hooks.c (b78b7d59bdbe6028ab362c2551dc684872f2052a) | hooks.c (65cddd50980be8c9c27ad7518a0dc812eccb25d5) |
---|---|
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> --- 258 unchanged lines hidden (view full) --- 267static int __inode_security_revalidate(struct inode *inode, 268 struct dentry *dentry, 269 bool may_sleep) 270{ 271 struct inode_security_struct *isec = selinux_inode(inode); 272 273 might_sleep_if(may_sleep); 274 | 1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> --- 258 unchanged lines hidden (view full) --- 267static int __inode_security_revalidate(struct inode *inode, 268 struct dentry *dentry, 269 bool may_sleep) 270{ 271 struct inode_security_struct *isec = selinux_inode(inode); 272 273 might_sleep_if(may_sleep); 274 |
275 if (selinux_state.initialized && | 275 if (selinux_initialized(&selinux_state) && |
276 isec->initialized != LABEL_INITIALIZED) { 277 if (!may_sleep) 278 return -ECHILD; 279 280 /* 281 * Try reloading the inode security label. This will fail if 282 * @opt_dentry is NULL and no dentry for this inode can be 283 * found; in that case, continue using the old label. --- 370 unchanged lines hidden (view full) --- 654 struct selinux_mnt_opts *opts = mnt_opts; 655 struct inode_security_struct *root_isec; 656 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 657 u32 defcontext_sid = 0; 658 int rc = 0; 659 660 mutex_lock(&sbsec->lock); 661 | 276 isec->initialized != LABEL_INITIALIZED) { 277 if (!may_sleep) 278 return -ECHILD; 279 280 /* 281 * Try reloading the inode security label. This will fail if 282 * @opt_dentry is NULL and no dentry for this inode can be 283 * found; in that case, continue using the old label. --- 370 unchanged lines hidden (view full) --- 654 struct selinux_mnt_opts *opts = mnt_opts; 655 struct inode_security_struct *root_isec; 656 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 657 u32 defcontext_sid = 0; 658 int rc = 0; 659 660 mutex_lock(&sbsec->lock); 661 |
662 if (!selinux_state.initialized) { | 662 if (!selinux_initialized(&selinux_state)) { |
663 if (!opts) { 664 /* Defer initialization until selinux_complete_init, 665 after the initial policy is loaded and the security 666 server is ready to handle calls. */ 667 goto out; 668 } 669 rc = -EINVAL; 670 pr_warn("SELinux: Unable to set superblock options " --- 253 unchanged lines hidden (view full) --- 924 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 925 int set_context = (oldsbsec->flags & CONTEXT_MNT); 926 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 927 928 /* 929 * if the parent was able to be mounted it clearly had no special lsm 930 * mount options. thus we can safely deal with this superblock later 931 */ | 663 if (!opts) { 664 /* Defer initialization until selinux_complete_init, 665 after the initial policy is loaded and the security 666 server is ready to handle calls. */ 667 goto out; 668 } 669 rc = -EINVAL; 670 pr_warn("SELinux: Unable to set superblock options " --- 253 unchanged lines hidden (view full) --- 924 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 925 int set_context = (oldsbsec->flags & CONTEXT_MNT); 926 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 927 928 /* 929 * if the parent was able to be mounted it clearly had no special lsm 930 * mount options. thus we can safely deal with this superblock later 931 */ |
932 if (!selinux_state.initialized) | 932 if (!selinux_initialized(&selinux_state)) |
933 return 0; 934 935 /* 936 * Specifying internal flags without providing a place to 937 * place the results is not allowed. 938 */ 939 if (kern_flags && !set_kern_flags) 940 return -EINVAL; --- 158 unchanged lines hidden (view full) --- 1099static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1100{ 1101 struct superblock_security_struct *sbsec = sb->s_security; 1102 int rc; 1103 1104 if (!(sbsec->flags & SE_SBINITIALIZED)) 1105 return 0; 1106 | 933 return 0; 934 935 /* 936 * Specifying internal flags without providing a place to 937 * place the results is not allowed. 938 */ 939 if (kern_flags && !set_kern_flags) 940 return -EINVAL; --- 158 unchanged lines hidden (view full) --- 1099static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1100{ 1101 struct superblock_security_struct *sbsec = sb->s_security; 1102 int rc; 1103 1104 if (!(sbsec->flags & SE_SBINITIALIZED)) 1105 return 0; 1106 |
1107 if (!selinux_state.initialized) | 1107 if (!selinux_initialized(&selinux_state)) |
1108 return 0; 1109 1110 if (sbsec->flags & FSCONTEXT_MNT) { 1111 seq_putc(m, ','); 1112 seq_puts(m, FSCONTEXT_STR); 1113 rc = show_sid(m, sbsec->sid); 1114 if (rc) 1115 return rc; --- 1800 unchanged lines hidden (view full) --- 2916 /* Possibly defer initialization to selinux_complete_init. */ 2917 if (sbsec->flags & SE_SBINITIALIZED) { 2918 struct inode_security_struct *isec = selinux_inode(inode); 2919 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2920 isec->sid = newsid; 2921 isec->initialized = LABEL_INITIALIZED; 2922 } 2923 | 1108 return 0; 1109 1110 if (sbsec->flags & FSCONTEXT_MNT) { 1111 seq_putc(m, ','); 1112 seq_puts(m, FSCONTEXT_STR); 1113 rc = show_sid(m, sbsec->sid); 1114 if (rc) 1115 return rc; --- 1800 unchanged lines hidden (view full) --- 2916 /* Possibly defer initialization to selinux_complete_init. */ 2917 if (sbsec->flags & SE_SBINITIALIZED) { 2918 struct inode_security_struct *isec = selinux_inode(inode); 2919 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2920 isec->sid = newsid; 2921 isec->initialized = LABEL_INITIALIZED; 2922 } 2923 |
2924 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) | 2924 if (!selinux_initialized(&selinux_state) || 2925 !(sbsec->flags & SBLABEL_MNT)) |
2925 return -EOPNOTSUPP; 2926 2927 if (name) 2928 *name = XATTR_SELINUX_SUFFIX; 2929 2930 if (value && len) { 2931 rc = security_sid_to_context_force(&selinux_state, newsid, 2932 &context, &clen); --- 206 unchanged lines hidden (view full) --- 3139 if (rc) 3140 return rc; 3141 3142 /* Not an attribute we recognize, so just check the 3143 ordinary setattr permission. */ 3144 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3145 } 3146 | 2926 return -EOPNOTSUPP; 2927 2928 if (name) 2929 *name = XATTR_SELINUX_SUFFIX; 2930 2931 if (value && len) { 2932 rc = security_sid_to_context_force(&selinux_state, newsid, 2933 &context, &clen); --- 206 unchanged lines hidden (view full) --- 3140 if (rc) 3141 return rc; 3142 3143 /* Not an attribute we recognize, so just check the 3144 ordinary setattr permission. */ 3145 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3146 } 3147 |
3147 if (!selinux_state.initialized) | 3148 if (!selinux_initialized(&selinux_state)) |
3148 return (inode_owner_or_capable(inode) ? 0 : -EPERM); 3149 3150 sbsec = inode->i_sb->s_security; 3151 if (!(sbsec->flags & SBLABEL_MNT)) 3152 return -EOPNOTSUPP; 3153 3154 if (!inode_owner_or_capable(inode)) 3155 return -EPERM; --- 69 unchanged lines hidden (view full) --- 3225 u32 newsid; 3226 int rc; 3227 3228 if (strcmp(name, XATTR_NAME_SELINUX)) { 3229 /* Not an attribute we recognize, so nothing to do. */ 3230 return; 3231 } 3232 | 3149 return (inode_owner_or_capable(inode) ? 0 : -EPERM); 3150 3151 sbsec = inode->i_sb->s_security; 3152 if (!(sbsec->flags & SBLABEL_MNT)) 3153 return -EOPNOTSUPP; 3154 3155 if (!inode_owner_or_capable(inode)) 3156 return -EPERM; --- 69 unchanged lines hidden (view full) --- 3226 u32 newsid; 3227 int rc; 3228 3229 if (strcmp(name, XATTR_NAME_SELINUX)) { 3230 /* Not an attribute we recognize, so nothing to do. */ 3231 return; 3232 } 3233 |
3233 if (!selinux_state.initialized) { | 3234 if (!selinux_initialized(&selinux_state)) { |
3234 /* If we haven't even been initialized, then we can't validate 3235 * against a policy, so leave the label as invalid. It may 3236 * resolve to a valid label on the next revalidation try if 3237 * we've since initialized. 3238 */ 3239 return; 3240 } 3241 --- 4053 unchanged lines hidden (view full) --- 7295#define selinux_nf_ip_exit() 7296#endif 7297 7298#endif /* CONFIG_NETFILTER */ 7299 7300#ifdef CONFIG_SECURITY_SELINUX_DISABLE 7301int selinux_disable(struct selinux_state *state) 7302{ | 3235 /* If we haven't even been initialized, then we can't validate 3236 * against a policy, so leave the label as invalid. It may 3237 * resolve to a valid label on the next revalidation try if 3238 * we've since initialized. 3239 */ 3240 return; 3241 } 3242 --- 4053 unchanged lines hidden (view full) --- 7296#define selinux_nf_ip_exit() 7297#endif 7298 7299#endif /* CONFIG_NETFILTER */ 7300 7301#ifdef CONFIG_SECURITY_SELINUX_DISABLE 7302int selinux_disable(struct selinux_state *state) 7303{ |
7303 if (state->initialized) { | 7304 if (selinux_initialized(state)) { |
7304 /* Not permitted after initial policy load. */ 7305 return -EINVAL; 7306 } 7307 | 7305 /* Not permitted after initial policy load. */ 7306 return -EINVAL; 7307 } 7308 |
7308 if (state->disabled) { | 7309 if (selinux_disabled(state)) { |
7309 /* Only do this once. */ 7310 return -EINVAL; 7311 } 7312 | 7310 /* Only do this once. */ 7311 return -EINVAL; 7312 } 7313 |
7313 state->disabled = 1; | 7314 selinux_mark_disabled(state); |
7314 7315 pr_info("SELinux: Disabled at runtime.\n"); 7316 7317 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7318 7319 /* Try to destroy the avc node cache */ 7320 avc_disable(); 7321 7322 /* Unregister netfilter hooks. */ 7323 selinux_nf_ip_exit(); 7324 7325 /* Unregister selinuxfs. */ 7326 exit_sel_fs(); 7327 7328 return 0; 7329} 7330#endif | 7315 7316 pr_info("SELinux: Disabled at runtime.\n"); 7317 7318 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7319 7320 /* Try to destroy the avc node cache */ 7321 avc_disable(); 7322 7323 /* Unregister netfilter hooks. */ 7324 selinux_nf_ip_exit(); 7325 7326 /* Unregister selinuxfs. */ 7327 exit_sel_fs(); 7328 7329 return 0; 7330} 7331#endif |
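Review bot: In selinux_disable(), the "Only do this once" guard on the new side is still a separate `selinux_disabled(state)` test followed by `selinux_mark_disabled(state)`, so switching to accessors does not by itself close the window in which two concurrent writers could both pass the check and both run security_delete_hooks(), avc_disable() and exit_sel_fs(). Whether that window is real depends on selinux_mark_disabled() and on the selinuxfs write path that calls this function, both outside this hunk; if the accessor is a plain store and the caller does not serialize, consider having the accessor return the previous value and collapsing the two steps into `if (selinux_mark_disabled(state)) return -EINVAL;` (a test-and-set on the flag), otherwise record the assumption with a comment such as `/* caller must serialize: check-then-mark is not atomic */`. The same replacement pattern is applied to the selinux_initialized() reads in __inode_security_revalidate() and the superblock paths above, which run with no lock visible in this hunk and are paired with the unlocked isec->initialized check; if the new accessor adds READ_ONCE() or an acquire barrier, that ordering guarantee is worth stating in its kerneldoc so those readers are not later "simplified" back to a plain field read.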