10 Sep, 2011

3 commits


02 Aug, 2011

1 commit


15 Jun, 2011

2 commits


27 May, 2011

2 commits

  • Right now security_get_user_sids() will pass in a NULL avd pointer to
    avc_has_perm_noaudit(), which then forces that function to have a dummy
    entry for that case and just generally test it.

    Don't do it. The normal callers all pass a real avd pointer, and this
    helper function is incredibly hot. So don't make avc_has_perm_noaudit()
    do conditional stuff that isn't needed for the common case.

    This also avoids some duplicated stack space.

    Signed-off-by: Linus Torvalds

    Linus Torvalds
     
  • Conflicts:
    lib/flex_array.c
    security/selinux/avc.c
    security/selinux/hooks.c
    security/selinux/ss/policydb.c
    security/smack/smack_lsm.c

    Eric Paris
     

24 May, 2011

1 commit


13 May, 2011

2 commits


04 May, 2011

1 commit


29 Apr, 2011

8 commits

  • Change flex_array_prealloc to take the number of elements for which space
    should be allocated instead of the last (inclusive) element. Users
    and documentation are updated accordingly. flex_arrays got introduced before
    they had users. When folks started using it, they ended up needing a
    different API than was coded up originally. This swaps over to the API that
    folks apparently need.

    Based-on-patch-by: Steffen Klassert
    Signed-off-by: Eric Paris
    Tested-by: Chris Richards
    Acked-by: Dave Hansen
    Cc: stable@kernel.org [2.6.38+]

    Eric Paris
     
  • Change flex_array_prealloc to take the number of elements for which space
    should be allocated instead of the last (inclusive) element. Users
    and documentation are updated accordingly. flex_arrays got introduced before
    they had users. When folks started using it, they ended up needing a
    different API than was coded up originally. This swaps over to the API that
    folks apparently need.

    Based-on-patch-by: Steffen Klassert
    Signed-off-by: Eric Paris
    Tested-by: Chris Richards
    Acked-by: Dave Hansen
    Cc: stable@kernel.org [2.6.38+]

    Eric Paris
     
  • To shorten the list we need to run if filename trans rules exist for the type
    of the given parent directory, I put them in a hashtable. Given the policy we
    are expecting to use in Fedora this takes the worst case list run from about
    5,000 entries to 17.

    Signed-off-by: Eric Paris
    Reviewed-by: James Morris

    Eric Paris
     
  • Instead of a hashtab entry counter function only useful for range
    transition rules, make a function generic for any hashtable to use.

    Signed-off-by: Eric Paris
    Reviewed-by: James Morris

    Eric Paris
     
  • We have custom debug functions like rangetr_hash_eval and symtab_hash_eval
    which do the same thing. Just create a generic function that takes the name
    of the hash table as an argument instead of having custom functions.

    Signed-off-by: Eric Paris
    Reviewed-by: James Morris

    Eric Paris
     
  • Right now we walk the filename trans rule list for every inode that is
    created. First passes at policy using this facility create around 5000
    filename trans rules. Running a list of 5000 entries every time is a bad
    idea. This patch adds a new ebitmap to policy which has a bit set for each
    ttype that has at least 1 filename trans rule. Thus when an inode is
    created we can quickly determine if any rules exist for this parent
    directory type and can skip the list if we know there is definitely no
    relevant entry.

    Signed-off-by: Eric Paris
    Reviewed-by: James Morris

    Eric Paris
     
  • filename_compute_type() takes as arguments the numeric value of the type of
    the subject and target. It does not take a context. Thus the names are
    misleading. Fix the argument names.

    Signed-off-by: Eric Paris
    Reviewed-by: James Morris

    Eric Paris
     
  • filename_compute_type used to take a qstr, but it now takes just a name.
    Fix the comments to indicate it is an objname, not a qstr.

    Signed-off-by: Eric Paris

    Eric Paris
     

25 Apr, 2011

1 commit


20 Apr, 2011

1 commit


08 Apr, 2011

2 commits

  • Initialize policydb.process_class once all symtabs are read from the policy
    image, so that it could be used to set up the role_trans.tclass field when a
    lower version policy.X is loaded.

    Signed-off-by: Harry Ciao
    Signed-off-by: Eric Paris

    Harry Ciao
     
  • Commit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the
    handling of userspace object classes that is causing breakage for Xorg
    when XSELinux is enabled. Fix the bug by changing map_class() to return
    SECCLASS_NULL when the class cannot be mapped to a kernel object class.

    Reported-by: "Justin P. Mattock"
    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
     

02 Apr, 2011

1 commit

  • The attached patch allows /selinux/create to take an optional 4th argument
    to support TYPE_TRANSITION with name extension for userspace object
    managers.
    If the 4th argument is not supplied, it shall perform as the existing kernel
    does. In fact, the regression test of SE-PostgreSQL works well on the patched
    kernel.

    Thanks,

    Signed-off-by: KaiGai Kohei
    [manually verify fuzz was not an issue, and it wasn't: eparis]
    Signed-off-by: Eric Paris

    Kohei Kaigai
     

31 Mar, 2011

1 commit


29 Mar, 2011

4 commits


08 Mar, 2011

2 commits


04 Mar, 2011

1 commit

  • The socket SID would be computed on creation and no longer inherit
    its creator's SID by default. A socket may have a different type but
    needs to retain the creator's role and MLS attribute in order not
    to break labeled networking and network access control.

    The kernel value for a class would be used to determine if the class
    is one of the socket classes. If security_compute_sid is called from
    userspace the policy value for a class would be mapped to the relevant
    kernel value first.

    Signed-off-by: Harry Ciao
    Signed-off-by: Eric Paris
    Acked-by: Stephen Smalley

    Harry Ciao
     

02 Feb, 2011

1 commit

  • Currently SELinux has rules which label new objects according to 3 criteria:
    the label of the process creating the object, the label of the parent
    directory, and the type of object (reg, dir, char, block, etc.). This patch
    adds a 4th criterion, the dentry name, thus we can distinguish between
    creating a file in an etc_t directory called shadow and one called motd.

    There is no file globbing, regex parsing, or anything mystical. Either the
    policy exactly (strcmp) matches the dentry name of the object or it doesn't.
    This patch has no changes from today if policy does not implement the new
    rules.

    Signed-off-by: Eric Paris

    Eric Paris
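The lookup path sketched by the filename transition commits on this page (the exact dentry-name criterion in the commit just above, plus the per-ttype bitmap and the hashtable keyed on parent directory type from the 29 Apr commits), as an added illustration in C. This is example code, not the kernel's policydb implementation: the struct layout, function names, numeric type ids, sample rules and the plain 64-bit bitmap standing in for an ebitmap are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed illustration of a filename transition lookup: a bit per parent
 * (target) type that has at least one rule, a hashtable bucketed by that type,
 * and exact strcmp matching on the object name.  Not the kernel's code; every
 * name and id below is made up for the example.
 */

#define MAX_TYPES 64        /* a one-word bitmap limits the example to 64 type ids */
#define NBUCKETS 8

struct fname_trans_rule {
    uint32_t stype;            /* type of the creating process */
    uint32_t ttype;            /* type of the parent directory */
    uint16_t tclass;           /* class of the new object (file, dir, ...) */
    const char *name;          /* exact object name; no globbing, no regex */
    uint32_t otype;            /* resulting type of the new object */
    struct fname_trans_rule *next;
};

static uint64_t ttype_has_rules;                 /* bit i set: some rule has ttype i */
static struct fname_trans_rule *buckets[NBUCKETS];
static unsigned long entries_walked;             /* instrumentation for the example */

static unsigned int bucket_of(uint32_t ttype)
{
    return ttype % NBUCKETS;
}

/* Insert a rule; returns 0 on success, -1 if ttype does not fit the bitmap. */
int fname_trans_add(struct fname_trans_rule *rule)
{
    unsigned int b;

    if (rule->ttype >= MAX_TYPES)
        return -1;
    b = bucket_of(rule->ttype);
    rule->next = buckets[b];
    buckets[b] = rule;
    ttype_has_rules |= (uint64_t)1 << rule->ttype;
    return 0;
}

/*
 * Type of a new object named objname, of class tclass, created by a process of
 * type stype inside a directory of type ttype.  Returns the matching rule's
 * otype, or 0 when no rule matches (the caller keeps the default label).
 */
uint32_t fname_compute_type(uint32_t stype, uint32_t ttype, uint16_t tclass,
                            const char *objname)
{
    struct fname_trans_rule *r;

    /* Fast path: no rule mentions this parent type, so skip the list entirely. */
    if (ttype >= MAX_TYPES || !(ttype_has_rules & ((uint64_t)1 << ttype)))
        return 0;

    /* Only this ttype's bucket is walked; the bucket may hold colliding ttypes. */
    for (r = buckets[bucket_of(ttype)]; r; r = r->next) {
        entries_walked++;
        if (r->ttype == ttype && r->stype == stype && r->tclass == tclass &&
            strcmp(r->name, objname) == 0)
            return r->otype;
    }
    return 0;
}

unsigned long fname_entries_walked(void) { return entries_walked; }

void fname_trans_reset(void)
{
    memset(buckets, 0, sizeof(buckets));
    ttype_has_rules = 0;
    entries_walked = 0;
}

/* Constructed type ids and rules standing in for a loaded policy. */
enum { PASSWD_EXEC_T = 3, ETC_T = 5, SHADOW_T = 6, MOTD_T = 7, USER_HOME_T = 9 };
enum { CLASS_FILE = 1 };

static struct fname_trans_rule sample_rules[] = {
    { PASSWD_EXEC_T, ETC_T, CLASS_FILE, "shadow", SHADOW_T, NULL },
    { PASSWD_EXEC_T, ETC_T, CLASS_FILE, "motd",   MOTD_T,   NULL },
};

/* Load the constructed rules; returns the number of rules loaded. */
int fname_trans_load_sample(void)
{
    size_t i, n = 0;

    fname_trans_reset();
    for (i = 0; i < sizeof(sample_rules) / sizeof(sample_rules[0]); i++)
        if (fname_trans_add(&sample_rules[i]) == 0)
            n++;
    return (int)n;
}

int main(void)
{
    fname_trans_load_sample();
    printf("etc_t/shadow     -> %u\n", fname_compute_type(PASSWD_EXEC_T, ETC_T, CLASS_FILE, "shadow"));
    printf("etc_t/shadow.bak -> %u (exact match only)\n", fname_compute_type(PASSWD_EXEC_T, ETC_T, CLASS_FILE, "shadow.bak"));
    printf("user_home_t/shadow -> %u, entries walked so far: %lu\n",
           fname_compute_type(PASSWD_EXEC_T, USER_HOME_T, CLASS_FILE, "shadow"), fname_entries_walked());
    return 0;
}
```

The entries_walked counter makes the two optimisations visible: a parent type with no rules costs zero list entries because the bitmap test fails first, and a type with rules only walks its own bucket rather than every rule in policy.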
     

24 Jan, 2011

2 commits


08 Dec, 2010

1 commit

  • sidtab_context_to_sid takes up a large share of time when creating large
    numbers of new inodes (~30-40% in oprofile runs). This patch implements a
    cache of 3 entries which is checked before we do a full context_to_sid lookup.
    On one system this showed over a 3x improvement in the number of inodes that
    could be created per second and around a 20% improvement on another system.

    Any time we look up the same context string successively (imagine ls -lZ) we
    should hit this cache hot. A cache miss should have a relatively minor effect
    on performance next to doing the full table search.

    All operations on the cache are done COMPLETELY lockless. We know that all
    struct sidtab_node objects created will never be deleted until a new policy is
    loaded thus we never have to worry about a pointer being dereferenced. Since
    we also know that pointer assignment is atomic we know that the cache will
    always have valid pointers. Given this information we implement a FIFO cache
    in an array of 3 pointers. Every result (whether a cache hit or table lookup)
    will be placed in the 0 spot of the cache and the rest of the entries moved
    down one spot. The 3rd entry will be lost.

    Races are possible and are even likely to happen. Let's assume that 4 tasks
    are hitting sidtab_context_to_sid. The first task checks against the first
    entry in the cache and it is a miss. Now let's assume a second task updates
    the cache with a new entry. This will push the first entry back to the second
    spot. Now the first task might check against the second entry (which it
    already checked) and will miss again. Now say some third task updates the
    cache and pushes the second entry to the third spot. The first task may check
    the third entry (for the third time!) and again have a miss. At which point
    it will just do a full table lookup. No big deal!

    Signed-off-by: Eric Paris

    Eric Paris
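The cache behaviour described in the commit message above, as an added C illustration that is not the kernel's sidtab code: a tiny constructed table of context strings mapped to SIDs, a 3-entry FIFO cache of pointers consulted before the full table scan, and counters showing when the cache hits and when an entry has been pushed out. All names and sample contexts are assumptions for the example, and the lockless multi-task argument of the real patch is not modelled; this runs single-threaded.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed example of a 3-entry FIFO lookup cache in front of a linear
 * table search.  Not the kernel's sidtab implementation.
 */

#define SIDTAB_CACHE_LEN 3

struct sidtab_node {
    unsigned int sid;
    const char *context;    /* security context string */
};

/* Constructed sample table standing in for the nodes sidtab creates at runtime. */
static const struct sidtab_node sample_table[] = {
    { 1, "system_u:object_r:etc_t:s0" },
    { 2, "system_u:object_r:shadow_t:s0" },
    { 3, "system_u:object_r:bin_t:s0" },
    { 4, "unconfined_u:object_r:user_home_t:s0" },
};
#define SAMPLE_TABLE_LEN (sizeof(sample_table) / sizeof(sample_table[0]))

/* FIFO cache of pointers into the table; slot 0 holds the most recent result. */
static const struct sidtab_node *cache[SIDTAB_CACHE_LEN];

/* Counters so the effect of the cache is observable. */
static unsigned long cache_hits, cache_misses;

/* Put node in slot 0 and shift the others down; the last entry falls off. */
static void cache_push(const struct sidtab_node *node)
{
    int i;

    for (i = SIDTAB_CACHE_LEN - 1; i > 0; i--)
        cache[i] = cache[i - 1];
    cache[0] = node;
}

/* The expensive path: linear scan of the whole table. */
static const struct sidtab_node *table_search(const char *context)
{
    size_t i;

    for (i = 0; i < SAMPLE_TABLE_LEN; i++)
        if (strcmp(sample_table[i].context, context) == 0)
            return &sample_table[i];
    return NULL;
}

/*
 * Return the SID for context, or 0 if the context is unknown.  The cache is
 * checked first; every result, cache hit or full lookup, goes into slot 0 as
 * the commit message describes.
 */
unsigned int context_to_sid(const char *context)
{
    const struct sidtab_node *node;
    int i;

    for (i = 0; i < SIDTAB_CACHE_LEN; i++) {
        node = cache[i];
        if (node && strcmp(node->context, context) == 0) {
            cache_hits++;
            cache_push(node);
            return node->sid;
        }
    }

    cache_misses++;
    node = table_search(context);
    if (!node)
        return 0;
    cache_push(node);
    return node->sid;
}

unsigned long sidtab_cache_hits(void) { return cache_hits; }
unsigned long sidtab_cache_misses(void) { return cache_misses; }

void sidtab_cache_reset(void)
{
    memset(cache, 0, sizeof(cache));
    cache_hits = cache_misses = 0;
}

int main(void)
{
    const char *seq[] = {
        "system_u:object_r:etc_t:s0",            /* miss: cold cache */
        "system_u:object_r:etc_t:s0",            /* hit: repeated context, the ls -lZ pattern */
        "system_u:object_r:shadow_t:s0",         /* miss */
        "system_u:object_r:bin_t:s0",            /* miss */
        "unconfined_u:object_r:user_home_t:s0",  /* miss: etc_t now falls out of the cache */
        "system_u:object_r:etc_t:s0",            /* miss: evicted, full search again */
    };
    size_t i;

    for (i = 0; i < sizeof(seq) / sizeof(seq[0]); i++)
        printf("%-40s -> sid %u\n", seq[i], context_to_sid(seq[i]));
    printf("hits=%lu misses=%lu\n", sidtab_cache_hits(), sidtab_cache_misses());
    return 0;
}
```

Because every result is pushed to slot 0 even on a hit, the cache can hold the same node twice; that is harmless, and it is exactly why a task racing with concurrent updates can re-check an entry it has already compared, as the commit message walks through.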
     

01 Dec, 2010

3 commits