Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
f121b8fc
Commit
f121b8fc
authored
Jul 22, 2002
by
Greg Kroah-Hartman
Browse files
Options
Browse Files
Download
Plain Diff
merge
parents
a8bffd28
e175ac64
Changes
29
Expand all
Show whitespace changes
Inline
Side-by-side
Showing
29 changed files
with
1505 additions
and
47 deletions
+1505
-47
drivers/char/tty_io.c
drivers/char/tty_io.c
+4
-0
fs/attr.c
fs/attr.c
+8
-3
fs/dnotify.c
fs/dnotify.c
+8
-0
fs/dquot.c
fs/dquot.c
+3
-0
fs/fcntl.c
fs/fcntl.c
+25
-0
fs/file_table.c
fs/file_table.c
+9
-0
fs/inode.c
fs/inode.c
+12
-0
fs/ioctl.c
fs/ioctl.c
+8
-0
fs/locks.c
fs/locks.c
+20
-0
fs/namei.c
fs/namei.c
+100
-26
fs/namespace.c
fs/namespace.c
+27
-0
fs/open.c
fs/open.c
+4
-0
fs/proc/base.c
fs/proc/base.c
+1
-1
fs/quota.c
fs/quota.c
+3
-1
fs/read_write.c
fs/read_write.c
+35
-10
fs/readdir.c
fs/readdir.c
+5
-0
fs/stat.c
fs/stat.c
+11
-2
fs/super.c
fs/super.c
+9
-0
fs/xattr.c
fs/xattr.c
+17
-0
include/linux/fs.h
include/linux/fs.h
+5
-0
include/linux/security.h
include/linux/security.h
+430
-0
init/do_mounts.c
init/do_mounts.c
+1
-0
kernel/acct.c
kernel/acct.c
+5
-0
mm/filemap.c
mm/filemap.c
+9
-0
mm/mmap.c
mm/mmap.c
+5
-0
mm/mprotect.c
mm/mprotect.c
+5
-0
net/core/scm.c
net/core/scm.c
+4
-0
security/capability.c
security/capability.c
+364
-2
security/dummy.c
security/dummy.c
+368
-2
No files found.
drivers/char/tty_io.c
View file @
f121b8fc
...
...
@@ -1458,6 +1458,10 @@ static int tty_fasync(int fd, struct file * filp, int on)
if
(
!
waitqueue_active
(
&
tty
->
read_wait
))
tty
->
minimum_to_wake
=
1
;
if
(
filp
->
f_owner
.
pid
==
0
)
{
retval
=
security_ops
->
file_set_fowner
(
filp
);
if
(
retval
)
return
retval
;
filp
->
f_owner
.
pid
=
(
-
tty
->
pgrp
)
?
:
current
->
pid
;
filp
->
f_owner
.
uid
=
current
->
uid
;
filp
->
f_owner
.
euid
=
current
->
euid
;
...
...
fs/attr.c
View file @
f121b8fc
...
...
@@ -12,6 +12,7 @@
#include <linux/dnotify.h>
#include <linux/fcntl.h>
#include <linux/quotaops.h>
#include <linux/security.h>
/* Taken over from the old code... */
...
...
@@ -151,10 +152,14 @@ int notify_change(struct dentry * dentry, struct iattr * attr)
}
}
if
(
inode
->
i_op
&&
inode
->
i_op
->
setattr
)
if
(
inode
->
i_op
&&
inode
->
i_op
->
setattr
)
{
error
=
security_ops
->
inode_setattr
(
dentry
,
attr
);
if
(
!
error
)
error
=
inode
->
i_op
->
setattr
(
dentry
,
attr
);
else
{
}
else
{
error
=
inode_change_ok
(
inode
,
attr
);
if
(
!
error
)
error
=
security_ops
->
inode_setattr
(
dentry
,
attr
);
if
(
!
error
)
{
if
((
ia_valid
&
ATTR_UID
&&
attr
->
ia_uid
!=
inode
->
i_uid
)
||
(
ia_valid
&
ATTR_GID
&&
attr
->
ia_gid
!=
inode
->
i_gid
))
...
...
fs/dnotify.c
View file @
f121b8fc
...
...
@@ -68,6 +68,7 @@ int fcntl_dirnotify(int fd, struct file *filp, unsigned long arg)
struct
dnotify_struct
**
prev
;
struct
inode
*
inode
;
fl_owner_t
id
=
current
->
files
;
int
error
;
if
((
arg
&
~
DN_MULTISHOT
)
==
0
)
{
dnotify_flush
(
filp
,
id
);
...
...
@@ -93,6 +94,13 @@ int fcntl_dirnotify(int fd, struct file *filp, unsigned long arg)
}
prev
=
&
odn
->
dn_next
;
}
error
=
security_ops
->
file_set_fowner
(
filp
);
if
(
error
)
{
write_unlock
(
&
dn_lock
);
return
error
;
}
filp
->
f_owner
.
pid
=
current
->
pid
;
filp
->
f_owner
.
uid
=
current
->
uid
;
filp
->
f_owner
.
euid
=
current
->
euid
;
...
...
fs/dquot.c
View file @
f121b8fc
...
...
@@ -1316,6 +1316,9 @@ int vfs_quota_on(struct super_block *sb, int type, int format_id, char *path)
error
=
-
EIO
;
if
(
!
f
->
f_op
||
!
f
->
f_op
->
read
||
!
f
->
f_op
->
write
)
goto
out_f
;
error
=
security_ops
->
quota_on
(
f
);
if
(
error
)
goto
out_f
;
inode
=
f
->
f_dentry
->
d_inode
;
error
=
-
EACCES
;
if
(
!
S_ISREG
(
inode
->
i_mode
))
...
...
fs/fcntl.c
View file @
f121b8fc
...
...
@@ -11,6 +11,7 @@
#include <linux/smp_lock.h>
#include <linux/slab.h>
#include <linux/iobuf.h>
#include <linux/security.h>
#include <asm/poll.h>
#include <asm/siginfo.h>
...
...
@@ -305,6 +306,13 @@ static long do_fcntl(unsigned int fd, unsigned int cmd,
break
;
case
F_SETOWN
:
lock_kernel
();
err
=
security_ops
->
file_set_fowner
(
filp
);
if
(
err
)
{
unlock_kernel
();
break
;
}
filp
->
f_owner
.
pid
=
arg
;
filp
->
f_owner
.
uid
=
current
->
uid
;
filp
->
f_owner
.
euid
=
current
->
euid
;
...
...
@@ -353,6 +361,12 @@ asmlinkage long sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
if
(
!
filp
)
goto
out
;
err
=
security_ops
->
file_fcntl
(
filp
,
cmd
,
arg
);
if
(
err
)
{
fput
(
filp
);
return
err
;
}
err
=
do_fcntl
(
fd
,
cmd
,
arg
,
filp
);
fput
(
filp
);
...
...
@@ -371,6 +385,13 @@ asmlinkage long sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg
if
(
!
filp
)
goto
out
;
err
=
security_ops
->
file_fcntl
(
filp
,
cmd
,
arg
);
if
(
err
)
{
fput
(
filp
);
return
err
;
}
err
=
-
EBADF
;
switch
(
cmd
)
{
case
F_GETLK64
:
err
=
fcntl_getlk64
(
filp
,
(
struct
flock64
*
)
arg
);
...
...
@@ -409,6 +430,10 @@ static void send_sigio_to_task(struct task_struct *p,
(
fown
->
euid
^
p
->
suid
)
&&
(
fown
->
euid
^
p
->
uid
)
&&
(
fown
->
uid
^
p
->
suid
)
&&
(
fown
->
uid
^
p
->
uid
))
return
;
if
(
security_ops
->
file_send_sigiotask
(
p
,
fown
,
fd
,
reason
))
return
;
switch
(
fown
->
signum
)
{
siginfo_t
si
;
default:
...
...
fs/file_table.c
View file @
f121b8fc
...
...
@@ -13,6 +13,7 @@
#include <linux/smp_lock.h>
#include <linux/iobuf.h>
#include <linux/fs.h>
#include <linux/security.h>
/* sysctl tunables... */
struct
files_stat_struct
files_stat
=
{
0
,
0
,
NR_FILE
};
...
...
@@ -43,6 +44,12 @@ struct file * get_empty_filp(void)
files_stat
.
nr_free_files
--
;
new_one:
memset
(
f
,
0
,
sizeof
(
*
f
));
if
(
security_ops
->
file_alloc_security
(
f
))
{
list_add
(
&
f
->
f_list
,
&
free_list
);
files_stat
.
nr_free_files
++
;
file_list_unlock
();
return
NULL
;
}
atomic_set
(
&
f
->
f_count
,
1
);
f
->
f_version
=
++
event
;
f
->
f_uid
=
current
->
fsuid
;
...
...
@@ -117,6 +124,7 @@ void __fput(struct file * file)
if
(
file
->
f_op
&&
file
->
f_op
->
release
)
file
->
f_op
->
release
(
inode
,
file
);
security_ops
->
file_free_security
(
file
);
fops_put
(
file
->
f_op
);
if
(
file
->
f_mode
&
FMODE_WRITE
)
put_write_access
(
inode
);
...
...
@@ -149,6 +157,7 @@ struct file * fget(unsigned int fd)
void
put_filp
(
struct
file
*
file
)
{
if
(
atomic_dec_and_test
(
&
file
->
f_count
))
{
security_ops
->
file_free_security
(
file
);
file_list_lock
();
list_del
(
&
file
->
f_list
);
list_add
(
&
file
->
f_list
,
&
free_list
);
...
...
fs/inode.c
View file @
f121b8fc
...
...
@@ -16,6 +16,7 @@
#include <linux/backing-dev.h>
#include <linux/wait.h>
#include <linux/hash.h>
#include <linux/security.h>
/*
* This is needed for the following functions:
...
...
@@ -100,6 +101,14 @@ static struct inode *alloc_inode(struct super_block *sb)
if
(
inode
)
{
struct
address_space
*
const
mapping
=
&
inode
->
i_data
;
inode
->
i_security
=
NULL
;
if
(
security_ops
->
inode_alloc_security
(
inode
))
{
if
(
inode
->
i_sb
->
s_op
->
destroy_inode
)
inode
->
i_sb
->
s_op
->
destroy_inode
(
inode
);
else
kmem_cache_free
(
inode_cachep
,
(
inode
));
return
NULL
;
}
inode
->
i_sb
=
sb
;
inode
->
i_dev
=
sb
->
s_dev
;
inode
->
i_blkbits
=
sb
->
s_blocksize_bits
;
...
...
@@ -137,6 +146,7 @@ static void destroy_inode(struct inode *inode)
{
if
(
inode_has_buffers
(
inode
))
BUG
();
security_ops
->
inode_free_security
(
inode
);
if
(
inode
->
i_sb
->
s_op
->
destroy_inode
)
inode
->
i_sb
->
s_op
->
destroy_inode
(
inode
);
else
...
...
@@ -793,6 +803,8 @@ void generic_delete_inode(struct inode *inode)
if
(
inode
->
i_data
.
nrpages
)
truncate_inode_pages
(
&
inode
->
i_data
,
0
);
security_ops
->
inode_delete
(
inode
);
if
(
op
&&
op
->
delete_inode
)
{
void
(
*
delete
)(
struct
inode
*
)
=
op
->
delete_inode
;
if
(
!
is_bad_inode
(
inode
))
...
...
fs/ioctl.c
View file @
f121b8fc
...
...
@@ -8,6 +8,7 @@
#include <linux/smp_lock.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/security.h>
#include <asm/uaccess.h>
#include <asm/ioctls.h>
...
...
@@ -57,6 +58,13 @@ asmlinkage long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
if
(
!
filp
)
goto
out
;
error
=
0
;
error
=
security_ops
->
file_ioctl
(
filp
,
cmd
,
arg
);
if
(
error
)
{
fput
(
filp
);
goto
out
;
}
lock_kernel
();
switch
(
cmd
)
{
case
FIOCLEX
:
...
...
fs/locks.c
View file @
f121b8fc
...
...
@@ -1309,6 +1309,11 @@ int fcntl_setlease(unsigned int fd, struct file *filp, long arg)
fl
->
fl_next
=
*
before
;
*
before
=
fl
;
list_add
(
&
fl
->
fl_link
,
&
file_lock_list
);
error
=
security_ops
->
file_set_fowner
(
filp
);
if
(
error
)
goto
out_unlock
;
filp
->
f_owner
.
pid
=
current
->
pid
;
filp
->
f_owner
.
uid
=
current
->
uid
;
filp
->
f_owner
.
euid
=
current
->
euid
;
...
...
@@ -1354,6 +1359,11 @@ asmlinkage long sys_flock(unsigned int fd, unsigned int cmd)
if
(
error
<
0
)
goto
out_putf
;
error
=
security_ops
->
file_lock
(
filp
,
cmd
,
(
cmd
&
LOCK_NB
)
?
0
:
1
);
if
(
error
)
goto
out_putf
;
error
=
flock_lock_file
(
filp
,
lock
,
(
cmd
&
(
LOCK_UN
|
LOCK_NB
))
?
0
:
1
);
...
...
@@ -1484,6 +1494,11 @@ int fcntl_setlk(struct file *filp, unsigned int cmd, struct flock *l)
goto
out
;
}
error
=
security_ops
->
file_lock
(
filp
,
file_lock
->
fl_type
,
cmd
==
F_SETLKW
);
if
(
error
)
goto
out
;
if
(
filp
->
f_op
&&
filp
->
f_op
->
lock
!=
NULL
)
{
error
=
filp
->
f_op
->
lock
(
filp
,
cmd
,
file_lock
);
if
(
error
<
0
)
...
...
@@ -1603,6 +1618,11 @@ int fcntl_setlk64(struct file *filp, unsigned int cmd, struct flock64 *l)
goto
out
;
}
error
=
security_ops
->
file_lock
(
filp
,
file_lock
->
fl_type
,
cmd
==
F_SETLKW64
);
if
(
error
)
goto
out
;
if
(
filp
->
f_op
&&
filp
->
f_op
->
lock
!=
NULL
)
{
error
=
filp
->
f_op
->
lock
(
filp
,
cmd
,
file_lock
);
if
(
error
<
0
)
...
...
fs/namei.c
View file @
f121b8fc
...
...
@@ -23,6 +23,7 @@
#include <linux/dnotify.h>
#include <linux/smp_lock.h>
#include <linux/personality.h>
#include <linux/security.h>
#include <asm/namei.h>
#include <asm/uaccess.h>
...
...
@@ -204,9 +205,20 @@ int vfs_permission(struct inode * inode, int mask)
int
permission
(
struct
inode
*
inode
,
int
mask
)
{
int
retval
;
int
submask
;
/* Ordinary permission routines do not understand MAY_APPEND. */
submask
=
mask
&
~
MAY_APPEND
;
if
(
inode
->
i_op
&&
inode
->
i_op
->
permission
)
return
inode
->
i_op
->
permission
(
inode
,
mask
);
return
vfs_permission
(
inode
,
mask
);
retval
=
inode
->
i_op
->
permission
(
inode
,
submask
);
else
retval
=
vfs_permission
(
inode
,
submask
);
if
(
retval
)
return
retval
;
return
security_ops
->
inode_permission
(
inode
,
mask
);
}
/*
...
...
@@ -318,15 +330,17 @@ static inline int exec_permission_lite(struct inode *inode)
mode
>>=
3
;
if
(
mode
&
MAY_EXEC
)
return
0
;
goto
ok
;
if
((
inode
->
i_mode
&
S_IXUGO
)
&&
capable
(
CAP_DAC_OVERRIDE
))
return
0
;
goto
ok
;
if
(
S_ISDIR
(
inode
->
i_mode
)
&&
capable
(
CAP_DAC_READ_SEARCH
))
return
0
;
goto
ok
;
return
-
EACCES
;
ok:
return
security_ops
->
inode_permission_lite
(
inode
,
MAY_EXEC
);
}
/*
...
...
@@ -358,8 +372,10 @@ static struct dentry * real_lookup(struct dentry * parent, struct qstr * name, i
result
=
dir
->
i_op
->
lookup
(
dir
,
dentry
);
if
(
result
)
dput
(
dentry
);
else
else
{
result
=
dentry
;
security_ops
->
inode_post_lookup
(
dir
,
result
);
}
}
up
(
&
dir
->
i_sem
);
return
result
;
...
...
@@ -388,7 +404,7 @@ static struct dentry * real_lookup(struct dentry * parent, struct qstr * name, i
*/
static
inline
int
do_follow_link
(
struct
dentry
*
dentry
,
struct
nameidata
*
nd
)
{
int
err
;
int
err
=
-
ELOOP
;
if
(
current
->
link_count
>=
5
)
goto
loop
;
if
(
current
->
total_link_count
>=
40
)
...
...
@@ -397,6 +413,9 @@ static inline int do_follow_link(struct dentry *dentry, struct nameidata *nd)
current
->
state
=
TASK_RUNNING
;
schedule
();
}
err
=
security_ops
->
inode_follow_link
(
dentry
,
nd
);
if
(
err
)
goto
loop
;
current
->
link_count
++
;
current
->
total_link_count
++
;
UPDATE_ATIME
(
dentry
->
d_inode
);
...
...
@@ -405,7 +424,7 @@ static inline int do_follow_link(struct dentry *dentry, struct nameidata *nd)
return
err
;
loop:
path_release
(
nd
);
return
-
ELOOP
;
return
err
;
}
int
follow_up
(
struct
vfsmount
**
mnt
,
struct
dentry
**
dentry
)
...
...
@@ -897,9 +916,10 @@ struct dentry * lookup_hash(struct qstr *name, struct dentry * base)
if
(
!
new
)
goto
out
;
dentry
=
inode
->
i_op
->
lookup
(
inode
,
new
);
if
(
!
dentry
)
if
(
!
dentry
)
{
dentry
=
new
;
else
security_ops
->
inode_post_lookup
(
inode
,
dentry
);
}
else
dput
(
new
);
}
out:
...
