diff options
| author | Linus Torvalds <torvalds@g5.osdl.org> | 2006-03-25 12:24:53 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-03-25 12:24:53 -0500 |
| commit | 1b9a3917366028cc451a98dd22e3bcd537d4e5c1 (patch) | |
| tree | d911058720e0a9aeeaf9f407ccdc6fbf4047f47d /security/selinux/hooks.c | |
| parent | 3661f00e2097676847deb01add1a0918044bd816 (diff) | |
| parent | 71e1c784b24a026a490b3de01541fc5ee14ebc09 (diff) | |
Merge branch 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: (22 commits)
[PATCH] fix audit_init failure path
[PATCH] EXPORT_SYMBOL patch for audit_log, audit_log_start, audit_log_end and audit_format
[PATCH] sem2mutex: audit_netlink_sem
[PATCH] simplify audit_free() locking
[PATCH] Fix audit operators
[PATCH] promiscuous mode
[PATCH] Add tty to syscall audit records
[PATCH] add/remove rule update
[PATCH] audit string fields interface + consumer
[PATCH] SE Linux audit events
[PATCH] Minor cosmetic cleanups to the code moved into auditfilter.c
[PATCH] Fix audit record filtering with !CONFIG_AUDITSYSCALL
[PATCH] Fix IA64 success/failure indication in syscall auditing.
[PATCH] Miscellaneous bug and warning fixes
[PATCH] Capture selinux subject/object context information.
[PATCH] Exclude messages by message type
[PATCH] Collect more inode information during syscall processing.
[PATCH] Pass dentry, not just name, in fsnotify creation hooks.
[PATCH] Define new range of userspace messages.
[PATCH] Filter rule comparators
...
Fixed trivial conflict in security/selinux/hooks.c
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 98 |
1 files changed, 46 insertions, 52 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ccaf988f3729..b61b9554bc27 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -119,6 +119,32 @@ static DEFINE_SPINLOCK(sb_security_lock); | |||
| 119 | 119 | ||
| 120 | static kmem_cache_t *sel_inode_cache; | 120 | static kmem_cache_t *sel_inode_cache; |
| 121 | 121 | ||
| 122 | /* Return security context for a given sid or just the context | ||
| 123 | length if the buffer is null or length is 0 */ | ||
| 124 | static int selinux_getsecurity(u32 sid, void *buffer, size_t size) | ||
| 125 | { | ||
| 126 | char *context; | ||
| 127 | unsigned len; | ||
| 128 | int rc; | ||
| 129 | |||
| 130 | rc = security_sid_to_context(sid, &context, &len); | ||
| 131 | if (rc) | ||
| 132 | return rc; | ||
| 133 | |||
| 134 | if (!buffer || !size) | ||
| 135 | goto getsecurity_exit; | ||
| 136 | |||
| 137 | if (size < len) { | ||
| 138 | len = -ERANGE; | ||
| 139 | goto getsecurity_exit; | ||
| 140 | } | ||
| 141 | memcpy(buffer, context, len); | ||
| 142 | |||
| 143 | getsecurity_exit: | ||
| 144 | kfree(context); | ||
| 145 | return len; | ||
| 146 | } | ||
| 147 | |||
| 122 | /* Allocate and free functions for each kind of security blob. */ | 148 | /* Allocate and free functions for each kind of security blob. */ |
| 123 | 149 | ||
| 124 | static int task_alloc_security(struct task_struct *task) | 150 | static int task_alloc_security(struct task_struct *task) |
| @@ -2210,6 +2236,11 @@ static int selinux_inode_removexattr (struct dentry *dentry, char *name) | |||
| 2210 | return -EACCES; | 2236 | return -EACCES; |
| 2211 | } | 2237 | } |
