Commit Graph

10 Commits

Author SHA1 Message Date
Christian Göttsche
3854698833 libsepol: add support for new polcap genfs_seclabel_symlinks
Add support for new SELinux policy capability genfs_seclabel_symlinks.
With this capability enabled symlinks on kernel filesystems will receive
contexts based on genfscon statements, like directories and files,
and not be restricted to the respective filesystem root sid.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-02-06 10:50:54 -05:00
Stephen Smalley
ae1cd12076 libsepol: Define nnp_nosuid_transition policy capability
Define the nnp_nosuid_transition policy capability used to enable
SELinux domain transitions under NNP or nosuid if the
nnp_transition permission or nosuid_transition permission is
allowed between the old and new contexts. When this capability is not
enabled, such transitions remain limited to bounded transitions as they
were prior to the introduction of this capability.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-28 15:42:36 -04:00
Stephen Smalley
43b24f0132 libsepol: Define cgroup_seclabel policy capability
Define the new cgroup_seclabel policy capability used to
enable userspace setting of security labels on cgroup files
via setfscreatecon() aka /proc/self/attr/fscreate and/or
setfilecon() aka setxattr().

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-03-02 12:39:13 -05:00
Nicolas Iooss
d4923b49b4 libsepol: make capability index an unsigned int
When sepol_polcap_getname() is called with a negative capnum, it
dereferences polcap_names[capnum] which produces a segmentation fault
most of the time.

For information, here is a gdb session when hll/pp loads a policy module
which has been mutated by American Fuzzy Lop:

    Program received signal SIGSEGV, Segmentation fault.
    sepol_polcap_getname (capnum=capnum@entry=-4259840) at polcaps.c:34
    34      return polcap_names[capnum];
    => 0x00007ffff7a8da07 <sepol_polcap_getname+135>:   48 8b 04 f8 mov
    (%rax,%rdi,8),%rax

    (gdb) bt
    #0  sepol_polcap_getname (capnum=capnum@entry=-4259840) at
    polcaps.c:34
    #1  0x00007ffff7a7c440 in polcaps_to_cil (pdb=0x6042e0) at
    module_to_cil.c:2492
    #2  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79c75e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4039
    #3  0x00007ffff7a7e695 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79c75e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4087
    #4  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-09 16:00:14 -05:00
Stephen Smalley
d479baa82d libsepol: Define extended_socket_class policy capability
Define the extended_socket_class policy capability used to enable
the use of separate socket security classes for all network address
families rather than the generic socket class. This also enables
separate security classes for ICMP and SCTP sockets, which were previously
mapped to the rawip_socket class.

The legacy redhat1 policy capability that was only ever used in testing
within Fedora for ptrace_child is reclaimed for this purpose; as far as
I can tell, this policy capability is not enabled in any supported distro
policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 09:17:17 -05:00
Stephen Smalley
cf8625be58 libsepol: do not #include <sys/cdefs.h>
ratbert90 submitted this patch via
https://github.com/SELinuxProject/selinux/issues/19.
Apparently musl does not provide sys/cdefs.h, see
http://wiki.musl-libc.org/wiki/FAQ#Q:_I.27m_trying_to_compile_something_against_musl_and_I_get_error_messages_about_sys.2Fcdefs.h.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-29 11:03:17 -05:00
dcashman
ed7a6ba24a Allow libsepol C++ static library on device.
Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-01-20 10:31:15 -05:00
Chris PeBenito
01723ac2ce libsepol: Add always_check_network policy capability
Currently the packet class in SELinux is not checked if there are no
SECMARK rules in the security or mangle netfilter tables.  Similarly, the
peer class is not checked if there is no NetLabel or labeled IPSEC.  Some
systems prefer that these classes are always checked, for example, to
protect the system should the netfilter rules fail to load or if the
nefilter rules were maliciously flushed.

Add the always_check_network policy capability which, when enabled, treats
these mechanisms as enabled, even if there are no labeling rules.

Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 14:30:24 -04:00
Eric Paris
7a1e3e1fef libsepol: reserve policycapability for redhat testing of ptrace child
Red Hat is testing ptrace_child in the wild.  reserve this policy
capability so we don't have conflicts.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-06-28 11:21:15 -04:00
Joshua Brindle
13cd4c8960 initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00