aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKevin Hilman <khilman@linaro.org>2015-11-11 15:05:46 -0800
committerKevin Hilman <khilman@linaro.org>2015-11-11 15:05:46 -0800
commit444e6cd9569605e88e4b2317cbeb23849e449093 (patch)
tree00f706ad2b7cc34a0d2da73be8234290c51ae227
parent83ec293e0817e2536097dd86f7aba9c1c39ef1d2 (diff)
parent7acde36bcee74c4adf1fa338d02a879939d0033a (diff)
downloadlinux-linaro-stable-444e6cd9569605e88e4b2317cbeb23849e449093.tar.gz
Merge branch 'android-3.14' of ../../android/aosp into linux-linaro-lsk-v3.14-android
* 'android-3.14' of ../../android/aosp: wakeup: Add the guard condition for len in pm_get_active_wakeup_sources mm: reorder can_do_mlock to fix audit denial staging: ion: debugfs to shrink pool selinux: Android kernel compatibility with M userspace selinux: extended permissions for ioctls security: add ioctl specific auditing to lsm_audit selinux: remove unnecessary pointer reassignment Revert "security: lsm_audit: add ioctl specific auditing" Revert "SELinux: per-command whitelisting of ioctls" Revert "SELinux: use deletion-safe iterator to free list" Revert "SELinux: ss: Fix policy write for ioctl operations" arm: mm: support ARCH_MMAP_RND_BITS. mm: mmap: Add new /proc tunable for mmap_base ASLR. uid_cputime: Check for the range while removing range of UIDs.
-rw-r--r--Documentation/sysctl/kernel.txt14
-rw-r--r--arch/arm/Kconfig24
-rw-r--r--arch/arm/mm/mmap.c7
-rw-r--r--drivers/base/power/wakeup.c2
-rw-r--r--drivers/misc/uid_cputime.c9
-rw-r--r--drivers/staging/android/ion/ion.c22
-rw-r--r--include/linux/mm.h6
-rw-r--r--kernel/sysctl.c11
-rw-r--r--mm/mlock.c4
-rw-r--r--security/selinux/avc.c459
-rw-r--r--security/selinux/hooks.c6
-rw-r--r--security/selinux/include/avc.h8
-rw-r--r--security/selinux/include/security.h44
-rw-r--r--security/selinux/ss/avtab.c151
-rw-r--r--security/selinux/ss/avtab.h43
-rw-r--r--security/selinux/ss/conditional.c16
-rw-r--r--security/selinux/ss/conditional.h6
-rw-r--r--security/selinux/ss/policydb.c2
-rw-r--r--security/selinux/ss/services.c161
-rw-r--r--security/selinux/ss/services.h4
20 files changed, 564 insertions, 435 deletions
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index 855d9b37bf76..c28245e1279b 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -41,6 +41,7 @@ show up in /proc/sys/kernel:
- kptr_restrict
- kstack_depth_to_print [ X86 only ]
- l2cr [ PPC only ]
+- mmap_rnd_bits
- modprobe ==> Documentation/debugging-modules.txt
- modules_disabled
- msg_next_id [ sysv ipc ]
@@ -381,6 +382,19 @@ This flag controls the L2 cache of G3 processor boards. If
==============================================================
+mmap_rnd_bits:
+
+This value can be used to select the number of bits to use to
+determine the random offset to the base address of vma regions
+resulting from mmap allocations on architectures which support
+tuning address space randomization. This value will be bounded
+by the architecture's minimum and maximum supported values.
+
+This value can be changed after boot using the
+/proc/sys/kernel/mmap_rnd_bits tunable
+
+==============================================================
+
modules_disabled:
A toggle value indicating if modules are allowed to be loaded
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 924ea5bec5bf..2284bda18a8d 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -296,6 +296,30 @@ config MMU
Select if you want MMU-based virtualised addressing space
support by paged memory management. If unsure, say 'Y'.
+config ARCH_MMAP_RND_BITS_MIN
+ int
+ default 8
+
+config ARCH_MMAP_RND_BITS_MAX
+ int
+ default 14 if MMU && PAGE_OFFSET=0x40000000
+ default 15 if MMU && PAGE_OFFSET=0x80000000
+ default 16 if MMU
+ default 8
+
+config ARCH_MMAP_RND_BITS
+ int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ default ARCH_MMAP_RND_BITS_MIN
+ help
+ This value can be used to select the number of bits to use to
+ determine the random offset to the base address of vma regions
+ resulting from mmap allocations. This value will be bounded
+ by the architecture's minimum and maximum supported values.
+
+ This value can be changed after boot using the
+ /proc/sys/kernel/mmap_rnd_bits tunable
+
#
# The "ARM system type" choice list is ordered alphabetically by option
# text. Please add new entries in the option alphabetic order.
diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
index 5e85ed371364..290cbb310486 100644
--- a/arch/arm/mm/mmap.c
+++ b/arch/arm/mm/mmap.c
@@ -11,6 +11,10 @@
#include <linux/random.h>
#include <asm/cachetype.h>
+int mmap_rnd_bits_min = CONFIG_ARCH_MMAP_RND_BITS_MIN;
+int mmap_rnd_bits_max = CONFIG_ARCH_MMAP_RND_BITS_MAX;
+int mmap_rnd_bits = CONFIG_ARCH_MMAP_RND_BITS;
+
#define COLOUR_ALIGN(addr,pgoff) \
((((addr)+SHMLBA-1)&~(SHMLBA-1)) + \
(((pgoff)<<PAGE_SHIFT) & (SHMLBA-1)))
@@ -173,10 +177,9 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
{
unsigned long random_factor = 0UL;
- /* 8 bits of randomness in 20 address space bits */
if ((current->flags & PF_RANDOMIZE) &&
!(current->personality & ADDR_NO_RANDOMIZE))
- random_factor = (get_random_int() % (1 << 8)) << PAGE_SHIFT;
+ random_factor = (get_random_int() % (1 << mmap_rnd_bits)) << PAGE_SHIFT;
if (mmap_is_legacy()) {
mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
index 303e8616d6bc..0551bf201869 100644
--- a/drivers/base/power/wakeup.c
+++ b/drivers/base/power/wakeup.c
@@ -668,7 +668,7 @@ void pm_get_active_wakeup_sources(char *pending_wakeup_source, size_t max)
rcu_read_lock();
list_for_each_entry_rcu(ws, &wakeup_sources, entry) {
- if (ws->active) {
+ if (ws->active && len < max) {
if (!active)
len += scnprintf(pending_wakeup_source, max,
"Pending Wakeup Sources: ");
diff --git a/drivers/misc/uid_cputime.c b/drivers/misc/uid_cputime.c
index 43298a43ecc3..c751188ce2ab 100644
--- a/drivers/misc/uid_cputime.c
+++ b/drivers/misc/uid_cputime.c
@@ -174,14 +174,15 @@ static ssize_t uid_remove_write(struct file *file,
kstrtol(end_uid, 10, &uid_end) != 0) {
return -EINVAL;
}
-
mutex_lock(&uid_lock);
for (; uid_start <= uid_end; uid_start++) {
hash_for_each_possible_safe(hash_table, uid_entry, tmp,
- hash, uid_start) {
- hash_del(&uid_entry->hash);
- kfree(uid_entry);
+ hash, (uid_t)uid_start) {
+ if (uid_start == uid_entry->uid) {
+ hash_del(&uid_entry->hash);
+ kfree(uid_entry);
+ }
}
}
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index fa398ef8ae24..e241616da377 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -1453,7 +1453,6 @@ static const struct file_operations debug_heap_fops = {
.release = single_release,
};
-#ifdef DEBUG_HEAP_SHRINKER
static int debug_shrink_set(void *data, u64 val)
{
struct ion_heap *heap = data;
@@ -1461,15 +1460,14 @@ static int debug_shrink_set(void *data, u64 val)
int objs;
sc.gfp_mask = -1;
- sc.nr_to_scan = 0;
-
- if (!val)
- return 0;
+ sc.nr_to_scan = val;
- objs = heap->shrinker.shrink(&heap->shrinker, &sc);
- sc.nr_to_scan = objs;
+ if (!val) {
+ objs = heap->shrinker.count_objects(&heap->shrinker, &sc);
+ sc.nr_to_scan = objs;
+ }
- heap->shrinker.shrink(&heap->shrinker, &sc);
+ heap->shrinker.scan_objects(&heap->shrinker, &sc);
return 0;
}
@@ -1482,14 +1480,13 @@ static int debug_shrink_get(void *data, u64 *val)
sc.gfp_mask = -1;
sc.nr_to_scan = 0;
- objs = heap->shrinker.shrink(&heap->shrinker, &sc);
+ objs = heap->shrinker.count_objects(&heap->shrinker, &sc);
*val = objs;
return 0;
}
DEFINE_SIMPLE_ATTRIBUTE(debug_shrink_fops, debug_shrink_get,
debug_shrink_set, "%llu\n");
-#endif
void ion_device_add_heap(struct ion_device *dev, struct ion_heap *heap)
{
@@ -1523,8 +1520,7 @@ void ion_device_add_heap(struct ion_device *dev, struct ion_heap *heap)
path, heap->name);
}
-#ifdef DEBUG_HEAP_SHRINKER
- if (heap->shrinker.shrink) {
+ if (heap->shrinker.count_objects && heap->shrinker.scan_objects) {
char debug_name[64];
snprintf(debug_name, 64, "%s_shrink", heap->name);
@@ -1538,7 +1534,7 @@ void ion_device_add_heap(struct ion_device *dev, struct ion_heap *heap)
path, debug_name);
}
}
-#endif
+
up_write(&dev->lock);
}
diff --git a/include/linux/mm.h b/include/linux/mm.h
index e731c57a8dd1..370ae3baea23 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -47,6 +47,12 @@ extern int sysctl_legacy_va_layout;
#define sysctl_legacy_va_layout 0
#endif
+#ifdef CONFIG_ARCH_MMAP_RND_BITS
+extern int mmap_rnd_bits_min;
+extern int mmap_rnd_bits_max;
+extern int mmap_rnd_bits;
+#endif
+
#include <asm/page.h>
#include <asm/pgtable.h>
#include <asm/processor.h>
