selinux/stable-6.2 PR 20221212

-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmOXmvkUHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXNP8BAA0jhzbzMXynz7es7dQTdE2J22umMe
 CzGoNxyMAPEYRPlTZmqqwSUaDPhtt4Z0MDkAG1Fn46qn3W8b0L31Z5kXTpanl+1P
 ZMP2WRCiuBS8V90XrMhQ9qvUjnIJwe/RRbwiyaSBxRUrN4MU6RA/q9suyYu/aKvo
 sueRJJtJgcwb8fGpKbaoGU4NiSeCCzabT7E+ofPYt4joCAdbLzokszbWrqEYInh/
 yb6V03Mad/wl7jz3BwSwY+cVdEuJV+mDcfIg1yB7O9pr/H8HpIcXvYIyEICrVdGw
 nstkI76w22HcbHkWWbLWNAdPRUcMRA8Bf3GAXuhV+8gr2g8bt5ePEXsqkc1Oh75z
 o59TaBwCGxsE6qffBcytdBueqaf+CFWXv0kTIRGS9SMMCe6r3y8UIYxzdebOEB3v
 uJVWOUZTI3FqFdHl6v9I2d1R5FQurh2yX01JIe5vk2I5Oswy8hHVvDFxnJ5AEeUW
 Mcl/zV2lGgdfLrxQ+qideiTx/d71Dw/BExlyaFP8b1/ccX0X6vnOtvt6z3vw4KsR
 QDffPbFZhtApJuHBf05iYMXaUS41RU55sAaDtFh94eWRD5EZ9298qGpP6+weJvlz
 ofBvKaZswQj6ZdymoZB+A+vbwUKItp2ApijyLbOMtaP1RNY1/47aO0kQkmPRuHe7
 5+cKG8cjyrruZXw=
 =4AGR
 -----END PGP SIGNATURE-----

Merge tag 'selinux-pr-20221212' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:
 "Two SELinux patches: one increases the sleep time on deprecated
  functionality, and one removes the indirect calls in the sidtab
  context conversion code"

* tag 'selinux-pr-20221212' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: remove the sidtab context conversion indirect calls
  selinux: increase the deprecation sleep for checkreqprot and runtime disable
Linus Torvalds 2022-12-13 09:32:05 -08:00
commit 57888f7b95
5 changed files with 52 additions and 47 deletions


@ -294,7 +294,7 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
*/ */
pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n"); pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n");
pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
ssleep(5); ssleep(15);
if (count >= PAGE_SIZE) if (count >= PAGE_SIZE)
return -ENOMEM; return -ENOMEM;
@ -763,7 +763,7 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
checkreqprot_set(fsi->state, (new_value ? 1 : 0)); checkreqprot_set(fsi->state, (new_value ? 1 : 0));
if (new_value) if (new_value)
ssleep(5); ssleep(15);
length = count; length = count;
selinux_ima_measure_state(fsi->state); selinux_ima_measure_state(fsi->state);
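Review bot: The deprecation delay is now the bare literal `ssleep(15)` in two separate write handlers (here in sel_write_checkreqprot and above in sel_write_disable), so the next bump has to find and change both. A single named constant next to the other selinuxfs definitions, e.g. `#define SELINUX_DEPRECATION_SLEEP_SECS 15` used as `ssleep(SELINUX_DEPRECATION_SLEEP_SECS);` at both sites, keeps the two paths from drifting apart and gives the value a place for a short comment on why it exists. Both enclosing functions begin and end outside these hunks.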


@ -68,12 +68,6 @@
#include "policycap_names.h" #include "policycap_names.h"
#include "ima.h" #include "ima.h"
struct convert_context_args {
struct selinux_state *state;
struct policydb *oldp;
struct policydb *newp;
};
struct selinux_policy_convert_data { struct selinux_policy_convert_data {
struct convert_context_args args; struct convert_context_args args;
struct sidtab_convert_params sidtab_params; struct sidtab_convert_params sidtab_params;
@ -2014,18 +2008,22 @@ static inline int convert_context_handle_invalid_context(
return 0; return 0;
} }
/* /**
* Convert the values in the security context * services_convert_context - Convert a security context across policies.
* structure `oldc' from the values specified * @args: populated convert_context_args struct
* in the policy `p->oldp' to the values specified * @oldc: original context
* in the policy `p->newp', storing the new context * @newc: converted context
* in `newc'. Verify that the context is valid * @gfp_flags: allocation flags
* under the new policy. *
* Convert the values in the security context structure @oldc from the values
* specified in the policy @args->oldp to the values specified in the policy
* @args->newp, storing the new context in @newc, and verifying that the
* context is valid under the new policy.
*/ */
static int convert_context(struct context *oldc, struct context *newc, void *p, int services_convert_context(struct convert_context_args *args,
gfp_t gfp_flags) struct context *oldc, struct context *newc,
gfp_t gfp_flags)
{ {
struct convert_context_args *args;
struct ocontext *oc; struct ocontext *oc;
struct role_datum *role; struct role_datum *role;
struct type_datum *typdatum; struct type_datum *typdatum;
@ -2034,15 +2032,12 @@ static int convert_context(struct context *oldc, struct context *newc, void *p,
u32 len; u32 len;
int rc; int rc;
args = p;
if (oldc->str) { if (oldc->str) {
s = kstrdup(oldc->str, gfp_flags); s = kstrdup(oldc->str, gfp_flags);
if (!s) if (!s)
return -ENOMEM; return -ENOMEM;
rc = string_to_context_struct(args->newp, NULL, s, rc = string_to_context_struct(args->newp, NULL, s, newc, SECSID_NULL);
newc, SECSID_NULL);
if (rc == -EINVAL) { if (rc == -EINVAL) {
/* /*
* Retain string representation for later mapping. * Retain string representation for later mapping.
@ -2073,8 +2068,7 @@ static int convert_context(struct context *oldc, struct context *newc, void *p,
/* Convert the user. */ /* Convert the user. */
usrdatum = symtab_search(&args->newp->p_users, usrdatum = symtab_search(&args->newp->p_users,
sym_name(args->oldp, sym_name(args->oldp, SYM_USERS, oldc->user - 1));
SYM_USERS, oldc->user - 1));
if (!usrdatum) if (!usrdatum)
goto bad; goto bad;
newc->user = usrdatum->value; newc->user = usrdatum->value;
@ -2088,8 +2082,7 @@ static int convert_context(struct context *oldc, struct context *newc, void *p,
/* Convert the type. */ /* Convert the type. */
typdatum = symtab_search(&args->newp->p_types, typdatum = symtab_search(&args->newp->p_types,
sym_name(args->oldp, sym_name(args->oldp, SYM_TYPES, oldc->type - 1));
SYM_TYPES, oldc->type - 1));
if (!typdatum) if (!typdatum)
goto bad; goto bad;
newc->type = typdatum->value; newc->type = typdatum->value;
@ -2123,8 +2116,7 @@ static int convert_context(struct context *oldc, struct context *newc, void *p,
/* Check the validity of the new context. */ /* Check the validity of the new context. */
if (!policydb_context_isvalid(args->newp, newc)) { if (!policydb_context_isvalid(args->newp, newc)) {
rc = convert_context_handle_invalid_context(args->state, rc = convert_context_handle_invalid_context(args->state,
args->oldp, args->oldp, oldc);
oldc);
if (rc) if (rc)
goto bad; goto bad;
} }
@ -2333,21 +2325,21 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len,
goto err_free_isids; goto err_free_isids;
} }
/*
* Convert the internal representations of contexts
* in the new SID table.
*/
convert_data = kmalloc(sizeof(*convert_data), GFP_KERNEL); convert_data = kmalloc(sizeof(*convert_data), GFP_KERNEL);
if (!convert_data) { if (!convert_data) {
rc = -ENOMEM; rc = -ENOMEM;
goto err_free_isids; goto err_free_isids;
} }
/*
* Convert the internal representations of contexts
* in the new SID table.
*/
convert_data->args.state = state; convert_data->args.state = state;
convert_data->args.oldp = &oldpolicy->policydb; convert_data->args.oldp = &oldpolicy->policydb;
convert_data->args.newp = &newpolicy->policydb; convert_data->args.newp = &newpolicy->policydb;
convert_data->sidtab_params.func = convert_context;
convert_data->sidtab_params.args = &convert_data->args; convert_data->sidtab_params.args = &convert_data->args;
convert_data->sidtab_params.target = newpolicy->sidtab; convert_data->sidtab_params.target = newpolicy->sidtab;
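Review bot: The new kernel-doc block for services_convert_context has no `Return:` section, which kernel-doc expects for a function returning an error code, and the visible body shows at least two outcomes worth stating: -ENOMEM when the kstrdup fails, and a path where an -EINVAL from string_to_context_struct is handled by retaining the string representation rather than being propagated. A line such as `* Return: 0 on success (including when the context is retained in string form), negative errno on failure.` would make the contract explicit; the remainder of the body, including the `bad` label, is outside these hunks, so the exact set of error codes should be confirmed there. Since the function is now a public symbol called from sidtab.c with GFP_ATOMIC inside what appears to be a lock-protected path (the `goto out_unlock` cleanup in sidtab_context_to_sid), a `Context:` line noting that it may be called from atomic context and must only allocate with @gfp_flags would also help the next caller.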


@ -29,10 +29,19 @@ struct selinux_policy {
u32 latest_granting; u32 latest_granting;
} __randomize_layout; } __randomize_layout;
void services_compute_xperms_drivers(struct extended_perms *xperms, struct convert_context_args {
struct avtab_node *node); struct selinux_state *state;
struct policydb *oldp;
struct policydb *newp;
};
void services_compute_xperms_drivers(struct extended_perms *xperms,
struct avtab_node *node);
void services_compute_xperms_decision(struct extended_perms_decision *xpermd, void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
struct avtab_node *node); struct avtab_node *node);
int services_convert_context(struct convert_context_args *args,
struct context *oldc, struct context *newc,
gfp_t gfp_flags);
#endif /* _SS_SERVICES_H_ */ #endif /* _SS_SERVICES_H_ */


@ -18,6 +18,7 @@
#include "flask.h" #include "flask.h"
#include "security.h" #include "security.h"
#include "sidtab.h" #include "sidtab.h"
#include "services.h"
struct sidtab_str_cache { struct sidtab_str_cache {
struct rcu_head rcu_member; struct rcu_head rcu_member;
@ -292,7 +293,6 @@ int sidtab_context_to_sid(struct sidtab *s, struct context *context,
} }
count = s->count; count = s->count;
convert = s->convert;
/* bail out if we already reached max entries */ /* bail out if we already reached max entries */
rc = -EOVERFLOW; rc = -EOVERFLOW;
@ -316,25 +316,29 @@ int sidtab_context_to_sid(struct sidtab *s, struct context *context,
* if we are building a new sidtab, we need to convert the context * if we are building a new sidtab, we need to convert the context
* and insert it there as well * and insert it there as well
*/ */
convert = s->convert;
if (convert) { if (convert) {
struct sidtab *target = convert->target;
rc = -ENOMEM; rc = -ENOMEM;
dst_convert = sidtab_do_lookup(convert->target, count, 1); dst_convert = sidtab_do_lookup(target, count, 1);
if (!dst_convert) { if (!dst_convert) {
context_destroy(&dst->context); context_destroy(&dst->context);
goto out_unlock; goto out_unlock;
} }
rc = convert->func(context, &dst_convert->context, rc = services_convert_context(convert->args,
convert->args, GFP_ATOMIC); context, &dst_convert->context,
GFP_ATOMIC);
if (rc) { if (rc) {
context_destroy(&dst->context); context_destroy(&dst->context);
goto out_unlock; goto out_unlock;
} }
dst_convert->sid = index_to_sid(count); dst_convert->sid = index_to_sid(count);
dst_convert->hash = context_compute_hash(&dst_convert->context); dst_convert->hash = context_compute_hash(&dst_convert->context);
convert->target->count = count + 1; target->count = count + 1;
hash_add_rcu(convert->target->context_to_sid, hash_add_rcu(target->context_to_sid,
&dst_convert->list, dst_convert->hash); &dst_convert->list, dst_convert->hash);
} }
@ -402,9 +406,10 @@ static int sidtab_convert_tree(union sidtab_entry_inner *edst,
} }
i = 0; i = 0;
while (i < SIDTAB_LEAF_ENTRIES && *pos < count) { while (i < SIDTAB_LEAF_ENTRIES && *pos < count) {
rc = convert->func(&esrc->ptr_leaf->entries[i].context, rc = services_convert_context(convert->args,
&edst->ptr_leaf->entries[i].context, &esrc->ptr_leaf->entries[i].context,
convert->args, GFP_KERNEL); &edst->ptr_leaf->entries[i].context,
GFP_KERNEL);
if (rc) if (rc)
return rc; return rc;
(*pos)++; (*pos)++;


@ -65,8 +65,7 @@ struct sidtab_isid_entry {
}; };
struct sidtab_convert_params { struct sidtab_convert_params {
int (*func)(struct context *oldc, struct context *newc, void *args, gfp_t gfp_flags); struct convert_context_args *args;
void *args;
struct sidtab *target; struct sidtab *target;
}; };
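Review bot: The `args` member changes from `void *` to `struct convert_context_args *`, but nothing in this hunk shows that type is in scope in sidtab.h; the struct definition moved to services.h, and the include of services.h was added to sidtab.c, not to this header. Unless sidtab.h already includes services.h (not visible here), a forward declaration `struct convert_context_args;` placed before `struct sidtab_convert_params` keeps the header self-contained without creating a services.h/sidtab.h include cycle. A one-line comment on the field, `/* consumed by services_convert_context() */`, would also record the new direct coupling between sidtab and services that replaced the function pointer.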