From 341e0cb593a2b7ec86dd6ca96c68eadc3f6fe1e6 Mon Sep 17 00:00:00 2001 From: Janak Desai Date: Mon, 28 Mar 2016 11:09:46 -0400 Subject: [PATCH 01/11] netlabel: fix a problem with netlbl_secattr_catmap_setrng() We try to be clever and set large chunks of the bitmap at once, when possible; unfortunately we weren't very clever when we wrote the code and messed up the if-conditional. Fix this bug and restore proper operation. Signed-off-by: Janak Desai Signed-off-by: Paul Moore --- net/netlabel/netlabel_kapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index 28cddc85b700..1325776daa27 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -677,7 +677,7 @@ int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap, u32 spot = start; while (rc == 0 && spot <= end) { - if (((spot & (BITS_PER_LONG - 1)) != 0) && + if (((spot & (BITS_PER_LONG - 1)) == 0) && ((end - spot) > BITS_PER_LONG)) { rc = netlbl_catmap_setlong(catmap, spot, From 899134f2f6e27dcae1fee12593c492577cc80987 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Mon, 28 Mar 2016 15:19:10 -0400 Subject: [PATCH 02/11] selinux: don't revalidate inodes in selinux_socket_getpeersec_dgram() We don't have to worry about socket inodes being invalidated so use inode_security_novalidate() to fetch the inode's security blob. Signed-off-by: Paul Moore --- security/selinux/hooks.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 912deee3f01e..65642be91644 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4598,6 +4598,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * { u32 peer_secid = SECSID_NULL; u16 family; + struct inode_security_struct *isec; if (skb && skb->protocol == htons(ETH_P_IP)) family = PF_INET; 
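Review bot: The fast-path test inside the `while` loop of netlbl_catmap_setrng() has no comment, and the bug fixed here was an inverted alignment test on exactly this line. I would add `/* fast path: spot is long-aligned and more than BITS_PER_LONG bits remain */` above the `if`. Assuming netlbl_catmap_setlong() sets one whole long starting at `spot`, `(end - spot) > BITS_PER_LONG` is stricter than needed (a full long fits whenever `end - spot >= BITS_PER_LONG - 1`). That is safe, but worth stating so the boundary is not adjusted later without checking. The loop body continues outside the hunk.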
@@ -4608,9 +4609,10 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * else goto out; - if (sock && family == PF_UNIX) - selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid); - else if (skb) + if (sock && family == PF_UNIX) { + isec = inode_security_novalidate(SOCK_INODE(sock)); + peer_secid = isec->sid; + } else if (skb) selinux_skb_peerlbl_sid(skb, family, &peer_secid); out: From 4b57d6bcd94034e2eb168bdec2474e3b2b848e44 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Mon, 28 Mar 2016 15:16:53 -0400 Subject: [PATCH 03/11] selinux: simply inode label states to INVALID and INITIALIZED There really is no need for LABEL_MISSING as we really only care if the inode's label is INVALID or INITIALIZED. Also adjust the revalidate code to reload the label whenever the label is not INITIALIZED so we are less sensitive to label state in the future. Signed-off-by: Paul Moore --- security/selinux/hooks.c | 2 +- security/selinux/include/objsec.h | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 65642be91644..dd1fbea37b78 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -259,7 +259,7 @@ static int __inode_security_revalidate(struct inode *inode, might_sleep_if(may_sleep); - if (isec->initialized == LABEL_INVALID) { + if (isec->initialized != LABEL_INITIALIZED) { if (!may_sleep) return -ECHILD; diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index a2ae05414ba1..c21e135460a5 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -38,9 +38,8 @@ struct task_security_struct { }; enum label_initialized { - LABEL_MISSING, /* not initialized */ - LABEL_INITIALIZED, /* inizialized */ - LABEL_INVALID /* invalid */ + LABEL_INVALID, /* invalid or not initialized */ + LABEL_INITIALIZED /* initialized */ }; struct inode_security_struct { 
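Review bot: The PF_UNIX branch of selinux_socket_getpeersec_dgram() reads `isec->sid` straight from inode_security_novalidate(), and nothing at the call site records why skipping revalidation is safe; the reasoning exists only in the commit message. A one-line comment such as `/* socket inodes are never invalidated, so skip revalidation */` above the call would keep that assumption visible. Separately, kernel style wants braces on every branch once one branch has them, so the `else if (skb)` arm should become `} else if (skb) {` with its own closing brace. The function starts in the previous hunk and ends outside this one.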
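Review bot: In `enum label_initialized` the comment on LABEL_INVALID does not say that its position as the zero value matters. If inode_security_struct is allocated zero-filled (not visible here), a fresh blob is treated as needing a reload by the new `!= LABEL_INITIALIZED` test in __inode_security_revalidate() only because LABEL_INITIALIZED is not the zero enumerator. I would pin that with `LABEL_INVALID = 0, /* invalid or not initialized; must stay the zero value */`. Any remaining user of LABEL_MISSING outside these hunks would fail to build, so a tree-wide grep before merging is worthwhile.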
From 0c6181cb301fd04a5800920ba423be753b0a4a01 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 30 Mar 2016 21:41:21 -0400 Subject: [PATCH 04/11] selinux: consolidate the ptrace parent lookup code We lookup the tracing parent in two places, using effectively the same code, let's consolidate it. Signed-off-by: Paul Moore --- security/selinux/hooks.c | 38 +++++++++++++++++--------------------- 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index dd1fbea37b78..5003b5aa3b43 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2229,6 +2229,20 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) /* binprm security operations */ +static u32 ptrace_parent_sid(struct task_struct *task) +{ + u32 sid = 0; + struct task_struct *tracer; + + rcu_read_lock(); + tracer = ptrace_parent(task); + if (tracer) + sid = task_sid(tracer); + rcu_read_unlock(); + + return sid; +} + static int check_nnp_nosuid(const struct linux_binprm *bprm, const struct task_security_struct *old_tsec, const struct task_security_struct *new_tsec) @@ -2350,18 +2364,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) * changes its SID has the appropriate permit */ if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { - struct task_struct *tracer; - struct task_security_struct *sec; - u32 ptsid = 0; - - rcu_read_lock(); - tracer = ptrace_parent(current); - if (likely(tracer != NULL)) { - sec = __task_cred(tracer)->security; - ptsid = sec->sid; - } - rcu_read_unlock(); - + u32 ptsid = ptrace_parent_sid(current); if (ptsid != 0) { rc = avc_has_perm(ptsid, new_tsec->sid, SECCLASS_PROCESS, @@ -5677,7 +5680,6 @@ static int selinux_setprocattr(struct task_struct *p, char *name, void *value, size_t size) { struct task_security_struct *tsec; - struct task_struct *tracer; struct cred *new; u32 sid = 0, ptsid; int error; 
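Review bot: ptrace_parent_sid() uses a bare `0` as its "no tracer" result and both callers test `ptsid != 0`, although the file already has SECSID_NULL for this purpose (see `u32 peer_secid = SECSID_NULL;` in selinux_socket_getpeersec_dgram()). I would write `u32 sid = SECSID_NULL;` in the helper and `if (ptsid != SECSID_NULL)` in selinux_bprm_set_creds() and in the later selinux_setprocattr() hunk. The helper should also get a short comment saying it returns the tracer's SID, or the null SID when the task is not being traced. In selinux_setprocattr() the condition changes from `if (tracer)` to `if (ptsid != 0)`, so the ptrace permission check now depends on a real tracer never having SID 0. That is presumably always true, but the helper's comment should state that it relies on it.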
@@ -5784,14 +5786,8 @@ static int selinux_setprocattr(struct task_struct *p, /* Check for ptracing, and update the task SID if ok. Otherwise, leave SID unchanged and fail. */ - ptsid = 0; - rcu_read_lock(); - tracer = ptrace_parent(p); - if (tracer) - ptsid = task_sid(tracer); - rcu_read_unlock(); - - if (tracer) { + ptsid = ptrace_parent_sid(p); + if (ptsid != 0) { error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); if (error) From 61d612ea731e57dc510472fb746b55cdc017f371 Mon Sep 17 00:00:00 2001 From: Jeff Vander Stoep Date: Tue, 5 Apr 2016 13:06:27 -0700 Subject: [PATCH 05/11] selinux: restrict kernel module loading Utilize existing kernel_read_file hook on kernel module load. Add module_load permission to the system class. Enforces restrictions on kernel module origin when calling the finit_module syscall. The hook checks that source type has permission module_load for the target type. Example for finit_module: allow foo bar_file:system module_load; Similarly restrictions are enforced on kernel module loading when calling the init_module syscall. The hook checks that source type has permission module_load with itself as the target object because the kernel module is sourced from the calling process. Example for init_module: allow foo foo:system module_load; Signed-off-by: Jeff Vander Stoep [PM: fixed return value of selinux_kernel_read_file()] Signed-off-by: Paul Moore --- security/selinux/hooks.c | 47 +++++++++++++++++++++++++++++ security/selinux/include/classmap.h | 2 +- 2 files changed, 48 insertions(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5003b5aa3b43..fce7dc81f2d9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -3722,6 +3722,52 @@ static int selinux_kernel_module_request(char *kmod_name) SYSTEM__MODULE_REQUEST, &ad); } +static int selinux_kernel_module_from_file(struct file *file) +{ + struct common_audit_data ad; + struct inode_security_struct *isec; + struct file_security_struct *fsec; + u32 sid = current_sid(); + int rc; + + /* init_module */ + if (file == NULL) + return avc_has_perm(sid, sid, SECCLASS_SYSTEM, + SYSTEM__MODULE_LOAD, NULL); + + /* finit_module */ + ad.type = LSM_AUDIT_DATA_PATH; + ad.u.path = file->f_path; + + isec = inode_security(file_inode(file)); + fsec = file->f_security; + + if (sid != fsec->sid) { + rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); + if (rc) + return rc; + } + + return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, + SYSTEM__MODULE_LOAD, &ad); +} + +static int selinux_kernel_read_file(struct file *file, + enum kernel_read_file_id id) +{ + int rc = 0; + + switch (id) { + case READING_MODULE: + rc = selinux_kernel_module_from_file(file); + break; + default: + break; + } + + return rc; +} + static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) { return current_has_perm(p, PROCESS__SETPGID); @@ -6018,6 +6064,7 @@ static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), + LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), LSM_HOOK_INIT(task_getsid, selinux_task_getsid), diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index ef83c4b85a33..8fbd1383d75e 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h 
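Review bot: selinux_kernel_read_file() returns 0 from its `default:` branch, so every `enum kernel_read_file_id` value other than READING_MODULE passes without any SELinux check, and the code does not say that this is deliberate. A comment on the `default:` case, for example `/* other read types are not mediated by SELinux here */`, would stop a reader from assuming the hook covers all kernel file reads. In selinux_kernel_module_from_file(), the bare `/* init_module */` and `/* finit_module */` markers would be clearer as sentences. They should explain that a NULL `file` means the module image came from the caller's own memory, which is why the task SID is used as both source and target.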
@@ -32,7 +32,7 @@ struct security_class_mapping secclass_map[] = { "setsockcreate", NULL } }, { "system", { "ipc_info", "syslog_read", "syslog_mod", - "syslog_console", "module_request", NULL } }, + "syslog_console", "module_request", "module_load", NULL } }, { "capability", { "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", From 0fd71a620be8648486a126fccadf9f7c2a818676 Mon Sep 17 00:00:00 2001 From: Prarit Bhargava Date: Thu, 14 Apr 2016 10:40:57 -0400 Subject: [PATCH 06/11] selinux: Change bool variable name to index. security_get_bool_value(int bool) argument "bool" conflicts with in-kernel macros such as BUILD_BUG(). This patch changes this to index which isn't a type. Cc: Paul Moore Cc: Stephen Smalley Cc: Eric Paris Cc: James Morris Cc: "Serge E. Hallyn" Cc: Rasmus Villemoes Cc: Andrew Perepechko Cc: Jeff Vander Stoep Cc: selinux@tycho.nsa.gov Cc: Eric Paris Cc: Paul Moore Cc: David Howells Signed-off-by: Prarit Bhargava Acked-by: David Howells [PM: wrapped description for checkpatch.pl, use "selinux:..." as subj] Signed-off-by: Paul Moore --- security/selinux/include/conditional.h | 2 +- security/selinux/ss/services.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/security/selinux/include/conditional.h b/security/selinux/include/conditional.h index 67ce7a8d8301..ff4fddca9050 100644 --- a/security/selinux/include/conditional.h +++ b/security/selinux/include/conditional.h @@ -17,6 +17,6 @@ int security_get_bools(int *len, char ***names, int **values); int security_set_bools(int len, int *values); -int security_get_bool_value(int bool); +int security_get_bool_value(int index); #endif diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index ebda97333f1b..89df64672b89 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c 
@@ -2696,7 +2696,7 @@ int security_set_bools(int len, int *values) return rc; } -int security_get_bool_value(int bool) +int security_get_bool_value(int index) { int rc; int len; @@ -2705,10 +2705,10 @@ int security_get_bool_value(int bool) rc = -EFAULT; len = policydb.p_bools.nprim; - if (bool >= len) + if (index >= len) goto out; - rc = policydb.bool_val_to_struct[bool]->state; + rc = policydb.bool_val_to_struct[index]->state; out: read_unlock(&policy_rwlock); return rc; From 2c97165befb487c0dc8b25d39f457d0d91d22a6f Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Tue, 19 Apr 2016 16:36:28 -0400 Subject: [PATCH 07/11] selinux: don't revalidate an inode's label when explicitly setting it There is no point in attempting to revalidate an inode's security label when we are in the process of setting it. Reported-by: Stephen Smalley Signed-off-by: Paul Moore --- security/selinux/hooks.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fce7dc81f2d9..f8ecc0a3c0fa 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -297,6 +297,13 @@ static struct inode_security_struct *inode_security(struct inode *inode) return inode->i_security; } +static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) +{ + struct inode *inode = d_backing_inode(dentry); + + return inode->i_security; +} + /* * Get the security label of a dentry's backing inode. */ @@ -686,7 +693,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, struct superblock_security_struct *sbsec = sb->s_security; const char *name = sb->s_type->name; struct dentry *root = sbsec->sb->s_root; - struct inode_security_struct *root_isec = backing_inode_security(root); + struct inode_security_struct *root_isec; u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; u32 defcontext_sid = 0; char **mount_options = opts->mnt_opts; 
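Review bot: The bounds check in security_get_bool_value() rejects only `index >= len`, so a negative `index` still reaches `policydb.bool_val_to_struct[index]` and reads before the start of the array. The rename itself is fine, but since this line is being touched the guard should become `if (index < 0 || index >= len)`. Whether any caller can pass a negative value is not visible from these hunks; the extra comparison is cheap either way. Part of the function body lies between the two services.c hunks and is not shown.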
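Review bot: backing_inode_security_novalidate() is added without a comment, directly above a neighbour that has one (`Get the security label of a dentry's backing inode.`), so the difference between the two helpers is not stated anywhere in the code. I would add `/* Get the security label of a dentry's backing inode without revalidating it; intended for callers that are about to set the label. */`. The signature line is also well over 80 columns and could be broken after the return type, with `static struct inode_security_struct *` on one line and `backing_inode_security_novalidate(struct dentry *dentry)` on the next.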
@@ -729,6 +736,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, && (num_opts == 0)) goto out; + root_isec = backing_inode_security_novalidate(root); + /* * parse the mount options, check if they are valid sids. * also check if someone is trying to mount the same sb more @@ -3222,7 +3231,7 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void static int selinux_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) { - struct inode_security_struct *isec = inode_security(inode); + struct inode_security_struct *isec = inode_security_novalidate(inode); u32 newsid; int rc; From 20cdef8d57591ec8674f65ccfe555aca5fd10b64 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Mon, 4 Apr 2016 14:14:42 -0400 Subject: [PATCH 08/11] selinux: delay inode label lookup as long as possible Since looking up an inode's label can result in revalidation, delay the lookup as long as possible to limit the performance impact. Signed-off-by: Paul Moore --- security/selinux/hooks.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f8ecc0a3c0fa..b09aad7ad423 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1790,7 +1790,6 @@ static int selinux_determine_inode_label(struct inode *dir, u32 *_new_isid) { const struct superblock_security_struct *sbsec = dir->i_sb->s_security; - const struct inode_security_struct *dsec = inode_security(dir); const struct task_security_struct *tsec = current_security(); if ((sbsec->flags & SE_SBINITIALIZED) && @@ -1800,6 +1799,7 @@ static int selinux_determine_inode_label(struct inode *dir, tsec->create_sid) { *_new_isid = tsec->create_sid; } else { + const struct inode_security_struct *dsec = inode_security(dir); return security_transition_sid(tsec->sid, dsec->sid, tclass, name, _new_isid); } 
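Review bot: In the `else` branch of selinux_determine_inode_label() the new declaration `const struct inode_security_struct *dsec = inode_security(dir);` is followed directly by the `return` statement. Kernel style (and checkpatch) expects a blank line between declarations and the first statement of a block. Splitting it into a declaration, a blank line, and the `return security_transition_sid(...)` call also makes it easier to see that the lookup now happens only on this path. The function starts in the previous hunk and ends outside this one.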
@@ -2084,7 +2084,7 @@ static int selinux_binder_transfer_file(struct task_struct *from, u32 sid = task_sid(to); struct file_security_struct *fsec = file->f_security; struct dentry *dentry = file->f_path.dentry; - struct inode_security_struct *isec = backing_inode_security(dentry); + struct inode_security_struct *isec; struct common_audit_data ad; int rc; @@ -2103,6 +2103,7 @@ static int selinux_binder_transfer_file(struct task_struct *from, if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; + isec = backing_inode_security(dentry); return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), &ad); } @@ -3057,7 +3058,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { struct inode *inode = d_backing_inode(dentry); - struct inode_security_struct *isec = backing_inode_security(dentry); + struct inode_security_struct *isec; struct superblock_security_struct *sbsec; struct common_audit_data ad; u32 newsid, sid = current_sid(); @@ -3076,6 +3077,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, ad.type = LSM_AUDIT_DATA_DENTRY; ad.u.dentry = dentry; + isec = backing_inode_security(dentry); rc = avc_has_perm(sid, isec->sid, isec->sclass, FILE__RELABELFROM, &ad); if (rc) @@ -3134,7 +3136,7 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, int flags) { struct inode *inode = d_backing_inode(dentry); - struct inode_security_struct *isec = backing_inode_security(dentry); + struct inode_security_struct *isec; u32 newsid; int rc; @@ -3151,6 +3153,7 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, return; } + isec = backing_inode_security(dentry); isec->sclass = inode_mode_to_security_class(inode->i_mode); isec->sid = newsid; isec->initialized = LABEL_INITIALIZED; 
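Review bot: selinux_inode_post_setxattr() fetches the blob with backing_inode_security(), which can trigger revalidation, and then immediately overwrites `sclass`, `sid` and `initialized`. An earlier patch in this series ("don't revalidate an inode's label when explicitly setting it") avoids that pattern elsewhere, so this site should use `isec = backing_inode_security_novalidate(dentry);` for consistency. The function starts in the preceding hunk and ends outside this one.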
@@ -3192,7 +3195,7 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void u32 size; int error; char *context = NULL; - struct inode_security_struct *isec = inode_security(inode); + struct inode_security_struct *isec; if (strcmp(name, XATTR_SELINUX_SUFFIX)) return -EOPNOTSUPP; @@ -3211,6 +3214,7 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void if (!error) error = cred_has_capability(current_cred(), CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT); + isec = inode_security(inode); if (!error) error = security_sid_to_context_force(isec->sid, &context, &size); @@ -3320,7 +3324,7 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file, struct common_audit_data ad; struct file_security_struct *fsec = file->f_security; struct inode *inode = file_inode(file); - struct inode_security_struct *isec = inode_security(inode); + struct inode_security_struct *isec; struct lsm_ioctlop_audit ioctl; u32 ssid = cred_sid(cred); int rc; @@ -3344,6 +3348,7 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file, if (unlikely(IS_PRIVATE(inode))) return 0; + isec = inode_security(inode); rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested, driver, xperm, &ad); out: @@ -3745,18 +3750,18 @@ static int selinux_kernel_module_from_file(struct file *file) SYSTEM__MODULE_LOAD, NULL); /* finit_module */ + ad.type = LSM_AUDIT_DATA_PATH; ad.u.path = file->f_path; - isec = inode_security(file_inode(file)); fsec = file->f_security; - if (sid != fsec->sid) { rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); if (rc) return rc; } + isec = inode_security(file_inode(file)); return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, SYSTEM__MODULE_LOAD, &ad); } From 1ac42476263eec99fb2d3c31ee946cb44e80ddd5 Mon Sep 17 00:00:00 2001 
From: Paul Moore Date: Mon, 18 Apr 2016 16:41:38 -0400 Subject: [PATCH 09/11] selinux: check ss_initialized before revalidating an inode label There is no point in trying to revalidate an inode's security label if the security server is not yet initialized. Signed-off-by: Paul Moore --- security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b09aad7ad423..474011c46bbd 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -259,7 +259,7 @@ static int __inode_security_revalidate(struct inode *inode, might_sleep_if(may_sleep); - if (isec->initialized != LABEL_INITIALIZED) { + if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { if (!may_sleep) return -ECHILD; From 8e4ff6f228e4722cac74db716e308d1da33d744f Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 8 Apr 2016 13:52:00 -0400 Subject: [PATCH 10/11] selinux: distinguish non-init user namespace capability checks Distinguish capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This is needed to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Suggested-by: Dan Walsh Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore --- security/selinux/hooks.c | 14 +++++++------- security/selinux/include/classmap.h | 28 ++++++++++++++++++---------- 2 files changed, 25 insertions(+), 17 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 474011c46bbd..bbff80c6d3f2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
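Review bot: The new `ss_initialized &&` test in __inode_security_revalidate() needs a comment saying what happens to inodes that are looked up before policy load. As far as the hunk shows, such an inode skips the reload and continues with `isec->initialized` still not LABEL_INITIALIZED, so callers receive a blob whose label has not been set up. A comment above the test, for example `/* before policy load there is nothing to revalidate against; labels are set up later */`, would do, adjusted to name whatever mechanism actually performs that later setup. The rest of the function is outside the hunk.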
@@ -1631,7 +1631,7 @@ static int current_has_perm(const struct task_struct *tsk, /* Check whether a task is allowed to use a capability. */ static int cred_has_capability(const struct cred *cred, - int cap, int audit) + int cap, int audit, bool initns) { struct common_audit_data ad; struct av_decision avd; @@ -1645,10 +1645,10 @@ static int cred_has_capability(const struct cred *cred, switch (CAP_TO_INDEX(cap)) { case 0: - sclass = SECCLASS_CAPABILITY; + sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; break; case 1: - sclass = SECCLASS_CAPABILITY2; + sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; break; default: printk(KERN_ERR @@ -2152,7 +2152,7 @@ static int selinux_capset(struct cred *new, const struct cred *old, static int selinux_capable(const struct cred *cred, struct user_namespace *ns, int cap, int audit) { - return cred_has_capability(cred, cap, audit); + return cred_has_capability(cred, cap, audit, ns == &init_user_ns); } static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) @@ -2230,7 +2230,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) int rc, cap_sys_admin = 0; rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, - SECURITY_CAP_NOAUDIT); + SECURITY_CAP_NOAUDIT, true); if (rc == 0) cap_sys_admin = 1; @@ -3213,7 +3213,7 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void SECURITY_CAP_NOAUDIT); if (!error) error = cred_has_capability(current_cred(), CAP_MAC_ADMIN, - SECURITY_CAP_NOAUDIT); + SECURITY_CAP_NOAUDIT, true); isec = inode_security(inode); if (!error) error = security_sid_to_context_force(isec->sid, &context, @@ -3390,7 +3390,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, case KDSKBENT: case KDSKBSENT: error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, - SECURITY_CAP_AUDIT); + SECURITY_CAP_AUDIT, true); break; /* default case assumes that the command will go 
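Review bot: The three internal callers of cred_has_capability() (selinux_vm_enough_memory(), selinux_inode_getsecurity() and selinux_file_ioctl()) pass a bare `true` for `initns`, which is unreadable at the call site. It also hides a policy decision: these checks always use the init-namespace classes, whatever user namespace the caller is in. If that is intended, say so once in the comment above cred_has_capability(), e.g. `/* initns: true if the target is in the init user namespace; internal callers always check against init */`. It is also worth documenting how a loaded policy that does not define `cap_userns` and `cap2_userns` is treated, since that behaviour is decided outside these hunks.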
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 8fbd1383d75e..1f1f4b2f6018 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -12,6 +12,18 @@ #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ "write", "associate", "unix_read", "unix_write" +#define COMMON_CAP_PERMS "chown", "dac_override", "dac_read_search", \ + "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \ + "linux_immutable", "net_bind_service", "net_broadcast", \ + "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \ + "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \ + "sys_boot", "sys_nice", "sys_resource", "sys_time", \ + "sys_tty_config", "mknod", "lease", "audit_write", \ + "audit_control", "setfcap" + +#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \ + "wake_alarm", "block_suspend", "audit_read" + /* * Note: The name for any socket class should be suffixed by "socket", * and doesn't contain more than one substr of "socket". @@ -34,14 +46,7 @@ struct security_class_mapping secclass_map[] = { { "ipc_info", "syslog_read", "syslog_mod", "syslog_console", "module_request", "module_load", NULL } }, { "capability", - { "chown", "dac_override", "dac_read_search", - "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", - "linux_immutable", "net_bind_service", "net_broadcast", - "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", - "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", - "sys_boot", "sys_nice", "sys_resource", "sys_time", - "sys_tty_config", "mknod", "lease", "audit_write", - "audit_control", "setfcap", NULL } }, + { COMMON_CAP_PERMS, NULL } }, { "filesystem", { "mount", "remount", "unmount", "getattr", "relabelfrom", "relabelto", "associate", "quotamod", 
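Review bot: COMMON_CAP_PERMS and COMMON_CAP2_PERMS carry no comment saying whether the order of the strings is significant. cred_has_capability() selects the class from CAP_TO_INDEX(cap); if the permission bit is likewise derived from the capability number (not visible on this page), an inserted or reordered entry would silently map a capability to the wrong permission. Because the macros are shared, that would affect both the init and the userns classes. I would add `/* order must match the capability numbering; append only */` above each macro after confirming that assumption.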
@@ -150,12 +155,15 @@ struct security_class_mapping secclass_map[] = { { "memprotect", { "mmap_zero", NULL } }, { "peer", { "recv", NULL } }, { "capability2", - { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", - "audit_read", NULL } }, + { COMMON_CAP2_PERMS, NULL } }, { "kernel_service", { "use_as_override", "create_files_as", NULL } }, { "tun_socket", { COMMON_SOCK_PERMS, "attach_queue", NULL } }, { "binder", { "impersonate", "call", "set_context_mgr", "transfer", NULL } }, + { "cap_userns", + { COMMON_CAP_PERMS, NULL } }, + { "cap2_userns", + { COMMON_CAP2_PERMS, NULL } }, { NULL } }; From c2316dbf124257ae19fd2e29cb5ec51060649d38 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 8 Apr 2016 13:55:03 -0400 Subject: [PATCH 11/11] selinux: apply execstack check on thread stacks The execstack check was only being applied on the main process stack. Thread stacks allocated via mmap were only subject to the execmem permission check. Augment the check to apply to the current thread stack as well. Note that this does NOT prevent making a different thread's stack executable. Suggested-by: Nick Kralevich Acked-by: Nick Kralevich Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore --- security/selinux/hooks.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index bbff80c6d3f2..a00ab81ab719 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3479,8 +3479,9 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, vma->vm_end <= vma->vm_mm->brk) { rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); } else if (!vma->vm_file && - vma->vm_start <= vma->vm_mm->start_stack && - vma->vm_end >= vma->vm_mm->start_stack) { + ((vma->vm_start <= vma->vm_mm->start_stack && + vma->vm_end >= vma->vm_mm->start_stack) || + vma_is_stack_for_task(vma, current))) { rc = current_has_perm(current, PROCESS__EXECSTACK); } else if (vma->vm_file && vma->anon_vma) { /*
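Review bot: The extended stack test in selinux_file_mprotect() covers only the main stack and the calling thread's stack, and the code does not record the limitation that the commit message admits: another thread's stack is still not subject to the execstack check. I would add a comment above the `else if`, such as `/* main stack or current thread's stack only; other threads' stacks are not covered */`, so that policy authors reading the hook do not treat execstack as complete coverage. The condition is now several lines of nested parentheses, and moving it into a small static helper would make it easier to audit. The function starts and ends outside the hunk.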