summaryrefslogtreecommitdiff
path: root/security/selinux/selinuxfs.c
AgeCommit message (Collapse)AuthorFilesLines
2010-02-09selinux: fix memory leak in sel_make_boolsXiaotian Feng1-0/+2
In sel_make_bools, kernel allocates memory for bool_pending_names[i] with security_get_bools. So if we just free bool_pending_names, those memories for bool_pending_names[i] will be leaked. This patch resolves dozens of following kmemleak report after resuming from suspend: unreferenced object 0xffff88022e4c7380 (size 32): comm "init", pid 1, jiffies 4294677173 backtrace: [<ffffffff810f76b5>] create_object+0x1a2/0x2a9 [<ffffffff810f78bb>] kmemleak_alloc+0x26/0x4b [<ffffffff810ef3eb>] __kmalloc+0x18f/0x1b8 [<ffffffff811cd511>] security_get_bools+0xd7/0x16f [<ffffffff811c48c0>] sel_write_load+0x12e/0x62b [<ffffffff810f9a39>] vfs_write+0xae/0x10b [<ffffffff810f9b56>] sys_write+0x4a/0x6e [<ffffffff81011b82>] system_call_fastpath+0x16/0x1b [<ffffffffffffffff>] 0xffffffffffffffff Signed-off-by: Xiaotian Feng <dfeng@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2010-02-04selinux: allow MLS->non-MLS and vice versa upon policy reloadGuido Trentalancia1-1/+2
Allow runtime switching between different policy types (e.g. from a MLS/MCS policy to a non-MLS/non-MCS policy or viceversa). Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2010-01-18selinux: change the handling of unknown classesStephen Smalley1-5/+2
If allow_unknown==deny, SELinux treats an undefined kernel security class as an error condition rather than as a typical permission denial and thus does not allow permissions on undefined classes even when in permissive mode. Change the SELinux logic so that this case is handled as a typical permission denial, subject to the usual permissive mode and permissive domain handling. Also drop the 'requested' argument from security_compute_av() and helpers as it is a legacy of the original security server interface and is unused. Changes: - Handle permissive domains consistently by moving up the test for a permissive domain. - Make security_compute_av_user() consistent with security_compute_av(); the only difference now is that security_compute_av() performs mapping between the kernel-private class and permission indices and the policy values. In the userspace case, this mapping is handled by libselinux. - Moved avd_init inside the policy lock. Based in part on a patch by Paul Moore <paul.moore@hp.com>. Reported-by: Andrew Worsley <amworsley@gmail.com> Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2009-10-07selinux: dynamic class/perm discoveryStephen Smalley1-2/+2
Modify SELinux to dynamically discover class and permission values upon policy load, based on the dynamic object class/perm discovery logic from libselinux. A mapping is created between kernel-private class and permission indices used outside the security server and the policy values used within the security server. The mappings are only applied upon kernel-internal computations; similar mappings for the private indices of userspace object managers is handled on a per-object manager basis by the userspace AVC. The interfaces for compute_av and transition_sid are split for kernel vs. userspace; the userspace functions are distinguished by a _user suffix. The kernel-private class indices are no longer tied to the policy values and thus do not need to skip indices for userspace classes; thus the kernel class index values are compressed. The flask.h definitions were regenerated by deleting the userspace classes from refpolicy's definitions and then regenerating the headers. Going forward, we can just maintain the flask.h, av_permissions.h, and classmap.h definitions separately from policy as they are no longer tied to the policy values. The next patch introduces a utility to automate generation of flask.h and av_permissions.h from the classmap.h definitions. The older kernel class and permission string tables are removed and replaced by a single security class mapping table that is walked at policy load to generate the mapping. The old kernel class validation logic is completely replaced by the mapping logic. The handle unknown logic is reworked. reject_unknown=1 is handled when the mappings are computed at policy load time, similar to the old handling by the class validation logic. allow_unknown=1 is handled when computing and mapping decisions - if the permission was not able to be mapped (i.e. undefined, mapped to zero), then it is automatically added to the allowed vector. If the class was not able to be mapped (i.e. undefined, mapped to zero), then all permissions are allowed for it if allow_unknown=1. avc_audit leverages the new security class mapping table to lookup the class and permission names from the kernel-private indices. The mdp program is updated to use the new table when generating the class definitions and allow rules for a minimal boot policy for the kernel. It should be noted that this policy will not include any userspace classes, nor will its policy index values for the kernel classes correspond with the ones in refpolicy (they will instead match the kernel-private indices). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2009-05-19selinux: remove obsolete read buffer limit from sel_read_boolStephen Smalley1-4/+0
On Tue, 2009-05-19 at 00:05 -0400, Eamon Walsh wrote: > Recent versions of coreutils have bumped the read buffer size from 4K to > 32K in several of the utilities. > > This means that "cat /selinux/booleans/xserver_object_manager" no longer > works, it returns "Invalid argument" on F11. getsebool works fine. > > sel_read_bool has a check for "count > PAGE_SIZE" that doesn't seem to > be present in the other read functions. Maybe it could be removed? Yes, that check is obsoleted by the conversion of those functions to using simple_read_from_buffer(), which will reduce count if necessary to what is available in the buffer. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2009-04-02Permissive domain in userspace object managerKaiGai Kohei1-2/+2
This patch enables applications to handle permissive domain correctly. Since the v2.6.26 kernel, SELinux has supported an idea of permissive domain which allows certain processes to work as if permissive mode, even if the global setting is enforcing mode. However, we don't have an application program interface to inform what domains are permissive one, and what domains are not. It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL and so on) cannot handle permissive domain correctly. This patch add the sixth field (flags) on the reply of the /selinux/access interface which is used to make an access control decision from userspace. If the first bit of the flags field is positive, it means the required access control decision is on permissive domain, so application should allow any required actions, as the kernel doing. This patch also has a side benefit. The av_decision.flags is set at context_struct_compute_av(). It enables to check required permissions without read_lock(&policy_rwlock). Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> -- security/selinux/avc.c | 2 +- security/selinux/include/security.h | 4 +++- security/selinux/selinuxfs.c | 4 ++-- security/selinux/ss/services.c | 30 +++++------------------------- 4 files changed, 11 insertions(+), 29 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
2009-03-28selinux: Remove the "compat_net" compatibility codePaul Moore1-68/+0
The SELinux "compat_net" is marked as deprecated, the time has come to finally remove it from the kernel. Further code simplifications are likely in the future, but this patch was intended to be a simple, straight-up removal of the compat_net code. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2009-02-14SELinux: remove unused av.decided fieldEric Paris1-1/+1
It appears there was an intention to have the security server only decide certain permissions and leave other for later as some sort of a portential performance win. We are currently always deciding all 32 bits of permissions and this is a useless couple of branches and wasted space. This patch completely drops the av.decided concept. This in a 17% reduction in the time spent in avc_has_perm_noaudit based on oprofile sampling of a tbench benchmark. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2009-01-07Merge branch 'next' into for-linusJames Morris1-8/+8
2009-01-05zero i_uid/i_gid on inode allocationAl Viro1-2/+0
... and don't bother in callers. Don't bother with zeroing i_blocks, while we are at it - it's already been zeroed. i_mode is not worth the effort; it has no common default value. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2009-01-01cpumask: prepare for iterators to only go to nr_cpu_ids/nr_cpumask_bits.: coreRusty Russell1-1/+1
Impact: cleanup In future, all cpumask ops will only be valid (in general) for bit numbers < nr_cpu_ids. So use that instead of NR_CPUS in iterators and other comparisons. This is always safe: no cpu number can be >= nr_cpu_ids, and nr_cpu_ids is initialized to NR_CPUS at boot. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Mike Travis <travis@sgi.com> Acked-by: Ingo Molnar <mingo@elte.hu> Acked-by: James Morris <jmorris@namei.org> Cc: Eric Biederman <ebiederm@xmission.com>
2008-12-31selinux: Deprecate and schedule the removal of the the compat_net functionalityPaul Moore1-8/+8
This patch is the first step towards removing the old "compat_net" code from the kernel. Secmark, the "compat_net" replacement was first introduced in 2.6.18 (September 2006) and the major Linux distributions with SELinux support have transitioned to Secmark so it is time to start deprecating the "compat_net" mechanism. Testing a patched version of 2.6.28-rc6 with the initial release of Fedora Core 5 did not show any problems when running in enforcing mode. This patch adds an entry to the feature-removal-schedule.txt file and removes the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing Secmark on by default although it can still be disabled at runtime. The patch also makes the Secmark permission checks "dynamic" in the sense that they are only executed when Secmark is configured; this should help prevent problems with older distributions that have not yet migrated to Secmark. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org>
2008-11-14CRED: Use RCU to access another task's creds and to release a task's own credsDavid Howells1-4/+9
Use RCU to access another task's creds and to release a task's own creds. This means that it will be possible for the credentials of a task to be replaced without another task (a) requiring a full lock to read them, and (b) seeing deallocated memory. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: James Morris <jmorris@namei.org> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14CRED: Separate task security context from task_structDavid Howells1-1/+1
Separate the task security context from task_struct. At this point, the security data is temporarily embedded in the task_struct with two pointers pointing to it. Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in entry.S via asm-offsets. With comment fixes Signed-off-by: Marc Dionne <marc.c.dionne@gmail.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: James Morris <jmorris@namei.org> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-07-14SELinux: more user friendly unknown handling printkEric Paris1-5/+0
I've gotten complaints and reports about people not understanding the meaning of the current unknown class/perm handling the kernel emits on every policy load. Hopefully this will make make it clear to everyone the meaning of the message and won't waste a printk the user won't care about anyway on systems where the kernel and the policy agree on everything. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-07-14SELinux: keep the code clean formating and syntaxEric Paris1-3/+7
Formatting and syntax changes whitespace, tabs to spaces, trailing space put open { on same line as struct def remove unneeded {} after if statements change printk("Lu") to printk("llu") convert asm/uaccess.h to linux/uaacess.h includes remove unnecessary asm/bug.h includes convert all users of simple_strtol to strict_strtol Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-04-22Merge branch 'for-linus' of ↵Linus Torvalds1-62/+65
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6: SELinux: one little, two little, three little whitespaces, the avc.c saga. SELinux: cleanup on isle selinuxfs.c changing whitespace for fun and profit: policydb.c SELinux: whitespace and formating fixes for hooks.c SELinux: clean up printks SELinux: sidtab.c whitespace, syntax, and static declaraction cleanups SELinux: services.c whitespace, syntax, and static declaraction cleanups SELinux: mls.c whitespace, syntax, and static declaraction cleanups SELinux: hashtab.c whitespace, syntax, and static declaraction cleanups SELinux: ebitmap.c whitespace, syntax, and static declaraction cleanups SELinux: conditional.c whitespace, syntax, and static declaraction cleanups SELinux: avtab.c whitespace, syntax, and static declaraction cleanups SELinux: xfrm.c whitespace, syntax, and static declaraction cleanups SELinux: nlmsgtab.c whitespace, syntax, and static declaraction cleanups SELinux: netnode.c whitespace, syntax, and static declaraction cleanups SELinux: netlink.c whitespace, syntax, and static declaraction cleanups SELinux: netlabel.c whitespace, syntax, and static declaraction cleanups SELinux: netif.c whitespace, syntax, and static declaraction cleanups
2008-04-21SELinux: cleanup on isle selinuxfs.cEric Paris1-55/+57
Why would anyone just clean up white space all day? Because they were out too late last night and don't want to think for a day. So here is a nice clean selinuxfs.c patch. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-04-21SELinux: clean up printksEric Paris1-7/+8
Make sure all printk start with KERN_* Make sure all printk end with \n Make sure all printk have the word 'selinux' in them Change "function name" to "%s", __func__ (found 2 wrong) Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-04-19security: Remove unnecessary inclusions of asm/semaphore.hMatthew Wilcox1-1/+0
None of these files use any of the functionality promised by asm/semaphore.h. Signed-off-by: Matthew Wilcox <willy@linux.intel.com>
2008-04-18security: replace remaining __FUNCTION__ occurrencesHarvey Harrison1-4/+4
