1. 08 3月, 2010 1 次提交
  2. 07 10月, 2009 1 次提交
    • S
      selinux: dynamic class/perm discovery · c6d3aaa4
      Stephen Smalley 提交于
      Modify SELinux to dynamically discover class and permission values
      upon policy load, based on the dynamic object class/perm discovery
      logic from libselinux.  A mapping is created between kernel-private
      class and permission indices used outside the security server and the
      policy values used within the security server.
      
      The mappings are only applied upon kernel-internal computations;
      similar mappings for the private indices of userspace object managers
      is handled on a per-object manager basis by the userspace AVC.  The
      interfaces for compute_av and transition_sid are split for kernel
      vs. userspace; the userspace functions are distinguished by a _user
      suffix.
      
      The kernel-private class indices are no longer tied to the policy
      values and thus do not need to skip indices for userspace classes;
      thus the kernel class index values are compressed.  The flask.h
      definitions were regenerated by deleting the userspace classes from
      refpolicy's definitions and then regenerating the headers.  Going
      forward, we can just maintain the flask.h, av_permissions.h, and
      classmap.h definitions separately from policy as they are no longer
      tied to the policy values.  The next patch introduces a utility to
      automate generation of flask.h and av_permissions.h from the
      classmap.h definitions.
      
      The older kernel class and permission string tables are removed and
      replaced by a single security class mapping table that is walked at
      policy load to generate the mapping.  The old kernel class validation
      logic is completely replaced by the mapping logic.
      
      The handle unknown logic is reworked.  reject_unknown=1 is handled
      when the mappings are computed at policy load time, similar to the old
      handling by the class validation logic.  allow_unknown=1 is handled
      when computing and mapping decisions - if the permission was not able
      to be mapped (i.e. undefined, mapped to zero), then it is
      automatically added to the allowed vector.  If the class was not able
      to be mapped (i.e. undefined, mapped to zero), then all permissions
      are allowed for it if allow_unknown=1.
      
      avc_audit leverages the new security class mapping table to lookup the
      class and permission names from the kernel-private indices.
      
      The mdp program is updated to use the new table when generating the
      class definitions and allow rules for a minimal boot policy for the
      kernel.  It should be noted that this policy will not include any
      userspace classes, nor will its policy index values for the kernel
      classes correspond with the ones in refpolicy (they will instead match
      the kernel-private indices).
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c6d3aaa4
  3. 28 8月, 2008 1 次提交
    • K
      SELinux: add boundary support and thread context assignment · d9250dea
      KaiGai Kohei 提交于
      The purpose of this patch is to assign per-thread security context
      under a constraint. It enables multi-threaded server application
      to kick a request handler with its fair security context, and
      helps some of userspace object managers to handle user's request.
      
      When we assign a per-thread security context, it must not have wider
      permissions than the original one. Because a multi-threaded process
      shares a single local memory, an arbitary per-thread security context
      also means another thread can easily refer violated information.
      
      The constraint on a per-thread security context requires a new domain
      has to be equal or weaker than its original one, when it tries to assign
      a per-thread security context.
      
      Bounds relationship between two types is a way to ensure a domain can
      never have wider permission than its bounds. We can define it in two
      explicit or implicit ways.
      
      The first way is using new TYPEBOUNDS statement. It enables to define
      a boundary of types explicitly. The other one expand the concept of
      existing named based hierarchy. If we defines a type with "." separated
      name like "httpd_t.php", toolchain implicitly set its bounds on "httpd_t".
      
      This feature requires a new policy version.
      The 24th version (POLICYDB_VERSION_BOUNDARY) enables to ship them into
      kernel space, and the following patch enables to handle it.
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      d9250dea
  4. 05 8月, 2008 1 次提交
  5. 14 7月, 2008 1 次提交
    • S
      selinux: fix endianness bug in network node address handling · 59dbd1ba
      Stephen Smalley 提交于
      Fix an endianness bug in the handling of network node addresses by
      SELinux.  This yields no change on little endian hardware but fixes
      the incorrect handling on big endian hardware.  The network node
      addresses are stored in network order in memory by checkpolicy, not in
      cpu/host order, and thus should not have cpu_to_le32/le32_to_cpu
      conversions applied upon policy write/read unlike other data in the
      policy.
      
