Thanks Stephen.
This updated patch fixes a bug in the original where a
non-deletion-safe linked list iterator was being used to free the
list. Updated to the deletion safe version.
On Wed, Apr 22, 2015 at 5:25 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 04/21/2015 07:03 PM, Jeff Vander Stoep wrote:
>> Extend the generic ioctl permission check with support for per-command
>> filtering. Source/target/class sets including the ioctl permission may
>> additionally include a set of commands. Example:
>>
>> allow <source> <target>:<class> { 0x8910-0x8926 0x892A-0x8935 }
>> auditallow <source> <target>:<class> 0x892A
>>
>> When ioctl commands are omitted only the permissions are checked. This
>> feature is intended to provide finer granularity for the ioctl
>> permission which may be too imprecise in some circumstances. For
>> example, the same driver may use ioctls to provide important and
>> benign functionality such as driver version or socket type as well as
>> dangerous capabilities such as debugging features, read/write/execute
>> to physical memory or access to sensitive data. Per-command filtering
>> provides a mechanism to reduce the attack surface of the kernel, and
>> limit applications to the subset of commands required.
>>
>> The format of the policy binary has been modified to include ioctl
>> commands, and the policy version number has been incremented to
>> POLICYDB_VERSION_IOCTL_OPERATIONS=30 to account for the format change.
>>
>> Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
>
> Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>
> No need to re-send, but normally you'd include some indication of how
> the new version differs from the prior one, either as part of the
> description if it makes sense to include in the change log or after the
> marker line (---) otherwise.
>
>> ---
>> security/selinux/avc.c | 424 ++++++++++++++++++++++++++++++++++--
>> security/selinux/hooks.c | 40 +++-
>> security/selinux/include/avc.h | 5 +
>> security/selinux/include/security.h | 34 ++-
>> security/selinux/ss/avtab.c | 91 ++++++--
>> security/selinux/ss/avtab.h | 25 ++-
>> security/selinux/ss/conditional.c | 32 ++-
>> security/selinux/ss/conditional.h | 6 +-
>> security/selinux/ss/policydb.c | 5 +
>> security/selinux/ss/services.c | 202 +++++++++++++++--
>> security/selinux/ss/services.h | 6 +
>> 11 files changed, 810 insertions(+), 60 deletions(-)
>>
>> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
>> index 3c17dda..47918fa 100644
>> --- a/security/selinux/avc.c
>> +++ b/security/selinux/avc.c
>> @@ -22,6 +22,7 @@
>> #include <linux/init.h>
>> #include <linux/skbuff.h>
>> #include <linux/percpu.h>
>> +#include <linux/list.h>
>> #include <net/sock.h>
>> #include <linux/un.h>
>> #include <net/af_unix.h>
>> @@ -48,6 +49,7 @@ struct avc_entry {
>> u32 tsid;
>> u16 tclass;
>> struct av_decision avd;
>> + struct avc_operation_node *ops_node;
>> };
>>
>> struct avc_node {
>> @@ -64,6 +66,16 @@ struct avc_cache {
>> u32 latest_notif; /* latest revocation notification */
>> };
>>
>> +struct avc_operation_decision_node {
>> + struct operation_decision od;
>> + struct list_head od_list;
>> +};
>> +
>> +struct avc_operation_node {
>> + struct operation ops;
>> + struct list_head od_head; /* list of operation_decision_node */
>> +};
>> +
>> struct avc_callback_node {
>> int (*callback) (u32 event);
>> u32 events;
>> @@ -80,6 +92,9 @@ DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 };
>> static struct avc_cache avc_cache;
>> static struct avc_callback_node *avc_callbacks;
>> static struct kmem_cache *avc_node_cachep;
>> +static struct kmem_cache *avc_operation_decision_node_cachep;
>> +static struct kmem_cache *avc_operation_node_cachep;
>> +static struct kmem_cache *avc_operation_perm_cachep;
>>
>> static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
>> {
>> @@ -171,6 +186,16 @@ void __init avc_init(void)
>>
>> avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
>> 0, SLAB_PANIC, NULL);
>> + avc_operation_node_cachep = kmem_cache_create("avc_operation_node",
>> + sizeof(struct avc_operation_node),
>> + 0, SLAB_PANIC, NULL);
>> + avc_operation_decision_node_cachep = kmem_cache_create(
>> + "avc_operation_decision_node",
>> + sizeof(struct avc_operation_decision_node),
>> + 0, SLAB_PANIC, NULL);
>> + avc_operation_perm_cachep = kmem_cache_create("avc_operation_perm",
>> + sizeof(struct operation_perm),
>> + 0, SLAB_PANIC, NULL);
>>
>> audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n");
>> }
>> @@ -205,9 +230,271 @@ int avc_get_hash_stats(char *page)
>> slots_used, AVC_CACHE_SLOTS, max_chain_len);
>> }
>>
>> +/*
>> + * using a linked list for operation_decision lookup because the list is
>> + * always small. i.e. less than 5, typically 1
>> + */
>> +static struct operation_decision *avc_operation_lookup(u8 type,
>> + struct avc_operation_node *ops_node)
>> +{
>> + struct avc_operation_decision_node *od_node;
>> + struct operation_decision *od = NULL;
>> +
>> + list_for_each_entry(od_node, &ops_node->od_head, od_list) {
>> + if (od_node->od.type != type)
>> + continue;
>> + od = &od_node->od;
>> + break;
>> + }
>> + return od;
>> +}
>> +
>> +static inline unsigned int avc_operation_has_perm(struct operation_decision *od,
>> + u16 cmd, u8 specified)
>> +{
>> + unsigned int rc = 0;
>> + u8 num = cmd & 0xff;
>> +
>> + if ((specified == OPERATION_ALLOWED) &&
>> + (od->specified & OPERATION_ALLOWED))
>> + rc = security_operation_test(od->allowed->perms, num);
>> + else if ((specified == OPERATION_AUDITALLOW) &&
>> + (od->specified & OPERATION_AUDITALLOW))
>> + rc = security_operation_test(od->auditallow->perms, num);
>> + else if ((specified == OPERATION_DONTAUDIT) &&
>> + (od->specified & OPERATION_DONTAUDIT))
>> + rc = security_operation_test(od->dontaudit->perms, num);
>> + return rc;
>> +}
>> +
>> +static void avc_operation_allow_perm(struct avc_operation_node *node, u16 cmd)
>> +{
>> + struct operation_decision *od;
>> + u8 type;
>> + u8 num;
>> +
>> + type = cmd >> 8;
>> + num = cmd & 0xff;
>> + security_operation_set(node->ops.type, type);
>> + od = avc_operation_lookup(type, node);
>> + if (od && od->allowed)
>> + security_operation_set(od->allowed->perms, num);
>> +}
>> +
>> +static void avc_operation_decision_free(
>> + struct avc_operation_decision_node *od_node)
>> +{
>> + struct operation_decision *od;
>> +
>> + od = &od_node->od;
>> + if (od->allowed)
>> + kmem_cache_free(avc_operation_perm_cachep, od->allowed);
>> + if (od->auditallow)
>> + kmem_cache_free(avc_operation_perm_cachep, od->auditallow);
>> + if (od->dontaudit)
>> + kmem_cache_free(avc_operation_perm_cachep, od->dontaudit);
>> + kmem_cache_free(avc_operation_decision_node_cachep, od_node);
