diff options
Diffstat (limited to 'security/security.c')
| -rw-r--r-- | security/security.c | 104 |
1 files changed, 60 insertions, 44 deletions
diff --git a/security/security.c b/security/security.c index c53949f17d9e..4ba6d4cc061f 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -89,20 +89,12 @@ __setup("security=", choose_lsm); | |||
| 89 | * Return true if: | 89 | * Return true if: |
| 90 | * -The passed LSM is the one chosen by user at boot time, | 90 | * -The passed LSM is the one chosen by user at boot time, |
| 91 | * -or the passed LSM is configured as the default and the user did not | 91 | * -or the passed LSM is configured as the default and the user did not |
| 92 | * choose an alternate LSM at boot time, | 92 | * choose an alternate LSM at boot time. |
| 93 | * -or there is no default LSM set and the user didn't specify a | ||
| 94 | * specific LSM and we're the first to ask for registration permission, | ||
| 95 | * -or the passed LSM is currently loaded. | ||
| 96 | * Otherwise, return false. | 93 | * Otherwise, return false. |
| 97 | */ | 94 | */ |
| 98 | int __init security_module_enable(struct security_operations *ops) | 95 | int __init security_module_enable(struct security_operations *ops) |
| 99 | { | 96 | { |
| 100 | if (!*chosen_lsm) | 97 | return !strcmp(ops->name, chosen_lsm); |
| 101 | strncpy(chosen_lsm, ops->name, SECURITY_NAME_MAX); | ||
| 102 | else if (strncmp(ops->name, chosen_lsm, SECURITY_NAME_MAX)) | ||
| 103 | return 0; | ||
| 104 | |||
| 105 | return 1; | ||
| 106 | } | 98 | } |
| 107 | 99 | ||
| 108 | /** | 100 | /** |
| @@ -162,39 +154,37 @@ int security_capset(struct cred *new, const struct cred *old, | |||
| 162 | effective, inheritable, permitted); | 154 | effective, inheritable, permitted); |
| 163 | } | 155 | } |
| 164 | 156 | ||
| 165 | int security_capable(int cap) | 157 | int security_capable(struct user_namespace *ns, const struct cred *cred, |
| 158 | int cap) | ||
| 166 | { | 159 | { |
| 167 | return security_ops->capable(current, current_cred(), cap, | 160 | return security_ops->capable(current, cred, ns, cap, |
| 168 | SECURITY_CAP_AUDIT); | 161 | SECURITY_CAP_AUDIT); |
| 169 | } | 162 | } |
| 170 | 163 | ||
| 171 | int security_real_capable(struct task_struct *tsk, int cap) | 164 | int security_real_capable(struct task_struct *tsk, struct user_namespace *ns, |
| 165 | int cap) | ||
| 172 | { | 166 | { |
| 173 | const struct cred *cred; | 167 | const struct cred *cred; |
| 174 | int ret; | 168 | int ret; |
| 175 | 169 | ||
| 176 | cred = get_task_cred(tsk); | 170 | cred = get_task_cred(tsk); |
| 177 | ret = security_ops->capable(tsk, cred, cap, SECURITY_CAP_AUDIT); | 171 | ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_AUDIT); |
| 178 | put_cred(cred); | 172 | put_cred(cred); |
| 179 | return ret; | 173 | return ret; |
| 180 | } | 174 | } |
| 181 | 175 | ||
| 182 | int security_real_capable_noaudit(struct task_struct *tsk, int cap) | 176 | int security_real_capable_noaudit(struct task_struct *tsk, |
| 177 | struct user_namespace *ns, int cap) | ||
| 183 | { | 178 | { |
| 184 | const struct cred *cred; | 179 | const struct cred *cred; |
| 185 | int ret; | 180 | int ret; |
| 186 | 181 | ||
| 187 | cred = get_task_cred(tsk); | 182 | cred = get_task_cred(tsk); |
| 188 | ret = security_ops->capable(tsk, cred, cap, SECURITY_CAP_NOAUDIT); | 183 | ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_NOAUDIT); |
| 189 | put_cred(cred); | 184 | put_cred(cred); |
| 190 | return ret; | 185 | return ret; |
| 191 | } | 186 | } |
| 192 | 187 | ||
| 193 | int security_sysctl(struct ctl_table *table, int op) | ||
| 194 | { | ||
| 195 | return security_ops->sysctl(table, op); | ||
| 196 | } | ||
| 197 | |||
| 198 | int security_quotactl(int cmds, int type, int id, struct super_block *sb) | 188 | int security_quotactl(int cmds, int type, int id, struct super_block *sb) |
| 199 | { | 189 | { |
| 200 | return security_ops->quotactl(cmds, type, id, sb); | 190 | return security_ops->quotactl(cmds, type, id, sb); |
| @@ -205,12 +195,12 @@ int security_quota_on(struct dentry *dentry) | |||
| 205 | return security_ops->quota_on(dentry); | 195 | return security_ops->quota_on(dentry); |
| 206 | } | 196 | } |
| 207 | 197 | ||
| 208 | int security_syslog(int type, bool from_file) | 198 | int security_syslog(int type) |
| 209 | { | 199 | { |
| 210 | return security_ops->syslog(type, from_file); | 200 | return security_ops->syslog(type); |
| 211 | } | 201 | } |
| 212 | 202 | ||
| 213 | int security_settime(struct timespec *ts, struct timezone *tz) | 203 | int security_settime(const struct timespec *ts, const struct timezone *tz) |
| 214 | { | 204 | { |
| 215 | return security_ops->settime(ts, tz); | 205 | return security_ops->settime(ts, tz); |
| 216 | } | 206 | } |
| @@ -280,6 +270,11 @@ int security_sb_copy_data(char *orig, char *copy) | |||
| 280 | } | 270 | } |
| 281 | EXPORT_SYMBOL(security_sb_copy_data); | 271 | EXPORT_SYMBOL(security_sb_copy_data); |
| 282 | 272 | ||
| 273 | int security_sb_remount(struct super_block *sb, void *data) | ||
| 274 | { | ||
| 275 | return security_ops->sb_remount(sb, data); | ||
| 276 | } | ||
| 277 | |||
| 283 | int security_sb_kern_mount(struct super_block *sb, int flags, void *data) | 278 | int security_sb_kern_mount(struct super_block *sb, int flags, void *data) |
| 284 | { | 279 | { |
| 285 | return security_ops->sb_kern_mount(sb, flags, data); | 280 | return security_ops->sb_kern_mount(sb, flags, data); |
| @@ -333,16 +328,8 @@ EXPORT_SYMBOL(security_sb_parse_opts_str); | |||
| 333 | 328 | ||
| 334 | int security_inode_alloc(struct inode *inode) | 329 | int security_inode_alloc(struct inode *inode) |
| 335 | { | 330 | { |
| 336 | int ret; | ||
| 337 | |||
| 338 | inode->i_security = NULL; | 331 | inode->i_security = NULL; |
| 339 | ret = security_ops->inode_alloc_security(inode); | 332 | return security_ops->inode_alloc_security(inode); |
| 340 | if (ret) | ||
| 341 | return ret; | ||
| 342 | ret = ima_inode_alloc(inode); | ||
| 343 | if (ret) | ||
| 344 | security_inode_free(inode); | ||
| 345 | return ret; | ||
| 346 | } | 333 | } |
| 347 | 334 | ||
| 348 | void security_inode_free(struct inode *inode) | 335 | void security_inode_free(struct inode *inode) |
| @@ -352,11 +339,13 @@ void security_inode_free(struct inode *inode) | |||
| 352 | } | 339 | } |
| 353 | 340 | ||
| 354 | int security_inode_init_security(struct inode *inode, struct inode *dir, | 341 | int security_inode_init_security(struct inode *inode, struct inode *dir, |
| 355 | char **name, void **value, size_t *len) | 342 | const struct qstr *qstr, char **name, |
| 343 | void **value, size_t *len) | ||
| 356 | { | 344 | { |
| 357 | if (unlikely(IS_PRIVATE(inode))) | 345 | if (unlikely(IS_PRIVATE(inode))) |
| 358 | return -EOPNOTSUPP; | 346 | return -EOPNOTSUPP; |
