hooks.c (b0c636b99997c8594da6a46e166ce4fcf6956fda) hooks.c (dd6f953adb5c4deb9cd7b6a5054e7d5eafe4ed71)
1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>

--- 654 unchanged lines hidden (view full) ---

663
664 if (strcmp(sb->s_type->name, "proc") == 0)
665 sbsec->proc = 1;
666
667 /* Determine the labeling behavior to use for this filesystem type. */
668 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
669 if (rc) {
670 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>

--- 654 unchanged lines hidden (view full) ---

663
664 if (strcmp(sb->s_type->name, "proc") == 0)
665 sbsec->proc = 1;
666
667 /* Determine the labeling behavior to use for this filesystem type. */
668 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
669 if (rc) {
670 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
671 __FUNCTION__, sb->s_type->name, rc);
671 __func__, sb->s_type->name, rc);
672 goto out;
673 }
674
675 /* sets the context of the superblock for the fs being mounted. */
676 if (fscontext_sid) {
677
678 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
679 if (rc)

--- 449 unchanged lines hidden (view full) ---

1129 /* Called from d_instantiate or d_splice_alias. */
1130 dentry = dget(opt_dentry);
1131 } else {
1132 /* Called from selinux_complete_init, try to find a dentry. */
1133 dentry = d_find_alias(inode);
1134 }
1135 if (!dentry) {
1136 printk(KERN_WARNING "%s: no dentry for dev=%s "
672 goto out;
673 }
674
675 /* sets the context of the superblock for the fs being mounted. */
676 if (fscontext_sid) {
677
678 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
679 if (rc)

--- 449 unchanged lines hidden (view full) ---

1129 /* Called from d_instantiate or d_splice_alias. */
1130 dentry = dget(opt_dentry);
1131 } else {
1132 /* Called from selinux_complete_init, try to find a dentry. */
1133 dentry = d_find_alias(inode);
1134 }
1135 if (!dentry) {
1136 printk(KERN_WARNING "%s: no dentry for dev=%s "
1137 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1137 "ino=%ld\n", __func__, inode->i_sb->s_id,
1138 inode->i_ino);
1139 goto out_unlock;
1140 }
1141
1142 len = INITCONTEXTLEN;
1143 context = kmalloc(len, GFP_NOFS);
1144 if (!context) {
1145 rc = -ENOMEM;

--- 21 unchanged lines hidden (view full) ---

1167 rc = inode->i_op->getxattr(dentry,
1168 XATTR_NAME_SELINUX,
1169 context, len);
1170 }
1171 dput(dentry);
1172 if (rc < 0) {
1173 if (rc != -ENODATA) {
1174 printk(KERN_WARNING "%s: getxattr returned "
1138 inode->i_ino);
1139 goto out_unlock;
1140 }
1141
1142 len = INITCONTEXTLEN;
1143 context = kmalloc(len, GFP_NOFS);
1144 if (!context) {
1145 rc = -ENOMEM;

--- 21 unchanged lines hidden (view full) ---

1167 rc = inode->i_op->getxattr(dentry,
1168 XATTR_NAME_SELINUX,
1169 context, len);
1170 }
1171 dput(dentry);
1172 if (rc < 0) {
1173 if (rc != -ENODATA) {
1174 printk(KERN_WARNING "%s: getxattr returned "
1175 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1175 "%d for dev=%s ino=%ld\n", __func__,
1176 -rc, inode->i_sb->s_id, inode->i_ino);
1177 kfree(context);
1178 goto out_unlock;
1179 }
1180 /* Map ENODATA to the default file SID */
1181 sid = sbsec->def_sid;
1182 rc = 0;
1183 } else {
1184 rc = security_context_to_sid_default(context, rc, &sid,
1185 sbsec->def_sid,
1186 GFP_NOFS);
1187 if (rc) {
1188 printk(KERN_WARNING "%s: context_to_sid(%s) "
1189 "returned %d for dev=%s ino=%ld\n",
1176 -rc, inode->i_sb->s_id, inode->i_ino);
1177 kfree(context);
1178 goto out_unlock;
1179 }
1180 /* Map ENODATA to the default file SID */
1181 sid = sbsec->def_sid;
1182 rc = 0;
1183 } else {
1184 rc = security_context_to_sid_default(context, rc, &sid,
1185 sbsec->def_sid,
1186 GFP_NOFS);
1187 if (rc) {
1188 printk(KERN_WARNING "%s: context_to_sid(%s) "
1189 "returned %d for dev=%s ino=%ld\n",
1190 __FUNCTION__, context, -rc,
1190 __func__, context, -rc,
1191 inode->i_sb->s_id, inode->i_ino);
1192 kfree(context);
1193 /* Leave with the unlabeled SID */
1194 rc = 0;
1195 break;
1196 }
1197 }
1198 kfree(context);

