From d91c1ab470edd94e52bca738e53b5ad0f0247176 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Fri, 16 Jun 2023 18:02:43 -0400 Subject: selinux: cleanup the policycap accessor functions In the process of reverting back to directly accessing the global selinux_state pointer we left behind some artifacts in the selinux_policycap_XXX() helper functions. This patch cleans up some of that left-behind cruft. Signed-off-by: Paul Moore --- security/selinux/include/security.h | 35 +++++++++++------------------------ 1 file changed, 11 insertions(+), 24 deletions(-) (limited to 'security/selinux/include/security.h') diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 3b605f39e040..60eb161a0e5a 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -148,58 +148,45 @@ static inline bool checkreqprot_get(void) static inline bool selinux_policycap_netpeer(void) { - struct selinux_state *state = &selinux_state; - - return READ_ONCE(state->policycap[POLICYDB_CAP_NETPEER]); + return READ_ONCE(selinux_state.policycap[POLICYDB_CAP_NETPEER]); } static inline bool selinux_policycap_openperm(void) { - struct selinux_state *state = &selinux_state; - - return READ_ONCE(state->policycap[POLICYDB_CAP_OPENPERM]); + return READ_ONCE(selinux_state.policycap[POLICYDB_CAP_OPENPERM]); } static inline bool selinux_policycap_extsockclass(void) { - struct selinux_state *state = &selinux_state; - - return READ_ONCE(state->policycap[POLICYDB_CAP_EXTSOCKCLASS]); + return READ_ONCE(selinux_state.policycap[POLICYDB_CAP_EXTSOCKCLASS]); } static inline bool selinux_policycap_alwaysnetwork(void) { - struct selinux_state *state = &selinux_state; - - return READ_ONCE(state->policycap[POLICYDB_CAP_ALWAYSNETWORK]); + return READ_ONCE(selinux_state.policycap[POLICYDB_CAP_ALWAYSNETWORK]); } static inline bool selinux_policycap_cgroupseclabel(void) { - struct selinux_state *state = &selinux_state; - - return READ_ONCE(state->policycap[POLICYDB_CAP_CGROUPSECLABEL]); + return READ_ONCE(selinux_state.policycap[POLICYDB_CAP_CGROUPSECLABEL]); } static inline bool selinux_policycap_nnp_nosuid_transition(void) { - struct selinux_state *state = &selinux_state; - - return READ_ONCE(state->policycap[POLICYDB_CAP_NNP_NOSUID_TRANSITION]); + return READ_ONCE( + selinux_state.policycap[POLICYDB_CAP_NNP_NOSUID_TRANSITION]); } static inline bool selinux_policycap_genfs_seclabel_symlinks(void) { - struct selinux_state *state = &selinux_state; - - return READ_ONCE(state->policycap[POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS]); + return READ_ONCE( + selinux_state.policycap[POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS]); } static inline bool selinux_policycap_ioctl_skip_cloexec(void) { - struct selinux_state *state = &selinux_state; - - return READ_ONCE(state->policycap[POLICYDB_CAP_IOCTL_SKIP_CLOEXEC]); + return READ_ONCE( + selinux_state.policycap[POLICYDB_CAP_IOCTL_SKIP_CLOEXEC]); } struct selinux_policy_convert_data; -- cgit v1.2.3-70-g09d2 From 5b0eea835d4e9cb5229e696c5763929fc2394f39 Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Tue, 20 Jun 2023 15:12:22 +0200 Subject: selinux: introduce an initial SID for early boot processes Currently, SELinux doesn't allow distinguishing between kernel threads and userspace processes that are started before the policy is first loaded - both get the label corresponding to the kernel SID. The only way a process that persists from early boot can get a meaningful label is by doing a voluntary dyntransition or re-executing itself. Reusing the kernel label for userspace processes is problematic for several reasons: 1. The kernel is considered to be a privileged domain and generally needs to have a wide range of permissions allowed to work correctly, which prevents the policy writer from effectively hardening against early boot processes that might remain running unintentionally after the policy is loaded (they represent a potential extra attack surface that should be mitigated). 2. Despite the kernel being treated as a privileged domain, the policy writer may want to impose certain special limitations on kernel threads that may conflict with the requirements of intentional early boot processes. For example, it is a good hardening practice to limit what executables the kernel can execute as usermode helpers and to confine the resulting usermode helper processes. However, a (legitimate) process surviving from early boot may need to execute a different set of executables. 