mirror of
https://github.com/torvalds/linux.git
synced 2024-11-21 19:41:42 +00:00
selinux/stable-6.13 PR 20241112
-----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmcztEsUHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXN8qg//eUYYuhO4LWY3Qq5P4pNbaJ40Mx8Y MSjYoN345nwLnWN1T3JTFik6Se6RKQmqMTd5xtdphnaP1NP3dtxTiV3nWWdP+/Ak JNwGAGrjX8JOep8KNEkUbH219iuFgUvvYIfIXaEswe6AAgtK1A7VDwAkSVdeoenD Ll0xpwKiZppxnDrwHtyB7JwPFVxsx4ctUOz8u7HBEyGDXPbiDmAGvLNwWbcmPSb1 EndFPdxIOsNaipl8NcQEBz5x5t/r/qVhXkSbalx5o5eAouXHfr4ArurgGV69TRDM 3Xqr8RkS6nkA+/rvTUxe2JF4IZ7MTD61+iAFxgsj4cnVavI3oszTfCy1j45auAt9 QoRVAIQgJv/f7DI15A/0u2ZuGwCBAPFn6lG34jHauI/LQ1f9s1w/anSLYXOzxw74 NmC2eYedznqemDP1DUPUjpp06/Nm88eEvrfsl9lTCY3cN8wAaFWEDhAFCu2IbDQM bpl8/rNoVKE1v2+p3WmXnug9DRs2JF6gvjlo/HPEHxv/hfO0rbTrb6cPcMd7BUXB ZM1D45oj5lPaOR+by7AaFzSL0zZiyMa5f59Jib7cvIXTy9t2aXGiHps2kbnRdIgx 3JfJIWf7TSA8HPzkU766nGvBaEWUumWbKka+SVuSv/I2A9lP2RskprfSEEvCP/5P ysmXzAwulqfDY30= =Jo+V -----END PGP SIGNATURE----- Merge tag 'selinux-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux updates from Paul Moore: - Add support for netlink xperms Some time ago we added the concept of "xperms" to the SELinux policy so that we could write policy for individual ioctls, this builds upon this by using extending xperms to netlink so that we can write SELinux policy for individual netlnk message types and not rely on the fairly coarse read/write mapping tables we currently have. There are limitations involving generic netlink due to the multiplexing that is done, but it's no worse that what we currently have. As usual, more information can be found in the commit message. - Deprecate /sys/fs/selinux/user We removed the only known userspace use of this back in 2020 and now that several years have elapsed we're starting down the path of deprecating it in the kernel. - Cleanup the build under scripts/selinux A couple of patches to move the genheaders tool under security/selinux and correct our usage of kernel headers in the tools located under scripts/selinux. While these changes originated out of an effort to build Linux on different systems, they are arguably the right thing to do regardless. - Minor code cleanups and style fixes Not much to say here, two minor cleanup patches that came out of the netlink xperms work * tag 'selinux-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: Deprecate /sys/fs/selinux/user selinux: apply clang format to security/selinux/nlmsgtab.c selinux: streamline selinux_nlmsg_lookup() selinux: Add netlink xperm support selinux: move genheaders to security/selinux/ selinux: do not include <linux/*.h> headers from host programs
This commit is contained in:
Linus Torvalds
commit
8ffc7dbce2
12
Documentation/ABI/obsolete/sysfs-selinux-user
Normal file
12
Documentation/ABI/obsolete/sysfs-selinux-user
Normal file
@ -0,0 +1,12 @@
|
||||
What: /sys/fs/selinux/user
|
||||
Date: April 2005 (predates git)
|
||||
KernelVersion: 2.6.12-rc2 (predates git)
|
||||
Contact: selinux@vger.kernel.org
|
||||
Description:
|
||||
|
||||
The selinuxfs "user" node allows userspace to request a list
|
||||
of security contexts that can be reached for a given SELinux
|
||||
user from a given starting context. This was used by libselinux
|
||||
when various login-style programs requested contexts for
|
||||
users, but libselinux stopped using it in 2020.
|
||||
Kernel support will be removed no sooner than Dec 2025.