| 2212 | 2238 | ||
| 2239 | static const char *selinux_inode_xattr_getsuffix(void) | ||
| 2240 | { | ||
| 2241 | return XATTR_SELINUX_SUFFIX; | ||
| 2242 | } | ||
| 2243 | |||
| 2213 | /* | 2244 | /* |
| 2214 | * Copy the in-core inode security context value to the user. If the | 2245 | * Copy the in-core inode security context value to the user. If the |
| 2215 | * getxattr() prior to this succeeded, check to see if we need to | 2246 | * getxattr() prior to this succeeded, check to see if we need to |
| @@ -2217,47 +2248,14 @@ static int selinux_inode_removexattr (struct dentry *dentry, char *name) | |||
| 2217 | * | 2248 | * |
| 2218 | * Permission check is handled by selinux_inode_getxattr hook. | 2249 | * Permission check is handled by selinux_inode_getxattr hook. |
| 2219 | */ | 2250 | */ |
| 2220 | static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err) | 2251 | static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) |
| 2221 | { | 2252 | { |
| 2222 | struct inode_security_struct *isec = inode->i_security; | 2253 | struct inode_security_struct *isec = inode->i_security; |
| 2223 | char *context; | ||
| 2224 | unsigned len; | ||
| 2225 | int rc; | ||
| 2226 | |||
| 2227 | if (strcmp(name, XATTR_SELINUX_SUFFIX)) { | ||
| 2228 | rc = -EOPNOTSUPP; | ||
| 2229 | goto out; | ||
| 2230 | } | ||
| 2231 | |||
| 2232 | rc = security_sid_to_context(isec->sid, &context, &len); | ||
| 2233 | if (rc) | ||
| 2234 | goto out; | ||
| 2235 | |||
| 2236 | /* Probe for required buffer size */ | ||
| 2237 | if (!buffer || !size) { | ||
| 2238 | rc = len; | ||
| 2239 | goto out_free; | ||
| 2240 | } | ||
| 2241 | 2254 | ||
| 2242 | if (size < len) { | 2255 | if (strcmp(name, XATTR_SELINUX_SUFFIX)) |
| 2243 | rc = -ERANGE; | 2256 | return -EOPNOTSUPP; |
| 2244 | goto out_free; | ||
| 2245 | } | ||
| 2246 | 2257 | ||
| 2247 | if (err > 0) { | 2258 | return selinux_getsecurity(isec->sid, buffer, size); |
| 2248 | if ((len == err) && !(memcmp(context, buffer, len))) { | ||
| 2249 | /* Don't need to canonicalize value */ | ||
| 2250 | rc = err; | ||
| 2251 | goto out_free; | ||
| 2252 | } | ||
| 2253 | memset(buffer, 0, size); | ||
| 2254 | } | ||
| 2255 | memcpy(buffer, context, len); | ||
| 2256 | rc = len; | ||
| 2257 | out_free: | ||
| 2258 | kfree(context); | ||
| 2259 | out: | ||
| 2260 | return rc; | ||
| 2261 | } | 2259 | } |
| 2262 | 2260 | ||
| 2263 | static int selinux_inode_setsecurity(struct inode *inode, const char *name, | 2261 | static int selinux_inode_setsecurity(struct inode *inode, const char *name, |
| @@ -4054,6 +4052,13 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) | |||
| 4054 | return ipc_has_perm(ipcp, av); | 4052 | return ipc_has_perm(ipcp, av); |
| 4055 | } | 4053 | } |
| 4056 | 4054 | ||
| 4055 | static int selinux_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size) | ||
| 4056 | { | ||
| 4057 | struct ipc_security_struct *isec = ipcp->security; | ||
| 4058 | |||
| 4059 | return selinux_getsecurity(isec->sid, buffer, size); | ||
| 4060 | } | ||
| 4061 | |||
| 4057 | /* module stacking operations */ | 4062 | /* module stacking operations */ |