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 4d0d28863ac3..769684d6cfc8 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1110,6 +1110,17 @@ static struct ctl_table kern_table[] = {
.proc_handler = proc_dointvec,
},
#endif
+#ifdef CONFIG_ARCH_MMAP_RND_BITS
+ {
+ .procname = "mmap_rnd_bits",
+ .data = &mmap_rnd_bits,
+ .maxlen = sizeof(mmap_rnd_bits),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &mmap_rnd_bits_min,
+ .extra2 = &mmap_rnd_bits_max,
+ },
+#endif
{ }
};
diff --git a/mm/mlock.c b/mm/mlock.c
index f84bf52f5974..c2fbe0dc8323 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -26,10 +26,10 @@
int can_do_mlock(void)
{
- if (capable(CAP_IPC_LOCK))
- return 1;
if (rlimit(RLIMIT_MEMLOCK) != 0)
return 1;
+ if (capable(CAP_IPC_LOCK))
+ return 1;
return 0;
}
EXPORT_SYMBOL(can_do_mlock);
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 21a34153df14..fd33dbce9d8a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -49,7 +49,7 @@ struct avc_entry {
u32 tsid;
u16 tclass;
struct av_decision avd;
- struct avc_operation_node *ops_node;
+ struct avc_xperms_node *xp_node;
};
struct avc_node {
@@ -58,6 +58,16 @@ struct avc_node {
struct rcu_head rhead;
};
+struct avc_xperms_decision_node {
+ struct extended_perms_decision xpd;
+ struct list_head xpd_list; /* list of extended_perms_decision */
+};
+
+struct avc_xperms_node {
+ struct extended_perms xp;
+ struct list_head xpd_head; /* list head of extended_perms_decision */
+};
+
struct avc_cache {
struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */
spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */
@@ -66,16 +76,6 @@ struct avc_cache {
u32 latest_notif; /* latest revocation notification */
};
-struct avc_operation_decision_node {
- struct operation_decision od;
- struct list_head od_list;
-};
-
-struct avc_operation_node {
- struct operation ops;
- struct list_head od_head; /* list of operation_decision_node */
-};
-
struct avc_callback_node {
int (*callback) (u32 event);
u32 events;
@@ -92,9 +92,9 @@ DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 };
static struct avc_cache avc_cache;
static struct avc_callback_node *avc_callbacks;
static struct kmem_cache *avc_node_cachep;
-static struct kmem_cache *avc_operation_decision_node_cachep;
-static struct kmem_cache *avc_operation_node_cachep;
-static struct kmem_cache *avc_operation_perm_cachep;
+static struct kmem_cache *avc_xperms_data_cachep;
+static struct kmem_cache *avc_xperms_decision_cachep;
+static struct kmem_cache *avc_xperms_cachep;
static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
{
@@ -185,17 +185,17 @@ void __init avc_init(void)
atomic_set(&avc_cache.lru_hint, 0);
avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
- 0, SLAB_PANIC, NULL);
- avc_operation_node_cachep = kmem_cache_create("avc_operation_node",
- sizeof(struct avc_operation_node),
- 0, SLAB_PANIC, NULL);
- avc_operation_decision_node_cachep = kmem_cache_create(
- "avc_operation_decision_node",
- sizeof(struct avc_operation_decision_node),
- 0, SLAB_PANIC, NULL);
- avc_operation_perm_cachep = kmem_cache_create("avc_operation_perm",
- sizeof(struct operation_perm),
- 0, SLAB_PANIC, NULL);
+ 0, SLAB_PANIC, NULL);
+ avc_xperms_cachep = kmem_cache_create("avc_xperms_node",
+ sizeof(struct avc_xperms_node),
+ 0, SLAB_PANIC, NULL);
+ avc_xperms_decision_cachep = kmem_cache_create(
+ "avc_xperms_decision_node",
+ sizeof(struct avc_xperms_decision_node),
+ 0, SLAB_PANIC, NULL);
+ avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data",
+ sizeof(struct extended_perms_data),
+ 0, SLAB_PANIC, NULL);
audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n");
}
@@ -231,222 +231,214 @@ int avc_get_hash_stats(char *page)
}
/*
- * using a linked list for operation_decision lookup because the list is
+ * using a linked list for extended_perms_decision lookup because the list is
* always small. i.e. less than 5, typically 1
*/
-static struct operation_decision *avc_operation_lookup(u8 type,
- struct avc_operation_node *ops_node)
+static struct extended_perms_decision *avc_xperms_decision_lookup(u8 driver,
+ struct avc_xperms_node *xp_node)
{
- struct avc_operation_decision_node *od_node;
- struct operation_decision *od = NULL;
+ struct avc_xperms_decision_node *xpd_node;
- list_for_each_entry(od_node, &ops_node->od_head, od_list) {
- if (od_node->od.type != type)
- continue;
- od = &od_node->od;
- break;
+ list_for_each_entry(xpd_node, &xp_node->xpd_head, xpd_list) {
+ if (xpd_node->xpd.driver == driver)
+ return &xpd_node->xpd;
}
- return od;
+ return NULL;
}
-static inline unsigned int avc_operation_has_perm(struct operation_decision *od,
- u16 cmd, u8 specified)
+static inline unsigned int
+avc_xperms_has_perm(struct extended_perms_decision *xpd,
+ u8 perm, u8 which)
{
unsigned int rc = 0;
- u8 num = cmd & 0xff;
-
- if ((specified == OPERATION_ALLOWED) &&
- (od->specified & OPERATION_ALLOWED))
- rc = security_operation_test(od->allowed->perms, num);
- else if ((specified == OPERATION_AUDITALLOW) &&
- (od->specified & OPERATION_AUDITALLOW))
- rc = security_operation_test(od->auditallow->perms, num);
- else if ((specified == OPERATION_DONTAUDIT) &&
- (od->specified & OPERATION_DONTAUDIT))
- rc = security_operation_test(od->dontaudit->perms, num);
+
+ if ((which == XPERMS_ALLOWED) &&
+ (xpd->used & XPERMS_ALLOWED))
+ rc = security_xperm_test(xpd->allowed->p, perm);
+ else if ((which == XPERMS_AUDITALLOW) &&
+ (xpd->used & XPERMS_AUDITALLOW))
+ rc = security_xperm_test(xpd->auditallow->p, perm);
+ else if ((which == XPERMS_DONTAUDIT) &&
+ (xpd->used & XPERMS_DONTAUDIT))
+ rc = security_xperm_test(xpd->dontaudit->p, perm);
return rc;
}
-static void avc_operation_allow_perm(struct avc_operation_node *node, u16 cmd)
+static void avc_xperms_allow_perm(struct avc_xperms_node *xp_node,
+ u8 driver, u8 perm)
{
- struct operation_decision *od;
- u8 type;
- u8 num;
-
- type = cmd >> 8;
- num = cmd & 0xff;
- security_operation_set(node->ops.type, type);
- od = avc_operation_lookup(type, node);
- if (od && od->allowed)
- security_operation_set(od->allowed->perms, num);
+ struct extended_perms_decision *xpd;
+ security_xperm_set(xp_node->xp.drivers.p, driver);
+ xpd = avc_xperms_decision_lookup(driver, xp_node);
+ if (xpd && xpd->allowed)
+ security_xperm_set(xpd->allowed->p, perm);
}
-static void avc_operation_decision_free(
- struct avc_operation_decision_node *od_node)
+static void avc_xperms_decision_free(struct avc_xperms_decision_node *xpd_node)
{
- struct operation_decision *od;
-
- od = &od_node->od;
- if (od->allowed)
- kmem_cache_free(avc_operation_perm_cachep, od->allowed);
- if (od->auditallow)
- kmem_cache_free(avc_operation_perm_cachep, od->auditallow);
- if (od->dontaudit)
- kmem_cache_free(avc_operation_perm_cachep, od->dontaudit);
- kmem_cache_free(avc_operation_decision_node_cachep, od_node);
+ struct extended_perms_decision *xpd;
+
+ xpd = &xpd_node->xpd;
+ if (xpd->allowed)
+ kmem_cache_free(avc_xperms_data_cachep, xpd->allowed);
+ if (xpd->auditallow)
+ kmem_cache_free(avc_xperms_data_cachep, xpd->auditallow);
+ if (xpd->dontaudit)
+ kmem_cache_free(avc_xperms_data_cachep, xpd->dontaudit);
+ kmem_cache_free(avc_xperms_decision_cachep, xpd_node);
}
-static void avc_operation_free(struct avc_operation_node *ops_node)
+static void avc_xperms_free(struct avc_xperms_node *xp_node)
{
- struct avc_operation_decision_node *od_node, *tmp;
+ struct avc_xperms_decision_node *xpd_node, *tmp;
- if (!ops_node)
+ if (!xp_node)
return;
- list_for_each_entry_safe(od_node, tmp, &ops_node->od_head, od_list) {
- list_del(&od_node->od_list);
- avc_operation_decision_free(od_node);
+ list_for_each_entry_safe(xpd_node, tmp, &xp_node->xpd_head, xpd_list) {
+ list_del(&xpd_node->xpd_list);
+ avc_xperms_decision_free(xpd_node);
}
- kmem_cache_free(avc_operation_node_cachep, ops_node);
+ kmem_cache_free(avc_xperms_cachep, xp_node);
}
-static void avc_copy_operation_decision(struct operation_decision *dest,
- struct operation_decision *src)
+static void avc_copy_xperms_decision(struct extended_perms_decision *dest,
+ struct extended_perms_decision *src)
{
- dest->type = src->type;
- dest->specified = src->specified;
- if (dest->specified & OPERATION_ALLOWED)
- memcpy(dest->allowed->perms, src->allowed->perms,
- sizeof(src->allowed->perms));
- if (dest->specified & OPERATION_AUDITALLOW)
- memcpy(dest->auditallow->perms, src->auditallow->perms,
- sizeof(src->auditallow->perms));
- if (dest->specified & OPERATION_DONTAUDIT)
- memcpy(dest->dontaudit->perms, src->dontaudit->perms,
- sizeof(src->dontaudit->perms));
+ dest->driver = src->driver;
+ dest->used = src->used;
+ if (dest->used & XPERMS_ALLOWED)
