Commit 4aa17619 authored by Christian Göttsche's avatar Christian Göttsche Committed by Paul Moore

selinux: add support for xperms in conditional policies



Add support for extended permission rules in conditional policies.
Currently the kernel accepts such rules already, but evaluating a
security decision will hit a BUG() in
services_compute_xperms_decision().  Thus reject extended permission
rules in conditional policies for current policy versions.

Add a new policy version for this feature.

Signed-off-by: default avatarChristian Göttsche <cgzones@googlemail.com>
Acked-by: default avatarStephen Smalley <stephen.smalley.work@gmail.com>
Tested-by: default avatarStephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 034294fb
+2 −1
@@ -46,10 +46,11 @@
#define POLICYDB_VERSION_INFINIBAND	     31
#define POLICYDB_VERSION_GLBLUB		     32
#define POLICYDB_VERSION_COMP_FTRANS	     33 /* compressed filename transitions */
#define POLICYDB_VERSION_COND_XPERMS	     34 /* extended permissions in conditional policies */

/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_COMP_FTRANS
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_COND_XPERMS

/* Mask for just the mount related flags */
#define SE_MNTMASK 0x0f
+9 −2
@@ -339,7 +339,7 @@ static const uint16_t spec_order[] = {
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
		    int (*insertf)(struct avtab *a, const struct avtab_key *k,
				   const struct avtab_datum *d, void *p),
		    void *p)
		    void *p, bool conditional)
{
	__le16 buf16[4];
	u16 enabled;
@@ -457,6 +457,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
		       "was specified\n",
		       vers);
		return -EINVAL;
	} else if ((vers < POLICYDB_VERSION_COND_XPERMS) &&
		   (key.specified & AVTAB_XPERMS) && conditional) {
		pr_err("SELinux:  avtab:  policy version %u does not "
		       "support extended permissions rules in conditional "
		       "policies and one was specified\n",
		       vers);
		return -EINVAL;
	} else if (key.specified & AVTAB_XPERMS) {
		memset(&xperms, 0, sizeof(struct avtab_extended_perms));
		rc = next_entry(&xperms.specified, fp, sizeof(u8));
@@ -523,7 +530,7 @@ int avtab_read(struct avtab *a, void *fp, struct policydb *pol)
		goto bad;

	for (i = 0; i < nel; i++) {
		rc = avtab_read_item(a, fp, pol, avtab_insertf, NULL);
		rc = avtab_read_item(a, fp, pol, avtab_insertf, NULL, false);
		if (rc) {
			if (rc == -ENOMEM)
				pr_err("SELinux: avtab: out of memory\n");
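Review bot: The new gate at `} else if ((vers < POLICYDB_VERSION_COND_XPERMS) && (key.specified & AVTAB_XPERMS) && conditional)` only refuses conditional extended-permission rules for policies older than version 34; a version-34 policy carrying the same rules is now accepted at load time, so the decision path the description says currently reaches BUG() in services_compute_xperms_decision() must also learn to consult te_cond_avtab. That change is not among the file sections visible here — if it is part of the same commit elsewhere, fine; otherwise the BUG() is only moved from old policies to new ones. Failing the load with -EINVAL is the right place for this check, since a BUG() at access-decision time is reachable from any access check that matches such a rule, whereas policy load is a privileged, one-time operation. avtab_read_item's body continues outside the hunk.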
+1 −1
@@ -108,7 +108,7 @@ struct policydb;
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
		    int (*insert)(struct avtab *a, const struct avtab_key *k,
				  const struct avtab_datum *d, void *p),
		    void *p);
		    void *p, bool conditional);

int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
int avtab_write_item(struct policydb *p, const struct avtab_node *cur,
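Review bot: The new `conditional` parameter is not documented at its declaration, and the name alone does not say what it gates or which table it refers to. A short comment on the prototype would make the contract explicit, for example `/* conditional: true when reading te_cond_avtab; extended permission rules are then rejected for policy versions below POLICYDB_VERSION_COND_XPERMS */`. The two callers in this commit match that reading (avtab_read passes false, cond_read_av_list passes true), so the comment describes existing behaviour rather than adding any.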
+1 −1
@@ -349,7 +349,7 @@ static int cond_read_av_list(struct policydb *p, void *fp,
	for (i = 0; i < len; i++) {
		data.dst = &list->nodes[i];
		rc = avtab_read_item(&p->te_cond_avtab, fp, p, cond_insertf,
				     &data);
				     &data, true);
		if (rc) {
			kfree(list->nodes);
			list->nodes = NULL;
+5 −0
@@ -155,6 +155,11 @@ static const struct policydb_compat_info policydb_compat[] = {
		.sym_num = SYM_NUM,
		.ocon_num = OCON_NUM,
	},
	{
		.version = POLICYDB_VERSION_COND_XPERMS,
		.sym_num = SYM_NUM,
		.ocon_num = OCON_NUM,
	},
};

static const struct policydb_compat_info *