License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 22:07:57 +08:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Security server interface.
|
|
|
|
*
|
2017-08-18 01:32:36 +08:00
|
|
|
* Author : Stephen Smalley, <sds@tycho.nsa.gov>
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _SELINUX_SECURITY_H_
|
|
|
|
#define _SELINUX_SECURITY_H_
|
|
|
|
|
2014-06-11 23:55:30 +08:00
|
|
|
#include <linux/compiler.h>
|
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-02-02 00:05:40 +08:00
|
|
|
#include <linux/dcache.h>
|
2009-05-18 22:26:10 +08:00
|
|
|
#include <linux/magic.h>
|
2010-10-14 04:24:41 +08:00
|
|
|
#include <linux/types.h>
|
2018-03-02 07:48:02 +08:00
|
|
|
#include <linux/refcount.h>
|
|
|
|
#include <linux/workqueue.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include "flask.h"
|
|
|
|
|
|
|
|
#define SECSID_NULL 0x00000000 /* unspecified SID */
|
|
|
|
#define SECSID_WILD 0xffffffff /* wildcard SID */
|
|
|
|
#define SECCLASS_NULL 0x0000 /* no class */
|
|
|
|
|
|
|
|
/* Identify specific policy version changes */
|
|
|
|
#define POLICYDB_VERSION_BASE 15
|
|
|
|
#define POLICYDB_VERSION_BOOL 16
|
|
|
|
#define POLICYDB_VERSION_IPV6 17
|
|
|
|
#define POLICYDB_VERSION_NLCLASS 18
|
|
|
|
#define POLICYDB_VERSION_VALIDATETRANS 19
|
|
|
|
#define POLICYDB_VERSION_MLS 19
|
2005-09-04 06:55:16 +08:00
|
|
|
#define POLICYDB_VERSION_AVTAB 20
|
2006-09-26 14:31:59 +08:00
|
|
|
#define POLICYDB_VERSION_RANGETRANS 21
|
2008-01-29 21:38:19 +08:00
|
|
|
#define POLICYDB_VERSION_POLCAP 22
|
2008-03-31 09:17:33 +08:00
|
|
|
#define POLICYDB_VERSION_PERMISSIVE 23
|
2008-08-28 15:35:57 +08:00
|
|
|
#define POLICYDB_VERSION_BOUNDARY 24
|
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-02-02 00:05:40 +08:00
|
|
|
#define POLICYDB_VERSION_FILENAME_TRANS 25
|
2011-03-25 13:51:56 +08:00
|
|
|
#define POLICYDB_VERSION_ROLETRANS 26
|
2012-03-21 02:35:12 +08:00
|
|
|
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
|
2012-03-21 02:35:12 +08:00
|
|
|
#define POLICYDB_VERSION_DEFAULT_TYPE 28
|
2013-11-20 06:34:23 +08:00
|
|
|
#define POLICYDB_VERSION_CONSTRAINT_NAMES 29
|
2015-07-11 05:19:56 +08:00
|
|
|
#define POLICYDB_VERSION_XPERMS_IOCTL 30
|
2017-05-19 20:48:55 +08:00
|
|
|
#define POLICYDB_VERSION_INFINIBAND 31
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* Range of policy versions we understand*/
|
|
|
|
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
|
2017-05-19 20:48:55 +08:00
|
|
|
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_INFINIBAND
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-01-16 22:22:02 +08:00
|
|
|
/* Mask for just the mount related flags */
|
|
|
|
#define SE_MNTMASK 0x0f
|
|
|
|
/* Super block security struct flags for mount options */
|
2012-10-10 04:20:08 +08:00
|
|
|
/* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */
|
2008-03-05 23:31:54 +08:00
|
|
|
#define CONTEXT_MNT 0x01
|
|
|
|
#define FSCONTEXT_MNT 0x02
|
|
|
|
#define ROOTCONTEXT_MNT 0x04
|
|
|
|
#define DEFCONTEXT_MNT 0x08
|
2012-10-10 04:20:08 +08:00
|
|
|
#define SBLABEL_MNT 0x10
|
2009-01-16 22:22:02 +08:00
|
|
|
/* Non-mount related flags */
|
2012-10-10 04:20:08 +08:00
|
|
|
#define SE_SBINITIALIZED 0x0100
|
|
|
|
#define SE_SBPROC 0x0200
|
2015-06-05 04:22:17 +08:00
|
|
|
