mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-11-24 03:40:52 +07:00
LSM: Add security_path_chroot().
This patch allows pathname based LSM modules to check chroot() operations. This hook is used by TOMOYO. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
89eda06837
commit
8b8efb4403
@ -587,6 +587,9 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
|
|||||||
error = -EPERM;
|
error = -EPERM;
|
||||||
if (!capable(CAP_SYS_CHROOT))
|
if (!capable(CAP_SYS_CHROOT))
|
||||||
goto dput_and_out;
|
goto dput_and_out;
|
||||||
|
error = security_path_chroot(&path);
|
||||||
|
if (error)
|
||||||
|
goto dput_and_out;
|
||||||
|
|
||||||
set_fs_root(current->fs, &path);
|
set_fs_root(current->fs, &path);
|
||||||
error = 0;
|
error = 0;
|
||||||
|
@ -459,6 +459,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
|
|||||||
* @uid contains new owner's ID.
|
* @uid contains new owner's ID.
|
||||||
* @gid contains new group's ID.
|
* @gid contains new group's ID.
|
||||||
* Return 0 if permission is granted.
|
* Return 0 if permission is granted.
|
||||||
|
* @path_chroot:
|
||||||
|
* Check for permission to change root directory.
|
||||||
|
* @path contains the path structure.
|
||||||
|
* Return 0 if permission is granted.
|
||||||
* @inode_readlink:
|
* @inode_readlink:
|
||||||
* Check the permission to read the symbolic link.
|
* Check the permission to read the symbolic link.
|
||||||
* @dentry contains the dentry structure for the file link.
|
* @dentry contains the dentry structure for the file link.
|
||||||
@ -1503,6 +1507,7 @@ struct security_operations {
|
|||||||
int (*path_chmod) (struct dentry *dentry, struct vfsmount *mnt,
|
int (*path_chmod) (struct dentry *dentry, struct vfsmount *mnt,
|
||||||
mode_t mode);
|
mode_t mode);
|
||||||
int (*path_chown) (struct path *path, uid_t uid, gid_t gid);
|
int (*path_chown) (struct path *path, uid_t uid, gid_t gid);
|
||||||
|
int (*path_chroot) (struct path *path);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
int (*inode_alloc_security) (struct inode *inode);
|
int (*inode_alloc_security) (struct inode *inode);
|
||||||
@ -2970,6 +2975,7 @@ int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
|
|||||||
int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
|
int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
|
||||||
mode_t mode);
|
mode_t mode);
|
||||||
int security_path_chown(struct path *path, uid_t uid, gid_t gid);
|
int security_path_chown(struct path *path, uid_t uid, gid_t gid);
|
||||||
|
int security_path_chroot(struct path *path);
|
||||||
#else /* CONFIG_SECURITY_PATH */
|
#else /* CONFIG_SECURITY_PATH */
|
||||||
static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
|
static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
|
||||||
{
|
{
|
||||||
@ -3031,6 +3037,11 @@ static inline int security_path_chown(struct path *path, uid_t uid, gid_t gid)
|
|||||||
{
|
{
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline int security_path_chroot(struct path *path)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
#endif /* CONFIG_SECURITY_PATH */
|
#endif /* CONFIG_SECURITY_PATH */
|
||||||
|
|
||||||
#ifdef CONFIG_KEYS
|
#ifdef CONFIG_KEYS
|
||||||
|
@ -319,6 +319,11 @@ static int cap_path_chown(struct path *path, uid_t uid, gid_t gid)
|
|||||||
{
|
{
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int cap_path_chroot(struct path *root)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static int cap_file_permission(struct file *file, int mask)
|
static int cap_file_permission(struct file *file, int mask)
|
||||||
@ -990,6 +995,7 @@ void security_fixup_ops(struct security_operations *ops)
|
|||||||
set_to_cap_if_null(ops, path_truncate);
|
set_to_cap_if_null(ops, path_truncate);
|
||||||
set_to_cap_if_null(ops, path_chmod);
|
set_to_cap_if_null(ops, path_chmod);
|
||||||
set_to_cap_if_null(ops, path_chown);
|
set_to_cap_if_null(ops, path_chown);
|
||||||
|
set_to_cap_if_null(ops, path_chroot);
|
||||||
#endif
|
#endif
|
||||||
set_to_cap_if_null(ops, file_permission);
|
set_to_cap_if_null(ops, file_permission);
|
||||||
set_to_cap_if_null(ops, file_alloc_security);
|
set_to_cap_if_null(ops, file_alloc_security);
|
||||||
|
@ -449,6 +449,11 @@ int security_path_chown(struct path *path, uid_t uid, gid_t gid)
|
|||||||
return 0;
|
return 0;
|
||||||
return security_ops->path_chown(path, uid, gid);
|
return security_ops->path_chown(path, uid, gid);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int security_path_chroot(struct path *path)
|
||||||
|
{
|
||||||
|
return security_ops->path_chroot(path);
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
|
int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
|
||||||
|
Loading…
Reference in New Issue
Block a user