| hooks.c (95c14904b6f6f8a35365f0c58d530c85b4fb96b4) | hooks.c (5626d3e86141390c8efc7bcb929b6a4b58b00480) |
|---|---|
| 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 1878 unchanged lines hidden (view full) --- 1887 error = secondary_ops->capset(new, old, 1888 effective, inheritable, permitted); 1889 if (error) 1890 return error; 1891 1892 return cred_has_perm(old, new, PROCESS__SETCAP); 1893} 1894 | 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 1878 unchanged lines hidden (view full) --- 1887 error = secondary_ops->capset(new, old, 1888 effective, inheritable, permitted); 1889 if (error) 1890 return error; 1891 1892 return cred_has_perm(old, new, PROCESS__SETCAP); 1893} 1894 |
| 1895/* 1896 * (This comment used to live with the selinux_task_setuid hook, 1897 * which was removed). 1898 * 1899 * Since setuid only affects the current process, and since the SELinux 1900 * controls are not based on the Linux identity attributes, SELinux does not 1901 * need to control this operation. However, SELinux does control the use of 1902 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 1903 */ 1904 |
|
| 1895static int selinux_capable(struct task_struct *tsk, const struct cred *cred, 1896 int cap, int audit) 1897{ 1898 int rc; 1899 1900 rc = secondary_ops->capable(tsk, cred, cap, audit); 1901 if (rc) 1902 return rc; --- 1001 unchanged lines hidden (view full) --- 2904static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2905{ 2906 const int len = sizeof(XATTR_NAME_SELINUX); 2907 if (buffer && len <= buffer_size) 2908 memcpy(buffer, XATTR_NAME_SELINUX, len); 2909 return len; 2910} 2911 | 1905static int selinux_capable(struct task_struct *tsk, const struct cred *cred, 1906 int cap, int audit) 1907{ 1908 int rc; 1909 1910 rc = secondary_ops->capable(tsk, cred, cap, audit); 1911 if (rc) 1912 return rc; --- 1001 unchanged lines hidden (view full) --- 2914static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2915{ 2916 const int len = sizeof(XATTR_NAME_SELINUX); 2917 if (buffer && len <= buffer_size) 2918 memcpy(buffer, XATTR_NAME_SELINUX, len); 2919 return len; 2920} 2921 |
| 2912static int selinux_inode_need_killpriv(struct dentry *dentry) 2913{ 2914 return secondary_ops->inode_need_killpriv(dentry); 2915} 2916 2917static int selinux_inode_killpriv(struct dentry *dentry) 2918{ 2919 return secondary_ops->inode_killpriv(dentry); 2920} 2921 | |
| 2922static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) 2923{ 2924 struct inode_security_struct *isec = inode->i_security; 2925 *secid = isec->sid; 2926} 2927 2928/* file security operations */ 2929 --- 353 unchanged lines hidden (view full) --- 3283 KERNEL_SERVICE__CREATE_FILES_AS, 3284 NULL); 3285 3286 if (ret == 0) 3287 tsec->create_sid = isec->sid; 3288 return 0; 3289} 3290 | 2922static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) 2923{ 2924 struct inode_security_struct *isec = inode->i_security; 2925 *secid = isec->sid; 2926} 2927 2928/* file security operations */ 2929 --- 353 unchanged lines hidden (view full) --- 3283 KERNEL_SERVICE__CREATE_FILES_AS, 3284 NULL); 3285 3286 if (ret == 0) 3287 tsec->create_sid = isec->sid; 3288 return 0; 3289} 3290 |
| 3291static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3292{ 3293 /* Since setuid only affects the current process, and 3294 since the SELinux controls are not based on the Linux 3295 identity attributes, SELinux does not need to control 3296 this operation. However, SELinux does control the use 3297 of the CAP_SETUID and CAP_SETGID capabilities using the 3298 capable hook. */ 3299 return 0; 3300} 3301 3302static int selinux_task_fix_setuid(struct cred *new, const struct cred *old, 3303 int flags) 3304{ 3305 return secondary_ops->task_fix_setuid(new, old, flags); 3306} 3307 3308static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 3309{ 3310 /* See the comment for setuid above. */ 3311 return 0; 3312} 3313 | |
