hooks.c (6bcdfd2cac5559c680aef8dd4c5facada55ab623) hooks.c (5b0eea835d4e9cb5229e696c5763929fc2394f39)
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>

--- 90 unchanged lines hidden (view full) ---

99#include "netnode.h"
100#include "netport.h"
101#include "ibpkey.h"
102#include "xfrm.h"
103#include "netlabel.h"
104#include "audit.h"
105#include "avc_ss.h"
106
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>

--- 90 unchanged lines hidden (view full) ---

99#include "netnode.h"
100#include "netport.h"
101#include "ibpkey.h"
102#include "xfrm.h"
103#include "netlabel.h"
104#include "audit.h"
105#include "avc_ss.h"
106
107#define SELINUX_INODE_INIT_XATTRS 1
108
109struct selinux_state selinux_state;
110
111/* SECMARK reference count */
112static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
113
114#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
115static int selinux_enforcing_boot __initdata;
116

--- 2168 unchanged lines hidden (view full) ---

2285 new_tsec->sid = old_tsec->sid;
2286 new_tsec->osid = old_tsec->sid;
2287
2288 /* Reset fs, key, and sock SIDs on execve. */
2289 new_tsec->create_sid = 0;
2290 new_tsec->keycreate_sid = 0;
2291 new_tsec->sockcreate_sid = 0;
2292
107struct selinux_state selinux_state;
108
109/* SECMARK reference count */
110static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111
112#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113static int selinux_enforcing_boot __initdata;
114

--- 2168 unchanged lines hidden (view full) ---

2283 new_tsec->sid = old_tsec->sid;
2284 new_tsec->osid = old_tsec->sid;
2285
2286 /* Reset fs, key, and sock SIDs on execve. */
2287 new_tsec->create_sid = 0;
2288 new_tsec->keycreate_sid = 0;
2289 new_tsec->sockcreate_sid = 0;
2290
2291 /*
2292 * Before policy is loaded, label any task outside kernel space
2293 * as SECINITSID_INIT, so that any userspace tasks surviving from
2294 * early boot end up with a label different from SECINITSID_KERNEL
2295 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
2296 */
2297 if (!selinux_initialized()) {
2298 new_tsec->sid = SECINITSID_INIT;
2299 /* also clear the exec_sid just in case */
2300 new_tsec->exec_sid = 0;
2301 return 0;
2302 }
2303
2293 if (old_tsec->exec_sid) {
2294 new_tsec->sid = old_tsec->exec_sid;
2295 /* Reset exec SID on execve. */
2296 new_tsec->exec_sid = 0;
2297
2298 /* Fail on NNP or nosuid if not an allowed transition. */
2299 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2300 if (rc)

--- 543 unchanged lines hidden (view full) ---

2844
2845 tsec = selinux_cred(new);
2846 tsec->create_sid = newsid;
2847 return 0;
2848}
2849
2850static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2851 const struct qstr *qstr,
2304 if (old_tsec->exec_sid) {
2305 new_tsec->sid = old_tsec->exec_sid;
2306 /* Reset exec SID on execve. */
2307 new_tsec->exec_sid = 0;
2308
2309 /* Fail on NNP or nosuid if not an allowed transition. */
2310 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2311 if (rc)

--- 543 unchanged lines hidden (view full) ---

2855
2856 tsec = selinux_cred(new);
2857 tsec->create_sid = newsid;
2858 return 0;
2859}
2860
2861static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2862 const struct qstr *qstr,
2852 struct xattr *xattrs, int *xattr_count)
2863 const char **name,
2864 void **value, size_t *len)
2853{
2854 const struct task_security_struct *tsec = selinux_cred(current_cred());
2855 struct superblock_security_struct *sbsec;
2865{
2866 const struct task_security_struct *tsec = selinux_cred(current_cred());
2867 struct superblock_security_struct *sbsec;
2856 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2857 u32 newsid, clen;
2858 int rc;
2859 char *context;
2860
2861 sbsec = selinux_superblock(dir->i_sb);
2862
2863 newsid = tsec->create_sid;
2864

--- 10 unchanged lines hidden (view full) ---

2875 isec->sid = newsid;
2876 isec->initialized = LABEL_INITIALIZED;
2877 }
2878
2879 if (!selinux_initialized() ||
2880 !(sbsec->flags & SBLABEL_MNT))
2881 return -EOPNOTSUPP;
2882
2868 u32 newsid, clen;
2869 int rc;
2870 char *context;
2871
2872 sbsec = selinux_superblock(dir->i_sb);
2873
2874 newsid = tsec->create_sid;
2875

--- 10 unchanged lines hidden (view full) ---

2886 isec->sid = newsid;
2887 isec->initialized = LABEL_INITIALIZED;
2888 }
2889
2890 if (!selinux_initialized() ||
2891 !(sbsec->flags & SBLABEL_MNT))
2892 return -EOPNOTSUPP;
2893
2883 if (xattr) {
2894 if (name)
2895 *name = XATTR_SELINUX_SUFFIX;
2896
2897 if (value && len) {
2884 rc = security_sid_to_context_force(newsid,
2885 &context, &clen);
2886 if (rc)
2887 return rc;
2898 rc = security_sid_to_context_force(newsid,
2899 &context, &clen);
2900 if (rc)
2901 return rc;
2888 xattr->value = context;
2889 xattr->value_len = clen;
2890 xattr->name = XATTR_SELINUX_SUFFIX;
2902 *value = context;
2903 *len = clen;
2891 }
2892
2893 return 0;
2894}
2895
2896static int selinux_inode_init_security_anon(struct inode *inode,
2897 const struct qstr *name,
2898 const struct inode *context_inode)

--- 1600 unchanged lines hidden (view full) ---

4499{
4500 struct sk_security_struct *sksec = sk->sk_security;
4501 struct common_audit_data ad;
4502 struct lsm_network_audit net = {0,};
4503
4504 if (sksec->sid == SECINITSID_KERNEL)
4505 return 0;
4506
2904 }
2905
2906 return 0;
2907}
2908
2909static int selinux_inode_init_security_anon(struct inode *inode,
2910 const struct qstr *name,
2911 const struct inode *context_inode)

--- 1600 unchanged lines hidden (view full) ---

4512{
4513 struct sk_security_struct *sksec = sk->sk_security;
4514 struct common_audit_data ad;
4515 struct lsm_network_audit net = {0,};
4516
4517 if (sksec->sid == SECINITSID_KERNEL)
4518 return 0;
4519
4520 /*
4521 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
4522 * inherited the kernel context from early boot used to be skipped
4523 * here, so preserve that behavior unless the capability is set.
4524 *
4525 * By setting the capability the policy signals that it is ready
4526 * for this quirk to be fixed. Note that sockets created by a kernel
4527 * thread or a usermode helper executed without a transition will
4528 * still be skipped in this check regardless of the policycap
4529 * setting.
4530 */
4531 if (!selinux_policycap_userspace_initial_context() &&
4532 sksec->sid == SECINITSID_INIT)
4533 return 0;
4534
4507 ad.type = LSM_AUDIT_DATA_NET;
4508 ad.u.net = &net;
4509 ad.u.net->sk = sk;
4510
4511 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4512 &ad);
4513}
4514

--- 2295 unchanged lines hidden (view full) ---

6810
6811struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
6812 .lbs_cred = sizeof(struct task_security_struct),
6813 .lbs_file = sizeof(struct file_security_struct),
6814 .lbs_inode = sizeof(struct inode_security_struct),
6815 .lbs_ipc = sizeof(struct ipc_security_struct),
6816 .lbs_msg_msg = sizeof(struct msg_security_struct),
6817 .lbs_superblock = sizeof(struct superblock_security_struct),
4535 ad.type = LSM_AUDIT_DATA_NET;
4536 ad.u.net = &net;
4537 ad.u.net->sk = sk;
4538
4539 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4540 &ad);
4541}
4542

--- 2295 unchanged lines hidden (view full) ---

6838
6839struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
6840 .lbs_cred = sizeof(struct task_security_struct),
6841 .lbs_file = sizeof(struct file_security_struct),
6842 .lbs_inode = sizeof(struct inode_security_struct),
6843 .lbs_ipc = sizeof(struct ipc_security_struct),
6844 .lbs_msg_msg = sizeof(struct msg_security_struct),
6845 .lbs_superblock = sizeof(struct superblock_security_struct),
6818 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
6819};
6820
6821#ifdef CONFIG_PERF_EVENTS
6822static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6823{
6824 u32 requested, sid = current_sid();
6825
6826 if (type == PERF_SECURITY_OPEN)

--- 545 unchanged lines hidden ---
6846};
6847
6848#ifdef CONFIG_PERF_EVENTS
6849static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6850{
6851 u32 requested, sid = current_sid();
6852
6853 if (type == PERF_SECURITY_OPEN)

--- 545 unchanged lines hidden ---
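Review bot: The pre-policy early return added at new lines 2297-2302 silently bypasses everything after it in the execve path — the exec_sid transition, `check_nnp_nosuid()` and whatever else the function does below the hunk — and the only reason that is acceptable is that no access decisions are enforced before the policy is loaded, which the comment leaves the reader to infer. I would extend the comment with `Returning here skips the exec_sid transition and the NNP/nosuid check below; that is fine only because nothing is enforced before the policy is loaded, and exec_sid has been cleared above.` The `just in case` remark deserves a plainer statement too: the old code honoured a non-zero exec_sid unconditionally, so if exec_sid can be set before policy load this return is what neutralises it, and that intent should be written down rather than hinted at. The enclosing function starts and ends outside this hunk, so the transition logic that follows the early return was not reviewed here.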