+ memcpy(dest->allowed->p, src->allowed->p,
+ sizeof(src->allowed->p));
+ if (dest->used & XPERMS_AUDITALLOW)
+ memcpy(dest->auditallow->p, src->auditallow->p,
+ sizeof(src->auditallow->p));
+ if (dest->used & XPERMS_DONTAUDIT)
+ memcpy(dest->dontaudit->p, src->dontaudit->p,
+ sizeof(src->dontaudit->p));
}
/*
- * similar to avc_copy_operation_decision, but only copy decision
- * information relevant to this command
+ * similar to avc_copy_xperms_decision, but only copy decision
+ * information relevant to this perm
*/
-static inline void avc_quick_copy_operation_decision(u16 cmd,
- struct operation_decision *dest,
- struct operation_decision *src)
+static inline void avc_quick_copy_xperms_decision(u8 perm,
+ struct extended_perms_decision *dest,
+ struct extended_perms_decision *src)
{
/*
* compute index of the u32 of the 256 bits (8 u32s) that contain this
* command permission
*/
- u8 i = (0xff & cmd) >> 5;
-
- dest->specified = src->specified;
- if (dest->specified & OPERATION_ALLOWED)
- dest->allowed->perms[i] = src->allowed->perms[i];
- if (dest->specified & OPERATION_AUDITALLOW)
- dest->auditallow->perms[i] = src->auditallow->perms[i];
- if (dest->specified & OPERATION_DONTAUDIT)
- dest->dontaudit->perms[i] = src->dontaudit->perms[i];
+ u8 i = perm >> 5;
+
+ dest->used = src->used;
+ if (dest->used & XPERMS_ALLOWED)
+ dest->allowed->p[i] = src->allowed->p[i];
+ if (dest->used & XPERMS_AUDITALLOW)
+ dest->auditallow->p[i] = src->auditallow->p[i];
+ if (dest->used & XPERMS_DONTAUDIT)
+ dest->dontaudit->p[i] = src->dontaudit->p[i];
}
-static struct avc_operation_decision_node
- *avc_operation_decision_alloc(u8 specified)
+static struct avc_xperms_decision_node
+ *avc_xperms_decision_alloc(u8 which)
{
- struct avc_operation_decision_node *node;
- struct operation_decision *od;
+ struct avc_xperms_decision_node *xpd_node;
+ struct extended_perms_decision *xpd;
- node = kmem_cache_zalloc(avc_operation_decision_node_cachep,
+ xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep,
GFP_ATOMIC | __GFP_NOMEMALLOC);
- if (!node)
+ if (!xpd_node)
return NULL;
- od = &node->od;
- if (specified & OPERATION_ALLOWED) {
- od->allowed = kmem_cache_zalloc(avc_operation_perm_cachep,
+ xpd = &xpd_node->xpd;
+ if (which & XPERMS_ALLOWED) {
+ xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep,
GFP_ATOMIC | __GFP_NOMEMALLOC);
- if (!od->allowed)
+ if (!xpd->allowed)
goto error;
}
- if (specified & OPERATION_AUDITALLOW) {
- od->auditallow = kmem_cache_zalloc(avc_operation_perm_cachep,
+ if (which & XPERMS_AUDITALLOW) {
+ xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep,
GFP_ATOMIC | __GFP_NOMEMALLOC);
- if (!od->auditallow)
+ if (!xpd->auditallow)
goto error;
}
- if (specified & OPERATION_DONTAUDIT) {
- od->dontaudit = kmem_cache_zalloc(avc_operation_perm_cachep,
+ if (which & XPERMS_DONTAUDIT) {
+ xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep,
GFP_ATOMIC | __GFP_NOMEMALLOC);
- if (!od->dontaudit)
+ if (!xpd->dontaudit)
goto error;
}
- return node;
+ return xpd_node;
error:
- avc_operation_decision_free(node);
+ avc_xperms_decision_free(xpd_node);
return NULL;
}
-static int avc_add_operation(struct avc_node *node,
- struct operation_decision *od)
+static int avc_add_xperms_decision(struct avc_node *node,
+ struct extended_perms_decision *src)
{
- struct avc_operation_decision_node *dest_od;
+ struct avc_xperms_decision_node *dest_xpd;
- node->ae.ops_node->ops.len++;
- dest_od = avc_operation_decision_alloc(od->specified);
- if (!dest_od)
+ node->ae.xp_node->xp.len++;
+ dest_xpd = avc_xperms_decision_alloc(src->used);
+ if (!dest_xpd)
return -ENOMEM;
- avc_copy_operation_decision(&dest_od->od, od);
- list_add(&dest_od->od_list, &node->ae.ops_node->od_head);
+ avc_copy_xperms_decision(&dest_xpd->xpd, src);
+ list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head);
return 0;
}
-static struct avc_operation_node *avc_operation_alloc(void)
+static struct avc_xperms_node *avc_xperms_alloc(void)
{
- struct avc_operation_node *ops;
+ struct avc_xperms_node *xp_node;
- ops = kmem_cache_zalloc(avc_operation_node_cachep,
+ xp_node = kmem_cache_zalloc(avc_xperms_cachep,
GFP_ATOMIC|__GFP_NOMEMALLOC);
- if (!ops)
- return ops;
- INIT_LIST_HEAD(&ops->od_head);
- return ops;
+ if (!xp_node)
+ return xp_node;
+ INIT_LIST_HEAD(&xp_node->xpd_head);
+ return xp_node;
}
-static int avc_operation_populate(struct avc_node *node,
- struct avc_operation_node *src)
+static int avc_xperms_populate(struct avc_node *node,
+ struct avc_xperms_node *src)
{
- struct avc_operation_node *dest;
- struct avc_operation_decision_node *dest_od;
- struct avc_operation_decision_node *src_od;
+ struct avc_xperms_node *dest;
+ struct avc_xperms_decision_node *dest_xpd;
+ struct avc_xperms_decision_node *src_xpd;
- if (src->ops.len == 0)
+ if (src->xp.len == 0)
return 0;
- dest = avc_operation_alloc();
+ dest = avc_xperms_alloc();
if (!dest)
return -ENOMEM;
- memcpy(dest->ops.type, &src->ops.type, sizeof(dest->ops.type));
- dest->ops.len = src->ops.len;
+ memcpy(dest->xp.drivers.p, src->xp.drivers.p, sizeof(dest->xp.drivers.p));
+ dest->xp.len = src->xp.len;
- /* for each source od allocate a destination od and copy */
- list_for_each_entry(src_od, &src->od_head, od_list) {
- dest_od = avc_operation_decision_alloc(src_od->od.specified);
- if (!dest_od)
+ /* for each source xpd allocate a destination xpd and copy */
+ list_for_each_entry(src_xpd, &src->xpd_head, xpd_list) {
+ dest_xpd = avc_xperms_decision_alloc(src_xpd->xpd.used);
+ if (!dest_xpd)
goto error;
- avc_copy_operation_decision(&dest_od->od, &src_od->od);
- list_add(&dest_od->od_list, &dest->od_head);
+ avc_copy_xperms_decision(&dest_xpd->xpd, &src_xpd->xpd);
+ list_add(&dest_xpd->xpd_list, &dest->xpd_head);
}
- node->ae.ops_node = dest;
+ node->ae.xp_node = dest;
return 0;
error:
- avc_operation_free(dest);
+ avc_xperms_free(dest);
return -ENOMEM;
}
-static inline u32 avc_operation_audit_required(u32 requested,
+static inline u32 avc_xperms_audit_required(u32 requested,
struct av_decision *avd,
- struct operation_decision *od,
- u16 cmd,
+ struct extended_perms_decision *xpd,
+ u8 perm,
int result,
u32 *deniedp)
{
@@ -455,18 +447,16 @@ static inline u32 avc_operation_audit_required(u32 requested,
denied = requested & ~avd->allowed;
if (unlikely(denied)) {
audited = denied & avd->auditdeny;
- if (audited && od) {
- if (avc_operation_has_perm(od, cmd,
- OPERATION_DONTAUDIT))
+ if (audited && xpd) {
+ if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT))
audited &= ~requested;
}
} else if (result) {
audited = denied = requested;
} else {
audited = requested & avd->auditallow;
- if (audited && od) {
- if (!avc_operation_has_perm(od, cmd,
- OPERATION_AUDITALLOW))
+ if (audited && xpd) {
+ if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW))
audited &= ~requested;
}
}
@@ -475,16 +465,16 @@ static inline u32 avc_operation_audit_required(u32 requested,
return audited;
}
-static inline int avc_operation_audit(u32 ssid, u32 tsid, u16 tclass,
+static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass,
u32 requested, struct av_decision *avd,
- struct operation_decision *od,
- u16 cmd, int result,
+ struct extended_perms_decision *xpd,
+ u8 perm, int result,
struct common_audit_data *ad)
{
u32 audited, denied;
- audited = avc_operation_audit_required(
- requested, avd, od, cmd, result, &denied);
+ audited = avc_xperms_audit_required(
+ requested, avd, xpd, perm, result, &denied);
if (likely(!audited))
return 0;
return slow_avc_audit(ssid, tsid, tclass, requested,
@@ -494,7 +484,7 @@ static inline int avc_operation_audit(u32 ssid, u32 tsid, u16 tclass,
static void avc_node_free(struct rcu_head *rhead)
{
struct avc_node *node = container_of(rhead, struct avc_node, rhead);
- avc_operation_free(node->ae.ops_node);
+ avc_xperms_free(node->ae.xp_node);
kmem_cache_free(avc_node_cachep, node);
avc_cache_stats_incr(frees);
}
@@ -508,7 +498,7 @@ static void avc_node_delete(struct avc_node *node)
static void avc_node_kill(struct avc_node *node)
{
- avc_operation_free(node->ae.ops_node);
+ avc_xperms_free(node->ae.xp_node);
kmem_cache_free(avc_node_cachep, node);
avc_cache_stats_incr(frees);
atomic_dec(&avc_cache.active_nodes);
@@ -655,7 +645,7 @@ static int avc_latest_notif_update(int seqno, int is_insert)
* @tsid: target security identifier
* @tclass: target security class
* @avd: resulting av decision
- * @ops: resulting operation decisions
+ * @xp_node: resulting extended permissions
*
* Insert an AVC entry for the SID pair
* (@ssid, @tsid) and class @tclass.
