1. 10 4月, 2012 12 次提交
    • E
      SELinux: remove inode_has_perm_noadp · 602a8dd6
      Eric Paris 提交于
      Both callers could better be using file_has_perm() to get better audit
      results.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      602a8dd6
    • E
      SELinux: delay initialization of audit data in selinux_inode_permission · 2e334057
      Eric Paris 提交于
      We pay a rather large overhead initializing the common_audit_data.
      Since we only need this information if we actually emit an audit
      message there is little need to set it up in the hot path.  This patch
      splits the functionality of avc_has_perm() into avc_has_perm_noaudit(),
      avc_audit_required() and slow_avc_audit().  But we take care of setting
      up to audit between required() and the actual audit call.  Thus saving
      measurable time in a hot path.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      2e334057
    • E
      SELinux: if sel_make_bools errors don't leave inconsistent state · 154c50ca
      Eric Paris 提交于
      We reset the bool names and values array to NULL, but do not reset the
      number of entries in these arrays to 0.  If we error out and then get back
      into this function we will walk these NULL pointers based on the belief
      that they are non-zero length.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      cc: stable@kernel.org
      154c50ca
    • E
      SELinux: remove needless sel_div function · 92ae9e82
      Eric Paris 提交于
      I'm not really sure what the idea behind the sel_div function is, but it's
      useless.  Since a and b are both unsigned, it's impossible for a % b < 0.
      That means that part of the function never does anything.  Thus it's just a
      normal /.  Just do that instead.  I don't even understand what that operation
      was supposed to mean in the signed case however....
      
      If it was signed:
      sel_div(-2, 4) == ((-2 / 4) - ((-2 % 4) < 0))
      		  ((0)      - ((-2)     < 0))
      		  ((0)      - (1))
      		  (-1)
      
      What actually happens:
      sel_div(-2, 4) == ((18446744073709551614 / 4) - ((18446744073709551614 % 4) < 0))
      		  ((4611686018427387903)      - ((2 < 0))
      		  (4611686018427387903        - 0)
      		  ((unsigned int)4611686018427387903)
      		  (4294967295)
      
      Neither makes a whole ton of sense to me.  So I'm getting rid of the
      function entirely.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      92ae9e82
    • E
      SELinux: possible NULL deref in context_struct_to_string · bb7081ab
      Eric Paris 提交于
      It's possible that the caller passed a NULL for scontext.  However if this
      is a defered mapping we might still attempt to call *scontext=kstrdup().
      This is bad.  Instead just return the len.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      bb7081ab
    • E
      SELinux: audit failed attempts to set invalid labels · d6ea83ec
      Eric Paris 提交于
      We know that some yum operation is causing CAP_MAC_ADMIN failures.  This
      implies that an RPM is laying down (or attempting to lay down) a file with
      an invalid label.  The problem is that we don't have any information to
      track down the cause.  This patch will cause such a failure to report the
      failed label in an SELINUX_ERR audit message.  This is similar to the
      SELINUX_ERR reports on invalid transitions and things like that.  It should
      help run down problems on what is trying to set invalid labels in the
      future.
      
