2019-05-31 01:09:32 -07:00
// SPDX-License-Identifier: GPL-2.0-only
2005-04-16 15:20:36 -07:00
/* Updated: Karl MacMillan <kmacmillan@tresys.com>
*
2008-04-17 14:15:45 -04:00
* Added conditional policy language extensions
2005-04-16 15:20:36 -07:00
*
2011-08-01 11:10:33 +00:00
* Updated : Hewlett - Packard < paul @ paul - moore . com >
2008-01-29 08:38:19 -05:00
*
2008-04-17 14:15:45 -04:00
* Added support for the policy capability bitmap
2008-01-29 08:38:19 -05:00
*
* Copyright ( C ) 2007 Hewlett - Packard Development Company , L . P .
2005-04-16 15:20:36 -07:00
* Copyright ( C ) 2003 - 2004 Tresys Technology , LLC
* Copyright ( C ) 2004 Red Hat , Inc . , James Morris < jmorris @ redhat . com >
*/
# include <linux/kernel.h>
# include <linux/pagemap.h>
# include <linux/slab.h>
# include <linux/vmalloc.h>
# include <linux/fs.h>
2019-03-25 16:38:30 +00:00
# include <linux/fs_context.h>
2018-03-20 11:59:11 -04:00
# include <linux/mount.h>
2006-03-22 00:09:14 -08:00
# include <linux/mutex.h>
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
# include <linux/namei.h>
2005-04-16 15:20:36 -07:00
# include <linux/init.h>
# include <linux/string.h>
# include <linux/security.h>
# include <linux/major.h>
# include <linux/seq_file.h>
# include <linux/percpu.h>
2006-01-04 14:08:39 +00:00
# include <linux/audit.h>
2008-05-14 11:27:45 -04:00
# include <linux/uaccess.h>
2011-05-10 15:34:16 -07:00
# include <linux/kobject.h>
2011-05-26 14:59:25 -04:00
# include <linux/ctype.h>
2005-04-16 15:20:36 -07:00
/* selinuxfs pseudo filesystem for exporting the security policy API.
Based on the proc code and the fs / nfsd / nfsctl . c code . */
# include "flask.h"
# include "avc.h"
# include "avc_ss.h"
# include "security.h"
# include "objsec.h"
# include "conditional.h"
2021-02-12 08:37:09 -08:00
# include "ima.h"
2005-04-16 15:20:36 -07:00
enum sel_inos {
SEL_ROOT_INO = 2 ,
SEL_LOAD , /* load policy */
SEL_ENFORCE , /* get or set enforcing status */
SEL_CONTEXT , /* validate context */
SEL_ACCESS , /* compute access decision */
SEL_CREATE , /* compute create labeling decision */
SEL_RELABEL , /* compute relabeling decision */
SEL_USER , /* compute reachable user contexts */
SEL_POLICYVERS , /* return policy version for this kernel */
SEL_COMMIT_BOOLS , /* commit new boolean values */
SEL_MLS , /* return if MLS policy is enabled */
SEL_DISABLE , /* disable SELinux until next reboot */
SEL_MEMBER , /* compute polyinstantiation membership decision */
SEL_CHECKREQPROT , /* check requested protection, not kernel-applied one */
[SECMARK]: Add new packet controls to SELinux
Add new per-packet access controls to SELinux, replacing the old
packet controls.
Packets are labeled with the iptables SECMARK and CONNSECMARK targets,
then security policy for the packets is enforced with these controls.
To allow for a smooth transition to the new controls, the old code is
still present, but not active by default. To restore previous
behavior, the old controls may be activated at runtime by writing a
'1' to /selinux/compat_net, and also via the kernel boot parameter
selinux_compat_net. Switching between the network control models
requires the security load_policy permission. The old controls will
probably eventually be removed and any continued use is discouraged.
With this patch, the new secmark controls for SElinux are disabled by
default, so existing behavior is entirely preserved, and the user is
not affected at all.
It also provides a config option to enable the secmark controls by
default (which can always be overridden at boot and runtime). It is
also noted in the kconfig help that the user will need updated
userspace if enabling secmark controls for SELinux and that they'll
probably need the SECMARK and CONNMARK targets, and conntrack protocol
helpers, although such decisions are beyond the scope of kernel
configuration.
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-06-09 00:33:33 -07:00
SEL_COMPAT_NET , /* whether to use old compat network packet controls */
2007-09-21 14:37:10 -04:00
SEL_REJECT_UNKNOWN , /* export unknown reject handling to userspace */
SEL_DENY_UNKNOWN , /* export unknown deny handling to userspace */
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 18:28:39 +09:00
SEL_STATUS , /* export current status using mmap() */
2010-10-13 17:50:25 -04:00
SEL_POLICY , /* allow userspace to read the in kernel policy */
2015-12-24 11:09:41 -05:00
SEL_VALIDATE_TRANS , /* compute validatetrans decision */
2007-04-04 16:18:39 -04:00
SEL_INO_NEXT , /* The next inode number to use */
2005-04-16 15:20:36 -07:00
} ;
2018-03-20 11:59:11 -04:00
struct selinux_fs_info {
struct dentry * bool_dir ;
unsigned int bool_num ;
char * * bool_pending_names ;
2022-08-30 17:45:00 +02:00
int * bool_pending_values ;
2018-03-20 11:59:11 -04:00
struct dentry * class_dir ;
unsigned long last_class_ino ;
bool policy_opened ;
struct dentry * policycap_dir ;
unsigned long last_ino ;
struct super_block * sb ;
} ;
static int selinux_fs_info_create ( struct super_block * sb )
{
struct selinux_fs_info * fsi ;
fsi = kzalloc ( sizeof ( * fsi ) , GFP_KERNEL ) ;
if ( ! fsi )
return - ENOMEM ;
fsi - > last_ino = SEL_INO_NEXT - 1 ;
fsi - > sb = sb ;
sb - > s_fs_info = fsi ;
return 0 ;
}
static void selinux_fs_info_free ( struct super_block * sb )
{
struct selinux_fs_info * fsi = sb - > s_fs_info ;
2023-08-07 19:11:39 +02:00
unsigned int i ;
2018-03-20 11:59:11 -04:00
if ( fsi ) {
for ( i = 0 ; i < fsi - > bool_num ; i + + )
kfree ( fsi - > bool_pending_names [ i ] ) ;
kfree ( fsi - > bool_pending_names ) ;
kfree ( fsi - > bool_pending_values ) ;
}
kfree ( sb - > s_fs_info ) ;
sb - > s_fs_info = NULL ;
}
2007-04-04 16:18:39 -04:00
2008-01-29 08:38:19 -05:00
# define SEL_INITCON_INO_OFFSET 0x01000000
# define SEL_BOOL_INO_OFFSET 0x02000000
# define SEL_CLASS_INO_OFFSET 0x04000000
# define SEL_POLICYCAP_INO_OFFSET 0x08000000
# define SEL_INO_MASK 0x00ffffff
2007-04-04 10:11:29 -04:00
2020-08-19 15:59:34 -04:00
# define BOOL_DIR_NAME "booleans"
# define CLASS_DIR_NAME "class"
# define POLICYCAP_DIR_NAME "policy_capabilities"
2005-04-16 15:20:36 -07:00
# define TMPBUFLEN 12
static ssize_t sel_read_enforce ( struct file * filp , char __user * buf ,
size_t count , loff_t * ppos )
{
char tmpbuf [ TMPBUFLEN ] ;
ssize_t length ;
2018-03-01 18:48:02 -05:00
length = scnprintf ( tmpbuf , TMPBUFLEN , " %d " ,
2023-03-09 13:30:37 -05:00
enforcing_enabled ( ) ) ;
2005-04-16 15:20:36 -07:00
return simple_read_from_buffer ( buf , count , ppos , tmpbuf , length ) ;
}
# ifdef CONFIG_SECURITY_SELINUX_DEVELOP
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_enforce ( struct file * file , const char __user * buf ,
2005-04-16 15:20:36 -07:00
size_t count , loff_t * ppos )
{
2010-11-23 11:40:08 -05:00
char * page = NULL ;
2005-04-16 15:20:36 -07:00
ssize_t length ;
2023-07-06 15:23:34 +02:00
int scan_value ;
bool old_value , new_value ;
2005-04-16 15:20:36 -07:00
2005-10-30 14:59:24 -08:00
if ( count > = PAGE_SIZE )
2015-12-24 00:08:06 -05:00
return - ENOMEM ;
2010-11-23 11:40:08 -05:00
/* No partial writes. */
if ( * ppos ! = 0 )
2015-12-24 00:08:06 -05:00
return - EINVAL ;
2010-11-23 11:40:08 -05:00
2015-12-24 00:08:06 -05:00
page = memdup_user_nul ( buf , count ) ;
if ( IS_ERR ( page ) )
return PTR_ERR ( page ) ;
2005-04-16 15:20:36 -07:00
length = - EINVAL ;
2023-07-06 15:23:34 +02:00
if ( sscanf ( page , " %d " , & scan_value ) ! = 1 )
2005-04-16 15:20:36 -07:00
goto out ;
2023-07-06 15:23:34 +02:00
new_value = ! ! scan_value ;
2016-11-18 09:30:38 -05:00
2023-03-09 13:30:37 -05:00
old_value = enforcing_enabled ( ) ;
2018-03-01 18:48:02 -05:00
if ( new_value ! = old_value ) {
2023-03-09 13:30:37 -05:00
length = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__SETENFORCE ,
NULL ) ;
2005-04-16 15:20:36 -07:00
if ( length )
goto out ;
2018-05-12 21:58:20 -04:00
audit_log ( audit_context ( ) , GFP_KERNEL , AUDIT_MAC_STATUS ,
2018-04-09 19:34:22 -04:00
" enforcing=%d old_enforcing=%d auid=%u ses=%u "
2019-12-17 09:15:10 -05:00
" enabled=1 old-enabled=1 lsm=selinux res=1 " ,
2018-03-01 18:48:02 -05:00
new_value , old_value ,
2012-08-20 00:09:36 -07:00
from_kuid ( & init_user_ns , audit_get_loginuid ( current ) ) ,
2019-12-17 09:15:10 -05:00
audit_get_sessionid ( current ) ) ;
2023-03-09 13:30:37 -05:00
enforcing_set ( new_value ) ;
2018-03-01 18:48:02 -05:00
if ( new_value )
2023-03-09 13:30:37 -05:00
avc_ss_reset ( 0 ) ;
2018-03-01 18:48:02 -05:00
selnl_notify_setenforce ( new_value ) ;
2023-03-09 13:30:37 -05:00
selinux_status_update_setenforce ( new_value ) ;
2018-03-01 18:48:02 -05:00
if ( ! new_value )
2019-06-14 15:20:14 +03:00
call_blocking_lsm_notifier ( LSM_POLICY_CHANGE , NULL ) ;
2021-02-12 08:37:09 -08:00
2023-03-09 13:30:37 -05:00
selinux_ima_measure_state ( ) ;
2005-04-16 15:20:36 -07:00
}
length = count ;
out :
2015-12-24 00:08:06 -05:00
kfree ( page ) ;
2005-04-16 15:20:36 -07:00
return length ;
}
# else
# define sel_write_enforce NULL
# endif
2007-02-12 00:55:37 -08:00
static const struct file_operations sel_enforce_ops = {
2005-04-16 15:20:36 -07:00
. read = sel_read_enforce ,
. write = sel_write_enforce ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2005-04-16 15:20:36 -07:00
} ;
2007-09-21 14:37:10 -04:00
static ssize_t sel_read_handle_unknown ( struct file * filp , char __user * buf ,
size_t count , loff_t * ppos )
{
char tmpbuf [ TMPBUFLEN ] ;
ssize_t length ;
2013-01-23 17:07:38 -05:00
ino_t ino = file_inode ( filp ) - > i_ino ;
2007-09-21 14:37:10 -04:00
int handle_unknown = ( ino = = SEL_REJECT_UNKNOWN ) ?
2023-03-09 13:30:37 -05:00
security_get_reject_unknown ( ) :
! security_get_allow_unknown ( ) ;
2007-09-21 14:37:10 -04:00
length = scnprintf ( tmpbuf , TMPBUFLEN , " %d " , handle_unknown ) ;
return simple_read_from_buffer ( buf , count , ppos , tmpbuf , length ) ;
}
static const struct file_operations sel_handle_unknown_ops = {
. read = sel_read_handle_unknown ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2007-09-21 14:37:10 -04:00
} ;
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 18:28:39 +09:00
static int sel_open_handle_status ( struct inode * inode , struct file * filp )
{
2023-03-09 13:30:37 -05:00
struct page * status = selinux_kernel_status_page ( ) ;
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 18:28:39 +09:00
if ( ! status )
return - ENOMEM ;
filp - > private_data = status ;
return 0 ;
}
static ssize_t sel_read_handle_status ( struct file * filp , char __user * buf ,
size_t count , loff_t * ppos )
{
struct page * status = filp - > private_data ;
BUG_ON ( ! status ) ;
return simple_read_from_buffer ( buf , count , ppos ,
page_address ( status ) ,
sizeof ( struct selinux_kernel_status ) ) ;
}
static int sel_mmap_handle_status ( struct file * filp ,
struct vm_area_struct * vma )
{
struct page * status = filp - > private_data ;
unsigned long size = vma - > vm_end - vma - > vm_start ;
BUG_ON ( ! status ) ;
/* only allows one page from the head */
if ( vma - > vm_pgoff > 0 | | size ! = PAGE_SIZE )
return - EIO ;
/* disallow writable mapping */
if ( vma - > vm_flags & VM_WRITE )
return - EPERM ;
/* disallow mprotect() turns it into writable */
2023-01-26 11:37:49 -08:00
vm_flags_clear ( vma , VM_MAYWRITE ) ;
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 18:28:39 +09:00
return remap_pfn_range ( vma , vma - > vm_start ,
page_to_pfn ( status ) ,
size , vma - > vm_page_prot ) ;
}
static const struct file_operations sel_handle_status_ops = {
. open = sel_open_handle_status ,
. read = sel_read_handle_status ,
. mmap = sel_mmap_handle_status ,
. llseek = generic_file_llseek ,
} ;
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_disable ( struct file * file , const char __user * buf ,
2005-04-16 15:20:36 -07:00
size_t count , loff_t * ppos )
{
2015-12-24 00:08:06 -05:00
char * page ;
2005-04-16 15:20:36 -07:00
ssize_t length ;
int new_value ;
2019-12-18 21:45:08 -05:00
2005-10-30 14:59:24 -08:00
if ( count > = PAGE_SIZE )
2015-12-24 00:08:06 -05:00
return - ENOMEM ;
2010-11-23 11:40:08 -05:00
/* No partial writes. */
if ( * ppos ! = 0 )
2015-12-24 00:08:06 -05:00
return - EINVAL ;
2010-11-23 11:40:08 -05:00
2015-12-24 00:08:06 -05:00
page = memdup_user_nul ( buf , count ) ;
if ( IS_ERR ( page ) )
return PTR_ERR ( page ) ;
2005-04-16 15:20:36 -07:00
selinux: remove the runtime disable functionality
After working with the larger SELinux-based distros for several
years, we're finally at a place where we can disable the SELinux
runtime disable functionality. The existing kernel deprecation
notice explains the functionality and why we want to remove it:
The selinuxfs "disable" node allows SELinux to be disabled at
runtime prior to a policy being loaded into the kernel. If
disabled via this mechanism, SELinux will remain disabled until
the system is rebooted.
