- 23 6月, 2006 1 次提交
-
-
由 Michael LeMay 提交于
Introduce SELinux hooks to support the access key retention subsystem within the kernel. Incorporate new flask headers from a modified version of the SELinux reference policy, with support for the new security class representing retained keys. Extend the "key_alloc" security hook with a task parameter representing the intended ownership context for the key being allocated. Attach security information to root's default keyrings within the SELinux initialization routine. Has passed David's testsuite. Signed-off-by: NMichael LeMay <mdlemay@epoch.ncsc.mil> Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org> Acked-by: NChris Wright <chrisw@sous-sol.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 18 6月, 2006 3 次提交
-
-
由 James Morris 提交于
Add new per-packet access controls to SELinux, replacing the old packet controls. Packets are labeled with the iptables SECMARK and CONNSECMARK targets, then security policy for the packets is enforced with these controls. To allow for a smooth transition to the new controls, the old code is still present, but not active by default. To restore previous behavior, the old controls may be activated at runtime by writing a '1' to /selinux/compat_net, and also via the kernel boot parameter selinux_compat_net. Switching between the network control models requires the security load_policy permission. The old controls will probably eventually be removed and any continued use is discouraged. With this patch, the new secmark controls for SElinux are disabled by default, so existing behavior is entirely preserved, and the user is not affected at all. It also provides a config option to enable the secmark controls by default (which can always be overridden at boot and runtime). It is also noted in the kconfig help that the user will need updated userspace if enabling secmark controls for SELinux and that they'll probably need the SECMARK and CONNMARK targets, and conntrack protocol helpers, although such decisions are beyond the scope of kernel configuration. Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Christopher J. PeBenito 提交于
Add a security class for appletalk sockets so that they can be distinguished in SELinux policy. Please apply. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Catherine Zhang 提交于
This patch contains a fix for the previous patch that adds security contexts to IPsec policies and security associations. In the previous patch, no authorization (besides the check for write permissions to SAD and SPD) is required to delete IPsec policies and security assocations with security contexts. Thus a user authorized to change SAD and SPD can bypass the IPsec policy authorization by simply deleteing policies with security contexts. To fix this security hole, an additional authorization check is added for removing security policies and security associations with security contexts. Note that if no security context is supplied on add or present on policy to be deleted, the SELinux module allows the change unconditionally. The hook is called on deletion when no context is present, which we may want to change. At present, I left it up to the module. LSM changes: The patch adds two new LSM hooks: xfrm_policy_delete and xfrm_state_delete. The new hooks are necessary to authorize deletion of IPsec policies that have security contexts. The existing hooks xfrm_policy_free and xfrm_state_free lack the context to do the authorization, so I decided to split authorization of deletion and memory management of security data, as is typical in the LSM interface. Use: The new delete hooks are checked when xfrm_policy or xfrm_state are deleted by either the xfrm_user interface (xfrm_get_policy, xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete). SELinux changes: The new policy_delete and state_delete functions are added. Signed-off-by: NCatherine Zhang <cxzhang@watson.ibm.com> Signed-off-by: NTrent Jaeger <tjaeger@cse.psu.edu> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 06 6月, 2006 1 次提交
-
-
由 Stephen Smalley 提交于
From: Stephen Smalley <sds@tycho.nsa.gov> Fix unsafe nesting of sb_lock inside sb_security_lock in selinux_complete_init. Detected by the kernel locking validator. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 22 5月, 2006 1 次提交
-
-
由 Alexey Dobriyan 提交于
Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 04 5月, 2006 1 次提交
-
-
由 Stephen Smalley 提交于
Clear selinux_enabled flag upon runtime disable of SELinux by userspace, and make sure it is defined even if selinux= boot parameter support is not enabled in configuration. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NJames Morris <jmorris@namei.org> Tested-by: NJon Smirl <jonsmirl@gmail.com> Acked-by: NAl Viro <viro@zeniv.linux.org.uk> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 01 5月, 2006 1 次提交
-
-
由 Steve Grubb 提交于
Hi, The patch below converts IPC auditing to collect sid's and convert to context string only if it needs to output an audit record. This patch depends on the inode audit change patch already being applied. Signed-off-by: NSteve Grubb <sgrubb@redhat.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 22 3月, 2006 3 次提交
-
-
由 James Morris 提交于
Add a slab cache for the SELinux inode security struct, one of which is allocated for every inode instantiated by the system. The memory savings are considerable. On 64-bit, instead of the size-128 cache, we have a slab object of 96 bytes, saving 32 bytes per object. After booting, I see about 4000 of these and then about 17,000 after a kernel compile. With this patch, we save around 530KB of kernel memory in the latter case. On 32-bit, the savings are about half of this. Signed-off-by: NJames Morris <jmorris@namei.org> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 James Morris 提交于
Remove an unneded pointer variable in selinux_inode_init_security(). Signed-off-by: NJames Morris <jmorris@namei.org> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Stephen Smalley 提交于
This patch disables the automatic labeling of new inodes on disk when no policy is loaded. Discussion is here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180296 In short, we're changing the behavior so that when no policy is loaded, SELinux does not label files at all. Currently it does add an 'unlabeled' label in this case, which we've found causes problems later. SELinux always maintains a safe internal label if there is none, so with this patch, we just stick with that and wait until a policy is loaded before adding a persistent label on disk. The effect is simply that if you boot with SELinux enabled but no policy loaded and create a file in that state, SELinux won't try to set a security extended attribute on the new inode on the disk. This is the only sane behavior for SELinux in that state, as it cannot determine the right label to assign in the absence of a policy. That state usually doesn't occur, but the rawhide installer seemed to be misbehaving temporarily so it happened to show up on a test install. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 21 3月, 2006 3 次提交
-
-
由 Catherine Zhang 提交于
This patch implements an application of the LSM-IPSec networking controls whereby an application can determine the label of the security association its TCP or UDP sockets are currently connected to via getsockopt and the auxiliary data mechanism of recvmsg. Patch purpose: This patch enables a security-aware application to retrieve the security context of an IPSec security association a particular TCP or UDP socket is using. The application can then use this security context to determine the security context for processing on behalf of the peer at the other end of this connection. In the case of UDP, the security context is for each individual packet. An example application is the inetd daemon, which could be modified to start daemons running at security contexts dependent on the remote client. Patch design approach: - Design for TCP The patch enables the SELinux LSM to set the peer security context for a socket based on the security context of the IPSec security association. The application may retrieve this context using getsockopt. When called, the kernel determines if the socket is a connected (TCP_ESTABLISHED) TCP socket and, if so, uses the dst_entry cache on the socket to retrieve the security associations. If a security association has a security context, the context string is returned, as for UNIX domain sockets. - Design for UDP Unlike TCP, UDP is connectionless. This requires a somewhat different API to retrieve the peer security context. With TCP, the peer security context stays the same throughout the connection, thus it can be retrieved at any time between when the connection is established and when it is torn down. With UDP, each read/write can have different peer and thus the security context might change every time. As a result the security context retrieval must be done TOGETHER with the packet retrieval. The solution is to build upon the existing Unix domain socket API for retrieving user credentials. Linux offers the API for obtaining user credentials via ancillary messages (i.e., out of band/control messages that are bundled together with a normal message). Patch implementation details: - Implementation for TCP The security context can be retrieved by applications using getsockopt with the existing SO_PEERSEC flag. As an example (ignoring error checking): getsockopt(sockfd, SOL_SOCKET, SO_PEERSEC, optbuf, &optlen); printf("Socket peer context is: %s\n", optbuf); The SELinux function, selinux_socket_getpeersec, is extended to check for labeled security associations for connected (TCP_ESTABLISHED == sk->sk_state) TCP sockets only. If so, the socket has a dst_cache of struct dst_entry values that may refer to security associations. If these have security associations with security contexts, the security context is returned. getsockopt returns a buffer that contains a security context string or the buffer is unmodified. - Implementation for UDP To retrieve the security context, the application first indicates to the kernel such desire by setting the IP_PASSSEC option via getsockopt. Then the application retrieves the security context using the auxiliary data mechanism. An example server application for UDP should look like this: toggle = 1; toggle_len = sizeof(toggle); setsockopt(sockfd, SOL_IP, IP_PASSSEC, &toggle, &toggle_len); recvmsg(sockfd, &msg_hdr, 0); if (msg_hdr.msg_controllen > sizeof(struct cmsghdr)) { cmsg_hdr = CMSG_FIRSTHDR(&msg_hdr); if (cmsg_hdr->cmsg_len <= CMSG_LEN(sizeof(scontext)) && cmsg_hdr->cmsg_level == SOL_IP && cmsg_hdr->cmsg_type == SCM_SECURITY) { memcpy(&scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext)); } } ip_setsockopt is enhanced with a new socket option IP_PASSSEC to allow a server socket to receive security context of the peer. A new ancillary message type SCM_SECURITY. When the packet is received we get the security context from the sec_path pointer which is contained in the sk_buff, and copy it to the ancillary message space. An additional LSM hook, selinux_socket_getpeersec_udp, is defined to retrieve the security context from the SELinux space. The existing function, selinux_socket_getpeersec does not suit our purpose, because the security context is copied directly to user space, rather than to kernel space. Testing: We have tested the patch by setting up TCP and UDP connections between applications on two machines using the IPSec policies that result in labeled security associations being built. For TCP, we can then extract the peer security context using getsockopt on either end. For UDP, the receiving end can retrieve the security context using the auxiliary data mechanism of recvmsg. Signed-off-by: NCatherine Zhang <cxzhang@watson.ibm.com> Acked-by: NJames Morris <jmorris@namei.org> Acked-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Dustin Kirkland 提交于
This patch fixes a couple of bugs revealed in new features recently added to -mm1: * fixes warnings due to inconsistent use of const struct inode *inode * fixes bug that prevent a kernel from booting with audit on, and SELinux off due to a missing function in security/dummy.c * fixes a bug that throws spurious audit_panic() messages due to a missing return just before an error_path label * some reasonable house cleaning in audit_ipc_context(), audit_inode_context(), and audit_log_task_context() Signed-off-by: NDustin Kirkland <dustin.kirkland@us.ibm.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Dustin Kirkland 提交于
This patch extends existing audit records with subject/object context information. Audit records associated with filesystem inodes, ipc, and tasks now contain SELinux label information in the field "subj" if the item is performing the action, or in "obj" if the item is the receiver of an action. These labels are collected via hooks in SELinux and appended to the appropriate record in the audit code. This additional information is required for Common Criteria Labeled Security Protection Profile (LSPP). [AV: fixed kmalloc flags use] [folded leak fixes] [folded cleanup from akpm (kfree(NULL)] [folded audit_inode_context() leak fix] [folded akpm's fix for audit_ipc_perm() definition in case of !CONFIG_AUDIT] Signed-off-by: NDustin Kirkland <dustin.kirkland@us.ibm.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 12 3月, 2006 1 次提交
-
-
由 Stephen Smalley 提交于
Fix SELinux to not reset the tracer SID when the child is already being traced, since selinux_ptrace is also called by proc for access checking outside of the context of a ptrace attach. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NJames Morris <jmorris@namei.org> Acked-by: NChris Wright <chrisw@sous-sol.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 06 2月, 2006 1 次提交
-
-
由 Stephen Smalley 提交于
Make SELinux depend on SECURITY_NETWORK (which depends on SECURITY), as it requires the socket hooks for proper operation even in the local case. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 02 2月, 2006 3 次提交
-
-
由 Stephen Smalley 提交于
Remove the SELinux security structure magic number fields and tests, along with some unnecessary tests for NULL security pointers. These fields and tests are leftovers from the early attempts to support SELinux as a loadable module during LSM development. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Stephen Smalley 提交于
This patch changes the SELinux file_alloc_security function to use GFP_KERNEL rather than GFP_ATOMIC; the use of GFP_ATOMIC appears to be a remnant of when this function was being called with the files_lock spinlock held, and is no longer necessary. Please apply. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Stephen Smalley 提交于
