2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Security server interface.
|
|
|
|
*
|
|
|
|
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _SELINUX_SECURITY_H_
|
|
|
|
#define _SELINUX_SECURITY_H_
|
|
|
|
|
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-02-02 00:05:40 +08:00
|
|
|
#include <linux/dcache.h>
|
2009-05-18 22:26:10 +08:00
|
|
|
#include <linux/magic.h>
|
2010-10-14 04:24:41 +08:00
|
|
|
#include <linux/types.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include "flask.h"
|
|
|
|
|
|
|
|
#define SECSID_NULL 0x00000000 /* unspecified SID */
|
|
|
|
#define SECSID_WILD 0xffffffff /* wildcard SID */
|
|
|
|
#define SECCLASS_NULL 0x0000 /* no class */
|
|
|
|
|
|
|
|
/* Identify specific policy version changes */
|
|
|
|
#define POLICYDB_VERSION_BASE 15
|
|
|
|
#define POLICYDB_VERSION_BOOL 16
|
|
|
|
#define POLICYDB_VERSION_IPV6 17
|
|
|
|
#define POLICYDB_VERSION_NLCLASS 18
|
|
|
|
#define POLICYDB_VERSION_VALIDATETRANS 19
|
|
|
|
#define POLICYDB_VERSION_MLS 19
|
2005-09-04 06:55:16 +08:00
|
|
|
#define POLICYDB_VERSION_AVTAB 20
|
2006-09-26 14:31:59 +08:00
|
|
|
#define POLICYDB_VERSION_RANGETRANS 21
|
2008-01-29 21:38:19 +08:00
|
|
|
#define POLICYDB_VERSION_POLCAP 22
|
2008-03-31 09:17:33 +08:00
|
|
|
#define POLICYDB_VERSION_PERMISSIVE 23
|
2008-08-28 15:35:57 +08:00
|
|
|
#define POLICYDB_VERSION_BOUNDARY 24
|
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-02-02 00:05:40 +08:00
|
|
|
#define POLICYDB_VERSION_FILENAME_TRANS 25
|
2011-03-25 13:51:56 +08:00
|
|
|
#define POLICYDB_VERSION_ROLETRANS 26
|
2012-03-21 02:35:12 +08:00
|
|
|
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
|
2012-03-21 02:35:12 +08:00
|
|
|
#define POLICYDB_VERSION_DEFAULT_TYPE 28
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* Range of policy versions we understand*/
|
|
|
|
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
|
2006-09-26 14:31:58 +08:00
|
|
|
#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
|
|
|
|
#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
|
|
|
|
#else
|
2012-03-21 02:35:12 +08:00
|
|
|
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_DEFAULT_TYPE
|
2006-09-26 14:31:58 +08:00
|
|
|
#endif
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-01-16 22:22:02 +08:00
|
|
|
/* Mask for just the mount related flags */
|
|
|
|
#define SE_MNTMASK 0x0f
|
|
|
|
/* Super block security struct flags for mount options */
|
2008-03-05 23:31:54 +08:00
|
|
|
#define CONTEXT_MNT 0x01
|
|
|
|
#define FSCONTEXT_MNT 0x02
|
|
|
|
#define ROOTCONTEXT_MNT 0x04
|
|
|
|
#define DEFCONTEXT_MNT 0x08
|
2009-01-16 22:22:02 +08:00
|
|
|
/* Non-mount related flags */
|
|
|
|
#define SE_SBINITIALIZED 0x10
|
|
|
|
#define SE_SBPROC 0x20
|
2009-01-16 22:22:03 +08:00
|
|
|
#define SE_SBLABELSUPP 0x40
|
2008-03-05 23:31:54 +08:00
|
|
|
|
2008-04-02 01:24:09 +08:00
|
|
|
#define CONTEXT_STR "context="
|
|
|
|
#define FSCONTEXT_STR "fscontext="
|
|
|
|
#define ROOTCONTEXT_STR "rootcontext="
|
|
|
|
#define DEFCONTEXT_STR "defcontext="
|
2009-01-16 22:22:03 +08:00
|
|
|
#define LABELSUPP_STR "seclabel"
|
2008-04-02 01:24:09 +08:00
|
|
|
|
2007-03-01 04:14:22 +08:00
|
|
|
struct netlbl_lsm_secattr;
|
2006-11-18 12:01:03 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
extern int selinux_enabled;
|
|
|
|
|
2008-01-29 21:38:19 +08:00
|
|
|
/* Policy capabilities */
|
|
|
|
enum {
|
|
|
|
POLICYDB_CAPABILITY_NETPEER,
|
2008-02-29 01:58:40 +08:00
|
|
|
POLICYDB_CAPABILITY_OPENPERM,
|
2008-01-29 21:38:19 +08:00
|
|
|
__POLICYDB_CAPABILITY_MAX
|
|
|
|
};
|
|
|
|
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
|
|
|
|
|
|
|
|
extern int selinux_policycap_netpeer;
|
2008-02-29 01:58:40 +08:00
|
|
|
extern int selinux_policycap_openperm;
|
2008-01-29 21:38:19 +08:00
|
|
|
|
2008-08-28 15:35:57 +08:00
|
|
|
/*
|
|
|
|
* type_datum properties
|
|
|
|
* available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY
|
|
|
|
*/
|
|
|
|
#define TYPEDATUM_PROPERTY_PRIMARY 0x0001
|
|
|
|
#define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002
|
|
|
|
|
|
|
|
/* limitation of boundary depth */
|
|
|
|
#define POLICYDB_BOUNDS_MAXDEPTH 4
|
|
|
|
|
2010-02-03 23:40:20 +08:00
|
|
|
int security_mls_enabled(void);
|
|
|
|
|
2008-04-23 05:46:11 +08:00
|
|
|
int security_load_policy(void *data, size_t len);
|
2011-04-20 22:21:28 +08:00
|
|
|
int security_read_policy(void **data, size_t *len);
|
2010-10-14 05:50:25 +08:00
|
|
|
size_t security_policydb_len(void);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-01-29 21:38:19 +08:00
|
|
|
int security_policycap_supported(unsigned int req_cap);
|
|
|
|
|
2007-05-23 21:12:09 +08:00
|
|
|
#define SEL_VEC_MAX 32
|
2005-04-17 06:20:36 +08:00
|
|
|
struct av_decision {
|
|
|
|
u32 allowed;
|
|
|
|
u32 auditallow;
|
|
|
|
u32 auditdeny;
|
|
|
|
u32 seqno;
|
Permissive domain in userspace object manager
This patch enables applications to handle permissive domain correctly.
Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.
This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.
This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/avc.c | 2 +-
security/selinux/include/security.h | 4 +++-
security/selinux/selinuxfs.c | 4 ++--
security/selinux/ss/services.c | 30 +++++-------------------------
4 files changed, 11 insertions(+), 29 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2009-04-01 09:07:57 +08:00
|
|
|
u32 flags;
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
Permissive domain in userspace object manager
This patch enables applications to handle permissive domain correctly.
Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.
This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.
This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/avc.c | 2 +-
security/selinux/include/security.h | 4 +++-
security/selinux/selinuxfs.c | 4 ++--
security/selinux/ss/services.c | 30 +++++-------------------------
4 files changed, 11 insertions(+), 29 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2009-04-01 09:07:57 +08:00
|
|
|
/* definitions of av_decision.flags */
|
|
|
|
#define AVD_FLAGS_PERMISSIVE 0x0001
|
2008-03-31 09:17:33 +08:00
|
|
|
|
2010-01-15 06:28:10 +08:00
|
|
|
void security_compute_av(u32 ssid, u32 tsid,
|
|
|
|
u16 tclass, struct av_decision *avd);
|
selinux: dynamic class/perm discovery
Modify SELinux to dynamically discover class and permission values
upon policy load, based on the dynamic object class/perm discovery
logic from libselinux. A mapping is created between kernel-private
class and permission indices used outside the security server and the
policy values used within the security server.