| 3314static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3315{ 3316 return current_has_perm(p, PROCESS__SETPGID); 3317} 3318 3319static int selinux_task_getpgid(struct task_struct *p) 3320{ 3321 return current_has_perm(p, PROCESS__GETPGID); --- 4 unchanged lines hidden (view full) --- 3326 return current_has_perm(p, PROCESS__GETSESSION); 3327} 3328 3329static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3330{ 3331 *secid = task_sid(p); 3332} 3333 | 3291static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3292{ 3293 return current_has_perm(p, PROCESS__SETPGID); 3294} 3295 3296static int selinux_task_getpgid(struct task_struct *p) 3297{ 3298 return current_has_perm(p, PROCESS__GETPGID); --- 4 unchanged lines hidden (view full) --- 3303 return current_has_perm(p, PROCESS__GETSESSION); 3304} 3305 3306static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3307{ 3308 *secid = task_sid(p); 3309} 3310 |
| 3334static int selinux_task_setgroups(struct group_info *group_info) 3335{ 3336 /* See the comment for setuid above. */ 3337 return 0; 3338} 3339 | |
| 3340static int selinux_task_setnice(struct task_struct *p, int nice) 3341{ 3342 int rc; 3343 3344 rc = secondary_ops->task_setnice(p, nice); 3345 if (rc) 3346 return rc; 3347 --- 64 unchanged lines hidden (view full) --- 3412 if (secid) 3413 rc = avc_has_perm(secid, task_sid(p), 3414 SECCLASS_PROCESS, perm, NULL); 3415 else 3416 rc = current_has_perm(p, perm); 3417 return rc; 3418} 3419 | 3311static int selinux_task_setnice(struct task_struct *p, int nice) 3312{ 3313 int rc; 3314 3315 rc = secondary_ops->task_setnice(p, nice); 3316 if (rc) 3317 return rc; 3318 --- 64 unchanged lines hidden (view full) --- 3383 if (secid) 3384 rc = avc_has_perm(secid, task_sid(p), 3385 SECCLASS_PROCESS, perm, NULL); 3386 else 3387 rc = current_has_perm(p, perm); 3388 return rc; 3389} 3390 |
| 3420static int selinux_task_prctl(int option, 3421 unsigned long arg2, 3422 unsigned long arg3, 3423 unsigned long arg4, 3424 unsigned long arg5) 3425{ 3426 /* The current prctl operations do not appear to require 3427 any SELinux controls since they merely observe or modify 3428 the state of the current process. */ 3429 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5); 3430} 3431 | |
| 3432static int selinux_task_wait(struct task_struct *p) 3433{ 3434 return task_has_perm(p, current, PROCESS__SIGCHLD); 3435} 3436 3437static void selinux_task_to_inode(struct task_struct *p, 3438 struct inode *inode) 3439{ --- 2118 unchanged lines hidden (view full) --- 5558 .inode_setxattr = selinux_inode_setxattr, 5559 .inode_post_setxattr = selinux_inode_post_setxattr, 5560 .inode_getxattr = selinux_inode_getxattr, 5561 .inode_listxattr = selinux_inode_listxattr, 5562 .inode_removexattr = selinux_inode_removexattr, 5563 .inode_getsecurity = selinux_inode_getsecurity, 5564 .inode_setsecurity = selinux_inode_setsecurity, 5565 .inode_listsecurity = selinux_inode_listsecurity, | 3391static int selinux_task_wait(struct task_struct *p) 3392{ 3393 return task_has_perm(p, current, PROCESS__SIGCHLD); 3394} 3395 3396static void selinux_task_to_inode(struct task_struct *p, 3397 struct inode *inode) 3398{ --- 2118 unchanged lines hidden (view full) --- 5517 .inode_setxattr = selinux_inode_setxattr, 5518 .inode_post_setxattr = selinux_inode_post_setxattr, 5519 .inode_getxattr = selinux_inode_getxattr, 5520 .inode_listxattr = selinux_inode_listxattr, 5521 .inode_removexattr = selinux_inode_removexattr, 5522 .inode_getsecurity = selinux_inode_getsecurity, 5523 .inode_setsecurity = selinux_inode_setsecurity, 5524 .inode_listsecurity = selinux_inode_listsecurity, |
| 5566 .inode_need_killpriv = selinux_inode_need_killpriv, 5567 .inode_killpriv = selinux_inode_killpriv, | |
| 5568 .inode_getsecid = selinux_inode_getsecid, 5569 5570 .file_permission = selinux_file_permission, 5571 .file_alloc_security = selinux_file_alloc_security, 5572 .file_free_security = selinux_file_free_security, 5573 .file_ioctl = selinux_file_ioctl, 5574 .file_mmap = selinux_file_mmap, 5575 .file_mprotect = selinux_file_mprotect, --- 5 unchanged lines hidden (view full) --- 5581 5582 .dentry_open = selinux_dentry_open, 5583 5584 .task_create = selinux_task_create, 5585 .cred_free = selinux_cred_free, 5586 .cred_prepare = selinux_cred_prepare, 5587 .kernel_act_as = selinux_kernel_act_as, 5588 .kernel_create_files_as = selinux_kernel_create_files_as, | 5525 .inode_getsecid = selinux_inode_getsecid, 5526 5527 .file_permission = selinux_file_permission, 5528 .file_alloc_security = selinux_file_alloc_security, 5529 .file_free_security = selinux_file_free_security, 5530 .file_ioctl = selinux_file_ioctl, 5531 .file_mmap = selinux_file_mmap, 5532 .file_mprotect = selinux_file_mprotect, --- 5 unchanged lines hidden (view full) --- 5538 5539 .dentry_open = selinux_dentry_open, 5540 5541 .task_create = selinux_task_create, 5542 .cred_free = selinux_cred_free, 5543 .cred_prepare = selinux_cred_prepare, 5544 .kernel_act_as = selinux_kernel_act_as, 5545 .kernel_create_files_as = selinux_kernel_create_files_as, |
| 5589 .task_setuid = selinux_task_setuid, 5590 .task_fix_setuid = selinux_task_fix_setuid, 5591 .task_setgid = selinux_task_setgid, | |
| 5592 .task_setpgid = selinux_task_setpgid, 5593 .task_getpgid = selinux_task_getpgid, 5594 .task_getsid = selinux_task_getsid, 5595 .task_getsecid = selinux_task_getsecid, | 5546 .task_setpgid = selinux_task_setpgid, 5547 .task_getpgid = selinux_task_getpgid, 5548 .task_getsid = selinux_task_getsid, 5549 .task_getsecid = selinux_task_getsecid, |
| 5596 .task_setgroups = selinux_task_setgroups, | |
| 5597 .task_setnice = selinux_task_setnice, 5598 .task_setioprio = selinux_task_setioprio, 5599 .task_getioprio = selinux_task_getioprio, 5600 .task_setrlimit = selinux_task_setrlimit, 5601 .task_setscheduler = selinux_task_setscheduler, 5602 .task_getscheduler = selinux_task_getscheduler, 5603 .task_movememory = selinux_task_movememory, 5604 .task_kill = selinux_task_kill, 5605 .task_wait = selinux_task_wait, | 5550 .task_setnice = selinux_task_setnice, 5551 .task_setioprio = selinux_task_setioprio, 5552 .task_getioprio = selinux_task_getioprio, 5553 .task_setrlimit = selinux_task_setrlimit, 5554 .task_setscheduler = selinux_task_setscheduler, 5555 .task_getscheduler = selinux_task_getscheduler, 5556 .task_movememory = selinux_task_movememory, 5557 .task_kill = selinux_task_kill, 5558 .task_wait = selinux_task_wait, |
| 5606 .task_prctl = selinux_task_prctl, | |
| 5607 .task_to_inode = selinux_task_to_inode, 5608 5609 .ipc_permission = selinux_ipc_permission, 5610 .ipc_getsecid = selinux_ipc_getsecid, 5611 5612 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5613 .msg_msg_free_security = selinux_msg_msg_free_security, 5614 --- 282 unchanged lines hidden --- | 5559 .task_to_inode = selinux_task_to_inode, 5560 5561 .ipc_permission = selinux_ipc_permission, 5562 .ipc_getsecid = selinux_ipc_getsecid, 5563 5564 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5565 .msg_msg_free_security = selinux_msg_msg_free_security, 5566 --- 282 unchanged lines hidden --- |