diff options
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 84 | 
1 files changed, 57 insertions, 27 deletions
| diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a6bf90ace84c..3448454c82d0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2920,23 +2920,22 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,  	struct superblock_security_struct *sbsec;  	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);  	u32 newsid, clen; +	u16 newsclass;  	int rc;  	char *context;  	sbsec = selinux_superblock(dir->i_sb);  	newsid = tsec->create_sid; - -	rc = selinux_determine_inode_label(tsec, dir, qstr, -		inode_mode_to_security_class(inode->i_mode), -		&newsid); +	newsclass = inode_mode_to_security_class(inode->i_mode); +	rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid);  	if (rc)  		return rc;  	/* Possibly defer initialization to selinux_complete_init. */  	if (sbsec->flags & SE_SBINITIALIZED) {  		struct inode_security_struct *isec = selinux_inode(inode); -		isec->sclass = inode_mode_to_security_class(inode->i_mode); +		isec->sclass = newsclass;  		isec->sid = newsid;  		isec->initialized = LABEL_INITIALIZED;  	} @@ -3136,7 +3135,8 @@ static int selinux_inode_permission(struct inode *inode, int mask)  	return rc;  } -static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) +static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, +				 struct iattr *iattr)  {  	const struct cred *cred = current_cred();  	struct inode *inode = d_backing_inode(dentry); @@ -3534,9 +3534,10 @@ static int selinux_inode_copy_up_xattr(const char *name)  {  	/* The copy_up hook above sets the initial context on an inode, but we  	 * don't then want to overwrite it by blindly copying all the lower -	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs. +	 * xattrs up.  Instead, filter out SELinux-related xattrs following +	 * policy load.  	 */ -	if (strcmp(name, XATTR_NAME_SELINUX) == 0) +	if (selinux_initialized() && strcmp(name, XATTR_NAME_SELINUX) == 0)  		return 1; /* Discard */  	/*  	 * Any other attribute apart from SELINUX is not claimed, supported @@ -5194,11 +5195,11 @@ out_len:  	return err;  } -static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +static int selinux_socket_getpeersec_dgram(struct socket *sock, +					   struct sk_buff *skb, u32 *secid)  {  	u32 peer_secid = SECSID_NULL;  	u16 family; -	struct inode_security_struct *isec;  	if (skb && skb->protocol == htons(ETH_P_IP))  		family = PF_INET; @@ -5206,19 +5207,21 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *  		family = PF_INET6;  	else if (sock)  		family = sock->sk->sk_family; -	else -		goto out; +	else { +		*secid = SECSID_NULL; +		return -EINVAL; +	}  	if (sock && family == PF_UNIX) { +		struct inode_security_struct *isec;  		isec = inode_security_novalidate(SOCK_INODE(sock));  		peer_secid = isec->sid;  	} else if (skb)  		selinux_skb_peerlbl_sid(skb, family, &peer_secid); -out:  	*secid = peer_secid;  	if (peer_secid == SECSID_NULL) -		return -EINVAL; +		return -ENOPROTOOPT;  	return 0;  } @@ -6556,10 +6559,10 @@ abort_change:   * There will only ever be one attribute.   */  static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, -			       size_t *size, u32 flags) +			       u32 *size, u32 flags)  {  	int rc; -	char *val; +	char *val = NULL;  	int val_len;  	val_len = selinux_lsm_getattr(attr, current, &val); @@ -6571,7 +6574,7 @@ static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,  }  static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx, -			       size_t size, u32 flags) +			       u32 size, u32 flags)  {  	int rc; @@ -6920,7 +6923,8 @@ static int selinux_bpf_prog(struct bpf_prog *prog)  			    BPF__PROG_RUN, NULL);  } -static int selinux_bpf_map_alloc(struct bpf_map *map) +static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr, +				  struct bpf_token *token)  {  	struct bpf_security_struct *bpfsec; @@ -6942,7 +6946,31 @@ static void selinux_bpf_map_free(struct bpf_map *map)  	kfree(bpfsec);  } -static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) +static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr, +				 struct bpf_token *token) +{ +	struct bpf_security_struct *bpfsec; + +	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); +	if (!bpfsec) +		return -ENOMEM; + +	bpfsec->sid = current_sid(); +	prog->aux->security = bpfsec; + +	return 0; +} + +static void selinux_bpf_prog_free(struct bpf_prog *prog) +{ +	struct bpf_security_struct *bpfsec = prog->aux->security; + +	prog->aux->security = NULL; +	kfree(bpfsec); +} + +static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr, +				    struct path *path)  {  	struct bpf_security_struct *bpfsec; @@ -6951,16 +6979,16 @@ static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)  		return -ENOMEM;  	bpfsec->sid = current_sid(); -	aux->security = bpfsec; +	token->security = bpfsec;  	return 0;  } -static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) +static void selinux_bpf_token_free(struct bpf_token *token)  { -	struct bpf_security_struct *bpfsec = aux->security; +	struct bpf_security_struct *bpfsec = token->security; -	aux->security = NULL; +	token->security = NULL;  	kfree(bpfsec);  }  #endif @@ -7324,8 +7352,9 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {  	LSM_HOOK_INIT(bpf, selinux_bpf),  	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),  	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), -	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), -	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), +	LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free), +	LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free), +	LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),  #endif  #ifdef CONFIG_PERF_EVENTS @@ -7382,8 +7411,9 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {  	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),  #endif  #ifdef CONFIG_BPF_SYSCALL -	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), -	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), +	LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create), +	LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load), +	LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create),  #endif  #ifdef CONFIG_PERF_EVENTS  	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), |