The mappings are only applied upon kernel-internal computations;
similar mappings for the private indices of userspace object managers
is handled on a per-object manager basis by the userspace AVC. The
interfaces for compute_av and transition_sid are split for kernel
vs. userspace; the userspace functions are distinguished by a _user
suffix.
The kernel-private class indices are no longer tied to the policy
values and thus do not need to skip indices for userspace classes;
thus the kernel class index values are compressed. The flask.h
definitions were regenerated by deleting the userspace classes from
refpolicy's definitions and then regenerating the headers. Going
forward, we can just maintain the flask.h, av_permissions.h, and
classmap.h definitions separately from policy as they are no longer
tied to the policy values. The next patch introduces a utility to
automate generation of flask.h and av_permissions.h from the
classmap.h definitions.
The older kernel class and permission string tables are removed and
replaced by a single security class mapping table that is walked at
policy load to generate the mapping. The old kernel class validation
logic is completely replaced by the mapping logic.
The handle unknown logic is reworked. reject_unknown=1 is handled
when the mappings are computed at policy load time, similar to the old
handling by the class validation logic. allow_unknown=1 is handled
when computing and mapping decisions - if the permission was not able
to be mapped (i.e. undefined, mapped to zero), then it is
automatically added to the allowed vector. If the class was not able
to be mapped (i.e. undefined, mapped to zero), then all permissions
are allowed for it if allow_unknown=1.
avc_audit leverages the new security class mapping table to lookup the
class and permission names from the kernel-private indices.
The mdp program is updated to use the new table when generating the
class definitions and allow rules for a minimal boot policy for the
kernel. It should be noted that this policy will not include any
userspace classes, nor will its policy index values for the kernel
classes correspond with the ones in refpolicy (they will instead match
the kernel-private indices).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2009-10-01 01:37:50 +08:00
|
|
|
|
2010-01-15 06:28:10 +08:00
|
|
|
void security_compute_av_user(u32 ssid, u32 tsid,
|
|
|
|
u16 tclass, struct av_decision *avd);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-02-02 00:05:40 +08:00
|
|
|
int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
|
|
|
|
const struct qstr *qstr, u32 *out_sid);
|
selinux: dynamic class/perm discovery
Modify SELinux to dynamically discover class and permission values
upon policy load, based on the dynamic object class/perm discovery
logic from libselinux. A mapping is created between kernel-private
class and permission indices used outside the security server and the
policy values used within the security server.
The mappings are only applied upon kernel-internal computations;
similar mappings for the private indices of userspace object managers
is handled on a per-object manager basis by the userspace AVC. The
interfaces for compute_av and transition_sid are split for kernel
vs. userspace; the userspace functions are distinguished by a _user
suffix.
The kernel-private class indices are no longer tied to the policy
values and thus do not need to skip indices for userspace classes;
thus the kernel class index values are compressed. The flask.h
definitions were regenerated by deleting the userspace classes from
refpolicy's definitions and then regenerating the headers. Going
forward, we can just maintain the flask.h, av_permissions.h, and
classmap.h definitions separately from policy as they are no longer
tied to the policy values. The next patch introduces a utility to
automate generation of flask.h and av_permissions.h from the
classmap.h definitions.
The older kernel class and permission string tables are removed and
replaced by a single security class mapping table that is walked at
policy load to generate the mapping. The old kernel class validation
logic is completely replaced by the mapping logic.
