selinux/stable-4.17 PR 20180403
-----BEGIN PGP SIGNATURE-----
iQJIBAABCAAyFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAlrD6XoUHHBhdWxAcGF1
bC1tb29yZS5jb20ACgkQVeRaWujKfIpy9RAAjwhkNBNJhw1UlGggVvst8lzJBdMp
XxL7cg+1TcZkB12yrghILg+gY4j5PzY4GJo1gvllWIHsT8Ud6cQTI/AzeYR2OfZ3
mHv3gtyzmHsPGBdqhmgC7R10tpyXFXwDc3VLMtuuDiUl/seFEaJWOMYP7zj+tRil
XoOCyoV9bb1wb7vNAzQikK8yhz3fu72Y5QOODLfaYeYojMKs8Q8pMZgi68oVQUXk
SmS2mj0k2P3UqeOSk+8phJQhilm32m0tE0YnLvzAhblJLqeS2DUNnWORP1j4oQ/Q
aOOu4ZQ9PA1N7VAIGceuf2HZHhnrFzWdvggp2bxegcRSIfUZ84FuZbrj60RUz2ja
V6GmKYACnyd28TAWdnzjKEd4dc36LSPxnaj8hcrvyO2V34ozVEsvIEIJREoXRUJS
heJ9HT+VIvmguzRCIPPeC1ZYopIt8M1kTRrszigU80TuZjIP0VJHLGQn/rgRQzuO
cV5gmJ6TSGn1l54H13koBzgUCo0cAub8Nl+288qek+jLWoHnKwzLB+1HCWuyeCHt
2q6wdFfenYH0lXdIzCeC7NNHRKCrPNwkZ/32d4ZQf4cu5tAn8bOk8dSHchoAfZG8
p7N6jPPoxmi2F/GRKrTiUNZvQpyvgX3hjtJS6ljOTSYgRhjeNYeCP8U+BlOpLVQy
U4KzB9wOAngTEpo=
=p2Sh
-----END PGP SIGNATURE-----
Merge tag 'selinux-pr-20180403' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull SELinux updates from Paul Moore:
"A bigger than usual pull request for SELinux, 13 patches (lucky!)
along with a scary looking diffstat.
Although if you look a bit closer, excluding the usual minor
tweaks/fixes, there are really only two significant changes in this
pull request: the addition of proper SELinux access controls for SCTP
and the encapsulation of a lot of internal SELinux state.
The SCTP changes are the result of a multi-month effort (maybe even a
year or longer?) between the SELinux folks and the SCTP folks to add
proper SELinux controls. A special thanks go to Richard for seeing
this through and keeping the effort moving forward.
The state encapsulation work is a bit of janitorial work that came out
of some early work on SELinux namespacing. The question of namespacing
is still an open one, but I believe there is some real value in the
encapsulation work so we've split that out and are now sending that up
to you"
* tag 'selinux-pr-20180403' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: wrap AVC state
selinux: wrap selinuxfs state
selinux: fix handling of uninitialized selinux state in get_bools/classes
selinux: Update SELinux SCTP documentation
selinux: Fix ltp test connect-syscall failure
selinux: rename the {is,set}_enforcing() functions
selinux: wrap global selinux state
selinux: fix typo in selinux_netlbl_sctp_sk_clone declaration
selinux: Add SCTP support
sctp: Add LSM hooks
sctp: Add ip option support
security: Add support for SCTP security hooks
netlabel: If PF_INET6, check sk_buff ip header version
This commit is contained in:
Linus Torvalds
commit
9eda2d2dca
43 changed files with 2953 additions and 1269 deletions
|
|
@ -906,6 +906,33 @@
|
|||
* associated with the TUN device's security structure.
|
||||
* @security pointer to the TUN devices's security structure.
|
||||
*
|
||||
* Security hooks for SCTP
|
||||
*
|
||||
* @sctp_assoc_request:
|
||||
* Passes the @ep and @chunk->skb of the association INIT packet to
|
||||
* the security module.
|
||||
* @ep pointer to sctp endpoint structure.
|
||||
* @skb pointer to skbuff of association packet.
|
||||
* Return 0 on success, error on failure.
|
||||
* @sctp_bind_connect:
|
||||
* Validiate permissions required for each address associated with sock
|
||||
* @sk. Depending on @optname, the addresses will be treated as either
|
||||
* for a connect or bind service. The @addrlen is calculated on each
|
||||
* ipv4 and ipv6 address using sizeof(struct sockaddr_in) or
|
||||
* sizeof(struct sockaddr_in6).
|
||||
* @sk pointer to sock structure.
|
||||
* @optname name of the option to validate.
|
||||
* @address list containing one or more ipv4/ipv6 addresses.
|
||||
* @addrlen total length of address(s).
|
||||
* Return 0 on success, error on failure.
|
||||
* @sctp_sk_clone:
|
||||
* Called whenever a new socket is created by accept(2) (i.e. a TCP
|
||||
* style socket) or when a socket is 'peeled off' e.g userspace
|
||||
* calls sctp_peeloff(3).
|
||||
* @ep pointer to current sctp endpoint structure.
|
||||
* @sk pointer to current sock structure.
|
||||
* @sk pointer to new sock structure.
|
||||
*
|
||||
* Security hooks for Infiniband
|
||||
*
|
||||
* @ib_pkey_access:
|
||||
|
|
@ -1665,6 +1692,12 @@ union security_list_options {
|
|||
int (*tun_dev_attach_queue)(void *security);
|
||||
int (*tun_dev_attach)(struct sock *sk, void *security);
|
||||
int (*tun_dev_open)(void *security);
|
||||
int (*sctp_assoc_request)(struct sctp_endpoint *ep,
|
||||
struct sk_buff *skb);
|
||||
int (*sctp_bind_connect)(struct sock *sk, int optname,
|
||||
struct sockaddr *address, int addrlen);
|
||||
void (*sctp_sk_clone)(struct sctp_endpoint *ep, struct sock *sk,
|
||||
struct sock *newsk);
|
||||
#endif /* CONFIG_SECURITY_NETWORK */
|
||||
|
||||
#ifdef CONFIG_SECURITY_INFINIBAND
|
||||
|
|
@ -1914,6 +1947,9 @@ struct security_hook_heads {
|
|||
struct list_head tun_dev_attach_queue;
|
||||
struct list_head tun_dev_attach;
|
||||
struct list_head tun_dev_open;
|
||||
struct list_head sctp_assoc_request;
|
||||
struct list_head sctp_bind_connect;
|
||||
struct list_head sctp_sk_clone;
|
||||
#endif /* CONFIG_SECURITY_NETWORK */
|
||||
#ifdef CONFIG_SECURITY_INFINIBAND
|
||||
struct list_head ib_pkey_access;
|
||||
|
|
|
|||
|
|
@ -112,6 +112,7 @@ struct xfrm_policy;
|
|||
struct xfrm_state;
|
||||
struct xfrm_user_sec_ctx;
|
||||
struct seq_file;
|
||||
struct sctp_endpoint;
|
||||
|
||||
#ifdef CONFIG_MMU
|
||||
extern unsigned long mmap_min_addr;
|
||||
|
|
@ -1226,6 +1227,11 @@ int security_tun_dev_create(void);
|
|||
int security_tun_dev_attach_queue(void *security);
|
||||
int security_tun_dev_attach(struct sock *sk, void *security);
|
||||
int security_tun_dev_open(void *security);
|
||||
int security_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb);
|
||||
int security_sctp_bind_connect(struct sock *sk, int optname,
|
||||
struct sockaddr *address, int addrlen);
|
||||
void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
|
||||
struct sock *newsk);
|
||||
|
||||
#else /* CONFIG_SECURITY_NETWORK */
|
||||
static inline int security_unix_stream_connect(struct sock *sock,
|
||||
|
|
@ -1418,6 +1424,25 @@ static inline int security_tun_dev_open(void *security)
|
|||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int security_sctp_assoc_request(struct sctp_endpoint *ep,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int security_sctp_bind_connect(struct sock *sk, int optname,
|
||||
struct sockaddr *address,
|
||||
int addrlen)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline void security_sctp_sk_clone(struct sctp_endpoint *ep,
|
||||
struct sock *sk,
|
||||
struct sock *newsk)
|
||||
{
|
||||
}
|
||||
#endif /* CONFIG_SECURITY_NETWORK */
|
||||
|
||||
#ifdef CONFIG_SECURITY_INFINIBAND
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue