mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2026-03-03 03:25:26 -05:00
690ffcd817
Pull selinux updates from Paul Moore: - Extended permissions supported in conditional policy The SELinux extended permissions, aka "xperms", allow security admins to target individuals ioctls, and recently netlink messages, with their SELinux policy. Adding support for conditional policies allows admins to toggle the granular xperms using SELinux booleans, helping pave the way for greater use of xperms in general purpose SELinux policies. This change bumps the maximum SELinux policy version to 34. - Fix a SCTP/SELinux error return code inconsistency Depending on the loaded SELinux policy, specifically it's EXTSOCKCLASS support, the bind(2) LSM/SELinux hook could return different error codes due to the SELinux code checking the socket's SELinux object class (which can vary depending on EXTSOCKCLASS) and not the socket's sk_protocol field. We fix this by doing the obvious, and looking at the sock->sk_protocol field instead of the object class. - Makefile fixes to properly cleanup av_permissions.h Add av_permissions.h to "targets" so that it is properly cleaned up using the kbuild infrastructure. - A number of smaller improvements by Christian Göttsche A variety of straightforward changes to reduce code duplication, reduce pointer lookups, migrate void pointers to defined types, simplify code, constify function parameters, and correct iterator types. * tag 'selinux-pr-20250121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: make more use of str_read() when loading the policy selinux: avoid unnecessary indirection in struct level_datum selinux: use known type instead of void pointer selinux: rename comparison functions for clarity selinux: rework match_ipv6_addrmask() selinux: constify and reconcile function parameter names selinux: avoid using types indicating user space interaction selinux: supply missing field initializers selinux: add netlink nlmsg_type audit message selinux: add support for xperms in conditional policies selinux: Fix SCTP error inconsistency in selinux_socket_bind() selinux: use native iterator types selinux: add generated av_permissions.h to targets
146 lines
3.2 KiB
C
146 lines
3.2 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* Common LSM logging functions
|
|
* Heavily borrowed from selinux/avc.h
|
|
*
|
|
* Author : Etienne BASSET <etienne.basset@ensta.org>
|
|
*
|
|
* All credits to : Stephen Smalley, <sds@tycho.nsa.gov>
|
|
* All BUGS to : Etienne BASSET <etienne.basset@ensta.org>
|
|
*/
|
|
#ifndef _LSM_COMMON_LOGGING_
|
|
#define _LSM_COMMON_LOGGING_
|
|
|
|
#include <linux/stddef.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/kdev_t.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/init.h>
|
|
#include <linux/audit.h>
|
|
#include <linux/in6.h>
|
|
#include <linux/path.h>
|
|
#include <linux/key.h>
|
|
#include <linux/skbuff.h>
|
|
#include <rdma/ib_verbs.h>
|
|
|
|
struct lsm_network_audit {
|
|
int netif;
|
|
const struct sock *sk;
|
|
u16 family;
|
|
__be16 dport;
|
|
__be16 sport;
|
|
union {
|
|
struct {
|
|
__be32 daddr;
|
|
__be32 saddr;
|
|
} v4;
|
|
struct {
|
|
struct in6_addr daddr;
|
|
struct in6_addr saddr;
|
|
} v6;
|
|
} fam;
|
|
};
|
|
|
|
struct lsm_ioctlop_audit {
|
|
struct path path;
|
|
u16 cmd;
|
|
};
|
|
|
|
struct lsm_ibpkey_audit {
|
|
u64 subnet_prefix;
|
|
u16 pkey;
|
|
};
|
|
|
|
struct lsm_ibendport_audit {
|
|
const char *dev_name;
|
|
u8 port;
|
|
};
|
|
|
|
/* Auxiliary data to use in generating the audit record. */
|
|
struct common_audit_data {
|
|
char type;
|
|
#define LSM_AUDIT_DATA_PATH 1
|
|
#define LSM_AUDIT_DATA_NET 2
|
|
#define LSM_AUDIT_DATA_CAP 3
|
|
#define LSM_AUDIT_DATA_IPC 4
|
|
#define LSM_AUDIT_DATA_TASK 5
|
|
#define LSM_AUDIT_DATA_KEY 6
|
|
#define LSM_AUDIT_DATA_NONE 7
|
|
#define LSM_AUDIT_DATA_KMOD 8
|
|
#define LSM_AUDIT_DATA_INODE 9
|
|
#define LSM_AUDIT_DATA_DENTRY 10
|
|
#define LSM_AUDIT_DATA_IOCTL_OP 11
|
|
#define LSM_AUDIT_DATA_FILE 12
|
|
#define LSM_AUDIT_DATA_IBPKEY 13
|
|
#define LSM_AUDIT_DATA_IBENDPORT 14
|
|
#define LSM_AUDIT_DATA_LOCKDOWN 15
|
|
#define LSM_AUDIT_DATA_NOTIFICATION 16
|
|
#define LSM_AUDIT_DATA_ANONINODE 17
|
|
#define LSM_AUDIT_DATA_NLMSGTYPE 18
|
|
union {
|
|
struct path path;
|
|
struct dentry *dentry;
|
|
struct inode *inode;
|
|
struct lsm_network_audit *net;
|
|
int cap;
|
|
int ipc_id;
|
|
struct task_struct *tsk;
|
|
#ifdef CONFIG_KEYS
|
|
struct {
|
|
key_serial_t key;
|
|
char *key_desc;
|
|
} key_struct;
|
|
#endif
|
|
char *kmod_name;
|
|
struct lsm_ioctlop_audit *op;
|
|
struct file *file;
|
|
struct lsm_ibpkey_audit *ibpkey;
|
|
struct lsm_ibendport_audit *ibendport;
|
|
int reason;
|
|
const char *anonclass;
|
|
u16 nlmsg_type;
|
|
} u;
|
|
/* this union contains LSM specific data */
|
|
union {
|
|
#ifdef CONFIG_SECURITY_SMACK
|
|
struct smack_audit_data *smack_audit_data;
|
|
#endif
|
|
#ifdef CONFIG_SECURITY_SELINUX
|
|
struct selinux_audit_data *selinux_audit_data;
|
|
#endif
|
|
#ifdef CONFIG_SECURITY_APPARMOR
|
|
struct apparmor_audit_data *apparmor_audit_data;
|
|
#endif
|
|
}; /* per LSM data pointer union */
|
|
};
|
|
|
|
#define v4info fam.v4
|
|
#define v6info fam.v6
|
|
|
|
#ifdef CONFIG_AUDIT
|
|
|
|
int ipv4_skb_to_auditdata(struct sk_buff *skb,
|
|
struct common_audit_data *ad, u8 *proto);
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
int ipv6_skb_to_auditdata(struct sk_buff *skb,
|
|
struct common_audit_data *ad, u8 *proto);
|
|
#endif /* IS_ENABLED(CONFIG_IPV6) */
|
|
|
|
void common_lsm_audit(struct common_audit_data *a,
|
|
void (*pre_audit)(struct audit_buffer *, void *),
|
|
void (*post_audit)(struct audit_buffer *, void *));
|
|
|
|
#else /* CONFIG_AUDIT */
|
|
|
|
static inline void common_lsm_audit(struct common_audit_data *a,
|
|
void (*pre_audit)(struct audit_buffer *, void *),
|
|
void (*post_audit)(struct audit_buffer *, void *))
|
|
{
|
|
}
|
|
|
|
#endif /* CONFIG_AUDIT */
|
|
|
|
#endif
|