mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-14 15:54:15 +08:00
5825a95fe9
-----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAl2BLvcUHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXP9pA/+Ls9sRGZoEipycbgRnwkL9/6yFtn4 UCFGMP0eobrjL82i8uMOa/72Budsp3ZaZRxf36NpbMDPyB9ohp5jf7o1WFTELESv EwxVvOMNwrxO2UbzRv3iywnhdPVJ4gHPa4GWfBHu2EEfhz3/Bv0tPIBdeXAbq4aC R0p+M9X0FFEp9eP4ftwOvFGpbZ8zKo1kwgdvCnqLhHDkyqtapqO/ByCTe1VATERP fyxjYDZNnITmI0plaIxCeeudklOTtVSAL4JPh1rk8rZIkUznZ4EBDHxdKiaz3j9C ZtAthiAA9PfAwf4DZSPHnGsfINxeNBKLD65jZn/PUne/gNJEx4DK041X9HXBNwjv OoArw58LCzxtTNZ//WB4CovRpeSdKvmKv0oh61k8cdQahLeHhzXE1wLQbnnBJLI3 CTsumIp4ZPEOX5r4ogdS3UIQpo3KrZump7VO85yUTRni150JpZR3egYpmcJ0So1A QTPemBhC2CHJVTpycYZ9fVTlPeC4oNwosPmvpB8XeGu3w5JpuNSId+BDR/ZlQAmq xWiIocGL3UMuPuJUrTGChifqBAgzK+gLa7S7RYPEnTCkj6LVQwsuP4gBXf75QTG4 FPwVcoMSDFxUDF0oFqwz4GfJlCxBSzX+BkWUn6jIiXKXBnQjU+1gu6KTwE25mf/j snJznFk25hFYFaM= =n4ht -----END PGP SIGNATURE----- Merge tag 'selinux-pr-20190917' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux updates from Paul Moore: - Add LSM hooks, and SELinux access control hooks, for dnotify, fanotify, and inotify watches. This has been discussed with both the LSM and fs/notify folks and everybody is good with these new hooks. - The LSM stacking changes missed a few calls to current_security() in the SELinux code; we fix those and remove current_security() for good. - Improve our network object labeling cache so that we always return the object's label, even when under memory pressure. Previously we would return an error if we couldn't allocate a new cache entry, now we always return the label even if we can't create a new cache entry for it. - Convert the sidtab atomic_t counter to a normal u32 with READ/WRITE_ONCE() and memory barrier protection. - A few patches to policydb.c to clean things up (remove forward declarations, long lines, bad variable names, etc) * tag 'selinux-pr-20190917' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: lsm: remove current_security() selinux: fix residual uses of current_security() for the SELinux blob selinux: avoid atomic_t usage in sidtab fanotify, inotify, dnotify, security: add security hook for fs notifications selinux: always return a secid from the network caches if we find one selinux: policydb - rename type_val_to_struct_array selinux: policydb - fix some checkpatch.pl warnings selinux: shuffle around policydb.c to get rid of forward declarations
240 lines
5.8 KiB
C
240 lines
5.8 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Network port table
|
|
*
|
|
* SELinux must keep a mapping of network ports to labels/SIDs. This
|
|
* mapping is maintained as part of the normal policy but a fast cache is
|
|
* needed to reduce the lookup overhead.
|
|
*
|
|
* Author: Paul Moore <paul@paul-moore.com>
|
|
*
|
|
* This code is heavily based on the "netif" concept originally developed by
|
|
* James Morris <jmorris@redhat.com>
|
|
* (see security/selinux/netif.c for more information)
|
|
*/
|
|
|
|
/*
|
|
* (c) Copyright Hewlett-Packard Development Company, L.P., 2008
|
|
*/
|
|
|
|
#include <linux/types.h>
|
|
#include <linux/rcupdate.h>
|
|
#include <linux/list.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/in.h>
|
|
#include <linux/in6.h>
|
|
#include <linux/ip.h>
|
|
#include <linux/ipv6.h>
|
|
#include <net/ip.h>
|
|
#include <net/ipv6.h>
|
|
|
|
#include "netport.h"
|
|
#include "objsec.h"
|
|
|
|
#define SEL_NETPORT_HASH_SIZE 256
|
|
#define SEL_NETPORT_HASH_BKT_LIMIT 16
|
|
|
|
struct sel_netport_bkt {
|
|
int size;
|
|
struct list_head list;
|
|
};
|
|
|
|
struct sel_netport {
|
|
struct netport_security_struct psec;
|
|
|
|
struct list_head list;
|
|
struct rcu_head rcu;
|
|
};
|
|
|
|
/* NOTE: we are using a combined hash table for both IPv4 and IPv6, the reason
|
|
* for this is that I suspect most users will not make heavy use of both
|
|
* address families at the same time so one table will usually end up wasted,
|
|
* if this becomes a problem we can always add a hash table for each address
|
|
* family later */
|
|
|
|
static LIST_HEAD(sel_netport_list);
|
|
static DEFINE_SPINLOCK(sel_netport_lock);
|
|
static struct sel_netport_bkt sel_netport_hash[SEL_NETPORT_HASH_SIZE];
|
|
|
|
/**
|
|
* sel_netport_hashfn - Hashing function for the port table
|
|
* @pnum: port number
|
|
*
|
|
* Description:
|
|
* This is the hashing function for the port table, it returns the bucket
|
|
* number for the given port.
|
|
*
|
|
*/
|
|
static unsigned int sel_netport_hashfn(u16 pnum)
|
|
{
|
|
return (pnum & (SEL_NETPORT_HASH_SIZE - 1));
|
|
}
|
|
|
|
/**
|
|
* sel_netport_find - Search for a port record
|
|
* @protocol: protocol
|
|
* @port: pnum
|
|
*
|
|
* Description:
|
|
* Search the network port table and return the matching record. If an entry
|
|
* can not be found in the table return NULL.
|
|
*
|
|
*/
|
|
static struct sel_netport *sel_netport_find(u8 protocol, u16 pnum)
|
|
{
|
|
unsigned int idx;
|
|
struct sel_netport *port;
|
|
|
|
idx = sel_netport_hashfn(pnum);
|
|
list_for_each_entry_rcu(port, &sel_netport_hash[idx].list, list)
|
|
if (port->psec.port == pnum && port->psec.protocol == protocol)
|
|
return port;
|
|
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* sel_netport_insert - Insert a new port into the table
|
|
* @port: the new port record
|
|
*
|
|
* Description:
|
|
* Add a new port record to the network address hash table.
|
|
*
|
|
*/
|
|
static void sel_netport_insert(struct sel_netport *port)
|
|
{
|
|
unsigned int idx;
|
|
|
|
/* we need to impose a limit on the growth of the hash table so check
|
|
* this bucket to make sure it is within the specified bounds */
|
|
idx = sel_netport_hashfn(port->psec.port);
|
|
list_add_rcu(&port->list, &sel_netport_hash[idx].list);
|
|
if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) {
|
|
struct sel_netport *tail;
|
|
tail = list_entry(
|
|
rcu_dereference_protected(
|
|
sel_netport_hash[idx].list.prev,
|
|
lockdep_is_held(&sel_netport_lock)),
|
|
struct sel_netport, list);
|
|
list_del_rcu(&tail->list);
|
|
kfree_rcu(tail, rcu);
|
|
} else
|
|
sel_netport_hash[idx].size++;
|
|
}
|
|
|
|
/**
|
|
* sel_netport_sid_slow - Lookup the SID of a network address using the policy
|
|
* @protocol: protocol
|
|
* @pnum: port
|
|
* @sid: port SID
|
|
*
|
|
* Description:
|
|
* This function determines the SID of a network port by quering the security
|
|
* policy. The result is added to the network port table to speedup future
|
|
* queries. Returns zero on success, negative values on failure.
|
|
*
|
|
*/
|
|
static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
|
|
{
|
|
int ret;
|
|
struct sel_netport *port;
|
|
struct sel_netport *new;
|
|
|
|
spin_lock_bh(&sel_netport_lock);
|
|
port = sel_netport_find(protocol, pnum);
|
|
if (port != NULL) {
|
|
*sid = port->psec.sid;
|
|
spin_unlock_bh(&sel_netport_lock);
|
|
return 0;
|
|
}
|
|
|
|
ret = security_port_sid(&selinux_state, protocol, pnum, sid);
|
|
if (ret != 0)
|
|
goto out;
|
|
new = kzalloc(sizeof(*new), GFP_ATOMIC);
|
|
if (new) {
|
|
new->psec.port = pnum;
|
|
new->psec.protocol = protocol;
|
|
new->psec.sid = *sid;
|
|
sel_netport_insert(new);
|
|
}
|
|
|
|
out:
|
|
spin_unlock_bh(&sel_netport_lock);
|
|
if (unlikely(ret))
|
|
pr_warn("SELinux: failure in %s(), unable to determine network port label\n",
|
|
__func__);
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* sel_netport_sid - Lookup the SID of a network port
|
|
* @protocol: protocol
|
|
* @pnum: port
|
|
* @sid: port SID
|
|
*
|
|
* Description:
|
|
* This function determines the SID of a network port using the fastest method
|
|
* possible. First the port table is queried, but if an entry can't be found
|
|
* then the policy is queried and the result is added to the table to speedup
|
|
* future queries. Returns zero on success, negative values on failure.
|
|
*
|
|
*/
|
|
int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid)
|
|
{
|
|
struct sel_netport *port;
|
|
|
|
rcu_read_lock();
|
|
port = sel_netport_find(protocol, pnum);
|
|
if (port != NULL) {
|
|
*sid = port->psec.sid;
|
|
rcu_read_unlock();
|
|
return 0;
|
|
}
|
|
rcu_read_unlock();
|
|
|
|
return sel_netport_sid_slow(protocol, pnum, sid);
|
|
}
|
|
|
|
/**
|
|
* sel_netport_flush - Flush the entire network port table
|
|
*
|
|
* Description:
|
|
* Remove all entries from the network address table.
|
|
*
|
|
*/
|
|
void sel_netport_flush(void)
|
|
{
|
|
unsigned int idx;
|
|
struct sel_netport *port, *port_tmp;
|
|
|
|
spin_lock_bh(&sel_netport_lock);
|
|
for (idx = 0; idx < SEL_NETPORT_HASH_SIZE; idx++) {
|
|
list_for_each_entry_safe(port, port_tmp,
|
|
&sel_netport_hash[idx].list, list) {
|
|
list_del_rcu(&port->list);
|
|
kfree_rcu(port, rcu);
|
|
}
|
|
sel_netport_hash[idx].size = 0;
|
|
}
|
|
spin_unlock_bh(&sel_netport_lock);
|
|
}
|
|
|
|
static __init int sel_netport_init(void)
|
|
{
|
|
int iter;
|
|
|
|
if (!selinux_enabled)
|
|
return 0;
|
|
|
|
for (iter = 0; iter < SEL_NETPORT_HASH_SIZE; iter++) {
|
|
INIT_LIST_HEAD(&sel_netport_hash[iter].list);
|
|
sel_netport_hash[iter].size = 0;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
__initcall(sel_netport_init);
|