selinux: add permission checks for loading other kinds of kernel files

Although the LSM hooks for loading kernel modules were later generalized
to cover loading other kinds of files, SELinux didn't implement
corresponding permission checks, leaving only the module case covered.
Define and add new permission checks for these other cases.

Signed-off-by: Cameron K. Williams <ckwilliams.work@gmail.com>
Signed-off-by: Kipp N. Davis <kippndavis.work@gmx.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: merge fuzz, line length, and spacing fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a80e3f01153fb27af5a254e7081c0ce1d66379fc..0fc70dcf1409c35fc7035adb0e03b6a51d021ddc 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4096,7 +4096,7 @@ static int selinux_kernel_module_request(char *kmod_name)
                            SYSTEM__MODULE_REQUEST, &ad);
 }
 
-static int selinux_kernel_module_from_file(struct file *file)
+static int selinux_kernel_load_from_file(struct file *file, u32 requested)
 {
        struct common_audit_data ad;
        struct inode_security_struct *isec;
@@ -4104,12 +4104,8 @@ static int selinux_kernel_module_from_file(struct file *file)
        u32 sid = current_sid();
        int rc;
 
-       /* init_module */
        if (file == NULL)
-               return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
-                                       SYSTEM__MODULE_LOAD, NULL);
-
-       /* finit_module */
+               return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL);
 
        ad.type = LSM_AUDIT_DATA_FILE;
        ad.u.file = file;
@@ -4122,8 +4118,7 @@ static int selinux_kernel_module_from_file(struct file *file)
        }
 
        isec = inode_security(file_inode(file));
-       return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
-                               SYSTEM__MODULE_LOAD, &ad);
+       return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad);
 }
 
 static int selinux_kernel_read_file(struct file *file,
@@ -4132,9 +4127,30 @@ static int selinux_kernel_read_file(struct file *file,
 {
        int rc = 0;
 
+       BUILD_BUG_ON_MSG(READING_MAX_ID > 7,
+                        "New kernel_read_file_id introduced; update SELinux!");
+
        switch (id) {
+       case READING_FIRMWARE:
+               rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD);
+               break;
        case READING_MODULE:
-               rc = selinux_kernel_module_from_file(file);
+               rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD);
+               break;
+       case READING_KEXEC_IMAGE:
+               rc = selinux_kernel_load_from_file(file,
+                                                  SYSTEM__KEXEC_IMAGE_LOAD);
+               break;
+       case READING_KEXEC_INITRAMFS:
+               rc = selinux_kernel_load_from_file(file,
+                                               SYSTEM__KEXEC_INITRAMFS_LOAD);
+               break;
+       case READING_POLICY:
+               rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD);
+               break;
+       case READING_X509_CERTIFICATE:
+               rc = selinux_kernel_load_from_file(file,
+                                               SYSTEM__X509_CERTIFICATE_LOAD);
                break;
        default:
                break;
@@ -4147,9 +4163,31 @@ static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
 {
        int rc = 0;
 
+       BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7,
+                        "New kernel_load_data_id introduced; update SELinux!");
+
        switch (id) {
+       case LOADING_FIRMWARE:
+               rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD);
+               break;
        case LOADING_MODULE:
-               rc = selinux_kernel_module_from_file(NULL);
+               rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD);
+               break;
+       case LOADING_KEXEC_IMAGE:
+               rc = selinux_kernel_load_from_file(NULL,
+                                                  SYSTEM__KEXEC_IMAGE_LOAD);
+               break;
+       case LOADING_KEXEC_INITRAMFS:
+               rc = selinux_kernel_load_from_file(NULL,
+                                               SYSTEM__KEXEC_INITRAMFS_LOAD);
+               break;
+       case LOADING_POLICY:
+               rc = selinux_kernel_load_from_file(NULL,
+                                                  SYSTEM__POLICY_LOAD);
+               break;
+       case LOADING_X509_CERTIFICATE:
+               rc = selinux_kernel_load_from_file(NULL,
+                                               SYSTEM__X509_CERTIFICATE_LOAD);
                break;
        default:
                break;

diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 03e82477dce97faa42bff3369dc838f6796d5491..cfac41d12f7d43cbc30040d0fcf384c704c28d4f 100644 (file)
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -63,7 +63,9 @@ const struct security_class_mapping secclass_map[] = {
        { "process2", { "nnp_transition", "nosuid_transition", NULL } },
        { "system",
          { "ipc_info", "syslog_read", "syslog_mod", "syslog_console",
-           "module_request", "module_load", NULL } },
+           "module_request", "module_load", "firmware_load",
+           "kexec_image_load", "kexec_initramfs_load", "policy_load",
+           "x509_certificate_load", NULL } },
        { "capability", { COMMON_CAP_PERMS, NULL } },
        { "filesystem",
          { "mount", "remount", "unmount", "getattr", "relabelfrom",