Eric Lee / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c

Authored by Stephen Smalley
Committed by James Morris
1 parent 23acb98de5
Exists in master and in 39 other branches 8mp-imx_5.4.70_2.3.0, 8qm-imx_5.4.70_2.3.0, emb_imx_lf-5.15.y, emb_lf-6.1.y, imx_3.0.35_4.1.0, imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, imx_4.1.15_1.0.0_ga, pitx_8mp_lf-5.10.y, rt-smarc-imx_4.1.15_1.0.0_ga, rt_linux_5.15.71, smarc-8m-android-11.0.0_2.0.0, smarc-imx6_4.14.98_2.0.0_ga, smarc-imx6_4.9.88_2.0.0_ga, smarc-imx7_4.14.98_2.0.0_ga, smarc-imx7_4.9.11_1.0.0_ga, smarc-imx7_4.9.88_2.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga, smarc-imx_4.1.15_1.0.0_ga, smarc-imx_4.9.11_1.0.0_ga, smarc-imx_4.9.51_imx8m_ga, smarc-imx_4.9.88_2.0.0_ga, smarc-m6.0.1_2.1.0-ga, smarc-n7.1.2_2.0.0-ga, smarc-rel_imx_4.1.15_1.2.0_ga, smarc_8m_00d0_imx_4.14.98_2.0.0_ga, smarc_8m_imx_4.14.78_1.0.0_ga, smarc_8m_imx_4.14.98_2.0.0_ga, smarc_8m_imx_4.19.35_1.1.0, smarc_8mm_imx_4.14.78_1.0.0_ga, smarc_8mm_imx_4.14.98_2.0.0_ga, smarc_8mm_imx_4.19.35_1.1.0, smarc_8mm_imx_5.4.24_2.1.0, smarc_8mp_lf-5.10.y, smarc_8mq_imx_5.4.24_2.1.0, smarc_8mq_lf-5.10.y, smarc_imx_lf-5.15.y

selinux: dynamic class/perm discovery 

Modify SELinux to dynamically discover class and permission values
upon policy load, based on the dynamic object class/perm discovery
logic from libselinux.  A mapping is created between kernel-private
class and permission indices used outside the security server and the
policy values used within the security server.

The mappings are only applied upon kernel-internal computations;
similar mappings for the private indices of userspace object managers
is handled on a per-object manager basis by the userspace AVC.  The
interfaces for compute_av and transition_sid are split for kernel
vs. userspace; the userspace functions are distinguished by a _user
suffix.

The kernel-private class indices are no longer tied to the policy
values and thus do not need to skip indices for userspace classes;
thus the kernel class index values are compressed.  The flask.h
definitions were regenerated by deleting the userspace classes from
refpolicy's definitions and then regenerating the headers.  Going
forward, we can just maintain the flask.h, av_permissions.h, and
classmap.h definitions separately from policy as they are no longer
tied to the policy values.  The next patch introduces a utility to
automate generation of flask.h and av_permissions.h from the
classmap.h definitions.

The older kernel class and permission string tables are removed and
replaced by a single security class mapping table that is walked at
policy load to generate the mapping.  The old kernel class validation
logic is completely replaced by the mapping logic.

The handle unknown logic is reworked.  reject_unknown=1 is handled
when the mappings are computed at policy load time, similar to the old
handling by the class validation logic.  allow_unknown=1 is handled
when computing and mapping decisions - if the permission was not able
to be mapped (i.e. undefined, mapped to zero), then it is
automatically added to the allowed vector.  If the class was not able
to be mapped (i.e. undefined, mapped to zero), then all permissions
are allowed for it if allow_unknown=1.

avc_audit leverages the new security class mapping table to lookup the
class and permission names from the kernel-private indices.

The mdp program is updated to use the new table when generating the
class definitions and allow rules for a minimal boot policy for the
kernel.  It should be noted that this policy will not include any
userspace classes, nor will its policy index values for the kernel
classes correspond with the ones in refpolicy (they will instead match
the kernel-private indices).

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

Showing 16 changed files with 583 additions and 867 deletions Side-by-side Diff

scripts/selinux/mdp/mdp.c
Diff comments   View file @ c6d3aaa
... ... @@ -29,86 +29,27 @@
29 29 #include <unistd.h>
30 30 #include <string.h>
31 31  
32   -#include "flask.h"
33   -
34 32 static void usage(char *name)
35 33 {
36 34 printf("usage: %s [-m] policy_file context_file\n", name);
37 35 exit(1);
38 36 }
39 37  
40   -static void find_common_name(char *cname, char *dest, int len)
41   -{
42   - char *start, *end;
43   -
44   - start = strchr(cname, '_')+1;
45   - end = strchr(start, '_');
46   - if (!start || !end || start-cname > len || end-start > len) {
47   - printf("Error with commons defines\n");
48   - exit(1);
49   - }
50   - strncpy(dest, start, end-start);
51   - dest[end-start] = '\0';
52   -}
53   -
54   -#define S_(x) x,
55   -static char *classlist[] = {
56   -#include "class_to_string.h"
57   - NULL
  38 +/* Class/perm mapping support */
  39 +struct security_class_mapping {
  40 + const char *name;
  41 + const char *perms[sizeof(unsigned) * 8 + 1];
58 42 };
59   -#undef S_
60 43  
  44 +#include "classmap.h"
61 45 #include "initial_sid_to_string.h"
62 46  
63   -#define TB_(x) char *x[] = {
64   -#define TE_(x) NULL };
65   -#define S_(x) x,
66   -#include "common_perm_to_string.h"
67   -#undef TB_
68   -#undef TE_
69   -#undef S_
70   -
71   -struct common {
72   - char *cname;
73   - char **perms;
74   -};
75   -struct common common[] = {
76   -#define TB_(x) { #x, x },
77   -#define S_(x)
78   -#define TE_(x)
79   -#include "common_perm_to_string.h"
80   -#undef TB_
81   -#undef TE_
82   -#undef S_
83   -};
84   -
85   -#define S_(x, y, z) {x, #y},
86   -struct av_inherit {
87   - int class;
88   - char *common;
89   -};
90   -struct av_inherit av_inherit[] = {
91   -#include "av_inherit.h"
92   -};
93   -#undef S_
94   -
95   -#include "av_permissions.h"
96   -#define S_(x, y, z) {x, y, z},
97   -struct av_perms {
98   - int class;
99   - int perm_i;
100   - char *perm_s;
101   -};
102   -struct av_perms av_perms[] = {
103   -#include "av_perm_to_string.h"
104   -};
105   -#undef S_
106   -
107 47 int main(int argc, char *argv[])
108 48 {
109 49 int i, j, mls = 0;
  50 + int initial_sid_to_string_len;
110 51 char **arg, *polout, *ctxout;
111   - int classlist_len, initial_sid_to_string_len;
  52 +
112 53 FILE *fout;
113 54  
114 55 if (argc < 3)
115 56  
116 57  
117 58  
118 59  
... ... @@ -127,67 +68,28 @@
127 68 usage(argv[0]);
128 69 }
129 70  
130   - classlist_len = sizeof(classlist) / sizeof(char *);
131 71 /* print out the classes */
132   - for (i=1; i < classlist_len; i++) {
133   - if(classlist[i])
134   - fprintf(fout, "class %s\n", classlist[i]);
135   - else
136   - fprintf(fout, "class user%d\n", i);
137   - }
  72 + for (i = 0; secclass_map[i].name; i++)
  73 + fprintf(fout, "class %s\n", secclass_map[i].name);
138 74 fprintf(fout, "\n");
139 75  
140 76 initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
141 77 /* print out the sids */
142   - for (i=1; i < initial_sid_to_string_len; i++)
  78 + for (i = 1; i < initial_sid_to_string_len; i++)
143 79 fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
144 80 fprintf(fout, "\n");
145 81  
146   - /* print out the commons */
147   - for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
148   - char cname[101];
149   - find_common_name(common[i].cname, cname, 100);
150   - cname[100] = '\0';
151   - fprintf(fout, "common %s\n{\n", cname);
152   - for (j=0; common[i].perms[j]; j++)
153   - fprintf(fout, "\t%s\n", common[i].perms[j]);
  82 + /* print out the class permissions */
  83 + for (i = 0; secclass_map[i].name; i++) {
  84 + struct security_class_mapping *map = &secclass_map[i];
  85 + fprintf(fout, "class %s\n", map->name);
  86 + fprintf(fout, "{\n");
  87 + for (j = 0; map->perms[j]; j++)
  88 + fprintf(fout, "\t%s\n", map->perms[j]);
154 89 fprintf(fout, "}\n\n");
155 90 }
156 91 fprintf(fout, "\n");
157 92  
158   - /* print out the class permissions */
159   - for (i=1; i < classlist_len; i++) {
160   - if (classlist[i]) {
161   - int firstperm = -1, numperms = 0;
162   -
163   - fprintf(fout, "class %s\n", classlist[i]);
164   - /* does it inherit from a common? */
165   - for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
166   - if (av_inherit[j].class == i)
167   - fprintf(fout, "inherits %s\n", av_inherit[j].common);
168   -
169   - for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
170   - if (av_perms[j].class == i) {
171   - if (firstperm == -1)
172   - firstperm = j;
173   - numperms++;
174   - }
175   - }
176   - if (!numperms) {
177   - fprintf(fout, "\n");
178   - continue;
179   - }
180   -
181   - fprintf(fout, "{\n");
182   - /* print out the av_perms */
183   - for (j=0; j < numperms; j++) {
184   - fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
185   - }
186   - fprintf(fout, "}\n\n");
187   - }
188   - }
189   - fprintf(fout, "\n");
190   -
191 93 /* NOW PRINT OUT MLS STUFF */
192 94 if (mls) {
193 95 printf("MLS not yet implemented\n");
194 96  
195 97  
196 98  
197 99  
198 100  
199 101  
200 102  
... ... @@ -197,31 +99,34 @@
197 99 /* types, roles, and allows */
198 100 fprintf(fout, "type base_t;\n");
199 101 fprintf(fout, "role base_r types { base_t };\n");
200   - for (i=1; i < classlist_len; i++) {
201   - if (classlist[i])
202   - fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
203   - else
204   - fprintf(fout, "allow base_t base_t:user%d *;\n", i);
205   - }
  102 + for (i = 0; secclass_map[i].name; i++)
  103 + fprintf(fout, "allow base_t base_t:%s *;\n",
  104 + secclass_map[i].name);
206 105 fprintf(fout, "user user_u roles { base_r };\n");
207 106 fprintf(fout, "\n");
208 107  
209 108 /* default sids */
210   - for (i=1; i < initial_sid_to_string_len; i++)
  109 + for (i = 1; i < initial_sid_to_string_len; i++)
211 110 fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
212 111 fprintf(fout, "\n");
213 112  
214   -
215 113 fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
216 114 fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
  115 + fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
217 116 fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
218 117 fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
219 118 fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
  119 + fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
  120 + fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
  121 + fprintf(fout, "fs_use_xattr lustre user_u:base_r:base_t;\n");
220 122  
  123 + fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
221 124 fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
222 125 fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
223 126  
  127 + fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
224 128 fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
  129 + fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
225 130 fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
226 131 fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
227 132  
security/selinux/avc.c
Diff comments   View file @ c6d3aaa
... ... @@ -31,44 +31,8 @@
31 31 #include <net/ipv6.h>
32 32 #include "avc.h"
33 33 #include "avc_ss.h"
  34 +#include "classmap.h"
34 35  
35   -static const struct av_perm_to_string av_perm_to_string[] = {
36   -#define S_(c, v, s) { c, v, s },
37   -#include "av_perm_to_string.h"
38   -#undef S_
39   -};
40   -
41   -static const char *class_to_string[] = {
42   -#define S_(s) s,
43   -#include "class_to_string.h"
44   -#undef S_
45   -};
46   -
47   -#define TB_(s) static const char *s[] = {
48   -#define TE_(s) };
49   -#define S_(s) s,
50   -#include "common_perm_to_string.h"
51   -#undef TB_
52   -#undef TE_
53   -#undef S_
54   -
55   -static const struct av_inherit av_inherit[] = {
56   -#define S_(c, i, b) { .tclass = c,\
57   - .common_pts = common_##i##_perm_to_string,\
58   - .common_base = b },
59   -#include "av_inherit.h"
60   -#undef S_
61   -};
62   -
63   -const struct selinux_class_perm selinux_class_perm = {
64   - .av_perm_to_string = av_perm_to_string,
65   - .av_pts_len = ARRAY_SIZE(av_perm_to_string),
66   - .class_to_string = class_to_string,
67   - .cts_len = ARRAY_SIZE(class_to_string),
68   - .av_inherit = av_inherit,
69   - .av_inherit_len = ARRAY_SIZE(av_inherit)
70   -};
71   -
72 36 #define AVC_CACHE_SLOTS 512
73 37 #define AVC_DEF_CACHE_THRESHOLD 512
74 38 #define AVC_CACHE_RECLAIM 16
75 39  
76 40  
77 41  
78 42  
... ... @@ -139,52 +103,28 @@
139 103 */
140 104 static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
141 105 {
142   - const char **common_pts = NULL;
143   - u32 common_base = 0;
144   - int i, i2, perm;
  106 + const char **perms;
  107 + int i, perm;
145 108  
146 109 if (av == 0) {
147 110 audit_log_format(ab, " null");
148 111 return;
149 112 }
150 113  
151   - for (i = 0; i < ARRAY_SIZE(av_inherit); i++) {
152   - if (av_inherit[i].tclass == tclass) {
153   - common_pts = av_inherit[i].common_pts;
154   - common_base = av_inherit[i].common_base;
155   - break;
156   - }
157   - }
  114 + perms = secclass_map[tclass-1].perms;
158 115  
159 116 audit_log_format(ab, " {");
160 117 i = 0;
161 118 perm = 1;
162   - while (perm < common_base) {
  119 + while (i < (sizeof(av) * 8)) {
163 120 if (perm & av) {
164   - audit_log_format(ab, " %s", common_pts[i]);
  121 + audit_log_format(ab, " %s", perms[i]);
165 122 av &= ~perm;
166 123 }
167 124 i++;
168 125 perm <<= 1;
169 126 }
170 127  
171   - while (i < sizeof(av) * 8) {
172   - if (perm & av) {
173   - for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) {
174   - if ((av_perm_to_string[i2].tclass == tclass) &&
175   - (av_perm_to_string[i2].value == perm))
176   - break;
177   - }
178   - if (i2 < ARRAY_SIZE(av_perm_to_string)) {
179   - audit_log_format(ab, " %s",
180   - av_perm_to_string[i2].name);
181   - av &= ~perm;
182   - }
183   - }
184   - i++;
185   - perm <<= 1;
186   - }
187   -
188 128 if (av)
189 129 audit_log_format(ab, " 0x%x", av);
190 130  
... ... @@ -219,8 +159,8 @@
219 159 kfree(scontext);
220 160 }
221 161  
222   - BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]);
223   - audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
  162 + BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
  163 + audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
224 164 }
225 165  
226 166 /**
security/selinux/include/av_inherit.h
View file @ c6d3aaa
1   -/* This file is automatically generated. Do not edit. */
2   - S_(SECCLASS_DIR, file, 0x00020000UL)
3   - S_(SECCLASS_FILE, file, 0x00020000UL)
4   - S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
5   - S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
6   - S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
7   - S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
8   - S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
9   - S_(SECCLASS_SOCKET, socket, 0x00400000UL)
10   - S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
11   - S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
12   - S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
13   - S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
14   - S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
15   - S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
16   - S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
17   - S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
18   - S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL)
19   - S_(SECCLASS_IPC, ipc, 0x00000200UL)
20   - S_(SECCLASS_SEM, ipc, 0x00000200UL)
21   - S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
22   - S_(SECCLASS_SHM, ipc, 0x00000200UL)
23   - S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
24   - S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
25   - S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
26   - S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
27   - S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
28   - S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
29   - S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
30   - S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
31   - S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
32   - S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
33   - S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
34   - S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)
security/selinux/include/av_perm_to_string.h
View file @ c6d3aaa
1   -/* This file is automatically generated. Do not edit. */
2   - S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
3   - S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
4   - S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
5   - S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
6   - S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
7   - S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
8   - S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
9   - S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
10   - S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
11   - S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
12   - S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
13   - S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
14   - S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
15   - S_(SECCLASS_DIR, DIR__SEARCH, "search")
16   - S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
17   - S_(SECCLASS_DIR, DIR__OPEN, "open")
18   - S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
19   - S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
20   - S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
21   - S_(SECCLASS_FILE, FILE__OPEN, "open")
22   - S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
23   - S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
24   - S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
25   - S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
26   - S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
27   - S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
28   - S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
29   - S_(SECCLASS_FD, FD__USE, "use")
30   - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
31   - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
32   - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
33   - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
34   - S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
35   - S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
36   - S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
37   - S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
38   - S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
39   - S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
40   - S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
41   - S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