#define SE_SBGENFS 0x0400
|
2008-03-05 23:31:54 +08:00
|
|
|
|
2008-04-02 01:24:09 +08:00
|
|
|
#define CONTEXT_STR "context="
|
|
|
|
#define FSCONTEXT_STR "fscontext="
|
|
|
|
#define ROOTCONTEXT_STR "rootcontext="
|
|
|
|
#define DEFCONTEXT_STR "defcontext="
|
2009-01-16 22:22:03 +08:00
|
|
|
#define LABELSUPP_STR "seclabel"
|
2008-04-02 01:24:09 +08:00
|
|
|
|
2007-03-01 04:14:22 +08:00
|
|
|
struct netlbl_lsm_secattr;
|
2006-11-18 12:01:03 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
extern int selinux_enabled;
|
|
|
|
|
2008-01-29 21:38:19 +08:00
|
|
|
/* Policy capabilities */
|
|
|
|
enum {
|
|
|
|
POLICYDB_CAPABILITY_NETPEER,
|
2008-02-29 01:58:40 +08:00
|
|
|
POLICYDB_CAPABILITY_OPENPERM,
|
selinux: support distinctions among all network address families
Extend SELinux to support distinctions among all network address families
implemented by the kernel by defining new socket security classes
and mapping to them. Otherwise, many sockets are mapped to the generic
socket class and are indistinguishable in policy. This has come up
previously with regard to selectively allowing access to bluetooth sockets,
and more recently with regard to selectively allowing access to AF_ALG
sockets. Guido Trentalancia submitted a patch that took a similar approach
to add only support for distinguishing AF_ALG sockets, but this generalizes
his approach to handle all address families implemented by the kernel.
Socket security classes are also added for ICMP and SCTP sockets.
Socket security classes were not defined for AF_* values that are reserved
but unimplemented in the kernel, e.g. AF_NETBEUI, AF_SECURITY, AF_ASH,
AF_ECONET, AF_SNA, AF_WANPIPE.
Backward compatibility is provided by only enabling the finer-grained
socket classes if a new policy capability is set in the policy; older
policies will behave as before. The legacy redhat1 policy capability
that was only ever used in testing within Fedora for ptrace_child
is reclaimed for this purpose; as far as I can tell, this policy
capability is not enabled in any supported distro policy.
Add a pair of conditional compilation guards to detect when new AF_* values
are added so that we can update SELinux accordingly rather than having to
belatedly update it long after new address families are introduced.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-01-09 23:07:30 +08:00
|
|
|
POLICYDB_CAPABILITY_EXTSOCKCLASS,
|
2013-05-03 21:05:39 +08:00
|
|
|
POLICYDB_CAPABILITY_ALWAYSNETWORK,
|
2017-02-28 23:35:56 +08:00
|
|
|
POLICYDB_CAPABILITY_CGROUPSECLABEL,
|
selinux: Generalize support for NNP/nosuid SELinux domain transitions
As systemd ramps up enabling NNP (NoNewPrivileges) for system services,
it is increasingly breaking SELinux domain transitions for those services
and their descendants. systemd enables NNP not only for services whose
unit files explicitly specify NoNewPrivileges=yes but also for services
whose unit files specify any of the following options in combination with
running without CAP_SYS_ADMIN (e.g. specifying User= or a
CapabilityBoundingSet= without CAP_SYS_ADMIN): SystemCallFilter=,
SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=,
PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=,
MemoryDenyWriteExecute=, or RestrictRealtime= as per the systemd.exec(5)
man page.
