From 4a0b33f771db2b82fdfad08b9f34def786162865 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Mon, 16 Oct 2023 23:08:35 +0100 Subject: [PATCH 01/24] selinux: saner handling of policy reloads On policy reload selinuxfs replaces two subdirectories (/booleans and /class) with new variants. Unfortunately, that's done with serious abuses of directory locking. 1) lock_rename() should be done to parents, not to objects being exchanged 2) there's a bunch of reasons why it should not be done for directories that do not have a common ancestor; most of those do not apply to selinuxfs, but even in the best case the proof is subtle and brittle. 3) failure halfway through the creation of /class will leak names and values arrays. 4) use of d_genocide() is also rather brittle; it's probably not much of a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index with any regular file will end up with leaked mount on policy reload. Sure, don't do it, but... Let's stop messing with disconnected directories; just create a temporary (/.swapover) with no permissions for anyone (on the level of ->permission() returing -EPERM, no matter who's calling it) and build the new /booleans and /class in there; then lock_rename on root and that temporary directory and d_exchange() old and new both for class and booleans. Then unlock and use simple_recursive_removal() to take the temporary out; it's much more robust. And instead of bothering with separate pathways for freeing new (on failure halfway through) and old (on success) names/values, do all freeing in one place. With temporaries swapped with the old ones when we are past all possible failures. The only user-visible difference is that /.swapover shows up (but isn't possible to open, look up into, etc.) for the duration of policy reload. Reviewed-by: Stephen Smalley Signed-off-by: Al Viro [PM: applied some fixes from Al post merge] Signed-off-by: Paul Moore --- security/selinux/selinuxfs.c | 148 ++++++++++++++++------------------- 1 file changed, 68 insertions(+), 80 deletions(-) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 6c596ae7fef9..0619a1cbbfbe 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -336,12 +336,9 @@ static struct dentry *sel_make_dir(struct dentry *dir, const char *name, unsigned long *ino); /* declaration for sel_make_policy_nodes */ -static struct dentry *sel_make_disconnected_dir(struct super_block *sb, +static struct dentry *sel_make_swapover_dir(struct super_block *sb, unsigned long *ino); -/* declaration for sel_make_policy_nodes */ -static void sel_remove_entries(struct dentry *de); - static ssize_t sel_read_mls(struct file *filp, char __user *buf, size_t count, loff_t *ppos) { @@ -508,13 +505,13 @@ static int sel_make_policy_nodes(struct selinux_fs_info *fsi, struct selinux_policy *newpolicy) { int ret = 0; - struct dentry *tmp_parent, *tmp_bool_dir, *tmp_class_dir, *old_dentry; - unsigned int tmp_bool_num, old_bool_num; - char **tmp_bool_names, **old_bool_names; - int *tmp_bool_values, *old_bool_values; + struct dentry *tmp_parent, *tmp_bool_dir, *tmp_class_dir; + unsigned int bool_num = 0; + char **bool_names = NULL; + int *bool_values = NULL; unsigned long tmp_ino = fsi->last_ino; /* Don't increment last_ino in this function */ - tmp_parent = sel_make_disconnected_dir(fsi->sb, &tmp_ino); + tmp_parent = sel_make_swapover_dir(fsi->sb, &tmp_ino); if (IS_ERR(tmp_parent)) return PTR_ERR(tmp_parent); @@ -532,8 +529,8 @@ static int sel_make_policy_nodes(struct selinux_fs_info *fsi, goto out; } - ret = sel_make_bools(newpolicy, tmp_bool_dir, &tmp_bool_num, - &tmp_bool_names, &tmp_bool_values); + ret = sel_make_bools(newpolicy, tmp_bool_dir, &bool_num, + &bool_names, &bool_values); if (ret) goto out; @@ -542,38 +539,30 @@ static int sel_make_policy_nodes(struct selinux_fs_info *fsi, if (ret) goto out; + lock_rename(tmp_parent, fsi->sb->s_root); + /* booleans */ - old_dentry = fsi->bool_dir; - lock_rename(tmp_bool_dir, old_dentry); d_exchange(tmp_bool_dir, fsi->bool_dir); - old_bool_num = fsi->bool_num; - old_bool_names = fsi->bool_pending_names; - old_bool_values = fsi->bool_pending_values; - - fsi->bool_num = tmp_bool_num; - fsi->bool_pending_names = tmp_bool_names; - fsi->bool_pending_values = tmp_bool_values; - - sel_remove_old_bool_data(old_bool_num, old_bool_names, old_bool_values); + swap(fsi->bool_num, bool_num); + swap(fsi->bool_pending_names, bool_names); + swap(fsi->bool_pending_values, bool_values); fsi->bool_dir = tmp_bool_dir; - unlock_rename(tmp_bool_dir, old_dentry); /* classes */ - old_dentry = fsi->class_dir; - lock_rename(tmp_class_dir, old_dentry); d_exchange(tmp_class_dir, fsi->class_dir); fsi->class_dir = tmp_class_dir; - unlock_rename(tmp_class_dir, old_dentry); + + unlock_rename(tmp_parent, fsi->sb->s_root); out: + sel_remove_old_bool_data(bool_num, bool_names, bool_values); /* Since the other temporary dirs are children of tmp_parent * this will handle all the cleanup in the case of a failure before * the swapover */ - sel_remove_entries(tmp_parent); - dput(tmp_parent); /* d_genocide() only handles the children */ + simple_recursive_removal(tmp_parent, NULL); return ret; } @@ -1351,54 +1340,48 @@ static const struct file_operations sel_commit_bools_ops = { .llseek = generic_file_llseek, }; -static void sel_remove_entries(struct dentry *de) -{ - d_genocide(de); - shrink_dcache_parent(de); -} - static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_dir, unsigned int *bool_num, char ***bool_pending_names, int **bool_pending_values) { int ret; - ssize_t len; - struct dentry *dentry = NULL; - struct inode *inode = NULL; - struct inode_security_struct *isec; - char **names = NULL, *page; + char **names, *page; u32 i, num; - int *values = NULL; - u32 sid; - ret = -ENOMEM; page = (char *)get_zeroed_page(GFP_KERNEL); if (!page) - goto out; + return -ENOMEM; - ret = security_get_bools(newpolicy, &num, &names, &values); + ret = security_get_bools(newpolicy, &num, &names, bool_pending_values); if (ret) goto out; - for (i = 0; i < num; i++) { - ret = -ENOMEM; - dentry = d_alloc_name(bool_dir, names[i]); - if (!dentry) - goto out; + *bool_num = num; + *bool_pending_names = names; + + for (i = 0; i < num; i++) { + struct dentry *dentry; + struct inode *inode; + struct inode_security_struct *isec; + ssize_t len; + u32 sid; + + len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]); + if (len >= PAGE_SIZE) { + ret = -ENAMETOOLONG; + break; + } + dentry = d_alloc_name(bool_dir, names[i]); + if (!dentry) { + ret = -ENOMEM; + break; + } - ret = -ENOMEM; inode = sel_make_inode(bool_dir->d_sb, S_IFREG | S_IRUGO | S_IWUSR); if (!inode) { dput(dentry); - goto out; - } - - ret = -ENAMETOOLONG; - len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]); - if (len >= PAGE_SIZE) { - dput(dentry); - iput(inode); - goto out; + ret = -ENOMEM; + break; } isec = selinux_inode(inode); @@ -1416,23 +1399,8 @@ static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_ inode->i_ino = i|SEL_BOOL_INO_OFFSET; d_add(dentry, inode); } - *bool_num = num; - *bool_pending_names = names; - *bool_pending_values = values; - - free_page((unsigned long)page); - return 0; out: free_page((unsigned long)page); - - if (names) { - for (i = 0; i < num; i++) - kfree(names[i]); - kfree(names); - } - kfree(values); - sel_remove_entries(bool_dir); - return ret; } @@ -1961,20 +1929,40 @@ static struct dentry *sel_make_dir(struct dentry *dir, const char *name, return dentry; } -static struct dentry *sel_make_disconnected_dir(struct super_block *sb, +static int reject_all(struct mnt_idmap *idmap, struct inode *inode, int mask) +{ + return -EPERM; // no access for anyone, root or no root. +} + +static const struct inode_operations swapover_dir_inode_operations = { + .lookup = simple_lookup, + .permission = reject_all, +}; + +static struct dentry *sel_make_swapover_dir(struct super_block *sb, unsigned long *ino) { - struct inode *inode = sel_make_inode(sb, S_IFDIR | S_IRUGO | S_IXUGO); + struct dentry *dentry = d_alloc_name(sb->s_root, ".swapover"); + struct inode *inode; - if (!inode) + if (!dentry) return ERR_PTR(-ENOMEM); - inode->i_op = &simple_dir_inode_operations; - inode->i_fop = &simple_dir_operations; + inode = sel_make_inode(sb, S_IFDIR); + if (!inode) { + dput(dentry); + return ERR_PTR(-ENOMEM); + } + + inode->i_op = &swapover_dir_inode_operations; inode->i_ino = ++(*ino); /* directory inodes start off with i_nlink == 2 (for "." entry) */ inc_nlink(inode); - return d_obtain_alias(inode); + inode_lock(sb->s_root->d_inode); + d_add(dentry, inode); + inc_nlink(sb->s_root->d_inode); + inode_unlock(sb->s_root->d_inode); + return dentry; } #define NULL_FILE_NAME "null" From a67d2a14a77eed5dbdace1801bf2255962121bdb Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Fri, 10 Nov 2023 15:46:49 -0500 Subject: [PATCH 02/24] selinux: update filenametr_hash() to use full_name_hash() Using full_name_hash() instead of partial_name_hash() should result in cleaner and better performing code. Suggested-by: Linus Torvalds Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 595a435ea9c8..bd1e7f26d951 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -409,16 +409,9 @@ static int roles_init(struct policydb *p) static u32 filenametr_hash(const void *k) { const struct filename_trans_key *ft = k; - unsigned long hash; - unsigned int byte_num; - unsigned char focus; + unsigned long salt = ft->ttype ^ ft->tclass; - hash = ft->ttype ^ ft->tclass; - - byte_num = 0; - while ((focus = ft->name[byte_num++])) - hash = partial_name_hash(focus, hash); - return hash; + return full_name_hash((void *)salt, ft->name, strlen(ft->name)); } static int filenametr_cmp(const void *k1, const void *k2) From f5364ecfd8c3ec81cf3350caa4629d98408101e5 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 15 Nov 2023 11:50:29 -0500 Subject: [PATCH 03/24] MAINTAINERS: update the SELinux entry Bring the SELinux entry up to date with the