summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/integrity/iint.c2
-rw-r--r--security/integrity/ima/ima.h11
-rw-r--r--security/integrity/ima/ima_api.c21
-rw-r--r--security/integrity/ima/ima_appraise.c3
-rw-r--r--security/integrity/ima/ima_fs.c9
-rw-r--r--security/integrity/ima/ima_init.c3
-rw-r--r--security/integrity/ima/ima_main.c12
-rw-r--r--security/integrity/ima/ima_policy.c35
-rw-r--r--security/integrity/ima/ima_queue.c13
-rw-r--r--security/integrity/integrity.h1
-rw-r--r--security/selinux/hooks.c21
-rw-r--r--security/selinux/include/netlabel.h4
-rw-r--r--security/selinux/netlabel.c36
-rw-r--r--security/selinux/selinuxfs.c2
-rw-r--r--security/selinux/ss/ebitmap.c2
-rw-r--r--security/selinux/ss/services.c70
-rw-r--r--security/smack/smack_lsm.c2
17 files changed, 153 insertions, 94 deletions
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 345b75997e4c..c710d22042f9 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -79,6 +79,7 @@ static void iint_free(struct integrity_iint_cache *iint)
iint->ima_bprm_status = INTEGRITY_UNKNOWN;
iint->ima_read_status = INTEGRITY_UNKNOWN;
iint->evm_status = INTEGRITY_UNKNOWN;
+ iint->measured_pcrs = 0;
kmem_cache_free(iint_cache, iint);
}
@@ -159,6 +160,7 @@ static void init_once(void *foo)
iint->ima_bprm_status = INTEGRITY_UNKNOWN;
iint->ima_read_status = INTEGRITY_UNKNOWN;
iint->evm_status = INTEGRITY_UNKNOWN;
+ iint->measured_pcrs = 0;
}
static int __init integrity_iintcache_init(void)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index d3a939bf2781..db25f54a04fe 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -88,6 +88,7 @@ struct ima_template_desc {
};
struct ima_template_entry {
+ int pcr;
u8 digest[TPM_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
struct ima_template_desc *template_desc; /* template descriptor */
u32 template_data_len;
@@ -154,7 +155,8 @@ enum ima_hooks {
};
/* LIM API function definitions */
-int ima_get_action(struct inode *inode, int mask, enum ima_hooks func);
+int ima_get_action(struct inode *inode, int mask,
+ enum ima_hooks func, int *pcr);
int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
int ima_collect_measurement(struct integrity_iint_cache *iint,
struct file *file, void *buf, loff_t size,
@@ -162,19 +164,20 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
- int xattr_len);
+ int xattr_len, int pcr);
void ima_audit_measurement(struct integrity_iint_cache *iint,
const unsigned char *filename);
int ima_alloc_init_template(struct ima_event_data *event_data,
struct ima_template_entry **entry);
int ima_store_template(struct ima_template_entry *entry, int violation,
- struct inode *inode, const unsigned char *filename);
+ struct inode *inode,
+ const unsigned char *filename, int pcr);
void ima_free_template_entry(struct ima_template_entry *entry);
const char *ima_d_path(const struct path *path, char **pathbuf);
/* IMA policy related functions */
int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
- int flags);
+ int flags, int *pcr);
void ima_init_policy(void);
void ima_update_policy(void);
void ima_update_policy_flag(void);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 5a2218fe877a..9df26a2b75ba 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -87,7 +87,7 @@ out:
*/
int ima_store_template(struct ima_template_entry *entry,
int violation, struct inode *inode,
- const unsigned char *filename)
+ const unsigned char *filename, int pcr)
{
static const char op[] = "add_template_measure";
static const char audit_cause[] = "hashing_error";
@@ -114,6 +114,7 @@ int ima_store_template(struct ima_template_entry *entry,
}
memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
}
+ entry->pcr = pcr;
result = ima_add_template_entry(entry, violation, op, inode, filename);
return result;
}
@@ -144,7 +145,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
result = -ENOMEM;
goto err_out;
}
- result = ima_store_template(entry, violation, inode, filename);
+ result = ima_store_template(entry, violation, inode,
+ filename, CONFIG_IMA_MEASURE_PCR_IDX);
if (result < 0)
ima_free_template_entry(entry);
err_out:
@@ -157,6 +159,7 @@ err_out:
* @inode: pointer to inode to measure
* @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
* @func: caller identifier
+ * @pcr: pointer filled in if matched measure policy sets pcr=
*
* The policy is defined in terms of keypairs:
* subj=, obj=, type=, func=, mask=, fsmagic=
@@ -168,13 +171,13 @@ err_out:
* Returns IMA_MEASURE, IMA_APPRAISE mask.
*
*/
-int ima_get_action(struct inode *inode, int mask, enum ima_hooks func)
+int ima_get_action(struct inode *inode, int mask, enum ima_hooks func, int *pcr)
{
int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
flags &= ima_policy_flag;
- return ima_match_policy(inode, func, mask, flags);
+ return ima_match_policy(inode, func, mask, flags, pcr);
}
/*
@@ -252,7 +255,7 @@ out:
void ima_store_measurement(struct integrity_iint_cache *iint,
struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
- int xattr_len)
+ int xattr_len, int pcr)
{
static const char op[] = "add_template_measure";
static const char audit_cause[] = "ENOMEM";
@@ -263,7 +266,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
xattr_len, NULL};
int violation = 0;
- if (iint->flags & IMA_MEASURED)
+ if (iint->measured_pcrs & (0x1 << pcr))
return;
result = ima_alloc_init_template(&event_data, &entry);
@@ -273,9 +276,11 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
return;
}
- result = ima_store_template(entry, violation, inode, filename);
- if (!result || result == -EEXIST)
+ result = ima_store_template(entry, violation, inode, filename, pcr);
+ if (!result || result == -EEXIST) {
iint->flags |= IMA_MEASURED;
+ iint->measured_pcrs |= (0x1 << pcr);
+ }
if (result < 0)
ima_free_template_entry(entry);
}
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 1bcbc12e03d9..4b9b4a4e1b89 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -41,7 +41,7 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
if (!ima_appraise)
return 0;
- return ima_match_policy(inode, func, mask, IMA_APPRAISE);
+ return ima_match_policy(inode, func, mask, IMA_APPRAISE, NULL);
}
static int ima_fix_xattr(struct dentry *dentry,
@@ -370,6 +370,7 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig)
return;
iint->flags &= ~IMA_DONE_MASK;
+ iint->measured_pcrs = 0;
if (digsig)
iint->flags |= IMA_DIGSIG;
return;
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 60d011aaec38..c07a3844ea0a 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -123,7 +123,6 @@ static int ima_measurements_show(struct seq_file *m, void *v)
struct ima_template_entry *e;
char *template_name;
int namelen;
- u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX;
bool is_ima_template = false;
int i;
@@ -137,10 +136,10 @@ static int ima_measurements_show(struct seq_file *m, void *v)
/*
* 1st: PCRIndex
- * PCR used is always the same (config option) in
- * little-endian format
+ * PCR used defaults to the same (config option) in
+ * little-endian format, unless set in policy
*/
- ima_putc(m, &pcr, sizeof(pcr));
+ ima_putc(m, &e->pcr, sizeof(e->pcr));
/* 2nd: template digest */
ima_putc(m, e->digest, TPM_DIGEST_SIZE);
@@ -219,7 +218,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
e->template_desc->name : e->template_desc->fmt;
/* 1st: PCR used (config option) */
- seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX);
+ seq_printf(m, "%2d ", e->pcr);
/* 2nd: SHA1 template hash */
ima_print_digest(m, e->digest, TPM_DIGEST_SIZE);
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 5d679a685616..32912bd54ead 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -79,7 +79,8 @@ static int __init ima_add_boot_aggregate(void)
}
result = ima_store_template(entry, violation, NULL,
- boot_aggregate_name);
+ boot_aggregate_name,
+ CONFIG_IMA_MEASURE_PCR_IDX);
if (result < 0) {
ima_free_template_entry(entry);
audit_cause = "store_entry";
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 68b26c340acd..596ef616ac21 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -125,6 +125,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
if ((iint->version != inode->i_version) ||
(iint->flags & IMA_NEW_FILE)) {
iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
+ iint->measured_pcrs = 0;
if (iint->flags & IMA_APPRAISE)
ima_update_xattr(iint, file);
}
@@ -162,6 +163,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
char *pathbuf = NULL;
const char *pathname = NULL;
int rc = -ENOMEM, action, must_appraise;
+ int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
struct evm_ima_xattr_data *xattr_value = NULL;
int xattr_len = 0;
bool violation_check;
@@ -174,7 +176,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
* bitmask based on the appraise/audit/measurement policy.
