| 1 |
/* |
| 2 |
* security/caitsith/lsm2caitsith.c |
| 3 |
* |
| 4 |
* Copyright (C) 2005-2012 NTT DATA CORPORATION |
| 5 |
* |
| 6 |
* Version: 0.2.11 2023/05/27 |
| 7 |
*/ |
| 8 |
|
| 9 |
#include <linux/path.h> |
| 10 |
#include <linux/security.h> |
| 11 |
#include <linux/caitsith.h> |
| 12 |
|
| 13 |
int ccs_sb_umount(struct vfsmount *mnt, int flags) |
| 14 |
{ |
| 15 |
return ccs_umount_permission(mnt, flags); |
| 16 |
} |
| 17 |
|
| 18 |
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 1, 0) |
| 19 |
int ccs_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) |
| 20 |
{ |
| 21 |
return ccs_getattr_permission(mnt, dentry); |
| 22 |
} |
| 23 |
#else |
| 24 |
int ccs_inode_getattr(const struct path *path) |
| 25 |
{ |
| 26 |
return ccs_getattr_permission(path->mnt, path->dentry); |
| 27 |
} |
| 28 |
#endif |
| 29 |
|
| 30 |
int ccs_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) |
| 31 |
{ |
| 32 |
return ccs_ioctl_permission(file, cmd, arg); |
| 33 |
} |
| 34 |
|
| 35 |
int ccs_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg) |
| 36 |
{ |
| 37 |
return ccs_fcntl_permission(file, cmd, arg); |
| 38 |
} |
| 39 |
|
| 40 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0) || (defined(RHEL_MAJOR) && RHEL_MAJOR == 8) |
| 41 |
int ccs_file_open(struct file *file) |
| 42 |
{ |
| 43 |
return ccs_open_permission(file); |
| 44 |
} |
| 45 |
#else |
| 46 |
int ccs_file_open(struct file *file, const struct cred *cred) |
| 47 |
{ |
| 48 |
return ccs_open_permission(file); |
| 49 |
} |
| 50 |
#endif |
| 51 |
|
| 52 |
int ccs_socket_create(int family, int type, int protocol, int kern) |
| 53 |
{ |
| 54 |
return ccs_socket_create_permission(family, type, protocol); |
| 55 |
} |
| 56 |
|
| 57 |
int ccs_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) |
| 58 |
{ |
| 59 |
return ccs_socket_bind_permission(sock, address, addrlen); |
| 60 |
} |
| 61 |
|
| 62 |
int ccs_socket_connect(struct socket *sock, struct sockaddr *address, |
| 63 |
int addrlen) |
| 64 |
{ |
| 65 |
return ccs_socket_connect_permission(sock, address, addrlen); |
| 66 |
} |
| 67 |
|
| 68 |
int ccs_socket_listen(struct socket *sock, int backlog) |
| 69 |
{ |
| 70 |
return ccs_socket_listen_permission(sock); |
| 71 |
} |
| 72 |
|
| 73 |
int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) |
| 74 |
{ |
| 75 |
return ccs_socket_sendmsg_permission(sock, msg, size); |
| 76 |
} |
| 77 |
|
| 78 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 7, 0) |
| 79 |
|
| 80 |
int ccs_settime(const struct timespec64 *ts, const struct timezone *tz) |
| 81 |
{ |
| 82 |
return ccs_capable(CCS_SYS_SETTIME) ? 0 : -EPERM; |
| 83 |
} |
| 84 |
|
| 85 |
int ccs_sb_mount(const char *dev_name, const struct path *path, |
| 86 |
const char *type, unsigned long flags, void *data) |
| 87 |
{ |
| 88 |
return ccs_mount_permission(dev_name, path, type, flags, data); |
| 89 |
} |
| 90 |
|
| 91 |
int ccs_sb_pivotroot(const struct path *old_path, const struct path *new_path) |
| 92 |
{ |
| 93 |
return ccs_pivot_root_permission(old_path, new_path); |
| 94 |
} |
| 95 |
|
| 96 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) |
| 97 |
int ccs_move_mount(const struct path *from_path, const struct path *to_path) |
| 98 |
{ |
| 99 |
return ccs_move_mount_permission(from_path, to_path); |
| 100 |
} |
| 101 |
#endif |
| 102 |
|
| 103 |
int ccs_path_unlink(const struct path *dir, struct dentry *dentry) |
| 104 |
{ |
| 105 |
return ccs_unlink_permission(dentry, dir->mnt); |
| 106 |
} |
| 107 |
|
| 108 |
int ccs_path_mkdir(const struct path *dir, struct dentry *dentry, umode_t mode) |
| 109 |
{ |
| 110 |
return ccs_mkdir_permission(dentry, dir->mnt, mode); |
| 111 |
} |
| 112 |
|
| 113 |
int ccs_path_rmdir(const struct path *dir, struct dentry *dentry) |
| 114 |
{ |
| 115 |