@@ -669,7 +659,7 @@ static int avc_latest_notif_update(int seqno, int is_insert)
*/
static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass,
struct av_decision *avd,
- struct avc_operation_node *ops_node)
+ struct avc_xperms_node *xp_node)
{
struct avc_node *pos, *node = NULL;
int hvalue;
@@ -686,7 +676,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass,
hvalue = avc_hash(ssid, tsid, tclass);
avc_node_populate(node, ssid, tsid, tclass, avd);
- rc = avc_operation_populate(node, ops_node);
+ rc = avc_xperms_populate(node, xp_node);
if (rc) {
kmem_cache_free(avc_node_cachep, node);
return NULL;
@@ -824,16 +814,16 @@ static inline int avc_sidcmp(u32 x, u32 y)
* @perms : Permission mask bits
* @ssid,@tsid,@tclass : identifier of an AVC entry
* @seqno : sequence number when decision was made
- * @od: operation_decision to be added to the node
+ * @xpd: extended_perms_decision to be added to the node
*
* if a valid AVC entry doesn't exist,this function returns -ENOENT.
* if kmalloc() called internal returns NULL, this function returns -ENOMEM.
* otherwise, this function updates the AVC entry. The original AVC-entry object
* will release later by RCU.
*/
-static int avc_update_node(u32 event, u32 perms, u16 cmd, u32 ssid, u32 tsid,
- u16 tclass, u32 seqno,
- struct operation_decision *od,
+static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid,
+ u32 tsid, u16 tclass, u32 seqno,
+ struct extended_perms_decision *xpd,
u32 flags)
{
int hvalue, rc = 0;
@@ -878,8 +868,8 @@ static int avc_update_node(u32 event, u32 perms, u16 cmd, u32 ssid, u32 tsid,
avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd);
- if (orig->ae.ops_node) {
- rc = avc_operation_populate(node, orig->ae.ops_node);
+ if (orig->ae.xp_node) {
+ rc = avc_xperms_populate(node, orig->ae.xp_node);
if (rc) {
kmem_cache_free(avc_node_cachep, node);
goto out_unlock;
@@ -889,8 +879,8 @@ static int avc_update_node(u32 event, u32 perms, u16 cmd, u32 ssid, u32 tsid,
switch (event) {
case AVC_CALLBACK_GRANT:
node->ae.avd.allowed |= perms;
- if (node->ae.ops_node && (flags & AVC_OPERATION_CMD))
- avc_operation_allow_perm(node->ae.ops_node, cmd);
+ if (node->ae.xp_node && (flags & AVC_EXTENDED_PERMS))
+ avc_xperms_allow_perm(node->ae.xp_node, driver, xperm);
break;
case AVC_CALLBACK_TRY_REVOKE:
case AVC_CALLBACK_REVOKE:
@@ -908,8 +898,8 @@ static int avc_update_node(u32 event, u32 perms, u16 cmd, u32 ssid, u32 tsid,
case AVC_CALLBACK_AUDITDENY_DISABLE:
node->ae.avd.auditdeny &= ~perms;
break;
- case AVC_CALLBACK_ADD_OPERATION:
- avc_add_operation(node, od);
+ case AVC_CALLBACK_ADD_XPERMS:
+ avc_add_xperms_decision(node, xpd);
break;
}
avc_node_replace(node, orig);
@@ -983,18 +973,18 @@ int avc_ss_reset(u32 seqno)
*/
static noinline struct avc_node *avc_compute_av(u32 ssid, u32 tsid,
u16 tclass, struct av_decision *avd,
- struct avc_operation_node *ops_node)
+ struct avc_xperms_node *xp_node)
{
rcu_read_unlock();
- INIT_LIST_HEAD(&ops_node->od_head);
- security_compute_av(ssid, tsid, tclass, avd, &ops_node->ops);
+ INIT_LIST_HEAD(&xp_node->xpd_head);
+ security_compute_av(ssid, tsid, tclass, avd, &xp_node->xp);
rcu_read_lock();
- return avc_insert(ssid, tsid, tclass, avd, ops_node);
+ return avc_insert(ssid, tsid, tclass, avd, xp_node);
}
static noinline int avc_denied(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
- u16 cmd, unsigned flags,
+ u8 driver, u8 xperm, unsigned flags,
struct av_decision *avd)
{
if (flags & AVC_STRICT)
@@ -1003,88 +993,87 @@ static noinline int avc_denied(u32 ssid, u32 tsid,
if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
return -EACCES;
- avc_update_node(AVC_CALLBACK_GRANT, requested, cmd, ssid,
+ avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid,
tsid, tclass, avd->seqno, NULL, flags);
return 0;
}
/*
- * ioctl commands are comprised of four fields, direction, size, type, and
- * number. The avc operation logic filters based on two of them:
- *
- * type: or code, typically unique to each driver
- * number: or function
- *
- * For example, 0x89 is a socket type, and number 0x27 is the get hardware
- * address function.
+ * The avc extended permissions logic adds an additional 256 bits of
+ * permissions to an avc node when extended permissions for that node are
+ * specified in the avtab. If the additional 256 permissions is not adequate,
+ * as-is the case with ioctls, then multiple may be chained together and the
+ * driver field is used to specify which set contains the permission.
*/
-int avc_has_operation(u32 ssid, u32 tsid, u16 tclass, u32 requested,
- u16 cmd, struct common_audit_data *ad)
+int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
+ u8 driver, u8 xperm, struct common_audit_data *ad)
{
struct avc_node *node;
struct av_decision avd;
u32 denied;
- struct operation_decision *od = NULL;
- struct operation_decision od_local;
- struct operation_perm allowed;
- struct operation_perm auditallow;
- struct operation_perm dontaudit;
- struct avc_operation_node local_ops_node;
- struct avc_operation_node *ops_node;
- u8 type = cmd >> 8;
+ struct extended_perms_decision local_xpd;
+ struct extended_perms_decision *xpd = NULL;
+ struct extended_perms_data allowed;
+ struct extended_perms_data auditallow;
+ struct extended_perms_data dontaudit;
+ struct avc_xperms_node local_xp_node;
+ struct avc_xperms_node *xp_node;
int rc = 0, rc2;
- ops_node = &local_ops_node;
+ xp_node = &local_xp_node;
BUG_ON(!requested);
rcu_read_lock();
node = avc_lookup(ssid, tsid, tclass);
if (unlikely(!node)) {
- node = avc_compute_av(ssid, tsid, tclass, &avd, ops_node);
+ node = avc_compute_av(ssid, tsid, tclass, &avd, xp_node);
} else {
memcpy(&avd, &node->ae.avd, sizeof(avd));
- ops_node = node->ae.ops_node;
+ xp_node = node->ae.xp_node;
}
- /* if operations are not defined, only consider av_decision */
- if (!ops_node || !ops_node->ops.len)
+ /* if extended permissions are not defined, only consider av_decision */
+ if (!xp_node || !xp_node->xp.len)
goto decision;
- od_local.allowed = &allowed;
- od_local.auditallow = &auditallow;
- od_local.dontaudit = &dontaudit;
+ local_xpd.allowed = &allowed;
+ local_xpd.auditallow = &auditallow;
+ local_xpd.dontaudit = &dontaudit;
- /* lookup operation decision */
- od = avc_operation_lookup(type, ops_node);
- if (unlikely(!od)) {
- /* Compute operation decision if type is flagged */
- if (!security_operation_test(ops_node->ops.type, type)) {
+ xpd = avc_xperms_decision_lookup(driver, xp_node);
+ if (unlikely(!xpd)) {
+ /*
+ * Compute the extended_perms_decision only if the driver
+ * is flagged
+ */
+ if (!security_xperm_test(xp_node->xp.drivers.p, driver)) {
avd.allowed &= ~requested;
goto decision;
}
rcu_read_unlock();
- security_compute_operation(ssid, tsid, tclass, type, &od_local);
+ security_compute_xperms_decision(ssid, tsid, tclass, driver,
+ &local_xpd);
rcu_read_lock();
- avc_update_node(AVC_CALLBACK_ADD_OPERATION, requested, cmd,
- ssid, tsid, tclass, avd.seqno, &od_local, 0);
+ avc_update_node(AVC_CALLBACK_ADD_XPERMS, requested, driver, xperm,
+ ssid, tsid, tclass, avd.seqno, &local_xpd, 0);
} else {
- avc_quick_copy_operation_decision(cmd, &od_local, od);
+ avc_quick_copy_xperms_decision(xperm, &local_xpd, xpd);
}
- od = &od_local;
+ xpd = &local_xpd;
- if (!avc_operation_has_perm(od, cmd, OPERATION_ALLOWED))
+ if (!avc_xperms_has_perm(xpd, xperm, XPERMS_ALLOWED))
avd.allowed &= ~requested;
decision:
denied = requested & ~(avd.allowed);
if (unlikely(denied))
- rc = avc_denied(ssid, tsid, tclass, requested, cmd,
- AVC_OPERATION_CMD, &avd);
+ rc = avc_denied(ssid, tsid, tclass, requested, driver, xperm,
+ AVC_EXTENDED_PERMS, &avd);
rcu_read_unlock();
- rc2 = avc_operation_audit(ssid, tsid, tclass, requested,
- &avd, od, cmd, rc, ad);
+ rc2 = avc_xperms_audit(ssid, tsid, tclass, requested,
+ &avd, xpd, xperm, rc, ad);
if (rc2)
return rc2;
return rc;
@@ -1116,7 +1105,7 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
struct av_decision *avd)
{
struct avc_node *node;
- struct avc_operation_node ops_node;
+ struct avc_xperms_node xp_node;
int rc = 0;
u32 denied;
@@ -1126,13 +1115,13 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
node = avc_lookup(ssid, tsid, tclass);
if (unlikely(!node))
- node = avc_compute_av(ssid, tsid, tclass, avd, &ops_node);
+ node = avc_compute_av(ssid, tsid, tclass, avd, &xp_node);
else
memcpy(avd, &node->ae.avd, sizeof(*avd));
denied = requested & ~(avd->allowed);
if (unlikely(denied))
- rc = avc_denied(ssid, tsid, tclass, requested, 0, flags, avd);
+ rc = avc_denied(ssid, tsid, tclass, requested, 0, 0, flags, avd);
rcu_read_unlock();
return rc;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b16e957e9006..e45ef573534b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3215,6 +3215,8 @@ int ioctl_has_perm(const struct cred *cred, struct file *file,
struct lsm_ioctlop_audit ioctl;
u32 ssid = cred_sid(cred);
int rc;
+ u8 driver = cmd >> 8;
+ u8 xperm = cmd & 0xff;
ad.type = LSM_AUDIT_DATA_IOCTL_OP;
ad.u.op = &ioctl;
@@ -3233,8 +3235,8 @@ int ioctl_has_perm(const struct cred *cred, struct file *file,
if (unlikely(IS_PRIVATE(inode)))
return 0;
- rc = avc_has_operation(ssid, isec->sid, isec->sclass,
- requested, cmd, &ad);
+ rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
+ requested, driver, xperm, &ad);
out:
return rc;
}
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 3165d4ed837c..03a9f08053e3 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -142,7 +142,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
}
#define AVC_STRICT 1 /* Ignore permissive mode. */
-#define AVC_OPERATION_CMD 2 /* ignore command when updating operations */
+#define AVC_EXTENDED_PERMS 2 /* update extended permissions */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
unsigned flags,
@@ -152,8 +152,8 @@ int avc_has_perm(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
struct common_audit_data *auditdata);
-int avc_has_operation(u32 ssid, u32 tsid, u16 tclass, u32 requested,
- u16 cmd, struct common_audit_data *ad);
+int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
+ u8 driver, u8 perm, struct common_audit_data *ad);
u32 avc_policy_seqno(void);
@@ -165,7 +165,7 @@ u32 avc_policy_seqno(void);
#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
#define AVC_CALLBACK_AUDITDENY_ENABLE 64
#define AVC_CALLBACK_AUDITDENY_DISABLE 128
-#define AVC_CALLBACK_ADD_OPERATION 256
+#define AVC_CALLBACK_ADD_XPERMS 256
int avc_add_callback(int (*callback)(u32 event), u32 events);
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index be99667c2a21..c9acb6ee2cae 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -34,14 +34,14 @@
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
#define POLICYDB_VERSION_DEFAULT_TYPE 28
#define POLICYDB_VERSION_CONSTRAINT_NAMES 29
-#define POLICYDB_VERSION_IOCTL_OPERATIONS 30
+#define POLICYDB_VERSION_XPERMS_IOCTL 30
/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
#else
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_IOCTL_OPERATIONS
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_XPERMS_IOCTL
#endif
/* Mask for just the mount related flags */
@@ -109,29 +109,27 @@ struct av_decision {
u32 flags;
};
-#define security_operation_set(perms, x) (perms[x >> 5] |= 1 << (x & 0x1f))
-#define security_operation_test(perms, x) (1 & (perms[x >> 5] >> (x & 0x1f)))
+#define XPERMS_ALLOWED 1
+#define XPERMS_AUDITALLOW 2
+#define XPERMS_DONTAUDIT 4
-struct operation_perm {
- u32 perms[8];
+#define security_xperm_set(perms, x) (perms[x >> 5] |= 1 << (x & 0x1f))
+#define security_xperm_test(perms, x) (1 & (perms[x >> 5] >> (x & 0x1f)))
+struct extended_perms_data {
+ u32 p[8];
};
-struct operation_decision {
- u8 type;
- u8 specified;
- struct operation_perm *allowed;
- struct operation_perm *auditallow;
- struct operation_perm *dontaudit;
+struct extended_perms_decision {
+ u8 used;
+ u8 driver;
+ struct extended_perms_data *allowed;
+ struct extended_perms_data *auditallow;
+ struct extended_perms_data *dontaudit;
};
-#define OPERATION_ALLOWED 1
-#define OPERATION_AUDITALLOW 2
-#define OPERATION_DONTAUDIT 4
-#define OPERATION_ALL (OPERATION_ALLOWED | OPERATION_AUDITALLOW |\
- OPERATION_DONTAUDIT)
-struct operation {
- u16 len; /* length of operation decision chain */
- u32 type[8]; /* 256 types */
+struct extended_perms {
+ u16 len; /* length associated decision chain */
+ struct extended_perms_data drivers; /* flag drivers that are used */
};
/* definitions of av_decision.flags */
@@ -139,10 +137,10 @@ struct operation {
void security_compute_av(u32 ssid, u32 tsid,
u16 tclass, struct av_decision *avd,
- struct operation *ops);
+ struct extended_perms *xperms);
-void security_compute_operation(u32 ssid, u32 tsid, u16 tclass,
- u8 type, struct operation_decision *od);
+void security_compute_xperms_decision(u32 ssid, u32 tsid, u16 tclass,
+ u8 driver, struct extended_perms_decision *xpermd);
void security_compute_av_user(u32 ssid, u32 tsid,
u16 tclass, struct av_decision *avd);
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index dd7466cb2021..640c16b9d3fb 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -24,7 +24,7 @@
#include "policydb.h"
static struct kmem_cache *avtab_node_cachep;
-static struct kmem_cache *avtab_operation_cachep;
+static struct kmem_cache *avtab_xperms_cachep;
static inline int avtab_hash(struct avtab_key *keyp, u16 mask)
{
@@ -38,20 +38,20 @@ avtab_insert_node(struct avtab *h, int hvalue,
struct avtab_key *key, struct avtab_datum *datum)
{
struct avtab_node *newnode;
- struct avtab_operation *ops;
+ struct avtab_extended_perms *xperms;
newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);
if (newnode == NULL)
return NULL;
newnode->key = *key;
- if (key->specified & AVTAB_OP) {
- ops = kmem_cache_zalloc(avtab_operation_cachep, GFP_KERNEL);
- if (ops == NULL) {
+ if (key->specified & AVTAB_XPERMS) {
+ xperms = kmem_cache_zalloc(avtab_xperms_cachep, GFP_KERNEL);
+ if (xperms == NULL) {
kmem_cache_free(avtab_node_cachep, newnode);
return NULL;
}
- *ops = *(datum->u.ops);
- newnode->datum.u.ops = ops;
+ *xperms = *(datum->u.xperms);
+ newnode->datum.u.xperms = xperms;
} else {
newnode->datum.u.data = datum->u.data;
}
@@ -85,7 +85,8 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
key->target_type == cur->key.target_type &&
key->target_class == cur->key.target_class &&
(specified & cur->key.specified)) {
- if (specified & AVTAB_OPNUM)
+ /* extended perms may not be unique */
+ if (specified & AVTAB_XPERMS)
break;
return -EEXIST;
}
@@ -249,9 +250,9 @@ void avtab_destroy(struct avtab *h)
while (cur) {
temp = cur;
cur = cur->next;
- if (temp->key.specified & AVTAB_OP)
- kmem_cache_free(avtab_operation_cachep,
- temp->datum.u.ops);
+ if (temp->key.specified & AVTAB_XPERMS)
+ kmem_cache_free(avtab_xperms_cachep,
+ temp->datum.u.xperms);
kmem_cache_free(avtab_node_cachep, temp);
}
h->htable[i] = NULL;
@@ -334,6 +335,32 @@ void avtab_hash_eval(struct avtab *h, char *tag)
chain2_len_sum);
}
+/*
+ * extended permissions compatibility. Make ToT Android kernels compatible
+ * with Android M releases
+ */
+#define AVTAB_OPTYPE_ALLOWED 0x1000
+#define AVTAB_OPTYPE_AUDITALLOW 0x2000
+#define AVTAB_OPTYPE_DONTAUDIT 0x4000
+#define AVTAB_OPTYPE (AVTAB_OPTYPE_ALLOWED | \
+ AVTAB_OPTYPE_AUDITALLOW | \
+ AVTAB_OPTYPE_DONTAUDIT)
+#define AVTAB_XPERMS_OPTYPE 4
+
+#define avtab_xperms_to_optype(x) (x << AVTAB_XPERMS_OPTYPE)
+#define avtab_optype_to_xperms(x) (x >> AVTAB_XPERMS_OPTYPE)
+
+static unsigned int avtab_android_m_compat;
+
+static void avtab_android_m_compat_set(void)
+{
+ if (!avtab_android_m_compat) {
+ pr_info("SELinux: Android master kernel running Android"
+ " M policy in compatibility mode.\n");
+ avtab_android_m_compat = 1;
+ }
+}
+
static uint16_t spec_order[] = {
AVTAB_ALLOWED,
AVTAB_AUDITDENY,
@@ -341,12 +368,9 @@ static uint16_t spec_order[] = {
AVTAB_TRANSITION,
AVTAB_CHANGE,
AVTAB_MEMBER,
- AVTAB_OPNUM_ALLOWED,
- AVTAB_OPNUM_AUDITALLOW,
- AVTAB_OPNUM_DONTAUDIT,
- AVTAB_OPTYPE_ALLOWED,
- AVTAB_OPTYPE_AUDITALLOW,
- AVTAB_OPTYPE_DONTAUDIT
+ AVTAB_XPERMS_ALLOWED,
+ AVTAB_XPERMS_AUDITALLOW,
+ AVTAB_XPERMS_DONTAUDIT
};
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
@@ -359,8 +383,9 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
u32 items, items2, val, vers = pol->policyvers;
struct avtab_key key;
struct avtab_datum datum;
- struct avtab_operation ops;
- __le32 buf32[ARRAY_SIZE(ops.op.perms)];
+ struct avtab_extended_perms xperms;
+ __le32 buf32[ARRAY_SIZE(xperms.perms.p)];
+ unsigned int android_m_compat_optype = 0;
int i, rc;
unsigned set;
@@ -417,8 +442,8 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n");
return -EINVAL;
}
- if (val & AVTAB_OP) {
- printk(KERN_ERR "SELinux: avtab: entry has operations\n");
+ if (val & AVTAB_XPERMS) {
+ printk(KERN_ERR "SELinux: avtab: entry has extended permissions\n");
return -EINVAL;
}
@@ -444,12 +469,20 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
printk(KERN_ERR "SELinux: avtab: truncated entry\n");
return rc;
}
+
items = 0;
key.source_type = le16_to_cpu(buf16[items++]);
key.target_type = le16_to_cpu(buf16[items++]);
key.target_class = le16_to_cpu(buf16[items++]);
key.specified = le16_to_cpu(buf16[items++]);
+ if ((key.specified & AVTAB_OPTYPE) &&
+ (vers == POLICYDB_VERSION_XPERMS_IOCTL)) {
+ key.specified = avtab_optype_to_xperms(key.specified);
+ android_m_compat_optype = 1;
+ avtab_android_m_compat_set();
+ }
+
if (!policydb_type_isvalid(pol, key.source_type) ||
!policydb_type_isvalid(pol, key.target_type) ||
!policydb_class_isvalid(pol, key.target_class)) {
@@ -467,29 +500,51 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
return -EINVAL;
}
- if ((vers < POLICYDB_VERSION_IOCTL_OPERATIONS)
- || !(key.specified & AVTAB_OP)) {
- rc = next_entry(buf32, fp, sizeof(u32));
+ if ((vers < POLICYDB_VERSION_XPERMS_IOCTL) &&
+ (key.specified & AVTAB_XPERMS)) {
+ printk(KERN_ERR "SELinux: avtab: policy version %u does not "
+ "support extended permissions rules and one "
+ "was specified\n", vers);
+ return -EINVAL;
+ } else if (key.specified & AVTAB_XPERMS) {
+ memset(&xperms, 0, sizeof(struct avtab_extended_perms));
+ rc = next_entry(&xperms.specified, fp, sizeof(u8));
if (rc) {
printk(KERN_ERR "SELinux: avtab: truncated entry\n");
return rc;
}
- datum.u.data = le32_to_cpu(*buf32);
- } else {
- memset(&ops, 0, sizeof(struct avtab_operation));
- rc = next_entry(&ops.type, fp, sizeof(u8));
+ if (avtab_android_m_compat ||
+ ((xperms.specified != AVTAB_XPERMS_IOCTLFUNCTION) &&
+ (xperms.specified != AVTAB_XPERMS_IOCTLDRIVER) &&
+ (vers == POLICYDB_VERSION_XPERMS_IOCTL))) {
+ xperms.driver = xperms.specified;
+ if (android_m_compat_optype)
+ xperms.specified = AVTAB_XPERMS_IOCTLDRIVER;
+ else
+ xperms.specified = AVTAB_XPERMS_IOCTLFUNCTION;
+ avtab_android_m_compat_set();
+ } else {
+ rc = next_entry(&xperms.driver, fp, sizeof(u8));
+ if (rc) {
+ printk(KERN_ERR "SELinux: avtab: truncated entry\n");
+ return rc;
+ }
+ }
+ rc = next_entry(buf32, fp, sizeof(u32)*ARRAY_SIZE(xperms.perms.p));
if (rc) {
printk(KERN_ERR "SELinux: avtab: truncated entry\n");
return rc;
}
- rc = next_entry(buf32, fp, sizeof(u32)*ARRAY_SIZE(ops.op.perms));
+ for (i = 0; i < ARRAY_SIZE(xperms.perms.p); i++)
+ xperms.perms.p[i] = le32_to_cpu(buf32[i]);
+ datum.u.xperms = &xperms;
+ } else {
+ rc = next_entry(buf32, fp, sizeof(u32));
if (rc) {
printk(KERN_ERR "SELinux: avtab: truncated entry\n");
return rc;
}
- for (i = 0; i < ARRAY_SIZE(ops.op.perms); i++)
- ops.op.perms[i] = le32_to_cpu(buf32[i]);
- datum.u.ops = &ops;
+ datum.u.data = le32_to_cpu(*buf32);
}
if ((key.specified & AVTAB_TYPE) &&
!policydb_type_isvalid(pol, datum.u.data)) {
@@ -552,26 +607,36 @@ bad:
int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp)
{
__le16 buf16[4];
- __le32 buf32[ARRAY_SIZE(cur->datum.u.ops->op.perms)];
+ __le32 buf32[ARRAY_SIZE(cur->datum.u.xperms->perms.p)];
int rc;
unsigned int i;
buf16[0] = cpu_to_le16(cur->key.source_type);
buf16[1] = cpu_to_le16(cur->key.target_type);
buf16[2] = cpu_to_le16(cur->key.target_class);
- buf16[3] = cpu_to_le16(cur->key.specified);
+ if (avtab_android_m_compat && (cur->key.specified & AVTAB_XPERMS) &&
+ (cur->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER))
+ buf16[3] = cpu_to_le16(avtab_xperms_to_optype(cur->key.specified));
+ else
+ buf16[3] = cpu_to_le16(cur->key.specified);
rc = put_entry(buf16, sizeof(u16), 4, fp);
if (rc)
return rc;
- if (cur->key.specified & AVTAB_OP) {
- rc = put_entry(&cur->datum.u.ops->type, sizeof(u8), 1, fp);
+ if (cur->key.specified & AVTAB_XPERMS) {
+ if (avtab_android_m_compat == 0) {
+ rc = put_entry(&cur->datum.u.xperms->specified,
+ sizeof(u8), 1, fp);
+ if (rc)
+ return rc;
+ }
+ rc = put_entry(&cur->datum.u.xperms->driver, sizeof(u8), 1, fp);
