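--- a/hooks.c
+++ b/hooks.c
@@ -1,8 +1,8 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * NSA Security-Enhanced Linux (SELinux) security module
  *
  * This file contains the SELinux hook function implementations.
  *
  * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
  *          Chris Vance, <cvance@nai.com>
@@ -233,34 +233,16 @@
 	u32 sid;
 
 	rcu_read_lock();
 	sid = cred_sid(__task_cred(task));
 	rcu_read_unlock();
 	return sid;
 }
 
-/* Allocate and free functions for each kind of security blob. */
-
-static int inode_alloc_security(struct inode *inode)
-{
-	struct inode_security_struct *isec = selinux_inode(inode);
-	u32 sid = current_sid();
-
-	spin_lock_init(&isec->lock);
-	INIT_LIST_HEAD(&isec->list);
-	isec->inode = inode;
-	isec->sid = SECINITSID_UNLABELED;
-	isec->sclass = SECCLASS_FILE;
-	isec->task_sid = sid;
-	isec->initialized = LABEL_INVALID;
-
-	return 0;
-}
-
 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 
 /*
  * Try reloading inode security labels that have been marked as invalid. The
  * @may_sleep parameter indicates when sleeping and thus reloading labels is
  * allowed; when set to false, returns -ECHILD when the label is
  * invalid. The @dentry parameter should be set to a dentry of the inode.
  */
@@ -349,47 +331,16 @@
  */
 	if (!list_empty_careful(&isec->list)) {
 		spin_lock(&sbsec->isec_lock);
 		list_del_init(&isec->list);
 		spin_unlock(&sbsec->isec_lock);
 	}
 }
 
-static int file_alloc_security(struct file *file)
-{
-	struct file_security_struct *fsec = selinux_file(file);
-	u32 sid = current_sid();
-
-	fsec->sid = sid;
-	fsec->fown_sid = sid;
-
-	return 0;
-}
-
-static int superblock_alloc_security(struct super_block *sb)
-{
-	struct superblock_security_struct *sbsec;
-
-	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
-	if (!sbsec)
-		return -ENOMEM;
-
-	mutex_init(&sbsec->lock);
-	INIT_LIST_HEAD(&sbsec->isec_head);
-	spin_lock_init(&sbsec->isec_lock);
-	sbsec->sb = sb;
-	sbsec->sid = SECINITSID_UNLABELED;
-	sbsec->def_sid = SECINITSID_FILE;
-	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
-	sb->s_security = sbsec;
-
-	return 0;
-}
-
 static void superblock_free_security(struct super_block *sb)
 {
 	struct superblock_security_struct *sbsec = sb->s_security;
 	sb->s_security = NULL;
 	kfree(sbsec);
 }
 
 struct selinux_mnt_opts {
@@ -401,21 +352,16 @@
 	struct selinux_mnt_opts *opts = mnt_opts;
 	kfree(opts->fscontext);
 	kfree(opts->context);
 	kfree(opts->rootcontext);
 	kfree(opts->defcontext);
 	kfree(opts);
 }
 
-static inline int inode_doinit(struct inode *inode)
-{
-	return inode_doinit_with_dentry(inode, NULL);
-}
-
 enum {
 	Opt_error = -1,
 	Opt_context = 0,
 	Opt_defcontext = 1,
 	Opt_fscontext = 2,
 	Opt_rootcontext = 3,
 	Opt_seclabel = 4,
 };
@@ -593,17 +539,17 @@
 				list_first_entry(&sbsec->isec_head,
 						 struct inode_security_struct, list);
 		struct inode *inode = isec->inode;
 		list_del_init(&isec->list);
 		spin_unlock(&sbsec->isec_lock);
 		inode = igrab(inode);
 		if (inode) {
 			if (!IS_PRIVATE(inode))
-				inode_doinit(inode);
+				inode_doinit_with_dentry(inode, NULL);
 			iput(inode);
 		}
 		spin_lock(&sbsec->isec_lock);
 	}
 	spin_unlock(&sbsec->isec_lock);
 out:
 	return rc;
 }
@@ -2588,17 +2534,32 @@
 	__wake_up_parent(current, current->real_parent);
 	read_unlock(&tasklist_lock);
 }
 
 /* superblock security operations */
 
 static int selinux_sb_alloc_security(struct super_block *sb)
 {
-	return superblock_alloc_security(sb);
+	struct superblock_security_struct *sbsec;
+
+	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
+	if (!sbsec)
+		return -ENOMEM;
+
+	mutex_init(&sbsec->lock);
+	INIT_LIST_HEAD(&sbsec->isec_head);
+	spin_lock_init(&sbsec->isec_lock);
+	sbsec->sb = sb;
+	sbsec->sid = SECINITSID_UNLABELED;
+	sbsec->def_sid = SECINITSID_FILE;
+	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
+	sb->s_security = sbsec;
+
+	return 0;
 }
 
 static void selinux_sb_free_security(struct super_block *sb)
 {
 	superblock_free_security(sb);
 }
 
 static inline int opt_len(const char *s)
@@ -2840,17 +2801,28 @@
 	}
 	return rc;
 }
 
 /* inode security operations */
 
 static int selinux_inode_alloc_security(struct inode *inode)
 {
-	return inode_alloc_security(inode);
+	struct inode_security_struct *isec = selinux_inode(inode);
+	u32 sid = current_sid();
+
+	spin_lock_init(&isec->lock);
+	INIT_LIST_HEAD(&isec->list);
+	isec->inode = inode;
+	isec->sid = SECINITSID_UNLABELED;
+	isec->sclass = SECCLASS_FILE;
+	isec->task_sid = sid;
+	isec->initialized = LABEL_INVALID;
+
+	return 0;
 }
 
 static void selinux_inode_free_security(struct inode *inode)
 {
 	inode_free_security(inode);
 }
 
 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
@@ -3550,17 +3522,23 @@
 		/* No change since file_open check. */
 		return 0;
 
 	return selinux_revalidate_file_permission(file, mask);
 }
 
 static int selinux_file_alloc_security(struct file *file)
 {
-	return file_alloc_security(file);
+	struct file_security_struct *fsec = selinux_file(file);
+	u32 sid = current_sid();
+
+	fsec->sid = sid;
+	fsec->fown_sid = sid;
+
+	return 0;
 }
 
 /*
  * Check whether a task has the ioctl permission and cmd
  * operation to an inode.
  */
 static int ioctl_has_perm(const struct cred *cred, struct file *file,
 			  u32 requested, u16 cmd)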
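Review bot: The inlined selinux_inode_alloc_security (new lines 2809-2820) and selinux_sb_alloc_security (new lines 2542-2557) drop the `/* Allocate and free functions for each kind of security blob. */` header that previously grouped the helpers, and nothing now explains why the superblock blob is kzalloc'd while the inode and file blobs are only initialized in place via selinux_inode()/selinux_file(). A short comment on the inode hook would help, e.g. `/* Blob is obtained from the inode, not allocated here; leave it LABEL_INVALID so inode_doinit_with_dentry() resolves the label on first use. */` — the lazy-resolution part matches the existing comment above inode_doinit_with_dentry (new lines 243-248), while the "not allocated here" part is inferred from the absence of any allocation call and should be confirmed against selinux_inode(). Minor style point: in the inode hook the `sid` local is read exactly once, so `isec->task_sid = current_sid();` would do; the file hook legitimately keeps its local because it stores the value into both `sid` and `fown_sid`. superblock_free_security and inode_free_security remain separate helpers called from their hooks; if they have no other callers they could be inlined the same way for consistency, which cannot be determined from this page.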