Linux Audio

Check our new training course

Open Menu / fs / cachefiles / security.c
Loading...
v6.8
  1// SPDX-License-Identifier: GPL-2.0-or-later
  2/* CacheFiles security management
  3 *
  4 * Copyright (C) 2007, 2021 Red Hat, Inc. All Rights Reserved.
  5 * Written by David Howells (dhowells@redhat.com)
 
 
 
 
 
  6 */
  7
  8#include <linux/fs.h>
  9#include <linux/cred.h>
 10#include "internal.h"
 11
 12/*
 13 * determine the security context within which we access the cache from within
 14 * the kernel
 15 */
 16int cachefiles_get_security_ID(struct cachefiles_cache *cache)
 17{
 18	struct cred *new;
 19	int ret;
 20
 21	_enter("{%s}", cache->secctx);
 22
 23	new = prepare_kernel_cred(current);
 24	if (!new) {
 25		ret = -ENOMEM;
 26		goto error;
 27	}
 28
 29	if (cache->secctx) {
 30		ret = set_security_override_from_ctx(new, cache->secctx);
 31		if (ret < 0) {
 32			put_cred(new);
 33			pr_err("Security denies permission to nominate security context: error %d\n",
 34			       ret);
 35			goto error;
 36		}
 37	}
 38
 39	cache->cache_cred = new;
 40	ret = 0;
 41error:
 42	_leave(" = %d", ret);
 43	return ret;
 44}
 45
 46/*
 47 * see if mkdir and create can be performed in the root directory
 48 */
 49static int cachefiles_check_cache_dir(struct cachefiles_cache *cache,
 50				      struct dentry *root)
 51{
 52	int ret;
 53
 54	ret = security_inode_mkdir(d_backing_inode(root), root, 0);
 55	if (ret < 0) {
 56		pr_err("Security denies permission to make dirs: error %d",
 57		       ret);
 58		return ret;
 59	}
 60
 61	ret = security_inode_create(d_backing_inode(root), root, 0);
 62	if (ret < 0)
 63		pr_err("Security denies permission to create files: error %d",
 64		       ret);
 65
 66	return ret;
 67}
 68
 69/*
 70 * check the security details of the on-disk cache
 71 * - must be called with security override in force
 72 * - must return with a security override in force - even in the case of an
 73 *   error
 74 */
 75int cachefiles_determine_cache_security(struct cachefiles_cache *cache,
 76					struct dentry *root,
 77					const struct cred **_saved_cred)
 78{
 79	struct cred *new;
 80	int ret;
 81
 82	_enter("");
 83
 84	/* duplicate the cache creds for COW (the override is currently in
 85	 * force, so we can use prepare_creds() to do this) */
 86	new = prepare_creds();
 87	if (!new)
 88		return -ENOMEM;
 89
 90	cachefiles_end_secure(cache, *_saved_cred);
 91
 92	/* use the cache root dir's security context as the basis with
 93	 * which create files */
 94	ret = set_create_files_as(new, d_backing_inode(root));
 95	if (ret < 0) {
 96		abort_creds(new);
 97		cachefiles_begin_secure(cache, _saved_cred);
 98		_leave(" = %d [cfa]", ret);
 99		return ret;
100	}
101
102	put_cred(cache->cache_cred);
103	cache->cache_cred = new;
104
105	cachefiles_begin_secure(cache, _saved_cred);
106	ret = cachefiles_check_cache_dir(cache, root);
107
108	if (ret == -EOPNOTSUPP)
109		ret = 0;
110	_leave(" = %d", ret);
111	return ret;
112}
v4.10.11
 
  1/* CacheFiles security management
  2 *
  3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
  4 * Written by David Howells (dhowells@redhat.com)
  5 *
  6 * This program is free software; you can redistribute it and/or
  7 * modify it under the terms of the GNU General Public Licence
  8 * as published by the Free Software Foundation; either version
  9 * 2 of the Licence, or (at your option) any later version.
 10 */
 11
 12#include <linux/fs.h>
 13#include <linux/cred.h>
 14#include "internal.h"
 15
 16/*
 17 * determine the security context within which we access the cache from within
 18 * the kernel
 19 */
 20int cachefiles_get_security_ID(struct cachefiles_cache *cache)
 21{
 22	struct cred *new;
 23	int ret;
 24
 25	_enter("{%s}", cache->secctx);
 26
 27	new = prepare_kernel_cred(current);
 28	if (!new) {
 29		ret = -ENOMEM;
 30		goto error;
 31	}
 32
 33	if (cache->secctx) {
 34		ret = set_security_override_from_ctx(new, cache->secctx);
 35		if (ret < 0) {
 36			put_cred(new);
 37			pr_err("Security denies permission to nominate security context: error %d\n",
 38			       ret);
 39			goto error;
 40		}
 41	}
 42
 43	cache->cache_cred = new;
 44	ret = 0;
 45error:
 46	_leave(" = %d", ret);
 47	return ret;
 48}
 49
 50/*
 51 * see if mkdir and create can be performed in the root directory
 52 */
 53static int cachefiles_check_cache_dir(struct cachefiles_cache *cache,
 54				      struct dentry *root)
 55{
 56	int ret;
 57
 58	ret = security_inode_mkdir(d_backing_inode(root), root, 0);
 59	if (ret < 0) {
 60		pr_err("Security denies permission to make dirs: error %d",
 61		       ret);
 62		return ret;
 63	}
 64
 65	ret = security_inode_create(d_backing_inode(root), root, 0);
 66	if (ret < 0)
 67		pr_err("Security denies permission to create files: error %d",
 68		       ret);
 69
 70	return ret;
 71}
 72
 73/*
 74 * check the security details of the on-disk cache
 75 * - must be called with security override in force
 76 * - must return with a security override in force - even in the case of an
 77 *   error
 78 */
 79int cachefiles_determine_cache_security(struct cachefiles_cache *cache,
 80					struct dentry *root,
 81					const struct cred **_saved_cred)
 82{
 83	struct cred *new;
 84	int ret;
 85
 86	_enter("");
 87
 88	/* duplicate the cache creds for COW (the override is currently in
 89	 * force, so we can use prepare_creds() to do this) */
 90	new = prepare_creds();
 91	if (!new)
 92		return -ENOMEM;
 93
 94	cachefiles_end_secure(cache, *_saved_cred);
 95
 96	/* use the cache root dir's security context as the basis with
 97	 * which create files */
 98	ret = set_create_files_as(new, d_backing_inode(root));
 99	if (ret < 0) {
100		abort_creds(new);
101		cachefiles_begin_secure(cache, _saved_cred);
102		_leave(" = %d [cfa]", ret);
103		return ret;
104	}
105
106	put_cred(cache->cache_cred);
107	cache->cache_cred = new;
108
109	cachefiles_begin_secure(cache, _saved_cred);
110	ret = cachefiles_check_cache_dir(cache, root);
111
112	if (ret == -EOPNOTSUPP)
113		ret = 0;
114	_leave(" = %d", ret);
115	return ret;
116}