...
@@ -1103,14 +1123,17 @@ int vfs_create(struct inode *dir, struct dentry *dentry, int mode)
if
(
!
dir
->
i_op
||
!
dir
->
i_op
->
create
)
return
-
EACCES
;
/* shouldn't it be ENOSYS? */
DQUOT_INIT
(
dir
);
mode
&=
S_IALLUGO
;
mode
|=
S_IFREG
;
error
=
security_ops
->
inode_create
(
dir
,
dentry
,
mode
);
if
(
error
)
return
error
;
DQUOT_INIT
(
dir
);
error
=
dir
->
i_op
->
create
(
dir
,
dentry
,
mode
);
if
(
!
error
)
if
(
!
error
)
{
inode_dir_notify
(
dir
,
DN_CREATE
);
security_ops
->
inode_post_create
(
dir
,
dentry
,
mode
);
}
return
error
;
}
...
...
@@ -1211,6 +1234,11 @@ int open_namei(const char * pathname, int flag, int mode, struct nameidata *nd)
acc_mode
=
ACC_MODE
(
flag
);
/* Allow the LSM permission hook to distinguish append
access from general write access. */
if
(
flag
&
O_APPEND
)
acc_mode
|=
MAY_APPEND
;
/*
* The simplest case - just a plain lookup.
*/
...
...
@@ -1316,6 +1344,9 @@ int open_namei(const char * pathname, int flag, int mode, struct nameidata *nd)
* stored in nd->last.name and we will have to putname() it when we
* are done. Procfs-like symlinks just set LAST_BIND.
*/
error
=
security_ops
->
inode_follow_link
(
dentry
,
nd
);
if
(
error
)
goto
exit_dput
;
UPDATE_ATIME
(
dentry
->
d_inode
);
error
=
dentry
->
d_inode
->
i_op
->
follow_link
(
dentry
,
nd
);
dput
(
dentry
);
...
...
@@ -1379,10 +1410,16 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
if
(
!
dir
->
i_op
||
!
dir
->
i_op
->
mknod
)
return
-
EPERM
;
error
=
security_ops
->
inode_mknod
(
dir
,
dentry
,
mode
,
dev
);
if
(
error
)
return
error
;
DQUOT_INIT
(
dir
);
error
=
dir
->
i_op
->
mknod
(
dir
,
dentry
,
mode
,
dev
);
if
(
!
error
)
if
(
!
error
)
{
inode_dir_notify
(
dir
,
DN_CREATE
);
security_ops
->
inode_post_mknod
(
dir
,
dentry
,
mode
,
dev
);
}
return
error
;
}
...
...
@@ -1440,11 +1477,17 @@ int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode)
if
(
!
dir
->
i_op
||
!
dir
->
i_op
->
mkdir
)
return
-
EPERM
;
DQUOT_INIT
(
dir
);
mode
&=
(
S_IRWXUGO
|
S_ISVTX
);
error
=
security_ops
->
inode_mkdir
(
dir
,
dentry
,
mode
);
if
(
error
)
return
error
;
DQUOT_INIT
(
dir
);
error
=
dir
->
i_op
->
mkdir
(
dir
,
dentry
,
mode
);
if
(
!
error
)
if
(
!
error
)
{
inode_dir_notify
(
dir
,
DN_CREATE
);
security_ops
->
inode_post_mkdir
(
dir
,
dentry
,
mode
);
}
return
error
;
}
...
...
@@ -1523,10 +1566,13 @@ int vfs_rmdir(struct inode *dir, struct dentry *dentry)
if
(
d_mountpoint
(
dentry
))
error
=
-
EBUSY
;
else
{
error
=
security_ops
->
inode_rmdir
(
dir
,
dentry
);
if
(
!
error
)
{
error
=
dir
->
i_op
->
rmdir
(
dir
,
dentry
);
if
(
!
error
)
dentry
->
d_inode
->
i_flags
|=
S_DEAD
;
}
}
up
(
&
dentry
->
d_inode
->
i_sem
);
if
(
!
error
)
{
inode_dir_notify
(
dir
,
DN_DELETE
);
...
...
@@ -1593,8 +1639,12 @@ int vfs_unlink(struct inode *dir, struct dentry *dentry)
down
(
&
dentry
->
d_inode
->
i_sem
);
if
(
d_mountpoint
(
dentry
))
error
=
-
EBUSY
;
else
else
{
error
=
security_ops
->
inode_unlink
(
dir
,
dentry
);
if
(
!
error
)
{
error
=
dir
->
i_op
->
unlink
(
dir
,
dentry
);
}
}
up
(
&
dentry
->
d_inode
->
i_sem
);
if
(
!
error
)
{
d_delete
(
dentry
);
...
...
@@ -1655,10 +1705,16 @@ int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname)
if
(
!
dir
->
i_op
||
!
dir
->
i_op
->
symlink
)
return
-
EPERM
;
error
=
security_ops
->
inode_symlink
(
dir
,
dentry
,
oldname
);
if
(
error
)
return
error
;
DQUOT_INIT
(
dir
);
error
=
dir
->
i_op
->
symlink
(
dir
,
dentry
,
oldname
);
if
(
!
error
)
if
(
!
error
)
{
inode_dir_notify
(
dir
,
DN_CREATE
);
security_ops
->
inode_post_symlink
(
dir
,
dentry
,
oldname
);
}
return
error
;
}
...
...
@@ -1720,12 +1776,18 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de
if
(
S_ISDIR
(
old_dentry
->
d_inode
->
i_mode
))
return
-
EPERM
;
error
=
security_ops
->
inode_link
(
old_dentry
,
dir
,
new_dentry
);
if
(
error
)
return
error
;
down
(
&
old_dentry
->
d_inode
->
i_sem
);
DQUOT_INIT
(
dir
);
error
=
dir
->
i_op
->
link
(
old_dentry
,
dir
,
new_dentry
);
up
(
&
old_dentry
->
d_inode
->
i_sem
);
if
(
!
error
)
if
(
!
error
)
{
inode_dir_notify
(
dir
,
DN_CREATE
);
security_ops
->
inode_post_link
(
old_dentry
,
dir
,
new_dentry
);
}
return
error
;
}
...
...
@@ -1817,9 +1879,13 @@ int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry,
* If we are going to change the parent - check write permissions,
* we'll need to flip '..'.
*/
if
(
new_dir
!=
old_dir
)
if
(
new_dir
!=
old_dir
)
{
error
=
permission
(
old_dentry
->
d_inode
,
MAY_WRITE
);
if
(
error
)
return
error
;
}
error
=
security_ops
->
inode_rename
(
old_dir
,
old_dentry
,
new_dir
,
new_dentry
);
if
(
error
)
return
error
;
...
...
@@ -1840,8 +1906,11 @@ int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry,
d_rehash
(
new_dentry
);
dput
(
new_dentry
);
}
if
(
!
error
)
if
(
!
error
)
{
d_move
(
old_dentry
,
new_dentry
);
security_ops
->
inode_post_rename
(
old_dir
,
old_dentry
,
new_dir
,
new_dentry
);
}
return
error
;
}
...
...
@@ -1851,6 +1920,10 @@ int vfs_rename_other(struct inode *old_dir, struct dentry *old_dentry,
struct
inode
*
target
;
int
error
;
error
=
security_ops
->
inode_rename
(
old_dir
,
old_dentry
,
new_dir
,
new_dentry
);
if
(
error
)
return
error
;
dget
(
new_dentry
);
target
=
new_dentry
->
d_inode
;
if
(
target
)
...
...
@@ -1863,6 +1936,7 @@ int vfs_rename_other(struct inode *old_dir, struct dentry *old_dentry,
/* The following d_move() should become unconditional */
if
(
!
(
old_dir
->
i_sb
->
s_type
->
fs_flags
&
FS_ODD_RENAME
))
d_move
(
old_dentry
,
new_dentry
);
security_ops
->
inode_post_rename
(
old_dir
,
old_dentry
,
new_dir
,
new_dentry
);
}
if
(
target
)
up
(
&
target
->
i_sem
);
...
...
fs/namespace.c
View file @
f121b8fc
...
...
@@ -288,6 +288,10 @@ static int do_umount(struct vfsmount *mnt, int flags)
struct
super_block
*
sb
=
mnt
->
mnt_sb
;
int
retval
=
0
;
retval
=
security_ops
->
sb_umount
(
mnt
,
flags
);
if
(
retval
)
return
retval
;
/*
* If we may have to abort operations to get out of this
* mount, and they will themselves hold resources we must
...
...
@@ -337,6 +341,7 @@ static int do_umount(struct vfsmount *mnt, int flags)
DQUOT_OFF
(
sb
);
acct_auto_close
(
sb
);
unlock_kernel
();
security_ops
->
sb_umount_close
(
mnt
);
spin_lock
(
&
dcache_lock
);
}
retval
=
-
EBUSY
;
...
...
