From da2d41308c4206b966d77dcb77fb838d94244352 Mon Sep 17 00:00:00 2001 From: Canfeng Guo Date: Wed, 3 Jul 2024 10:56:05 +0800 Subject: selinux: Streamline type determination in security_compute_sid Simplifies the logic for determining the security context type in security_compute_sid, enhancing readability and efficiency. Consolidates default type assignment logic next to type transition checks, removing redundancy and improving code flow. Signed-off-by: Canfeng Guo Signed-off-by: Paul Moore --- security/selinux/ss/services.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) (limited to 'security/selinux') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index e33e55384b75..a9830fbfc5c6 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1804,22 +1804,9 @@ retry: newcontext.role = OBJECT_R_VAL; } - /* Set the type to default values. */ - if (cladatum && cladatum->default_type == DEFAULT_SOURCE) { - newcontext.type = scontext->type; - } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) { - newcontext.type = tcontext->type; - } else { - if ((tclass == policydb->process_class) || sock) { - /* Use the type of process. */ - newcontext.type = scontext->type; - } else { - /* Use the type of the related object. */ - newcontext.type = tcontext->type; - } - } - - /* Look for a type transition/member/change rule. */ + /* Set the type. + * Look for a type transition/member/change rule. + */ avkey.source_type = scontext->type; avkey.target_type = tcontext->type; avkey.target_class = tclass; @@ -1837,9 +1824,24 @@ retry: } } + /* If a permanent rule is found, use the type from + * the type transition/member/change rule. Otherwise, + * set the type to its default values. + */ if (avnode) { - /* Use the type from the type transition/member/change rule. */ newcontext.type = avnode->datum.u.data; + } else if (cladatum && cladatum->default_type == DEFAULT_SOURCE) { + newcontext.type = scontext->type; + } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) { + newcontext.type = tcontext->type; + } else { + if ((tclass == policydb->process_class) || sock) { + /* Use the type of process. */ + newcontext.type = scontext->type; + } else { + /* Use the type of the related object. */ + newcontext.type = tcontext->type; + } } /* if we have a objname this is a file trans check so check those rules */ -- cgit v1.2.3 From fc328c869c4128fc1f975b8cfe92e9ec320d477f Mon Sep 17 00:00:00 2001 From: Gaosheng Cui Date: Fri, 12 Jul 2024 09:45:34 +0800 Subject: selinux: refactor code to return ERR_PTR in selinux_netlbl_sock_genattr Refactor the code in selinux_netlbl_sock_genattr to return ERR_PTR when an error occurs. Signed-off-by: Gaosheng Cui Signed-off-by: Paul Moore --- security/selinux/netlabel.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'security/selinux') diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 55885634e880..63c481dd71bb 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -62,7 +62,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, * Description: * Generate the NetLabel security attributes for a socket, making full use of * the socket's attribute cache. Returns a pointer to the security attributes - * on success, NULL on failure. + * on success, or an ERR_PTR on failure. * */ static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) @@ -76,11 +76,12 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) secattr = netlbl_secattr_alloc(GFP_ATOMIC); if (secattr == NULL) - return NULL; + return ERR_PTR(-ENOMEM); + rc = security_netlbl_sid_to_secattr(sksec->sid, secattr); if (rc != 0) { netlbl_secattr_free(secattr); - return NULL; + return ERR_PTR(rc); } sksec->nlbl_secattr = secattr; @@ -400,8 +401,8 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) return 0; secattr = selinux_netlbl_sock_genattr(sk); - if (secattr == NULL) - return -ENOMEM; + if (IS_ERR(secattr)) + return PTR_ERR(secattr); /* On socket creation, replacement of IP options is safe even if * the caller does not hold the socket lock. */ @@ -561,10 +562,9 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, return rc; } secattr = selinux_netlbl_sock_genattr(sk); - if (secattr == NULL) { - rc = -ENOMEM; - return rc; - } + if (IS_ERR(secattr)) + return PTR_ERR(secattr); + rc = netlbl_conn_setattr(sk, addr, secattr); if (rc == 0) sksec->nlbl_state = NLBL_CONNLABELED; -- cgit v1.2.3 From 2571bb9d553ba2b8db1971bd3c903bff07d0bb11 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 26 Aug 2024 08:47:09 -0400 Subject: selinux: annotate false positive data race to avoid KCSAN warnings KCSAN flags the check of isec->initialized by __inode_security_revalidate() as a data race. This is indeed a racy check, but inode_doinit_with_dentry() will recheck with isec->lock held. Annotate the check with the data_race() macro to silence the KCSAN false positive. Reported-by: syzbot+319ed1769c0078257262@syzkaller.appspotmail.com Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore --- security/selinux/hooks.