From 0794c66d49885a2f615618ce4940434b5b067d84 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 17 Mar 2008 08:55:18 -0400 Subject: selinux: handle files opened with flags 3 by checking ioctl permission Handle files opened with flags 3 by checking ioctl permission. Default to returning FILE__IOCTL from file_to_av() if the f_mode has neither FMODE_READ nor FMODE_WRITE, and thus check ioctl permission on exec or transfer, thereby validating such descriptors early as with normal r/w descriptors and catching leaks of them prior to attempted usage. Signed-off-by: Stephen Smalley Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 41a049f50f58..c2fef7b12dc7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1630,6 +1630,12 @@ static inline u32 file_to_av(struct file *file) else av |= FILE__WRITE; } + if (!av) { + /* + * Special file opened with flags 3 for ioctl-only use. + */ + av = FILE__IOCTL; + } return av; } -- cgit v1.2.3 From a02fe13297af26c13d004b1d44f391c077094ea0 Mon Sep 17 00:00:00 2001 From: Josef Bacik Date: Fri, 4 Apr 2008 09:35:05 +1100 Subject: selinux: prevent rentry into the FS BUG fix. Keep us from re-entering the fs when we aren't supposed to. See discussion at http://marc.info/?t=120716967100004&r=1&w=2 Signed-off-by: Josef Bacik Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c2fef7b12dc7..820d07a60ab0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -180,7 +180,7 @@ static int inode_alloc_security(struct inode *inode) struct task_security_struct *tsec = current->security; struct inode_security_struct *isec; - isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL); + isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); if (!isec) return -ENOMEM; @@ -2429,7 +2429,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, return -EOPNOTSUPP; if (name) { - namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); + namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); if (!namep) return -ENOMEM; *name = namep; -- cgit v1.2.3 From 869ab5147e1eead890245cfd4f652ba282b6ac26 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 4 Apr 2008 08:46:05 -0400 Subject: SELinux: more GFP_NOFS fixups to prevent selinux from re-entering the fs code More cases where SELinux must not re-enter the fs code. Called from the d_instantiate security hook. Signed-off-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 820d07a60ab0..89bb6d36c0a7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1143,7 +1143,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent } len = INITCONTEXTLEN; - context = kmalloc(len, GFP_KERNEL); + context = kmalloc(len, GFP_NOFS); if (!context) { rc = -ENOMEM; dput(dentry); @@ -1161,7 +1161,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent } kfree(context); len = rc; - context = kmalloc(len, GFP_KERNEL); + context = kmalloc(len, GFP_NOFS); if (!context) { rc = -ENOMEM; dput(dentry); @@ -1185,7 +1185,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent rc = 0; } else { rc = security_context_to_sid_default(context, rc, &sid, - sbsec->def_sid); + sbsec->def_sid, + GFP_NOFS); if (rc) { printk(KERN_WARNING "%s: context_to_sid(%s) " "returned %d for dev=%s ino=%ld\n", -- cgit v1.2.3 From 5a55261716e838f188598ab3d7a0abf9cf1338f8 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Wed, 9 Apr 2008 14:08:35 -0400 Subject: SELinux: don't BUG if fs reuses a superblock I (wrongly) assumed that nfs_xdev_get_sb() would not ever share a superblock and so cloning mount options would always be correct. Turns out that isn't the case and we could fall over a BUG_ON() that wasn't a BUG at all. Since there is little we can do to reconcile different mount options this patch just leaves the sb alone and the first set of options wins. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Acked-by: Trond Myklebust Signed-off-by: James Morris --- security/selinux/hooks.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 89bb6d36c0a7..d39b59cf8a08 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -760,13 +760,13 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, * this early in the boot process. */ BUG_ON(!ss_initialized); - /* this might go away sometime down the line if there is a new user - * of clone, but for now, nfs better not get here... */ - BUG_ON(newsbsec->initialized); - /* how can we clone if the old one wasn't set up?? */ BUG_ON(!oldsbsec->initialized); + /* if fs is reusing a sb, just let its options stand... */ + if (newsbsec->initialized) + return; + mutex_lock(&newsbsec->lock); newsbsec->flags = oldsbsec->flags; -- cgit v1.2.3