@@ -346,6 +351,8 @@ static int do_umount(struct vfsmount *mnt, int flags)
retval
=
0
;
}
spin_unlock
(
&
dcache_lock
);
if
(
retval
)
security_ops
->
sb_umount_busy
(
mnt
);
up_write
(
&
current
->
namespace
->
sem
);
return
retval
;
}
...
...
@@ -463,6 +470,10 @@ static int graft_tree(struct vfsmount *mnt, struct nameidata *nd)
if
(
IS_DEADDIR
(
nd
->
dentry
->
d_inode
))
goto
out_unlock
;
err
=
security_ops
->
sb_check_sb
(
mnt
,
nd
);
if
(
err
)
goto
out_unlock
;
spin_lock
(
&
dcache_lock
);
if
(
IS_ROOT
(
nd
->
dentry
)
||
!
d_unhashed
(
nd
->
dentry
))
{
struct
list_head
head
;
...
...
@@ -475,6 +486,8 @@ static int graft_tree(struct vfsmount *mnt, struct nameidata *nd)
spin_unlock
(
&
dcache_lock
);
out_unlock:
up
(
&
nd
->
dentry
->
d_inode
->
i_sem
);
if
(
!
err
)
security_ops
->
sb_post_addmount
(
mnt
,
nd
);
return
err
;
}
...
...
@@ -544,6 +557,8 @@ static int do_remount(struct nameidata *nd,int flags,int mnt_flags,void *data)
if
(
!
err
)
nd
->
mnt
->
mnt_flags
=
mnt_flags
;
up_write
(
&
sb
->
s_umount
);
if
(
!
err
)
security_ops
->
sb_post_remount
(
nd
->
mnt
,
flags
,
data
);
return
err
;
}
...
...
@@ -726,6 +741,10 @@ long do_mount(char * dev_name, char * dir_name, char *type_page,
if
(
retval
)
return
retval
;
retval
=
security_ops
->
sb_mount
(
dev_name
,
&
nd
,
type_page
,
flags
,
data_page
);
if
(
retval
)
goto
dput_out
;
if
(
flags
&
MS_REMOUNT
)
retval
=
do_remount
(
&
nd
,
flags
&
~
MS_REMOUNT
,
mnt_flags
,
data_page
);
...
...
@@ -736,6 +755,7 @@ long do_mount(char * dev_name, char * dir_name, char *type_page,
else
retval
=
do_add_mount
(
&
nd
,
type_page
,
flags
,
mnt_flags
,
dev_name
,
data_page
);
dput_out:
path_release
(
&
nd
);
return
retval
;
}
...
...
@@ -919,6 +939,12 @@ asmlinkage long sys_pivot_root(const char *new_root, const char *put_old)
if
(
error
)
goto
out1
;
error
=
security_ops
->
sb_pivotroot
(
&
old_nd
,
&
new_nd
);
if
(
error
)
{
path_release
(
&
old_nd
);
goto
out1
;
}
read_lock
(
&
current
->
fs
->
lock
);
user_nd
.
mnt
=
mntget
(
current
->
fs
->
rootmnt
);
user_nd
.
dentry
=
dget
(
current
->
fs
->
root
);
...
...
@@ -963,6 +989,7 @@ asmlinkage long sys_pivot_root(const char *new_root, const char *put_old)
attach_mnt
(
new_nd
.
mnt
,
&
root_parent
);
spin_unlock
(
&
dcache_lock
);
chroot_fs_refs
(
&
user_nd
,
&
new_nd
);
security_ops
->
sb_post_pivotroot
(
&
user_nd
,
&
new_nd
);
error
=
0
;
path_release
(
&
root_parent
);
path_release
(
&
parent_nd
);
...
...
fs/open.c
View file @
f121b8fc
...
...
@@ -17,6 +17,7 @@
#include <linux/iobuf.h>
#include <linux/namei.h>
#include <linux/backing-dev.h>
#include <linux/security.h>
#include <asm/uaccess.h>
...
...
@@ -30,6 +31,9 @@ int vfs_statfs(struct super_block *sb, struct statfs *buf)
retval
=
-
ENOSYS
;
if
(
sb
->
s_op
&&
sb
->
s_op
->
statfs
)
{
memset
(
buf
,
0
,
sizeof
(
struct
statfs
));
retval
=
security_ops
->
sb_statfs
(
sb
);
if
(
retval
)
return
retval
;
retval
=
sb
->
s_op
->
statfs
(
sb
,
buf
);
}
}
...
...
fs/proc/base.c
View file @
f121b8fc
...
...
@@ -406,7 +406,7 @@ static struct file_operations proc_info_file_operations = {
};
#define MAY_PTRACE(p) \
(p==current||(p->parent==current&&(p->ptrace & PT_PTRACED)&&p->state==TASK_STOPPED))
(p==current||(p->parent==current&&(p->ptrace & PT_PTRACED)&&p->state==TASK_STOPPED
&&security_ops->ptrace(current,p)==0
))
static
int
mem_open
(
struct
inode
*
inode
,
struct
file
*
file
)
...
...
fs/quota.c
View file @
f121b8fc
...
...
@@ -12,6 +12,7 @@
#include <asm/uaccess.h>
#include <linux/kernel.h>
#include <linux/smp_lock.h>
#include <linux/security.h>
/* Check validity of quotactl */
static
int
check_quotactl_valid
(
struct
super_block
*
sb
,
int
type
,
int
cmd
,
qid_t
id
)
...
...
@@ -96,7 +97,8 @@ static int check_quotactl_valid(struct super_block *sb, int type, int cmd, qid_t
else
if
(
cmd
!=
Q_GETFMT
&&
cmd
!=
Q_SYNC
&&
cmd
!=
Q_GETINFO
&&
cmd
!=
Q_XGETQSTAT
)
if
(
!
capable
(
CAP_SYS_ADMIN
))
return
-
EPERM
;
return
0
;
return
security_ops
->
quotactl
(
cmd
,
type
,
id
,
sb
);
}
/* Resolve device pathname to superblock */
...
...
fs/read_write.c
View file @
f121b8fc
...
...
@@ -11,6 +11,7 @@
#include <linux/uio.h>
#include <linux/smp_lock.h>
#include <linux/dnotify.h>
#include <linux/security.h>
#include <asm/uaccess.h>
...
...
@@ -117,6 +118,13 @@ asmlinkage off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
file
=
fget
(
fd
);
if
(
!
file
)
goto
bad
;
retval
=
security_ops
->
file_llseek
(
file
);
if
(
retval
)
{
fput
(
file
);
goto
bad
;
}
retval
=
-
EINVAL
;
if
(
origin
<=
2
)
{
loff_t
res
=
llseek
(
file
,
offset
,
origin
);
...
...
@@ -142,6 +150,11 @@ asmlinkage long sys_llseek(unsigned int fd, unsigned long offset_high,
file
=
fget
(
fd
);
if
(
!
file
)
goto
bad
;
retval
=
security_ops
->
file_llseek
(
file
);
if
(
retval
)
goto
out_putf
;
retval
=
-
EINVAL
;
if
(
origin
>
2
)
goto
out_putf
;
...
...
@@ -175,11 +188,14 @@ ssize_t vfs_read(struct file *file, char *buf, size_t count, loff_t *pos)
return
-
EINVAL
;
ret
=
locks_verify_area
(
FLOCK_VERIFY_READ
,
inode
,
file
,
*
pos
,
count
);
if
(
!
ret
)
{
ret
=
security_ops
->
file_permission
(
file
,
MAY_READ
);
if
(
!
ret
)
{
ret
=
file
->
f_op
->
read
(
file
,
buf
,
count
,
pos
);
if
(
ret
>
0
)
dnotify_parent
(
file
->
f_dentry
,
DN_ACCESS
);
}
}
return
ret
;
}
...
...
@@ -197,11 +213,14 @@ ssize_t vfs_write(struct file *file, const char *buf, size_t count, loff_t *pos)
return
-
EINVAL
;
ret
=
locks_verify_area
(
FLOCK_VERIFY_WRITE
,
inode
,
file
,
*
pos
,
count
);
if
(
!
ret
)
{
ret
=
security_ops
->
file_permission
(
file
,
MAY_WRITE
);
if
(
!
ret
)
{
ret
=
file
->
f_op
->
write
(
file
,
buf
,
count
,
pos
);
if
(
ret
>
0
)
dnotify_parent
(
file
->
f_dentry
,
DN_MODIFY
);
}
}
return
ret
;
}
...
...
@@ -378,8 +397,11 @@ asmlinkage ssize_t sys_readv(unsigned long fd, const struct iovec * vector,
if
(
!
file
)
goto
bad_file
;
if
(
file
->
f_op
&&
(
file
->
f_mode
&
FMODE_READ
)
&&
(
file
->
f_op
->
readv
||
file
->
f_op
->
read
))
(
file
->
f_op
->
readv
||
file
->
f_op
->
read
))
{
ret
=
security_ops
->
file_permission
(
file
,
MAY_READ
);
if
(
!
ret
)
ret
=
do_readv_writev
(
VERIFY_WRITE
,
file
,
vector
,
count
);
}
fput
(
file
);
bad_file:
...
...