The end result is bad for the security of both SELinux-disabled and
SELinux-enabled systems. Packagers have to turn off these
options in the unit files to preserve SELinux domain transitions. For
users who choose to disable SELinux, this means that they miss out on
at least having the systemd-supported protections. For users who keep
SELinux enabled, they may still be missing out on some protections
because it isn't necessarily guaranteed that the SELinux policy for
that service provides the same protections in all cases.
commit 7b0d0b40cd78 ("selinux: Permit bounded transitions under
NO_NEW_PRIVS or NOSUID.") allowed bounded transitions under NNP in
order to support limited usage for sandboxing programs. However,
defining typebounds for all of the affected service domains
is impractical to implement in policy, since typebounds requires us
to ensure that each domain is allowed everything all of its descendant
domains are allowed, and this has to be repeated for the entire chain
of domain transitions. There is no way to clone all allow rules from
descendants to their ancestors in policy currently, and doing so would
be undesirable even if it were practical, as it requires leaking
permissions to objects and operations into ancestor domains that could
weaken their own security in order to allow them to the descendants
(e.g. if a descendant requires execmem permission, then so do all of
its ancestors; if a descendant requires execute permission to a file,
then so do all of its ancestors; if a descendant requires read to a
symbolic link or temporary file, then so do all of its ancestors...).
SELinux domains are intentionally not hierarchical / bounded in this
manner normally, and making them so would undermine their protections
and least privilege.
We have long had a similar tension with SELinux transitions and nosuid
mounts, albeit not as severe. Users often have had to choose between
retaining nosuid on a mount and allowing SELinux domain transitions on
files within those mounts. This likewise leads to unfortunate tradeoffs
in security.
Decouple NNP/nosuid from SELinux transitions, so that we don't have to
make a choice between them. Introduce a nnp_nosuid_transition policy
capability that enables transitions under NNP/nosuid to be based on
a permission (nnp_transition for NNP; nosuid_transition for nosuid)
between the old and new contexts in addition to the current support
for bounded transitions. Domain transitions can then be allowed in
policy without requiring the parent to be a strict superset of all of
its children.
With this change, systemd unit files can be left unmodified from upstream.
SELinux-disabled and SELinux-enabled users will benefit from retaining any
of the systemd-provided protections. SELinux policy will only need to
be adapted to enable the new policy capability and to allow the
new permissions between domain pairs as appropriate.
NB: Allowing nnp_transition between two contexts opens up the potential
for the old context to subvert the new context by installing seccomp
filters before the execve. Allowing nosuid_transition between two contexts
opens up the potential for a context transition to occur on a file from
an untrusted filesystem (e.g. removable media or remote filesystem). Use
with care.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-07-31 22:12:46 +08:00
|
|
|
POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
|
2008-01-29 21:38:19 +08:00
|
|
|
__POLICYDB_CAPABILITY_MAX
|
|
|
|
};
|
|
|
|
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
|
|
|
|
|
2017-05-19 04:58:31 +08:00
|
|
|
extern char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];
|
|
|
|
|
2008-08-28 15:35:57 +08:00
|
|
|
/*
|
|
|
|
* type_datum properties
|
|
|
|
* available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY
|
|
|
|
*/
|
|
|
|
#define TYPEDATUM_PROPERTY_PRIMARY 0x0001
|
|
|
|
#define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002
|
|
|
|
|
|
|
|
/* limitation of boundary depth */
|
|
|
|
#define POLICYDB_BOUNDS_MAXDEPTH 4
|
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
struct selinux_ss;
|
|
|
|
|
|
|
|
struct selinux_state {
|
|
|
|
bool disabled;
|
|
|
|
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
|
|
|
|
bool enforcing;
|
|
|
|
#endif
|
|
|
|
bool checkreqprot;
|
|
|
|
bool initialized;
|
|
|
|
bool policycap[__POLICYDB_CAPABILITY_MAX];
|
|
|
|
struct selinux_ss *ss;
|
|
|
|
};
|
|
|
|
|
|
|
|
void selinux_ss_init(struct selinux_ss **ss);
|
|
|
|
|
|
|
|
extern struct selinux_state selinux_state;
|
|
|
|
|
|
|
|
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
|
|
|
|
static inline bool is_enforcing(struct selinux_state *state)
|
|
|
|
{
|
|
|
|
return state->enforcing;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void set_enforcing(struct selinux_state *state, bool value)
|
|
|
|
{
|
|
|
|
state->enforcing = value;
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static inline bool is_enforcing(struct selinux_state *state)
|
|
|
|
{
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void set_enforcing(struct selinux_state *state, bool value)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
static inline bool selinux_policycap_netpeer(void)
|
|
|
|
{
|
|
|
|
struct selinux_state *state = &selinux_state;
|
|
|
|
|
|
|
|
return state->policycap[POLICYDB_CAPABILITY_NETPEER];
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool selinux_policycap_openperm(void)
|
|
|
|
{
|
|
|
|
struct selinux_state *state = &selinux_state;
|
|
|
|
|
|
|
|
return state->policycap[POLICYDB_CAPABILITY_OPENPERM];
|
|
|
|
}
|
2010-02-03 23:40:20 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
static inline bool selinux_policycap_extsockclass(void)
|
|
|
|
{
|
|
|
|
struct selinux_state *state = &selinux_state;
|
|
|
|
|
|
|
|
return state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS];
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
static inline bool selinux_policycap_alwaysnetwork(void)
|
|
|
|
{
|
|
|
|
struct selinux_state *state = &selinux_state;
|
|
|
|
|
|
|
|
return state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK];
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool selinux_policycap_cgroupseclabel(void)
|
|
|
|
{
|
|
|
|
struct selinux_state *state = &selinux_state;
|
|
|
|
|
|
|
|
return state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL];
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool selinux_policycap_nnp_nosuid_transition(void)
|
|
|
|
{
|
|
|
|
struct selinux_state *state = &selinux_state;
|
|
|
|
|
|
|
|
return state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION];
|
|
|
|
}
|
|
|
|
|
|
|
|
int security_mls_enabled(struct selinux_state *state);
|
|
|
|
int security_load_policy(struct selinux_state *state,
|
|
|
|
void *data, size_t len);
|
|
|
|
int security_read_policy(struct selinux_state *state,
|
|
|
|
void **data, size_t *len);
|
|
|
|
size_t security_policydb_len(struct selinux_state *state);
|
|
|
|
|
|
|
|
int security_policycap_supported(struct selinux_state *state,
|
|
|
|
unsigned int req_cap);
|
2008-01-29 21:38:19 +08:00
|
|
|
|
2007-05-23 21:12:09 +08:00
|
|
|
#define SEL_VEC_MAX 32
|
2005-04-17 06:20:36 +08:00
|
|
|
struct av_decision {
|
|
|
|
u32 allowed;
|
|
|
|
u32 auditallow;
|
|
|
|
u32 auditdeny;
|
|
|
|
u32 seqno;
|
Permissive domain in userspace object manager
This patch enables applications to handle permissive domain correctly.
Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.
This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.
