aboutsummaryrefslogtreecommitdiff
path: root/security/selinux/ss
AgeCommit message (Collapse)Author
2010-03-01Merge branch 'next' into for-linusJames Morris
2010-02-25netlabel: fix export of SELinux categories > 127Joshua Roys
This fixes corrupted CIPSO packets when SELinux categories greater than 127 are used. The bug occured on the second (and later) loops through the while; the inner for loop through the ebitmap->maps array used the same index as the NetLabel catmap->bitmap array, even though the NetLabel bitmap is twice as long as the SELinux bitmap. Signed-off-by: Joshua Roys <joshua.roys@gtri.gatech.edu> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2010-02-22selinux: libsepol: remove dead code in check_avtab_hierarchy_callback()KaiGai Kohei
This patch revert the commit of 7d52a155e38d5a165759dbbee656455861bf7801 which removed a part of type_attribute_bounds_av as a dead code. However, at that time, we didn't find out the target side boundary allows to handle some of pseudo /proc/<pid>/* entries with its process's security context well. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> -- security/selinux/ss/services.c | 43 ++++++++++++++++++++++++++++++++++++--- 1 files changed, 39 insertions(+), 4 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
2010-02-16security: fix a couple of sparse warningsJames Morris
Fix a couple of sparse warnings for callers of context_struct_to_string, which takes a *u32, not an *int. These cases are harmless as the values are not used. Signed-off-by: James Morris <jmorris@namei.org> Acked-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
2010-02-04selinux: allow MLS->non-MLS and vice versa upon policy reloadGuido Trentalancia
Allow runtime switching between different policy types (e.g. from a MLS/MCS policy to a non-MLS/non-MCS policy or viceversa). Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2010-02-04selinux: load the initial SIDs upon every policy loadGuido Trentalancia
Always load the initial SIDs, even in the case of a policy reload and not just at the initial policy load. This comes particularly handy after the introduction of a recent patch for enabling runtime switching between different policy types, although this patch is in theory independent from that feature. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2010-01-25selinux: remove dead code in type_attribute_bounds_av()KaiGai Kohei
This patch removes dead code in type_attribute_bounds_av(). Due to the historical reason, the type boundary feature is delivered from hierarchical types in libsepol, it has supported boundary features both of subject type (domain; in most cases) and target type. However, we don't have any actual use cases in bounded target types, and it tended to make conceptual confusion. So, this patch removes the dead code to apply boundary checks on the target types. I makes clear the TYPEBOUNDS restricts privileges of a certain domain bounded to any other domain. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> -- security/selinux/ss/services.c | 43 +++------------------------------------ 1 files changed, 4 insertions(+), 39 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
2010-01-25selinux: convert range transition list to a hashtabStephen Smalley
Per https://bugzilla.redhat.com/show_bug.cgi?id=548145 there are sufficient range transition rules in modern (Fedora) policy to make mls_compute_sid a significant factor on the shmem file setup path due to the length of the range_tr list. Replace the simple range_tr list with a hashtab inside the security server to help mitigate this problem. Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2010-01-18Merge branch 'master' into nextJames Morris
2010-01-18selinux: change the handling of unknown classesStephen Smalley
If allow_unknown==deny, SELinux treats an undefined kernel security class as an error condition rather than as a typical permission denial and thus does not allow permissions on undefined classes even when in permissive mode. Change the SELinux logic so that this case is handled as a typical permission denial, subject to the usual permissive mode and permissive domain handling. Also drop the 'requested' argument from security_compute_av() and helpers as it is a legacy of the original security server interface and is unused. Changes: - Handle permissive domains consistently by moving up the test for a permissive domain. - Make security_compute_av_user() consistent with security_compute_av(); the only difference now is that security_compute_av() performs mapping between the kernel-private class and permission indices and the policy values. In the userspace case, this mapping is handled by libselinux. - Moved avd_init inside the policy lock. Based in part on a patch by Paul Moore <paul.moore@hp.com>. Reported-by: Andrew Worsley <amworsley@gmail.com> Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2009-12-08selinux: remove a useless returnAmerigo Wang
The last return is unreachable, remove the 'return' in default, let it fall through. Signed-off-by: WANG Cong <amwang@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2009-12-08security/selinux/ss: correct size computationJulia Lawall
The size argument to kcalloc should be the size of desired structure, not the pointer to it. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @expression@ expression *x; @@ x = <+... -sizeof(x) +sizeof(*x) ...+>// </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2009-12-07Merge branch 'for-next' into for-linusJiri Kosina
Conflicts: kernel/irq/chip.c
2009-12-04tree-wide: fix assorted typos all over the placeAndré Goddard Rosa
