Commit 8c38fb5c authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'selinux-pr-20171113' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull SELinux updates from Paul Moore:
 "Seven SELinux patches for v4.15, although five of the seven are small
  build fixes and cleanups.

  Of the remaining two patches, the only one worth really calling out is
  Eric's fix for the SELinux filesystem xattr set/remove code; the other
  patch simply converts the SELinux hash table implementation to use
  kmem_cache.

  Eric's setxattr/removexattr tweak converts SELinux back to calling the
  commoncap implementations when the xattr is not SELinux related. The
  immediate win is to fixup filesystem capabilities in user namespaces,
  but it makes things a bit saner overall; more information in the
  commit description"

* tag 'selinux-pr-20171113' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: remove extraneous initialization of slots_used and max_chain_len
  selinux: remove redundant assignment to len
  selinux: remove redundant assignment to str
  selinux: fix build warning
  selinux: fix build warning by removing the unused sid variable
  selinux: Perform both commoncap and selinux xattr checks
  selinux: Use kmem_cache for hashtab_node
parents f9bab267 5794ed76
...@@ -2935,13 +2935,12 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, ...@@ -2935,13 +2935,12 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
{ {
const struct task_security_struct *tsec = current_security(); const struct task_security_struct *tsec = current_security();
struct superblock_security_struct *sbsec; struct superblock_security_struct *sbsec;
u32 sid, newsid, clen; u32 newsid, clen;
int rc; int rc;
char *context; char *context;
sbsec = dir->i_sb->s_security; sbsec = dir->i_sb->s_security;
sid = tsec->sid;
newsid = tsec->create_sid; newsid = tsec->create_sid;
rc = selinux_determine_inode_label(current_security(), rc = selinux_determine_inode_label(current_security(),
...@@ -3141,27 +3140,6 @@ static int selinux_inode_getattr(const struct path *path) ...@@ -3141,27 +3140,6 @@ static int selinux_inode_getattr(const struct path *path)
return path_has_perm(current_cred(), path, FILE__GETATTR); return path_has_perm(current_cred(), path, FILE__GETATTR);
} }
static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
{
const struct cred *cred = current_cred();
if (!strncmp(name, XATTR_SECURITY_PREFIX,
sizeof XATTR_SECURITY_PREFIX - 1)) {
if (!strcmp(name, XATTR_NAME_CAPS)) {
if (!capable(CAP_SETFCAP))
return -EPERM;
} else if (!capable(CAP_SYS_ADMIN)) {
/* A different attribute in the security namespace.
Restrict to administrator. */
return -EPERM;
}
}
/* Not an attribute we recognize, so just check the
ordinary setattr permission. */
return dentry_has_perm(cred, dentry, FILE__SETATTR);
}
static bool has_cap_mac_admin(bool audit) static bool has_cap_mac_admin(bool audit)
{ {
const struct cred *cred = current_cred(); const struct cred *cred = current_cred();
...@@ -3184,8 +3162,15 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, ...@@ -3184,8 +3162,15 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
u32 newsid, sid = current_sid(); u32 newsid, sid = current_sid();
int rc = 0; int rc = 0;
if (strcmp(name, XATTR_NAME_SELINUX)) if (strcmp(name, XATTR_NAME_SELINUX)) {
return selinux_inode_setotherxattr(dentry, name); rc = cap_inode_setxattr(dentry, name, value, size, flags);
if (rc)
return rc;
/* Not an attribute we recognize, so just check the
ordinary setattr permission. */
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}
sbsec = inode->i_sb->s_security; sbsec = inode->i_sb->s_security;
if (!(sbsec->flags & SBLABEL_MNT)) if (!(sbsec->flags & SBLABEL_MNT))
...@@ -3208,18 +3193,17 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, ...@@ -3208,18 +3193,17 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
if (!has_cap_mac_admin(true)) { if (!has_cap_mac_admin(true)) {
struct audit_buffer *ab; struct audit_buffer *ab;
size_t audit_size; size_t audit_size;
const char *str;
/* We strip a nul only if it is at the end, otherwise the /* We strip a nul only if it is at the end, otherwise the
* context contains a nul and we should audit that */ * context contains a nul and we should audit that */
if (value) { if (value) {
str = value; const char *str = value;
if (str[size - 1] == '\0') if (str[size - 1] == '\0')
audit_size = size - 1; audit_size = size - 1;
else else
audit_size = size; audit_size = size;
} else { } else {
str = "";
audit_size = 0; audit_size = 0;
} }
ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
...@@ -3299,8 +3283,15 @@ static int selinux_inode_listxattr(struct dentry *dentry) ...@@ -3299,8 +3283,15 @@ static int selinux_inode_listxattr(struct dentry *dentry)
static int selinux_inode_removexattr(struct dentry *dentry, const char *name) static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
{ {
if (strcmp(name, XATTR_NAME_SELINUX)) if (strcmp(name, XATTR_NAME_SELINUX)) {
