/* Updated: Karl MacMillan <kmacmillan@tresys.com>
*
- * Added conditional policy language extensions
+ * Added conditional policy language extensions
*
+ * Updated: Hewlett-Packard <paul.moore@hp.com>
+ *
+ * Added support for the policy capability bitmap
+ *
+ * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
* Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
* This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
+ * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
#include <linux/percpu.h>
#include <linux/audit.h>
#include <asm/uaccess.h>
-#include <asm/semaphore.h>
/* selinuxfs pseudo filesystem for exporting the security policy API.
Based on the proc code and the fs/nfsd/nfsctl.c code. */
#include "objsec.h"
#include "conditional.h"
+/* Policy capability filenames */
+static char *policycap_names[] = {
+ "network_peer_controls",
+ "open_perms"
+};
+
unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
static int __init checkreqprot_setup(char *str)
{
- selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0;
+ selinux_checkreqprot = simple_strtoul(str, NULL, 0) ? 1 : 0;
return 1;
}
__setup("checkreqprot=", checkreqprot_setup);
static int __init selinux_compat_net_setup(char *str)
{
- selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0;
+ selinux_compat_net = simple_strtoul(str, NULL, 0) ? 1 : 0;
return 1;
}
__setup("selinux_compat_net=", selinux_compat_net_setup);
static DEFINE_MUTEX(sel_mutex);
/* global data for booleans */
-static struct dentry *bool_dir = NULL;
-static int bool_num = 0;
+static struct dentry *bool_dir;
+static int bool_num;
static char **bool_pending_names;
-static int *bool_pending_values = NULL;
+static int *bool_pending_values;
/* global data for classes */
-static struct dentry *class_dir = NULL;
+static struct dentry *class_dir;
static unsigned long last_class_ino;
+/* global data for policy capabilities */
+static struct dentry *policycap_dir;
+
extern void selnl_notify_setenforce(int val);
/* Check whether a task is allowed to use a security operation. */
static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
-#define SEL_INITCON_INO_OFFSET 0x01000000
-#define SEL_BOOL_INO_OFFSET 0x02000000
-#define SEL_CLASS_INO_OFFSET 0x04000000
-#define SEL_INO_MASK 0x00ffffff
+#define SEL_INITCON_INO_OFFSET 0x01000000
+#define SEL_BOOL_INO_OFFSET 0x02000000
+#define SEL_CLASS_INO_OFFSET 0x04000000
+#define SEL_POLICYCAP_INO_OFFSET 0x08000000
+#define SEL_INO_MASK 0x00ffffff
#define TMPBUFLEN 12
static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
}
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
+static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
/* No partial writes. */
return -EINVAL;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
if (length)
goto out;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
- "enforcing=%d old_enforcing=%d auid=%u", new_value,
- selinux_enforcing,
- audit_get_loginuid(current->audit_context));
+ "enforcing=%d old_enforcing=%d auid=%u ses=%u",
+ new_value, selinux_enforcing,
+ audit_get_loginuid(current),
+ audit_get_sessionid(current));
selinux_enforcing = new_value;
if (selinux_enforcing)
avc_ss_reset(0);
};
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-static ssize_t sel_write_disable(struct file * file, const char __user * buf,
+static ssize_t sel_write_disable(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
/* No partial writes. */
return -EINVAL;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
if (length < 0)
goto out;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
- "selinux=0 auid=%u",
- audit_get_loginuid(current->audit_context));
+ "selinux=0 auid=%u ses=%u",
+ audit_get_loginuid(current),
+ audit_get_sessionid(current));
}
length = count;
};
static ssize_t sel_read_policyvers(struct file *filp, char __user *buf,
- size_t count, loff_t *ppos)
+ size_t count, loff_t *ppos)
{
char tmpbuf[TMPBUFLEN];
ssize_t length;
/* declaration for sel_write_load */
static int sel_make_bools(void);
static int sel_make_classes(void);
+static int sel_make_policycap(void);
/* declaration for sel_make_class_dirs */
static int sel_make_dir(struct inode *dir, struct dentry *dentry,
.read = sel_read_mls,
};
-static ssize_t sel_write_load(struct file * file, const char __user * buf,
+static ssize_t sel_write_load(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
}
ret = sel_make_classes();
+ if (ret) {
+ length = ret;
+ goto out1;