That is "success", "unknown", "through", "performance", "[re|un]mapping" , "access", "default", "reasonable", "[con]currently", "temperature" , "channel", "[un]used", "application", "example","hierarchy", "therefore" , "[over|under]flow", "contiguous", "threshold", "enough" and others. Signed-off-by: André Goddard Rosa <andre.goddard@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2009-11-24SELinux: print denials for buggy kernel with unknown permsEric Paris
Historically we've seen cases where permissions are requested for classes where they do not exist. In particular we have seen CIFS forget to set i_mode to indicate it is a directory so when we later check something like remove_name we have problems since it wasn't defined in tclass file. This used to result in a avc which included the permission 0x2000 or something. Currently the kernel will deny the operations (good thing) but will not print ANY information (bad thing). First the auditdeny field is no extended to include unknown permissions. After that is fixed the logic in avc_dump_query to output this information isn't right since it will remove the permission from the av and print the phrase "<NULL>". This takes us back to the behavior before the classmap rewrite. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2009-10-20SELinux: fix locking issue introduced with c6d3aaa4e35c71a3Stephen Smalley
Ensure that we release the policy read lock on all exit paths from security_compute_av. Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2009-10-07selinux: drop remapping of netlink classesStephen Smalley
Drop remapping of netlink classes and bypass of permission checking based on netlink message type for policy version < 18. This removes compatibility code introduced when the original single netlink security class used for all netlink sockets was split into finer-grained netlink classes based on netlink protocol and when permission checking was added based on netlink message type in Linux 2.6.8. The only known distribution that shipped with SELinux and policy < 18 was Fedora Core 2, which was EOL'd on 2005-04-11. Given that the remapping code was never updated to address the addition of newer netlink classes, that the corresponding userland support was dropped in 2005, and that the assumptions made by the remapping code about the fixed ordering among netlink classes in the policy may be violated in the future due to the dynamic class/perm discovery support, we should drop this compatibility code now. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2009-10-07selinux: generate flask headers during kernel buildStephen Smalley
Add a simple utility (scripts/selinux/genheaders) and invoke it to generate the kernel-private class and permission indices in flask.h and av_permissions.h automatically during the kernel build from the security class mapping definitions in classmap.h. Adding new kernel classes and permissions can then be done just by adding them to classmap.h. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2009-10-07selinux: dynamic class/perm discoveryStephen Smalley
Modify SELinux to dynamically discover class and permission values upon policy load, based on the dynamic object class/perm discovery logic from libselinux. A mapping is created between kernel-private class and permission indices used outside the security server and the policy values used within the security server. The mappings are only applied upon kernel-internal computations; similar mappings for the private indices of userspace object managers is handled on a per-object manager basis by the userspace AVC. The interfaces for compute_av and transition_sid are split for kernel vs. userspace; the userspace functions are distinguished by a _user suffix. The kernel-private class indices are no longer tied to the policy values and thus do not need to skip indices for userspace classes; thus the kernel class index values are compressed. The flask.h definitions were regenerated by deleting the userspace classes from refpolicy's definitions and then regenerating the headers. Going forward, we can just maintain the flask.h, av_permissions.h, and classmap.h definitions separately from policy as they are no longer tied to the policy values. The next patch introduces a utility to automate generation of flask.h and av_permissions.h from the classmap.h definitions. The older kernel class and permission string tables are removed and replaced by a single security class mapping table that is walked at policy load to generate the mapping. The old kernel class validation logic is completely replaced by the mapping logic. The handle unknown logic is reworked. reject_unknown=1 is handled when the mappings are computed at policy load time, similar to the old handling by the class validation logic. allow_unknown=1 is handled when computing and mapping decisions - if the permission was not able to be mapped (i.e. undefined, mapped to zero), then it is automatically added to the allowed vector. If the class was not able to be mapped (i.e. undefined, mapped to zero), then all permissions are allowed for it if allow_unknown=1. avc_audit leverages the new security class mapping table to lookup the class and permission names from the kernel-private indices. The mdp program is updated to use the new table when generating the class definitions and allow rules for a minimal boot policy for the kernel. It should be noted that this policy will not include any userspace classes, nor will its policy index values for the kernel classes correspond with the ones in refpolicy (they will instead match the kernel-private indices). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2009-06-19Merge branch 'master' into nextJames Morris