42   - S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
43   - S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
44   - S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
45   - S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
46   - S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
47   - S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
48   - S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
49   - S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
50   - S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
51   - S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
52   - S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
53   - S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
54   - S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
55   - S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
56   - S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
57   - S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
58   - S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
59   - S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
60   - S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
61   - S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
62   - S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
63   - S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
64   - S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
65   - S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
66   - S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
67   - S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
68   - S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
69   - S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
70   - S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
71   - S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
72   - S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
73   - S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
74   - S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
75   - S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
76   - S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
77   - S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
78   - S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
79   - S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
80   - S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
81   - S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
82   - S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
83   - S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
84   - S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
85   - S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
86   - S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
87   - S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
88   - S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
89   - S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
90   - S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
91   - S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
92   - S_(SECCLASS_MSG, MSG__SEND, "send")
93   - S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
94   - S_(SECCLASS_SHM, SHM__LOCK, "lock")
95   - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
96   - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
97   - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
98   - S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
99   - S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
100   - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
101   - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
102   - S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
103   - S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
104   - S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
105   - S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
106   - S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
107   - S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
108   - S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
109   - S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
110   - S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
111   - S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
112   - S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
113   - S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
114   - S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
115   - S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
116   - S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
117   - S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
118   - S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
119   - S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
120   - S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
121   - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
122   - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
123   - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
124   - S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
125   - S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
126   - S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
127   - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
128   - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
129   - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
130   - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
131   - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
132   - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
133   - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
134   - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
135   - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
136   - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
137   - S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
138   - S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
139   - S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
140   - S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
141   - S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
142   - S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
143   - S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
144   - S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
145   - S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
146   - S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
147   - S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
148   - S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
149   - S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
150   - S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
151   - S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
152   - S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
153   - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
154   - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
155   - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
156   - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
157   - S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
158   - S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
159   - S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
160   - S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
161   - S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
162   - S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
163   - S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
164   - S_(SECCLASS_PACKET, PACKET__SEND, "send")
165   - S_(SECCLASS_PACKET, PACKET__RECV, "recv")
166   - S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
167   - S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
168   - S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
169   - S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
170   - S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
171   - S_(SECCLASS_KEY, KEY__VIEW, "view")
172   - S_(SECCLASS_KEY, KEY__READ, "read")
173   - S_(SECCLASS_KEY, KEY__WRITE, "write")
174   - S_(SECCLASS_KEY, KEY__SEARCH, "search")
175   - S_(SECCLASS_KEY, KEY__LINK, "link")
176   - S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
177   - S_(SECCLASS_KEY, KEY__CREATE, "create")
178   - S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
179   - S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
180   - S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
181   - S_(SECCLASS_PEER, PEER__RECV, "recv")
182   - S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
183   - S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")
security/selinux/include/av_permissions.h
Diff comments   View file @ c6d3aaa
... ... @@ -423,28 +423,6 @@
423 423 #define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL
424 424 #define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL
425 425 #define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL
426   -#define TUN_SOCKET__IOCTL 0x00000001UL
427   -#define TUN_SOCKET__READ 0x00000002UL
428   -#define TUN_SOCKET__WRITE 0x00000004UL
429   -#define TUN_SOCKET__CREATE 0x00000008UL
430   -#define TUN_SOCKET__GETATTR 0x00000010UL
431   -#define TUN_SOCKET__SETATTR 0x00000020UL
432   -#define TUN_SOCKET__LOCK 0x00000040UL
433   -#define TUN_SOCKET__RELABELFROM 0x00000080UL
434   -#define TUN_SOCKET__RELABELTO 0x00000100UL
435   -#define TUN_SOCKET__APPEND 0x00000200UL
436   -#define TUN_SOCKET__BIND 0x00000400UL
437   -#define TUN_SOCKET__CONNECT 0x00000800UL
438   -#define TUN_SOCKET__LISTEN 0x00001000UL
439   -#define TUN_SOCKET__ACCEPT 0x00002000UL
440   -#define TUN_SOCKET__GETOPT 0x00004000UL
441   -#define TUN_SOCKET__SETOPT 0x00008000UL
442   -#define TUN_SOCKET__SHUTDOWN 0x00010000UL
443   -#define TUN_SOCKET__RECVFROM 0x00020000UL
444   -#define TUN_SOCKET__SENDTO 0x00040000UL
445   -#define TUN_SOCKET__RECV_MSG 0x00080000UL
446   -#define TUN_SOCKET__SEND_MSG 0x00100000UL
447   -#define TUN_SOCKET__NAME_BIND 0x00200000UL
448 426 #define PROCESS__FORK 0x00000001UL
449 427 #define PROCESS__TRANSITION 0x00000002UL
450 428 #define PROCESS__SIGCHLD 0x00000004UL
... ... @@ -868,4 +846,26 @@
868 846 #define PEER__RECV 0x00000001UL
869 847 #define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL
870 848 #define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL
  849 +#define TUN_SOCKET__IOCTL 0x00000001UL
  850 +#define TUN_SOCKET__READ 0x00000002UL
  851 +#define TUN_SOCKET__WRITE 0x00000004UL
  852 +#define TUN_SOCKET__CREATE 0x00000008UL
  853 +#define TUN_SOCKET__GETATTR 0x00000010UL
  854 +#define TUN_SOCKET__SETATTR 0x00000020UL
  855 +#define TUN_SOCKET__LOCK 0x00000040UL
  856 +#define TUN_SOCKET__RELABELFROM 0x00000080UL
  857 +#define TUN_SOCKET__RELABELTO 0x00000100UL
  858 +#define TUN_SOCKET__APPEND 0x00000200UL
  859 +#define TUN_SOCKET__BIND 0x00000400UL
  860 +#define TUN_SOCKET__CONNECT 0x00000800UL
  861 +#define TUN_SOCKET__LISTEN 0x00001000UL
  862 +#define TUN_SOCKET__ACCEPT 0x00002000UL
  863 +#define TUN_SOCKET__GETOPT 0x00004000UL
  864 +#define TUN_SOCKET__SETOPT 0x00008000UL
  865 +#define TUN_SOCKET__SHUTDOWN 0x00010000UL
  866 +#define TUN_SOCKET__RECVFROM 0x00020000UL
  867 +#define TUN_SOCKET__SENDTO 0x00040000UL
  868 +#define TUN_SOCKET__RECV_MSG 0x00080000UL
  869 +#define TUN_SOCKET__SEND_MSG 0x00100000UL
  870 +#define TUN_SOCKET__NAME_BIND 0x00200000UL
security/selinux/include/avc_ss.h
Diff comments   View file @ c6d3aaa
... ... @@ -10,26 +10,13 @@
10 10  
11 11 int avc_ss_reset(u32 seqno);
12 12  
13   -struct av_perm_to_string {
14   - u16 tclass;
15   - u32 value;
  13 +/* Class/perm mapping support */
  14 +struct security_class_mapping {
16 15 const char *name;
  16 + const char *perms[sizeof(u32) * 8 + 1];
17 17 };
18 18  
19   -struct av_inherit {
20   - const char **common_pts;
21   - u32 common_base;
22   - u16 tclass;
23   -};
24   -
25   -struct selinux_class_perm {
26   - const struct av_perm_to_string *av_perm_to_string;
27   - u32 av_pts_len;
28   - u32 cts_len;
29   - const char **class_to_string;
30   - const struct av_inherit *av_inherit;
31   - u32 av_inherit_len;
32   -};
  19 +extern struct security_class_mapping secclass_map[];
33 20  
34 21 #endif /* _SELINUX_AVC_SS_H_ */
security/selinux/include/class_to_string.h
View file @ c6d3aaa
1   -/* This file is automatically generated. Do not edit. */
2   -/*
3   - * Security object class definitions
4   - */
5   - S_(NULL)
6   - S_("security")
7   - S_("process")
8   - S_("system")
9   - S_("capability")
10   - S_("filesystem")
11   - S_("file")
12   - S_("dir")
13   - S_("fd")
14   - S_("lnk_file")
15   - S_("chr_file")
16   - S_("blk_file")
17   - S_("sock_file")
18   - S_("fifo_file")
19   - S_("socket")
20   - S_("tcp_socket")
21   - S_("udp_socket")
22   - S_("rawip_socket")
23   - S_("node")
24   - S_("netif")
25   - S_("netlink_socket")
26   - S_("packet_socket")
27   - S_("key_socket")
28   - S_("unix_stream_socket")
29   - S_("unix_dgram_socket")
30   - S_("sem")
31   - S_("msg")
32   - S_("msgq")
33   - S_("shm")
34   - S_("ipc")
35   - S_(NULL)
36   - S_(NULL)
37   - S_(NULL)
38   - S_(NULL)
39   - S_(NULL)
40   - S_(NULL)
41   - S_(NULL)
42   - S_(NULL)
43   - S_(NULL)
44   - S_(NULL)
45   - S_(NULL)
46   - S_(NULL)
47   - S_(NULL)
48   - S_("netlink_route_socket")
49   - S_("netlink_firewall_socket")
50   - S_("netlink_tcpdiag_socket")
51   - S_("netlink_nflog_socket")
52   - S_("netlink_xfrm_socket")
53   - S_("netlink_selinux_socket")
54   - S_("netlink_audit_socket")
55   - S_("netlink_ip6fw_socket")
56   - S_("netlink_dnrt_socket")
57   - S_(NULL)
58   - S_(NULL)
59   - S_("association")
60   - S_("netlink_kobject_uevent_socket")
61   - S_("appletalk_socket")
62   - S_("packet")
63   - S_("key")
64   - S_(NULL)
65   - S_("dccp_socket")
66   - S_("memprotect")
67   - S_(NULL)
68   - S_(NULL)
69   - S_(NULL)
70   - S_(NULL)
71   - S_(NULL)
72   - S_(NULL)
73   - S_("peer")
74   - S_("capability2")
75   - S_(NULL)
76   - S_(NULL)
77   - S_(NULL)
78   - S_(NULL)
79   - S_("kernel_service")
80   - S_("tun_socket")
security/selinux/include/classmap.h
Diff comments   View file @ c6d3aaa
  1 +#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
  2 + "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
  3 +
  4 +#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
  5 + "rename", "execute", "swapon", "quotaon", "mounton"
  6 +
  7 +#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
  8 + "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
  9 + "sendto", "recv_msg", "send_msg", "name_bind"
  10 +
  11 +#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
  12 + "write", "associate", "unix_read", "unix_write"
  13 +
  14 +struct security_class_mapping secclass_map[] = {
  15 + { "security",
  16 + { "compute_av", "compute_create", "compute_member",
  17 + "check_context", "load_policy", "compute_relabel",
  18 + "compute_user", "setenforce", "setbool", "setsecparam",
  19 + "setcheckreqprot", NULL } },
  20 + { "process",
  21 + { "fork", "transition", "sigchld", "sigkill",
  22 + "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
  23 + "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
  24 + "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
  25 + "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
  26 + "execmem", "execstack", "execheap", "setkeycreate",
  27 + "setsockcreate", NULL } },
  28 + { "system",
  29 + { "ipc_info", "syslog_read", "syslog_mod",
  30 + "syslog_console", "module_request", NULL } },
  31 + { "capability",
  32 + { "chown", "dac_override", "dac_read_search",
  33 + "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
  34 + "linux_immutable", "net_bind_service", "net_broadcast",
  35 + "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
  36 + "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
  37 + "sys_boot", "sys_nice", "sys_resource", "sys_time",
  38 + "sys_tty_config", "mknod", "lease", "audit_write",
  39 + "audit_control", "setfcap", NULL } },
  40 + { "filesystem",
  41 + { "mount", "remount", "unmount", "getattr",
  42 + "relabelfrom", "relabelto", "transition", "associate", "quotamod",
  43 + "quotaget", NULL } },
  44 + { "file",
  45 + { COMMON_FILE_PERMS,
  46 + "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
  47 + { "dir",
  48 + { COMMON_FILE_PERMS, "add_name", "remove_name",
  49 + "reparent", "search", "rmdir", "open", NULL } },
  50 + { "fd", { "use", NULL } },
  51 + { "lnk_file",
  52 + { COMMON_FILE_PERMS, NULL } },
  53 + { "chr_file",
  54 + { COMMON_FILE_PERMS,
  55 + "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
  56 + { "blk_file",
  57 + { COMMON_FILE_PERMS, "open", NULL } },
  58 + { "sock_file",
  59 + { COMMON_FILE_PERMS, "open", NULL } },
  60 + { "fifo_file",
  61 + { COMMON_FILE_PERMS, "open", NULL } },
  62 + { "socket",
  63 + { COMMON_SOCK_PERMS, NULL } },
  64 + { "tcp_socket",
  65 + { COMMON_SOCK_PERMS,
  66 + "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
  67 + NULL } },
  68 + { "udp_socket",
  69 + { COMMON_SOCK_PERMS,
  70 + "node_bind", NULL } },
  71 + { "rawip_socket",
  72 + { COMMON_SOCK_PERMS,
  73 + "node_bind", NULL } },
  74 + { "node",
  75 + { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
  76 + "rawip_recv", "rawip_send", "enforce_dest",
  77 + "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
  78 + { "netif",
  79 + { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
  80 + "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
  81 + "ingress", "egress", NULL } },
  82 + { "netlink_socket",
  83 + { COMMON_SOCK_PERMS, NULL } },
  84 + { "packet_socket",
  85 + { COMMON_SOCK_PERMS, NULL } },
  86 + { "key_socket",
  87 + { COMMON_SOCK_PERMS, NULL } },
  88 + { "unix_stream_socket",
  89 + { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
  90 + } },
  91 + { "unix_dgram_socket",
  92 + { COMMON_SOCK_PERMS, NULL
  93 + } },
  94 + { "sem",
  95 + { COMMON_IPC_PERMS, NULL } },
  96 + { "msg", { "send", "receive", NULL } },
  97 + { "msgq",
  98 + { COMMON_IPC_PERMS, "enqueue", NULL } },
  99 + { "shm",
  100 + { COMMON_IPC_PERMS, "lock", NULL } },
  101 + { "ipc",
  102 + { COMMON_IPC_PERMS, NULL } },
  103 + { "netlink_route_socket",
  104 + { COMMON_SOCK_PERMS,
  105 + "nlmsg_read", "nlmsg_write", NULL } },
  106 + { "netlink_firewall_socket",
  107 + { COMMON_SOCK_PERMS,
  108 + "nlmsg_read", "nlmsg_write", NULL } },
  109 + { "netlink_tcpdiag_socket",
  110 + { COMMON_SOCK_PERMS,
  111 + "nlmsg_read", "nlmsg_write", NULL } },
  112 + { "netlink_nflog_socket",
  113 + { COMMON_SOCK_PERMS, NULL } },
  114 + { "netlink_xfrm_socket",
  115 + { COMMON_SOCK_PERMS,
  116 + "nlmsg_read", "nlmsg_write", NULL } },
  117 + { "netlink_selinux_socket",
  118 + { COMMON_SOCK_PERMS, NULL } },
