Merge tag 'selinux-pr-20191126' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore: "Only three SELinux patches for v5.5: - Remove the size limit on SELinux policies, the limitation was a lingering vestige and no longer necessary. - Allow file labeling before the policy is loaded. This should ease some of the burden when the policy is initially loaded (no need to relabel files), but it should also help enable some new system concepts which dynamically create the root filesystem in the initrd. - Add support for the "greatest lower bound" policy construct which is defined as the intersection of the MLS range of two SELinux labels" * tag 'selinux-pr-20191126' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: default_range glblub implementation selinux: allow labeling before policy is loaded selinux: remove load size limit

Merge tag 'selinux-pr-20191126' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore: "Only three SELinux patches for v5.5: - Remove the size limit on SELinux policies, the limitation was a lingering vestige and no longer necessary. - Allow file labeling before the policy is loaded. This should ease some of the burden when the policy is initially loaded (no need to relabel files), but it should also help enable some new system concepts which dynamically create the root filesystem in the initrd. - Add support for the "greatest lower bound" policy construct which is defined as the intersection of the MLS range of two SELinux labels" * tag 'selinux-pr-20191126' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: default_range glblub implementation selinux: allow labeling before policy is loaded selinux: remove load size limit
Linus Torvalds
2 parents 8a99117f6e 42345b68c2
Showing 9 changed files Side-by-side Diff
security/selinux/hooks.c
security/selinux/include/security.h
security/selinux/selinuxfs.c
security/selinux/ss/context.h
security/selinux/ss/ebitmap.c
security/selinux/ss/ebitmap.h
security/selinux/ss/mls.c
security/selinux/ss/policydb.c
security/selinux/ss/policydb.h
@@ -3144,6 +3144,9 @@
 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
 	}
  
+	if (!selinux_state.initialized)
+		return (inode_owner_or_capable(inode) ? 0 : -EPERM);
+
 	sbsec = inode->i_sb->s_security;
 	if (!(sbsec->flags & SBLABEL_MNT))
 		return -EOPNOTSUPP;
@@ -3224,6 +3227,15 @@
  
 	if (strcmp(name, XATTR_NAME_SELINUX)) {
 		/* Not an attribute we recognize, so nothing to do. */
+		return;
+	}
+
+	if (!selinux_state.initialized) {
+		/* If we haven't even been initialized, then we can't validate
+		 * against a policy, so leave the label as invalid. It may
+		 * resolve to a valid label on the next revalidation try if
+		 * we've since initialized.
+		 */
 		return;
 	}
  
@@ -40,10 +40,11 @@
 #define POLICYDB_VERSION_CONSTRAINT_NAMES	29
 #define POLICYDB_VERSION_XPERMS_IOCTL	30
 #define POLICYDB_VERSION_INFINIBAND		31
+#define POLICYDB_VERSION_GLBLUB		32
  
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_INFINIBAND
+#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_GLBLUB
  
 /* Mask for just the mount related flags */
 #define SE_MNTMASK	0x0f
@@ -548,10 +548,6 @@
 	if (*ppos != 0)
 		goto out;
  
-	length = -EFBIG;
-	if (count > 64 * 1024 * 1024)
-		goto out;
-
 	length = -ENOMEM;
 	data = vmalloc(count);
 	if (!data)
@@ -95,6 +95,38 @@
 	return rc;
 }
  
+
+static inline int mls_context_glblub(struct context *dst,
+				     struct context *c1, struct context *c2)
+{
+	struct mls_range *dr = &dst->range, *r1 = &c1->range, *r2 = &c2->range;
+	int rc = 0;
+
+	if (r1->level[1].sens < r2->level[0].sens ||
+	    r2->level[1].sens < r1->level[0].sens)
+		/* These ranges have no common sensitivities */
+		return -EINVAL;
+
+	/* Take the greatest of the low */
+	dr->level[0].sens = max(r1->level[0].sens, r2->level[0].sens);
+
+	/* Take the least of the high */
+	dr->level[1].sens = min(r1->level[1].sens, r2->level[1].sens);
+
+	rc = ebitmap_and(&dr->level[0].cat,
+			 &r1->level[0].cat, &r2->level[0].cat);
+	if (rc)
+		goto out;
+
+	rc = ebitmap_and(&dr->level[1].cat,
+			 &r1->level[1].cat, &r2->level[1].cat);
+	if (rc)
+		goto out;
+
+out:
+	return rc;
+}
+
 static inline int mls_context_cmp(struct context *c1, struct context *c2)
 {
 	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
@@ -77,6 +77,24 @@
 	return 0;
 }
  
