summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2017-05-05 09:14:48 -0400
committerPaul Moore <paul@paul-moore.com>2017-05-23 10:23:39 -0400
commit3ba4bf5f1e2c58bddd84ba27c5aeaf8ca1d36bff (patch)
treecd3dfc14e97e3dbb731d6a63d97bb49af5ee176b
parentdb59000ab760f8d77b07b7f2898ff61110f88607 (diff)
downloadtalos-obmc-linux-3ba4bf5f1e2c58bddd84ba27c5aeaf8ca1d36bff.tar.gz
talos-obmc-linux-3ba4bf5f1e2c58bddd84ba27c5aeaf8ca1d36bff.zip
selinux: add a map permission check for mmap
Add a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). When a file is opened and then read or written via syscalls like read(2)/write(2), we revalidate access on each read/write operation via selinux_file_permission() and therefore can revoke access if the process context, the file context, or the policy changes in such a manner that access is no longer allowed. When a file is opened and then memory mapped via mmap(2) and then subsequently read or written directly in memory, we presently have no way to revalidate or revoke access. The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r--security/selinux/hooks.c12
-rw-r--r--security/selinux/include/classmap.h2
2 files changed, 13 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index dddb81e06d2d..e29800091e17 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3557,6 +3557,18 @@ static int selinux_mmap_addr(unsigned long addr)
static int selinux_mmap_file(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags)
{
+ struct common_audit_data ad;
+ int rc;
+
+ if (file) {
+ ad.type = LSM_AUDIT_DATA_FILE;
+ ad.u.file = file;
+ rc = inode_has_perm(current_cred(), file_inode(file),
+ FILE__MAP, &ad);
+ if (rc)
+ return rc;
+ }
+
if (selinux_checkreqprot)
prot = reqprot;
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 1e0cc9b5de20..3e49a78f1f46 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -1,7 +1,7 @@
#include <linux/capability.h>
#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
- "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
+ "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map"
#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
"rename", "execute", "quotaon", "mounton", "audit_access", \
OpenPOWER on IntegriCloud