+ }
+
+ ret = sel_make_policycap();
if (ret)
length = ret;
else
(security_get_allow_unknown() ? "allow" : "deny")));
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
- "policy loaded auid=%u",
- audit_get_loginuid(current->audit_context));
+ "policy loaded auid=%u ses=%u",
+ audit_get_loginuid(current),
+ audit_get_sessionid(current));
out:
mutex_unlock(&sel_mutex);
vfree(data);
.write = sel_write_load,
};
-static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
{
char *canon;
u32 sid, len;
return length;
if (len > SIMPLE_TRANSACTION_LIMIT) {
- printk(KERN_ERR "%s: context size (%u) exceeds payload "
- "max\n", __FUNCTION__, len);
+ printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
+ "payload max\n", __func__, len);
length = -ERANGE;
goto out;
}
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
-static ssize_t sel_write_checkreqprot(struct file * file, const char __user * buf,
+static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char *page;
/* No partial writes. */
return -EINVAL;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
-static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
+static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char *page;
/* No partial writes. */
return -EINVAL;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
/*
* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
*/
-static ssize_t sel_write_access(struct file * file, char *buf, size_t size);
-static ssize_t sel_write_create(struct file * file, char *buf, size_t size);
-static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size);
-static ssize_t sel_write_user(struct file * file, char *buf, size_t size);
-static ssize_t sel_write_member(struct file * file, char *buf, size_t size);
+static ssize_t sel_write_access(struct file *file, char *buf, size_t size);
+static ssize_t sel_write_create(struct file *file, char *buf, size_t size);
+static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size);
+static ssize_t sel_write_user(struct file *file, char *buf, size_t size);
+static ssize_t sel_write_member(struct file *file, char *buf, size_t size);
static ssize_t (*write_op[])(struct file *, char *, size_t) = {
[SEL_ACCESS] = sel_write_access,
static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
{
- ino_t ino = file->f_path.dentry->d_inode->i_ino;
+ ino_t ino = file->f_path.dentry->d_inode->i_ino;
char *data;
ssize_t rv;
if (IS_ERR(data))
return PTR_ERR(data);
- rv = write_op[ino](file, data, size);
- if (rv>0) {
+ rv = write_op[ino](file, data, size);
+ if (rv > 0) {
simple_transaction_set(file, rv);
rv = size;
}
* and the length returned. Otherwise return 0 or and -error.
*/
-static ssize_t sel_write_access(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid;
return length;
}
-static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
goto out2;
if (len > SIMPLE_TRANSACTION_LIMIT) {
- printk(KERN_ERR "%s: context size (%u) exceeds payload "
- "max\n", __FUNCTION__, len);
+ printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
+ "payload max\n", __func__, len);
length = -ERANGE;
goto out3;
}
return length;
}
-static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
return length;
}
-static ssize_t sel_write_user(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
{
char *con, *user, *ptr;
u32 sid, *sids;
return length;
}
-static ssize_t sel_write_member(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
goto out2;
if (len > SIMPLE_TRANSACTION_LIMIT) {
- printk(KERN_ERR "%s: context size (%u) exceeds payload "
- "max\n", __FUNCTION__, len);
+ printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
+ "payload max\n", __func__, len);
length = -ERANGE;
goto out3;
}
ret = -EINVAL;
goto out;
}
- if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) {
+ page = (char *)get_zeroed_page(GFP_KERNEL);
+ if (!page) {
ret = -ENOMEM;
goto out;
}
length = -EINVAL;
goto out;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
length = -ENOMEM;
goto out;
}
static const struct file_operations sel_bool_ops = {
- .read = sel_read_bool,
- .write = sel_write_bool,
+ .read = sel_read_bool,
+ .write = sel_write_bool,
};
static ssize_t sel_commit_bools_write(struct file *filep,
/* No partial writes. */
goto out;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
length = -ENOMEM;
goto out;
if (sscanf(page, "%d", &new_value) != 1)
goto out;
- if (new_value && bool_pending_values) {
+ if (new_value && bool_pending_values)
