LSM: generalize flag passing to security_capable

This patch provides a general mechanism for passing flags to the security_capable LSM hook. It replaces the specific 'audit' flag that is used to tell security_capable whether it should log an audit message for the given capability check. The reason for generalizing this flag passing is so we can add an additional flag that signifies whether security_capable is being called by a setid syscall (which is needed by the proposed SafeSetID LSM). Signed-off-by: Micah Morton <mortonm@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
author: Micah Morton <mortonm@chromium.org> 2019-01-07 19:10:53 -0500
committer: James Morris <james.morris@microsoft.com> 2019-01-10 17:16:06 -0500
commit: c1a85a00ea66cb6f0bd0f14e47c28c2b0999799f (patch)
tree: 310c082e0b41d2d3ff8b619553ed5e45ad244862 /security/selinux/hooks.c
parent: 2233975cd7927672525361c4c6eebc0b8d018a74 (diff)
1 files changed, 9 insertions, 9 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d98e1d8d18f6..b2ee49f938f1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1578,7 +1578,7 @@ static inline u32 signal_to_av(int sig)
 /* Check whether a task is allowed to use a capability. */
 static int cred_has_capability(const struct cred *cred,
-                               int cap, int audit, bool initns)
+                               int cap, unsigned int opts, bool initns)
 {
        struct common_audit_data ad;
        struct av_decision avd;
@@ -1605,7 +1605,7 @@ static int cred_has_capability(const struct cred *cred,
        rc = avc_has_perm_noaudit(&selinux_state,
                                  sid, sid, sclass, av, 0, &avd);
-        if (audit == SECURITY_CAP_AUDIT) {
+        if (!(opts & CAP_OPT_NOAUDIT)) {
                int rc2 = avc_audit(&selinux_state,
                                    sid, sid, sclass, av, &avd, rc, &ad, 0);
                if (rc2)
@@ -2125,9 +2125,9 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 */
 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
-                           int cap, int audit)
+                           int cap, unsigned int opts)
 {
-        return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
+        return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
 }
 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
@@ -2201,7 +2201,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
        int rc, cap_sys_admin = 0;
        rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
-                                 SECURITY_CAP_NOAUDIT, true);
+                                 CAP_OPT_NOAUDIT, true);
        if (rc == 0)
                cap_sys_admin = 1;
@@ -2988,11 +2988,11 @@ static int selinux_inode_getattr(const struct path *path)
 static bool has_cap_mac_admin(bool audit)
 {
        const struct cred *cred = current_cred();
-        int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
+        unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
-        if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
+        if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
                return false;
-        if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
+        if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
                return false;
        return true;
 }
@@ -3387,7 +3387,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
        case KDSKBENT:
        case KDSKBSENT:
                error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
-                                            SECURITY_CAP_AUDIT, true);
+                                            CAP_OPT_NONE, true);
                break;
        /* default case assumes that the command will go
author	Micah Morton <mortonm@chromium.org>	2019-01-07 19:10:53 -0500
committer	James Morris <james.morris@microsoft.com>	2019-01-10 17:16:06 -0500
commit	c1a85a00ea66cb6f0bd0f14e47c28c2b0999799f (patch)
tree	310c082e0b41d2d3ff8b619553ed5e45ad244862 /security/selinux/hooks.c
parent	2233975cd7927672525361c4c6eebc0b8d018a74 (diff)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d98e1d8d18f6..b2ee49f938f1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1578,7 +1578,7 @@ static inline u32 signal_to_av(int sig)
1578		1578
1579	/* Check whether a task is allowed to use a capability. */	1579	/* Check whether a task is allowed to use a capability. */
1580	static int cred_has_capability(const struct cred *cred,	1580	static int cred_has_capability(const struct cred *cred,
1581	int cap, int audit, bool initns)	1581	int cap, unsigned int opts, bool initns)
1582	{	1582	{
1583	struct common_audit_data ad;	1583	struct common_audit_data ad;
1584	struct av_decision avd;	1584	struct av_decision avd;
@@ -1605,7 +1605,7 @@ static int cred_has_capability(const struct cred *cred,
1605		1605
1606	rc = avc_has_perm_noaudit(&selinux_state,	1606	rc = avc_has_perm_noaudit(&selinux_state,
1607	sid, sid, sclass, av, 0, &avd);	1607	sid, sid, sclass, av, 0, &avd);
1608	if (audit == SECURITY_CAP_AUDIT) {	1608	if (!(opts & CAP_OPT_NOAUDIT)) {
1609	int rc2 = avc_audit(&selinux_state,	1609	int rc2 = avc_audit(&selinux_state,
1610	sid, sid, sclass, av, &avd, rc, &ad, 0);	1610	sid, sid, sclass, av, &avd, rc, &ad, 0);
1611	if (rc2)	1611	if (rc2)
@@ -2125,9 +2125,9 @@ static int selinux_capset(struct cred new, const struct cred old,
2125	*/	2125	*/
2126		2126
2127	static int selinux_capable(const struct cred cred, struct user_namespace ns,	2127	static int selinux_capable(const struct cred cred, struct user_namespace ns,
2128	int cap, int audit)	2128	int cap, unsigned int opts)
2129	{	2129	{
2130	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);	2130	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2131	}	2131	}
2132		2132
2133	static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)	2133	static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
@@ -2201,7 +2201,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2201	int rc, cap_sys_admin = 0;	2201	int rc, cap_sys_admin = 0;
2202		2202
2203	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,	2203	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2204	SECURITY_CAP_NOAUDIT, true);	2204	CAP_OPT_NOAUDIT, true);
2205	if (rc == 0)	2205	if (rc == 0)
2206	cap_sys_admin = 1;	2206	cap_sys_admin = 1;
2207		2207
@@ -2988,11 +2988,11 @@ static int selinux_inode_getattr(const struct path *path)
2988	static bool has_cap_mac_admin(bool audit)	2988	static bool has_cap_mac_admin(bool audit)
2989	{	2989	{
2990	const struct cred *cred = current_cred();	2990	const struct cred *cred = current_cred();
2991	int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;	2991	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
2992		2992
2993	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))	2993	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
2994	return false;	2994	return false;
2995	if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))	2995	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
2996	return false;	2996	return false;
2997	return true;	2997	return true;
2998	}	2998	}
@@ -3387,7 +3387,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3387	case KDSKBENT:	3387	case KDSKBENT:
3388	case KDSKBSENT:	3388	case KDSKBSENT:
3389	error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,	3389	error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3390	SECURITY_CAP_AUDIT, true);	3390	CAP_OPT_NONE, true);
3391	break;	3391	break;
3392		3392
3393	/* default case assumes that the command will go	3393	/* default case assumes that the command will go