* Included is the appraise submask.
*/
- action = ima_get_action(inode, mask, func);
+ action = ima_get_action(inode, mask, func, &pcr);
violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
(ima_policy_flag & IMA_MEASURE));
if (!action && !violation_check)
@@ -209,7 +211,11 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
*/
iint->flags |= action;
action &= IMA_DO_MASK;
- action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
+ action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
+
+ /* If target pcr is already measured, unset IMA_MEASURE action */
+ if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
+ action ^= IMA_MEASURE;
/* Nothing to do, just return existing appraised status */
if (!action) {
@@ -238,7 +244,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
if (action & IMA_MEASURE)
ima_store_measurement(iint, file, pathname,
- xattr_value, xattr_len);
+ xattr_value, xattr_len, pcr);
if (action & IMA_APPRAISE_SUBMASK)
rc = ima_appraise_measurement(func, iint, file, pathname,
xattr_value, xattr_len, opened);
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 0f887a564a29..aed47b777a57 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -32,6 +32,7 @@
#define IMA_FSUUID 0x0020
#define IMA_INMASK 0x0040
#define IMA_EUID 0x0080
+#define IMA_PCR 0x0100
#define UNKNOWN 0
#define MEASURE 0x0001 /* same as IMA_MEASURE */
@@ -40,6 +41,9 @@
#define DONT_APPRAISE 0x0008
#define AUDIT 0x0040
+#define INVALID_PCR(a) (((a) < 0) || \
+ (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
+
int ima_policy_flag;
static int temp_ima_appraise;
@@ -60,6 +64,7 @@ struct ima_rule_entry {
u8 fsuuid[16];
kuid_t uid;
kuid_t fowner;
+ int pcr;
struct {
void *rule; /* LSM file metadata specific */
void *args_p; /* audit value */
@@ -319,6 +324,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
* @inode: pointer to an inode for which the policy decision is being made
* @func: IMA hook identifier
* @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
+ * @pcr: set the pcr to extend
*
* Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
* conditions.
@@ -328,7 +334,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
* than writes so ima_match_policy() is classical RCU candidate.
*/
int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
- int flags)
+ int flags, int *pcr)
{
struct ima_rule_entry *entry;
int action = 0, actmask = flags | (flags << 1);
@@ -353,6 +359,9 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
else
actmask &= ~(entry->action | entry->action >> 1);
+ if ((pcr) && (entry->flags & IMA_PCR))
+ *pcr = entry->pcr;
+
if (!actmask)
break;
}
@@ -478,7 +487,8 @@ enum {
Opt_subj_user, Opt_subj_role, Opt_subj_type,
Opt_func, Opt_mask, Opt_fsmagic,
Opt_fsuuid, Opt_uid, Opt_euid, Opt_fowner,
- Opt_appraise_type, Opt_permit_directio
+ Opt_appraise_type, Opt_permit_directio,
+ Opt_pcr
};
static match_table_t policy_tokens = {
@@ -502,6 +512,7 @@ static match_table_t policy_tokens = {
{Opt_fowner, "fowner=%s"},
{Opt_appraise_type, "appraise_type=%s"},
{Opt_permit_directio, "permit_directio"},
+ {Opt_pcr, "pcr=%s"},
{Opt_err, NULL}
};
@@ -774,6 +785,20 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
case Opt_permit_directio:
entry->flags |= IMA_PERMIT_DIRECTIO;
break;
+ case Opt_pcr:
+ if (entry->action != MEASURE) {
+ result = -EINVAL;
+ break;
+ }
+ ima_log_string(ab, "pcr", args[0].from);
+
+ result = kstrtoint(args[0].from, 10, &entry->pcr);
+ if (result || INVALID_PCR(entry->pcr))
+ result = -EINVAL;
+ else
+ entry->flags |= IMA_PCR;
+
+ break;
case Opt_err:
ima_log_string(ab, "UNKNOWN", p);
