Commit | Line | Data |
---|---|---|
9ae326a6 DH |
1 | /* CacheFiles security management |
2 | * | |
3 | * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. | |
4 | * Written by David Howells (dhowells@redhat.com) | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU General Public Licence | |
8 | * as published by the Free Software Foundation; either version | |
9 | * 2 of the Licence, or (at your option) any later version. | |
10 | */ | |
11 | ||
12 | #include <linux/fs.h> | |
13 | #include <linux/cred.h> | |
14 | #include "internal.h" | |
15 | ||
16 | /* | |
17 | * determine the security context within which we access the cache from within | |
18 | * the kernel | |
19 | */ | |
20 | int cachefiles_get_security_ID(struct cachefiles_cache *cache) | |
21 | { | |
22 | struct cred *new; | |
23 | int ret; | |
24 | ||
25 | _enter("{%s}", cache->secctx); | |
26 | ||
27 | new = prepare_kernel_cred(current); | |
28 | if (!new) { | |
29 | ret = -ENOMEM; | |
30 | goto error; | |
31 | } | |
32 | ||
33 | if (cache->secctx) { | |
34 | ret = set_security_override_from_ctx(new, cache->secctx); | |
35 | if (ret < 0) { | |
36 | put_cred(new); | |
37 | printk(KERN_ERR "CacheFiles:" | |
38 | " Security denies permission to nominate" | |
39 | " security context: error %d\n", | |
40 | ret); | |
41 | goto error; | |
42 | } | |
43 | } | |
44 | ||
45 | cache->cache_cred = new; | |
46 | ret = 0; | |
47 | error: | |
48 | _leave(" = %d", ret); | |
49 | return ret; | |
50 | } | |
51 | ||
52 | /* | |
53 | * see if mkdir and create can be performed in the root directory | |
54 | */ | |
55 | static int cachefiles_check_cache_dir(struct cachefiles_cache *cache, | |
56 | struct dentry *root) | |
57 | { | |
58 | int ret; | |
59 | ||
60 | ret = security_inode_mkdir(root->d_inode, root, 0); | |
61 | if (ret < 0) { | |
62 | printk(KERN_ERR "CacheFiles:" | |
63 | " Security denies permission to make dirs: error %d", | |
64 | ret); | |
65 | return ret; | |
66 | } | |
67 | ||
68 | ret = security_inode_create(root->d_inode, root, 0); | |
69 | if (ret < 0) | |
70 | printk(KERN_ERR "CacheFiles:" | |
71 | " Security denies permission to create files: error %d", | |
72 | ret); | |
73 | ||
74 | return ret; | |
75 | } | |
76 | ||
77 | /* | |
78 | * check the security details of the on-disk cache | |
79 | * - must be called with security override in force | |
80 | */ | |
81 | int cachefiles_determine_cache_security(struct cachefiles_cache *cache, | |
82 | struct dentry *root, | |
83 | const struct cred **_saved_cred) | |
84 | { | |
85 | struct cred *new; | |
86 | int ret; | |
87 | ||
88 | _enter(""); | |
89 | ||
90 | /* duplicate the cache creds for COW (the override is currently in | |
91 | * force, so we can use prepare_creds() to do this) */ | |
92 | new = prepare_creds(); | |
93 | if (!new) | |
94 | return -ENOMEM; | |
95 | ||
96 | cachefiles_end_secure(cache, *_saved_cred); | |
97 | ||
98 | /* use the cache root dir's security context as the basis with | |
99 | * which create files */ | |
100 | ret = set_create_files_as(new, root->d_inode); | |
101 | if (ret < 0) { | |
102 | _leave(" = %d [cfa]", ret); | |
103 | return ret; | |
104 | } | |
105 | ||
106 | put_cred(cache->cache_cred); | |
107 | cache->cache_cred = new; | |
108 | ||
109 | cachefiles_begin_secure(cache, _saved_cred); | |
110 | ret = cachefiles_check_cache_dir(cache, root); | |
111 | ||
112 | if (ret == -EOPNOTSUPP) | |
113 | ret = 0; | |
114 | _leave(" = %d", ret); | |
115 | return ret; | |
116 | } |