signed-off-by: Steffen Klassert Acked-by: Paul Moore Signed-off-by: Eric Paris --- security/selinux/xfrm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security') diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index fff78d3..728c57e 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -208,7 +208,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, if (!uctx) goto not_from_user; - if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX) + if (uctx->ctx_alg != XFRM_SC_ALG_SELINUX) return -EINVAL; str_len = uctx->ctx_len; -- cgit v1.1 From b9679a76187694138099e09d7f5091b73086e6d7 Mon Sep 17 00:00:00 2001 From: Steffen Klassert Date: Wed, 23 Feb 2011 12:55:21 +0100 Subject: selinux: Fix wrong checks for selinux_policycap_netpeer selinux_sock_rcv_skb_compat and selinux_ip_postroute_compat are just called if selinux_policycap_netpeer is not set. However in these functions we check if selinux_policycap_netpeer is set. This leads to some dead code and to the fact that selinux_xfrm_postroute_last is never executed. This patch removes the dead code and the checks for selinux_policycap_netpeer in the compatibility functions. Signed-off-by: Steffen Klassert Acked-by: Paul Moore Signed-off-by: Eric Paris --- security/selinux/hooks.c | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c8b359f..b4e1ca0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3915,7 +3915,6 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, { int err = 0; struct sk_security_struct *sksec = sk->sk_security; - u32 peer_sid; u32 sk_sid = sksec->sid; struct common_audit_data ad; char *addrp; @@ -3934,20 +3933,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, return err; } - if (selinux_policycap_netpeer) { - err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); - if (err) - return err; - err = avc_has_perm(sk_sid, peer_sid, - SECCLASS_PEER, PEER__RECV, &ad); - if (err) - selinux_netlbl_err(skb, err, 0); - } else { - err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); - if (err) - return err; - err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); - } + err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); + if (err) + return err; + err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); return err; } @@ -4442,9 +4431,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, SECCLASS_PACKET, PACKET__SEND, &ad)) return NF_DROP_ERR(-ECONNREFUSED); - if (selinux_policycap_netpeer) - if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) - return NF_DROP_ERR(-ECONNREFUSED); + if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) + return NF_DROP_ERR(-ECONNREFUSED); return NF_ACCEPT; } -- cgit v1.1 From 4a7ab3dcad0b66a486c468ccf0d6197c5dbe3326 Mon Sep 17 00:00:00 2001 From: Steffen Klassert Date: Wed, 23 Feb 2011 12:56:23 +0100 Subject: selinux: Fix packet forwarding checks on postrouting The IPSKB_FORWARDED and IP6SKB_FORWARDED flags are used only in the multicast forwarding case to indicate that a packet looped back after forward. So these flags are not a good indicator for packet forwarding. A better indicator is the incoming interface. If we have no socket context, but an incoming interface and we see the packet in the ip postroute hook, the packet is going to be forwarded. With this patch we use the incoming interface as an indicator on packet forwarding. Signed-off-by: Steffen Klassert Acked-by: Paul Moore Signed-off-by: Eric Paris --- security/selinux/hooks.c | 23 +++++------------------ 1 file changed, 5 insertions(+), 18 deletions(-) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b4e1ca0..8ffed9f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4475,27 +4475,14 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, * from the sending socket, otherwise use the kernel's sid */ sk = skb->sk; if (sk == NULL) { - switch (family) { - case PF_INET: - if (IPCB(skb)->flags & IPSKB_FORWARDED) - secmark_perm = PACKET__FORWARD_OUT; - else - secmark_perm = PACKET__SEND; - break; - case PF_INET6: - if (IP6CB(skb)->flags & IP6SKB_FORWARDED) - secmark_perm = PACKET__FORWARD_OUT; - else - secmark_perm = PACKET__SEND; - break; - default: - return NF_DROP_ERR(-ECONNREFUSED); - } - if (secmark_perm == PACKET__FORWARD_OUT) { + if (skb->skb_iif) { + secmark_perm = PACKET__FORWARD_OUT; if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) return NF_DROP; - } else + } else { + secmark_perm = PACKET__SEND; peer_sid = SECINITSID_KERNEL; + } } else { struct sk_security_struct *sksec = sk->sk_security; peer_sid = sksec->sid; -- cgit v1.1 From 47ac19ea429aee561f66e9cd05b908e8ffbc498a Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 25 Feb 2011 15:39:20 -0500 Subject: selinux: drop unused packet flow permissions These permissions are not used and can be dropped in the kernel definitions. Suggested-by: Stephen Smalley Signed-off-by: Eric Paris Acked-by: Stephen Smalley --- security/selinux/include/classmap.