      Resulting records look something like:
      type=AVC msg=audit(1319659241.138:71): avc:  denied  { mac_admin } for pid=2594 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
      type=SELINUX_ERR msg=audit(1319659241.138:71): op=setxattr invalid_context=unconfined_u:object_r:hello:s0
      type=SYSCALL msg=audit(1319659241.138:71): arch=c000003e syscall=188 success=no exit=-22 a0=a2c0e0 a1=390341b79b a2=a2d620 a3=1f items=1 ppid=2519 pid=2594 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      type=CWD msg=audit(1319659241.138:71):  cwd="/root" type=PATH msg=audit(1319659241.138:71): item=0 name="test" inode=785879 dev=fc:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0
      Signed-off-by: NEric Paris <eparis@redhat.com>
      d6ea83ec
    • E
      SELinux: rename dentry_open to file_open · 83d49856
      Eric Paris 提交于
      dentry_open takes a file, rename it to file_open
      Signed-off-by: NEric Paris <eparis@redhat.com>
      83d49856
    • E
      SELinux: check OPEN on truncate calls · 95dbf739
      Eric Paris 提交于
      In RH BZ 578841 we realized that the SELinux sandbox program was allowed to
      truncate files outside of the sandbox.  The reason is because sandbox
      confinement is determined almost entirely by the 'open' permission.  The idea
      was that if the sandbox was unable to open() files it would be unable to do
      harm to those files.  This turns out to be false in light of syscalls like
      truncate() and chmod() which don't require a previous open() call.  I looked
      at the syscalls that did not have an associated 'open' check and found that
      truncate(), did not have a seperate permission and even if it did have a
      separate permission such a permission owuld be inadequate for use by
      sandbox (since it owuld have to be granted so liberally as to be useless).
      This patch checks the OPEN permission on truncate.  I think a better solution
      for sandbox is a whole new permission, but at least this fixes what we have
      today.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      95dbf739
    • E
      SELinux: add default_type statements · eed7795d
      Eric Paris 提交于
      Because Fedora shipped userspace based on my development tree we now
      have policy version 27 in the wild defining only default user, role, and
      range.  Thus to add default_type we need a policy.28.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      eed7795d
    • E
      SELinux: allow default source/target selectors for user/role/range · aa893269
      Eric Paris 提交于
      When new objects are created we have great and flexible rules to
      determine the type of the new object.  We aren't quite as flexible or
      mature when it comes to determining the user, role, and range.  This
      patch adds a new ability to specify the place a new objects user, role,
      and range should come from.  For users and roles it can come from either
      the source or the target of the operation.  aka for files the user can
      either come from the source (the running process and todays default) or
      it can come from the target (aka the parent directory of the new file)
      
      examples always are done with
      directory context: system_u:object_r:mnt_t:s0-s0:c0.c512
      process context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      
      [no rule]
      	unconfined_u:object_r:mnt_t:s0   test_none
      [default user source]
      	unconfined_u:object_r:mnt_t:s0   test_user_source
      [default user target]
      	system_u:object_r:mnt_t:s0       test_user_target
      [default role source]
      	unconfined_u:unconfined_r:mnt_t:s0 test_role_source
      [default role target]
      	unconfined_u:object_r:mnt_t:s0   test_role_target
      [default range source low]
      	unconfined_u:object_r:mnt_t:s0 test_range_source_low
      [default range source high]
      	unconfined_u:object_r:mnt_t:s0:c0.c1023 test_range_source_high
      [default range source low-high]
      	unconfined_u:object_r:mnt_t:s0-s0:c0.c1023 test_range_source_low-high
      [default range target low]
      	unconfined_u:object_r:mnt_t:s0 test_range_target_low
      [default range target high]
      	unconfined_u:object_r:mnt_t:s0:c0.c512 test_range_target_high
      [default range target low-high]
      	unconfined_u:object_r:mnt_t:s0-s0:c0.c512 test_range_target_low-high
      Signed-off-by: NEric Paris <eparis@redhat.com>
      aa893269
    • E
      SELinux: loosen DAC perms on reading policy · 72e8c859
      Eric Paris 提交于
      There is no reason the DAC perms on reading the policy file need to be root
      only.  There are selinux checks which should control this access.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      72e8c859
    • E
      SELinux: allow seek operations on the file exposing policy · 47a93a5b
      Eric Paris 提交于
      sesearch uses:
      lseek(3, 0, SEEK_SET)                   = -1 ESPIPE (Illegal seek)
      
      Make that work.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      47a93a5b
  2. 04 4月, 2012 6 次提交
  3. 01 4月, 2012 4 次提交
    • A
      get rid of pointless includes of ext2_fs.h · 2f99c369
      Al Viro 提交于
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      2f99c369
    • A
      selinuxfs: merge dentry allocation into sel_make_dir() · a1c2aa1e
      Al Viro 提交于
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      a1c2aa1e
    • L
      selinux: inline avc_audit() and avc_has_perm_noaudit() into caller · cdb0f9a1
      Linus Torvalds 提交于
      Now that all the slow-path code is gone from these functions, we can
      inline them into the main caller - avc_has_perm_flags().
      