|
||||
@ -20,6 +20,9 @@ set -e
|
||||
# yard. Stale files stay in this file for a while (for some release cycles?),
|
||||
# then will be really dead and removed from the code base entirely.
|
||||
|
||||
# moved to security/selinux/genheaders
|
||||
rm -f scripts/selinux/genheaders/genheaders
|
||||
|
||||
rm -f *.spec
|
||||
|
||||
rm -f lib/test_fortify.log
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
subdir-y := mdp genheaders
|
||||
subdir-y := mdp
|
||||
|
||||
2
scripts/selinux/genheaders/.gitignore
vendored
2
scripts/selinux/genheaders/.gitignore
vendored
@ -1,2 +0,0 @@
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
genheaders
|
||||
@ -1,5 +0,0 @@
|
||||
# SPDX-License-Identifier: GPL-2.0
|
||||
hostprogs-always-y += genheaders
|
||||
HOST_EXTRACFLAGS += \
|
||||
-I$(srctree)/include/uapi -I$(srctree)/include \
|
||||
-I$(srctree)/security/selinux/include
|
||||
@ -1,7 +1,7 @@
|
||||
# SPDX-License-Identifier: GPL-2.0
|
||||
hostprogs-always-y += mdp
|
||||
HOST_EXTRACFLAGS += \
|
||||
-I$(srctree)/include/uapi -I$(srctree)/include \
|
||||
-I$(srctree)/include \
|
||||
-I$(srctree)/security/selinux/include -I$(objtree)/include
|
||||
|
||||
clean-files := policy.* file_contexts
|
||||
|
||||
@ -11,10 +11,6 @@
|
||||
* Authors: Serge E. Hallyn <serue@us.ibm.com>
|
||||
*/
|
||||
|
||||
|
||||
/* NOTE: we really do want to use the kernel headers here */
|
||||
#define __EXPORTED_HEADERS__
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
1
security/selinux/.gitignore
vendored
1
security/selinux/.gitignore
vendored
@ -1,3 +1,4 @@
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
av_permissions.h
|
||||
flask.h
|
||||
/genheaders
|
||||
|
||||
@ -36,7 +36,10 @@ quiet_cmd_genhdrs = GEN $(addprefix $(obj)/,$(genhdrs))
|
||||
# see the note above, replace the $targets and 'flask.h' rule with the lines
|
||||
# below:
|
||||
# targets += $(genhdrs)
|
||||
# $(addprefix $(obj)/,$(genhdrs)) &: scripts/selinux/...
|
||||
# $(addprefix $(obj)/,$(genhdrs)) &: $(obj)/genheaders FORCE
|
||||
targets += flask.h
|
||||
$(obj)/flask.h: scripts/selinux/genheaders/genheaders FORCE
|
||||
$(obj)/flask.h: $(obj)/genheaders FORCE
|
||||
$(call if_changed,genhdrs)
|
||||
|
||||
hostprogs := genheaders
|
||||
HOST_EXTRACFLAGS += -I$(srctree)/security/selinux/include
|
||||
|
||||
@ -1,8 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0
|
||||
|
||||
/* NOTE: we really do want to use the kernel headers here */
|
||||
#define __EXPORTED_HEADERS__
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
@ -4590,14 +4590,10 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
|
||||
secclass, NULL, socksid);
|
||||
}
|
||||
|
||||
static int sock_has_perm(struct sock *sk, u32 perms)
|
||||
static bool sock_skip_has_perm(u32 sid)
|
||||
{
|
||||
struct sk_security_struct *sksec = selinux_sock(sk);
|
||||
struct common_audit_data ad;
|
||||
struct lsm_network_audit net;
|
||||
|
||||
if (sksec->sid == SECINITSID_KERNEL)
|
||||
return 0;
|
||||
if (sid == SECINITSID_KERNEL)
|
||||
return true;
|
||||
|
||||
/*
|
||||
* Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
|
||||
@ -4611,7 +4607,19 @@ static int sock_has_perm(struct sock *sk, u32 perms)
|
||||
* setting.
|
||||
*/
|
||||
if (!selinux_policycap_userspace_initial_context() &&
|
||||
sksec->sid == SECINITSID_INIT)
|
||||
sid == SECINITSID_INIT)
|
||||
return true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
static int sock_has_perm(struct sock *sk, u32 perms)
|
||||
{
|
||||
struct sk_security_struct *sksec = sk->sk_security;
|
||||
struct common_audit_data ad;
|
||||
struct lsm_network_audit net;
|
||||
|
||||
if (sock_skip_has_perm(sksec->sid))
|
||||
return 0;
|
||||
|
||||
ad_net_init_from_sk(&ad, &net, sk);
|
||||
@ -5920,6 +5928,26 @@ static unsigned int selinux_ip_postroute(void *priv,
|
||||
}
|
||||
#endif /* CONFIG_NETFILTER */
|
||||
|
||||
static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type)
|
||||
{
|
||||
struct sk_security_struct *sksec = sk->sk_security;
|
||||
struct common_audit_data ad;
|
||||
struct lsm_network_audit net;
|
||||
u8 driver;
|
||||
u8 xperm;
|
||||
|
||||
if (sock_skip_has_perm(sksec->sid))
|
||||
return 0;
|
||||
|
||||
ad_net_init_from_sk(&ad, &net, sk);
|
||||
|
||||
driver = nlmsg_type >> 8;
|
||||
xperm = nlmsg_type & 0xff;
|
||||
|
||||
return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass,
|
||||
perms, driver, xperm, &ad);
|
||||
}
|
||||
|
||||
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
|
||||
{
|
||||
int rc = 0;
|
||||
@ -5945,7 +5973,12 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
|
||||
|
||||
rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
|
||||
if (rc == 0) {
|
||||
rc = sock_has_perm(sk, perm);
|
||||
if (selinux_policycap_netlink_xperm()) {
|
||||
rc = nlmsg_sock_has_extended_perms(
|
||||
sk, perm, nlh->nlmsg_type);
|
||||
} else {
|
||||
rc = sock_has_perm(sk, perm);
|
||||
}
|
||||
if (rc)
|
||||
return rc;
|
||||
} else if (rc == -EINVAL) {
|
||||
|
||||
@ -1,8 +1,5 @@
|
||||
/* SPDX-License-Identifier: GPL-2.0 */
|
||||
|
||||
#include <linux/capability.h>
|
||||
#include <linux/socket.h>
|
||||
|
||||
#define COMMON_FILE_SOCK_PERMS \
|
||||
"ioctl", "read", "write", "create", "getattr", "setattr", "lock", \
|
||||
"relabelfrom", "relabelto", "append", "map"
|
||||
@ -36,9 +33,13 @@
|
||||
"mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \
|
||||
"audit_read", "perfmon", "bpf", "checkpoint_restore"
|
||||
|
||||
#ifdef __KERNEL__ /* avoid this check when building host programs */
|
||||
#include <linux/capability.h>
|
||||
|
||||
#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
|
||||
#error New capability defined, please update COMMON_CAP2_PERMS.
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Note: The name for any socket class should be suffixed by "socket",
|
||||
@ -96,17 +97,17 @@ const struct security_class_mapping secclass_map[] = {
|
||||
{ "shm", { COMMON_IPC_PERMS, "lock", NULL } },
|
||||
{ "ipc", { COMMON_IPC_PERMS, NULL } },
|
||||
{ "netlink_route_socket",
|
||||
{ COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
|
||||
{ COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", "nlmsg", NULL } },
|
||||
{ "netlink_tcpdiag_socket",
|
||||
{ COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
|
||||
{ COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", "nlmsg", NULL } },
|
||||
{ "netlink_nflog_socket", { COMMON_SOCK_PERMS, NULL } },
|
||||
{ "netlink_xfrm_socket",
|
||||
{ COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
|
||||
{ COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", "nlmsg", NULL } },
|
||||
{ "netlink_selinux_socket", { COMMON_SOCK_PERMS, NULL } },
|
||||
{ "netlink_iscsi_socket", { COMMON_SOCK_PERMS, NULL } },
|
||||
{ "netlink_audit_socket",
|
||||
{ COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", "nlmsg_relay",
|
||||
"nlmsg_readpriv", "nlmsg_tty_audit", NULL } },
|
||||
"nlmsg_readpriv", "nlmsg_tty_audit", "nlmsg", NULL } },
|
||||
{ "netlink_fib_lookup_socket", { COMMON_SOCK_PERMS, NULL } },
|
||||
{ "netlink_connector_socket", { COMMON_SOCK_PERMS, NULL } },
|
||||
{ "netlink_netfilter_socket", { COMMON_SOCK_PERMS, NULL } },
|
||||
@ -181,6 +182,10 @@ const struct security_class_mapping secclass_map[] = {
|
||||
{ NULL }
|
||||
};
|
||||
|
||||
#ifdef __KERNEL__ /* avoid this check when building host programs */
|
||||
#include <linux/socket.h>
|
||||
|
||||
#if PF_MAX > 46
|
||||
#error New address family defined, please update secclass_map.
