From 5b0eea835d4e9cb5229e696c5763929fc2394f39 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 20 Jun 2023 15:12:22 +0200
Subject: selinux: introduce an initial SID for early boot processes
Currently, SELinux doesn't allow distinguishing between kernel threads
and userspace processes that are started before the policy is first
loaded - both get the label corresponding to the kernel SID. The only
way a process that persists from early boot can get a meaningful label
is by doing a voluntary dyntransition or re-executing itself.
Reusing the kernel label for userspace processes is problematic for
several reasons:
1. The kernel is considered to be a privileged domain and generally
needs to have a wide range of permissions allowed to work correctly,
which prevents the policy writer from effectively hardening against
early boot processes that might remain running unintentionally after
the policy is loaded (they represent a potential extra attack surface
that should be mitigated).
2. Despite the kernel being treated as a privileged domain, the policy
writer may want to impose certain special limitations on kernel
threads that may conflict with the requirements of intentional early
boot processes. For example, it is a good hardening practice to limit
what executables the kernel can execute as usermode helpers and to
confine the resulting usermode helper processes. However, a
(legitimate) process surviving from early boot may need to execute a
different set of executables.
3. As currently implemented, overlayfs remembers the security context of
the process that created an overlayfs mount and uses it to bound
subsequent operations on files using this context. If an overlayfs
mount is created before the SELinux policy is loaded, these "mounter"
checks are made against the kernel context, which may clash with
restrictions on the kernel domain (see 2.).
To resolve this, introduce a new initial SID (reusing the slot of the
former "init" initial SID) that will be assigned to any userspace
process started before the policy is first loaded. This is easy to do,
as we can simply label any process that goes through the
bprm_creds_for_exec LSM hook with the new init-SID instead of
propagating the kernel SID from the parent.
To provide backwards compatibility for existing policies that are
unaware of this new semantic of the "init" initial SID, introduce a new
policy capability "userspace_initial_context" and set the "init" SID to
the same context as the "kernel" SID unless this capability is set by
the policy.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/hooks.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
(limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d06e350fedee..b8a8a4f0f2ad 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2288,6 +2288,19 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
new_tsec->keycreate_sid = 0;
new_tsec->sockcreate_sid = 0;
+ /*
+ * Before policy is loaded, label any task outside kernel space
+ * as SECINITSID_INIT, so that any userspace tasks surviving from
+ * early boot end up with a label different from SECINITSID_KERNEL
+ * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
+ */
+ if (!selinux_initialized()) {
+ new_tsec->sid = SECINITSID_INIT;
+ /* also clear the exec_sid just in case */
+ new_tsec->exec_sid = 0;
+ return 0;
+ }
+
if (old_tsec->exec_sid) {
new_tsec->sid = old_tsec->exec_sid;
/* Reset exec SID on execve. */
@@ -4504,6 +4517,21 @@ static int sock_has_perm(struct sock *sk, u32 perms)
if (sksec->sid == SECINITSID_KERNEL)
return 0;
+ /*
+ * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
+ * inherited the kernel context from early boot used to be skipped
+ * here, so preserve that behavior unless the capability is set.
+ *
+ * By setting the capability the policy signals that it is ready
+ * for this quirk to be fixed. Note that sockets created by a kernel
+ * thread or a usermode helper executed without a transition will
+ * still be skipped in this check regardless of the policycap
+ * setting.
+ */
+ if (!selinux_policycap_userspace_initial_context() &&
+ sksec->sid == SECINITSID_INIT)
+ return 0;
+
ad.type = LSM_AUDIT_DATA_NET;
ad.u.net = &net;
ad.u.net->sk = sk;
--
cgit v1.2.3
From a13479bb3c9d559fceb075986d8e0154a7eabbb1 Mon Sep 17 00:00:00 2001
From: Christian Göttsche <cgzones@googlemail.com>
Date: Thu, 6 Jul 2023 15:23:27 +0200
Subject: selinux: avoid implicit conversions in the LSM hooks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use the identical types in assignments of local variables for the
destination.
Merge tail calls into return statements.