The preferred method of disabling SELinux is via the "selinux=0"
boot parameter, but the selinuxfs "disable" node was created to
make it easier for systems with primitive bootloaders that did not
allow for easy modification of the kernel command line.
Unfortunately, allowing for SELinux to be disabled at runtime makes
it difficult to secure the kernel's LSM hooks using the
"__ro_after_init" feature.
It is that last sentence, mentioning the '__ro_after_init' hardening,
which is the real motivation for this change, and if you look at the
diffstat you'll see that the impact of this patch reaches across all
the different LSMs, helping prevent tampering at the LSM hook level.
From a SELinux perspective, it is important to note that if you
continue to disable SELinux via "/etc/selinux/config" it may appear
that SELinux is disabled, but it is simply in an uninitialized state.
If you load a policy with `load_policy -i`, you will see SELinux
come alive just as if you had loaded the policy during early-boot.
It is also worth noting that the "/sys/fs/selinux/disable" file is
always writable now, regardless of the Kconfig settings, but writing
to the file has no effect on the system, other than to display an
error on the console if a non-zero/true value is written.
Finally, in the several years where we have been working on
deprecating this functionality, there has only been one instance of
someone mentioning any user visible breakage. In this particular
case it was an individual's kernel test system, and the workaround
documented in the deprecation notice ("selinux=0" on the kernel
command line) resolved the issue without problem.
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-03-17 12:43:07 -04:00
if ( sscanf ( page , " %d " , & new_value ) ! = 1 ) {
length = - EINVAL ;
2005-04-16 15:20:36 -07:00
goto out ;
selinux: remove the runtime disable functionality
After working with the larger SELinux-based distros for several
years, we're finally at a place where we can disable the SELinux
runtime disable functionality. The existing kernel deprecation
notice explains the functionality and why we want to remove it:
The selinuxfs "disable" node allows SELinux to be disabled at
runtime prior to a policy being loaded into the kernel. If
disabled via this mechanism, SELinux will remain disabled until
the system is rebooted.
The preferred method of disabling SELinux is via the "selinux=0"
boot parameter, but the selinuxfs "disable" node was created to
make it easier for systems with primitive bootloaders that did not
allow for easy modification of the kernel command line.
Unfortunately, allowing for SELinux to be disabled at runtime makes
it difficult to secure the kernel's LSM hooks using the
"__ro_after_init" feature.
It is that last sentence, mentioning the '__ro_after_init' hardening,
which is the real motivation for this change, and if you look at the
diffstat you'll see that the impact of this patch reaches across all
the different LSMs, helping prevent tampering at the LSM hook level.
From a SELinux perspective, it is important to note that if you
continue to disable SELinux via "/etc/selinux/config" it may appear
that SELinux is disabled, but it is simply in an uninitialized state.
If you load a policy with `load_policy -i`, you will see SELinux
come alive just as if you had loaded the policy during early-boot.
It is also worth noting that the "/sys/fs/selinux/disable" file is
always writable now, regardless of the Kconfig settings, but writing
to the file has no effect on the system, other than to display an
error on the console if a non-zero/true value is written.
Finally, in the several years where we have been working on
deprecating this functionality, there has only been one instance of
someone mentioning any user visible breakage. In this particular
case it was an individual's kernel test system, and the workaround
documented in the deprecation notice ("selinux=0" on the kernel
command line) resolved the issue without problem.
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-03-17 12:43:07 -04:00
}
length = count ;
2005-04-16 15:20:36 -07:00
if ( new_value ) {
selinux: remove the runtime disable functionality
After working with the larger SELinux-based distros for several
years, we're finally at a place where we can disable the SELinux
runtime disable functionality. The existing kernel deprecation
notice explains the functionality and why we want to remove it:
The selinuxfs "disable" node allows SELinux to be disabled at
runtime prior to a policy being loaded into the kernel. If
disabled via this mechanism, SELinux will remain disabled until
the system is rebooted.
The preferred method of disabling SELinux is via the "selinux=0"
boot parameter, but the selinuxfs "disable" node was created to
make it easier for systems with primitive bootloaders that did not
allow for easy modification of the kernel command line.
Unfortunately, allowing for SELinux to be disabled at runtime makes
it difficult to secure the kernel's LSM hooks using the
"__ro_after_init" feature.
It is that last sentence, mentioning the '__ro_after_init' hardening,
which is the real motivation for this change, and if you look at the
diffstat you'll see that the impact of this patch reaches across all
the different LSMs, helping prevent tampering at the LSM hook level.
From a SELinux perspective, it is important to note that if you
continue to disable SELinux via "/etc/selinux/config" it may appear
that SELinux is disabled, but it is simply in an uninitialized state.
If you load a policy with `load_policy -i`, you will see SELinux
come alive just as if you had loaded the policy during early-boot.
It is also worth noting that the "/sys/fs/selinux/disable" file is
always writable now, regardless of the Kconfig settings, but writing
to the file has no effect on the system, other than to display an
error on the console if a non-zero/true value is written.
Finally, in the several years where we have been working on
deprecating this functionality, there has only been one instance of
someone mentioning any user visible breakage. In this particular
case it was an individual's kernel test system, and the workaround
documented in the deprecation notice ("selinux=0" on the kernel
command line) resolved the issue without problem.
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-03-17 12:43:07 -04:00
pr_err ( " SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable \n " ) ;
pr_err ( " SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline. \n " ) ;
2005-04-16 15:20:36 -07:00
}
out :
2015-12-24 00:08:06 -05:00
kfree ( page ) ;
2005-04-16 15:20:36 -07:00
return length ;
}
2007-02-12 00:55:37 -08:00
static const struct file_operations sel_disable_ops = {
2005-04-16 15:20:36 -07:00
. write = sel_write_disable ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2005-04-16 15:20:36 -07:00
} ;
static ssize_t sel_read_policyvers ( struct file * filp , char __user * buf ,
2008-04-17 14:15:45 -04:00
size_t count , loff_t * ppos )
2005-04-16 15:20:36 -07:00
{
char tmpbuf [ TMPBUFLEN ] ;
ssize_t length ;
length = scnprintf ( tmpbuf , TMPBUFLEN , " %u " , POLICYDB_VERSION_MAX ) ;
return simple_read_from_buffer ( buf , count , ppos , tmpbuf , length ) ;
}
2007-02-12 00:55:37 -08:00
static const struct file_operations sel_policyvers_ops = {
2005-04-16 15:20:36 -07:00
. read = sel_read_policyvers ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2005-04-16 15:20:36 -07:00
} ;
/* declaration for sel_write_load */
2020-08-19 15:59:33 -04:00
static int sel_make_bools ( struct selinux_policy * newpolicy , struct dentry * bool_dir ,
unsigned int * bool_num , char * * * bool_pending_names ,
2022-08-30 17:45:00 +02:00
int * * bool_pending_values ) ;
2020-08-19 15:59:33 -04:00
static int sel_make_classes ( struct selinux_policy * newpolicy ,
struct dentry * class_dir ,
unsigned long * last_class_ino ) ;
2007-05-23 09:12:09 -04:00
/* declaration for sel_make_class_dirs */
2012-03-18 20:36:59 -04:00
static struct dentry * sel_make_dir ( struct dentry * dir , const char * name ,
2007-05-23 09:12:09 -04:00
unsigned long * ino ) ;
2005-04-16 15:20:36 -07:00
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
/* declaration for sel_make_policy_nodes */
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
static struct dentry * sel_make_swapover_dir ( struct super_block * sb ,
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
unsigned long * ino ) ;
2005-04-16 15:20:36 -07:00
static ssize_t sel_read_mls ( struct file * filp , char __user * buf ,
size_t count , loff_t * ppos )
{
char tmpbuf [ TMPBUFLEN ] ;
ssize_t length ;
2010-02-03 16:40:20 +01:00
length = scnprintf ( tmpbuf , TMPBUFLEN , " %d " ,
2023-03-09 13:30:37 -05:00
security_mls_enabled ( ) ) ;
2005-04-16 15:20:36 -07:00
return simple_read_from_buffer ( buf , count , ppos , tmpbuf , length ) ;
}
2007-02-12 00:55:37 -08:00
static const struct file_operations sel_mls_ops = {
2005-04-16 15:20:36 -07:00
. read = sel_read_mls ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2005-04-16 15:20:36 -07:00
} ;
2010-10-13 17:50:25 -04:00
struct policy_load_memory {
size_t len ;
void * data ;
} ;
static int sel_open_policy ( struct inode * inode , struct file * filp )
{
2018-03-20 11:59:11 -04:00
struct selinux_fs_info * fsi = inode - > i_sb - > s_fs_info ;
2010-10-13 17:50:25 -04:00
struct policy_load_memory * plm = NULL ;
int rc ;
BUG_ON ( filp - > private_data ) ;
2023-03-09 13:30:37 -05:00
mutex_lock ( & selinux_state . policy_mutex ) ;
2010-10-13 17:50:25 -04:00
2023-03-09 13:30:37 -05:00
rc = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__READ_POLICY , NULL ) ;
2010-10-13 17:50:25 -04:00
if ( rc )
goto err ;
rc = - EBUSY ;
2018-03-20 11:59:11 -04:00
if ( fsi - > policy_opened )
2010-10-13 17:50:25 -04:00
goto err ;
rc = - ENOMEM ;
plm = kzalloc ( sizeof ( * plm ) , GFP_KERNEL ) ;
if ( ! plm )
goto err ;
2023-03-09 13:30:37 -05:00
rc = security_read_policy ( & plm - > data , & plm - > len ) ;
2010-10-13 17:50:25 -04:00
if ( rc )
goto err ;
2020-08-27 18:27:53 +02:00
if ( ( size_t ) i_size_read ( inode ) ! = plm - > len ) {
inode_lock ( inode ) ;
i_size_write ( inode , plm - > len ) ;
inode_unlock ( inode ) ;
}
2018-03-20 11:59:11 -04:00
fsi - > policy_opened = 1 ;
2010-10-13 17:50:25 -04:00
filp - > private_data = plm ;
2023-03-09 13:30:37 -05:00
mutex_unlock ( & selinux_state . policy_mutex ) ;
2010-10-13 17:50:25 -04:00
return 0 ;
err :
2023-03-09 13:30:37 -05:00
mutex_unlock ( & selinux_state . policy_mutex ) ;
2010-10-13 17:50:25 -04:00
if ( plm )
vfree ( plm - > data ) ;
kfree ( plm ) ;
return rc ;
}
static int sel_release_policy ( struct inode * inode , struct file * filp )
{
2018-03-20 11:59:11 -04:00
struct selinux_fs_info * fsi = inode - > i_sb - > s_fs_info ;
2010-10-13 17:50:25 -04:00
struct policy_load_memory * plm = filp - > private_data ;
BUG_ON ( ! plm ) ;
2018-03-20 11:59:11 -04:00
fsi - > policy_opened = 0 ;
2010-10-13 17:50:25 -04:00
vfree ( plm - > data ) ;
kfree ( plm ) ;
return 0 ;
}
static ssize_t sel_read_policy ( struct file * filp , char __user * buf ,
size_t count , loff_t * ppos )
{
struct policy_load_memory * plm = filp - > private_data ;
int ret ;
2023-03-09 13:30:37 -05:00
ret = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__READ_POLICY , NULL ) ;
2010-10-13 17:50:25 -04:00
if ( ret )
2018-06-28 20:39:54 -04:00
return ret ;
2010-10-13 17:50:25 -04:00
2018-06-28 20:39:54 -04:00
return simple_read_from_buffer ( buf , count , ppos , plm - > data , plm - > len ) ;
2010-10-13 17:50:25 -04:00
}
2018-04-14 21:02:41 +05:30
static vm_fault_t sel_mmap_policy_fault ( struct vm_fault * vmf )
2010-10-13 17:50:31 -04:00
{
2017-02-24 14:56:41 -08:00
struct policy_load_memory * plm = vmf - > vma - > vm_file - > private_data ;
2010-10-13 17:50:31 -04:00
unsigned long offset ;
struct page * page ;
if ( vmf - > flags & ( FAULT_FLAG_MKWRITE | FAULT_FLAG_WRITE ) )
return VM_FAULT_SIGBUS ;
offset = vmf - > pgoff < < PAGE_SHIFT ;
if ( offset > = roundup ( plm - > len , PAGE_SIZE ) )
return VM_FAULT_SIGBUS ;
page = vmalloc_to_page ( plm - > data + offset ) ;
get_page ( page ) ;
vmf - > page = page ;
return 0 ;
}
2015-09-09 15:39:26 -07:00
static const struct vm_operations_struct sel_mmap_policy_ops = {
2010-10-13 17:50:31 -04:00
. fault = sel_mmap_policy_fault ,
. page_mkwrite = sel_mmap_policy_fault ,
} ;
2011-08-30 10:50:12 +10:00
static int sel_mmap_policy ( struct file * filp , struct vm_area_struct * vma )
2010-10-13 17:50:31 -04:00
{
if ( vma - > vm_flags & VM_SHARED ) {
/* do not allow mprotect to make mapping writable */
2023-01-26 11:37:49 -08:00
vm_flags_clear ( vma , VM_MAYWRITE ) ;
2010-10-13 17:50:31 -04:00
if ( vma - > vm_flags & VM_WRITE )
return - EACCES ;
}
2023-01-26 11:37:49 -08:00
vm_flags_set ( vma , VM_DONTEXPAND | VM_DONTDUMP ) ;
2010-10-13 17:50:31 -04:00
vma - > vm_ops = & sel_mmap_policy_ops ;
return 0 ;
}
2010-10-13 17:50:25 -04:00
static const struct file_operations sel_policy_ops = {
. open = sel_open_policy ,
. read = sel_read_policy ,
2010-10-13 17:50:31 -04:00
. mmap = sel_mmap_policy ,
2010-10-13 17:50:25 -04:00
. release = sel_release_policy ,
2012-02-16 15:08:39 -05:00
. llseek = generic_file_llseek ,
2010-10-13 17:50:25 -04:00
} ;
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
static void sel_remove_old_bool_data ( unsigned int bool_num , char * * bool_names ,
2022-08-30 17:45:00 +02:00
int * bool_values )
2020-08-19 15:59:32 -04:00
{
u32 i ;
/* bool_dir cleanup */
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
for ( i = 0 ; i < bool_num ; i + + )
kfree ( bool_names [ i ] ) ;
kfree ( bool_names ) ;
kfree ( bool_values ) ;
2020-08-19 15:59:32 -04:00
}
2020-08-07 09:29:34 -04:00
static int sel_make_policy_nodes ( struct selinux_fs_info * fsi ,
struct selinux_policy * newpolicy )
2018-03-20 11:59:11 -04:00
{
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
int ret = 0 ;
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
struct dentry * tmp_parent , * tmp_bool_dir , * tmp_class_dir ;
