
Commit fb2a624d authored by Linus Torvalds
Pull selinux patches from Paul Moore:
 "I already used my best holiday pull request lines in the audit pull
  request, so this one is going to be a bit more boring, sorry about
  that. To make up for this, we do have a birthday of sorts to
  celebrate: SELinux turns 18 years old this December. Perhaps not the
  most exciting thing in the world for most people, but I think it's
  safe to say that anyone reading this email doesn't exactly fall into
  the "most people" category.

  Back to business and the pull request itself:

  Ondrej has five patches in this pull request and I lump them into
  three categories: one patch to always allow submounts (using similar
  logic to elsewhere in the kernel), one to fix some issues with the
  SELinux policydb, and the others to clean up and improve the SELinux
  sidtab.

  The other patches from Alexey and Petr are trivial fixes that are
  adequately described in their respective subject lines.

  With this last pull request of the year, I want to thank everyone who
  has contributed patches, testing, and reviews to the SELinux project
  this year, and the past 18 years. Like any good open source effort,
  SELinux is only as good as the community which supports it, and I'm
  very happy that we have the community we do - thank you all!"

* tag 'selinux-pr-20181224' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: overhaul sidtab to fix bug and improve performance
  selinux: use separate table for initial SID lookup
  selinux: make "selinux_policycap_names[]" const char *
  selinux: always allow mounting submounts
  selinux: refactor sidtab conversion
  Documentation: Update SELinux reference policy URL
  selinux: policydb - fix byte order and alignment issues
parents 047ce6d3 ee1a84fd
+1 −1
@@ -6,7 +6,7 @@ If you want to use SELinux, chances are you will want
to use the distro-provided policies, or install the
latest reference policy release from

	http://oss.tresys.com/projects/refpolicy
	https://github.com/SELinuxProject/refpolicy

However, if you want to install a dummy policy for
testing, you can do using ``mdp`` provided under
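
Review bot: the replacement URL points at the repository root, while the sentence leading into it says "latest reference policy release". Linking the project's releases page, or rewording the sentence to say the policy source lives at this address, would keep the text and the link in agreement. The move from an http:// link to an https:// one is a welcome side effect for a document that tells people where to fetch security policy.
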
+1 −1
@@ -2934,7 +2934,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
		return rc;

	/* Allow all mounts performed by the kernel */
	if (flags & MS_KERNMOUNT)
	if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))
		return 0;

	ad.type = LSM_AUDIT_DATA_DENTRY;
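
Review bot: the comment above the changed test in selinux_sb_kern_mount() still reads "Allow all mounts performed by the kernel", but the condition now also returns 0 for MS_SUBMOUNT, skipping everything that follows from `ad.type = LSM_AUDIT_DATA_DENTRY;` onward. Update the comment to name submounts and to state the assumption this early return rests on: that MS_SUBMOUNT, like MS_KERNMOUNT, is only ever set by the kernel and cannot arrive in `flags` from a userspace mount request. The pull message says the change uses similar logic to elsewhere in the kernel; a reference to that place in the comment or changelog would let a reader confirm the two stay in step.
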
+1 −1
@@ -81,7 +81,7 @@ enum {
};
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)

extern char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];
extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];

/*
 * type_datum properties
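
Review bot: `extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];` makes the strings read-only but leaves the array of pointers itself writable. If no code assigns to the entries at run time, declare it as `extern const char *const selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];` here and in the matching definition, so the whole table can live in read-only data and an accidental or malicious pointer overwrite is caught.
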
+11 −13
@@ -440,16 +440,17 @@ int mls_setup_user_range(struct policydb *p,

/*
 * Convert the MLS fields in the security context
 * structure `c' from the values specified in the
 * policy `oldp' to the values specified in the policy `newp'.
 * structure `oldc' from the values specified in the
 * policy `oldp' to the values specified in the policy `newp',
 * storing the resulting context in `newc'.
 */
int mls_convert_context(struct policydb *oldp,
			struct policydb *newp,
			struct context *c)
			struct context *oldc,
			struct context *newc)
{
	struct level_datum *levdatum;
	struct cat_datum *catdatum;
	struct ebitmap bitmap;
	struct ebitmap_node *node;
	int l, i;

@@ -459,28 +460,25 @@ int mls_convert_context(struct policydb *oldp,
	for (l = 0; l < 2; l++) {
		levdatum = hashtab_search(newp->p_levels.table,
					  sym_name(oldp, SYM_LEVELS,
						   c->range.level[l].sens - 1));
						   oldc->range.level[l].sens - 1));

		if (!levdatum)
			return -EINVAL;
		c->range.level[l].sens = levdatum->level->sens;
		newc->range.level[l].sens = levdatum->level->sens;

		ebitmap_init(&bitmap);
		ebitmap_for_each_positive_bit(&c->range.level[l].cat, node, i) {
		ebitmap_for_each_positive_bit(&oldc->range.level[l].cat,
					      node, i) {
			int rc;

			catdatum = hashtab_search(newp->p_cats.table,
						  sym_name(oldp, SYM_CATS, i));
			if (!catdatum)
				return -EINVAL;
			rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1);
			rc = ebitmap_set_bit(&newc->range.level[l].cat,
					     catdatum->value - 1, 1);
			if (rc)
				return rc;

			cond_resched();
		}
		ebitmap_destroy(&c->range.level[l].cat);
		c->range.level[l].cat = bitmap;
	}

	return 0;
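
Review bot: in the loop over `l`, bits are now set straight into `newc->range.level[l].cat`, and the early exits (`return -EINVAL;` after either hashtab_search() and `return rc;` after ebitmap_set_bit()) leave `newc` half converted: possibly one level done, the other with a partial category set. With the local `bitmap` and its ebitmap_init() gone, nothing in this function initializes or cleans up those bitmaps, so correctness depends on every caller passing an initialized, empty `newc` and destroying it on failure. Either release the category bitmaps of `newc` on the error paths here, or extend the function comment beyond "storing the resulting context in `newc'" to spell out both requirements, and say whether `oldc` and `newc` may point to the same context.
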
+2 −1
@@ -46,7 +46,8 @@ int mls_range_set(struct context *context, struct mls_range *range);

int mls_convert_context(struct policydb *oldp,
			struct policydb *newp,
			struct context *context);
			struct context *oldc,
			struct context *newc);

int mls_compute_sid(struct policydb *p,
		    struct context *scontext,