|
||||
#endif
|
||||
#endif
|
||||
|
||||
@ -1,6 +1,10 @@
|
||||
/* SPDX-License-Identifier: GPL-2.0 */
|
||||
|
||||
#ifdef __KERNEL__
|
||||
#include <linux/stddef.h>
|
||||
#else
|
||||
#include <stddef.h>
|
||||
#endif
|
||||
|
||||
static const char *const initial_sid_to_string[] = {
|
||||
NULL, /* zero placeholder, not used */
|
||||
|
||||
@ -14,6 +14,7 @@ enum {
|
||||
POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS,
|
||||
POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
|
||||
POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT,
|
||||
POLICYDB_CAP_NETLINK_XPERM,
|
||||
__POLICYDB_CAP_MAX
|
||||
};
|
||||
#define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)
|
||||
|
||||
@ -17,6 +17,7 @@ const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = {
|
||||
"genfs_seclabel_symlinks",
|
||||
"ioctl_skip_cloexec",
|
||||
"userspace_initial_context",
|
||||
"netlink_xperm",
|
||||
};
|
||||
/* clang-format on */
|
||||
|
||||
|
||||
@ -195,6 +195,12 @@ static inline bool selinux_policycap_userspace_initial_context(void)
|
||||
selinux_state.policycap[POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT]);
|
||||
}
|
||||
|
||||
static inline bool selinux_policycap_netlink_xperm(void)
|
||||
{
|
||||
return READ_ONCE(
|
||||
selinux_state.policycap[POLICYDB_CAP_NETLINK_XPERM]);
|
||||
}
|
||||
|
||||
struct selinux_policy_convert_data;
|
||||
|
||||
struct selinux_load_state {
|
||||
|
||||
@ -21,142 +21,142 @@
|
||||
#include "security.h"
|
||||
|
||||
struct nlmsg_perm {
|
||||
u16 nlmsg_type;
|
||||
u32 perm;
|
||||
u16 nlmsg_type;
|
||||
u32 perm;
|
||||
};
|
||||
|
||||
static const struct nlmsg_perm nlmsg_route_perms[] = {
|
||||
{ RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETLINK, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_SETLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_NEWADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETADDR, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETROUTE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETRULE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETQDISC, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETACTION, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWPREFIX, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETMULTICAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_NEWADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_GETDCB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_SETDCB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_NEWNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETMDB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_SETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_NEWCACHEREPORT, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWLINKPROP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELLINKPROP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_NEWVLAN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELVLAN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETVLAN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETLINK, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_SETLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_NEWADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETADDR, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETROUTE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETRULE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETQDISC, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETACTION, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWPREFIX, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETMULTICAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_NEWADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_GETDCB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_SETDCB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_NEWNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETMDB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_SETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_NEWCACHEREPORT, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWLINKPROP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELLINKPROP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_NEWVLAN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELVLAN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETVLAN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
{ RTM_NEWTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_DELTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
||||
{ RTM_GETTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
||||
};
|
||||
|
||||
static const struct nlmsg_perm nlmsg_tcpdiag_perms[] = {
|
||||
{ TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
|
||||
{ DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
|
||||
{ SOCK_DIAG_BY_FAMILY, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
|
||||
{ SOCK_DESTROY, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
|
||||
{ TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
|
||||
{ DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
|
||||
{ SOCK_DIAG_BY_FAMILY, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
|
||||
{ SOCK_DESTROY, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
|
||||
};
|
||||
|
||||
static const struct nlmsg_perm nlmsg_xfrm_perms[] = {
|
||||
{ XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_GETSA, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_NEWPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_DELPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_GETPOLICY, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_ALLOCSPI, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_ACQUIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_EXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_UPDPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_UPDSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_POLEXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_FLUSHSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_REPORT, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_MIGRATE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_SETDEFAULT, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_GETDEFAULT, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_GETSA, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_NEWPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_DELPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_GETPOLICY, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_ALLOCSPI, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_ACQUIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_EXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_UPDPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_UPDSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_POLEXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_FLUSHSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_REPORT, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_MIGRATE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
{ XFRM_MSG_SETDEFAULT, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
||||
{ XFRM_MSG_GETDEFAULT, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
||||
};
|
||||
|
||||
static const struct nlmsg_perm nlmsg_audit_perms[] = {
|
||||
{ AUDIT_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
||||
{ AUDIT_SET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_LIST, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
|
||||
{ AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_LIST_RULES, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
|
||||
{ AUDIT_ADD_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
|
||||
{ AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
||||
{ AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
||||
{ AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
|
||||
{ AUDIT_GET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
||||
{ AUDIT_SET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
||||
{ AUDIT_SET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_LIST, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
|
||||
{ AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_LIST_RULES, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
|
||||
{ AUDIT_ADD_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
|
||||
{ AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
||||
{ AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
{ AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
||||
{ AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
|
||||
{ AUDIT_GET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
||||
{ AUDIT_SET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
||||
};
|
||||
|
||||
|
||||
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
|
||||
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab,
|
||||
size_t tabsize)
|
||||
{
|
||||
unsigned int i;
|
||||
int err = -EINVAL;
|
||||
|
||||
for (i = 0; i < tabsize/sizeof(struct nlmsg_perm); i++)
|
||||
for (i = 0; i < tabsize / sizeof(struct nlmsg_perm); i++)
|
||||
if (nlmsg_type == tab[i].nlmsg_type) {
|
||||
*perm = tab[i].perm;
|
||||
err = 0;
|
||||
@ -168,7 +168,12 @@ static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, s
|
||||
|
||||
int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
|
||||
{
|
||||
int err = 0;
|
||||
/* While it is possible to add a similar permission to other netlink
|
||||
* classes, note that the extended permission value is matched against
|
||||
* the nlmsg_type field. Notably, SECCLASS_NETLINK_GENERIC_SOCKET uses
|
||||
* dynamic values for this field, which means that it cannot be added
|
||||
* as-is.
|
||||
*/
|
||||
|
||||
switch (sclass) {
|
||||
case SECCLASS_NETLINK_ROUTE_SOCKET:
|
||||
@ -178,42 +183,52 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
|
||||
* before updating the BUILD_BUG_ON() macro!
|
||||
*/
|
||||
BUILD_BUG_ON(RTM_MAX != (RTM_NEWTUNNEL + 3));
|
||||
err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
|
||||
sizeof(nlmsg_route_perms));
|
||||
break;
|
||||
|
||||
if (selinux_policycap_netlink_xperm()) {
|
||||
*perm = NETLINK_ROUTE_SOCKET__NLMSG;
|
||||
return 0;
|
||||
}
|
||||
return nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
|
||||
sizeof(nlmsg_route_perms));
|
||||
break;
|
||||
case SECCLASS_NETLINK_TCPDIAG_SOCKET:
|
||||
err = nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms,
|
||||
sizeof(nlmsg_tcpdiag_perms));
|
||||
if (selinux_policycap_netlink_xperm()) {
|
||||
*perm = NETLINK_TCPDIAG_SOCKET__NLMSG;
|
||||
return 0;
|
||||
}
|
||||
return nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms,
|
||||
sizeof(nlmsg_tcpdiag_perms));
|
||||
break;
|
||||
|
||||
case SECCLASS_NETLINK_XFRM_SOCKET:
|
||||
/* If the BUILD_BUG_ON() below fails you must update the
|
||||
* structures at the top of this file with the new mappings
|
||||
* before updating the BUILD_BUG_ON() macro!
|
||||
*/
|
||||
BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_GETDEFAULT);
|
||||
err = nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
|
||||
sizeof(nlmsg_xfrm_perms));
|
||||
break;
|
||||
|
||||
case SECCLASS_NETLINK_AUDIT_SOCKET:
|
||||
if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
|
||||
nlmsg_type <= AUDIT_LAST_USER_MSG) ||
|
||||
(nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
|
||||
nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
|
||||
*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
|
||||
} else {
|
||||
err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
|
||||
sizeof(nlmsg_audit_perms));
|
||||
if (selinux_policycap_netlink_xperm()) {
|
||||
*perm = NETLINK_XFRM_SOCKET__NLMSG;
|
||||
return 0;
|
||||
}
|
||||
return nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
|
||||
sizeof(nlmsg_xfrm_perms));
|
||||
break;
|
||||
|
||||
/* No messaging from userspace, or class unknown/unhandled */
|
||||
default:
|
||||
err = -ENOENT;
|
||||
case SECCLASS_NETLINK_AUDIT_SOCKET:
|
||||
if (selinux_policycap_netlink_xperm()) {
|
||||
*perm = NETLINK_AUDIT_SOCKET__NLMSG;
|
||||
return 0;
|
||||
} else if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
|
||||
nlmsg_type <= AUDIT_LAST_USER_MSG) ||
|
||||
(nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
|
||||
nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
|
||||
*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
|
||||
return 0;
|
||||
}
|
||||
return nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
|
||||
sizeof(nlmsg_audit_perms));
|
||||
break;
|
||||
}
|
||||
|
||||
return err;
|
||||
/* No messaging from userspace, or class unknown/unhandled */
|
||||
return -ENOENT;
|
||||
}
|
||||
|
||||
@ -1069,6 +1069,10 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
|
||||
int rc;
|
||||
u32 i, len, nsids;
|
||||
|
||||
pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!"
|
||||
" This will not be supported in the future; please update your"
|
||||
" userspace.\n", current->comm, current->pid);
|
||||
|
||||
length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
|
||||
SECCLASS_SECURITY, SECURITY__COMPUTE_USER,
|
||||
NULL);
|
||||
|
||||
@ -53,8 +53,9 @@ struct avtab_key {
|
||||
*/
|
||||
struct avtab_extended_perms {
|
||||
/* These are not flags. All 256 values may be used */
|
||||
#define AVTAB_XPERMS_IOCTLFUNCTION 0x01
|
||||
#define AVTAB_XPERMS_IOCTLDRIVER 0x02
|
||||
#define AVTAB_XPERMS_IOCTLFUNCTION 0x01
|
||||
#define AVTAB_XPERMS_IOCTLDRIVER 0x02
|
||||
#define AVTAB_XPERMS_NLMSG 0x03
|
||||
/* extension of the avtab_key specified */
|
||||
u8 specified; /* ioctl, netfilter, ... */
|
||||
/*
|
||||
|
||||
@ -582,8 +582,7 @@ static void type_attribute_bounds_av(struct policydb *policydb,
|
||||
}
|
||||
|
||||
/*
|
||||
* flag which drivers have permissions
|
||||
* only looking for ioctl based extended permissions
|
||||
* Flag which drivers have permissions.
