hooks.c (9b8321531a90c400e9c561d903926eee79639dcf) | hooks.c (04f6d70f6e64900a5d70a5fc199dd9d5fa787738) |
1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 1959 unchanged lines hidden (view full) --- 1968 1969static int selinux_quota_on(struct dentry *dentry) 1970{ 1971 const struct cred *cred = current_cred(); 1972 1973 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); 1974} 1975 | 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 1959 unchanged lines hidden (view full) --- 1968 1969static int selinux_quota_on(struct dentry *dentry) 1970{ 1971 const struct cred *cred = current_cred(); 1972 1973 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); 1974} 1975 |
1976static int selinux_syslog(int type) | 1976static int selinux_syslog(int type, bool from_file) |
1977{ 1978 int rc; 1979 | 1977{ 1978 int rc; 1979 |
1980 rc = cap_syslog(type, from_file); 1981 if (rc) 1982 return rc; 1983 |
|
1980 switch (type) { 1981 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 1982 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 1983 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1984 break; 1985 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 1986 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 1987 /* Set level of messages printed to console */ --- 2588 unchanged lines hidden (view full) --- 4576 break; 4577 case PF_INET6: 4578 if (IP6CB(skb)->flags & IP6SKB_FORWARDED) 4579 secmark_perm = PACKET__FORWARD_OUT; 4580 else 4581 secmark_perm = PACKET__SEND; 4582 break; 4583 default: | 1984 switch (type) { 1985 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 1986 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 1987 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1988 break; 1989 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 1990 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 1991 /* Set level of messages printed to console */ --- 2588 unchanged lines hidden (view full) --- 4580 break; 4581 case PF_INET6: 4582 if (IP6CB(skb)->flags & IP6SKB_FORWARDED) 4583 secmark_perm = PACKET__FORWARD_OUT; 4584 else 4585 secmark_perm = PACKET__SEND; 4586 break; 4587 default: |
4584 return NF_DROP; | 4588 return NF_DROP_ERR(-ECONNREFUSED); |
4585 } 4586 if (secmark_perm == PACKET__FORWARD_OUT) { 4587 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4588 return NF_DROP; 4589 } else 4590 peer_sid = SECINITSID_KERNEL; 4591 } else { 4592 struct sk_security_struct *sksec = sk->sk_security; --- 5 unchanged lines hidden (view full) --- 4598 ad.u.net.netif = ifindex; 4599 ad.u.net.family = family; 4600 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 4601 return NF_DROP; 4602 4603 if (secmark_active) 4604 if (avc_has_perm(peer_sid, skb->secmark, 4605 SECCLASS_PACKET, secmark_perm, &ad)) | 4589 } 4590 if (secmark_perm == PACKET__FORWARD_OUT) { 4591 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4592 return NF_DROP; 4593 } else 4594 peer_sid = SECINITSID_KERNEL; 4595 } else { 4596 struct sk_security_struct *sksec = sk->sk_security; --- 5 unchanged lines hidden (view full) --- 4602 ad.u.net.netif = ifindex; 4603 ad.u.net.family = family; 4604 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 4605 return NF_DROP; 4606 4607 if (secmark_active) 4608 if (avc_has_perm(peer_sid, skb->secmark, 4609 SECCLASS_PACKET, secmark_perm, &ad)) |
4606 return NF_DROP; | 4610 return NF_DROP_ERR(-ECONNREFUSED); |
4607 4608 if (peerlbl_active) { 4609 u32 if_sid; 4610 u32 node_sid; 4611 4612 if (sel_netif_sid(ifindex, &if_sid)) 4613 return NF_DROP; 4614 if (avc_has_perm(peer_sid, if_sid, 4615 SECCLASS_NETIF, NETIF__EGRESS, &ad)) | 4611 4612 if (peerlbl_active) { 4613 u32 if_sid; 4614 u32 node_sid; 4615 4616 if (sel_netif_sid(ifindex, &if_sid)) 4617 return NF_DROP; 4618 if (avc_has_perm(peer_sid, if_sid, 4619 SECCLASS_NETIF, NETIF__EGRESS, &ad)) |
4616 return NF_DROP; | 4620 return NF_DROP_ERR(-ECONNREFUSED); |
4617 4618 if (sel_netnode_sid(addrp, family, &node_sid)) 4619 return NF_DROP; 4620 if (avc_has_perm(peer_sid, node_sid, 4621 SECCLASS_NODE, NODE__SENDTO, &ad)) | 4621 4622 if (sel_netnode_sid(addrp, family, &node_sid)) 4623 return NF_DROP; 4624 if (avc_has_perm(peer_sid, node_sid, 4625 SECCLASS_NODE, NODE__SENDTO, &ad)) |
4622 return NF_DROP; | 4626 return NF_DROP_ERR(-ECONNREFUSED); |
4623 } 4624 4625 return NF_ACCEPT; 4626} 4627 4628static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4629 struct sk_buff *skb, 4630 const struct net_device *in, --- 1139 unchanged lines hidden --- | 4627 } 4628 4629 return NF_ACCEPT; 4630} 4631 4632static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4633 struct sk_buff *skb, 4634 const struct net_device *in, --- 1139 unchanged lines hidden --- |
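Review bot: The postroute path now returns `NF_DROP_ERR(-ECONNREFUSED)` for the three avc_has_perm denials and the unknown-family default, while the failures of selinux_skb_peerlbl_sid, selinux_parse_skb, sel_netif_sid and sel_netnode_sid in the same function still return plain `NF_DROP`, so a sender gets an errno only for policy denials and a silent drop for label-lookup failures. If that split is intentional (lookup failures being internal errors rather than refusals), a comment at the first of those plain returns, `/* label lookup failed: silent drop, not a policy refusal */`, would make it explicit; the default case also reports a refusal for what is an unsupported address family, which is worth a second look. The enclosing function's signature is outside the visible hunk. In selinux_syslog the added `cap_syslog(type, from_file)` call runs before the SELinux permission switch, so when it fails the SELinux check below is never reached; a one-line comment above the call stating that the capability check is deliberately first would help the next reader.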