forked from luck/tmp_suning_uos_patched
5825a95fe9
-----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAl2BLvcUHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXP9pA/+Ls9sRGZoEipycbgRnwkL9/6yFtn4 UCFGMP0eobrjL82i8uMOa/72Budsp3ZaZRxf36NpbMDPyB9ohp5jf7o1WFTELESv EwxVvOMNwrxO2UbzRv3iywnhdPVJ4gHPa4GWfBHu2EEfhz3/Bv0tPIBdeXAbq4aC R0p+M9X0FFEp9eP4ftwOvFGpbZ8zKo1kwgdvCnqLhHDkyqtapqO/ByCTe1VATERP fyxjYDZNnITmI0plaIxCeeudklOTtVSAL4JPh1rk8rZIkUznZ4EBDHxdKiaz3j9C ZtAthiAA9PfAwf4DZSPHnGsfINxeNBKLD65jZn/PUne/gNJEx4DK041X9HXBNwjv OoArw58LCzxtTNZ//WB4CovRpeSdKvmKv0oh61k8cdQahLeHhzXE1wLQbnnBJLI3 CTsumIp4ZPEOX5r4ogdS3UIQpo3KrZump7VO85yUTRni150JpZR3egYpmcJ0So1A QTPemBhC2CHJVTpycYZ9fVTlPeC4oNwosPmvpB8XeGu3w5JpuNSId+BDR/ZlQAmq xWiIocGL3UMuPuJUrTGChifqBAgzK+gLa7S7RYPEnTCkj6LVQwsuP4gBXf75QTG4 FPwVcoMSDFxUDF0oFqwz4GfJlCxBSzX+BkWUn6jIiXKXBnQjU+1gu6KTwE25mf/j snJznFk25hFYFaM= =n4ht -----END PGP SIGNATURE----- Merge tag 'selinux-pr-20190917' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux updates from Paul Moore: - Add LSM hooks, and SELinux access control hooks, for dnotify, fanotify, and inotify watches. This has been discussed with both the LSM and fs/notify folks and everybody is good with these new hooks. - The LSM stacking changes missed a few calls to current_security() in the SELinux code; we fix those and remove current_security() for good. - Improve our network object labeling cache so that we always return the object's label, even when under memory pressure. Previously we would return an error if we couldn't allocate a new cache entry, now we always return the label even if we can't create a new cache entry for it. - Convert the sidtab atomic_t counter to a normal u32 with READ/WRITE_ONCE() and memory barrier protection. - A few patches to policydb.c to clean things up (remove forward declarations, long lines, bad variable names, etc) * tag 'selinux-pr-20190917' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: lsm: remove current_security() selinux: fix residual uses of current_security() for the SELinux blob selinux: avoid atomic_t usage in sidtab fanotify, inotify, dnotify, security: add security hook for fs notifications selinux: always return a secid from the network caches if we find one selinux: policydb - rename type_val_to_struct_array selinux: policydb - fix some checkpatch.pl warnings selinux: shuffle around policydb.c to get rid of forward declarations
189 lines
4.9 KiB
C
189 lines
4.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* NSA Security-Enhanced Linux (SELinux) security module
|
|
*
|
|
* This file contains the SELinux security data structures for kernel objects.
|
|
*
|
|
* Author(s): Stephen Smalley, <sds@tycho.nsa.gov>
|
|
* Chris Vance, <cvance@nai.com>
|
|
* Wayne Salamon, <wsalamon@nai.com>
|
|
* James Morris <jmorris@redhat.com>
|
|
*
|
|
* Copyright (C) 2001,2002 Networks Associates Technology, Inc.
