rpms/kernel/devel capabilities-over-netlink-in-permissive-mode.patch, NONE, 1.1.8.1 linux-2.6-audit-git.patch, NONE, 1.1.32.1 linux-2.6-audit-pending.patch, NONE, 1.1.20.1 linux-2.6-net-label.patch, NONE, 1.1.8.1 kernel-2.6.spec, 1.2293, 1.2293.2.1

fedora-cvs-commits at redhat.com
Mon Jun 19 23:33:16 UTC 2006


Author: sgrubb

Update of /cvs/dist/rpms/kernel/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv32732

Modified Files:
      Tag: private-lspp-37-branch
	kernel-2.6.spec 
Added Files:
      Tag: private-lspp-37-branch
	capabilities-over-netlink-in-permissive-mode.patch 
	linux-2.6-audit-git.patch linux-2.6-audit-pending.patch 
	linux-2.6-net-label.patch 
Log Message:
* Mon Jun 19 2006 Steve Grubb <sgrubb at redhat.com>
- lspp.37



capabilities-over-netlink-in-permissive-mode.patch:
 hooks.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletion(-)

--- NEW FILE capabilities-over-netlink-in-permissive-mode.patch ---
>From dgoeddel at trustedcs.com Wed May 31 13:35:19 2006
Message-ID: <447DD3D7.4050200 at trustedcs.com>
Date: Wed, 31 May 2006 12:35:19 -0500
From: Darrel Goeddel <dgoeddel at trustedcs.com>
To: Stephen Smalley <sds at epoch.ncsc.mil>,
 James Morris <jmorris at redhat.com>
Cc: redhat-lspp at redhat.com,
 "'SELinux List'" <SELinux at tycho.nsa.gov>
Subject: [redhat-lspp] [PATCH] fix masking of capabilities over netlink in
	permissive mode

I think I ran across the problem described in this thread:

http://www.redhat.com/archives/linux-audit/2006-May/msg00059.html

The process' effective capabilities are always being masked with the
allowed vector of the avc decision (for self against the capability
security class) in netlink's copy of the process capabilities (eff_cap).
The allowed vector takes on a slightly different role when SELinux
is not in enforcing mode - it starts to track used-but-not-normally-permitted
actions in the allowed vector.  That is what is causing
the first attempt to fail (the allowed vector has not been "inflated")
and the following attempts to succeed (the vector has been inflated in
response to its previous use).  Does my reasoning (and patch) seem to
be on track?

This patch removes the masking of capabilities passed over netlink
socket when SELinux is in enforcing mode.

Signed-off-by: Darrel Goeddel <dgoeddel at trustedcs.com>


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 21dad41..c7650bb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3599,7 +3599,8 @@ static int selinux_netlink_send(struct s
 	avd.allowed = 0;
 	avc_has_perm_noaudit(tsec->sid, tsec->sid,
 				SECCLASS_CAPABILITY, ~0, &avd);
-	cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
+	if (selinux_enforcing)
+		cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
 
 	if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
 		err = selinux_nlmsg_perm(sk, skb);
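
Review bot: the description above this hunk says the masking is removed "when SELinux is in enforcing mode", but the hunk does the opposite and matches the subject line: `if (selinux_enforcing)` keeps the `cap_mask()` only in enforcing mode and skips it in permissive mode, so the sentence should read "permissive mode" before this goes in. Note also that `avc_has_perm_noaudit()` still runs unconditionally, so the AVC lookup (and the permissive-mode inflation of `avd.allowed` the mail describes) is unchanged; only the use of its result on `NETLINK_CB(skb).eff_cap` is gated.
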

-- 

Darrel

--
redhat-lspp mailing list
redhat-lspp at redhat.com
https://www.redhat.com/mailman/listinfo/redhat-lspp


linux-2.6-audit-git.patch:
 Documentation/filesystems/inotify.txt |  130 ++++
 fs/Kconfig                            |   24 
 fs/Makefile                           |    1 
 fs/exec.c                             |    6 
 fs/inotify.c                          |  991 +++++++++-------------------------
 fs/inotify_user.c                     |  719 ++++++++++++++++++++++++
 fs/namei.c                            |    2 
 fs/open.c                             |    4 
 fs/proc/base.c                        |    5 
 fs/xattr.c                            |    4 
 include/linux/audit.h                 |   99 ++-
 include/linux/fsnotify.h              |   32 -
 include/linux/inotify.h               |  109 +++
 include/linux/sched.h                 |    2 
 init/Kconfig                          |    3 
 ipc/mqueue.c                          |   22 
 ipc/msg.c                             |    9 
 ipc/sem.c                             |    8 
 ipc/shm.c                             |    2 
 kernel/audit.c                        |  205 +++++--
 kernel/audit.h                        |   61 +-
 kernel/auditfilter.c                  |  899 ++++++++++++++++++++++++++++--
 kernel/auditsc.c                      |  648 +++++++++++++++++-----
 kernel/signal.c                       |    2 
 kernel/sysctl.c                       |    4 
 kernel/user.c                         |    2 
 security/selinux/ss/services.c        |    2 
 27 files changed, 2961 insertions(+), 1034 deletions(-)

--- NEW FILE linux-2.6-audit-git.patch ---
diff --git a/Documentation/filesystems/inotify.txt b/Documentation/filesystems/inotify.txt
index 6d50190..59a919f 100644
--- a/Documentation/filesystems/inotify.txt
+++ b/Documentation/filesystems/inotify.txt
@@ -69,17 +69,135 @@ Prototypes:
 	int inotify_rm_watch (int fd, __u32 mask);
 
 
-(iii) Internal Kernel Implementation
+(iii) Kernel Interface
 
-Each inotify instance is associated with an inotify_device structure.
+Inotify's kernel API consists a set of functions for managing watches and an
+event callback.
+
+To use the kernel API, you must first initialize an inotify instance with a set
+of inotify_operations.  You are given an opaque inotify_handle, which you use
+for any further calls to inotify.
+
+    struct inotify_handle *ih = inotify_init(my_event_handler);
+
+You must provide a function for processing events and a function for destroying
+the inotify watch.
+
+    void handle_event(struct inotify_watch *watch, u32 wd, u32 mask,
+    	              u32 cookie, const char *name, struct inode *inode)
+
+	watch - the pointer to the inotify_watch that triggered this call
+	wd - the watch descriptor
+	mask - describes the event that occurred
+	cookie - an identifier for synchronizing events
+	name - the dentry name for affected files in a directory-based event
+	inode - the affected inode in a directory-based event
+
+    void destroy_watch(struct inotify_watch *watch)
+
+You may add watches by providing a pre-allocated and initialized inotify_watch
+structure and specifying the inode to watch along with an inotify event mask.
+You must pin the inode during the call.  You will likely wish to embed the
+inotify_watch structure in a structure of your own which contains other
+information about the watch.  Once you add an inotify watch, it is immediately
+subject to removal depending on filesystem events.  You must grab a reference if
+you depend on the watch hanging around after the call.
+
+    inotify_init_watch(&my_watch->iwatch);
+    inotify_get_watch(&my_watch->iwatch);	// optional
+    s32 wd = inotify_add_watch(ih, &my_watch->iwatch, inode, mask);
+    inotify_put_watch(&my_watch->iwatch);	// optional
+
+You may use the watch descriptor (wd) or the address of the inotify_watch for
+other inotify operations.  You must not directly read or manipulate data in the
+inotify_watch.  Additionally, you must not call inotify_add_watch() more than
+once for a given inotify_watch structure, unless you have first called either
+inotify_rm_watch() or inotify_rm_wd().
+
+To determine if you have already registered a watch for a given inode, you may
+call inotify_find_watch(), which gives you both the wd and the watch pointer for
+the inotify_watch, or an error if the watch does not exist.
+
+    wd = inotify_find_watch(ih, inode, &watchp);
+
+You may use container_of() on the watch pointer to access your own data
+associated with a given watch.  When an existing watch is found,
+inotify_find_watch() bumps the refcount before releasing its locks.  You must
+put that reference with:
+
+    put_inotify_watch(watchp);
+
+Call inotify_find_update_watch() to update the event mask for an existing watch.
+inotify_find_update_watch() returns the wd of the updated watch, or an error if
+the watch does not exist.
+
+    wd = inotify_find_update_watch(ih, inode, mask);
+
+An existing watch may be removed by calling either inotify_rm_watch() or
+inotify_rm_wd().
+
+    int ret = inotify_rm_watch(ih, &my_watch->iwatch);
+    int ret = inotify_rm_wd(ih, wd);
+
+A watch may be removed while executing your event handler with the following:
+
+    inotify_remove_watch_locked(ih, iwatch);
+
+Call inotify_destroy() to remove all watches from your inotify instance and
+release it.  If there are no outstanding references, inotify_destroy() will call
+your destroy_watch op for each watch.
+
+    inotify_destroy(ih);
+
+When inotify removes a watch, it sends an IN_IGNORED event to your callback.
+You may use this event as an indication to free the watch memory.  Note that
+inotify may remove a watch due to filesystem events, as well as by your request.
+If you use IN_ONESHOT, inotify will remove the watch after the first event, at
+which point you may call the final inotify_put_watch.
+
+(iv) Kernel Interface Prototypes
+
+	struct inotify_handle *inotify_init(struct inotify_operations *ops);
+
+	inotify_init_watch(struct inotify_watch *watch);
+
+	s32 inotify_add_watch(struct inotify_handle *ih,
+		              struct inotify_watch *watch,
+			      struct inode *inode, u32 mask);
+
+	s32 inotify_find_watch(struct inotify_handle *ih, struct inode *inode,
+			       struct inotify_watch **watchp);
+
+	s32 inotify_find_update_watch(struct inotify_handle *ih,
+				      struct inode *inode, u32 mask);
+
+	int inotify_rm_wd(struct inotify_handle *ih, u32 wd);
+
+	int inotify_rm_watch(struct inotify_handle *ih,
+			     struct inotify_watch *watch);
+
+	void inotify_remove_watch_locked(struct inotify_handle *ih,
+					 struct inotify_watch *watch);
+
+	void inotify_destroy(struct inotify_handle *ih);
+
+	void get_inotify_watch(struct inotify_watch *watch);
+	void put_inotify_watch(struct inotify_watch *watch);
+
+
+(v) Internal Kernel Implementation
+
+Each inotify instance is represented by an inotify_handle structure.
+Inotify's userspace consumers also have an inotify_device which is
+associated with the inotify_handle, and on which events are queued.
 
 Each watch is associated with an inotify_watch structure.  Watches are chained
-off of each associated device and each associated inode.
+off of each associated inotify_handle and each associated inode.
 
-See fs/inotify.c for the locking and lifetime rules.
+See fs/inotify.c and fs/inotify_user.c for the locking and lifetime rules.
 
 
-(iv) Rationale
+(vi) Rationale
 
 Q: What is the design decision behind not tying the watch to the open fd of
    the watched object?
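
Review bot: the new kernel-interface text uses two different names for the same reference-count helpers: the example calls `inotify_get_watch()`/`inotify_put_watch()` (and the IN_ONESHOT paragraph says "the final inotify_put_watch"), while the prototype list declares `get_inotify_watch()`/`put_inotify_watch()` and the inotify_find_watch() paragraph uses `put_inotify_watch(watchp)`. Pick one spelling throughout. Two smaller points: "consists a set of functions" is missing "of", and the prototype `inotify_init_watch(struct inotify_watch *watch);` has no return type while every other prototype in the list does.
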
@@ -145,7 +263,7 @@ A: The poor user-space interface is the 
    file descriptor-based one that allows basic file I/O and poll/select.
    Obtaining the fd and managing the watches could have been done either via a
    device file or a family of new system calls.  We decided to implement a
-   family of system calls because that is the preffered approach for new kernel
+   family of system calls because that is the preferred approach for new kernel
    interfaces.  The only real difference was whether we wanted to use open(2)
    and ioctl(2) or a couple of new system calls.  System calls beat ioctls.
 
diff --git a/fs/Kconfig b/fs/Kconfig
index f9b5842..74f11a2 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -393,18 +393,30 @@ config INOTIFY
 	bool "Inotify file change notification support"
 	default y
 	---help---
-	  Say Y here to enable inotify support and the associated system
-	  calls.  Inotify is a file change notification system and a
-	  replacement for dnotify.  Inotify fixes numerous shortcomings in
-	  dnotify and introduces several new features.  It allows monitoring
-	  of both files and directories via a single open fd.  Other features
-	  include multiple file events, one-shot support, and unmount
+	  Say Y here to enable inotify support.  Inotify is a file change
+	  notification system and a replacement for dnotify.  Inotify fixes
+	  numerous shortcomings in dnotify and introduces several new features
+	  including multiple file events, one-shot support, and unmount
 	  notification.
 
 	  For more information, see Documentation/filesystems/inotify.txt
 
 	  If unsure, say Y.
 
+config INOTIFY_USER
+	bool "Inotify support for userspace"
+	depends on INOTIFY
+	default y
+	---help---
+	  Say Y here to enable inotify support for userspace, including the
+	  associated system calls.  Inotify allows monitoring of both files and
+	  directories via a single open fd.  Events are read from the file
+	  descriptor, which is also select()- and poll()-able.
+
+	  For more information, see Documentation/filesystems/inotify.txt
+
+	  If unsure, say Y.
+
 config QUOTA
 	bool "Quota support"
 	help
diff --git a/fs/Makefile b/fs/Makefile
index 078d3d1..d0ea6bf 100644
--- a/fs/Makefile
+++ b/fs/Makefile
[...5229 lines suppressed...]
 
+	if (!audit_enabled)
+		return 0;
+
 	if (likely(!context))
 		return 0;
 
@@ -1187,6 +1517,30 @@ int audit_ipc_obj(struct kern_ipc_perm *
 	if (!ax)
 		return -ENOMEM;
 
+	ax->mqdes = mqdes;
+	ax->mqstat = *mqstat;
+
+	ax->d.type = AUDIT_MQ_GETSETATTR;
+	ax->d.next = context->aux;
+	context->aux = (void *)ax;
+	return 0;
+}
+
+/**
+ * audit_ipc_obj - record audit data for ipc object
+ * @ipcp: ipc permissions
+ *
+ * Returns 0 for success or NULL context or < 0 on error.
+ */
+int __audit_ipc_obj(struct kern_ipc_perm *ipcp)
+{
+	struct audit_aux_data_ipcctl *ax;
+	struct audit_context *context = current->audit_context;
+
+	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
+	if (!ax)
+		return -ENOMEM;
+
 	ax->uid = ipcp->uid;
 	ax->gid = ipcp->gid;
 	ax->mode = ipcp->mode;
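
Review bot: the kernel-doc block introduced here names the function `audit_ipc_obj` but documents `__audit_ipc_obj()`, so the comment will not match the definition; it should say `__audit_ipc_obj`. Its "Returns 0 for success or NULL context" line also no longer holds: the body shown has no NULL-context check before `kmalloc()`, unlike the guard removed from `audit_ipc_set_perm` in the hunk below, so the `__` prefix suggests the check moved to an inline wrapper that this excerpt does not show. The comment should state that the caller guarantees a non-NULL context.
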
@@ -1207,14 +1561,11 @@ int audit_ipc_obj(struct kern_ipc_perm *
  *
  * Returns 0 for success or NULL context or < 0 on error.
  */
-int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp)
+int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
 {
 	struct audit_aux_data_ipcctl *ax;
 	struct audit_context *context = current->audit_context;
 
-	if (likely(!context))
-		return 0;
-
 	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
 	if (!ax)
 		return -ENOMEM;
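
Review bot: `__audit_ipc_set_perm()` drops the `if (likely(!context)) return 0;` guard but keeps the comment "Returns 0 for success or NULL context or < 0 on error", which is now misleading: a NULL `current->audit_context` is the caller's responsibility (presumably an inline wrapper not shown in this excerpt). Update the comment accordingly. The signature also loses the `struct kern_ipc_perm *ipcp` argument, so every caller under ipc/ must change in the same patch or the build breaks.
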
@@ -1223,7 +1574,6 @@ int audit_ipc_set_perm(unsigned long qby
 	ax->uid = uid;
 	ax->gid = gid;
 	ax->mode = mode;
-	selinux_get_ipc_sid(ipcp, &ax->osid);
 
 	ax->d.type = AUDIT_IPC_SET_PERM;
 	ax->d.next = context->aux;
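
Review bot: removing `selinux_get_ipc_sid(ipcp, &ax->osid);` leaves `ax->osid` unset in `__audit_ipc_set_perm()`, and `ax` comes from `kmalloc()` rather than `kzalloc()` in the hunk above, so if the AUDIT_IPC_SET_PERM aux record is still formatted with an object-context field it will print an uninitialized SID. Either the object context is now recorded only by `__audit_ipc_obj()` (then drop the field from this record's output) or initialize `ax->osid` explicitly here.
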
@@ -1231,6 +1581,39 @@ int audit_ipc_set_perm(unsigned long qby
 	return 0;
 }
 
+int audit_bprm(struct linux_binprm *bprm)
+{
+	struct audit_aux_data_execve *ax;
+	struct audit_context *context = current->audit_context;
+	unsigned long p, next;
+	void *to;
+
+	if (likely(!audit_enabled || !context))
+		return 0;
+
+	ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
+				GFP_KERNEL);
+	if (!ax)
+		return -ENOMEM;
+
+	ax->argc = bprm->argc;
+	ax->envc = bprm->envc;
+	for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
+		struct page *page = bprm->page[p / PAGE_SIZE];
+		void *kaddr = kmap(page);
+		next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
+		memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
+		to += next - p;
+		kunmap(page);
+	}
+
+	ax->d.type = AUDIT_EXECVE;
+	ax->d.next = context->aux;
+	context->aux = (void *)ax;
+	return 0;
+}
+
+
 /**
  * audit_socketcall - record audit data for sys_socketcall
  * @nargs: number of args
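
Review bot: `audit_bprm()` copies the whole argument area, `PAGE_SIZE * MAX_ARG_PAGES - bprm->p` bytes, into one `GFP_KERNEL` `kmalloc()` on every execve while auditing is enabled; for a process with a large argv/envp that is an allocation approaching the full MAX_ARG_PAGES window, and the copied block includes the environment (`envc` is recorded) even if the record only needs argv. Consider bounding the copy or copying only the argument strings, and spell out what the caller does with -ENOMEM, since that decides whether a failed allocation fails the exec. Style: the two blank lines after the closing brace should be one.
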
@@ -1325,19 +1708,20 @@ int audit_avc_path(struct dentry *dentry
  * If the audit subsystem is being terminated, record the task (pid)
  * and uid that is doing that.
  */
-void audit_signal_info(int sig, struct task_struct *t)
+void __audit_signal_info(int sig, struct task_struct *t)
 {
 	extern pid_t audit_sig_pid;
 	extern uid_t audit_sig_uid;
-
-	if (unlikely(audit_pid && t->tgid == audit_pid)) {
-		if (sig == SIGTERM || sig == SIGHUP) {
-			struct audit_context *ctx = current->audit_context;
-			audit_sig_pid = current->pid;
-			if (ctx)
-				audit_sig_uid = ctx->loginuid;
-			else
-				audit_sig_uid = current->uid;
-		}
+	extern u32 audit_sig_sid;
+
+	if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
+		struct task_struct *tsk = current;
+		struct audit_context *ctx = tsk->audit_context;
+		audit_sig_pid = tsk->pid;
+		if (ctx)
+			audit_sig_uid = ctx->loginuid;
+		else
+			audit_sig_uid = tsk->uid;
+		selinux_get_task_sid(tsk, &audit_sig_sid);
 	}
 }
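
Review bot: `__audit_signal_info()` keeps the `struct task_struct *t` parameter but the body no longer reads it; every value now comes from `tsk = current`. The removed `audit_pid && t->tgid == audit_pid` test was the only use of `t`, so either that check moved into an inline wrapper not shown here (then `t` is dead weight and the kernel-doc above, "If the audit subsystem is being terminated", should say where the audit-daemon check now lives) or the filter was lost and every SIGTERM/SIGHUP/SIGUSR1 sent to any task overwrites `audit_sig_pid`/`audit_sig_uid`/`audit_sig_sid`. Please confirm the wrapper. Adding SIGUSR1 and recording the sender's SID via `selinux_get_task_sid()` is consistent with the new `audit_sig_sid` extern.
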
diff --git a/kernel/signal.c b/kernel/signal.c
index e5f8aea..1b3c921 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -23,12 +23,12 @@ #include <linux/security.h>
 #include <linux/syscalls.h>
 #include <linux/ptrace.h>
 #include <linux/signal.h>
-#include <linux/audit.h>
 #include <linux/capability.h>
 #include <asm/param.h>
 #include <asm/uaccess.h>
 #include <asm/unistd.h>
 #include <asm/siginfo.h>
+#include "audit.h"	/* audit_signal_info() */
 
 /*
  * SLAB caches for signal bits.
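
Review bot: replacing `<linux/audit.h>` with the private `"audit.h"` in kernel/signal.c is unusual for a file outside the audit subsystem; the trailing comment says it is for `audit_signal_info()`, which implies the inline wrapper around `__audit_signal_info()` now lives in kernel/audit.h. A wrapper that other kernel code must call belongs in include/linux/audit.h so signal.c can keep the public header, and dropping the public include here may also lose other declarations signal.c relied on.
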
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index e82726f..0d656e6 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -150,7 +150,7 @@ extern ctl_table random_table[];
 #ifdef CONFIG_UNIX98_PTYS
 extern ctl_table pty_table[];
 #endif
-#ifdef CONFIG_INOTIFY
+#ifdef CONFIG_INOTIFY_USER
 extern ctl_table inotify_table[];
 #endif
 
@@ -1028,7 +1028,7 @@ #ifdef CONFIG_MMU
 		.mode		= 0644,
 		.proc_handler	= &proc_doulongvec_minmax,
 	},
-#ifdef CONFIG_INOTIFY
+#ifdef CONFIG_INOTIFY_USER
 	{
 		.ctl_name	= FS_INOTIFY,
 		.procname	= "inotify",
diff --git a/kernel/user.c b/kernel/user.c
index 2116642..4b1eb74 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -140,7 +140,7 @@ struct user_struct * alloc_uid(uid_t uid
 		atomic_set(&new->processes, 0);
 		atomic_set(&new->files, 0);
 		atomic_set(&new->sigpending, 0);
-#ifdef CONFIG_INOTIFY
+#ifdef CONFIG_INOTIFY_USER
 		atomic_set(&new->inotify_watches, 0);
 		atomic_set(&new->inotify_devs, 0);
 #endif
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index c284dbb..e9548bc 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1980,7 +1980,7 @@ int selinux_audit_rule_match(u32 ctxid, 
 		break;
 	case AUDIT_SE_SEN:
 	case AUDIT_SE_CLR:
-		level = (op == AUDIT_SE_SEN ?
+		level = (field == AUDIT_SE_SEN ?
 		         &ctxt->range.level[0] : &ctxt->range.level[1]);
 		switch (op) {
 		case AUDIT_EQUAL:
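
Review bot: good catch. `op` is the comparison operator (the `switch (op)` that follows starts with `case AUDIT_EQUAL:`), so the old `op == AUDIT_SE_SEN` test could never be true and `level` always pointed at `range.level[1]`, the value meant for AUDIT_SE_CLR; AUDIT_SE_SEN rules were therefore matched against the wrong level. Testing `field == AUDIT_SE_SEN` is what the case labels intend. This deserves its own line in the changelog because existing AUDIT_SE_SEN rules will change behaviour.
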

linux-2.6-audit-pending.patch:
 include/linux/audit.h |    3 +
 kernel/audit.h        |    1 
 kernel/auditfilter.c  |   95 +++++++++++++++++++++++++++++++-------------------
 kernel/auditsc.c      |   15 +++++++
 4 files changed, 78 insertions(+), 36 deletions(-)

--- NEW FILE linux-2.6-audit-pending.patch ---
diff --git a/include/linux/audit.h b/include/linux/audit.h
index e1c1dbd..f7883ec 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -123,6 +123,7 @@ #define AUDIT_ALWAYS   2	/* Generate aud
 /* Rule structure sizes -- if these change, different AUDIT_ADD and
  * AUDIT_LIST commands must be implemented. */
 #define AUDIT_MAX_FIELDS   64
+#define AUDIT_MAX_KEY_LEN  32
 #define AUDIT_BITMASK_SIZE 64
 #define AUDIT_WORD(nr) ((__u32)((nr)/32))
 #define AUDIT_BIT(nr)  (1 << ((nr) - AUDIT_WORD(nr)*32))
@@ -172,6 +173,8 @@ #define AUDIT_ARG1      (AUDIT_ARG0+1)
 #define AUDIT_ARG2      (AUDIT_ARG0+2)
 #define AUDIT_ARG3      (AUDIT_ARG0+3)
 
+#define AUDIT_FILTERKEY	210
+
 #define AUDIT_NEGATE			0x80000000
 
 /* These are the supported operators.
diff --git a/kernel/audit.h b/kernel/audit.h
index 8323e41..6aa33b8 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -81,6 +81,7 @@ struct audit_krule {
 	u32			mask[AUDIT_BITMASK_SIZE];
 	u32			buflen; /* for data alloc on list rules */
 	u32			field_count;
+	char			*filterkey; /* ties events to rules */
 	struct audit_field	*fields;
 	struct audit_field	*inode_f; /* quick access to an inode field */
 	struct audit_watch	*watch;	/* associated watch */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 4c99d2c..e98db08 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -141,6 +141,7 @@ static inline void audit_free_rule(struc
 			selinux_audit_rule_free(f->se_rule);
 		}
 	kfree(e->rule.fields);
+	kfree(e->rule.filterkey);
 	kfree(e);
 }
 
@@ -511,6 +512,16 @@ static struct audit_entry *audit_data_to
 			if (err)
 				goto exit_free;
 			break;
+		case AUDIT_FILTERKEY:
+			err = -EINVAL;
+			if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
+				goto exit_free;
+			str = audit_unpack_string(&bufp, &remain, f->val);
+			if (IS_ERR(str))
+				goto exit_free;
+			entry->rule.buflen += f->val;
+			entry->rule.filterkey = str;
+			break;
 		default:
 			goto exit_free;
 		}
@@ -612,6 +623,10 @@ static struct audit_rule_data *audit_kru
 			data->buflen += data->values[i] =
 				audit_pack_string(&bufp, krule->watch->path);
 			break;
+		case AUDIT_FILTERKEY:
+			data->buflen += data->values[i] =
+				audit_pack_string(&bufp, krule->filterkey);
+			break;
 		default:
 			data->values[i] = f->val;
 		}
@@ -651,6 +666,11 @@ static int audit_compare_rule(struct aud
 			if (strcmp(a->watch->path, b->watch->path))
 				return 1;
 			break;
+		case AUDIT_FILTERKEY:
+			/* both filterkeys exist based on above type compare */
+			if (strcmp(a->filterkey, b->filterkey))
+				return 1;
+			break;
 		default:
 			if (a->fields[i].val != b->fields[i].val)
 				return 1;
@@ -730,6 +750,7 @@ static struct audit_entry *audit_dupe_ru
 	u32 fcount = old->field_count;
 	struct audit_entry *entry;
 	struct audit_krule *new;
+	char *fk;
 	int i, err = 0;
 
 	entry = audit_init_entry(fcount);
@@ -760,6 +781,13 @@ static struct audit_entry *audit_dupe_ru
 		case AUDIT_SE_CLR:
 			err = audit_dupe_selinux_field(&new->fields[i],
 						       &old->fields[i]);
+			break;
+		case AUDIT_FILTERKEY:
+			fk = kstrdup(old->filterkey, GFP_KERNEL);
+			if (unlikely(!fk))
+				err = -ENOMEM;
+			else
+				new->filterkey = fk;
 		}
 		if (err) {
 			audit_free_rule(entry);
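
Review bot: the new `case AUDIT_FILTERKEY:` block ends without a `break;`. It is the last case in the switch so nothing falls through today, but the `AUDIT_SE_CLR` case above it gains a `break;` in this same hunk for exactly that reason; add one here so the next case appended does not inherit a fall-through. The `kstrdup()` failure path correctly sets `err`, the `if (err)` below turns that into `audit_free_rule(entry)`, and `audit_free_rule()` now frees `filterkey`, so there is no leak on that path.
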
@@ -1245,6 +1273,34 @@ static void audit_list_rules(int pid, in
 		skb_queue_tail(q, skb);
 }
 
+/* Log rule additions and removals */
+static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
+				  struct audit_krule *rule, int res)
+{
+	struct audit_buffer *ab;
+
+	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+	if (!ab)
+		return;
+	audit_log_format(ab, "auid=%u", loginuid);
+	if (sid) {
+		char *ctx = NULL;
+		u32 len;
+		if (selinux_ctxid_to_string(sid, &ctx, &len))
+			audit_log_format(ab, " ssid=%u", sid);
+		else
+			audit_log_format(ab, " subj=%s", ctx);
+		kfree(ctx);
+	}
+	audit_log_format(ab, " %s rule key=", action);
+	if (rule->filterkey)
+		audit_log_untrustedstring(ab, rule->filterkey);
+	else
+		audit_log_format(ab, "(null)");
+	audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
+	audit_log_end(ab);
+}
+
 /**
  * audit_receive_filter - apply all rules to the specified message type
  * @type: audit message type
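
Review bot: `char *action` should be `const char *action`; both callers pass string literals. Emitting the key with `audit_log_untrustedstring()` is the right choice for a user-supplied string that may contain spaces or control characters. Note that the record layout changes: `key=` now appears unconditionally between the `auid=`/`subj=` fields and `list=`, where the code this replaces had none, so whatever consumes AUDIT_CONFIG_CHANGE records must tolerate the new field and the `(null)` placeholder.
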
@@ -1304,24 +1360,7 @@ int audit_receive_filter(int type, int p
 
 		err = audit_add_rule(entry,
 				     &audit_filter_list[entry->rule.listnr]);
-
-		if (sid) {
-			char *ctx = NULL;
-			u32 len;
-			if (selinux_ctxid_to_string(sid, &ctx, &len)) {
-				/* Maybe call audit_panic? */
-				audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-				 "auid=%u ssid=%u add rule to list=%d res=%d",
-				 loginuid, sid, entry->rule.listnr, !err);
-			} else
-				audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-				 "auid=%u subj=%s add rule to list=%d res=%d",
-				 loginuid, ctx, entry->rule.listnr, !err);
-			kfree(ctx);
-		} else
-			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-				"auid=%u add rule to list=%d res=%d",
-				loginuid, entry->rule.listnr, !err);
+		audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err);
 
 		if (err)
 			audit_free_rule(entry);
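
Review bot: besides the refactor, this drops the `/* Maybe call audit_panic? */` reminder on the `selinux_ctxid_to_string()` failure path; `audit_log_rule_change()` silently falls back to `ssid=%u` without it, so if the question is still open it should move into the helper rather than vanish. The record text also changes from "add rule to list=%d" to "add rule key=... list=%d"; worth a mention in the changelog.
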
@@ -1337,24 +1376,8 @@ int audit_receive_filter(int type, int p
 
 		err = audit_del_rule(entry,
 				     &audit_filter_list[entry->rule.listnr]);
-
-		if (sid) {
-			char *ctx = NULL;
-			u32 len;
-			if (selinux_ctxid_to_string(sid, &ctx, &len)) {
-				/* Maybe call audit_panic? */
-				audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-					"auid=%u ssid=%u remove rule from list=%d res=%d",
-					 loginuid, sid, entry->rule.listnr, !err);
-			} else
-				audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-					"auid=%u subj=%s remove rule from list=%d res=%d",
-					 loginuid, ctx, entry->rule.listnr, !err);
-			kfree(ctx);
-		} else
-			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-				"auid=%u remove rule from list=%d res=%d",
-				loginuid, entry->rule.listnr, !err);
+		audit_log_rule_change(loginuid, sid, "remove", &entry->rule,
+				      !err);
 
 		audit_free_rule(entry);
 		break;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 1c43dba..b32ccfa 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -186,6 +186,7 @@ struct audit_context {
 	int		    auditable;  /* 1 if record should be written */
 	int		    name_count;
 	struct audit_names  names[AUDIT_NAMES];
+	char *		    filterkey;	/* key for rule that triggered record */
 	struct dentry *	    pwd;
 	struct vfsmount *   pwdmnt;
 	struct audit_context *previous; /* For nested syscalls */
@@ -348,11 +349,17 @@ static int audit_filter_rules(struct tas
 			if (ctx)
 				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
 			break;
+		case AUDIT_FILTERKEY:
+			/* ignore this field for filtering */
+			result = 1;
+			break;
 		}
 
 		if (!result)
 			return 0;
 	}
+	if (rule->filterkey)
+		ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
 	switch (rule->action) {
 	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
 	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
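
Review bot: `ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);` dereferences `ctx` with no NULL check, yet the `AUDIT_ARG0` case a few lines above guards with `if (ctx)`, so this function is evidently called with a NULL context on at least one path; a keyed rule on that list will oops here. Guard with `if (rule->filterkey && ctx)`. Second, if `ctx->filterkey` was already set by an earlier matching rule in the same syscall, the old string is overwritten without `kfree()` and leaks; free it or skip the copy before assigning. The unchecked `kstrdup()` result is tolerable only because a NULL key is logged as `key=(null)` in the audit_log_exit hunk below.
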
@@ -627,6 +634,7 @@ static inline void audit_free_context(st
 		}
 		audit_free_names(context);
 		audit_free_aux(context);
+		kfree(context->filterkey);
 		kfree(context);
 		context  = previous;
 	} while (context);
@@ -736,6 +744,11 @@ static void audit_log_exit(struct audit_
 		  context->euid, context->suid, context->fsuid,
 		  context->egid, context->sgid, context->fsgid, tty);
 	audit_log_task_info(ab, tsk);
+	if (context->filterkey) {
+		audit_log_format(ab, " key=");
+		audit_log_untrustedstring(ab, context->filterkey);
+	} else
+		audit_log_format(ab, " key=(null)");
 	audit_log_end(ab);
 
 	for (aux = context->aux; aux; aux = aux->next) {
@@ -1061,6 +1074,8 @@ void audit_syscall_exit(int valid, long 
 	} else {
 		audit_free_names(context);
 		audit_free_aux(context);
+		kfree(context->filterkey);
+		context->filterkey = NULL;
 		tsk->audit_context = context;
 	}
 }

linux-2.6-net-label.patch:
 CREDITS                                                   |    7 
 Documentation/00-INDEX                                    |    2 
 Documentation/netlabel/00-INDEX                           |   10 
 Documentation/netlabel/cipso_ipv4.txt                     |   48 
 Documentation/netlabel/draft-ietf-cipso-ipsecurity-01.txt |  781 ++++++
 Documentation/netlabel/introduction.txt                   |   44 
 Documentation/netlabel/lsm_interface.txt                  |   47 
 include/linux/ip.h                                        |    1 
 include/linux/netlink.h                                   |    1 
 include/net/cipso_ipv4.h                                  |  159 +
 include/net/inet_sock.h                                   |    2 
 include/net/netlabel.h                                    |  354 ++
 net/Kconfig                                               |    2 
 net/Makefile                                              |    1 
 net/ipv4/Makefile                                         |    1 
 net/ipv4/ah4.c                                            |    2 
 net/ipv4/cipso_ipv4.c                                     | 1749 ++++++++++++++
 net/ipv4/ip_options.c                                     |   19 
 net/netlabel/Kconfig                                      |   47 
 net/netlabel/Makefile                                     |   15 
 net/netlabel/netlabel_cipso_v4.c                          |  580 ++++
 net/netlabel/netlabel_cipso_v4.h                          |  201 +
 net/netlabel/netlabel_domainhash.c                        |  629 +++++
 net/netlabel/netlabel_domainhash.h                        |   64 
 net/netlabel/netlabel_kapi.c                              |  420 +++
 net/netlabel/netlabel_mgmt.c                              |  677 +++++
 net/netlabel/netlabel_mgmt.h                              |  248 +
 net/netlabel/netlabel_unlabeled.c                         |  285 ++
 net/netlabel/netlabel_unlabeled.h                         |   83 
 net/netlabel/netlabel_user.c                              |  174 +
 net/netlabel/netlabel_user.h                              |   42 
 security/selinux/hooks.c                                  |   81 
 security/selinux/include/av_inherit.h                     |    1 
 security/selinux/include/av_perm_to_string.h              |    2 
 security/selinux/include/av_permissions.h                 |    1 
 security/selinux/include/flask.h                          |    1 
 security/selinux/include/security.h                       |    9 
 security/selinux/nlmsgtab.c                               |  159 -
 security/selinux/ss/ebitmap.c                             |  155 +
 security/selinux/ss/ebitmap.h                             |    6 
 security/selinux/ss/mls.c                                 |  160 +
 security/selinux/ss/mls.h                                 |   25 
 security/selinux/ss/services.c                            |  415 +++
 security/selinux/xfrm.c                                   |   22 
 44 files changed, 7642 insertions(+), 90 deletions(-)

--- NEW FILE linux-2.6-net-label.patch ---
>From paul.moore at hp.com Tue Jun 13 13:19:29 2006
Return-Path: <paul.moore at hp.com>
Received: from mail.boston.redhat.com ([unix socket])
	by mail.boston.redhat.com (Cyrus v2.1.12) with LMTP; Tue, 13 Jun 2006 13:19:46 -0400
X-Sieve: CMU Sieve 2.2
Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254])
	by mail.boston.redhat.com (8.12.8/8.12.8) with ESMTP id k5DHJklQ024760
	for <sgrubb at boston.redhat.com>; Tue, 13 Jun 2006 13:19:46 -0400
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id k5DHJjvp003404;
	Tue, 13 Jun 2006 13:19:45 -0400
Received: from atlrel9.hp.com (atlrel9.hp.com [156.153.255.214])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id k5DHJbhR014102;
	Tue, 13 Jun 2006 13:19:37 -0400
Received: from smtp1.fc.hp.com (smtp.fc.hp.com [15.15.136.127])
	by atlrel9.hp.com (Postfix) with ESMTP id BC9063411C;
	Tue, 13 Jun 2006 13:19:31 -0400 (EDT)
Received: from [16.116.96.193] (flek.zko.hp.com [16.116.96.193])
	by smtp1.fc.hp.com (Postfix) with ESMTP id B2A0D1D83F;
	Tue, 13 Jun 2006 17:19:30 +0000 (UTC)
Message-ID: <448EF3A1.8060500 at hp.com>
Date: Tue, 13 Jun 2006 13:19:29 -0400
From: Paul Moore <paul.moore at hp.com>
Organization: Hewlett Packard
User-Agent: Mozilla Thunderbird 1.0.8-1.1.fc4 (X11/20060501)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: redhat-lspp at redhat.com
Cc: Steve Grubb <sgrubb at redhat.com>
Subject: Updated NetLabel patch
X-Enigmail-Version: 0.92.0.0
Content-Type: multipart/mixed;
  boundary="------------060702020000000708020100"
X-RedHat-Spam-Score: -98.817 
X-UID: 68857
X-Length: 271297

This is a multi-part message in MIME format.
--------------060702020000000708020100
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Attached is an updated NetLabel patch from June 13th (today) against the
lspp.35 sources.  As before, it has been quickly tested on x86, x86_64,
targeted/enforcing, and mls/permissive although not all hw/policy
combinations have been tested.  If you wish to configure NetLabel to use
CIPSO, please grab the June 13th release of netlabel_tools which can be
found here:

 * http://free.linux.hp.com/~pmoore/projects/linux_cipso

The big changes since the last posting on June 6th are:

 * Demonstrated interop between TSOL v 8 (big thanks to Ted)
 * Relabeling of sockets on accept()
 * The addition of the "pass through" CIPSO mapping
 * Better NetLabel netlink error reporting to userspace
 * Verified CIPSO option is recognized as immutable by AH
   (not yet tested)

The patch stats:

 CREDITS                                                   |    7
 Documentation/00-INDEX                                    |    2
 Documentation/netlabel/00-INDEX                           |   10
 Documentation/netlabel/cipso_ipv4.txt                     |   48
 Documentation/netlabel/draft-ietf-cipso-ipsecurity-01.txt |  791 ++++
 Documentation/netlabel/introduction.txt                   |   44
 Documentation/netlabel/lsm_interface.txt                  |   47
 include/linux/ip.h                                        |    1
 include/linux/netlink.h                                   |    1
 include/net/cipso_ipv4.h                                  |  159
 include/net/inet_sock.h                                   |    2
 include/net/netlabel.h                                    |  354 ++
 net/Kconfig                                               |    2
 net/Makefile                                              |    1
 net/ipv4/Makefile                                         |    1
 net/ipv4/ah4.c                                            |    2
 net/ipv4/cipso_ipv4.c                                     | 1749 ++++++
 net/ipv4/ip_options.c                                     |   19
 net/netlabel/Kconfig                                      |   47
 net/netlabel/Makefile                                     |   15
 net/netlabel/netlabel_cipso_v4.c                          |  580 +++
 net/netlabel/netlabel_cipso_v4.h                          |  201 +
 net/netlabel/netlabel_domainhash.c                        |  629 +++
 net/netlabel/netlabel_domainhash.h                        |   64
 net/netlabel/netlabel_kapi.c                              |  420 ++
 net/netlabel/netlabel_mgmt.c                              |  677 +++
 net/netlabel/netlabel_mgmt.h                              |  248 +
 net/netlabel/netlabel_unlabeled.c                         |  285 +
 net/netlabel/netlabel_unlabeled.h                         |   83
 net/netlabel/netlabel_user.c                              |  174
 net/netlabel/netlabel_user.h                              |   42
 security/selinux/hooks.c                                  |   81
 security/selinux/include/av_inherit.h                     |    1
 security/selinux/include/av_perm_to_string.h              |    2
 security/selinux/include/av_permissions.h                 |    1
 security/selinux/include/flask.h                          |    1
 security/selinux/include/security.h                       |    9
 security/selinux/nlmsgtab.c                               |  159
 security/selinux/ss/ebitmap.c                             |  155
 security/selinux/ss/ebitmap.h                             |    6
 security/selinux/ss/mls.c                                 |  160
 security/selinux/ss/mls.h                                 |   25
 security/selinux/ss/services.c                            |  415 ++
 security/selinux/xfrm.c                                   |   22
 44 files changed, 7652 insertions(+), 90 deletions(-)

I'll be posting a more "reviewer friendly" patchset in a week or so once
this has been out for a few days and I have had a chance to work on the
patch a bit more (discussed on Monday's concall).

-- 
paul moore
linux security @ hp

--------------060702020000000708020100
Content-Type: text/x-patch;
 name="netlabel_06132006.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="netlabel_06132006.diff"

diff -purN linux-2.6.16.i686/CREDITS linux-2.6.16.i686-netlabel_06132006/CREDITS
--- linux-2.6.16.i686/CREDITS	2006-06-13 10:47:07.000000000 -0400
+++ linux-2.6.16.i686-netlabel_06132006/CREDITS	2006-06-13 11:19:58.000000000 -0400
@@ -2383,6 +2383,13 @@ N: Thomas Molina
 E: tmolina at cablespeed.com
 D: bug fixes, documentation, minor hackery
 
+N: Paul Moore
+E: paul.moore at hp.com
+D: NetLabel author
+S: Hewlett-Packard
+S: 110 Spit Brook Road
+S: Nashua, NH 03062
+
 N: James Morris
 E: jmorris at namei.org
 W: http://namei.org/
diff -purN linux-2.6.16.i686/Documentation/00-INDEX linux-2.6.16.i686-netlabel_06132006/Documentation/00-INDEX
--- linux-2.6.16.i686/Documentation/00-INDEX	2006-03-20 00:53:29.000000000 -0500
+++ linux-2.6.16.i686-netlabel_06132006/Documentation/00-INDEX	2006-06-13 11:19:58.000000000 -0400
@@ -184,6 +184,8 @@ mtrr.txt
 	- how to use PPro Memory Type Range Registers to increase performance.
 nbd.txt
 	- info on a TCP implementation of a network block device.
+netlabel/
+	- directory with information on the NetLabel subsystem.
 networking/
 	- directory with info on various aspects of networking with Linux.
 nfsroot.txt
diff -purN linux-2.6.16.i686/Documentation/netlabel/00-INDEX linux-2.6.16.i686-netlabel_06132006/Documentation/netlabel/00-INDEX
--- linux-2.6.16.i686/Documentation/netlabel/00-INDEX	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.16.i686-netlabel_06132006/Documentation/netlabel/00-INDEX	2006-06-13 11:19:58.000000000 -0400
@@ -0,0 +1,10 @@
+00-INDEX
+	- this file.
+cipso_ipv4.txt
+	- documentation on the IPv4 CIPSO protocol engine.
+draft-ietf-cipso-ipsecurity-01.txt
+	- IETF draft of the CIPSO protocol, dated 16 July 1992.
+introduction.txt
+	- NetLabel introduction, READ THIS FIRST.
+lsm_interface.txt
+	- documentation on the NetLabel kernel security module API.
diff -purN linux-2.6.16.i686/Documentation/netlabel/cipso_ipv4.txt linux-2.6.16.i686-netlabel_06132006/Documentation/netlabel/cipso_ipv4.txt
--- linux-2.6.16.i686/Documentation/netlabel/cipso_ipv4.txt	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.16.i686-netlabel_06132006/Documentation/netlabel/cipso_ipv4.txt	2006-06-13 11:19:58.000000000 -0400
@@ -0,0 +1,48 @@
+NetLabel CIPSO/IPv4 Protocol Engine
+==============================================================================
+Paul Moore, paul.moore at hp.com
+
+May 17, 2006
+
+ * Overview
+
+The NetLabel CIPSO/IPv4 protocol engine is based on the IETF Commercial IP
+Security Option (CIPSO) draft from July 16, 1992.  A copy of this draft can be
+found in this directory, consult '00-INDEX' for the filename.  While the IETF
+draft never made it to an RFC standard it has become a de-facto standard for
+labeled networking and is used in many trusted operating systems.
+
+ * Outbound Packet Processing
+
+The CIPSO/IPv4 protocol engine applies the CIPSO IP option to packets by
+adding the CIPSO label to the socket.  This causes all packets leaving the
+system through the socket to have the CIPSO IP option applied.  The socket's
+CIPSO label can be changed at any point in time, however, it is recommended
+that it is set upon the socket's creation.  The LSM can set the socket's CIPSO
+label by using the NetLabel security module API; if the NetLabel "domain" is
+configured to use CIPSO for packet labeling then a CIPSO IP option will be
+generated and attached to the socket.
+
+ * Inbound Packet Processing
+
+The CIPSO/IPv4 protocol engine validates every CIPSO IP option it finds at the
+IP layer without any special handling required by the LSM.  However, in order
[...7963 lines suppressed...]
+
+/**
+ * security_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only attributes
+ * @sid: the SID
+ *
+ * Description:
+ * Call the NetLabel mechanism to get the security attributes of the given
+ * packet and use those attributes to determine the correct context/SID to
+ * assign to the packet.  Returns zero on success, negative values on failure.
+ *
+ */
+int security_netlbl_skbuff_getsid(struct sk_buff *skb, 
+				  const u32 base_sid,
+				  u32 *sid)
+{
+	int ret_val;
+	struct netlbl_lsm_secattr secattr;
+
+	if (!ss_initialized)
+		return 0;
+
+	netlbl_secattr_init(&secattr);
+
+	ret_val = netlbl_skbuff_getattr(skb, &secattr);
+	if (ret_val == 0)
+		ret_val = security_netlbl_secattr_to_sid(skb,
+							 &secattr,
+							 base_sid,
+							 sid);
+
+	secattr.set_cache = 0;
+	netlbl_secattr_destroy(&secattr);
+
+	return ret_val;
+}
+
+/**
+ * security_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
+ * @sock: the socket to label
+ * @sid: the SID to use as the basis for the label
+ *
+ * Description:
+ * Attempt to label a socket using the NetLabel mechanism using the given
+ * SID.  Returns zero values on success, negative values on failure.
+ *
+ */
+int security_netlbl_socket_setsid(const struct socket *sock, const u32 sid)
+{
+	int ret_val;
+	struct netlbl_lsm_secattr secattr;
+	struct context *ctx;
+
+	if (!ss_initialized)
+		return 0;
+
+	ctx = sidtab_search(&sidtab, sid);
+	if (ctx != NULL) {
+		netlbl_secattr_init(&secattr);
+
+		if (security_context_export_type(ctx, 
+						 &secattr.domain,
+						 NULL) == 0)
+			secattr.set_domain = 1;
+		if (mls_export_lvl(ctx, &secattr.mls_lvl, NULL) == 0)
+			secattr.set_mls_lvl = 1;
+		if (mls_export_cat(ctx, 
+				   &secattr.mls_cat,
+				   &secattr.mls_cat_len,
+				   NULL,
+				   NULL) == 0)
+			secattr.set_mls_cat = 1;
+
+		ret_val = netlbl_socket_setattr(sock, &secattr);
+		netlbl_secattr_destroy(&secattr);
+	} else
+		ret_val = -ENOENT;
+
+	return ret_val;
+}
+
+/**
+ * security_netlbl_socket_accept - Handle the labeling of an accept()ed socket
+ * @sock: the original socket
+ * @newsock: the new accept()ed socket
+ *
+ * Description:
+ * Attempt to label a socket using the NetLabel mechanism based on the packets
+ * in the queue and the original socket's SID.  Returns zero values on success,
+ * negative values on failure.
+ *
+ */
+int security_netlbl_socket_accept(struct socket *sock, struct socket *newsock)
+{
+	int ret_val;
+	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
+	struct netlbl_lsm_secattr secattr;
+	u32 newsock_sid;
+	u16 sock_class;
+	u32 relabelto_perm;
+
+	if (!ss_initialized)
+		return 0;
+	netlbl_secattr_init(&secattr);
+
+	ret_val = netlbl_socket_getattr(newsock, &secattr);
+	if (ret_val != 0)
+		goto netlbl_socket_accept_return;
+	ret_val = security_netlbl_secattr_to_sid(NULL,
+						 &secattr,
+						 isec->sid,
+						 &newsock_sid);
+	if (ret_val != 0 || newsock_sid == SECINITSID_UNLABELED)
+		goto netlbl_socket_accept_return;
+
+	sock_class = isec->sclass;
+	switch (sock_class) {
+	case SECCLASS_UDP_SOCKET:
+		relabelto_perm = UDP_SOCKET__RELABELTO;
+		break;
+	case SECCLASS_TCP_SOCKET:
+		relabelto_perm = TCP_SOCKET__RELABELTO;
+		break;
+	default:
+		relabelto_perm = RAWIP_SOCKET__RELABELTO;
+	}
+
+	/* PM - should we have a "RELABELFROM" check too? */
+	/* PM - i suspect we should audit this socket relabel */
+	ret_val = avc_has_perm(isec->sid, 
+			       newsock_sid,
+			       sock_class,
+			       relabelto_perm,
+			       NULL);
+	if (ret_val != 0)
+		goto netlbl_socket_accept_return;
+
+	isec = SOCK_INODE(newsock)->i_security;
+	isec->sid = newsock_sid;
+
+netlbl_socket_accept_return:
+	secattr.set_cache = 0;
+	netlbl_secattr_destroy(&secattr);
+
+	return security_netlbl_socket_setsid(newsock, isec->sid);
+}
+#endif /* CONFIG_NETLABEL */
+
 struct selinux_audit_rule {
 	u32 au_seqno;
 	struct context au_ctxt;
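Review bot: security_netlbl_skbuff_getsid() returns 0 on the `if (!ss_initialized)` path without writing `*sid`, so a caller that takes 0 to mean "sid populated" reads an uninitialized value; set `*sid` to a defined SID (SECINITSID_UNLABELED would match the function's own fallback semantics) on that path or return a distinguishable value. The same early return in security_netlbl_socket_setsid() and security_netlbl_socket_accept() is harmless because neither produces an output parameter. In security_netlbl_socket_accept(), every `goto netlbl_socket_accept_return` leaves `isec` pointing at the listening socket, so the trailing `return security_netlbl_socket_setsid(newsock, isec->sid);` labels the new socket with the listener's SID on every failure path, including the one where avc_has_perm() denied relabelto; if that fallback is intended it needs a comment saying so, and the two "PM" comments (whether a RELABELFROM check is needed and whether the relabel should be audited) should be resolved rather than shipped as open questions, since a silent relabel is exactly the kind of decision an auditor wants recorded.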
diff -purN linux-2.6.16.i686/security/selinux/xfrm.c linux-2.6.16.i686-netlabel_06132006/security/selinux/xfrm.c
--- linux-2.6.16.i686/security/selinux/xfrm.c	2006-06-13 10:46:59.000000000 -0400
+++ linux-2.6.16.i686-netlabel_06132006/security/selinux/xfrm.c	2006-06-13 11:20:00.000000000 -0400
@@ -295,13 +295,13 @@ u32 selinux_socket_getpeer_dgram(struct 
 /*
  * LSM hook that controls access to unlabelled packets.  If
  * a xfrm_state is authorizable (defined by macro) then it was
- * already authorized by the IPSec process.  If not, then
- * we need to check for unlabelled access since this may not have
- * gone thru the IPSec process.
+ * already authorized by the IPsec process.  Return zero when the
+ * packet has been approved by the IPsec process, negative values
+ * otherwise.
  */
 int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
 {
-	int i, rc = 0;
+	int i;
 	struct sec_path *sp;
 
 	sp = skb->sp;
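Review bot: the rewritten comment describes the new return contract but drops the old explanation of what happens to packets that did not traverse IPsec; since the unlabelled-access check is removed from this function in the next hunk, the comment should state where that check now lives so a reader of this function alone does not conclude that non-IPsec packets are simply rejected.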
@@ -317,21 +317,11 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_s
 			struct xfrm_state *x = sp->xvec[i];
 
 			if (x && selinux_authorizable_xfrm(x))
-				goto accept;
+				return 0;
 		}
 	}
 
-	/* check SELinux sock for unlabelled access */
-	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
-			  ASSOCIATION__RECVFROM, NULL);
-	if (rc)
-		goto drop;
-
-accept:
-	return 0;
-
-drop:
-	return rc;
+	return -ENOMSG;
 }
 
 /*
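Review bot: the removed `avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, NULL)` check is not replaced anywhere in this file, so the hunk is only policy-equivalent if the caller (security/selinux/hooks.c, listed with 81 changed lines in the diffstat but suppressed in this posting) now performs the unlabelled or NetLabel check whenever -ENOMSG comes back; that needs confirming against the hooks.c change before merge. -ENOMSG is also being used as an in-band "no authorizable xfrm_state" signal rather than an error, so each caller must compare against it explicitly instead of treating any negative value as a drop; spelling that out in the function comment would prevent the next caller from getting it wrong.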

--------------060702020000000708020100--



Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/devel/kernel-2.6.spec,v
retrieving revision 1.2293
retrieving revision 1.2293.2.1
diff -u -r1.2293 -r1.2293.2.1
--- kernel-2.6.spec	18 Jun 2006 04:35:30 -0000	1.2293
+++ kernel-2.6.spec	19 Jun 2006 23:33:11 -0000	1.2293.2.1
@@ -11,10 +11,10 @@
 # Whether to apply the Xen patches, leave this enabled.
 %define includexen 1
 # Whether to build the Xen kernels, disable if you want.
-%define buildxen 1
+%define buildxen 0
 %define buildxenPAE 0
 %define builddoc 0
-%define buildkdump 1
+%define buildkdump 0
 %define buildheaders 0
 
 # Versions of various parts
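Review bot: disabling `buildxen` and `buildkdump` drops two kernel variants from the build, which the comment above says is acceptable, but nothing records why; a one-line comment (build time on the private branch, or the lspp patches not being tested under Xen/kdump) would keep someone from re-enabling them without knowing the trade-off.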
@@ -28,7 +28,7 @@
 %define sublevel 17
 %define kversion 2.6.%{sublevel}
 %define rpmversion 2.6.%{sublevel}
-%define tag FC6
+%define tag FC6.lspp.37
 %if %{rhelbuild}
 %define tag EL
 %endif
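Review bot: `%define tag FC6.lspp.37` is immediately overridden to `EL` by the `%if %{rhelbuild}` block that follows, so RHEL-flavoured builds from this branch lose the lspp.37 marker in their release string; if the marker is meant to identify lspp kernels regardless of flavour, append it after the `%if` or to both definitions.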
@@ -457,6 +457,12 @@
 # Xen hypervisor patches
 Patch20000: xen-sched-sedf.patch
 
+# Audit & lspp patches
+Patch20100: linux-2.6-audit-git.patch
+Patch20101: linux-2.6-audit-pending.patch
+Patch20102: capabilities-over-netlink-in-permissive-mode.patch
+Patch20103: linux-2.6-net-label.patch
+
 
 # END OF PATCH DEFINITIONS
 
@@ -1093,11 +1099,22 @@
 
 cp -f %{all_arch_configs} .
 
+# Audit patches
+%patch20100 -p1
+%patch20101 -p1
+%patch20102 -p1
+#%patch20103 -p1
+
 
 # now run oldconfig over all the config files
 for i in *.config
 do
   mv $i .config
+  echo "CONFIG_INOTIFY_USER=y" >> .config
+  echo "CONFIG_NETLABEL=y" >> .config
+  echo "CONFIG_NETLABEL_CIPSOV4=y" >> .config
+  echo "CONFIG_NETLABEL_UNLABELED=y" >> .config
+  echo "CONFIG_NETLABEL_UNLABELED_DEFAULT=y" >> .config
   Arch=`head -1 .config | cut -b 3-`
   make ARCH=$Arch nonint_oldconfig > /dev/null
   echo "# $Arch" > configs/$i
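Review bot: `#%patch20103 -p1` relies on the `#` to disable the NetLabel patch, but rpm expands macros inside comment lines, so the safe way to comment out a %patch line is `#%%patch20103 -p1`; at minimum add a comment stating that the patch is deliberately not applied yet, since Patch20103 is still declared above. Related: the five `echo "CONFIG_...=y" >> .config` lines enable CONFIG_NETLABEL, CONFIG_NETLABEL_CIPSOV4, CONFIG_NETLABEL_UNLABELED and CONFIG_NETLABEL_UNLABELED_DEFAULT for every arch config, but those Kconfig symbols only exist once linux-2.6-net-label.patch is applied, so with the patch disabled `make nonint_oldconfig` will quietly drop them and the build will succeed without NetLabel while the spec reads as if it is enabled. Either gate the echo lines on the same condition as the %patch line, or apply the patch.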
@@ -1696,6 +1713,9 @@
 %endif
 
 %changelog
+* Mon Jun 19 2006 Steve Grubb <sgrubb at redhat.com>
+- lspp.37
+
 * Sun Jun 18 2006 Dave Jones <davej at redhat.com>
 - 2.6.17
 