result = -EINVAL;
@@ -1011,6 +1036,12 @@ int ima_policy_show(struct seq_file *m, void *v)
seq_puts(m, " ");
}
+ if (entry->flags & IMA_PCR) {
+ snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
+ seq_printf(m, pt(Opt_pcr), tbuf);
+ seq_puts(m, " ");
+ }
+
if (entry->flags & IMA_FSUUID) {
seq_printf(m, "fsuuid=%pU", entry->fsuuid);
seq_puts(m, " ");
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index 552705d5a78d..32f6ac0f96df 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -44,7 +44,8 @@ struct ima_h_table ima_htable = {
static DEFINE_MUTEX(ima_extend_list_mutex);
/* lookup up the digest value in the hash table, and return the entry */
-static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value)
+static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value,
+ int pcr)
{
struct ima_queue_entry *qe, *ret = NULL;
unsigned int key;
@@ -54,7 +55,7 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value)
rcu_read_lock();
hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) {
rc = memcmp(qe->entry->digest, digest_value, TPM_DIGEST_SIZE);
- if (rc == 0) {
+ if ((rc == 0) && (qe->entry->pcr == pcr)) {
ret = qe;
break;
}
@@ -89,14 +90,14 @@ static int ima_add_digest_entry(struct ima_template_entry *entry)
return 0;
}
-static int ima_pcr_extend(const u8 *hash)
+static int ima_pcr_extend(const u8 *hash, int pcr)
{
int result = 0;
if (!ima_used_chip)
return result;
- result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash);
+ result = tpm_pcr_extend(TPM_ANY_NUM, pcr, hash);
if (result != 0)
pr_err("Error Communicating to TPM chip, result: %d\n", result);
return result;
@@ -118,7 +119,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
mutex_lock(&ima_extend_list_mutex);
if (!violation) {
memcpy(digest, entry->digest, sizeof(digest));
- if (ima_lookup_digest_entry(digest)) {
+ if (ima_lookup_digest_entry(digest, entry->pcr)) {
audit_cause = "hash_exists";
result = -EEXIST;
goto out;
@@ -135,7 +136,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
if (violation) /* invalidate pcr */
memset(digest, 0xff, sizeof(digest));
- tpmresult = ima_pcr_extend(digest);
+ tpmresult = ima_pcr_extend(digest, entry->pcr);
if (tpmresult != 0) {
snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)",
tpmresult);
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 90bc57d796ec..24520b4ef3b0 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -103,6 +103,7 @@ struct integrity_iint_cache {
struct inode *inode; /* back pointer to inode in question */
u64 version; /* track inode changes */
unsigned long flags;
+ unsigned long measured_pcrs;
enum integrity_status ima_file_status:4;
enum integrity_status ima_mmap_status:4;
enum integrity_status ima_bprm_status:4;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a86d537eb79b..da934342a39f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4604,13 +4604,13 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
addrp, family, peer_sid, &ad);
if (err) {
- selinux_netlbl_err(skb, err, 0);
+ selinux_netlbl_err(skb, family, err, 0);
return err;
}
err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
PEER__RECV, &ad);
if (err) {
- selinux_netlbl_err(skb, err, 0);
+ selinux_netlbl_err(skb, family, err, 0);
return err;
}
}
@@ -4978,7 +4978,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
addrp, family, peer_sid, &ad);
if (err) {
- selinux_netlbl_err(skb, err, 1);
+ selinux_netlbl_err(skb, family, err, 1);
return NF_DROP;
}
}
@@ -5064,6 +5064,15 @@ static unsigned int selinux_ipv4_output(void *priv,
return selinux_ip_output(skb, PF_INET);
}
