Commit ba75082efc18ced6def42e8f85c494aa2578760e
Merge tag 'selinux-pr-20191126' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore: "Only three SELinux patches for v5.5: - Remove the size limit on SELinux policies, the limitation was a lingering vestige and no longer necessary. - Allow file labeling before the policy is loaded. This should ease some of the burden when the policy is initially loaded (no need to relabel files), but it should also help enable some new system concepts which dynamically create the root filesystem in the initrd. - Add support for the "greatest lower bound" policy construct which is defined as the intersection of the MLS range of two SELinux labels" * tag 'selinux-pr-20191126' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: default_range glblub implementation selinux: allow labeling before policy is loaded selinux: remove load size limit
Showing 9 changed files Side-by-side Diff
security/selinux/hooks.c
... | ... | @@ -3144,6 +3144,9 @@ |
3144 | 3144 | return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); |
3145 | 3145 | } |
3146 | 3146 | |
3147 | + if (!selinux_state.initialized) | |
3148 | + return (inode_owner_or_capable(inode) ? 0 : -EPERM); | |
3149 | + | |
3147 | 3150 | sbsec = inode->i_sb->s_security; |
3148 | 3151 | if (!(sbsec->flags & SBLABEL_MNT)) |
3149 | 3152 | return -EOPNOTSUPP; |
... | ... | @@ -3224,6 +3227,15 @@ |
3224 | 3227 | |
3225 | 3228 | if (strcmp(name, XATTR_NAME_SELINUX)) { |
3226 | 3229 | /* Not an attribute we recognize, so nothing to do. */ |
3230 | + return; | |
3231 | + } | |
3232 | + | |
3233 | + if (!selinux_state.initialized) { | |
3234 | + /* If we haven't even been initialized, then we can't validate | |
3235 | + * against a policy, so leave the label as invalid. It may | |
3236 | + * resolve to a valid label on the next revalidation try if | |
3237 | + * we've since initialized. | |
3238 | + */ | |
3227 | 3239 | return; |
3228 | 3240 | } |
3229 | 3241 |
security/selinux/include/security.h
... | ... | @@ -40,10 +40,11 @@ |
40 | 40 | #define POLICYDB_VERSION_CONSTRAINT_NAMES 29 |
41 | 41 | #define POLICYDB_VERSION_XPERMS_IOCTL 30 |
42 | 42 | #define POLICYDB_VERSION_INFINIBAND 31 |
43 | +#define POLICYDB_VERSION_GLBLUB 32 | |
43 | 44 | |
44 | 45 | /* Range of policy versions we understand*/ |
45 | 46 | #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE |
46 | -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_INFINIBAND | |
47 | +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_GLBLUB | |
47 | 48 | |
48 | 49 | /* Mask for just the mount related flags */ |
49 | 50 | #define SE_MNTMASK 0x0f |
security/selinux/selinuxfs.c
security/selinux/ss/context.h
... | ... | @@ -95,6 +95,38 @@ |
95 | 95 | return rc; |
96 | 96 | } |
97 | 97 | |
98 | + | |
99 | +static inline int mls_context_glblub(struct context *dst, | |
100 | + struct context *c1, struct context *c2) | |
101 | +{ | |
102 | + struct mls_range *dr = &dst->range, *r1 = &c1->range, *r2 = &c2->range; | |
103 | + int rc = 0; | |
104 | + | |
105 | + if (r1->level[1].sens < r2->level[0].sens || | |
106 | + r2->level[1].sens < r1->level[0].sens) | |
107 | + /* These ranges have no common sensitivities */ | |
108 | + return -EINVAL; | |
109 | + | |
110 | + /* Take the greatest of the low */ | |
111 | + dr->level[0].sens = max(r1->level[0].sens, r2->level[0].sens); | |
112 | + | |
113 | + /* Take the least of the high */ | |
114 | + dr->level[1].sens = min(r1->level[1].sens, r2->level[1].sens); | |
115 | + | |
116 | + rc = ebitmap_and(&dr->level[0].cat, | |
117 | + &r1->level[0].cat, &r2->level[0].cat); | |
118 | + if (rc) | |
119 | + goto out; | |
120 | + | |
121 | + rc = ebitmap_and(&dr->level[1].cat, | |
122 | + &r1->level[1].cat, &r2->level[1].cat); | |
123 | + if (rc) | |
124 | + goto out; | |
125 | + | |
126 | +out: | |
127 | + return rc; | |
128 | +} | |
129 | + | |
98 | 130 | static inline int mls_context_cmp(struct context *c1, struct context *c2) |
99 | 131 | { |
100 | 132 | return ((c1->range.level[0].sens == c2->range.level[0].sens) && |
security/selinux/ss/ebitmap.c
... | ... | @@ -77,6 +77,24 @@ |
77 | 77 | return 0; |
78 | 78 | } |
79 | 79 | |
80 | +int ebitmap_and(struct ebitmap *dst, struct ebitmap *e1, struct ebitmap *e2) | |
81 | +{ | |
82 | + struct ebitmap_node *n; | |
83 | + int bit, rc; | |
84 | + | |
85 | + ebitmap_init(dst); | |
86 | + | |
87 | + ebitmap_for_each_positive_bit(e1, n, bit) { | |
88 | + if (ebitmap_get_bit(e2, bit)) { | |
89 | + rc = ebitmap_set_bit(dst, bit, 1); | |
90 | + if (rc < 0) | |
91 | + return rc; | |
92 | + } | |
93 | + } | |
94 | + return 0; | |
95 | +} | |
96 | + | |
97 | + | |
80 | 98 | #ifdef CONFIG_NETLABEL |
81 | 99 | /** |
82 | 100 | * ebitmap_netlbl_export - Export an ebitmap into a NetLabel category bitmap |
security/selinux/ss/ebitmap.h
... | ... | @@ -124,6 +124,7 @@ |
124 | 124 | |
125 | 125 | int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2); |
126 | 126 | int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src); |
127 | +int ebitmap_and(struct ebitmap *dst, struct ebitmap *e1, struct ebitmap *e2); | |
127 | 128 | int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit); |
128 | 129 | int ebitmap_get_bit(struct ebitmap *e, unsigned long bit); |
129 | 130 | int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value); |
security/selinux/ss/mls.c
... | ... | @@ -529,6 +529,9 @@ |
529 | 529 | return mls_context_cpy_high(newcontext, tcontext); |
530 | 530 | case DEFAULT_TARGET_LOW_HIGH: |
531 | 531 | return mls_context_cpy(newcontext, tcontext); |
532 | + case DEFAULT_GLBLUB: | |
533 | + return mls_context_glblub(newcontext, | |
534 | + scontext, tcontext); | |
532 | 535 | } |
533 | 536 | |
534 | 537 | /* Fallthrough */ |
security/selinux/ss/policydb.c
... | ... | @@ -160,6 +160,11 @@ |
160 | 160 | .sym_num = SYM_NUM, |
161 | 161 | .ocon_num = OCON_NUM, |
162 | 162 | }, |
163 | + { | |
164 | + .version = POLICYDB_VERSION_GLBLUB, | |
165 | + .sym_num = SYM_NUM, | |
166 | + .ocon_num = OCON_NUM, | |
167 | + }, | |
163 | 168 | }; |
164 | 169 | |
165 | 170 | static struct policydb_compat_info *policydb_lookup_compat(int version) |