@@ -103,8 +103,6 @@
#include "audit.h"
#include "avc_ss.h"
-struct selinux_ns *current_selinux_ns;
-
/* SECMARK reference count */
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
@@ -202,6 +200,8 @@ static int selinux_lsm_notifier_avc_callback(u32 event)
return 0;
}
+static struct selinux_ns *init_selinux_ns __ro_after_init;
+
/*
* initialise the security for the init task
*/
@@ -212,6 +212,7 @@ static void cred_init_security(void)
tsec = selinux_cred(cred);
tsec->osid = tsec->sid = SECINITSID_KERNEL;
+ tsec->ns = get_selinux_ns(init_selinux_ns);
}
/*
@@ -225,15 +226,35 @@ static inline u32 cred_sid(const struct cred *cred)
return tsec->sid;
}
+static struct task_security_struct unlabeled_task_security = {
+ .osid = SECINITSID_UNLABELED,
+ .sid = SECINITSID_UNLABELED,
+};
+
+static const struct task_security_struct *task_security(
+ const struct task_struct *p)
+{
+ const struct task_security_struct *tsec;
+
+ tsec = selinux_cred(__task_cred(p));
+ while (tsec->ns != current_selinux_ns && tsec->parent_cred)
+ tsec = selinux_cred(tsec->parent_cred);
+ if (tsec->ns != current_selinux_ns)
+ return &unlabeled_task_security;
+ return tsec;
+}
+
/*
* get the objective security ID of a task
*/
static inline u32 task_sid(const struct task_struct *task)
{
+ const struct task_security_struct *tsec;
u32 sid;
rcu_read_lock();
- sid = cred_sid(__task_cred(task));
+ tsec = task_security(task);
+ sid = tsec->sid;
rcu_read_unlock();
return sid;
}
@@ -3889,6 +3910,18 @@ static int selinux_task_alloc(struct task_struct *task,
sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
}
+/*
+ * free/release any cred memory other than the blob itself
+ */
+static void selinux_cred_free(struct cred *cred)
+{
+ struct task_security_struct *tsec = selinux_cred(cred);
+
+ put_selinux_ns(tsec->ns);
+ if (tsec->parent_cred)
+ put_cred(tsec->parent_cred);
+}
+
/*
* prepare a new set of credentials for modification
*/
@@ -3899,6 +3932,9 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
struct task_security_struct *tsec = selinux_cred(new);
*tsec = *old_tsec;
+ tsec->ns = get_selinux_ns(old_tsec->ns);
+ if (old_tsec->parent_cred)
+ tsec->parent_cred = get_cred(old_tsec->parent_cred);
return 0;
}
@@ -3911,6 +3947,9 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
struct task_security_struct *tsec = selinux_cred(new);
*tsec = *old_tsec;
+ tsec->ns = get_selinux_ns(old_tsec->ns);
+ if (old_tsec->parent_cred)
+ tsec->parent_cred = get_cred(old_tsec->parent_cred);
}
static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
@@ -6280,7 +6319,7 @@ static int selinux_getprocattr(struct task_struct *p,
unsigned len;
rcu_read_lock();
- __tsec = selinux_cred(__task_cred(p));
+ __tsec = task_security(p);
if (current != p) {
error = avc_has_perm(current_selinux_ns,
@@ -6895,6 +6934,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(file_open, selinux_file_open),
LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
+ LSM_HOOK_INIT(cred_free, selinux_cred_free),
LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
@@ -7096,8 +7136,6 @@ void __put_selinux_ns(struct selinux_ns *ns)
schedule_work(&ns->work);
}
-static struct selinux_ns *init_selinux_ns __ro_after_init;
-
static __init int selinux_init(void)
{
pr_info("SELinux: Initializing.\n");
@@ -7107,7 +7145,6 @@ static __init int selinux_init(void)
enforcing_set(init_selinux_ns, selinux_enforcing_boot);
init_selinux_ns->checkreqprot = selinux_checkreqprot_boot;
- current_selinux_ns = init_selinux_ns;
/* Set the security state for the initial task. */
cred_init_security();
@@ -28,15 +28,6 @@
#include "flask.h"
#include "avc.h"
-struct task_security_struct {
- u32 osid; /* SID prior to last execve */
- u32 sid; /* current SID */
- u32 exec_sid; /* exec SID */
- u32 create_sid; /* fscreate SID */
- u32 keycreate_sid; /* keycreate SID */
- u32 sockcreate_sid; /* fscreate SID */
-};
-
enum label_initialized {
LABEL_INVALID, /* invalid or not initialized */
LABEL_INITIALIZED, /* initialized */
@@ -145,10 +136,6 @@ struct bpf_security_struct {
