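--- a/hooks.c
+++ b/hooks.c
@@ -1,8 +1,8 @@
 /*
  * NSA Security-Enhanced Linux (SELinux) security module
  *
  * This file contains the SELinux hook function implementations.
  *
  * Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
  *           Chris Vance, <cvance@nai.com>
  *           Wayne Salamon, <wsalamon@nai.com>
@@ -2124,17 +2124,17 @@
 
 	/* Revalidate access to inherited open files. */
 	spin_lock(&files->file_lock);
 	for (;;) {
 		unsigned long set, i;
 		int fd;
 
 		j++;
-		i = j * __NFDBITS;
+		i = j * BITS_PER_LONG;
 		fdt = files_fdtable(files);
 		if (i >= fdt->max_fds)
 			break;
 		set = fdt->open_fds[j];
 		if (!set)
 			continue;
 		spin_unlock(&files->file_lock);
 		for ( ; set ; i++, set >>= 1) {
@@ -2152,18 +2152,17 @@
 				put_unused_fd(fd);
 				fput(file);
 				continue;
 			}
 			if (devnull) {
 				get_file(devnull);
 			} else {
 				devnull = dentry_open(
-					dget(selinux_null),
-					mntget(selinuxfs_mount),
+					&selinux_null,
 					O_RDWR, cred);
 				if (IS_ERR(devnull)) {
 					devnull = NULL;
 					put_unused_fd(fd);
 					fput(file);
 					continue;
 				}
 			}
@@ -2787,21 +2786,26 @@
 	if (rc == -EINVAL) {
 		if (!capable(CAP_MAC_ADMIN)) {
 			struct audit_buffer *ab;
 			size_t audit_size;
 			const char *str;
 
 			/* We strip a nul only if it is at the end, otherwise the
 			 * context contains a nul and we should audit that */
-			str = value;
-			if (str[size - 1] == '\0')
-				audit_size = size - 1;
-			else
-				audit_size = size;
+			if (value) {
+				str = value;
+				if (str[size - 1] == '\0')
+					audit_size = size - 1;
+				else
+					audit_size = size;
+			} else {
+				str = "";
+				audit_size = 0;
+			}
 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
 			audit_log_format(ab, "op=setxattr invalid_context=");
 			audit_log_n_untrustedstring(ab, value, audit_size);
 			audit_log_end(ab);
 
 			return rc;
 		}
 		rc = security_context_to_sid_force(value, size, &newsid);
@@ -5758,50 +5762,50 @@
 security_initcall(selinux_init);
 
 #if defined(CONFIG_NETFILTER)
 
 static struct nf_hook_ops selinux_ipv4_ops[] = {
 	{
 		.hook = selinux_ipv4_postroute,
 		.owner = THIS_MODULE,
-		.pf = PF_INET,
+		.pf = NFPROTO_IPV4,
 		.hooknum = NF_INET_POST_ROUTING,
 		.priority = NF_IP_PRI_SELINUX_LAST,
 	},
 	{
 		.hook = selinux_ipv4_forward,
 		.owner = THIS_MODULE,
-		.pf = PF_INET,
+		.pf = NFPROTO_IPV4,
 		.hooknum = NF_INET_FORWARD,
 		.priority = NF_IP_PRI_SELINUX_FIRST,
 	},
 	{
 		.hook = selinux_ipv4_output,
 		.owner = THIS_MODULE,
-		.pf = PF_INET,
+		.pf = NFPROTO_IPV4,
 		.hooknum = NF_INET_LOCAL_OUT,
 		.priority = NF_IP_PRI_SELINUX_FIRST,
 	}
 };
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 
 static struct nf_hook_ops selinux_ipv6_ops[] = {
 	{
 		.hook = selinux_ipv6_postroute,
 		.owner = THIS_MODULE,
-		.pf = PF_INET6,
+		.pf = NFPROTO_IPV6,
 		.hooknum = NF_INET_POST_ROUTING,
 		.priority = NF_IP6_PRI_SELINUX_LAST,
 	},
 	{
 		.hook = selinux_ipv6_forward,
 		.owner = THIS_MODULE,
-		.pf = PF_INET6,
+		.pf = NFPROTO_IPV6,
 		.hooknum = NF_INET_FORWARD,
 		.priority = NF_IP6_PRI_SELINUX_FIRST,
 	}
 };
 
 #endif /* IPV6 */
 
 static int __init selinux_nf_ip_init(void)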
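Review bot: In the setxattr audit branch (new lines 2794–2803) the new `else` arm sets `str = ""`, but the record is still built from `value` at new line 2806, so on the NULL-value path the call becomes `audit_log_n_untrustedstring(ab, NULL, 0)` and the prepared fallback is dead. The log call should consume the pointer the branch chose: `audit_log_n_untrustedstring(ab, str, audit_size);`. The new guard also leaves `str[size - 1]` reachable for a non-NULL `value` with `size == 0`, where the `size_t` subtraction wraps; if callers can pass that combination, `if (value && size)` closes it, though the setxattr path may already hand a NULL value for zero size — worth confirming before relying on it. The enclosing hook starts and ends outside the hunk; the `BITS_PER_LONG`, `dentry_open` and netfilter `.pf` rename hunks raise nothing further.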