Avoid using leading underscores for function local variable.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: subject line tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/hooks.c | 26 ++++++++++----------------
1 file changed, 10 insertions(+), 16 deletions(-)
(limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b8a8a4f0f2ad..fff50604abce 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1125,7 +1125,7 @@ static inline int default_protocol_dgram(int protocol)
static inline u16 socket_type_to_security_class(int family, int type, int protocol)
{
- int extsockclass = selinux_policycap_extsockclass();
+ bool extsockclass = selinux_policycap_extsockclass();
switch (family) {
case PF_UNIX:
@@ -5027,15 +5027,13 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
- int err;
+ int err, peerlbl_active, secmark_active;
struct sk_security_struct *sksec = sk->sk_security;
u16 family = sk->sk_family;
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
char *addrp;
- u8 secmark_active;
- u8 peerlbl_active;
if (family != PF_INET && family != PF_INET6)
return 0;
@@ -5498,11 +5496,11 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
static int selinux_secmark_relabel_packet(u32 sid)
{
- const struct task_security_struct *__tsec;
+ const struct task_security_struct *tsec;
u32 tsid;
- __tsec = selinux_cred(current_cred());
- tsid = __tsec->sid;
+ tsec = selinux_cred(current_cred());
+ tsid = tsec->sid;
return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
NULL);
@@ -6000,8 +5998,7 @@ static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
{
- int err;
- int perms;
+ u32 perms;
switch (cmd) {
case IPC_INFO:
@@ -6024,8 +6021,7 @@ static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
return 0;
}
- err = ipc_has_perm(msq, perms);
- return err;
+ return ipc_has_perm(msq, perms);
}
static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
@@ -6130,8 +6126,7 @@ static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
/* Note, at this point, shp is locked down */
static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
{
- int perms;
- int err;
+ u32 perms;
switch (cmd) {
case IPC_INFO:
@@ -6158,8 +6153,7 @@ static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
return 0;
}
- err = ipc_has_perm(shp, perms);
- return err;
+ return ipc_has_perm(shp, perms);
}
static int selinux_shm_shmat(struct kern_ipc_perm *shp,
@@ -6928,7 +6922,7 @@ static int selinux_uring_override_creds(const struct cred *new)
*/
static int selinux_uring_sqpoll(void)
{
- int sid = current_sid();
+ u32 sid = current_sid();
return avc_has_perm(sid, sid,
SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
--
cgit v1.2.3
From 90aa4f5e92f2797c3c86e05f588ab277b0e0ba39 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <stephen.smalley.work@gmail.com>
Date: Tue, 18 Jul 2023 13:13:35 -0400
Subject: selinux: de-brand SELinux
Change "NSA SELinux" to just "SELinux" in Kconfig help text and
comments. While NSA was the original primary developer and continues to
help maintain SELinux, SELinux has long since transitioned to a wide
community of developers and maintainers. SELinux has been part of the
mainline Linux kernel for nearly 20 years now [1] and has received
contributions from many individuals and organizations.
[1] https://lore.kernel.org/lkml/Pine.LNX.4.44.0308082228470.1852-100000@home.osdl.org/
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/Kconfig | 16 ++++++++--------
security/selinux/hooks.c | 2 +-
security/selinux/include/objsec.h | 2 +-
security/selinux/xfrm.c | 2 +-
4 files changed, 11 insertions(+), 11 deletions(-)
(limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 95a186ec0fcb..c275115b5088 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -1,16 +1,16 @@
# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_SELINUX
- bool "NSA SELinux Support"
+ bool "SELinux Support"
depends on SECURITY_NETWORK && AUDIT && NET && INET
select NETWORK_SECMARK
default n
help
- This selects NSA Security-Enhanced Linux (SELinux).
+ This selects Security-Enhanced Linux (SELinux).
You will also need a policy configuration and a labeled filesystem.
If you are unsure how to answer this question, answer N.
config SECURITY_SELINUX_BOOTPARAM
- bool "NSA SELinux boot parameter"
+ bool "SELinux boot parameter"
depends on SECURITY_SELINUX
default n
help
@@ -24,11 +24,11 @@ config SECURITY_SELINUX_BOOTPARAM
If you are unsure how to answer this question, answer N.
config SECURITY_SELINUX_DEVELOP
- bool "NSA SELinux Development Support"
+ bool "SELinux Development Support"
depends on SECURITY_SELINUX
default y
help
- This enables the development support option of NSA SELinux,
+ This enables the development support option of SELinux,
which is useful for experimenting with SELinux and developing
policies. If unsure, say Y. With this option enabled, the
kernel will start in permissive mode (log everything, deny nothing)
@@ -38,7 +38,7 @@ config SECURITY_SELINUX_DEVELOP
/sys/fs/selinux/enforce.
config SECURITY_SELINUX_AVC_STATS
- bool "NSA SELinux AVC Statistics"
+ bool "SELinux AVC Statistics"
depends on SECURITY_SELINUX
default y
help
@@ -47,7 +47,7 @@ config SECURITY_SELINUX_AVC_STATS
tools such as avcstat.
config SECURITY_SELINUX_SIDTAB_HASH_BITS
- int "NSA SELinux sidtab hashtable size"
+ int "SELinux sidtab hashtable size"
depends on SECURITY_SELINUX
range 8 13
default 9
@@ -59,7 +59,7 @@ config SECURITY_SELINUX_SIDTAB_HASH_BITS
will ensure that lookups times are short and stable.
config SECURITY_SELINUX_SID2STR_CACHE_SIZE
- int "NSA SELinux SID to context string translation cache size"
+ int "SELinux SID to context string translation cache size"
depends on SECURITY_SELINUX
default 256
help
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fff50604abce..9aa60ce23209 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
- * NSA Security-Enhanced Linux (SELinux) security module
+ * Security-Enhanced Linux (SELinux) security module
*
* This file contains the SELinux hook function implementations.
