aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/linux/audit.h8
-rw-r--r--include/linux/security.h27
-rw-r--r--ipc/msg.c5
-rw-r--r--ipc/sem.c5
-rw-r--r--ipc/shm.c4
-rw-r--r--kernel/audit.c2
-rw-r--r--kernel/auditsc.c142
-rw-r--r--security/dummy.c6
-rw-r--r--security/selinux/hooks.c96
9 files changed, 226 insertions, 69 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 8fa1a8fbc04d..1912d8e8ae90 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -285,13 +285,14 @@ extern void auditsc_get_stamp(struct audit_context *ctx,
285 struct timespec *t, unsigned int *serial); 285 struct timespec *t, unsigned int *serial);
286extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); 286extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
287extern uid_t audit_get_loginuid(struct audit_context *ctx); 287extern uid_t audit_get_loginuid(struct audit_context *ctx);
288extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); 288extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp);
289extern int audit_socketcall(int nargs, unsigned long *args); 289extern int audit_socketcall(int nargs, unsigned long *args);
290extern int audit_sockaddr(int len, void *addr); 290extern int audit_sockaddr(int len, void *addr);
291extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); 291extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
292extern void audit_signal_info(int sig, struct task_struct *t); 292extern void audit_signal_info(int sig, struct task_struct *t);
293extern int audit_filter_user(struct netlink_skb_parms *cb, int type); 293extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
294extern int audit_filter_type(int type); 294extern int audit_filter_type(int type);
295extern int audit_set_macxattr(const char *name);
295#else 296#else
296#define audit_alloc(t) ({ 0; }) 297#define audit_alloc(t) ({ 0; })
297#define audit_free(t) do { ; } while (0) 298#define audit_free(t) do { ; } while (0)
@@ -306,12 +307,13 @@ extern int audit_filter_type(int type);
306#define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; }) 307#define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; })
307#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) 308#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
308#define audit_get_loginuid(c) ({ -1; }) 309#define audit_get_loginuid(c) ({ -1; })
309#define audit_ipc_perms(q,u,g,m) ({ 0; }) 310#define audit_ipc_perms(q,u,g,m,i) ({ 0; })
310#define audit_socketcall(n,a) ({ 0; }) 311#define audit_socketcall(n,a) ({ 0; })
311#define audit_sockaddr(len, addr) ({ 0; }) 312#define audit_sockaddr(len, addr) ({ 0; })
312#define audit_avc_path(dentry, mnt) ({ 0; }) 313#define audit_avc_path(dentry, mnt) ({ 0; })
313#define audit_signal_info(s,t) do { ; } while (0) 314#define audit_signal_info(s,t) do { ; } while (0)
314#define audit_filter_user(cb,t) ({ 1; }) 315#define audit_filter_user(cb,t) ({ 1; })
316#define audit_set_macxattr(n) do { ; } while (0)
315#endif 317#endif
316 318
317#ifdef CONFIG_AUDIT 319#ifdef CONFIG_AUDIT
@@ -340,6 +342,7 @@ extern void audit_send_reply(int pid, int seq, int type,
340 int done, int multi, 342 int done, int multi,
341 void *payload, int size); 343 void *payload, int size);
342extern void audit_log_lost(const char *message); 344extern void audit_log_lost(const char *message);
345extern void audit_panic(const char *message);
343extern struct semaphore audit_netlink_sem; 346extern struct semaphore audit_netlink_sem;
344#else 347#else
345#define audit_log(c,g,t,f,...) do { ; } while (0) 348#define audit_log(c,g,t,f,...) do { ; } while (0)
@@ -350,6 +353,7 @@ extern struct semaphore audit_netlink_sem;
350#define audit_log_hex(a,b,l) do { ; } while (0) 353#define audit_log_hex(a,b,l) do { ; } while (0)
351#define audit_log_untrustedstring(a,s) do { ; } while (0) 354#define audit_log_untrustedstring(a,s) do { ; } while (0)
352#define audit_log_d_path(b,p,d,v) do { ; } while (0) 355#define audit_log_d_path(b,p,d,v) do { ; } while (0)
356#define audit_panic(m) do { ; } while (0)
353#endif 357#endif
354#endif 358#endif
355#endif 359#endif
diff --git a/include/linux/security.h b/include/linux/security.h
index 7cbef482e13a..ec0bbbc3ffc2 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -869,6 +869,11 @@ struct swap_info_struct;
869 * @ipcp contains the kernel IPC permission structure 869 * @ipcp contains the kernel IPC permission structure
870 * @flag contains the desired (requested) permission set 870 * @flag contains the desired (requested) permission set
871 * Return 0 if permission is granted. 871 * Return 0 if permission is granted.
872 * @ipc_getsecurity:
873 * Copy the security label associated with the ipc object into
874 * @buffer. @buffer may be NULL to request the size of the buffer
875 * required. @size indicates the size of @buffer in bytes. Return
876 * number of bytes used/required on success.
872 * 877 *
873 * Security hooks for individual messages held in System V IPC message queues 878 * Security hooks for individual messages held in System V IPC message queues
874 * @msg_msg_alloc_security: 879 * @msg_msg_alloc_security:
@@ -1168,6 +1173,7 @@ struct security_operations {
1168 int (*inode_getxattr) (struct dentry *dentry, char *name); 1173 int (*inode_getxattr) (struct dentry *dentry, char *name);
1169 int (*inode_listxattr) (struct dentry *dentry); 1174 int (*inode_listxattr) (struct dentry *dentry);
1170 int (*inode_removexattr) (struct dentry *dentry, char *name); 1175 int (*inode_removexattr) (struct dentry *dentry, char *name);
1176 char *(*inode_xattr_getsuffix) (void);
1171 int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size, int err); 1177 int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size, int err);
1172 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); 1178 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
1173 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); 1179 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size);
@@ -1217,6 +1223,7 @@ struct security_operations {
1217 void (*task_to_inode)(struct task_struct *p, struct inode *inode); 1223 void (*task_to_inode)(struct task_struct *p, struct inode *inode);
1218 1224
1219 int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); 1225 int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
1226 int (*ipc_getsecurity)(struct kern_ipc_perm *ipcp, void *buffer, size_t size);
1220 1227
1221 int (*msg_msg_alloc_security) (struct msg_msg * msg); 1228 int (*msg_msg_alloc_security) (struct msg_msg * msg);
1222 void (*msg_msg_free_security) (struct msg_msg * msg); 1229 void (*msg_msg_free_security) (struct msg_msg * msg);
@@ -1674,6 +1681,11 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
1674 return security_ops->inode_removexattr (dentry, name); 1681 return security_ops->inode_removexattr (dentry, name);
1675} 1682}
1676 1683
1684static inline const char *security_inode_xattr_getsuffix(void)
1685{
1686 return security_ops->inode_xattr_getsuffix();
1687}
1688
1677static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err) 1689static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
1678{ 1690{
1679 if (unlikely (IS_PRIVATE (inode))) 1691 if (unlikely (IS_PRIVATE (inode)))
@@ -1869,6 +1881,11 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
1869 return security_ops->ipc_permission (ipcp, flag); 1881 return security_ops->ipc_permission (ipcp, flag);
1870} 1882}
1871 1883
1884static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
1885{
1886 return security_ops->ipc_getsecurity(ipcp, buffer, size);
1887}
1888
1872static inline int security_msg_msg_alloc (struct msg_msg * msg) 1889static inline int security_msg_msg_alloc (struct msg_msg * msg)
1873{ 1890{
1874 return security_ops->msg_msg_alloc_security (msg); 1891 return security_ops->msg_msg_alloc_security (msg);
@@ -2316,6 +2333,11 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
2316 return cap_inode_removexattr(dentry, name); 2333 return cap_inode_removexattr(dentry, name);
2317} 2334}
2318 2335
2336static inline const char *security_inode_xattr_getsuffix (void)
2337{
2338 return NULL ;
2339}
2340
2319static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err) 2341static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2320{ 2342{
2321 return -EOPNOTSUPP; 2343 return -EOPNOTSUPP;
@@ -2499,6 +2521,11 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
2499 return 0; 2521 return 0;
2500} 2522}
2501 2523
2524static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
2525{
2526 return -EOPNOTSUPP;
2527}
2528
2502static inline int security_msg_msg_alloc (struct msg_msg * msg) 2529static inline int security_msg_msg_alloc (struct msg_msg * msg)
2503{ 2530{
2504 return 0; 2531 return 0;
diff --git a/ipc/msg.c b/ipc/msg.c
index fbf757064a32..8c30ec2f6e34 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -429,8 +429,6 @@ asmlinkage long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf)
429 return -EFAULT; 429 return -EFAULT;
430 if (copy_msqid_from_user (&setbuf, buf, version)) 430 if (copy_msqid_from_user (&setbuf, buf, version))
431 return -EFAULT; 431 return -EFAULT;
432 if ((err = audit_ipc_perms(setbuf.qbytes, setbuf.uid, setbuf.gid, setbuf.mode)))
433 return err;
434 break; 432 break;
435 case IPC_RMID: 433 case IPC_RMID:
436 break; 434 break;
@@ -461,6 +459,9 @@ asmlinkage long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf)
461 switch (cmd) { 459 switch (cmd) {
462 case IPC_SET: 460 case IPC_SET:
463 { 461 {
462 if ((err = audit_ipc_perms(setbuf.qbytes, setbuf.uid, setbuf.gid, setbuf.mode, ipcp)))
463 goto out_unlock_up;
464
464 err = -EPERM; 465 err = -EPERM;
465 if (setbuf.qbytes > msg_ctlmnb && !capable(CAP_SYS_RESOURCE))