security_set_bools(bool_num, bool_pending_values);
- }
length = count;
}
static const struct file_operations sel_commit_bools_ops = {
- .write = sel_commit_bools_write,
+ .write = sel_commit_bools_write,
};
static void sel_remove_entries(struct dentry *de)
sel_remove_entries(dir);
- if (!(page = (char*)get_zeroed_page(GFP_KERNEL)))
+ page = (char *)get_zeroed_page(GFP_KERNEL);
+ if (!page)
return -ENOMEM;
ret = security_get_bools(&num, &names, &values);
ret = -ENAMETOOLONG;
goto err;
}
- isec = (struct inode_security_struct*)inode->i_security;
- if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid)))
+ isec = (struct inode_security_struct *)inode->i_security;
+ ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
+ if (ret)
goto err;
isec->sid = sid;
isec->initialized = 1;
#define NULL_FILE_NAME "null"
-struct dentry *selinux_null = NULL;
+struct dentry *selinux_null;
static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
-static ssize_t sel_write_avc_cache_threshold(struct file * file,
- const char __user * buf,
+static ssize_t sel_write_avc_cache_threshold(struct file *file,
+ const char __user *buf,
size_t count, loff_t *ppos)
{
goto out;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
ret = -ENOMEM;
goto out;
return ret;
}
-static ssize_t sel_read_initcon(struct file * file, char __user *buf,
+static ssize_t sel_read_initcon(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
struct inode *inode;
return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1);
}
-static ssize_t sel_read_class(struct file * file, char __user *buf,
+static ssize_t sel_read_class(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
ssize_t rc, len;
.read = sel_read_class,
};
-static ssize_t sel_read_perm(struct file * file, char __user *buf,
+static ssize_t sel_read_perm(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
ssize_t rc, len;
goto out;
}
- len = snprintf(page, PAGE_SIZE,"%d", sel_ino_to_perm(ino));
+ len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_perm(ino));
rc = simple_read_from_buffer(buf, count, ppos, page, len);
free_page((unsigned long)page);
out:
.read = sel_read_perm,
};
+static ssize_t sel_read_policycap(struct file *file, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ int value;
+ char tmpbuf[TMPBUFLEN];
+ ssize_t length;
+ unsigned long i_ino = file->f_path.dentry->d_inode->i_ino;
+
+ value = security_policycap_supported(i_ino & SEL_INO_MASK);
+ length = scnprintf(tmpbuf, TMPBUFLEN, "%d", value);
+
+ return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
+}
+
+static const struct file_operations sel_policycap_ops = {
+ .read = sel_read_policycap,
+};
+
static int sel_make_perm_files(char *objclass, int classvalue,
struct dentry *dir)
{
return rc;
}
+static int sel_make_policycap(void)
+{
+ unsigned int iter;
+ struct dentry *dentry = NULL;
+ struct inode *inode = NULL;
+
+ sel_remove_entries(policycap_dir);
+
+ for (iter = 0; iter <= POLICYDB_CAPABILITY_MAX; iter++) {
+ if (iter < ARRAY_SIZE(policycap_names))
+ dentry = d_alloc_name(policycap_dir,
+ policycap_names[iter]);
+ else
+ dentry = d_alloc_name(policycap_dir, "unknown");
+
+ if (dentry == NULL)
+ return -ENOMEM;
+
+ inode = sel_make_inode(policycap_dir->d_sb, S_IFREG | S_IRUGO);
+ if (inode == NULL)
+ return -ENOMEM;
+
+ inode->i_fop = &sel_policycap_ops;
+ inode->i_ino = iter | SEL_POLICYCAP_INO_OFFSET;
+ d_add(dentry, inode);
+ }
+
+ return 0;
+}
+
static int sel_make_dir(struct inode *dir, struct dentry *dentry,
unsigned long *ino)
{
return ret;
}
-static int sel_fill_super(struct super_block * sb, void * data, int silent)
+static int sel_fill_super(struct super_block *sb, void *data, int silent)
{
int ret;
struct dentry *dentry;
goto err;
}
inode->i_ino = ++sel_last_ino;
- isec = (struct inode_security_struct*)inode->i_security;
+ isec = (struct inode_security_struct *)inode->i_security;
isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE;
isec->initialized = 1;
class_dir = dentry;
+ dentry = d_alloc_name(sb->s_root, "policy_capabilities");
+ if (!dentry) {
+ ret = -ENOMEM;
+ goto err;
+ }
+
+ ret = sel_make_dir(root_inode, dentry, &sel_last_ino);
+ if (ret)
+ goto err;
+
+ policycap_dir = dentry;
+
out:
return ret;
err:
- printk(KERN_ERR "%s: failed while creating inodes\n", __FUNCTION__);
+ printk(KERN_ERR "SELinux: %s: failed while creating inodes\n",
+ __func__);
goto out;
}
projects / linux-2.6-omap-h63xx.git / blobdiff