+int ebitmap_and(struct ebitmap *dst, struct ebitmap *e1, struct ebitmap *e2)
+{
+	struct ebitmap_node *n;
+	int bit, rc;
+
+	ebitmap_init(dst);
+
+	ebitmap_for_each_positive_bit(e1, n, bit) {
+		if (ebitmap_get_bit(e2, bit)) {
+			rc = ebitmap_set_bit(dst, bit, 1);
+			if (rc < 0)
+				return rc;
+		}
+	}
+	return 0;
+}
+
+
 #ifdef CONFIG_NETLABEL
 /**
  * ebitmap_netlbl_export - Export an ebitmap into a NetLabel category bitmap
@@ -124,6 +124,7 @@
  
 int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2);
 int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src);
+int ebitmap_and(struct ebitmap *dst, struct ebitmap *e1, struct ebitmap *e2);
 int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit);
 int ebitmap_get_bit(struct ebitmap *e, unsigned long bit);
 int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
@@ -529,6 +529,9 @@
 			return mls_context_cpy_high(newcontext, tcontext);
 		case DEFAULT_TARGET_LOW_HIGH:
 			return mls_context_cpy(newcontext, tcontext);
+		case DEFAULT_GLBLUB:
+			return mls_context_glblub(newcontext,
+						  scontext, tcontext);
 		}
  
 		/* Fallthrough */
@@ -160,6 +160,11 @@
 		.sym_num	= SYM_NUM,
 		.ocon_num	= OCON_NUM,
 	},
+	{
+		.version	= POLICYDB_VERSION_GLBLUB,
+		.sym_num	= SYM_NUM,
+		.ocon_num	= OCON_NUM,
+	},
 };
  
