Message-ID: <20250610172226.1470741-20-stephen.smalley.work@gmail.com>
Date: Tue, 10 Jun 2025 13:21:50 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: selinux@...r.kernel.org
Cc: paul@...l-moore.com,
	omosnace@...hat.com,
	netdev@...r.kernel.org,
	Stephen Smalley <stephen.smalley.work@...il.com>
Subject: [PATCH v4 19/42] selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS

Completely eliminate the global SID table and its wrapper functions
when CONFIG_SECURITY_SELINUX_NS=n to avoid imposing overhead on
systems that do not enable SELinux namespaces.

Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com>
---
 security/selinux/Makefile                |   3 +-
 security/selinux/include/audit.h         |   8 +
 security/selinux/include/global_sidtab.h |   7 +
 security/selinux/include/security.h      | 213 ++++++++++++++++++++++-
 security/selinux/include/sidtab.h        |   4 +
 security/selinux/ss/sidtab.c             |   8 +
 6 files changed, 241 insertions(+), 2 deletions(-)

diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index fe5f6f4bb0ea..e6b9628ab800 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -15,7 +15,7 @@ ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
 ccflags-$(CONFIG_SECURITY_SELINUX_DEBUG) += -DDEBUG
 
 selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
-	     netnode.o netport.o status.o global_sidtab.o \
+	     netnode.o netport.o status.o \
 	     ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
 	     ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/context.o
 
@@ -23,6 +23,7 @@ selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 selinux-$(CONFIG_NETLABEL) += netlabel.o
 selinux-$(CONFIG_SECURITY_INFINIBAND) += ibpkey.o
 selinux-$(CONFIG_IMA) += ima.o
+selinux-$(CONFIG_SECURITY_SELINUX_NS) += global_sidtab.o
 
 genhdrs := flask.h av_permissions.h
 
diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h
index d5b0425055e4..9dbddc6262c3 100644
--- a/security/selinux/include/audit.h
+++ b/security/selinux/include/audit.h
@@ -49,8 +49,16 @@ void selinux_audit_rule_free(void *rule);
  * Returns 1 if the context id matches the rule, 0 if it does not, and
  * -errno on failure.
  */
+#ifdef CONFIG_SECURITY_SELINUX_NS
 int selinux_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op,
 			     void *rule);
+#else
+static inline int selinux_audit_rule_match(struct lsm_prop *prop, u32 field,
+					   u32 op, void *rule)
+{
+	return selinux_ss_audit_rule_match(prop, field, op, rule);
+}
+#endif
 
 /**
  * selinux_audit_rule_known - check to see if rule contains selinux fields.
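Review bot: The new static inline `selinux_audit_rule_match` in the `#else` branch calls `selinux_ss_audit_rule_match`, but this hunk adds no include that declares it, whereas the parallel change in security.h pulls in `"selinux_ss.h"` inside its own `#else` branch. If audit.h can be included before that prototype is visible in a !CONFIG_SECURITY_SELINUX_NS build, the header stops being self-contained and the call compiles as an implicit declaration or fails outright. Either `#include "selinux_ss.h"` under the `#else`, matching security.h, or a comment stating which header every includer is expected to have already, would settle it.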
diff --git a/security/selinux/include/global_sidtab.h b/security/selinux/include/global_sidtab.h
index a47cebecc944..2e06bb865326 100644
--- a/security/selinux/include/global_sidtab.h
+++ b/security/selinux/include/global_sidtab.h
@@ -7,6 +7,13 @@
 #ifndef _GLOBAL_SIDTAB_H_
 #define _GLOBAL_SIDTAB_H_
 
+#ifdef CONFIG_SECURITY_SELINUX_NS
 extern int global_sidtab_init(void);
+#else
+static inline int global_sidtab_init(void)
+{
+	return 0;
+}
+#endif /* CONFIG_SECURITY_SELINUX_NS */
 
 #endif /* _GLOBAL_SIDTAB_H_ */
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 4851f2d4ab9a..572d9ea9cef6 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -348,6 +348,8 @@ struct extended_perms {
 /* definitions of av_decision.flags */
 #define AVD_FLAGS_PERMISSIVE 0x0001
 
+#ifdef CONFIG_SECURITY_SELINUX_NS
+
 void security_compute_av(struct selinux_state *state, u32 ssid, u32 tsid,
 			 u16 tclass, struct av_decision *avd,
 			 struct extended_perms *xperms);
@@ -413,6 +415,160 @@ int security_sid_mls_copy(struct selinux_state *state, u32 sid, u32 mls_sid,
 int security_net_peersid_resolve(struct selinux_state *state, u32 nlbl_sid,
 				 u32 nlbl_type, u32 xfrm_sid, u32 *peer_sid);
 
+#else
+
+#include "selinux_ss.h"
+
+static inline void security_compute_av(struct selinux_state *state, u32 ssid,
+				       u32 tsid, u16 tclass,
+				       struct av_decision *avd,
+				       struct extended_perms *xperms)
+{
+	selinux_ss_compute_av(state, ssid, tsid, tclass, avd, xperms);
+}
+
+static inline void
+security_compute_xperms_decision(struct selinux_state *state, u32 ssid,
+				 u32 tsid, u16 tclass, u8 driver, u8 base_perm,
+				 struct extended_perms_decision *xpermd)
+{
+	selinux_ss_compute_xperms_decision(state, ssid, tsid, tclass, driver,
+					   base_perm, xpermd);
+}
+
+static inline int security_transition_sid(struct selinux_state *state, u32 ssid,
+					  u32 tsid, u16 tclass,
+					  const struct qstr *qstr, u32 *out_sid)
+{
+	return selinux_ss_transition_sid(state, ssid, tsid, tclass, qstr,
+					 out_sid);
+}
+
+static inline int security_sid_to_context(struct selinux_state *state, u32 sid,
+					  char **scontext, u32 *scontext_len)
+{
+	return selinux_ss_sid_to_context(state, sid, scontext, scontext_len);
+}
+
+static inline int security_sid_to_context_valid(struct selinux_state *state,
+						u32 sid, char **scontext,
+						u32 *scontext_len)
+{
+	return selinux_ss_sid_to_context(state, sid, scontext, scontext_len);
+}
+
+static inline int security_sid_to_context_force(struct selinux_state *state,
+						u32 sid, char **scontext,
+						u32 *scontext_len)
+{
+	return selinux_ss_sid_to_context_force(state, sid, scontext,
+					       scontext_len);
+}
+
+static inline int security_sid_to_context_inval(struct selinux_state *state,
+						u32 sid, char **scontext,
+						u32 *scontext_len)
+{
+	return selinux_ss_sid_to_context_inval(state, sid, scontext,
+					       scontext_len);
+}
+
+static inline int security_context_to_sid(struct selinux_state *state,
+					  const char *scontext,
+					  u32 scontext_len, u32 *out_sid,
+					  gfp_t gfp)
+{
+	return selinux_ss_context_to_sid(state, scontext, scontext_len, out_sid,
+					 gfp);
+}
+
+static inline int security_context_str_to_sid(struct selinux_state *state,
+					      const char *scontext,
+					      u32 *out_sid, gfp_t gfp)
+{
+	return selinux_ss_context_str_to_sid(state, scontext, out_sid, gfp);
+}
+
+static inline int security_context_to_sid_default(struct selinux_state *state,
+						  const char *scontext,
+						  u32 scontext_len,
+						  u32 *out_sid, u32 def_sid,
+						  gfp_t gfp_flags)
+{
+	return selinux_ss_context_to_sid_default(state, scontext, scontext_len,
+						 out_sid, def_sid, gfp_flags);
+}
+
+static inline int security_context_to_sid_force(struct selinux_state *state,
+						const char *scontext,
+						u32 scontext_len, u32 *sid)
+{
+	return selinux_ss_context_to_sid_force(state, scontext, scontext_len,
+					       sid, GFP_KERNEL);
+}
+
+static inline int security_port_sid(struct selinux_state *state, u8 protocol,
+				    u16 port, u32 *out_sid)
+{
+	return selinux_ss_port_sid(state, protocol, port, out_sid);
+}
+
+static inline int security_ib_pkey_sid(struct selinux_state *state,
+				       u64 subnet_prefix, u16 pkey_num,
+				       u32 *out_sid)
+{
+	return selinux_ss_ib_pkey_sid(state, subnet_prefix, pkey_num, out_sid);
+}
+
+static inline int security_ib_endport_sid(struct selinux_state *state,
+					  const char *dev_name, u8 port_num,
+					  u32 *out_sid)
+{
+	return selinux_ss_ib_endport_sid(state, dev_name, port_num, out_sid);
+}
+
+static inline int security_netif_sid(struct selinux_state *state,
+				     const char *name, u32 *if_sid)
+{
+	return selinux_ss_netif_sid(state, name, if_sid);
+}
+
+static inline int security_node_sid(struct selinux_state *state, u16 domain,
+				    const void *addr, u32 addrlen, u32 *out_sid)
+{
+	return selinux_ss_node_sid(state, domain, addr, addrlen, out_sid);
+}
+
+static inline int security_validate_transition(struct selinux_state *state,
+					       u32 oldsid, u32 newsid,
+					       u32 tasksid, u16 tclass)
+{
+	return selinux_ss_validate_transition(state, oldsid, newsid, tasksid,
+					      tclass);
+}
+
+static inline int security_bounded_transition(struct selinux_state *state,
+					      u32 old_sid, u32 new_sid)
+{
+	return selinux_ss_bounded_transition(state, old_sid, new_sid);
+}
+
+static inline int security_sid_mls_copy(struct selinux_state *state, u32 sid,
+					u32 mls_sid, u32 *new_sid)
+{
+	return selinux_ss_sid_mls_copy(state, sid, mls_sid, new_sid);
+}
+
+static inline int security_net_peersid_resolve(struct selinux_state *state,
+					       u32 nlbl_sid, u32 nlbl_type,
+					       u32 xfrm_sid, u32 *peer_sid)
+{
+	return selinux_ss_net_peersid_resolve(state, nlbl_sid, nlbl_type,
+					      xfrm_sid, peer_sid);
+}
+
+#endif /* CONFIG_SECURITY_SELINUX_NS */
+
 int security_get_classes(struct selinux_policy *policy, char ***classes,
 			 u32 *nclasses);
 int security_get_permissions(struct selinux_policy *policy, const char *class,
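Review bot: In the !NS branch `security_sid_to_context_valid` forwards to the same `selinux_ss_sid_to_context` as plain `security_sid_to_context`, while the `_force` and `_inval` variants each map to their own ss counterpart, so the `_valid` wrapper reads like a copy-paste slip unless one knows the distinction presumably only matters when namespaces translate SIDs. A one-line comment at that wrapper, e.g. `/* No SID translation without namespaces: the valid-only and default lookups are the same ss call. */`, would make the intent explicit. Similarly `security_context_to_sid_force` hard-codes `GFP_KERNEL` for a gfp argument the underlying `selinux_ss_context_to_sid_force` exposes; a short comment that the public interface deliberately has no gfp parameter and so assumes a sleepable caller would help, since the NS-side prototype for comparison lies outside this hunk.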
@@ -429,6 +585,7 @@ int security_get_allow_unknown(struct selinux_state *state);
 #define SECURITY_FS_USE_NATIVE	 7 /* use native label support */
 #define SECURITY_FS_USE_MAX	 7 /* Highest SECURITY_FS_USE_XXX */
 
+#ifdef CONFIG_SECURITY_SELINUX_NS
 int security_fs_use(struct selinux_state *state, const char *fstype,
 		    unsigned short *behavior, u32 *sid);
 
@@ -437,15 +594,69 @@ int security_genfs_sid(struct selinux_state *state, const char *fstype,
 
 int selinux_policy_genfs_sid(struct selinux_policy *policy, const char *fstype,
 			     const char *path, u16 sclass, u32 *sid);
+#else
+static inline int security_fs_use(struct selinux_state *state,
+				  const char *fstype, unsigned short *behavior,
+				  u32 *sid)
+{
+	return selinux_ss_fs_use(state, fstype, behavior, sid);
+}
+
+static inline int security_genfs_sid(struct selinux_state *state,
+				     const char *fstype, const char *path,
+				     u16 sclass, u32 *sid)
+{
+	return selinux_ss_genfs_sid(state, fstype, path, sclass, sid);
+}
+
+static inline int selinux_policy_genfs_sid(struct selinux_policy *policy,
+					   const char *fstype, const char *path,
+					   u16 sclass, u32 *sid)
+{
+	return selinux_ss_policy_genfs_sid(policy, fstype, path, sclass, sid);
+}
+#endif
 
 #ifdef CONFIG_NETLABEL
+#ifdef CONFIG_SECURITY_SELINUX_NS
 int security_netlbl_secattr_to_sid(struct selinux_state *state,
 				   struct netlbl_lsm_secattr *secattr,
 				   u32 *sid);
 
 int security_netlbl_sid_to_secattr(struct selinux_state *state, u32 sid,
 				   struct netlbl_lsm_secattr *secattr);
-#else
+#else /* CONFIG_SECURITY_SELINUX_NS */
+#include <net/netlabel.h>
+
+static inline int
+security_netlbl_secattr_to_sid(struct selinux_state *state,
+			       struct netlbl_lsm_secattr *secattr, u32 *sid)
+{
+	if (secattr->flags & NETLBL_SECATTR_SECID) {
+		*sid = secattr->attr.secid;
+		return 0;
+	}
+
+	return selinux_ss_netlbl_secattr_to_sid(state, secattr, sid);
+}
+
+static inline int
+security_netlbl_sid_to_secattr(struct selinux_state *state, u32 sid,
+			       struct netlbl_lsm_secattr *secattr)
+{
+	int rc;
+
+	rc = selinux_ss_netlbl_sid_to_secattr(state, sid, secattr);
+	if (rc)
+		return rc;
+
+	secattr->attr.secid = sid;
+	secattr->flags |= NETLBL_SECATTR_SECID;
+	return 0;
+}
+
+#endif /* CONFIG_SECURITY_SELINUX_NS */
+#else /* CONFIG_NETLABEL */
 static inline int
 security_netlbl_secattr_to_sid(struct selinux_state *state,
 			       struct netlbl_lsm_secattr *secattr, u32 *sid)
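Review bot: The !NS `security_netlbl_secattr_to_sid` short-circuits on `NETLBL_SECATTR_SECID` and uses `secattr->attr.secid` directly as the SID without consulting the security server, and `security_netlbl_sid_to_secattr` writes the SID back into `attr.secid`; neither carries a comment saying why this round-trip is only correct when namespaces are disabled (presumably because the cached secid is then already a SID of the single global namespace). Suggest `/* Without namespaces a secid cached in the secattr is already a usable SID; no translation needed. */` above the `if`, and the mirror statement above the `secattr->attr.secid = sid;` store. Placing `#include <net/netlabel.h>` inside the nested `#ifdef` is needed for the field accesses, but it makes the header's include set config-dependent, which is worth noting in the commit message. The enclosing `#else /* CONFIG_NETLABEL */` stub continues past the end of this hunk.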
diff --git a/security/selinux/include/sidtab.h b/security/selinux/include/sidtab.h
index 1d40e1a7fa42..61389c588775 100644
--- a/security/selinux/include/sidtab.h
+++ b/security/selinux/include/sidtab.h
@@ -26,8 +26,10 @@ struct sidtab_entry {
 	struct sidtab_str_cache __rcu *cache;
 #endif
 	struct hlist_node list;
+#ifdef CONFIG_SECURITY_SELINUX_NS
 	u32 ss_sid; // global SID table only
 	struct selinux_state *state; // global SID table only
+#endif
 };
 
 union sidtab_entry_inner {
@@ -136,8 +138,10 @@ void sidtab_freeze_end(struct sidtab *s, unsigned long *flags)
 
 int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid);
 
+#ifdef CONFIG_SECURITY_SELINUX_NS
 int sidtab_context_ss_to_sid(struct sidtab *s, struct context *context,
 			     struct selinux_state *state, u32 ss_sid, u32 *sid);
+#endif
 
 void sidtab_destroy(struct sidtab *s);
 
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index da8d19ce5866..19991f01cd20 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -265,8 +265,12 @@ struct sidtab_entry *sidtab_search_entry_force(struct sidtab *s, u32 sid)
 	return sidtab_search_core(s, sid, 1);
 }
 
+#ifdef CONFIG_SECURITY_SELINUX_NS
 int sidtab_context_ss_to_sid(struct sidtab *s, struct context *context,
 			     struct selinux_state *state, u32 ss_sid, u32 *sid)
+#else
+int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid)
+#endif
 {
 	unsigned long flags;
 	u32 count, hash = context_compute_hash(context);
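Review bot: One function body is given two different names via `#ifdef`, so in a !CONFIG_SECURITY_SELINUX_NS tree the definition of `sidtab_context_to_sid` begins inside an `#else` branch and the later hunk headers that still read `sidtab_context_ss_to_sid` no longer name the compiled symbol, which will also confuse ctags/cscope users. A brief comment above the `#ifdef` would orient readers: `/* One body serves both configs: with SELINUX_NS it is the ss-scoped core wrapped by sidtab_context_to_sid() below; without it, it is sidtab_context_to_sid() itself. */`. The function body continues past the end of this hunk, and the `dst->state`/`dst->ss_sid` stores are made conditional the same way in the following hunk.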
@@ -309,8 +313,10 @@ int sidtab_context_ss_to_sid(struct sidtab *s, struct context *context,
 		goto out_unlock;
 
 	dst->sid = index_to_sid(count);
+#ifdef CONFIG_SECURITY_SELINUX_NS
 	dst->state = state;
 	dst->ss_sid = ss_sid;
+#endif
 	dst->hash = hash;
 
 	rc = context_cpy(&dst->context, context);
@@ -359,10 +365,12 @@ int sidtab_context_ss_to_sid(struct sidtab *s, struct context *context,
 	return rc;
 }
 
+#ifdef CONFIG_SECURITY_SELINUX_NS
 int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid)
 {
 	return sidtab_context_ss_to_sid(s, context, NULL, 0, sid);
 }
+#endif
 
 static void sidtab_convert_hashtable(struct sidtab *s, u32 count)
 {
-- 
2.49.0

