Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing List[SELINUX] Event notifications via Netlink
From: James Morris <jmorris_at_redhat.com>
Date: Wed, 18 Feb 2004 11:52:31 -0500 (EST)
For example, a userspace AVC (Access Vector Cache, the component that makes access control decisions) is being implemented for use by Security Enhanced X and SE-DBUS. These applications will request access control decisions from the usersapce AVC, which will relay and cache decisions from the kernel AVC. When the security policy is reloaded or the enforcing mode is changed in the kernel, the userspace AVC can be notified and take appropriate action (e.g. flush cache). Please apply. include/linux/netlink.h | 1 include/linux/selinux_netlink.h | 37 +++++++++++++ security/selinux/Makefile | 2 security/selinux/netlink.c | 113 ++++++++++++++++++++++++++++++++++++++++ security/selinux/selinuxfs.c | 3 + security/selinux/ss/services.c | 3 +6 files changed, 158 insertions(+), 1 deletion(-)
diff -urN -X dontdiff linux-2.6.3.o/include/linux/netlink.h linux-2.6.3.w/include/linux/netlink.h --- linux-2.6.3.o/include/linux/netlink.h 2003-10-15 08:53:19.000000000 -0400 +++ linux-2.6.3.w/include/linux/netlink.h 2004-02-18 08:53:17.583636544 -0500 @@ -11,6 +11,7 @@@@ -0,0 +1,37 @@ +/* + * Netlink event notifications for SELinux. + * + * Author: James Morris <jmorris@redhat.com> + * + * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ +#ifndef _LINUX_SELINUX_NETLINK_H +#define _LINUX_SELINUX_NETLINK_H + +/* Message types. */ +#define SELNL_MSG_BASE 0x10 +enum { + SELNL_MSG_SETENFORCE = SELNL_MSG_BASE, + SELNL_MSG_POLICYLOAD, + SELNL_MSG_MAX +}; + +/* Multicast groups */ +#define SELNL_GRP_NONE 0x00000000 +#define SELNL_GRP_AVC 0x00000001 /* AVC notifications */ +#define SELNL_GRP_ALL 0xffffffff + +/* Message structures */ +struct selnl_msg_setenforce { + u_int32_t val; +}; + +struct selnl_msg_policyload { + u_int32_t seqno; +}; + +#endif /* _LINUX_SELINUX_NETLINK_H */ diff -urN -X dontdiff linux-2.6.3.o/security/selinux/Makefile linux-2.6.3.w/security/selinux/Makefile --- linux-2.6.3.o/security/selinux/Makefile 2004-02-04 08:39:07.000000000 -0500 +++ linux-2.6.3.w/security/selinux/Makefile 2004-02-18 08:53:17.605633200 -0500@@ -4,7 +4,7 @@ obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
-selinux-y := avc.o hooks.o selinuxfs.o
selinux-$(CONFIG_SECURITY_NETWORK) += netif.o diff -urN -X dontdiff linux-2.6.3.o/security/selinux/netlink.c linux-2.6.3.w/security/selinux/netlink.c --- linux-2.6.3.o/security/selinux/netlink.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.6.3.w/security/selinux/netlink.c 2004-02-18 09:01:54.288085528 -0500@@ -0,0 +1,113 @@ +/* + * Netlink event notifications for SELinux. + * + * Author: James Morris <jmorris@redhat.com> + * + * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ +#include <linux/init.h> +#include <linux/types.h> +#include <linux/stddef.h> +#include <linux/kernel.h> +#include <linux/list.h> +#include <linux/skbuff.h> +#include <linux/netlink.h> +#include <linux/selinux_netlink.h> + +static struct sock *selnl; + +static int selnl_msglen(int msgtype) +{ + int ret = 0; + + switch (msgtype) { + case SELNL_MSG_SETENFORCE: + ret = sizeof(struct selnl_msg_setenforce); + break; + + case SELNL_MSG_POLICYLOAD: + ret = sizeof(struct selnl_msg_policyload); + break; + + default: + BUG(); + } + return ret; +} + +static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void *data) +{ + switch (msgtype) { + case SELNL_MSG_SETENFORCE: { + struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh); + + memset(msg, 0, len); + msg->val = *((int *)data); + break; + } + + case SELNL_MSG_POLICYLOAD: { + struct selnl_msg_policyload *msg = NLMSG_DATA(nlh); + + memset(msg, 0, len); + msg->seqno = *((u32 *)data); + break; + } + + default: + BUG(); + } +} + +static void selnl_notify(int msgtype, void *data) +{ + int len; + unsigned char *tmp; + struct sk_buff *skb; + struct nlmsghdr *nlh; + + len = selnl_msglen(msgtype); + + skb = alloc_skb(NLMSG_SPACE(len), GFP_USER); + if (!skb) + goto oom; + + tmp = skb->tail; + nlh = NLMSG_PUT(skb, 0, 0, msgtype, len); + selnl_add_payload(nlh, len, msgtype, data); + nlh->nlmsg_len = skb->tail - tmp; + netlink_broadcast(selnl, skb, 0, SELNL_GRP_AVC, GFP_USER); +out: + return; + +nlmsg_failure: + kfree_skb(skb); +oom: + printk(KERN_ERR "SELinux: OOM in %s\n", __FUNCTION__); + goto out; +} + +void selnl_notify_setenforce(int val) +{ + selnl_notify(SELNL_MSG_SETENFORCE, &val); +} + +void selnl_notify_policyload(u32 seqno) +{ + selnl_notify(SELNL_MSG_POLICYLOAD, &seqno); +} + +static int __init selnl_init(void) +{ + selnl = netlink_kernel_create(NETLINK_SELINUX, NULL); + if (selnl == NULL) + panic("SELinux: Cannot create netlink socket."); + netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV); + return 0; +} + +__initcall(selnl_init); diff -urN -X dontdiff linux-2.6.3.o/security/selinux/selinuxfs.c linux-2.6.3.w/security/selinux/selinuxfs.c --- linux-2.6.3.o/security/selinux/selinuxfs.c 2004-02-18 00:17:09.000000000 -0500 +++ linux-2.6.3.w/security/selinux/selinuxfs.c 2004-02-18 08:53:17.616631528 -0500@@ -17,6 +17,8 @@ #include "security.h" #include "objsec.h"
+extern void selnl_notify_setenforce(int val);
+
u32 perms)
selinux_enforcing = new_value; if (selinux_enforcing) avc_ss_reset(0); + selnl_notify_setenforce(selinux_enforcing); } length = count; out: diff -urN -X dontdiff linux-2.6.3.o/security/selinux/ss/services.c linux-2.6.3.w/security/selinux/ss/services.c --- linux-2.6.3.o/security/selinux/ss/services.c 2004-02-18 00:17:09.000000000 -0500 +++ linux-2.6.3.w/security/selinux/ss/services.c 2004-02-18 08:53:17.619631072 -0500@@ -28,6 +28,8 @@ #include "services.h" #include "mls.h"
+extern void selnl_notify_policyload(u32 seqno);
+
sidtab_destroy(&oldsidtab); avc_ss_reset(seqno); + selnl_notify_policyload(seqno); return 0; -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 18 Feb 2004 - 11:52:45 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |