diff options
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 87a915656eab..29c39e0b03ed 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -1920,6 +1920,74 @@ static inline u32 open_file_to_av(struct file *file) | |||
| 1920 | 1920 | ||
| 1921 | /* Hook functions begin here. */ | 1921 | /* Hook functions begin here. */ |
| 1922 | 1922 | ||
| 1923 | static int selinux_binder_set_context_mgr(struct task_struct *mgr) | ||
| 1924 | { | ||
| 1925 | u32 mysid = current_sid(); | ||
| 1926 | u32 mgrsid = task_sid(mgr); | ||
| 1927 | |||
| 1928 | return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, | ||
| 1929 | BINDER__SET_CONTEXT_MGR, NULL); | ||
| 1930 | } | ||
| 1931 | |||
| 1932 | static int selinux_binder_transaction(struct task_struct *from, | ||
| 1933 | struct task_struct *to) | ||
| 1934 | { | ||
| 1935 | u32 mysid = current_sid(); | ||
| 1936 | u32 fromsid = task_sid(from); | ||
| 1937 | u32 tosid = task_sid(to); | ||
| 1938 | int rc; | ||
| 1939 | |||
| 1940 | if (mysid != fromsid) { | ||
| 1941 | rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, | ||
| 1942 | BINDER__IMPERSONATE, NULL); | ||
| 1943 | if (rc) | ||
| 1944 | return rc; | ||
| 1945 | } | ||
| 1946 | |||
| 1947 | return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, | ||
| 1948 | NULL); | ||
| 1949 | } | ||
| 1950 | |||
| 1951 | static int selinux_binder_transfer_binder(struct task_struct *from, | ||
| 1952 | struct task_struct *to) | ||
| 1953 | { | ||
| 1954 | u32 fromsid = task_sid(from); | ||
| 1955 | u32 tosid = task_sid(to); | ||
| 1956 | |||
| 1957 | return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, | ||
| 1958 | NULL); | ||
| 1959 | } | ||
| 1960 | |||
| 1961 | static int selinux_binder_transfer_file(struct task_struct *from, | ||
| 1962 | struct task_struct *to, | ||
| 1963 | struct file *file) | ||
| 1964 | { | ||
| 1965 | u32 sid = task_sid(to); | ||
| 1966 | struct file_security_struct *fsec = file->f_security; | ||
| 1967 | struct inode *inode = file->f_path.dentry->d_inode; | ||
| 1968 | struct inode_security_struct *isec = inode->i_security; | ||
| 1969 | struct common_audit_data ad; | ||
| 1970 | int rc; | ||
| 1971 | |||
| 1972 | ad.type = LSM_AUDIT_DATA_PATH; | ||
| 1973 | ad.u.path = file->f_path; | ||
| 1974 | |||
| 1975 | if (sid != fsec->sid) { | ||
| 1976 | rc = avc_has_perm(sid, fsec->sid, | ||
| 1977 | SECCLASS_FD, | ||
| 1978 | FD__USE, | ||
| 1979 | &ad); | ||
| 1980 | if (rc) | ||
| 1981 | return rc; | ||
| 1982 | } | ||
| 1983 | |||
| 1984 | if (unlikely(IS_PRIVATE(inode))) | ||
| 1985 | return 0; | ||
| 1986 | |||
| 1987 | return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), | ||
| 1988 | &ad); | ||
| 1989 | } | ||
| 1990 | |||
| 1923 | static int selinux_ptrace_access_check(struct task_struct *child, | 1991 | static int selinux_ptrace_access_check(struct task_struct *child, |
| 1924 | unsigned int mode) | 1992 | unsigned int mode) |
| 1925 | { | 1993 | { |
| @@ -5797,6 +5865,11 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) | |||
| 5797 | static struct security_operations selinux_ops = { | 5865 | static struct security_operations selinux_ops = { |
| 5798 | .name = "selinux", | 5866 | .name = "selinux", |
| 5799 | 5867 | ||
| 5868 | .binder_set_context_mgr = selinux_binder_set_context_mgr, | ||
| 5869 | .binder_transaction = selinux_binder_transaction, | ||
| 5870 | .binder_transfer_binder = selinux_binder_transfer_binder, | ||
| 5871 | .binder_transfer_file = selinux_binder_transfer_file, | ||
| 5872 | |||
| 5800 | .ptrace_access_check = selinux_ptrace_access_check, | 5873 | .ptrace_access_check = selinux_ptrace_access_check, |
| 5801 | .ptrace_traceme = selinux_ptrace_traceme, | 5874 | .ptrace_traceme = selinux_ptrace_traceme, |
| 5802 | .capget = selinux_capget, | 5875 | .capget = selinux_capget, |