summaryrefslogtreecommitdiff
path: root/security/selinux
diff options
context:
space:
mode:
authorOndrej Mosnacek <omosnace@redhat.com>2019-02-22 17:57:17 +0300
committerPaul Moore <paul@paul-moore.com>2019-03-21 05:07:45 +0300
commitec882da5cda911e799b8a5ede94d099fdc0c656b (patch)
treeb7a09e2138b42635095aa4c43022fd53d526ab77 /security/selinux
parentb230d5aba2d1a7b0636408889a75bf9eae6b8bc7 (diff)
downloadlinux-ec882da5cda911e799b8a5ede94d099fdc0c656b.tar.xz
selinux: implement the kernfs_init_security hook
The hook applies the same logic as selinux_determine_inode_label(), with the exception of the super_block handling, which will be enforced on the actual inodes later by other hooks. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> [PM: minor merge fixes] Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c66
1 files changed, 66 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 085409b36794..ab4b049daf17 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -89,6 +89,8 @@
#include <linux/msg.h>
#include <linux/shm.h>
#include <linux/bpf.h>
+#include <linux/kernfs.h>
+#include <linux/stringhash.h> /* for hashlen_string() */
#include <uapi/linux/mount.h>
#include "avc.h"
@@ -3382,6 +3384,68 @@ static int selinux_inode_copy_up_xattr(const char *name)
return -EOPNOTSUPP;
}
+/* kernfs node operations */
+
+int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
+ struct kernfs_node *kn)
+{
+ const struct task_security_struct *tsec = current_security();
+ u32 parent_sid, newsid, clen;
+ int rc;
+ char *context;
+
+ rc = kernfs_security_xattr_get(kn_dir, XATTR_SELINUX_SUFFIX, NULL, 0);
+ if (rc == -ENODATA)
+ return 0;
+ else if (rc < 0)
+ return rc;
+
+ clen = (u32)rc;
+ context = kmalloc(clen, GFP_KERNEL);
+ if (!context)
+ return -ENOMEM;
+
+ rc = kernfs_security_xattr_get(kn_dir, XATTR_SELINUX_SUFFIX, context,
+ clen);
+ if (rc < 0) {
+ kfree(context);
+ return rc;
+ }
+
+ rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
+ GFP_KERNEL);
+ kfree(context);
+ if (rc)
+ return rc;
+
+ if (tsec->create_sid) {
+ newsid = tsec->create_sid;
+ } else {
+ u16 secclass = inode_mode_to_security_class(kn->mode);
+ struct qstr q;
+
+ q.name = kn->name;
+ q.hash_len = hashlen_string(kn_dir, kn->name);
+
+ rc = security_transition_sid(&selinux_state, tsec->sid,
+ parent_sid, secclass, &q,
+ &newsid);
+ if (rc)
+ return rc;
+ }
+
+ rc = security_sid_to_context_force(&selinux_state, newsid,
+ &context, &clen);
+ if (rc)
+ return rc;
+
+ rc = kernfs_security_xattr_set(kn, XATTR_SELINUX_SUFFIX, context, clen,
+ XATTR_CREATE);
+ kfree(context);
+ return rc;
+}
+
+
/* file security operations */
static int selinux_revalidate_file_permission(struct file *file, int mask)
@@ -6730,6 +6794,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
+ LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
+
LSM_HOOK_INIT(file_permission, selinux_file_permission),
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),