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'security') diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 7ed3663..4227e5f 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -132,8 +132,7 @@ struct security_class_mapping secclass_map[] = { { "appletalk_socket", { COMMON_SOCK_PERMS, NULL } }, { "packet", - { "send", "recv", "relabelto", "flow_in", "flow_out", - "forward_in", "forward_out", NULL } }, + { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } }, { "key", { "view", "read", "write", "search", "link", "setattr", "create", NULL } }, -- cgit v1.1 From 0b24dcb7f2f7a0ce9b762eef0362c21c88f47b32 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 25 Feb 2011 15:39:20 -0500 Subject: Revert "selinux: simplify ioctl checking" This reverts commit 242631c49d4cf39642741d6627750151b058233b. Conflicts: security/selinux/hooks.c SELinux used to recognize certain individual ioctls and check permissions based on the knowledge of the individual ioctl. In commit 242631c49d4cf396 the SELinux code stopped trying to understand individual ioctls and to instead looked at the ioctl access bits to determine in we should check read or write for that operation. This same suggestion was made to SMACK (and I believe copied into TOMOYO). But this suggestion is total rubbish. The ioctl access bits are actually the access requirements for the structure being passed into the ioctl, and are completely unrelated to the operation of the ioctl or the object the ioctl is being performed upon. Take FS_IOC_FIEMAP as an example. FS_IOC_FIEMAP is defined as: FS_IOC_FIEMAP _IOWR('f', 11, struct fiemap) So it has access bits R and W. What this really means is that the kernel is going to both read and write to the struct fiemap. It has nothing at all to do with the operations that this ioctl might perform on the file itself! Signed-off-by: Eric Paris Acked-by: Stephen Smalley --- security/selinux/hooks.c | 50 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 42 insertions(+), 8 deletions(-) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8ffed9f..8294dbf 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -24,9 +24,11 @@ */ #include +#include #include #include #include +#include #include #include #include @@ -36,6 +38,7 @@ #include #include #include +#include #include #include #include @@ -2849,16 +2852,47 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { const struct cred *cred = current_cred(); - u32 av = 0; + int error = 0; - if (_IOC_DIR(cmd) & _IOC_WRITE) - av |= FILE__WRITE; - if (_IOC_DIR(cmd) & _IOC_READ) - av |= FILE__READ; - if (!av) - av = FILE__IOCTL; + switch (cmd) { + case FIONREAD: + /* fall through */ + case FIBMAP: + /* fall through */ + case FIGETBSZ: + /* fall through */ + case EXT2_IOC_GETFLAGS: + /* fall through */ + case EXT2_IOC_GETVERSION: + error = file_has_perm(cred, file, FILE__GETATTR); + break; + + case EXT2_IOC_SETFLAGS: + /* fall through */ + case EXT2_IOC_SETVERSION: + error = file_has_perm(cred, file, FILE__SETATTR); + break; - return file_has_perm(cred, file, av); + /* sys_ioctl() checks */ + case FIONBIO: + /* fall through */ + case FIOASYNC: + error = file_has_perm(cred, file, 0); + break; + + case KDSKBENT: + case KDSKBSENT: + error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG, + SECURITY_CAP_AUDIT); + break; + + /* default case assumes that the command will go + * to the file's ioctl() function. + */ + default: + error = file_has_perm(cred, file, FILE__IOCTL); + } + return error; } static int default_noexec; -- cgit v1.1 From 4bc6c2d5d8386800fde23a8e78cd4f04a0ade0ad Mon Sep 17 00:00:00 2001 From: Harry Ciao Date: Wed, 2 Mar 2011 13:46:08 +0800 Subject: SELinux: Auto-generate security_is_socket_class The security_is_socket_class() is auto-generated by genheaders based on classmap.h to reduce maintenance effort when a new class is defined in SELinux kernel. The name for any socket class should be suffixed by "socket" and doesn't contain more than one substr of "socket". Signed-off-by: Harry Ciao Signed-off-by: Eric Paris Acked-by: Stephen Smalley --- security/selinux/include/classmap.