return ccs_rmdir_permission(dentry, dir->mnt); |
| 116 |
} |
| 117 |
|
| 118 |
int ccs_path_mknod(const struct path *dir, struct dentry *dentry, umode_t mode, |
| 119 |
unsigned int dev) |
| 120 |
{ |
| 121 |
return ccs_mknod_permission(dentry, dir->mnt, mode, dev); |
| 122 |
} |
| 123 |
|
| 124 |
int ccs_file_truncate(struct file *file) |
| 125 |
{ |
| 126 |
return ccs_path_truncate(&file->f_path); |
| 127 |
} |
| 128 |
|
| 129 |
int ccs_path_truncate(const struct path *path) |
| 130 |
{ |
| 131 |
return ccs_truncate_permission(path->dentry, path->mnt); |
| 132 |
} |
| 133 |
|
| 134 |
int ccs_path_symlink(const struct path *dir, struct dentry *dentry, |
| 135 |
const char *old_name) |
| 136 |
{ |
| 137 |
return ccs_symlink_permission(dentry, dir->mnt, old_name); |
| 138 |
} |
| 139 |
|
| 140 |
int ccs_path_link(struct dentry *old_dentry, const struct path *new_dir, |
| 141 |
struct dentry *new_dentry) |
| 142 |
{ |
| 143 |
return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt); |
| 144 |
} |
| 145 |
|
| 146 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0) |
| 147 |
int ccs_path_rename(const struct path *old_dir, struct dentry *old_dentry, |
| 148 |
const struct path *new_dir, struct dentry *new_dentry, |
| 149 |
const unsigned int flags) |
| 150 |
{ |
| 151 |
return ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt, flags); |
| 152 |
} |
| 153 |
#else |
| 154 |
int ccs_path_rename(const struct path *old_dir, struct dentry *old_dentry, |
| 155 |
const struct path *new_dir, struct dentry *new_dentry) |
| 156 |
{ |
| 157 |
return ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt); |
| 158 |
} |
| 159 |
#endif |
| 160 |
|
| 161 |
int ccs_path_chmod(const struct path *path, umode_t mode) |
| 162 |
{ |
| 163 |
return ccs_chmod_permission(path->dentry, path->mnt, mode); |
| 164 |
} |
| 165 |
|
| 166 |
int ccs_path_chown(const struct path *path, kuid_t uid, kgid_t gid) |
| 167 |
{ |
| 168 |
return ccs_chown_permission(path->dentry, path->mnt, uid, gid); |
| 169 |
} |
| 170 |
|
| 171 |
int ccs_path_chroot(const struct path *path) |
| 172 |
{ |
| 173 |
return ccs_chroot_permission(path); |
| 174 |
} |
| 175 |
|
| 176 |
#else |
| 177 |
|
| 178 |
int ccs_settime(const struct timespec *ts, const struct timezone *tz) |
| 179 |
{ |
| 180 |
return ccs_capable(CCS_SYS_SETTIME) ? 0 : -EPERM; |
| 181 |
} |
| 182 |
|
| 183 |
int ccs_sb_mount(const char *dev_name, struct path *path, const char *type, |
| 184 |
unsigned long flags, void *data) |
| 185 |
{ |
| 186 |
return ccs_mount_permission(dev_name, path, type, flags, data); |
| 187 |
} |
| 188 |
|
| 189 |
int ccs_sb_pivotroot(struct path *old_path, struct path *new_path) |
| 190 |
{ |
| 191 |
return ccs_pivot_root_permission(old_path, new_path); |
| 192 |
} |
| 193 |
|
| 194 |
int ccs_path_unlink(struct path *dir, struct dentry *dentry) |
| 195 |
{ |
| 196 |
return ccs_unlink_permission(dentry, dir->mnt); |
| 197 |
} |
| 198 |
|
| 199 |
int ccs_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode) |
| 200 |
{ |
| 201 |
return ccs_mkdir_permission(dentry, dir->mnt, mode); |
| 202 |
} |
| 203 |
|
| 204 |
int ccs_path_rmdir(struct path *dir, struct dentry *dentry) |
| 205 |
{ |
| 206 |
return ccs_rmdir_permission(dentry, dir->mnt); |
| 207 |
} |
| 208 |
|
| 209 |
int ccs_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode, |
| 210 |
unsigned int dev) |
| 211 |
{ |
| 212 |
return ccs_mknod_permission(dentry, dir->mnt, mode, dev); |
| 213 |
} |
| 214 |
|
| 215 |
int ccs_path_truncate(struct path *path) |
| 216 |
{ |
| 217 |
return ccs_truncate_permission(path->dentry, path->mnt); |
| 218 |
} |
| 219 |
|
| 220 |
int ccs_path_symlink(struct path *dir, struct dentry *dentry, |
| 221 |
const char *old_name) |
| 222 |
{ |
| 223 |
return ccs_symlink_permission(dentry, dir->mnt, old_name); |
| 224 |
} |
| 225 |
|
| 226 |
int ccs_path_link(struct dentry *old_dentry, struct path *new_dir, |
| 227 |
struct dentry *new_dentry) |
| 228 |
{ |
| 229 |
return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt); |
| 230 |
} |
| 231 |
|
| 232 |
int ccs_path_rename(struct path *old_dir, struct dentry *old_dentry, |
| 233 |
struct path *new_dir, struct dentry *new_dentry) |
| 234 |
{ |
| 235 |
return ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt); |
| 236 |
} |
| 237 |
|
| 238 |
int ccs_path_chmod(struct path *path, umode_t mode) |
| 239 |
{ |
| 240 |
return ccs_chmod_permission(path->dentry, path->mnt, mode); |
| 241 |
} |
| 242 |
|
| 243 |
int ccs_path_chown(struct path *path, kuid_t uid, kgid_t gid) |
| 244 |
{ |
| 245 |
return ccs_chown_permission(path->dentry, path->mnt, uid, gid); |
| 246 |
} |
| 247 |
|
| 248 |
int ccs_path_chroot(struct path *path) |
| 249 |
{ |
| 250 |
return ccs_chroot_permission(path); |
| 251 |
} |
| 252 |
|
| 253 |
#endif |
| 254 |
|
| 255 |
#if !defined(CONFIG_SECURITY_PATH) |
| 256 |
EXPORT_SYMBOL(ccs_path_mkdir); |
| 257 |
EXPORT_SYMBOL(ccs_path_mknod); |
| 258 |
EXPORT_SYMBOL(ccs_path_unlink); |
| 259 |
EXPORT_SYMBOL(ccs_path_rename); |
| 260 |
#endif |
| 261 |
|
| 262 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 2, 0) && defined(CONFIG_SECURITY) |
| 263 |
|
| 264 |
#include <linux/lsm_hooks.h> |
| 265 |
|
| 266 |
static struct security_hook_list caitsith_hooks[] = { |
| 267 |
LSM_HOOK_INIT(settime, ccs_settime), |
| 268 |
LSM_HOOK_INIT(sb_mount, ccs_sb_mount), |
| 269 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) |
| 270 |
LSM_HOOK_INIT(move_mount, ccs_move_mount), |
| 271 |
#endif |
| 272 |
LSM_HOOK_INIT(sb_umount, ccs_sb_umount), |
| 273 |
LSM_HOOK_INIT(sb_pivotroot, ccs_sb_pivotroot), |
| 274 |
LSM_HOOK_INIT(inode_getattr, ccs_inode_getattr), |
| 275 |
LSM_HOOK_INIT(file_ioctl, ccs_file_ioctl), |
| 276 |
LSM_HOOK_INIT(file_fcntl, ccs_file_fcntl), |
| 277 |
LSM_HOOK_INIT(file_open, ccs_file_open), |
| 278 |
#if defined(CONFIG_SECURITY_NETWORK) |
| 279 |
LSM_HOOK_INIT(socket_create, ccs_socket_create), |
| 280 |
LSM_HOOK_INIT(socket_bind, ccs_socket_bind), |
| 281 |
LSM_HOOK_INIT(socket_connect, ccs_socket_connect), |
| 282 |
LSM_HOOK_INIT(socket_listen, ccs_socket_listen), |
| 283 |
LSM_HOOK_INIT(socket_sendmsg, ccs_socket_sendmsg), |
| 284 |
#endif |
| 285 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 2, 0) |
| 286 |
LSM_HOOK_INIT(file_truncate, ccs_file_truncate), |
| 287 |
#endif |
| 288 |
#if defined(CONFIG_SECURITY_PATH) |
| 289 |
LSM_HOOK_INIT(path_unlink, ccs_path_unlink), |
| 290 |
LSM_HOOK_INIT(path_mkdir, ccs_path_mkdir), |
| 291 |
LSM_HOOK_INIT(path_rmdir, ccs_path_rmdir), |
| 292 |
LSM_HOOK_INIT(path_mknod, ccs_path_mknod), |
| 293 |
LSM_HOOK_INIT(path_truncate, ccs_path_truncate), |
| 294 |
LSM_HOOK_INIT(path_symlink, ccs_path_symlink), |
| 295 |
LSM_HOOK_INIT(path_link, ccs_path_link), |
| 296 |
LSM_HOOK_INIT(path_rename, ccs_path_rename), |
| 297 |
LSM_HOOK_INIT(path_chmod, ccs_path_chmod), |
| 298 |
LSM_HOOK_INIT(path_chown, ccs_path_chown), |
| 299 |
LSM_HOOK_INIT(path_chroot, ccs_path_chroot), |
| 300 |
#endif |
| 301 |
}; |
| 302 |
|
| 303 |
static int __init cs_add_hooks(void) |
| 304 |
{ |
| 305 |
if (caitsith_ops.disabled) |
| 306 |
return 0; |
| 307 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0) |
| 308 |
security_add_hooks(caitsith_hooks, ARRAY_SIZE(caitsith_hooks), |
| 309 |
"caitsith"); |
| 310 |
#else |
| 311 |
security_add_hooks(caitsith_hooks, ARRAY_SIZE(caitsith_hooks)); |
| 312 |
#endif |
| 313 |
return 0; |
| 314 |
} |
| 315 |
late_initcall(cs_add_hooks); |
| 316 |
#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(4, 2, 0) && defined(CONFIG_SECURITY) */ |
Parent Directory
Revision Log