Convert the strings used for mount options into #defines rather than
retyping the string throughout the SELinux code.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Every file should include the headers containing the externs for its global
code.
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
Introduce the concept of a permissive type. A new ebitmap is introduced to
the policy database which indicates if a given type has the permissive bit
set or not. This bit is tested for the scontext of any denial. The bit is
meaningless on types which only appear as the target of a decision and never
the source. A domain running with a permissive type will be allowed to
perform any action similarly to when the system is globally set permissive.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
This changes checks related to ptrace to get rid of the ptrace_sid tracking.
It's good to disentangle the security model from the ptrace implementation
internals. It's sufficient to check against the SID of the ptracer at the
time a tracee attempts a transition.
Signed-off-by: Roland McGrath <roland@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
This patch turns the case where we have a call into avc_has_perm with no
requested permissions into a BUG_ON. All callers to this should be in
the kernel and thus should be a function we need to fix if we ever hit
this. The /selinux/access permission checking it done directly in the
security server and not through the avc, so those requests which we
cannot control from userspace should not be able to trigger this BUG_ON.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
ERROR: "(foo*)" should be "(foo *)"
#168: FILE: security/selinux/hooks.c:2656:
+ "%s, rc=%d\n", __func__, (char*)value, -rc);
total: 1 errors, 0 warnings, 195 lines checked
./patches/security-replace-remaining-__function__-occurences.patch has style problems, please review. If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
Please run checkpatch prior to sending patches
Cc: Harvey Harrison <harvey.harrison@gmail.com>
Cc: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Morris <jmorris@namei.org>
Adds a new open permission inside SELinux when 'opening' a file. The idea
is that opening a file and reading/writing to that file are not the same
thing. Its different if a program had its stdout redirected to /tmp/output
than if the program tried to directly open /tmp/output. This should allow
policy writers to more liberally give read/write permissions across the
policy while still blocking many design and programing flaws SELinux is so
good at catching today.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Every file should include the headers containing the externs for its
global code.
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Replace "security:" prefixes in printk messages with "SELinux"
to help users identify the source of the messages. Also fix a
couple of minor formatting issues.
Signed-off-by: James Morris <jmorris@namei.org>
The RCU/spinlock locking approach for the nlbl_state in the sk_security_struct
was almost certainly overkill. This patch removes both the RCU and spinlock
locking, relying on the existing socket locks to handle the case of multiple
writers. This change also makes several code reductions possible.
Less locking, less code - it's a Good Thing.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs
on the stack to work around the LSM API. This patch attempts to fix that
problem by changing the LSM API to require only the relevant "security"
pointers instead of the entire SPD entry; we do this for all of the
security_xfrm_policy*() functions to keep things consistent.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Smack doesn't have the need to create a private copy of the LSM "domain" when
setting NetLabel security attributes like SELinux, however, the current
NetLabel code requires a private copy of the LSM "domain". This patches fixes
that by letting the LSM determine how it wants to pass the domain value.
* NETLBL_SECATTR_DOMAIN_CPY
The current behavior, NetLabel assumes that the domain value is a copy and
frees it when done
* NETLBL_SECATTR_DOMAIN
New, Smack-friendly behavior, NetLabel assumes that the domain value is a
reference to a string managed by the LSM and does not free it when done
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
I (wrongly) assumed that nfs_xdev_get_sb() would not ever share a superblock
and so cloning mount options would always be correct. Turns out that isn't
the case and we could fall over a BUG_ON() that wasn't a BUG at all. Since
there is little we can do to reconcile different mount options this patch
just leaves the sb alone and the first set of options wins.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Trond Myklebust <trond.myklebust@fys.uio.no>
Signed-off-by: James Morris <jmorris@namei.org>
More cases where SELinux must not re-enter the fs code. Called from the
d_instantiate security hook.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Handle files opened with flags 3 by checking ioctl permission.
Default to returning FILE__IOCTL from file_to_av() if the f_mode has neither
FMODE_READ nor FMODE_WRITE, and thus check ioctl permission on exec or
transfer, thereby validating such descriptors early as with normal r/w
descriptors and catching leaks of them prior to attempted usage.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Introduce per-net_device inlines: dev_net(), dev_net_set().
Without CONFIG_NET_NS, no namespace other than &init_net exists.
Let's explicitly define them to help compiler optimizations.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Older smackfs was parsing MAC rules by characters, thus a need of locking
write sessions on open() was needed. This lock is no longer useful now since
each rule is handled by a single write() call.
This is also a bugfix since seq_open() was not called if an open() O_RDWR flag
was given, leading to a seq_read() without an initialized seq_file, thus an
Oops.
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Reported-by: Jonathan Corbet <corbet@lwn.net>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The original justification for cap_task_kill() was as follows:
check_kill_permission() does appropriate uid equivalence checks.
However with file capabilities it becomes possible for an
unprivileged user to execute a file with file capabilities
resulting in a more privileged task with the same uid.
However now that cap_task_kill() always returns 0 (permission
granted) when p->uid==current->uid, the whole hook is worthless,
and only likely to create more subtle problems in the corner cases
where it might still be called but return -EPERM. Those cases
are basically when uids are different but euid/suid is equivalent
as per the check in check_kill_permission().
One example of a still-broken application is 'at' for non-root users.
This patch removes cap_task_kill().
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Andrew G. Morgan <morgan@kernel.org>
Earlier-version-tested-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
In the SYSV ipc msgctl(),semctl(),shmctl() family, if the user passed *_INFO
as the desired operation, no specific object is meant to be controlled and
only system-wide information is returned. This leads to a NULL IPC object in
the LSM hooks if the _INFO flag is given.
Avoid dereferencing this NULL pointer in Smack ipc *ctl() methods.
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This patch makes the needlessly global selinux_parse_opts_str() static.
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