|
|
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
|
* Copyright (C) 2016 Mellanox Technologies
|
|
*/
|
|
#ifndef _SELINUX_OBJSEC_H_
|
|
#define _SELINUX_OBJSEC_H_
|
|
|
|
#include <linux/list.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/binfmts.h>
|
|
#include <linux/in.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/lsm_hooks.h>
|
|
#include <linux/msg.h>
|
|
#include <net/net_namespace.h>
|
|
#include "flask.h"
|
|
#include "avc.h"
|
|
|
|
struct task_security_struct {
|
|
u32 osid; /* SID prior to last execve */
|
|
u32 sid; /* current SID */
|
|
u32 exec_sid; /* exec SID */
|
|
u32 create_sid; /* fscreate SID */
|
|
u32 keycreate_sid; /* keycreate SID */
|
|
u32 sockcreate_sid; /* fscreate SID */
|
|
};
|
|
|
|
enum label_initialized {
|
|
LABEL_INVALID, /* invalid or not initialized */
|
|
LABEL_INITIALIZED, /* initialized */
|
|
LABEL_PENDING
|
|
};
|
|
|
|
struct inode_security_struct {
|
|
struct inode *inode; /* back pointer to inode object */
|
|
struct list_head list; /* list of inode_security_struct */
|
|
u32 task_sid; /* SID of creating task */
|
|
u32 sid; /* SID of this object */
|
|
u16 sclass; /* security class of this object */
|
|
unsigned char initialized; /* initialization flag */
|
|
spinlock_t lock;
|
|
};
|
|
|
|
struct file_security_struct {
|
|
u32 sid; /* SID of open file description */
|
|
u32 fown_sid; /* SID of file owner (for SIGIO) */
|
|
u32 isid; /* SID of inode at the time of file open */
|
|
u32 pseqno; /* Policy seqno at the time of file open */
|
|
};
|
|
|
|
struct superblock_security_struct {
|
|
struct super_block *sb; /* back pointer to sb object */
|
|
u32 sid; /* SID of file system superblock */
|
|
u32 def_sid; /* default SID for labeling */
|
|
u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
|
|
unsigned short behavior; /* labeling behavior */
|
|
unsigned short flags; /* which mount options were specified */
|
|
struct mutex lock;
|
|
struct list_head isec_head;
|
|
spinlock_t isec_lock;
|
|
};
|
|
|
|
struct msg_security_struct {
|
|
u32 sid; /* SID of message */
|
|
};
|
|
|
|
struct ipc_security_struct {
|
|
u16 sclass; /* security class of this object */
|
|
u32 sid; /* SID of IPC resource */
|
|
};
|
|
|
|
struct netif_security_struct {
|
|
struct net *ns; /* network namespace */
|
|
int ifindex; /* device index */
|
|
u32 sid; /* SID for this interface */
|
|
};
|
|
|
|
struct netnode_security_struct {
|
|
union {
|
|
__be32 ipv4; /* IPv4 node address */
|
|
struct in6_addr ipv6; /* IPv6 node address */
|
|
} addr;
|
|
u32 sid; /* SID for this node */
|
|
u16 family; /* address family */
|
|
};
|
|
|
|
struct netport_security_struct {
|
|
u32 sid; /* SID for this node */
|
|
u16 port; /* port number */
|
|
u8 protocol; /* transport protocol */
|
|
};
|
|
|
|
struct sk_security_struct {
|
|
#ifdef CONFIG_NETLABEL
|
|
enum { /* NetLabel state */
|
|
NLBL_UNSET = 0,
|
|
NLBL_REQUIRE,
|
|
NLBL_LABELED,
|
|
NLBL_REQSKB,
|
|
NLBL_CONNLABELED,
|
|
} nlbl_state;
|
|
struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */
|
|
#endif
|
|
u32 sid; /* SID of this object */
|
|
u32 peer_sid; /* SID of peer */
|
|
u16 sclass; /* sock security class */
|
|
enum { /* SCTP association state */
|
|
SCTP_ASSOC_UNSET = 0,
|
|
SCTP_ASSOC_SET,
|
|
} sctp_assoc_state;
|
|
};
|
|
|
|
struct tun_security_struct {
|
|
u32 sid; /* SID for the tun device sockets */
|
|
};
|
|
|
|
struct key_security_struct {
|
|
u32 sid; /* SID of key */
|
|
};
|
|
|
|
struct ib_security_struct {
|
|
u32 sid; /* SID of the queue pair or MAD agent */
|
|
};
|
|
|
|
struct pkey_security_struct {
|
|
u64 subnet_prefix; /* Port subnet prefix */
|
|
u16 pkey; /* PKey number */
|
|
u32 sid; /* SID of pkey */
|
|
};
|
|
|
|
struct bpf_security_struct {
|
|
u32 sid; /*SID of bpf obj creater*/
|
|
};
|
|
|
|
extern struct lsm_blob_sizes selinux_blob_sizes;
|
|
static inline struct task_security_struct *selinux_cred(const struct cred *cred)
|
|
{
|
|
return cred->security + selinux_blob_sizes.lbs_cred;
|
|
}
|
|
|
|
static inline struct file_security_struct *selinux_file(const struct file *file)
|
|
{
|
|
return file->f_security + selinux_blob_sizes.lbs_file;
|
|
}
|
|
|
|
static inline struct inode_security_struct *selinux_inode(
|
|
const struct inode *inode)
|
|
{
|
|
if (unlikely(!inode->i_security))
|
|
return NULL;
|
|
return inode->i_security + selinux_blob_sizes.lbs_inode;
|
|
}
|
|
|
|
static inline struct msg_security_struct *selinux_msg_msg(
|
|
const struct msg_msg *msg_msg)
|
|
{
|
|
return msg_msg->security + selinux_blob_sizes.lbs_msg_msg;
|
|
}
|
|
|
|
static inline struct ipc_security_struct *selinux_ipc(
|
|
const struct kern_ipc_perm *ipc)
|
|
{
|
|
return ipc->security + selinux_blob_sizes.lbs_ipc;
|
|
}
|
|
|
|
/*
|
|
* get the subjective security ID of the current task
|
|
*/
|
|
static inline u32 current_sid(void)
|
|
{
|
|
const struct task_security_struct *tsec = selinux_cred(current_cred());
|
|
|
|
return tsec->sid;
|
|
}
|
|
|
|
#endif /* _SELINUX_OBJSEC_H_ */
|