__FUNCTION__ is gcc-specific, use __func__ Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Cc: James Morris <jmorris@namei.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: James Morris <jmorris@namei.org>
2008-04-18SELinux: create new open permissionEric Paris1-1/+2
Adds a new open permission inside SELinux when 'opening' a file. The idea is that opening a file and reading/writing to that file are not the same thing. Its different if a program had its stdout redirected to /tmp/output than if the program tried to directly open /tmp/output. This should allow policy writers to more liberally give read/write permissions across the policy while still blocking many design and programing flaws SELinux is so good at catching today. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-02-01[AUDIT] add session id to audit messagesEric Paris1-7/+10
In order to correlate audit records to an individual login add a session id. This is incremented every time a user logs in and is included in almost all messages which currently output the auid. The field is labeled ses= or oses= Signed-off-by: Eric Paris <eparis@redhat.com>
2008-02-01[PATCH] switch audit_get_loginuid() to task_struct *Al Viro1-3/+3
all callers pass something->audit_context Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2008-01-30SELinux: Add a capabilities bitmap to SELinux policy version 22Paul Moore1-4/+85
Add a new policy capabilities bitmap to SELinux policy version 22. This bitmap will enable the security server to query the policy to determine which features it supports. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2008-01-25security/selinux: constify function pointer tables and fieldsJan Engelhardt1-1/+1
Constify function pointer tables and fields. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: James Morris <jmorris@namei.org>
2007-12-05SELinux: detect dead booleansStephen Smalley1-13/+30
Instead of using f_op to detect dead booleans, check the inode index against the number of booleans and check the dentry name against the boolean name for that index on reads and writes. This prevents incorrect use of a boolean file opened prior to a policy reload while allowing valid use of it as long as it still corresponds to the same boolean in the policy. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2007-12-05SELinux: do not clear f_op when removing entriesStephen Smalley1-27/+1
Do not clear f_op when removing entries since it isn't safe to do. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2007-10-17SELinux: policy selectable handling of unknown classes and permsEric Paris1-0/+26
Allow policy to select, in much the same way as it selects MLS support, how the kernel should handle access decisions which contain either unknown classes or unknown permissions in known classes. The three choices for the policy flags are 0 - Deny unknown security access. (default) 2 - reject loading policy if it does not contain all definitions 4 - allow unknown security access The policy's choice is exported through 2 booleans in selinuxfs. /selinux/deny_unknown and /selinux/reject_unknown. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2007-07-12selinux: add selinuxfs structure for object class discoveryChristopher J. PeBenito1-0/+249
The structure is as follows (relative to selinuxfs root): /class/file/index /class/file/perms/read /class/file/perms/write ... Each class is allocated 33 inodes, 1 for the class index and 32 for permissions. Relative to SEL_CLASS_INO_OFFSET, the inode of the index file DIV 33 is the class number. The inode of the permission file % 33 is the index of the permission for that class. Signed-off-by: Christopher J. PeBenito <cpebenito@tresys.com> Signed-off-by: James Morris <jmorris@namei.org>
2007-07-12selinux: change sel_make_dir() to specify inode counter.Christopher J. PeBenito1-5/+6
Specify the inode counter explicitly in sel_make_dir(), rather than always using sel_last_ino. Signed-off-by: Christopher J. PeBenito <cpebenito@tresys.com> Signed-off-by: James Morris <jmorris@namei.org>
2007-07-12selinux: rename sel_remove_bools() for more general usage.Christopher J. PeBenito1-5/+4
sel_remove_bools() will also be used by the object class discovery, rename it for more general use. Signed-off-by: Christopher J. PeBenito <cpebenito@tresys.com> Signed-off-by: James Morris <jmorris@namei.org>
2007-04-26selinux: change numbering of boolean directory inodes in selinuxfsJames Carter1-6/+5
Change the numbering of the booleans directory inodes in selinuxfs to provide more room for new inodes without a conflict in inode numbers and to be consistent with how inode numbering is done in the initial_contexts directory. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> Acked-by: Eric Paris <eparis@parisplace.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2007-04-26selinux: remove unused enumeration constant from selinuxfsJames Carter1-1/+0
Remove the unused enumeration constant, SEL_AVC, from the sel_inos enumeration in selinuxfs. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> Acked-by: Eric Paris <eparis@parisplace.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2007-04-26selinux: explicitly number all selinuxfs inodesJames Carter1-0/+6
Explicitly number all selinuxfs inodes to prevent a conflict between inodes numbered using last_ino when created with new_inode() and those labeled explicitly. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> Acked-by: Eric Paris <eparis@parisplace.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2007-04-26selinux: export initial SID contexts via selinuxfsJames Carter1-0/+67
Make the initial SID contexts accessible to userspace via selinuxfs. An initial use of this support will be to make the unlabeled context available to libselinux for use for invalidated userspace SIDs. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2007-02-12[PATCH] mark struct file_operations const 9Arjan van de Ven1-13/+13
Many struct file_operations in the kernel can be "const". Marking them const moves these to the .rodata section, which avoids false sharing with potential dirty data. In addition it'll catch accidental writes at compile time to these shared resources. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2006-12-08[PATCH] struct path: convert selinuxJosef Sipek1-4/+4
Signed-off-by: Josef Sipek <jsipek@fsl.cs.sunysb.edu> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-01[PATCH] r/o bind mount prepwork: inc_nlink() helperDave Hansen1-2/+2
This is mostly included for parity with dec_nlink(), where we will have some more hooks. This one should stay pretty darn straightforward for now. Signed-off-by: Dave Hansen <haveblue@us.ibm.com> Acked-by: Christoph Hellwig <hch@lst.de> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-09-27[PATCH] inode-diet: Eliminate i_blksize from the inode structureTheodore Ts'o1-1/+0
This eliminates the i_blksize field from struct inode. Filesystems that want to provide a per-inode st_blksize can do so by providing their own getattr routine instead of using the generic_fillattr() function. Note that some filesystems were providing pretty much random (and incorrect) values for i_blksize. [bunk@stusta.de: cleanup] [akpm@osdl.org: generic_fillattr() fix] Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-30Remove obsolete #include <linux/config.h>Jörn Engel1-1/+0
Signed-off-by: Jörn Engel <joern@wohnheim.fh-wedel.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2006-06-23[PATCH] VFS: Permit filesystem to override root dentry on mountDavid Howells1-3/+4
Extend the get_sb() filesystem operation to take an extra argument that permits the VFS to pass in the target vfsmount that defines the mountpoint. The filesystem is then required to manually set the superblock and root dentry pointers. For most filesystems, this should be done with simple_set_mnt() which will set the superblock pointer and then set the root dentry to the superblock's s_root (as per the old default behaviour). The get_sb() op now returns an integer as there's now no need to return the superblock pointer. This patch permits a superblock to be implicitly shared amongst several mount points, such as can be done with NFS to avoid potential inode aliasing. In such a case, simple_set_mnt() would not be called, and instead the mnt_root and mnt_sb would be set directly. The patch also makes the following changes: (*) the get_sb_*() convenience functions in the core kernel now take a vfsmount pointer argument and return an integer, so most filesystems have to change very little. (*) If one of the convenience function is not used, then get_sb() should normally call simple_set_mnt() to instantiate the vfsmount. This will always return 0, and so can be tail-called from get_sb(). (*) generic_shutdown_super() now calls shrink_dcache_sb() to clean up the dcache upon superblock destruction rather than shrink_dcache_anon(). This is required because the superblock may now have multiple trees that aren't actually bound to s_root, but that still need to be cleaned up. The currently called functions assume that the whole tree is rooted at s_root, and that anonymous dentries are not the roots of trees which results in dentries being left unculled. However, with the way NFS superblock sharing are currently set to be implemented, these assumptions are violated: the root of the filesystem is simply a dummy dentry and inode (the real inode for '/' may well be inaccessible), and all the vfsmounts are rooted on anonymous[*] dentries with child trees. [*] Anonymous until discovered from another tree. (*) The documentation has been adjusted, including the additional bit of changing ext2_* into foo_* in the documentation. [akpm@osdl.org: convert ipath_fs, do other stuff] Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Cc: Nathan Scott <nathans@sgi.com> Cc: Roland Dreier <rolandd@cisco.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-18[SECMARK]: Add new packet controls to SELinuxJames Morris1-0/+66