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'security') diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 4227e5f..b8c5372 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -12,6 +12,10 @@ #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ "write", "associate", "unix_read", "unix_write" +/* + * Note: The name for any socket class should be suffixed by "socket", + * and doesn't contain more than one substr of "socket". + */ struct security_class_mapping secclass_map[] = { { "security", { "compute_av", "compute_create", "compute_member", -- cgit v1.1 From 6f5317e730505d5cbc851c435a2dfe3d5a21d343 Mon Sep 17 00:00:00 2001 From: Harry Ciao Date: Wed, 2 Mar 2011 13:32:33 +0800 Subject: SELinux: Socket retains creator role and MLS attribute The socket SID would be computed on creation and no longer inherit its creator's SID by default. Socket may have a different type but needs to retain the creator's role and MLS attribute in order not to break labeled networking and network access control. The kernel value for a class would be used to determine if the class if one of socket classes. If security_compute_sid is called from userspace the policy value for a class would be mapped to the relevant kernel value first. Signed-off-by: Harry Ciao Signed-off-by: Eric Paris Acked-by: Stephen Smalley --- security/selinux/ss/mls.c | 5 +++-- security/selinux/ss/mls.h | 3 ++- security/selinux/ss/services.c | 28 ++++++++++++++++++++++++---- 3 files changed, 29 insertions(+), 7 deletions(-) (limited to 'security') diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 1ef8e4e..e961742 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c @@ -512,7 +512,8 @@ int mls_compute_sid(struct context *scontext, struct context *tcontext, u16 tclass, u32 specified, - struct context *newcontext) + struct context *newcontext, + bool sock) { struct range_trans rtr; struct mls_range *r; @@ -531,7 +532,7 @@ int mls_compute_sid(struct context *scontext, return mls_range_set(newcontext, r); /* Fallthrough */ case AVTAB_CHANGE: - if (tclass == policydb.process_class) + if ((tclass == policydb.process_class) || (sock == true)) /* Use the process MLS attributes. */ return mls_context_cpy(newcontext, scontext); else diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h index cd91526..037bf9d 100644 --- a/security/selinux/ss/mls.h +++ b/security/selinux/ss/mls.h @@ -49,7 +49,8 @@ int mls_compute_sid(struct context *scontext, struct context *tcontext, u16 tclass, u32 specified, - struct context *newcontext); + struct context *newcontext, + bool sock); int mls_setup_user_range(struct context *fromcon, struct user_datum *user, struct context *usercon); diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 2e36e03..3e7544d 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -201,6 +201,21 @@ static u16 unmap_class(u16 tclass) return tclass; } +/* + * Get kernel value for class from its policy value + */ +static u16 map_class(u16 pol_value) +{ + u16 i; + + for (i = 1; i < current_mapping_size; i++) { + if (current_mapping[i].value == pol_value) + return i; + } + + return pol_value; +} + static void map_decision(u16 tclass, struct av_decision *avd, int allow_unknown) { @@ -1374,6 +1389,7 @@ static int security_compute_sid(u32 ssid, struct avtab_node *node; u16 tclass; int rc = 0; + bool sock; if (!ss_initialized) { switch (orig_tclass) { @@ -1391,10 +1407,13 @@ static int security_compute_sid(u32 ssid, read_lock(&policy_rwlock); - if (kern) + if (kern) { tclass = unmap_class(orig_tclass); - else + sock = security_is_socket_class(orig_tclass); + } else { tclass = orig_tclass; + sock = security_is_socket_class(map_class(tclass)); + } scontext = sidtab_search(&sidtab, ssid); if (!scontext) { @@ -1425,7 +1444,7 @@ static int security_compute_sid(u32 ssid, } /* Set the role and type to default values. */ - if (tclass == policydb.process_class) { + if ((tclass == policydb.process_class) || (sock == true)) { /* Use the current role and type of process. */ newcontext.role = scontext->role; newcontext.type = scontext->type; @@ -1482,7 +1501,8 @@ static int security_compute_sid(u32 ssid, /* Set the MLS attributes. This is done last because it may allocate memory. */ - rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext); + rc = mls_compute_sid(scontext, tcontext, tclass, specified, + &newcontext, sock); if (rc) goto out_unlock; -- cgit v1.1 From 2ad18bdf3b8f84c85c7da7e4de365f7c5701fb3f Mon Sep 17 00:00:00 2001 From: Harry Ciao Date: Wed, 2 Mar 2011 13:32:34 +0800 Subject: SELinux: Compute SID for the newly created socket The security context for the newly created socket shares the same user, role and MLS attribute as its creator but may have a different type, which could be specified by a type_transition rule in the relevant policy package. Signed-off-by: Harry Ciao [fix call to security_transition_sid to include qstr, Eric Paris] Signed-off-by: Eric Paris Acked-by: Stephen Smalley --- security/selinux/hooks.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8294dbf..3decf07 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3591,9 +3591,16 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) /* socket security operations */ -static u32 socket_sockcreate_sid(const struct task_security_struct *tsec) +static int socket_sockcreate_sid(const struct task_security_struct *tsec, + u16 secclass, u32 *socksid) { - return tsec->sockcreate_sid ? : tsec->sid; + if (tsec->sockcreate_sid > SECSID_NULL) { + *socksid = tsec->sockcreate_sid; + return 0; + } + + return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, + socksid); } static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) @@ -3617,12 +3624,16 @@ static int selinux_socket_create(int family, int type, const struct task_security_struct *tsec = current_security(); u32 newsid; u16 secclass; + int rc; if (kern) return 0; - newsid = socket_sockcreate_sid(tsec); secclass = socket_type_to_security_class(family, type, protocol); + rc = socket_sockcreate_sid(tsec, secclass, &newsid); + if (rc) + return rc; + return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); } @@ -3634,12 +3645,16 @@ static int selinux_socket_post_create(struct socket *sock, int family, struct sk_security_struct *sksec; int err = 0; + isec->sclass = socket_type_to_security_class(family, type, protocol); + if (kern) isec->sid = SECINITSID_KERNEL; - else - isec->sid = socket_sockcreate_sid(tsec); + else { + err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); + if (err) + return err; + } - isec->sclass = socket_type_to_security_class(family, type, protocol); isec->initialized = 1; if (sock->sk) { -- cgit v1.1 From ff36fe2c845cab2102e4826c1ffa0a6ebf487c65 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 3 Mar 2011 16:09:14 -0500 Subject: LSM: Pass -o remount options to the LSM The VFS mount code passes the mount options to the LSM. The LSM will remove options it understands from the data and the VFS will then pass the remaining options onto the underlying filesystem. This is how options like the SELinux context= work. The problem comes in that -o remount never calls into LSM code. So if you include an LSM specific option it will get passed to the filesystem and will cause the remount to fail. An example of where this is a problem is the 'seclabel' option. The SELinux LSM hook will print this word in /proc/mounts if the filesystem is being labeled using xattrs. If you pass this word on mount it will be silently stripped and ignored. But if you pass this word on remount the LSM never gets called and it will be passed to the FS. The FS doesn't know what seclabel means and thus should fail the mount. For example an ext3 fs mounted over loop # mount -o loop /tmp/fs /mnt/tmp # cat /proc/mounts | grep /mnt/tmp /dev/loop0 /mnt/tmp ext3 rw,seclabel,relatime,errors=continue,barrier=0,data=ordered 0 0 # mount -o remount /mnt/tmp mount: /mnt/tmp not mounted already, or bad option # dmesg EXT3-fs (loop0): error: unrecognized mount option "seclabel" or missing value This patch passes the remount mount options to an new LSM hook. Signed-off-by: Eric Paris Reviewed-by: James Morris --- security/capability.c | 6 ++++++ security/security.c | 5 +++++ 2 files changed, 11 insertions(+) (limited to 'security') diff --git a/security/capability.c b/security/capability.c index 85b67c8..ab3d807 100644 --- a/security/capability.c +++ b/security/capability.c @@ -54,6 +54,11 @@ static int cap_sb_copy_data(char *orig, char *copy) return 0; } +static int cap_sb_remount(struct super_block *sb, void *data) +{ + return 0; +} + static int cap_sb_kern_mount(struct super_block *sb, int flags, void *data) { return 0; @@ -887,6 +892,7 @@ void __init security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, sb_alloc_security); set_to_cap_if_null(ops, sb_free_security); set_to_cap_if_null(ops, sb_copy_data); + set_to_cap_if_null(ops, sb_remount); set_to_cap_if_null(ops, sb_kern_mount); set_to_cap_if_null(ops, sb_show_options); set_to_cap_if_null(ops, sb_statfs); diff --git a/security/security.c b/security/security.c index 8f28685..b1d6134 100644 --- a/security/security.c +++ b/security/security.c @@ -267,6 +267,11 @@ int security_sb_copy_data(char *orig, char *copy) } EXPORT_SYMBOL(security_sb_copy_data); +int security_sb_remount(struct super_block *sb, void *data) +{ + return security_ops->sb_remount(sb, data); +} + int security_sb_kern_mount(struct super_block *sb, int flags, void *data) { return security_ops->sb_kern_mount(sb, flags, data); -- cgit v1.1 From 026eb167ae77244458fa4b4b9fc171209c079ba7 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 3 Mar 2011 16:09:14 -0500 Subject: SELinux: implement the new sb_remount LSM hook For SELinux we do not allow security information to change during a remount operation. Thus this hook simply strips the security module options from the data and verifies that those are the same options as exist on the current superblock. Signed-off-by: Eric Paris Reviewed-by: James Morris --- security/selinux/hooks.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3decf07..f2f3cf2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2363,6 +2363,91 @@ out: return rc; } +static int selinux_sb_remount(struct super_block *sb, void *data) +{ + int rc, i, *flags; + struct security_mnt_opts opts; + char *secdata, **mount_options; + struct superblock_security_struct *sbsec = sb->s_security; + + if (!(sbsec->flags & SE_SBINITIALIZED)) + return 0; + + if (!data) + return 0; + + if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) + return 0; + + security_init_mnt_opts(&opts); + secdata = alloc_secdata(); + if (!secdata) + return -ENOMEM; + rc = selinux_sb_copy_data(data, secdata); + if (rc) + goto out_free_secdata; + + rc = selinux_parse_opts_str(secdata, &opts); + if (rc) + goto out_free_secdata; + + mount_options = opts.mnt_opts; + flags = opts.mnt_opts_flags; + + for (i = 0; i < opts.num_mnt_opts; i++) { + u32 sid; + size_t len; + + if (flags[i] == SE_SBLABELSUPP) + continue; + len = strlen(mount_options[i]); + rc = security_context_to_sid(mount_options[i], len, &sid); + if (rc) { + printk(KERN_WARNING "SELinux: security_context_to_sid" + "(%s) failed for (dev %s, type %s) errno=%d\n", + mount_options[i], sb->s_id, sb->s_type->name, rc); + goto out_free_opts; + } + rc = -EINVAL; + switch (flags[i]) { + case FSCONTEXT_MNT: + if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) + goto out_bad_option; + break; + case CONTEXT_MNT: + if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) + goto out_bad_option; + break; + case ROOTCONTEXT_MNT: { + struct inode_security_struct *root_isec; + root_isec = sb->s_root->d_inode->i_security; + + if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) + goto out_bad_option; + break; + } + case DEFCONTEXT_MNT: + if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) + goto out_bad_option; + break; + default: + goto out_free_opts; + } + } + + rc = 0; +out_free_opts: + security_free_mnt_opts(&opts); +out_free_secdata: + free_secdata(secdata); + return rc; +out_bad_option: + printk(KERN_WARNING "SELinux: unable to change security options " + "during remount (dev %s, type=%s)\n", sb->s_id, + sb->s_type->name); + goto out_free_opts; +} + static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) { const struct cred *cred = current_cred(); @@ -5356,6 +5441,7 @@ static struct security_operations selinux_ops = { .sb_alloc_security = selinux_sb_alloc_security, .sb_free_security = selinux_sb_free_security, .sb_copy_data = selinux_sb_copy_data, + .sb_remount = selinux_sb_remount, .sb_kern_mount = selinux_sb_kern_mount, .sb_show_options = selinux_sb_show_options, .sb_statfs = selinux_sb_statfs, -- cgit v1.1