| 359 | return security_ops->inode_init_security(inode, dir, name, value, len); | 347 | return security_ops->inode_init_security(inode, dir, qstr, name, value, |
| 348 | len); | ||
| 360 | } | 349 | } |
| 361 | EXPORT_SYMBOL(security_inode_init_security); | 350 | EXPORT_SYMBOL(security_inode_init_security); |
| 362 | 351 | ||
| @@ -376,6 +365,7 @@ int security_path_mkdir(struct path *dir, struct dentry *dentry, int mode) | |||
| 376 | return 0; | 365 | return 0; |
| 377 | return security_ops->path_mkdir(dir, dentry, mode); | 366 | return security_ops->path_mkdir(dir, dentry, mode); |
| 378 | } | 367 | } |
| 368 | EXPORT_SYMBOL(security_path_mkdir); | ||
| 379 | 369 | ||
| 380 | int security_path_rmdir(struct path *dir, struct dentry *dentry) | 370 | int security_path_rmdir(struct path *dir, struct dentry *dentry) |
| 381 | { | 371 | { |
| @@ -390,6 +380,7 @@ int security_path_unlink(struct path *dir, struct dentry *dentry) | |||
| 390 | return 0; | 380 | return 0; |
| 391 | return security_ops->path_unlink(dir, dentry); | 381 | return security_ops->path_unlink(dir, dentry); |
| 392 | } | 382 | } |
| 383 | EXPORT_SYMBOL(security_path_unlink); | ||
| 393 | 384 | ||
| 394 | int security_path_symlink(struct path *dir, struct dentry *dentry, | 385 | int security_path_symlink(struct path *dir, struct dentry *dentry, |
| 395 | const char *old_name) | 386 | const char *old_name) |
| @@ -416,6 +407,7 @@ int security_path_rename(struct path *old_dir, struct dentry *old_dentry, | |||
| 416 | return security_ops->path_rename(old_dir, old_dentry, new_dir, | 407 | return security_ops->path_rename(old_dir, old_dentry, new_dir, |
| 417 | new_dentry); | 408 | new_dentry); |
| 418 | } | 409 | } |
| 410 | EXPORT_SYMBOL(security_path_rename); | ||
| 419 | 411 | ||
| 420 | int security_path_truncate(struct path *path) | 412 | int security_path_truncate(struct path *path) |
| 421 | { | 413 | { |
| @@ -526,7 +518,14 @@ int security_inode_permission(struct inode *inode, int mask) | |||
| 526 | { | 518 | { |
| 527 | if (unlikely(IS_PRIVATE(inode))) | 519 | if (unlikely(IS_PRIVATE(inode))) |
| 528 | return 0; | 520 | return 0; |
| 529 | return security_ops->inode_permission(inode, mask); | 521 | return security_ops->inode_permission(inode, mask, 0); |
| 522 | } | ||
| 523 | |||
| 524 | int security_inode_exec_permission(struct inode *inode, unsigned int flags) | ||
| 525 | { | ||
| 526 | if (unlikely(IS_PRIVATE(inode))) | ||
| 527 | return 0; | ||
| 528 | return security_ops->inode_permission(inode, MAY_EXEC, flags); | ||
| 530 | } | 529 | } |
| 531 | 530 | ||
| 532 | int security_inode_setattr(struct dentry *dentry, struct iattr *attr) | 531 | int security_inode_setattr(struct dentry *dentry, struct iattr *attr) |
| @@ -786,10 +785,9 @@ int security_task_setrlimit(struct task_struct *p, unsigned int resource, | |||
| 786 | return security_ops->task_setrlimit(p, resource, new_rlim); | 785 | return security_ops->task_setrlimit(p, resource, new_rlim); |
| 787 | } | 786 | } |
| 788 | 787 | ||
| 789 | int security_task_setscheduler(struct task_struct *p, | 788 | int security_task_setscheduler(struct task_struct *p) |
| 790 | int policy, struct sched_param *lp) | ||
| 791 | { | 789 | { |
| 792 | return security_ops->task_setscheduler(p, policy, lp); | 790 | return security_ops->task_setscheduler(p); |
| 793 | } | 791 | } |
| 794 | 792 | ||