This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/avc.c | 2 +-
security/selinux/include/security.h | 4 +++-
security/selinux/selinuxfs.c | 4 ++--
security/selinux/ss/services.c | 30 +++++-------------------------
4 files changed, 11 insertions(+), 29 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2009-04-01 09:07:57 +08:00
|
|
|
u32 flags;
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
2015-07-11 05:19:56 +08:00
|
|
|
#define XPERMS_ALLOWED 1
|
|
|
|
#define XPERMS_AUDITALLOW 2
|
|
|
|
#define XPERMS_DONTAUDIT 4
|
|
|
|
|
|
|
|
#define security_xperm_set(perms, x) (perms[x >> 5] |= 1 << (x & 0x1f))
|
|
|
|
#define security_xperm_test(perms, x) (1 & (perms[x >> 5] >> (x & 0x1f)))
|
|
|
|
struct extended_perms_data {
|
|
|
|
u32 p[8];
|
|
|
|
};
|
|
|
|
|
|
|
|
struct extended_perms_decision {
|
|
|
|
u8 used;
|
|
|
|
u8 driver;
|
|
|
|
struct extended_perms_data *allowed;
|
|
|
|
struct extended_perms_data *auditallow;
|
|
|
|
struct extended_perms_data *dontaudit;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct extended_perms {
|
|
|
|
u16 len; /* length associated decision chain */
|
|
|
|
struct extended_perms_data drivers; /* flag drivers that are used */
|
|
|
|
};
|
|
|
|
|
Permissive domain in userspace object manager
This patch enables applications to handle permissive domain correctly.
Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.
This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.
This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/avc.c | 2 +-
security/selinux/include/security.h | 4 +++-
security/selinux/selinuxfs.c | 4 ++--
security/selinux/ss/services.c | 30 +++++-------------------------
4 files changed, 11 insertions(+), 29 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2009-04-01 09:07:57 +08:00
|
|
|
/* definitions of av_decision.flags */
|
|
|
|
#define AVD_FLAGS_PERMISSIVE 0x0001
|
2008-03-31 09:17:33 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
void security_compute_av(struct selinux_state *state,
|
|
|
|
u32 ssid, u32 tsid,
|
2015-07-11 05:19:56 +08:00
|
|
|
u16 tclass, struct av_decision *avd,
|
|
|
|
struct extended_perms *xperms);
|
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
void security_compute_xperms_decision(struct selinux_state *state,
|
|
|
|
u32 ssid, u32 tsid, u16 tclass,
|
|
|
|
u8 driver,
|
|
|
|
struct extended_perms_decision *xpermd);
|
selinux: dynamic class/perm discovery
Modify SELinux to dynamically discover class and permission values
upon policy load, based on the dynamic object class/perm discovery
logic from libselinux. A mapping is created between kernel-private
class and permission indices used outside the security server and the
policy values used within the security server.
The mappings are only applied upon kernel-internal computations;
similar mappings for the private indices of userspace object managers
is handled on a per-object manager basis by the userspace AVC. The
interfaces for compute_av and transition_sid are split for kernel
vs. userspace; the userspace functions are distinguished by a _user
suffix.
The kernel-private class indices are no longer tied to the policy
values and thus do not need to skip indices for userspace classes;
thus the kernel class index values are compressed. The flask.h
definitions were regenerated by deleting the userspace classes from
refpolicy's definitions and then regenerating the headers. Going
forward, we can just maintain the flask.h, av_permissions.h, and
classmap.h definitions separately from policy as they are no longer
tied to the policy values. The next patch introduces a utility to
automate generation of flask.h and av_permissions.h from the
classmap.h definitions.
The older kernel class and permission string tables are removed and
replaced by a single security class mapping table that is walked at
policy load to generate the mapping. The old kernel class validation
logic is completely replaced by the mapping logic.
The handle unknown logic is reworked. reject_unknown=1 is handled
when the mappings are computed at policy load time, similar to the old
handling by the class validation logic. allow_unknown=1 is handled
when computing and mapping decisions - if the permission was not able
to be mapped (i.e. undefined, mapped to zero), then it is
automatically added to the allowed vector. If the class was not able
to be mapped (i.e. undefined, mapped to zero), then all permissions
are allowed for it if allow_unknown=1.
avc_audit leverages the new security class mapping table to lookup the
class and permission names from the kernel-private indices.