unsigned int bool_num = 0 ;
char * * bool_names = NULL ;
int * bool_values = NULL ;
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
unsigned long tmp_ino = fsi - > last_ino ; /* Don't increment last_ino in this function */
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
tmp_parent = sel_make_swapover_dir ( fsi - > sb , & tmp_ino ) ;
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
if ( IS_ERR ( tmp_parent ) )
return PTR_ERR ( tmp_parent ) ;
tmp_ino = fsi - > bool_dir - > d_inode - > i_ino - 1 ; /* sel_make_dir will increment and set */
tmp_bool_dir = sel_make_dir ( tmp_parent , BOOL_DIR_NAME , & tmp_ino ) ;
if ( IS_ERR ( tmp_bool_dir ) ) {
ret = PTR_ERR ( tmp_bool_dir ) ;
goto out ;
}
2018-03-20 11:59:11 -04:00
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
tmp_ino = fsi - > class_dir - > d_inode - > i_ino - 1 ; /* sel_make_dir will increment and set */
tmp_class_dir = sel_make_dir ( tmp_parent , CLASS_DIR_NAME , & tmp_ino ) ;
if ( IS_ERR ( tmp_class_dir ) ) {
ret = PTR_ERR ( tmp_class_dir ) ;
goto out ;
}
2020-08-19 15:59:32 -04:00
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
ret = sel_make_bools ( newpolicy , tmp_bool_dir , & bool_num ,
& bool_names , & bool_values ) ;
2021-03-18 22:53:03 +01:00
if ( ret )
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
goto out ;
2018-03-20 11:59:11 -04:00
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
ret = sel_make_classes ( newpolicy , tmp_class_dir ,
2020-08-19 15:59:33 -04:00
& fsi - > last_class_ino ) ;
2021-03-18 22:53:03 +01:00
if ( ret )
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
goto out ;
2018-03-20 11:59:11 -04:00
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
lock_rename ( tmp_parent , fsi - > sb - > s_root ) ;
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
/* booleans */
d_exchange ( tmp_bool_dir , fsi - > bool_dir ) ;
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
swap ( fsi - > bool_num , bool_num ) ;
swap ( fsi - > bool_pending_names , bool_names ) ;
swap ( fsi - > bool_pending_values , bool_values ) ;
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
fsi - > bool_dir = tmp_bool_dir ;
/* classes */
d_exchange ( tmp_class_dir , fsi - > class_dir ) ;
fsi - > class_dir = tmp_class_dir ;
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
unlock_rename ( tmp_parent , fsi - > sb - > s_root ) ;
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
out :
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
sel_remove_old_bool_data ( bool_num , bool_names , bool_values ) ;
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
/* Since the other temporary dirs are children of tmp_parent
* this will handle all the cleanup in the case of a failure before
* the swapover
*/
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
simple_recursive_removal ( tmp_parent , NULL ) ;
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
return ret ;
2018-03-20 11:59:11 -04:00
}
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_load ( struct file * file , const char __user * buf ,
2005-04-16 15:20:36 -07:00
size_t count , loff_t * ppos )
{
2024-03-04 22:12:22 -05:00
struct selinux_fs_info * fsi ;
2021-03-18 22:53:02 +01:00
struct selinux_load_state load_state ;
2005-04-16 15:20:36 -07:00
ssize_t length ;
void * data = NULL ;
2024-03-04 22:12:22 -05:00
/* no partial writes */
if ( * ppos )
return - EINVAL ;
/* no empty policies */
if ( ! count )
return - EINVAL ;
2023-03-09 13:30:37 -05:00
mutex_lock ( & selinux_state . policy_mutex ) ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__LOAD_POLICY , NULL ) ;
2005-04-16 15:20:36 -07:00
if ( length )
goto out ;
2010-11-23 11:40:08 -05:00
data = vmalloc ( count ) ;
2024-03-04 22:12:22 -05:00
if ( ! data ) {
length = - ENOMEM ;
2005-04-16 15:20:36 -07:00
goto out ;
2024-03-04 22:12:22 -05:00
}
if ( copy_from_user ( data , buf , count ) ! = 0 ) {
length = - EFAULT ;
2005-04-16 15:20:36 -07:00
goto out ;
2024-03-04 22:12:22 -05:00
}
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_load_policy ( data , count , & load_state ) ;
2017-01-09 10:07:31 -05:00
if ( length ) {
pr_warn_ratelimited ( " SELinux: failed to load policy \n " ) ;
2005-04-16 15:20:36 -07:00
goto out ;
2017-01-09 10:07:31 -05:00
}
2024-03-04 22:12:22 -05:00
fsi = file_inode ( file ) - > i_sb - > s_fs_info ;
2021-03-18 22:53:02 +01:00
length = sel_make_policy_nodes ( fsi , load_state . policy ) ;
2020-08-07 09:29:34 -04:00
if ( length ) {
2021-03-18 22:53:03 +01:00
pr_warn_ratelimited ( " SELinux: failed to initialize selinuxfs \n " ) ;
2023-03-09 13:30:37 -05:00
selinux_policy_cancel ( & load_state ) ;
2021-03-18 22:53:01 +01:00
goto out ;
2020-08-07 09:29:34 -04:00
}
2023-03-09 13:30:37 -05:00
selinux_policy_commit ( & load_state ) ;
2010-11-23 11:40:08 -05:00
length = count ;
2018-05-12 21:58:20 -04:00
audit_log ( audit_context ( ) , GFP_KERNEL , AUDIT_MAC_POLICY_LOAD ,
2018-04-09 19:36:31 -04:00
" auid=%u ses=%u lsm=selinux res=1 " ,
2012-08-20 00:09:36 -07:00
from_kuid ( & init_user_ns , audit_get_loginuid ( current ) ) ,
2008-01-08 10:06:53 -05:00
audit_get_sessionid ( current ) ) ;
2024-03-04 22:12:22 -05:00
2005-04-16 15:20:36 -07:00
out :
2023-03-09 13:30:37 -05:00
mutex_unlock ( & selinux_state . policy_mutex ) ;
2005-04-16 15:20:36 -07:00
vfree ( data ) ;
return length ;
}
2007-02-12 00:55:37 -08:00
static const struct file_operations sel_load_ops = {
2005-04-16 15:20:36 -07:00
. write = sel_write_load ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2005-04-16 15:20:36 -07:00
} ;
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_context ( struct file * file , char * buf , size_t size )
2005-04-16 15:20:36 -07:00
{
2010-11-23 11:40:08 -05:00
char * canon = NULL ;
2005-11-08 21:34:33 -08:00
u32 sid , len ;
2005-04-16 15:20:36 -07:00
ssize_t length ;
2023-03-09 13:30:37 -05:00
length = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__CHECK_CONTEXT , NULL ) ;
2005-04-16 15:20:36 -07:00
if ( length )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_context_to_sid ( buf , size , & sid , GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_sid_to_context ( sid , & canon , & len ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-11-08 21:34:33 -08:00
2010-11-23 11:40:08 -05:00
length = - ERANGE ;
2005-11-08 21:34:33 -08:00
if ( len > SIMPLE_TRANSACTION_LIMIT ) {
2018-06-12 10:09:06 +02:00
pr_err ( " SELinux: %s: context size (%u) exceeds "
2008-04-17 11:52:44 -04:00
" payload max \n " , __func__ , len ) ;
2005-04-16 15:20:36 -07:00
goto out ;
2005-11-08 21:34:33 -08:00
}
2005-04-16 15:20:36 -07:00
2005-11-08 21:34:33 -08:00
memcpy ( buf , canon , len ) ;
length = len ;
2005-04-16 15:20:36 -07:00
out :
2005-11-08 21:34:33 -08:00
kfree ( canon ) ;
2005-04-16 15:20:36 -07:00
return length ;
}
static ssize_t sel_read_checkreqprot ( struct file * filp , char __user * buf ,
size_t count , loff_t * ppos )
{
char tmpbuf [ TMPBUFLEN ] ;
ssize_t length ;
2020-09-14 10:31:57 -07:00
length = scnprintf ( tmpbuf , TMPBUFLEN , " %u " ,
2023-03-09 13:30:37 -05:00
checkreqprot_get ( ) ) ;
2005-04-16 15:20:36 -07:00
return simple_read_from_buffer ( buf , count , ppos , tmpbuf , length ) ;
}
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_checkreqprot ( struct file * file , const char __user * buf ,
2005-04-16 15:20:36 -07:00
size_t count , loff_t * ppos )
{
2015-12-24 00:08:06 -05:00
char * page ;
2005-04-16 15:20:36 -07:00
ssize_t length ;
unsigned int new_value ;
2023-03-09 13:30:37 -05:00
length = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__SETCHECKREQPROT ,
NULL ) ;
2005-04-16 15:20:36 -07:00
if ( length )
2015-12-24 00:08:06 -05:00
return length ;
2005-04-16 15:20:36 -07:00
2005-10-30 14:59:24 -08:00
if ( count > = PAGE_SIZE )
2015-12-24 00:08:06 -05:00
return - ENOMEM ;
2010-11-23 11:40:08 -05:00
/* No partial writes. */
if ( * ppos ! = 0 )
2015-12-24 00:08:06 -05:00
return - EINVAL ;
2010-11-23 11:40:08 -05:00
2015-12-24 00:08:06 -05:00
page = memdup_user_nul ( buf , count ) ;
if ( IS_ERR ( page ) )
return PTR_ERR ( page ) ;
2005-04-16 15:20:36 -07:00
selinux: remove the 'checkreqprot' functionality
We originally promised that the SELinux 'checkreqprot' functionality
would be removed no sooner than June 2021, and now that it is March
2023 it seems like it is a good time to do the final removal. The
deprecation notice in the kernel provides plenty of detail on why
'checkreqprot' is not desirable, with the key point repeated below:
This was a compatibility mechanism for legacy userspace and
for the READ_IMPLIES_EXEC personality flag. However, if set to
1, it weakens security by allowing mappings to be made executable
without authorization by policy. The default value of checkreqprot
at boot was changed starting in Linux v4.4 to 0 (i.e. check the
actual protection), and Android and Linux distributions have been
explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
initialization for some time.
Along with the official deprecation notice, we have been discussing
this on-list and directly with several of the larger SELinux-based
distros and everyone is happy to see this feature finally removed.
In an attempt to catch all of the smaller, and DIY, Linux systems
we have been writing a deprecation notice URL into the kernel log,
along with a growing ssleep() penalty, when admins enabled
checkreqprot at runtime or via the kernel command line. We have
yet to have anyone come to us and raise an objection to the
deprecation or planned removal.
It is worth noting that while this patch removes the checkreqprot
functionality, it leaves the user visible interfaces (kernel command
line and selinuxfs file) intact, just inert. This should help
prevent breakages with existing userspace tools that correctly, but
unnecessarily, disable checkreqprot at boot or runtime. Admins
that attempt to enable checkreqprot will be met with a removal
message in the kernel log.
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-03-16 11:43:08 -04:00
if ( sscanf ( page , " %u " , & new_value ) ! = 1 ) {
length = - EINVAL ;
2005-04-16 15:20:36 -07:00
goto out ;
selinux: remove the 'checkreqprot' functionality
We originally promised that the SELinux 'checkreqprot' functionality
would be removed no sooner than June 2021, and now that it is March
2023 it seems like it is a good time to do the final removal. The
deprecation notice in the kernel provides plenty of detail on why
'checkreqprot' is not desirable, with the key point repeated below:
This was a compatibility mechanism for legacy userspace and
for the READ_IMPLIES_EXEC personality flag. However, if set to
1, it weakens security by allowing mappings to be made executable
without authorization by policy. The default value of checkreqprot
at boot was changed starting in Linux v4.4 to 0 (i.e. check the
actual protection), and Android and Linux distributions have been
explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
initialization for some time.
Along with the official deprecation notice, we have been discussing
this on-list and directly with several of the larger SELinux-based
distros and everyone is happy to see this feature finally removed.
In an attempt to catch all of the smaller, and DIY, Linux systems
we have been writing a deprecation notice URL into the kernel log,
along with a growing ssleep() penalty, when admins enabled
checkreqprot at runtime or via the kernel command line. We have
yet to have anyone come to us and raise an objection to the
deprecation or planned removal.
It is worth noting that while this patch removes the checkreqprot
functionality, it leaves the user visible interfaces (kernel command
line and selinuxfs file) intact, just inert. This should help
prevent breakages with existing userspace tools that correctly, but
unnecessarily, disable checkreqprot at boot or runtime. Admins
that attempt to enable checkreqprot will be met with a removal
message in the kernel log.
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-03-16 11:43:08 -04:00
}
length = count ;
2005-04-16 15:20:36 -07:00
2020-01-08 11:24:47 -05:00
if ( new_value ) {
char comm [ sizeof ( current - > comm ) ] ;
memcpy ( comm , current - > comm , sizeof ( comm ) ) ;
selinux: remove the 'checkreqprot' functionality
We originally promised that the SELinux 'checkreqprot' functionality
would be removed no sooner than June 2021, and now that it is March
2023 it seems like it is a good time to do the final removal. The
deprecation notice in the kernel provides plenty of detail on why
'checkreqprot' is not desirable, with the key point repeated below:
This was a compatibility mechanism for legacy userspace and
for the READ_IMPLIES_EXEC personality flag. However, if set to
1, it weakens security by allowing mappings to be made executable
without authorization by policy. The default value of checkreqprot
at boot was changed starting in Linux v4.4 to 0 (i.e. check the
actual protection), and Android and Linux distributions have been
explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
initialization for some time.
Along with the official deprecation notice, we have been discussing
this on-list and directly with several of the larger SELinux-based
distros and everyone is happy to see this feature finally removed.
In an attempt to catch all of the smaller, and DIY, Linux systems
we have been writing a deprecation notice URL into the kernel log,
along with a growing ssleep() penalty, when admins enabled
checkreqprot at runtime or via the kernel command line. We have
yet to have anyone come to us and raise an objection to the
deprecation or planned removal.
It is worth noting that while this patch removes the checkreqprot
functionality, it leaves the user visible interfaces (kernel command
line and selinuxfs file) intact, just inert. This should help
prevent breakages with existing userspace tools that correctly, but
unnecessarily, disable checkreqprot at boot or runtime. Admins
that attempt to enable checkreqprot will be met with a removal
message in the kernel log.