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'security/selinux') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 55c78c318ccd..70c335846336 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -282,8 +282,13 @@ static int __inode_security_revalidate(struct inode *inode, might_sleep_if(may_sleep); + /* + * The check of isec->initialized below is racy but + * inode_doinit_with_dentry() will recheck with + * isec->lock held. + */ if (selinux_initialized() && - isec->initialized != LABEL_INITIALIZED) { + data_race(isec->initialized != LABEL_INITIALIZED)) { if (!may_sleep) return -ECHILD; -- cgit v1.2.3 From 4ad858bd6fbe21c563f177d499da5f99b4b2480e Mon Sep 17 00:00:00 2001 From: Eric Suen Date: Tue, 27 Aug 2024 10:40:03 -0700 Subject: selinux: replace kmem_cache_create() with KMEM_CACHE() Based on guidance in include/linux/slab.h, replace kmem_cache_create() with KMEM_CACHE() for sources under security/selinux to simplify creation of SLAB caches. Signed-off-by: Eric Suen [PM: minor grammar nits in the description] Signed-off-by: Paul Moore --- security/selinux/avc.c | 16 ++++------------ security/selinux/ss/avtab.c | 7 ++----- security/selinux/ss/ebitmap.c | 4 +--- security/selinux/ss/hashtab.c | 4 +--- 4 files changed, 8 insertions(+), 23 deletions(-) (limited to 'security/selinux') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 32eb67fb3e42..1ec377ce6d22 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -134,18 +134,10 @@ static inline u32 avc_hash(u32 ssid, u32 tsid, u16 tclass) */ void __init avc_init(void) { - avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), - 0, SLAB_PANIC, NULL); - avc_xperms_cachep = kmem_cache_create("avc_xperms_node", - sizeof(struct avc_xperms_node), - 0, SLAB_PANIC, NULL); - avc_xperms_decision_cachep = kmem_cache_create( - "avc_xperms_decision_node", - sizeof(struct avc_xperms_decision_node), - 0, SLAB_PANIC, NULL); - avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data", - sizeof(struct extended_perms_data), - 0, SLAB_PANIC, NULL); + avc_node_cachep = KMEM_CACHE(avc_node, SLAB_PANIC); + avc_xperms_cachep = KMEM_CACHE(avc_xperms_node, SLAB_PANIC); + avc_xperms_decision_cachep = KMEM_CACHE(avc_xperms_decision_node, SLAB_PANIC); + avc_xperms_data_cachep = KMEM_CACHE(extended_perms_data, SLAB_PANIC); } int avc_get_hash_stats(char *page) diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c index 2ad98732d052..8e400dd736b7 100644 --- a/security/selinux/ss/avtab.c +++ b/security/selinux/ss/avtab.c @@ -604,9 +604,6 @@ int avtab_write(struct policydb *p, struct avtab *a, void *fp) void __init avtab_cache_init(void) { - avtab_node_cachep = kmem_cache_create( - "avtab_node", sizeof(struct avtab_node), 0, SLAB_PANIC, NULL); - avtab_xperms_cachep = kmem_cache_create( - "avtab_extended_perms", sizeof(struct avtab_extended_perms), 0, - SLAB_PANIC, NULL); + avtab_node_cachep = KMEM_CACHE(avtab_node, SLAB_PANIC); + avtab_xperms_cachep = KMEM_CACHE(avtab_extended_perms, SLAB_PANIC); } diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c index 04d7f4907a06..99c01be15115 100644 --- a/security/selinux/ss/ebitmap.c +++ b/security/selinux/ss/ebitmap.c @@ -572,7 +572,5 @@ u32 ebitmap_hash(const struct ebitmap *e, u32 hash) void __init ebitmap_cache_init(void) { - ebitmap_node_cachep = kmem_cache_create("ebitmap_node", - sizeof(struct ebitmap_node), 0, - SLAB_PANIC, NULL); + ebitmap_node_cachep = KMEM_CACHE(ebitmap_node, SLAB_PANIC); } diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c index 32c4cb37f3d2..383fd2d70878 100644 --- a/security/selinux/ss/hashtab.c +++ b/security/selinux/ss/hashtab.c @@ -194,7 +194,5 @@ error: void __init hashtab_cache_init(void) { - hashtab_node_cachep = kmem_cache_create("hashtab_node", - sizeof(struct hashtab_node), 0, - SLAB_PANIC, NULL); + hashtab_node_cachep = KMEM_CACHE(hashtab_node, SLAB_PANIC); } -- cgit v1.2.3 From a3422eb4facdebb685b9b4688feb60430450e3c9 Mon Sep 17 00:00:00 2001 From: Guido Trentalancia Date: Wed, 28 Aug 2024 11:35:19 +0200 Subject: selinux: mark both IPv4 and IPv6 accepted connection sockets as labeled The current partial labeling was introduced in 389fb800ac8b ("netlabel: Label incoming TCP connections correctly in SELinux") due to the fact that IPv6 labeling was not supported yet at the time. Signed-off-by: Guido Trentalancia [PM: properly format the referenced commit ID, adjust subject] Signed-off-by: Paul Moore --- security/selinux/netlabel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/selinux') diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 63c481dd71bb..5ad2fd68abbf 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -359,7 +359,7 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) { struct sk_security_struct *sksec = sk->sk_security; - if (family == PF_INET) + if (family == PF_INET || family == PF_INET6) sksec->nlbl_state = NLBL_LABELED; else sksec->nlbl_state = NLBL_UNSET; -- cgit v1.2.3 From 68cfb28332420e0515cb6ffdb46921d59ba9739f Mon Sep 17 00:00:00 2001 From: Zhen Lei Date: Thu, 22 Aug 2024 22:08:58 +0800 Subject: selinux: simplify avc_xperms_audit_required() By associative and commutative laws, the result of the two 'audited' is zero. Take the second 'audited' as an example: 1) audited = requested & avd->auditallow; 2) audited &= ~requested; ==> audited = ~requested & (requested & avd->auditallow); ==> audited = (~requested & requested) & avd->auditallow; ==> audited = 0 & avd->auditallow; ==> audited = 0; In fact, it is more readable to directly write zero. The value of the first 'audited' is 0 because AUDIT is not allowed. The second 'audited' is zero because there is no AUDITALLOW permission. Signed-off-by: Zhen Lei Signed-off-by: Paul Moore --- security/selinux/avc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'security/selinux') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 1ec377ce6d22..e0d1a9dfacee 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -388,7 +388,7 @@ static inline u32 avc_xperms_audit_required(u32 requested, audited = denied & avd->auditdeny; if (audited && xpd) { if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT)) - audited &= ~requested; + audited = 0; } } else if (result) { audited = denied = requested; @@ -396,7 +396,7 @@ static inline u32 avc_xperms_audit_required(u32 requested, audited = requested & avd->auditallow; if (audited && xpd) { if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) - audited &= ~requested; + audited = 0; } } -- cgit v1.2.3 From d19a9e25a722d629041ac8fd320a86c016e349d1 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Tue, 3 Sep 2024 18:53:20 -0400 Subject: selinux: fix style problems in security/selinux/include/audit.h Remove the needless indent in the function comment header blocks. Signed-off-by: Paul Moore --- security/selinux/include/audit.h | 46 ++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 23 deletions(-) (limited to 'security/selinux') diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 29c7d4c86f6d..168d17be7df3 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -16,45 +16,45 @@ #include /** - * selinux_audit_rule_init - alloc/init an selinux audit rule structure. - * @field: the field this rule refers to - * @op: the operator the rule uses - * @rulestr: the text "target" of the rule - * @rule: pointer to the new rule structure returned via this - * @gfp: GFP flag used for kmalloc + * selinux_audit_rule_init - alloc/init an selinux audit rule structure. + * @field: the field this rule refers to + * @op: the operator the rule uses + * @rulestr: the text "target" of the rule + * @rule: pointer to the new rule structure returned via this + * @gfp: GFP flag used for kmalloc * - * Returns 0 if successful, -errno if not. On success, the rule structure - * will be allocated internally. The caller must free this structure with - * selinux_audit_rule_free() after use. + * Returns 0 if successful, -errno if not. On success, the rule structure + * will be allocated internally. The caller must free this structure with + * selinux_audit_rule_free() after use. */ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, gfp_t gfp); /** - * selinux_audit_rule_free - free an selinux audit rule structure. - * @rule: pointer to the audit rule to be freed + * selinux_audit_rule_free - free an selinux audit rule structure. + * @rule: pointer to the audit rule to be freed * - * This will free all memory associated with the given rule. - * If @rule is NULL, no operation is performed. + * This will free all memory associated with the given rule. + * If @rule is NULL, no operation is performed. */ void selinux_audit_rule_free(void *rule); /** - * selinux_audit_rule_match - determine if a context ID matches a rule. - * @sid: the context ID to check - * @field: the field this rule refers to - * @op: the operator the rule uses - * @rule: pointer to the audit rule to check against + * selinux_audit_rule_match - determine if a context ID matches a rule. + * @sid: the context ID to check + * @field: the field this rule refers to + * @op: the operator the rule uses + * @rule: pointer to the audit rule to check against * - * Returns 1 if the context id matches the rule, 0 if it does not, and - * -errno on failure. + * Returns 1 if the context id matches the rule, 0 if it does not, and + * -errno on failure. */ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule); /** - * selinux_audit_rule_known - check to see if rule contains selinux fields. - * @rule: rule to be checked - * Returns 1 if there are selinux fields specified in the rule, 0 otherwise. + * selinux_audit_rule_known - check to see if rule contains selinux fields. + * @rule: rule to be checked + * Returns 1 if there are selinux fields specified in the rule, 0 otherwise. */ int selinux_audit_rule_known(struct audit_krule *rule); -- cgit v1.2.3