  119 + { "netlink_audit_socket",
  120 + { COMMON_SOCK_PERMS,
  121 + "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
  122 + "nlmsg_tty_audit", NULL } },
  123 + { "netlink_ip6fw_socket",
  124 + { COMMON_SOCK_PERMS,
  125 + "nlmsg_read", "nlmsg_write", NULL } },
  126 + { "netlink_dnrt_socket",
  127 + { COMMON_SOCK_PERMS, NULL } },
  128 + { "association",
  129 + { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
  130 + { "netlink_kobject_uevent_socket",
  131 + { COMMON_SOCK_PERMS, NULL } },
  132 + { "appletalk_socket",
  133 + { COMMON_SOCK_PERMS, NULL } },
  134 + { "packet",
  135 + { "send", "recv", "relabelto", "flow_in", "flow_out",
  136 + "forward_in", "forward_out", NULL } },
  137 + { "key",
  138 + { "view", "read", "write", "search", "link", "setattr", "create",
  139 + NULL } },
  140 + { "dccp_socket",
  141 + { COMMON_SOCK_PERMS,
  142 + "node_bind", "name_connect", NULL } },
  143 + { "memprotect", { "mmap_zero", NULL } },
  144 + { "peer", { "recv", NULL } },
  145 + { "capability2", { "mac_override", "mac_admin", NULL } },
  146 + { "kernel_service", { "use_as_override", "create_files_as", NULL } },
  147 + { "tun_socket",
  148 + { COMMON_SOCK_PERMS, NULL } },
  149 + { NULL }
  150 + };
security/selinux/include/common_perm_to_string.h
View file @ c6d3aaa
1   -/* This file is automatically generated. Do not edit. */
2   -TB_(common_file_perm_to_string)
3   - S_("ioctl")
4   - S_("read")
5   - S_("write")
6   - S_("create")
7   - S_("getattr")
8   - S_("setattr")
9   - S_("lock")
10   - S_("relabelfrom")
11   - S_("relabelto")
12   - S_("append")
13   - S_("unlink")
14   - S_("link")
15   - S_("rename")
16   - S_("execute")
17   - S_("swapon")
18   - S_("quotaon")
19   - S_("mounton")
20   -TE_(common_file_perm_to_string)
21   -
22   -TB_(common_socket_perm_to_string)
23   - S_("ioctl")
24   - S_("read")
25   - S_("write")
26   - S_("create")
27   - S_("getattr")
28   - S_("setattr")
29   - S_("lock")
30   - S_("relabelfrom")
31   - S_("relabelto")
32   - S_("append")
33   - S_("bind")
34   - S_("connect")
35   - S_("listen")
36   - S_("accept")
37   - S_("getopt")
38   - S_("setopt")
39   - S_("shutdown")
40   - S_("recvfrom")
41   - S_("sendto")
42   - S_("recv_msg")
43   - S_("send_msg")
44   - S_("name_bind")
45   -TE_(common_socket_perm_to_string)
46   -
47   -TB_(common_ipc_perm_to_string)
48   - S_("create")
49   - S_("destroy")
50   - S_("getattr")
51   - S_("setattr")
52   - S_("read")
53   - S_("write")
54   - S_("associate")
55   - S_("unix_read")
56   - S_("unix_write")
57   -TE_(common_ipc_perm_to_string)
security/selinux/include/flask.h
Diff comments   View file @ c6d3aaa
... ... @@ -34,26 +34,26 @@
34 34 #define SECCLASS_MSGQ 27
35 35 #define SECCLASS_SHM 28
36 36 #define SECCLASS_IPC 29
37   -#define SECCLASS_NETLINK_ROUTE_SOCKET 43
38   -#define SECCLASS_NETLINK_FIREWALL_SOCKET 44
39   -#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45
40   -#define SECCLASS_NETLINK_NFLOG_SOCKET 46
41   -#define SECCLASS_NETLINK_XFRM_SOCKET 47
42   -#define SECCLASS_NETLINK_SELINUX_SOCKET 48
43   -#define SECCLASS_NETLINK_AUDIT_SOCKET 49
44   -#define SECCLASS_NETLINK_IP6FW_SOCKET 50
45   -#define SECCLASS_NETLINK_DNRT_SOCKET 51
46   -#define SECCLASS_ASSOCIATION 54
47   -#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
48   -#define SECCLASS_APPLETALK_SOCKET 56
49   -#define SECCLASS_PACKET 57
50   -#define SECCLASS_KEY 58
51   -#define SECCLASS_DCCP_SOCKET 60
52   -#define SECCLASS_MEMPROTECT 61
53   -#define SECCLASS_PEER 68
54   -#define SECCLASS_CAPABILITY2 69
55   -#define SECCLASS_KERNEL_SERVICE 74
56   -#define SECCLASS_TUN_SOCKET 75
  37 +#define SECCLASS_NETLINK_ROUTE_SOCKET 30
  38 +#define SECCLASS_NETLINK_FIREWALL_SOCKET 31
  39 +#define SECCLASS_NETLINK_TCPDIAG_SOCKET 32
  40 +#define SECCLASS_NETLINK_NFLOG_SOCKET 33
  41 +#define SECCLASS_NETLINK_XFRM_SOCKET 34
  42 +#define SECCLASS_NETLINK_SELINUX_SOCKET 35
  43 +#define SECCLASS_NETLINK_AUDIT_SOCKET 36
  44 +#define SECCLASS_NETLINK_IP6FW_SOCKET 37
  45 +#define SECCLASS_NETLINK_DNRT_SOCKET 38
  46 +#define SECCLASS_ASSOCIATION 39
  47 +#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 40
  48 +#define SECCLASS_APPLETALK_SOCKET 41
  49 +#define SECCLASS_PACKET 42
  50 +#define SECCLASS_KEY 43
  51 +#define SECCLASS_DCCP_SOCKET 44
  52 +#define SECCLASS_MEMPROTECT 45
  53 +#define SECCLASS_PEER 46
  54 +#define SECCLASS_CAPABILITY2 47
  55 +#define SECCLASS_KERNEL_SERVICE 48
  56 +#define SECCLASS_TUN_SOCKET 49
57 57  
58 58 /*
59 59 * Security identifier indices for initial entities
security/selinux/include/security.h
Diff comments   View file @ c6d3aaa
... ... @@ -97,11 +97,18 @@
97 97 #define AVD_FLAGS_PERMISSIVE 0x0001
98 98  
99 99 int security_compute_av(u32 ssid, u32 tsid,
100   - u16 tclass, u32 requested,
101   - struct av_decision *avd);
  100 + u16 tclass, u32 requested,
  101 + struct av_decision *avd);
102 102  
  103 +int security_compute_av_user(u32 ssid, u32 tsid,
  104 + u16 tclass, u32 requested,
  105 + struct av_decision *avd);
  106 +
103 107 int security_transition_sid(u32 ssid, u32 tsid,
104   - u16 tclass, u32 *out_sid);
  108 + u16 tclass, u32 *out_sid);
  109 +
  110 +int security_transition_sid_user(u32 ssid, u32 tsid,
  111 + u16 tclass, u32 *out_sid);
105 112  
106 113 int security_member_sid(u32 ssid, u32 tsid,
107 114 u16 tclass, u32 *out_sid);
security/selinux/selinuxfs.c
Diff comments   View file @ c6d3aaa
... ... @@ -522,7 +522,7 @@
522 522 if (length < 0)
523 523 goto out2;
524 524  
525   - length = security_compute_av(ssid, tsid, tclass, req, &avd);
  525 + length = security_compute_av_user(ssid, tsid, tclass, req, &avd);
526 526 if (length < 0)
527 527 goto out2;
528 528  
... ... @@ -571,7 +571,7 @@
571 571 if (length < 0)
572 572 goto out2;
573 573  
574   - length = security_transition_sid(ssid, tsid, tclass, &newsid);
  574 + length = security_transition_sid_user(ssid, tsid, tclass, &newsid);
575 575 if (length < 0)
576 576 goto out2;
577 577  
security/selinux/ss/mls.c
Diff comments   View file @ c6d3aaa
... ... @@ -532,7 +532,7 @@
532 532 }
533 533 /* Fallthrough */
534 534 case AVTAB_CHANGE:
535   - if (tclass == SECCLASS_PROCESS)
  535 + if (tclass == policydb.process_class)
536 536 /* Use the process MLS attributes. */
537 537 return mls_context_cpy(newcontext, scontext);
538 538 else
security/selinux/ss/policydb.c
Diff comments   View file @ c6d3aaa
... ... @@ -713,7 +713,6 @@
713 713 ebitmap_destroy(&p->type_attr_map[i]);
714 714 }
715 715 kfree(p->type_attr_map);
716   - kfree(p->undefined_perms);
717 716 ebitmap_destroy(&p->policycaps);
718 717 ebitmap_destroy(&p->permissive_map);
719 718  
... ... @@ -1640,6 +1639,40 @@
1640 1639  
1641 1640 extern int ss_initialized;
1642 1641  
  1642 +u16 string_to_security_class(struct policydb *p, const char *name)
  1643 +{
  1644 + struct class_datum *cladatum;
  1645 +
  1646 + cladatum = hashtab_search(p->p_classes.table, name);
  1647 + if (!cladatum)
  1648 + return 0;
  1649 +
  1650 + return cladatum->value;
  1651 +}
  1652 +
  1653 +u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
  1654 +{
  1655 + struct class_datum *cladatum;
  1656 + struct perm_datum *perdatum = NULL;
  1657 + struct common_datum *comdatum;
  1658 +
  1659 + if (!tclass || tclass > p->p_classes.nprim)
  1660 + return 0;
  1661 +
  1662 + cladatum = p->class_val_to_struct[tclass-1];
  1663 + comdatum = cladatum->comdatum;
  1664 + if (comdatum)
  1665 + perdatum = hashtab_search(comdatum->permissions.table,
  1666 + name);
  1667 + if (!perdatum)
  1668 + perdatum = hashtab_search(cladatum->permissions.table,
  1669 + name);
  1670 + if (!perdatum)
  1671 + return 0;
  1672 +
  1673 + return 1U << (perdatum->value-1);
  1674 +}
  1675 +
1643 1676 /*
1644 1677 * Read the configuration data from a policy database binary
1645 1678 * representation file into a policy database structure.
... ... @@ -1861,6 +1894,16 @@
1861 1894 if (rc)
1862 1895 goto bad;
1863 1896  
  1897 + p->process_class = string_to_security_class(p, "process");
  1898 + if (!p->process_class)
  1899 + goto bad;
  1900 + p->process_trans_perms = string_to_av_perm(p, p->process_class,
  1901 + "transition");
  1902 + p->process_trans_perms |= string_to_av_perm(p, p->process_class,
  1903 + "dyntransition");
  1904 + if (!p->process_trans_perms)
  1905 + goto bad;
  1906 +
1864 1907 for (i = 0; i < info->ocon_num; i++) {
1865 1908 rc = next_entry(buf, fp, sizeof(u32));
1866 1909 if (rc < 0)
... ... @@ -2101,7 +2144,7 @@
2101 2144 goto bad;
2102 2145 rt->target_class = le32_to_cpu(buf[0]);
2103 2146 } else
2104   - rt->target_class = SECCLASS_PROCESS;
  2147 + rt->target_class = p->process_class;
2105 2148 if (!policydb_type_isvalid(p, rt->source_type) ||
2106 2149 !policydb_type_isvalid(p, rt->target_type) ||
2107 2150 !policydb_class_isvalid(p, rt->target_class)) {
security/selinux/ss/policydb.h
Diff comments   View file @ c6d3aaa
... ... @@ -254,7 +254,9 @@
254 254  
255 255 unsigned int reject_unknown : 1;
256 256 unsigned int allow_unknown : 1;
257   - u32 *undefined_perms;
  257 +
  258 + u16 process_class;
  259 + u32 process_trans_perms;
258 260 };
259 261  
260 262 extern void policydb_destroy(struct policydb *p);
... ... @@ -294,6 +296,9 @@
294 296 fp->len -= bytes;
295 297 return 0;
296 298 }
  299 +
  300 +extern u16 string_to_security_class(struct policydb *p, const char *name);
