security.c 2.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117
  1. /* CacheFiles security management
  2. *
  3. * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
  4. * Written by David Howells (dhowells@redhat.com)
  5. *
  6. * This program is free software; you can redistribute it and/or
  7. * modify it under the terms of the GNU General Public Licence
  8. * as published by the Free Software Foundation; either version
  9. * 2 of the Licence, or (at your option) any later version.
  10. */
  11. #include <linux/fs.h>
  12. #include <linux/cred.h>
  13. #include "internal.h"
  14. /*
  15. * determine the security context within which we access the cache from within
  16. * the kernel
  17. */
  18. int cachefiles_get_security_ID(struct cachefiles_cache *cache)
  19. {
  20. struct cred *new;
  21. int ret;
  22. _enter("{%s}", cache->secctx);
  23. new = prepare_kernel_cred(current);
  24. if (!new) {
  25. ret = -ENOMEM;
  26. goto error;
  27. }
  28. if (cache->secctx) {
  29. ret = set_security_override_from_ctx(new, cache->secctx);
  30. if (ret < 0) {
  31. put_cred(new);
  32. pr_err("Security denies permission to nominate security context: error %d\n",
  33. ret);
  34. goto error;
  35. }
  36. }
  37. cache->cache_cred = new;
  38. ret = 0;
  39. error:
  40. _leave(" = %d", ret);
  41. return ret;
  42. }
  43. /*
  44. * see if mkdir and create can be performed in the root directory
  45. */
  46. static int cachefiles_check_cache_dir(struct cachefiles_cache *cache,
  47. struct dentry *root)
  48. {
  49. int ret;
  50. ret = security_inode_mkdir(d_backing_inode(root), root, 0);
  51. if (ret < 0) {
  52. pr_err("Security denies permission to make dirs: error %d",
  53. ret);
  54. return ret;
  55. }
  56. ret = security_inode_create(d_backing_inode(root), root, 0);
  57. if (ret < 0)
  58. pr_err("Security denies permission to create files: error %d",
  59. ret);
  60. return ret;
  61. }
  62. /*
  63. * check the security details of the on-disk cache
  64. * - must be called with security override in force
  65. * - must return with a security override in force - even in the case of an
  66. * error
  67. */
  68. int cachefiles_determine_cache_security(struct cachefiles_cache *cache,
  69. struct dentry *root,
  70. const struct cred **_saved_cred)
  71. {
  72. struct cred *new;
  73. int ret;
  74. _enter("");
  75. /* duplicate the cache creds for COW (the override is currently in
  76. * force, so we can use prepare_creds() to do this) */
  77. new = prepare_creds();
  78. if (!new)
  79. return -ENOMEM;
  80. cachefiles_end_secure(cache, *_saved_cred);
  81. /* use the cache root dir's security context as the basis with
  82. * which create files */
  83. ret = set_create_files_as(new, d_backing_inode(root));
  84. if (ret < 0) {
  85. abort_creds(new);
  86. cachefiles_begin_secure(cache, _saved_cred);
  87. _leave(" = %d [cfa]", ret);
  88. return ret;
  89. }
  90. put_cred(cache->cache_cred);
  91. cache->cache_cred = new;
  92. cachefiles_begin_secure(cache, _saved_cred);
  93. ret = cachefiles_check_cache_dir(cache, root);
  94. if (ret == -EOPNOTSUPP)
  95. ret = 0;
  96. _leave(" = %d", ret);
  97. return ret;
  98. }