From 652bb9b0d6ce007f37c098947b2cc0c45efa3f66 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 1 Feb 2011 11:05:40 -0500 Subject: SELinux: Use dentry name in new object labeling Currently SELinux has rules which label new objects according to 3 criteria. The label of the process creating the object, the label of the parent directory, and the type of object (reg, dir, char, block, etc.) This patch adds a 4th criteria, the dentry name, thus we can distinguish between creating a file in an etc_t directory called shadow and one called motd. There is no file globbing, regex parsing, or anything mystical. Either the policy exactly (strcmp) matches the dentry name of the object or it doesn't. This patch has no changes from today if policy does not implement the new rules. Signed-off-by: Eric Paris --- security/selinux/include/security.h | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'security/selinux/include') diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 671273eb1115..348eb00cb668 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -8,6 +8,7 @@ #ifndef _SELINUX_SECURITY_H_ #define _SELINUX_SECURITY_H_ +#include #include #include #include "flask.h" @@ -28,13 +29,14 @@ #define POLICYDB_VERSION_POLCAP 22 #define POLICYDB_VERSION_PERMISSIVE 23 #define POLICYDB_VERSION_BOUNDARY 24 +#define POLICYDB_VERSION_FILENAME_TRANS 25 /* Range of policy versions we understand*/ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE #else -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_FILENAME_TRANS #endif /* Mask for just the mount related flags */ @@ -106,8 +108,8 @@ void security_compute_av(u32 ssid, u32 tsid, void security_compute_av_user(u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd); -int security_transition_sid(u32 ssid, u32 tsid, - u16 tclass, u32 *out_sid); +int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, + const struct qstr *qstr, u32 *out_sid); int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid); -- cgit v1.2.3 From 47ac19ea429aee561f66e9cd05b908e8ffbc498a Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 25 Feb 2011 15:39:20 -0500 Subject: selinux: drop unused packet flow permissions These permissions are not used and can be dropped in the kernel definitions. Suggested-by: Stephen Smalley Signed-off-by: Eric Paris Acked-by: Stephen Smalley --- security/selinux/include/classmap.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'security/selinux/include') diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 7ed3663332ec..4227e5fa7861 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -132,8 +132,7 @@ struct security_class_mapping secclass_map[] = { { "appletalk_socket", { COMMON_SOCK_PERMS, NULL } }, { "packet", - { "send", "recv", "relabelto", "flow_in", "flow_out", - "forward_in", "forward_out", NULL } }, + { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } }, { "key", { "view", "read", "write", "search", "link", "setattr", "create", NULL } }, -- cgit v1.2.3 From 4bc6c2d5d8386800fde23a8e78cd4f04a0ade0ad Mon Sep 17 00:00:00 2001 From: Harry Ciao Date: Wed, 2 Mar 2011 13:46:08 +0800 Subject: SELinux: Auto-generate security_is_socket_class The security_is_socket_class() is auto-generated by genheaders based on classmap.h to reduce maintenance effort when a new class is defined in SELinux kernel. The name for any socket class should be suffixed by "socket" and doesn't contain more than one substr of "socket". Signed-off-by: Harry Ciao Signed-off-by: Eric Paris Acked-by: Stephen Smalley --- scripts/selinux/genheaders/genheaders.c | 20 ++++++++++++++++++++ security/selinux/include/classmap.h | 4 ++++ 2 files changed, 24 insertions(+) (limited to 'security/selinux/include') diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c index 58a12c278706..539855ff31f9 100644 --- a/scripts/selinux/genheaders/genheaders.c +++ b/scripts/selinux/genheaders/genheaders.c @@ -43,6 +43,8 @@ int main(int argc, char *argv[]) int i, j, k; int isids_len; FILE *fout; + const char *needle = "SOCKET"; + char *substr; progname = argv[0]; @@ -88,6 +90,24 @@ int main(int argc, char *argv[]) fprintf(fout, "%2d\n", i); } fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1); + fprintf(fout, "\nstatic inline bool security_is_socket_class(u16 kern_tclass)\n"); + fprintf(fout, "{\n"); + fprintf(fout, "\tbool sock = false;\n\n"); + fprintf(fout, "\tswitch (kern_tclass) {\n"); + for (i = 0; secclass_map[i].name; i++) { + struct security_class_mapping *map = &secclass_map[i]; + substr = strstr(map->name, needle); + if (substr && strcmp(substr, needle) == 0) + fprintf(fout, "\tcase SECCLASS_%s:\n", map->name); + } + fprintf(fout, "\t\tsock = true;\n"); + fprintf(fout, "\t\tbreak;\n"); + fprintf(fout, "\tdefault:\n"); + fprintf(fout, "\t\tbreak;\n"); + fprintf(fout, "\t}\n\n"); + fprintf(fout, "\treturn sock;\n"); + fprintf(fout, "}\n"); + fprintf(fout, "\n#endif\n"); fclose(fout); diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 4227e5fa7861..b8c53723e09b 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -12,6 +12,10 @@ #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ "write", "associate", "unix_read", "unix_write" +/* + * Note: The name for any socket class should be suffixed by "socket", + * and doesn't contain more than one substr of "socket". + */ struct security_class_mapping secclass_map[] = { { "security", { "compute_av", "compute_create", "compute_member", -- cgit v1.2.3