  301 +extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
297 302  
298 303 #endif /* _SS_POLICYDB_H_ */
security/selinux/ss/services.c
Diff comments   View file @ c6d3aaa
... ... @@ -70,11 +70,6 @@
70 70 int selinux_policycap_netpeer;
71 71 int selinux_policycap_openperm;
72 72  
73   -/*
74   - * This is declared in avc.c
75   - */
76   -extern const struct selinux_class_perm selinux_class_perm;
77   -
78 73 static DEFINE_RWLOCK(policy_rwlock);
79 74  
80 75 static struct sidtab sidtab;
81 76  
... ... @@ -98,7 +93,159 @@
98 93 u16 tclass,
99 94 u32 requested,
100 95 struct av_decision *avd);
  96 +
  97 +struct selinux_mapping {
  98 + u16 value; /* policy value */
  99 + unsigned num_perms;
  100 + u32 perms[sizeof(u32) * 8];
  101 +};
  102 +
  103 +static struct selinux_mapping *current_mapping;
  104 +static u16 current_mapping_size;
  105 +
  106 +static int selinux_set_mapping(struct policydb *pol,
  107 + struct security_class_mapping *map,
  108 + struct selinux_mapping **out_map_p,
  109 + u16 *out_map_size)
  110 +{
  111 + struct selinux_mapping *out_map = NULL;
  112 + size_t size = sizeof(struct selinux_mapping);
  113 + u16 i, j;
  114 + unsigned k;
  115 + bool print_unknown_handle = false;
  116 +
  117 + /* Find number of classes in the input mapping */
  118 + if (!map)
  119 + return -EINVAL;
  120 + i = 0;
  121 + while (map[i].name)
  122 + i++;
  123 +
  124 + /* Allocate space for the class records, plus one for class zero */
  125 + out_map = kcalloc(++i, size, GFP_ATOMIC);
  126 + if (!out_map)
  127 + return -ENOMEM;
  128 +
  129 + /* Store the raw class and permission values */
  130 + j = 0;
  131 + while (map[j].name) {
  132 + struct security_class_mapping *p_in = map + (j++);
  133 + struct selinux_mapping *p_out = out_map + j;
  134 +
  135 + /* An empty class string skips ahead */
  136 + if (!strcmp(p_in->name, "")) {
  137 + p_out->num_perms = 0;
  138 + continue;
  139 + }
  140 +
  141 + p_out->value = string_to_security_class(pol, p_in->name);
  142 + if (!p_out->value) {
  143 + printk(KERN_INFO
  144 + "SELinux: Class %s not defined in policy.\n",
  145 + p_in->name);
  146 + if (pol->reject_unknown)
  147 + goto err;
  148 + p_out->num_perms = 0;
  149 + print_unknown_handle = true;
  150 + continue;
  151 + }
  152 +
  153 + k = 0;
  154 + while (p_in->perms && p_in->perms[k]) {
  155 + /* An empty permission string skips ahead */
  156 + if (!*p_in->perms[k]) {
  157 + k++;
  158 + continue;
  159 + }
  160 + p_out->perms[k] = string_to_av_perm(pol, p_out->value,
  161 + p_in->perms[k]);
  162 + if (!p_out->perms[k]) {
  163 + printk(KERN_INFO
  164 + "SELinux: Permission %s in class %s not defined in policy.\n",
  165 + p_in->perms[k], p_in->name);
  166 + if (pol->reject_unknown)
  167 + goto err;
  168 + print_unknown_handle = true;
  169 + }
  170 +
  171 + k++;
  172 + }
  173 + p_out->num_perms = k;
  174 + }
  175 +
  176 + if (print_unknown_handle)
  177 + printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
  178 + pol->allow_unknown ? "allowed" : "denied");
  179 +
  180 + *out_map_p = out_map;
  181 + *out_map_size = i;
  182 + return 0;
  183 +err:
  184 + kfree(out_map);
  185 + return -EINVAL;
  186 +}
  187 +
101 188 /*
  189 + * Get real, policy values from mapped values
  190 + */
  191 +
  192 +static u16 unmap_class(u16 tclass)
  193 +{
  194 + if (tclass < current_mapping_size)
  195 + return current_mapping[tclass].value;
  196 +
  197 + return tclass;
  198 +}
  199 +
  200 +static u32 unmap_perm(u16 tclass, u32 tperm)
  201 +{
  202 + if (tclass < current_mapping_size) {
  203 + unsigned i;
  204 + u32 kperm = 0;
  205 +
  206 + for (i = 0; i < current_mapping[tclass].num_perms; i++)
  207 + if (tperm & (1<<i)) {
  208 + kperm |= current_mapping[tclass].perms[i];
  209 + tperm &= ~(1<<i);
  210 + }
  211 + return kperm;
  212 + }
  213 +
  214 + return tperm;
  215 +}
  216 +
  217 +static void map_decision(u16 tclass, struct av_decision *avd,
  218 + int allow_unknown)
  219 +{
  220 + if (tclass < current_mapping_size) {
  221 + unsigned i, n = current_mapping[tclass].num_perms;
  222 + u32 result;
  223 +
  224 + for (i = 0, result = 0; i < n; i++) {
  225 + if (avd->allowed & current_mapping[tclass].perms[i])
  226 + result |= 1<<i;
  227 + if (allow_unknown && !current_mapping[tclass].perms[i])
  228 + result |= 1<<i;
  229 + }
  230 + avd->allowed = result;
  231 +
  232 + for (i = 0, result = 0; i < n; i++)
  233 + if (avd->auditallow & current_mapping[tclass].perms[i])
  234 + result |= 1<<i;
  235 + avd->auditallow = result;
  236 +
  237 + for (i = 0, result = 0; i < n; i++) {
  238 + if (avd->auditdeny & current_mapping[tclass].perms[i])
  239 + result |= 1<<i;
  240 + if (!allow_unknown && !current_mapping[tclass].perms[i])
  241 + result |= 1<<i;
  242 + }
  243 + avd->auditdeny = result;
  244 + }
  245 +}
  246 +
  247 +
  248 +/*
102 249 * Return the boolean value of a constraint expression
103 250 * when it is applied to the specified source and target
104 251 * security contexts.
... ... @@ -467,7 +614,6 @@
467 614 struct class_datum *tclass_datum;
468 615 struct ebitmap *sattr, *tattr;
469 616 struct ebitmap_node *snode, *tnode;
470   - const struct selinux_class_perm *kdefs = &selinux_class_perm;
471 617 unsigned int i, j;
472 618  
473 619 /*
... ... @@ -477,9 +623,9 @@
477 623 * to remain in the correct class.
478 624 */
479 625 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
480   - if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
481   - tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
482   - tclass = SECCLASS_NETLINK_SOCKET;
  626 + if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) &&
  627 + tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET))
  628 + tclass = unmap_class(SECCLASS_NETLINK_SOCKET);
483 629  
484 630 /*
485 631 * Initialize the access vectors to the default values.
486 632  
... ... @@ -490,34 +636,12 @@
490 636 avd->seqno = latest_granting;
491 637 avd->flags = 0;
492 638  
493   - /*
494   - * Check for all the invalid cases.
495   - * - tclass 0
496   - * - tclass > policy and > kernel
497   - * - tclass > policy but is a userspace class
498   - * - tclass > policy but we do not allow unknowns
499   - */
500   - if (unlikely(!tclass))
501   - goto inval_class;
502   - if (unlikely(tclass > policydb.p_classes.nprim))
503   - if (tclass > kdefs->cts_len ||
504   - !kdefs->class_to_string[tclass] ||
505   - !policydb.allow_unknown)
506   - goto inval_class;
  639 + if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
  640 + if (printk_ratelimit())
  641 + printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass);
  642 + return -EINVAL;
  643 + }
507 644  
508   - /*
509   - * Kernel class and we allow unknown so pad the allow decision
510   - * the pad will be all 1 for unknown classes.
511   - */
512   - if (tclass <= kdefs->cts_len && policydb.allow_unknown)
513   - avd->allowed = policydb.undefined_perms[tclass - 1];
514   -
515   - /*
516   - * Not in policy. Since decision is completed (all 1 or all 0) return.
517   - */
518   - if (unlikely(tclass > policydb.p_classes.nprim))
519   - return 0;
520   -
521 645 tclass_datum = policydb.class_val_to_struct[tclass - 1];
522 646  
523 647 /*
... ... @@ -568,8 +692,8 @@
568 692 * role is changing, then check the (current_role, new_role)
569 693 * pair.
570 694 */
571   - if (tclass == SECCLASS_PROCESS &&
572   - (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
  695 + if (tclass == policydb.process_class &&
  696 + (avd->allowed & policydb.process_trans_perms) &&
573 697 scontext->role != tcontext->role) {
574 698 for (ra = policydb.role_allow; ra; ra = ra->next) {
575 699 if (scontext->role == ra->role &&
... ... @@ -577,8 +701,7 @@
577 701 break;
578 702 }
579 703 if (!ra)
580   - avd->allowed &= ~(PROCESS__TRANSITION |
581   - PROCESS__DYNTRANSITION);
  704 + avd->allowed &= ~policydb.process_trans_perms;
582 705 }
583 706  
584 707 /*
... ... @@ -590,21 +713,6 @@
590 713 tclass, requested, avd);
591 714  
592 715 return 0;
593   -
594   -inval_class:
595   - if (!tclass || tclass > kdefs->cts_len ||
596   - !kdefs->class_to_string[tclass]) {
597   - if (printk_ratelimit())
598   - printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
599   - __func__, tclass);
600   - return -EINVAL;
601   - }
602   -
603   - /*
604   - * Known to the kernel, but not to the policy.
605   - * Handle as a denial (allowed is 0).
606   - */
607   - return 0;
608 716 }
609 717  
610 718 static int security_validtrans_handle_fail(struct context *ocontext,
611 719  
... ... @@ -636,13 +744,14 @@
636 744 }
637 745  
638 746 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
639   - u16 tclass)
  747 + u16 orig_tclass)
640 748 {
641 749 struct context *ocontext;
642 750 struct context *ncontext;
643 751 struct context *tcontext;
644 752 struct class_datum *tclass_datum;
645 753 struct constraint_node *constraint;
  754 + u16 tclass;
646 755 int rc = 0;
647 756  
648 757 if (!ss_initialized)
... ... @@ -650,6 +759,8 @@
650 759  
651 760 read_lock(&policy_rwlock);
652 761  
  762 + tclass = unmap_class(orig_tclass);
  763 +
653 764 /*
654 765 * Remap extended Netlink classes for old policy versions.
655 766 * Do this here rather than socket_type_to_security_class()
... ... @@ -657,9 +768,9 @@
657 768 * to remain in the correct class.