3. As currently implemented, overlayfs remembers the security context of the process that created an overlayfs mount and uses it to bound subsequent operations on files using this context. If an overlayfs mount is created before the SELinux policy is loaded, these "mounter" checks are made against the kernel context, which may clash with restrictions on the kernel domain (see 2.). To resolve this, introduce a new initial SID (reusing the slot of the former "init" initial SID) that will be assigned to any userspace process started before the policy is first loaded. This is easy to do, as we can simply label any process that goes through the bprm_creds_for_exec LSM hook with the new init-SID instead of propagating the kernel SID from the parent. To provide backwards compatibility for existing policies that are unaware of this new semantic of the "init" initial SID, introduce a new policy capability "userspace_initial_context" and set the "init" SID to the same context as the "kernel" SID unless this capability is set by the policy. Signed-off-by: Ondrej Mosnacek Signed-off-by: Paul Moore --- security/selinux/hooks.c | 28 ++++++++++++++++++++++++ security/selinux/include/initial_sid_to_string.h | 2 +- security/selinux/include/policycap.h | 1 + security/selinux/include/policycap_names.h | 3 ++- security/selinux/include/security.h | 6 +++++ security/selinux/ss/policydb.c | 27 +++++++++++++++++++++++ 6 files changed, 65 insertions(+), 2 deletions(-) (limited to 'security/selinux/include/security.h') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d06e350fedee..b8a8a4f0f2ad 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2288,6 +2288,19 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) new_tsec->keycreate_sid = 0; new_tsec->sockcreate_sid = 0; + /* + * Before policy is loaded, label any task outside kernel space + * as SECINITSID_INIT, so that any userspace tasks surviving from + * early boot end up with a label different from SECINITSID_KERNEL + * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). + */ + if (!selinux_initialized()) { + new_tsec->sid = SECINITSID_INIT; + /* also clear the exec_sid just in case */ + new_tsec->exec_sid = 0; + return 0; + } + if (old_tsec->exec_sid) { new_tsec->sid = old_tsec->exec_sid; /* Reset exec SID on execve. */ @@ -4504,6 +4517,21 @@ static int sock_has_perm(struct sock *sk, u32 perms) if (sksec->sid == SECINITSID_KERNEL) return 0; + /* + * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that + * inherited the kernel context from early boot used to be skipped + * here, so preserve that behavior unless the capability is set. + * + * By setting the capability the policy signals that it is ready + * for this quirk to be fixed. Note that sockets created by a kernel + * thread or a usermode helper executed without a transition will + * still be skipped in this check regardless of the policycap + * setting. + */ + if (!selinux_policycap_userspace_initial_context() && + sksec->sid == SECINITSID_INIT) + return 0; + ad.type = LSM_AUDIT_DATA_NET; ad.u.net = &net; ad.u.net->sk = sk; diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h index ecc6e74fa09b..5e5f0993dac2 100644 --- a/security/selinux/include/initial_sid_to_string.h +++ b/security/selinux/include/initial_sid_to_string.h @@ -10,7 +10,7 @@ static const char *const initial_sid_to_string[] = { NULL, "file", NULL, - NULL, + "init", "any_socket", "port", "netif", diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h index f35d3458e71d..c7373e6effe5 100644 --- a/security/selinux/include/policycap.h +++ b/security/selinux/include/policycap.h @@ -12,6 +12,7 @@ enum { POLICYDB_CAP_NNP_NOSUID_TRANSITION, POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS, POLICYDB_CAP_IOCTL_SKIP_CLOEXEC, + POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, __POLICYDB_CAP_MAX }; #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1) diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h index 2a87fc3702b8..28e4c9ee2399 100644 --- a/security/selinux/include/policycap_names.h +++ b/security/selinux/include/policycap_names.h @@ -13,7 +13,8 @@ const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = { "cgroup_seclabel", "nnp_nosuid_transition", "genfs_seclabel_symlinks", - "ioctl_skip_cloexec" + "ioctl_skip_cloexec", + "userspace_initial_context", }; #endif /* _SELINUX_POLICYCAP_NAMES_H_ */ diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 60eb161a0e5a..665c4e5bae99 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -189,6 +189,12 @@ static inline bool selinux_policycap_ioctl_skip_cloexec(void) selinux_state.policycap[POLICYDB_CAP_IOCTL_SKIP_CLOEXEC]); } +static inline bool selinux_policycap_userspace_initial_context(void) +{ + return READ_ONCE( + selinux_state.policycap[POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT]); +} + struct selinux_policy_convert_data; struct selinux_load_state { diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 31b08b34c722..cfe77ef24ee2 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -863,6 +863,8 @@ void policydb_destroy(struct policydb *p) int policydb_load_isids(struct policydb *p, struct sidtab *s) { struct ocontext *head, *c; + bool isid_init_supported = ebitmap_get_bit(&p->policycaps, + POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT); int rc; rc = sidtab_init(s); @@ -886,6 +888,13 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s) if (!name) continue; + /* + * Also ignore SECINITSID_INIT if the policy doesn't declare + * support for it + */ + if (sid == SECINITSID_INIT && !isid_init_supported) + continue; + rc = sidtab_set_initial(s, sid, &c->context[0]); if (rc) { pr_err("SELinux: unable to load initial SID %s.\n", @@ -893,6 +902,24 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s) sidtab_destroy(s); return rc; } + + /* + * If the policy doesn't support the "userspace_initial_context" + * capability, set SECINITSID_INIT to the same context as + * SECINITSID_KERNEL. This ensures the same behavior as before + * the reintroduction of SECINITSID_INIT, where all tasks + * started before policy load would initially get the context + * corresponding to SECINITSID_KERNEL. + */ + if (sid == SECINITSID_KERNEL && !isid_init_supported) { + rc = sidtab_set_initial(s, SECINITSID_INIT, &c->context[0]); + if (rc) { + pr_err("SELinux: unable to load initial SID %s.\n", + name); + sidtab_destroy(s); + return rc; + } + } } return 0; } -- cgit v1.2.3-70-g09d2 From 1f270f1c34127e5a65ba5aaf574f313f0693fcfa Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Thu, 6 Jul 2023 15:23:24 +0200 Subject: selinux: consistently use u32 as sequence number type in the status code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Align the type with the one used in selinux_notify_policy_change() and the sequence member of struct selinux_kernel_status. Signed-off-by: Christian Göttsche [PM: subject line tweaks] Signed-off-by: Paul Moore --- security/selinux/include/security.h | 2 +- security/selinux/status.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'security/selinux/include/security.h') diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 665c4e5bae99..08840aa0782d 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -376,7 +376,7 @@ struct selinux_kernel_status { } __packed; extern void selinux_status_update_setenforce(int enforcing); -extern void selinux_status_update_policyload(int seqno); +extern void selinux_status_update_policyload(u32 seqno); extern void selinux_complete_init(void); extern struct path selinux_null; extern void selnl_notify_setenforce(int val); diff --git a/security/selinux/status.c b/security/selinux/status.c index 19ef929a075c..e436e4975adc 100644 --- a/security/selinux/status.c +++ b/security/selinux/status.c @@ -101,7 +101,7 @@ void selinux_status_update_setenforce(int enforcing) * It updates status of the times of policy reloaded, and current * setting of deny_unknown. */ -void selinux_status_update_policyload(int seqno) +void selinux_status_update_policyload(u32 seqno) { struct selinux_kernel_status *status; -- cgit v1.2.3-70-g09d2 From c867248cf451964a14c64b4ca232055f117df9c1 Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Thu, 6 Jul 2023 15:23:34 +0200 Subject: selinux: avoid implicit conversions regarding enforcing status MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use the type bool as parameter type in selinux_status_update_setenforce(). The related function enforcing_enabled() returns the type bool, while the struct selinux_kernel_status member enforcing uses an u32. Signed-off-by: Christian Göttsche [PM: subject line tweaks] Signed-off-by: Paul Moore --- security/selinux/include/security.h | 2 +- security/selinux/selinuxfs.c | 7 ++++--- security/selinux/status.c | 4 ++-- 3 files changed, 7 insertions(+), 6 deletions(-) (limited to 'security/selinux/include/security.h') diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 08840aa0782d..6b8b8fc3badd 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -375,7 +375,7 @@ struct selinux_kernel_status { */ } __packed; -extern void selinux_status_update_setenforce(int enforcing); +extern void selinux_status_update_setenforce(bool enforcing); extern void selinux_status_update_policyload(u32 seqno); extern void selinux_complete_init(void); extern struct path selinux_null; diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index bad1f6b685fd..f79e96f0f221 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -138,7 +138,8 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, { char *page = NULL; ssize_t length; - int old_value, new_value; + int scan_value; + bool old_value, new_value; if (count >= PAGE_SIZE) return -ENOMEM; @@ -152,10 +153,10 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, return PTR_ERR(page); length = -EINVAL; - if (sscanf(page, "%d", &new_value) != 1) + if (sscanf(page, "%d", &scan_value) != 1) goto out; - new_value = !!new_value; + new_value = !!scan_value; old_value = enforcing_enabled(); if (new_value != old_value) { diff --git a/security/selinux/status.c b/security/selinux/status.c index e436e4975adc..dffca22ce6f7 100644 --- a/security/selinux/status.c +++ b/security/selinux/status.c @@ -76,7 +76,7 @@ struct page *selinux_kernel_status_page(void) * * It updates status of the current enforcing/permissive mode. */ -void selinux_status_update_setenforce(int enforcing) +void selinux_status_update_setenforce(bool enforcing) { struct selinux_kernel_status *status; @@ -87,7 +87,7 @@ void selinux_status_update_setenforce(int enforcing) status->sequence++; smp_wmb(); - status->enforcing = enforcing; + status->enforcing = enforcing ? 1 : 0; smp_wmb(); status->sequence++; -- cgit v1.2.3-70-g09d2 From 0fe53224bf5be183d263f262212c06ff00c69ca4 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Wed, 19 Jul 2023 11:12:50 -0400 Subject: selinux: update my email address Update my email address; MAINTAINERS was updated some time ago. Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore --- security/selinux/avc.c | 2 +- security/selinux/hooks.c | 2 +- security/selinux/include/avc.h | 2 +- security/selinux/include/avc_ss.h | 2 +- security/selinux/include/objsec.h | 2 +- security/selinux/include/security.h | 2 +- security/selinux/ss/avtab.c | 2 +- security/selinux/ss/avtab.h | 2 +- security/selinux/ss/constraint.h | 2 +- security/selinux/ss/context.h | 2 +- security/selinux/ss/ebitmap.c | 2 +- security/selinux/ss/ebitmap.h | 2 +- security/selinux/ss/hashtab.c | 2 +- security/selinux/ss/hashtab.h | 2 +- security/selinux/ss/mls.c | 2 +- security/selinux/ss/mls.h | 2 +- security/selinux/ss/mls_types.h | 2 +- security/selinux/ss/policydb.c | 2 +- security/selinux/ss/policydb.h | 2 +- security/selinux/ss/services.c | 2 +- security/selinux/ss/services.h | 2 +- security/selinux/ss/sidtab.c | 2 +- security/selinux/ss/sidtab.h | 2 +- security/selinux/ss/symtab.c | 2 +- security/selinux/ss/symtab.h | 2 +- 25 files changed, 25 insertions(+), 25 deletions(-) (limited to 'security/selinux/include/security.h') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index cd55479cce25..32eb67fb3e42 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -2,7 +2,7 @@ /* * Implementation of the kernel access vector cache (AVC). * - * Authors: Stephen Smalley, + * Authors: Stephen Smalley, * James Morris * * Update: KaiGai, Kohei diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index dc51f28815b0..a85a9f52e0c3 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4,7 +4,7 @@ * * This file contains the SELinux hook function implementations. * - * Authors: Stephen Smalley, + * Authors: Stephen Smalley, * Chris Vance, * Wayne Salamon, * James Morris diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 9e055f74daf6..8f0aa66ccb13 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -2,7 +2,7 @@ /* * Access vector cache interface for object managers. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #ifndef _SELINUX_AVC_H_ #define _SELINUX_AVC_H_ diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h index b9668be7b443..88b139e086c4 100644 --- a/security/selinux/include/avc_ss.h +++ b/security/selinux/include/avc_ss.h @@ -2,7 +2,7 @@ /* * Access vector cache interface for the security server. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #ifndef _SELINUX_AVC_SS_H_ #define _SELINUX_AVC_SS_H_ diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 8f50e8fe0488..8159fd53c3de 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -4,7 +4,7 @@ * * This file contains the SELinux security data structures for kernel objects. * - * Author(s): Stephen Smalley, + * Author(s): Stephen Smalley, * Chris Vance, * Wayne Salamon, * James Morris diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 6b8b8fc3badd..668e393a9709 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -2,7 +2,7 @@ /* * Security server interface. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, * */ diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c index 5fd439c5b8a4..32f92da00b0e 100644 --- a/security/selinux/ss/avtab.c +++ b/security/selinux/ss/avtab.c @@ -1,7 +1,7 @@ /* * Implementation of the access vector table type. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ /* Updated: Frank Mayer and Karl MacMillan diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h index c2b88430c916..2ef5d1ae2844 100644 --- a/security/selinux/ss/avtab.h +++ b/security/selinux/ss/avtab.h @@ -6,7 +6,7 @@ * table is used to represent the type enforcement * tables. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ /* Updated: Frank Mayer and Karl MacMillan diff --git a/security/selinux/ss/constraint.h b/security/selinux/ss/constraint.h index 4e563be9ef5f..f76eb3128ad5 100644 --- a/security/selinux/ss/constraint.h +++ b/security/selinux/ss/constraint.h @@ -11,7 +11,7 @@ * process from labeling an object with a different user * identity. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #ifndef _SS_CONSTRAINT_H_ #define _SS_CONSTRAINT_H_ diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h index aed704b8c642..1f59468c0759 100644 --- a/security/selinux/ss/context.h +++ b/security/selinux/ss/context.h @@ -11,7 +11,7 @@ * security server and can be changed without affecting * clients of the security server. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #ifndef _SS_CONTEXT_H_ #define _SS_CONTEXT_H_ diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c index d31b87be9a1e..77875ad355f7 100644 --- a/security/selinux/ss/ebitmap.c +++ b/security/selinux/ss/ebitmap.c @@ -2,7 +2,7 @@ /* * Implementation of the extensible bitmap type. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ /* * Updated: Hewlett-Packard diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h index e5b57dc3fc53..e3c807cfad90 100644 --- a/security/selinux/ss/ebitmap.h +++ b/security/selinux/ss/ebitmap.h @@ -10,7 +10,7 @@ * an explicitly specified starting bit position within * the total bitmap. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #ifndef _SS_EBITMAP_H_ #define _SS_EBITMAP_H_ diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c index 3fb8f9026e9b..30532ec319ce 100644 --- a/security/selinux/ss/hashtab.c +++ b/security/selinux/ss/hashtab.c @@ -2,7 +2,7 @@ /* * Implementation of the hash table type. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #include #include diff --git a/security/selinux/ss/hashtab.h b/security/selinux/ss/hashtab.h index 043a773bf0b7..9dac6da45b98 100644 --- a/security/selinux/ss/hashtab.h +++ b/security/selinux/ss/hashtab.h @@ -6,7 +6,7 @@ * functions for hash computation and key comparison are * provided by the creator of the table. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #ifndef _SS_HASHTAB_H_ #define _SS_HASHTAB_H_ diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 99571b19d4a9..b2c6c846ea03 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c @@ -2,7 +2,7 @@ /* * Implementation of the multi-level security (MLS) policy. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ /* * Updated: Trusted Computer Solutions, Inc. diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h index 15cacde0ff61..107681dd1824 100644 --- a/security/selinux/ss/mls.h +++ b/security/selinux/ss/mls.h @@ -2,7 +2,7 @@ /* * Multi-level security (MLS) policy operations. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ /* * Updated: Trusted Computer Solutions, Inc. diff --git a/security/selinux/ss/mls_types.h b/security/selinux/ss/mls_types.h index 7d48d5e52233..f492cf148891 100644 --- a/security/selinux/ss/mls_types.h +++ b/security/selinux/ss/mls_types.h @@ -2,7 +2,7 @@ /* * Type definitions for the multi-level security (MLS) policy. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ /* * Updated: Trusted Computer Solutions, Inc. diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 61e0e5000025..b903a4dfdce1 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -2,7 +2,7 @@ /* * Implementation of the policy database. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ /* diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 6b4ad8e91265..b97cda489753 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h @@ -3,7 +3,7 @@ * A policy database (policydb) specifies the * configuration data for the security policy. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ /* diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index fa47e4e38935..2c5be06fbada 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2,7 +2,7 @@ /* * Implementation of the security services. * - * Authors : Stephen Smalley, + * Authors : Stephen Smalley, * James Morris * * Updated: Trusted Computer Solutions, Inc. diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h index 8a9b85f44b66..ed2ee6600467 100644 --- a/security/selinux/ss/services.h +++ b/security/selinux/ss/services.h @@ -2,7 +2,7 @@ /* * Implementation of the security services. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #ifndef _SS_SERVICES_H_ #define _SS_SERVICES_H_ diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index 38d25173aebd..d8ead463b8df 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c @@ -2,7 +2,7 @@ /* * Implementation of the SID table type. * - * Original author: Stephen Smalley, + * Original author: Stephen Smalley, * Author: Ondrej Mosnacek, * * Copyright (C) 2018 Red Hat, Inc. diff --git a/security/selinux/ss/sidtab.h b/security/selinux/ss/sidtab.h index 72810a080e77..22258201cd14 100644 --- a/security/selinux/ss/sidtab.h +++ b/security/selinux/ss/sidtab.h @@ -3,7 +3,7 @@ * A security identifier table (sidtab) is a lookup table * of security context structures indexed by SID value. * - * Original author: Stephen Smalley, + * Original author: Stephen Smalley, * Author: Ondrej Mosnacek, * * Copyright (C) 2018 Red Hat, Inc. diff --git a/security/selinux/ss/symtab.c b/security/selinux/ss/symtab.c index 7a77571fb275..43d7f0319ccd 100644 --- a/security/selinux/ss/symtab.c +++ b/security/selinux/ss/symtab.c @@ -2,7 +2,7 @@ /* * Implementation of the symbol table type. * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #include #include diff --git a/security/selinux/ss/symtab.h b/security/selinux/ss/symtab.h index 3033c4db6cb6..0a3b5de79a0f 100644 --- a/security/selinux/ss/symtab.h +++ b/security/selinux/ss/symtab.h @@ -5,7 +5,7 @@ * is arbitrary. The symbol table type is implemented * using the hash table type (hashtab). * - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #ifndef _SS_SYMTAB_H_ #define _SS_SYMTAB_H_ -- cgit v1.2.3-70-g09d2 From c50e125d057152bc68dfd5669b73611343653eb7 Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Fri, 28 Jul 2023 17:54:56 +0200 Subject: selinux: avoid implicit conversions in services code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use u32 as the output parameter type in security_get_classes() and security_get_permissions(), based on the type of the symtab nprim member. Declare the read-only class string parameter of security_get_permissions() const. Avoid several implicit conversions by using the identical type for the destination. Use the type identical to the source for local variables. Signed-off-by: Christian Göttsche [PM: cleanup extra whitespace in subject] Signed-off-by: Paul Moore --- security/selinux/include/security.h | 4 ++-- security/selinux/selinuxfs.c | 7 ++++--- security/selinux/ss/services.c | 23 ++++++++++++----------- 3 files changed, 18 insertions(+), 16 deletions(-) (limited to 'security/selinux/include/security.h') diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 668e393a9709..074d439fe9ad 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -312,9 +312,9 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, u32 *peer_sid); int security_get_classes(struct selinux_policy *policy, - char ***classes, int *nclasses); + char ***classes, u32 *nclasses); int security_get_permissions(struct selinux_policy *policy, - char *class, char ***perms, int *nperms); + const char *class, char ***perms, u32 *nperms); int security_get_reject_unknown(void); int security_get_allow_unknown(void); diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index f79e96f0f221..b969e87fd870 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -1798,7 +1798,8 @@ static int sel_make_perm_files(struct selinux_policy *newpolicy, char *objclass, int classvalue, struct dentry *dir) { - int i, rc, nperms; + u32 i, nperms; + int rc; char **perms; rc = security_get_permissions(newpolicy, objclass, &perms, &nperms); @@ -1868,8 +1869,8 @@ static int sel_make_classes(struct selinux_policy *newpolicy, struct dentry *class_dir, unsigned long *last_class_ino) { - - int rc, nclasses, i; + u32 i, nclasses; + int rc; char **classes; rc = security_get_classes(newpolicy, &classes, &nclasses); diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 2c5be06fbada..3ec0bb39c234 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -856,7 +856,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid) struct sidtab *sidtab; struct sidtab_entry *old_entry, *new_entry; struct type_datum *type; - int index; + u32 index; int rc; if (!selinux_initialized()) @@ -1511,7 +1511,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, return -ENOMEM; if (!selinux_initialized()) { - int i; + u32 i; for (i = 1; i < SECINITSID_NUM; i++) { const char *s = initial_sid_to_string[i]; @@ -2821,7 +2821,6 @@ static inline int __security_genfs_sid(struct selinux_policy *policy, { struct policydb *policydb = &policy->policydb; struct sidtab *sidtab = policy->sidtab; - int len; u16 sclass; struct genfs *genfs; struct ocontext *c; @@ -2843,7 +2842,7 @@ static inline int __security_genfs_sid(struct selinux_policy *policy, return -ENOENT; for (c = genfs->head; c; c = c->next) { - len = strlen(c->u.name); + size_t len = strlen(c->u.name); if ((!c->v.sclass || sclass == c->v.sclass) && (strncmp(c->u.name, path, len) == 0)) break; @@ -3331,7 +3330,7 @@ static int get_classes_callback(void *k, void *d, void *args) { struct class_datum *datum = d; char *name = k, **classes = args; - int value = datum->value - 1; + u32 value = datum->value - 1; classes[value] = kstrdup(name, GFP_ATOMIC); if (!classes[value]) @@ -3341,7 +3340,7 @@ static int get_classes_callback(void *k, void *d, void *args) } int security_get_classes(struct selinux_policy *policy, - char ***classes, int *nclasses) + char ***classes, u32 *nclasses) { struct policydb *policydb; int rc; @@ -3357,7 +3356,8 @@ int security_get_classes(struct selinux_policy *policy, rc = hashtab_map(&policydb->p_classes.table, get_classes_callback, *classes); if (rc) { - int i; + u32 i; + for (i = 0; i < *nclasses; i++) kfree((*classes)[i]); kfree(*classes); @@ -3371,7 +3371,7 @@ static int get_permissions_callback(void *k, void *d, void *args) { struct perm_datum *datum = d; char *name = k, **perms = args; - int value = datum->value - 1; + u32 value = datum->value - 1; perms[value] = kstrdup(name, GFP_ATOMIC); if (!perms[value]) @@ -3381,10 +3381,11 @@ static int get_permissions_callback(void *k, void *d, void *args) } int security_get_permissions(struct selinux_policy *policy, - char *class, char ***perms, int *nperms) + const char *class, char ***perms, u32 *nperms) { struct policydb *policydb; - int rc, i; + u32 i; + int rc; struct class_datum *match; policydb = &policy->policydb; @@ -3599,7 +3600,7 @@ err: /* Check to see if the rule contains any selinux fields */ int selinux_audit_rule_known(struct audit_krule *rule) { - int i; + u32 i; for (i = 0; i < rule->field_count; i++) { struct audit_field *f = &rule->fields[i]; -- cgit v1.2.3-70-g09d2 From 817199e006e514e6c39a17ed2e9fece1bd56b898 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Mon, 7 Aug 2023 22:57:22 -0400 Subject: selinux: revert SECINITSID_INIT support This commit reverts 5b0eea835d4e ("selinux: introduce an initial SID for early boot processes") as it was found to cause problems on distros with old SELinux userspace tools/libraries, specifically Ubuntu 16.04. Hopefully we will be able to re-add this functionality at a later date, but let's revert this for now to help ensure a stable and backwards compatible SELinux tree. Link: https://lore.kernel.org/selinux/87edkseqf8.fsf@mail.lhotse Acked-by: Ondrej Mosnacek Signed-off-by: Paul Moore --- security/selinux/hooks.c | 28 ------------------------ security/selinux/include/initial_sid_to_string.h | 2 +- security/selinux/include/policycap.h | 1 - security/selinux/include/policycap_names.h | 1 - security/selinux/include/security.h | 6 ----- security/selinux/ss/policydb.c | 27 ----------------------- 6 files changed, 1 insertion(+), 64 deletions(-) (limited to 'security/selinux/include/security.h') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index cf787eaca755..7138083c5bef 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2313,19 +2313,6 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) new_tsec->keycreate_sid = 0; new_tsec->sockcreate_sid = 0; - /* - * Before policy is loaded, label any task outside kernel space - * as SECINITSID_INIT, so that any userspace tasks surviving from - * early boot end up with a label different from SECINITSID_KERNEL - * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). - */ - if (!selinux_initialized()) { - new_tsec->sid = SECINITSID_INIT; - /* also clear the exec_sid just in case */ - new_tsec->exec_sid = 0; - return 0; - } - if (old_tsec->exec_sid) { new_tsec->sid = old_tsec->exec_sid; /* Reset exec SID on execve. */ @@ -4542,21 +4529,6 @@ static int sock_has_perm(struct sock *sk, u32 perms) if (sksec->sid == SECINITSID_KERNEL) return 0; - /* - * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that - * inherited the kernel context from early boot used to be skipped - * here, so preserve that behavior unless the capability is set. - * - * By setting the capability the policy signals that it is ready - * for this quirk to be fixed. Note that sockets created by a kernel - * thread or a usermode helper executed without a transition will - * still be skipped in this check regardless of the policycap - * setting. - */ - if (!selinux_policycap_userspace_initial_context() && - sksec->sid == SECINITSID_INIT) - return 0; - ad_net_init_from_sk(&ad, &net, sk); return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h index 5e5f0993dac2..ecc6e74fa09b 100644 --- a/security/selinux/include/initial_sid_to_string.h +++ b/security/selinux/include/initial_sid_to_string.h @@ -10,7 +10,7 @@ static const char *const initial_sid_to_string[] = { NULL, "file", NULL, - "init", + NULL, "any_socket", "port", "netif", diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h index c7373e6effe5..f35d3458e71d 100644 --- a/security/selinux/include/policycap.h +++ b/security/selinux/include/policycap.h @@ -12,7 +12,6 @@ enum { POLICYDB_CAP_NNP_NOSUID_TRANSITION, POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS, POLICYDB_CAP_IOCTL_SKIP_CLOEXEC, - POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, __POLICYDB_CAP_MAX }; #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1) diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h index 28e4c9ee2399..49bbe120d173 100644 --- a/security/selinux/include/policycap_names.h +++ b/security/selinux/include/policycap_names.h @@ -14,7 +14,6 @@ const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = { "nnp_nosuid_transition", "genfs_seclabel_symlinks", "ioctl_skip_cloexec", - "userspace_initial_context", }; #endif /* _SELINUX_POLICYCAP_NAMES_H_ */ diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 074d439fe9ad..a9de89af8fdc 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -189,12 +189,6 @@ static inline bool selinux_policycap_ioctl_skip_cloexec(void) selinux_state.policycap[POLICYDB_CAP_IOCTL_SKIP_CLOEXEC]); } -static inline bool selinux_policycap_userspace_initial_context(void) -{ - return READ_ONCE( - selinux_state.policycap[POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT]); -} - struct selinux_policy_convert_data; struct selinux_load_state { diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index bb850b608dc6..cd44b13b8d3f 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -864,8 +864,6 @@ void policydb_destroy(struct policydb *p) int policydb_load_isids(struct policydb *p, struct sidtab *s) { struct ocontext *head, *c; - bool isid_init_supported = ebitmap_get_bit(&p->policycaps, - POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT); int rc; rc = sidtab_init(s); @@ -889,13 +887,6 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s) if (!name) continue; - /* - * Also ignore SECINITSID_INIT if the policy doesn't declare - * support for it - */ - if (sid == SECINITSID_INIT && !isid_init_supported) - continue; - rc = sidtab_set_initial(s, sid, &c->context[0]); if (rc) { pr_err("SELinux: unable to load initial SID %s.\n", @@ -903,24 +894,6 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s) sidtab_destroy(s); return rc; } - - /* - * If the policy doesn't support the "userspace_initial_context" - * capability, set SECINITSID_INIT to the same context as - * SECINITSID_KERNEL. This ensures the same behavior as before - * the reintroduction of SECINITSID_INIT, where all tasks - * started before policy load would initially get the context - * corresponding to SECINITSID_KERNEL. - */ - if (sid == SECINITSID_KERNEL && !isid_init_supported) { - rc = sidtab_set_initial(s, SECINITSID_INIT, &c->context[0]); - if (rc) { - pr_err("SELinux: unable to load initial SID %s.\n", - name); - sidtab_destroy(s); - return rc; - } - } } return 0; } -- cgit v1.2.3-70-g09d2