@@ -398,8 +420,11 @@ asmlinkage ssize_t sys_writev(unsigned long fd, const struct iovec * vector,
if
(
!
file
)
goto
bad_file
;
if
(
file
->
f_op
&&
(
file
->
f_mode
&
FMODE_WRITE
)
&&
(
file
->
f_op
->
writev
||
file
->
f_op
->
write
))
(
file
->
f_op
->
writev
||
file
->
f_op
->
write
))
{
ret
=
security_ops
->
file_permission
(
file
,
MAY_WRITE
);
if
(
!
ret
)
ret
=
do_readv_writev
(
VERIFY_READ
,
file
,
vector
,
count
);
}
fput
(
file
);
bad_file:
...
...
fs/readdir.c
View file @
f121b8fc
...
...
@@ -20,6 +20,11 @@ int vfs_readdir(struct file *file, filldir_t filler, void *buf)
int
res
=
-
ENOTDIR
;
if
(
!
file
->
f_op
||
!
file
->
f_op
->
readdir
)
goto
out
;
res
=
security_ops
->
file_permission
(
file
,
MAY_READ
);
if
(
res
)
goto
out
;
down
(
&
inode
->
i_sem
);
res
=
-
ENOENT
;
if
(
!
IS_DEADDIR
(
inode
))
{
...
...
fs/stat.c
View file @
f121b8fc
...
...
@@ -12,6 +12,7 @@
#include <linux/highuid.h>
#include <linux/fs.h>
#include <linux/namei.h>
#include <linux/security.h>
#include <asm/uaccess.h>
...
...
@@ -36,6 +37,11 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
int
vfs_getattr
(
struct
vfsmount
*
mnt
,
struct
dentry
*
dentry
,
struct
kstat
*
stat
)
{
struct
inode
*
inode
=
dentry
->
d_inode
;
int
retval
;
retval
=
security_ops
->
inode_getattr
(
mnt
,
dentry
);
if
(
retval
)
return
retval
;
if
(
inode
->
i_op
->
getattr
)
return
inode
->
i_op
->
getattr
(
mnt
,
dentry
,
stat
);
...
...
@@ -232,9 +238,12 @@ asmlinkage long sys_readlink(const char * path, char * buf, int bufsiz)
error
=
-
EINVAL
;
if
(
inode
->
i_op
&&
inode
->
i_op
->
readlink
)
{
error
=
security_ops
->
inode_readlink
(
nd
.
dentry
);
if
(
!
error
)
{
UPDATE_ATIME
(
inode
);
error
=
inode
->
i_op
->
readlink
(
nd
.
dentry
,
buf
,
bufsiz
);
}
}
path_release
(
&
nd
);
}
return
error
;
...
...
fs/super.c
View file @
f121b8fc
...
...
@@ -31,6 +31,8 @@
#include <linux/buffer_head.h>
/* for fsync_super() */
#include <asm/uaccess.h>
#include <linux/security.h>
void
get_filesystem
(
struct
file_system_type
*
fs
);
void
put_filesystem
(
struct
file_system_type
*
fs
);
struct
file_system_type
*
get_fs_type
(
const
char
*
name
);
...
...
@@ -49,6 +51,11 @@ static struct super_block *alloc_super(void)
struct
super_block
*
s
=
kmalloc
(
sizeof
(
struct
super_block
),
GFP_USER
);
if
(
s
)
{
memset
(
s
,
0
,
sizeof
(
struct
super_block
));
if
(
security_ops
->
sb_alloc_security
(
s
))
{
kfree
(
s
);
s
=
NULL
;
goto
out
;
}
INIT_LIST_HEAD
(
&
s
->
s_dirty
);
INIT_LIST_HEAD
(
&
s
->
s_io
);
INIT_LIST_HEAD
(
&
s
->
s_locked_inodes
);
...
...
@@ -67,6 +74,7 @@ static struct super_block *alloc_super(void)
s
->
dq_op
=
sb_dquot_ops
;
s
->
s_qcop
=
sb_quotactl_ops
;
}
out:
return
s
;
}
...
...
@@ -78,6 +86,7 @@ static struct super_block *alloc_super(void)
*/
static
inline
void
destroy_super
(
struct
super_block
*
s
)
{
security_ops
->
sb_free_security
(
s
);
kfree
(
s
);
}
...
...
fs/xattr.c
View file @
f121b8fc
...
...
@@ -85,11 +85,16 @@ setxattr(struct dentry *d, char *name, void *value, size_t size, int flags)
error
=
-
EOPNOTSUPP
;
if
(
d
->
d_inode
->
i_op
&&
d
->
d_inode
->
i_op
->
setxattr
)
{
error
=
security_ops
->
inode_setxattr
(
d
,
kname
,
kvalue
,
size
,
flags
);
if
(
error
)
goto
out
;
down
(
&
d
->
d_inode
->
i_sem
);
error
=
d
->
d_inode
->
i_op
->
setxattr
(
d
,
kname
,
kvalue
,
size
,
flags
);
up
(
&
d
->
d_inode
->
i_sem
);
}
out:
xattr_free
(
kvalue
,
size
);
return
error
;
}
...
...
@@ -158,6 +163,9 @@ getxattr(struct dentry *d, char *name, void *value, size_t size)
error
=
-
EOPNOTSUPP
;
if
(
d
->
d_inode
->
i_op
&&
d
->
d_inode
->
i_op
->
getxattr
)
{
error
=
security_ops
->
inode_getxattr
(
d
,
kname
);
if
(
error
)
goto
out
;
down
(
&
d
->
d_inode
->
i_sem
);
error
=
d
->
d_inode
->
i_op
->
getxattr
(
d
,
kname
,
kvalue
,
size
);
up
(
&
d
->
d_inode
->
i_sem
);
...
...
@@ -166,6 +174,7 @@ getxattr(struct dentry *d, char *name, void *value, size_t size)
if
(
kvalue
&&
error
>
0
)
if
(
copy_to_user
(
value
,
kvalue
,
error
))
error
=
-
EFAULT
;
out:
xattr_free
(
kvalue
,
size
);
return
error
;
}
...
...
@@ -227,6 +236,9 @@ listxattr(struct dentry *d, char *list, size_t size)
error
=
-
EOPNOTSUPP
;
if
(
d
->
d_inode
->
i_op
&&
d
->
d_inode
->
i_op
->
listxattr
)
{
error
=
security_ops
->
inode_listxattr
(
d
);
if
(
error
)
goto
out
;
down
(
&
d
->
d_inode
->
i_sem
);
error
=
d
->
d_inode
->
i_op
->
listxattr
(
d
,
klist
,
size
);
up
(
&
d
->
d_inode
->
i_sem
);
...
...
@@ -235,6 +247,7 @@ listxattr(struct dentry *d, char *list, size_t size)
if
(
klist
&&
error
>
0
)
if
(
copy_to_user
(
list
,
klist
,
error
))
error
=
-
EFAULT
;
out:
xattr_free
(
klist
,
size
);
return
error
;
}
...
...
@@ -298,10 +311,14 @@ removexattr(struct dentry *d, char *name)
error
=
-
EOPNOTSUPP
;
if
(
d
->
d_inode
->
i_op
&&
d
->
d_inode
->
i_op
->
removexattr
)
{
error
=
security_ops
->
inode_removexattr
(
d
,
kname
);
if
(
error
)
goto
out
;
down
(
&
d
->
d_inode
->
i_sem
);
error
=
d
->
d_inode
->
i_op
->
removexattr
(
d
,
kname
);
up
(
&
d
->
d_inode
->
i_sem
);
}
out:
return
error
;
}
...
...
include/linux/fs.h
View file @
f121b8fc
...
...
@@ -72,6 +72,7 @@ extern int leases_enable, dir_notify_enable, lease_break_time;
#define MAY_EXEC 1
#define MAY_WRITE 2
#define MAY_READ 4
#define MAY_APPEND 8
#define FMODE_READ 1
#define FMODE_WRITE 2
...
...
@@ -399,6 +400,7 @@ struct inode {
unsigned
char
i_sock
;
atomic_t
i_writecount
;
void
*
i_security
;
__u32
i_generation
;
union
{
void
*
generic_ip
;
...
...
@@ -429,6 +431,7 @@ struct fown_struct {
int
pid
;
/* pid or -pgrp where SIGIO should be sent */
uid_t
uid
,
euid
;
/* uid/euid of process setting the owner */
int
signum
;
/* posix.1b rt signal to be delivered on IO */
void
*
security
;
};
static
inline
void
inode_add_bytes
(
struct
inode
*
inode
,
loff_t
bytes
)
...
...
@@ -492,6 +495,7 @@ struct file {
struct
file_ra_state
f_ra
;
unsigned
long
f_version
;
void
*
f_security
;
/* needed for tty driver, and maybe others */
void
*
private_data
;
...
...
@@ -645,6 +649,7 @@ struct super_block {
int
s_count
;
int
s_syncing
;
atomic_t
s_active
;
void
*
s_security
;
struct
list_head
s_dirty
;
/* dirty inodes */
struct
list_head
s_io
;
/* parked for writeback */
...
...
include/linux/security.h
View file @
f121b8fc
This diff is collapsed.
Click to expand it.
init/do_mounts.c
View file @
f121b8fc
...
...
@@ -845,6 +845,7 @@ void prepare_namespace(void)
sys_umount
(
"/dev"
,
0
);
sys_mount
(
"."
,
"/"
,
NULL
,
MS_MOVE
,
NULL
);
sys_chroot
(
"."
);
security_ops
->
sb_post_mountroot
();
mount_devfs_fs
();
}
...
...
kernel/acct.c
View file @
f121b8fc
...
...
@@ -195,6 +195,7 @@ asmlinkage long sys_acct(const char *name)
{
struct
file
*
file
=
NULL
;
char
*
tmp
;
int
error
;
if
(
!
capable
(
CAP_SYS_PACCT
))
return
-
EPERM
;
...
...
@@ -221,6 +222,10 @@ asmlinkage long sys_acct(const char *name)
}
}
error
=
security_ops
->
acct
(
file
);
if
(
error
)
return
error
;
spin_lock
(
&
acct_globals
.
lock
);
acct_file_reopen
(
file
);
spin_unlock
(
&
acct_globals
.
lock
);
...
...
mm/filemap.c
View file @
f121b8fc
...
...
@@ -21,6 +21,7 @@
#include <linux/iobuf.h>
#include <linux/hash.h>
#include <linux/writeback.h>
#include <linux/security.h>
/*
* This is needed for the following functions:
* - try_to_release_page
...
...
@@ -1143,6 +1144,10 @@ static ssize_t common_sendfile(int out_fd, int in_fd, loff_t *offset, size_t cou
if
(
retval
)
goto
fput_in
;
retval
=
security_ops
->
file_permission
(
in_file
,
MAY_READ
);
if
(
retval
)
goto
fput_in
;
/*
* Get output file, and verify that it is ok..
*/
...
...
@@ -1160,6 +1165,10 @@ static ssize_t common_sendfile(int out_fd, int in_fd, loff_t *offset, size_t cou
if
(
retval
)
goto
fput_out
;
retval
=
security_ops
->
file_permission
(
out_file
,
MAY_WRITE
);
if
(
retval
)
goto
fput_out
;
retval
=
0
;
if
(
count
)
{
read_descriptor_t
desc
;
...
...
mm/mmap.c
View file @
f121b8fc
...
...
@@ -14,6 +14,7 @@
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/personality.h>
#include <linux/security.h>
#include <asm/uaccess.h>
#include <asm/pgalloc.h>
...
...
@@ -475,6 +476,10 @@ unsigned long do_mmap_pgoff(struct file * file, unsigned long addr, unsigned lon
}
}
error
=
security_ops
->
file_mmap
(
file
,
prot
,
flags
);
if
(
error
)
return
error
;
/* Clear old maps */
error
=
-
ENOMEM
;
munmap_back:
...
...
mm/mprotect.c
View file @
f121b8fc
...
...
@@ -10,6 +10,7 @@
#include <linux/mman.h>
#include <linux/fs.h>
#include <linux/highmem.h>
#include <linux/security.h>
#include <asm/uaccess.h>
#include <asm/pgalloc.h>
...
...
@@ -306,6 +307,10 @@ asmlinkage long sys_mprotect(unsigned long start, size_t len, unsigned long prot
goto
out
;
}
error
=
security_ops
->
file_mprotect
(
vma
,
prot
);
if
(
error
)
goto
out
;
if
(
vma
->
vm_end
>
end
)
{
error
=
mprotect_fixup
(
vma
,
&
prev
,
nstart
,
end
,
newflags
);
goto
out
;
...
...
net/core/scm.c
View file @
f121b8fc
...
...
@@ -22,6 +22,7 @@
#include <linux/net.h>
#include <linux/interrupt.h>
#include <linux/netdevice.h>
#include <linux/security.h>
#include <asm/system.h>
#include <asm/uaccess.h>
...
...
@@ -216,6 +217,9 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
for
(
i
=
0
,
cmfptr
=
(
int
*
)
CMSG_DATA
(
cm
);
i
<
fdmax
;
i
++
,
cmfptr
++
)
{
int
new_fd
;
err
=
security_ops
->
file_receive
(
fp
[
i
]);
if
(
err
)
break
;
err
=
get_unused_fd
();
if
(
err
<
0
)
break
;
...
...
security/capability.c
View file @
f121b8fc
...
...
@@ -37,6 +37,16 @@ static int cap_sys_security (unsigned int id, unsigned int call,
return
-
ENOSYS
;
}
static
int
cap_quotactl
(
int
cmds
,
int
type
,
int
id
,
struct
super_block
*
sb
)
{
return
0
;
}
static
int
cap_quota_on
(
struct
file
*
f
)
{
return
0
;
}
static
int
cap_ptrace
(
struct
task_struct
*
parent
,
struct
task_struct
*
child
)
{
/* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
...
...
@@ -95,6 +105,11 @@ static void cap_capset_set (struct task_struct *target,
target
->
cap_permitted
=
*
permitted
;
}
static
int
cap_acct
(
struct
file
*
file
)
{
return
0
;
}
static
int
cap_bprm_alloc_security
(
struct
linux_binprm
*
bprm
)
{
return
0
;
...
...
@@ -189,6 +204,294 @@ static void cap_bprm_compute_creds (struct linux_binprm *bprm)
current
->
keep_capabilities
=
0
;
}
static
int
cap_sb_alloc_security
(
struct
super_block
*
sb
)
{
return
0
;
}
static
void
cap_sb_free_security
(
struct
super_block
*
sb
)
{
return
;
}
static
int
cap_sb_statfs
(
struct
super_block
*
sb
)
{
return
0
;
}
static
int
cap_mount
(
char
*
dev_name
,
struct
nameidata
*
nd
,
char
*
type
,
unsigned
long
flags
,
void
*
data
)
{
return
0
;
}
static
int
cap_check_sb
(
struct
vfsmount
*
mnt
,
struct
nameidata
*
nd
)
{
return
0
;
}
static
int
cap_umount
(
struct
vfsmount
*
mnt
,
int
flags
)
{
return
0
;
}
static
void
cap_umount_close
(
struct
vfsmount
*
mnt
)
{
return
;
}
static
void
cap_umount_busy
(
struct
vfsmount
*
mnt
)
{
return
;
}
static
void
cap_post_remount
(
struct
vfsmount
*
mnt
,
unsigned
long
flags
,
void
*
data
)
{
return
;
}
static
void
cap_post_mountroot
(
void
)
{
return
;
}
static
void
cap_post_addmount
(
struct
vfsmount
*
mnt
,
struct
nameidata
*
nd
)
{
return
;
}
static
int
cap_pivotroot
(
struct
nameidata
*
old_nd
,
struct
nameidata
*
new_nd
)
{
return
0
;
}
static
void
cap_post_pivotroot
(
struct
nameidata
*
old_nd
,
struct
nameidata
*
new_nd
)
{
return
;
}
static
int
cap_inode_alloc_security
(
struct
inode
*
inode
)
{
return
0
;
}
static
void
cap_inode_free_security
(
struct
inode
*
inode
)
{
return
;
}
static
int
cap_inode_create
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
mask
)
{
return
0
;
}
static
void
cap_inode_post_create
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
mask
)
{
return
;
}
static
int
cap_inode_link
(
struct
dentry
*
old_dentry
,
struct
inode
*
inode
,
struct
dentry
*
new_dentry
)
{
return
0
;
}
static
void
cap_inode_post_link
(
struct
dentry
*
old_dentry
,
struct
inode
*
inode
,
struct
dentry
*
new_dentry
)
{
return
;
}
static
int
cap_inode_unlink
(
struct
inode
*
inode
,
struct
dentry
*
dentry
)
{
return
0
;
}
static
int
cap_inode_symlink
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
const
char
*
name
)
{
return
0
;
}
static
void
cap_inode_post_symlink
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
const
char
*
name
)
{
return
;
}
static
int
cap_inode_mkdir
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
mask
)
{
return
0
;
}
static
void
cap_inode_post_mkdir
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
mask
)
{
return
;
}
static
int
cap_inode_rmdir
(
struct
inode
*
inode
,
struct
dentry
*
dentry
)
{
return
0
;
}
static
int
cap_inode_mknod
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
major
,
dev_t
minor
)
{
return
0
;
}
static
void
cap_inode_post_mknod
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
major
,
dev_t
minor
)
{
return
;
}
static
int
cap_inode_rename
(
struct
inode
*
old_inode
,
struct
dentry
*
old_dentry
,
struct
inode
*
new_inode
,
struct
dentry
*
new_dentry
)
{
return
0
;
}
static
void
cap_inode_post_rename
(
struct
inode
*
old_inode
,
struct
dentry
*
old_dentry
,
struct
inode
*
new_inode
,
struct
dentry
*
new_dentry
)
{
return
;
}
static
int
cap_inode_readlink
(
struct
dentry
*
dentry
)
{
return
0
;
}
static
int
cap_inode_follow_link
(
struct
dentry
*
dentry
,
struct
nameidata
*
nameidata
)
{
return
0
;
}
static
int
cap_inode_permission
(
struct
inode
*
inode
,
int
mask
)
{
return
0
;
}
static
int
cap_inode_permission_lite
(
struct
inode
*
inode
,
int
mask
)
{
return
0
;
}
static
int
cap_inode_setattr
(
struct
dentry
*
dentry
,
struct
iattr
*
iattr
)
{
return
0
;
}
static
int
cap_inode_getattr
(
struct
vfsmount
*
mnt
,
struct
dentry
*
dentry
)
{
return
0
;
}
static
void
cap_post_lookup
(
struct
inode
*
ino
,
struct
dentry
*
d
)
{
return
;
}
static
void
cap_delete
(
struct
inode
*
ino
)
{
return
;
}
static
int
cap_inode_setxattr
(
struct
dentry
*
dentry
,
char
*
name
,
void
*
value
,
size_t
size
,
int
flags
)
{
return
0
;
}
static
int
cap_inode_getxattr
(
struct
dentry
*
dentry
,
char
*
name
)
{
return
0
;
}
static
int
cap_inode_listxattr
(
struct
dentry
*
dentry
)
{
return
0
;
}
static
int
cap_inode_removexattr
(
struct
dentry
*
dentry
,
char
*
name
)
{
return
0
;
}
static
int
cap_file_permission
(
struct
file
*
file
,
int
mask
)
{
return
0
;
}
static
int
cap_file_alloc_security
(
struct
file
*
file
)
{
return
0
;
}
static
void
cap_file_free_security
(
struct
file
*
file
)
{
return
;
}
static
int
cap_file_llseek
(
struct
file
*
file
)
{
return
0
;
}
static
int
cap_file_ioctl
(
struct
file
*
file
,
unsigned
int
command
,
unsigned
long
arg
)
{
return
0
;
}
static
int
cap_file_mmap
(
struct
file
*
file
,
unsigned
long
prot
,
unsigned
long
flags
)
{
return
0
;
}
static
int
cap_file_mprotect
(
struct
vm_area_struct
*
vma
,
unsigned
long
prot
)
{
return
0
;
}
static
int
cap_file_lock
(
struct
file
*
file
,
unsigned
int
cmd
,
int
blocking
)
{
return
0
;
}
static
int
cap_file_fcntl
(
struct
file
*
file
,
unsigned
int
cmd
,
unsigned
long
arg
)
{
return
0
;
}
static
int
cap_file_set_fowner
(
struct
file
*
file
)
{
return
0
;
}
static
int
cap_file_send_sigiotask
(
struct
task_struct
*
tsk
,
struct
fown_struct
*
fown
,
int
fd
,
int
reason
)
{
return
0
;
}
static
int
cap_file_receive
(
struct
file
*
file
)
{
return
0
;
}
static
int
cap_task_create
(
unsigned
long
clone_flags
)
{
return
0
;
...
...
@@ -391,8 +694,11 @@ static struct security_operations capability_ops = {
.
capget
=
cap_capget
,
.
capset_check
=
cap_capset_check
,
.
capset_set
=
cap_capset_set
,
.
acct
=
cap_acct
,
.
capable
=
cap_capable
,
.
sys_security
=
cap_sys_security
,
.
quotactl
=
cap_quotactl
,
.
quota_on
=
cap_quota_on
,
.
bprm_alloc_security
=
cap_bprm_alloc_security
,
.
bprm_free_security
=
cap_bprm_free_security
,
...
...
@@ -400,6 +706,62 @@ static struct security_operations capability_ops = {
.
bprm_set_security
=
cap_bprm_set_security
,
.
bprm_check_security
=
cap_bprm_check_security
,
sb_alloc_security:
cap_sb_alloc_security
,
sb_free_security:
cap_sb_free_security
,
sb_statfs:
cap_sb_statfs
,
sb_mount:
cap_mount
,
sb_check_sb:
cap_check_sb
,
sb_umount:
cap_umount
,
sb_umount_close:
cap_umount_close
,
sb_umount_busy:
cap_umount_busy
,
sb_post_remount:
cap_post_remount
,
sb_post_mountroot:
cap_post_mountroot
,
sb_post_addmount:
cap_post_addmount
,
sb_pivotroot:
cap_pivotroot
,
sb_post_pivotroot:
cap_post_pivotroot
,
inode_alloc_security:
cap_inode_alloc_security
,
inode_free_security:
cap_inode_free_security
,
inode_create:
cap_inode_create
,
inode_post_create:
cap_inode_post_create
,
inode_link:
cap_inode_link
,
inode_post_link:
cap_inode_post_link
,
inode_unlink:
cap_inode_unlink
,
inode_symlink:
cap_inode_symlink
,
inode_post_symlink:
cap_inode_post_symlink
,
inode_mkdir:
cap_inode_mkdir
,
inode_post_mkdir:
cap_inode_post_mkdir
,
inode_rmdir:
cap_inode_rmdir
,
inode_mknod:
cap_inode_mknod
,
inode_post_mknod:
cap_inode_post_mknod
,
inode_rename:
cap_inode_rename
,
inode_post_rename:
cap_inode_post_rename
,
inode_readlink:
cap_inode_readlink
,
inode_follow_link:
cap_inode_follow_link
,
inode_permission:
cap_inode_permission
,
inode_permission_lite:
cap_inode_permission_lite
,
inode_setattr:
cap_inode_setattr
,
inode_getattr:
cap_inode_getattr
,
inode_post_lookup:
cap_post_lookup
,
inode_delete:
cap_delete
,
inode_setxattr:
cap_inode_setxattr
,
inode_getxattr:
cap_inode_getxattr
,
inode_listxattr:
cap_inode_listxattr
,
inode_removexattr:
cap_inode_removexattr
,
file_permission:
cap_file_permission
,
file_alloc_security:
cap_file_alloc_security
,
file_free_security:
cap_file_free_security
,
file_llseek:
cap_file_llseek
,
file_ioctl:
cap_file_ioctl
,
file_mmap:
cap_file_mmap
,
file_mprotect:
cap_file_mprotect
,
file_lock:
cap_file_lock
,
file_fcntl:
cap_file_fcntl
,
file_set_fowner:
cap_file_set_fowner
,
file_send_sigiotask:
cap_file_send_sigiotask
,
file_receive:
cap_file_receive
,
.
task_create
=
cap_task_create
,
.
task_alloc_security
=
cap_task_alloc_security
,
.
task_free_security
=
cap_task_free_security
,
...
...
security/dummy.c
View file @
f121b8fc
...
...
@@ -46,6 +46,11 @@ static void dummy_capset_set (struct task_struct *target,
return
;
}
static
int
dummy_acct
(
struct
file
*
file
)
{
return
0
;
}
static
int
dummy_capable
(
struct
task_struct
*
tsk
,
int
cap
)
{
if
(
cap_is_fs_cap
(
cap
)
?
tsk
->
fsuid
==
0
:
tsk
->
euid
==
0
)
...
...
@@ -62,6 +67,16 @@ static int dummy_sys_security (unsigned int id, unsigned int call,
return
-
ENOSYS
;
}
static
int
dummy_quotactl
(
int
cmds
,
int
type
,
int
id
,
struct
super_block
*
sb
)
{
return
0
;
}
static
int
dummy_quota_on
(
struct
file
*
f
)
{
return
0
;
}
static
int
dummy_bprm_alloc_security
(
struct
linux_binprm
*
bprm
)
{
return
0
;
...
...
@@ -87,6 +102,298 @@ static int dummy_bprm_check_security (struct linux_binprm *bprm)
return
0
;
}
static
int
dummy_sb_alloc_security
(
struct
super_block
*
sb
)
{
return
0
;
}
static
void
dummy_sb_free_security
(
struct
super_block
*
sb
)
{
return
;
}
static
int
dummy_sb_statfs
(
struct
super_block
*
sb
)
{
return
0
;
}
static
int
dummy_mount
(
char
*
dev_name
,
struct
nameidata
*
nd
,
char
*
type
,
unsigned
long
flags
,
void
*
data
)
{
return
0
;
}
static
int
dummy_check_sb
(
struct
vfsmount
*
mnt
,
struct
nameidata
*
nd
)
{
return
0
;
}
static
int
dummy_umount
(
struct
vfsmount
*
mnt
,
int
flags
)
{
return
0
;
}
static
void
dummy_umount_close
(
struct
vfsmount
*
mnt
)
{
return
;
}
static
void
dummy_umount_busy
(
struct
vfsmount
*
mnt
)
{
return
;
}
static
void
dummy_post_remount
(
struct
vfsmount
*
mnt
,
unsigned
long
flags
,
void
*
data
)
{
return
;
}
static
void
dummy_post_mountroot
(
void
)
{
return
;
}
static
void
dummy_post_addmount
(
struct
vfsmount
*
mnt
,
struct
nameidata
*
nd
)
{
return
;
}
static
int
dummy_pivotroot
(
struct
nameidata
*
old_nd
,
struct
nameidata
*
new_nd
)
{
return
0
;
}
static
void
dummy_post_pivotroot
(
struct
nameidata
*
old_nd
,
struct
nameidata
*
new_nd
)
{
return
;
}
static
int
dummy_inode_alloc_security
(
struct
inode
*
inode
)
{
return
0
;
}
static
void
dummy_inode_free_security
(
struct
inode
*
inode
)
{
return
;
}
static
int
dummy_inode_create
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
mask
)
{
return
0
;
}
static
void
dummy_inode_post_create
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
mask
)
{
return
;
}
static
int
dummy_inode_link
(
struct
dentry
*
old_dentry
,
struct
inode
*
inode
,
struct
dentry
*
new_dentry
)
{
return
0
;
}
static
void
dummy_inode_post_link
(
struct
dentry
*
old_dentry
,
struct
inode
*
inode
,
struct
dentry
*
new_dentry
)
{
return
;
}
static
int
dummy_inode_unlink
(
struct
inode
*
inode
,
struct
dentry
*
dentry
)
{
return
0
;
}
static
int
dummy_inode_symlink
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
const
char
*
name
)
{
return
0
;
}
static
void
dummy_inode_post_symlink
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
const
char
*
name
)
{
return
;
}
static
int
dummy_inode_mkdir
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
mask
)
{
return
0
;
}
static
void
dummy_inode_post_mkdir
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
mask
)
{
return
;
}
static
int
dummy_inode_rmdir
(
struct
inode
*
inode
,
struct
dentry
*
dentry
)
{
return
0
;
}
static
int
dummy_inode_mknod
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
major
,
dev_t
minor
)
{
return
0
;
}
static
void
dummy_inode_post_mknod
(
struct
inode
*
inode
,
struct
dentry
*
dentry
,
int
major
,
dev_t
minor
)
{
return
;
}
static
int
dummy_inode_rename
(
struct
inode
*
old_inode
,
struct
dentry
*
old_dentry
,
struct
inode
*
new_inode
,
struct
dentry
*
new_dentry
)
{
return
0
;
}
static
void
dummy_inode_post_rename
(
struct
inode
*
old_inode
,
struct
dentry
*
old_dentry
,
struct
inode
*
new_inode
,
struct
dentry
*
new_dentry
)
{
return
;
}
static
int
dummy_inode_readlink
(
struct
dentry
*
dentry
)
{
return
0
;
}
static
int
dummy_inode_follow_link
(
struct
dentry
*
dentry
,
struct
nameidata
*
nameidata
)
{
return
0
;
}
static
int
dummy_inode_permission
(
struct
inode
*
inode
,
int
mask
)
{
return
0
;
}
static
int
dummy_inode_permission_lite
(
struct
inode
*
inode
,
int
mask
)
{
return
0
;
}
static
int
dummy_inode_setattr
(
struct
dentry
*
dentry
,
struct
iattr
*
iattr
)
{
return
0
;
}
static
int
dummy_inode_getattr
(
struct
vfsmount
*
mnt
,
struct
dentry
*
dentry
)
{
return
0
;
}
static
void
dummy_post_lookup
(
struct
inode
*
ino
,
struct
dentry
*
d
)
{
return
;
}
static
void
dummy_delete
(
struct
inode
*
ino
)
{
return
;
}
static
int
dummy_inode_setxattr
(
struct
dentry
*
dentry
,
char
*
name
,
void
*
value
,
size_t
size
,
int
flags
)
{
return
0
;
}
static
int
dummy_inode_getxattr
(
struct
dentry
*
dentry
,
char
*
name
)
{
return
0
;
}
static
int
dummy_inode_listxattr
(
struct
dentry
*
dentry
)
{
return
0
;
}
static
int
dummy_inode_removexattr
(
struct
dentry
*
dentry
,
char
*
name
)
{
return
0
;
}
static
int
dummy_file_permission
(
struct
file
*
file
,
int
mask
)
{
return
0
;
}
static
int
dummy_file_alloc_security
(
struct
file
*
file
)
{
return
0
;
}
static
void
dummy_file_free_security
(
struct
file
*
file
)
{
return
;
}
static
int
dummy_file_llseek
(
struct
file
*
file
)
{
return
0
;
}
static
int
dummy_file_ioctl
(
struct
file
*
file
,
unsigned
int
command
,
unsigned
long
arg
)
{
return
0
;
}
static
int
dummy_file_mmap
(
struct
file
*
file
,
unsigned
long
prot
,
unsigned
long
flags
)
{
return
0
;
}
static
int
dummy_file_mprotect
(
struct
vm_area_struct
*
vma
,
unsigned
long
prot
)
{
return
0
;
}
static
int
dummy_file_lock
(
struct
file
*
file
,
unsigned
int
cmd
,
int
blocking
)
{
return
0
;
}
static
int
dummy_file_fcntl
(
struct
file
*
file
,
unsigned
int
cmd
,
unsigned
long
arg
)
{
return
0
;
}
static
int
dummy_file_set_fowner
(
struct
file
*
file
)
{
return
0
;
}
static
int
dummy_file_send_sigiotask
(
struct
task_struct
*
tsk
,
struct
fown_struct
*
fown
,
int
fd
,
int
reason
)
{
return
0
;
}
static
int
dummy_file_receive
(
struct
file
*
file
)
{
return
0
;
}
static
int
dummy_task_create
(
unsigned
long
clone_flags
)
{
return
0
;
...
...
@@ -201,8 +508,11 @@ struct security_operations dummy_security_ops = {
.
capget
=
dummy_capget
,
.
capset_check
=
dummy_capset_check
,
.
capset_set
=
dummy_capset_set
,
.
acct
=
dummy_act
,
.
capable
=
dummy_capable
,
.
sys_security
=
dummy_sys_security
,
quotactl:
dummy_quotactl
,
quota_on:
dummy_quota_on
,
.
bprm_alloc_security
=
dummy_bprm_alloc_security
,
.
bprm_free_security
=
dummy_bprm_free_security
,
...
...
@@ -210,6 +520,62 @@ struct security_operations dummy_security_ops = {
.
bprm_set_security
=
dummy_bprm_set_security
,
.
bprm_check_security
=
dummy_bprm_check_security
,
sb_alloc_security:
dummy_sb_alloc_security
,
sb_free_security:
dummy_sb_free_security
,
sb_statfs:
dummy_sb_statfs
,
sb_mount:
dummy_mount
,
sb_check_sb:
dummy_check_sb
,
sb_umount:
dummy_umount
,
sb_umount_close:
dummy_umount_close
,
sb_umount_busy:
dummy_umount_busy
,
sb_post_remount:
dummy_post_remount
,
sb_post_mountroot:
dummy_post_mountroot
,
sb_post_addmount:
dummy_post_addmount
,
sb_pivotroot:
dummy_pivotroot
,
sb_post_pivotroot:
dummy_post_pivotroot
,
inode_alloc_security:
dummy_inode_alloc_security
,
inode_free_security:
dummy_inode_free_security
,
inode_create:
dummy_inode_create
,
inode_post_create:
dummy_inode_post_create
,
inode_link:
dummy_inode_link
,
inode_post_link:
dummy_inode_post_link
,
inode_unlink:
dummy_inode_unlink
,
inode_symlink:
dummy_inode_symlink
,
inode_post_symlink:
dummy_inode_post_symlink
,
inode_mkdir:
dummy_inode_mkdir
,
inode_post_mkdir:
dummy_inode_post_mkdir
,
inode_rmdir:
dummy_inode_rmdir
,
inode_mknod:
dummy_inode_mknod
,
inode_post_mknod:
dummy_inode_post_mknod
,
inode_rename:
dummy_inode_rename
,
inode_post_rename:
dummy_inode_post_rename
,
inode_readlink:
dummy_inode_readlink
,
inode_follow_link:
dummy_inode_follow_link
,
inode_permission:
dummy_inode_permission
,
inode_permission_lite:
dummy_inode_permission_lite
,
inode_setattr:
dummy_inode_setattr
,
inode_getattr:
dummy_inode_getattr
,
inode_post_lookup:
dummy_post_lookup
,
inode_delete:
dummy_delete
,
inode_setxattr:
dummy_inode_setxattr
,
inode_getxattr:
dummy_inode_getxattr
,
inode_listxattr:
dummy_inode_listxattr
,
inode_removexattr:
dummy_inode_removexattr
,
file_permission:
dummy_file_permission
,
file_alloc_security:
dummy_file_alloc_security
,
file_free_security:
dummy_file_free_security
,
file_llseek:
dummy_file_llseek
,
file_ioctl:
dummy_file_ioctl
,
file_mmap:
dummy_file_mmap
,
file_mprotect:
dummy_file_mprotect
,
file_lock:
dummy_file_lock
,
file_fcntl:
dummy_file_fcntl
,
file_set_fowner:
dummy_file_set_fowner
,
file_send_sigiotask:
dummy_file_send_sigiotask
,
file_receive:
dummy_file_receive
,
.
task_create
=
dummy_task_create
,
.
task_alloc_security
=
dummy_task_alloc_security
,
.
task_free_security
=
dummy_task_free_security
,
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment