Página inicial Explorar Ajuda
Registrar Entrar
phyus
/
linux-vybrid_public
8
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Ver código fonte

selinux: support 64-bit capabilities

Fix SELinux to handle 64-bit capabilities correctly, and to catch
future extensions of capabilities beyond 64 bits to ensure that SELinux
is properly updated.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Stephen Smalley 17 anos atrás
pai
19af35546d
commit
b68e418c44
5 arquivos alterados com 27 adições e 2 exclusões
Visão dividida Mostrar estatísticas do Diff
  1. 19 2
      security/selinux/hooks.c
  2. 3 0
      security/selinux/include/av_perm_to_string.h
  3. 3 0
      security/selinux/include/av_permissions.h
  4. 1 0
      security/selinux/include/class_to_string.h
  5. 1 0
      security/selinux/include/flask.h

+ 19 - 2
security/selinux/hooks.c
Ver arquivo 

@@ -1272,12 +1272,18 @@ static int task_has_perm(struct task_struct *tsk1,
 
 			    SECCLASS_PROCESS, perms, NULL);
 
 }
 
 
+#if CAP_LAST_CAP > 63
 
+#error Fix SELinux to handle capabilities > 63.
 
+#endif
 
+
 
 /* Check whether a task is allowed to use a capability. */
 
 static int task_has_capability(struct task_struct *tsk,
 
 			       int cap)
 
 {
 
 	struct task_security_struct *tsec;
 
 	struct avc_audit_data ad;
 
+	u16 sclass;
 
+	u32 av = CAP_TO_MASK(cap);
 
 
 	tsec = tsk->security;
 
 
@@ -1285,8 +1291,19 @@ static int task_has_capability(struct task_struct *tsk,
 
 	ad.tsk = tsk;
 
 	ad.u.cap = cap;
 
 
-	return avc_has_perm(tsec->sid, tsec->sid,
 
-			    SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
 
+	switch (CAP_TO_INDEX(cap)) {
 
+	case 0:
 
+		sclass = SECCLASS_CAPABILITY;
 
+		break;
 
+	case 1:
 
+		sclass = SECCLASS_CAPABILITY2;
 
+		break;
 
+	default:
 
+		printk(KERN_ERR
 
+		       "SELinux:  out of range capability %d\n", cap);
 
+		BUG();
 
+	}
 
+	return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
 
 }
 
 
 /* Check whether a task is allowed to use a system operation. */

+ 3 - 0
security/selinux/include/av_perm_to_string.h
Ver arquivo 

@@ -132,6 +132,9 @@
 
    S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
 
    S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
 
    S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
 
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
 
+   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
 
+   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
 
    S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
 
    S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
 
    S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")

+ 3 - 0
security/selinux/include/av_permissions.h
Ver arquivo 

@@ -533,6 +533,9 @@
 
 #define CAPABILITY__LEASE                         0x10000000UL
 
 #define CAPABILITY__AUDIT_WRITE                   0x20000000UL
 
 #define CAPABILITY__AUDIT_CONTROL                 0x40000000UL
 
+#define CAPABILITY__SETFCAP                       0x80000000UL
 
+#define CAPABILITY2__MAC_OVERRIDE                 0x00000001UL
 
+#define CAPABILITY2__MAC_ADMIN                    0x00000002UL
 
 #define NETLINK_ROUTE_SOCKET__IOCTL               0x00000001UL
 
 #define NETLINK_ROUTE_SOCKET__READ                0x00000002UL
 
 #define NETLINK_ROUTE_SOCKET__WRITE               0x00000004UL

+ 1 - 0
security/selinux/include/class_to_string.h
Ver arquivo 

@@ -71,3 +71,4 @@
 
     S_(NULL)
 
     S_(NULL)
 
     S_("peer")
 
+    S_("capability2")

+ 1 - 0
security/selinux/include/flask.h
Ver arquivo 

@@ -51,6 +51,7 @@
 
 #define SECCLASS_DCCP_SOCKET                             60
 
 #define SECCLASS_MEMPROTECT                              61
 
 #define SECCLASS_PEER                                    68
 
+#define SECCLASS_CAPABILITY2                             69
 
 
 /*
 
  * Security identifier indices for initial entities