security: add inode_init_security_anon() LSM hook
This change adds a new LSM hook, inode_init_security_anon(), that will be used while creating secure anonymous inodes. The hook allows/denies its creation and assigns a security context to the inode. The new hook accepts an optional context_inode parameter that callers can use to provide additional contextual information to security modules for granting/denying permission to create an anon-inode of the same type. This context_inode's security_context can also be used to initialize the newly created anon-inode's security_context. Signed-off-by: Lokesh Gidra <lokeshgidra@google.com> Reviewed-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
parent
08abe46b2c
commit
215b674b84
|
@ -113,6 +113,8 @@ LSM_HOOK(void, LSM_RET_VOID, inode_free_security, struct inode *inode)
|
|||
LSM_HOOK(int, 0, inode_init_security, struct inode *inode,
|
||||
struct inode *dir, const struct qstr *qstr, const char **name,
|
||||
void **value, size_t *len)
|
||||
LSM_HOOK(int, 0, inode_init_security_anon, struct inode *inode,
|
||||
const struct qstr *name, const struct inode *context_inode)
|
||||
LSM_HOOK(int, 0, inode_create, struct inode *dir, struct dentry *dentry,
|
||||
umode_t mode)
|
||||
LSM_HOOK(int, 0, inode_link, struct dentry *old_dentry, struct inode *dir,
|
||||
|
|
|
@ -233,6 +233,15 @@
|
|||
* Returns 0 if @name and @value have been successfully set,
|
||||
* -EOPNOTSUPP if no security attribute is needed, or
|
||||
* -ENOMEM on memory allocation failure.
|
||||
* @inode_init_security_anon:
|
||||
* Set up the incore security field for the new anonymous inode
|
||||
* and return whether the inode creation is permitted by the security
|
||||
* module or not.
|
||||
* @inode contains the inode structure
|
||||
* @name name of the anonymous inode class
|
||||
* @context_inode optional related inode
|
||||
* Returns 0 on success, -EACCES if the security module denies the
|
||||
* creation of this inode, or another -errno upon other errors.
|
||||
* @inode_create:
|
||||
* Check permission to create a regular file.
|
||||
* @dir contains inode structure of the parent of the new file.
|
||||
|
|
|
@ -324,6 +324,9 @@ void security_inode_free(struct inode *inode);
|
|||
int security_inode_init_security(struct inode *inode, struct inode *dir,
|
||||
const struct qstr *qstr,
|
||||
initxattrs initxattrs, void *fs_data);
|
||||
int security_inode_init_security_anon(struct inode *inode,
|
||||
const struct qstr *name,
|
||||
const struct inode *context_inode);
|
||||
int security_old_inode_init_security(struct inode *inode, struct inode *dir,
|
||||
const struct qstr *qstr, const char **name,
|
||||
void **value, size_t *len);
|
||||
|
@ -738,6 +741,13 @@ static inline int security_inode_init_security(struct inode *inode,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static inline int security_inode_init_security_anon(struct inode *inode,
|
||||
const struct qstr *name,
|
||||
const struct inode *context_inode)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int security_old_inode_init_security(struct inode *inode,
|
||||
struct inode *dir,
|
||||
const struct qstr *qstr,
|
||||
|
|
|
@ -1059,6 +1059,14 @@ int security_inode_init_security(struct inode *inode, struct inode *dir,
|
|||
}
|
||||
EXPORT_SYMBOL(security_inode_init_security);
|
||||
|
||||
int security_inode_init_security_anon(struct inode *inode,
|
||||
const struct qstr *name,
|
||||
const struct inode *context_inode)
|
||||
{
|
||||
return call_int_hook(inode_init_security_anon, 0, inode, name,
|
||||
context_inode);
|
||||
}
|
||||
|
||||
int security_old_inode_init_security(struct inode *inode, struct inode *dir,
|
||||
const struct qstr *qstr, const char **name,
|
||||
void **value, size_t *len)
|
||||
|
|
Loading…
Reference in New Issue