2009-06-19Add audit messages on type boundary violationsKaiGai Kohei
The attached patch adds support to generate audit messages on two cases. The first one is a case when a multi-thread process tries to switch its performing security context using setcon(3), but new security context is not bounded by the old one. type=SELINUX_ERR msg=audit(1245311998.599:17): \ op=security_bounded_transition result=denied \ oldcontext=system_u:system_r:httpd_t:s0 \ newcontext=system_u:system_r:guest_webapp_t:s0 The other one is a case when security_compute_av() masked any permissions due to the type boundary violation. type=SELINUX_ERR msg=audit(1245312836.035:32): \ op=security_compute_av reason=bounds \ scontext=system_u:object_r:user_webapp_t:s0 \ tcontext=system_u:object_r:shadow_t:s0:c0 \ tclass=file perms=getattr,open Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2009-06-18cleanup in ss/services.cKaiGai Kohei
It is a cleanup patch to cut down a line within 80 columns. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> -- security/selinux/ss/services.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
2009-04-02Permissive domain in userspace object managerKaiGai Kohei
This patch enables applications to handle permissive domain correctly. Since the v2.6.26 kernel, SELinux has supported an idea of permissive domain which allows certain processes to work as if permissive mode, even if the global setting is enforcing mode. However, we don't have an application program interface to inform what domains are permissive one, and what domains are not. It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL and so on) cannot handle permissive domain correctly. This patch add the sixth field (flags) on the reply of the /selinux/access interface which is used to make an access control decision from userspace. If the first bit of the flags field is positive, it means the required access control decision is on permissive domain, so application should allow any required actions, as the kernel doing. This patch also has a side benefit. The av_decision.flags is set at context_struct_compute_av(). It enables to check required permissions without read_lock(&policy_rwlock). Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> -- security/selinux/avc.c | 2 +- security/selinux/include/security.h | 4 +++- security/selinux/selinuxfs.c | 4 ++-- security/selinux/ss/services.c | 30 +++++------------------------- 4 files changed, 11 insertions(+), 29 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
2009-02-14SELinux: remove unused av.decided fieldEric Paris
It appears there was an intention to have the security server only decide certain permissions and leave other for later as some sort of a portential performance win. We are currently always deciding all 32 bits of permissions and this is a useless couple of branches and wasted space. This patch completely drops the av.decided concept. This in a 17% reduction in the time spent in avc_has_perm_noaudit based on oprofile sampling of a tbench benchmark. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2009-01-07Merge branch 'next' into for-linusJames Morris
2009-01-05SELinux: shrink sizeof av_inhert selinux_class_perm and contextEric Paris
I started playing with pahole today and decided to put it against the selinux structures. Found we could save a little bit of space on x86_64 (and no harm on i686) just reorganizing some structs. Object size changes: av_inherit: 24 -> 16 selinux_class_perm: 48 -> 40 context: 80 -> 72 Admittedly there aren't many of av_inherit or selinux_class_perm's in the kernel (33 and 1 respectively) But the change to the size of struct context reverberate out a bit. I can get some hard number if they are needed, but I don't see why they would be. We do change which cacheline context->len and context->str would be on, but I don't see that as a problem since we are clearly going to have to load both if the context is to be of any value. I've run with the patch and don't seem to be having any problems. An example of what's going on using struct av_inherit would be: form: to: struct av_inherit { struct av_inherit { u16 tclass; const char **common_pts; const char **common_pts; u32 common_base; u32 common_base; u16 tclass; }; (notice all I did was move u16 tclass to the end of the struct instead of the beginning) Memory layout before the change: struct av_inherit { u16 tclass; /* 2 */ /* 6 bytes hole */ const char** common_pts; /* 8 */ u32 common_base; /* 4 */ /* 4 byes padding */ /* size: 24, cachelines: 1 */ /* sum members: 14, holes: 1, sum holes: 6 */ /* padding: 4 */ }; Memory layout after the change: struct av_inherit { const char ** common_pts; /* 8 */ u32 common_base; /* 4 */ u16 tclass; /* 2 */ /* 2 bytes padding */ /* size: 16, cachelines: 1 */ /* sum members: 14, holes: 0, sum holes: 0 */ /* padding: 2 */ }; Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2009-01-04audit: validate comparison operations, store them in sane formAl Viro
Don't store the field->op in the messy (and very inconvenient for e.g. audit_comparator()) form; translate to dense set of values and do full validation of userland-submitted value while we are at it. ->audit_init_rule() and ->audit_match_rule() get new values now; in-tree instances updated. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2008-10-11Merge branch 'master' of ↵James Morris
git://git.infradead.org/users/pcmoore/lblnet-2.6_next into next
2008-10-10netlabel: Changes to the NetLabel security attributes to allow LSMs to pass ↵Paul Moore
full contexts This patch provides support for including the LSM's secid in addition to the LSM's MLS information in the NetLabel security attributes structure. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org>
2008-10-10selinux: Fix a problem in security_netlbl_sid_to_secattr()Paul Moore
Currently when SELinux fails to allocate memory in security_netlbl_sid_to_secattr() the NetLabel LSM domain field is set to NULL which triggers the default NetLabel LSM domain mapping which may not always be the desired mapping. This patch fixes this by returning an error when the kernel is unable to allocate memory. This could result in more failures on a system with heavy memory pressure but it is the "correct" thing to do. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org>
2008-10-04selinux: Fix an uninitialized variable BUG/panic in selinux_secattr_to_sid()Paul Moore
At some point during the 2.6.27 development cycle two new fields were added to the SELinux context structure, a string pointer and a length field. The code in selinux_secattr_to_sid() was not modified and as a result these two fields were left uninitialized which could result in erratic behavior, including kernel panics, when NetLabel is used. This patch fixes the problem by fully initializing the context in selinux_secattr_to_sid() before use and reducing the level of direct context manipulation done to help prevent future problems. Please apply this to the 2.6.27-rcX release stream. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-10-04selinux: Fix an uninitialized variable BUG/panic in selinux_secattr_to_sid()Paul Moore
At some point during the 2.6.27 development cycle two new fields were added to the SELinux context structure, a string pointer and a length field. The code in selinux_secattr_to_sid() was not modified and as a result these two fields were left uninitialized which could result in erratic behavior, including kernel panics, when NetLabel is used. This patch fixes the problem by fully initializing the context in selinux_secattr_to_sid() before use and reducing the level of direct context manipulation done to help prevent future problems. Please apply this to the 2.6.27-rcX release stream. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-09-21Merge branch 'master' into nextJames Morris
Conflicts: MAINTAINERS Thanks for breaking my tree :-) Signed-off-by: James Morris <jmorris@namei.org>
2008-09-04SELinux: memory leak in security_context_to_sid_coreEric Paris
Fix a bug and a philosophical decision about who handles errors. security_context_to_sid_core() was leaking a context in the common case. This was causing problems on fedora systems which recently have started making extensive use of this function. In discussion it was decided that if string_to_context_struct() had an error it was its own responsibility to clean up any mess it created along the way. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2008-08-29SELinux: add boundary support and thread context assignmentKaiGai Kohei
The purpose of this patch is to assign per-thread security context under a constraint. It enables multi-threaded server application to kick a request handler with its fair security context, and helps some of userspace object managers to handle user's request. When we assign a per-thread security context, it must not have wider permissions than the original one. Because a multi-threaded process shares a single local memory, an arbitary per-thread security context also means another thread can easily refer violated information. The constraint on a per-thread security context requires a new domain has to be equal or weaker than its original one, when it tries to assign a per-thread security context. Bounds relationship between two types is a way to ensure a domain can never have wider permission than its bounds. We can define it in two explicit or implicit ways. The first way is using new TYPEBOUNDS statement. It enables to define a boundary of types explicitly. The other one expand the concept of existing named based hierarchy. If we defines a type with "." separated name like "httpd_t.php", toolchain implicitly set its bounds on "httpd_t". This feature requires a new policy version. The 24th version (POLICYDB_VERSION_BOUNDARY) enables to ship them into kernel space, and the following patch enables to handle it. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2008-08-15selinux: Unify for- and while-loop styleVesa-Matti Kari
Replace "thing != NULL" comparisons with just "thing" to make the code look more uniform (mixed styles were used even in the same source file). Signed-off-by: Vesa-Matti Kari <vmkari@cc.helsinki.fi> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2008-08-07selinux: conditional expression type validation was off-by-oneVesa-Matti Kari
expr_isvalid() in conditional.c was off-by-one and allowed invalid expression type COND_LAST. However, it is this header file that needs to be fixed. That way the if-statement's disjunction's second component reads more naturally, "if expr type is greater than the last allowed value" ( rather than using ">=" in conditional.c): if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) Signed-off-by: Vesa-Matti Kari <vmkari@cc.helsinki.fi> Signed-off-by: James Morris <jmorris@namei.org>
2008-08-05SELinux: trivial, remove unneeded local variableVesa-Matti J Kari
Hello, Remove unneeded local variable: struct avtab_node *newnode Signed-off-by: Vesa-Matti Kari <vmkari@cc.helsinki.fi> Signed-off-by: James Morris <jmorris@namei.org>
2008-08-05SELinux: Trivial minor fixes that change C null character styleVesa-Matti J Kari
Trivial minor fixes that change C null character style. Signed-off-by: Vesa-Matti Kari <vmkari@cc.helsinki.fi> Signed-off-by: James Morris <jmorris@namei.org>
