git.samba.org / sfrench / cifs-2.6.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge tag 'selinux-pr-20180516' of git://git.kernel.org/pub/scm/linux/kernel/git...
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index efeb1db8f61d45ca4e3c5a3b4486dcbf1c8610c2..be5817df0a9d98eab91b059d814f27322d8e7665 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3947,6 +3947,11 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
        *tsec = *old_tsec;
 }
 
+static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
+{
+       *secid = cred_sid(c);
+}
+
 /*
  * set the security data for a kernel service
  * - all the creation contexts are set to unlabelled
@@ -4156,16 +4161,19 @@ static int selinux_task_movememory(struct task_struct *p)
 }
 
 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
-                               int sig, u32 secid)
+                               int sig, const struct cred *cred)
 {
+       u32 secid;
        u32 perm;
 
        if (!sig)
                perm = PROCESS__SIGNULL; /* null signal; existence test */
        else
                perm = signal_to_av(sig);
-       if (!secid)
+       if (!cred)
                secid = current_sid();
+       else
+               secid = cred_sid(cred);
        return avc_has_perm(&selinux_state,
                            secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
 }
@@ -5943,54 +5951,54 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg)
 }
 
 /* message queue security operations */
-static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
+static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
 {
        struct ipc_security_struct *isec;
        struct common_audit_data ad;
        u32 sid = current_sid();
        int rc;
 
-       rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
+       rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
        if (rc)
                return rc;
 
-       isec = msq->q_perm.security;
+       isec = msq->security;
 
        ad.type = LSM_AUDIT_DATA_IPC;
-       ad.u.ipc_id = msq->q_perm.key;
+       ad.u.ipc_id = msq->key;
 
        rc = avc_has_perm(&selinux_state,
                          sid, isec->sid, SECCLASS_MSGQ,
                          MSGQ__CREATE, &ad);
        if (rc) {
-               ipc_free_security(&msq->q_perm);
+               ipc_free_security(msq);
                return rc;
        }
        return 0;
 }
 
-static void selinux_msg_queue_free_security(struct msg_queue *msq)
+static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
 {
-       ipc_free_security(&msq->q_perm);
+       ipc_free_security(msq);
 }
 
-static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
+static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
 {
        struct ipc_security_struct *isec;
        struct common_audit_data ad;
        u32 sid = current_sid();
 
-       isec = msq->q_perm.security;
+       isec = msq->security;
 
        ad.type = LSM_AUDIT_DATA_IPC;
-       ad.u.ipc_id = msq->q_perm.key;
+       ad.u.ipc_id = msq->key;
 
        return avc_has_perm(&selinux_state,
                            sid, isec->sid, SECCLASS_MSGQ,
                            MSGQ__ASSOCIATE, &ad);
 }
 
-static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
+static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
 {
        int err;
        int perms;
@@ -6004,6 +6012,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
                                    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
        case IPC_STAT:
        case MSG_STAT:
+       case MSG_STAT_ANY:
                perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
                break;
        case IPC_SET:
@@ -6016,11 +6025,11 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
                return 0;
        }
 
-       err = ipc_has_perm(&msq->q_perm, perms);
+       err = ipc_has_perm(msq, perms);
        return err;
 }
 
-static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
+static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
 {
        struct ipc_security_struct *isec;
        struct msg_security_struct *msec;
@@ -6028,7 +6037,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
        u32 sid = current_sid();
        int rc;
 
-       isec = msq->q_perm.security;
+       isec = msq->security;
        msec = msg->security;
 
        /*
@@ -6046,7 +6055,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
        }
 
        ad.type = LSM_AUDIT_DATA_IPC;
-       ad.u.ipc_id = msq->q_perm.key;
+       ad.u.ipc_id = msq->key;
 
        /* Can this process write to the queue? */
        rc = avc_has_perm(&selinux_state,
@@ -6066,7 +6075,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
        return rc;
 }
 
-static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
+static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
                                    struct task_struct *target,
                                    long type, int mode)
 {
@@ -6076,11 +6085,11 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
        u32 sid = task_sid(target);
        int rc;
 
-       isec = msq->q_perm.security;
+       isec = msq->security;
        msec = msg->security;
 
        ad.type = LSM_AUDIT_DATA_IPC;
-       ad.u.ipc_id = msq->q_perm.key;
+       ad.u.ipc_id = msq->key;
 
        rc = avc_has_perm(&selinux_state,
                          sid, isec->sid,
@@ -6093,47 +6102,47 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
 }
 
 /* Shared Memory security operations */
-static int selinux_shm_alloc_security(struct shmid_kernel *shp)
+static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
 {
        struct ipc_security_struct *isec;
        struct common_audit_data ad;
        u32 sid = current_sid();
        int rc;
 
-       rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
+       rc = ipc_alloc_security(shp, SECCLASS_SHM);
        if (rc)
                return rc;
 
-       isec = shp->shm_perm.security;
+       isec = shp->security;
 
        ad.type = LSM_AUDIT_DATA_IPC;
-       ad.u.ipc_id = shp->shm_perm.key;
+       ad.u.ipc_id = shp->key;
 
        rc = avc_has_perm(&selinux_state,
                          sid, isec->sid, SECCLASS_SHM,
                          SHM__CREATE, &ad);
        if (rc) {
-               ipc_free_security(&shp->shm_perm);
+               ipc_free_security(shp);
                return rc;
        }
        return 0;
 }
 
-static void selinux_shm_free_security(struct shmid_kernel *shp)
+static void selinux_shm_free_security(struct kern_ipc_perm *shp)
 {
-       ipc_free_security(&shp->shm_perm);
+       ipc_free_security(shp);
 }
 
-static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
+static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
 {
        struct ipc_security_struct *isec;
        struct common_audit_data ad;
        u32 sid = current_sid();
 
-       isec = shp->shm_perm.security;
+       isec = shp->security;
 
        ad.type = LSM_AUDIT_DATA_IPC;
-       ad.u.ipc_id = shp->shm_perm.key;
+       ad.u.ipc_id = shp->key;
 
        return avc_has_perm(&selinux_state,
                            sid, isec->sid, SECCLASS_SHM,
@@ -6141,7 +6150,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
 }
 
 /* Note, at this point, shp is locked down */
-static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
+static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
 {
        int perms;
        int err;
@@ -6155,6 +6164,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
                                    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
        case IPC_STAT:
        case SHM_STAT:
+       case SHM_STAT_ANY:
                perms = SHM__GETATTR | SHM__ASSOCIATE;
                break;
        case IPC_SET:
@@ -6171,11 +6181,11 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
                return 0;
        }
 
-       err = ipc_has_perm(&shp->shm_perm, perms);
+       err = ipc_has_perm(shp, perms);
        return err;
 }
 
-static int selinux_shm_shmat(struct shmid_kernel *shp,
+static int selinux_shm_shmat(struct kern_ipc_perm *shp,
                             char __user *shmaddr, int shmflg)
 {
        u32 perms;
@@ -6185,51 +6195,51 @@ static int selinux_shm_shmat(struct shmid_kernel *shp,
        else
                perms = SHM__READ | SHM__WRITE;
 
-       return ipc_has_perm(&shp->shm_perm, perms);
+       return ipc_has_perm(shp, perms);
 }
 
 /* Semaphore security operations */
-static int selinux_sem_alloc_security(struct sem_array *sma)
+static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
 {
        struct ipc_security_struct *isec;
        struct common_audit_data ad;
        u32 sid = current_sid();
        int rc;
 
-       rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
+       rc = ipc_alloc_security(sma, SECCLASS_SEM);
        if (rc)
                return rc;
 
-       isec = sma->sem_perm.security;
+       isec = sma->security;
 
        ad.type = LSM_AUDIT_DATA_IPC;
-       ad.u.ipc_id = sma->sem_perm.key;
+       ad.u.ipc_id = sma->key;
 
        rc = avc_has_perm(&selinux_state,
                          sid, isec->sid, SECCLASS_SEM,
                          SEM__CREATE, &ad);
        if (rc) {
-               ipc_free_security(&sma->sem_perm);
+               ipc_free_security(sma);
                return rc;
        }
        return 0;
 }
 
-static void selinux_sem_free_security(struct sem_array *sma)
+static void selinux_sem_free_security(struct kern_ipc_perm *sma)
 {
-       ipc_free_security(&sma->sem_perm);
+       ipc_free_security(sma);
 }
 
-static int selinux_sem_associate(struct sem_array *sma, int semflg)
+static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
 {
        struct ipc_security_struct *isec;
        struct common_audit_data ad;
        u32 sid = current_sid();
 
-       isec = sma->sem_perm.security;
+       isec = sma->security;
 
        ad.type = LSM_AUDIT_DATA_IPC;
-       ad.u.ipc_id = sma->sem_perm.key;
+       ad.u.ipc_id = sma->key;
 
        return avc_has_perm(&selinux_state,
                            sid, isec->sid, SECCLASS_SEM,
@@ -6237,7 +6247,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg)
 }
 
 /* Note, at this point, sma is locked down */
-static int selinux_sem_semctl(struct sem_array *sma, int cmd)
+static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
 {
        int err;
        u32 perms;
@@ -6270,17 +6280,18 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
                break;
        case IPC_STAT:
        case SEM_STAT:
+       case SEM_STAT_ANY:
                perms = SEM__GETATTR | SEM__ASSOCIATE;
                break;
        default:
                return 0;
        }
 
-       err = ipc_has_perm(&sma->sem_perm, perms);
+       err = ipc_has_perm(sma, perms);
        return err;
 }
 
-static int selinux_sem_semop(struct sem_array *sma,
+static int selinux_sem_semop(struct kern_ipc_perm *sma,
                             struct sembuf *sops, unsigned nsops, int alter)
 {
        u32 perms;
@@ -6290,7 +6301,7 @@ static int selinux_sem_semop(struct sem_array *sma,
        else
                perms = SEM__READ;
 
-       return ipc_has_perm(&sma->sem_perm, perms);
+       return ipc_has_perm(sma, perms);
 }
 
 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
@@ -6929,6 +6940,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(cred_free, selinux_cred_free),
        LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
        LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
+       LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
        LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
        LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
        LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
Unnamed repository; edit this file 'description' to name the repository.