aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c27
1 files changed, 16 insertions, 11 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f9c3764e4859..8fb248843009 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1446,8 +1446,11 @@ static int task_has_capability(struct task_struct *tsk,
1446 } 1446 }
1447 1447
1448 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1448 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1449 if (audit == SECURITY_CAP_AUDIT) 1449 if (audit == SECURITY_CAP_AUDIT) {
1450 avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1450 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1451 if (rc2)
1452 return rc2;
1453 }
1451 return rc; 1454 return rc;
1452} 1455}
1453 1456
@@ -1467,7 +1470,8 @@ static int task_has_system(struct task_struct *tsk,
1467static int inode_has_perm(const struct cred *cred, 1470static int inode_has_perm(const struct cred *cred,
1468 struct inode *inode, 1471 struct inode *inode,
1469 u32 perms, 1472 u32 perms,
1470 struct common_audit_data *adp) 1473 struct common_audit_data *adp,
1474 unsigned flags)
1471{ 1475{
1472 struct inode_security_struct *isec; 1476 struct inode_security_struct *isec;
1473 struct common_audit_data ad; 1477 struct common_audit_data ad;
@@ -1487,7 +1491,7 @@ static int inode_has_perm(const struct cred *cred,
1487 ad.u.fs.inode = inode; 1491 ad.u.fs.inode = inode;
1488 } 1492 }
1489 1493
1490 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1494 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1491} 1495}
1492 1496
1493/* Same as inode_has_perm, but pass explicit audit data containing 1497/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1504,7 +1508,7 @@ static inline int dentry_has_perm(const struct cred *cred,
1504 COMMON_AUDIT_DATA_INIT(&ad, FS); 1508 COMMON_AUDIT_DATA_INIT(&ad, FS);
1505 ad.u.fs.path.mnt = mnt; 1509 ad.u.fs.path.mnt = mnt;
1506 ad.u.fs.path.dentry = dentry; 1510 ad.u.fs.path.dentry = dentry;
1507 return inode_has_perm(cred, inode, av, &ad); 1511 return inode_has_perm(cred, inode, av, &ad, 0);
1508} 1512}
1509 1513
1510/* Check whether a task can use an open file descriptor to 1514/* Check whether a task can use an open file descriptor to
@@ -1540,7 +1544,7 @@ static int file_has_perm(const struct cred *cred,
1540 /* av is zero if only checking access to the descriptor. */ 1544 /* av is zero if only checking access to the descriptor. */
1541 rc = 0; 1545 rc = 0;
1542 if (av) 1546 if (av)
1543 rc = inode_has_perm(cred, inode, av, &ad); 1547 rc = inode_has_perm(cred, inode, av, &ad, 0);
1544 1548
1545out: 1549out:
1546 return rc; 1550 return rc;
@@ -1574,7 +1578,8 @@ static int may_create(struct inode *dir,
1574 return rc; 1578 return rc;
1575 1579
1576 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 1580 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1577 rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid); 1581 rc = security_transition_sid(sid, dsec->sid, tclass,
1582 &dentry->d_name, &newsid);
1578 if (rc) 1583 if (rc)
1579 return rc; 1584 return rc;
1580 } 1585 }
@@ -2103,7 +2108,7 @@ static inline void flush_unauthorized_files(const struct cred *cred,
2103 file = file_priv->file; 2108 file = file_priv->file;
2104 inode = file->f_path.dentry->d_inode; 2109 inode = file->f_path.dentry->d_inode;
2105 if (inode_has_perm(cred, inode, 2110 if (inode_has_perm(cred, inode,
2106 FILE__READ | FILE__WRITE, NULL)) { 2111 FILE__READ | FILE__WRITE, NULL, 0)) {
2107 drop_tty = 1; 2112 drop_tty = 1;
2108 } 2113 }
2109 } 2114 }
@@ -2635,7 +2640,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
2635 return dentry_has_perm(cred, NULL, dentry, FILE__READ); 2640 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2636} 2641}
2637 2642
2638static int selinux_inode_permission(struct inode *inode, int mask) 2643static int selinux_inode_permission(struct inode *inode, int mask, unsigned flags)
2639{ 2644{
2640 const struct cred *cred = current_cred(); 2645 const struct cred *cred = current_cred();
2641 struct common_audit_data ad; 2646 struct common_audit_data ad;
@@ -2657,7 +2662,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
2657 2662
2658 perms = file_mask_to_av(inode->i_mode, mask); 2663 perms = file_mask_to_av(inode->i_mode, mask);
2659 2664
2660 return inode_has_perm(cred, inode, perms, &ad); 2665 return inode_has_perm(cred, inode, perms, &ad, flags);
2661} 2666}
2662 2667
2663static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2668static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
@@ -3205,7 +3210,7 @@ static int selinux_dentry_open(struct file *file, const struct cred *cred)
3205 * new inode label or new policy. 3210 * new inode label or new policy.
3206 * This check is not redundant - do not remove. 3211 * This check is not redundant - do not remove.
3207 */ 3212 */
3208 return inode_has_perm(cred, inode, open_file_to_av(file), NULL); 3213 return inode_has_perm(cred, inode, open_file_to_av(file), NULL, 0);
3209} 3214}
3210 3215
3211/* task security operations */ 3216/* task security operations */
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-01 19:57:38 -0500