The mdp program is updated to use the new table when generating the
class definitions and allow rules for a minimal boot policy for the
kernel. It should be noted that this policy will not include any
userspace classes, nor will its policy index values for the kernel
classes correspond with the ones in refpolicy (they will instead match
the kernel-private indices).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2009-10-01 01:37:50 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
void security_compute_av_user(struct selinux_state *state,
|
|
|
|
u32 ssid, u32 tsid,
|
|
|
|
u16 tclass, struct av_decision *avd);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_transition_sid(struct selinux_state *state,
|
|
|
|
u32 ssid, u32 tsid, u16 tclass,
|
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-02-02 00:05:40 +08:00
|
|
|
const struct qstr *qstr, u32 *out_sid);
|
selinux: dynamic class/perm discovery
Modify SELinux to dynamically discover class and permission values
upon policy load, based on the dynamic object class/perm discovery
logic from libselinux. A mapping is created between kernel-private
class and permission indices used outside the security server and the
policy values used within the security server.
The mappings are only applied upon kernel-internal computations;
similar mappings for the private indices of userspace object managers
is handled on a per-object manager basis by the userspace AVC. The
interfaces for compute_av and transition_sid are split for kernel
vs. userspace; the userspace functions are distinguished by a _user
suffix.
The kernel-private class indices are no longer tied to the policy
values and thus do not need to skip indices for userspace classes;
thus the kernel class index values are compressed. The flask.h
definitions were regenerated by deleting the userspace classes from
refpolicy's definitions and then regenerating the headers. Going
forward, we can just maintain the flask.h, av_permissions.h, and
classmap.h definitions separately from policy as they are no longer
tied to the policy values. The next patch introduces a utility to
automate generation of flask.h and av_permissions.h from the
classmap.h definitions.
The older kernel class and permission string tables are removed and
replaced by a single security class mapping table that is walked at
policy load to generate the mapping. The old kernel class validation
logic is completely replaced by the mapping logic.
The handle unknown logic is reworked. reject_unknown=1 is handled
when the mappings are computed at policy load time, similar to the old
handling by the class validation logic. allow_unknown=1 is handled
when computing and mapping decisions - if the permission was not able
to be mapped (i.e. undefined, mapped to zero), then it is
automatically added to the allowed vector. If the class was not able
to be mapped (i.e. undefined, mapped to zero), then all permissions
are allowed for it if allow_unknown=1.
avc_audit leverages the new security class mapping table to lookup the
class and permission names from the kernel-private indices.
The mdp program is updated to use the new table when generating the
class definitions and allow rules for a minimal boot policy for the
kernel. It should be noted that this policy will not include any
userspace classes, nor will its policy index values for the kernel
classes correspond with the ones in refpolicy (they will instead match
the kernel-private indices).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2009-10-01 01:37:50 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_transition_sid_user(struct selinux_state *state,
|
|
|
|
u32 ssid, u32 tsid, u16 tclass,
|
2011-04-01 22:39:26 +08:00
|
|
|
const char *objname, u32 *out_sid);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_member_sid(struct selinux_state *state, u32 ssid, u32 tsid,
|
|
|
|
u16 tclass, u32 *out_sid);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_change_sid(struct selinux_state *state, u32 ssid, u32 tsid,
|
|
|
|
u16 tclass, u32 *out_sid);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_sid_to_context(struct selinux_state *state, u32 sid,
|
|
|
|
char **scontext, u32 *scontext_len);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_sid_to_context_force(struct selinux_state *state,
|
|
|
|
u32 sid, char **scontext, u32 *scontext_len);
|
2008-05-08 01:03:20 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_context_to_sid(struct selinux_state *state,
|
|
|
|
const char *scontext, u32 scontext_len,
|
2014-03-07 19:44:19 +08:00
|
|
|
u32 *out_sid, gfp_t gfp);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_context_str_to_sid(struct selinux_state *state,
|
|
|
|
const char *scontext, u32 *out_sid, gfp_t gfp);
|
2015-10-22 05:44:25 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_context_to_sid_default(struct selinux_state *state,
|
|
|
|
const char *scontext, u32 scontext_len,
|
2008-04-04 20:46:05 +08:00
|
|
|
u32 *out_sid, u32 def_sid, gfp_t gfp_flags);
|
2005-07-28 16:07:37 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_context_to_sid_force(struct selinux_state *state,
|
|
|
|
const char *scontext, u32 scontext_len,
|
2008-05-08 01:03:20 +08:00
|
|
|
u32 *sid);
|
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_get_user_sids(struct selinux_state *state,
|
|
|
|
u32 callsid, char *username,
|
2005-04-17 06:20:36 +08:00
|
|
|
u32 **sids, u32 *nel);
|
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_port_sid(struct selinux_state *state,
|
|
|
|
u8 protocol, u16 port, u32 *out_sid);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_ib_pkey_sid(struct selinux_state *state,
|
|
|
|
u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
|
2017-05-19 20:48:57 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_ib_endport_sid(struct selinux_state *state,
|
|
|
|
const char *dev_name, u8 port_num, u32 *out_sid);
|
2017-05-19 20:48:58 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_netif_sid(struct selinux_state *state,
|
|
|
|
char *name, u32 *if_sid);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_node_sid(struct selinux_state *state,
|
|
|
|
u16 domain, void *addr, u32 addrlen,
|
|
|
|
u32 *out_sid);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_validate_transition(struct selinux_state *state,
|
|
|
|
u32 oldsid, u32 newsid, u32 tasksid,
|
2008-04-23 05:46:11 +08:00
|
|
|
u16 tclass);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_validate_transition_user(struct selinux_state *state,
|
|
|
|
u32 oldsid, u32 newsid, u32 tasksid,
|
2015-12-25 00:09:41 +08:00
|
|
|
u16 tclass);
|
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_bounded_transition(struct selinux_state *state,
|
|
|
|
u32 oldsid, u32 newsid);
|
2008-08-28 15:35:57 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_sid_mls_copy(struct selinux_state *state,
|
|
|
|
u32 sid, u32 mls_sid, u32 *new_sid);
|
2006-07-25 14:27:16 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_net_peersid_resolve(struct selinux_state *state,
|
|
|
|
u32 nlbl_sid, u32 nlbl_type,
|
2008-01-29 21:38:23 +08:00
|
|
|
u32 xfrm_sid,
|
|
|
|
u32 *peer_sid);
|
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_get_classes(struct selinux_state *state,
|
|
|
|
char ***classes, int *nclasses);
|
|
|
|
int security_get_permissions(struct selinux_state *state,
|
|
|
|
char *class, char ***perms, int *nperms);
|
|
|
|
int security_get_reject_unknown(struct selinux_state *state);
|
|
|
|
int security_get_allow_unknown(struct selinux_state *state);
|
2007-05-23 21:12:06 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
#define SECURITY_FS_USE_XATTR 1 /* use xattr */
|
|
|
|
#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */
|
|
|
|
#define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */
|
|
|
|
#define SECURITY_FS_USE_GENFS 4 /* use the genfs support */