 static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -69,6 +69,7 @@
 #define DEFAULT_TARGET_LOW     4
 #define DEFAULT_TARGET_HIGH    5
 #define DEFAULT_TARGET_LOW_HIGH        6
+#define DEFAULT_GLBLUB		7
 	char default_range;
 };
...	...	@@ -3144,6 +3144,9 @@
3144	3144	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3145	3145	}
3146	3146
	3147	+ if (!selinux_state.initialized)
	3148	+ return (inode_owner_or_capable(inode) ? 0 : -EPERM);
	3149	+
3147	3150	sbsec = inode->i_sb->s_security;
3148	3151	if (!(sbsec->flags & SBLABEL_MNT))
3149	3152	return -EOPNOTSUPP;
...	...	@@ -3224,6 +3227,15 @@
3224	3227
3225	3228	if (strcmp(name, XATTR_NAME_SELINUX)) {
3226	3229	/* Not an attribute we recognize, so nothing to do. */
	3230	+ return;
	3231	+ }
	3232	+
	3233	+ if (!selinux_state.initialized) {
	3234	+ /* If we haven't even been initialized, then we can't validate
	3235	+ * against a policy, so leave the label as invalid. It may
	3236	+ * resolve to a valid label on the next revalidation try if
	3237	+ * we've since initialized.
	3238	+ */
3227	3239	return;
3228	3240	}
3229	3241
...	...	@@ -40,10 +40,11 @@
40	40	#define POLICYDB_VERSION_CONSTRAINT_NAMES 29
41	41	#define POLICYDB_VERSION_XPERMS_IOCTL 30
42	42	#define POLICYDB_VERSION_INFINIBAND 31
	43	+#define POLICYDB_VERSION_GLBLUB 32
43	44
44	45	/* Range of policy versions we understand*/
45	46	#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
46		-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_INFINIBAND
	47	+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_GLBLUB
47	48
48	49	/* Mask for just the mount related flags */
49	50	#define SE_MNTMASK 0x0f
...	...	@@ -548,10 +548,6 @@
548	548	if (*ppos != 0)
549	549	goto out;
550	550
551		- length = -EFBIG;
552		- if (count > 64 * 1024 * 1024)
553		- goto out;
554		-
555	551	length = -ENOMEM;
556	552	data = vmalloc(count);
557	553	if (!data)
...	...	@@ -95,6 +95,38 @@
95	95	return rc;
96	96	}
97	97
	98	+
	99	+static inline int mls_context_glblub(struct context *dst,
	100	+ struct context c1, struct context c2)
	101	+{
	102	+ struct mls_range dr = &dst->range, r1 = &c1->range, *r2 = &c2->range;
	103	+ int rc = 0;
	104	+
	105	+ if (r1->level[1].sens < r2->level[0].sens \|\|
	106	+ r2->level[1].sens < r1->level[0].sens)
	107	+ /* These ranges have no common sensitivities */
	108	+ return -EINVAL;
	109	+
	110	+ /* Take the greatest of the low */
	111	+ dr->level[0].sens = max(r1->level[0].sens, r2->level[0].sens);
	112	+
	113	+ /* Take the least of the high */
	114	+ dr->level[1].sens = min(r1->level[1].sens, r2->level[1].sens);
	115	+
	116	+ rc = ebitmap_and(&dr->level[0].cat,
	117	+ &r1->level[0].cat, &r2->level[0].cat);
	118	+ if (rc)
	119	+ goto out;
	120	+
	121	+ rc = ebitmap_and(&dr->level[1].cat,
	122	+ &r1->level[1].cat, &r2->level[1].cat);
	123	+ if (rc)
	124	+ goto out;
	125	+
	126	+out:
	127	+ return rc;
	128	+}
	129	+
98	130	static inline int mls_context_cmp(struct context c1, struct context c2)
99	131	{
100	132	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
...	...	@@ -77,6 +77,24 @@
77	77	return 0;
78	78	}
79	79
	80	+int ebitmap_and(struct ebitmap dst, struct ebitmap e1, struct ebitmap *e2)
	81	+{
	82	+ struct ebitmap_node *n;
	83	+ int bit, rc;
	84	+
	85	+ ebitmap_init(dst);
	86	+
	87	+ ebitmap_for_each_positive_bit(e1, n, bit) {
	88	+ if (ebitmap_get_bit(e2, bit)) {
	89	+ rc = ebitmap_set_bit(dst, bit, 1);
	90	+ if (rc < 0)
	91	+ return rc;
	92	+ }
	93	+ }
	94	+ return 0;
	95	+}
	96	+
	97	+
80	98	#ifdef CONFIG_NETLABEL
81	99	/**
82	100	* ebitmap_netlbl_export - Export an ebitmap into a NetLabel category bitmap
...	...	@@ -124,6 +124,7 @@
124	124
125	125	int ebitmap_cmp(struct ebitmap e1, struct ebitmap e2);
126	126	int ebitmap_cpy(struct ebitmap dst, struct ebitmap src);
	127	+int ebitmap_and(struct ebitmap dst, struct ebitmap e1, struct ebitmap *e2);
127	128	int ebitmap_contains(struct ebitmap e1, struct ebitmap e2, u32 last_e2bit);
128	129	int ebitmap_get_bit(struct ebitmap *e, unsigned long bit);
129	130	int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
...	...	@@ -529,6 +529,9 @@
529	529	return mls_context_cpy_high(newcontext, tcontext);
530	530	case DEFAULT_TARGET_LOW_HIGH:
531	531	return mls_context_cpy(newcontext, tcontext);
	532	+ case DEFAULT_GLBLUB:
	533	+ return mls_context_glblub(newcontext,
	534	+ scontext, tcontext);
532	535	}
533	536
534	537	/* Fallthrough */
...	...	@@ -160,6 +160,11 @@
160	160	.sym_num = SYM_NUM,
161	161	.ocon_num = OCON_NUM,
162	162	},
	163	+ {
	164	+ .version = POLICYDB_VERSION_GLBLUB,
	165	+ .sym_num = SYM_NUM,
	166	+ .ocon_num = OCON_NUM,
	167	+ },
163	168	};
164	169
165	170	static struct policydb_compat_info *policydb_lookup_compat(int version)
...	...	@@ -69,6 +69,7 @@
69	69	#define DEFAULT_TARGET_LOW 4
70	70	#define DEFAULT_TARGET_HIGH 5
71	71	#define DEFAULT_TARGET_LOW_HIGH 6
	72	+#define DEFAULT_GLBLUB 7
72	73	char default_range;
73	74	};
74	75