diff options
| author | Vivek Goyal <vgoyal@redhat.com> | 2016-07-13 10:44:53 -0400 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2016-08-10 08:25:22 -0400 |
| commit | a518b0a5b0d7f3397e065acb956bca9635aa892d (patch) | |
| tree | bba2a0bb0bc1a5569dab8371b43367f4c5c10618 | |
| parent | 2602625b7e46576b00db619ac788c508ba3bcb2c (diff) | |
selinux: Implement dentry_create_files_as() hook
Calculate what would be the label of newly created file and set that
secid in the passed creds.
Context of the task which is actually creating file is retrieved from
set of creds passed in. (old->security).
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | security/selinux/hooks.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f9d398bc9dcd..e15e56081c0c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -2848,6 +2848,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, | |||
| 2848 | return security_sid_to_context(newsid, (char **)ctx, ctxlen); | 2848 | return security_sid_to_context(newsid, (char **)ctx, ctxlen); |
| 2849 | } | 2849 | } |
| 2850 | 2850 | ||
| 2851 | static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, | ||
| 2852 | struct qstr *name, | ||
| 2853 | const struct cred *old, | ||
| 2854 | struct cred *new) | ||
| 2855 | { | ||
| 2856 | u32 newsid; | ||
| 2857 | int rc; | ||
| 2858 | struct task_security_struct *tsec; | ||
| 2859 | |||
| 2860 | rc = selinux_determine_inode_label(old->security, | ||
| 2861 | d_inode(dentry->d_parent), name, | ||
| 2862 | inode_mode_to_security_class(mode), | ||
| 2863 | &newsid); | ||
| 2864 | if (rc) | ||
| 2865 | return rc; | ||
| 2866 | |||
| 2867 | tsec = new->security; | ||
| 2868 | tsec->create_sid = newsid; | ||
| 2869 | return 0; | ||
| 2870 | } | ||
| 2871 | |||
| 2851 | static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | 2872 | static int selinux_inode_init_security(struct inode *inode, struct inode *dir, |
| 2852 | const struct qstr *qstr, | 2873 | const struct qstr *qstr, |
| 2853 | const char **name, | 2874 | const char **name, |
| @@ -6098,6 +6119,7 @@ static struct security_hook_list selinux_hooks[] = { | |||
| 6098 | LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), | 6119 | LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), |
| 6099 | 6120 | ||
| 6100 | LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), | 6121 | LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), |
| 6122 | LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), | ||
| 6101 | 6123 | ||
| 6102 | LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), | 6124 | LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), |
| 6103 | LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), | 6125 | LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), |