*
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 2953132408bf..8f50e8fe0488 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -1,6 +1,6 @@
/* SPDX-License-Identifier: GPL-2.0-only */
/*
- * NSA Security-Enhanced Linux (SELinux) security module
+ * Security-Enhanced Linux (SELinux) security module
*
* This file contains the SELinux security data structures for kernel objects.
*
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 1fca42c4d0ae..95fcd2d3433e 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
- * NSA Security-Enhanced Linux (SELinux) security module
+ * Security-Enhanced Linux (SELinux) security module
*
* This file contains the SELinux XFRM hook function implementations.
*
--
cgit v1.2.3
From e5faa839c3eee199447573c4e227daeb76d402cf Mon Sep 17 00:00:00 2001
From: Christian Göttsche <cgzones@googlemail.com>
Date: Tue, 18 Jul 2023 21:00:24 +0200
Subject: selinux: add missing newlines in pr_err() statements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The kernel print statements do not append an implicit newline to format
strings.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/hooks.c | 2 +-
security/selinux/ss/policydb.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9aa60ce23209..dc51f28815b0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2930,7 +2930,7 @@ static int selinux_inode_init_security_anon(struct inode *inode,
struct inode_security_struct *context_isec =
selinux_inode(context_inode);
if (context_isec->initialized != LABEL_INITIALIZED) {
- pr_err("SELinux: context_inode is not initialized");
+ pr_err("SELinux: context_inode is not initialized\n");
return -EACCES;
}
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index cfe77ef24ee2..61e0e5000025 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -1687,7 +1687,7 @@ static int user_bounds_sanity_check(void *key, void *datum, void *datap)
if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
pr_err("SELinux: user %s: "
- "too deep or looped boundary",
+ "too deep or looped boundary\n",
(char *) key);
return -EINVAL;
}
@@ -1766,7 +1766,7 @@ static int type_bounds_sanity_check(void *key, void *datum, void *datap)
if (upper->attribute) {
pr_err("SELinux: type %s: "
- "bounded by attribute %s",
+ "bounded by attribute %s\n",
(char *) key,
sym_name(p, SYM_TYPES, upper->value - 1));
return -EINVAL;
@@ -3675,7 +3675,7 @@ int policydb_write(struct policydb *p, void *fp)
info = policydb_lookup_compat(p->policyvers);
if (!info) {
pr_err("SELinux: compatibility lookup failed for policy "
- "version %d", p->policyvers);
+ "version %d\n", p->policyvers);
return -EINVAL;
}
--
cgit v1.2.3
From 0fe53224bf5be183d263f262212c06ff00c69ca4 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <stephen.smalley.work@gmail.com>
Date: Wed, 19 Jul 2023 11:12:50 -0400
Subject: selinux: update my email address
Update my email address; MAINTAINERS was updated some time ago.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/avc.c | 2 +-
security/selinux/hooks.c | 2 +-
security/selinux/include/avc.h | 2 +-
security/selinux/include/avc_ss.h | 2 +-
security/selinux/include/objsec.h | 2 +-
security/selinux/include/security.h | 2 +-
security/selinux/ss/avtab.c | 2 +-
security/selinux/ss/avtab.h | 2 +-
security/selinux/ss/constraint.h | 2 +-
security/selinux/ss/context.h | 2 +-
security/selinux/ss/ebitmap.c | 2 +-
security/selinux/ss/ebitmap.h | 2 +-
security/selinux/ss/hashtab.c | 2 +-
security/selinux/ss/hashtab.h | 2 +-
security/selinux/ss/mls.c | 2 +-
security/selinux/ss/mls.h | 2 +-
security/selinux/ss/mls_types.h | 2 +-
security/selinux/ss/policydb.c | 2 +-
security/selinux/ss/policydb.h | 2 +-
security/selinux/ss/services.c | 2 +-
security/selinux/ss/services.h | 2 +-
security/selinux/ss/sidtab.c | 2 +-
security/selinux/ss/sidtab.h | 2 +-
security/selinux/ss/symtab.c | 2 +-
security/selinux/ss/symtab.h | 2 +-
25 files changed, 25 insertions(+), 25 deletions(-)
(limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index cd55479cce25..32eb67fb3e42 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -2,7 +2,7 @@
/*
* Implementation of the kernel access vector cache (AVC).