return selinux_inode_setotherxattr(dentry, name); int rc = cap_inode_removexattr(dentry, name);
if (rc)
return rc;
/* Not an attribute we recognize, so just check the
ordinary setattr permission. */
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}
/* No one is allowed to remove a SELinux security label. /* No one is allowed to remove a SELinux security label.
You can change the label, but all data must be labeled. */ You can change the label, but all data must be labeled. */
...@@ -3995,8 +3986,8 @@ static int selinux_task_getioprio(struct task_struct *p) ...@@ -3995,8 +3986,8 @@ static int selinux_task_getioprio(struct task_struct *p)
PROCESS__GETSCHED, NULL); PROCESS__GETSCHED, NULL);
} }
int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
unsigned int flags) unsigned int flags)
{ {
u32 av = 0; u32 av = 0;
......
...@@ -361,7 +361,6 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list * ...@@ -361,7 +361,6 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
*ret_list = NULL; *ret_list = NULL;
len = 0;
rc = next_entry(buf, fp, sizeof(u32)); rc = next_entry(buf, fp, sizeof(u32));
if (rc) if (rc)
return rc; return rc;
......
...@@ -10,6 +10,8 @@ ...@@ -10,6 +10,8 @@
#include <linux/sched.h> #include <linux/sched.h>
#include "hashtab.h" #include "hashtab.h"
static struct kmem_cache *hashtab_node_cachep;
struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
u32 size) u32 size)
...@@ -58,7 +60,7 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum) ...@@ -58,7 +60,7 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum)
if (cur && (h->keycmp(h, key, cur->key) == 0)) if (cur && (h->keycmp(h, key, cur->key) == 0))
return -EEXIST; return -EEXIST;
newnode = kzalloc(sizeof(*newnode), GFP_KERNEL); newnode = kmem_cache_zalloc(hashtab_node_cachep, GFP_KERNEL);
if (!newnode) if (!newnode)
return -ENOMEM; return -ENOMEM;
newnode->key = key; newnode->key = key;
...@@ -107,7 +109,7 @@ void hashtab_destroy(struct hashtab *h) ...@@ -107,7 +109,7 @@ void hashtab_destroy(struct hashtab *h)
while (cur) { while (cur) {
temp = cur; temp = cur;
cur = cur->next; cur = cur->next;
kfree(temp); kmem_cache_free(hashtab_node_cachep, temp);
} }
h->htable[i] = NULL; h->htable[i] = NULL;
} }
...@@ -149,7 +151,7 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info) ...@@ -149,7 +151,7 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info)
slots_used = 0; slots_used = 0;
max_chain_len = 0; max_chain_len = 0;
for (slots_used = max_chain_len = i = 0; i < h->size; i++) { for (i = 0; i < h->size; i++) {
cur = h->htable[i]; cur = h->htable[i];
if (cur) { if (cur) {
slots_used++; slots_used++;
...@@ -167,3 +169,14 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info) ...@@ -167,3 +169,14 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info)
info->slots_used = slots_used; info->slots_used = slots_used;
info->max_chain_len = max_chain_len; info->max_chain_len = max_chain_len;
} }
void hashtab_cache_init(void)
{
hashtab_node_cachep = kmem_cache_create("hashtab_node",
sizeof(struct hashtab_node),
0, SLAB_PANIC, NULL);
}
void hashtab_cache_destroy(void)
{
kmem_cache_destroy(hashtab_node_cachep);
}
...@@ -85,4 +85,8 @@ int hashtab_map(struct hashtab *h, ...@@ -85,4 +85,8 @@ int hashtab_map(struct hashtab *h,
/* Fill info with some hash table statistics */ /* Fill info with some hash table statistics */
void hashtab_stat(struct hashtab *h, struct hashtab_info *info); void hashtab_stat(struct hashtab *h, struct hashtab_info *info);
/* Use kmem_cache for hashtab_node */
void hashtab_cache_init(void);
void hashtab_cache_destroy(void);
#endif /* _SS_HASHTAB_H */ #endif /* _SS_HASHTAB_H */
...@@ -2060,10 +2060,12 @@ int security_load_policy(void *data, size_t len) ...@@ -2060,10 +2060,12 @@ int security_load_policy(void *data, size_t len)
if (!ss_initialized) { if (!ss_initialized) {
avtab_cache_init(); avtab_cache_init();
ebitmap_cache_init(); ebitmap_cache_init();
hashtab_cache_init();
rc = policydb_read(&policydb, fp); rc = policydb_read(&policydb, fp);
if (rc) { if (rc) {
avtab_cache_destroy(); avtab_cache_destroy();
ebitmap_cache_destroy(); ebitmap_cache_destroy();
hashtab_cache_destroy();
goto out; goto out;
} }
...@@ -2075,6 +2077,7 @@ int security_load_policy(void *data, size_t len) ...@@ -2075,6 +2077,7 @@ int security_load_policy(void *data, size_t len)
policydb_destroy(&policydb); policydb_destroy(&policydb);
avtab_cache_destroy(); avtab_cache_destroy();
ebitmap_cache_destroy(); ebitmap_cache_destroy();
hashtab_cache_destroy();
goto out; goto out;
} }
...@@ -2083,6 +2086,7 @@ int security_load_policy(void *data, size_t len) ...@@ -2083,6 +2086,7 @@ int security_load_policy(void *data, size_t len)
policydb_destroy(&policydb); policydb_destroy(&policydb);
avtab_cache_destroy(); avtab_cache_destroy();
ebitmap_cache_destroy(); ebitmap_cache_destroy();
hashtab_cache_destroy();
goto out; goto out;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment