hooks.c (d61330c689df2ef7ac76b63be2bd0a8561e47fd9) | hooks.c (442155c1bd84f82bff2d05d0ec4d0090df17ecfa) |
---|---|
1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 34 unchanged lines hidden (view full) --- 43#include <linux/swap.h> 44#include <linux/spinlock.h> 45#include <linux/syscalls.h> 46#include <linux/dcache.h> 47#include <linux/file.h> 48#include <linux/fdtable.h> 49#include <linux/namei.h> 50#include <linux/mount.h> | 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 34 unchanged lines hidden (view full) --- 43#include <linux/swap.h> 44#include <linux/spinlock.h> 45#include <linux/syscalls.h> 46#include <linux/dcache.h> 47#include <linux/file.h> 48#include <linux/fdtable.h> 49#include <linux/namei.h> 50#include <linux/mount.h> |
51#include <linux/fs_context.h> 52#include <linux/fs_parser.h> |
|
51#include <linux/netfilter_ipv4.h> 52#include <linux/netfilter_ipv6.h> 53#include <linux/tty.h> 54#include <net/icmp.h> 55#include <net/ip.h> /* for local_port_range[] */ 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57#include <net/inet_connection_sock.h> 58#include <net/net_namespace.h> --- 390 unchanged lines hidden (view full) --- 449 450static inline int inode_doinit(struct inode *inode) 451{ 452 return inode_doinit_with_dentry(inode, NULL); 453} 454 455enum { 456 Opt_error = -1, | 53#include <linux/netfilter_ipv4.h> 54#include <linux/netfilter_ipv6.h> 55#include <linux/tty.h> 56#include <net/icmp.h> 57#include <net/ip.h> /* for local_port_range[] */ 58#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 59#include <net/inet_connection_sock.h> 60#include <net/net_namespace.h> --- 390 unchanged lines hidden (view full) --- 451 452static inline int inode_doinit(struct inode *inode) 453{ 454 return inode_doinit_with_dentry(inode, NULL); 455} 456 457enum { 458 Opt_error = -1, |
457 Opt_context = 1, | 459 Opt_context = 0, 460 Opt_defcontext = 1, |
458 Opt_fscontext = 2, | 461 Opt_fscontext = 2, |
459 Opt_defcontext = 3, 460 Opt_rootcontext = 4, 461 Opt_seclabel = 5, | 462 Opt_rootcontext = 3, 463 Opt_seclabel = 4, |
462}; 463 464#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 465static struct { 466 const char *name; 467 int len; 468 int opt; 469 bool has_arg; --- 614 unchanged lines hidden (view full) --- 1084 u32 len; 1085 int rc; 1086 1087 rc = security_sid_to_context(&selinux_state, sid, 1088 &context, &len); 1089 if (!rc) { 1090 bool has_comma = context && strchr(context, ','); 1091 | 464}; 465 466#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 467static struct { 468 const char *name; 469 int len; 470 int opt; 471 bool has_arg; --- 614 unchanged lines hidden (view full) --- 1086 u32 len; 1087 int rc; 1088 1089 rc = security_sid_to_context(&selinux_state, sid, 1090 &context, &len); 1091 if (!rc) { 1092 bool has_comma = context && strchr(context, ','); 1093 |
1094 seq_putc(m, '='); |
|
1092 if (has_comma) 1093 seq_putc(m, '\"'); 1094 seq_escape(m, context, "\"\n\\"); 1095 if (has_comma) 1096 seq_putc(m, '\"'); 1097 } 1098 kfree(context); 1099 return rc; --- 37 unchanged lines hidden (view full) --- 1137 seq_putc(m, ','); 1138 seq_puts(m, ROOTCONTEXT_STR); 1139 rc = show_sid(m, isec->sid); 1140 if (rc) 1141 return rc; 1142 } 1143 if (sbsec->flags & SBLABEL_MNT) { 1144 seq_putc(m, ','); | 1095 if (has_comma) 1096 seq_putc(m, '\"'); 1097 seq_escape(m, context, "\"\n\\"); 1098 if (has_comma) 1099 seq_putc(m, '\"'); 1100 } 1101 kfree(context); 1102 return rc; --- 37 unchanged lines hidden (view full) --- 1140 seq_putc(m, ','); 1141 seq_puts(m, ROOTCONTEXT_STR); 1142 rc = show_sid(m, isec->sid); 1143 if (rc) 1144 return rc; 1145 } 1146 if (sbsec->flags & SBLABEL_MNT) { 1147 seq_putc(m, ','); |
1145 seq_puts(m, LABELSUPP_STR); | 1148 seq_puts(m, SECLABEL_STR); |
1146 } 1147 return 0; 1148} 1149 1150static inline u16 inode_mode_to_security_class(umode_t mode) 1151{ 1152 switch (mode & S_IFMT) { 1153 case S_IFSOCK: --- 1602 unchanged lines hidden (view full) --- 2756static int selinux_umount(struct vfsmount *mnt, int flags) 2757{ 2758 const struct cred *cred = current_cred(); 2759 2760 return superblock_has_perm(cred, mnt->mnt_sb, 2761 FILESYSTEM__UNMOUNT, NULL); 2762} 2763 | 1149 } 1150 return 0; 1151} 1152 1153static inline u16 inode_mode_to_security_class(umode_t mode) 1154{ 1155 switch (mode & S_IFMT) { 1156 case S_IFSOCK: --- 1602 unchanged lines hidden (view full) --- 2759static int selinux_umount(struct vfsmount *mnt, int flags) 2760{ 2761 const struct cred *cred = current_cred(); 2762 2763 return superblock_has_perm(cred, mnt->mnt_sb, 2764 FILESYSTEM__UNMOUNT, NULL); 2765} 2766 |
2767static const struct fs_parameter_spec selinux_param_specs[] = { 2768 fsparam_string(CONTEXT_STR, Opt_context), 2769 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2770 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2771 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2772 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2773 {} 2774}; 2775 2776static const struct fs_parameter_description selinux_fs_parameters = { 2777 .name = "SELinux", 2778 .specs = selinux_param_specs, 2779}; 2780 2781static int selinux_fs_context_parse_param(struct fs_context *fc, 2782 struct fs_parameter *param) 2783{ 2784 struct fs_parse_result result; 2785 int opt, rc; 2786 2787 opt = fs_parse(fc, &selinux_fs_parameters, param, &result); 2788 if (opt < 0) 2789 return opt; 2790 2791 rc = selinux_add_opt(opt, param->string, &fc->security); 2792 if (!rc) { 2793 param->string = NULL; 2794 rc = 1; 2795 } 2796 return rc; 2797} 2798 |
|
2764/* inode security operations */ 2765 2766static int selinux_inode_alloc_security(struct inode *inode) 2767{ 2768 return inode_alloc_security(inode); 2769} 2770 2771static void selinux_inode_free_security(struct inode *inode) --- 1754 unchanged lines hidden (view full) --- 4526err_af: 4527 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4528 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4529 return -EINVAL; 4530 return -EAFNOSUPPORT; 4531} 4532 4533/* This supports connect(2) and SCTP connect services such as sctp_connectx(3) | 2799/* inode security operations */ 2800 2801static int selinux_inode_alloc_security(struct inode *inode) 2802{ 2803 return inode_alloc_security(inode); 2804} 2805 2806static void selinux_inode_free_security(struct inode *inode) --- 1754 unchanged lines hidden (view full) --- 4561err_af: 4562 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4563 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4564 return -EINVAL; 4565 return -EAFNOSUPPORT; 4566} 4567 4568/* This supports connect(2) and SCTP connect services such as sctp_connectx(3) |
4534 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst | 4569 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst |
4535 */ 4536static int selinux_socket_connect_helper(struct socket *sock, 4537 struct sockaddr *address, int addrlen) 4538{ 4539 struct sock *sk = sock->sk; 4540 struct sk_security_struct *sksec = sk->sk_security; 4541 int err; 4542 --- 2162 unchanged lines hidden (view full) --- 6705 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6706 6707 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6708 6709 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6710 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6711 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6712 | 4570 */ 4571static int selinux_socket_connect_helper(struct socket *sock, 4572 struct sockaddr *address, int addrlen) 4573{ 4574 struct sock *sk = sock->sk; 4575 struct sk_security_struct *sksec = sk->sk_security; 4576 int err; 4577 --- 2162 unchanged lines hidden (view full) --- 6740 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6741 6742 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6743 6744 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6745 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6746 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6747 |
6748 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 6749 |
|
6713 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6714 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6715 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 6716 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 6717 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6718 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6719 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6720 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), --- 252 unchanged lines hidden (view full) --- 6973 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 6974 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 6975 6976 if (selinux_enforcing_boot) 6977 pr_debug("SELinux: Starting in enforcing mode\n"); 6978 else 6979 pr_debug("SELinux: Starting in permissive mode\n"); 6980 | 6750 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6751 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6752 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 6753 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 6754 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6755 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6756 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6757 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), --- 252 unchanged lines hidden (view full) --- 7010 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7011 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7012 7013 if (selinux_enforcing_boot) 7014 pr_debug("SELinux: Starting in enforcing mode\n"); 7015 else 7016 pr_debug("SELinux: Starting in permissive mode\n"); 7017 |
7018 fs_validate_description(&selinux_fs_parameters); 7019 |
|
6981 return 0; 6982} 6983 6984static void delayed_superblock_init(struct super_block *sb, void *unused) 6985{ 6986 selinux_set_mnt_opts(sb, NULL, 0, NULL); 6987} 6988 --- 143 unchanged lines hidden --- | 7020 return 0; 7021} 7022 7023static void delayed_superblock_init(struct super_block *sb, void *unused) 7024{ 7025 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7026} 7027 --- 143 unchanged lines hidden --- |
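Review bot: selinux_fs_context_parse_param (new-side lines 2781-2797) hands ownership of param->string over to fc->security and then reports success with 1 rather than 0, and neither the ownership transfer nor the non-zero success value is explained at the point it happens. A short comment above `param->string = NULL; rc = 1;` would save the next reader a trip into selinux_add_opt and the VFS caller, e.g. `/* selinux_add_opt() kept the string in fc->security: clear it so the VFS does not free it; 1 = parameter consumed by the LSM (confirm against the hook contract) */`. The enum renumbering at 459-463 makes Opt_context 0, which is fine for fs_parse's negative error returns, but it is worth confirming that nothing in the legacy A()-table parser still treats 0 as "no option" (Opt_error = -1 is the visible sentinel). Likewise the `seq_putc(m, '=')` now emitted inside show_sid means each *_STR macro its callers print just before it must have lost its trailing '='; those macros are defined outside this diff, so I could not verify it here.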