From 4f4acf3a478d5cada688f336f2229ab580f56113 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 26 Feb 2007 12:02:34 -0500 Subject: Always initialize scontext and scontext_len Always initialize *scontext and *scontext_len in security_sid_to_context. (via http://lkml.org/lkml/2007/2/23/135) Signed-off-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/ss/services.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'security/selinux/ss/services.c') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index ca9154dc5d82..1e52356664d6 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -609,6 +609,9 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) struct context *context; int rc = 0; + *scontext = NULL; + *scontext_len = 0; + if (!ss_initialized) { if (sid <= SECINITSID_NUM) { char *scontextp; -- cgit v1.2.3 From 5778eabd9cdbf16ea3e40248c452b4fd25554d11 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 28 Feb 2007 15:14:22 -0500 Subject: SELinux: extract the NetLabel SELinux support from the security server Up until this patch the functions which have provided NetLabel support to SELinux have been integrated into the SELinux security server, which for various reasons is not really ideal. This patch makes an effort to extract as much of the NetLabel support from the security server as possibile and move it into it's own file within the SELinux directory structure. Signed-off-by: Paul Moore Signed-off-by: James Morris --- security/selinux/ss/services.c | 423 ++++++----------------------------------- 1 file changed, 58 insertions(+), 365 deletions(-) (limited to 'security/selinux/ss/services.c') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 1e52356664d6..c8913c5dbe21 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2226,13 +2226,13 @@ void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid) #ifdef CONFIG_NETLABEL /* - * This is the structure we store inside the NetLabel cache block. + * NetLabel cache structure */ -#define NETLBL_CACHE(x) ((struct netlbl_cache *)(x)) +#define NETLBL_CACHE(x) ((struct selinux_netlbl_cache *)(x)) #define NETLBL_CACHE_T_NONE 0 #define NETLBL_CACHE_T_SID 1 #define NETLBL_CACHE_T_MLS 2 -struct netlbl_cache { +struct selinux_netlbl_cache { u32 type; union { u32 sid; @@ -2241,7 +2241,7 @@ struct netlbl_cache { }; /** - * selinux_netlbl_cache_free - Free the NetLabel cached data + * security_netlbl_cache_free - Free the NetLabel cached data * @data: the data to free * * Description: @@ -2249,9 +2249,9 @@ struct netlbl_cache { * netlbl_lsm_cache structure. * */ -static void selinux_netlbl_cache_free(const void *data) +static void security_netlbl_cache_free(const void *data) { - struct netlbl_cache *cache; + struct selinux_netlbl_cache *cache; if (data == NULL) return; @@ -2266,33 +2266,33 @@ static void selinux_netlbl_cache_free(const void *data) } /** - * selinux_netlbl_cache_add - Add an entry to the NetLabel cache - * @skb: the packet + * security_netlbl_cache_add - Add an entry to the NetLabel cache + * @secattr: the NetLabel packet security attributes * @ctx: the SELinux context * * Description: * Attempt to cache the context in @ctx, which was derived from the packet in - * @skb, in the NetLabel subsystem cache. + * @skb, in the NetLabel subsystem cache. This function assumes @secattr has + * already been initialized. * */ -static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx) +static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, + struct context *ctx) { - struct netlbl_cache *cache = NULL; - struct netlbl_lsm_secattr secattr; + struct selinux_netlbl_cache *cache = NULL; - netlbl_secattr_init(&secattr); - secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); - if (secattr.cache == NULL) - goto netlbl_cache_add_return; + secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); + if (secattr->cache == NULL) + return; cache = kzalloc(sizeof(*cache), GFP_ATOMIC); if (cache == NULL) - goto netlbl_cache_add_return; + return; cache->type = NETLBL_CACHE_T_MLS; if (ebitmap_cpy(&cache->data.mls_label.level[0].cat, &ctx->range.level[0].cat) != 0) - goto netlbl_cache_add_return; + return; cache->data.mls_label.level[1].cat.highbit = cache->data.mls_label.level[0].cat.highbit; cache->data.mls_label.level[1].cat.node = @@ -2300,52 +2300,40 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx) cache->data.mls_label.level[0].sens = ctx->range.level[0].sens; cache->data.mls_label.level[1].sens = ctx->range.level[0].sens; - secattr.cache->free = selinux_netlbl_cache_free; - secattr.cache->data = (void *)cache; - secattr.flags = NETLBL_SECATTR_CACHE; - - netlbl_cache_add(skb, &secattr); - -netlbl_cache_add_return: - netlbl_secattr_destroy(&secattr); + secattr->cache->free = security_netlbl_cache_free; + secattr->cache->data = (void *)cache; + secattr->flags |= NETLBL_SECATTR_CACHE; } /** - * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache - * - * Description: - * Invalidate the NetLabel security attribute mapping cache. - * - */ -void selinux_netlbl_cache_invalidate(void) -{ - netlbl_cache_invalidate(); -} - -/** - * selinux_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID - * @skb: the network packet + * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID * @secattr: the NetLabel packet security attributes * @base_sid: the SELinux SID to use as a context for MLS only attributes * @sid: the SELinux SID * * Description: - * Convert the given NetLabel packet security attributes in @secattr into a + * Convert the given NetLabel security attributes in @secattr into a * SELinux SID. If the @secattr field does not contain a full SELinux - * SID/context then use the context in @base_sid as the foundation. If @skb - * is not NULL attempt to cache as much data as possibile. Returns zero on - * success, negative values on failure. + * SID/context then use the context in @base_sid as the foundation. If + * possibile the 'cache' field of @secattr is set and the CACHE flag is set; + * this is to allow the @secattr to be used by NetLabel to cache the secattr to + * SID conversion for future lookups. Returns zero on success, negative + * values on failure. * */ -static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb, - struct netlbl_lsm_secattr *secattr, - u32 base_sid, - u32 *sid) +int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, + u32 base_sid, + u32 *sid) { int rc = -EIDRM; struct context *ctx; struct context ctx_new; - struct netlbl_cache *cache; + struct selinux_netlbl_cache *cache; + + if (!ss_initialized) { + *sid = SECSID_NULL; + return 0; + } POLICY_RDLOCK; @@ -2410,8 +2398,8 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb, if (rc != 0) goto netlbl_secattr_to_sid_return_cleanup; - if (skb != NULL) - selinux_netlbl_cache_add(skb, &ctx_new); + security_netlbl_cache_add(secattr, &ctx_new); + ebitmap_destroy(&ctx_new.range.level[0].cat); } else { *sid = SECSID_NULL; @@ -2427,338 +2415,43 @@ netlbl_secattr_to_sid_return_cleanup: } /** - * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel - * @skb: the packet - * @base_sid: the SELinux SID to use as a context for MLS only attributes - * @sid: the SID - * - * Description: - * Call the NetLabel mechanism to get the security attributes of the given - * packet and use those attributes to determine the correct context/SID to - * assign to the packet. Returns zero on success, negative values on failure. - * - */ -int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) -{ - int rc; - struct netlbl_lsm_secattr secattr; - - netlbl_secattr_init(&secattr); - rc = netlbl_skbuff_getattr(skb, &secattr); - if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) - rc = selinux_netlbl_secattr_to_sid(skb, - &secattr, - base_sid, - sid); - else - *sid = SECSID_NULL; - netlbl_secattr_destroy(&secattr); - - return rc; -} - -/** - * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism - * @sock: the socket to label - * @sid: the SID to use + * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr + * @sid: the SELinux SID + * @secattr: the NetLabel packet security attributes * * Description: - * Attempt to label a socket using the NetLabel mechanism using the given - * SID. Returns zero values on success, negative values on failure. The - * caller is responsibile for calling rcu_read_lock() before calling this - * this function and rcu_read_unlock() after this function returns. + * Convert the given SELinux SID in @sid into a NetLabel security attribute. + * Returns zero on success, negative values on failure. * */ -static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) +int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) { int rc = -ENOENT; - struct sk_security_struct *sksec = sock->sk->sk_security; - struct netlbl_lsm_secattr secattr; struct context *ctx; + netlbl_secattr_init(secattr); + if (!ss_initialized) return 0; - netlbl_secattr_init(&secattr); - POLICY_RDLOCK; - ctx = sidtab_search(&sidtab, sid); if (ctx == NULL) - goto netlbl_socket_setsid_return; - - secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], - GFP_ATOMIC); - secattr.flags |= NETLBL_SECATTR_DOMAIN; - mls_export_netlbl_lvl(ctx, &secattr); - rc = mls_export_netlbl_cat(ctx, &secattr); + goto netlbl_sid_to_secattr_failure; + secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], + GFP_ATOMIC); + secattr->flags |= NETLBL_SECATTR_DOMAIN; + mls_export_netlbl_lvl(ctx, secattr); + rc = mls_export_netlbl_cat(ctx, secattr); if (rc != 0) - goto netlbl_socket_setsid_return; - - rc = netlbl_socket_setattr(sock, &secattr); - if (rc == 0) { - spin_lock_bh(&sksec->nlbl_lock); - sksec->nlbl_state = NLBL_LABELED; - spin_unlock_bh(&sksec->nlbl_lock); - } - -netlbl_socket_setsid_return: + goto netlbl_sid_to_secattr_failure; POLICY_RDUNLOCK; - netlbl_secattr_destroy(&secattr); - return rc; -} - -/** - * selinux_netlbl_sk_security_reset - Reset the NetLabel fields - * @ssec: the sk_security_struct - * @family: the socket family - * - * Description: - * Called when the NetLabel state of a sk_security_struct needs to be reset. - * The caller is responsibile for all the NetLabel sk_security_struct locking. - * - */ -void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, - int family) -{ - if (family == PF_INET) - ssec->nlbl_state = NLBL_REQUIRE; - else - ssec->nlbl_state = NLBL_UNSET; -} - -/** - * selinux_netlbl_sk_security_init - Setup the NetLabel fields - * @ssec: the sk_security_struct - * @family: the socket family - * - * Description: - * Called when a new sk_security_struct is allocated to initialize the NetLabel - * fields. - * - */ -void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec, - int family) -{ - /* No locking needed, we are the only one who has access to ssec */ - selinux_netlbl_sk_security_reset(ssec, family); - spin_lock_init(&ssec->nlbl_lock); -} -/** - * selinux_netlbl_sk_security_clone - Copy the NetLabel fields - * @ssec: the original sk_security_struct - * @newssec: the cloned sk_security_struct - * - * Description: - * Clone the NetLabel specific sk_security_struct fields from @ssec to - * @newssec. - * - */ -void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, - struct sk_security_struct *newssec) -{ - /* We don't need to take newssec->nlbl_lock because we are the only - * thread with access to newssec, but we do need to take the RCU read - * lock as other threads could have access to ssec */ - rcu_read_lock(); - selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family); - newssec->sclass = ssec->sclass; - rcu_read_unlock(); -} - -/** - * selinux_netlbl_socket_post_create - Label a socket using NetLabel - * @sock: the socket to label - * - * Description: - * Attempt to label a socket using the NetLabel mechanism using the given - * SID. Returns zero values on success, negative values on failure. - * - */ -int selinux_netlbl_socket_post_create(struct socket *sock) -{ - int rc = 0; - struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; - struct sk_security_struct *sksec = sock->sk->sk_security; - - sksec->sclass = isec->sclass; - - rcu_read_lock(); - if (sksec->nlbl_state == NLBL_REQUIRE) - rc = selinux_netlbl_socket_setsid(sock, sksec->sid); - rcu_read_unlock(); - - return rc; -} - -/** - * selinux_netlbl_sock_graft - Netlabel the new socket - * @sk: the new connection - * @sock: the new socket - * - * Description: - * The connection represented by @sk is being grafted onto @sock so set the - * socket's NetLabel to match the SID of @sk. - * - */ -void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) -{ - struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; - struct sk_security_struct *sksec = sk->sk_security; - struct netlbl_lsm_secattr secattr; - u32 nlbl_peer_sid; - - sksec->sclass = isec->sclass; - - rcu_read_lock(); - - if (sksec->nlbl_state != NLBL_REQUIRE) { - rcu_read_unlock(); - return; - } - - netlbl_secattr_init(&secattr); - if (netlbl_sock_getattr(sk, &secattr) == 0 && - secattr.flags != NETLBL_SECATTR_NONE && - selinux_netlbl_secattr_to_sid(NULL, - &secattr, - SECINITSID_UNLABELED, - &nlbl_peer_sid) == 0) - sksec->peer_sid = nlbl_peer_sid; - netlbl_secattr_destroy(&secattr); - - /* Try to set the NetLabel on the socket to save time later, if we fail - * here we will pick up the pieces in later calls to - * selinux_netlbl_inode_permission(). */ - selinux_netlbl_socket_setsid(sock, sksec->sid); - - rcu_read_unlock(); -} - -/** - * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled - * @inode: the file descriptor's inode - * @mask: the permission mask - * - * Description: - * Looks at a file's inode and if it is marked as a socket protected by - * NetLabel then verify that the socket has been labeled, if not try to label - * the socket now with the inode's SID. Returns zero on success, negative - * values on failure. - * - */ -int selinux_netlbl_inode_permission(struct inode *inode, int mask) -{ - int rc; - struct sk_security_struct *sksec; - struct socket *sock; - - if (!S_ISSOCK(inode->i_mode) || - ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) - return 0; - sock = SOCKET_I(inode); - sksec = sock->sk->sk_security; - - rcu_read_lock(); - if (sksec->nlbl_state != NLBL_REQUIRE) { - rcu_read_unlock(); - return 0; - } - local_bh_disable(); - bh_lock_sock_nested(sock->sk); - rc = selinux_netlbl_socket_setsid(sock, sksec->sid); - bh_unlock_sock(sock->sk); - local_bh_enable(); - rcu_read_unlock(); - - return rc; -} - -/** - * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel - * @sksec: the sock's sk_security_struct - * @skb: the packet - * @ad: the audit data - * - * Description: - * Fetch the NetLabel security attributes from @skb and perform an access check - * against the receiving socket. Returns zero on success, negative values on - * error. - * - */ -int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, - struct sk_buff *skb, - struct avc_audit_data *ad) -{ - int rc; - u32 netlbl_sid; - u32 recv_perm; - - rc = selinux_netlbl_skbuff_getsid(skb, - SECINITSID_UNLABELED, - &netlbl_sid); - if (rc != 0) - return rc; - - if (netlbl_sid == SECSID_NULL) - return 0; - - switch (sksec->sclass) { - case SECCLASS_UDP_SOCKET: - recv_perm = UDP_SOCKET__RECVFROM; - break; - case SECCLASS_TCP_SOCKET: - recv_perm = TCP_SOCKET__RECVFROM; - break; - default: - recv_perm = RAWIP_SOCKET__RECVFROM; - } - - rc = avc_has_perm(sksec->sid, - netlbl_sid, - sksec->sclass, - recv_perm, - ad); - if (rc == 0) - return 0; - - netlbl_skbuff_err(skb, rc); - return rc; -} - -/** - * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel - * @sock: the socket - * @level: the socket level or protocol - * @optname: the socket option name - * - * Description: - * Check the setsockopt() call and if the user is trying to replace the IP - * options on a socket and a NetLabel is in place for the socket deny the - * access; otherwise allow the access. Returns zero when the access is - * allowed, -EACCES when denied, and other negative values on error. - * - */ -int selinux_netlbl_socket_setsockopt(struct socket *sock, - int level, - int optname) -{ - int rc = 0; - struct sk_security_struct *sksec = sock->sk->sk_security; - struct netlbl_lsm_secattr secattr; - - rcu_read_lock(); - if (level == IPPROTO_IP && optname == IP_OPTIONS && - sksec->nlbl_state == NLBL_LABELED) { - netlbl_secattr_init(&secattr); - rc = netlbl_socket_getattr(sock, &secattr); - if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) - rc = -EACCES; - netlbl_secattr_destroy(&secattr); - } - rcu_read_unlock(); + return 0; +netlbl_sid_to_secattr_failure: + POLICY_RDUNLOCK; + netlbl_secattr_destroy(secattr); return rc; } #endif /* CONFIG_NETLABEL */ -- cgit v1.2.3 From c60475bf35fc5fa10198df89187ab148527e72f7 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 28 Feb 2007 15:14:23 -0500 Subject: SELinux: rename selinux_netlabel.h to netlabel.h In the beginning I named the file selinux_netlabel.h to avoid potential namespace colisions. However, over time I have realized that there are several other similar cases of multiple header files with the same name so I'm changing the name to something which better fits with existing naming conventions. Signed-off-by: Paul Moore Signed-off-by: James Morris --- security/selinux/ss/services.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/selinux/ss/services.c') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index c8913c5dbe21..f4129f589313 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -53,7 +53,7 @@ #include "conditional.h" #include "mls.h" #include "objsec.h" -#include "selinux_netlabel.h" +#include "netlabel.h" #include "xfrm.h" #include "ebitmap.h" -- cgit v1.2.3 From 4f6a993f96a256e83b9be7612f958c7bc4ca9f00 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 1 Mar 2007 14:35:22 -0500 Subject: SELinux: move security_skb_extlbl_sid() out of the security server As suggested, move the security_skb_extlbl_sid() function out of the security server and into the SELinux hooks file. Signed-off-by: Paul Moore Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/ss/services.c | 27 --------------------------- 1 file changed, 27 deletions(-) (limited to 'security/selinux/ss/services.c') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f4129f589313..8ee4aaef1094 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -39,7 +39,6 @@ #include #include #include -#include #include #include "flask.h" @@ -2198,32 +2197,6 @@ void selinux_audit_set_callback(int (*callback)(void)) aurule_callback = callback; } -/** - * security_skb_extlbl_sid - Determine the external label of a packet - * @skb: the packet - * @base_sid: the SELinux SID to use as a context for MLS only external labels - * @sid: the packet's SID - * - * Description: - * Check the various different forms of external packet labeling and determine - * the external SID for the packet. - * - */ -void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid) -{ - u32 xfrm_sid; - u32 nlbl_sid; - - selinux_skb_xfrm_sid(skb, &xfrm_sid); - if (selinux_netlbl_skbuff_getsid(skb, - (xfrm_sid == SECSID_NULL ? - base_sid : xfrm_sid), - &nlbl_sid) != 0) - nlbl_sid = SECSID_NULL; - - *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); -} - #ifdef CONFIG_NETLABEL /* * NetLabel cache structure -- cgit v1.2.3 From a764ae4b0781fac75f9657bc737c37ae59888389 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 26 Mar 2007 13:36:26 -0400 Subject: selinux: remove userland security class and permission definitions Remove userland security class and permission definitions from the kernel as the kernel only needs to use and validate its own class and permission definitions and userland definitions may change. Signed-off-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/ss/services.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'security/selinux/ss/services.c') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 8ee4aaef1094..d3698568a213 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1049,6 +1049,8 @@ static int validate_classes(struct policydb *p) for (i = 1; i < kdefs->cts_len; i++) { def_class = kdefs->class_to_string[i]; + if (!def_class) + continue; if (i > p->p_classes.nprim) { printk(KERN_INFO "security: class %s not defined in policy\n", -- cgit v1.2.3 From f0ee2e467ffa68c3122128b704c1540ee294b748 Mon Sep 17 00:00:00 2001 From: James Carter Date: Wed, 4 Apr 2007 10:11:29 -0400 Subject: selinux: export initial SID contexts via selinuxfs Make the initial SID contexts accessible to userspace via selinuxfs. An initial use of this support will be to make the unlabeled context available to libselinux for use for invalidated userspace SIDs. Signed-off-by: James Carter Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/ss/services.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'security/selinux/ss/services.c') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index d3698568a213..21b8318979e3 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -593,6 +593,13 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 #include "initial_sid_to_string.h" +const char *security_get_initial_sid_context(u32 sid) +{ + if (unlikely(sid > SECINITSID_NUM)) + return NULL; + return initial_sid_to_string[sid]; +} + /** * security_sid_to_context - Obtain a context for a given SID. * @sid: security identifier, SID -- cgit v1.2.3 From e900a7d90ae1486ac95c10e0b7337fc2c2eda529 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Thu, 19 Apr 2007 14:16:19 -0400 Subject: selinux: preserve boolean values across policy reloads At present, the userland policy loading code has to go through contortions to preserve boolean values across policy reloads, and cannot do so atomically. As this is what we always want to do for reloads, let the kernel preserve them instead. Signed-off-by: Stephen Smalley Acked-by: Karl MacMillan Signed-off-by: James Morris --- security/selinux/ss/services.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) (limited to 'security/selinux/ss/services.c') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 21b8318979e3..40660ffd49b6 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1257,6 +1257,7 @@ bad: } extern void selinux_complete_init(void); +static int security_preserve_bools(struct policydb *p); /** * security_load_policy - Load a security policy configuration. @@ -1333,6 +1334,12 @@ int security_load_policy(void *data, size_t len) goto err; } + rc = security_preserve_bools(&newpolicydb); + if (rc) { + printk(KERN_ERR "security: unable to preserve booleans\n"); + goto err; + } + /* Clone the SID table. */ sidtab_shutdown(&sidtab); if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { @@ -1890,6 +1897,37 @@ out: return rc; } +static int security_preserve_bools(struct policydb *p) +{ + int rc, nbools = 0, *bvalues = NULL, i; + char **bnames = NULL; + struct cond_bool_datum *booldatum; + struct cond_node *cur; + + rc = security_get_bools(&nbools, &bnames, &bvalues); + if (rc) + goto out; + for (i = 0; i < nbools; i++) { + booldatum = hashtab_search(p->p_bools.table, bnames[i]); + if (booldatum) + booldatum->state = bvalues[i]; + } + for (cur = p->cond_list; cur != NULL; cur = cur->next) { + rc = evaluate_cond_node(p, cur); + if (rc) + goto out; + } + +out: + if (bnames) { + for (i = 0; i < nbools; i++) + kfree(bnames[i]); + } + kfree(bnames); + kfree(bvalues); + return rc; +} + /* * security_sid_mls_copy() - computes a new sid based on the given * sid and the mls portion of mls_sid. -- cgit v1.2.3