Commit 7b540812 authored by Linus Torvalds
Pull selinux updates from Paul Moore:
 "A decent number of SELinux patches for v5.10, twenty two in total. The
  highlights are listed below, but all of the patches pass our test
  suite and merge cleanly.

   - A number of changes to how the SELinux policy is loaded and managed
     inside the kernel with the goal of improving the atomicity of a
     SELinux policy load operation.

     These changes account for the bulk of the diffstat as well as the
     patch count. A special thanks to everyone who contributed patches
     and fixes for this work.

   - Convert the SELinux policy read-write lock to RCU.

   - A tracepoint was added for audited SELinux access control events;
     this should help provide a more unified backtrace across kernel and
     userspace.

   - Allow the removal of security.selinux xattrs when a SELinux policy
     is not loaded.

   - Enable policy capabilities in SELinux policies created with the
     scripts/selinux/mdp tool.

   - Provide some "no sooner than" dates for the SELinux checkreqprot
     sysfs deprecation"

* tag 'selinux-pr-20201012' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (22 commits)
  selinux: provide a "no sooner than" date for the checkreqprot removal
  selinux: Add helper functions to get and set checkreqprot
  selinux: access policycaps with READ_ONCE/WRITE_ONCE
  selinux: simplify away security_policydb_len()
  selinux: move policy mutex to selinux_state, use in lockdep checks
  selinux: fix error handling bugs in security_load_policy()
  selinux: convert policy read-write lock to RCU
  selinux: delete repeated words in comments
  selinux: add basic filtering for audit trace events
  selinux: add tracepoint on audited events
  selinux: Create new booleans and class dirs out of tree
  selinux: Standardize string literal usage for selinuxfs directory names
  selinux: Refactor selinuxfs directory populating functions
  selinux: Create function for selinuxfs directory cleanup
  selinux: permit removing security.selinux xattr before policy load
  selinux: fix memdup.cocci warnings
  selinux: avoid dereferencing the policy prior to initialization
  selinux: fix allocation failure check on newpolicy->sidtab
  selinux: refactor changing booleans
  selinux: move policy commit after updating selinuxfs
  ...
parents 01fb1e2f 0d50f059
+1 −1
@@ -15,7 +15,7 @@ Description:
	actual protection), and Android and Linux distributions have been
	explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
	initialization for some time.  Support for setting checkreqprot to 1
	will be	removed in a future kernel release, at which point the kernel
	will be	removed no sooner than June 2021, at which point the kernel
	will always cease using checkreqprot internally and will always
	check the actual protections being applied upon mmap/mprotect calls.
	The checkreqprot selinuxfs node will remain for backward compatibility
+1 −0
@@ -15621,6 +15621,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
F:	Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
F:	Documentation/ABI/obsolete/sysfs-selinux-disable
F:	Documentation/admin-guide/LSM/SELinux.rst
F:	include/trace/events/avc.h
F:	include/uapi/linux/selinux_netlink.h
F:	scripts/selinux/
F:	security/selinux/
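--- /dev/null
+++ b/include/trace/events/avc.h
@@ -0,0 +1,53 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Authors:	Thiébaud Weksteen <tweek@google.com>
+ *		Peter Enderborg <Peter.Enderborg@sony.com>
+ */
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM avc
+
+#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_SELINUX_H
+
+#include <linux/tracepoint.h>
+
+TRACE_EVENT(selinux_audited,
+
+	TP_PROTO(struct selinux_audit_data *sad,
+		char *scontext,
+		char *tcontext,
+		const char *tclass
+	),
+
+	TP_ARGS(sad, scontext, tcontext, tclass),
+
+	TP_STRUCT__entry(
+		__field(u32, requested)
+		__field(u32, denied)
+		__field(u32, audited)
+		__field(int, result)
+		__string(scontext, scontext)
+		__string(tcontext, tcontext)
+		__string(tclass, tclass)
+	),
+
+	TP_fast_assign(
+		__entry->requested	= sad->requested;
+		__entry->denied		= sad->denied;
+		__entry->audited	= sad->audited;
+		__entry->result		= sad->result;
+		__assign_str(tcontext, tcontext);
+		__assign_str(scontext, scontext);
+		__assign_str(tclass, tclass);
+	),
+
+	TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s",
+		__entry->requested, __entry->denied, __entry->audited, __entry->result,
+		__get_str(scontext), __get_str(tcontext), __get_str(tclass)
+	)
+);
+
+#endif
+
+/* This part must be outside protection */
+#include <trace/define_trace.h>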
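Review bot: The include guard is `_TRACE_SELINUX_H` while `TRACE_SYSTEM` is `avc` and the file is `include/trace/events/avc.h`; trace headers conventionally name the guard after the file, so `_TRACE_AVC_H` on both the `#if !defined(...)` and `#define` lines would follow the convention and avoid a collision should a selinux.h trace header ever be added. The `scontext` and `tcontext` parameters are only read by `__assign_str()` in `TP_fast_assign`, so `TP_PROTO` can take them as `const char *`, matching how `tclass` is already declared. A short comment above `TRACE_EVENT(selinux_audited,` would help tracepoint consumers, e.g. `/* Fired from avc_audit_post_callback() for every audited AVC decision; the context strings are the same ones written to the audit record. */` — the caller is visible in the avc.c section of this commit.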
+7 −0
@@ -35,6 +35,9 @@ struct security_class_mapping {

#include "classmap.h"
#include "initial_sid_to_string.h"
#include "policycap_names.h"

#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))

int main(int argc, char *argv[])
{
@@ -115,6 +118,10 @@ int main(int argc, char *argv[])
		}
	}

	/* enable all policy capabilities */
	for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
		fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]);

	/* types, roles, and allows */
	fprintf(fout, "type base_t;\n");
	fprintf(fout, "role base_r;\n");
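Review bot: The added policycap loop compares `i` against `ARRAY_SIZE(selinux_policycap_names)`, which evaluates to `size_t`; `i` is declared above the hunk, and if it is an `int` (as the other loops in this host tool suggest) this is a signed/unsigned comparison that -Wsign-compare flags when mdp is built with the host compiler. Using a dedicated counter for this loop avoids it: `for (size_t cap = 0; cap < ARRAY_SIZE(selinux_policycap_names); cap++)`. The newly added `ARRAY_SIZE` define also deserves a one-line note that it is a local copy because this is a userspace program that cannot include the kernel's header, e.g. `/* host tool: local equivalent of the kernel's ARRAY_SIZE() */`. main() starts in the first hunk and its body continues past the end of the second.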
+18 −11
@@ -31,6 +31,9 @@
#include "avc_ss.h"
#include "classmap.h"

#define CREATE_TRACE_POINTS
#include <trace/events/avc.h>

#define AVC_CACHE_SLOTS			512
#define AVC_DEF_CACHE_THRESHOLD		512
#define AVC_CACHE_RECLAIM		16
@@ -702,33 +705,37 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
{
	struct common_audit_data *ad = a;
	struct selinux_audit_data *sad = ad->selinux_audit_data;
	char *scontext;
	char *scontext = NULL;
	char *tcontext = NULL;
	const char *tclass = NULL;
	u32 scontext_len;
	u32 tcontext_len;
	int rc;

	rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
				     &scontext_len);
	if (rc)
		audit_log_format(ab, " ssid=%d", sad->ssid);
	else {
	else
		audit_log_format(ab, " scontext=%s", scontext);
		kfree(scontext);
	}

	rc = security_sid_to_context(sad->state, sad->tsid, &scontext,
				     &scontext_len);
	rc = security_sid_to_context(sad->state, sad->tsid, &tcontext,
				     &tcontext_len);
	if (rc)
		audit_log_format(ab, " tsid=%d", sad->tsid);
	else {
		audit_log_format(ab, " tcontext=%s", scontext);
		kfree(scontext);
	}
	else
		audit_log_format(ab, " tcontext=%s", tcontext);

	audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name);
	tclass = secclass_map[sad->tclass-1].name;
	audit_log_format(ab, " tclass=%s", tclass);

	if (sad->denied)
		audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);

	trace_selinux_audited(sad, scontext, tcontext, tclass);
	kfree(tcontext);
	kfree(scontext);

	/* in case of invalid context report also the actual context string */
	rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
					   &scontext_len);
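Review bot: `trace_selinux_audited()` is reached with `scontext` and/or `tcontext` still NULL whenever `security_sid_to_context()` fails: the audit path handles that by logging the raw `ssid`/`tsid` instead, but the tracepoint arguments are passed through unchanged, and the event's `__string()`/`__assign_str()` take `strlen()`/`strcpy()` of the argument, so a context lookup failure with the tracepoint enabled looks like a NULL dereference unless this tree's `__assign_str` already tolerates NULL — please confirm. A minimal call-site guard is `trace_selinux_audited(sad, scontext ?: "", tcontext ?: "", tclass);`; alternatively the event could carry the numeric sids as fallback fields the way the audit record does. The `secclass_map[sad->tclass-1]` lookup is pre-existing, but its result now also feeds the tracepoint, so a comment noting the assumption that `tclass` is never zero here would help the next reader. avc_audit_post_callback()'s body continues past the end of the hunk.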