Fix the SELinux mprotect checks on executable mappings so that they are not re-applied when the mapping is already executable as well as cleaning up the code. This avoids a situation where e.g. an application is prevented from removing PROT_WRITE on an already executable mapping previously authorized via execmem permission due to an execmod denial. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 15 1月, 2006 1 次提交
-
-
由 Arjan van de Ven 提交于
Remove the "inline" keyword from a bunch of big functions in the kernel with the goal of shrinking it by 30kb to 40kb Signed-off-by: NArjan van de Ven <arjan@infradead.org> Signed-off-by: NIngo Molnar <mingo@elte.hu> Acked-by: NJeff Garzik <jgarzik@pobox.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 09 1月, 2006 1 次提交
-
-
由 Nick Piggin 提交于
Use atomic_inc_not_zero for rcu files instead of special case rcuref. Signed-off-by: NNick Piggin <npiggin@suse.de> Cc: "Paul E. McKenney" <paulmck@us.ibm.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 04 1月, 2006 1 次提交
-
-
由 Trent Jaeger 提交于
This patch series implements per packet access control via the extension of the Linux Security Modules (LSM) interface by hooks in the XFRM and pfkey subsystems that leverage IPSec security associations to label packets. Extensions to the SELinux LSM are included that leverage the patch for this purpose. This patch implements the changes necessary to the SELinux LSM to create, deallocate, and use security contexts for policies (xfrm_policy) and security associations (xfrm_state) that enable control of a socket's ability to send and receive packets. Patch purpose: The patch is designed to enable the SELinux LSM to implement access control on individual packets based on the strongly authenticated IPSec security association. Such access controls augment the existing ones in SELinux based on network interface and IP address. The former are very coarse-grained, and the latter can be spoofed. By using IPSec, the SELinux can control access to remote hosts based on cryptographic keys generated using the IPSec mechanism. This enables access control on a per-machine basis or per-application if the remote machine is running the same mechanism and trusted to enforce the access control policy. Patch design approach: The patch's main function is to authorize a socket's access to a IPSec policy based on their security contexts. Since the communication is implemented by a security association, the patch ensures that the security association's negotiated and used have the same security context. The patch enables allocation and deallocation of such security contexts for policies and security associations. It also enables copying of the security context when policies are cloned. Lastly, the patch ensures that packets that are sent without using a IPSec security assocation with a security context are allowed to be sent in that manner. A presentation available at www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf from the SELinux symposium describes the overall approach. Patch implementation details: The function which authorizes a socket to perform a requested operation (send/receive) on a IPSec policy (xfrm_policy) is selinux_xfrm_policy_lookup. The Netfilter and rcv_skb hooks ensure that if a IPSec SA with a securit y association has not been used, then the socket is allowed to send or receive the packet, respectively. The patch implements SELinux function for allocating security contexts when policies (xfrm_policy) are created via the pfkey or xfrm_user interfaces via selinux_xfrm_policy_alloc. When a security association is built, SELinux allocates the security context designated by the XFRM subsystem which is based on that of the authorized policy via selinux_xfrm_state_alloc. When a xfrm_policy is cloned, the security context of that policy, if any, is copied to the clone via selinux_xfrm_policy_clone. When a xfrm_policy or xfrm_state is freed, its security context, if any is also freed at selinux_xfrm_policy_free or selinux_xfrm_state_free. Testing: The SELinux authorization function is tested using ipsec-tools. We created policies and security associations with particular security contexts and added SELinux access control policy entries to verify the authorization decision. We also made sure that packets for which no security context was supplied (which either did or did not use security associations) were authorized using an unlabelled context. Signed-off-by: NTrent Jaeger <tjaeger@cse.psu.edu> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 09 11月, 2005 1 次提交
-
-
由 Stephen Smalley 提交于
This patch disables the setting of SELinux xattrs on files created in filesystems labeled via mountpoint labeling (mounted with the context= option). selinux_inode_setxattr already prevents explicit setxattr from userspace on such filesystems, so this provides consistent behavior for file creation. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 31 10月, 2005 6 次提交
-
-
由 Oleg Nesterov 提交于
