From f74af6e816c940c678c235d49486fe40d7e49ce9 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Mon, 25 Feb 2008 11:40:33 -0500 Subject: SELinux: Correct the NetLabel locking for the sk_security_struct The RCU/spinlock locking approach for the nlbl_state in the sk_security_struct was almost certainly overkill. This patch removes both the RCU and spinlock locking, relying on the existing socket locks to handle the case of multiple writers. This change also makes several code reductions possible. Less locking, less code - it's a Good Thing. Signed-off-by: Paul Moore Signed-off-by: James Morris --- security/selinux/include/objsec.h | 1 - 1 file changed, 1 deletion(-) (limited to 'security/selinux/include/objsec.h') diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index c6c2bb4ebacc..0b74077eed4f 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -120,7 +120,6 @@ struct sk_security_struct { NLBL_REQUIRE, NLBL_LABELED, } nlbl_state; - spinlock_t nlbl_lock; /* protects nlbl_state */ #endif }; -- cgit v1.2.3 From 98e9894650455426f67c2157db4f39bd14fac2f6 Mon Sep 17 00:00:00 2001 From: James Morris Date: Tue, 26 Feb 2008 09:52:58 +1100 Subject: SELinux: remove unused backpointers from security objects Remove unused backpoiters from security objects. Signed-off-by: James Morris --- security/selinux/hooks.c | 7 ------- security/selinux/include/objsec.h | 7 ------- 2 files changed, 14 deletions(-) (limited to 'security/selinux/include/objsec.h') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d51bd40a04a8..710894d4841b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -161,7 +161,6 @@ static int task_alloc_security(struct task_struct *task) if (!tsec) return -ENOMEM; - tsec->task = task; tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; task->security = tsec; @@ -218,7 +217,6 @@ static int file_alloc_security(struct file *file) if (!fsec) return -ENOMEM; - fsec->file = file; fsec->sid = tsec->sid; fsec->fown_sid = tsec->sid; file->f_security = fsec; @@ -275,7 +273,6 @@ static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) if (!ssec) return -ENOMEM; - ssec->sk = sk; ssec->peer_sid = SECINITSID_UNLABELED; ssec->sid = SECINITSID_UNLABELED; sk->sk_security = ssec; @@ -1889,7 +1886,6 @@ static int selinux_bprm_alloc_security(struct linux_binprm *bprm) if (!bsec) return -ENOMEM; - bsec->bprm = bprm; bsec->sid = SECINITSID_UNLABELED; bsec->set = 0; @@ -4561,7 +4557,6 @@ static int ipc_alloc_security(struct task_struct *task, return -ENOMEM; isec->sclass = sclass; - isec->ipc_perm = perm; isec->sid = tsec->sid; perm->security = isec; @@ -4583,7 +4578,6 @@ static int msg_msg_alloc_security(struct msg_msg *msg) if (!msec) return -ENOMEM; - msec->msg = msg; msec->sid = SECINITSID_UNLABELED; msg->security = msec; @@ -5194,7 +5188,6 @@ static int selinux_key_alloc(struct key *k, struct task_struct *tsk, if (!ksec) return -ENOMEM; - ksec->obj = k; if (tsec->keycreate_sid) ksec->sid = tsec->keycreate_sid; else diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 0b74077eed4f..020a8754b809 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -28,7 +28,6 @@ #include "avc.h" struct task_security_struct { - struct task_struct *task; /* back pointer to task object */ u32 osid; /* SID prior to last execve */ u32 sid; /* current SID */ u32 exec_sid; /* exec SID */ @@ -50,7 +49,6 @@ struct inode_security_struct { }; struct file_security_struct { - struct file *file; /* back pointer to file object */ u32 sid; /* SID of open file description */ u32 fown_sid; /* SID of file owner (for SIGIO) */ u32 isid; /* SID of inode at the time of file open */ @@ -73,18 +71,15 @@ struct superblock_security_struct { }; struct msg_security_struct { - struct msg_msg *msg; /* back pointer */ u32 sid; /* SID of message */ }; struct ipc_security_struct { - struct kern_ipc_perm *ipc_perm; /* back pointer */ u16 sclass; /* security class of this object */ u32 sid; /* SID of IPC resource */ }; struct bprm_security_struct { - struct linux_binprm *bprm; /* back pointer to bprm object */ u32 sid; /* SID for transformed process */ unsigned char set; @@ -110,7 +105,6 @@ struct netnode_security_struct { }; struct sk_security_struct { - struct sock *sk; /* back pointer to sk object */ u32 sid; /* SID of this object */ u32 peer_sid; /* SID of peer */ u16 sclass; /* sock security class */ @@ -124,7 +118,6 @@ struct sk_security_struct { }; struct key_security_struct { - struct key *obj; /* back pointer */ u32 sid; /* SID of key */ }; -- cgit v1.2.3 From 0356357c5158c71d4cbf20196b2f784435dd916c Mon Sep 17 00:00:00 2001 From: Roland McGrath Date: Wed, 26 Mar 2008 15:46:39 -0700 Subject: selinux: remove ptrace_sid This changes checks related to ptrace to get rid of the ptrace_sid tracking. It's good to disentangle the security model from the ptrace implementation internals. It's sufficient to check against the SID of the ptracer at the time a tracee attempts a transition. Signed-off-by: Roland McGrath Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 71 ++++++++++++++++++++++++++------------- security/selinux/include/objsec.h | 1 - 2 files changed, 47 insertions(+), 25 deletions(-) (limited to 'security/selinux/include/objsec.h') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 973e31eb1097..9d002f8484a3 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -161,7 +161,7 @@ static int task_alloc_security(struct task_struct *task) if (!tsec) return -ENOMEM; - tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; + tsec->osid = tsec->sid = SECINITSID_UNLABELED; task->security = tsec; return 0; @@ -1671,19 +1671,13 @@ static inline u32 file_to_av(struct file *file) static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) { - struct task_security_struct *psec = parent->security; - struct task_security_struct *csec = child->security; int rc; rc = secondary_ops->ptrace(parent,child); if (rc) return rc; - rc = task_has_perm(parent, child, PROCESS__PTRACE); - /* Save the SID of the tracing process for later use in apply_creds. */ - if (!(child->ptrace & PT_PTRACED) && !rc) - csec->ptrace_sid = psec->sid; - return rc; + return task_has_perm(parent, child, PROCESS__PTRACE); } static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, @@ -1905,6 +1899,22 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) return __vm_enough_memory(mm, pages, cap_sys_admin); } +/** + * task_tracer_task - return the task that is tracing the given task + * @task: task to consider + * + * Returns NULL if noone is tracing @task, or the &struct task_struct + * pointer to its tracer. + * + * Must be called under rcu_read_lock(). + */ +static struct task_struct *task_tracer_task(struct task_struct *task) +{ + if (task->ptrace & PT_PTRACED) + return rcu_dereference(task->parent); + return NULL; +} + /* binprm security operations */ static int selinux_bprm_alloc_security(struct linux_binprm *bprm) @@ -2151,12 +2161,25 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) /* Check for ptracing, and update the task SID if ok. Otherwise, leave SID unchanged and kill. */ if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { - rc = avc_has_perm(tsec->ptrace_sid, sid, - SECCLASS_PROCESS, PROCESS__PTRACE, - NULL); - if (rc) { - bsec->unsafe = 1; - return; + struct task_struct *tracer; + struct task_security_struct *sec; + u32 ptsid = 0; + + rcu_read_lock(); + tracer = task_tracer_task(current); + if (likely(tracer != NULL)) { + sec = tracer->security; + ptsid = sec->sid; + } + rcu_read_unlock(); + + if (ptsid != 0) { + rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, + PROCESS__PTRACE, NULL); + if (rc) { + bsec->unsafe = 1; + return; + } } } tsec->sid = sid; @@ -3112,11 +3135,6 @@ static int selinux_task_alloc_security(struct task_struct *tsk) tsec2->keycreate_sid = tsec1->keycreate_sid; tsec2->sockcreate_sid = tsec1->sockcreate_sid; - /* Retain ptracer SID across fork, if any. - This will be reset by the ptrace hook upon any - subsequent ptrace_attach operations. */ - tsec2->ptrace_sid = tsec1->ptrace_sid; - return 0; } @@ -5080,6 +5098,7 @@ static int selinux_setprocattr(struct task_struct *p, char *name, void *value, size_t size) { struct task_security_struct *tsec; + struct task_struct *tracer; u32 sid = 0; int error; char *str = value; @@ -5168,18 +5187,24 @@ static int selinux_setprocattr(struct task_struct *p, /* Check for ptracing, and update the task SID if ok. Otherwise, leave SID unchanged and fail. */ task_lock(p); - if (p->ptrace & PT_PTRACED) { - error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, + rcu_read_lock(); + tracer = task_tracer_task(p); + if (tracer != NULL) { + struct task_security_struct *ptsec = tracer->security; + u32 ptsid = ptsec->sid; + rcu_read_unlock(); + error = avc_has_perm_noaudit(ptsid, sid, SECCLASS_PROCESS, PROCESS__PTRACE, 0, &avd); if (!error) tsec->sid = sid; task_unlock(p); - avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, + avc_audit(ptsid, sid, SECCLASS_PROCESS, PROCESS__PTRACE, &avd, error, NULL); if (error) return error; } else { + rcu_read_unlock(); tsec->sid = sid; task_unlock(p); } @@ -5653,5 +5678,3 @@ int selinux_disable(void) return 0; } #endif - - diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 020a8754b809..957b10d0f76f 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -34,7 +34,6 @@ struct task_security_struct { u32 create_sid; /* fscreate SID */ u32 keycreate_sid; /* keycreate SID */ u32 sockcreate_sid; /* fscreate SID */ - u32 ptrace_sid; /* SID of ptrace parent */ }; struct inode_security_struct { -- cgit v1.2.3 From 3e11217263d0521e212cb8a017fbc2a1514db78f Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 10 Apr 2008 10:48:14 -0400 Subject: SELinux: Add network port SID cache Much like we added a network node cache, this patch adds a network port cache. The design is taken almost completely from the network node cache which in turn was taken from the network interface cache. The basic idea is to cache entries in a hash table based on protocol/port information. The hash function only takes the port number into account since the number of different protocols in use at any one time is expected to be relatively small. Signed-off-by: Paul Moore Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/Makefile | 1 + security/selinux/hooks.c | 20 ++++++++------------ security/selinux/include/objsec.h | 6 ++++++ security/selinux/include/security.h | 3 +-- security/selinux/ss/services.c | 8 +------- 5 files changed, 17 insertions(+), 21 deletions(-) (limited to 'security/selinux/include/objsec.h') diff --git a/security/selinux/Makefile b/security/selinux/Makefile index 00afd85f1edb..d47fc5e545e0 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile @@ -11,6 +11,7 @@ selinux-y := avc.o \ nlmsgtab.o \ netif.o \ netnode.o \ + netport.o \ exports.o selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 93c809a6e4fa..34f2d46c7984 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -80,6 +80,7 @@ #include "objsec.h" #include "netif.h" #include "netnode.h" +#include "netport.h" #include "xfrm.h" #include "netlabel.h" @@ -3670,10 +3671,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in inet_get_local_port_range(&low, &high); if (snum < max(PROT_SOCK, low) || snum > high) { - err = security_port_sid(sk->sk_family, - sk->sk_type, - sk->sk_protocol, snum, - &sid); + err = sel_netport_sid(sk->sk_protocol, + snum, &sid); if (err) goto out; AVC_AUDIT_DATA_INIT(&ad,NET); @@ -3761,8 +3760,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, snum = ntohs(addr6->sin6_port); } - err = security_port_sid(sk->sk_family, sk->sk_type, - sk->sk_protocol, snum, &sid); + err = sel_netport_sid(sk->sk_protocol, snum, &sid); if (err) goto out; @@ -3993,9 +3991,8 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, if (!recv_perm) return 0; - err = security_port_sid(sk->sk_family, sk->sk_type, - sk->sk_protocol, ntohs(ad->u.net.sport), - &port_sid); + err = sel_netport_sid(sk->sk_protocol, + ntohs(ad->u.net.sport), &port_sid); if (unlikely(err)) { printk(KERN_WARNING "SELinux: failure in" @@ -4416,9 +4413,8 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk, if (send_perm != 0) return 0; - err = security_port_sid(sk->sk_family, sk->sk_type, - sk->sk_protocol, ntohs(ad->u.net.dport), - &port_sid); + err = sel_netport_sid(sk->sk_protocol, + ntohs(ad->u.net.dport), &port_sid); if (unlikely(err)) { printk(KERN_WARNING "SELinux: failure in" diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 957b10d0f76f..300b61bad7b3 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -103,6 +103,12 @@ struct netnode_security_struct { u16 family; /* address family */ }; +struct netport_security_struct { + u32 sid; /* SID for this node */ + u16 port; /* port number */ + u8 protocol; /* transport protocol */ +}; + struct sk_security_struct { u32 sid; /* SID of this object */ u32 peer_sid; /* SID of peer */ diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index bc823ef70a12..1904c462a605 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -102,8 +102,7 @@ int security_context_to_sid_default(char *scontext, u32 scontext_len, int security_get_user_sids(u32 callsid, char *username, u32 **sids, u32 *nel); -int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port, - u32 *out_sid); +int security_port_sid(u8 protocol, u16 port, u32 *out_sid); int security_netif_sid(char *name, u32 *if_sid); diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 098c96b6f9de..d75050819b06 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1472,17 +1472,11 @@ err: /** * security_port_sid - Obtain the SID for a port. - * @domain: communication domain aka address family - * @type: socket type * @protocol: protocol number * @port: port number * @out_sid: security identifier */ -int security_port_sid(u16 domain, - u16 type, - u8 protocol, - u16 port, - u32 *out_sid) +int security_port_sid(u8 protocol, u16 port, u32 *out_sid) { struct ocontext *c; int rc = 0; -- cgit v1.2.3