|
||||
*/
|
||||
void services_compute_xperms_drivers(
|
||||
struct extended_perms *xperms,
|
||||
@ -591,14 +590,18 @@ void services_compute_xperms_drivers(
|
||||
{
|
||||
unsigned int i;
|
||||
|
||||
if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
|
||||
switch (node->datum.u.xperms->specified) {
|
||||
case AVTAB_XPERMS_IOCTLDRIVER:
|
||||
/* if one or more driver has all permissions allowed */
|
||||
for (i = 0; i < ARRAY_SIZE(xperms->drivers.p); i++)
|
||||
xperms->drivers.p[i] |= node->datum.u.xperms->perms.p[i];
|
||||
} else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
|
||||
break;
|
||||
case AVTAB_XPERMS_IOCTLFUNCTION:
|
||||
case AVTAB_XPERMS_NLMSG:
|
||||
/* if allowing permissions within a driver */
|
||||
security_xperm_set(xperms->drivers.p,
|
||||
node->datum.u.xperms->driver);
|
||||
break;
|
||||
}
|
||||
|
||||
xperms->len = 1;
|
||||
@ -942,55 +945,58 @@ static void avd_init(struct selinux_policy *policy, struct av_decision *avd)
|
||||
avd->flags = 0;
|
||||
}
|
||||
|
||||
void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
|
||||
struct avtab_node *node)
|
||||
static void update_xperms_extended_data(u8 specified,
|
||||
struct extended_perms_data *from,
|
||||
struct extended_perms_data *xp_data)
|
||||
{
|
||||
unsigned int i;
|
||||
|
||||
if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
|
||||
switch (specified) {
|
||||
case AVTAB_XPERMS_IOCTLDRIVER:
|
||||
memset(xp_data->p, 0xff, sizeof(xp_data->p));
|
||||
break;
|
||||
case AVTAB_XPERMS_IOCTLFUNCTION:
|
||||
case AVTAB_XPERMS_NLMSG:
|
||||
for (i = 0; i < ARRAY_SIZE(xp_data->p); i++)
|
||||
xp_data->p[i] |= from->p[i];
|
||||
break;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
|
||||
struct avtab_node *node)
|
||||
{
|
||||
switch (node->datum.u.xperms->specified) {
|
||||
case AVTAB_XPERMS_IOCTLFUNCTION:
|
||||
case AVTAB_XPERMS_NLMSG:
|
||||
if (xpermd->driver != node->datum.u.xperms->driver)
|
||||
return;
|
||||
} else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
|
||||
break;
|
||||
case AVTAB_XPERMS_IOCTLDRIVER:
|
||||
if (!security_xperm_test(node->datum.u.xperms->perms.p,
|
||||
xpermd->driver))
|
||||
return;
|
||||
} else {
|
||||
break;
|
||||
default:
|
||||
BUG();
|
||||
}
|
||||
|
||||
if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
|
||||
xpermd->used |= XPERMS_ALLOWED;
|
||||
if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
|
||||
memset(xpermd->allowed->p, 0xff,
|
||||
sizeof(xpermd->allowed->p));
|
||||
}
|
||||
if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
|
||||
for (i = 0; i < ARRAY_SIZE(xpermd->allowed->p); i++)
|
||||
xpermd->allowed->p[i] |=
|
||||
node->datum.u.xperms->perms.p[i];
|
||||
}
|
||||
update_xperms_extended_data(node->datum.u.xperms->specified,
|
||||
&node->datum.u.xperms->perms,
|
||||
xpermd->allowed);
|
||||
} else if (node->key.specified == AVTAB_XPERMS_AUDITALLOW) {
|
||||
xpermd->used |= XPERMS_AUDITALLOW;
|
||||
if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
|
||||
memset(xpermd->auditallow->p, 0xff,
|
||||
sizeof(xpermd->auditallow->p));
|
||||
}
|
||||
if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
|
||||
for (i = 0; i < ARRAY_SIZE(xpermd->auditallow->p); i++)
|
||||
xpermd->auditallow->p[i] |=
|
||||
node->datum.u.xperms->perms.p[i];
|
||||
}
|
||||
update_xperms_extended_data(node->datum.u.xperms->specified,
|
||||
&node->datum.u.xperms->perms,
|
||||
xpermd->auditallow);
|
||||
} else if (node->key.specified == AVTAB_XPERMS_DONTAUDIT) {
|
||||
xpermd->used |= XPERMS_DONTAUDIT;
|
||||
if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
|
||||
memset(xpermd->dontaudit->p, 0xff,
|
||||
sizeof(xpermd->dontaudit->p));
|
||||
}
|
||||
if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
|
||||
for (i = 0; i < ARRAY_SIZE(xpermd->dontaudit->p); i++)
|
||||
xpermd->dontaudit->p[i] |=
|
||||
node->datum.u.xperms->perms.p[i];
|
||||
}
|
||||
update_xperms_extended_data(node->datum.u.xperms->specified,
|
||||
&node->datum.u.xperms->perms,
|
||||
xpermd->dontaudit);
|
||||
} else {
|
||||
BUG();
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user