This patch introduces two new hooks. One to get all relavent information from
an LSM about an inode an the second given that context to set it on the
inode. The setcontext call takes a flag to indicate if it should set the incore
representation, the ondisk representation or both.
Signed-off-by: David P. Quigley <dpquigl@xxxxxxxxxxxxx>
---
include/linux/security.h | 18 ++++++++++++++++++
security/dummy.c | 12 ++++++++++++
security/security.c | 12 ++++++++++++
security/selinux/hooks.c | 45 ++++++++++++++++++++++++++++++++++++++++++++-
4 files changed, 86 insertions(+), 1 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index fe52cde..9b1cc6f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -112,6 +112,10 @@ struct request_sock;
#define LSM_UNSAFE_PTRACE 2
#define LSM_UNSAFE_PTRACE_CAP 4
+/* Flags for setcontext */
+#define LSM_SETCORE 1
+#define LSM_SETDISK 2
+
#ifdef CONFIG_SECURITY
/**
@@ -1395,6 +1399,9 @@ struct security_operations {
int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
void (*release_secctx)(char *secdata, u32 seclen);
+ int (*setcontext)(struct dentry *dentry, void *ctx, u32 ctxlen, int flags);
+ int (*getcontext)(struct dentry *dentry, void **ctx, u32 *ctxlen);
+
#ifdef CONFIG_SECURITY_NETWORK
int (*unix_stream_connect) (struct socket * sock,
struct socket * other, struct sock * newsk);
@@ -1634,6 +1641,8 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid);
void security_release_secctx(char *secdata, u32 seclen);
+int security_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int flags);
+int security_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen);
#else /* CONFIG_SECURITY */
/*
@@ -2316,6 +2325,15 @@ static inline int security_secctx_to_secid(char *secdata,
static inline void security_release_secctx(char *secdata, u32 seclen)
{
}
+
+static inline int security_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int flags)
+{
+ return -EOPNOTSUPP;
+}
+static inline int security_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
+{
+ return -EOPNOTSUPP;
+}
#endif /* CONFIG_SECURITY */
#ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/dummy.c b/security/dummy.c
index 649326b..576f9db 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -960,6 +960,16 @@ static void dummy_release_secctx(char *secdata, u32 seclen)
{
}
+static int dummy_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int flags)
+{
+ return -EOPNOTSUPP;
+}
+
+static int dummy_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
+{
+ return -EOPNOTSUPP;
+}
+
#ifdef CONFIG_KEYS
static inline int dummy_key_alloc(struct key *key, struct task_struct *ctx,
unsigned long flags)
@@ -1118,6 +1128,8 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null(ops, secid_to_secctx);
set_to_dummy_if_null(ops, secctx_to_secid);
set_to_dummy_if_null(ops, release_secctx);
+ set_to_dummy_if_null(ops, setcontext);
+ set_to_dummy_if_null(ops, getcontext);
#ifdef CONFIG_SECURITY_NETWORK
set_to_dummy_if_null(ops, unix_stream_connect);
set_to_dummy_if_null(ops, unix_may_send);
diff --git a/security/security.c b/security/security.c
index d15e56c..11871ae 100644
--- a/security/security.c
+++ b/security/security.c
@@ -845,6 +845,18 @@ void security_release_secctx(char *secdata, u32 seclen)
}
EXPORT_SYMBOL(security_release_secctx);
+int security_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int flags)
+{
+ return security_ops->setcontext(dentry, ctx, ctxlen, flags);
+}
+EXPORT_SYMBOL(security_setcontext);
+
+int security_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
+{
+ return security_ops->getcontext(dentry, ctx, ctxlen);
+}
+EXPORT_SYMBOL(security_getcontext);
+
#ifdef CONFIG_SECURITY_NETWORK
int security_unix_stream_connect(struct socket *sock, struct socket *other,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 75c2e99..d28c0ed 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -75,6 +75,7 @@
#include <linux/string.h>
#include <linux/selinux.h>
#include <linux/mutex.h>
+#include <linux/fsnotify.h>
#include "avc.h"
#include "objsec.h"
@@ -5163,6 +5164,47 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
kfree(secdata);
}
+/*
+ * This hook requires that the inode i_mutex be locked
+ */
+static int selinux_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int flags)
+{
+ struct inode *inode = dentry->d_inode;
+ int rc = 0;
+
+ if (flags & LSM_SETCORE) {
+ rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
+ ctx, ctxlen, 0);
+ if(rc)
+ return rc;
+ }
+ if (flags & LSM_SETDISK) {
+ rc = -EOPNOTSUPP;
+ if (inode->i_op->setxattr) {
+ rc = inode->i_op->setxattr(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
+ if (!rc) {
+ fsnotify_xattr(dentry);
+ security_inode_post_setxattr(dentry, XATTR_NAME_SELINUX, ctx,
+ ctxlen, 0);
+ }
+ } else {
+ rc = security_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx,
+ ctxlen, 0);
+ if (!rc)
+ fsnotify_xattr(dentry);
+ }
+ }
+
+ return rc;
+}
+static int selinux_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
+{
+ struct inode *inode = dentry->d_inode;
+
+ *ctxlen = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
+ ctx, true);
+ return *ctxlen;
+}
#ifdef CONFIG_KEYS
static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
@@ -5351,7 +5393,8 @@ static struct security_operations selinux_ops = {
.secid_to_secctx = selinux_secid_to_secctx,
.secctx_to_secid = selinux_secctx_to_secid,
.release_secctx = selinux_release_secctx,
-
+ .setcontext = selinux_setcontext,
+ .getcontext = selinux_getcontext,
.unix_stream_connect = selinux_socket_unix_stream_connect,
.unix_may_send = selinux_socket_unix_may_send,
--
1.5.4.1
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
