diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2015-01-21 10:54:10 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2015-01-25 12:17:57 -0500 |
| commit | 79af73079d753b2d04e46f7445716d3b5f914dbd (patch) | |
| tree | 565ce3d58ccae8765fe13e20064b3ba48eaa0ebc /drivers/android | |
| parent | 79563db9ddd37908343103debf20da716ccc5ce4 (diff) | |
Add security hooks to binder and implement the hooks for SELinux.
Add security hooks to the binder and implement the hooks for SELinux.
The security hooks enable security modules such as SELinux to implement
controls over binder IPC. The security hooks include support for
controlling what process can become the binder context manager
(binder_set_context_mgr), controlling the ability of a process
to invoke a binder transaction/IPC to another process (binder_transaction),
controlling the ability of a process to transfer a binder reference to
another process (binder_transfer_binder), and controlling the ability
of a process to transfer an open file to another process (binder_transfer_file).
These hooks have been included in the Android kernel trees since Android 4.3.
(Updated to reflect upstream relocation and changes to the binder driver,
changes to the LSM audit data structures, coding style cleanups, and
to add inline documentation for the hooks).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Nick Kralevich <nnk@google.com>
Acked-by: Jeffrey Vander Stoep <jeffv@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/android')
| -rw-r--r-- | drivers/android/binder.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 8c43521d3f11..33b09b6568a4 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c | |||
| @@ -37,6 +37,7 @@ | |||
| 37 | #include <linux/vmalloc.h> | 37 | #include <linux/vmalloc.h> |
| 38 | #include <linux/slab.h> | 38 | #include <linux/slab.h> |
| 39 | #include <linux/pid_namespace.h> | 39 | #include <linux/pid_namespace.h> |
| 40 | #include <linux/security.h> | ||
| 40 | 41 | ||
| 41 | #ifdef CONFIG_ANDROID_BINDER_IPC_32BIT | 42 | #ifdef CONFIG_ANDROID_BINDER_IPC_32BIT |
| 42 | #define BINDER_IPC_32BIT 1 | 43 | #define BINDER_IPC_32BIT 1 |
| @@ -1400,6 +1401,11 @@ static void binder_transaction(struct binder_proc *proc, | |||
| 1400 | return_error = BR_DEAD_REPLY; | 1401 | return_error = BR_DEAD_REPLY; |
| 1401 | goto err_dead_binder; | 1402 | goto err_dead_binder; |
| 1402 | } | 1403 | } |
| 1404 | if (security_binder_transaction(proc->tsk, | ||
| 1405 | target_proc->tsk) < 0) { | ||
| 1406 | return_error = BR_FAILED_REPLY; | ||
| 1407 | goto err_invalid_target_handle; | ||
| 1408 | } | ||
| 1403 | if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { | 1409 | if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { |
| 1404 | struct binder_transaction *tmp; | 1410 | struct binder_transaction *tmp; |
| 1405 | 1411 | ||
| @@ -1551,6 +1557,11 @@ static void binder_transaction(struct binder_proc *proc, | |||
| 1551 | return_error = BR_FAILED_REPLY; | 1557 | return_error = BR_FAILED_REPLY; |
| 1552 | goto err_binder_get_ref_for_node_failed; | 1558 | goto err_binder_get_ref_for_node_failed; |
| 1553 | } | 1559 | } |
| 1560 | if (security_binder_transfer_binder(proc->tsk, | ||
| 1561 | target_proc->tsk)) { | ||
| 1562 | return_error = BR_FAILED_REPLY; | ||
| 1563 | goto err_binder_get_ref_for_node_failed; | ||
| 1564 | } | ||
| 1554 | ref = binder_get_ref_for_node(target_proc, node); | 1565 | ref = binder_get_ref_for_node(target_proc, node); |
| 1555 | if (ref == NULL) { | 1566 | if (ref == NULL) { |
| 1556 | return_error = BR_FAILED_REPLY; | 1567 | return_error = BR_FAILED_REPLY; |
| @@ -1581,6 +1592,11 @@ static void binder_transaction(struct binder_proc *proc, | |||
| 1581 | return_error = BR_FAILED_REPLY; | 1592 | return_error = BR_FAILED_REPLY; |
| 1582 | goto err_binder_get_ref_failed; | 1593 | goto err_binder_get_ref_failed; |
| 1583 | } | 1594 | } |
| 1595 | if (security_binder_transfer_binder(proc->tsk, | ||
| 1596 | target_proc->tsk)) { | ||
| 1597 | return_error = BR_FAILED_REPLY; | ||
| 1598 | goto err_binder_get_ref_failed; | ||
| 1599 | } | ||
| 1584 | if (ref->node->proc == target_proc) { | 1600 | if (ref->node->proc == target_proc) { |
| 1585 | if (fp->type == BINDER_TYPE_HANDLE) | 1601 | if (fp->type == BINDER_TYPE_HANDLE) |
| 1586 | fp->type = BINDER_TYPE_BINDER; | 1602 | fp->type = BINDER_TYPE_BINDER; |
| @@ -1638,6 +1654,13 @@ static void binder_transaction(struct binder_proc *proc, | |||
| 1638 | return_error = BR_FAILED_REPLY; | 1654 | return_error = BR_FAILED_REPLY; |
| 1639 | goto err_fget_failed; | 1655 | goto err_fget_failed; |
| 1640 | } | 1656 | } |
| 1657 | if (security_binder_transfer_file(proc->tsk, | ||
| 1658 | target_proc->tsk, | ||
| 1659 | file) < 0) { | ||
| 1660 | fput(file); | ||
| 1661 | return_error = BR_FAILED_REPLY; | ||
| 1662 | goto err_get_unused_fd_failed; | ||
| 1663 | } | ||
| 1641 | target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); | 1664 | target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); |
| 1642 | if (target_fd < 0) { | 1665 | if (target_fd < 0) { |
| 1643 | fput(file); | 1666 | fput(file); |
| @@ -2675,6 +2698,9 @@ static int binder_ioctl_set_ctx_mgr(struct file *filp) | |||
| 2675 | ret = -EBUSY; | 2698 | ret = -EBUSY; |
| 2676 | goto out; | 2699 | goto out; |
| 2677 | } | 2700 | } |
| 2701 | ret = security_binder_set_context_mgr(proc->tsk); | ||
| 2702 | if (ret < 0) | ||
| 2703 | goto out; | ||
| 2678 | if (uid_valid(binder_context_mgr_uid)) { | 2704 | if (uid_valid(binder_context_mgr_uid)) { |
| 2679 | if (!uid_eq(binder_context_mgr_uid, curr_euid)) { | 2705 | if (!uid_eq(binder_context_mgr_uid, curr_euid)) { |
| 2680 | pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n", | 2706 | pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n", |