658 769 */
659 770 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
660   - if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
661   - tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
662   - tclass = SECCLASS_NETLINK_SOCKET;
  771 + if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) &&
  772 + tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET))
  773 + tclass = unmap_class(SECCLASS_NETLINK_SOCKET);
663 774  
664 775 if (!tclass || tclass > policydb.p_classes.nprim) {
665 776 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
... ... @@ -792,6 +903,38 @@
792 903 }
793 904  
794 905  
  906 +static int security_compute_av_core(u32 ssid,
  907 + u32 tsid,
  908 + u16 tclass,
  909 + u32 requested,
  910 + struct av_decision *avd)
  911 +{
  912 + struct context *scontext = NULL, *tcontext = NULL;
  913 + int rc = 0;
  914 +
  915 + scontext = sidtab_search(&sidtab, ssid);
  916 + if (!scontext) {
  917 + printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
  918 + __func__, ssid);
  919 + return -EINVAL;
  920 + }
  921 + tcontext = sidtab_search(&sidtab, tsid);
  922 + if (!tcontext) {
  923 + printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
  924 + __func__, tsid);
  925 + return -EINVAL;
  926 + }
  927 +
  928 + rc = context_struct_compute_av(scontext, tcontext, tclass,
  929 + requested, avd);
  930 +
  931 + /* permissive domain? */
  932 + if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
  933 + avd->flags |= AVD_FLAGS_PERMISSIVE;
  934 +
  935 + return rc;
  936 +}
  937 +
795 938 /**
796 939 * security_compute_av - Compute access vector decisions.
797 940 * @ssid: source security identifier
798 941  
799 942  
... ... @@ -807,13 +950,46 @@
807 950 */
808 951 int security_compute_av(u32 ssid,
809 952 u32 tsid,
810   - u16 tclass,
811   - u32 requested,
  953 + u16 orig_tclass,
  954 + u32 orig_requested,
812 955 struct av_decision *avd)
813 956 {
814   - struct context *scontext = NULL, *tcontext = NULL;
815   - int rc = 0;
  957 + u16 tclass;
  958 + u32 requested;
  959 + int rc;
816 960  
  961 + if (!ss_initialized)
  962 + goto allow;
  963 +
  964 + read_lock(&policy_rwlock);
  965 + requested = unmap_perm(orig_tclass, orig_requested);
  966 + tclass = unmap_class(orig_tclass);
  967 + if (unlikely(orig_tclass && !tclass)) {
  968 + if (policydb.allow_unknown)
  969 + goto allow;
  970 + return -EINVAL;
  971 + }
  972 + rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
  973 + map_decision(orig_tclass, avd, policydb.allow_unknown);
  974 + read_unlock(&policy_rwlock);
  975 + return rc;
  976 +allow:
  977 + avd->allowed = 0xffffffff;
  978 + avd->auditallow = 0;
  979 + avd->auditdeny = 0xffffffff;
  980 + avd->seqno = latest_granting;
  981 + avd->flags = 0;
  982 + return 0;
  983 +}
  984 +
  985 +int security_compute_av_user(u32 ssid,
  986 + u32 tsid,
  987 + u16 tclass,
  988 + u32 requested,
  989 + struct av_decision *avd)
  990 +{
  991 + int rc;
  992 +
817 993 if (!ss_initialized) {
818 994 avd->allowed = 0xffffffff;
819 995 avd->auditallow = 0;
... ... @@ -823,29 +999,7 @@
823 999 }
824 1000  
825 1001 read_lock(&policy_rwlock);
826   -
827   - scontext = sidtab_search(&sidtab, ssid);
828   - if (!scontext) {
829   - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
830   - __func__, ssid);
831   - rc = -EINVAL;
832   - goto out;
833   - }
834   - tcontext = sidtab_search(&sidtab, tsid);
835   - if (!tcontext) {
836   - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
837   - __func__, tsid);
838   - rc = -EINVAL;
839   - goto out;
840   - }
841   -
842   - rc = context_struct_compute_av(scontext, tcontext, tclass,
843   - requested, avd);
844   -
845   - /* permissive domain? */
846   - if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
847   - avd->flags |= AVD_FLAGS_PERMISSIVE;
848   -out:
  1002 + rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
849 1003 read_unlock(&policy_rwlock);
850 1004 return rc;
851 1005 }
852 1006  
853 1007  
854 1008  
... ... @@ -1204,20 +1358,22 @@
1204 1358  
1205 1359 static int security_compute_sid(u32 ssid,
1206 1360 u32 tsid,
1207   - u16 tclass,
  1361 + u16 orig_tclass,
1208 1362 u32 specified,
1209   - u32 *out_sid)
  1363 + u32 *out_sid,
  1364 + bool kern)
1210 1365 {
1211 1366 struct context *scontext = NULL, *tcontext = NULL, newcontext;
1212 1367 struct role_trans *roletr = NULL;
1213 1368 struct avtab_key avkey;
1214 1369 struct avtab_datum *avdatum;
1215 1370 struct avtab_node *node;
  1371 + u16 tclass;
1216 1372 int rc = 0;
1217 1373  
1218 1374 if (!ss_initialized) {
1219   - switch (tclass) {
1220   - case SECCLASS_PROCESS:
  1375 + switch (orig_tclass) {
  1376 + case SECCLASS_PROCESS: /* kernel value */
1221 1377 *out_sid = ssid;
1222 1378 break;
1223 1379 default:
... ... @@ -1231,6 +1387,11 @@
1231 1387  
1232 1388 read_lock(&policy_rwlock);
1233 1389  
  1390 + if (kern)
  1391 + tclass = unmap_class(orig_tclass);
  1392 + else
  1393 + tclass = orig_tclass;
  1394 +
1234 1395 scontext = sidtab_search(&sidtab, ssid);
1235 1396 if (!scontext) {
1236 1397 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
1237 1398  
... ... @@ -1260,13 +1421,11 @@
1260 1421 }
1261 1422  
1262 1423 /* Set the role and type to default values. */
1263   - switch (tclass) {
1264   - case SECCLASS_PROCESS:
  1424 + if (tclass == policydb.process_class) {
1265 1425 /* Use the current role and type of process. */
1266 1426 newcontext.role = scontext->role;
1267 1427 newcontext.type = scontext->type;
1268   - break;
1269   - default:
  1428 + } else {
1270 1429 /* Use the well-defined object role. */
1271 1430 newcontext.role = OBJECT_R_VAL;
1272 1431 /* Use the type of the related object. */
... ... @@ -1297,8 +1456,7 @@
1297 1456 }
1298 1457  
1299 1458 /* Check for class-specific changes. */
1300   - switch (tclass) {
1301   - case SECCLASS_PROCESS:
  1459 + if (tclass == policydb.process_class) {
1302 1460 if (specified & AVTAB_TRANSITION) {
1303 1461 /* Look for a role transition rule. */
1304 1462 for (roletr = policydb.role_tr; roletr;
... ... @@ -1311,9 +1469,6 @@
1311 1469 }
1312 1470 }
1313 1471 }
1314   - break;
1315   - default:
1316   - break;
1317 1472 }
1318 1473  
1319 1474 /* Set the MLS attributes.
1320 1475  
... ... @@ -1358,9 +1513,19 @@
1358 1513 u16 tclass,
1359 1514 u32 *out_sid)
1360 1515 {
1361   - return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
  1516 + return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
  1517 + out_sid, true);
1362 1518 }
1363 1519  
  1520 +int security_transition_sid_user(u32 ssid,
  1521 + u32 tsid,
  1522 + u16 tclass,
  1523 + u32 *out_sid)
  1524 +{
  1525 + return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
  1526 + out_sid, false);
  1527 +}
  1528 +
1364 1529 /**
1365 1530 * security_member_sid - Compute the SID for member selection.