*
- * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
+ * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com>
* James Morris <jmorris@redhat.com>
*
* Update: KaiGai, Kohei <kaigai@ak.jp.nec.com>
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index dc51f28815b0..a85a9f52e0c3 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4,7 +4,7 @@
*
* This file contains the SELinux hook function implementations.
*
- * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
+ * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com>
* Chris Vance, <cvance@nai.com>
* Wayne Salamon, <wsalamon@nai.com>
* James Morris <jmorris@redhat.com>
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 9e055f74daf6..8f0aa66ccb13 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -2,7 +2,7 @@
/*
* Access vector cache interface for object managers.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SELINUX_AVC_H_
#define _SELINUX_AVC_H_
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index b9668be7b443..88b139e086c4 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -2,7 +2,7 @@
/*
* Access vector cache interface for the security server.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SELINUX_AVC_SS_H_
#define _SELINUX_AVC_SS_H_
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 8f50e8fe0488..8159fd53c3de 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -4,7 +4,7 @@
*
* This file contains the SELinux security data structures for kernel objects.
*
- * Author(s): Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author(s): Stephen Smalley, <stephen.smalley.work@gmail.com>
* Chris Vance, <cvance@nai.com>
* Wayne Salamon, <wsalamon@nai.com>
* James Morris <jmorris@redhat.com>
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 6b8b8fc3badd..668e393a9709 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -2,7 +2,7 @@
/*
* Security server interface.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*
*/
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index 5fd439c5b8a4..32f92da00b0e 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -1,7 +1,7 @@
/*
* Implementation of the access vector table type.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
index c2b88430c916..2ef5d1ae2844 100644
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -6,7 +6,7 @@
* table is used to represent the type enforcement
* tables.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
diff --git a/security/selinux/ss/constraint.h b/security/selinux/ss/constraint.h
index 4e563be9ef5f..f76eb3128ad5 100644
--- a/security/selinux/ss/constraint.h
+++ b/security/selinux/ss/constraint.h
@@ -11,7 +11,7 @@
* process from labeling an object with a different user
* identity.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_CONSTRAINT_H_
#define _SS_CONSTRAINT_H_
diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
index aed704b8c642..1f59468c0759 100644
--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -11,7 +11,7 @@
* security server and can be changed without affecting
* clients of the security server.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_CONTEXT_H_
#define _SS_CONTEXT_H_
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index d31b87be9a1e..77875ad355f7 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -2,7 +2,7 @@
/*
* Implementation of the extensible bitmap type.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/*
* Updated: Hewlett-Packard <paul@paul-moore.com>
diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
index e5b57dc3fc53..e3c807cfad90 100644
--- a/security/selinux/ss/ebitmap.h
+++ b/security/selinux/ss/ebitmap.h
@@ -10,7 +10,7 @@
* an explicitly specified starting bit position within
* the total bitmap.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_EBITMAP_H_
#define _SS_EBITMAP_H_
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c
index 3fb8f9026e9b..30532ec319ce 100644
--- a/security/selinux/ss/hashtab.c
+++ b/security/selinux/ss/hashtab.c
@@ -2,7 +2,7 @@
/*
* Implementation of the hash table type.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#include <linux/kernel.h>
#include <linux/slab.h>
diff --git a/security/selinux/ss/hashtab.h b/security/selinux/ss/hashtab.h
index 043a773bf0b7..9dac6da45b98 100644
--- a/security/selinux/ss/hashtab.h
+++ b/security/selinux/ss/hashtab.h
@@ -6,7 +6,7 @@
* functions for hash computation and key comparison are
* provided by the creator of the table.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_HASHTAB_H_
#define _SS_HASHTAB_H_
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 99571b19d4a9..b2c6c846ea03 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -2,7 +2,7 @@
/*
* Implementation of the multi-level security (MLS) policy.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index 15cacde0ff61..107681dd1824 100644
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -2,7 +2,7 @@
/*
* Multi-level security (MLS) policy operations.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
diff --git a/security/selinux/ss/mls_types.h b/security/selinux/ss/mls_types.h
index 7d48d5e52233..f492cf148891 100644
--- a/security/selinux/ss/mls_types.h
+++ b/security/selinux/ss/mls_types.h
@@ -2,7 +2,7 @@
/*
* Type definitions for the multi-level security (MLS) policy.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 61e0e5000025..b903a4dfdce1 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -2,7 +2,7 @@
/*
* Implementation of the policy database.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/*
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 6b4ad8e91265..b97cda489753 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -3,7 +3,7 @@
* A policy database (policydb) specifies the
* configuration data for the security policy.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/*
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index fa47e4e38935..2c5be06fbada 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2,7 +2,7 @@
/*
* Implementation of the security services.