>> +}
>> +
>> +static void avc_operation_free(struct avc_operation_node *ops_node)
>> +{
>> + struct avc_operation_decision_node *od_node, *tmp;
>> +
>> + if (!ops_node)
>> + return;
>> +
>> + list_for_each_entry_safe(od_node, tmp, &ops_node->od_head, od_list) {
>> + list_del(&od_node->od_list);
>> + avc_operation_decision_free(od_node);
>> + }
>> + kmem_cache_free(avc_operation_node_cachep, ops_node);
>> +}
>> +
>> +static void avc_copy_operation_decision(struct operation_decision *dest,
>> + struct operation_decision *src)
>> +{
>> + dest->type = src->type;
>> + dest->specified = src->specified;
>> + if (dest->specified & OPERATION_ALLOWED)
>> + memcpy(dest->allowed->perms, src->allowed->perms,
>> + sizeof(src->allowed->perms));
>> + if (dest->specified & OPERATION_AUDITALLOW)
>> + memcpy(dest->auditallow->perms, src->auditallow->perms,
>> + sizeof(src->auditallow->perms));
>> + if (dest->specified & OPERATION_DONTAUDIT)
>> + memcpy(dest->dontaudit->perms, src->dontaudit->perms,
>> + sizeof(src->dontaudit->perms));
>> +}
>> +
>> +/*
>> + * similar to avc_copy_operation_decision, but only copy decision
>> + * information relevant to this command
>> + */
>> +static inline void avc_quick_copy_operation_decision(u16 cmd,
>> + struct operation_decision *dest,
>> + struct operation_decision *src)
>> +{
>> + /*
>> + * compute index of the u32 of the 256 bits (8 u32s) that contain this
>> + * command permission
>> + */
>> + u8 i = (0xff & cmd) >> 5;
>> +
>> + dest->specified = src->specified;
>> + if (dest->specified & OPERATION_ALLOWED)
>> + dest->allowed->perms[i] = src->allowed->perms[i];
>> + if (dest->specified & OPERATION_AUDITALLOW)
>> + dest->auditallow->perms[i] = src->auditallow->perms[i];
>> + if (dest->specified & OPERATION_DONTAUDIT)
>> + dest->dontaudit->perms[i] = src->dontaudit->perms[i];
>> +}
>> +
>> +static struct avc_operation_decision_node
>> + *avc_operation_decision_alloc(u8 specified)
>> +{
>> + struct avc_operation_decision_node *node;
>> + struct operation_decision *od;
>> +
>> + node = kmem_cache_zalloc(avc_operation_decision_node_cachep,
>> + GFP_ATOMIC | __GFP_NOMEMALLOC);
>> + if (!node)
>> + return NULL;
>> +
>> + od = &node->od;
>> + if (specified & OPERATION_ALLOWED) {
>> + od->allowed = kmem_cache_zalloc(avc_operation_perm_cachep,
>> + GFP_ATOMIC | __GFP_NOMEMALLOC);
>> + if (!od->allowed)
>> + goto error;
>> + }
>> + if (specified & OPERATION_AUDITALLOW) {
>> + od->auditallow = kmem_cache_zalloc(avc_operation_perm_cachep,
>> + GFP_ATOMIC | __GFP_NOMEMALLOC);
>> + if (!od->auditallow)
>> + goto error;
>> + }
>> + if (specified & OPERATION_DONTAUDIT) {
>> + od->dontaudit = kmem_cache_zalloc(avc_operation_perm_cachep,
>> + GFP_ATOMIC | __GFP_NOMEMALLOC);
>> + if (!od->dontaudit)
>> + goto error;
>> + }
>> + return node;
>> +error:
>> + avc_operation_decision_free(node);
>> + return NULL;
>> +}
>> +
>> +static int avc_add_operation(struct avc_node *node,
>> + struct operation_decision *od)
>> +{
>> + struct avc_operation_decision_node *dest_od;
>> +
>> + node->ae.ops_node->ops.len++;
>> + dest_od = avc_operation_decision_alloc(od->specified);
>> + if (!dest_od)
>> + return -ENOMEM;
>> + avc_copy_operation_decision(&dest_od->od, od);
>> + list_add(&dest_od->od_list, &node->ae.ops_node->od_head);
>> + return 0;
>> +}
>> +
>> +static struct avc_operation_node *avc_operation_alloc(void)
>> +{
>> + struct avc_operation_node *ops;
>> +
>> + ops = kmem_cache_zalloc(avc_operation_node_cachep,
>> + GFP_ATOMIC|__GFP_NOMEMALLOC);
>> + if (!ops)
>> + return ops;
>> + INIT_LIST_HEAD(&ops->od_head);
>> + return ops;
>> +}
>> +
>> +static int avc_operation_populate(struct avc_node *node,
>> + struct avc_operation_node *src)
>> +{
>> + struct avc_operation_node *dest;
>> + struct avc_operation_decision_node *dest_od;
>> + struct avc_operation_decision_node *src_od;
>> +
>> + if (src->ops.len == 0)
>> + return 0;
>> + dest = avc_operation_alloc();
>> + if (!dest)
>> + return -ENOMEM;
>> +
>> + memcpy(dest->ops.type, &src->ops.type, sizeof(dest->ops.type));
>> + dest->ops.len = src->ops.len;
>> +
>> + /* for each source od allocate a destination od and copy */
>> + list_for_each_entry(src_od, &src->od_head, od_list) {
>> + dest_od = avc_operation_decision_alloc(src_od->od.specified);
>> + if (!dest_od)
>> + goto error;
>> + avc_copy_operation_decision(&dest_od->od, &src_od->od);
>> + list_add(&dest_od->od_list, &dest->od_head);
>> + }
>> + node->ae.ops_node = dest;
>> + return 0;
>> +error:
>> + avc_operation_free(dest);
>> + return -ENOMEM;
>> +
>> +}
>> +
>> +static inline u32 avc_operation_audit_required(u32 requested,
>> + struct av_decision *avd,
>> + struct operation_decision *od,
>> + u16 cmd,
>> + int result,
>> + u32 *deniedp)
>> +{
>> + u32 denied, audited;
>> +
>> + denied = requested & ~avd->allowed;
>> + if (unlikely(denied)) {
>> + audited = denied & avd->auditdeny;
>> + if (audited && od) {
>> + if (avc_operation_has_perm(od, cmd,
>> + OPERATION_DONTAUDIT))
>> + audited &= ~requested;
>> + }
>> + } else if (result) {
>> + audited = denied = requested;
>> + } else {
>> + audited = requested & avd->auditallow;
>> + if (audited && od) {
>> + if (!avc_operation_has_perm(od, cmd,
>> + OPERATION_AUDITALLOW))
>> + audited &= ~requested;
>> + }
>> + }
>> +
>> + *deniedp = denied;
>> + return audited;
>> +}
>> +
>> +static inline int avc_operation_audit(u32 ssid, u32 tsid, u16 tclass,
>> + u32 requested, struct av_decision *avd,
>> + struct operation_decision *od,
>> + u16 cmd, int result,
>> + struct common_audit_data *ad)
>> +{
>> + u32 audited, denied;
>> +
>> + audited = avc_operation_audit_required(
>> + requested, avd, od, cmd, result, &denied);
>> + if (likely(!audited))
>> + return 0;
>> + return slow_avc_audit(ssid, tsid, tclass, requested,
>> + audited, denied, result, ad, 0);
>> +}
>> +
>> static void avc_node_free(struct rcu_head *rhead)
>> {
>> struct avc_node *node = container_of(rhead, struct avc_node, rhead);
>> + avc_operation_free(node->ae.ops_node);
>> kmem_cache_free(avc_node_cachep, node);
>> avc_cache_stats_incr(frees);
>> }
>> @@ -221,6 +508,7 @@ static void avc_node_delete(struct avc_node *node)
>>
>> static void avc_node_kill(struct avc_node *node)
>> {
>> + avc_operation_free(node->ae.ops_node);
>> kmem_cache_free(avc_node_cachep, node);
>> avc_cache_stats_incr(frees);
>> atomic_dec(&avc_cache.active_nodes);
>> @@ -367,6 +655,7 @@ static int avc_latest_notif_update(int seqno, int is_insert)
>> * @tsid: target security identifier
>> * @tclass: target security class
>> * @avd: resulting av decision
>> + * @ops: resulting operation decisions
>> *
>> * Insert an AVC entry for the SID pair
>> * (@ssid, @tsid) and class @tclass.
>> @@ -378,7 +667,9 @@ static int avc_latest_notif_update(int seqno, int is_insert)
>> * the access vectors into a cache entry, returns
>> * avc_node inserted. Otherwise, this function returns NULL.
>> */
>> -static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd)
>> +static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass,
>> + struct av_decision *avd,
>> + struct avc_operation_node *ops_node)
>> {
>> struct avc_node *pos, *node = NULL;
>> int hvalue;
>> @@ -391,10 +682,15 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct av_dec
>> if (node) {
>> struct hlist_head *head;
>> spinlock_t *lock;
>> + int rc = 0;
>>
>> hvalue = avc_hash(ssid, tsid, tclass);
>> avc_node_populate(node, ssid, tsid, tclass, avd);
>> -
>> + rc = avc_operation_populate(node, ops_node);
>> + if (rc) {
>> + kmem_cache_free(avc_node_cachep, node);
>> + return NULL;
>> + }
>> head = &avc_cache.slots[hvalue];
>> lock = &avc_cache.slots_lock[hvalue];
>>
>> @@ -523,14 +819,17 @@ out:
>> * @perms : Permission mask bits
>> * @ssid,@tsid,@tclass : identifier of an AVC entry
>> * @seqno : sequence number when decision was made
>> + * @od: operation_decision to be added to the node
>> *
>> * if a valid AVC entry doesn't exist,this function returns -ENOENT.
>> * if kmalloc() called internal returns NULL, this function returns -ENOMEM.
>> * otherwise, this function updates the AVC entry. The original AVC-entry object
>> * will release later by RCU.
>> */
>> -static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
>> - u32 seqno)
>> +static int avc_update_node(u32 event, u32 perms, u16 cmd, u32 ssid, u32 tsid,
>> + u16 tclass, u32 seqno,
>> + struct operation_decision *od,
>> + u32 flags)
>> {
>> int hvalue, rc = 0;
>> unsigned long flag;
>> @@ -574,9 +873,19 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
>>
>> avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd);
>>
>> + if (orig->ae.ops_node) {
>> + rc = avc_operation_populate(node, orig->ae.ops_node);
>> + if (rc) {
>> + kmem_cache_free(avc_node_cachep, node);
>> + goto out_unlock;
>> + }
>> + }
>> +
>> switch (event) {
>> case AVC_CALLBACK_GRANT:
>> node->ae.avd.allowed |= perms;
>> + if (node->ae.ops_node && (flags & AVC_OPERATION_CMD))
>> + avc_operation_allow_perm(node->ae.ops_node, cmd);
>> break;
>> case AVC_CALLBACK_TRY_REVOKE:
>> case AVC_CALLBACK_REVOKE:
>> @@ -594,6 +903,9 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
>> case AVC_CALLBACK_AUDITDENY_DISABLE:
>> node->ae.avd.auditdeny &= ~perms;
>> break;
>> + case AVC_CALLBACK_ADD_OPERATION:
>> + avc_add_operation(node, od);
>> + break;
>> }
>> avc_node_replace(node, orig);
>> out_unlock:
>> @@ -665,18 +977,20 @@ int avc_ss_reset(u32 seqno)
>> * results in a bigger stack frame.
>> */
>> static noinline struct avc_node *avc_compute_av(u32 ssid, u32 tsid,
>> - u16 tclass, struct av_decision *avd)
>> + u16 tclass, struct av_decision *avd,
>> + struct avc_operation_node *ops_node)
>> {
>> rcu_read_unlock();
>> - security_compute_av(ssid, tsid, tclass, avd);
>> + INIT_LIST_HEAD(&ops_node->od_head);
>> + security_compute_av(ssid, tsid, tclass, avd, &ops_node->ops);
>> rcu_read_lock();
>> - return avc_insert(ssid, tsid, tclass, avd);
>> + return avc_insert(ssid, tsid, tclass, avd, ops_node);
>> }
>>
>> static noinline int avc_denied(u32 ssid, u32 tsid,
>> - u16 tclass, u32 requested,
>> - unsigned flags,
>> - struct av_decision *avd)
>> + u16 tclass, u32 requested,
>> + u16 cmd, unsigned flags,
>> + struct av_decision *avd)
>> {
>> if (flags & AVC_STRICT)
>> return -EACCES;
>> @@ -684,11 +998,92 @@ static noinline int avc_denied(u32 ssid, u32 tsid,
>> if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
>> return -EACCES;
>>
>> - avc_update_node(AVC_CALLBACK_GRANT, requested, ssid,
>> - tsid, tclass, avd->seqno);
>> + avc_update_node(AVC_CALLBACK_GRANT, requested, cmd, ssid,
>> + tsid, tclass, avd->seqno, NULL, flags);
>> return 0;
>> }
>>
>> +/*
>> + * ioctl commands are comprised of four fields, direction, size, type, and
>> + * number. The avc operation logic filters based on two of them:
>> + *
>> + * type: or code, typically unique to each driver
>> + * number: or function
>> + *
>> + * For example, 0x89 is a socket type, and number 0x27 is the get hardware
>> + * address function.
