hooks.c (4f5a884fc212d99654e4fb36ba98d5354f0dd18e) | hooks.c (0266c25e7c2821181b610595df42cbca6bc93cb8) |
---|---|
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> --- 216 unchanged lines hidden (view full) --- 225{ 226 const struct task_security_struct *tsec; 227 228 tsec = selinux_cred(cred); 229 return tsec->sid; 230} 231 232/* | 1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> --- 216 unchanged lines hidden (view full) --- 225{ 226 const struct task_security_struct *tsec; 227 228 tsec = selinux_cred(cred); 229 return tsec->sid; 230} 231 232/* |
233 * get the subjective security ID of a task 234 */ 235static inline u32 task_sid_subj(const struct task_struct *task) 236{ 237 u32 sid; 238 239 rcu_read_lock(); 240 sid = cred_sid(rcu_dereference(task->cred)); 241 rcu_read_unlock(); 242 return sid; 243} 244 245/* | |
246 * get the objective security ID of a task 247 */ 248static inline u32 task_sid_obj(const struct task_struct *task) 249{ 250 u32 sid; 251 252 rcu_read_lock(); 253 sid = cred_sid(__task_cred(task)); --- 233 unchanged lines hidden (view full) --- 487 case SECURITY_FS_USE_NONE: 488 default: 489 return 0; 490 } 491} 492 493static int sb_check_xattr_support(struct super_block *sb) 494{ | 233 * get the objective security ID of a task 234 */ 235static inline u32 task_sid_obj(const struct task_struct *task) 236{ 237 u32 sid; 238 239 rcu_read_lock(); 240 sid = cred_sid(__task_cred(task)); --- 233 unchanged lines hidden (view full) --- 474 case SECURITY_FS_USE_NONE: 475 default: 476 return 0; 477 } 478} 479 480static int sb_check_xattr_support(struct super_block *sb) 481{ |
495 struct superblock_security_struct *sbsec = sb->s_security; | 482 struct superblock_security_struct *sbsec = selinux_superblock(sb); |
496 struct dentry *root = sb->s_root; 497 struct inode *root_inode = d_backing_inode(root); 498 u32 sid; 499 int rc; 500 501 /* 502 * Make sure that the xattr handler exists and that no 503 * error other than -ENODATA is returned by getxattr on --- 479 unchanged lines hidden (view full) --- 983out: 984 mutex_unlock(&newsbsec->lock); 985 return rc; 986} 987 988static int selinux_add_opt(int token, const char *s, void **mnt_opts) 989{ 990 struct selinux_mnt_opts *opts = *mnt_opts; | 483 struct dentry *root = sb->s_root; 484 struct inode *root_inode = d_backing_inode(root); 485 u32 sid; 486 int rc; 487 488 /* 489 * Make sure that the xattr handler exists and that no 490 * error other than -ENODATA is returned by getxattr on --- 479 unchanged lines hidden (view full) --- 970out: 971 mutex_unlock(&newsbsec->lock); 972 return rc; 973} 974 975static int selinux_add_opt(int token, const char *s, void **mnt_opts) 976{ 977 struct selinux_mnt_opts *opts = *mnt_opts; |
978 bool is_alloc_opts = false; |
|
991 | 979 |
992 if (token == Opt_seclabel) /* eaten and completely ignored */ | 980 if (token == Opt_seclabel) 981 /* eaten and completely ignored */ |
993 return 0; | 982 return 0; |
983 if (!s) 984 return -ENOMEM; |
|
994 995 if (!opts) { | 985 986 if (!opts) { |
996 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); | 987 opts = kzalloc(sizeof(*opts), GFP_KERNEL); |
997 if (!opts) 998 return -ENOMEM; 999 *mnt_opts = opts; | 988 if (!opts) 989 return -ENOMEM; 990 *mnt_opts = opts; |
991 is_alloc_opts = true; |
|
1000 } | 992 } |
1001 if (!s) 1002 return -ENOMEM; | 993 |
1003 switch (token) { 1004 case Opt_context: 1005 if (opts->context || opts->defcontext) | 994 switch (token) { 995 case Opt_context: 996 if (opts->context || opts->defcontext) |
1006 goto Einval; | 997 goto err; |
1007 opts->context = s; 1008 break; 1009 case Opt_fscontext: 1010 if (opts->fscontext) | 998 opts->context = s; 999 break; 1000 case Opt_fscontext: 1001 if (opts->fscontext) |
1011 goto Einval; | 1002 goto err; |
1012 opts->fscontext = s; 1013 break; 1014 case Opt_rootcontext: 1015 if (opts->rootcontext) | 1003 opts->fscontext = s; 1004 break; 1005 case Opt_rootcontext: 1006 if (opts->rootcontext) |
1016 goto Einval; | 1007 goto err; |
1017 opts->rootcontext = s; 1018 break; 1019 case Opt_defcontext: 1020 if (opts->context || opts->defcontext) | 1008 opts->rootcontext = s; 1009 break; 1010 case Opt_defcontext: 1011 if (opts->context || opts->defcontext) |
1021 goto Einval; | 1012 goto err; |
1022 opts->defcontext = s; 1023 break; 1024 } | 1013 opts->defcontext = s; 1014 break; 1015 } |
1016 |
|
1025 return 0; | 1017 return 0; |
1026Einval: 1027 pr_warn(SEL_MOUNT_FAIL_MSG); 1028 return -EINVAL; 1029} | |
1030 | 1018 |
1031static int selinux_add_mnt_opt(const char *option, const char *val, int len, 1032 void **mnt_opts) 1033{ 1034 int token = Opt_error; 1035 int rc, i; 1036 1037 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 1038 if (strcmp(option, tokens[i].name) == 0) { 1039 token = tokens[i].opt; 1040 break; 1041 } 1042 } 1043 1044 if (token == Opt_error) 1045 return -EINVAL; 1046 1047 if (token != Opt_seclabel) { 1048 val = kmemdup_nul(val, len, GFP_KERNEL); 1049 if (!val) { 1050 rc = -ENOMEM; 1051 goto free_opt; 1052 } 1053 } 1054 rc = selinux_add_opt(token, val, mnt_opts); 1055 if (unlikely(rc)) { 1056 kfree(val); 1057 goto free_opt; 1058 } 1059 return rc; 1060 1061free_opt: 1062 if (*mnt_opts) { 1063 selinux_free_mnt_opts(*mnt_opts); | 1019err: 1020 if (is_alloc_opts) { 1021 kfree(opts); |
1064 *mnt_opts = NULL; 1065 } | 1022 *mnt_opts = NULL; 1023 } |
1066 return rc; | 1024 pr_warn(SEL_MOUNT_FAIL_MSG); 1025 return -EINVAL; |
1067} 1068 1069static int show_sid(struct seq_file *m, u32 sid) 1070{ 1071 char *context = NULL; 1072 u32 len; 1073 int rc; 1074 --- 1608 unchanged lines hidden (view full) --- 2683 *mnt_opts = NULL; 2684 } 2685 return rc; 2686} 2687 2688static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2689{ 2690 struct selinux_mnt_opts *opts = mnt_opts; | 1026} 1027 1028static int show_sid(struct seq_file *m, u32 sid) 1029{ 1030 char *context = NULL; 1031 u32 len; 1032 int rc; 1033 --- 1608 unchanged lines hidden (view full) --- 2642 *mnt_opts = NULL; 2643 } 2644 return rc; 2645} 2646 2647static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2648{ 2649 struct selinux_mnt_opts *opts = mnt_opts; |
2691 struct superblock_security_struct *sbsec = sb->s_security; | 2650 struct superblock_security_struct *sbsec = selinux_superblock(sb); |
2692 u32 sid; 2693 int rc; 2694 2695 /* 2696 * Superblock not initialized (i.e. no options) - reject if any 2697 * options specified, otherwise accept. 2698 */ 2699 if (!(sbsec->flags & SE_SBINITIALIZED)) --- 1505 unchanged lines hidden (view full) --- 4205 4206static int selinux_task_getsid(struct task_struct *p) 4207{ 4208 return avc_has_perm(&selinux_state, 4209 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4210 PROCESS__GETSESSION, NULL); 4211} 4212 | 2651 u32 sid; 2652 int rc; 2653 2654 /* 2655 * Superblock not initialized (i.e. no options) - reject if any 2656 * options specified, otherwise accept. 2657 */ 2658 if (!(sbsec->flags & SE_SBINITIALIZED)) --- 1505 unchanged lines hidden (view full) --- 4164 4165static int selinux_task_getsid(struct task_struct *p) 4166{ 4167 return avc_has_perm(&selinux_state, 4168 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4169 PROCESS__GETSESSION, NULL); 4170} 4171 |
4213static void selinux_task_getsecid_subj(struct task_struct *p, u32 *secid) | 4172static void selinux_current_getsecid_subj(u32 *secid) |
4214{ | 4173{ |
4215 *secid = task_sid_subj(p); | 4174 *secid = current_sid(); |
4216} 4217 4218static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) 4219{ 4220 *secid = task_sid_obj(p); 4221} 4222 4223static int selinux_task_setnice(struct task_struct *p, int nice) --- 2935 unchanged lines hidden (view full) --- 7159 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7160 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7161 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7162 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7163 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7164 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7165 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7166 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), | 4175} 4176 4177static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) 4178{ 4179 *secid = task_sid_obj(p); 4180} 4181 4182static int selinux_task_setnice(struct task_struct *p, int nice) --- 2935 unchanged lines hidden (view full) --- 7118 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7119 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7120 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7121 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7122 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7123 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7124 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7125 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), |
7167 LSM_HOOK_INIT(task_getsecid_subj, selinux_task_getsecid_subj), | 7126 LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj), |
7168 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), 7169 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7170 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7171 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7172 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7173 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7174 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7175 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), --- 122 unchanged lines hidden (view full) --- 7298#endif 7299 7300 /* 7301 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7302 */ 7303 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7304 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7305 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), | 7127 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), 7128 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7129 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7130 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7131 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7132 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7133 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7134 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), --- 122 unchanged lines hidden (view full) --- 7257#endif 7258 7259 /* 7260 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7261 */ 7262 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7263 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7264 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), |
7306 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), | |
7307#ifdef CONFIG_SECURITY_NETWORK_XFRM 7308 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7309#endif 7310 7311 /* 7312 * PUT "ALLOCATING" HOOKS HERE 7313 */ 7314 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), --- 229 unchanged lines hidden --- | 7265#ifdef CONFIG_SECURITY_NETWORK_XFRM 7266 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7267#endif 7268 7269 /* 7270 * PUT "ALLOCATING" HOOKS HERE 7271 */ 7272 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), --- 229 unchanged lines hidden --- |
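Review bot: In selinux_add_opt() the new `is_alloc_opts` cleanup at `err:` appears unreachable: every `goto err` fires only when a context field is already set, and an `opts` that this same call just `kzalloc`ed has every field NULL, so the `kfree(opts)` can never execute and the flag is dead weight that makes a reader assume a real leak is being closed. Either drop it or mark it, e.g. `/* err: only reachable with a pre-existing opts; kfree is defensive */`. The more concrete gap is that `switch (token)` still has no `default`, so any token other than the four context options and Opt_seclabel returns 0 without storing `s`; if the caller (not visible here) treats 0 as "string consumed" the duplicated string leaks, so add `default: return -EINVAL;` (or `goto err` if the same cleanup is wanted). Returning `-ENOMEM` for a NULL `s` also misreports a bad argument as an allocation failure; `-EINVAL` is the honest code, though that predates this change.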