diff options
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 53 |
1 files changed, 52 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index cf76150e623e..97b7e2738097 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -14,6 +14,8 @@ | |||
14 | * <dgoeddel@trustedcs.com> | 14 | * <dgoeddel@trustedcs.com> |
15 | * Copyright (C) 2006 Hewlett-Packard Development Company, L.P. | 15 | * Copyright (C) 2006 Hewlett-Packard Development Company, L.P. |
16 | * Paul Moore, <paul.moore@hp.com> | 16 | * Paul Moore, <paul.moore@hp.com> |
17 | * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. | ||
18 | * Yuichi Nakamura <ynakam@hitachisoft.jp> | ||
17 | * | 19 | * |
18 | * This program is free software; you can redistribute it and/or modify | 20 | * This program is free software; you can redistribute it and/or modify |
19 | * it under the terms of the GNU General Public License version 2, | 21 | * it under the terms of the GNU General Public License version 2, |
@@ -2464,7 +2466,7 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t | |||
2464 | 2466 | ||
2465 | /* file security operations */ | 2467 | /* file security operations */ |
2466 | 2468 | ||
2467 | static int selinux_file_permission(struct file *file, int mask) | 2469 | static int selinux_revalidate_file_permission(struct file *file, int mask) |
2468 | { | 2470 | { |
2469 | int rc; | 2471 | int rc; |
2470 | struct inode *inode = file->f_path.dentry->d_inode; | 2472 | struct inode *inode = file->f_path.dentry->d_inode; |
@@ -2486,6 +2488,25 @@ static int selinux_file_permission(struct file *file, int mask) | |||
2486 | return selinux_netlbl_inode_permission(inode, mask); | 2488 | return selinux_netlbl_inode_permission(inode, mask); |
2487 | } | 2489 | } |
2488 | 2490 | ||
2491 | static int selinux_file_permission(struct file *file, int mask) | ||
2492 | { | ||
2493 | struct inode *inode = file->f_path.dentry->d_inode; | ||
2494 | struct task_security_struct *tsec = current->security; | ||
2495 | struct file_security_struct *fsec = file->f_security; | ||
2496 | struct inode_security_struct *isec = inode->i_security; | ||
2497 | |||
2498 | if (!mask) { | ||
2499 | /* No permission to check. Existence test. */ | ||
2500 | return 0; | ||
2501 | } | ||
2502 | |||
2503 | if (tsec->sid == fsec->sid && fsec->isid == isec->sid | ||
2504 | && fsec->pseqno == avc_policy_seqno()) | ||
2505 | return selinux_netlbl_inode_permission(inode, mask); | ||
2506 | |||
2507 | return selinux_revalidate_file_permission(file, mask); | ||
2508 | } | ||
2509 | |||
2489 | static int selinux_file_alloc_security(struct file *file) | 2510 | static int selinux_file_alloc_security(struct file *file) |
2490 | { | 2511 | { |
2491 | return file_alloc_security(file); | 2512 | return file_alloc_security(file); |
@@ -2725,6 +2746,34 @@ static int selinux_file_receive(struct file *file) | |||
2725 | return file_has_perm(current, file, file_to_av(file)); | 2746 | return file_has_perm(current, file, file_to_av(file)); |
2726 | } | 2747 | } |
2727 | 2748 | ||
2749 | static int selinux_dentry_open(struct file *file) | ||
2750 | { | ||
2751 | struct file_security_struct *fsec; | ||
2752 | struct inode *inode; | ||
2753 | struct inode_security_struct *isec; | ||
2754 | inode = file->f_path.dentry->d_inode; | ||
2755 | fsec = file->f_security; | ||
2756 | isec = inode->i_security; | ||
2757 | /* | ||
2758 | * Save inode label and policy sequence number | ||
2759 | * at open-time so that selinux_file_permission | ||
2760 | * can determine whether revalidation is necessary. | ||
2761 | * Task label is already saved in the file security | ||
2762 | * struct as its SID. | ||
2763 | */ | ||
2764 | fsec->isid = isec->sid; | ||
2765 | fsec->pseqno = avc_policy_seqno(); | ||
2766 | /* | ||
2767 | * Since the inode label or policy seqno may have changed | ||
2768 | * between the selinux_inode_permission check and the saving | ||
2769 | * of state above, recheck that access is still permitted. | ||
2770 | * Otherwise, access might never be revalidated against the | ||
2771 | * new inode label or new policy. | ||
2772 | * This check is not redundant - do not remove. | ||
2773 | */ | ||
2774 | return inode_has_perm(current, inode, file_to_av(file), NULL); | ||
2775 | } | ||
2776 | |||
2728 | /* task security operations */ | 2777 | /* task security operations */ |
2729 | 2778 | ||
2730 | static int selinux_task_create(unsigned long clone_flags) | 2779 | static int selinux_task_create(unsigned long clone_flags) |
@@ -4794,6 +4843,8 @@ static struct security_operations selinux_ops = { | |||
4794 | .file_send_sigiotask = selinux_file_send_sigiotask, | 4843 | .file_send_sigiotask = selinux_file_send_sigiotask, |
4795 | .file_receive = selinux_file_receive, | 4844 | .file_receive = selinux_file_receive, |
4796 | 4845 | ||
4846 | .dentry_open = selinux_dentry_open, | ||
4847 | |||
4797 | .task_create = selinux_task_create, | 4848 | .task_create = selinux_task_create, |
4798 | .task_alloc_security = selinux_task_alloc_security, | 4849 | .task_alloc_security = selinux_task_alloc_security, |
4799 | .task_free_security = selinux_task_free_security, | 4850 | .task_free_security = selinux_task_free_security, |