aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/dummy.c52
-rw-r--r--security/selinux/hooks.c178
2 files changed, 67 insertions, 163 deletions
diff --git a/security/dummy.c b/security/dummy.c
index 6ff887586479..9623a61dfc76 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -258,16 +258,16 @@ static void dummy_inode_free_security (struct inode *inode)
258 return; 258 return;
259} 259}
260 260
261static int dummy_inode_create (struct inode *inode, struct dentry *dentry, 261static int dummy_inode_init_security (struct inode *inode, struct inode *dir,
262 int mask) 262 char **name, void **value, size_t *len)
263{ 263{
264 return 0; 264 return -EOPNOTSUPP;
265} 265}
266 266
267static void dummy_inode_post_create (struct inode *inode, struct dentry *dentry, 267static int dummy_inode_create (struct inode *inode, struct dentry *dentry,
268 int mask) 268 int mask)
269{ 269{
270 return; 270 return 0;
271} 271}
272 272
273static int dummy_inode_link (struct dentry *old_dentry, struct inode *inode, 273static int dummy_inode_link (struct dentry *old_dentry, struct inode *inode,
@@ -276,13 +276,6 @@ static int dummy_inode_link (struct dentry *old_dentry, struct inode *inode,
276 return 0; 276 return 0;
277} 277}
278 278
279static void dummy_inode_post_link (struct dentry *old_dentry,
280 struct inode *inode,
281 struct dentry *new_dentry)
282{
283 return;
284}
285
286static int dummy_inode_unlink (struct inode *inode, struct dentry *dentry) 279static int dummy_inode_unlink (struct inode *inode, struct dentry *dentry)
287{ 280{
288 return 0; 281 return 0;
@@ -294,24 +287,12 @@ static int dummy_inode_symlink (struct inode *inode, struct dentry *dentry,
294 return 0; 287 return 0;
295} 288}
296 289
297static void dummy_inode_post_symlink (struct inode *inode,
298 struct dentry *dentry, const char *name)
299{
300 return;
301}
302
303static int dummy_inode_mkdir (struct inode *inode, struct dentry *dentry, 290static int dummy_inode_mkdir (struct inode *inode, struct dentry *dentry,
304 int mask) 291 int mask)
305{ 292{
306 return 0; 293 return 0;
307} 294}
308 295
309static void dummy_inode_post_mkdir (struct inode *inode, struct dentry *dentry,
310 int mask)
311{
312 return;
313}
314
315static int dummy_inode_rmdir (struct inode *inode, struct dentry *dentry) 296static int dummy_inode_rmdir (struct inode *inode, struct dentry *dentry)
316{ 297{
317 return 0; 298 return 0;
@@ -323,12 +304,6 @@ static int dummy_inode_mknod (struct inode *inode, struct dentry *dentry,
323 return 0; 304 return 0;
324} 305}
325 306
326static void dummy_inode_post_mknod (struct inode *inode, struct dentry *dentry,
327 int mode, dev_t dev)
328{
329 return;
330}
331
332static int dummy_inode_rename (struct inode *old_inode, 307static int dummy_inode_rename (struct inode *old_inode,
333 struct dentry *old_dentry, 308 struct dentry *old_dentry,
334 struct inode *new_inode, 309 struct inode *new_inode,
@@ -337,14 +312,6 @@ static int dummy_inode_rename (struct inode *old_inode,
337 return 0; 312 return 0;
338} 313}
339 314
340static void dummy_inode_post_rename (struct inode *old_inode,
341 struct dentry *old_dentry,
342 struct inode *new_inode,
343 struct dentry *new_dentry)
344{
345 return;
346}
347
348static int dummy_inode_readlink (struct dentry *dentry) 315static int dummy_inode_readlink (struct dentry *dentry)
349{ 316{
350 return 0; 317 return 0;
@@ -886,20 +853,15 @@ void security_fixup_ops (struct security_operations *ops)
886 set_to_dummy_if_null(ops, sb_post_pivotroot); 853 set_to_dummy_if_null(ops, sb_post_pivotroot);
887 set_to_dummy_if_null(ops, inode_alloc_security); 854 set_to_dummy_if_null(ops, inode_alloc_security);
888 set_to_dummy_if_null(ops, inode_free_security); 855 set_to_dummy_if_null(ops, inode_free_security);
856 set_to_dummy_if_null(ops, inode_init_security);
889 set_to_dummy_if_null(ops, inode_create); 857 set_to_dummy_if_null(ops, inode_create);
890 set_to_dummy_if_null(ops, inode_post_create);
891 set_to_dummy_if_null(ops, inode_link); 858 set_to_dummy_if_null(ops, inode_link);
892 set_to_dummy_if_null(ops, inode_post_link);
893 set_to_dummy_if_null(ops, inode_unlink); 859 set_to_dummy_if_null(ops, inode_unlink);
894 set_to_dummy_if_null(ops, inode_symlink); 860 set_to_dummy_if_null(ops, inode_symlink);
895 set_to_dummy_if_null(ops, inode_post_symlink);
896 set_to_dummy_if_null(ops, inode_mkdir); 861 set_to_dummy_if_null(ops, inode_mkdir);
897 set_to_dummy_if_null(ops, inode_post_mkdir);
898 set_to_dummy_if_null(ops, inode_rmdir); 862 set_to_dummy_if_null(ops, inode_rmdir);
899 set_to_dummy_if_null(ops, inode_mknod); 863 set_to_dummy_if_null(ops, inode_mknod);
900 set_to_dummy_if_null(ops, inode_post_mknod);
901 set_to_dummy_if_null(ops, inode_rename); 864 set_to_dummy_if_null(ops, inode_rename);
902 set_to_dummy_if_null(ops, inode_post_rename);
903 set_to_dummy_if_null(ops, inode_readlink); 865 set_to_dummy_if_null(ops, inode_readlink);
904 set_to_dummy_if_null(ops, inode_follow_link); 866 set_to_dummy_if_null(ops, inode_follow_link);
905 set_to_dummy_if_null(ops, inode_permission); 867 set_to_dummy_if_null(ops, inode_permission);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8641f8894b4c..f40c8221ec1b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1265,85 +1265,6 @@ static int inode_security_set_sid(struct inode *inode, u32 sid)
1265 return 0; 1265 return 0;
1266} 1266}
1267 1267
1268/* Set the security attributes on a newly created file. */
1269static int post_create(struct inode *dir,
1270 struct dentry *dentry)
1271{
1272
1273 struct task_security_struct *tsec;
1274 struct inode *inode;
1275 struct inode_security_struct *dsec;
1276 struct superblock_security_struct *sbsec;
1277 u32 newsid;
1278 char *context;
1279 unsigned int len;
1280 int rc;
1281
1282 tsec = current->security;
1283 dsec = dir->i_security;
1284 sbsec = dir->i_sb->s_security;
1285
1286 inode = dentry->d_inode;
1287 if (!inode) {
1288 /* Some file system types (e.g. NFS) may not instantiate
1289 a dentry for all create operations (e.g. symlink),
1290 so we have to check to see if the inode is non-NULL. */
1291 printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
1292 "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1293 return 0;
1294 }
1295
1296 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1297 newsid = tsec->create_sid;
1298 } else {
1299 rc = security_transition_sid(tsec->sid, dsec->sid,
1300 inode_mode_to_security_class(inode->i_mode),
1301 &newsid);
1302 if (rc) {
1303 printk(KERN_WARNING "post_create: "
1304 "security_transition_sid failed, rc=%d (dev=%s "
1305 "ino=%ld)\n",
1306 -rc, inode->i_sb->s_id, inode->i_ino);
1307 return rc;
1308 }
1309 }
1310
1311 rc = inode_security_set_sid(inode, newsid);
1312 if (rc) {
1313 printk(KERN_WARNING "post_create: inode_security_set_sid "
1314 "failed, rc=%d (dev=%s ino=%ld)\n",
1315 -rc, inode->i_sb->s_id, inode->i_ino);
1316 return rc;
1317 }
1318
1319 if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1320 inode->i_op->setxattr) {
1321 /* Use extended attributes. */
1322 rc = security_sid_to_context(newsid, &context, &len);
1323 if (rc) {
1324 printk(KERN_WARNING "post_create: sid_to_context "
1325 "failed, rc=%d (dev=%s ino=%ld)\n",
1326 -rc, inode->i_sb->s_id, inode->i_ino);
1327 return rc;
1328 }
1329 down(&inode->i_sem);
1330 rc = inode->i_op->setxattr(dentry,
1331 XATTR_NAME_SELINUX,
1332 context, len, 0);
1333 up(&inode->i_sem);
1334 kfree(context);
1335 if (rc < 0) {
1336 printk(KERN_WARNING "post_create: setxattr failed, "
1337 "rc=%d (dev=%s ino=%ld)\n",
1338 -rc, inode->i_sb->s_id, inode->i_ino);
1339 return rc;
1340 }
1341 }
1342
1343 return 0;
1344}
1345
1346
1347/* Hook functions begin here. */ 1268/* Hook functions begin here. */
1348 1269
1349static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) 1270static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
@@ -1673,6 +1594,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
1673 struct avc_audit_data ad; 1594 struct avc_audit_data ad;
1674 struct file *file, *devnull = NULL; 1595 struct file *file, *devnull = NULL;
1675 struct tty_struct *tty = current->signal->tty; 1596 struct tty_struct *tty = current->signal->tty;
1597 struct fdtable *fdt;
1676 long j = -1; 1598 long j = -1;
1677 1599
1678 if (tty) { 1600 if (tty) {
@@ -1706,9 +1628,10 @@ static inline void flush_unauthorized_files(struct files_struct * files)
1706 1628
1707 j++; 1629 j++;
1708 i = j * __NFDBITS; 1630 i = j * __NFDBITS;
1709 if (i >= files->max_fds || i >= files->max_fdset) 1631 fdt = files_fdtable(files);
1632 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1710 break; 1633 break;
1711 set = files->open_fds->fds_bits[j]; 1634 set = fdt->open_fds->fds_bits[j];
1712 if (!set) 1635 if (!set)
1713 continue; 1636 continue;
1714 spin_unlock(&files->file_lock); 1637 spin_unlock(&files->file_lock);
@@ -1729,7 +1652,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
1729 continue; 1652 continue;
1730 } 1653 }
1731 if (devnull) { 1654 if (devnull) {
1732 atomic_inc(&devnull->f_count); 1655 rcuref_inc(&devnull->f_count);
1733 } else { 1656 } else {
1734 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 1657 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1735 if (!devnull) { 1658 if (!devnull) {
@@ -2018,14 +1941,64 @@ static void selinux_inode_free_security(struct inode *inode)
2018 inode_free_security(inode); 1941 inode_free_security(inode);
2019} 1942}
2020 1943
2021static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 1944static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1945 char **name, void **value,
1946 size_t *len)
2022{ 1947{
2023 return may_create(dir, dentry, SECCLASS_FILE); 1948 struct task_security_struct *tsec;
1949 struct inode_security_struct *dsec;
1950 struct superblock_security_struct *sbsec;
1951 struct inode_security_struct *isec;
1952 u32 newsid, clen;
1953 int rc;
1954 char *namep = NULL, *context;
1955
1956 tsec = current->security;
1957 dsec = dir->i_security;
1958 sbsec = dir->i_sb->s_security;
1959 isec = inode->i_security;
1960
1961 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1962 newsid = tsec->create_sid;
1963 } else {
1964 rc = security_transition_sid(tsec->sid, dsec->sid,
1965 inode_mode_to_security_class(inode->i_mode),
1966 &newsid);
1967 if (rc) {
1968 printk(KERN_WARNING "%s: "
1969 "security_transition_sid failed, rc=%d (dev=%s "
1970 "ino=%ld)\n",
1971 __FUNCTION__,
1972 -rc, inode->i_sb->s_id, inode->i_ino);
1973 return rc;
1974 }
1975 }
1976
1977 inode_security_set_sid(inode, newsid);
1978
1979 if (name) {
1980 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1981 if (!namep)
1982 return -ENOMEM;
1983 *name = namep;
1984 }
1985
1986 if (value && len) {
1987 rc = security_sid_to_context(newsid, &context, &clen);
1988 if (rc) {
1989 kfree(namep);
1990 return rc;
1991 }
1992 *value = context;
1993 *len = clen;
1994 }
1995
1996 return 0;
2024} 1997}
2025 1998
2026static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask) 1999static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2027{ 2000{
2028 post_create(dir, dentry); 2001 return may_create(dir, dentry, SECCLASS_FILE);
2029} 2002}
2030 2003
2031static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2004static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
@@ -2038,11 +2011,6 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru
2038 return may_link(dir, old_dentry, MAY_LINK); 2011 return may_link(dir, old_dentry, MAY_LINK);
2039} 2012}
2040 2013
2041static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2042{
2043 return;
2044}
2045