*
- * Authors : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Authors : Stephen Smalley, <stephen.smalley.work@gmail.com>
* James Morris <jmorris@redhat.com>
*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h
index 8a9b85f44b66..ed2ee6600467 100644
--- a/security/selinux/ss/services.h
+++ b/security/selinux/ss/services.h
@@ -2,7 +2,7 @@
/*
* Implementation of the security services.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_SERVICES_H_
#define _SS_SERVICES_H_
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index 38d25173aebd..d8ead463b8df 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -2,7 +2,7 @@
/*
* Implementation of the SID table type.
*
- * Original author: Stephen Smalley, <sds@tycho.nsa.gov>
+ * Original author: Stephen Smalley, <stephen.smalley.work@gmail.com>
* Author: Ondrej Mosnacek, <omosnacek@gmail.com>
*
* Copyright (C) 2018 Red Hat, Inc.
diff --git a/security/selinux/ss/sidtab.h b/security/selinux/ss/sidtab.h
index 72810a080e77..22258201cd14 100644
--- a/security/selinux/ss/sidtab.h
+++ b/security/selinux/ss/sidtab.h
@@ -3,7 +3,7 @@
* A security identifier table (sidtab) is a lookup table
* of security context structures indexed by SID value.
*
- * Original author: Stephen Smalley, <sds@tycho.nsa.gov>
+ * Original author: Stephen Smalley, <stephen.smalley.work@gmail.com>
* Author: Ondrej Mosnacek, <omosnacek@gmail.com>
*
* Copyright (C) 2018 Red Hat, Inc.
diff --git a/security/selinux/ss/symtab.c b/security/selinux/ss/symtab.c
index 7a77571fb275..43d7f0319ccd 100644
--- a/security/selinux/ss/symtab.c
+++ b/security/selinux/ss/symtab.c
@@ -2,7 +2,7 @@
/*
* Implementation of the symbol table type.
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#include <linux/kernel.h>
#include <linux/string.h>
diff --git a/security/selinux/ss/symtab.h b/security/selinux/ss/symtab.h
index 3033c4db6cb6..0a3b5de79a0f 100644
--- a/security/selinux/ss/symtab.h
+++ b/security/selinux/ss/symtab.h
@@ -5,7 +5,7 @@
* is arbitrary. The symbol table type is implemented
* using the hash table type (hashtab).
*
- * Author : Stephen Smalley, <sds@tycho.nsa.gov>
+ * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_SYMTAB_H_
#define _SS_SYMTAB_H_
--
cgit v1.2.3
From dd51fcd42fd6bf37608f54303b974b47f73c1490 Mon Sep 17 00:00:00 2001
From: Paolo Abeni <pabeni@redhat.com>
Date: Wed, 19 Jul 2023 13:37:49 +0200
Subject: selinux: introduce and use lsm_ad_net_init*() helpers
Perf traces of network-related workload shows a measurable overhead
inside the network-related selinux hooks while zeroing the
lsm_network_audit struct.
In most cases we can delay the initialization of such structure to the
usage point, avoiding such overhead in a few cases.
Additionally, the audit code accesses the IP address information only
for AF_INET* families, and selinux_parse_skb() will fill-out the
relevant fields in such cases. When the family field is zeroed or the
initialization is followed by the mentioned parsing, the zeroing can be
limited to the sk, family and netif fields.
By factoring out the audit-data initialization to new helpers, this
patch removes some duplicate code and gives small but measurable
performance gain under UDP flood.
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/hooks.c | 84 +++++++++++++++++++++++++-----------------------
1 file changed, 43 insertions(+), 41 deletions(-)
(limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a85a9f52e0c3..6f53fa71fbdb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -224,6 +224,31 @@ static inline u32 cred_sid(const struct cred *cred)
return tsec->sid;
}
+static void __ad_net_init(struct common_audit_data *ad,
+ struct lsm_network_audit *net,
+ int ifindex, struct sock *sk, u16 family)
+{
+ ad->type = LSM_AUDIT_DATA_NET;
+ ad->u.net = net;
+ net->netif = ifindex;
+ net->sk = sk;
+ net->family = family;
+}
+
+static void ad_net_init_from_sk(struct common_audit_data *ad,
+ struct lsm_network_audit *net,
+ struct sock *sk)
+{
+ __ad_net_init(ad, net, 0, sk, 0);
+}
+
+static void ad_net_init_from_iif(struct common_audit_data *ad,
+ struct lsm_network_audit *net,
+ int ifindex, u16 family)
+{
+ __ad_net_init(ad, net, ifindex, 0, family);
+}
+
/*
* get the objective security ID of a task
*/
@@ -4512,7 +4537,7 @@ static int sock_has_perm(struct sock *sk, u32 perms)
{
struct sk_security_struct *sksec = sk->sk_security;
struct common_audit_data ad;
- struct lsm_network_audit net = {0,};
+ struct lsm_network_audit net;
if (sksec->sid == SECINITSID_KERNEL)
return 0;
@@ -4532,9 +4557,7 @@ static int sock_has_perm(struct sock *sk, u32 perms)
sksec->sid == SECINITSID_INIT)
return 0;
- ad.type = LSM_AUDIT_DATA_NET;
- ad.u.net = &net;
- ad.u.net->sk = sk;
+ ad_net_init_from_sk(&ad, &net, sk);
return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
&ad);
@@ -4927,12 +4950,10 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
struct sk_security_struct *sksec_other = other->sk_security;
struct sk_security_struct *sksec_new = newsk->sk_security;
struct common_audit_data ad;
- struct lsm_network_audit net = {0,};
+ struct lsm_network_audit net;
int err;
- ad.type = LSM_AUDIT_DATA_NET;
- ad.u.net = &net;
- ad.u.net->sk = other;
+ ad_net_init_from_sk(&ad, &net, other);
err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
sksec_other->sclass,
@@ -4959,11 +4980,9 @@ static int selinux_socket_unix_may_send(struct socket *sock,
struct sk_security_struct *ssec = sock->sk->sk_security;
struct sk_security_struct *osec = other->sk->sk_security;
struct common_audit_data ad;
- struct lsm_network_audit net = {0,};
+ struct lsm_network_audit net;
- ad.type = LSM_AUDIT_DATA_NET;
- ad.u.net = &net;
- ad.u.net->sk = other->sk;
+ ad_net_init_from_sk(&ad, &net, other->sk);
return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
&ad);
@@ -4999,13 +5018,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
struct sk_security_struct *sksec = sk->sk_security;
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
- struct lsm_network_audit net = {0,};
+ struct lsm_network_audit net;
char *addrp;
- ad.type = LSM_AUDIT_DATA_NET;
- ad.u.net = &net;
- ad.u.net->netif = skb->skb_iif;
- ad.u.net->family = family;
+ ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
if (err)
return err;
@@ -5032,7 +5048,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
u16 family = sk->sk_family;
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
- struct lsm_network_audit net = {0,};
+ struct lsm_network_audit net;
char *addrp;
if (family != PF_INET && family != PF_INET6)
@@ -5054,10 +5070,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
if (!secmark_active && !peerlbl_active)
return 0;
- ad.type = LSM_AUDIT_DATA_NET;
- ad.u.net = &net;
- ad.u.net->netif = skb->skb_iif;
- ad.u.net->family = family;
+ ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
if (err)
return err;
@@ -5227,7 +5240,7 @@ static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
u16 family = sk->sk_family;
struct sk_security_struct *sksec = sk->sk_security;
struct common_audit_data ad;
- struct lsm_network_audit net = {0,};
+ struct lsm_network_audit net;
int err;
/* handle mapped IPv4 packets arriving via IPv6 sockets */
@@ -5263,9 +5276,7 @@ static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
/* Other association peer SIDs are checked to enforce
* consistency among the peer SIDs.
*/
- ad.type = LSM_AUDIT_DATA_NET;
- ad.u.net = &net;
- ad.u.net->sk = asoc->base.sk;
+ ad_net_init_from_sk(&ad, &net, asoc->base.sk);
err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
sksec->sclass, SCTP_SOCKET__ASSOCIATION,
&ad);
@@ -5610,7 +5621,7 @@ static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
char *addrp;
u32 peer_sid;
struct common_audit_data ad;
- struct lsm_network_audit net = {0,};
+ struct lsm_network_audit net;
int secmark_active, peerlbl_active;
if (!selinux_policycap_netpeer())
@@ -5626,10 +5637,7 @@ static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
return NF_DROP;
ifindex = state->in->ifindex;
- ad.type = LSM_AUDIT_DATA_NET;
- ad.u.net = &net;
- ad.u.net->netif = ifindex;
- ad.u.net->family = family;
+ ad_net_init_from_iif(&ad, &net, ifindex, family);
if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
return NF_DROP;
@@ -5709,7 +5717,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
struct sock *sk;
struct sk_security_struct *sksec;
struct common_audit_data ad;
- struct lsm_network_audit net = {0,};
+ struct lsm_network_audit net;
u8 proto = 0;
sk = skb_to_full_sk(skb);
@@ -5717,10 +5725,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
return NF_ACCEPT;
sksec = sk->sk_security;
- ad.type = LSM_AUDIT_DATA_NET;
- ad.u.net = &net;
- ad.u.net->netif = state->out->ifindex;
- ad.u.net->family = state->pf;
+ ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
return NF_DROP;
@@ -5745,7 +5750,7 @@ static unsigned int selinux_ip_postroute(void *priv,
int ifindex;
struct sock *sk;
struct common_audit_data ad;
- struct lsm_network_audit net = {0,};
+ struct lsm_network_audit net;
char *addrp;
int secmark_active, peerlbl_active;
@@ -5842,10 +5847,7 @@ static unsigned int selinux_ip_postroute(void *priv,
}
ifindex = state->out->ifindex;
- ad.type = LSM_AUDIT_DATA_NET;
- ad.u.net = &net;
- ad.u.net->netif = ifindex;
- ad.u.net->family = family;
+ ad_net_init_from_iif(&ad, &net, ifindex, family);
if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
return NF_DROP;
--
cgit v1.2.3
From 3876043ad9f7ff5fa3e506ea9673641971e46d8b Mon Sep 17 00:00:00 2001
From: Paul Moore <paul@paul-moore.com>
Date: Thu, 20 Jul 2023 16:26:34 -0400
Subject: selinux: fix a 0/NULL mistmatch in ad_net_init_from_iif()
Use a NULL instead of a zero to resolve a int/pointer mismatch.
Cc: Paolo Abeni <pabeni@redhat.com>
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202307210332.4AqFZfzI-lkp@intel.com/
Fixes: dd51fcd42fd6 ("selinux: introduce and use lsm_ad_net_init*() helpers")
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6f53fa71fbdb..5194f12def97 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -246,7 +246,7 @@ static void ad_net_init_from_iif(struct common_audit_data *ad,
struct lsm_network_audit *net,
int ifindex, u16 family)
{
- __ad_net_init(ad, net, ifindex, 0, family);
+ __ad_net_init(ad, net, ifindex, NULL, family);
}
/*
--
cgit v1.2.3
From 19c5b015d1b9122393151134879dcfcf0ae6057a Mon Sep 17 00:00:00 2001
From: Christian Göttsche <cgzones@googlemail.com>
Date: Fri, 28 Jul 2023 17:01:49 +0200
Subject: selinux: log about VM being executable by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case virtual memory is being marked as executable by default, SELinux
checks regarding explicit potential dangerous use are disabled.
Inform the user about it.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/hooks.c | 2 ++
1 file changed, 2 insertions(+)
(limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5194f12def97..7cd687284563 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7265,6 +7265,8 @@ static __init int selinux_init(void)
cred_init_security();
default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
+ if (!default_noexec)
+ pr_notice("SELinux: virtual memory is executable by default\n");
avc_init();
--
cgit v1.2.3
From 64f18f8a8c091f1f8fdc4805bafaffd15b588b23 Mon Sep 17 00:00:00 2001
From: Xiu Jianfeng <xiujianfeng@huawei.com>
Date: Fri, 4 Aug 2023 03:46:52 +0000
Subject: selinux: update comment on selinux_hooks[]
After commit f22f9aaf6c3d ("selinux: remove the runtime disable
functionality"), the comment on selinux_hooks[] is out-of-date,
remove the last paragraph about runtime disable functionality.
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/hooks.c | 4 ----
1 file changed, 4 deletions(-)
(limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7cd687284563..cf787eaca755 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6963,10 +6963,6 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
* hooks ("allocating" hooks).
*
* Please follow block comment delimiters in the list to keep this order.
- *
- * This ordering is needed for SELinux runtime disable to work at least somewhat
- * safely. Breaking the ordering rules above might lead to NULL pointer derefs
- * when disabling SELinux at runtime.
*/
static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
--
cgit v1.2.3
From 817199e006e514e6c39a17ed2e9fece1bd56b898 Mon Sep 17 00:00:00 2001
From: Paul Moore <paul@paul-moore.com>
Date: Mon, 7 Aug 2023 22:57:22 -0400
Subject: selinux: revert SECINITSID_INIT support
This commit reverts 5b0eea835d4e ("selinux: introduce an initial SID
for early boot processes") as it was found to cause problems on
distros with old SELinux userspace tools/libraries, specifically
Ubuntu 16.04.
Hopefully we will be able to re-add this functionality at a later
date, but let's revert this for now to help ensure a stable and
backwards compatible SELinux tree.
