This repository was archived by the owner on Sep 24, 2020. It is now read-only.
Merged
21 commits
72f2135
security, overlayfs: provide copy up security hook for unioned files
rhvgoyal Jul 19, 2016
b45eb80
selinux: Implementation for inode_copy_up() hook
rhvgoyal Jul 19, 2016
8a5e4f3
security,overlayfs: Provide security hook for copy up of xattrs for o…
rhvgoyal Jul 19, 2016
6f9f703
selinux: Implementation for inode_copy_up_xattr() hook
rhvgoyal Jul 19, 2016
1104a4c
selinux: Pass security pointer to determine_inode_label()
rhvgoyal Jul 19, 2016
6edae16
security, overlayfs: Provide hook to correctly label newly created files
rhvgoyal Jul 19, 2016
d1d5776
selinux: Implement dentry_create_files_as() hook
rhvgoyal Jul 19, 2016
14accb8
Add secure_modules() call
Aug 9, 2013
c1a2f1a
PCI: Lock down BAR access when module security is enabled
Mar 8, 2012
ef9962b
x86: Lock down IO port access when module security is enabled
Mar 8, 2012
d01d4b3
ACPI: Limit access to custom_method
Mar 9, 2012
70e4a01
asus-wmi: Restrict debugfs interface when module loading is restricted
Mar 9, 2012
c746f34
Restrict /dev/mem and /dev/kmem when module loading is restricted
Mar 9, 2012
5f74d42
acpi: Ignore acpi_rsdp kernel parameter when module loading is restri…
jwboyer Jun 25, 2012
fb93701
kexec: Disable at runtime if the kernel enforces module loading restr…
Nov 20, 2015
c707e9d
x86: Restrict MSR access when module loading is restricted
Feb 8, 2013
22a7af2
Add option to automatically enforce module signatures when in Secure …
Aug 9, 2013
2271087
efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
Aug 27, 2013
b0f4c9e
efi: Add EFI_SECURE_BOOT bit
Aug 27, 2013
f342c4a
hibernate: Disable in a signed modules environment
Jun 20, 2014
fd0e348
kbuild: derive relative path for KBUILD_SRC from CURDIR
Nov 25, 2015
selinux: Pass security pointer to determine_inode_label()
Right now selinux_determine_inode_label() works on security pointer of
current task. Soon I need this to work on a security pointer retrieved
from a set of creds. So start passing in a pointer and caller can decide
where to fetch security pointer from.

Signed-off-by: Vivek Goyal <[email protected]>
Acked-by: Stephen Smalley <[email protected]>
rhvgoyal authored and crawford committed Jan 18, 2017
commit 1104a4c8e3bdf480e5ca55b558a3812b5190bb84
19 changes: 10 additions & 9 deletions security/selinux/hooks.c
Expand Up @@ -1808,13 +1808,13 @@ static int file_has_perm(const struct cred *cred,
/*
* Determine the label for an inode that might be unioned.
*/
static int selinux_determine_inode_label(struct inode *dir,
const struct qstr *name,
u16 tclass,
u32 *_new_isid)
static int
selinux_determine_inode_label(const struct task_security_struct *tsec,
struct inode *dir,
const struct qstr *name, u16 tclass,
u32 *_new_isid)
{
const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
const struct task_security_struct *tsec = current_security();

if ((sbsec->flags & SE_SBINITIALIZED) &&
(sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
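Review bot: The comment above selinux_determine_inode_label() still says only "Determine the label for an inode that might be unioned" and does not mention the new first parameter. Now that the function no longer calls current_security() itself, the comment should state that tsec is the security struct of the subject on whose behalf the inode is labelled, whether it may be NULL, and that a caller taking it from a set of creds rather than from the current task must keep those creds alive for the duration of the call.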
Expand Down Expand Up @@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir,
if (rc)
return rc;

rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
&newsid);
rc = selinux_determine_inode_label(current_security(), dir,
&dentry->d_name, tclass, &newsid);
if (rc)
return rc;

Expand Down Expand Up @@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
u32 newsid;
int rc;

rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
rc = selinux_determine_inode_label(current_security(),
d_inode(dentry->d_parent), name,
inode_mode_to_security_class(mode),
&newsid);
if (rc)
Expand All @@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
sid = tsec->sid;
newsid = tsec->create_sid;

rc = selinux_determine_inode_label(
rc = selinux_determine_inode_label(current_security(),
dir, qstr,
inode_mode_to_security_class(inode->i_mode),
&newsid);
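Review bot: In selinux_inode_init_security() the call passes current_security() even though the context lines directly above already read tsec->sid and tsec->create_sid from a local tsec. Passing that local as the first argument would tie sid, newsid and the label lookup to a single pointer and avoid a second lookup. If the local is intentionally not the value wanted here, a short comment saying why would help the next reader.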