author | Karol Lewandowski <k.lewandowsk@samsung.com> | 2014-05-12 19:03:34 +0200 |
---|---|---|
committer | Maciej Wereski <m.wereski@partner.samsung.com> | 2014-05-29 13:51:12 +0200 |
commit | 58aa8fb6ad8fd56a5d98f2266cb904713db5c326 (patch) | |
tree | df8cb31dd23d48e96b89c15ee4a1f1a8d22d1a85 /connection.c | |
parent | ec3840de2ec4f92530e774237c472f461243b753 (diff) | |
Introduce lsm hooks for kdbus
This is a combination of work by Karol Lewandowski and Paul Moore
on LSM hooks for kdbus.
[v1 Initial version]
Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com>
[v2 added: memfd_seal
added: bus_alloc/free
added: ep_create ; ep_setpolicy ; ep_create
added: read ; write ]
Signed-off-by: Paul Moore <pmoore@redhat.com>
[v3 Rebased on top of 11f6693c1 (compatible with systemd v212),
dropped: memfd_seal - will be addressed in separately,
renamed: ep_create -> ep_alloc (for consistency),
renamed: send+recv -> talk,
renamed: read -> recv ; write -> send,
added: domain_alloc/free
added: ep_free ]
Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com>
[v4 Reverted many of v3 changes after comments by Paul
renamed: ep_alloc -> ep_create (as introduced in v2)
dropped: ep_free
changed: send+recv takes (kdbus_conn *, kdbus_bus *) params
changed: name_acquire takes kdbus_conn * param (as in v2)]
Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com>
Diffstat (limited to 'connection.c')
-rw-r--r-- | connection.c | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/connection.c b/connection.c
index 06f8438394d..f7c57a37f2b 100644
--- a/connection.c
+++ b/connection.c
@@ -25,6 +25,7 @@
 #include <linux/sizes.h>
 #include <linux/slab.h>
 #include <linux/syscalls.h>
+#include <linux/security.h>
 #include "bus.h"
 #include "connection.h"
@@ -849,6 +850,12 @@ static int kdbus_conn_fds_install(struct kdbus_conn *conn,
 int ret, *fds;
 size_t size;
+ for (i = 0; i < queue->fds_count; i++) {
+ ret = security_file_receive(queue->fds_fp[i]);
+ if (ret)
+ return ret;
+ }
+
 /* get array of file descriptors */
 size = queue->fds_count * sizeof(int);
 fds = kmalloc(size, GFP_KERNEL);
@@ -897,6 +904,13 @@ static int kdbus_conn_memfds_install(struct kdbus_conn *conn,
 size_t size;
 int ret = 0;
+ for (i = 0; i < queue->memfds_count; i++) {
+ ret = security_file_receive(queue->memfds_fp[i]);
+ if (ret)
+ return ret;
+ }
+
+
 size = queue->memfds_count * sizeof(int);
 fds = kmalloc(size, GFP_KERNEL);
 if (!fds)
@@ -993,6 +1007,10 @@ int kdbus_cmd_msg_recv(struct kdbus_conn *conn,
 LIST_HEAD(notify_list);
 int ret = 0;
+ ret = security_kdbus_recv(conn, conn->ep->bus);
+ if (ret)
+ return ret;
+
 mutex_lock(&conn->lock);
 if (conn->msg_count == 0) {
 ret = -EAGAIN;
@@ -1141,6 +1159,10 @@ int kdbus_conn_kmsg_send(struct kdbus_ep *ep,
 bool sync = msg->flags & KDBUS_MSG_FLAGS_SYNC_REPLY;
 int ret;
+ ret = security_kdbus_send(conn_src, bus);
+ if (ret)
+ return ret;
+
 /* assign domain-global message sequence number */
 BUG_ON(kmsg->seq > 0);
 kmsg->seq = atomic64_inc_return(&bus->domain->msg_seq_last);
@@ -1199,6 +1221,10 @@ int kdbus_conn_kmsg_send(struct kdbus_ep *ep,
 if (!conn_src)
 goto meta_append;
+ ret = security_kdbus_talk(conn_src, conn_dst);
+ if (ret)
+ return ret;
+
 if (msg->flags & KDBUS_MSG_FLAGS_EXPECT_REPLY) {
 struct timespec ts;
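Review bot: Neither security_file_receive() loop (kdbus_conn_fds_install() at -849, kdbus_conn_memfds_install() at -897) documents what a denial means for the queued message. Both checks run before the fd array is allocated, so the early `return ret` leaks nothing in the visible lines, but the functions continue outside their hunks and the caller is not shown. If the entry stays at the head of the queue after an error, one file that the receiver's policy rejects could make every later receive fail the same way, so that path should be confirmed. I would add above each loop a comment such as `/* LSM check on every passed file before any fd is installed; a denial fails the whole receive */`. The memfd hunk also adds two consecutive blank lines after the loop where one is enough.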
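Review bot: The `return ret` after security_kdbus_talk() in the -1199 hunk of kdbus_conn_kmsg_send() leaves the function directly at a point where a destination connection has already been resolved. The rest of the function is outside the hunk, so this is inferred: if conn_dst holds a reference taken during the destination lookup, every message the LSM rejects would leak that reference. The failure should go through the function's existing cleanup path instead, `if (ret) goto <existing unref/exit label>;` (the label name is not visible here). The security_kdbus_send() check in the -1141 hunk runs before anything visible is acquired, so a plain return looks fine there.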
@@ -1592,6 +1618,7 @@ static void __kdbus_conn_free(struct kref *kref)
 kdbus_pool_free(conn->pool);
 kdbus_ep_unref(conn->ep);
 kdbus_bus_unref(conn->bus);
+ security_kdbus_conn_free(conn);
 kfree(conn->name);
 kfree(conn);
 }
@@ -1736,6 +1763,10 @@ int kdbus_cmd_conn_info(struct kdbus_conn *conn,
 mutex_unlock(&conn->bus->lock);
 }
+ ret = security_kdbus_conn_info(conn);
+ if (ret)
+ goto exit;
+
 /*
 * If a lookup by name was requested, set owner_conn to the
 * matching entry's connection pointer. Otherwise, owner_conn
@@ -1865,6 +1896,10 @@ int kdbus_cmd_conn_update(struct kdbus_conn *conn,
 return ret;
 }
+ ret = security_kdbus_ep_setpolicy(conn->bus);
+ if (ret)
+ return ret;
+
 ret = kdbus_policy_set(conn->bus->policy_db, cmd->items, KDBUS_ITEMS_SIZE(cmd, items), 1, false, conn);
@@ -1898,6 +1933,8 @@ int kdbus_conn_new(struct kdbus_ep *ep,
 bool is_policy_holder;
 bool is_activator;
 bool is_monitor;
+ u32 len, sid;
+ char *label;
 int ret;
 bus = ep->bus;
@@ -1990,6 +2027,10 @@ int kdbus_conn_new(struct kdbus_ep *ep,
 goto exit_free_conn;
 }
+ ret = security_kdbus_ep_setpolicy(bus);
+ if (ret)
+ goto exit_free_conn;
+
 /*
 * Policy holders may install any number of names, and
 * are allowed to use wildcards as well.
@@ -2087,6 +2128,7 @@ int kdbus_conn_new(struct kdbus_ep *ep,
 }
 if (seclabel) {
+ /* XXX - this needs investigation, relabel? -- Paul */
 ret = kdbus_meta_append_data(conn->owner_meta, KDBUS_ITEM_SECLABEL, seclabel, seclabel_len);
@@ -2131,6 +2173,12 @@ int kdbus_conn_new(struct kdbus_ep *ep,
 goto exit_unref_user_unlock;
 }
+ security_task_getsecid(current, &sid);
+ security_secid_to_secctx(sid, &label, &len);
+ ret = security_kdbus_connect(conn, label, len);
+ if (ret < 0)
+ goto exit_unref_user_unlock;
+
 /* link into bus and endpoint */
 list_add_tail(&conn->ep_entry, &ep->conn_list);
 hash_add(bus->conn_hash, &conn->hentry, conn->id); |
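Review bot: security_kdbus_conn_info() in the -1736 hunk receives only the requesting connection, and it runs before the lookup that the following context comment describes ("set owner_conn to the matching entry's connection pointer"). A policy module therefore cannot tell whose information is being requested. If per-target decisions are wanted, the hook would have to run after owner_conn is resolved and take it as a second argument; the hook's definition is not part of this file's diff, so the current shape may be deliberate. Either way a comment such as `/* LSM: may this connection query connection info at all? (target not yet resolved) */` would record the intent. kdbus_cmd_conn_info() continues outside the hunk.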
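Review bot: The policy-database check is named security_kdbus_ep_setpolicy() but is passed a bus and no connection: `conn->bus` in the -1865 hunk of kdbus_cmd_conn_update() and `bus` in the -1990 hunk of kdbus_conn_new(). The hook therefore gets the object, but the only subject it can use is the calling task, and the endpoint in its name does not appear at either call site. That is worth stating at both places, for example `/* LSM: may the current task install policy on this bus? */`, so a later reader does not assume the check is per endpoint or per connection. If the hook authors do want the connection as the subject, passing `conn` alongside the bus would match the other hooks added in this commit that take a `kdbus_conn *`.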
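Review bot: In the -2131 hunk of kdbus_conn_new() the result of security_secid_to_secctx() is ignored, so when it fails `label` and `len` (declared without initialisers in the -1898 hunk) reach security_kdbus_connect() uninitialised. On kernels built without an LSM the stub returns an error, so this is not a rare path. The context returned on success is also never handed back with security_release_secctx(), which leaks an allocation per connection for modules that allocate it. The sketch below checks the return value, passes an empty label when none is available and releases the context after the hook. If security_kdbus_connect() stores the pointer rather than copying it (its body is not in this file's diff), the release belongs in security_kdbus_conn_free() instead; kdbus_conn_new() starts and ends outside the hunk.

```c
	security_task_getsecid(current, &sid);
	ret = security_secid_to_secctx(sid, &label, &len);
	if (ret < 0) {
		/* no context available: never pass uninitialised values on */
		label = NULL;
		len = 0;
	}
	ret = security_kdbus_connect(conn, label, len);
	if (label)
		security_release_secctx(label, len);
	if (ret < 0)
		goto exit_unref_user_unlock;

	/* … unchanged: link into bus and endpoint … */
```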