following changes: * Remove the selinuxproject.org link. The wiki located there is in read-only mode and exists primarily for historical reasons. * Add our patchwork link. I'm not sure this is of much use for anyone but the maintainer, but there is a provision for including it here so we might as well include it. * Add a bug report URI. I suspect most everyone knows to send mail to the mailing list if they hit a bug, but let's make it official. * Add a link to the SELinux tree process/management documentation. While the doc exists both in the canonical kernel.org location and the GitHub mirror, provide a link to the mirror as GitHub does a better job rendering the Markdown. * Update the source tree's git URI to use https. Signed-off-by: Paul Moore --- MAINTAINERS | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 97f51d5ec1cf..931c52cc8393 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -19520,9 +19520,11 @@ M: Stephen Smalley M: Eric Paris L: selinux@vger.kernel.org S: Supported -W: https://selinuxproject.org W: https://github.com/SELinuxProject -T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git +Q: https://patchwork.kernel.org/project/selinux/list +B: mailto:selinux@vger.kernel.org +P: https://github.com/SELinuxProject/selinux-kernel/blob/main/README.md +T: git https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git F: Documentation/ABI/removed/sysfs-selinux-checkreqprot F: Documentation/ABI/removed/sysfs-selinux-disable F: Documentation/admin-guide/LSM/SELinux.rst From 1712ed62153125e62d4d1e0ca68d35387e6a6993 Mon Sep 17 00:00:00 2001 From: Jacob Satterfield Date: Fri, 3 Nov 2023 17:29:51 +0000 Subject: [PATCH 04/24] selinux: refactor avtab_node comparisons In four separate functions within avtab, the same comparison logic is used. The only difference is how the result is handled or whether there is a unique specifier value to be checked for or used. Extracting this functionality into the avtab_node_cmp() function unifies the comparison logic between searching and insertion and gets rid of duplicative code so that the implementation is easier to maintain. Signed-off-by: Jacob Satterfield Reviewed-by: Stephen Smalley Signed-off-by: Paul Moore --- security/selinux/ss/avtab.c | 101 +++++++++++++++--------------------- 1 file changed, 41 insertions(+), 60 deletions(-) diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c index 8751a602ead2..697eb4352439 100644 --- a/security/selinux/ss/avtab.c +++ b/security/selinux/ss/avtab.c @@ -96,12 +96,34 @@ avtab_insert_node(struct avtab *h, struct avtab_node **dst, return newnode; } +static int avtab_node_cmp(const struct avtab_key *key1, + const struct avtab_key *key2) +{ + u16 specified = key1->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); + + if (key1->source_type == key2->source_type && + key1->target_type == key2->target_type && + key1->target_class == key2->target_class && + (specified & key2->specified)) + return 0; + if (key1->source_type < key2->source_type) + return -1; + if (key1->source_type == key2->source_type && + key1->target_type < key2->target_type) + return -1; + if (key1->source_type == key2->source_type && + key1->target_type == key2->target_type && + key1->target_class < key2->target_class) + return -1; + return 1; +} + static int avtab_insert(struct avtab *h, const struct avtab_key *key, const struct avtab_datum *datum) { u32 hvalue; struct avtab_node *prev, *cur, *newnode; - u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); + int cmp; if (!h || !h->nslot || h->nel == U32_MAX) return -EINVAL; @@ -110,23 +132,11 @@ static int avtab_insert(struct avtab *h, const struct avtab_key *key, for (prev = NULL, cur = h->htable[hvalue]; cur; prev = cur, cur = cur->next) { - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class == cur->key.target_class && - (specified & cur->key.specified)) { - /* extended perms may not be unique */ - if (specified & AVTAB_XPERMS) - break; + cmp = avtab_node_cmp(key, &cur->key); + /* extended perms may not be unique */ + if (cmp == 0 && !(key->specified & AVTAB_XPERMS)) return -EEXIST; - } - if (key->source_type < cur->key.source_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type < cur->key.target_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class < cur->key.target_class) + if (cmp <= 0) break; } @@ -148,7 +158,7 @@ struct avtab_node *avtab_insert_nonunique(struct avtab *h, { u32 hvalue; struct avtab_node *prev, *cur; - u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); + int cmp; if (!h || !h->nslot || h->nel == U32_MAX) return NULL; @@ -156,19 +166,8 @@ struct avtab_node *avtab_insert_nonunique(struct avtab *h, for (prev = NULL, cur = h->htable[hvalue]; cur; prev = cur, cur = cur->next) { - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class == cur->key.target_class && - (specified & cur->key.specified)) - break; - if (key->source_type < cur->key.source_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type < cur->key.target_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class < cur->key.target_class) + cmp = avtab_node_cmp(key, &cur->key); + if (cmp <= 0) break; } return avtab_insert_node(h, prev ? &prev->next : &h->htable[hvalue], @@ -183,7 +182,7 @@ struct avtab_node *avtab_search_node(struct avtab *h, { u32 hvalue; struct avtab_node *cur; - u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); + int cmp; if (!h || !h->nslot) return NULL; @@ -191,20 +190,10 @@ struct avtab_node *avtab_search_node(struct avtab *h, hvalue = avtab_hash(key, h->mask); for (cur = h->htable[hvalue]; cur; cur = cur->next) { - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class == cur->key.target_class && - (specified & cur->key.specified)) + cmp = avtab_node_cmp(key, &cur->key); + if (cmp == 0) return cur; - - if (key->source_type < cur->key.source_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type < cur->key.target_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class < cur->key.target_class) + if (cmp < 0) break; } return NULL; @@ -213,27 +202,19 @@ struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_node* avtab_search_node_next(struct avtab_node *node, u16 specified) { + struct avtab_key tmp_key; struct avtab_node *cur; + int cmp; if (!node) return NULL; - - specified &= ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); + tmp_key = node->key; + tmp_key.specified = specified; for (cur = node->next; cur; cur = cur->next) { - if (node->key.source_type == cur->key.source_type && - node->key.target_type == cur->key.target_type && - node->key.target_class == cur->key.target_class && - (specified & cur->key.specified)) + cmp = avtab_node_cmp(&tmp_key, &cur->key); + if (cmp == 0) return cur; - - if (node->key.source_type < cur->key.source_type) - break; - if (node->key.source_type == cur->key.source_type && - node->key.target_type < cur->key.target_type) - break; - if (node->key.source_type == cur->key.source_type && - node->key.target_type == cur->key.target_type && - node->key.target_class < cur->key.target_class) + if (cmp < 0) break; } return NULL; From ae254858ce0745aba25d107159b580ab5fdada5b Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Tue, 14 Nov 2023 16:51:16 +0100 Subject: [PATCH 05/24] selinux: introduce an initial SID for early boot processes Currently, SELinux doesn't allow distinguishing between kernel threads and userspace processes that are started before the policy is first loaded - both get the label corresponding to the kernel SID. The only way a process that persists from early boot can get a meaningful label is by doing a voluntary dyntransition or re-executing itself. Reusing the kernel label for userspace processes is problematic for several reasons: 1. The kernel is considered to be a privileged domain and generally needs to have a wide range of permissions allowed to work correctly, which prevents the policy writer from effectively hardening against early boot processes that might remain running unintentionally after the policy is loaded (they represent a potential extra attack surface that should be mitigated). 2. Despite the kernel being treated as a privileged domain, the policy writer may want to impose certain special limitations on kernel threads that may conflict with the requirements of intentional early boot processes. For example, it is a good hardening practice to limit what executables the kernel can execute as usermode helpers and to confine the resulting usermode helper processes. However, a (legitimate) process surviving from early boot may need to execute a different set of executables. 3. As currently implemented, overlayfs remembers the security context of the process that created an overlayfs mount and uses it to bound subsequent operations on files using this context. If an overlayfs mount is created before the SELinux policy is loaded, these "mounter" checks are made against the kernel context, which may clash with restrictions on the kernel domain (see 2.). To resolve this, introduce a new initial SID (reusing the slot of the former "init" initial SID) that will be assigned to any userspace process started before the policy is first loaded. This is easy to do, as we can simply label any process that goes through the bprm_creds_for_exec LSM hook with the new init-SID instead of propagating the kernel SID from the parent. To provide backwards compatibility for existing policies that are unaware of this new semantic of the "init" initial SID, introduce a new policy capability "userspace_initial_context" and set the "init" SID to the same context as the "kernel" SID unless this capability is set by the policy. Another small backwards compatibility measure is needed in security_sid_to_context_core() for before the initial SELinux policy load - see the code comment for explanation. Signed-off-by: Ondrej Mosnacek Reviewed-by: Stephen Smalley [PM: edited comments based on feedback/discussion] Signed-off-by: Paul Moore --- security/selinux/hooks.c | 28 +++++++++++++++++++ .../selinux/include/initial_sid_to_string.h | 2 +- security/selinux/include/policycap.h | 1 + security/selinux/include/policycap_names.h | 1 + security/selinux/include/security.h | 6 ++++ security/selinux/ss/policydb.c | 27 ++++++++++++++++++ security/selinux/ss/services.c | 13 ++++++++- 7 files changed, 76 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index feda711c6b7b..855589b64641 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2315,6 +2315,19 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) new_tsec->keycreate_sid = 0; new_tsec->sockcreate_sid = 0; + /* + * Before policy is loaded, label any task outside kernel space + * as SECINITSID_INIT, so that any userspace tasks surviving from + * early boot end up with a label different from SECINITSID_KERNEL + * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). + */ + if (!selinux_initialized()) { + new_tsec->sid = SECINITSID_INIT; + /* also clear the exec_sid just in case */ + new_tsec->exec_sid = 0; + return 0; + } + if (old_tsec->exec_sid) { new_tsec->sid = old_tsec->exec_sid; /* Reset exec SID on execve. */ @@ -4553,6 +4566,21 @@ static int sock_has_perm(struct sock *sk, u32 perms) if (sksec->sid == SECINITSID_KERNEL) return 0; + /* + * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that + * inherited the kernel context from early boot used to be skipped + * here, so preserve that behavior unless the capability is set. + * + * By setting the capability the policy signals that it is ready + * for this quirk to be fixed. Note that sockets created by a kernel + * thread or a usermode helper executed without a transition will + * still be skipped in this check regardless of the policycap + * setting. + */ + if (!selinux_policycap_userspace_initial_context() && + sksec->sid == SECINITSID_INIT) + return 0; + ad_net_init_from_sk(&ad, &net, sk); return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h index ecc6e74fa09b..5e5f0993dac2 100644 --- a/security/selinux/include/initial_sid_to_string.h +++ b/security/selinux/include/initial_sid_to_string.h @@ -10,7 +10,7 @@ static const char *const initial_sid_to_string[] = { NULL, "file", NULL, - NULL, + "init", "any_socket", "port", "netif", diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h index f35d3458e71d..c7373e6effe5 100644 --- a/security/selinux/include/policycap.h +++ b/security/selinux/include/policycap.h @@ -12,6 +12,7 @@ enum { POLICYDB_CAP_NNP_NOSUID_TRANSITION, POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS, POLICYDB_CAP_IOCTL_SKIP_CLOEXEC, + POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, __POLICYDB_CAP_MAX }; #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1) diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h index 49bbe120d173..28e4c9ee2399 100644 --- a/security/selinux/include/policycap_names.h +++ b/security/selinux/include/policycap_names.h @@ -14,6 +14,7 @@ const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = { "nnp_nosuid_transition", "genfs_seclabel_symlinks", "ioctl_skip_cloexec", + "userspace_initial_context", }; #endif /* _SELINUX_POLICYCAP_NAMES_H_ */ diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index a9de89af8fdc..074d439fe9ad 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -189,6 +189,12 @@ static inline bool selinux_policycap_ioctl_skip_cloexec(void) selinux_state.policycap[POLICYDB_CAP_IOCTL_SKIP_CLOEXEC]); } +static inline bool selinux_policycap_userspace_initial_context(void) +{ + return READ_ONCE( + selinux_state.policycap[POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT]); +} + struct selinux_policy_convert_data; struct selinux_load_state { diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index bd1e7f26d951..3b19ad28c922 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -857,6 +857,8 @@ void policydb_destroy(struct policydb *p) int policydb_load_isids(struct policydb *p, struct sidtab *s) { struct ocontext *head, *c; + bool isid_init_supported = ebitmap_get_bit(&p->policycaps, + POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT); int rc; rc = sidtab_init(s); @@ -880,6 +882,13 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s) if (!name) continue; + /* + * Also ignore SECINITSID_INIT if the policy doesn't declare + * support for it + */ + if (sid == SECINITSID_INIT && !isid_init_supported) + continue; + rc = sidtab_set_initial(s, sid, &c->context[0]); if (rc) { pr_err("SELinux: unable to load initial SID %s.\n", @@ -887,6 +896,24 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s) sidtab_destroy(s); return rc; } + + /* + * If the policy doesn't support the "userspace_initial_context" + * capability, set SECINITSID_INIT to the same context as + * SECINITSID_KERNEL. This ensures the same behavior as before + * the reintroduction of SECINITSID_INIT, where all tasks + * started before policy load would initially get the context + * corresponding to SECINITSID_KERNEL. + */ + if (sid == SECINITSID_KERNEL && !isid_init_supported) { + rc = sidtab_set_initial(s, SECINITSID_INIT, &c->context[0]); + if (rc) { + pr_err("SELinux: unable to load initial SID %s.\n", + name); + sidtab_destroy(s); + return rc; + } + } } return 0; } diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 1eeffc66ea7d..e88b1b6c4adb 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1322,8 +1322,19 @@ static int security_sid_to_context_core(u32 sid, char **scontext, if (!selinux_initialized()) { if (sid <= SECINITSID_NUM) { char *scontextp; - const char *s = initial_sid_to_string[sid]; + const char *s; + /* + * Before the policy is loaded, translate + * SECINITSID_INIT to "kernel", because systemd and + * libselinux < 2.6 take a getcon_raw() result that is + * both non-null and not "kernel" to mean that a policy + * is already loaded. + */ + if (sid == SECINITSID_INIT) + sid = SECINITSID_KERNEL; + + s = initial_sid_to_string[sid]; if (!s) return -EINVAL; *scontext_len = strlen(s) + 1; From 3c1e09d533dba45af8b4681f005c9b5807f9b182 Mon Sep 17 00:00:00 2001 From: Munehisa Kamata Date: Thu, 7 Dec 2023 01:33:56 +0000 Subject: [PATCH 06/24] selinux: remove the wrong comment about multithreaded process handling Since commit d9250dea3f89 ("SELinux: add boundary support and thread context assignment"), SELinux has been supporting assigning per-thread security context under a constraint and the comment was updated accordingly. However, seems like commit d84f4f992cbd ("CRED: Inaugurate COW credentials") accidentally brought the old comment back that doesn't match what the code does. Considering the ease of understanding the code, this patch just removes the wrong comment. Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials") Signed-off-by: Munehisa Kamata Signed-off-by: Paul Moore --- security/selinux/hooks.c | 1 - 1 file changed, 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 855589b64641..863ff67e7849 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6459,7 +6459,6 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) if (sid == 0) goto abort_change; - /* Only allow single threaded processes to change context */ if (!current_is_single_threaded()) { error = security_bounded_transition(tsec->sid, sid); if (error) From e24a6371282be83932b4254169bfb8216a8363ea Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 20 Dec 2023 11:52:45 -0500 Subject: [PATCH 07/24] MAINTAINERS: add Ondrej Mosnacek as a SELinux reviewer Add Ondrej as a trusted SELinux reviewer. Ondrej has a long history of providing quality SELinux kernel patches and we're lucky to have him as an official SELinux reviewer. Reviewed-by: Stephen Smalley Acked-by: Ondrej Mosnacek Signed-off-by: Paul Moore --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 931c52cc8393..295939417dc0 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -19518,6 +19518,7 @@ SELINUX SECURITY MODULE M: Paul Moore M: Stephen Smalley M: Eric Paris +R: Ondrej Mosnacek L: selinux@vger.kernel.org S: Supported W: https://github.com/SELinuxProject From 932b641837c8881a09b7b6f87d4f6925569d93e9 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 20 Dec 2023 11:53:49 -0500 Subject: [PATCH 08/24] MAINTAINERS: drop Eric Paris from his SELinux role Eric Paris is an important part of SELinux history and we are all thankful not only for his stint as maintainer, but his numerous contributions over the years. Unfortunately for us, Eric has moved on to other things and hasn't contributed to the SELinux community in several years (his last SELinux kernel commit was in 2013) so it's time to officially drop Eric as a maintainer. I also want to get ahead of any claims of impropriety and state that this change has absolutely nothing to do with commit 2be4d74f2fd4 ;) Thanks for all you've done Eric, you'll always be welcome back. Reviewed-by: Stephen Smalley Signed-off-by: Paul Moore --- MAINTAINERS | 1 - 1 file changed, 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 295939417dc0..1901468c32d7 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -19517,7 +19517,6 @@ X: security/selinux/ SELINUX SECURITY MODULE M: Paul Moore M: Stephen Smalley -M: Eric Paris R: Ondrej Mosnacek L: selinux@vger.kernel.org S: Supported From e9b0748b6bb3deaeff967245d33117f29e12917c Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:44 -0500 Subject: [PATCH 09/24] selinux: fix style issues in security/selinux/include/audit.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/audit.h | 1 - 1 file changed, 1 deletion(-) diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index d5495134a5b9..52aca71210b4 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -57,4 +57,3 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule); int selinux_audit_rule_known(struct audit_krule *rule); #endif /* _SELINUX_AUDIT_H */ - From bdaaf515ba8f38af6443d2e94ea3c7f502fe1b0e Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:45 -0500 Subject: [PATCH 10/24] selinux: fix style issues in security/selinux/include/avc.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/avc.h | 41 +++++++++++++--------------------- 1 file changed, 15 insertions(+), 26 deletions(-) diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 8f0aa66ccb13..eadae219fa78 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -4,6 +4,7 @@ * * Author : Stephen Smalley, */ + #ifndef _SELINUX_AVC_H_ #define _SELINUX_AVC_H_ @@ -60,11 +61,8 @@ struct selinux_audit_data { void __init avc_init(void); -static inline u32 avc_audit_required(u32 requested, - struct av_decision *avd, - int result, - u32 auditdeny, - u32 *deniedp) +static inline u32 avc_audit_required(u32 requested, struct av_decision *avd, + int result, u32 auditdeny, u32 *deniedp) { u32 denied, audited; denied = requested & ~avd->allowed; @@ -96,9 +94,8 @@ static inline u32 avc_audit_required(u32 requested, return audited; } -int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, - u32 requested, u32 audited, u32 denied, int result, - struct common_audit_data *a); +int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, u32 audited, + u32 denied, int result, struct common_audit_data *a); /** * avc_audit - Audit the granting or denial of permissions. @@ -119,36 +116,29 @@ int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, * be performed under a lock, to allow the lock to be released * before calling the auditing code. */ -static inline int avc_audit(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - struct av_decision *avd, - int result, +static inline int avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, + struct av_decision *avd, int result, struct common_audit_data *a) { u32 audited, denied; audited = avc_audit_required(requested, avd, result, 0, &denied); if (likely(!audited)) return 0; - return slow_avc_audit(ssid, tsid, tclass, - requested, audited, denied, result, - a); + return slow_avc_audit(ssid, tsid, tclass, requested, audited, denied, + result, a); } -#define AVC_STRICT 1 /* Ignore permissive mode. */ -#define AVC_EXTENDED_PERMS 2 /* update extended permissions */ -int avc_has_perm_noaudit(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - unsigned flags, - struct av_decision *avd); +#define AVC_STRICT 1 /* Ignore permissive mode. */ +#define AVC_EXTENDED_PERMS 2 /* update extended permissions */ +int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested, + unsigned flags, struct av_decision *avd); -int avc_has_perm(u32 ssid, u32 tsid, - u16 tclass, u32 requested, +int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested, struct common_audit_data *auditdata); int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested, u8 driver, u8 perm, struct common_audit_data *ad); - u32 avc_policy_seqno(void); #define AVC_CALLBACK_GRANT 1 @@ -156,7 +146,7 @@ u32 avc_policy_seqno(void); #define AVC_CALLBACK_REVOKE 4 #define AVC_CALLBACK_RESET 8 #define AVC_CALLBACK_AUDITALLOW_ENABLE 16 -#define AVC_CALLBACK_AUDITALLOW_DISABLE 32 +#define AVC_CALLBACK_AUDITALLOW_DISABLE 32 #define AVC_CALLBACK_AUDITDENY_ENABLE 64 #define AVC_CALLBACK_AUDITDENY_DISABLE 128 #define AVC_CALLBACK_ADD_XPERMS 256 @@ -173,4 +163,3 @@ DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats); #endif #endif /* _SELINUX_AVC_H_ */ - From bb4e5993f1d5d9620b267a6a1ad345353860de6a Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:46 -0500 Subject: [PATCH 11/24] selinux: align avc_has_perm_noaudit() prototype with definition A trivial correction to convert an 'unsigned' parameter into an 'unsigned int' parameter so the prototype matches the function definition. I really thought that someone submitted a patch for this a few years ago but sadly I can't find it now. Signed-off-by: Paul Moore --- security/selinux/include/avc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index eadae219fa78..96a614d47df8 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -131,7 +131,7 @@ static inline int avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, #define AVC_STRICT 1 /* Ignore permissive mode. */ #define AVC_EXTENDED_PERMS 2 /* update extended permissions */ int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested, - unsigned flags, struct av_decision *avd); + unsigned int flags, struct av_decision *avd); int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested, struct common_audit_data *auditdata); From 1d08fa8b9511153ec4fe06b166d65a700fbd0771 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:47 -0500 Subject: [PATCH 12/24] selinux: fix style issues in security/selinux/include/avc_ss.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/avc_ss.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h index 88b139e086c4..48ad64d54032 100644 --- a/security/selinux/include/avc_ss.h +++ b/security/selinux/include/avc_ss.h @@ -4,6 +4,7 @@ * * Author : Stephen Smalley, */ + #ifndef _SELINUX_AVC_SS_H_ #define _SELINUX_AVC_SS_H_ @@ -20,4 +21,3 @@ struct security_class_mapping { extern const struct security_class_mapping secclass_map[]; #endif /* _SELINUX_AVC_SS_H_ */ - From 27283b3118f4ab8e151f8c7c67ef6df00d9f40f9 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:48 -0500 Subject: [PATCH 13/24] selinux: fix style issues in security/selinux/include/classmap.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/classmap.h | 342 +++++++++++----------------- 1 file changed, 132 insertions(+), 210 deletions(-) diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index a3c380775d41..7229c9bf6c27 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -1,34 +1,40 @@ /* SPDX-License-Identifier: GPL-2.0 */ + #include #include -#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \ - "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map" +#define COMMON_FILE_SOCK_PERMS \ + "ioctl", "read", "write", "create", "getattr", "setattr", "lock", \ + "relabelfrom", "relabelto", "append", "map" -#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \ - "rename", "execute", "quotaon", "mounton", "audit_access", \ - "open", "execmod", "watch", "watch_mount", "watch_sb", \ - "watch_with_perm", "watch_reads" +#define COMMON_FILE_PERMS \ + COMMON_FILE_SOCK_PERMS, "unlink", "link", "rename", "execute", \ + "quotaon", "mounton", "audit_access", "open", "execmod", \ + "watch", "watch_mount", "watch_sb", "watch_with_perm", \ + "watch_reads" -#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \ - "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \ - "sendto", "name_bind" +#define COMMON_SOCK_PERMS \ + COMMON_FILE_SOCK_PERMS, "bind", "connect", "listen", "accept", \ + "getopt", "setopt", "shutdown", "recvfrom", "sendto", \ + "name_bind" -#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ - "write", "associate", "unix_read", "unix_write" +#define COMMON_IPC_PERMS \ + "create", "destroy", "getattr", "setattr", "read", "write", \ + "associate", "unix_read", "unix_write" -#define COMMON_CAP_PERMS "chown", "dac_override", "dac_read_search", \ - "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \ - "linux_immutable", "net_bind_service", "net_broadcast", \ - "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \ - "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \ - "sys_boot", "sys_nice", "sys_resource", "sys_time", \ - "sys_tty_config", "mknod", "lease", "audit_write", \ - "audit_control", "setfcap" +#define COMMON_CAP_PERMS \ + "chown", "dac_override", "dac_read_search", "fowner", "fsetid", \ + "kill", "setgid", "setuid", "setpcap", "linux_immutable", \ + "net_bind_service", "net_broadcast", "net_admin", "net_raw", \ + "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", \ + "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \ + "sys_boot", "sys_nice", "sys_resource", "sys_time", \ + "sys_tty_config", "mknod", "lease", "audit_write", \ + "audit_control", "setfcap" -#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \ - "wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \ - "checkpoint_restore" +#define COMMON_CAP2_PERMS \ + "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \ + "audit_read", "perfmon", "bpf", "checkpoint_restore" #if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE #error New capability defined, please update COMMON_CAP2_PERMS. @@ -40,224 +46,140 @@ */ const struct security_class_mapping secclass_map[] = { { "security", - { "compute_av", "compute_create", "compute_member", - "check_context", "load_policy", "compute_relabel", - "compute_user", "setenforce", "setbool", "setsecparam", - "setcheckreqprot", "read_policy", "validate_trans", NULL } }, + { "compute_av", "compute_create", "compute_member", "check_context", + "load_policy", "compute_relabel", "compute_user", "setenforce", + "setbool", "setsecparam", "setcheckreqprot", "read_policy", + "validate_trans", NULL } }, { "process", - { "fork", "transition", "sigchld", "sigkill", - "sigstop", "signull", "signal", "ptrace", "getsched", "setsched", - "getsession", "getpgid", "setpgid", "getcap", "setcap", "share", - "getattr", "setexec", "setfscreate", "noatsecure", "siginh", - "setrlimit", "rlimitinh", "dyntransition", "setcurrent", - "execmem", "execstack", "execheap", "setkeycreate", - "setsockcreate", "getrlimit", NULL } }, - { "process2", - { "nnp_transition", "nosuid_transition", NULL } }, + { "fork", "transition", "sigchld", "sigkill", + "sigstop", "signull", "signal", "ptrace", + "getsched", "setsched", "getsession", "getpgid", + "setpgid", "getcap", "setcap", "share", + "getattr", "setexec", "setfscreate", "noatsecure", + "siginh", "setrlimit", "rlimitinh", "dyntransition", + "setcurrent", "execmem", "execstack", "execheap", + "setkeycreate", "setsockcreate", "getrlimit", NULL } }, + { "process2", { "nnp_transition", "nosuid_transition", NULL } }, { "system", - { "ipc_info", "syslog_read", "syslog_mod", - "syslog_console", "module_request", "module_load", NULL } }, - { "capability", - { COMMON_CAP_PERMS, NULL } }, + { "ipc_info", "syslog_read", "syslog_mod", "syslog_console", + "module_request", "module_load", NULL } }, + { "capability", { COMMON_CAP_PERMS, NULL } }, { "filesystem", - { "mount", "remount", "unmount", "getattr", - "relabelfrom", "relabelto", "associate", "quotamod", - "quotaget", "watch", NULL } }, + { "mount", "remount", "unmount", "getattr", "relabelfrom", + "relabelto", "associate", "quotamod", "quotaget", "watch", NULL } }, { "file", - { COMMON_FILE_PERMS, - "execute_no_trans", "entrypoint", NULL } }, + { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", NULL } }, { "dir", - { COMMON_FILE_PERMS, "add_name", "remove_name", - "reparent", "search", "rmdir", NULL } }, + { COMMON_FILE_PERMS, "add_name", "remove_name", "reparent", "search", + "rmdir", NULL } }, { "fd", { "use", NULL } }, - { "lnk_file", - { COMMON_FILE_PERMS, NULL } }, - { "chr_file", - { COMMON_FILE_PERMS, NULL } }, - { "blk_file", - { COMMON_FILE_PERMS, NULL } }, - { "sock_file", - { COMMON_FILE_PERMS, NULL } }, - { "fifo_file", - { COMMON_FILE_PERMS, NULL } }, - { "socket", - { COMMON_SOCK_PERMS, NULL } }, + { "lnk_file", { COMMON_FILE_PERMS, NULL } }, + { "chr_file", { COMMON_FILE_PERMS, NULL } }, + { "blk_file", { COMMON_FILE_PERMS, NULL } }, + { "sock_file", { COMMON_FILE_PERMS, NULL } }, + { "fifo_file", { COMMON_FILE_PERMS, NULL } }, + { "socket", { COMMON_SOCK_PERMS, NULL } }, { "tcp_socket", - { COMMON_SOCK_PERMS, - "node_bind", "name_connect", - NULL } }, - { "udp_socket", - { COMMON_SOCK_PERMS, - "node_bind", NULL } }, - { "rawip_socket", - { COMMON_SOCK_PERMS, - "node_bind", NULL } }, - { "node", - { "recvfrom", "sendto", NULL } }, - { "netif", - { "ingress", "egress", NULL } }, - { "netlink_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "packet_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "key_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "unix_stream_socket", - { COMMON_SOCK_PERMS, "connectto", NULL } }, - { "unix_dgram_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "sem", - { COMMON_IPC_PERMS, NULL } }, + { COMMON_SOCK_PERMS, "node_bind", "name_connect", NULL } }, + { "udp_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } }, + { "rawip_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } }, + { "node", { "recvfrom", "sendto", NULL } }, + { "netif", { "ingress", "egress", NULL } }, + { "netlink_socket", { COMMON_SOCK_PERMS, NULL } }, + { "packet_socket", { COMMON_SOCK_PERMS, NULL } }, + { "key_socket", { COMMON_SOCK_PERMS, NULL } }, + { "unix_stream_socket", { COMMON_SOCK_PERMS, "connectto", NULL } }, + { "unix_dgram_socket", { COMMON_SOCK_PERMS, NULL } }, + { "sem", { COMMON_IPC_PERMS, NULL } }, { "msg", { "send", "receive", NULL } }, - { "msgq", - { COMMON_IPC_PERMS, "enqueue", NULL } }, - { "shm", - { COMMON_IPC_PERMS, "lock", NULL } }, - { "ipc", - { COMMON_IPC_PERMS, NULL } }, + { "msgq", { COMMON_IPC_PERMS, "enqueue", NULL } }, + { "shm", { COMMON_IPC_PERMS, "lock", NULL } }, + { "ipc", { COMMON_IPC_PERMS, NULL } }, { "netlink_route_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", NULL } }, + { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } }, { "netlink_tcpdiag_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", NULL } }, - { "netlink_nflog_socket", - { COMMON_SOCK_PERMS, NULL } }, + { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } }, + { "netlink_nflog_socket", { COMMON_SOCK_PERMS, NULL } }, { "netlink_xfrm_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", NULL } }, - { "netlink_selinux_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netlink_iscsi_socket", - { COMMON_SOCK_PERMS, NULL } }, + { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } }, + { "netlink_selinux_socket", { COMMON_SOCK_PERMS, NULL } }, + { "netlink_iscsi_socket", { COMMON_SOCK_PERMS, NULL } }, { "netlink_audit_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv", - "nlmsg_tty_audit", NULL } }, - { "netlink_fib_lookup_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netlink_connector_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netlink_netfilter_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netlink_dnrt_socket", - { COMMON_SOCK_PERMS, NULL } }, + { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", "nlmsg_relay", + "nlmsg_readpriv", "nlmsg_tty_audit", NULL } }, + { "netlink_fib_lookup_socket", { COMMON_SOCK_PERMS, NULL } }, + { "netlink_connector_socket", { COMMON_SOCK_PERMS, NULL } }, + { "netlink_netfilter_socket", { COMMON_SOCK_PERMS, NULL } }, + { "netlink_dnrt_socket", { COMMON_SOCK_PERMS, NULL } }, { "association", { "sendto", "recvfrom", "setcontext", "polmatch", NULL } }, - { "netlink_kobject_uevent_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netlink_generic_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netlink_scsitransport_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netlink_rdma_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netlink_crypto_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "appletalk_socket", - { COMMON_SOCK_PERMS, NULL } }, + { "netlink_kobject_uevent_socket", { COMMON_SOCK_PERMS, NULL } }, + { "netlink_generic_socket", { COMMON_SOCK_PERMS, NULL } }, + { "netlink_scsitransport_socket", { COMMON_SOCK_PERMS, NULL } }, + { "netlink_rdma_socket", { COMMON_SOCK_PERMS, NULL } }, + { "netlink_crypto_socket", { COMMON_SOCK_PERMS, NULL } }, + { "appletalk_socket", { COMMON_SOCK_PERMS, NULL } }, { "packet", { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } }, { "key", { "view", "read", "write", "search", "link", "setattr", "create", NULL } }, { "dccp_socket", - { COMMON_SOCK_PERMS, - "node_bind", "name_connect", NULL } }, + { COMMON_SOCK_PERMS, "node_bind", "name_connect", NULL } }, { "memprotect", { "mmap_zero", NULL } }, { "peer", { "recv", NULL } }, - { "capability2", - { COMMON_CAP2_PERMS, NULL } }, + { "capability2", { COMMON_CAP2_PERMS, NULL } }, { "kernel_service", { "use_as_override", "create_files_as", NULL } }, - { "tun_socket", - { COMMON_SOCK_PERMS, "attach_queue", NULL } }, - { "binder", { "impersonate", "call", "set_context_mgr", "transfer", - NULL } }, - { "cap_userns", - { COMMON_CAP_PERMS, NULL } }, - { "cap2_userns", - { COMMON_CAP2_PERMS, NULL } }, + { "tun_socket", { COMMON_SOCK_PERMS, "attach_queue", NULL } }, + { "binder", + { "impersonate", "call", "set_context_mgr", "transfer", NULL } }, + { "cap_userns", { COMMON_CAP_PERMS, NULL } }, + { "cap2_userns", { COMMON_CAP2_PERMS, NULL } }, { "sctp_socket", - { COMMON_SOCK_PERMS, - "node_bind", "name_connect", "association", NULL } }, - { "icmp_socket", - { COMMON_SOCK_PERMS, - "node_bind", NULL } }, - { "ax25_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "ipx_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netrom_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "atmpvc_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "x25_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "rose_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "decnet_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "atmsvc_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "rds_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "irda_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "pppox_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "llc_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "can_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "tipc_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "bluetooth_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "iucv_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "rxrpc_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "isdn_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "phonet_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "ieee802154_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "caif_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "alg_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "nfc_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "vsock_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "kcm_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "qipcrtr_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "smc_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "infiniband_pkey", - { "access", NULL } }, - { "infiniband_endport", - { "manage_subnet", NULL } }, + { COMMON_SOCK_PERMS, "node_bind", "name_connect", "association", + NULL } }, + { "icmp_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } }, + { "ax25_socket", { COMMON_SOCK_PERMS, NULL } }, + { "ipx_socket", { COMMON_SOCK_PERMS, NULL } }, + { "netrom_socket", { COMMON_SOCK_PERMS, NULL } }, + { "atmpvc_socket", { COMMON_SOCK_PERMS, NULL } }, + { "x25_socket", { COMMON_SOCK_PERMS, NULL } }, + { "rose_socket", { COMMON_SOCK_PERMS, NULL } }, + { "decnet_socket", { COMMON_SOCK_PERMS, NULL } }, + { "atmsvc_socket", { COMMON_SOCK_PERMS, NULL } }, + { "rds_socket", { COMMON_SOCK_PERMS, NULL } }, + { "irda_socket", { COMMON_SOCK_PERMS, NULL } }, + { "pppox_socket", { COMMON_SOCK_PERMS, NULL } }, + { "llc_socket", { COMMON_SOCK_PERMS, NULL } }, + { "can_socket", { COMMON_SOCK_PERMS, NULL } }, + { "tipc_socket", { COMMON_SOCK_PERMS, NULL } }, + { "bluetooth_socket", { COMMON_SOCK_PERMS, NULL } }, + { "iucv_socket", { COMMON_SOCK_PERMS, NULL } }, + { "rxrpc_socket", { COMMON_SOCK_PERMS, NULL } }, + { "isdn_socket", { COMMON_SOCK_PERMS, NULL } }, + { "phonet_socket", { COMMON_SOCK_PERMS, NULL } }, + { "ieee802154_socket", { COMMON_SOCK_PERMS, NULL } }, + { "caif_socket", { COMMON_SOCK_PERMS, NULL } }, + { "alg_socket", { COMMON_SOCK_PERMS, NULL } }, + { "nfc_socket", { COMMON_SOCK_PERMS, NULL } }, + { "vsock_socket", { COMMON_SOCK_PERMS, NULL } }, + { "kcm_socket", { COMMON_SOCK_PERMS, NULL } }, + { "qipcrtr_socket", { COMMON_SOCK_PERMS, NULL } }, + { "smc_socket", { COMMON_SOCK_PERMS, NULL } }, + { "infiniband_pkey", { "access", NULL } }, + { "infiniband_endport", { "manage_subnet", NULL } }, { "bpf", { "map_create", "map_read", "map_write", "prog_load", "prog_run", NULL } }, - { "xdp_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "mctp_socket", - { COMMON_SOCK_PERMS, NULL } }, + { "xdp_socket", { COMMON_SOCK_PERMS, NULL } }, + { "mctp_socket", { COMMON_SOCK_PERMS, NULL } }, { "perf_event", { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } }, - { "anon_inode", - { COMMON_FILE_PERMS, NULL } }, - { "io_uring", - { "override_creds", "sqpoll", "cmd", NULL } }, - { "user_namespace", - { "create", NULL } }, + { "anon_inode", { COMMON_FILE_PERMS, NULL } }, + { "io_uring", { "override_creds", "sqpoll", "cmd", NULL } }, + { "user_namespace", { "create", NULL } }, { NULL } - }; +}; #if PF_MAX > 46 #error New address family defined, please update secclass_map. From ce4a781baec0d5393fa7da9e9588d12b482256e4 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:49 -0500 Subject: [PATCH 14/24] selinux: fix style issues in security/selinux/include/conditional.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/conditional.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/selinux/include/conditional.h b/security/selinux/include/conditional.h index 693a654714eb..5910bb7c2eca 100644 --- a/security/selinux/include/conditional.h +++ b/security/selinux/include/conditional.h @@ -13,8 +13,8 @@ #include "security.h" -int security_get_bools(struct selinux_policy *policy, - u32 *len, char ***names, int **values); +int security_get_bools(struct selinux_policy *policy, u32 *len, char ***names, + int **values); int security_set_bools(u32 len, int *values); From e5a4cc30cb9b04aad158cd3c905fbf5ce31c777c Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:50 -0500 Subject: [PATCH 15/24] selinux: fix style issues in security/selinux/include/ima.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/ima.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/include/ima.h b/security/selinux/include/ima.h index 93c05e97eb7f..38ab302f5946 100644 --- a/security/selinux/include/ima.h +++ b/security/selinux/include/ima.h @@ -25,4 +25,4 @@ static inline void selinux_ima_measure_state_locked(void) } #endif -#endif /* _SELINUX_IMA_H_ */ +#endif /* _SELINUX_IMA_H_ */ From e04f8585d02242acb9ca418ad137c3f7a9429c13 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:51 -0500 Subject: [PATCH 16/24] selinux: fix style issues in security/selinux/include/netif.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/netif.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h index 85ec30d11144..2838bdc170dd 100644 --- a/security/selinux/include/netif.h +++ b/security/selinux/include/netif.h @@ -11,6 +11,7 @@ * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. * Paul Moore */ + #ifndef _SELINUX_NETIF_H_ #define _SELINUX_NETIF_H_ @@ -20,5 +21,4 @@ void sel_netif_flush(void); int sel_netif_sid(struct net *ns, int ifindex, u32 *sid); -#endif /* _SELINUX_NETIF_H_ */ - +#endif /* _SELINUX_NETIF_H_ */ From 3e7773f8dabeb79a870d7d1155c395bf043498d0 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:52 -0500 Subject: [PATCH 17/24] selinux: fix style issues with security/selinux/include/netlabel.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/netlabel.h | 53 +++++++++++------------------ 1 file changed, 20 insertions(+), 33 deletions(-) diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h index 4d0456d3d459..5731c0dcd3e8 100644 --- a/security/selinux/include/netlabel.h +++ b/security/selinux/include/netlabel.h @@ -32,25 +32,19 @@ void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error, void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec); void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec); -int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, - u16 family, - u32 *type, +int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u16 family, u32 *type, u32 *sid); -int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, - u16 family, - u32 sid); +int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, u16 family, u32 sid); int selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc, - struct sk_buff *skb); + struct sk_buff *skb); int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family); void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family); void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk); int selinux_netlbl_socket_post_create(struct sock *sk, u16 family); int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, - struct sk_buff *skb, - u16 family, + struct sk_buff *skb, u16 family, struct common_audit_data *ad); -int selinux_netlbl_socket_setsockopt(struct socket *sock, - int level, +int selinux_netlbl_socket_setsockopt(struct socket *sock, int level, int optname); int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr); int selinux_netlbl_socket_connect_locked(struct sock *sk, @@ -62,44 +56,40 @@ static inline void selinux_netlbl_cache_invalidate(void) return; } -static inline void selinux_netlbl_err(struct sk_buff *skb, - u16 family, - int error, - int gateway) +static inline void selinux_netlbl_err(struct sk_buff *skb, u16 family, + int error, int gateway) { return; } -static inline void selinux_netlbl_sk_security_free( - struct sk_security_struct *sksec) +static inline void +selinux_netlbl_sk_security_free(struct sk_security_struct *sksec) { return; } -static inline void selinux_netlbl_sk_security_reset( - struct sk_security_struct *sksec) +static inline void +selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec) { return; } -static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, - u16 family, - u32 *type, - u32 *sid) +static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u16 family, + u32 *type, u32 *sid) { *type = NETLBL_NLTYPE_NONE; *sid = SECSID_NULL; return 0; } -static inline int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, - u16 family, +static inline int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, u16 family, u32 sid) { return 0; } -static inline int selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc, - struct sk_buff *skb) +static inline int +selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc, + struct sk_buff *skb) { return 0; } @@ -117,21 +107,18 @@ static inline void selinux_netlbl_sctp_sk_clone(struct sock *sk, { return; } -static inline int selinux_netlbl_socket_post_create(struct sock *sk, - u16 family) +static inline int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) { return 0; } static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, - struct sk_buff *skb, - u16 family, + struct sk_buff *skb, u16 family, struct common_audit_data *ad) { return 0; } static inline int selinux_netlbl_socket_setsockopt(struct socket *sock, - int level, - int optname) + int level, int optname) { return 0; } From c787022036663c538b14df6c5edcc2ab93a16eee Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:53 -0500 Subject: [PATCH 18/24] selinux: fix style issues in security/selinux/include/objsec.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/objsec.h | 129 +++++++++++++++--------------- 1 file changed, 65 insertions(+), 64 deletions(-) diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 8159fd53c3de..dea1d6f3ed2d 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -13,6 +13,7 @@ * Copyright (C) 2003 Red Hat, Inc., James Morris * Copyright (C) 2016 Mellanox Technologies */ + #ifndef _SELINUX_OBJSEC_H_ #define _SELINUX_OBJSEC_H_ @@ -29,122 +30,122 @@ #include "avc.h" struct task_security_struct { - u32 osid; /* SID prior to last execve */ - u32 sid; /* current SID */ - u32 exec_sid; /* exec SID */ - u32 create_sid; /* fscreate SID */ - u32 keycreate_sid; /* keycreate SID */ - u32 sockcreate_sid; /* fscreate SID */ + u32 osid; /* SID prior to last execve */ + u32 sid; /* current SID */ + u32 exec_sid; /* exec SID */ + u32 create_sid; /* fscreate SID */ + u32 keycreate_sid; /* keycreate SID */ + u32 sockcreate_sid; /* fscreate SID */ } __randomize_layout; enum label_initialized { - LABEL_INVALID, /* invalid or not initialized */ - LABEL_INITIALIZED, /* initialized */ + LABEL_INVALID, /* invalid or not initialized */ + LABEL_INITIALIZED, /* initialized */ LABEL_PENDING }; struct inode_security_struct { - struct inode *inode; /* back pointer to inode object */ - struct list_head list; /* list of inode_security_struct */ - u32 task_sid; /* SID of creating task */ - u32 sid; /* SID of this object */ - u16 sclass; /* security class of this object */ - unsigned char initialized; /* initialization flag */ + struct inode *inode; /* back pointer to inode object */ + struct list_head list; /* list of inode_security_struct */ + u32 task_sid; /* SID of creating task */ + u32 sid; /* SID of this object */ + u16 sclass; /* security class of this object */ + unsigned char initialized; /* initialization flag */ spinlock_t lock; }; struct file_security_struct { - u32 sid; /* SID of open file description */ - u32 fown_sid; /* SID of file owner (for SIGIO) */ - u32 isid; /* SID of inode at the time of file open */ - u32 pseqno; /* Policy seqno at the time of file open */ + u32 sid; /* SID of open file description */ + u32 fown_sid; /* SID of file owner (for SIGIO) */ + u32 isid; /* SID of inode at the time of file open */ + u32 pseqno; /* Policy seqno at the time of file open */ }; struct superblock_security_struct { - u32 sid; /* SID of file system superblock */ - u32 def_sid; /* default SID for labeling */ - u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */ - unsigned short behavior; /* labeling behavior */ - unsigned short flags; /* which mount options were specified */ + u32 sid; /* SID of file system superblock */ + u32 def_sid; /* default SID for labeling */ + u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */ + unsigned short behavior; /* labeling behavior */ + unsigned short flags; /* which mount options were specified */ struct mutex lock; struct list_head isec_head; spinlock_t isec_lock; }; struct msg_security_struct { - u32 sid; /* SID of message */ + u32 sid; /* SID of message */ }; struct ipc_security_struct { - u16 sclass; /* security class of this object */ - u32 sid; /* SID of IPC resource */ + u16 sclass; /* security class of this object */ + u32 sid; /* SID of IPC resource */ }; struct netif_security_struct { - struct net *ns; /* network namespace */ - int ifindex; /* device index */ - u32 sid; /* SID for this interface */ + struct net *ns; /* network namespace */ + int ifindex; /* device index */ + u32 sid; /* SID for this interface */ }; struct netnode_security_struct { union { - __be32 ipv4; /* IPv4 node address */ - struct in6_addr ipv6; /* IPv6 node address */ + __be32 ipv4; /* IPv4 node address */ + struct in6_addr ipv6; /* IPv6 node address */ } addr; - u32 sid; /* SID for this node */ - u16 family; /* address family */ + u32 sid; /* SID for this node */ + u16 family; /* address family */ }; struct netport_security_struct { - u32 sid; /* SID for this node */ - u16 port; /* port number */ - u8 protocol; /* transport protocol */ + u32 sid; /* SID for this node */ + u16 port; /* port number */ + u8 protocol; /* transport protocol */ }; struct sk_security_struct { #ifdef CONFIG_NETLABEL - enum { /* NetLabel state */ - NLBL_UNSET = 0, - NLBL_REQUIRE, - NLBL_LABELED, - NLBL_REQSKB, - NLBL_CONNLABELED, + enum { /* NetLabel state */ + NLBL_UNSET = 0, + NLBL_REQUIRE, + NLBL_LABELED, + NLBL_REQSKB, + NLBL_CONNLABELED, } nlbl_state; struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */ #endif - u32 sid; /* SID of this object */ - u32 peer_sid; /* SID of peer */ - u16 sclass; /* sock security class */ - enum { /* SCTP association state */ - SCTP_ASSOC_UNSET = 0, - SCTP_ASSOC_SET, + u32 sid; /* SID of this object */ + u32 peer_sid; /* SID of peer */ + u16 sclass; /* sock security class */ + enum { /* SCTP association state */ + SCTP_ASSOC_UNSET = 0, + SCTP_ASSOC_SET, } sctp_assoc_state; }; struct tun_security_struct { - u32 sid; /* SID for the tun device sockets */ + u32 sid; /* SID for the tun device sockets */ }; struct key_security_struct { - u32 sid; /* SID of key */ + u32 sid; /* SID of key */ }; struct ib_security_struct { - u32 sid; /* SID of the queue pair or MAD agent */ + u32 sid; /* SID of the queue pair or MAD agent */ }; struct pkey_security_struct { - u64 subnet_prefix; /* Port subnet prefix */ - u16 pkey; /* PKey number */ - u32 sid; /* SID of pkey */ + u64 subnet_prefix; /* Port subnet prefix */ + u16 pkey; /* PKey number */ + u32 sid; /* SID of pkey */ }; struct bpf_security_struct { - u32 sid; /* SID of bpf obj creator */ + u32 sid; /* SID of bpf obj creator */ }; struct perf_event_security_struct { - u32 sid; /* SID of perf_event obj creator */ + u32 sid; /* SID of perf_event obj creator */ }; extern struct lsm_blob_sizes selinux_blob_sizes; @@ -158,22 +159,22 @@ static inline struct file_security_struct *selinux_file(const struct file *file) return file->f_security + selinux_blob_sizes.lbs_file; } -static inline struct inode_security_struct *selinux_inode( - const struct inode *inode) +static inline struct inode_security_struct * +selinux_inode(const struct inode *inode) { if (unlikely(!inode->i_security)) return NULL; return inode->i_security + selinux_blob_sizes.lbs_inode; } -static inline struct msg_security_struct *selinux_msg_msg( - const struct msg_msg *msg_msg) +static inline struct msg_security_struct * +selinux_msg_msg(const struct msg_msg *msg_msg) { return msg_msg->security + selinux_blob_sizes.lbs_msg_msg; } -static inline struct ipc_security_struct *selinux_ipc( - const struct kern_ipc_perm *ipc) +static inline struct ipc_security_struct * +selinux_ipc(const struct kern_ipc_perm *ipc) { return ipc->security + selinux_blob_sizes.lbs_ipc; } @@ -188,8 +189,8 @@ static inline u32 current_sid(void) return tsec->sid; } -static inline struct superblock_security_struct *selinux_superblock( - const struct super_block *superblock) +static inline struct superblock_security_struct * +selinux_superblock(const struct super_block *superblock) { return superblock->s_security + selinux_blob_sizes.lbs_superblock; } From db896a00611d93e3f962dfc9b1c0b7788ec7952e Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:54 -0500 Subject: [PATCH 19/24] selinux: fix style issues in security/selinux/include/policycap.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/policycap.h | 1 + 1 file changed, 1 insertion(+) diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h index c7373e6effe5..dc3674eb29c1 100644 --- a/security/selinux/include/policycap.h +++ b/security/selinux/include/policycap.h @@ -1,4 +1,5 @@ /* SPDX-License-Identifier: GPL-2.0 */ + #ifndef _SELINUX_POLICYCAP_H_ #define _SELINUX_POLICYCAP_H_ From 376ef14d621d169534c143ef411d0b2303bb6f79 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:55 -0500 Subject: [PATCH 20/24] selinux: fix style issues with security/selinux/include/policycap_names.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/policycap_names.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h index 28e4c9ee2399..2cffcc1ce851 100644 --- a/security/selinux/include/policycap_names.h +++ b/security/selinux/include/policycap_names.h @@ -1,9 +1,11 @@ /* SPDX-License-Identifier: GPL-2.0 */ + #ifndef _SELINUX_POLICYCAP_NAMES_H_ #define _SELINUX_POLICYCAP_NAMES_H_ #include "policycap.h" +/* clang-format off */ /* Policy capability names */ const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = { "network_peer_controls", @@ -16,5 +18,6 @@ const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = { "ioctl_skip_cloexec", "userspace_initial_context", }; +/* clang-format on */ #endif /* _SELINUX_POLICYCAP_NAMES_H_ */ From 7d1464bd1134461d4a6144b1514c2aa778af4f03 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:56 -0500 Subject: [PATCH 21/24] selinux: fix style issues in security/selinux/include/security.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/security.h | 155 ++++++++++++++-------------- 1 file changed, 75 insertions(+), 80 deletions(-) diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 074d439fe9ad..289bf9233f71 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -21,57 +21,57 @@ #include "flask.h" #include "policycap.h" -#define SECSID_NULL 0x00000000 /* unspecified SID */ -#define SECSID_WILD 0xffffffff /* wildcard SID */ -#define SECCLASS_NULL 0x0000 /* no class */ +#define SECSID_NULL 0x00000000 /* unspecified SID */ +#define SECSID_WILD 0xffffffff /* wildcard SID */ +#define SECCLASS_NULL 0x0000 /* no class */ /* Identify specific policy version changes */ -#define POLICYDB_VERSION_BASE 15 -#define POLICYDB_VERSION_BOOL 16 -#define POLICYDB_VERSION_IPV6 17 -#define POLICYDB_VERSION_NLCLASS 18 -#define POLICYDB_VERSION_VALIDATETRANS 19 -#define POLICYDB_VERSION_MLS 19 -#define POLICYDB_VERSION_AVTAB 20 -#define POLICYDB_VERSION_RANGETRANS 21 -#define POLICYDB_VERSION_POLCAP 22 -#define POLICYDB_VERSION_PERMISSIVE 23 -#define POLICYDB_VERSION_BOUNDARY 24 -#define POLICYDB_VERSION_FILENAME_TRANS 25 -#define POLICYDB_VERSION_ROLETRANS 26 -#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27 -#define POLICYDB_VERSION_DEFAULT_TYPE 28 -#define POLICYDB_VERSION_CONSTRAINT_NAMES 29 -#define POLICYDB_VERSION_XPERMS_IOCTL 30 -#define POLICYDB_VERSION_INFINIBAND 31 -#define POLICYDB_VERSION_GLBLUB 32 -#define POLICYDB_VERSION_COMP_FTRANS 33 /* compressed filename transitions */ +#define POLICYDB_VERSION_BASE 15 +#define POLICYDB_VERSION_BOOL 16 +#define POLICYDB_VERSION_IPV6 17 +#define POLICYDB_VERSION_NLCLASS 18 +#define POLICYDB_VERSION_VALIDATETRANS 19 +#define POLICYDB_VERSION_MLS 19 +#define POLICYDB_VERSION_AVTAB 20 +#define POLICYDB_VERSION_RANGETRANS 21 +#define POLICYDB_VERSION_POLCAP 22 +#define POLICYDB_VERSION_PERMISSIVE 23 +#define POLICYDB_VERSION_BOUNDARY 24 +#define POLICYDB_VERSION_FILENAME_TRANS 25 +#define POLICYDB_VERSION_ROLETRANS 26 +#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27 +#define POLICYDB_VERSION_DEFAULT_TYPE 28 +#define POLICYDB_VERSION_CONSTRAINT_NAMES 29 +#define POLICYDB_VERSION_XPERMS_IOCTL 30 +#define POLICYDB_VERSION_INFINIBAND 31 +#define POLICYDB_VERSION_GLBLUB 32 +#define POLICYDB_VERSION_COMP_FTRANS 33 /* compressed filename transitions */ /* Range of policy versions we understand*/ -#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_COMP_FTRANS +#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_COMP_FTRANS /* Mask for just the mount related flags */ -#define SE_MNTMASK 0x0f +#define SE_MNTMASK 0x0f /* Super block security struct flags for mount options */ /* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */ #define CONTEXT_MNT 0x01 #define FSCONTEXT_MNT 0x02 -#define ROOTCONTEXT_MNT 0x04 +#define ROOTCONTEXT_MNT 0x04 #define DEFCONTEXT_MNT 0x08 #define SBLABEL_MNT 0x10 /* Non-mount related flags */ -#define SE_SBINITIALIZED 0x0100 -#define SE_SBPROC 0x0200 -#define SE_SBGENFS 0x0400 -#define SE_SBGENFS_XATTR 0x0800 -#define SE_SBNATIVE 0x1000 +#define SE_SBINITIALIZED 0x0100 +#define SE_SBPROC 0x0200 +#define SE_SBGENFS 0x0400 +#define SE_SBGENFS_XATTR 0x0800 +#define SE_SBNATIVE 0x1000 #define CONTEXT_STR "context" #define FSCONTEXT_STR "fscontext" -#define ROOTCONTEXT_STR "rootcontext" +#define ROOTCONTEXT_STR "rootcontext" #define DEFCONTEXT_STR "defcontext" -#define SECLABEL_STR "seclabel" +#define SECLABEL_STR "seclabel" struct netlbl_lsm_secattr; @@ -81,11 +81,11 @@ extern int selinux_enabled_boot; * type_datum properties * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY */ -#define TYPEDATUM_PROPERTY_PRIMARY 0x0001 -#define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002 +#define TYPEDATUM_PROPERTY_PRIMARY 0x0001 +#define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002 /* limitation of boundary depth */ -#define POLICYDB_BOUNDS_MAXDEPTH 4 +#define POLICYDB_BOUNDS_MAXDEPTH 4 struct selinux_policy; @@ -220,12 +220,12 @@ struct av_decision { u32 flags; }; -#define XPERMS_ALLOWED 1 +#define XPERMS_ALLOWED 1 #define XPERMS_AUDITALLOW 2 -#define XPERMS_DONTAUDIT 4 +#define XPERMS_DONTAUDIT 4 -#define security_xperm_set(perms, x) ((perms)[(x) >> 5] |= 1 << ((x) & 0x1f)) -#define security_xperm_test(perms, x) (1 & ((perms)[(x) >> 5] >> ((x) & 0x1f))) +#define security_xperm_set(perms, x) ((perms)[(x) >> 5] |= 1 << ((x)&0x1f)) +#define security_xperm_test(perms, x) (1 & ((perms)[(x) >> 5] >> ((x)&0x1f))) struct extended_perms_data { u32 p[8]; }; @@ -239,23 +239,22 @@ struct extended_perms_decision { }; struct extended_perms { - u16 len; /* length associated decision chain */ + u16 len; /* length associated decision chain */ struct extended_perms_data drivers; /* flag drivers that are used */ }; /* definitions of av_decision.flags */ -#define AVD_FLAGS_PERMISSIVE 0x0001 +#define AVD_FLAGS_PERMISSIVE 0x0001 -void security_compute_av(u32 ssid, u32 tsid, - u16 tclass, struct av_decision *avd, +void security_compute_av(u32 ssid, u32 tsid, u16 tclass, + struct av_decision *avd, struct extended_perms *xperms); -void security_compute_xperms_decision(u32 ssid, u32 tsid, u16 tclass, - u8 driver, +void security_compute_xperms_decision(u32 ssid, u32 tsid, u16 tclass, u8 driver, struct extended_perms_decision *xpermd); -void security_compute_av_user(u32 ssid, u32 tsid, - u16 tclass, struct av_decision *avd); +void security_compute_av_user(u32 ssid, u32 tsid, u16 tclass, + struct av_decision *avd); int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, const struct qstr *qstr, u32 *out_sid); @@ -294,8 +293,7 @@ int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid); int security_netif_sid(char *name, u32 *if_sid); -int security_node_sid(u16 domain, void *addr, u32 addrlen, - u32 *out_sid); +int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid); int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, u16 tclass); @@ -307,50 +305,47 @@ int security_bounded_transition(u32 oldsid, u32 newsid); int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid); -int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, - u32 xfrm_sid, +int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, u32 xfrm_sid, u32 *peer_sid); -int security_get_classes(struct selinux_policy *policy, - char ***classes, u32 *nclasses); -int security_get_permissions(struct selinux_policy *policy, - const char *class, char ***perms, u32 *nperms); +int security_get_classes(struct selinux_policy *policy, char ***classes, + u32 *nclasses); +int security_get_permissions(struct selinux_policy *policy, const char *class, + char ***perms, u32 *nperms); int security_get_reject_unknown(void); int security_get_allow_unknown(void); -#define SECURITY_FS_USE_XATTR 1 /* use xattr */ -#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */ -#define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */ -#define SECURITY_FS_USE_GENFS 4 /* use the genfs support */ -#define SECURITY_FS_USE_NONE 5 /* no labeling support */ -#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */ -#define SECURITY_FS_USE_NATIVE 7 /* use native label support */ -#define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */ +#define SECURITY_FS_USE_XATTR 1 /* use xattr */ +#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */ +#define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */ +#define SECURITY_FS_USE_GENFS 4 /* use the genfs support */ +#define SECURITY_FS_USE_NONE 5 /* no labeling support */ +#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */ +#define SECURITY_FS_USE_NATIVE 7 /* use native label support */ +#define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */ int security_fs_use(struct super_block *sb); int security_genfs_sid(const char *fstype, const char *path, u16 sclass, u32 *sid); -int selinux_policy_genfs_sid(struct selinux_policy *policy, - const char *fstype, const char *path, u16 sclass, - u32 *sid); +int selinux_policy_genfs_sid(struct selinux_policy *policy, const char *fstype, + const char *path, u16 sclass, u32 *sid); #ifdef CONFIG_NETLABEL int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, u32 *sid); -int security_netlbl_sid_to_secattr(u32 sid, - struct netlbl_lsm_secattr *secattr); +int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr); #else -static inline int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, - u32 *sid) +static inline int +security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, u32 *sid) { return -EIDRM; } -static inline int security_netlbl_sid_to_secattr(u32 sid, - struct netlbl_lsm_secattr *secattr) +static inline int +security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) { return -ENOENT; } @@ -363,13 +358,13 @@ const char *security_get_initial_sid_context(u32 sid); */ extern struct page *selinux_kernel_status_page(void); -#define SELINUX_KERNEL_STATUS_VERSION 1 +#define SELINUX_KERNEL_STATUS_VERSION 1 struct selinux_kernel_status { - u32 version; /* version number of the structure */ - u32 sequence; /* sequence number of seqlock logic */ - u32 enforcing; /* current setting of enforcing mode */ - u32 policyload; /* times of policy reloaded */ - u32 deny_unknown; /* current setting of deny_unknown */ + u32 version; /* version number of the structure */ + u32 sequence; /* sequence number of seqlock logic */ + u32 enforcing; /* current setting of enforcing mode */ + u32 policyload; /* times of policy reloaded */ + u32 deny_unknown; /* current setting of deny_unknown */ /* * The version > 0 supports above members. */ From cea92163383709228207567ea4966954a136e3db Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:57 -0500 Subject: [PATCH 22/24] selinux: fix style issues in security/selinux/include/xfrm.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- security/selinux/include/xfrm.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index c75839860200..de485556ae29 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h @@ -5,6 +5,7 @@ * Author : Trent Jaeger, * Updated : Venkat Yekkirala, */ + #ifndef _SELINUX_XFRM_H_ #define _SELINUX_XFRM_H_ @@ -13,8 +14,7 @@ #include int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, - struct xfrm_user_sec_ctx *uctx, - gfp_t gfp); + struct xfrm_user_sec_ctx *uctx, gfp_t gfp); int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, struct xfrm_sec_ctx **new_ctxp); void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx); From cc2a7341994a5b46abd8a1e05ca018b88f29fe45 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 21 Dec 2023 17:18:58 -0500 Subject: [PATCH 23/24] selinux: fix style issues in security/selinux/include/initial_sid_to_string.h As part of on ongoing effort to perform more automated testing and provide more tools for individual developers to validate their patches before submitting, we are trying to make our code "clang-format clean". My hope is that once we have fixed all of our style "quirks", developers will be able to run clang-format on their patches to help avoid silly formatting problems and ensure their changes fit in well with the rest of the SELinux kernel code. Signed-off-by: Paul Moore --- .../selinux/include/initial_sid_to_string.h | 57 +++++++++---------- 1 file changed, 28 insertions(+), 29 deletions(-) diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h index 5e5f0993dac2..99b353b2abb4 100644 --- a/security/selinux/include/initial_sid_to_string.h +++ b/security/selinux/include/initial_sid_to_string.h @@ -3,33 +3,32 @@ #include static const char *const initial_sid_to_string[] = { - NULL, - "kernel", - "security", - "unlabeled", - NULL, - "file", - NULL, - "init", - "any_socket", - "port", - "netif", - "netmsg", - "node", - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - "devnull", + NULL, /* zero placeholder, not used */ + "kernel", /* kernel / SECINITSID_KERNEL */ + "security", /* security / SECINITSID_SECURITY */ + "unlabeled", /* unlabeled / SECINITSID_UNLABELED */ + NULL, /* fs */ + "file", /* file / SECINITSID_FILE */ + NULL, /* file_labels */ + "init", /* init / SECINITSID_INIT */ + "any_socket", /* any_socket / SECINITSID_ANY_SOCKET */ + "port", /* port / SECINITSID_PORT */ + "netif", /* netif / SECINITSID_NETIF */ + "netmsg", /* netmsg / SECINITSID_NETMSG */ + "node", /* node / SECINITSID_NODE */ + NULL, /* igmp_packet */ + NULL, /* icmp_socket */ + NULL, /* tcp_socket */ + NULL, /* sysctl_modprobe */ + NULL, /* sysctl */ + NULL, /* sysctl_fs */ + NULL, /* sysctl_kernel */ + NULL, /* sysctl_net */ + NULL, /* sysctl_net_unix */ + NULL, /* sysctl_vm */ + NULL, /* sysctl_dev */ + NULL, /* kmod */ + NULL, /* policy */ + NULL, /* scmp_packet */ + "devnull", /* devnull / SECINITSID_DEVNULL */ }; - From bbf5a1d0e5d0fb3bdf90205aa872636122692a50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= Date: Wed, 3 Jan 2024 17:34:15 +0100 Subject: [PATCH 24/24] selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The IPv6 network stack first checks the sockaddr length (-EINVAL error) before checking the family (-EAFNOSUPPORT error). This was discovered thanks to commit a549d055a22e ("selftests/landlock: Add network tests"). Cc: Eric Paris Cc: Konstantin Meskhidze Cc: Paul Moore Cc: Stephen Smalley Reported-by: Muhammad Usama Anjum Closes: https://lore.kernel.org/r/0584f91c-537c-4188-9e4f-04f192565667@collabora.com Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()") Signed-off-by: Mickaël Salaün Tested-by: Muhammad Usama Anjum Signed-off-by: Paul Moore --- security/selinux/hooks.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 863ff67e7849..7c69ce62c106 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4695,6 +4695,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in return -EINVAL; addr4 = (struct sockaddr_in *)address; if (family_sa == AF_UNSPEC) { + if (family == PF_INET6) { + /* Length check from inet6_bind_sk() */ + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + /* Family check from __inet6_bind() */ + goto err_af; + } /* see __inet_bind(), we only want to allow * AF_UNSPEC if the address is INADDR_ANY */