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static unsigned int selinux_ipv6_output(void *priv,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ return selinux_ip_output(skb, PF_INET6);
+}
+#endif /* IPV6 */
+
static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
int ifindex,
u16 family)
@@ -6298,6 +6307,12 @@ static struct nf_hook_ops selinux_nf_ops[] = {
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_SELINUX_FIRST,
},
+ {
+ .hook = selinux_ipv6_output,
+ .pf = NFPROTO_IPV6,
+ .hooknum = NF_INET_LOCAL_OUT,
+ .priority = NF_IP6_PRI_SELINUX_FIRST,
+ },
#endif /* IPV6 */
};
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 8c59b8f150e8..75686d53df07 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -40,7 +40,8 @@
#ifdef CONFIG_NETLABEL
void selinux_netlbl_cache_invalidate(void);
-void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway);
+void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error,
+ int gateway);
void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec);
void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec);
@@ -72,6 +73,7 @@ static inline void selinux_netlbl_cache_invalidate(void)
}
static inline void selinux_netlbl_err(struct sk_buff *skb,
+ u16 family,
int error,
int gateway)
{
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 1f989a539fd4..aaba6677ee2e 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -54,6 +54,7 @@
*
*/
static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
+ u16 family,
struct netlbl_lsm_secattr *secattr,
u32 *sid)
{
@@ -63,7 +64,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
if (rc == 0 &&
(secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
(secattr->flags & NETLBL_SECATTR_CACHE))
- netlbl_cache_add(skb, secattr);
+ netlbl_cache_add(skb, family, secattr);
return rc;
}
@@ -151,9 +152,9 @@ void selinux_netlbl_cache_invalidate(void)
* present on the packet, NetLabel is smart enough to only act when it should.
*
*/
-void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway)
+void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error, int gateway)
{
- netlbl_skbuff_err(skb, error, gateway);
+ netlbl_skbuff_err(skb, family, error, gateway);
}
/**
@@ -214,7 +215,8 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
- rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid);
+ rc = selinux_netlbl_sidlookup_cached(skb, family,
+ &secattr, sid);
else
*sid = SECSID_NULL;
*type = secattr.type;
@@ -284,7 +286,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
int rc;
struct netlbl_lsm_secattr secattr;
- if (family != PF_INET)
+ if (family != PF_INET && family != PF_INET6)
return 0;
netlbl_secattr_init(&secattr);
@@ -333,7 +335,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr *secattr;
- if (family != PF_INET)
+ if (family != PF_INET && family != PF_INET6)
return 0;
secattr = selinux_netlbl_sock_genattr(sk);
@@ -382,7 +384,8 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
- rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid);
+ rc = selinux_netlbl_sidlookup_cached(skb, family,
+ &secattr, &nlbl_sid);
else
nlbl_sid = SECINITSID_UNLABELED;
netlbl_secattr_destroy(&secattr);
@@ -405,11 +408,26 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
return 0;
if (nlbl_sid != SECINITSID_UNLABELED)
- netlbl_skbuff_err(skb, rc, 0);
+ netlbl_skbuff_err(skb, family, rc, 0);
return rc;
}
/**
+ * selinux_netlbl_option - Is this a NetLabel option
+ * @level: the socket level or protocol
+ * @optname: the socket option name
+ *
+ * Description:
+ * Returns true if @level and @optname refer to a NetLabel option.
+ * Helper for selinux_netlbl_socket_setsockopt().
