diff options
| author | David Howells <dhowells@redhat.com> | 2018-11-01 19:07:24 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2019-02-28 03:29:24 -0500 |
| commit | 442155c1bd84f82bff2d05d0ec4d0090df17ecfa (patch) | |
| tree | cf02556d9bcc6ed826c6ae0cf99392bb57e7265a /security/selinux | |
| parent | da2441fdffbf7602da702aea5bd95ca4dc3d63fc (diff) | |
selinux: Implement the new mount API LSM hooks
Implement the new mount API LSM hooks for SELinux. At some point the old
hooks will need to be removed.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Paul Moore <paul@paul-moore.com>
cc: Stephen Smalley <sds@tycho.nsa.gov>
cc: selinux@tycho.nsa.gov
cc: linux-security-module@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/hooks.c | 49 | ||||
| -rw-r--r-- | security/selinux/include/security.h | 10 |
2 files changed, 49 insertions, 10 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f0e36c3492ba..f99381e97d73 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -48,6 +48,8 @@ | |||
| 48 | #include <linux/fdtable.h> | 48 | #include <linux/fdtable.h> |
| 49 | #include <linux/namei.h> | 49 | #include <linux/namei.h> |
| 50 | #include <linux/mount.h> | 50 | #include <linux/mount.h> |
| 51 | #include <linux/fs_context.h> | ||
| 52 | #include <linux/fs_parser.h> | ||
| 51 | #include <linux/netfilter_ipv4.h> | 53 | #include <linux/netfilter_ipv4.h> |
| 52 | #include <linux/netfilter_ipv6.h> | 54 | #include <linux/netfilter_ipv6.h> |
| 53 | #include <linux/tty.h> | 55 | #include <linux/tty.h> |
| @@ -454,11 +456,11 @@ static inline int inode_doinit(struct inode *inode) | |||
| 454 | 456 | ||
| 455 | enum { | 457 | enum { |
| 456 | Opt_error = -1, | 458 | Opt_error = -1, |
| 457 | Opt_context = 1, | 459 | Opt_context = 0, |
| 460 | Opt_defcontext = 1, | ||
| 458 | Opt_fscontext = 2, | 461 | Opt_fscontext = 2, |
| 459 | Opt_defcontext = 3, | 462 | Opt_rootcontext = 3, |
| 460 | Opt_rootcontext = 4, | 463 | Opt_seclabel = 4, |
| 461 | Opt_seclabel = 5, | ||
| 462 | }; | 464 | }; |
| 463 | 465 | ||
| 464 | #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} | 466 | #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} |
| @@ -1089,6 +1091,7 @@ static int show_sid(struct seq_file *m, u32 sid) | |||
| 1089 | if (!rc) { | 1091 | if (!rc) { |
| 1090 | bool has_comma = context && strchr(context, ','); | 1092 | bool has_comma = context && strchr(context, ','); |
| 1091 | 1093 | ||
| 1094 | seq_putc(m, '='); | ||
| 1092 | if (has_comma) | 1095 | if (has_comma) |
| 1093 | seq_putc(m, '\"'); | 1096 | seq_putc(m, '\"'); |
| 1094 | seq_escape(m, context, "\"\n\\"); | 1097 | seq_escape(m, context, "\"\n\\"); |
| @@ -1142,7 +1145,7 @@ static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) | |||
| 1142 | } | 1145 | } |
| 1143 | if (sbsec->flags & SBLABEL_MNT) { | 1146 | if (sbsec->flags & SBLABEL_MNT) { |
| 1144 | seq_putc(m, ','); | 1147 | seq_putc(m, ','); |
| 1145 | seq_puts(m, LABELSUPP_STR); | 1148 | seq_puts(m, SECLABEL_STR); |
| 1146 | } | 1149 | } |
| 1147 | return 0; | 1150 | return 0; |
| 1148 | } | 1151 | } |
| @@ -2761,6 +2764,38 @@ static int selinux_umount(struct vfsmount *mnt, int flags) | |||
| 2761 | FILESYSTEM__UNMOUNT, NULL); | 2764 | FILESYSTEM__UNMOUNT, NULL); |
| 2762 | } | 2765 | } |
| 2763 | 2766 | ||
| 2767 | static const struct fs_parameter_spec selinux_param_specs[] = { | ||
| 2768 | fsparam_string(CONTEXT_STR, Opt_context), | ||