--- 1233 unchanged lines hidden (view full) ---

2432 } else {
2433 rc = security_transition_sid(tsec->sid, dsec->sid,
2434 inode_mode_to_security_class(inode->i_mode),
2435 &newsid);
2436 if (rc) {
2437 printk(KERN_WARNING "%s: "
2438 "security_transition_sid failed, rc=%d (dev=%s "
2439 "ino=%ld)\n",
1191 inode->i_sb->s_id, inode->i_ino);
1192 kfree(context);
1193 /* Leave with the unlabeled SID */
1194 rc = 0;
1195 break;
1196 }
1197 }
1198 kfree(context);

--- 1233 unchanged lines hidden (view full) ---

2432 } else {
2433 rc = security_transition_sid(tsec->sid, dsec->sid,
2434 inode_mode_to_security_class(inode->i_mode),
2435 &newsid);
2436 if (rc) {
2437 printk(KERN_WARNING "%s: "
2438 "security_transition_sid failed, rc=%d (dev=%s "
2439 "ino=%ld)\n",
2440 __FUNCTION__,
2440 __func__,
2441 -rc, inode->i_sb->s_id, inode->i_ino);
2442 return rc;
2443 }
2444 }
2445
2446 /* Possibly defer initialization to selinux_complete_init. */
2447 if (sbsec->initialized) {
2448 struct inode_security_struct *isec = inode->i_security;

--- 217 unchanged lines hidden (view full) ---

2666 if (strcmp(name, XATTR_NAME_SELINUX)) {
2667 /* Not an attribute we recognize, so nothing to do. */
2668 return;
2669 }
2670
2671 rc = security_context_to_sid(value, size, &newsid);
2672 if (rc) {
2673 printk(KERN_WARNING "%s: unable to obtain SID for context "
2441 -rc, inode->i_sb->s_id, inode->i_ino);
2442 return rc;
2443 }
2444 }
2445
2446 /* Possibly defer initialization to selinux_complete_init. */
2447 if (sbsec->initialized) {
2448 struct inode_security_struct *isec = inode->i_security;

--- 217 unchanged lines hidden (view full) ---

2666 if (strcmp(name, XATTR_NAME_SELINUX)) {
2667 /* Not an attribute we recognize, so nothing to do. */
2668 return;
2669 }
2670
2671 rc = security_context_to_sid(value, size, &newsid);
2672 if (rc) {
2673 printk(KERN_WARNING "%s: unable to obtain SID for context "
2674 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2674 "%s, rc=%d\n", __func__, (char*)value, -rc);
2675 return;
2676 }
2677
2678 isec->sid = newsid;
2679 return;
2680}
2681
2682static int selinux_inode_getxattr (struct dentry *dentry, char *name)

--- 2329 unchanged lines hidden (view full) ---

5012 return ipc_has_perm(ipcp, av);
5013}
5014
5015/* module stacking operations */
5016static int selinux_register_security (const char *name, struct security_operations *ops)
5017{
5018 if (secondary_ops != original_ops) {
5019 printk(KERN_ERR "%s: There is already a secondary security "
2675 return;
2676 }
2677
2678 isec->sid = newsid;
2679 return;
2680}
2681
2682static int selinux_inode_getxattr (struct dentry *dentry, char *name)

--- 2329 unchanged lines hidden (view full) ---

5012 return ipc_has_perm(ipcp, av);
5013}
5014
5015/* module stacking operations */
5016static int selinux_register_security (const char *name, struct security_operations *ops)
5017{
5018 if (secondary_ops != original_ops) {
5019 printk(KERN_ERR "%s: There is already a secondary security "
5020 "module registered.\n", __FUNCTION__);
5020 "module registered.\n", __func__);
5021 return -EINVAL;
5022 }
5023
5024 secondary_ops = ops;
5025
5026 printk(KERN_INFO "%s: Registering secondary module %s\n",
5021 return -EINVAL;
5022 }
5023
5024 secondary_ops = ops;
5025
5026 printk(KERN_INFO "%s: Registering secondary module %s\n",
5027 __FUNCTION__,
5027 __func__,
5028 name);
5029
5030 return 0;
5031}
5032
5033static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5034{
5035 if (inode)

--- 622 unchanged lines hidden ---
5028 name);
5029
5030 return 0;
5031}
5032
5033static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5034{
5035 if (inode)

--- 622 unchanged lines hidden ---