The handle unknown logic is reworked. reject_unknown=1 is handled
when the mappings are computed at policy load time, similar to the old
handling by the class validation logic. allow_unknown=1 is handled
when computing and mapping decisions - if the permission was not able
to be mapped (i.e. undefined, mapped to zero), then it is
automatically added to the allowed vector. If the class was not able
to be mapped (i.e. undefined, mapped to zero), then all permissions
are allowed for it if allow_unknown=1.
avc_audit leverages the new security class mapping table to lookup the
class and permission names from the kernel-private indices.
The mdp program is updated to use the new table when generating the
class definitions and allow rules for a minimal boot policy for the
kernel. It should be noted that this policy will not include any
userspace classes, nor will its policy index values for the kernel
classes correspond with the ones in refpolicy (they will instead match
the kernel-private indices).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2009-10-01 01:37:50 +08:00
|
|
|
|
2011-04-01 22:39:26 +08:00
|
|
|
int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
|
|
|
|
const char *objname, u32 *out_sid);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
int security_member_sid(u32 ssid, u32 tsid,
|
|
|
|
u16 tclass, u32 *out_sid);
|
|
|
|
|
|
|
|
int security_change_sid(u32 ssid, u32 tsid,
|
|
|
|
u16 tclass, u32 *out_sid);
|
|
|
|
|
|
|
|
int security_sid_to_context(u32 sid, char **scontext,
|
|
|
|
u32 *scontext_len);
|
|
|
|
|
2008-05-08 01:03:20 +08:00
|
|
|
int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len);
|
|
|
|
|
2008-04-29 15:59:41 +08:00
|
|
|
int security_context_to_sid(const char *scontext, u32 scontext_len,
|
2005-04-17 06:20:36 +08:00
|
|
|
u32 *out_sid);
|
|
|
|
|
2008-04-30 03:52:51 +08:00
|
|
|
int security_context_to_sid_default(const char *scontext, u32 scontext_len,
|
2008-04-04 20:46:05 +08:00
|
|
|
u32 *out_sid, u32 def_sid, gfp_t gfp_flags);
|
2005-07-28 16:07:37 +08:00
|
|
|
|
2008-05-08 01:03:20 +08:00
|
|
|
int security_context_to_sid_force(const char *scontext, u32 scontext_len,
|
|
|
|
u32 *sid);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
int security_get_user_sids(u32 callsid, char *username,
|
|
|
|
u32 **sids, u32 *nel);
|
|
|
|
|
2008-04-10 22:48:14 +08:00
|
|
|
int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-01-29 21:38:08 +08:00
|
|
|
int security_netif_sid(char *name, u32 *if_sid);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
int security_node_sid(u16 domain, void *addr, u32 addrlen,
|
|
|
|
u32 *out_sid);
|
|
|
|
|
|
|
|
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
|
2008-04-23 05:46:11 +08:00
|
|
|
u16 tclass);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-08-28 15:35:57 +08:00
|
|
|
int security_bounded_transition(u32 oldsid, u32 newsid);
|
|
|
|
|
2006-07-25 14:27:16 +08:00
|
|
|
int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
|
|
|
|
|
2008-01-29 21:38:23 +08:00
|
|
|
int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
|
|
|
|
u32 xfrm_sid,
|
|
|
|
u32 *peer_sid);
|
|
|
|
|
2007-05-23 21:12:06 +08:00
|
|
|
int security_get_classes(char ***classes, int *nclasses);
|
|
|
|
int security_get_permissions(char *class, char ***perms, int *nperms);
|
2007-09-22 02:37:10 +08:00
|
|
|
int security_get_reject_unknown(void);
|
|
|
|
int security_get_allow_unknown(void);
|
2007-05-23 21:12:06 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
#define SECURITY_FS_USE_XATTR 1 /* use xattr */
|
|
|
|