| 2769 | fsparam_string(DEFCONTEXT_STR, Opt_defcontext), | ||
| 2770 | fsparam_string(FSCONTEXT_STR, Opt_fscontext), | ||
| 2771 | fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), | ||
| 2772 | fsparam_flag (SECLABEL_STR, Opt_seclabel), | ||
| 2773 | {} | ||
| 2774 | }; | ||
| 2775 | |||
| 2776 | static const struct fs_parameter_description selinux_fs_parameters = { | ||
| 2777 | .name = "SELinux", | ||
| 2778 | .specs = selinux_param_specs, | ||
| 2779 | }; | ||
| 2780 | |||
| 2781 | static int selinux_fs_context_parse_param(struct fs_context *fc, | ||
| 2782 | struct fs_parameter *param) | ||
| 2783 | { | ||
| 2784 | struct fs_parse_result result; | ||
| 2785 | int opt, rc; | ||
| 2786 | |||
| 2787 | opt = fs_parse(fc, &selinux_fs_parameters, param, &result); | ||
| 2788 | if (opt < 0) | ||
| 2789 | return opt; | ||
| 2790 | |||
| 2791 | rc = selinux_add_opt(opt, param->string, &fc->security); | ||
| 2792 | if (!rc) { | ||
| 2793 | param->string = NULL; | ||
| 2794 | rc = 1; | ||
| 2795 | } | ||
| 2796 | return rc; | ||
| 2797 | } | ||
| 2798 | |||
| 2764 | /* inode security operations */ | 2799 | /* inode security operations */ |
| 2765 | 2800 | ||
| 2766 | static int selinux_inode_alloc_security(struct inode *inode) | 2801 | static int selinux_inode_alloc_security(struct inode *inode) |
| @@ -6710,6 +6745,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { | |||
| 6710 | LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), | 6745 | LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), |
| 6711 | LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), | 6746 | LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), |
| 6712 | 6747 | ||
| 6748 | LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), | ||
| 6749 | |||
| 6713 | LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), | 6750 | LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), |
| 6714 | LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), | 6751 | LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), |
| 6715 | LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), | 6752 | LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), |
| @@ -6978,6 +7015,8 @@ static __init int selinux_init(void) | |||
| 6978 | else | 7015 | else |
| 6979 | pr_debug("SELinux: Starting in permissive mode\n"); | 7016 | pr_debug("SELinux: Starting in permissive mode\n"); |
| 6980 | 7017 | ||
| 7018 | fs_validate_description(&selinux_fs_parameters); | ||
| 7019 | |||
| 6981 | return 0; | 7020 | return 0; |
| 6982 | } | 7021 | } |
| 6983 | 7022 | ||
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ba8eedf42b90..529d8941c9c5 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
| @@ -59,11 +59,11 @@ | |||
| 59 | #define SE_SBPROC 0x0200 | 59 | #define SE_SBPROC 0x0200 |
| 60 | #define SE_SBGENFS 0x0400 | 60 | #define SE_SBGENFS 0x0400 |
| 61 | 61 | ||
| 62 | #define CONTEXT_STR "context=" | 62 | #define CONTEXT_STR "context" |
| 63 | #define FSCONTEXT_STR "fscontext=" | 63 | #define FSCONTEXT_STR "fscontext" |
| 64 | #define ROOTCONTEXT_STR "rootcontext=" | 64 | #define ROOTCONTEXT_STR "rootcontext" |
| 65 | #define DEFCONTEXT_STR "defcontext=" | 65 | #define DEFCONTEXT_STR "defcontext" |
| 66 | #define LABELSUPP_STR "seclabel" | 66 | #define SECLABEL_STR "seclabel" |
| 67 | 67 | ||
| 68 | struct netlbl_lsm_secattr; | 68 | struct netlbl_lsm_secattr; |
| 69 | 69 | ||