Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c35
-rw-r--r--security/selinux/include/av_perm_to_string.h2
-rw-r--r--security/selinux/include/av_permissions.h3
-rw-r--r--security/selinux/include/objsec.h1
4 files changed, 34 insertions, 7 deletions
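--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1099,6 +1099,17 @@ static int may_create(struct inode *dir,
 			    FILESYSTEM__ASSOCIATE, &ad);
 }
 
+/* Check whether a task can create a key. */
+static int may_create_key(u32 ksid,
+			  struct task_struct *ctx)
+{
+	struct task_security_struct *tsec;
+
+	tsec = ctx->security;
+
+	return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
+}
+
 #define MAY_LINK 0
 #define MAY_UNLINK 1
 #define MAY_RMDIR 2
@@ -4150,6 +4161,8 @@ static int selinux_getprocattr(struct task_struct *p,
 		sid = tsec->exec_sid;
 	else if (!strcmp(name, "fscreate"))
 		sid = tsec->create_sid;
+	else if (!strcmp(name, "keycreate"))
+		sid = tsec->keycreate_sid;
 	else
 		return -EINVAL;
 
@@ -4182,6 +4195,8 @@ static int selinux_setprocattr(struct task_struct *p,
 		error = task_has_perm(current, p, PROCESS__SETEXEC);
 	else if (!strcmp(name, "fscreate"))
 		error = task_has_perm(current, p, PROCESS__SETFSCREATE);
+	else if (!strcmp(name, "keycreate"))
+		error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
 	else if (!strcmp(name, "current"))
 		error = task_has_perm(current, p, PROCESS__SETCURRENT);
 	else
@@ -4211,7 +4226,12 @@ static int selinux_setprocattr(struct task_struct *p,
 		tsec->exec_sid = sid;
 	else if (!strcmp(name, "fscreate"))
 		tsec->create_sid = sid;
-	else if (!strcmp(name, "current")) {
+	else if (!strcmp(name, "keycreate")) {
+		error = may_create_key(sid, p);
+		if (error)
+			return error;
+		tsec->keycreate_sid = sid;
+	} else if (!strcmp(name, "current")) {
 		struct av_decision avd;
 
 		if (sid == 0)
@@ -4275,7 +4295,10 @@ static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
 		return -ENOMEM;
 
 	ksec->obj = k;
-	ksec->sid = tsec->sid;
+	if (tsec->keycreate_sid)
+		ksec->sid = tsec->keycreate_sid;
+	else
+		ksec->sid = tsec->sid;
 	k->security = ksec;
 
 	return 0;
@@ -4514,10 +4537,10 @@ static __init int selinux_init(void)
 
 #ifdef CONFIG_KEYS
 	/* Add security information to initial keyrings */
-	security_key_alloc(&root_user_keyring, current,
+	selinux_key_alloc(&root_user_keyring, current,
 			   KEY_ALLOC_NOT_IN_QUOTA);
-	security_key_alloc(&root_session_keyring, current,
+	selinux_key_alloc(&root_session_keyring, current,
 			   KEY_ALLOC_NOT_IN_QUOTA);
 #endif
 
 	return 0;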
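Review bot: In the keycreate branch of selinux_setprocattr (new lines 4229-4233) `may_create_key(sid, p)` runs unconditionally, so a write that clears the attribute — the `current` branch just below tests `if (sid == 0)`, which suggests an empty write maps to sid 0 — would submit an AVC query with target SID 0 instead of simply resetting the field, while the exec and fscreate branches assign without any check. Guard the permission check so that clearing stays consistent with the other attributes: `if (sid) { error = may_create_key(sid, p); if (error) return error; }` followed by `tsec->keycreate_sid = sid;`. selinux_setprocattr starts and ends outside the hunk, so how sid is derived from the written string is not visible here. The diffstat lists 35 changed lines for hooks.c while the hunks shown account for fewer, so whether keycreate_sid is reset alongside create_sid on exec cannot be confirmed from this page and is worth checking.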
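--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -72,6 +72,7 @@
    S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
    S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
    S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
+   S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
    S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
    S_(SECCLASS_MSG, MSG__SEND, "send")
    S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
@@ -248,3 +249,4 @@
    S_(SECCLASS_KEY, KEY__SEARCH, "search")
    S_(SECCLASS_KEY, KEY__LINK, "link")
    S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
+   S_(SECCLASS_KEY, KEY__CREATE, "create")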
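--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -467,6 +467,7 @@
 #define PROCESS__EXECMEM 0x02000000UL
 #define PROCESS__EXECSTACK 0x04000000UL
 #define PROCESS__EXECHEAP 0x08000000UL
+#define PROCESS__SETKEYCREATE 0x10000000UL
 
 #define IPC__CREATE 0x00000001UL
 #define IPC__DESTROY 0x00000002UL
@@ -966,4 +967,4 @@
 #define KEY__SEARCH 0x00000008UL
 #define KEY__LINK 0x00000010UL
 #define KEY__SETATTR 0x00000020UL
-
+#define KEY__CREATE 0x00000040UL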
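--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -32,6 +32,7 @@ struct task_security_struct {
 	u32 sid; /* current SID */
 	u32 exec_sid; /* exec SID */
 	u32 create_sid; /* fscreate SID */
+	u32 keycreate_sid; /* keycreate SID */
 	u32 ptrace_sid; /* SID of ptrace parent */
 };
 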