This patch simplifies some checks for magic siginfo values. It should not change the behaviour in any way. Signed-off-by: NOleg Nesterov <oleg@tv-sign.ru> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Oleg Nesterov 提交于
This patch replaces hardcoded SEND_SIG_xxx constants with their symbolic names. No changes in affected .o files. Signed-off-by: NOleg Nesterov <oleg@tv-sign.ru> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Eric Dumazet 提交于
Now that RCU applied on 'struct file' seems stable, we can place f_rcuhead in a memory location that is not anymore used at call_rcu(&f->f_rcuhead, file_free_rcu) time, to reduce the size of this critical kernel object. The trick I used is to move f_rcuhead and f_list in an union called f_u The callers are changed so that f_rcuhead becomes f_u.fu_rcuhead and f_list becomes f_u.f_list Signed-off-by: NEric Dumazet <dada1@cosmosbay.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Andrew Morton 提交于
security/selinux/hooks.c: In function `selinux_inode_getxattr': security/selinux/hooks.c:2193: warning: unused variable `sbsec' Cc: James Morris <jmorris@namei.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 James Morris 提交于
This patch allows SELinux to canonicalize the value returned from getxattr() via the security_inode_getsecurity() hook, which is called after the fs level getxattr() function. The purpose of this is to allow the in-core security context for an inode to override the on-disk value. This could happen in cases such as upgrading a system to a different labeling form (e.g. standard SELinux to MLS) without needing to do a full relabel of the filesystem. In such cases, we want getxattr() to return the canonical security context that the kernel is using rather than what is stored on disk. The implementation hooks into the inode_getsecurity(), adding another parameter to indicate the result of the preceding fs-level getxattr() call, so that SELinux knows whether to compare a value obtained from disk with the kernel value. We also now allow getxattr() to work for mountpoint labeled filesystems (i.e. mount with option context=foo_t), as we are able to return the kernel value to the user. Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 James Morris 提交于
This patch converts SELinux code from kmalloc/memset to the new kazalloc unction. On i386, this results in a text saving of over 1K. Before: text data bss dec hex filename 86319 4642 15236 106197 19ed5 security/selinux/built-in.o After: text data bss dec hex filename 85278 4642 15236 105156 19ac4 security/selinux/built-in.o Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 28 10月, 2005 1 次提交
-
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 01 10月, 2005 1 次提交
-
-
由 James Morris 提交于
The following patch updates the way SELinux classifies and handles IP based protocols. Currently, IP sockets are classified by SELinux as being either TCP, UDP or 'Raw', the latter being a default for IP socket that is not TCP or UDP. The classification code is out of date and uses only the socket type parameter to socket(2) to determine the class of IP socket. So, any socket created with SOCK_STREAM will be classified by SELinux as TCP, and SOCK_DGRAM as UDP. Also, other socket types such as SOCK_SEQPACKET and SOCK_DCCP are currently ignored by SELinux, which classifies them as generic sockets, which means they don't even get basic IP level checking. This patch changes the SELinux IP socket classification logic, so that only an IPPROTO_IP protocol value passed to socket(2) classify the socket as TCP or UDP. The patch also drops the check for SOCK_RAW and converts it into a default, so that socket types like SOCK_DCCP and SOCK_SEQPACKET are classified as SECCLASS_RAWIP_SOCKET (instead of generic sockets). Note that protocol-specific support for SCTP, DCCP etc. is not addressed here, we're just getting these protocols checked at the IP layer. This fixes a reported problem where SCTP sockets were being recognized as generic SELinux sockets yet still being passed in one case to an IP level check, which then fails for generic sockets. It will also fix bugs where any SOCK_STREAM socket is classified as TCP or any SOCK_DGRAM socket is classified as UDP. This patch also unifies the way IP sockets classes are determined in selinux_socket_bind(), so we use the already calculated value instead of trying to recalculate it. Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 10 9月, 2005 6 次提交
-
-
由 Dipankar Sarma 提交于
With the use of RCU in files structure, the look-up of files using fds can now be lock-free. The lookup is protected by rcu_read_lock()/rcu_read_unlock(). This patch changes the readers to use lock-free lookup. Signed-off-by: NManeesh Soni <maneesh@in.ibm.com> Signed-off-by: NRavikiran Thirumalai <kiran_th@gmail.com> Signed-off-by: NDipankar Sarma <dipankar@in.ibm.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Dipankar Sarma 提交于
In order for the RCU to work, the file table array, sets and their sizes must be updated atomically. Instead of ensuring this through too many memory barriers, we put the arrays and their sizes in a separate structure. This patch takes the first step of putting the file table elements in a separate structure fdtable that is embedded withing files_struct. It also changes all the users to refer to the file table using files_fdtable() macro. Subsequent applciation of RCU becomes easier after this. Signed-off-by: NDipankar Sarma <dipankar@in.ibm.com> Signed-Off-By: NDavid Howells <dhowells@redhat.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Stephen Smalley 提交于
This patch removes the inode_post_link and inode_post_rename LSM hooks as they are unused (and likely useless). Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Stephen Smalley 提交于
This patch removes the inode_post_create/mkdir/mknod/symlink LSM hooks as they are obsoleted by the new inode_init_security hook that enables atomic inode security labeling. If anyone sees any reason to retain these hooks, please speak now. Also, is anyone using the post_rename/link hooks; if not, those could also be removed. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Stephen Smalley 提交于
This patch modifies tmpfs to call the inode_init_security LSM hook to set up the incore inode security state for new inodes before the inode becomes accessible via the dcache. As there is no underlying storage of security xattrs in this case, it is not necessary for the hook to return the (name, value, len) triple to the tmpfs code, so this patch also modifies the SELinux hook function to correctly handle the case where the (name, value, len) pointers are NULL. The hook call is needed in tmpfs in order to support proper security labeling of tmpfs inodes (e.g. for udev with tmpfs /dev in Fedora). With this change in place, we should then be able to remove the security_inode_post_create/mkdir/... hooks safely. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Cc: Hugh Dickins <hugh@veritas.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Stephen Smalley 提交于
The following patch set enables atomic security labeling of newly created inodes by altering the fs code to invoke a new LSM hook to obtain the security attribute to apply to a newly created inode and to set up the incore inode security state during the inode creation transaction. This parallels the existing processing for setting ACLs on newly created inodes. Otherwise, it is possible for new inodes to be accessed by another thread via the dcache prior to complete security setup (presently handled by the post_create/mkdir/... LSM hooks in the VFS) and a newly created inode may be left unlabeled on the disk in the event of a crash. SELinux presently works around the issue by ensuring that the incore inode security label is initialized to a special SID that is inaccessible to unprivileged processes (in accordance with policy), thereby preventing inappropriate access but potentially causing false denials on legitimate accesses. A simple test program demonstrates such false denials on SELinux, and the patch solves the problem. Similar such false denials have been encountered in real applications. This patch defines a new inode_init_security LSM hook to obtain the security attribute to apply to a newly created inode and to set up the incore inode security state for it, and adds a corresponding hook function implementation to SELinux. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 30 8月, 2005 1 次提交
-
-
由 James Morris 提交于
Also, support dccp sockets. Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 29 7月, 2005 1 次提交
-
-
由 Stephen Smalley 提交于
This patch fixes the address length checks in the selinux_socket_connect hook to be no more restrictive than the underlying ipv4 and ipv6 code; otherwise, this hook can reject valid connect calls. This patch is in response to a bug report where an application was calling connect on an INET6 socket with an address that didn't include the optional scope id and failing due to these checks. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NJames Morris <jmorris@redhat.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 28 7月, 2005 1 次提交
-
-
由 James Morris 提交于
Implement kernel labeling of the MLS (multilevel security) field of security contexts for files which have no existing MLS field. This is to enable upgrades of a system from non-MLS to MLS without performing a full filesystem relabel including all of the mountpoints, which would be quite painful for users. With this patch, with MLS enabled, if a file has no MLS field, the kernel internally adds an MLS field to the in-core inode (but not to the on-disk file). This MLS field added is the default for the superblock, allowing per-mountpoint control over the values via fixed policy or mount options. This patch has been tested by enabling MLS without relabeling its filesystem, and seems to be working correctly. Signed-off-by: NJames Morris <jmorris@redhat.com> Signed-off-by: NStephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-