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-03-16 11:43:08 -04:00
pr_err ( " SELinux: %s (%d) set checkreqprot to 1. This is no longer supported. \n " ,
2022-03-08 17:11:57 -05:00
comm , current - > pid ) ;
2020-01-08 11:24:47 -05:00
}
2023-03-09 13:30:37 -05:00
selinux_ima_measure_state ( ) ;
2021-02-12 08:37:09 -08:00
2005-04-16 15:20:36 -07:00
out :
2015-12-24 00:08:06 -05:00
kfree ( page ) ;
2005-04-16 15:20:36 -07:00
return length ;
}
2007-02-12 00:55:37 -08:00
static const struct file_operations sel_checkreqprot_ops = {
2005-04-16 15:20:36 -07:00
. read = sel_read_checkreqprot ,
. write = sel_write_checkreqprot ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2005-04-16 15:20:36 -07:00
} ;
2015-12-24 11:09:41 -05:00
static ssize_t sel_write_validatetrans ( struct file * file ,
const char __user * buf ,
size_t count , loff_t * ppos )
{
char * oldcon = NULL , * newcon = NULL , * taskcon = NULL ;
char * req = NULL ;
u32 osid , nsid , tsid ;
u16 tclass ;
int rc ;
2023-03-09 13:30:37 -05:00
rc = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__VALIDATE_TRANS , NULL ) ;
2015-12-24 11:09:41 -05:00
if ( rc )
goto out ;
rc = - ENOMEM ;
if ( count > = PAGE_SIZE )
goto out ;
/* No partial writes. */
rc = - EINVAL ;
if ( * ppos ! = 0 )
goto out ;
2017-05-13 18:12:07 -04:00
req = memdup_user_nul ( buf , count ) ;
if ( IS_ERR ( req ) ) {
rc = PTR_ERR ( req ) ;
req = NULL ;
2015-12-24 11:09:41 -05:00
goto out ;
2017-05-13 18:12:07 -04:00
}
2015-12-24 11:09:41 -05:00
rc = - ENOMEM ;
oldcon = kzalloc ( count + 1 , GFP_KERNEL ) ;
if ( ! oldcon )
goto out ;
newcon = kzalloc ( count + 1 , GFP_KERNEL ) ;
if ( ! newcon )
goto out ;
taskcon = kzalloc ( count + 1 , GFP_KERNEL ) ;
if ( ! taskcon )
goto out ;
rc = - EINVAL ;
if ( sscanf ( req , " %s %s %hu %s " , oldcon , newcon , & tclass , taskcon ) ! = 4 )
goto out ;
2023-03-09 13:30:37 -05:00
rc = security_context_str_to_sid ( oldcon , & osid , GFP_KERNEL ) ;
2015-12-24 11:09:41 -05:00
if ( rc )
goto out ;
2023-03-09 13:30:37 -05:00
rc = security_context_str_to_sid ( newcon , & nsid , GFP_KERNEL ) ;
2015-12-24 11:09:41 -05:00
if ( rc )
goto out ;
2023-03-09 13:30:37 -05:00
rc = security_context_str_to_sid ( taskcon , & tsid , GFP_KERNEL ) ;
2015-12-24 11:09:41 -05:00
if ( rc )
goto out ;
2023-03-09 13:30:37 -05:00
rc = security_validate_transition_user ( osid , nsid , tsid , tclass ) ;
2015-12-24 11:09:41 -05:00
if ( ! rc )
rc = count ;
out :
kfree ( req ) ;
kfree ( oldcon ) ;
kfree ( newcon ) ;
kfree ( taskcon ) ;
return rc ;
}
static const struct file_operations sel_transition_ops = {
. write = sel_write_validatetrans ,
. llseek = generic_file_llseek ,
} ;
2005-04-16 15:20:36 -07:00
/*
* Remaining nodes use transaction based IO methods like nfsd / nfsctl . c
*/
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_access ( struct file * file , char * buf , size_t size ) ;
static ssize_t sel_write_create ( struct file * file , char * buf , size_t size ) ;
static ssize_t sel_write_relabel ( struct file * file , char * buf , size_t size ) ;
static ssize_t sel_write_user ( struct file * file , char * buf , size_t size ) ;
static ssize_t sel_write_member ( struct file * file , char * buf , size_t size ) ;
2005-04-16 15:20:36 -07:00
2018-07-17 10:43:56 -07:00
static ssize_t ( * const write_op [ ] ) ( struct file * , char * , size_t ) = {
2005-04-16 15:20:36 -07:00
[ SEL_ACCESS ] = sel_write_access ,
[ SEL_CREATE ] = sel_write_create ,
[ SEL_RELABEL ] = sel_write_relabel ,
[ SEL_USER ] = sel_write_user ,
[ SEL_MEMBER ] = sel_write_member ,
2005-11-08 21:34:33 -08:00
[ SEL_CONTEXT ] = sel_write_context ,
2005-04-16 15:20:36 -07:00
} ;
static ssize_t selinux_transaction_write ( struct file * file , const char __user * buf , size_t size , loff_t * pos )
{
2013-01-23 17:07:38 -05:00
ino_t ino = file_inode ( file ) - > i_ino ;
2005-04-16 15:20:36 -07:00
char * data ;
ssize_t rv ;
2006-01-06 00:11:22 -08:00
if ( ino > = ARRAY_SIZE ( write_op ) | | ! write_op [ ino ] )
2005-04-16 15:20:36 -07:00
return - EINVAL ;
data = simple_transaction_get ( file , buf , size ) ;
if ( IS_ERR ( data ) )
return PTR_ERR ( data ) ;
2008-04-17 14:15:45 -04:00
rv = write_op [ ino ] ( file , data , size ) ;
if ( rv > 0 ) {
2005-04-16 15:20:36 -07:00
simple_transaction_set ( file , rv ) ;
rv = size ;
}
return rv ;
}
2007-02-12 00:55:37 -08:00
static const struct file_operations transaction_ops = {
2005-04-16 15:20:36 -07:00
. write = selinux_transaction_write ,
. read = simple_transaction_read ,
. release = simple_transaction_release ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2005-04-16 15:20:36 -07:00
} ;
/*
* payload - write methods
* If the method has a response , the response should be put in buf ,
* and the length returned . Otherwise return 0 or and - error .
*/
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_access ( struct file * file , char * buf , size_t size )
2005-04-16 15:20:36 -07:00
{
2010-11-23 11:40:08 -05:00
char * scon = NULL , * tcon = NULL ;
2005-04-16 15:20:36 -07:00
u32 ssid , tsid ;
u16 tclass ;
struct av_decision avd ;
ssize_t length ;
2023-03-09 13:30:37 -05:00
length = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__COMPUTE_AV , NULL ) ;
2005-04-16 15:20:36 -07:00
if ( length )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
length = - ENOMEM ;
2010-04-09 19:30:29 +08:00
scon = kzalloc ( size + 1 , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ! scon )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
length = - ENOMEM ;
2010-04-09 19:30:29 +08:00
tcon = kzalloc ( size + 1 , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ! tcon )
goto out ;
length = - EINVAL ;
2010-01-14 17:28:10 -05:00
if ( sscanf ( buf , " %s %s %hu " , scon , tcon , & tclass ) ! = 3 )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_context_str_to_sid ( scon , & ssid , GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2023-03-09 13:30:37 -05:00
length = security_context_str_to_sid ( tcon , & tsid , GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
security_compute_av_user ( ssid , tsid , tclass , & avd ) ;
2005-04-16 15:20:36 -07:00
length = scnprintf ( buf , SIMPLE_TRANSACTION_LIMIT ,
Permissive domain in userspace object manager
This patch enables applications to handle permissive domain correctly.
Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.
This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.
This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/avc.c | 2 +-
security/selinux/include/security.h | 4 +++-
security/selinux/selinuxfs.c | 4 ++--
security/selinux/ss/services.c | 30 +++++-------------------------
4 files changed, 11 insertions(+), 29 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2009-04-01 10:07:57 +09:00
" %x %x %x %x %u %x " ,
2009-02-12 14:50:54 -05:00
avd . allowed , 0xffffffff ,
2005-04-16 15:20:36 -07:00
avd . auditallow , avd . auditdeny ,
Permissive domain in userspace object manager
This patch enables applications to handle permissive domain correctly.
Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.
This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.
This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/avc.c | 2 +-
security/selinux/include/security.h | 4 +++-
security/selinux/selinuxfs.c | 4 ++--
security/selinux/ss/services.c | 30 +++++-------------------------
4 files changed, 11 insertions(+), 29 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2009-04-01 10:07:57 +09:00
avd . seqno , avd . flags ) ;
2005-04-16 15:20:36 -07:00
out :
2010-11-23 11:40:08 -05:00
kfree ( tcon ) ;
2005-04-16 15:20:36 -07:00
kfree ( scon ) ;
return length ;
}
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_create ( struct file * file , char * buf , size_t size )
2005-04-16 15:20:36 -07:00
{
2010-11-23 11:40:08 -05:00
char * scon = NULL , * tcon = NULL ;
2011-04-01 15:39:26 +01:00
char * namebuf = NULL , * objname = NULL ;
2005-04-16 15:20:36 -07:00
u32 ssid , tsid , newsid ;
u16 tclass ;
ssize_t length ;
2010-11-23 11:40:08 -05:00
char * newcon = NULL ;
2005-04-16 15:20:36 -07:00
u32 len ;
2011-04-01 15:39:26 +01:00
int nargs ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__COMPUTE_CREATE ,
NULL ) ;
2005-04-16 15:20:36 -07:00
if ( length )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
length = - ENOMEM ;
2010-04-09 19:30:29 +08:00
scon = kzalloc ( size + 1 , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ! scon )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
length = - ENOMEM ;
2010-04-09 19:30:29 +08:00
tcon = kzalloc ( size + 1 , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ! tcon )
goto out ;
2011-04-01 15:39:26 +01:00
length = - ENOMEM ;
namebuf = kzalloc ( size + 1 , GFP_KERNEL ) ;
if ( ! namebuf )
goto out ;
2005-04-16 15:20:36 -07:00
length = - EINVAL ;
2011-04-01 15:39:26 +01:00
nargs = sscanf ( buf , " %s %s %hu %s " , scon , tcon , & tclass , namebuf ) ;
if ( nargs < 3 | | nargs > 4 )
2010-11-23 11:40:08 -05:00
goto out ;
2011-05-26 14:59:25 -04:00
if ( nargs = = 4 ) {
/*
* If and when the name of new object to be queried contains
* either whitespace or multibyte characters , they shall be
* encoded based on the percentage - encoding rule .
* If not encoded , the sscanf logic picks up only left - half
2023-04-20 17:04:59 +02:00
* of the supplied name ; split by a whitespace unexpectedly .
2011-05-26 14:59:25 -04:00
*/
char * r , * w ;
int c1 , c2 ;
r = w = namebuf ;
do {
c1 = * r + + ;
if ( c1 = = ' + ' )
c1 = ' ' ;
else if ( c1 = = ' % ' ) {
2011-11-15 15:11:41 -08:00
c1 = hex_to_bin ( * r + + ) ;
if ( c1 < 0 )
2011-05-26 14:59:25 -04:00
goto out ;
2011-11-15 15:11:41 -08:00
c2 = hex_to_bin ( * r + + ) ;
if ( c2 < 0 )
2011-05-26 14:59:25 -04:00
goto out ;
c1 = ( c1 < < 4 ) | c2 ;
}
* w + + = c1 ;
} while ( c1 ! = ' \0 ' ) ;
2011-04-01 15:39:26 +01:00
objname = namebuf ;
2011-05-26 14:59:25 -04:00
}
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_context_str_to_sid ( scon , & ssid , GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2023-03-09 13:30:37 -05:00
length = security_context_str_to_sid ( tcon , & tsid , GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_transition_sid_user ( ssid , tsid , tclass ,
2018-03-20 11:59:11 -04:00
objname , & newsid ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_sid_to_context ( newsid , & newcon , & len ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
length = - ERANGE ;
2005-04-16 15:20:36 -07:00
if ( len > SIMPLE_TRANSACTION_LIMIT ) {
2018-06-12 10:09:06 +02:00
pr_err ( " SELinux: %s: context size (%u) exceeds "
2008-04-17 11:52:44 -04:00
" payload max \n " , __func__ , len ) ;
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
}
memcpy ( buf , newcon , len ) ;
length = len ;
2010-11-23 11:40:08 -05:00
out :
2005-04-16 15:20:36 -07:00
kfree ( newcon ) ;
2011-04-01 15:39:26 +01:00
kfree ( namebuf ) ;
2005-04-16 15:20:36 -07:00
kfree ( tcon ) ;
kfree ( scon ) ;
return length ;
}
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_relabel ( struct file * file , char * buf , size_t size )
2005-04-16 15:20:36 -07:00
{
2010-11-23 11:40:08 -05:00
char * scon = NULL , * tcon = NULL ;
2005-04-16 15:20:36 -07:00
u32 ssid , tsid , newsid ;
u16 tclass ;
ssize_t length ;
2010-11-23 11:40:08 -05:00
char * newcon = NULL ;
2005-04-16 15:20:36 -07:00
u32 len ;
2023-03-09 13:30:37 -05:00
length = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__COMPUTE_RELABEL ,
NULL ) ;
2005-04-16 15:20:36 -07:00
if ( length )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
length = - ENOMEM ;
2010-04-09 19:30:29 +08:00
scon = kzalloc ( size + 1 , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ! scon )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
length = - ENOMEM ;
2010-04-09 19:30:29 +08:00
tcon = kzalloc ( size + 1 , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ! tcon )
goto out ;
length = - EINVAL ;
if ( sscanf ( buf , " %s %s %hu " , scon , tcon , & tclass ) ! = 3 )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_context_str_to_sid ( scon , & ssid , GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2023-03-09 13:30:37 -05:00
length = security_context_str_to_sid ( tcon , & tsid , GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_change_sid ( ssid , tsid , tclass , & newsid ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_sid_to_context ( newsid , & newcon , & len ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
length = - ERANGE ;
if ( len > SIMPLE_TRANSACTION_LIMIT )
goto out ;
2005-04-16 15:20:36 -07:00
memcpy ( buf , newcon , len ) ;
length = len ;
2010-11-23 11:40:08 -05:00
out :
2005-04-16 15:20:36 -07:00
kfree ( newcon ) ;
kfree ( tcon ) ;
kfree ( scon ) ;
return length ;
}
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_user ( struct file * file , char * buf , size_t size )
2005-04-16 15:20:36 -07:00
{
2010-11-23 11:40:08 -05:00
char * con = NULL , * user = NULL , * ptr ;
u32 sid , * sids = NULL ;
2005-04-16 15:20:36 -07:00
ssize_t length ;
char * newcon ;
2023-08-07 19:11:39 +02:00
int rc ;
u32 i , len , nsids ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__COMPUTE_USER ,
NULL ) ;
2005-04-16 15:20:36 -07:00
if ( length )
2011-04-08 19:49:08 -07:00
goto out ;
2005-04-16 15:20:36 -07:00
length = - ENOMEM ;
2010-04-09 19:30:29 +08:00
con = kzalloc ( size + 1 , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ! con )
2011-04-08 19:49:08 -07:00
goto out ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
length = - ENOMEM ;
2010-04-09 19:30:29 +08:00
user = kzalloc ( size + 1 , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ! user )
goto out ;
length = - EINVAL ;
if ( sscanf ( buf , " %s %s " , con , user ) ! = 2 )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_context_str_to_sid ( con , & sid , GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_get_user_sids ( sid , user , & sids , & nsids ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
length = sprintf ( buf , " %u " , nsids ) + 1 ;
ptr = buf + length ;
for ( i = 0 ; i < nsids ; i + + ) {
2023-03-09 13:30:37 -05:00
rc = security_sid_to_context ( sids [ i ] , & newcon , & len ) ;
2005-04-16 15:20:36 -07:00
if ( rc ) {
length = rc ;
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
}
if ( ( length + len ) > = SIMPLE_TRANSACTION_LIMIT ) {
kfree ( newcon ) ;
length = - ERANGE ;
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
}
memcpy ( ptr , newcon , len ) ;
kfree ( newcon ) ;
ptr + = len ;
length + = len ;
}
2010-11-23 11:40:08 -05:00
out :
2005-04-16 15:20:36 -07:00
kfree ( sids ) ;
kfree ( user ) ;
kfree ( con ) ;
return length ;
}
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_member ( struct file * file , char * buf , size_t size )
