diff options
Diffstat (limited to 'connection.c')
| -rw-r--r-- | connection.c | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/connection.c b/connection.c index 06f8438394d..f7c57a37f2b 100644 --- a/connection.c +++ b/connection.c @@ -25,6 +25,7 @@ #include <linux/sizes.h> #include <linux/slab.h> #include <linux/syscalls.h> +#include <linux/security.h> #include "bus.h" #include "connection.h" @@ -849,6 +850,12 @@ static int kdbus_conn_fds_install(struct kdbus_conn *conn, int ret, *fds; size_t size; + for (i = 0; i < queue->fds_count; i++) { + ret = security_file_receive(queue->fds_fp[i]); + if (ret) + return ret; + } + /* get array of file descriptors */ size = queue->fds_count * sizeof(int); fds = kmalloc(size, GFP_KERNEL); @@ -897,6 +904,13 @@ static int kdbus_conn_memfds_install(struct kdbus_conn *conn, size_t size; int ret = 0; + for (i = 0; i < queue->memfds_count; i++) { + ret = security_file_receive(queue->memfds_fp[i]); + if (ret) + return ret; + } + + size = queue->memfds_count * sizeof(int); fds = kmalloc(size, GFP_KERNEL); if (!fds) @@ -993,6 +1007,10 @@ int kdbus_cmd_msg_recv(struct kdbus_conn *conn, LIST_HEAD(notify_list); int ret = 0; + ret = security_kdbus_recv(conn, conn->ep->bus); + if (ret) + return ret; + mutex_lock(&conn->lock); if (conn->msg_count == 0) { ret = -EAGAIN; @@ -1141,6 +1159,10 @@ int kdbus_conn_kmsg_send(struct kdbus_ep *ep, bool sync = msg->flags & KDBUS_MSG_FLAGS_SYNC_REPLY; int ret; + ret = security_kdbus_send(conn_src, bus); + if (ret) + return ret; + /* assign domain-global message sequence number */ BUG_ON(kmsg->seq > 0); kmsg->seq = atomic64_inc_return(&bus->domain->msg_seq_last); @@ -1199,6 +1221,10 @@ int kdbus_conn_kmsg_send(struct kdbus_ep *ep, if (!conn_src) goto meta_append; + ret = security_kdbus_talk(conn_src, conn_dst); + if (ret) + return ret; + if (msg->flags & KDBUS_MSG_FLAGS_EXPECT_REPLY) { struct timespec ts; @@ -1592,6 +1618,7 @@ static void __kdbus_conn_free(struct kref *kref) kdbus_pool_free(conn->pool); kdbus_ep_unref(conn->ep); kdbus_bus_unref(conn->bus); + security_kdbus_conn_free(conn); kfree(conn->name); kfree(conn); } @@ -1736,6 +1763,10 @@ int kdbus_cmd_conn_info(struct kdbus_conn *conn, mutex_unlock(&conn->bus->lock); } + ret = security_kdbus_conn_info(conn); + if (ret) + goto exit; + /* * If a lookup by name was requested, set owner_conn to the * matching entry's connection pointer. Otherwise, owner_conn @@ -1865,6 +1896,10 @@ int kdbus_cmd_conn_update(struct kdbus_conn *conn, return ret; } + ret = security_kdbus_ep_setpolicy(conn->bus); + if (ret) + return ret; + ret = kdbus_policy_set(conn->bus->policy_db, cmd->items, KDBUS_ITEMS_SIZE(cmd, items), 1, false, conn); @@ -1898,6 +1933,8 @@ int kdbus_conn_new(struct kdbus_ep *ep, bool is_policy_holder; bool is_activator; bool is_monitor; + u32 len, sid; + char *label; int ret; bus = ep->bus; @@ -1990,6 +2027,10 @@ int kdbus_conn_new(struct kdbus_ep *ep, goto exit_free_conn; } + ret = security_kdbus_ep_setpolicy(bus); + if (ret) + goto exit_free_conn; + /* * Policy holders may install any number of names, and * are allowed to use wildcards as well. @@ -2087,6 +2128,7 @@ int kdbus_conn_new(struct kdbus_ep *ep, } if (seclabel) { + /* XXX - this needs investigation, relabel? -- Paul */ ret = kdbus_meta_append_data(conn->owner_meta, KDBUS_ITEM_SECLABEL, seclabel, seclabel_len); @@ -2131,6 +2173,12 @@ int kdbus_conn_new(struct kdbus_ep *ep, goto exit_unref_user_unlock; } + security_task_getsecid(current, &sid); + security_secid_to_secctx(sid, &label, &len); + ret = security_kdbus_connect(conn, label, len); + if (ret < 0) + goto exit_unref_user_unlock; + /* link into bus and endpoint */ list_add_tail(&conn->ep_entry, &ep->conn_list); hash_add(bus->conn_hash, &conn->hentry, conn->id); |