+ */
+static inline int selinux_netlbl_option(int level, int optname)
+{
+ return (level == IPPROTO_IP && optname == IP_OPTIONS) ||
+ (level == IPPROTO_IPV6 && optname == IPV6_HOPOPTS);
+}
+
+/**
* selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
* @sock: the socket
* @level: the socket level or protocol
@@ -431,7 +449,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr secattr;
- if (level == IPPROTO_IP && optname == IP_OPTIONS &&
+ if (selinux_netlbl_option(level, optname) &&
(sksec->nlbl_state == NLBL_LABELED ||
sksec->nlbl_state == NLBL_CONNLABELED)) {
netlbl_secattr_init(&secattr);
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 1b1fd27de632..0765c5b053b5 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1347,7 +1347,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file *file,
{
char *page;
ssize_t ret;
- int new_value;
+ unsigned int new_value;
ret = task_has_security(current, SECURITY__SETSECPARAM);
if (ret)
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index 57644b1dc42e..894b6cdc11c5 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -165,7 +165,7 @@ int ebitmap_netlbl_import(struct ebitmap *ebmap,
e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC);
if (e_iter == NULL)
goto netlbl_import_failure;
- e_iter->startbit = offset & ~(EBITMAP_SIZE - 1);
+ e_iter->startbit = offset - (offset % EBITMAP_SIZE);
if (e_prev == NULL)
ebmap->node = e_iter;
else
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 89df64672b89..082b20c78363 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -543,7 +543,7 @@ static void type_attribute_bounds_av(struct context *scontext,
struct av_decision *avd)
{
struct context lo_scontext;
- struct context lo_tcontext;
+ struct context lo_tcontext, *tcontextp = tcontext;
struct av_decision lo_avd;
struct type_datum *source;
struct type_datum *target;
@@ -553,67 +553,41 @@ static void type_attribute_bounds_av(struct context *scontext,
scontext->type - 1);
BUG_ON(!source);
+ if (!source->bounds)
+ return;
+
target = flex_array_get_ptr(policydb.type_val_to_struct_array,
tcontext->type - 1);
BUG_ON(!target);
- if (source->bounds) {
- memset(&lo_avd, 0, sizeof(lo_avd));
-
- memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
- lo_scontext.type = source->bounds;
+ memset(&lo_avd, 0, sizeof(lo_avd));
- context_struct_compute_av(&lo_scontext,
- tcontext,
- tclass,
- &lo_avd,
- NULL);
- if ((lo_avd.allowed & avd->allowed) == avd->allowed)
- return; /* no masked permission */
- masked = ~lo_avd.allowed & avd->allowed;
- }
+ memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
+ lo_scontext.type = source->bounds;
if (target->bounds) {
- memset(&lo_avd, 0, sizeof(lo_avd));
-
memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
lo_tcontext.type = target->bounds;
-
- context_struct_compute_av(scontext,
- &lo_tcontext,
- tclass,
- &lo_avd,
- NULL);
- if ((lo_avd.allowed & avd->allowed) == avd->allowed)
- return; /* no masked permission */
- masked = ~lo_avd.allowed & avd->allowed;
+ tcontextp = &lo_tcontext;
}
- if (source->bounds && target->bounds) {
- memset(&lo_avd, 0, sizeof(lo_avd));
- /*
- * lo_scontext and lo_tcontext are already
- * set up.
- */
+ context_struct_compute_av(&lo_scontext,
+ tcontextp,
+ tclass,
+ &lo_avd,
+ NULL);
- context_struct_compute_av(&lo_scontext,
- &lo_tcontext,
- tclass,
- &lo_avd,
- NULL);
- if ((lo_avd.allowed & avd->allowed) == avd->allowed)
- return; /* no masked permission */
- masked = ~lo_avd.allowed & avd->allowed;
- }
+ masked = ~lo_avd.allowed & avd->allowed;
- if (masked) {
- /* mask violated permissions */
- avd->allowed &= ~masked;
+ if (likely(!masked))
+ return; /* no masked permission */
- /* audit masked permissions */
- security_dump_masked_av(scontext, tcontext,
- tclass, masked, "bounds");
- }
+ /* mask violated permissions */
+ avd->allowed &= ~masked;
+
+ /* audit masked permissions */
+ security_dump_masked_av(scontext, tcontext,
+ tclass, masked, "bounds");
}
/*
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index e96080eaacbb..0cc54a02b1c6 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3995,7 +3995,7 @@ access_check:
rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
MAY_WRITE, rc);
if (rc != 0)
- netlbl_skbuff_err(skb, rc, 0);
+ netlbl_skbuff_err(skb, sk->sk_family, rc, 0);
break;
#if IS_ENABLED(CONFIG_IPV6)
case PF_INET6: