hooks.c (df561f6688fef775baa341a0f5d960becd248b11) hooks.c (c76a2f9ecdcb44cdcdb2de82e90d84283736aeb2)
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>

--- 1964 unchanged lines hidden (view full) ---

1973 */
1974 av = FILE__IOCTL;
1975 }
1976
1977 return av;
1978}
1979
1980/*
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>

--- 1964 unchanged lines hidden (view full) ---

1973 */
1974 av = FILE__IOCTL;
1975 }
1976
1977 return av;
1978}
1979
1980/*
1981 * Convert a file to an access vector and include the correct open
1981 * Convert a file to an access vector and include the correct
1982 * open permission.
1983 */
1984static inline u32 open_file_to_av(struct file *file)
1985{
1986 u32 av = file_to_av(file);
1987 struct inode *inode = file_inode(file);
1988
1989 if (selinux_policycap_openperm() &&

--- 1276 unchanged lines hidden (view full) ---

3266 if (rc)
3267 return rc;
3268
3269 /* Not an attribute we recognize, so just check the
3270 ordinary setattr permission. */
3271 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3272 }
3273
1982 * open permission.
1983 */
1984static inline u32 open_file_to_av(struct file *file)
1985{
1986 u32 av = file_to_av(file);
1987 struct inode *inode = file_inode(file);
1988
1989 if (selinux_policycap_openperm() &&

--- 1276 unchanged lines hidden (view full) ---

3266 if (rc)
3267 return rc;
3268
3269 /* Not an attribute we recognize, so just check the
3270 ordinary setattr permission. */
3271 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3272 }
3273
3274 if (!selinux_initialized(&selinux_state))
3275 return 0;
3276
3274 /* No one is allowed to remove a SELinux security label.
3275 You can change the label, but all data must be labeled. */
3276 return -EACCES;
3277}
3278
3279static int selinux_path_notify(const struct path *path, u64 mask,
3280 unsigned int obj_type)
3281{

--- 319 unchanged lines hidden (view full) ---

3601static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3602 unsigned long arg)
3603{
3604 const struct cred *cred = current_cred();
3605 int error = 0;
3606
3607 switch (cmd) {
3608 case FIONREAD:
3277 /* No one is allowed to remove a SELinux security label.
3278 You can change the label, but all data must be labeled. */
3279 return -EACCES;
3280}
3281
3282static int selinux_path_notify(const struct path *path, u64 mask,
3283 unsigned int obj_type)
3284{

--- 319 unchanged lines hidden (view full) ---

3604static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3605 unsigned long arg)
3606{
3607 const struct cred *cred = current_cred();
3608 int error = 0;
3609
3610 switch (cmd) {
3611 case FIONREAD:
3612 /* fall through */
3609 case FIBMAP:
3613 case FIBMAP:
3614 /* fall through */
3610 case FIGETBSZ:
3615 case FIGETBSZ:
3616 /* fall through */
3611 case FS_IOC_GETFLAGS:
3617 case FS_IOC_GETFLAGS:
3618 /* fall through */
3612 case FS_IOC_GETVERSION:
3613 error = file_has_perm(cred, file, FILE__GETATTR);
3614 break;
3615
3616 case FS_IOC_SETFLAGS:
3619 case FS_IOC_GETVERSION:
3620 error = file_has_perm(cred, file, FILE__GETATTR);
3621 break;
3622
3623 case FS_IOC_SETFLAGS:
3624 /* fall through */
3617 case FS_IOC_SETVERSION:
3618 error = file_has_perm(cred, file, FILE__SETATTR);
3619 break;
3620
3621 /* sys_ioctl() checks */
3622 case FIONBIO:
3625 case FS_IOC_SETVERSION:
3626 error = file_has_perm(cred, file, FILE__SETATTR);
3627 break;
3628
3629 /* sys_ioctl() checks */
3630 case FIONBIO:
3631 /* fall through */
3623 case FIOASYNC:
3624 error = file_has_perm(cred, file, 0);
3625 break;
3626
3627 case KDSKBENT:
3628 case KDSKBSENT:
3629 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3630 CAP_OPT_NONE, true);

--- 141 unchanged lines hidden (view full) ---

3772 int err = 0;
3773
3774 switch (cmd) {
3775 case F_SETFL:
3776 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3777 err = file_has_perm(cred, file, FILE__WRITE);
3778 break;
3779 }
3632 case FIOASYNC:
3633 error = file_has_perm(cred, file, 0);
3634 break;
3635
3636 case KDSKBENT:
3637 case KDSKBSENT:
3638 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3639 CAP_OPT_NONE, true);

--- 141 unchanged lines hidden (view full) ---

3781 int err = 0;
3782
3783 switch (cmd) {
3784 case F_SETFL:
3785 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3786 err = file_has_perm(cred, file, FILE__WRITE);
3787 break;
3788 }
3780 fallthrough;
3789 /* fall through */
3781 case F_SETOWN:
3782 case F_SETSIG:
3783 case F_GETFL:
3784 case F_GETOWN:
3785 case F_GETSIG:
3786 case F_GETOWNER_UIDS:
3787 /* Just check FD__USE permission */
3788 err = file_has_perm(cred, file, 0);

--- 644 unchanged lines hidden (view full) ---

4433/**
4434 * selinux_conn_sid - Determine the child socket label for a connection
4435 * @sk_sid: the parent socket's SID
4436 * @skb_sid: the packet's SID
4437 * @conn_sid: the resulting connection SID
4438 *
4439 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4440 * combined with the MLS information from @skb_sid in order to create
3790 case F_SETOWN:
3791 case F_SETSIG:
3792 case F_GETFL:
3793 case F_GETOWN:
3794 case F_GETSIG:
3795 case F_GETOWNER_UIDS:
3796 /* Just check FD__USE permission */
3797 err = file_has_perm(cred, file, 0);

--- 644 unchanged lines hidden (view full) ---

4442/**
4443 * selinux_conn_sid - Determine the child socket label for a connection
4444 * @sk_sid: the parent socket's SID
4445 * @skb_sid: the packet's SID
4446 * @conn_sid: the resulting connection SID
4447 *
4448 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4449 * combined with the MLS information from @skb_sid in order to create
4441 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4450 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4442 * of @sk_sid. Returns zero on success, negative values on failure.
4443 *
4444 */
4445static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4446{
4447 int err = 0;
4448
4449 if (skb_sid != SECSID_NULL)

--- 853 unchanged lines hidden (view full) ---

5303 case SCTP_PARAM_ADD_IP:
5304 case SCTP_SENDMSG_CONNECT:
5305 err = selinux_socket_connect_helper(sock, addr, len);
5306 if (err)
5307 return err;
5308
5309 /* As selinux_sctp_bind_connect() is called by the
5310 * SCTP protocol layer, the socket is already locked,
4451 * of @sk_sid. Returns zero on success, negative values on failure.
4452 *
4453 */
4454static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4455{
4456 int err = 0;
4457
4458 if (skb_sid != SECSID_NULL)

--- 853 unchanged lines hidden (view full) ---

5312 case SCTP_PARAM_ADD_IP:
5313 case SCTP_SENDMSG_CONNECT:
5314 err = selinux_socket_connect_helper(sock, addr, len);
5315 if (err)
5316 return err;
5317
5318 /* As selinux_sctp_bind_connect() is called by the
5319 * SCTP protocol layer, the socket is already locked,
5311 * therefore selinux_netlbl_socket_connect_locked() is
5320 * therefore selinux_netlbl_socket_connect_locked()
5312 * is called here. The situations handled are:
5313 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5314 * whenever a new IP address is added or when a new
5315 * primary address is selected.
5316 * Note that an SCTP connect(2) call happens before
5317 * the SCTP protocol layer and is handled via
5318 * selinux_socket_connect().
5319 */

--- 2097 unchanged lines hidden ---
5321 * is called here. The situations handled are:
5322 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5323 * whenever a new IP address is added or when a new
5324 * primary address is selected.
5325 * Note that an SCTP connect(2) call happens before
5326 * the SCTP protocol layer and is handled via
5327 * selinux_socket_connect().
5328 */

--- 2097 unchanged lines hidden ---
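Review bot: The early `if (!selinux_initialized(&selinux_state)) return 0;` at 3274-3276 (on the side whose numbering runs three lines ahead) lets any caller strip the SELinux xattr while no policy is loaded, which directly contradicts the comment left in place just below it (`No one is allowed to remove a SELinux security label ... all data must be labeled`); the enclosing function starts outside this hunk, so the xattr name check that presumably precedes it is not visible here. If pre-policy removal is intended, the comment should say so, e.g. `/* Before policy is loaded the label may be removed; once initialized no one may remove a SELinux security label - you can change it, but all data must be labeled. */`, so the weakened invariant is documented where the next reader will look. Separately, in selinux_file_ioctl the `/* fall through */` comments inserted between adjacent case labels (3612, 3614, 3616, 3618, 3624, 3631) mark no real fallthrough and add nothing a compiler checks, while at 3789 the same side replaces the `fallthrough;` pseudo-keyword with a comment. If the tree already uses `fallthrough` elsewhere, keep the keyword form, which -Wimplicit-fallthrough can verify, and drop the label-only comments.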