2046static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2014static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2047{ 2015{
2048 int rc; 2016 int rc;
@@ -2058,21 +2026,11 @@ static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const
2058 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2026 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2059} 2027}
2060 2028
2061static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2062{
2063 post_create(dir, dentry);
2064}
2065
2066static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2029static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2067{ 2030{
2068 return may_create(dir, dentry, SECCLASS_DIR); 2031 return may_create(dir, dentry, SECCLASS_DIR);
2069} 2032}
2070 2033
2071static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2072{
2073 post_create(dir, dentry);
2074}
2075
2076static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2034static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2077{ 2035{
2078 return may_link(dir, dentry, MAY_RMDIR); 2036 return may_link(dir, dentry, MAY_RMDIR);
@@ -2089,23 +2047,12 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod
2089 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2047 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2090} 2048}
2091 2049
2092static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2093{
2094 post_create(dir, dentry);
2095}
2096
2097static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2050static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2098 struct inode *new_inode, struct dentry *new_dentry) 2051 struct inode *new_inode, struct dentry *new_dentry)
2099{ 2052{
2100 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2053 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2101} 2054}
2102 2055
2103static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2104 struct inode *new_inode, struct dentry *new_dentry)
2105{
2106 return;
2107}
2108
2109static int selinux_inode_readlink(struct dentry *dentry) 2056static int selinux_inode_readlink(struct dentry *dentry)
2110{ 2057{
2111 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2058 return dentry_has_perm(current, NULL, dentry, FILE__READ);
@@ -4298,20 +4245,15 @@ static struct security_operations selinux_ops = {
4298 4245
4299 .inode_alloc_security = selinux_inode_alloc_security, 4246 .inode_alloc_security = selinux_inode_alloc_security,
4300 .inode_free_security = selinux_inode_free_security, 4247 .inode_free_security = selinux_inode_free_security,
4248 .inode_init_security = selinux_inode_init_security,
4301 .inode_create = selinux_inode_create, 4249 .inode_create = selinux_inode_create,
4302 .inode_post_create = selinux_inode_post_create,
4303 .inode_link = selinux_inode_link, 4250 .inode_link = selinux_inode_link,
4304 .inode_post_link = selinux_inode_post_link,
4305 .inode_unlink = selinux_inode_unlink, 4251 .inode_unlink = selinux_inode_unlink,
4306 .inode_symlink = selinux_inode_symlink, 4252 .inode_symlink = selinux_inode_symlink,
4307 .inode_post_symlink = selinux_inode_post_symlink,
4308 .inode_mkdir = selinux_inode_mkdir, 4253 .inode_mkdir = selinux_inode_mkdir,
4309 .inode_post_mkdir = selinux_inode_post_mkdir,
4310 .inode_rmdir = selinux_inode_rmdir, 4254 .inode_rmdir = selinux_inode_rmdir,
4311 .inode_mknod = selinux_inode_mknod, 4255 .inode_mknod = selinux_inode_mknod,
4312 .inode_post_mknod = selinux_inode_post_mknod,
4313 .inode_rename = selinux_inode_rename, 4256 .inode_rename = selinux_inode_rename,
4314 .inode_post_rename = selinux_inode_post_rename,
4315 .inode_readlink = selinux_inode_readlink, 4257 .inode_readlink = selinux_inode_readlink,
4316 .inode_follow_link = selinux_inode_follow_link, 4258 .inode_follow_link = selinux_inode_follow_link,
4317 .inode_permission = selinux_inode_permission, 4259 .inode_permission = selinux_inode_permission,
generated by cgit v1.2.2 (git 2.25.0) at 2025-06-17 11:50:13 -0400