mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-07 14:32:23 +00:00
[PATCH] selinux: extend selinuxfs context interface
This patch extends the selinuxfs context interface to allow return the canonical form of the context to userspace. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
25a74f3ba8
commit
ce9982d048
@ -271,46 +271,38 @@ static struct file_operations sel_load_ops = {
|
|||||||
.write = sel_write_load,
|
.write = sel_write_load,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
|
||||||
static ssize_t sel_write_context(struct file * file, const char __user * buf,
|
|
||||||
size_t count, loff_t *ppos)
|
|
||||||
|
|
||||||
{
|
{
|
||||||
char *page;
|
char *canon;
|
||||||
u32 sid;
|
u32 sid, len;
|
||||||
ssize_t length;
|
ssize_t length;
|
||||||
|
|
||||||
length = task_has_security(current, SECURITY__CHECK_CONTEXT);
|
length = task_has_security(current, SECURITY__CHECK_CONTEXT);
|
||||||
if (length)
|
if (length)
|
||||||
return length;
|
return length;
|
||||||
|
|
||||||
if (count >= PAGE_SIZE)
|
length = security_context_to_sid(buf, size, &sid);
|
||||||
return -ENOMEM;
|
|
||||||
if (*ppos != 0) {
|
|
||||||
/* No partial writes. */
|
|
||||||
return -EINVAL;
|
|
||||||
}
|
|
||||||
page = (char*)get_zeroed_page(GFP_KERNEL);
|
|
||||||
if (!page)
|
|
||||||
return -ENOMEM;
|
|
||||||
length = -EFAULT;
|
|
||||||
if (copy_from_user(page, buf, count))
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
length = security_context_to_sid(page, count, &sid);
|
|
||||||
if (length < 0)
|
if (length < 0)
|
||||||
goto out;
|
return length;
|
||||||
|
|
||||||
length = count;
|
length = security_sid_to_context(sid, &canon, &len);
|
||||||
|
if (length < 0)
|
||||||
|
return length;
|
||||||
|
|
||||||
|
if (len > SIMPLE_TRANSACTION_LIMIT) {
|
||||||
|
printk(KERN_ERR "%s: context size (%u) exceeds payload "
|
||||||
|
"max\n", __FUNCTION__, len);
|
||||||
|
length = -ERANGE;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
memcpy(buf, canon, len);
|
||||||
|
length = len;
|
||||||
out:
|
out:
|
||||||
free_page((unsigned long) page);
|
kfree(canon);
|
||||||
return length;
|
return length;
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct file_operations sel_context_ops = {
|
|
||||||
.write = sel_write_context,
|
|
||||||
};
|
|
||||||
|
|
||||||
static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
|
static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
|
||||||
size_t count, loff_t *ppos)
|
size_t count, loff_t *ppos)
|
||||||
{
|
{
|
||||||
@ -375,6 +367,7 @@ static ssize_t (*write_op[])(struct file *, char *, size_t) = {
|
|||||||
[SEL_RELABEL] = sel_write_relabel,
|
[SEL_RELABEL] = sel_write_relabel,
|
||||||
[SEL_USER] = sel_write_user,
|
[SEL_USER] = sel_write_user,
|
||||||
[SEL_MEMBER] = sel_write_member,
|
[SEL_MEMBER] = sel_write_member,
|
||||||
|
[SEL_CONTEXT] = sel_write_context,
|
||||||
};
|
};
|
||||||
|
|
||||||
static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
|
static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
|
||||||
@ -1220,7 +1213,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
|
|||||||
static struct tree_descr selinux_files[] = {
|
static struct tree_descr selinux_files[] = {
|
||||||
[SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR},
|
[SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR},
|
||||||
[SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR},
|
[SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR},
|
||||||
[SEL_CONTEXT] = {"context", &sel_context_ops, S_IRUGO|S_IWUGO},
|
[SEL_CONTEXT] = {"context", &transaction_ops, S_IRUGO|S_IWUGO},
|
||||||
[SEL_ACCESS] = {"access", &transaction_ops, S_IRUGO|S_IWUGO},
|
[SEL_ACCESS] = {"access", &transaction_ops, S_IRUGO|S_IWUGO},
|
||||||
[SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO},
|
[SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO},
|
||||||
[SEL_RELABEL] = {"relabel", &transaction_ops, S_IRUGO|S_IWUGO},
|
[SEL_RELABEL] = {"relabel", &transaction_ops, S_IRUGO|S_IWUGO},
|
||||||
|
Loading…
Reference in New Issue
Block a user