2005-04-16 15:20:36 -07:00
{
2010-11-23 11:40:08 -05:00
char * scon = NULL , * tcon = NULL ;
2005-04-16 15:20:36 -07:00
u32 ssid , tsid , newsid ;
u16 tclass ;
ssize_t length ;
2010-11-23 11:40:08 -05:00
char * newcon = NULL ;
2005-04-16 15:20:36 -07:00
u32 len ;
2023-03-09 13:30:37 -05:00
length = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__COMPUTE_MEMBER ,
NULL ) ;
2005-04-16 15:20:36 -07:00
if ( length )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
length = - ENOMEM ;
2010-04-09 19:30:29 +08:00
scon = kzalloc ( size + 1 , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ! scon )
2011-04-08 19:49:08 -07:00
goto out ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
length = - ENOMEM ;
2010-04-09 19:30:29 +08:00
tcon = kzalloc ( size + 1 , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ! tcon )
goto out ;
length = - EINVAL ;
if ( sscanf ( buf , " %s %s %hu " , scon , tcon , & tclass ) ! = 3 )
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_context_str_to_sid ( scon , & ssid , GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2023-03-09 13:30:37 -05:00
length = security_context_str_to_sid ( tcon , & tsid , GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_member_sid ( ssid , tsid , tclass , & newsid ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = security_sid_to_context ( newsid , & newcon , & len ) ;
2010-11-23 11:40:08 -05:00
if ( length )
goto out ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
length = - ERANGE ;
2005-04-16 15:20:36 -07:00
if ( len > SIMPLE_TRANSACTION_LIMIT ) {
2018-06-12 10:09:06 +02:00
pr_err ( " SELinux: %s: context size (%u) exceeds "
2008-04-17 11:52:44 -04:00
" payload max \n " , __func__ , len ) ;
2010-11-23 11:40:08 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
}
memcpy ( buf , newcon , len ) ;
length = len ;
2010-11-23 11:40:08 -05:00
out :
2005-04-16 15:20:36 -07:00
kfree ( newcon ) ;
kfree ( tcon ) ;
kfree ( scon ) ;
return length ;
}
2023-08-07 19:11:39 +02:00
static struct inode * sel_make_inode ( struct super_block * sb , umode_t mode )
2005-04-16 15:20:36 -07:00
{
struct inode * ret = new_inode ( sb ) ;
if ( ret ) {
ret - > i_mode = mode ;
2023-10-04 14:53:10 -04:00
simple_inode_init_ts ( ret ) ;
2005-04-16 15:20:36 -07:00
}
return ret ;
}
static ssize_t sel_read_bool ( struct file * filep , char __user * buf ,
size_t count , loff_t * ppos )
{
2018-03-20 11:59:11 -04:00
struct selinux_fs_info * fsi = file_inode ( filep ) - > i_sb - > s_fs_info ;
2005-04-16 15:20:36 -07:00
char * page = NULL ;
ssize_t length ;
ssize_t ret ;
int cur_enforcing ;
2013-01-23 17:07:38 -05:00
unsigned index = file_inode ( filep ) - > i_ino & SEL_INO_MASK ;
2007-11-26 11:12:53 -05:00
const char * name = filep - > f_path . dentry - > d_name . name ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
mutex_lock ( & selinux_state . policy_mutex ) ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
ret = - EINVAL ;
2018-03-20 11:59:11 -04:00
if ( index > = fsi - > bool_num | | strcmp ( name ,
fsi - > bool_pending_names [ index ] ) )
2018-06-28 20:39:54 -04:00
goto out_unlock ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
ret = - ENOMEM ;
2008-04-17 14:15:45 -04:00
page = ( char * ) get_zeroed_page ( GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( ! page )
2018-06-28 20:39:54 -04:00
goto out_unlock ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
cur_enforcing = security_get_bool_value ( index ) ;
2005-04-16 15:20:36 -07:00
if ( cur_enforcing < 0 ) {
ret = cur_enforcing ;
2018-06-28 20:39:54 -04:00
goto out_unlock ;
2005-04-16 15:20:36 -07:00
}
length = scnprintf ( page , PAGE_SIZE , " %d %d " , cur_enforcing ,
2018-03-20 11:59:11 -04:00
fsi - > bool_pending_values [ index ] ) ;
2023-03-09 13:30:37 -05:00
mutex_unlock ( & selinux_state . policy_mutex ) ;
2018-06-28 20:39:54 -04:00
ret = simple_read_from_buffer ( buf , count , ppos , page , length ) ;
out_free :
2010-11-23 11:40:08 -05:00
free_page ( ( unsigned long ) page ) ;
2005-04-16 15:20:36 -07:00
return ret ;
2018-06-28 20:39:54 -04:00
out_unlock :
2023-03-09 13:30:37 -05:00
mutex_unlock ( & selinux_state . policy_mutex ) ;
2018-06-28 20:39:54 -04:00
goto out_free ;
2005-04-16 15:20:36 -07:00
}
static ssize_t sel_write_bool ( struct file * filep , const char __user * buf ,
size_t count , loff_t * ppos )
{
2018-03-20 11:59:11 -04:00
struct selinux_fs_info * fsi = file_inode ( filep ) - > i_sb - > s_fs_info ;
2005-04-16 15:20:36 -07:00
char * page = NULL ;
2007-11-26 11:12:53 -05:00
ssize_t length ;
2005-04-16 15:20:36 -07:00
int new_value ;
2013-01-23 17:07:38 -05:00
unsigned index = file_inode ( filep ) - > i_ino & SEL_INO_MASK ;
2007-11-26 11:12:53 -05:00
const char * name = filep - > f_path . dentry - > d_name . name ;
2005-04-16 15:20:36 -07:00
2018-06-28 20:39:54 -04:00
if ( count > = PAGE_SIZE )
return - ENOMEM ;
/* No partial writes. */
if ( * ppos ! = 0 )
return - EINVAL ;
page = memdup_user_nul ( buf , count ) ;
if ( IS_ERR ( page ) )
return PTR_ERR ( page ) ;
2023-03-09 13:30:37 -05:00
mutex_lock ( & selinux_state . policy_mutex ) ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__SETBOOL ,
NULL ) ;
2005-04-16 15:20:36 -07:00
if ( length )
goto out ;
2010-11-23 11:40:08 -05:00
length = - EINVAL ;
2018-03-20 11:59:11 -04:00
if ( index > = fsi - > bool_num | | strcmp ( name ,
fsi - > bool_pending_names [ index ] ) )
2007-11-26 11:12:53 -05:00
goto out ;
2005-04-16 15:20:36 -07:00
length = - EINVAL ;
if ( sscanf ( page , " %d " , & new_value ) ! = 1 )
goto out ;
if ( new_value )
new_value = 1 ;
2018-03-20 11:59:11 -04:00
fsi - > bool_pending_values [ index ] = new_value ;
2005-04-16 15:20:36 -07:00
length = count ;
out :
2023-03-09 13:30:37 -05:00
mutex_unlock ( & selinux_state . policy_mutex ) ;
2015-12-24 00:08:06 -05:00
kfree ( page ) ;
2005-04-16 15:20:36 -07:00
return length ;
}
2007-02-12 00:55:37 -08:00
static const struct file_operations sel_bool_ops = {
2008-04-17 14:15:45 -04:00
. read = sel_read_bool ,
. write = sel_write_bool ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2005-04-16 15:20:36 -07:00
} ;
static ssize_t sel_commit_bools_write ( struct file * filep ,
const char __user * buf ,
size_t count , loff_t * ppos )
{
2018-03-20 11:59:11 -04:00
struct selinux_fs_info * fsi = file_inode ( filep ) - > i_sb - > s_fs_info ;
2005-04-16 15:20:36 -07:00
char * page = NULL ;
2007-11-26 11:12:53 -05:00
ssize_t length ;
2005-04-16 15:20:36 -07:00
int new_value ;
2018-06-28 20:39:54 -04:00
if ( count > = PAGE_SIZE )
return - ENOMEM ;
/* No partial writes. */
if ( * ppos ! = 0 )
return - EINVAL ;
page = memdup_user_nul ( buf , count ) ;
if ( IS_ERR ( page ) )
return PTR_ERR ( page ) ;
2023-03-09 13:30:37 -05:00
mutex_lock ( & selinux_state . policy_mutex ) ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
length = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__SETBOOL ,
NULL ) ;
2005-04-16 15:20:36 -07:00
if ( length )
goto out ;
length = - EINVAL ;
if ( sscanf ( page , " %d " , & new_value ) ! = 1 )
goto out ;
2010-11-23 11:40:08 -05:00
length = 0 ;
2018-03-20 11:59:11 -04:00
if ( new_value & & fsi - > bool_pending_values )
2023-03-09 13:30:37 -05:00
length = security_set_bools ( fsi - > bool_num ,
2018-03-20 11:59:11 -04:00
fsi - > bool_pending_values ) ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
if ( ! length )
length = count ;
2005-04-16 15:20:36 -07:00
out :
2023-03-09 13:30:37 -05:00
mutex_unlock ( & selinux_state . policy_mutex ) ;
2015-12-24 00:08:06 -05:00
kfree ( page ) ;
2005-04-16 15:20:36 -07:00
return length ;
}
2007-02-12 00:55:37 -08:00
static const struct file_operations sel_commit_bools_ops = {
2008-04-17 14:15:45 -04:00
. write = sel_commit_bools_write ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2005-04-16 15:20:36 -07:00
} ;
2020-08-19 15:59:33 -04:00
static int sel_make_bools ( struct selinux_policy * newpolicy , struct dentry * bool_dir ,
unsigned int * bool_num , char * * * bool_pending_names ,
2022-08-30 17:45:00 +02:00
int * * bool_pending_values )
2005-04-16 15:20:36 -07:00
{
2020-02-03 12:27:20 +01:00
int ret ;
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
char * * names , * page ;
2020-02-03 12:27:20 +01:00
u32 i , num ;
2005-04-16 15:20:36 -07:00
2008-04-17 14:15:45 -04:00
page = ( char * ) get_zeroed_page ( GFP_KERNEL ) ;
if ( ! page )
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
return - ENOMEM ;
2005-04-16 15:20:36 -07:00
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
ret = security_get_bools ( newpolicy , & num , & names , bool_pending_values ) ;
2010-11-23 11:40:08 -05:00
if ( ret )
2005-04-16 15:20:36 -07:00
goto out ;
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
* bool_num = num ;
* bool_pending_names = names ;
2005-04-16 15:20:36 -07:00
for ( i = 0 ; i < num ; i + + ) {
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
struct dentry * dentry ;
struct inode * inode ;
struct inode_security_struct * isec ;
ssize_t len ;
u32 sid ;
len = snprintf ( page , PAGE_SIZE , " /%s/%s " , BOOL_DIR_NAME , names [ i ] ) ;
if ( len > = PAGE_SIZE ) {
ret = - ENAMETOOLONG ;
break ;
}
2020-08-19 15:59:33 -04:00
dentry = d_alloc_name ( bool_dir , names [ i ] ) ;
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
if ( ! dentry ) {
ret = - ENOMEM ;
break ;
}
2010-11-23 11:40:08 -05:00
2020-08-19 15:59:33 -04:00
inode = sel_make_inode ( bool_dir - > d_sb , S_IFREG | S_IRUGO | S_IWUSR ) ;
2018-08-05 17:10:36 +08:00
if ( ! inode ) {
dput ( dentry ) ;
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
ret = - ENOMEM ;
break ;
2018-08-05 17:10:36 +08:00
}
2010-11-23 11:40:08 -05:00
2018-09-21 17:19:11 -07:00
isec = selinux_inode ( inode ) ;
2020-08-07 09:29:34 -04:00
ret = selinux_policy_genfs_sid ( newpolicy , " selinuxfs " , page ,
2018-03-01 18:48:02 -05:00
SECCLASS_FILE , & sid ) ;
2017-01-09 10:07:31 -05:00
if ( ret ) {
2017-01-09 10:07:32 -05:00
pr_warn_ratelimited ( " SELinux: no sid found, defaulting to security isid for %s \n " ,
page ) ;
sid = SECINITSID_SECURITY ;
2017-01-09 10:07:31 -05:00
}
2005-04-16 15:20:36 -07:00
isec - > sid = sid ;
2016-11-10 22:18:27 +01:00
isec - > initialized = LABEL_INITIALIZED ;
2005-04-16 15:20:36 -07:00
inode - > i_fop = & sel_bool_ops ;
2007-04-04 16:18:50 -04:00
inode - > i_ino = i | SEL_BOOL_INO_OFFSET ;
2005-04-16 15:20:36 -07:00
d_add ( dentry , inode ) ;
}
out :
free_page ( ( unsigned long ) page ) ;
2010-11-23 11:40:08 -05:00
return ret ;
2005-04-16 15:20:36 -07:00
}
static ssize_t sel_read_avc_cache_threshold ( struct file * filp , char __user * buf ,
size_t count , loff_t * ppos )
{
char tmpbuf [ TMPBUFLEN ] ;
ssize_t length ;
2018-03-05 11:47:56 -05:00
length = scnprintf ( tmpbuf , TMPBUFLEN , " %u " ,
2023-03-09 13:30:37 -05:00
avc_get_cache_threshold ( ) ) ;
2005-04-16 15:20:36 -07:00
return simple_read_from_buffer ( buf , count , ppos , tmpbuf , length ) ;
}
2008-04-17 14:15:45 -04:00
static ssize_t sel_write_avc_cache_threshold ( struct file * file ,
const char __user * buf ,
2005-04-16 15:20:36 -07:00
size_t count , loff_t * ppos )
{
2015-12-24 00:08:06 -05:00
char * page ;
2005-04-16 15:20:36 -07:00
ssize_t ret ;
2016-06-10 23:14:26 +02:00
unsigned int new_value ;
2005-04-16 15:20:36 -07:00
2023-03-09 13:30:37 -05:00
ret = avc_has_perm ( current_sid ( ) , SECINITSID_SECURITY ,
2017-01-09 10:07:31 -05:00
SECCLASS_SECURITY , SECURITY__SETSECPARAM ,
NULL ) ;
2010-11-23 11:40:08 -05:00
if ( ret )
2015-12-24 00:08:06 -05:00
return ret ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
if ( count > = PAGE_SIZE )
2015-12-24 00:08:06 -05:00
return - ENOMEM ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
/* No partial writes. */
if ( * ppos ! = 0 )
2015-12-24 00:08:06 -05:00
return - EINVAL ;
2005-04-16 15:20:36 -07:00
2015-12-24 00:08:06 -05:00
page = memdup_user_nul ( buf , count ) ;
if ( IS_ERR ( page ) )
return PTR_ERR ( page ) ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
ret = - EINVAL ;
if ( sscanf ( page , " %u " , & new_value ) ! = 1 )
2005-04-16 15:20:36 -07:00
goto out ;
2023-03-09 13:30:37 -05:00
avc_set_cache_threshold ( new_value ) ;
2010-11-23 11:40:08 -05:00
2005-04-16 15:20:36 -07:00
ret = count ;
out :
2015-12-24 00:08:06 -05:00
kfree ( page ) ;
2005-04-16 15:20:36 -07:00
return ret ;
}
static ssize_t sel_read_avc_hash_stats ( struct file * filp , char __user * buf ,
size_t count , loff_t * ppos )
{
char * page ;
2010-11-23 11:40:08 -05:00
ssize_t length ;
2005-04-16 15:20:36 -07:00
page = ( char * ) __get_free_page ( GFP_KERNEL ) ;
2010-11-23 11:40:08 -05:00
if ( ! page )
return - ENOMEM ;
2023-03-09 13:30:37 -05:00
length = avc_get_hash_stats ( page ) ;
2010-11-23 11:40:08 -05:00
if ( length > = 0 )
length = simple_read_from_buffer ( buf , count , ppos , page , length ) ;
2005-04-16 15:20:36 -07:00
free_page ( ( unsigned long ) page ) ;
2010-11-23 11:40:08 -05:00
return length ;
2005-04-16 15:20:36 -07:00
}
2019-11-22 10:33:06 +01:00
static ssize_t sel_read_sidtab_hash_stats ( struct file * filp , char __user * buf ,
size_t count , loff_t * ppos )
{
char * page ;
ssize_t length ;
page = ( char * ) __get_free_page ( GFP_KERNEL ) ;
if ( ! page )
return - ENOMEM ;
2023-03-09 13:30:37 -05:00
length = security_sidtab_hash_stats ( page ) ;
2019-11-22 10:33:06 +01:00
if ( length > = 0 )
length = simple_read_from_buffer ( buf , count , ppos , page ,
length ) ;
free_page ( ( unsigned long ) page ) ;
return length ;
}
static const struct file_operations sel_sidtab_hash_stats_ops = {
. read = sel_read_sidtab_hash_stats ,
. llseek = generic_file_llseek ,
} ;
2007-02-12 00:55:37 -08:00
static const struct file_operations sel_avc_cache_threshold_ops = {
2005-04-16 15:20:36 -07:00
. read = sel_read_avc_cache_threshold ,
. write = sel_write_avc_cache_threshold ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2005-04-16 15:20:36 -07:00
} ;
2007-02-12 00:55:37 -08:00
static const struct file_operations sel_avc_hash_stats_ops = {
2005-04-16 15:20:36 -07:00
. read = sel_read_avc_hash_stats ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2005-04-16 15:20:36 -07:00
} ;
# ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
static struct avc_cache_stats * sel_avc_get_stat_idx ( loff_t * idx )
{
int cpu ;
2009-01-01 10:12:15 +10:30
for ( cpu = * idx ; cpu < nr_cpu_ids ; + + cpu ) {
2005-04-16 15:20:36 -07:00
if ( ! cpu_possible ( cpu ) )
continue ;
* idx = cpu + 1 ;
return & per_cpu ( avc_cache_stats , cpu ) ;
}
selinux: sel_avc_get_stat_idx should increase position index
If seq_file .next function does not change position index,
read after some lseek can generate unexpected output.
$ dd if=/sys/fs/selinux/avc/cache_stats # usual output
lookups hits misses allocations reclaims frees
817223 810034 7189 7189 6992 7037
1934894 1926896 7998 7998 7632 7683
1322812 1317176 5636 5636 5456 5507
1560571 1551548 9023 9023 9056 9115
0+1 records in
0+1 records out
189 bytes copied, 5,1564e-05 s, 3,7 MB/s
$# read after lseek to midle of last line
$ dd if=/sys/fs/selinux/avc/cache_stats bs=180 skip=1
dd: /sys/fs/selinux/avc/cache_stats: cannot skip to specified offset
056 9115 <<<< end of last line
1560571 1551548 9023 9023 9056 9115 <<< whole last line once again
0+1 records in
0+1 records out
45 bytes copied, 8,7221e-05 s, 516 kB/s
$# read after lseek beyond end of of file
$ dd if=/sys/fs/selinux/avc/cache_stats bs=1000 skip=1
dd: /sys/fs/selinux/avc/cache_stats: cannot skip to specified offset
1560571 1551548 9023 9023 9056 9115 <<<< generates whole last line
0+1 records in
0+1 records out
36 bytes copied, 9,0934e-05 s, 396 kB/s
https://bugzilla.kernel.org/show_bug.cgi?id=206283
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-02-01 10:47:47 +03:00
( * idx ) + + ;
2005-04-16 15:20:36 -07:00
return NULL ;
}
static void * sel_avc_stats_seq_start ( struct seq_file * seq , loff_t * pos )
{
loff_t n = * pos - 1 ;
if ( * pos = = 0 )
return SEQ_START_TOKEN ;
return sel_avc_get_stat_idx ( & n ) ;
}
static void * sel_avc_stats_seq_next ( struct seq_file * seq , void * v , loff_t * pos )
{
return sel_avc_get_stat_idx ( pos ) ;
}
static int sel_avc_stats_seq_show ( struct seq_file * seq , void * v )
{
struct avc_cache_stats * st = v ;
2017-01-15 14:04:53 +01:00
if ( v = = SEQ_START_TOKEN ) {
seq_puts ( seq ,
" lookups hits misses allocations reclaims frees \n " ) ;
} else {
2011-05-19 21:22:53 -07:00
unsigned int lookups = st - > lookups ;
unsigned int misses = st - > misses ;
unsigned int hits = lookups - misses ;
seq_printf ( seq , " %u %u %u %u %u %u \n " , lookups ,
hits , misses , st - > allocations ,
2005-04-16 15:20:36 -07:00
st - > reclaims , st - > frees ) ;
2011-05-19 21:22:53 -07:00
}
2005-04-16 15:20:36 -07:00
return 0 ;
}
static void sel_avc_stats_seq_stop ( struct seq_file * seq , void * v )
{ }
2008-01-23 00:02:58 +01:00
static const struct seq_operations sel_avc_cache_stats_seq_ops = {
2005-04-16 15:20:36 -07:00
. start = sel_avc_stats_seq_start ,
. next = sel_avc_stats_seq_next ,
. show = sel_avc_stats_seq_show ,
. stop = sel_avc_stats_seq_stop ,
} ;
static int sel_open_avc_cache_stats ( struct inode * inode , struct file * file )
{
return seq_open ( file , & sel_avc_cache_stats_seq_ops ) ;
}
2007-02-12 00:55:37 -08:00
static const struct file_operations sel_avc_cache_stats_ops = {
2005-04-16 15:20:36 -07:00
. open = sel_open_avc_cache_stats ,
. read = seq_read ,
. llseek = seq_lseek ,
. release = seq_release ,
} ;
# endif
static int sel_make_avc_files ( struct dentry * dir )
{
2018-03-20 11:59:11 -04:00
struct super_block * sb = dir - > d_sb ;
struct selinux_fs_info * fsi = sb - > s_fs_info ;
2023-08-07 19:11:39 +02:00
unsigned int i ;
2017-03-25 21:15:37 -07:00
static const struct tree_descr files [ ] = {
2005-04-16 15:20:36 -07:00
{ " cache_threshold " ,
& sel_avc_cache_threshold_ops , S_IRUGO | S_IWUSR } ,
{ " hash_stats " , & sel_avc_hash_stats_ops , S_IRUGO } ,
# ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
{ " cache_stats " , & sel_avc_cache_stats_ops , S_IRUGO } ,
# endif
} ;
2006-01-06 00:11:22 -08:00
for ( i = 0 ; i < ARRAY_SIZE ( files ) ; i + + ) {
2005-04-16 15:20:36 -07:00
struct inode * inode ;
struct dentry * dentry ;
dentry = d_alloc_name ( dir , files [ i ] . name ) ;
2010-11-23 11:40:08 -05:00
if ( ! dentry )
return - ENOMEM ;
2005-04-16 15:20:36 -07:00
inode = sel_make_inode ( dir - > d_sb , S_IFREG | files [ i ] . mode ) ;
2018-08-05 17:10:36 +08:00
if ( ! inode ) {
dput ( dentry ) ;
2010-11-23 11:40:08 -05:00
return - ENOMEM ;
2018-08-05 17:10:36 +08:00
}
2010-11-23 11:40:08 -05:00
2005-04-16 15:20:36 -07:00
inode - > i_fop = files [ i ] . ops ;
2018-03-20 11:59:11 -04:00
inode - > i_ino = + + fsi - > last_ino ;
2005-04-16 15:20:36 -07:00
d_add ( dentry , inode ) ;
}
2010-11-23 11:40:08 -05:00
return 0 ;
2005-04-16 15:20:36 -07:00
}
2019-11-22 10:33:06 +01:00
static int sel_make_ss_files ( struct dentry * dir )
{
struct super_block * sb = dir - > d_sb ;
struct selinux_fs_info * fsi = sb - > s_fs_info ;
2023-08-07 19:11:39 +02:00
unsigned int i ;
2023-04-20 17:05:03 +02:00
static const struct tree_descr files [ ] = {
2019-11-22 10:33:06 +01:00
{ " sidtab_hash_stats " , & sel_sidtab_hash_stats_ops , S_IRUGO } ,
} ;
for ( i = 0 ; i < ARRAY_SIZE ( files ) ; i + + ) {
struct inode * inode ;
struct dentry * dentry ;
dentry = d_alloc_name ( dir , files [ i ] . name ) ;
if ( ! dentry )
return - ENOMEM ;
inode = sel_make_inode ( dir - > d_sb , S_IFREG | files [ i ] . mode ) ;
if ( ! inode ) {
dput ( dentry ) ;
return - ENOMEM ;
}
inode - > i_fop = files [ i ] . ops ;
inode - > i_ino = + + fsi - > last_ino ;
d_add ( dentry , inode ) ;
}
return 0 ;
}
2008-04-17 14:15:45 -04:00
static ssize_t sel_read_initcon ( struct file * file , char __user * buf ,
2007-04-04 10:11:29 -04:00
size_t count , loff_t * ppos )
{
char * con ;
u32 sid , len ;
ssize_t ret ;
2013-01-23 17:07:38 -05:00
sid = file_inode ( file ) - > i_ino & SEL_INO_MASK ;
2023-03-09 13:30:37 -05:00
ret = security_sid_to_context ( sid , & con , & len ) ;
2010-11-23 11:40:08 -05:00
if ( ret )
2007-04-04 10:11:29 -04:00
return ret ;
ret = simple_read_from_buffer ( buf , count , ppos , con , len ) ;
kfree ( con ) ;
return ret ;
}
static const struct file_operations sel_initcon_ops = {
. read = sel_read_initcon ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2007-04-04 10:11:29 -04:00
} ;
static int sel_make_initcon_files ( struct dentry * dir )
{
2023-08-07 19:11:39 +02:00
unsigned int i ;
2007-04-04 10:11:29 -04:00
for ( i = 1 ; i < = SECINITSID_NUM ; i + + ) {
struct inode * inode ;
struct dentry * dentry ;
selinux: remove unused initial SIDs and improve handling
Remove initial SIDs that have never been used or are no longer used by
the kernel from its string table, which is also used to generate the
SECINITSID_* symbols referenced in code. Update the code to
gracefully handle the fact that these can now be NULL. Stop treating
it as an error if a policy defines additional initial SIDs unknown to
the kernel. Do not load unused initial SID contexts into the sidtab.
Fix the incorrect usage of the name from the ocontext in error
messages when loading initial SIDs since these are not presently
written to the kernel policy and are therefore always NULL.
After this change, it is possible to safely reclaim and reuse some of
the unused initial SIDs without compatibility issues. Specifically,
unused initial SIDs that were being assigned the same context as the
unlabeled initial SID in policies can be reclaimed and reused for
another purpose, with existing policies still treating them as having
the unlabeled context and future policies having the option of mapping
them to a more specific context. For example, this could have been
used when the infiniband labeling support was introduced to define
initial SIDs for the default pkey and endport SIDs similar to the
handling of port/netif/node SIDs rather than always using
SECINITSID_UNLABELED as the default.
The set of safely reclaimable unused initial SIDs across all known
policies is igmp_packet (13), icmp_socket (14), tcp_socket (15), kmod
(24), policy (25), and scmp_packet (26); these initial SIDs were
assigned the same context as unlabeled in all known policies including
mls. If only considering non-mls policies (i.e. assuming that mls
users always upgrade policy with their kernels), the set of safely
reclaimable unused initial SIDs further includes file_labels (6), init
(7), sysctl_modprobe (16), and sysctl_fs (18) through sysctl_dev (23).
Adding new initial SIDs beyond SECINITSID_NUM to policy unfortunately
became a fatal error in commit 24ed7fdae669 ("selinux: use separate
table for initial SID lookup") and even before that it could cause
problems on a policy reload (collision between the new initial SID and
one allocated at runtime) ever since commit 42596eafdd75 ("selinux:
load the initial SIDs upon every policy load") so we cannot safely
start adding new initial SIDs to policies beyond SECINITSID_NUM (27)
until such a time as all such kernels do not need to be supported and
only those that include this commit are relevant. That is not a big
deal since we haven't added a new initial SID since 2004 (v2.6.7) and
we have plenty of unused ones we can reclaim if we truly need one.
If we want to avoid the wasted storage in initial_sid_to_string[]
and/or sidtab->isids[] for the unused initial SIDs, we could introduce
an indirection between the kernel initial SID values and the policy
initial SID values and just map the policy SID values in the ocontexts
to the kernel values during policy_load_isids(). Originally I thought
we'd do this by preserving the initial SID names in the kernel policy
and creating a mapping at load time like we do for the security
classes and permissions but that would require a new kernel policy
format version and associated changes to libsepol/checkpolicy and I'm
not sure it is justified. Simpler approach is just to create a fixed
mapping table in the kernel from the existing fixed policy values to
the kernel values. Less flexible but probably sufficient.
A separate selinux userspace change was applied in
https://github.com/SELinuxProject/selinux/commit/8677ce5e8f592950ae6f14cea1b68a20ddc1ac25
to enable removal of most of the unused initial SID contexts from
policies, but there is no dependency between that change and this one.
That change permits removing all of the unused initial SID contexts
from policy except for the fs and sysctl SID contexts. The initial
SID declarations themselves would remain in policy to preserve the
values of subsequent ones but the contexts can be dropped. If/when
the kernel decides to reuse one of them, future policies can change
the name and start assigning a context again without breaking
compatibility.
Here is how I would envision staging changes to the initial SIDs in a
compatible manner after this commit is applied:
1. At any time after this commit is applied, the kernel could choose
to reclaim one of the safely reclaimable unused initial SIDs listed
above for a new purpose (i.e. replace its NULL entry in the
initial_sid_to_string[] table with a new name and start using the
newly generated SECINITSID_name symbol in code), and refpolicy could
at that time rename its declaration of that initial SID to reflect its
new purpose and start assigning it a context going
forward. Existing/old policies would map the reclaimed initial SID to
the unlabeled context, so that would be the initial default behavior
until policies are updated. This doesn't depend on the selinux
userspace change; it will work with existing policies and userspace.
2. In 6 months or so we'll have another SELinux userspace release that
will include the libsepol/checkpolicy support for omitting unused
initial SID contexts.
3. At any time after that release, refpolicy can make that release its
minimum build requirement and drop the sid context statements (but not
the sid declarations) for all of the unused initial SIDs except for
fs and sysctl, which must remain for compatibility on policy
reload with old kernels and for compatibility with kernels that were
still using SECINITSID_SYSCTL (< 2.6.39). This doesn't depend on this
kernel commit; it will work with previous kernels as well.
