SELinux Mailing List: Re: [RFC][PATCH] collect security labels on user processes generating audit messages
From: Timothy R. Chavez <tinytim_at_us.ibm.com>
Date: Tue, 14 Feb 2006 17:48:22 -0600
Thank you for the comments. While implementing your feedback I came across a pretty severe bug. I was basically obtaining the sid and then throwing it away (I was returning it from the function, but not actually assigning it to anything). New patch below. I still need to test this a little more. Thanks! -tim
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index 6a2ccf7..ccd5905 100644
 __u32 dst_group;
 kernel_cap_t eff_cap;
 __u32 loginuid; /* Login (audit) uid */
+ __u32 secid; /* SELinux security id */
 };
#define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb))
diff --git a/include/linux/security.h b/include/linux/security.h
index b4fe8aa..c6fe5fe 100644
int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); int (*ipc_getsecurity)(struct kern_ipc_perm *ipcp, void *buffer, size_t size);} +static inline void security_task_getsecid(struct task_struct *tsk, __u32 *sid) +{ + security_ops->task_getsecid(tsk, sid); +} + static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, short flag) { @@ -2457,6 +2468,9 @@ static inline void security_task_reparen static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) { } +static inline void security_task_getsecid(struct task_struct *tsk, __u32 *sid) +{ } + static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, short flag) { diff --git a/include/linux/selinux.h b/include/linux/selinux.h new file mode 100644 index 0000000..c2e0e20 --- /dev/null +++ b/include/linux/selinux.h 
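Review bot: The !CONFIG_SECURITY stub `security_task_getsecid` in the `@@ -2457,6 +2468,9 @@` hunk has an empty body, so `*sid` is never written, whereas `dummy_task_getsecid` in security/dummy.c stores 0; with security compiled out, the new `security_task_getsecid(current, &NETLINK_CB(skb).secid)` call in netlink_sendmsg leaves the secid holding whatever the skb control block held, and the audit receiver then reads it. Make the stub match the dummy hook: `static inline void security_task_getsecid(struct task_struct *tsk, __u32 *sid) { *sid = 0; }`. The first hunk on this line (the security_operations member and the CONFIG_SECURITY wrapper) begins outside the visible text, so the struct-member addition could not be checked here.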
@@ -0,0 +1,52 @@
+/*
+ * SELinux services exported to the rest of the kernel.
+ *
+ * Author: James Morris <jmorris@redhat.com>
+ *
+ * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+#ifndef _LINUX_SELINUX_H
+#define _LINUX_SELINUX_H
+
+#ifdef CONFIG_SECURITY_SELINUX
+
+/**
+ * selinux_available - check if SELinux is available for use.
+ *
+ * Returns true if configured, enabled, not disabled and policy loaded.
+ */
+int selinux_available(void);
+
+/**
+ * selinux_id_to_ctx - map a security context ID to a string
+ * @ctxid: security context ID to be converted.
+ * @ctx: address of context string to be returned
+ * @ctxlen: length of returned context string.
+ *
+ * Returns 0 if successful, -errno if not. On success, the context
+ * string will be allocated internally, and the caller must call
+ * kfree() on it after use.
+ */
+int selinux_id_to_ctx(u32 ctxid, char **ctx, u32 *ctxlen);
+
+#else
+
+static inline int selinux_available(void)
+{
+ return 0;
+}
+
+static inline int selinux_id_to_ctx(u32 ctxid, char **ctx, u32 *ctxlen)
+{
+ *ctx = NULL;
+ *ctxlen = 0;
+ return 0;
+}
+
+#endif /* CONFIG_SECURITY_SELINUX */
+
+#endif /* _LINUX_SELINUX_H */
diff --git a/kernel/audit.c b/kernel/audit.c
index d95efd6..4ca77dd 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -50,6 +50,7 @@
 #include <linux/kthread.h>
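Review bot: The kernel-doc for `selinux_id_to_ctx` promises that on success the context string is allocated and must be kfree()'d, but the !CONFIG_SECURITY_SELINUX stub a few lines below returns 0 with `*ctx = NULL` and `*ctxlen = 0`, so a zero return does not guarantee a non-NULL string and callers must check `*ctx` before using it. Add that to the comment: ` * When SELinux is not built in, returns 0 with *ctx == NULL and *ctxlen == 0;` ` * callers must handle a NULL context on success (kfree(NULL) is safe).` The `selinux_available` doc also claims "configured, enabled, not disabled and policy loaded" while the exports.c implementation visible later on this page returns only `ss_initialized`; if that single flag is meant to imply the other conditions, say so in the comment rather than listing them as separate checks. The header uses `u32` without pulling in `<linux/types.h>`, which presumably works only because every current includer already has it.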
#include <linux/audit.h>
#include <net/sock.h>
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) { - u32 uid, pid, seq; + u32 uid, pid, sid, seq; void *data; struct audit_status *status_get, status_set; int err; diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 96020d7..1f4b241 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1120,6 +1120,7 @@ static int netlink_sendmsg(struct kiocb NETLINK_CB(skb).dst_pid = dst_pid; NETLINK_CB(skb).dst_group = dst_group; NETLINK_CB(skb).loginuid = audit_get_loginuid(current->audit_context); + security_task_getsecid(current, &NETLINK_CB(skb).secid); memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred)); /* What can I do? Netlink is asynchronous, so thatdiff --git a/security/dummy.c b/security/dummy.c index 75e7c4a..2325823 100644 --- a/security/dummy.c +++ b/security/dummy.c @@ -557,6 +557,12 @@ static void dummy_task_reparent_to_init static void dummy_task_to_inode(struct task_struct *p, struct inode *inode) { } +static void dummy_task_getsecid(struct task_struct *tsk, __u32 *sid) +{ + *sid = 0; + return; +} + static int dummy_ipc_permission (struct kern_ipc_perm *ipcp, short flag) {
return 0;
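Review bot: In the security/dummy.c hunk, `dummy_task_getsecid` ends with a bare `return;` after `*sid = 0;`, which is redundant in a void function and out of step with the neighbouring `dummy_task_to_inode`, whose body is simply `{ }`. Drop the trailing return so the hook reads `{ *sid = 0; }`. Storing 0 here is the right default; it is the !CONFIG_SECURITY inline stub in include/linux/security.h, not this function, that should be brought in line with it. The surrounding `dummy_ipc_permission` continues outside the hunk.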
set_to_dummy_if_null(ops, task_prctl); set_to_dummy_if_null(ops, task_reparent_to_init); set_to_dummy_if_null(ops, task_to_inode); + set_to_dummy_if_null(ops, task_getsecid); set_to_dummy_if_null(ops, ipc_permission); set_to_dummy_if_null(ops, ipc_getsecurity); set_to_dummy_if_null(ops, msg_msg_alloc_security);diff --git a/security/selinux/Makefile b/security/selinux/Makefile index b038cd0..3e3d4eb 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile @@ -4,7 +4,7 @@ obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/ -selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o +selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o exports.o selinux-$(CONFIG_SECURITY_NETWORK) += netif.o
diff --git a/security/selinux/exports.c b/security/selinux/exports.c
new file mode 100644
+/*
+ * SELinux services exported to the rest of the kernel.
+ *
+ * Author: James Morris <jmorris@redhat.com>
+ *
+ * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+#include <linux/types.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/selinux.h>
+
+#include "security.h"
+
+extern int ss_initialized;
+
+int selinux_available(void)
+{
+ return ss_initialized;
+}
+
+int selinux_id_to_ctx(u32 ctxid, char **ctx, u32 *ctxlen)
+{
+ return security_sid_to_context(ctxid, ctx, ctxlen);
+}
+
+EXPORT_SYMBOL_GPL(selinux_available);
+EXPORT_SYMBOL_GPL(selinux_id_to_ctx);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 21c8aa6..d2356ad 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2769,6 +2769,14 @@ static void selinux_task_to_inode(struct
return;
+static void selinux_task_getsecid(struct task_struct *tsk, __u32 *sid)
+{
+ struct task_security_struct *tsec = tsk->security;
+
+ *sid = tsec->sid;
+ return;
+}
+
 #ifdef CONFIG_SECURITY_NETWORK
/* Returns error only if unable to parse addresses */
.task_prctl = selinux_task_prctl, .task_reparent_to_init = selinux_task_reparent_to_init, .task_to_inode = selinux_task_to_inode, + .task_getsecid = selinux_task_getsecid, .ipc_permission = selinux_ipc_permission, .ipc_getsecurity = selinux_ipc_getsecurity,diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 5f016c9..a2e5bb0 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -63,7 +63,7 @@ int security_change_sid(u32 ssid, u32 ts int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len); -int security_context_to_sid(char *scontext, u32 scontext_len, +int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *out_sid);
int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid);
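Review bot: The security.h hunk const-qualifies `security_context_to_sid`'s `scontext`, and the services.c hunk does the same for `security_context_to_sid_core`, but `security_context_to_sid_default` on the context line right after keeps a non-const `char *scontext`. If `_default` forwards to the now-const `_core` as its name suggests, the prototype should follow: `int security_context_to_sid_default(const char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid);`, with the matching definition in services.c updated in the same patch. Leaving it non-const means a caller holding a `const char *` label still has to cast for one of the two entry points.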
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 2311255..c66f765 100644
} -static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) +static int security_context_to_sid_core(const char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) { char *scontext2; struct context context; @@ -743,7 +743,7 @@ out:
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Tue 14 Feb 2006 - 18:36:43 EST |