Skip to content

Commit

Permalink
Merge tag 'selinux-pr-20171113' of git://git.kernel.org/pub/scm/linux…
Browse files Browse the repository at this point in the history
…/kernel/git/pcmoore/selinux

Pull SELinux updates from Paul Moore:
 "Seven SELinux patches for v4.15, although five of the seven are small
  build fixes and cleanups.

  Of the remaining two patches, the only one worth really calling out is
  Eric's fix for the SELinux filesystem xattr set/remove code; the other
  patch simply converts the SELinux hash table implementation to use
  kmem_cache.

  Eric's setxattr/removexattr tweak converts SELinux back to calling the
  commoncap implementations when the xattr is not SELinux related. The
  immediate win is to fixup filesystem capabilities in user namespaces,
  but it makes things a bit saner overall; more information in the
  commit description"

* tag 'selinux-pr-20171113' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: remove extraneous initialization of slots_used and max_chain_len
  selinux: remove redundant assignment to len
  selinux: remove redundant assignment to str
  selinux: fix build warning
  selinux: fix build warning by removing the unused sid variable
  selinux: Perform both commoncap and selinux xattr checks
  selinux: Use kmem_cache for hashtab_node
  • Loading branch information
torvalds committed Nov 15, 2017
2 parents f9bab26 + 5794ed7 commit 8c38fb5
Show file tree
Hide file tree
Showing 5 changed files with 47 additions and 36 deletions.
55 changes: 23 additions & 32 deletions security/selinux/hooks.c
Original file line number Diff line number Diff line change
Expand Up @@ -2935,13 +2935,12 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
{
const struct task_security_struct *tsec = current_security();
struct superblock_security_struct *sbsec;
u32 sid, newsid, clen;
u32 newsid, clen;
int rc;
char *context;

sbsec = dir->i_sb->s_security;

sid = tsec->sid;
newsid = tsec->create_sid;

rc = selinux_determine_inode_label(current_security(),
Expand Down Expand Up @@ -3141,27 +3140,6 @@ static int selinux_inode_getattr(const struct path *path)
return path_has_perm(current_cred(), path, FILE__GETATTR);
}

static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
{
const struct cred *cred = current_cred();

if (!strncmp(name, XATTR_SECURITY_PREFIX,
sizeof XATTR_SECURITY_PREFIX - 1)) {
if (!strcmp(name, XATTR_NAME_CAPS)) {
if (!capable(CAP_SETFCAP))
return -EPERM;
} else if (!capable(CAP_SYS_ADMIN)) {
/* A different attribute in the security namespace.
Restrict to administrator. */
return -EPERM;
}
}

/* Not an attribute we recognize, so just check the
ordinary setattr permission. */
return dentry_has_perm(cred, dentry, FILE__SETATTR);
}

static bool has_cap_mac_admin(bool audit)
{
const struct cred *cred = current_cred();
Expand All @@ -3184,8 +3162,15 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
u32 newsid, sid = current_sid();
int rc = 0;

if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);
if (strcmp(name, XATTR_NAME_SELINUX)) {
rc = cap_inode_setxattr(dentry, name, value, size, flags);
if (rc)
return rc;

/* Not an attribute we recognize, so just check the
ordinary setattr permission. */
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}

sbsec = inode->i_sb->s_security;
if (!(sbsec->flags & SBLABEL_MNT))
Expand All @@ -3208,18 +3193,17 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
if (!has_cap_mac_admin(true)) {
struct audit_buffer *ab;
size_t audit_size;
const char *str;

/* We strip a nul only if it is at the end, otherwise the
* context contains a nul and we should audit that */
if (value) {
str = value;
const char *str = value;

if (str[size - 1] == '\0')
audit_size = size - 1;
else
audit_size = size;
} else {
str = "";
audit_size = 0;
}
ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
Expand Down Expand Up @@ -3299,8 +3283,15 @@ static int selinux_inode_listxattr(struct dentry *dentry)

static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
{
if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);
if (strcmp(name, XATTR_NAME_SELINUX)) {
int rc = cap_inode_removexattr(dentry, name);
if (rc)
return rc;