4. After N years for some value of N, refpolicy decides that it no
longer cares about policy reload compatibility for kernels that
predate this kernel commit, and refpolicy drops the fs and sysctl
SID contexts from policy too (but retains the declarations).
5. After M years for some value of M, the kernel decides that it no
longer cares about compatibility with refpolicies that predate step 4
(dropping the fs and sysctl SIDs), and those two SIDs also become
safely reclaimable. This step is optional and need not ever occur unless
we decide that the need to reclaim those two SIDs outweighs the
compatibility cost.
6. After O years for some value of O, refpolicy decides that it no
longer cares about policy load (not just reload) compatibility for
kernels that predate this kernel commit, and both kernel and refpolicy
can then start adding and using new initial SIDs beyond 27. This does
not depend on the previous change (step 5) and can occur independent
of it.
Fixes: https://github.com/SELinuxProject/selinux-kernel/issues/12
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-02-24 11:10:23 -05:00
const char * s = security_get_initial_sid_context ( i ) ;
if ( ! s )
continue ;
dentry = d_alloc_name ( dir , s ) ;
2010-11-23 11:40:08 -05:00
if ( ! dentry )
return - ENOMEM ;
2007-04-04 10:11:29 -04:00
inode = sel_make_inode ( dir - > d_sb , S_IFREG | S_IRUGO ) ;
2018-08-05 17:10:36 +08:00
if ( ! inode ) {
dput ( dentry ) ;
2010-11-23 11:40:08 -05:00
return - ENOMEM ;
2018-08-05 17:10:36 +08:00
}
2010-11-23 11:40:08 -05:00
2007-04-04 10:11:29 -04:00
inode - > i_fop = & sel_initcon_ops ;
inode - > i_ino = i | SEL_INITCON_INO_OFFSET ;
d_add ( dentry , inode ) ;
}
2010-11-23 11:40:08 -05:00
return 0 ;
2007-04-04 10:11:29 -04:00
}
2007-05-23 09:12:09 -04:00
static inline unsigned long sel_class_to_ino ( u16 class )
{
return ( class * ( SEL_VEC_MAX + 1 ) ) | SEL_CLASS_INO_OFFSET ;
}
static inline u16 sel_ino_to_class ( unsigned long ino )
{
2012-04-04 13:46:46 -04:00
return ( ino & SEL_INO_MASK ) / ( SEL_VEC_MAX + 1 ) ;
2007-05-23 09:12:09 -04:00
}
static inline unsigned long sel_perm_to_ino ( u16 class , u32 perm )
{
return ( class * ( SEL_VEC_MAX + 1 ) + perm ) | SEL_CLASS_INO_OFFSET ;
}
static inline u32 sel_ino_to_perm ( unsigned long ino )
{
return ( ino & SEL_INO_MASK ) % ( SEL_VEC_MAX + 1 ) ;
}
2008-04-17 14:15:45 -04:00
static ssize_t sel_read_class ( struct file * file , char __user * buf ,
2007-05-23 09:12:09 -04:00
size_t count , loff_t * ppos )
{
2013-01-23 17:07:38 -05:00
unsigned long ino = file_inode ( file ) - > i_ino ;
2012-04-02 19:40:47 -04:00
char res [ TMPBUFLEN ] ;
2020-01-07 09:39:18 +08:00
ssize_t len = scnprintf ( res , sizeof ( res ) , " %d " , sel_ino_to_class ( ino ) ) ;
2012-04-02 19:40:47 -04:00
return simple_read_from_buffer ( buf , count , ppos , res , len ) ;
2007-05-23 09:12:09 -04:00
}
static const struct file_operations sel_class_ops = {
. read = sel_read_class ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2007-05-23 09:12:09 -04:00
} ;
2008-04-17 14:15:45 -04:00
static ssize_t sel_read_perm ( struct file * file , char __user * buf ,
2007-05-23 09:12:09 -04:00
size_t count , loff_t * ppos )
{
2013-01-23 17:07:38 -05:00
unsigned long ino = file_inode ( file ) - > i_ino ;
2012-04-02 19:40:47 -04:00
char res [ TMPBUFLEN ] ;
2020-01-07 09:39:18 +08:00
ssize_t len = scnprintf ( res , sizeof ( res ) , " %d " , sel_ino_to_perm ( ino ) ) ;
2012-04-02 19:40:47 -04:00
return simple_read_from_buffer ( buf , count , ppos , res , len ) ;
2007-05-23 09:12:09 -04:00
}
static const struct file_operations sel_perm_ops = {
. read = sel_read_perm ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2007-05-23 09:12:09 -04:00
} ;
2008-01-29 08:38:19 -05:00
static ssize_t sel_read_policycap ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
int value ;
char tmpbuf [ TMPBUFLEN ] ;
ssize_t length ;
2013-01-23 17:07:38 -05:00
unsigned long i_ino = file_inode ( file ) - > i_ino ;
2008-01-29 08:38:19 -05:00
2023-03-09 13:30:37 -05:00
value = security_policycap_supported ( i_ino & SEL_INO_MASK ) ;
2008-01-29 08:38:19 -05:00
length = scnprintf ( tmpbuf , TMPBUFLEN , " %d " , value ) ;
return simple_read_from_buffer ( buf , count , ppos , tmpbuf , length ) ;
}
static const struct file_operations sel_policycap_ops = {
. read = sel_read_policycap ,
2010-07-07 23:40:10 +02:00
. llseek = generic_file_llseek ,
2008-01-29 08:38:19 -05:00
} ;
2020-08-07 09:29:34 -04:00
static int sel_make_perm_files ( struct selinux_policy * newpolicy ,
char * objclass , int classvalue ,
struct dentry * dir )
2007-05-23 09:12:09 -04:00
{
2023-07-28 17:54:56 +02:00
u32 i , nperms ;
int rc ;
2007-05-23 09:12:09 -04:00
char * * perms ;
2020-08-07 09:29:34 -04:00
rc = security_get_permissions ( newpolicy , objclass , & perms , & nperms ) ;
2007-05-23 09:12:09 -04:00
if ( rc )
2010-11-23 11:40:08 -05:00
return rc ;
2007-05-23 09:12:09 -04:00
for ( i = 0 ; i < nperms ; i + + ) {
struct inode * inode ;
struct dentry * dentry ;
2010-11-23 11:40:08 -05:00
rc = - ENOMEM ;
2007-05-23 09:12:09 -04:00
dentry = d_alloc_name ( dir , perms [ i ] ) ;
2010-11-23 11:40:08 -05:00
if ( ! dentry )
goto out ;
2007-05-23 09:12:09 -04:00
2010-11-23 11:40:08 -05:00
rc = - ENOMEM ;
2007-05-23 09:12:09 -04:00
inode = sel_make_inode ( dir - > d_sb , S_IFREG | S_IRUGO ) ;
2018-08-05 17:10:36 +08:00
if ( ! inode ) {
dput ( dentry ) ;
2010-11-23 11:40:08 -05:00
goto out ;
2018-08-05 17:10:36 +08:00
}
2010-11-23 11:40:08 -05:00
2007-05-23 09:12:09 -04:00
inode - > i_fop = & sel_perm_ops ;
/* i+1 since perm values are 1-indexed */
2010-04-09 19:30:29 +08:00
inode - > i_ino = sel_perm_to_ino ( classvalue , i + 1 ) ;
2007-05-23 09:12:09 -04:00
d_add ( dentry , inode ) ;
}
2010-11-23 11:40:08 -05:00
rc = 0 ;
out :
2007-05-23 09:12:09 -04:00
for ( i = 0 ; i < nperms ; i + + )
kfree ( perms [ i ] ) ;
kfree ( perms ) ;
return rc ;
}
2020-08-07 09:29:34 -04:00
static int sel_make_class_dir_entries ( struct selinux_policy * newpolicy ,
char * classname , int index ,
struct dentry * dir )
2007-05-23 09:12:09 -04:00
{
2018-03-20 11:59:11 -04:00
struct super_block * sb = dir - > d_sb ;
struct selinux_fs_info * fsi = sb - > s_fs_info ;
2007-05-23 09:12:09 -04:00
struct dentry * dentry = NULL ;
struct inode * inode = NULL ;
dentry = d_alloc_name ( dir , " index " ) ;
2010-11-23 11:40:08 -05:00
if ( ! dentry )
return - ENOMEM ;
2007-05-23 09:12:09 -04:00
inode = sel_make_inode ( dir - > d_sb , S_IFREG | S_IRUGO ) ;
2018-08-05 17:10:36 +08:00
if ( ! inode ) {
dput ( dentry ) ;
2010-11-23 11:40:08 -05:00
return - ENOMEM ;
2018-08-05 17:10:36 +08:00
}
2007-05-23 09:12:09 -04:00
inode - > i_fop = & sel_class_ops ;
inode - > i_ino = sel_class_to_ino ( index ) ;
d_add ( dentry , inode ) ;
2018-03-20 11:59:11 -04:00
dentry = sel_make_dir ( dir , " perms " , & fsi - > last_class_ino ) ;
2012-03-18 20:36:59 -04:00
if ( IS_ERR ( dentry ) )
return PTR_ERR ( dentry ) ;
2007-05-23 09:12:09 -04:00
2022-08-30 08:41:24 +00:00
return sel_make_perm_files ( newpolicy , classname , index , dentry ) ;
2007-05-23 09:12:09 -04:00
}
2020-08-19 15:59:33 -04:00
static int sel_make_classes ( struct selinux_policy * newpolicy ,
struct dentry * class_dir ,
unsigned long * last_class_ino )
2007-05-23 09:12:09 -04:00
{
2023-07-28 17:54:56 +02:00
u32 i , nclasses ;
int rc ;
2007-05-23 09:12:09 -04:00
char * * classes ;
2020-08-07 09:29:34 -04:00
rc = security_get_classes ( newpolicy , & classes , & nclasses ) ;
2010-11-23 11:40:08 -05:00
if ( rc )
return rc ;
2007-05-23 09:12:09 -04:00
/* +2 since classes are 1-indexed */
2020-08-19 15:59:33 -04:00
* last_class_ino = sel_class_to_ino ( nclasses + 2 ) ;
2007-05-23 09:12:09 -04:00
for ( i = 0 ; i < nclasses ; i + + ) {
struct dentry * class_name_dir ;
2020-08-19 15:59:33 -04:00
class_name_dir = sel_make_dir ( class_dir , classes [ i ] ,
last_class_ino ) ;
2012-03-18 20:36:59 -04:00
if ( IS_ERR ( class_name_dir ) ) {
rc = PTR_ERR ( class_name_dir ) ;
2010-11-23 11:40:08 -05:00
goto out ;
2012-03-18 20:36:59 -04:00
}
2007-05-23 09:12:09 -04:00
/* i+1 since class values are 1-indexed */
2020-08-07 09:29:34 -04:00
rc = sel_make_class_dir_entries ( newpolicy , classes [ i ] , i + 1 ,
2007-05-23 09:12:09 -04:00
class_name_dir ) ;
if ( rc )
2010-11-23 11:40:08 -05:00
goto out ;
2007-05-23 09:12:09 -04:00
}
2010-11-23 11:40:08 -05:00
rc = 0 ;
out :
2007-05-23 09:12:09 -04:00
for ( i = 0 ; i < nclasses ; i + + )
kfree ( classes [ i ] ) ;
kfree ( classes ) ;
return rc ;
}
2018-03-20 11:59:11 -04:00
static int sel_make_policycap ( struct selinux_fs_info * fsi )
2008-01-29 08:38:19 -05:00
{
unsigned int iter ;
struct dentry * dentry = NULL ;
struct inode * inode = NULL ;
2022-03-01 12:39:20 -05:00
for ( iter = 0 ; iter < = POLICYDB_CAP_MAX ; iter + + ) {
2017-05-18 16:58:31 -04:00
if ( iter < ARRAY_SIZE ( selinux_policycap_names ) )
2018-03-20 11:59:11 -04:00
dentry = d_alloc_name ( fsi - > policycap_dir ,
2017-05-18 16:58:31 -04:00
selinux_policycap_names [ iter ] ) ;
2008-01-29 08:38:19 -05:00
else
2018-03-20 11:59:11 -04:00
dentry = d_alloc_name ( fsi - > policycap_dir , " unknown " ) ;
2008-01-29 08:38:19 -05:00
if ( dentry = = NULL )
return - ENOMEM ;
2018-03-20 11:59:11 -04:00
inode = sel_make_inode ( fsi - > sb , S_IFREG | 0444 ) ;
2018-08-05 17:10:36 +08:00
if ( inode = = NULL ) {
dput ( dentry ) ;
2008-01-29 08:38:19 -05:00
return - ENOMEM ;
2018-08-05 17:10:36 +08:00
}
2008-01-29 08:38:19 -05:00
inode - > i_fop = & sel_policycap_ops ;
inode - > i_ino = iter | SEL_POLICYCAP_INO_OFFSET ;
d_add ( dentry , inode ) ;
}
return 0 ;
}
2012-03-18 20:36:59 -04:00
static struct dentry * sel_make_dir ( struct dentry * dir , const char * name ,
2007-05-23 09:12:08 -04:00
unsigned long * ino )
2005-04-16 15:20:36 -07:00
{
2012-03-18 20:36:59 -04:00
struct dentry * dentry = d_alloc_name ( dir , name ) ;
2005-04-16 15:20:36 -07:00
struct inode * inode ;
2012-03-18 20:36:59 -04:00
if ( ! dentry )
return ERR_PTR ( - ENOMEM ) ;
inode = sel_make_inode ( dir - > d_sb , S_IFDIR | S_IRUGO | S_IXUGO ) ;
if ( ! inode ) {
dput ( dentry ) ;
return ERR_PTR ( - ENOMEM ) ;
}
2010-11-23 11:40:08 -05:00
2005-04-16 15:20:36 -07:00
inode - > i_op = & simple_dir_inode_operations ;
inode - > i_fop = & simple_dir_operations ;
2007-05-23 09:12:08 -04:00
inode - > i_ino = + + ( * ino ) ;
2006-03-22 00:09:16 -08:00
/* directory inodes start off with i_nlink == 2 (for "." entry) */
2006-09-30 23:29:04 -07:00
inc_nlink ( inode ) ;
2005-04-16 15:20:36 -07:00
d_add ( dentry , inode ) ;
2006-03-22 00:09:20 -08:00
/* bump link count on parent directory, too */
2015-02-19 10:47:02 +00:00
inc_nlink ( d_inode ( dir ) ) ;
2010-11-23 11:40:08 -05:00
2012-03-18 20:36:59 -04:00
return dentry ;
2005-04-16 15:20:36 -07:00
}
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
static int reject_all ( struct mnt_idmap * idmap , struct inode * inode , int mask )
{
return - EPERM ; // no access for anyone, root or no root.