if (rc)
return rc;
- for (i = 0; i < ARRAY_SIZE(cur->datum.u.ops->op.perms); i++)
- buf32[i] = cpu_to_le32(cur->datum.u.ops->op.perms[i]);
+ for (i = 0; i < ARRAY_SIZE(cur->datum.u.xperms->perms.p); i++)
+ buf32[i] = cpu_to_le32(cur->datum.u.xperms->perms.p[i]);
rc = put_entry(buf32, sizeof(u32),
- ARRAY_SIZE(cur->datum.u.ops->op.perms), fp);
+ ARRAY_SIZE(cur->datum.u.xperms->perms.p), fp);
} else {
buf32[0] = cpu_to_le32(cur->datum.u.data);
rc = put_entry(buf32, sizeof(u32), 1, fp);
@@ -608,13 +673,13 @@ void avtab_cache_init(void)
avtab_node_cachep = kmem_cache_create("avtab_node",
sizeof(struct avtab_node),
0, SLAB_PANIC, NULL);
- avtab_operation_cachep = kmem_cache_create("avtab_operation",
- sizeof(struct avtab_operation),
- 0, SLAB_PANIC, NULL);
+ avtab_xperms_cachep = kmem_cache_create("avtab_extended_perms",
+ sizeof(struct avtab_extended_perms),
+ 0, SLAB_PANIC, NULL);
}
void avtab_cache_destroy(void)
{
kmem_cache_destroy(avtab_node_cachep);
- kmem_cache_destroy(avtab_operation_cachep);
+ kmem_cache_destroy(avtab_xperms_cachep);
}
diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
index 97acd6fa705e..8133523ca679 100644
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -37,33 +37,42 @@ struct avtab_key {
#define AVTAB_MEMBER 0x0020
#define AVTAB_CHANGE 0x0040
#define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
-#define AVTAB_OPNUM_ALLOWED 0x0100
-#define AVTAB_OPNUM_AUDITALLOW 0x0200
-#define AVTAB_OPNUM_DONTAUDIT 0x0400
-#define AVTAB_OPNUM (AVTAB_OPNUM_ALLOWED | \
- AVTAB_OPNUM_AUDITALLOW | \
- AVTAB_OPNUM_DONTAUDIT)
-#define AVTAB_OPTYPE_ALLOWED 0x1000
-#define AVTAB_OPTYPE_AUDITALLOW 0x2000
-#define AVTAB_OPTYPE_DONTAUDIT 0x4000
-#define AVTAB_OPTYPE (AVTAB_OPTYPE_ALLOWED | \
- AVTAB_OPTYPE_AUDITALLOW | \
- AVTAB_OPTYPE_DONTAUDIT)
-#define AVTAB_OP (AVTAB_OPNUM | AVTAB_OPTYPE)
+/* extended permissions */
+#define AVTAB_XPERMS_ALLOWED 0x0100
+#define AVTAB_XPERMS_AUDITALLOW 0x0200
+#define AVTAB_XPERMS_DONTAUDIT 0x0400
+#define AVTAB_XPERMS (AVTAB_XPERMS_ALLOWED | \
+ AVTAB_XPERMS_AUDITALLOW | \
+ AVTAB_XPERMS_DONTAUDIT)
#define AVTAB_ENABLED_OLD 0x80000000 /* reserved for used in cond_avtab */
#define AVTAB_ENABLED 0x8000 /* reserved for used in cond_avtab */
u16 specified; /* what field is specified */
};
-struct avtab_operation {
- u8 type;
- struct operation_perm op;
+/*
+ * For operations that require more than the 32 permissions provided by the avc
+ * extended permissions may be used to provide 256 bits of permissions.
+ */
+struct avtab_extended_perms {
+/* These are not flags. All 256 values may be used */
+#define AVTAB_XPERMS_IOCTLFUNCTION 0x01
+#define AVTAB_XPERMS_IOCTLDRIVER 0x02
+ /* extension of the avtab_key specified */
+ u8 specified; /* ioctl, netfilter, ... */
+ /*
+ * if 256 bits is not adequate as is often the case with ioctls, then
+ * multiple extended perms may be used and the driver field
+ * specifies which permissions are included.
+ */
+ u8 driver;
+ /* 256 bits of permissions */
+ struct extended_perms_data perms;
};
struct avtab_datum {
union {
u32 data; /* access vector or type value */
- struct avtab_operation *ops; /* ioctl operations */
+ struct avtab_extended_perms *xperms;
} u;
};
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 16651c7a1541..6618fb45cca0 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -619,18 +619,18 @@ int cond_write_list(struct policydb *p, struct cond_node *list, void *fp)
return 0;
}
-void cond_compute_operation(struct avtab *ctab, struct avtab_key *key,
- struct operation_decision *od)
+void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
+ struct extended_perms_decision *xpermd)
{
struct avtab_node *node;
- if (!ctab || !key || !od)
+ if (!ctab || !key || !xpermd)
return;
for (node = avtab_search_node(ctab, key); node;
node = avtab_search_node_next(node, key->specified)) {
if (node->key.specified & AVTAB_ENABLED)
- services_compute_operation_num(od, node);
+ services_compute_xperms_decision(xpermd, node);
}
return;
@@ -639,11 +639,11 @@ void cond_compute_operation(struct avtab *ctab, struct avtab_key *key,
* av table, and if so, add them to the result
*/
void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
- struct av_decision *avd, struct operation *ops)
+ struct av_decision *avd, struct extended_perms *xperms)
{
struct avtab_node *node;
- if (!ctab || !key || !avd || !ops)
+ if (!ctab || !key || !avd || !xperms)
return;
for (node = avtab_search_node(ctab, key); node;
@@ -663,8 +663,8 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
(node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
avd->auditallow |= node->datum.u.data;
if ((node->key.specified & AVTAB_ENABLED) &&
- (node->key.specified & AVTAB_OP))
- services_compute_operation_type(ops, node);
+ (node->key.specified & AVTAB_XPERMS))
+ services_compute_xperms_drivers(xperms, node);
}
return;
}
diff --git a/security/selinux/ss/conditional.h b/security/selinux/ss/conditional.h
index 80ee2bb20eee..ddb43e7e1c75 100644
--- a/security/selinux/ss/conditional.h
+++ b/security/selinux/ss/conditional.h
@@ -74,9 +74,9 @@ int cond_write_bool(void *key, void *datum, void *ptr);
int cond_write_list(struct policydb *p, struct cond_node *list, void *fp);
void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
- struct av_decision *avd, struct operation *ops);
-void cond_compute_operation(struct avtab *ctab, struct avtab_key *key,
- struct operation_decision *od);
+ struct av_decision *avd, struct extended_perms *xperms);
+void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
+ struct extended_perms_decision *xpermd);
int evaluate_cond_node(struct policydb *p, struct cond_node *node);
#endif /* _CONDITIONAL_H_ */
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 3d67403b9ce4..f34cdf1de240 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -149,7 +149,7 @@ static struct policydb_compat_info policydb_compat[] = {
.ocon_num = OCON_NUM,
},
{
- .version = POLICYDB_VERSION_IOCTL_OPERATIONS,
+ .version = POLICYDB_VERSION_XPERMS_IOCTL,
.sym_num = SYM_NUM,
.ocon_num = OCON_NUM,
},
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 94f3cc3c78f2..e6c5d9334794 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -96,7 +96,7 @@ static void context_struct_compute_av(struct context *scontext,
struct context *tcontext,
u16 tclass,
struct av_decision *avd,
- struct operation *ops);
+ struct extended_perms *xperms);
struct selinux_mapping {
u16 value; /* policy value */
@@ -616,39 +616,40 @@ static void type_attribute_bounds_av(struct context *scontext,
}
}
-/* flag ioctl types that have operation permissions */
-void services_compute_operation_type(
- struct operation *ops,
+/*
+ * flag which drivers have permissions
+ * only looking for ioctl based extended permssions
+ */
+void services_compute_xperms_drivers(
+ struct extended_perms *xperms,
struct avtab_node *node)
{
- u8 type;
unsigned int i;
- if (node->key.specified & AVTAB_OPTYPE) {
- /* if allowing one or more complete types */
- for (i = 0; i < ARRAY_SIZE(ops->type); i++)
- ops->type[i] |= node->datum.u.ops->op.perms[i];
- } else {
- /* if allowing operations within a type */
- type = node->datum.u.ops->type;
- security_operation_set(ops->type, type);
+ if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
+ /* if one or more driver has all permissions allowed */
+ for (i = 0; i < ARRAY_SIZE(xperms->drivers.p); i++)
+ xperms->drivers.p[i] |= node->datum.u.xperms->perms.p[i];
+ } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
+ /* if allowing permissions within a driver */
+ security_xperm_set(xperms->drivers.p,
+ node->datum.u.xperms->driver);
}
/* If no ioctl commands are allowed, ignore auditallow and auditdeny */
- if (node->key.specified & AVTAB_OPTYPE_ALLOWED ||
- node->key.specified & AVTAB_OPNUM_ALLOWED)
- ops->len = 1;
+ if (node->key.specified & AVTAB_XPERMS_ALLOWED)
+ xperms->len = 1;
}
/*
- * Compute access vectors and operations ranges based on a context
+ * Compute access vectors and extended permissions based on a context
* structure pair for the permissions in a particular class.
*/
static void context_struct_compute_av(struct context *scontext,
struct context *tcontext,
u16 tclass,
struct av_decision *avd,
- struct operation *ops)
+ struct extended_perms *xperms)
{
struct constraint_node *constraint;
struct role_allow *ra;
@@ -662,9 +663,9 @@ static void context_struct_compute_av(struct context *scontext,
avd->allowed = 0;
avd->auditallow = 0;
avd->auditdeny = 0xffffffff;
- if (ops) {
- memset(&ops->type, 0, sizeof(ops->type));
- ops->len = 0;
+ if (xperms) {
+ memset(&xperms->drivers, 0, sizeof(xperms->drivers));
+ xperms->len = 0;
}
if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
@@ -680,7 +681,7 @@ static void context_struct_compute_av(struct context *scontext,
* this permission check, then use it.
*/
avkey.target_class = tclass;
- avkey.specified = AVTAB_AV | AVTAB_OP;
+ avkey.specified = AVTAB_AV | AVTAB_XPERMS;
sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
BUG_ON(!sattr);
tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
@@ -698,12 +699,13 @@ static void context_struct_compute_av(struct context *scontext,
avd->auditallow |= node->datum.u.data;
else if (node->key.specified == AVTAB_AUDITDENY)
avd->auditdeny &= node->datum.u.data;
- else if (ops && (node->key.specified & AVTAB_OP))
- services_compute_operation_type(ops, node);
+ else if (xperms && (node->key.specified & AVTAB_XPERMS))
+ services_compute_xperms_drivers(xperms, node);
}
/* Check conditional av table for additional permissions */
- cond_compute_av(&policydb.te_cond_avtab, &avkey, avd, ops);
+ cond_compute_av(&policydb.te_cond_avtab, &avkey,
+ avd, xperms);
}
}
@@ -934,57 +936,65 @@ static void avd_init(struct av_decision *avd)
avd->flags = 0;
}
-void services_compute_operation_num(struct operation_decision *od,
+void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
struct avtab_node *node)
{
unsigned int i;
- if (node->key.specified & AVTAB_OPNUM) {
- if (od->type != node->datum.u.ops->type)
+ if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
+ if (xpermd->driver != node->datum.u.xperms->driver)
return;
- } else {
- if (!security_operation_test(node->datum.u.ops->op.perms,
- od->type))
+ } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
+ if (!security_xperm_test(node->datum.u.xperms->perms.p,
+ xpermd->driver))
return;
+ } else {
+ BUG();
}
- if (node->key.specified == AVTAB_OPTYPE_ALLOWED) {
- od->specified |= OPERATION_ALLOWED;
- memset(od->allowed->perms, 0xff,
- sizeof(od->allowed->perms));
- } else if (node->key.specified == AVTAB_OPTYPE_AUDITALLOW) {
- od->specified |= OPERATION_AUDITALLOW;
- memset(od->auditallow->perms, 0xff,
- sizeof(od->auditallow->perms));
- } else if (node->key.specified == AVTAB_OPTYPE_DONTAUDIT) {
- od->specified |= OPERATION_DONTAUDIT;
- memset(od->dontaudit->perms, 0xff,
- sizeof(od->dontaudit->perms));
- } else if (node->key.specified == AVTAB_OPNUM_ALLOWED) {
- od->specified |= OPERATION_ALLOWED;
- for (i = 0; i < ARRAY_SIZE(od->allowed->perms); i++)
- od->allowed->perms[i] |=
- node->datum.u.ops->op.perms[i];
- } else if (node->key.specified == AVTAB_OPNUM_AUDITALLOW) {
- od->specified |= OPERATION_AUDITALLOW;
- for (i = 0; i < ARRAY_SIZE(od->auditallow->perms); i++)
- od->auditallow->perms[i] |=
- node->datum.u.ops->op.perms[i];
- } else if (node->key.specified == AVTAB_OPNUM_DONTAUDIT) {
- od->specified |= OPERATION_DONTAUDIT;
- for (i = 0; i < ARRAY_SIZE(od->dontaudit->perms); i++)
- od->dontaudit->perms[i] |=
- node->datum.u.ops->op.perms[i];
+ if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
+ xpermd->used |= XPERMS_ALLOWED;
+ if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
+ memset(xpermd->allowed->p, 0xff,
+ sizeof(xpermd->allowed->p));
+ }
+ if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
+ for (i = 0; i < ARRAY_SIZE(xpermd->allowed->p); i++)
+ xpermd->allowed->p[i] |=
+ node->datum.u.xperms->perms.p[i];
+ }
+ } else if (node->key.specified == AVTAB_XPERMS_AUDITALLOW) {
+ xpermd->used |= XPERMS_AUDITALLOW;
+ if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
+ memset(xpermd->auditallow->p, 0xff,
+ sizeof(xpermd->auditallow->p));
+ }
+ if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
+ for (i = 0; i < ARRAY_SIZE(xpermd->auditallow->p); i++)
+ xpermd->auditallow->p[i] |=
+ node->datum.u.xperms->perms.p[i];
+ }
+ } else if (node->key.specified == AVTAB_XPERMS_DONTAUDIT) {
+ xpermd->used |= XPERMS_DONTAUDIT;
+ if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
+ memset(xpermd->dontaudit->p, 0xff,
+ sizeof(xpermd->dontaudit->p));
+ }
+ if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
+ for (i = 0; i < ARRAY_SIZE(xpermd->dontaudit->p); i++)
+ xpermd->dontaudit->p[i] |=
+ node->datum.u.xperms->perms.p[i];
+ }
} else {
BUG();
}
}
-void security_compute_operation(u32 ssid,
+void security_compute_xperms_decision(u32 ssid,
u32 tsid,
u16 orig_tclass,
- u8 type,
- struct operation_decision *od)
+ u8 driver,
+ struct extended_perms_decision *xpermd)
{
u16 tclass;
struct context *scontext, *tcontext;
@@ -994,11 +1004,11 @@ void security_compute_operation(u32 ssid,
struct ebitmap_node *snode, *tnode;
unsigned int i, j;
- od->type = type;
- od->specified = 0;
- memset(od->allowed->perms, 0, sizeof(od->allowed->perms));
- memset(od->auditallow->perms, 0, sizeof(od->auditallow->perms));
- memset(od->dontaudit->perms, 0, sizeof(od->dontaudit->perms));
+ xpermd->driver = driver;
+ xpermd->used = 0;
+ memset(xpermd->allowed->p, 0, sizeof(xpermd->allowed->p));
+ memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p));
+ memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p));
read_lock(&policy_rwlock);
if (!ss_initialized)
@@ -1032,7 +1042,7 @@ void security_compute_operation(u32 ssid,
}
avkey.target_class = tclass;
- avkey.specified = AVTAB_OP;
+ avkey.specified = AVTAB_XPERMS;
sattr = flex_array_get(policydb.type_attr_map_array,
scontext->type - 1);
BUG_ON(!sattr);
@@ -1046,26 +1056,27 @@ void security_compute_operation(u32 ssid,
for (node = avtab_search_node(&policydb.te_avtab, &avkey);
node;
node = avtab_search_node_next(node, avkey.specified))
- services_compute_operation_num(od, node);
+ services_compute_xperms_decision(xpermd, node);
- cond_compute_operation(&policydb.te_cond_avtab,
- &avkey, od);
+ cond_compute_xperms(&policydb.te_cond_avtab,
+ &avkey, xpermd);
}
}
out:
read_unlock(&policy_rwlock);
return;
allow:
- memset(od->allowed->perms, 0xff, sizeof(od->allowed->perms));
+ memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed->p));
goto out;
}
+
/**
* security_compute_av - Compute access vector decisions.
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* @avd: access vector decisions
- * @od: operation decisions
+ * @xperms: extended permissions
*
* Compute a set of access vector decisions based on the
* SID pair (@ssid, @tsid) for the permissions in @tclass.
@@ -1074,14 +1085,14 @@ void security_compute_av(u32 ssid,
u32 tsid,
u16 orig_tclass,
struct av_decision *avd,
- struct operation *ops)
+ struct extended_perms *xperms)
{
u16 tclass;
struct context *scontext = NULL, *tcontext = NULL;
read_lock(&policy_rwlock);
avd_init(avd);
- ops->len = 0;
+ xperms->len = 0;
if (!ss_initialized)
goto allow;
@@ -1109,7 +1120,7 @@ void security_compute_av(u32 ssid,
goto allow;
goto out;
}
- context_struct_compute_av(scontext, tcontext, tclass, avd, ops);
+ context_struct_compute_av(scontext, tcontext, tclass, avd, xperms);
map_decision(orig_tclass, avd, policydb.allow_unknown);
out:
read_unlock(&policy_rwlock);
diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h
index 569757484d05..6abcd8729ec3 100644
--- a/security/selinux/ss/services.h
+++ b/security/selinux/ss/services.h
@@ -11,10 +11,10 @@
extern struct policydb policydb;
-void services_compute_operation_type(struct operation *ops,
+void services_compute_xperms_drivers(struct extended_perms *xperms,
struct avtab_node *node);
-void services_compute_operation_num(struct operation_decision *od,
+void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
struct avtab_node *node);
#endif /* _SS_SERVICES_H_ */