|
|
|
|
#define SECURITY_FS_USE_NONE 5 /* no labeling support */
|
|
|
|
#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */
|
2013-05-23 00:50:37 +08:00
|
|
|
#define SECURITY_FS_USE_NATIVE 7 /* use native label support */
|
|
|
|
#define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_fs_use(struct selinux_state *state, struct super_block *sb);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_genfs_sid(struct selinux_state *state,
|
|
|
|
const char *fstype, char *name, u16 sclass,
|
|
|
|
u32 *sid);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2007-03-01 04:14:22 +08:00
|
|
|
#ifdef CONFIG_NETLABEL
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_netlbl_secattr_to_sid(struct selinux_state *state,
|
|
|
|
struct netlbl_lsm_secattr *secattr,
|
2007-03-01 04:14:22 +08:00
|
|
|
u32 *sid);
|
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
int security_netlbl_sid_to_secattr(struct selinux_state *state,
|
|
|
|
u32 sid,
|
2007-03-01 04:14:22 +08:00
|
|
|
struct netlbl_lsm_secattr *secattr);
|
|
|
|
#else
|
2018-03-02 07:48:02 +08:00
|
|
|
static inline int security_netlbl_secattr_to_sid(struct selinux_state *state,
|
2007-03-01 04:14:22 +08:00
|
|
|
struct netlbl_lsm_secattr *secattr,
|
|
|
|
u32 *sid)
|
|
|
|
{
|
|
|
|
return -EIDRM;
|
|
|
|
}
|
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
static inline int security_netlbl_sid_to_secattr(struct selinux_state *state,
|
|
|
|
u32 sid,
|
|
|
|
struct netlbl_lsm_secattr *secattr)
|
2007-03-01 04:14:22 +08:00
|
|
|
{
|
|
|
|
return -ENOENT;
|
|
|
|
}
|
|
|
|
#endif /* CONFIG_NETLABEL */
|
|
|
|
|
2007-04-04 22:11:29 +08:00
|
|
|
const char *security_get_initial_sid_context(u32 sid);
|
|
|
|
|
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 17:28:39 +08:00
|
|
|
/*
|
|
|
|
* status notifier using mmap interface
|
|
|
|
*/
|
2018-03-02 07:48:02 +08:00
|
|
|
extern struct page *selinux_kernel_status_page(struct selinux_state *state);
|
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 17:28:39 +08:00
|
|
|
|
|
|
|
#define SELINUX_KERNEL_STATUS_VERSION 1
|
2010-09-30 10:49:55 +08:00
|
|
|
struct selinux_kernel_status {
|
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 17:28:39 +08:00
|
|
|
u32 version; /* version number of thie structure */
|
|
|
|
u32 sequence; /* sequence number of seqlock logic */
|
|
|
|
u32 enforcing; /* current setting of enforcing mode */
|
|
|
|
u32 policyload; /* times of policy reloaded */
|
|
|
|
u32 deny_unknown; /* current setting of deny_unknown */
|
|
|
|
/*
|
|
|
|
* The version > 0 supports above members.
|
|
|
|
*/
|
2014-06-11 23:55:30 +08:00
|
|
|
} __packed;
|
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 17:28:39 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
extern void selinux_status_update_setenforce(struct selinux_state *state,
|
|
|
|
int enforcing);
|
|
|
|
extern void selinux_status_update_policyload(struct selinux_state *state,
|
|
|
|
int seqno);
|
2011-08-17 09:13:31 +08:00
|
|
|
extern void selinux_complete_init(void);
|
2018-03-02 07:48:02 +08:00
|
|
|
extern int selinux_disable(struct selinux_state *state);
|
2011-08-30 08:50:12 +08:00
|
|
|
extern void exit_sel_fs(void);
|
2012-06-27 01:58:53 +08:00
|
|
|
extern struct path selinux_null;
|
2011-08-30 08:50:12 +08:00
|
|
|
extern struct vfsmount *selinuxfs_mount;
|
2011-08-30 10:09:15 +08:00
|
|
|
extern void selnl_notify_setenforce(int val);
|
|
|
|
extern void selnl_notify_policyload(u32 seqno);
|
|
|
|
extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
|
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 17:28:39 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
extern void avtab_cache_init(void);
|
|
|
|
extern void ebitmap_cache_init(void);
|
|
|
|
extern void hashtab_cache_init(void);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-03-02 07:48:02 +08:00
|
|
|
#endif /* _SELINUX_SECURITY_H_ */
|