aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2017-05-03 11:50:52 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2017-05-03 11:50:52 -0400
commit0302e28dee643932ee7b3c112ebccdbb9f8ec32c (patch)
tree405d4cb3f772ef069ed7f291adc4b74a4e73346e /security/selinux/hooks.c
parent89c9fea3c8034cdb2fd745f551cde0b507fd6893 (diff)
parent8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 (diff)
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris: "Highlights: IMA: - provide ">" and "<" operators for fowner/uid/euid rules KEYS: - add a system blacklist keyring - add KEYCTL_RESTRICT_KEYRING, exposes keyring link restriction functionality to userland via keyctl() LSM: - harden LSM API with __ro_after_init - add prlmit security hook, implement for SELinux - revive security_task_alloc hook TPM: - implement contextual TPM command 'spaces'" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (98 commits) tpm: Fix reference count to main device tpm_tis: convert to using locality callbacks tpm: fix handling of the TPM 2.0 event logs tpm_crb: remove a cruft constant keys: select CONFIG_CRYPTO when selecting DH / KDF apparmor: Make path_max parameter readonly apparmor: fix parameters so that the permission test is bypassed at boot apparmor: fix invalid reference to index variable of iterator line 836 apparmor: use SHASH_DESC_ON_STACK security/apparmor/lsm.c: set debug messages apparmor: fix boolreturn.cocci warnings Smack: Use GFP_KERNEL for smk_netlbl_mls(). smack: fix double free in smack_parse_opts_str() KEYS: add SP800-56A KDF support for DH KEYS: Keyring asymmetric key restrict method with chaining KEYS: Restrict asymmetric key linkage using a specific keychain KEYS: Add a lookup_restriction function for the asymmetric key type KEYS: Add KEYCTL_RESTRICT_KEYRING KEYS: Consistent ordering for __key_link_begin and restrict check KEYS: Add an optional lookup_restriction hook to key_type ...
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c26
1 files changed, 25 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0c2ac318aa7f..e67a526d1f30 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3920,6 +3920,21 @@ static int selinux_task_getioprio(struct task_struct *p)
3920 PROCESS__GETSCHED, NULL); 3920 PROCESS__GETSCHED, NULL);
3921} 3921}
3922 3922
3923int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3924 unsigned int flags)
3925{
3926 u32 av = 0;
3927
3928 if (!flags)
3929 return 0;
3930 if (flags & LSM_PRLIMIT_WRITE)
3931 av |= PROCESS__SETRLIMIT;
3932 if (flags & LSM_PRLIMIT_READ)
3933 av |= PROCESS__GETRLIMIT;
3934 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
3935 SECCLASS_PROCESS, av, NULL);
3936}
3937
3923static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3938static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3924 struct rlimit *new_rlim) 3939 struct rlimit *new_rlim)
3925{ 3940{
@@ -4352,10 +4367,18 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4352 u32 sid, node_perm; 4367 u32 sid, node_perm;
4353 4368
4354 if (family == PF_INET) { 4369 if (family == PF_INET) {
4370 if (addrlen < sizeof(struct sockaddr_in)) {
4371 err = -EINVAL;
4372 goto out;
4373 }
4355 addr4 = (struct sockaddr_in *)address; 4374 addr4 = (struct sockaddr_in *)address;
4356 snum = ntohs(addr4->sin_port); 4375 snum = ntohs(addr4->sin_port);
4357 addrp = (char *)&addr4->sin_addr.s_addr; 4376 addrp = (char *)&addr4->sin_addr.s_addr;
4358 } else { 4377 } else {
4378 if (addrlen < SIN6_LEN_RFC2133) {
4379 err = -EINVAL;
4380 goto out;
4381 }
4359 addr6 = (struct sockaddr_in6 *)address; 4382 addr6 = (struct sockaddr_in6 *)address;
4360 snum = ntohs(addr6->sin6_port); 4383 snum = ntohs(addr6->sin6_port);
4361 addrp = (char *)&addr6->sin6_addr.s6_addr; 4384 addrp = (char *)&addr6->sin6_addr.s6_addr;
@@ -6108,7 +6131,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
6108 6131
6109#endif 6132#endif
6110 6133
6111static struct security_hook_list selinux_hooks[] = { 6134static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6112 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6135 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6113 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6136 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6114 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6137 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
@@ -6206,6 +6229,7 @@ static struct security_hook_list selinux_hooks[] = {
6206 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6229 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6207 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6230 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6208 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6231 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6232 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6209 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6233 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6210 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6234 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6211 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6235 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-26 09:39:50 -0400