| 4058 | static int selinux_register_security (const char *name, struct security_operations *ops) | 4063 | static int selinux_register_security (const char *name, struct security_operations *ops) |
| 4059 | { | 4064 | { |
| @@ -4095,8 +4100,7 @@ static int selinux_getprocattr(struct task_struct *p, | |||
| 4095 | char *name, void *value, size_t size) | 4100 | char *name, void *value, size_t size) |
| 4096 | { | 4101 | { |
| 4097 | struct task_security_struct *tsec; | 4102 | struct task_security_struct *tsec; |
| 4098 | u32 sid, len; | 4103 | u32 sid; |
| 4099 | char *context; | ||
| 4100 | int error; | 4104 | int error; |
| 4101 | 4105 | ||
| 4102 | if (current != p) { | 4106 | if (current != p) { |
| @@ -4105,9 +4109,6 @@ static int selinux_getprocattr(struct task_struct *p, | |||
| 4105 | return error; | 4109 | return error; |
| 4106 | } | 4110 | } |
| 4107 | 4111 | ||
| 4108 | if (!size) | ||
| 4109 | return -ERANGE; | ||
| 4110 | |||
| 4111 | tsec = p->security; | 4112 | tsec = p->security; |
| 4112 | 4113 | ||
| 4113 | if (!strcmp(name, "current")) | 4114 | if (!strcmp(name, "current")) |
| @@ -4124,16 +4125,7 @@ static int selinux_getprocattr(struct task_struct *p, | |||
| 4124 | if (!sid) | 4125 | if (!sid) |
| 4125 | return 0; | 4126 | return 0; |
| 4126 | 4127 | ||
| 4127 | error = security_sid_to_context(sid, &context, &len); | 4128 | return selinux_getsecurity(sid, value, size); |
| 4128 | if (error) | ||
| 4129 | return error; | ||
| 4130 | if (len > size) { | ||
| 4131 | kfree(context); | ||
| 4132 | return -ERANGE; | ||
| 4133 | } | ||
| 4134 | memcpy(value, context, len); | ||
| 4135 | kfree(context); | ||
| 4136 | return len; | ||
| 4137 | } | 4129 | } |
| 4138 | 4130 | ||
| 4139 | static int selinux_setprocattr(struct task_struct *p, | 4131 | static int selinux_setprocattr(struct task_struct *p, |
| @@ -4291,6 +4283,7 @@ static struct security_operations selinux_ops = { | |||
| 4291 | .inode_getxattr = selinux_inode_getxattr, | 4283 | .inode_getxattr = selinux_inode_getxattr, |
| 4292 | .inode_listxattr = selinux_inode_listxattr, | 4284 | .inode_listxattr = selinux_inode_listxattr, |
| 4293 | .inode_removexattr = selinux_inode_removexattr, | 4285 | .inode_removexattr = selinux_inode_removexattr, |
| 4286 | .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix, | ||
| 4294 | .inode_getsecurity = selinux_inode_getsecurity, | 4287 | .inode_getsecurity = selinux_inode_getsecurity, |
| 4295 | .inode_setsecurity = selinux_inode_setsecurity, | 4288 | .inode_setsecurity = selinux_inode_setsecurity, |
| 4296 | .inode_listsecurity = selinux_inode_listsecurity, | 4289 | .inode_listsecurity = selinux_inode_listsecurity, |
| @@ -4328,6 +4321,7 @@ static struct security_operations selinux_ops = { | |||
| 4328 | .task_to_inode = selinux_task_to_inode, | 4321 | .task_to_inode = selinux_task_to_inode, |
| 4329 | 4322 | ||
| 4330 | .ipc_permission = selinux_ipc_permission, | 4323 | .ipc_permission = selinux_ipc_permission, |
| 4324 | .ipc_getsecurity = selinux_ipc_getsecurity, | ||
| 4331 | 4325 | ||
| 4332 | .msg_msg_alloc_security = selinux_msg_msg_alloc_security, | 4326 | .msg_msg_alloc_security = selinux_msg_msg_alloc_security, |
| 4333 | .msg_msg_free_security = selinux_msg_msg_free_security, | 4327 | .msg_msg_free_security = selinux_msg_msg_free_security, |