}
static const struct inode_operations swapover_dir_inode_operations = {
. lookup = simple_lookup ,
. permission = reject_all ,
} ;
static struct dentry * sel_make_swapover_dir ( struct super_block * sb ,
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
unsigned long * ino )
{
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
struct dentry * dentry = d_alloc_name ( sb - > s_root , " .swapover " ) ;
struct inode * inode ;
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
if ( ! dentry )
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
return ERR_PTR ( - ENOMEM ) ;
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
inode = sel_make_inode ( sb , S_IFDIR ) ;
if ( ! inode ) {
dput ( dentry ) ;
return ERR_PTR ( - ENOMEM ) ;
}
inode - > i_op = & swapover_dir_inode_operations ;
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
inode - > i_ino = + + ( * ino ) ;
/* directory inodes start off with i_nlink == 2 (for "." entry) */
inc_nlink ( inode ) ;
selinux: saner handling of policy reloads
On policy reload selinuxfs replaces two subdirectories (/booleans
and /class) with new variants. Unfortunately, that's done with
serious abuses of directory locking.
1) lock_rename() should be done to parents, not to objects being
exchanged
2) there's a bunch of reasons why it should not be done for directories
that do not have a common ancestor; most of those do not apply to
selinuxfs, but even in the best case the proof is subtle and brittle.
3) failure halfway through the creation of /class will leak
names and values arrays.
4) use of d_genocide() is also rather brittle; it's probably not much of
a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/index
with any regular file will end up with leaked mount on policy reload.
Sure, don't do it, but...
Let's stop messing with disconnected directories; just create
a temporary (/.swapover) with no permissions for anyone (on the
level of ->permission() returing -EPERM, no matter who's calling
it) and build the new /booleans and /class in there; then
lock_rename on root and that temporary directory and d_exchange()
old and new both for class and booleans. Then unlock and use
simple_recursive_removal() to take the temporary out; it's much
more robust.
And instead of bothering with separate pathways for freeing
new (on failure halfway through) and old (on success) names/values,
do all freeing in one place. With temporaries swapped with the
old ones when we are past all possible failures.
The only user-visible difference is that /.swapover shows up
(but isn't possible to open, look up into, etc.) for the
duration of policy reload.
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PM: applied some fixes from Al post merge]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-16 23:08:35 +01:00
inode_lock ( sb - > s_root - > d_inode ) ;
d_add ( dentry , inode ) ;
inc_nlink ( sb - > s_root - > d_inode ) ;
inode_unlock ( sb - > s_root - > d_inode ) ;
return dentry ;
selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.
This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees. This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here. This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.
In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them. This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy. In addition, it means that error recovery in
the event of failure is challenging.
In order to demonstrate the race condition that this series fixes, you
can use the following commands:
while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;
In the existing code, this will display errors fairly often as the class
lookup fails. (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-19 15:59:35 -04:00
}
2018-03-20 11:59:11 -04:00
# define NULL_FILE_NAME "null"
2019-03-25 16:38:30 +00:00
static int sel_fill_super ( struct super_block * sb , struct fs_context * fc )
2005-04-16 15:20:36 -07:00
{
2018-03-20 11:59:11 -04:00
struct selinux_fs_info * fsi ;
2005-04-16 15:20:36 -07:00
int ret ;
struct dentry * dentry ;
2012-03-18 20:36:59 -04:00
struct inode * inode ;
2005-04-16 15:20:36 -07:00
struct inode_security_struct * isec ;
2017-03-25 21:15:37 -07:00
static const struct tree_descr selinux_files [ ] = {
2005-04-16 15:20:36 -07:00
[ SEL_LOAD ] = { " load " , & sel_load_ops , S_IRUSR | S_IWUSR } ,
[ SEL_ENFORCE ] = { " enforce " , & sel_enforce_ops , S_IRUGO | S_IWUSR } ,
2005-11-08 21:34:33 -08:00
[ SEL_CONTEXT ] = { " context " , & transaction_ops , S_IRUGO | S_IWUGO } ,
2005-04-16 15:20:36 -07:00
[ SEL_ACCESS ] = { " access " , & transaction_ops , S_IRUGO | S_IWUGO } ,
[ SEL_CREATE ] = { " create " , & transaction_ops , S_IRUGO | S_IWUGO } ,
[ SEL_RELABEL ] = { " relabel " , & transaction_ops , S_IRUGO | S_IWUGO } ,
[ SEL_USER ] = { " user " , & transaction_ops , S_IRUGO | S_IWUGO } ,
[ SEL_POLICYVERS ] = { " policyvers " , & sel_policyvers_ops , S_IRUGO } ,
[ SEL_COMMIT_BOOLS ] = { " commit_pending_bools " , & sel_commit_bools_ops , S_IWUSR } ,
[ SEL_MLS ] = { " mls " , & sel_mls_ops , S_IRUGO } ,
[ SEL_DISABLE ] = { " disable " , & sel_disable_ops , S_IWUSR } ,
[ SEL_MEMBER ] = { " member " , & transaction_ops , S_IRUGO | S_IWUGO } ,
[ SEL_CHECKREQPROT ] = { " checkreqprot " , & sel_checkreqprot_ops , S_IRUGO | S_IWUSR } ,
2007-09-21 14:37:10 -04:00
[ SEL_REJECT_UNKNOWN ] = { " reject_unknown " , & sel_handle_unknown_ops , S_IRUGO } ,
[ SEL_DENY_UNKNOWN ] = { " deny_unknown " , & sel_handle_unknown_ops , S_IRUGO } ,
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 18:28:39 +09:00
[ SEL_STATUS ] = { " status " , & sel_handle_status_ops , S_IRUGO } ,
2012-02-16 15:08:39 -05:00
[ SEL_POLICY ] = { " policy " , & sel_policy_ops , S_IRUGO } ,
2015-12-24 11:09:41 -05:00
[ SEL_VALIDATE_TRANS ] = { " validatetrans " , & sel_transition_ops ,
S_IWUGO } ,
2005-04-16 15:20:36 -07:00
/* last one */ { " " }
} ;
2018-03-20 11:59:11 -04:00
ret = selinux_fs_info_create ( sb ) ;
if ( ret )
goto err ;
2005-04-16 15:20:36 -07:00
ret = simple_fill_super ( sb , SELINUX_MAGIC , selinux_files ) ;
if ( ret )
2006-03-22 00:09:17 -08:00
goto err ;
2005-04-16 15:20:36 -07:00
2018-03-20 11:59:11 -04:00
fsi = sb - > s_fs_info ;
fsi - > bool_dir = sel_make_dir ( sb - > s_root , BOOL_DIR_NAME , & fsi - > last_ino ) ;
if ( IS_ERR ( fsi - > bool_dir ) ) {
ret = PTR_ERR ( fsi - > bool_dir ) ;
fsi - > bool_dir = NULL ;
2006-03-22 00:09:17 -08:00
goto err ;
2012-03-18 20:36:59 -04:00
}
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
ret = - ENOMEM ;
2005-04-16 15:20:36 -07:00
dentry = d_alloc_name ( sb - > s_root , NULL_FILE_NAME ) ;
2010-11-23 11:40:08 -05:00
if ( ! dentry )
2006-03-22 00:09:17 -08:00
goto err ;
2005-04-16 15:20:36 -07:00
2010-11-23 11:40:08 -05:00
ret = - ENOMEM ;
2005-04-16 15:20:36 -07:00
inode = sel_make_inode ( sb , S_IFCHR | S_IRUGO | S_IWUGO ) ;
2018-08-05 17:10:36 +08:00
if ( ! inode ) {
dput ( dentry ) ;
2006-03-22 00:09:17 -08:00
goto err ;
2018-08-05 17:10:36 +08:00
}
2010-11-23 11:40:08 -05:00
2018-03-20 11:59:11 -04:00
inode - > i_ino = + + fsi - > last_ino ;
2018-09-21 17:19:11 -07:00
isec = selinux_inode ( inode ) ;
2005-04-16 15:20:36 -07:00
isec - > sid = SECINITSID_DEVNULL ;
isec - > sclass = SECCLASS_CHR_FILE ;
2016-11-10 22:18:27 +01:00
isec - > initialized = LABEL_INITIALIZED ;
2005-04-16 15:20:36 -07:00
init_special_inode ( inode , S_IFCHR | S_IRUGO | S_IWUGO , MKDEV ( MEM_MAJOR , 3 ) ) ;
d_add ( dentry , inode ) ;
2018-03-20 11:59:11 -04:00
dentry = sel_make_dir ( sb - > s_root , " avc " , & fsi - > last_ino ) ;
2012-03-18 20:36:59 -04:00
if ( IS_ERR ( dentry ) ) {
ret = PTR_ERR ( dentry ) ;
2006-03-22 00:09:17 -08:00
goto err ;
2012-03-18 20:36:59 -04:00
}
2005-04-16 15:20:36 -07:00
ret = sel_make_avc_files ( dentry ) ;
2022-01-25 15:14:20 +01:00
if ( ret )
goto err ;
2019-11-22 10:33:06 +01:00
dentry = sel_make_dir ( sb - > s_root , " ss " , & fsi - > last_ino ) ;
if ( IS_ERR ( dentry ) ) {
ret = PTR_ERR ( dentry ) ;
goto err ;
}
ret = sel_make_ss_files ( dentry ) ;
2005-04-16 15:20:36 -07:00
if ( ret )
2006-03-22 00:09:17 -08:00
goto err ;
2007-04-04 10:11:29 -04:00
2018-03-20 11:59:11 -04:00
dentry = sel_make_dir ( sb - > s_root , " initial_contexts " , & fsi - > last_ino ) ;
2012-03-18 20:36:59 -04:00
if ( IS_ERR ( dentry ) ) {
ret = PTR_ERR ( dentry ) ;
2007-04-04 10:11:29 -04:00
goto err ;
2012-03-18 20:36:59 -04:00
}
2007-04-04 10:11:29 -04:00
ret = sel_make_initcon_files ( dentry ) ;
if ( ret )
goto err ;
2020-08-19 15:59:34 -04:00
fsi - > class_dir = sel_make_dir ( sb - > s_root , CLASS_DIR_NAME , & fsi - > last_ino ) ;
2018-03-20 11:59:11 -04:00
if ( IS_ERR ( fsi - > class_dir ) ) {
ret = PTR_ERR ( fsi - > class_dir ) ;
fsi - > class_dir = NULL ;
2008-01-29 08:38:19 -05:00
goto err ;
2012-03-18 20:36:59 -04:00
}
2008-01-29 08:38:19 -05:00
2020-08-19 15:59:34 -04:00
fsi - > policycap_dir = sel_make_dir ( sb - > s_root , POLICYCAP_DIR_NAME ,
2018-03-20 11:59:11 -04:00
& fsi - > last_ino ) ;
if ( IS_ERR ( fsi - > policycap_dir ) ) {
ret = PTR_ERR ( fsi - > policycap_dir ) ;
fsi - > policycap_dir = NULL ;
2008-01-29 08:38:19 -05:00
goto err ;
2012-03-18 20:36:59 -04:00
}
2018-03-20 11:59:11 -04:00
2020-08-07 09:29:34 -04:00
ret = sel_make_policycap ( fsi ) ;
if ( ret ) {
pr_err ( " SELinux: failed to load policy capabilities \n " ) ;
2018-03-20 11:59:11 -04:00
goto err ;
2020-08-07 09:29:34 -04:00
}
2010-11-23 11:40:08 -05:00
return 0 ;
2006-03-22 00:09:17 -08:00
err :
2018-06-12 10:09:06 +02:00
pr_err ( " SELinux: %s: failed while creating inodes \n " ,
2008-04-17 11:52:44 -04:00
__func__ ) ;
2018-03-20 11:59:11 -04:00
selinux_fs_info_free ( sb ) ;
2010-11-23 11:40:08 -05:00
return ret ;
2005-04-16 15:20:36 -07:00
}
2019-03-25 16:38:30 +00:00
static int sel_get_tree ( struct fs_context * fc )
2005-04-16 15:20:36 -07:00
{
2019-03-25 16:38:30 +00:00
return get_tree_single ( fc , sel_fill_super ) ;
}
static const struct fs_context_operations sel_context_ops = {
. get_tree = sel_get_tree ,
} ;
static int sel_init_fs_context ( struct fs_context * fc )
{
fc - > ops = & sel_context_ops ;
return 0 ;
2005-04-16 15:20:36 -07:00
}
2018-03-20 11:59:11 -04:00
static void sel_kill_sb ( struct super_block * sb )
{
selinux_fs_info_free ( sb ) ;
kill_litter_super ( sb ) ;
}
2005-04-16 15:20:36 -07:00
static struct file_system_type sel_fs_type = {
. name = " selinuxfs " ,
2019-03-25 16:38:30 +00:00
. init_fs_context = sel_init_fs_context ,
2018-03-20 11:59:11 -04:00
. kill_sb = sel_kill_sb ,
2005-04-16 15:20:36 -07:00
} ;
2021-01-06 14:26:21 +01:00
struct path selinux_null __ro_after_init ;
2005-04-16 15:20:36 -07:00
static int __init init_sel_fs ( void )
{
2018-03-20 11:59:11 -04:00
struct qstr null_name = QSTR_INIT ( NULL_FILE_NAME ,
sizeof ( NULL_FILE_NAME ) - 1 ) ;
2005-04-16 15:20:36 -07:00
int err ;
2019-12-17 09:15:10 -05:00
if ( ! selinux_enabled_boot )
2005-04-16 15:20:36 -07:00
return 0 ;
2011-05-10 15:34:16 -07:00
2015-05-13 17:35:41 -05:00
err = sysfs_create_mount_point ( fs_kobj , " selinux " ) ;
if ( err )
return err ;
2011-05-10 15:34:16 -07:00
2005-04-16 15:20:36 -07:00
err = register_filesystem ( & sel_fs_type ) ;
2011-05-10 15:34:16 -07:00
if ( err ) {
2015-05-13 17:35:41 -05:00
sysfs_remove_mount_point ( fs_kobj , " selinux " ) ;
2010-11-23 11:40:08 -05:00
return err ;
2011-05-10 15:34:16 -07:00
}
2010-11-23 11:40:08 -05:00
2024-03-28 20:16:58 +01:00
selinux_null . mnt = kern_mount ( & sel_fs_type ) ;
if ( IS_ERR ( selinux_null . mnt ) ) {
2018-06-12 10:09:06 +02:00
pr_err ( " selinuxfs: could not mount! \n " ) ;
2024-03-28 20:16:58 +01:00
err = PTR_ERR ( selinux_null . mnt ) ;
selinux_null . mnt = NULL ;
return err ;
2005-04-16 15:20:36 -07:00
}
2024-03-28 20:16:58 +01:00
2018-03-20 11:59:11 -04:00
selinux_null . dentry = d_hash_and_lookup ( selinux_null . mnt - > mnt_root ,
& null_name ) ;
if ( IS_ERR ( selinux_null . dentry ) ) {
pr_err ( " selinuxfs: could not lookup null! \n " ) ;
err = PTR_ERR ( selinux_null . dentry ) ;
selinux_null . dentry = NULL ;
2024-03-28 20:16:58 +01:00
return err ;
2018-03-20 11:59:11 -04:00
}
2010-11-23 11:40:08 -05:00
2024-04-05 17:50:33 +02:00
/*
* Try to pre - allocate the status page , so the sequence number of the
* initial policy load can be stored .
*/
( void ) selinux_kernel_status_page ( ) ;
2005-04-16 15:20:36 -07:00
return err ;
}
__initcall ( init_sel_fs ) ;