selinux: only invoke capabilities and selinux for CAP_MAC_ADMIN checks
SELinux uses CAP_MAC_ADMIN to control the ability to get or set a raw, uninterpreted security context unknown to the currently loaded security policy. When performing these checks, we only want to perform a base capabilities check and a SELinux permission check. If any other modules that implement a capable hook are stacked with SELinux, we do not want to require them to also have to authorize CAP_MAC_ADMIN, since it may have different implications for their security model. Rework the CAP_MAC_ADMIN checks within SELinux to only invoke the capabilities module and the SELinux permission checking. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
parent
46be14d2b6
commit
db59000ab7
1 changed files with 15 additions and 8 deletions
|
@ -3107,6 +3107,18 @@ static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
|
|||
return dentry_has_perm(cred, dentry, FILE__SETATTR);
|
||||
}
|
||||
|
||||
static bool has_cap_mac_admin(bool audit)
|
||||
{
|
||||
const struct cred *cred = current_cred();
|
||||
int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
|
||||
|
||||
if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
|
||||
return false;
|
||||
if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
|
||||
const void *value, size_t size, int flags)
|
||||
{
|
||||
|
@ -3138,7 +3150,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
|
|||
|
||||
rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
|
||||
if (rc == -EINVAL) {
|
||||
if (!capable(CAP_MAC_ADMIN)) {
|
||||
if (!has_cap_mac_admin(true)) {
|
||||
struct audit_buffer *ab;
|
||||
size_t audit_size;
|
||||
const char *str;
|
||||
|
@ -3264,13 +3276,8 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
|
|||
* and lack of permission just means that we fall back to the
|
||||
* in-core context value, not a denial.
|
||||
*/
|
||||
error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
|
||||
SECURITY_CAP_NOAUDIT);
|
||||
if (!error)
|
||||
error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
|
||||
SECURITY_CAP_NOAUDIT, true);
|
||||
isec = inode_security(inode);
|
||||
if (!error)
|
||||
if (has_cap_mac_admin(false))
|
||||
error = security_sid_to_context_force(isec->sid, &context,
|
||||
&size);
|
||||
else
|
||||
|
@ -5919,7 +5926,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
|
|||
}
|
||||
error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
|
||||
if (error == -EINVAL && !strcmp(name, "fscreate")) {
|
||||
if (!capable(CAP_MAC_ADMIN)) {
|
||||
if (!has_cap_mac_admin(true)) {
|
||||
struct audit_buffer *ab;
|
||||
size_t audit_size;
|
||||
|
||||
|
|
Loading…
Reference in a new issue