| 795 | int security_task_getscheduler(struct task_struct *p) | 793 | int security_task_getscheduler(struct task_struct *p) |
| @@ -994,8 +992,7 @@ EXPORT_SYMBOL(security_inode_getsecctx); | |||
| 994 | 992 | ||
| 995 | #ifdef CONFIG_SECURITY_NETWORK | 993 | #ifdef CONFIG_SECURITY_NETWORK |
| 996 | 994 | ||
| 997 | int security_unix_stream_connect(struct socket *sock, struct socket *other, | 995 | int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) |
| 998 | struct sock *newsk) | ||
| 999 | { | 996 | { |
| 1000 | return security_ops->unix_stream_connect(sock, other, newsk); | 997 | return security_ops->unix_stream_connect(sock, other, newsk); |
| 1001 | } | 998 | } |
| @@ -1110,7 +1107,7 @@ void security_sk_clone(const struct sock *sk, struct sock *newsk) | |||
| 1110 | 1107 | ||
| 1111 | void security_sk_classify_flow(struct sock *sk, struct flowi *fl) | 1108 | void security_sk_classify_flow(struct sock *sk, struct flowi *fl) |
| 1112 | { | 1109 | { |
| 1113 | security_ops->sk_getsecid(sk, &fl->secid); | 1110 | security_ops->sk_getsecid(sk, &fl->flowi_secid); |
| 1114 | } | 1111 | } |
| 1115 | EXPORT_SYMBOL(security_sk_classify_flow); | 1112 | EXPORT_SYMBOL(security_sk_classify_flow); |
| 1116 | 1113 | ||
| @@ -1145,6 +1142,24 @@ void security_inet_conn_established(struct sock *sk, | |||
| 1145 | security_ops->inet_conn_established(sk, skb); | 1142 | security_ops->inet_conn_established(sk, skb); |
| 1146 | } | 1143 | } |
| 1147 | 1144 | ||
| 1145 | int security_secmark_relabel_packet(u32 secid) | ||
| 1146 | { | ||
| 1147 | return security_ops->secmark_relabel_packet(secid); | ||
| 1148 | } | ||
| 1149 | EXPORT_SYMBOL(security_secmark_relabel_packet); | ||
| 1150 | |||
| 1151 | void security_secmark_refcount_inc(void) | ||
| 1152 | { | ||
| 1153 | security_ops->secmark_refcount_inc(); | ||
| 1154 | } | ||
| 1155 | EXPORT_SYMBOL(security_secmark_refcount_inc); | ||
| 1156 | |||
| 1157 | void security_secmark_refcount_dec(void) | ||
| 1158 | { | ||
| 1159 | security_ops->secmark_refcount_dec(); | ||
| 1160 | } | ||
| 1161 | EXPORT_SYMBOL(security_secmark_refcount_dec); | ||
| 1162 | |||
| 1148 | int security_tun_dev_create(void) | 1163 | int security_tun_dev_create(void) |
| 1149 | { | 1164 | { |
| 1150 | return security_ops->tun_dev_create(); | 1165 | return security_ops->tun_dev_create(); |
| @@ -1225,7 +1240,8 @@ int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) | |||
| 1225 | } | 1240 | } |
| 1226 | 1241 | ||
| 1227 | int security_xfrm_state_pol_flow_match(struct xfrm_state *x, | 1242 | int security_xfrm_state_pol_flow_match(struct xfrm_state *x, |
| 1228 | struct xfrm_policy *xp, struct flowi *fl) | 1243 | struct xfrm_policy *xp, |
| 1244 | const struct flowi *fl) | ||
| 1229 | { | 1245 | { |
| 1230 | return security_ops->xfrm_state_pol_flow_match(x, xp, fl); | 1246 | return security_ops->xfrm_state_pol_flow_match(x, xp, fl); |
| 1231 | } | 1247 | } |
| @@ -1237,7 +1253,7 @@ int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) | |||
| 1237 | 1253 | ||
| 1238 | void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) | 1254 | void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) |
| 1239 | { | 1255 | { |
| 1240 | int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0); | 1256 | int rc = security_ops->xfrm_decode_session(skb, &fl->flowi_secid, 0); |
| 1241 | 1257 | ||
| 1242 | BUG_ON(rc); | 1258 | BUG_ON(rc); |
| 1243 | } | 1259 | } |