Link: https://lore.kernel.org/selinux/87edkseqf8.fsf@mail.lhotse
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/hooks.c | 28 ------------------------
security/selinux/include/initial_sid_to_string.h | 2 +-
security/selinux/include/policycap.h | 1 -
security/selinux/include/policycap_names.h | 1 -
security/selinux/include/security.h | 6 -----
security/selinux/ss/policydb.c | 27 -----------------------
6 files changed, 1 insertion(+), 64 deletions(-)
(limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index cf787eaca755..7138083c5bef 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2313,19 +2313,6 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
new_tsec->keycreate_sid = 0;
new_tsec->sockcreate_sid = 0;
- /*
- * Before policy is loaded, label any task outside kernel space
- * as SECINITSID_INIT, so that any userspace tasks surviving from
- * early boot end up with a label different from SECINITSID_KERNEL
- * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
- */
- if (!selinux_initialized()) {
- new_tsec->sid = SECINITSID_INIT;
- /* also clear the exec_sid just in case */
- new_tsec->exec_sid = 0;
- return 0;
- }
-
if (old_tsec->exec_sid) {
new_tsec->sid = old_tsec->exec_sid;
/* Reset exec SID on execve. */
@@ -4542,21 +4529,6 @@ static int sock_has_perm(struct sock *sk, u32 perms)
if (sksec->sid == SECINITSID_KERNEL)
return 0;
- /*
- * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
- * inherited the kernel context from early boot used to be skipped
- * here, so preserve that behavior unless the capability is set.
- *
- * By setting the capability the policy signals that it is ready
- * for this quirk to be fixed. Note that sockets created by a kernel
- * thread or a usermode helper executed without a transition will
- * still be skipped in this check regardless of the policycap
- * setting.
- */
- if (!selinux_policycap_userspace_initial_context() &&
- sksec->sid == SECINITSID_INIT)
- return 0;
-
ad_net_init_from_sk(&ad, &net, sk);
return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h
index 5e5f0993dac2..ecc6e74fa09b 100644
--- a/security/selinux/include/initial_sid_to_string.h
+++ b/security/selinux/include/initial_sid_to_string.h
@@ -10,7 +10,7 @@ static const char *const initial_sid_to_string[] = {
NULL,
"file",
NULL,
- "init",
+ NULL,
"any_socket",
"port",
"netif",
diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h
index c7373e6effe5..f35d3458e71d 100644
--- a/security/selinux/include/policycap.h
+++ b/security/selinux/include/policycap.h
@@ -12,7 +12,6 @@ enum {
POLICYDB_CAP_NNP_NOSUID_TRANSITION,
POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS,
POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
- POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT,
__POLICYDB_CAP_MAX
};
#define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)
diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h
index 28e4c9ee2399..49bbe120d173 100644
--- a/security/selinux/include/policycap_names.h
+++ b/security/selinux/include/policycap_names.h
@@ -14,7 +14,6 @@ const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = {
"nnp_nosuid_transition",
"genfs_seclabel_symlinks",
"ioctl_skip_cloexec",
- "userspace_initial_context",
};
#endif /* _SELINUX_POLICYCAP_NAMES_H_ */
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 074d439fe9ad..a9de89af8fdc 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -189,12 +189,6 @@ static inline bool selinux_policycap_ioctl_skip_cloexec(void)
selinux_state.policycap[POLICYDB_CAP_IOCTL_SKIP_CLOEXEC]);
}
-static inline bool selinux_policycap_userspace_initial_context(void)
-{
- return READ_ONCE(
- selinux_state.policycap[POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT]);
-}
-
struct selinux_policy_convert_data;
struct selinux_load_state {
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index bb850b608dc6..cd44b13b8d3f 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -864,8 +864,6 @@ void policydb_destroy(struct policydb *p)
int policydb_load_isids(struct policydb *p, struct sidtab *s)
{
struct ocontext *head, *c;
- bool isid_init_supported = ebitmap_get_bit(&p->policycaps,
- POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT);
int rc;
rc = sidtab_init(s);
@@ -889,13 +887,6 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
if (!name)
continue;
- /*
- * Also ignore SECINITSID_INIT if the policy doesn't declare
- * support for it
- */
- if (sid == SECINITSID_INIT && !isid_init_supported)
- continue;
-
rc = sidtab_set_initial(s, sid, &c->context[0]);
if (rc) {
pr_err("SELinux: unable to load initial SID %s.\n",
@@ -903,24 +894,6 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
sidtab_destroy(s);
return rc;
}
-
- /*
- * If the policy doesn't support the "userspace_initial_context"
- * capability, set SECINITSID_INIT to the same context as
- * SECINITSID_KERNEL. This ensures the same behavior as before
- * the reintroduction of SECINITSID_INIT, where all tasks
- * started before policy load would initially get the context
- * corresponding to SECINITSID_KERNEL.
- */
- if (sid == SECINITSID_KERNEL && !isid_init_supported) {
- rc = sidtab_set_initial(s, SECINITSID_INIT, &c->context[0]);
- if (rc) {
- pr_err("SELinux: unable to load initial SID %s.\n",
- name);
- sidtab_destroy(s);
- return rc;
- }
- }
}
return 0;
}
--
cgit v1.2.3