/* Not an attribute we recognize, so just check the
ordinary setattr permission. */
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}

/* No one is allowed to remove a SELinux security label.
You can change the label, but all data must be labeled. */
Expand Down Expand Up @@ -3995,8 +3986,8 @@ static int selinux_task_getioprio(struct task_struct *p)
PROCESS__GETSCHED, NULL);
}

int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
unsigned int flags)
static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
unsigned int flags)
{
u32 av = 0;

Expand Down
1 change: 0 additions & 1 deletion security/selinux/ss/conditional.c
Original file line number Diff line number Diff line change
Expand Up @@ -361,7 +361,6 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *

*ret_list = NULL;

len = 0;
rc = next_entry(buf, fp, sizeof(u32));
if (rc)
return rc;
Expand Down
19 changes: 16 additions & 3 deletions security/selinux/ss/hashtab.c
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@
#include <linux/sched.h>
#include "hashtab.h"

static struct kmem_cache *hashtab_node_cachep;

struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
u32 size)
Expand Down Expand Up @@ -58,7 +60,7 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum)
if (cur && (h->keycmp(h, key, cur->key) == 0))
return -EEXIST;

newnode = kzalloc(sizeof(*newnode), GFP_KERNEL);
newnode = kmem_cache_zalloc(hashtab_node_cachep, GFP_KERNEL);
if (!newnode)
return -ENOMEM;
newnode->key = key;
Expand Down Expand Up @@ -107,7 +109,7 @@ void hashtab_destroy(struct hashtab *h)
while (cur) {
temp = cur;
cur = cur->next;
kfree(temp);
kmem_cache_free(hashtab_node_cachep, temp);
}
h->htable[i] = NULL;
}
Expand Down Expand Up @@ -149,7 +151,7 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info)

slots_used = 0;
max_chain_len = 0;
for (slots_used = max_chain_len = i = 0; i < h->size; i++) {
for (i = 0; i < h->size; i++) {
cur = h->htable[i];
if (cur) {
slots_used++;
Expand All @@ -167,3 +169,14 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info)
info->slots_used = slots_used;
info->max_chain_len = max_chain_len;
}
void hashtab_cache_init(void)
{
hashtab_node_cachep = kmem_cache_create("hashtab_node",
sizeof(struct hashtab_node),
0, SLAB_PANIC, NULL);
}

void hashtab_cache_destroy(void)
{
kmem_cache_destroy(hashtab_node_cachep);
}
4 changes: 4 additions & 0 deletions security/selinux/ss/hashtab.h
Original file line number Diff line number Diff line change
Expand Up @@ -85,4 +85,8 @@ int hashtab_map(struct hashtab *h,
/* Fill info with some hash table statistics */
void hashtab_stat(struct hashtab *h, struct hashtab_info *info);

/* Use kmem_cache for hashtab_node */
void hashtab_cache_init(void);
void hashtab_cache_destroy(void);

#endif /* _SS_HASHTAB_H */
4 changes: 4 additions & 0 deletions security/selinux/ss/services.c
Original file line number Diff line number Diff line change
Expand Up @@ -2060,10 +2060,12 @@ int security_load_policy(void *data, size_t len)
if (!ss_initialized) {
avtab_cache_init();
ebitmap_cache_init();
hashtab_cache_init();
rc = policydb_read(&policydb, fp);
if (rc) {
avtab_cache_destroy();
ebitmap_cache_destroy();
hashtab_cache_destroy();
goto out;
}

Expand All @@ -2075,6 +2077,7 @@ int security_load_policy(void *data, size_t len)
policydb_destroy(&policydb);
avtab_cache_destroy();
ebitmap_cache_destroy();
hashtab_cache_destroy();
goto out;
}

Expand All @@ -2083,6 +2086,7 @@ int security_load_policy(void *data, size_t len)
policydb_destroy(&policydb);
avtab_cache_destroy();
ebitmap_cache_destroy();
hashtab_cache_destroy();
goto out;
}

Expand Down

0 comments on commit 8c38fb5

Please sign in to comment.