      Now the compiler can see that 'avc' is allocated on the stack for this
      case, which helps register pressure a bit.  It also actually shrinks the
      total stack frame, because the stack frame that avc_has_perm_flags()
      always needed (for that 'avc' allocation) is now sufficient for the
      inlined functions too.
      
      Inlining isn't bad - but mindless inlining of cold code (see the
      previous commit) is.
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      cdb0f9a1
    • L
      selinux: don't inline slow-path code into avc_has_perm_noaudit() · a554bea8
      Linus Torvalds 提交于
      The selinux AVC paths remain some of the hottest (and deepest) codepaths
      at filename lookup time, and we make it worse by having the slow path
      cases take up I$ and stack space even when they don't trigger.  Gcc
      tends to always want to inline functions that are just called once -
      never mind that this might make for slower and worse code in the caller.
      
      So this tries to improve on it a bit by making the slow-path cases
      explicitly separate functions that are marked noinline, causing gcc to
      at least no longer allocate stack space for them unless they are
      actually called.  It also seems to help register allocation a tiny bit,
      since gcc now doesn't take the slow case code into account.
      
      Uninlining the slow path may also allow us to inline the remaining hot
      path into the one caller that actually matters: avc_has_perm_flags().
      I'll have to look at that separately, but both avc_audit() and
      avc_has_perm_noaudit() are now small and lean enough that inlining them
      may make sense.
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a554bea8
  4. 29 3月, 2012 1 次提交
  5. 26 3月, 2012 1 次提交
    • D
      SELinux: selinux/xfrm.h needs net/flow.h · 778aae84
      David Howells 提交于
      selinux/xfrm.h needs to #include net/flow.h or else suffer:
      
      In file included from security/selinux/ss/services.c:69:0:
      security/selinux/include/xfrm.h: In function 'selinux_xfrm_notify_policyload':
      security/selinux/include/xfrm.h:53:14: error: 'flow_cache_genid' undeclared (first use in this function)
      security/selinux/include/xfrm.h:53:14: note: each undeclared identifier is reported only once for each function it appears in
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      778aae84
  6. 23 3月, 2012 1 次提交
    • L
      security: optimize avc_audit() common path · 48aab2f7
      Linus Torvalds 提交于
      avc_audit() did a lot of jumping around and had a big stack frame, all
      for the uncommon case.
      
      Split up the uncommon case (which we really can't make go fast anyway)
      into its own slow function, and mark the conditional branches
      appropriately for the common likely case.
      
      This causes avc_audit() to no longer show up as one of the hottest
      functions on the branch profiles (the new "perf -b" thing), and makes
      the cycle profiles look really nice and dense too.
      
      The whole audit path is still annoyingly very much one of the biggest
      costs of name lookup, so these things are worth optimizing for.  I wish
      we could just tell people to turn it off, but realistically we do need
      it: we just need to make sure that the overhead of the necessary evil is
      as low as possible.
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      48aab2f7
  7. 20 2月, 2012 1 次提交
    • D
      Replace the fd_sets in struct fdtable with an array of unsigned longs · 1fd36adc
      David Howells 提交于
      Replace the fd_sets in struct fdtable with an array of unsigned longs and then
      use the standard non-atomic bit operations rather than the FD_* macros.
      
      This:
      
       (1) Removes the abuses of struct fd_set:
      
           (a) Since we don't want to allocate a full fd_set the vast majority of the
           	 time, we actually, in effect, just allocate a just-big-enough array of
           	 unsigned longs and cast it to an fd_set type - so why bother with the
           	 fd_set at all?
      
           (b) Some places outside of the core fdtable handling code (such as
           	 SELinux) want to look inside the array of unsigned longs hidden inside
           	 the fd_set struct for more efficient iteration over the entire set.
      
       (2) Eliminates the use of FD_*() macros in the kernel completely.
      
       (3) Permits the __FD_*() macros to be deleted entirely where not exposed to
           userspace.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Link: http://lkml.kernel.org/r/20120216174954.23314.48147.stgit@warthog.procyon.org.ukSigned-off-by: NH. Peter Anvin <hpa@zytor.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      1fd36adc
  8. 14 2月, 2012 1 次提交
  9. 07 1月, 2012 1 次提交
  10. 06 1月, 2012 9 次提交
  11. 04 1月, 2012 3 次提交