Add new per-packet access controls to SELinux, replacing the old packet controls. Packets are labeled with the iptables SECMARK and CONNSECMARK targets, then security policy for the packets is enforced with these controls. To allow for a smooth transition to the new controls, the old code is still present, but not active by default. To restore previous behavior, the old controls may be activated at runtime by writing a '1' to /selinux/compat_net, and also via the kernel boot parameter selinux_compat_net. Switching between the network control models requires the security load_policy permission. The old controls will probably eventually be removed and any continued use is discouraged. With this patch, the new secmark controls for SElinux are disabled by default, so existing behavior is entirely preserved, and the user is not affected at all. It also provides a config option to enable the secmark controls by default (which can always be overridden at boot and runtime). It is also noted in the kconfig help that the user will need updated userspace if enabling secmark controls for SELinux and that they'll probably need the SECMARK and CONNMARK targets, and conntrack protocol helpers, although such decisions are beyond the scope of kernel configuration. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-25Merge branch 'audit.b3' of ↵Linus Torvalds1-0/+11
git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current * 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: (22 commits) [PATCH] fix audit_init failure path [PATCH] EXPORT_SYMBOL patch for audit_log, audit_log_start, audit_log_end and audit_format [PATCH] sem2mutex: audit_netlink_sem [PATCH] simplify audit_free() locking [PATCH] Fix audit operators [PATCH] promiscuous mode [PATCH] Add tty to syscall audit records [PATCH] add/remove rule update [PATCH] audit string fields interface + consumer [PATCH] SE Linux audit events [PATCH] Minor cosmetic cleanups to the code moved into auditfilter.c [PATCH] Fix audit record filtering with !CONFIG_AUDITSYSCALL [PATCH] Fix IA64 success/failure indication in syscall auditing. [PATCH] Miscellaneous bug and warning fixes [PATCH] Capture selinux subject/object context information. [PATCH] Exclude messages by message type [PATCH] Collect more inode information during syscall processing. [PATCH] Pass dentry, not just name, in fsnotify creation hooks. [PATCH] Define new range of userspace messages. [PATCH] Filter rule comparators ... Fixed trivial conflict in security/selinux/hooks.c
2006-03-22[PATCH] SELinux: fix hard link count for selinuxfs root directoryJames Morris1-5/+9
A further fix is needed for selinuxfs link count management, to ensure that the count is correct for the parent directory when a subdirectory is created. This is only required for the root directory currently, but the code has been updated for the general case. Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-22[PATCH] selinuxfs cleanups: sel_make_avc_filesJames Morris1-5/+2
Fix copy & paste error in sel_make_avc_files(), removing a supurious call to d_genocide() in the error path. All of this will be cleaned up by kill_litter_super(). Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-22[PATCH] selinuxfs cleanups: sel_make_boolsJames Morris1-4/+1
Remove the call to sel_make_bools() from sel_fill_super(), as policy needs to be loaded before the boolean files can be created. Policy will never be loaded during sel_fill_super() as selinuxfs is kernel mounted during init and the only means to load policy is via selinuxfs. Also, the call to d_genocide() on the error path of sel_make_bools() is incorrect and replaced with sel_remove_bools(). Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-22[PATCH] selinuxfs cleanups: sel_fill_super exit pathJames Morris1-17/+24
Unify the error path of sel_fill_super() so that all errors pass through the same point and generate an error message. Also, removes a spurious dput() in the error path which breaks the refcounting for the filesystem (litter_kill_super() will correctly clean things up itself on error). Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-22[PATCH] selinuxfs cleanups: use sel_make_dir()James Morris1-8/+4
Use existing sel_make_dir() helper to create booleans directory rather than duplicating the logic. Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-22[PATCH] selinuxfs cleanups: fix hard link countJames Morris1-0/+4
Fix the hard link count for selinuxfs directories, which are currently one short. Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>