>> + */
>> +int avc_has_operation(u32 ssid, u32 tsid, u16 tclass, u32 requested,
>> + u16 cmd, struct common_audit_data *ad)
>> +{
>> + struct avc_node *node;
>> + struct av_decision avd;
>> + u32 denied;
>> + struct operation_decision *od = NULL;
>> + struct operation_decision od_local;
>> + struct operation_perm allowed;
>> + struct operation_perm auditallow;
>> + struct operation_perm dontaudit;
>> + struct avc_operation_node local_ops_node;
>> + struct avc_operation_node *ops_node;
>> + u8 type = cmd >> 8;
>> + int rc = 0, rc2;
>> +
>> + ops_node = &local_ops_node;
>> + BUG_ON(!requested);
>> +
>> + rcu_read_lock();
>> +
>> + node = avc_lookup(ssid, tsid, tclass);
>> + if (unlikely(!node)) {
>> + node = avc_compute_av(ssid, tsid, tclass, &avd, ops_node);
>> + } else {
>> + memcpy(&avd, &node->ae.avd, sizeof(avd));
>> + ops_node = node->ae.ops_node;
>> + }
>> + /* if operations are not defined, only consider av_decision */
>> + if (!ops_node || !ops_node->ops.len)
>> + goto decision;
>> +
>> + od_local.allowed = &allowed;
>> + od_local.auditallow = &auditallow;
>> + od_local.dontaudit = &dontaudit;
>> +
>> + /* lookup operation decision */
>> + od = avc_operation_lookup(type, ops_node);
>> + if (unlikely(!od)) {
>> + /* Compute operation decision if type is flagged */
>> + if (!security_operation_test(ops_node->ops.type, type)) {
>> + avd.allowed &= ~requested;
>> + goto decision;
>> + }
>> + rcu_read_unlock();
>> + security_compute_operation(ssid, tsid, tclass, type, &od_local);
>> + rcu_read_lock();
>> + avc_update_node(AVC_CALLBACK_ADD_OPERATION, requested, cmd,
>> + ssid, tsid, tclass, avd.seqno, &od_local, 0);
>> + } else {
>> + avc_quick_copy_operation_decision(cmd, &od_local, od);
>> + }
>> + od = &od_local;
>> +
>> + if (!avc_operation_has_perm(od, cmd, OPERATION_ALLOWED))
>> + avd.allowed &= ~requested;
>> +
>> +decision:
>> + denied = requested & ~(avd.allowed);
>> + if (unlikely(denied))
>> + rc = avc_denied(ssid, tsid, tclass, requested, cmd,
>> + AVC_OPERATION_CMD, &avd);
>> +
>> + rcu_read_unlock();
>> +
>> + rc2 = avc_operation_audit(ssid, tsid, tclass, requested,
>> + &avd, od, cmd, rc, ad);
>> + if (rc2)
>> + return rc2;
>> + return rc;
>> +}
>>
>> /**
>> * avc_has_perm_noaudit - Check permissions but perform no auditing.
>> @@ -716,6 +1111,7 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
>> struct av_decision *avd)
>> {
>> struct avc_node *node;
>> + struct avc_operation_node ops_node;
>> int rc = 0;
>> u32 denied;
>>
>> @@ -725,13 +1121,13 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
>>
>> node = avc_lookup(ssid, tsid, tclass);
>> if (unlikely(!node))
>> - node = avc_compute_av(ssid, tsid, tclass, avd);
>> + node = avc_compute_av(ssid, tsid, tclass, avd, &ops_node);
>> else
>> memcpy(avd, &node->ae.avd, sizeof(*avd));
>>
>> denied = requested & ~(avd->allowed);
>> if (unlikely(denied))
>> - rc = avc_denied(ssid, tsid, tclass, requested, flags, avd);
>> + rc = avc_denied(ssid, tsid, tclass, requested, 0, flags, avd);
>>
>> rcu_read_unlock();
>> return rc;
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 4d1a541..0fe64bb 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -3239,6 +3239,44 @@ static void selinux_file_free_security(struct file *file)
>> file_free_security(file);
>> }
>>
>> +/*
>> + * Check whether a task has the ioctl permission and cmd
>> + * operation to an inode.
>> + */
>> +int ioctl_has_perm(const struct cred *cred, struct file *file,
>> + u32 requested, u16 cmd)
>> +{
>> + struct common_audit_data ad;
>> + struct file_security_struct *fsec = file->f_security;
>> + struct inode *inode = file_inode(file);
>> + struct inode_security_struct *isec = inode->i_security;
>> + struct lsm_ioctlop_audit ioctl;
>> + u32 ssid = cred_sid(cred);
>> + int rc;
>> +
>> + ad.type = LSM_AUDIT_DATA_IOCTL_OP;
>> + ad.u.op = &ioctl;
>> + ad.u.op->cmd = cmd;
>> + ad.u.op->path = file->f_path;
>> +
>> + if (ssid != fsec->sid) {
>> + rc = avc_has_perm(ssid, fsec->sid,
>> + SECCLASS_FD,
>> + FD__USE,
>> + &ad);
>> + if (rc)
>> + goto out;
>> + }
>> +
>> + if (unlikely(IS_PRIVATE(inode)))
>> + return 0;
>> +
>> + rc = avc_has_operation(ssid, isec->sid, isec->sclass,
>> + requested, cmd, &ad);
>> +out:
>> + return rc;
>> +}
>> +
>> static int selinux_file_ioctl(struct file *file, unsigned int cmd,
>> unsigned long arg)
>> {
>> @@ -3281,7 +3319,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
>> * to the file's ioctl() function.
>> */
>> default:
>> - error = file_has_perm(cred, file, FILE__IOCTL);
>> + error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
>> }
>> return error;
>> }
>> diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
>> index ddf8eec..3165d4e 100644
>> --- a/security/selinux/include/avc.h
>> +++ b/security/selinux/include/avc.h
>> @@ -142,6 +142,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
>> }
>>
>> #define AVC_STRICT 1 /* Ignore permissive mode. */
>> +#define AVC_OPERATION_CMD 2 /* ignore command when updating operations */
>> int avc_has_perm_noaudit(u32 ssid, u32 tsid,
>> u16 tclass, u32 requested,
>> unsigned flags,
>> @@ -151,6 +152,9 @@ int avc_has_perm(u32 ssid, u32 tsid,
>> u16 tclass, u32 requested,
>> struct common_audit_data *auditdata);
>>
>> +int avc_has_operation(u32 ssid, u32 tsid, u16 tclass, u32 requested,
>> + u16 cmd, struct common_audit_data *ad);
>> +
>> u32 avc_policy_seqno(void);
>>
>> #define AVC_CALLBACK_GRANT 1
>> @@ -161,6 +165,7 @@ u32 avc_policy_seqno(void);
>> #define AVC_CALLBACK_AUDITALLOW_DISABLE 32
>> #define AVC_CALLBACK_AUDITDENY_ENABLE 64
>> #define AVC_CALLBACK_AUDITDENY_DISABLE 128
>> +#define AVC_CALLBACK_ADD_OPERATION 256
>>
>> int avc_add_callback(int (*callback)(u32 event), u32 events);
>>
>> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
>> index d1e0b23..9f4f7cb 100644
>> --- a/security/selinux/include/security.h
>> +++ b/security/selinux/include/security.h
>> @@ -35,13 +35,14 @@
>> #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
>> #define POLICYDB_VERSION_DEFAULT_TYPE 28
>> #define POLICYDB_VERSION_CONSTRAINT_NAMES 29
>> +#define POLICYDB_VERSION_IOCTL_OPERATIONS 30
>>
>> /* Range of policy versions we understand*/
>> #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
>> #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
>> #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
>> #else
>> -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_CONSTRAINT_NAMES
>> +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_IOCTL_OPERATIONS
>> #endif
>>
>> /* Mask for just the mount related flags */
>> @@ -108,11 +109,40 @@ struct av_decision {
>> u32 flags;
>> };
>>
>> +#define security_operation_set(perms, x) (perms[x >> 5] |= 1 << (x & 0x1f))
>> +#define security_operation_test(perms, x) (1 & (perms[x >> 5] >> (x & 0x1f)))
>> +
>> +struct operation_perm {
>> + u32 perms[8];
>> +};
>> +
>> +struct operation_decision {
>> + u8 type;
>> + u8 specified;
>> + struct operation_perm *allowed;
>> + struct operation_perm *auditallow;
>> + struct operation_perm *dontaudit;
>> +};
>> +
>> +#define OPERATION_ALLOWED 1
>> +#define OPERATION_AUDITALLOW 2
>> +#define OPERATION_DONTAUDIT 4
>> +#define OPERATION_ALL (OPERATION_ALLOWED | OPERATION_AUDITALLOW |\
>> + OPERATION_DONTAUDIT)
>> +struct operation {
>> + u16 len; /* length of operation decision chain */
>> + u32 type[8]; /* 256 types */
>> +};
>> +
>> /* definitions of av_decision.flags */
>> #define AVD_FLAGS_PERMISSIVE 0x0001
>>
>> void security_compute_av(u32 ssid, u32 tsid,
>> - u16 tclass, struct av_decision *avd);
>> + u16 tclass, struct av_decision *avd,
>> + struct operation *ops);
>> +
>> +void security_compute_operation(u32 ssid, u32 tsid, u16 tclass,
>> + u8 type, struct operation_decision *od);
>>
>> void security_compute_av_user(u32 ssid, u32 tsid,
>> u16 tclass, struct av_decision *avd);
>> diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
>> index b64f277..28a4d27 100644
>> --- a/security/selinux/ss/avtab.c
>> +++ b/security/selinux/ss/avtab.c
>> @@ -24,6 +24,7 @@
>> #include "policydb.h"
>>
>> static struct kmem_cache *avtab_node_cachep;
>> +static struct kmem_cache *avtab_operation_cachep;
>>
>> /* Based on MurmurHash3, written by Austin Appleby and placed in the
>> * public domain.
>> @@ -70,11 +71,24 @@ avtab_insert_node(struct avtab *h, int hvalue,
>> struct avtab_key *key, struct avtab_datum *datum)
>> {
>> struct avtab_node *newnode;
>> + struct avtab_operation *ops;
>> newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);
>> if (newnode == NULL)
>> return NULL;
>> newnode->key = *key;
>> - newnode->datum = *datum;
>> +
>> + if (key->specified & AVTAB_OP) {
>> + ops = kmem_cache_zalloc(avtab_operation_cachep, GFP_KERNEL);
>> + if (ops == NULL) {
>> + kmem_cache_free(avtab_node_cachep, newnode);
>> + return NULL;
>> + }
>> + *ops = *(datum->u.ops);
>> + newnode->datum.u.ops = ops;
>> + } else {
>> + newnode->datum.u.data = datum->u.data;
>> + }
>> +
>> if (prev) {
>> newnode->next = prev->next;
>> prev->next = newnode;
>> @@ -107,8 +121,11 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
>> if (key->source_type == cur->key.source_type &&
>> key->target_type == cur->key.target_type &&
>> key->target_class == cur->key.target_class &&
>> - (specified & cur->key.specified))
>> + (specified & cur->key.specified)) {
>> + if (specified & AVTAB_OPNUM)
>> + break;
>> return -EEXIST;
>> + }
>> if (key->source_type < cur->key.source_type)
>> break;
>> if (key->source_type == cur->key.source_type &&
>> @@ -271,6 +288,9 @@ void avtab_destroy(struct avtab *h)
>> while (cur) {
>> temp = cur;
>> cur = cur->next;
>> + if (temp->key.specified & AVTAB_OP)
>> + kmem_cache_free(avtab_operation_cachep,
>> + temp->datum.u.ops);
>> kmem_cache_free(avtab_node_cachep, temp);
>> }
>> }
>> @@ -359,7 +379,13 @@ static uint16_t spec_order[] = {
>> AVTAB_AUDITALLOW,
>> AVTAB_TRANSITION,
>> AVTAB_CHANGE,
>> - AVTAB_MEMBER
>> + AVTAB_MEMBER,
>> + AVTAB_OPNUM_ALLOWED,
>> + AVTAB_OPNUM_AUDITALLOW,
>> + AVTAB_OPNUM_DONTAUDIT,
>> + AVTAB_OPTYPE_ALLOWED,
>> + AVTAB_OPTYPE_AUDITALLOW,
>> + AVTAB_OPTYPE_DONTAUDIT
>> };
>>
>> int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
>> @@ -369,10 +395,11 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
>> {
>> __le16 buf16[4];
>> u16 enabled;
>> - __le32 buf32[7];
>> u32 items, items2, val, vers = pol->policyvers;
>> struct avtab_key key;
>> struct avtab_datum datum;
>> + struct avtab_operation ops;
>> + __le32 buf32[ARRAY_SIZE(ops.op.perms)];
>> int i, rc;
>> unsigned set;
>>
>> @@ -429,11 +456,15 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
>> printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n");
>> return -EINVAL;
>> }
>> + if (val & AVTAB_OP) {
>> + printk(KERN_ERR "SELinux: avtab: entry has operations\n");
>> + return -EINVAL;
>> + }
>>
>> for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
>> if (val & spec_order[i]) {
>> key.specified = spec_order[i] | enabled;
>> - datum.data = le32_to_cpu(buf32[items++]);
>> + datum.u.data = le32_to_cpu(buf32[items++]);
>> rc = insertf(a, &key, &datum, p);
>> if (rc)
>> return rc;
>> @@ -452,7 +483,6 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
>> printk(KERN_ERR "SELinux: avtab: truncated entry\n");
>> return rc;
>> }
>> -
>> items = 0;
>> key.source_type = le16_to_cpu(buf16[items++]);
>> key.target_type = le16_to_cpu(buf16[items++]);
>> @@ -476,14 +506,32 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
>> return -EINVAL;
>> }
>>
>> - rc = next_entry(buf32, fp, sizeof(u32));
>> - if (rc) {
>> - printk(KERN_ERR "SELinux: avtab: truncated entry\n");
>> - return rc;
>> + if ((vers < POLICYDB_VERSION_IOCTL_OPERATIONS)
>> + || !(key.specified & AVTAB_OP)) {
>> + rc = next_entry(buf32, fp, sizeof(u32));
>> + if (rc) {
>> + printk(KERN_ERR "SELinux: avtab: truncated entry\n");
>> + return rc;
>> + }
>> + datum.u.data = le32_to_cpu(*buf32);
>> + } else {
>> + memset(&ops, 0, sizeof(struct avtab_operation));
>> + rc = next_entry(&ops.type, fp, sizeof(u8));
>> + if (rc) {
>> + printk(KERN_ERR "SELinux: avtab: truncated entry\n");
>> + return rc;
>> + }
>> + rc = next_entry(buf32, fp, sizeof(u32)*ARRAY_SIZE(ops.op.perms));
>> + if (rc) {
>> + printk(KERN_ERR "SELinux: avtab: truncated entry\n");
>> + return rc;
>> + }
>> + for (i = 0; i < ARRAY_SIZE(ops.op.perms); i++)
>> + ops.op.perms[i] = le32_to_cpu(buf32[i]);
>> + datum.u.ops = &ops;
>> }
>> - datum.data = le32_to_cpu(*buf32);
>> if ((key.specified & AVTAB_TYPE) &&
>> - !policydb_type_isvalid(pol, datum.data)) {
>> + !policydb_type_isvalid(pol, datum.u.data)) {
>> printk(KERN_ERR "SELinux: avtab: invalid type\n");
>> return -EINVAL;
>> }
>> @@ -543,8 +591,9 @@ bad:
>> int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp)
>> {
>> __le16 buf16[4];
>> - __le32 buf32[1];
>> + __le32 buf32[ARRAY_SIZE(cur->datum.u.ops->op.perms)];
>> int rc;
>> + unsigned int i;
>>
>> buf16[0] = cpu_to_le16(cur->key.source_type);
>> buf16[1] = cpu_to_le16(cur->key.target_type);
>> @@ -553,8 +602,16 @@ int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp)
>> rc = put_entry(buf16, sizeof(u16), 4, fp);
>> if (rc)
>> return rc;
>> - buf32[0] = cpu_to_le32(cur->datum.data);
>> - rc = put_entry(buf32, sizeof(u32), 1, fp);
>> +
>> + if (cur->key.specified & AVTAB_OP) {
>> + for (i = 0; i < ARRAY_SIZE(cur->datum.u.ops->op.perms); i++)
>> + buf32[i] = cpu_to_le32(cur->datum.u.ops->op.perms[i]);
>> + rc = put_entry(buf32, sizeof(u32),
>> + ARRAY_SIZE(cur->datum.u.ops->op.perms), fp);
>> + } else {
>> + buf32[0] = cpu_to_le32(cur->datum.u.data);
>> + rc = put_entry(buf32, sizeof(u32), 1, fp);
>> + }
>> if (rc)
>> return rc;
>> return 0;
>> @@ -588,9 +645,13 @@ void avtab_cache_init(void)
>> avtab_node_cachep = kmem_cache_create("avtab_node",
>> sizeof(struct avtab_node),
>> 0, SLAB_PANIC, NULL);
>> + avtab_operation_cachep = kmem_cache_create("avtab_operation",
>> + sizeof(struct avtab_operation),
>> + 0, SLAB_PANIC, NULL);
>> }
>>
>> void avtab_cache_destroy(void)
>> {
>> kmem_cache_destroy(avtab_node_cachep);
>> + kmem_cache_destroy(avtab_operation_cachep);
>> }
>> diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
>> index adb451c..0a8be63e 100644
>> --- a/security/selinux/ss/avtab.h
>> +++ b/security/selinux/ss/avtab.h
>> @@ -25,6 +25,8 @@
>>
>> #include <linux/flex_array.h>
>>
>> +#include "security.h"
>> +
>> struct avtab_key {
>> u16 source_type; /* source type */
>> u16 target_type; /* target type */
>> @@ -37,13 +39,34 @@ struct avtab_key {
>> #define AVTAB_MEMBER 0x0020
>> #define AVTAB_CHANGE 0x0040
>> #define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
>> +#define AVTAB_OPNUM_ALLOWED 0x0100
>> +#define AVTAB_OPNUM_AUDITALLOW 0x0200
>> +#define AVTAB_OPNUM_DONTAUDIT 0x0400
>> +#define AVTAB_OPNUM (AVTAB_OPNUM_ALLOWED | \
>> + AVTAB_OPNUM_AUDITALLOW | \
>> + AVTAB_OPNUM_DONTAUDIT)
>> +#define AVTAB_OPTYPE_ALLOWED 0x1000
>> +#define AVTAB_OPTYPE_AUDITALLOW 0x2000
>> +#define AVTAB_OPTYPE_DONTAUDIT 0x4000
>> +#define AVTAB_OPTYPE (AVTAB_OPTYPE_ALLOWED | \
>> + AVTAB_OPTYPE_AUDITALLOW | \
>> + AVTAB_OPTYPE_DONTAUDIT)
>> +#define AVTAB_OP (AVTAB_OPNUM | AVTAB_OPTYPE)
>> #define AVTAB_ENABLED_OLD 0x80000000 /* reserved for used in cond_avtab */
>> #define AVTAB_ENABLED 0x8000 /* reserved for used in cond_avtab */
>> u16 specified; /* what field is specified */
>> };
>>
>> +struct avtab_operation {
>> + u8 type;
>> + struct operation_perm op;
>> +};
>> +
>> struct avtab_datum {
>> - u32 data; /* access vector or type value */
>> + union {
>> + u32 data; /* access vector or type value */
>> + struct avtab_operation *ops; /* ioctl operations */
>> + } u;
>> };
>>
>> struct avtab_node {
>> diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
>> index 62c6773..c4cd20a 100644
>> --- a/security/selinux/ss/conditional.c
>> +++ b/security/selinux/ss/conditional.c
>> @@ -15,6 +15,7 @@
>>
>> #include "security.h"
>> #include "conditional.h"
>> +#include "services.h"
>>
>> /*
>> * cond_evaluate_expr evaluates a conditional expr
>> @@ -612,21 +613,39 @@ int cond_write_list(struct policydb *p, struct cond_node *list, void *fp)
>>
>> return 0;
>> }
>> +
>> +void cond_compute_operation(struct avtab *ctab, struct avtab_key *key,
>> + struct operation_decision *od)
>> +{
>> + struct avtab_node *node;
>> +
>> + if (!ctab || !key || !od)
>> + return;
>> +
>> + for (node = avtab_search_node(ctab, key); node;
>> + node = avtab_search_node_next(node, key->specified)) {
>> + if (node->key.specified & AVTAB_ENABLED)
>> + services_compute_operation_num(od, node);
>> + }
>> + return;
>> +
>> +}
>> /* Determine whether additional permissions are granted by the conditional
>> * av table, and if so, add them to the result
>> */
>> -void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decision *avd)
>> +void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
>> + struct av_decision *avd, struct operation *ops)
>> {
>> struct avtab_node *node;
>>
>> - if (!ctab || !key || !avd)
>> + if (!ctab || !key || !avd || !ops)
>> return;
>>
>> for (node = avtab_search_node(ctab, key); node;
>> node = avtab_search_node_next(node, key->specified)) {
>> if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
>> (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
>> - avd->allowed |= node->datum.data;
>> + avd->allowed |= node->datum.u.data;
>> if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
>> (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
>> /* Since a '0' in an auditdeny mask represents a
>> @@ -634,10 +653,13 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
>> * the '&' operand to ensure that all '0's in the mask
>> * are retained (much unlike the allow and auditallow cases).
>> */
>> - avd->auditdeny &= node->datum.data;
>> + avd->auditdeny &= node->datum.u.data;
>> if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
>> (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
>> - avd->auditallow |= node->datum.data;
>> + avd->auditallow |= node->datum.u.data;
>> + if ((node->key.specified & AVTAB_ENABLED) &&
>> + (node->key.specified & AVTAB_OP))
>> + services_compute_operation_type(ops, node);
>> }
>> return;
>> }
>> diff --git a/security/selinux/ss/conditional.h b/security/selinux/ss/conditional.h
>> index 4d1f874..80ee2bb 100644
>> --- a/security/selinux/ss/conditional.h
>> +++ b/security/selinux/ss/conditional.h
>> @@ -73,8 +73,10 @@ int cond_read_list(struct policydb *p, void *fp);
>> int cond_write_bool(void *key, void *datum, void *ptr);
>> int cond_write_list(struct policydb *p, struct cond_node *list, void *fp);
>>
>> -void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decision *avd);
>> -
>> +void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
>> + struct av_decision *avd, struct operation *ops);
>> +void cond_compute_operation(struct avtab *ctab, struct avtab_key *key,
>> + struct operation_decision *od);
>> int evaluate_cond_node(struct policydb *p, struct cond_node *node);
>>
>> #endif /* _CONDITIONAL_H_ */
>> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
>> index 74aa224..68ffbda 100644
>> --- a/security/selinux/ss/policydb.c
>> +++ b/security/selinux/ss/policydb.c
>> @@ -148,6 +148,11 @@ static struct policydb_compat_info policydb_compat[] = {
>> .sym_num = SYM_NUM,
>> .ocon_num = OCON_NUM,
>> },
>> + {
>> + .version = POLICYDB_VERSION_IOCTL_OPERATIONS,
>> + .sym_num = SYM_NUM,
>> + .ocon_num = OCON_NUM,
>> + },
>> };
>>
>> static struct policydb_compat_info *policydb_lookup_compat(int version)
>> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
>> index 9e2d820..d8d966f 100644
>> --- a/security/selinux/ss/services.c
>> +++ b/security/selinux/ss/services.c
>> @@ -93,9 +93,10 @@ static int context_struct_to_string(struct context *context, char **scontext,
>> u32 *scontext_len);
>>
>> static void context_struct_compute_av(struct context *scontext,
>> - struct context *tcontext,
>> - u16 tclass,
>> - struct av_decision *avd);
>> + struct context *tcontext,
>> + u16 tclass,
>> + struct av_decision *avd,
>> + struct operation *ops);
>>
>> struct selinux_mapping {
>> u16 value; /* policy value */
>> @@ -565,7 +566,8 @@ static void type_attribute_bounds_av(struct context *scontext,
>> context_struct_compute_av(&lo_scontext,
>> tcontext,
>> tclass,
>> - &lo_avd);
>> + &lo_avd,
>> + NULL);
>> if ((lo_avd.allowed & avd->allowed) == avd->allowed)
>> return; /* no masked permission */
>> masked = ~lo_avd.allowed & avd->allowed;
>> @@ -580,7 +582,8 @@ static void type_attribute_bounds_av(struct context *scontext,
>> context_struct_compute_av(scontext,
>> &lo_tcontext,
>> tclass,
>> - &lo_avd);
>> + &lo_avd,
>> + NULL);
>> if ((lo_avd.allowed & avd->allowed) == avd->allowed)
>> return; /* no masked permission */
>> masked = ~lo_avd.allowed & avd->allowed;
>> @@ -596,7 +599,8 @@ static void type_attribute_bounds_av(struct context *scontext,
>> context_struct_compute_av(&lo_scontext,
>> &lo_tcontext,
>> tclass,
>> - &lo_avd);
>> + &lo_avd,
>> + NULL);
>> if ((lo_avd.allowed & avd->allowed) == avd->allowed)
>> return; /* no masked permission */
>> masked = ~lo_avd.allowed & avd->allowed;
>> @@ -612,14 +616,39 @@ static void type_attribute_bounds_av(struct context *scontext,
>> }
>> }
>>
>> +/* flag ioctl types that have operation permissions */
>> +void services_compute_operation_type(
>> + struct operation *ops,
>> + struct avtab_node *node)
>> +{
>> + u8 type;
>> + unsigned int i;
>> +
>> + if (node->key.specified & AVTAB_OPTYPE) {
>> + /* if allowing one or more complete types */
>> + for (i = 0; i < ARRAY_SIZE(ops->type); i++)
>> + ops->type[i] |= node->datum.u.ops->op.perms[i];
>> + } else {
>> + /* if allowing operations within a type */
>> + type = node->datum.u.ops->type;
>> + security_operation_set(ops->type, type);
>> + }
>> +
>> + /* If no ioctl commands are allowed, ignore auditallow and auditdeny */
>> + if (node->key.specified & AVTAB_OPTYPE_ALLOWED ||
>> + node->key.specified & AVTAB_OPNUM_ALLOWED)
>> + ops->len = 1;
>> +}
>> +
>> /*
>> - * Compute access vectors based on a context structure pair for
>> - * the permissions in a particular class.
>> + * Compute access vectors and operations ranges based on a context
>> + * structure pair for the permissions in a particular class.
>> */
>> static void context_struct_compute_av(struct context *scontext,
>> - struct context *tcontext,
>> - u16 tclass,
>> - struct av_decision *avd)
>> + struct context *tcontext,
>> + u16 tclass,
>> + struct av_decision *avd,
>> + struct operation *ops)
>> {
>> struct constraint_node *constraint;
>> struct role_allow *ra;
>> @@ -633,6 +662,10 @@ static void context_struct_compute_av(struct context *scontext,
>> avd->allowed = 0;
>> avd->auditallow = 0;
>> avd->auditdeny = 0xffffffff;
>> + if (ops) {
>> + memset(&ops->type, 0, sizeof(ops->type));
>> + ops->len = 0;
>> + }
>>
>> if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
>> if (printk_ratelimit())
>> @@ -647,7 +680,7 @@ static void context_struct_compute_av(struct context *scontext,
>> * this permission check, then use it.
>> */
>> avkey.target_class = tclass;
>> - avkey.specified = AVTAB_AV;
>> + avkey.specified = AVTAB_AV | AVTAB_OP;
>> sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
>> BUG_ON(!sattr);
>> tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
>> @@ -660,15 +693,17 @@ static void context_struct_compute_av(struct context *scontext,
>> node;
>> node = avtab_search_node_next(node, avkey.specified)) {
>> if (node->key.specified == AVTAB_ALLOWED)
>> - avd->allowed |= node->datum.data;
>> + avd->allowed |= node->datum.u.data;
>> else if (node->key.specified == AVTAB_AUDITALLOW)
>> - avd->auditallow |= node->datum.data;
>> + avd->auditallow |= node->datum.u.data;
>> else if (node->key.specified == AVTAB_AUDITDENY)
>> - avd->auditdeny &= node->datum.data;
>> + avd->auditdeny &= node->datum.u.data;
>> + else if (ops && (node->key.specified & AVTAB_OP))
>> + services_compute_operation_type(ops, node);
>> }
>>
>> /* Check conditional av table for additional permissions */
>> - cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
>> + cond_compute_av(&policydb.te_cond_avtab, &avkey, avd, ops);
>>
>> }
>> }
>> @@ -899,13 +934,138 @@ static void avd_init(struct av_decision *avd)
>> avd->flags = 0;
>> }
>>
>> +void services_compute_operation_num(struct operation_decision *od,
>> + struct avtab_node *node)
>> +{
>> + unsigned int i;
>>
>> + if (node->key.specified & AVTAB_OPNUM) {
>> + if (od->type != node->datum.u.ops->type)
>> + return;
>> + } else {
>> + if (!security_operation_test(node->datum.u.ops->op.perms,
>> + od->type))
>> + return;
>> + }
>> +
>> + if (node->key.specified == AVTAB_OPTYPE_ALLOWED) {
>> + od->specified |= OPERATION_ALLOWED;
>> + memset(od->allowed->perms, 0xff,
>> + sizeof(od->allowed->perms));
>> + } else if (node->key.specified == AVTAB_OPTYPE_AUDITALLOW) {
>> + od->specified |= OPERATION_AUDITALLOW;
>> + memset(od->auditallow->perms, 0xff,
>> + sizeof(od->auditallow->perms));
>> + } else if (node->key.specified == AVTAB_OPTYPE_DONTAUDIT) {
>> + od->specified |= OPERATION_DONTAUDIT;
>> + memset(od->dontaudit->perms, 0xff,
>> + sizeof(od->dontaudit->perms));
>> + } else if (node->key.specified == AVTAB_OPNUM_ALLOWED) {
>> + od->specified |= OPERATION_ALLOWED;
>> + for (i = 0; i < ARRAY_SIZE(od->allowed->perms); i++)
>> + od->allowed->perms[i] |=
>> + node->datum.u.ops->op.perms[i];
>> + } else if (node->key.specified == AVTAB_OPNUM_AUDITALLOW) {
>> + od->specified |= OPERATION_AUDITALLOW;
>> + for (i = 0; i < ARRAY_SIZE(od->auditallow->perms); i++)
>> + od->auditallow->perms[i] |=
>> + node->datum.u.ops->op.perms[i];
>> + } else if (node->key.specified == AVTAB_OPNUM_DONTAUDIT) {
>> + od->specified |= OPERATION_DONTAUDIT;
>> + for (i = 0; i < ARRAY_SIZE(od->dontaudit->perms); i++)
>> + od->dontaudit->perms[i] |=
>> + node->datum.u.ops->op.perms[i];
>> + } else {
>> + BUG();
>> + }
>> +}
>> +
>> +void security_compute_operation(u32 ssid,
>> + u32 tsid,
>> + u16 orig_tclass,
>> + u8 type,
>> + struct operation_decision *od)
>> +{
>> + u16 tclass;
>> + struct context *scontext, *tcontext;
>> + struct avtab_key avkey;
>> + struct avtab_node *node;
>> + struct ebitmap *sattr, *tattr;
>> + struct ebitmap_node *snode, *tnode;
>> + unsigned int i, j;
>> +
>> + od->type = type;
>> + od->specified = 0;
>> + memset(od->allowed->perms, 0, sizeof(od->allowed->perms));
>> + memset(od->auditallow->perms, 0, sizeof(od->auditallow->perms));
>> + memset(od->dontaudit->perms, 0, sizeof(od->dontaudit->perms));
>> +
>> + read_lock(&policy_rwlock);
>> + if (!ss_initialized)
>> + goto allow;
>> +
>> + scontext = sidtab_search(&sidtab, ssid);
>> + if (!scontext) {
>> + printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
>> + __func__, ssid);
>> + goto out;
>> + }
>> +
>> + tcontext = sidtab_search(&sidtab, tsid);
>> + if (!tcontext) {
>> + printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
>> + __func__, tsid);
>> + goto out;
>> + }
>> +
>> + tclass = unmap_class(orig_tclass);
>> + if (unlikely(orig_tclass && !tclass)) {
>> + if (policydb.allow_unknown)
>> + goto allow;
>> + goto out;
>> + }
>> +
>> +
>> + if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
>> + pr_warn_ratelimited("SELinux: Invalid class %hu\n", tclass);
>> + goto out;
>> + }
>> +
>> + avkey.target_class = tclass;
>> + avkey.specified = AVTAB_OP;
>> + sattr = flex_array_get(policydb.type_attr_map_array,
>> + scontext->type - 1);
>> + BUG_ON(!sattr);
>> + tattr = flex_array_get(policydb.type_attr_map_array,
>> + tcontext->type - 1);
>> + BUG_ON(!tattr);
>> + ebitmap_for_each_positive_bit(sattr, snode, i) {
>> + ebitmap_for_each_positive_bit(tattr, tnode, j) {
>> + avkey.source_type = i + 1;
>> + avkey.target_type = j + 1;
>> + for (node = avtab_search_node(&policydb.te_avtab, &avkey);
>> + node;
>> + node = avtab_search_node_next(node, avkey.specified))
>> + services_compute_operation_num(od, node);
>> +
>> + cond_compute_operation(&policydb.te_cond_avtab,
>> + &avkey, od);
>> + }
>> + }
>> +out:
>> + read_unlock(&policy_rwlock);
>> + return;
>> +allow:
>> + memset(od->allowed->perms, 0xff, sizeof(od->allowed->perms));
>> + goto out;
>> +}
>> /**
>> * security_compute_av - Compute access vector decisions.
>> * @ssid: source security identifier
>> * @tsid: target security identifier
>> * @tclass: target security class
>> * @avd: access vector decisions
>> + * @od: operation decisions
>> *
>> * Compute a set of access vector decisions based on the
>> * SID pair (@ssid, @tsid) for the permissions in @tclass.
>> @@ -913,13 +1073,15 @@ static void avd_init(struct av_decision *avd)
>> void security_compute_av(u32 ssid,
>> u32 tsid,
>> u16 orig_tclass,
>> - struct av_decision *avd)
>> + struct av_decision *avd,
>> + struct operation *ops)
>> {
>> u16 tclass;
>> struct context *scontext = NULL, *tcontext = NULL;
>>
>> read_lock(&policy_rwlock);
>> avd_init(avd);
>> + ops->len = 0;
>> if (!ss_initialized)
>> goto allow;
>>
>> @@ -947,7 +1109,7 @@ void security_compute_av(u32 ssid,
>> goto allow;
>> goto out;
>> }
>> - context_struct_compute_av(scontext, tcontext, tclass, avd);
>> + context_struct_compute_av(scontext, tcontext, tclass, avd, ops);
>> map_decision(orig_tclass, avd, policydb.allow_unknown);
>> out:
>> read_unlock(&policy_rwlock);
>> @@ -993,7 +1155,7 @@ void security_compute_av_user(u32 ssid,
>> goto out;
>> }
>>
>> - context_struct_compute_av(scontext, tcontext, tclass, avd);
>> + context_struct_compute_av(scontext, tcontext, tclass, avd, NULL);
>> out:
>> read_unlock(&policy_rwlock);
>> return;
>> @@ -1515,7 +1677,7 @@ static int security_compute_sid(u32 ssid,
>>
>> if (avdatum) {
>> /* Use the type from the type transition/member/change rule. */
>> - newcontext.type = avdatum->data;
>> + newcontext.type = avdatum->u.data;
>> }
>>
>> /* if we have a objname this is a file trans check so check those rules */
>> diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h
>> index e8d907e..5697574 100644
>> --- a/security/selinux/ss/services.h
>> +++ b/security/selinux/ss/services.h
>> @@ -11,5 +11,11 @@
>>
>> extern struct policydb policydb;
>>
>> +void services_compute_operation_type(struct operation *ops,
>> + struct avtab_node *node);
>> +
>> +void services_compute_operation_num(struct operation_decision *od,
>> + struct avtab_node *node);
>> +
>> #endif /* _SS_SERVICES_H_ */
>>
>>
>
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
