Commit fb2a624d authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'selinux-pr-20181224' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux patches from Paul Moore:
 "I already used my best holiday pull request lines in the audit pull
  request, so this one is going to be a bit more boring, sorry about
  that. To make up for this, we do have a birthday of sorts to
  celebrate: SELinux turns 18 years old this December. Perhaps not the
  most exciting thing in the world for most people, but I think it's
  safe to say that anyone reading this email doesn't exactly fall into
  the "most people" category.

  Back to business and the pull request itself:

  Ondrej has five patches in this pull request and I lump them into
  three categories: one patch to always allow submounts (using similar
  logic to elsewhere in the kernel), one to fix some issues with the
  SELinux policydb, and the others to cleanup and improve the SELinux
  sidtab.

  The other patches from Alexey and Petr are trivial fixes that are
  adequately described in their respective subject lines.

  With this last pull request of the year, I want to thank everyone who
  has contributed patches, testing, and reviews to the SELinux project
  this year, and the past 18 years. Like any good open source effort,
  SELinux is only as good as the community which supports it, and I'm
  very happy that we have the community we do - thank you all!"

* tag 'selinux-pr-20181224' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: overhaul sidtab to fix bug and improve performance
  selinux: use separate table for initial SID lookup
  selinux: make "selinux_policycap_names[]" const char *
  selinux: always allow mounting submounts
  selinux: refactor sidtab conversion
  Documentation: Update SELinux reference policy URL
  selinux: policydb - fix byte order and alignment issues
parents 047ce6d3 ee1a84fd
...@@ -6,7 +6,7 @@ If you want to use SELinux, chances are you will want ...@@ -6,7 +6,7 @@ If you want to use SELinux, chances are you will want
to use the distro-provided policies, or install the to use the distro-provided policies, or install the
latest reference policy release from latest reference policy release from
http://oss.tresys.com/projects/refpolicy https://github.com/SELinuxProject/refpolicy
However, if you want to install a dummy policy for However, if you want to install a dummy policy for
testing, you can do using ``mdp`` provided under testing, you can do using ``mdp`` provided under
......
...@@ -2934,7 +2934,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) ...@@ -2934,7 +2934,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
return rc; return rc;
/* Allow all mounts performed by the kernel */ /* Allow all mounts performed by the kernel */
if (flags & MS_KERNMOUNT) if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))
return 0; return 0;
ad.type = LSM_AUDIT_DATA_DENTRY; ad.type = LSM_AUDIT_DATA_DENTRY;
......
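Review bot: The new condition `if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))` widens the early `return 0` into a policy bypass for submounts, yet the comment above it still reads `/* Allow all mounts performed by the kernel */`, which says nothing about why the second flag is safe to trust. The justification is presumably that MS_SUBMOUNT is set only by the VFS itself (vfs_submount) and is masked out of the flags userspace can pass to mount, so it cannot be used to skip the sb_kern_mount check; that is an inference from the kernel at large, not from this hunk, and is worth confirming before merging. Suggest `/* Allow all mounts performed by the kernel, including automounted submounts (MS_SUBMOUNT is never user-settable) */`. selinux_sb_kern_mount starts before this hunk.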
...@@ -81,7 +81,7 @@ enum { ...@@ -81,7 +81,7 @@ enum {
}; };
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
extern char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX]; extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];
/* /*
* type_datum properties * type_datum properties
......
...@@ -440,16 +440,17 @@ int mls_setup_user_range(struct policydb *p, ...@@ -440,16 +440,17 @@ int mls_setup_user_range(struct policydb *p,
/* /*
* Convert the MLS fields in the security context * Convert the MLS fields in the security context
* structure `c' from the values specified in the * structure `oldc' from the values specified in the
* policy `oldp' to the values specified in the policy `newp'. * policy `oldp' to the values specified in the policy `newp',
* storing the resulting context in `newc'.
*/ */
int mls_convert_context(struct policydb *oldp, int mls_convert_context(struct policydb *oldp,
struct policydb *newp, struct policydb *newp,
struct context *c) struct context *oldc,
struct context *newc)
{ {
struct level_datum *levdatum; struct level_datum *levdatum;
struct cat_datum *catdatum; struct cat_datum *catdatum;
struct ebitmap bitmap;
struct ebitmap_node *node; struct ebitmap_node *node;
int l, i; int l, i;
...@@ -459,28 +460,25 @@ int mls_convert_context(struct policydb *oldp, ...@@ -459,28 +460,25 @@ int mls_convert_context(struct policydb *oldp,
for (l = 0; l < 2; l++) { for (l = 0; l < 2; l++) {
levdatum = hashtab_search(newp->p_levels.table, levdatum = hashtab_search(newp->p_levels.table,
sym_name(oldp, SYM_LEVELS, sym_name(oldp, SYM_LEVELS,
c->range.level[l].sens - 1)); oldc->range.level[l].sens - 1));
if (!levdatum) if (!levdatum)
return -EINVAL; return -EINVAL;
c->range.level[l].sens = levdatum->level->sens; newc->range.level[l].sens = levdatum->level->sens;
ebitmap_init(&bitmap); ebitmap_for_each_positive_bit(&oldc->range.level[l].cat,
ebitmap_for_each_positive_bit(&c->range.level[l].cat, node, i) { node, i) {
int rc; int rc;
catdatum = hashtab_search(newp->p_cats.table, catdatum = hashtab_search(newp->p_cats.table,
sym_name(oldp, SYM_CATS, i)); sym_name(oldp, SYM_CATS, i));
if (!catdatum) if (!catdatum)
return -EINVAL; return -EINVAL;
rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1); rc = ebitmap_set_bit(&newc->range.level[l].cat,
catdatum->value - 1, 1);
if (rc) if (rc)
return rc; return rc;
cond_resched();
} }
ebitmap_destroy(&c->range.level[l].cat);
c->range.level[l].cat = bitmap;
} }
return 0; return 0;
......
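Review bot: The rewritten loop sets bits in `newc->range.level[l].cat` without initialising it, and neither error return (`-EINVAL` or `rc`) releases what has already been set, so the function now depends on two caller-side conventions the header comment does not state: `newc`'s category bitmaps must be initialised (empty) on entry, and the caller owns cleanup of a partially filled `newc` on failure. The old version built into a local `bitmap` and swapped it in only on success, so the success path was self-contained. Suggest extending the comment at the top with `Caller must have initialised newc (ebitmap_init on both level cat maps) and must destroy newc on error.` Dropping `cond_resched()` also changes how long a large category set runs without yielding; if the new sidtab conversion holds a spinlock that is the reason, but it is not visible here. The matching prototype change is in the mls.h section that follows.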
...@@ -46,7 +46,8 @@ int mls_range_set(struct context *context, struct mls_range *range); ...@@ -46,7 +46,8 @@ int mls_range_set(struct context *context, struct mls_range *range);
int mls_convert_context(struct policydb *oldp, int mls_convert_context(struct policydb *oldp,
struct policydb *newp, struct policydb *newp,
struct context *context); struct context *oldc,
struct context *newc);
int mls_compute_sid(struct policydb *p, int mls_compute_sid(struct policydb *p,
struct context *scontext, struct context *scontext,
......
...@@ -909,13 +909,21 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s) ...@@ -909,13 +909,21 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
if (!c->context[0].user) { if (!c->context[0].user) {
pr_err("SELinux: SID %s was never defined.\n", pr_err("SELinux: SID %s was never defined.\n",
c->u.name); c->u.name);
sidtab_destroy(s);
goto out;
}
if (c->sid[0] == SECSID_NULL || c->sid[0] > SECINITSID_NUM) {
pr_err("SELinux: Initial SID %s out of range.\n",
c->u.name);
sidtab_destroy(s);
goto out; goto out;
} }
rc = sidtab_insert(s, c->sid[0], &c->context[0]); rc = sidtab_set_initial(s, c->sid[0], &c->context[0]);
if (rc) { if (rc) {
pr_err("SELinux: unable to load initial SID %s.\n", pr_err("SELinux: unable to load initial SID %s.\n",
c->u.name); c->u.name);
sidtab_destroy(s);
goto out; goto out;
} }
} }
...@@ -2108,6 +2116,7 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, ...@@ -2108,6 +2116,7 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
{ {
int i, j, rc; int i, j, rc;
u32 nel, len; u32 nel, len;
__be64 prefixbuf[1];
__le32 buf[3]; __le32 buf[3];
struct ocontext *l, *c; struct ocontext *l, *c;
u32 nodebuf[8]; u32 nodebuf[8];
...@@ -2217,21 +2226,30 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, ...@@ -2217,21 +2226,30 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
goto out; goto out;
break; break;
} }
case OCON_IBPKEY: case OCON_IBPKEY: {
rc = next_entry(nodebuf, fp, sizeof(u32) * 4); u32 pkey_lo, pkey_hi;
rc = next_entry(prefixbuf, fp, sizeof(u64));
if (rc)
goto out;
/* we need to have subnet_prefix in CPU order */
c->u.ibpkey.subnet_prefix = be64_to_cpu(prefixbuf[0]);
rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc) if (rc)
goto out; goto out;
c->u.ibpkey.subnet_prefix = be64_to_cpu(*((__be64 *)nodebuf)); pkey_lo = le32_to_cpu(buf[0]);
pkey_hi = le32_to_cpu(buf[1]);
if (nodebuf[2] > 0xffff || if (pkey_lo > U16_MAX || pkey_hi > U16_MAX) {
nodebuf[3] > 0xffff) {
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
c->u.ibpkey.low_pkey = le32_to_cpu(nodebuf[2]); c->u.ibpkey.low_pkey = pkey_lo;
c->u.ibpkey.high_pkey = le32_to_cpu(nodebuf[3]); c->u.ibpkey.high_pkey = pkey_hi;
rc = context_read_and_validate(&c->context[0], rc = context_read_and_validate(&c->context[0],
p, p,
...@@ -2239,7 +2257,10 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, ...@@ -2239,7 +2257,10 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
if (rc) if (rc)
goto out; goto out;
break; break;
case OCON_IBENDPORT: }
case OCON_IBENDPORT: {
u32 port;
rc = next_entry(buf, fp, sizeof(u32) * 2); rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc) if (rc)
goto out; goto out;
...@@ -2249,12 +2270,13 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, ...@@ -2249,12 +2270,13 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
if (rc) if (rc)
goto out; goto out;
if (buf[1] > 0xff || buf[1] == 0) { port = le32_to_cpu(buf[1]);
if (port > U8_MAX || port == 0) {
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
c->u.ibendport.port = le32_to_cpu(buf[1]); c->u.ibendport.port = port;
rc = context_read_and_validate(&c->context[0], rc = context_read_and_validate(&c->context[0],
p, p,
...@@ -2262,7 +2284,8 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, ...@@ -2262,7 +2284,8 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
if (rc) if (rc)
goto out; goto out;
break; break;
} } /* end case */
} /* end switch */
} }
} }
rc = 0; rc = 0;
...@@ -3105,6 +3128,7 @@ static int ocontext_write(struct policydb *p, struct policydb_compat_info *info, ...@@ -3105,6 +3128,7 @@ static int ocontext_write(struct policydb *p, struct policydb_compat_info *info,
{ {
unsigned int i, j, rc; unsigned int i, j, rc;
size_t nel, len; size_t nel, len;
__be64 prefixbuf[1];
__le32 buf[3]; __le32 buf[3];
u32 nodebuf[8]; u32 nodebuf[8];
struct ocontext *c; struct ocontext *c;
...@@ -3192,12 +3216,17 @@ static int ocontext_write(struct policydb *p, struct policydb_compat_info *info, ...@@ -3192,12 +3216,17 @@ static int ocontext_write(struct policydb *p, struct policydb_compat_info *info,
return rc; return rc;
break; break;
case OCON_IBPKEY: case OCON_IBPKEY:
*((__be64 *)nodebuf) = cpu_to_be64(c->u.ibpkey.subnet_prefix); /* subnet_prefix is in CPU order */
prefixbuf[0] = cpu_to_be64(c->u.ibpkey.subnet_prefix);
nodebuf[2] = cpu_to_le32(c->u.ibpkey.low_pkey); rc = put_entry(prefixbuf, sizeof(u64), 1, fp);
nodebuf[3] = cpu_to_le32(c->u.ibpkey.high_pkey); if (rc)
return rc;
rc = put_entry(nodebuf, sizeof(u32), 4, fp); buf[0] = cpu_to_le32(c->u.ibpkey.low_pkey);
buf[1] = cpu_to_le32(c->u.ibpkey.high_pkey);
rc = put_entry(buf, sizeof(u32), 2, fp);
if (rc) if (rc)
return rc; return rc;
rc = context_write(p, &c->context[0], fp); rc = context_write(p, &c->context[0], fp);
......
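Review bot: The new bound `c->sid[0] > SECINITSID_NUM` in policydb_load_isids exists because sidtab_set_initial now indexes a fixed `isids[SECINITSID_NUM]` array by `sid - 1` (see the sidtab.h section), but nothing at the check says so, and the two bounds will drift apart silently if either changes. Suggest a comment on the check: `/* sidtab_set_initial() indexes isids[sid - 1]; keep in sync with SECINITSID_NUM */`. Whether a duplicate initial SID definition is rejected or simply overwrites the earlier entry is not visible here; if sidtab_set_initial does not test `set`, a second definition would leak the first copied context, which is worth confirming against sidtab.c. The ocontext_read and ocontext_write hunks replace the misaligned `(__be64 *)nodebuf` cast with a separately read `prefixbuf`, which is the right fix; the `buf[3]` reuse for the two pkey words keeps the u32 reads naturally aligned.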
...@@ -24,7 +24,7 @@ struct selinux_map { ...@@ -24,7 +24,7 @@ struct selinux_map {
}; };
struct selinux_ss { struct selinux_ss {
struct sidtab sidtab; struct sidtab *sidtab;
struct policydb policydb; struct policydb policydb;
rwlock_t policy_rwlock; rwlock_t policy_rwlock;
u32 latest_granting; u32 latest_granting;
......
/* SPDX-License-Identifier: GPL-2.0 */ /* SPDX-License-Identifier: GPL-2.0 */
/* /*
* A security identifier table (sidtab) is a hash table * A security identifier table (sidtab) is a lookup table
* of security context structures indexed by SID value. * of security context structures indexed by SID value.
* *
* Author : Stephen Smalley, <sds@tycho.nsa.gov> * Original author: Stephen Smalley, <sds@tycho.nsa.gov>
* Author: Ondrej Mosnacek, <omosnacek@gmail.com>
*
* Copyright (C) 2018 Red Hat, Inc.
*/ */
#ifndef _SS_SIDTAB_H_ #ifndef _SS_SIDTAB_H_
#define _SS_SIDTAB_H_ #define _SS_SIDTAB_H_
#include <linux/spinlock_types.h>
#include <linux/log2.h>
#include "context.h" #include "context.h"
struct sidtab_node { struct sidtab_entry_leaf {
u32 sid; /* security identifier */ struct context context;
struct context context; /* security context structure */ };
struct sidtab_node *next;
struct sidtab_node_inner;
struct sidtab_node_leaf;
union sidtab_entry_inner {
struct sidtab_node_inner *ptr_inner;
struct sidtab_node_leaf *ptr_leaf;
};
/* align node size to page boundary */
#define SIDTAB_NODE_ALLOC_SHIFT PAGE_SHIFT
#define SIDTAB_NODE_ALLOC_SIZE PAGE_SIZE
#define size_to_shift(size) ((size) == 1 ? 1 : (const_ilog2((size) - 1) + 1))
#define SIDTAB_INNER_SHIFT \
(SIDTAB_NODE_ALLOC_SHIFT - size_to_shift(sizeof(union sidtab_entry_inner)))
#define SIDTAB_INNER_ENTRIES ((size_t)1 << SIDTAB_INNER_SHIFT)
#define SIDTAB_LEAF_ENTRIES \
(SIDTAB_NODE_ALLOC_SIZE / sizeof(struct sidtab_entry_leaf))
#define SIDTAB_MAX_BITS 31 /* limited to INT_MAX due to atomic_t range */
#define SIDTAB_MAX (((u32)1 << SIDTAB_MAX_BITS) - 1)
/* ensure enough tree levels for SIDTAB_MAX entries */
#define SIDTAB_MAX_LEVEL \
DIV_ROUND_UP(SIDTAB_MAX_BITS - size_to_shift(SIDTAB_LEAF_ENTRIES), \
SIDTAB_INNER_SHIFT)
struct sidtab_node_leaf {
struct sidtab_entry_leaf entries[SIDTAB_LEAF_ENTRIES];
}; };
#define SIDTAB_HASH_BITS 7 struct sidtab_node_inner {
#define SIDTAB_HASH_BUCKETS (1 << SIDTAB_HASH_BITS) union sidtab_entry_inner entries[SIDTAB_INNER_ENTRIES];
#define SIDTAB_HASH_MASK (SIDTAB_HASH_BUCKETS-1) };
#define SIDTAB_SIZE SIDTAB_HASH_BUCKETS struct sidtab_isid_entry {
int set;
struct context context;
};
struct sidtab_convert_params {
int (*func)(struct context *oldc, struct context *newc, void *args);
void *args;
struct sidtab *target;
};
#define SIDTAB_RCACHE_SIZE 3
struct sidtab { struct sidtab {
struct sidtab_node **htable; union sidtab_entry_inner roots[SIDTAB_MAX_LEVEL + 1];
unsigned int nel; /* number of elements */ atomic_t count;
unsigned int next_sid; /* next SID to allocate */ struct sidtab_convert_params *convert;
unsigned char shutdown;
#define SIDTAB_CACHE_LEN 3
struct sidtab_node *cache[SIDTAB_CACHE_LEN];
spinlock_t lock; spinlock_t lock;
/* reverse lookup cache */
atomic_t rcache[SIDTAB_RCACHE_SIZE];
/* index == SID - 1 (no entry for SECSID_NULL) */
struct sidtab_isid_entry isids[SECINITSID_NUM];
}; };
int sidtab_init(struct sidtab *s); int sidtab_init(struct sidtab *s);
int sidtab_insert(struct sidtab *s, u32 sid, struct context *context); int sidtab_set_initial(struct sidtab *s, u32 sid, struct context *context);
struct context *sidtab_search(struct sidtab *s, u32 sid); struct context *sidtab_search(struct sidtab *s, u32 sid);
struct context *sidtab_search_force(struct sidtab *s, u32 sid); struct context *sidtab_search_force(struct sidtab *s, u32 sid);
int sidtab_map(struct sidtab *s, int sidtab_convert(struct sidtab *s, struct sidtab_convert_params *params);
int (*apply) (u32 sid,
struct context *context,
void *args),
void *args);
int sidtab_context_to_sid(struct sidtab *s, int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid);
struct context *context,
u32 *sid);
void sidtab_hash_eval(struct sidtab *h, char *tag);
void sidtab_destroy(struct sidtab *s); void sidtab_destroy(struct sidtab *s);
void sidtab_set(struct sidtab *dst, struct sidtab *src);
void sidtab_shutdown(struct sidtab *s);
#endif /* _SS_SIDTAB_H_ */ #endif /* _SS_SIDTAB_H_ */
......
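Review bot: The new `struct sidtab` mixes lock-free fields (`atomic_t count`, `atomic_t rcache[]`) with `spinlock_t lock`, `convert` and the `roots[]` tree, but the header gives no rule for which fields readers may touch without the lock and which are written only under it, which is exactly what a reader of `sidtab_search` versus `sidtab_context_to_sid` needs. Suggest a comment block above `struct sidtab` stating that `count` and `rcache[]` are accessed atomically by lock-free readers while `roots[]`, `convert` and the tree nodes are written only with `lock` held — confirm that against sidtab.c, which is collapsed on this page. The existing `SIDTAB_MAX_BITS 31 /* limited to INT_MAX due to atomic_t range */` is a good model for that kind of note. As a style point only, `int set;` in `struct sidtab_isid_entry` reads as a flag and could be `bool`.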