2004-06-22 15:07:31

by Stephen Smalley

Subject: [PATCH][SELINUX] Extend and revise calls to secondary module

This patch extends the set of calls to the secondary security module
by SELinux as well as revising a few existing calls to support other
security modules and to more cleanly stack with the capability module.
Please apply.

Signed-off-by: Stephen Smalley <[email protected]>

security/selinux/hooks.c | 94 ++++++++++++++++++++++++++++++++++++++++++-----
1 files changed, 85 insertions(+), 9 deletions(-)

Index: linux-2.6/security/selinux/hooks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.112
diff -u -p -r1.112 hooks.c
--- linux-2.6/security/selinux/hooks.c 16 Jun 2004 14:49:42 -0000 1.112
+++ linux-2.6/security/selinux/hooks.c 22 Jun 2004 14:14:59 -0000
@@ -1389,11 +1389,11 @@ static int selinux_capset_check(struct t
{
int error;

- error = task_has_perm(current, target, PROCESS__SETCAP);
+ error = secondary_ops->capset_check(target, effective, inheritable, permitted);
if (error)
return error;

- return secondary_ops->capset_check(target, effective, inheritable, permitted);
+ return task_has_perm(current, target, PROCESS__SETCAP);
}
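Review bot: Swapping the two checks changes more than stacking order: PROCESS__SETCAP is now evaluated only after the secondary module has approved the request, so a request the capability module rejects presumably no longer produces an SELinux AVC denial record, whereas before it did. That is a defensible choice, but nothing in the hunk says it is intentional, and a later reader may "fix" the order back. Suggest a comment above the first call: `/* Run the secondary (capability) check first so SELinux only evaluates, and audits, requests the secondary module would have allowed. */`. The function's signature is in the hunk header, outside the visible lines.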

static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
@@ -1427,6 +1427,10 @@ static int selinux_sysctl(ctl_table *tab
u32 tsid;
int rc;

+ rc = secondary_ops->sysctl(table, op);
+ if (rc)
+ return rc;
+
tsec = current->security;

rc = selinux_proc_get_sid(table->de, (op == 001) ?
@@ -1690,7 +1694,7 @@ static int selinux_bprm_set_security(str

static int selinux_bprm_check_security (struct linux_binprm *bprm)
{
- return 0;
+ return secondary_ops->bprm_check_security(bprm);
}


@@ -1708,12 +1712,7 @@ static int selinux_bprm_secureexec (stru
PROCESS__NOATSECURE, NULL, NULL);
}

- /* Note that we must include the legacy uid/gid test below
- to retain it, as the new userland will simply use the
- value passed by AT_SECURE to decide whether to enable
- secure mode. */
- return ( atsecure || current->euid != current->uid ||
- current->egid != current->gid);
+ return (atsecure || secondary_ops->bprm_secureexec(bprm));
}
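Review bot: The removed comment explained that the euid/uid and egid/gid comparison had to stay because userland now trusts AT_SECURE alone; the new line drops that test from SELinux and relies entirely on `secondary_ops->bprm_secureexec`. That is only safe if every module SELinux can be stacked with, the capability module or whatever stands in for it when it is absent, performs the same comparison, otherwise a setuid binary would be exec'd with AT_SECURE clear. I cannot see the secondary implementations here, so please confirm that, and keep a short version of the comment so the dependency stays visible: `/* The legacy euid/uid, egid/gid test is now the secondary module's responsibility; SELinux only contributes the noatsecure result. */`. The start of selinux_bprm_secureexec lies outside the hunk.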

static void selinux_bprm_free_security(struct linux_binprm *bprm)
@@ -2058,6 +2057,12 @@ static int selinux_mount(char * dev_name
unsigned long flags,
void * data)
{
+ int rc;
+
+ rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
+ if (rc)
+ return rc;
+
if (flags & MS_REMOUNT)
return superblock_has_perm(current, nd->mnt->mnt_sb,
FILESYSTEM__REMOUNT, NULL);
@@ -2068,6 +2073,12 @@ static int selinux_mount(char * dev_name

static int selinux_umount(struct vfsmount *mnt, int flags)
{
+ int rc;
+
+ rc = secondary_ops->sb_umount(mnt, flags);
+ if (rc)
+ return rc;
+
return superblock_has_perm(current,mnt->mnt_sb,
FILESYSTEM__UNMOUNT,NULL);
}
@@ -2111,6 +2122,11 @@ static void selinux_inode_post_link(stru

static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
{
+ int rc;
+
+ rc = secondary_ops->inode_unlink(dir, dentry);
+ if (rc)
+ return rc;
return may_link(dir, dentry, MAY_UNLINK);
}
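Review bot: In selinux_inode_unlink the added `return rc;` runs straight into `return may_link(dir, dentry, MAY_UNLINK);` with no separating blank line, unlike every other hook touched by this patch (mknod, setattr, mount, umount all leave one). Add the blank line so the secondary-check prologue reads the same everywhere.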

@@ -2141,6 +2157,12 @@ static int selinux_inode_rmdir(struct in

static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
{
+ int rc;
+
+ rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
+ if (rc)
+ return rc;
+
return may_create(dir, dentry, inode_mode_to_security_class(mode));
}

@@ -2179,6 +2201,12 @@ static int selinux_inode_follow_link(str
static int selinux_inode_permission(struct inode *inode, int mask,
struct nameidata *nd)
{
+ int rc;
+
+ rc = secondary_ops->inode_permission(inode, mask, nd);
+ if (rc)
+ return rc;
+
if (!mask) {
/* No permission to check. Existence test. */
return 0;
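Review bot: The new secondary call in selinux_inode_permission sits above the `if (!mask)` shortcut, so every existence-only probe that SELinux itself declines to mediate is still dispatched to the secondary module on the path-walk hot path. If that is deliberate, because a stacked module may want to see mask==0 lookups, a one-line comment such as `/* Secondary module sees existence tests too; SELinux skips them below. */` would save the next reader the question; if it is not, the call belongs below the early return. The function continues past the hunk.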
@@ -2190,6 +2218,12 @@ static int selinux_inode_permission(stru

static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
{
+ int rc;
+
+ rc = secondary_ops->inode_setattr(dentry, iattr);
+ if (rc)
+ return rc;
+
if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
ATTR_ATIME_SET | ATTR_MTIME_SET))
return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
@@ -2456,6 +2490,11 @@ static int selinux_file_ioctl(struct fil
static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
{
u32 av;
+ int rc;
+
+ rc = secondary_ops->file_mmap(file, prot, flags);
+ if (rc)
+ return rc;

if (file) {
/* read access is always possible with a mapping */
@@ -2476,6 +2515,12 @@ static int selinux_file_mmap(struct file
static int selinux_file_mprotect(struct vm_area_struct *vma,
unsigned long prot)
{
+ int rc;
+
+ rc = secondary_ops->file_mprotect(vma, prot);
+ if (rc)
+ return rc;
+
return selinux_file_mmap(vma->vm_file, prot, vma->vm_flags);
}
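Review bot: selinux_file_mprotect now invokes the secondary module twice: once through the added `secondary_ops->file_mprotect(vma, prot)` and again through `secondary_ops->file_mmap` inside the `selinux_file_mmap(vma->vm_file, prot, vma->vm_flags)` it still calls, which was added to that function in the previous hunk. For the capability module this is probably harmless, but for the third-party modules this patch is meant to enable it means an mprotect shows up as a spurious mmap hook call with vma->vm_flags passed as the mmap flags. I would move SELinux's own mapping logic into a static helper that both hooks call, so each hook reaches the secondary module exactly once. The body of selinux_file_mmap that the helper would absorb lies outside the hunks shown.
```c
/* SELinux's own mmap/mprotect permission logic, shared by both hooks so
 * that only the hook actually invoked reaches the secondary module. */
static int file_map_prot_check(struct file *file, unsigned long prot, unsigned long flags)
{
	u32 av;

	/* … unchanged: former body of selinux_file_mmap from "if (file) {" on … */
}

static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
{
	int rc;

	rc = secondary_ops->file_mmap(file, prot, flags);
	if (rc)
		return rc;

	return file_map_prot_check(file, prot, flags);
}

static int selinux_file_mprotect(struct vm_area_struct *vma,
				 unsigned long prot)
{
	int rc;

	rc = secondary_ops->file_mprotect(vma, prot);
	if (rc)
		return rc;

	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags);
}
```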

@@ -2573,6 +2618,12 @@ static int selinux_file_receive(struct f

static int selinux_task_create(unsigned long clone_flags)
{
+ int rc;
+
+ rc = secondary_ops->task_create(clone_flags);
+ if (rc)
+ return rc;
+
return task_has_perm(current, current, PROCESS__FORK);
}

@@ -2648,13 +2699,24 @@ static int selinux_task_setgroups(struct

static int selinux_task_setnice(struct task_struct *p, int nice)
{
+ int rc;
+
+ rc = secondary_ops->task_setnice(p, nice);
+ if (rc)
+ return rc;
+
return task_has_perm(current,p, PROCESS__SETSCHED);
}

static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
{
struct rlimit *old_rlim = current->rlim + resource;
+ int rc;

+ rc = secondary_ops->task_setrlimit(resource, new_rlim);
+ if (rc)
+ return rc;
+
/* Control the ability to change the hard limit (whether
lowering or raising it), so that the hard limit can
later be used as a safe reset point for the soft limit
@@ -2688,6 +2750,11 @@ static int selinux_task_getscheduler(str
static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
{
u32 perm;
+ int rc;
+
+ rc = secondary_ops->task_kill(p, info, sig);
+ if (rc)
+ return rc;

if (info && ((unsigned long)info == 1 ||
(unsigned long)info == 2 || SI_FROMKERNEL(info)))
@@ -3129,6 +3196,10 @@ static int selinux_socket_unix_stream_co
struct avc_audit_data ad;
int err;

+ err = secondary_ops->unix_stream_connect(sock, other, newsk);
+ if (err)
+ return err;
+
isec = SOCK_INODE(sock)->i_security;
other_isec = SOCK_INODE(other)->i_security;

@@ -3847,6 +3918,11 @@ static int selinux_shm_shmat(struct shmi
char __user *shmaddr, int shmflg)
{
u32 perms;
+ int rc;
+
+ rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
+ if (rc)
+ return rc;

if (shmflg & SHM_RDONLY)
perms = SHM__READ;


--
Stephen Smalley <[email protected]>
National Security Agency


2004-06-24 13:58:50

by Valdis Klētnieks

Subject: Re: [PATCH][SELINUX] Extend and revise calls to secondary module

On Tue, 22 Jun 2004 10:49:45 EDT, you said:
> This patch extends the set of calls to the secondary security module
> by SELinux as well as revising a few existing calls to support other
> security modules and to more cleanly stack with the capability module.
> Please apply.
>
> Signed-off-by: Stephen Smalley <[email protected]>

Thank you. :)

For those who tuned in late, this patch is a superset of a patch I had to make to
get some LSM work of mine to play nice with SELinux (my original request to the
SELinux crew included 2 other hooks which I since retracted, having found other
solutions).

It also addresses at least some of the things that Serge Hallyn was looking at
doing with some other LSM work, and also cleans up some issues for yet a third
thing that Serge and I were semi-collaborating on (no Serge, I hadn't forgotten
about that, I was sort of dragging my feet waiting for this patch to show up
and make my life a lot simpler.. ;)




2004-06-24 14:04:22

by James Morris

Subject: Re: [PATCH][SELINUX] Extend and revise calls to secondary module

On Thu, 24 Jun 2004 [email protected] wrote:

> For those who tuned in late, this patch is a superset of a patch I had to make to
> get some LSM work of mine to play nice with SELinux (my original request to the
> SELinux crew included 2 other hooks which I since retracted, having found other
> solutions).
>
> It also addresses at least some of the things that Serge Hallyn was looking at
> doing with some other LSM work, and also cleans up some issues for yet a third
> thing that Serge and I were semi-collaborating on (no Serge, I hadn't forgotten
> about that, I was sort of dragging my feet waiting for this patch to show up
> and make my life a lot simpler.. ;)

Is any of this work heading into the mainline kernel?


- James
--
James Morris
<[email protected]>


2004-06-24 14:46:06

by Serge E. Hallyn

Subject: Re: [PATCH][SELINUX] Extend and revise calls to secondary module

On Thu, 2004-06-24 at 09:04, James Morris wrote:
> Is any of this work heading into the mainline kernel?

At least for stacking, I/we hope to submit two separate patches at some
point:

1. Permit multiplexing of kernel object security fields between multiple
LSM's, like trustedbsd's does. Without this, many modules which it
makes sense to stack, cannot be stacked. For instance, bsdjail and (as
of recently) DigSig, and either or both of the above with SELinux.

2. A (simpler than my current) stacker LSM.

But I definately hope they're heading into the mainline kernel :-)

--
=======================================================
Serge Hallyn
Security Software Engineer, IBM Linux Technology Center
[email protected]