};
extern struct lsm_blob_sizes selinux_blob_sizes;
-static inline struct task_security_struct *selinux_cred(const struct cred *cred)
-{
- return cred->security + selinux_blob_sizes.lbs_cred;
-}
static inline struct file_security_struct *selinux_file(const struct file *file)
{
@@ -175,14 +162,4 @@ static inline struct ipc_security_struct *selinux_ipc(
return ipc->security + selinux_blob_sizes.lbs_ipc;
}
-/*
- * get the subjective security ID of the current task
- */
-static inline u32 current_sid(void)
-{
- const struct task_security_struct *tsec = selinux_cred(current_cred());
-
- return tsec->sid;
-}
-
#endif /* _SELINUX_OBJSEC_H_ */
@@ -15,6 +15,8 @@
#include <linux/types.h>
#include <linux/refcount.h>
#include <linux/workqueue.h>
+#include <linux/cred.h>
+#include <linux/lsm_hooks.h>
#include "flask.h"
#define SECSID_NULL 0x00000000 /* unspecified SID */
@@ -134,7 +136,35 @@ static inline struct selinux_ns *get_selinux_ns(struct selinux_ns *ns)
return ns;
}
-extern struct selinux_ns *current_selinux_ns;
+struct task_security_struct {
+ u32 osid; /* SID prior to last execve */
+ u32 sid; /* current SID */
+ u32 exec_sid; /* exec SID */
+ u32 create_sid; /* fscreate SID */
+ u32 keycreate_sid; /* keycreate SID */
+ u32 sockcreate_sid; /* fscreate SID */
+ struct selinux_ns *ns; /* selinux namespace */
+ const struct cred *parent_cred; /* cred in parent ns */
+};
+
+extern struct lsm_blob_sizes selinux_blob_sizes;
+
+static inline struct task_security_struct *selinux_cred(const struct cred *cred)
+{
+ return cred->security + selinux_blob_sizes.lbs_cred;
+}
+
+/*
+ * get the subjective security ID of the current task
+ */
+static inline u32 current_sid(void)
+{
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
+
+ return tsec->sid;
+}
+
+#define current_selinux_ns (selinux_cred(current_cred())->ns)
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
static inline bool enforcing_enabled(struct selinux_ns *ns)
Extend the task security structure to include a reference to the associated selinux namespace, and to also contain a pointer to the cred in the parent namespace. The current selinux namespace is changed to the per-task/cred selinux namespace for the current task/cred. This change makes it possible to support per-cred selinux namespaces, but does not yet introduce a mechanism for unsharing of the selinux namespace. Thus, by itself, this change does not alter the existing situation with respect to all processes still using a single init selinux namespace. An alternative would be to hang the selinux namespace off of the user namespace, which itself is associated with the cred. This seems undesirable however since DAC and MAC are orthogonal, and there appear to be real use cases where one will want to use selinux namespaces without user namespaces and vice versa. However, one advantage of hanging off the user namespace would be that it is already associated with other namespaces, such as the network namespace, thus potentially facilitating looking up the relevant selinux namespace from the network input/forward hooks. In most cases however, it appears that we could instead copy a reference to the creating task selinux namespace to sock security structures and use that in those hooks. Introduce a task_security() helper to obtain the correct task/cred security structure from the hooks, and update the hooks to use it. This returns a pointer to the security structure for the task in the same selinux namespace as the caller, or if there is none, a fake security structure with the well-defined unlabeled SIDs. This ensures that we return a valid result that can be used for permission checks and for returning contexts from e.g. reading /proc/pid/attr files. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- security/selinux/hooks.c | 51 +++++++++++++++++++++++++---- security/selinux/include/objsec.h | 23 ------------- security/selinux/include/security.h | 32 +++++++++++++++++- 3 files changed, 75 insertions(+), 31 deletions(-)