Commit b0c636b9 authored by Eric Paris's avatar Eric Paris Committed by James Morris
Browse files

SELinux: create new open permission 



Adds a new open permission inside SELinux when 'opening' a file.  The idea
is that opening a file and reading/writing to that file are not the same
thing.  Its different if a program had its stdout redirected to /tmp/output
than if the program tried to directly open /tmp/output. This should allow
policy writers to more liberally give read/write permissions across the
policy while still blocking many design and programing flaws SELinux is so
good at catching today.

Signed-off-by: default avatarEric Paris <eparis@redhat.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: default avatarPaul Moore <paul.moore@hp.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent d4ee4231

security/selinux/hooks.c

+30 −1
Original line number Diff line number Diff line
@@ -1615,6 +1615,35 @@ static inline u32 file_mask_to_av(int mode, int mask) 
	return av;

}



/*

 * Convert a file mask to an access vector and include the correct open

 * open permission.

 */

static inline u32 open_file_mask_to_av(int mode, int mask)

{

	u32 av = file_mask_to_av(mode, mask);



	if (selinux_policycap_openperm) {

		/*

		 * lnk files and socks do not really have an 'open'

		 */

		if (S_ISREG(mode))

			av |= FILE__OPEN;

		else if (S_ISCHR(mode))

			av |= CHR_FILE__OPEN;

		else if (S_ISBLK(mode))

			av |= BLK_FILE__OPEN;

		else if (S_ISFIFO(mode))

			av |= FIFO_FILE__OPEN;

		else if (S_ISDIR(mode))

			av |= DIR__OPEN;

		else

			printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "

				"with unknown mode:%x\n", mode);

	}

	return av;

}



/* Convert a Linux file to an access vector. */

static inline u32 file_to_av(struct file *file)

{
@@ -2532,7 +2561,7 @@ static int selinux_inode_permission(struct inode *inode, int mask, 
	}



	return inode_has_perm(current, inode,

			       file_mask_to_av(inode->i_mode, mask), NULL);

			       open_file_mask_to_av(inode->i_mode, mask), NULL);

}



static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)

security/selinux/include/av_perm_to_string.h

+5 −0
Original line number Diff line number Diff line
@@ -14,12 +14,17 @@ 
   S_(SECCLASS_DIR, DIR__REPARENT, "reparent")

   S_(SECCLASS_DIR, DIR__SEARCH, "search")

   S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")

   S_(SECCLASS_DIR, DIR__OPEN, "open")

   S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")

   S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")

   S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")

   S_(SECCLASS_FILE, FILE__OPEN, "open")

   S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")

   S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")

   S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")

   S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")

   S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")

   S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")

   S_(SECCLASS_FD, FD__USE, "use")

   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")

   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")

security/selinux/include/av_permissions.h

+5 −0
Original line number Diff line number Diff line
@@ -79,6 +79,7 @@ 
#define DIR__REPARENT                             0x00080000UL

#define DIR__SEARCH                               0x00100000UL

#define DIR__RMDIR                                0x00200000UL

#define DIR__OPEN                                 0x00400000UL

#define FILE__IOCTL                               0x00000001UL

#define FILE__READ                                0x00000002UL

#define FILE__WRITE                               0x00000004UL
@@ -99,6 +100,7 @@ 
#define FILE__EXECUTE_NO_TRANS                    0x00020000UL

#define FILE__ENTRYPOINT                          0x00040000UL

#define FILE__EXECMOD                             0x00080000UL

#define FILE__OPEN                                0x00100000UL

#define LNK_FILE__IOCTL                           0x00000001UL

#define LNK_FILE__READ                            0x00000002UL

#define LNK_FILE__WRITE                           0x00000004UL
@@ -136,6 +138,7 @@ 
#define CHR_FILE__EXECUTE_NO_TRANS                0x00020000UL

#define CHR_FILE__ENTRYPOINT                      0x00040000UL

#define CHR_FILE__EXECMOD                         0x00080000UL

#define CHR_FILE__OPEN                            0x00100000UL

#define BLK_FILE__IOCTL                           0x00000001UL

#define BLK_FILE__READ                            0x00000002UL

#define BLK_FILE__WRITE                           0x00000004UL
@@ -153,6 +156,7 @@ 
#define BLK_FILE__SWAPON                          0x00004000UL

#define BLK_FILE__QUOTAON                         0x00008000UL

#define BLK_FILE__MOUNTON                         0x00010000UL

#define BLK_FILE__OPEN                            0x00020000UL

#define SOCK_FILE__IOCTL                          0x00000001UL

#define SOCK_FILE__READ                           0x00000002UL

#define SOCK_FILE__WRITE                          0x00000004UL
@@ -187,6 +191,7 @@ 
#define FIFO_FILE__SWAPON                         0x00004000UL

#define FIFO_FILE__QUOTAON                        0x00008000UL

#define FIFO_FILE__MOUNTON                        0x00010000UL

#define FIFO_FILE__OPEN                           0x00020000UL

#define FD__USE                                   0x00000001UL

#define SOCKET__IOCTL                             0x00000001UL

#define SOCKET__READ                              0x00000002UL

security/selinux/include/security.h

+2 −0
Original line number Diff line number Diff line
@@ -48,11 +48,13 @@ extern int selinux_mls_enabled; 
/* Policy capabilities */

enum {

	POLICYDB_CAPABILITY_NETPEER,

	POLICYDB_CAPABILITY_OPENPERM,

	__POLICYDB_CAPABILITY_MAX

};

#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)



extern int selinux_policycap_netpeer;

extern int selinux_policycap_openperm;



int security_load_policy(void * data, size_t len);

security/selinux/selinuxfs.c

+2 −1
Original line number Diff line number Diff line
@@ -42,7 +42,8 @@ 


/* Policy capability filenames */

static char *policycap_names[] = {

	"network_peer_controls"

	"network_peer_controls",

	"open_perms"

};



unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;

CRA Git | Maintained and supported by SUSTech CRA and CCSE