
The following patch set enables atomic security labeling of newly created inodes by altering the fs code to invoke a new LSM hook to obtain the security attribute to apply to a newly created inode and to set up the incore inode security state during the inode creation transaction. This parallels the existing processing for setting ACLs on newly created inodes. Otherwise, it is possible for new inodes to be accessed by another thread via the dcache prior to complete security setup (presently handled by the post_create/mkdir/... LSM hooks in the VFS) and a newly created inode may be left unlabeled on the disk in the event of a crash. SELinux presently works around the issue by ensuring that the incore inode security label is initialized to a special SID that is inaccessible to unprivileged processes (in accordance with policy), thereby preventing inappropriate access but potentially causing false denials on legitimate accesses. A simple test program demonstrates such false denials on SELinux, and the patch solves the problem. Similar such false denials have been encountered in real applications. This patch defines a new inode_init_security LSM hook to obtain the security attribute to apply to a newly created inode and to set up the incore inode security state for it, and adds a corresponding hook function implementation to SELinux. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
/*
 * NSA Security-Enhanced Linux (SELinux) security module
 *
 * This file contains the SELinux security data structures for kernel objects.
 *
 * Author(s): Stephen Smalley, <sds@epoch.ncsc.mil>
 *            Chris Vance, <cvance@nai.com>
 *            Wayne Salamon, <wsalamon@nai.com>
 *            James Morris <jmorris@redhat.com>
 *
 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2,
 * as published by the Free Software Foundation.
 */
#ifndef _SELINUX_OBJSEC_H_
#define _SELINUX_OBJSEC_H_
#include <linux/list.h>
#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/binfmts.h>
#include <linux/in.h>
#include "flask.h"
#include "avc.h"
/*
 * Per-task SELinux state, hung off a task_struct.  All label fields are
 * SIDs (u32 handles into the SELinux security server's SID table).
 */
struct task_security_struct {
	unsigned long magic;		/* magic number for this module */
	struct task_struct *task;	/* back pointer to task object */
	u32 osid;			/* SID prior to last execve */
	u32 sid;			/* current SID */
	u32 exec_sid;			/* exec SID (NOTE(review): presumably the label
					 * requested for the next execve - confirm) */
	u32 create_sid;			/* fscreate SID (NOTE(review): presumably the label
					 * requested for files this task creates - confirm) */
	u32 ptrace_sid;			/* SID of ptrace parent */
};
/*
 * Per-inode SELinux state, hung off an inode.
 *
 * The commit this header belongs to introduces the inode_init_security hook so
 * that sid/sclass are set up during the inode creation transaction, rather than
 * after the inode is already reachable via the dcache.  The initialized /
 * security_attr_init flags presumably record whether that setup has completed
 * for this inode - confirm against hooks.c.
 */
struct inode_security_struct {
	unsigned long magic;		/* magic number for this module */
	struct inode *inode;		/* back pointer to inode object */
	struct list_head list;		/* list of inode_security_struct
					 * (presumably linked into the owning
					 * superblock_security_struct.isec_head) */
	u32 task_sid;			/* SID of creating task */
	u32 sid;			/* SID of this object */
	u16 sclass;			/* security class of this object */
	unsigned char initialized;	/* initialization flag */
	struct semaphore sem;		/* NOTE(review): presumably serializes label
					 * initialization of this inode - confirm */
	unsigned char inherit;		/* inherit SID from parent entry */
	unsigned char security_attr_init; /* security attributes init flag */
};
/*
 * Per-open-file SELinux state, hung off a struct file.  Note that the
 * label here is that of the open file description, distinct from the
 * inode's own sid in inode_security_struct.
 */
struct file_security_struct {
	unsigned long magic;		/* magic number for this module */
	struct file *file;		/* back pointer to file object */
	u32 sid;			/* SID of open file description */
	u32 fown_sid;			/* SID of file owner (for SIGIO) */
};
/*
 * Per-superblock SELinux state, hung off a super_block.  Carries the
 * filesystem's own label plus the default label and labeling behavior
 * applied to inodes on it.
 */
struct superblock_security_struct {
	unsigned long magic;		/* magic number for this module */
	struct super_block *sb;		/* back pointer to sb object */
	struct list_head list;		/* list of superblock_security_struct */
	u32 sid;			/* SID of file system */
	u32 def_sid;			/* default SID for labeling */
	unsigned int behavior;		/* labeling behavior */
	unsigned char initialized;	/* initialization flag */
	unsigned char proc;		/* proc fs */
	struct semaphore sem;		/* NOTE(review): presumably serializes
					 * initialization of this sb's state - confirm */
	struct list_head isec_head;	/* head of the per-sb inode_security_struct list
					 * (presumably linked via inode_security_struct.list) */
	spinlock_t isec_lock;		/* NOTE(review): presumably protects isec_head - confirm */
};
/* SELinux state for a single System V IPC message (struct msg_msg). */
struct msg_security_struct {
	unsigned long magic;		/* magic number for this module */
	struct msg_msg *msg;		/* back pointer */
	u32 sid;			/* SID of message */
};
/*
 * SELinux state for a System V IPC object (kern_ipc_perm).  sclass is
 * carried explicitly because the same struct serves several IPC kinds.
 */
struct ipc_security_struct {
	unsigned long magic;		/* magic number for this module */
	struct kern_ipc_perm *ipc_perm;	/* back pointer */
	u16 sclass;			/* security class of this object */
	u32 sid;			/* SID of IPC resource */
};
/*
 * SELinux state carried across an execve, hung off a linux_binprm.
 */
struct bprm_security_struct {
	unsigned long magic;		/* magic number for this module */
	struct linux_binprm *bprm;	/* back pointer to bprm object */
	u32 sid;			/* SID for transformed process */
	unsigned char set;		/* NOTE(review): presumably records that sid
					 * has been computed for this exec - confirm */

	/*
	 * unsafe is used to share failure information from bprm_apply_creds()
	 * to bprm_post_apply_creds().
	 */
	char unsafe;
};
/*
 * SELinux state for a network interface.  Unlike the other per-object
 * structs in this header it carries no magic field.
 */
struct netif_security_struct {
	struct net_device *dev;		/* back pointer */
	u32 if_sid;			/* SID for this interface */
	u32 msg_sid;			/* default SID for messages received on this interface */
};
/* SELinux state for a socket (struct sock). */
struct sk_security_struct {
	unsigned long magic;		/* magic number for this module */
	struct sock *sk;		/* back pointer to sk object */
	u32 peer_sid;			/* SID of peer */
};
/*
 * Global tunable defined elsewhere in the module.  NOTE(review): its
 * meaning is not visible from this header - confirm in hooks.c.
 */
extern unsigned int selinux_checkreqprot;
#endif /* _SELINUX_OBJSEC_H_ */