hooks.c (b0c636b99997c8594da6a46e166ce4fcf6956fda) | hooks.c (dd6f953adb5c4deb9cd7b6a5054e7d5eafe4ed71) |
---|---|
1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 654 unchanged lines hidden (view full) --- 663 664 if (strcmp(sb->s_type->name, "proc") == 0) 665 sbsec->proc = 1; 666 667 /* Determine the labeling behavior to use for this filesystem type. */ 668 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 669 if (rc) { 670 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", | 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 654 unchanged lines hidden (view full) --- 663 664 if (strcmp(sb->s_type->name, "proc") == 0) 665 sbsec->proc = 1; 666 667 /* Determine the labeling behavior to use for this filesystem type. */ 668 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 669 if (rc) { 670 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", |
671 __FUNCTION__, sb->s_type->name, rc); | 671 __func__, sb->s_type->name, rc); |
672 goto out; 673 } 674 675 /* sets the context of the superblock for the fs being mounted. */ 676 if (fscontext_sid) { 677 678 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec); 679 if (rc) --- 449 unchanged lines hidden (view full) --- 1129 /* Called from d_instantiate or d_splice_alias. */ 1130 dentry = dget(opt_dentry); 1131 } else { 1132 /* Called from selinux_complete_init, try to find a dentry. */ 1133 dentry = d_find_alias(inode); 1134 } 1135 if (!dentry) { 1136 printk(KERN_WARNING "%s: no dentry for dev=%s " | 672 goto out; 673 } 674 675 /* sets the context of the superblock for the fs being mounted. */ 676 if (fscontext_sid) { 677 678 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec); 679 if (rc) --- 449 unchanged lines hidden (view full) --- 1129 /* Called from d_instantiate or d_splice_alias. */ 1130 dentry = dget(opt_dentry); 1131 } else { 1132 /* Called from selinux_complete_init, try to find a dentry. */ 1133 dentry = d_find_alias(inode); 1134 } 1135 if (!dentry) { 1136 printk(KERN_WARNING "%s: no dentry for dev=%s " |
1137 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, | 1137 "ino=%ld\n", __func__, inode->i_sb->s_id, |
1138 inode->i_ino); 1139 goto out_unlock; 1140 } 1141 1142 len = INITCONTEXTLEN; 1143 context = kmalloc(len, GFP_NOFS); 1144 if (!context) { 1145 rc = -ENOMEM; --- 21 unchanged lines hidden (view full) --- 1167 rc = inode->i_op->getxattr(dentry, 1168 XATTR_NAME_SELINUX, 1169 context, len); 1170 } 1171 dput(dentry); 1172 if (rc < 0) { 1173 if (rc != -ENODATA) { 1174 printk(KERN_WARNING "%s: getxattr returned " | 1138 inode->i_ino); 1139 goto out_unlock; 1140 } 1141 1142 len = INITCONTEXTLEN; 1143 context = kmalloc(len, GFP_NOFS); 1144 if (!context) { 1145 rc = -ENOMEM; --- 21 unchanged lines hidden (view full) --- 1167 rc = inode->i_op->getxattr(dentry, 1168 XATTR_NAME_SELINUX, 1169 context, len); 1170 } 1171 dput(dentry); 1172 if (rc < 0) { 1173 if (rc != -ENODATA) { 1174 printk(KERN_WARNING "%s: getxattr returned " |
1175 "%d for dev=%s ino=%ld\n", __FUNCTION__, | 1175 "%d for dev=%s ino=%ld\n", __func__, |
1176 -rc, inode->i_sb->s_id, inode->i_ino); 1177 kfree(context); 1178 goto out_unlock; 1179 } 1180 /* Map ENODATA to the default file SID */ 1181 sid = sbsec->def_sid; 1182 rc = 0; 1183 } else { 1184 rc = security_context_to_sid_default(context, rc, &sid, 1185 sbsec->def_sid, 1186 GFP_NOFS); 1187 if (rc) { 1188 printk(KERN_WARNING "%s: context_to_sid(%s) " 1189 "returned %d for dev=%s ino=%ld\n", | 1176 -rc, inode->i_sb->s_id, inode->i_ino); 1177 kfree(context); 1178 goto out_unlock; 1179 } 1180 /* Map ENODATA to the default file SID */ 1181 sid = sbsec->def_sid; 1182 rc = 0; 1183 } else { 1184 rc = security_context_to_sid_default(context, rc, &sid, 1185 sbsec->def_sid, 1186 GFP_NOFS); 1187 if (rc) { 1188 printk(KERN_WARNING "%s: context_to_sid(%s) " 1189 "returned %d for dev=%s ino=%ld\n", |
1190 __FUNCTION__, context, -rc, | 1190 __func__, context, -rc, |
1191 inode->i_sb->s_id, inode->i_ino); 1192 kfree(context); 1193 /* Leave with the unlabeled SID */ 1194 rc = 0; 1195 break; 1196 } 1197 } 1198 kfree(context); --- 1233 unchanged lines hidden (view full) --- 2432 } else { 2433 rc = security_transition_sid(tsec->sid, dsec->sid, 2434 inode_mode_to_security_class(inode->i_mode), 2435 &newsid); 2436 if (rc) { 2437 printk(KERN_WARNING "%s: " 2438 "security_transition_sid failed, rc=%d (dev=%s " 2439 "ino=%ld)\n", | 1191 inode->i_sb->s_id, inode->i_ino); 1192 kfree(context); 1193 /* Leave with the unlabeled SID */ 1194 rc = 0; 1195 break; 1196 } 1197 } 1198 kfree(context); --- 1233 unchanged lines hidden (view full) --- 2432 } else { 2433 rc = security_transition_sid(tsec->sid, dsec->sid, 2434 inode_mode_to_security_class(inode->i_mode), 2435 &newsid); 2436 if (rc) { 2437 printk(KERN_WARNING "%s: " 2438 "security_transition_sid failed, rc=%d (dev=%s " 2439 "ino=%ld)\n", |
2440 __FUNCTION__, | 2440 __func__, |
2441 -rc, inode->i_sb->s_id, inode->i_ino); 2442 return rc; 2443 } 2444 } 2445 2446 /* Possibly defer initialization to selinux_complete_init. */ 2447 if (sbsec->initialized) { 2448 struct inode_security_struct *isec = inode->i_security; --- 217 unchanged lines hidden (view full) --- 2666 if (strcmp(name, XATTR_NAME_SELINUX)) { 2667 /* Not an attribute we recognize, so nothing to do. */ 2668 return; 2669 } 2670 2671 rc = security_context_to_sid(value, size, &newsid); 2672 if (rc) { 2673 printk(KERN_WARNING "%s: unable to obtain SID for context " | 2441 -rc, inode->i_sb->s_id, inode->i_ino); 2442 return rc; 2443 } 2444 } 2445 2446 /* Possibly defer initialization to selinux_complete_init. */ 2447 if (sbsec->initialized) { 2448 struct inode_security_struct *isec = inode->i_security; --- 217 unchanged lines hidden (view full) --- 2666 if (strcmp(name, XATTR_NAME_SELINUX)) { 2667 /* Not an attribute we recognize, so nothing to do. */ 2668 return; 2669 } 2670 2671 rc = security_context_to_sid(value, size, &newsid); 2672 if (rc) { 2673 printk(KERN_WARNING "%s: unable to obtain SID for context " |
2674 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc); | 2674 "%s, rc=%d\n", __func__, (char*)value, -rc); |
2675 return; 2676 } 2677 2678 isec->sid = newsid; 2679 return; 2680} 2681 2682static int selinux_inode_getxattr (struct dentry *dentry, char *name) --- 2329 unchanged lines hidden (view full) --- 5012 return ipc_has_perm(ipcp, av); 5013} 5014 5015/* module stacking operations */ 5016static int selinux_register_security (const char *name, struct security_operations *ops) 5017{ 5018 if (secondary_ops != original_ops) { 5019 printk(KERN_ERR "%s: There is already a secondary security " | 2675 return; 2676 } 2677 2678 isec->sid = newsid; 2679 return; 2680} 2681 2682static int selinux_inode_getxattr (struct dentry *dentry, char *name) --- 2329 unchanged lines hidden (view full) --- 5012 return ipc_has_perm(ipcp, av); 5013} 5014 5015/* module stacking operations */ 5016static int selinux_register_security (const char *name, struct security_operations *ops) 5017{ 5018 if (secondary_ops != original_ops) { 5019 printk(KERN_ERR "%s: There is already a secondary security " |
5020 "module registered.\n", __FUNCTION__); | 5020 "module registered.\n", __func__); |
5021 return -EINVAL; 5022 } 5023 5024 secondary_ops = ops; 5025 5026 printk(KERN_INFO "%s: Registering secondary module %s\n", | 5021 return -EINVAL; 5022 } 5023 5024 secondary_ops = ops; 5025 5026 printk(KERN_INFO "%s: Registering secondary module %s\n", |
5027 __FUNCTION__, | 5027 __func__, |
5028 name); 5029 5030 return 0; 5031} 5032 5033static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 5034{ 5035 if (inode) --- 622 unchanged lines hidden --- | 5028 name); 5029 5030 return 0; 5031} 5032 5033static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 5034{ 5035 if (inode) --- 622 unchanged lines hidden --- |
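Review bot: the `__FUNCTION__` to `__func__` swap in each printk format argument (lines 671, 1137, 1175, 1190, 2440, 2674, 5020 and 5027) is purely mechanical and preserves behaviour, since both yield the enclosing function's name; `__func__` is the C99 predefined identifier while `__FUNCTION__` is a GCC extension, so the portable spelling is the right call and a clean build is sufficient verification. The change would be easier to audit as a single-purpose commit if its description said that no other text in these lines was touched, which matches what the side-by-side view shows.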
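Review bot: the unchanged context around the edited arguments carries a format-specifier mismatch worth a follow-up patch rather than folding into this one: `inode->i_ino` is an `unsigned long`, yet it is printed with `%ld` at lines 1137, 1175, 1190 and 2440, where `%lu` is the matching conversion. Likewise `(char*)value` at line 2674 would read `(char *)value` under kernel coding style. Keeping those out of this commit is correct for a one-identifier cleanup, but they should be tracked.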