      Bug reported by John Weeks of Sun, who noticed that binary policy
      files built from the same policy source on x86 and sparc differed and
      tracked it down to the ipv4 address handling in checkpolicy.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      59dbd1ba
  6. 21 4月, 2008 2 次提交
  7. 18 4月, 2008 2 次提交
  8. 30 1月, 2008 1 次提交
  9. 08 11月, 2007 1 次提交
  10. 17 10月, 2007 2 次提交
  11. 12 7月, 2007 1 次提交
    • E
      selinux: introduce schedule points in policydb_destroy() · 9dc99780
      Eric Paris 提交于
      During the LSPP testing we found that it was possible for
      policydb_destroy() to take 10+ seconds of kernel time to complete.
      Basically all policydb_destroy() does is walk some (possibly long) lists
      and free the memory it finds.  Turning off slab debugging config options
      made the problem go away since the actual functions which took most of
      the time were (as seen by oprofile)
      
      > 121202   23.9879  .check_poison_obj
      > 78247    15.4864  .check_slabp
      
      were caused by that.  So I decided to also add some voluntary schedule
      points in that code so config voluntary preempt would be enough to solve
      the problem.  Something similar was done in places like
      shmem_free_pages() when we have to walk a list of memory and free it.
      This was tested by the LSPP group on the hardware which could reproduce
      the problem just loading a new policy and was found to not trigger the
      softlock detector.  It takes just as much processing time, but the
      kernel doesn't spend all that time stuck doing one thing and never
      scheduling.
      
      Someday a better way to handle memory might make the time needed in this
      function a lot less, but this fixes the current issue as it stands
      today.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      9dc99780
  12. 27 2月, 2007 1 次提交
    • E
      Reassign printk levels in selinux kernel code · fadcdb45
      Eric Paris 提交于
      Below is a patch which demotes many printk lines to KERN_DEBUG from
      KERN_INFO.  It should help stop the spamming of logs with messages in
      which users are not interested nor is there any action that users should
      take.  It also promotes some KERN_INFO to KERN_ERR such as when there
      are improper attempts to register/unregister security modules.
      
      A similar patch was discussed a while back on list:
      http://marc.theaimsgroup.com/?t=116656343500003&r=1&w=2
      This patch addresses almost all of the issues raised.  I believe the
      only advice not taken was in the demoting of messages related to
      undefined permissions and classes.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      
       security/selinux/hooks.c       |   20 ++++++++++----------
       security/selinux/ss/avtab.c    |    2 +-
       security/selinux/ss/policydb.c |    6 +++---
       security/selinux/ss/sidtab.c   |    2 +-
       4 files changed, 15 insertions(+), 15 deletions(-)
      Signed-off-by: NJames Morris <jmorris@namei.org>
      fadcdb45
  13. 03 12月, 2006 1 次提交
  14. 12 10月, 2006 1 次提交
    • C
      SELinux: Bug fix in polidydb_destroy · 6e8c751e
      Chad Sellers 提交于
      This patch fixes two bugs in policydb_destroy. Two list pointers
      (policydb.ocontexts[i] and policydb.genfs) were not being reset to NULL when
      the lists they pointed to were being freed. This caused a problem when the
      initial policy load failed, as the policydb being destroyed was not a
      temporary new policydb that was thrown away, but rather was the global
      (active) policydb. Consequently, later functions, particularly
      sys_bind->selinux_socket_bind->security_node_sid and
      do_rw_proc->selinux_sysctl->selinux_proc_get_sid->security_genfs_sid tried
      to dereference memory that had previously been freed.
      Signed-off-by: NChad Sellers <csellers@tresys.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      6e8c751e
  15. 26 9月, 2006 1 次提交
  16. 01 8月, 2006 1 次提交
  17. 07 1月, 2006 1 次提交
  18. 07 11月, 2005 1 次提交
  19. 31 10月, 2005 1 次提交
  20. 24 10月, 2005 1 次提交
  21. 05 9月, 2005 2 次提交
  22. 26 6月, 2005 1 次提交
  23. 17 4月, 2005 1 次提交
    • L
      Linux-2.6.12-rc2 · 1da177e4
      Linus Torvalds 提交于
      Initial git repository build. I'm not bothering with the full history,
      even though we have it. We can create a separate "historical" git
      archive of that later if we want to, and in the meantime it's about
      3.2GB when imported into git - space that would just make the early
      git days unnecessarily complicated, when we don't have a lot of good
      infrastructure for it.
      
      Let it rip!
      1da177e4