CRED: Allow kernel services to override LSM settings for task actions
Allow kernel services to override LSM settings appropriate to the actions
performed by a task by duplicating a set of credentials, modifying it and then
using task_struct::cred to point to it when performing operations on behalf of
a task.
This is used, for example, by CacheFiles which has to transparently access the
cache on behalf of a process that thinks it is doing, say, NFS accesses with a
potentially inappropriate (with respect to accessing the cache) set of
credentials.
This patch provides two LSM hooks for modifying a task security record:
(*) security_kernel_act_as() which allows modification of the security datum
with which a task acts on other objects (most notably files).
(*) security_kernel_create_files_as() which allows modification of the
security datum that is used to initialise the security data on a file that
a task creates.
The patch also provides four new credentials handling functions, which wrap the
LSM functions:
(1) prepare_kernel_cred()
Prepare a set of credentials for a kernel service to use, based either on
a daemon's credentials or on init_cred. All the keyrings are cleared.
(2) set_security_override()
Set the LSM security ID in a set of credentials to a specific security
context, assuming permission from the LSM policy.
(3) set_security_override_from_ctx()
As (2), but takes the security context as a string.
(4) set_create_files_as()
Set the file creation LSM security ID in a set of credentials to be the
same as that on a particular inode.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [Smack changes]
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
David Howells
committed by
James Morris
James Morris
parent
1bfdc75ae0
commit
3a3b7ce933
@@ -3277,6 +3277,50 @@ static void selinux_cred_commit(struct cred *new, const struct cred *old)
|
||||
secondary_ops->cred_commit(new, old);
|
||||
}
|
||||
|
||||
/*
|
||||
* set the security data for a kernel service
|
||||
* - all the creation contexts are set to unlabelled
|
||||
*/
|
||||
static int selinux_kernel_act_as(struct cred *new, u32 secid)
|
||||
{
|
||||
struct task_security_struct *tsec = new->security;
|
||||
u32 sid = current_sid();
|
||||
int ret;
|
||||
|
||||
ret = avc_has_perm(sid, secid,
|
||||
SECCLASS_KERNEL_SERVICE,
|
||||
KERNEL_SERVICE__USE_AS_OVERRIDE,
|
||||
NULL);
|
||||
if (ret == 0) {
|
||||
tsec->sid = secid;
|
||||
tsec->create_sid = 0;
|
||||
tsec->keycreate_sid = 0;
|
||||
tsec->sockcreate_sid = 0;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* set the file creation context in a security record to the same as the
|
||||
* objective context of the specified inode
|
||||
*/
|
||||
static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
|
||||
{
|
||||
struct inode_security_struct *isec = inode->i_security;
|
||||
struct task_security_struct *tsec = new->security;
|
||||
u32 sid = current_sid();
|
||||
int ret;
|
||||
|
||||
ret = avc_has_perm(sid, isec->sid,
|
||||
SECCLASS_KERNEL_SERVICE,
|
||||
KERNEL_SERVICE__CREATE_FILES_AS,
|
||||
NULL);
|
||||
|
||||
if (ret == 0)
|
||||
tsec->create_sid = isec->sid;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
|
||||
{
|
||||
/* Since setuid only affects the current process, and
|
||||
@@ -5593,6 +5637,8 @@ static struct security_operations selinux_ops = {
|
||||
.cred_free = selinux_cred_free,
|
||||
.cred_prepare = selinux_cred_prepare,
|
||||
.cred_commit = selinux_cred_commit,
|
||||
.kernel_act_as = selinux_kernel_act_as,
|
||||
.kernel_create_files_as = selinux_kernel_create_files_as,
|
||||
.task_setuid = selinux_task_setuid,
|
||||
.task_fix_setuid = selinux_task_fix_setuid,
|
||||
.task_setgid = selinux_task_setgid,
|
||||
|
||||
Reference in New Issue
Block a user