| hooks.c (b6dff3ec5e116e3af6f537d4caedcad6b9e5082a) | hooks.c (f1752eec6145c97163dbce62d17cf5d928e28a27) |
|---|---|
| 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 144 unchanged lines hidden (view full) --- 153 */ 154static int selinux_secmark_enabled(void) 155{ 156 return (atomic_read(&selinux_secmark_refcount) > 0); 157} 158 159/* Allocate and free functions for each kind of security blob. */ 160 | 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 144 unchanged lines hidden (view full) --- 153 */ 154static int selinux_secmark_enabled(void) 155{ 156 return (atomic_read(&selinux_secmark_refcount) > 0); 157} 158 159/* Allocate and free functions for each kind of security blob. */ 160 |
| 161static int task_alloc_security(struct task_struct *task) | 161static int cred_alloc_security(struct cred *cred) |
| 162{ 163 struct task_security_struct *tsec; 164 165 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 166 if (!tsec) 167 return -ENOMEM; 168 169 tsec->osid = tsec->sid = SECINITSID_UNLABELED; | 162{ 163 struct task_security_struct *tsec; 164 165 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 166 if (!tsec) 167 return -ENOMEM; 168 169 tsec->osid = tsec->sid = SECINITSID_UNLABELED; |
| 170 task->cred->security = tsec; | 170 cred->security = tsec; |
| 171 172 return 0; 173} 174 | 171 172 return 0; 173} 174 |
| 175static void task_free_security(struct task_struct *task) 176{ 177 struct task_security_struct *tsec = task->cred->security; 178 task->cred->security = NULL; 179 kfree(tsec); 180} 181 | |
| 182static int inode_alloc_security(struct inode *inode) 183{ 184 struct task_security_struct *tsec = current->cred->security; 185 struct inode_security_struct *isec; 186 187 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 188 if (!isec) 189 return -ENOMEM; --- 2989 unchanged lines hidden (view full) --- 3179 3180 rc = secondary_ops->task_create(clone_flags); 3181 if (rc) 3182 return rc; 3183 3184 return task_has_perm(current, current, PROCESS__FORK); 3185} 3186 | 175static int inode_alloc_security(struct inode *inode) 176{ 177 struct task_security_struct *tsec = current->cred->security; 178 struct inode_security_struct *isec; 179 180 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 181 if (!isec) 182 return -ENOMEM; --- 2989 unchanged lines hidden (view full) --- 3172 3173 rc = secondary_ops->task_create(clone_flags); 3174 if (rc) 3175 return rc; 3176 3177 return task_has_perm(current, current, PROCESS__FORK); 3178} 3179 |
| 3187static int selinux_task_alloc_security(struct task_struct *tsk) | 3180static int selinux_cred_alloc_security(struct cred *cred) |
| 3188{ 3189 struct task_security_struct *tsec1, *tsec2; 3190 int rc; 3191 3192 tsec1 = current->cred->security; 3193 | 3181{ 3182 struct task_security_struct *tsec1, *tsec2; 3183 int rc; 3184 3185 tsec1 = current->cred->security; 3186 |
| 3194 rc = task_alloc_security(tsk); | 3187 rc = cred_alloc_security(cred); |
| 3195 if (rc) 3196 return rc; | 3188 if (rc) 3189 return rc; |
| 3197 tsec2 = tsk->cred->security; | 3190 tsec2 = cred->security; |
| 3198 3199 tsec2->osid = tsec1->osid; 3200 tsec2->sid = tsec1->sid; 3201 3202 /* Retain the exec, fs, key, and sock SIDs across fork */ 3203 tsec2->exec_sid = tsec1->exec_sid; 3204 tsec2->create_sid = tsec1->create_sid; 3205 tsec2->keycreate_sid = tsec1->keycreate_sid; 3206 tsec2->sockcreate_sid = tsec1->sockcreate_sid; 3207 3208 return 0; 3209} 3210 | 3191 3192 tsec2->osid = tsec1->osid; 3193 tsec2->sid = tsec1->sid; 3194 3195 /* Retain the exec, fs, key, and sock SIDs across fork */ 3196 tsec2->exec_sid = tsec1->exec_sid; 3197 tsec2->create_sid = tsec1->create_sid; 3198 tsec2->keycreate_sid = tsec1->keycreate_sid; 3199 tsec2->sockcreate_sid = tsec1->sockcreate_sid; 3200 3201 return 0; 3202} 3203 |
| 3211static void selinux_task_free_security(struct task_struct *tsk) | 3204/* 3205 * detach and free the LSM part of a set of credentials 3206 */ 3207static void selinux_cred_free(struct cred *cred) |
| 3212{ | 3208{ |
| 3213 task_free_security(tsk); | 3209 struct task_security_struct *tsec = cred->security; 3210 cred->security = NULL; 3211 kfree(tsec); |
| 3214} 3215 3216static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3217{ 3218 /* Since setuid only affects the current process, and 3219 since the SELinux controls are not based on the Linux 3220 identity attributes, SELinux does not need to control 3221 this operation. However, SELinux does control the use --- 2325 unchanged lines hidden (view full) --- 5547 .file_fcntl = selinux_file_fcntl, 5548 .file_set_fowner = selinux_file_set_fowner, 5549 .file_send_sigiotask = selinux_file_send_sigiotask, 5550 .file_receive = selinux_file_receive, 5551 5552 .dentry_open = selinux_dentry_open, 5553 5554 .task_create = selinux_task_create, | 3212} 3213 3214static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3215{ 3216 /* Since setuid only affects the current process, and 3217 since the SELinux controls are not based on the Linux 3218 identity attributes, SELinux does not need to control 3219 this operation. However, SELinux does control the use --- 2325 unchanged lines hidden (view full) --- 5545 .file_fcntl = selinux_file_fcntl, 5546 .file_set_fowner = selinux_file_set_fowner, 5547 .file_send_sigiotask = selinux_file_send_sigiotask, 5548 .file_receive = selinux_file_receive, 5549 5550 .dentry_open = selinux_dentry_open, 5551 5552 .task_create = selinux_task_create, |
| 5555 .task_alloc_security = selinux_task_alloc_security, 5556 .task_free_security = selinux_task_free_security, | 5553 .cred_alloc_security = selinux_cred_alloc_security, 5554 .cred_free = selinux_cred_free, |
| 5557 .task_setuid = selinux_task_setuid, 5558 .task_post_setuid = selinux_task_post_setuid, 5559 .task_setgid = selinux_task_setgid, 5560 .task_setpgid = selinux_task_setpgid, 5561 .task_getpgid = selinux_task_getpgid, 5562 .task_getsid = selinux_task_getsid, 5563 .task_getsecid = selinux_task_getsecid, 5564 .task_setgroups = selinux_task_setgroups, --- 113 unchanged lines hidden (view full) --- 5678 if (!selinux_enabled) { 5679 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5680 return 0; 5681 } 5682 5683 printk(KERN_INFO "SELinux: Initializing.\n"); 5684 5685 /* Set the security state for the initial task. */ | 5555 .task_setuid = selinux_task_setuid, 5556 .task_post_setuid = selinux_task_post_setuid, 5557 .task_setgid = selinux_task_setgid, 5558 .task_setpgid = selinux_task_setpgid, 5559 .task_getpgid = selinux_task_getpgid, 5560 .task_getsid = selinux_task_getsid, 5561 .task_getsecid = selinux_task_getsecid, 5562 .task_setgroups = selinux_task_setgroups, --- 113 unchanged lines hidden (view full) --- 5676 if (!selinux_enabled) { 5677 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5678 return 0; 5679 } 5680 5681 printk(KERN_INFO "SELinux: Initializing.\n"); 5682 5683 /* Set the security state for the initial task. */ |
| 5686 if (task_alloc_security(current)) | 5684 if (cred_alloc_security(current->cred)) |
| 5687 panic("SELinux: Failed to initialize initial task.\n"); 5688 tsec = current->cred->security; 5689 tsec->osid = tsec->sid = SECINITSID_KERNEL; 5690 5691 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5692 sizeof(struct inode_security_struct), 5693 0, SLAB_PANIC, NULL); 5694 avc_init(); --- 176 unchanged lines hidden --- | 5685 panic("SELinux: Failed to initialize initial task.\n"); 5686 tsec = current->cred->security; 5687 tsec->osid = tsec->sid = SECINITSID_KERNEL; 5688 5689 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5690 sizeof(struct inode_security_struct), 5691 0, SLAB_PANIC, NULL); 5692 avc_init(); --- 176 unchanged lines hidden --- |