Add SELinux policy capability for always checking packet and peer classes. (2be4d74f) · Commits · 戴 / test

security/selinux/hooks.c

+21 −5

Original line number	Diff line number	Diff line
		@@ -136,12 +136,28 @@ static struct kmem_cache *sel_inode_cache;
		* This function checks the SECMARK reference counter to see if any SECMARK
		* targets are currently configured, if the reference counter is greater than
		* zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
		* enabled, false (0) if SECMARK is disabled.
		* enabled, false (0) if SECMARK is disabled. If the always_check_network
		* policy capability is enabled, SECMARK is always considered enabled.
		*
		*/
		static int selinux_secmark_enabled(void)
		{
		return (atomic_read(&selinux_secmark_refcount) > 0);
		return (selinux_policycap_alwaysnetwork \|\| atomic_read(&selinux_secmark_refcount));
		}

		/**
		* selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
		*
		* Description:
		* This function checks if NetLabel or labeled IPSEC is enabled. Returns true
		* (1) if any are enabled or false (0) if neither are enabled. If the
		* always_check_network policy capability is enabled, peer labeling
		* is always considered enabled.
		*
		*/
		static int selinux_peerlbl_enabled(void)
		{
		return (selinux_policycap_alwaysnetwork \|\| netlbl_enabled() \|\| selinux_xfrm_enabled());
		}

		/*
		@@ -4197,7 +4213,7 @@ static int selinux_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
		return selinux_sock_rcv_skb_compat(sk, skb, family);

		secmark_active = selinux_secmark_enabled();
		peerlbl_active = netlbl_enabled() \|\| selinux_xfrm_enabled();
		peerlbl_active = selinux_peerlbl_enabled();
		if (!secmark_active && !peerlbl_active)
		return 0;

		@@ -4579,7 +4595,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,

		secmark_active = selinux_secmark_enabled();
		netlbl_active = netlbl_enabled();
		peerlbl_active = netlbl_active \|\| selinux_xfrm_enabled();
		peerlbl_active = selinux_peerlbl_enabled();
		if (!secmark_active && !peerlbl_active)
		return NF_ACCEPT;

		@@ -4731,7 +4747,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
		return NF_ACCEPT;
		#endif
		secmark_active = selinux_secmark_enabled();
		peerlbl_active = netlbl_enabled() \|\| selinux_xfrm_enabled();
		peerlbl_active = selinux_peerlbl_enabled();
		if (!secmark_active && !peerlbl_active)
		return NF_ACCEPT;

security/selinux/include/security.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -69,12 +69,15 @@ extern int selinux_enabled;
		enum {
		POLICYDB_CAPABILITY_NETPEER,
		POLICYDB_CAPABILITY_OPENPERM,
		POLICYDB_CAPABILITY_REDHAT1,
		POLICYDB_CAPABILITY_ALWAYSNETWORK,
		__POLICYDB_CAPABILITY_MAX
		};
		#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)

		extern int selinux_policycap_netpeer;
		extern int selinux_policycap_openperm;
		extern int selinux_policycap_alwaysnetwork;

		/*
		* type_datum properties

security/selinux/selinuxfs.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -44,7 +44,9 @@
		/* Policy capability filenames */
		static char *policycap_names[] = {
		"network_peer_controls",
		"open_perms"
		"open_perms",
		"redhat1",
		"always_check_network"
		};

		unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;

security/selinux/ss/services.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -72,6 +72,7 @@

		int selinux_policycap_netpeer;
		int selinux_policycap_openperm;
		int selinux_policycap_alwaysnetwork;

		static DEFINE_RWLOCK(policy_rwlock);

		@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
		POLICYDB_CAPABILITY_NETPEER);
		selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
		POLICYDB_CAPABILITY_OPENPERM);
		selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
		POLICYDB_CAPABILITY_ALWAYSNETWORK);
		}

		static int security_preserve_bools(struct policydb *p);

Admin message