hooks.c - OpenGrok cross reference for /linux/security/selinux/hooks.c

Deleted Added

sdiffudifftextold (5d2d4a9f..)new (ae254858..)

hooks.c (5d2d4a9f603a47403395408f64b1261ca61f6d50)	hooks.c (ae254858ce0745aba25d107159b580ab5fdada5b)
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com> 8 * Chris Vance, <cvance@nai.com> --- 2301 unchanged lines hidden (view full) --- 2310 new_tsec->sid = old_tsec->sid; 2311 new_tsec->osid = old_tsec->sid; 2312 2313 /* Reset fs, key, and sock SIDs on execve. */ 2314 new_tsec->create_sid = 0; 2315 new_tsec->keycreate_sid = 0; 2316 new_tsec->sockcreate_sid = 0; 2317	1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com> 8 * Chris Vance, <cvance@nai.com> --- 2301 unchanged lines hidden (view full) --- 2310 new_tsec->sid = old_tsec->sid; 2311 new_tsec->osid = old_tsec->sid; 2312 2313 /* Reset fs, key, and sock SIDs on execve. */ 2314 new_tsec->create_sid = 0; 2315 new_tsec->keycreate_sid = 0; 2316 new_tsec->sockcreate_sid = 0; 2317
	2318 /* 2319 * Before policy is loaded, label any task outside kernel space 2320 * as SECINITSID_INIT, so that any userspace tasks surviving from 2321 * early boot end up with a label different from SECINITSID_KERNEL 2322 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). 2323 / 2324 if (!selinux_initialized()) { 2325 new_tsec->sid = SECINITSID_INIT; 2326 / also clear the exec_sid just in case */ 2327 new_tsec->exec_sid = 0; 2328 return 0; 2329 } 2330
2318 if (old_tsec->exec_sid) { 2319 new_tsec->sid = old_tsec->exec_sid; 2320 /* Reset exec SID on execve. / 2321 new_tsec->exec_sid = 0; 2322 2323 / Fail on NNP or nosuid if not an allowed transition. / 2324 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2325 if (rc) --- 2222 unchanged lines hidden* (view full) --- 4548{ 4549 struct sk_security_struct *sksec = sk->sk_security; 4550 struct common_audit_data ad; 4551 struct lsm_network_audit net; 4552 4553 if (sksec->sid == SECINITSID_KERNEL) 4554 return 0; 4555	2331 if (old_tsec->exec_sid) { 2332 new_tsec->sid = old_tsec->exec_sid; 2333 /* Reset exec SID on execve. / 2334 new_tsec->exec_sid = 0; 2335 2336 / Fail on NNP or nosuid if not an allowed transition. / 2337 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2338 if (rc) --- 2222 unchanged lines hidden* (view full) --- 4561{ 4562 struct sk_security_struct *sksec = sk->sk_security; 4563 struct common_audit_data ad; 4564 struct lsm_network_audit net; 4565 4566 if (sksec->sid == SECINITSID_KERNEL) 4567 return 0; 4568
	4569 /* 4570 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that 4571 * inherited the kernel context from early boot used to be skipped 4572 * here, so preserve that behavior unless the capability is set. 4573 * 4574 * By setting the capability the policy signals that it is ready 4575 * for this quirk to be fixed. Note that sockets created by a kernel 4576 * thread or a usermode helper executed without a transition will 4577 * still be skipped in this check regardless of the policycap 4578 * setting. 4579 */ 4580 if (!selinux_policycap_userspace_initial_context() && 4581 sksec->sid == SECINITSID_INIT) 4582 return 0; 4583
4556 ad_net_init_from_sk(&ad, &net, sk); 4557 4558 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4559 &ad); 4560} 4561 4562static int selinux_socket_create(int family, int type, 4563 int protocol, int kern) --- 2827 unchanged lines hidden ---	4584 ad_net_init_from_sk(&ad, &net, sk); 4585 4586 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4587 &ad); 4588} 4589 4590static int selinux_socket_create(int family, int type, 4591 int protocol, int kern) --- 2827 unchanged lines hidden ---