1366 1531 * @ssid: source security identifier
... ... @@ -1379,7 +1544,8 @@
1379 1544 u16 tclass,
1380 1545 u32 *out_sid)
1381 1546 {
1382   - return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
  1547 + return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
  1548 + false);
1383 1549 }
1384 1550  
1385 1551 /**
1386 1552  
... ... @@ -1400,146 +1566,10 @@
1400 1566 u16 tclass,
1401 1567 u32 *out_sid)
1402 1568 {
1403   - return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
  1569 + return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
  1570 + false);
1404 1571 }
1405 1572  
1406   -/*
1407   - * Verify that each kernel class that is defined in the
1408   - * policy is correct
1409   - */
1410   -static int validate_classes(struct policydb *p)
1411   -{
1412   - int i, j;
1413   - struct class_datum *cladatum;
1414   - struct perm_datum *perdatum;
1415   - u32 nprim, tmp, common_pts_len, perm_val, pol_val;
1416   - u16 class_val;
1417   - const struct selinux_class_perm *kdefs = &selinux_class_perm;
1418   - const char *def_class, *def_perm, *pol_class;
1419   - struct symtab *perms;
1420   - bool print_unknown_handle = 0;
1421   -
1422   - if (p->allow_unknown) {
1423   - u32 num_classes = kdefs->cts_len;
1424   - p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
1425   - if (!p->undefined_perms)
1426   - return -ENOMEM;
1427   - }
1428   -
1429   - for (i = 1; i < kdefs->cts_len; i++) {
1430   - def_class = kdefs->class_to_string[i];
1431   - if (!def_class)
1432   - continue;
1433   - if (i > p->p_classes.nprim) {
1434   - printk(KERN_INFO
1435   - "SELinux: class %s not defined in policy\n",
1436   - def_class);
1437   - if (p->reject_unknown)
1438   - return -EINVAL;
1439   - if (p->allow_unknown)
1440   - p->undefined_perms[i-1] = ~0U;
1441   - print_unknown_handle = 1;
1442   - continue;
1443   - }
1444   - pol_class = p->p_class_val_to_name[i-1];
1445   - if (strcmp(pol_class, def_class)) {
1446   - printk(KERN_ERR
1447   - "SELinux: class %d is incorrect, found %s but should be %s\n",
1448   - i, pol_class, def_class);
1449   - return -EINVAL;
1450   - }
1451   - }
1452   - for (i = 0; i < kdefs->av_pts_len; i++) {
1453   - class_val = kdefs->av_perm_to_string[i].tclass;
1454   - perm_val = kdefs->av_perm_to_string[i].value;
1455   - def_perm = kdefs->av_perm_to_string[i].name;
1456   - if (class_val > p->p_classes.nprim)
1457   - continue;
1458   - pol_class = p->p_class_val_to_name[class_val-1];
1459   - cladatum = hashtab_search(p->p_classes.table, pol_class);
1460   - BUG_ON(!cladatum);
1461   - perms = &cladatum->permissions;
1462   - nprim = 1 << (perms->nprim - 1);
1463   - if (perm_val > nprim) {
1464   - printk(KERN_INFO
1465   - "SELinux: permission %s in class %s not defined in policy\n",
1466   - def_perm, pol_class);
1467   - if (p->reject_unknown)
1468   - return -EINVAL;
1469   - if (p->allow_unknown)
1470   - p->undefined_perms[class_val-1] |= perm_val;
1471   - print_unknown_handle = 1;
1472   - continue;
1473   - }
1474   - perdatum = hashtab_search(perms->table, def_perm);
1475   - if (perdatum == NULL) {
1476   - printk(KERN_ERR
1477   - "SELinux: permission %s in class %s not found in policy, bad policy\n",
1478   - def_perm, pol_class);
1479   - return -EINVAL;
1480   - }
1481   - pol_val = 1 << (perdatum->value - 1);
1482   - if (pol_val != perm_val) {
1483   - printk(KERN_ERR
1484   - "SELinux: permission %s in class %s has incorrect value\n",
1485   - def_perm, pol_class);
1486   - return -EINVAL;
1487   - }
1488   - }
1489   - for (i = 0; i < kdefs->av_inherit_len; i++) {
1490   - class_val = kdefs->av_inherit[i].tclass;
1491   - if (class_val > p->p_classes.nprim)
1492   - continue;
1493   - pol_class = p->p_class_val_to_name[class_val-1];
1494   - cladatum = hashtab_search(p->p_classes.table, pol_class);
1495   - BUG_ON(!cladatum);
1496   - if (!cladatum->comdatum) {
1497   - printk(KERN_ERR
1498   - "SELinux: class %s should have an inherits clause but does not\n",
1499   - pol_class);
1500   - return -EINVAL;
1501   - }
1502   - tmp = kdefs->av_inherit[i].common_base;
1503   - common_pts_len = 0;
1504   - while (!(tmp & 0x01)) {
1505   - common_pts_len++;
1506   - tmp >>= 1;
1507   - }
1508   - perms = &cladatum->comdatum->permissions;
1509   - for (j = 0; j < common_pts_len; j++) {
1510   - def_perm = kdefs->av_inherit[i].common_pts[j];
1511   - if (j >= perms->nprim) {
1512   - printk(KERN_INFO
1513   - "SELinux: permission %s in class %s not defined in policy\n",
1514   - def_perm, pol_class);
1515   - if (p->reject_unknown)
1516   - return -EINVAL;
1517   - if (p->allow_unknown)
1518   - p->undefined_perms[class_val-1] |= (1 << j);
1519   - print_unknown_handle = 1;
1520   - continue;
1521   - }
1522   - perdatum = hashtab_search(perms->table, def_perm);
1523   - if (perdatum == NULL) {
1524   - printk(KERN_ERR
1525   - "SELinux: permission %s in class %s not found in policy, bad policy\n",
1526   - def_perm, pol_class);
1527   - return -EINVAL;
1528   - }
1529   - if (perdatum->value != j + 1) {
1530   - printk(KERN_ERR
1531   - "SELinux: permission %s in class %s has incorrect value\n",
1532   - def_perm, pol_class);
1533   - return -EINVAL;
1534   - }
1535   - }
1536   - }
1537   - if (print_unknown_handle)
1538   - printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
1539   - (security_get_allow_unknown() ? "allowed" : "denied"));
1540   - return 0;
1541   -}
1542   -
1543 1573 /* Clone the SID into the new SID table. */
1544 1574 static int clone_sid(u32 sid,
1545 1575 struct context *context,
1546 1576  
... ... @@ -1710,8 +1740,10 @@
1710 1740 {
1711 1741 struct policydb oldpolicydb, newpolicydb;
1712 1742 struct sidtab oldsidtab, newsidtab;
  1743 + struct selinux_mapping *oldmap, *map = NULL;
1713 1744 struct convert_context_args args;
1714 1745 u32 seqno;
  1746 + u16 map_size;
1715 1747 int rc = 0;
1716 1748 struct policy_file file = { data, len }, *fp = &file;
1717 1749  
1718 1750  
... ... @@ -1721,16 +1753,14 @@
1721 1753 avtab_cache_destroy();
1722 1754 return -EINVAL;
1723 1755 }
1724   - if (policydb_load_isids(&policydb, &sidtab)) {
  1756 + if (selinux_set_mapping(&policydb, secclass_map,
  1757 + &current_mapping,
  1758 + &current_mapping_size)) {
1725 1759 policydb_destroy(&policydb);
1726 1760 avtab_cache_destroy();
1727 1761 return -EINVAL;
1728 1762 }
1729   - /* Verify that the kernel defined classes are correct. */
1730   - if (validate_classes(&policydb)) {
1731   - printk(KERN_ERR
1732   - "SELinux: the definition of a class is incorrect\n");
1733   - sidtab_destroy(&sidtab);
  1763 + if (policydb_load_isids(&policydb, &sidtab)) {
1734 1764 policydb_destroy(&policydb);
1735 1765 avtab_cache_destroy();
1736 1766 return -EINVAL;
1737 1767  
... ... @@ -1759,13 +1789,9 @@
1759 1789 return -ENOMEM;
1760 1790 }
1761 1791  
1762   - /* Verify that the kernel defined classes are correct. */
1763   - if (validate_classes(&newpolicydb)) {
1764   - printk(KERN_ERR
1765   - "SELinux: the definition of a class is incorrect\n");
1766   - rc = -EINVAL;
  1792 + if (selinux_set_mapping(&newpolicydb, secclass_map,
  1793 + &map, &map_size))
1767 1794 goto err;
1768   - }
1769 1795  
1770 1796 rc = security_preserve_bools(&newpolicydb);
1771 1797 if (rc) {
... ... @@ -1799,6 +1825,9 @@
1799 1825 memcpy(&policydb, &newpolicydb, sizeof policydb);
1800 1826 sidtab_set(&sidtab, &newsidtab);
1801 1827 security_load_policycaps();
  1828 + oldmap = current_mapping;
  1829 + current_mapping = map;
  1830 + current_mapping_size = map_size;
1802 1831 seqno = ++latest_granting;
1803 1832 policydb_loaded_version = policydb.policyvers;
1804 1833 write_unlock_irq(&policy_rwlock);
... ... @@ -1806,6 +1835,7 @@
1806 1835 /* Free the old policydb and SID table. */
1807 1836 policydb_destroy(&oldpolicydb);
1808 1837 sidtab_destroy(&oldsidtab);
  1838 + kfree(oldmap);
1809 1839  
1810 1840 avc_ss_reset(seqno);
1811 1841 selnl_notify_policyload(seqno);
... ... @@ -1815,6 +1845,7 @@
1815 1845 return 0;
1816 1846  
1817 1847 err:
  1848 + kfree(map);
1818 1849 sidtab_destroy(&newsidtab);
1819 1850 policydb_destroy(&newpolicydb);
1820 1851 return rc;
... ... @@ -2091,7 +2122,7 @@
2091 2122 }
2092 2123 for (i = 0, j = 0; i < mynel; i++) {
2093 2124 rc = avc_has_perm_noaudit(fromsid, mysids[i],
2094   - SECCLASS_PROCESS,
  2125 + SECCLASS_PROCESS, /* kernel value */
2095 2126 PROCESS__TRANSITION, AVC_STRICT,
2096 2127 NULL);
2097 2128 if (!rc)
2098 2129  
... ... @@ -2119,10 +2150,11 @@
2119 2150 */
2120 2151 int security_genfs_sid(const char *fstype,
2121 2152 char *path,
2122   - u16 sclass,
  2153 + u16 orig_sclass,
2123 2154 u32 *sid)
2124 2155 {
2125 2156 int len;
  2157 + u16 sclass;
2126 2158 struct genfs *genfs;
2127 2159 struct ocontext *c;
2128 2160 int rc = 0, cmp = 0;
... ... @@ -2131,6 +2163,8 @@
2131 2163 path++;
2132 2164  
2133 2165 read_lock(&policy_rwlock);
  2166 +
  2167 + sclass = unmap_class(orig_sclass);
2134 2168  
2135 2169 for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2136 2170 cmp = strcmp(fstype, genfs->fstype);