2008-07-15Revert "SELinux: allow fstype unknown to policy to use xattrs if present"James Morris
This reverts commit 811f3799279e567aa354c649ce22688d949ac7a9. From Eric Paris: "Please drop this patch for now. It deadlocks on ntfs-3g. I need to rework it to handle fuse filesystems better. (casey was right)"
2008-07-14SELinux: allow fstype unknown to policy to use xattrs if presentEric Paris
Currently if a FS is mounted for which SELinux policy does not define an fs_use_* that FS will either be genfs labeled or not labeled at all. This decision is based on the existence of a genfscon rule in policy and is irrespective of the capabilities of the filesystem itself. This patch allows the kernel to check if the filesystem supports security xattrs and if so will use those if there is no fs_use_* rule in policy. An fstype with a no fs_use_* rule but with a genfs rule will use xattrs if available and will follow the genfs rule. This can be particularly interesting for things like ecryptfs which actually overlays a real underlying FS. If we define excryptfs in policy to use xattrs we will likely get this wrong at times, so with this path we just don't need to define it! Overlay ecryptfs on top of NFS with no xattr support: SELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts Overlay ecryptfs on top of ext4 with xattr support: SELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr It is also useful as the kernel adds new FS we don't need to add them in policy if they support xattrs and that is how we want to handle them. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2008-07-14SELinux: more user friendly unknown handling printkEric Paris
I've gotten complaints and reports about people not understanding the meaning of the current unknown class/perm handling the kernel emits on every policy load. Hopefully this will make make it clear to everyone the meaning of the message and won't waste a printk the user won't care about anyway on systems where the kernel and the policy agree on everything. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-07-14selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux ↵Stephen Smalley
whine) On Mon, 2008-06-09 at 01:24 -0700, Andrew Morton wrote: > Getting a few of these with FC5: > > SELinux: context_struct_compute_av: unrecognized class 69 > SELinux: context_struct_compute_av: unrecognized class 69 > > one came out when I logged in. > > No other symptoms, yet. Change handling of invalid classes by SELinux, reporting class values unknown to the kernel as errors (w/ ratelimit applied) and handling class values unknown to policy as normal denials. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-07-14SELinux: drop load_mutex in security_load_policyEric Paris
We used to protect against races of policy load in security_load_policy by using the load_mutex. Since then we have added a new mutex, sel_mutex, in sel_write_load() which is always held across all calls to security_load_policy we are covered and can safely just drop this one. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2008-07-14SELinux: fix off by 1 reference of class_to_string in context_struct_compute_avEric Paris
The class_to_string array is referenced by tclass. My code mistakenly was using tclass - 1. If the proceeding class is a userspace class rather than kernel class this may cause a denial/EINVAL even if unknown handling is set to allow. The bug shouldn't be allowing excess privileges since those are given based on the contents of another array which should be correctly referenced. At this point in time its pretty unlikely this is going to cause problems. The most recently added kernel classes which could be affected are association, dccp_socket, and peer. Its pretty unlikely any policy with handle_unknown=allow doesn't have association and dccp_socket undefined (they've been around longer than unknown handling) and peer is conditionalized on a policy cap which should only be defined if that class exists in policy. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2008-07-14SELinux: open code sidtab lockJames Morris
Open code sidtab lock to make Andrew Morton happy. Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2008-07-14SELinux: open code load_mutexJames Morris
Open code load_mutex as suggested by Andrew Morton. Signed-off-by: James Morris <jmorris@namei.org>
2008-07-14SELinux: open code policy_rwlockJames Morris
Open code policy_rwlock, as suggested by Andrew Morton. Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2008-07-14selinux: fix endianness bug in network node address handlingStephen Smalley
Fix an endianness bug in the handling of network node addresses by SELinux. This yields no change on little endian hardware but fixes the incorrect handling on big endian hardware. The network node addresses are stored in network order in memory by checkpolicy, not in cpu/host order, and thus should not have cpu_to_le32/le32_to_cpu conversions applied upon policy write/read unlike other data in the policy. Bug reported by John Weeks of Sun, who noticed that binary policy files built from the same policy source on x86 and sparc differed and tracked it down to the ipv4 address handling in checkpolicy. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2008-07-14SELinux: keep the code clean formating and syntaxEric Paris
Formatting and syntax changes whitespace, tabs to spaces, trailing space put open { on same line as struct def remove unneeded {} after if statements change printk("Lu") to printk("llu") convert asm/uaccess.h to linux/uaacess.h includes remove unnecessary asm/bug.h includes convert all users of simple_strtol to strict_strtol Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>