#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */
|
|
|
|
#define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */
|
|
|
|
#define SECURITY_FS_USE_GENFS 4 /* use the genfs support */
|
|
|
|
#define SECURITY_FS_USE_NONE 5 /* no labeling support */
|
|
|
|
#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */
|
|
|
|
|
|
|
|
int security_fs_use(const char *fstype, unsigned int *behavior,
|
2008-07-15 16:32:49 +08:00
|
|
|
u32 *sid);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
int security_genfs_sid(const char *fstype, char *name, u16 sclass,
|
|
|
|
u32 *sid);
|
|
|
|
|
2007-03-01 04:14:22 +08:00
|
|
|
#ifdef CONFIG_NETLABEL
|
|
|
|
int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
|
|
|
|
u32 *sid);
|
|
|
|
|
|
|
|
int security_netlbl_sid_to_secattr(u32 sid,
|
|
|
|
struct netlbl_lsm_secattr *secattr);
|
|
|
|
#else
|
|
|
|
static inline int security_netlbl_secattr_to_sid(
|
|
|
|
struct netlbl_lsm_secattr *secattr,
|
|
|
|
u32 *sid)
|
|
|
|
{
|
|
|
|
return -EIDRM;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int security_netlbl_sid_to_secattr(u32 sid,
|
|
|
|
struct netlbl_lsm_secattr *secattr)
|
|
|
|
{
|
|
|
|
return -ENOENT;
|
|
|
|
}
|
|
|
|
#endif /* CONFIG_NETLABEL */
|
|
|
|
|
2007-04-04 22:11:29 +08:00
|
|
|
const char *security_get_initial_sid_context(u32 sid);
|
|
|
|
|
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 17:28:39 +08:00
|
|
|
/*
|
|
|
|
* status notifier using mmap interface
|
|
|
|
*/
|
|
|
|
extern struct page *selinux_kernel_status_page(void);
|
|
|
|
|
|
|
|
#define SELINUX_KERNEL_STATUS_VERSION 1
|
2010-09-30 10:49:55 +08:00
|
|
|
struct selinux_kernel_status {
|
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 17:28:39 +08:00
|
|
|
u32 version; /* version number of thie structure */
|
|
|
|
u32 sequence; /* sequence number of seqlock logic */
|
|
|
|
u32 enforcing; /* current setting of enforcing mode */
|
|
|
|
u32 policyload; /* times of policy reloaded */
|
|
|
|
u32 deny_unknown; /* current setting of deny_unknown */
|
|
|
|
/*
|
|
|
|
* The version > 0 supports above members.
|
|
|
|
*/
|
|
|
|
} __attribute__((packed));
|
|
|
|
|
|
|
|
extern void selinux_status_update_setenforce(int enforcing);
|
|
|
|
extern void selinux_status_update_policyload(int seqno);
|
2011-08-17 09:13:31 +08:00
|
|
|
extern void selinux_complete_init(void);
|
2011-08-17 09:17:14 +08:00
|
|
|
extern int selinux_disable(void);
|
2011-08-30 08:50:12 +08:00
|
|
|
extern void exit_sel_fs(void);
|
2012-06-27 01:58:53 +08:00
|
|
|
extern struct path selinux_null;
|
2011-08-30 08:50:12 +08:00
|
|
|
extern struct vfsmount *selinuxfs_mount;
|
2011-08-30 10:09:15 +08:00
|
|
|
extern void selnl_notify_setenforce(int val);
|
|
|
|
extern void selnl_notify_policyload(u32 seqno);
|
|
|
|
extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
|
selinux: fast status update interface (/selinux/status)
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.
struct selinux_kernel_status
{
u32 length; /* length of this structure */
u32 sequence; /* sequence number of seqlock logic */
u32 enforcing; /* current setting of enforcing mode */
u32 policyload; /* times of policy reloaded */
u32 deny_unknown; /* current setting of deny_unknown */
};
When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.
If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.
A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eric Paris <eparis@redhat.com>
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-14 17:28:39 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
#endif /* _SELINUX_SECURITY_H_ */
|
|
|
|
|