Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 70 |
1 files changed, 33 insertions, 37 deletions
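diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bb230d5d7085..5feecb41009d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -76,6 +76,7 @@
 #include <linux/selinux.h>
 #include <linux/mutex.h>
 #include <linux/posix-timers.h>
+#include <linux/syslog.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -91,7 +92,6 @@
 
 #define NUM_SEL_MNT_OPTS 5
 
-extern unsigned int policydb_loaded_version;
 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
 extern struct security_operations *security_ops;
 
@@ -126,13 +126,6 @@ __setup("selinux=", selinux_enabled_setup);
 int selinux_enabled = 1;
 #endif
 
-
-/*
- * Minimal support for a secondary security module,
- * just to allow the use of the capability module.
- */
-static struct security_operations *secondary_ops;
-
 /* Lists of inode and superblock security structures initialized
    before the policy was loaded. */
 static LIST_HEAD(superblock_security_head);
@@ -2050,29 +2043,30 @@ static int selinux_quota_on(struct dentry *dentry)
 	return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
 }
 
-static int selinux_syslog(int type)
+static int selinux_syslog(int type, bool from_file)
 {
 	int rc;
 
-	rc = cap_syslog(type);
+	rc = cap_syslog(type, from_file);
 	if (rc)
 		return rc;
 
 	switch (type) {
-	case 3: /* Read last kernel messages */
-	case 10: /* Return size of the log buffer */
+	case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
+	case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
 		rc = task_has_system(current, SYSTEM__SYSLOG_READ);
 		break;
-	case 6: /* Disable logging to console */
-	case 7: /* Enable logging to console */
-	case 8: /* Set level of messages printed to console */
+	case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
+	case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
+	/* Set level of messages printed to console */
+	case SYSLOG_ACTION_CONSOLE_LEVEL:
 		rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
 		break;
-	case 0: /* Close log */
-	case 1: /* Open log */
-	case 2: /* Read from log */
-	case 4: /* Read/clear last kernel messages */
-	case 5: /* Clear ring buffer */
+	case SYSLOG_ACTION_CLOSE: /* Close log */
+	case SYSLOG_ACTION_OPEN: /* Open log */
+	case SYSLOG_ACTION_READ: /* Read from log */
+	case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
+	case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
 	default:
 		rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
 		break;
@@ -2366,7 +2360,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
 			initrlim = init_task.signal->rlim + i;
 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
 		}
-		update_rlimit_cpu(rlim->rlim_cur);
+		update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur);
 	}
 }
 
@@ -3335,12 +3329,21 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
 
 	if (ret == 0)
 		tsec->create_sid = isec->sid;
-	return 0;
+	return ret;
 }
 
-static int selinux_kernel_module_request(void)
+static int selinux_kernel_module_request(char *kmod_name)
 {
-	return task_has_system(current, SYSTEM__MODULE_REQUEST);
+	u32 sid;
+	struct common_audit_data ad;
+
+	sid = task_sid(current);
+
+	COMMON_AUDIT_DATA_INIT(&ad, KMOD);
+	ad.u.kmod_name = kmod_name;
+
+	return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
+			    SYSTEM__MODULE_REQUEST, &ad);
 }
 
 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
@@ -4085,7 +4088,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 	char *addrp;
 
 	COMMON_AUDIT_DATA_INIT(&ad, NET);
-	ad.u.net.netif = skb->iif;
+	ad.u.net.netif = skb->skb_iif;
 	ad.u.net.family = family;
 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
 	if (err)
@@ -4147,7 +4150,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 		return 0;
 
 	COMMON_AUDIT_DATA_INIT(&ad, NET);
-	ad.u.net.netif = skb->iif;
+	ad.u.net.netif = skb->skb_iif;
 	ad.u.net.family = family;
 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
 	if (err)
@@ -4159,7 +4162,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 	err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
 	if (err)
 		return err;
-	err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
+	err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
 				       peer_sid, &ad);
 	if (err) {
 		selinux_netlbl_err(skb, err, 0);
@@ -4714,10 +4717,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
 	if (err)
 		return err;
 
-	if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
-		err = selinux_nlmsg_perm(sk, skb);
-
-	return err;
+	return selinux_nlmsg_perm(sk, skb);
 }
 
 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
@@ -5667,9 +5667,6 @@ static __init int selinux_init(void)
 					    0, SLAB_PANIC, NULL);
 	avc_init();
 
-	secondary_ops = security_ops;
-	if (!secondary_ops)
-		panic("SELinux: No initial security operations\n");
 	if (register_security(&selinux_ops))
 		panic("SELinux: Unable to register with kernel.\n");
 
@@ -5830,12 +5827,11 @@ int selinux_disable(void)
 	selinux_disabled = 1;
 	selinux_enabled = 0;
 
+	reset_security_ops();
+
 	/* Try to destroy the avc node cache */
 	avc_disable();
 
-	/* Reset security_ops to the secondary module, dummy or capability. */
-	security_ops = secondary_ops;
-
 	/* Unregister netfilter hooks. */
 	selinux_nf_ip_exit();
 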
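Review bot: selinux_kernel_module_request, in the hunk at @@ -3335, becomes a full AVC check that attaches the module name to the audit record, but nothing states that kmod_name only reaches the audit message and never the decision, nor that the target of the check is SECINITSID_KERNEL rather than the calling task; I would put `/* May current ask the kernel to load a module? kmod_name is recorded in the AVC audit data only; the decision is current's sid against the kernel sid. */` above the function. Because the name is stored as a raw pointer in ad.u.kmod_name and, for some request_module() callers, part of the name is presumably derived from values chosen by userspace, the lsm_audit code that formats the KMOD audit type should emit it as an untrusted string rather than verbatim — that formatter is outside this diff, so it is worth confirming. The remaining hunks only rename constants or fields, drop the secondary_ops plumbing, or reorder the disable path, and raise nothing further.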
