linux/fs/cachefiles/security.c
Thomas Gleixner b4d0d230cc treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public licence as published by
  the free software foundation either version 2 of the licence or at
  your option any later version

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 114 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190520170857.552531963@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-24 17:27:11 +02:00

113 lines
2.5 KiB
C

// SPDX-License-Identifier: GPL-2.0-or-later
/* CacheFiles security management
*
* Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*/
#include <linux/fs.h>
#include <linux/cred.h>
#include "internal.h"
/*
* determine the security context within which we access the cache from within
* the kernel
*/
int cachefiles_get_security_ID(struct cachefiles_cache *cache)
{
struct cred *new;
int ret;
_enter("{%s}", cache->secctx);
new = prepare_kernel_cred(current);
if (!new) {
ret = -ENOMEM;
goto error;
}
if (cache->secctx) {
ret = set_security_override_from_ctx(new, cache->secctx);
if (ret < 0) {
put_cred(new);
pr_err("Security denies permission to nominate security context: error %d\n",
ret);
goto error;
}
}
cache->cache_cred = new;
ret = 0;
error:
_leave(" = %d", ret);
return ret;
}
/*
* see if mkdir and create can be performed in the root directory
*/
static int cachefiles_check_cache_dir(struct cachefiles_cache *cache,
struct dentry *root)
{
int ret;
ret = security_inode_mkdir(d_backing_inode(root), root, 0);
if (ret < 0) {
pr_err("Security denies permission to make dirs: error %d",
ret);
return ret;
}
ret = security_inode_create(d_backing_inode(root), root, 0);
if (ret < 0)
pr_err("Security denies permission to create files: error %d",
ret);
return ret;
}
/*
* check the security details of the on-disk cache
* - must be called with security override in force
* - must return with a security override in force - even in the case of an
* error
*/
int cachefiles_determine_cache_security(struct cachefiles_cache *cache,
struct dentry *root,
const struct cred **_saved_cred)
{
struct cred *new;
int ret;
_enter("");
/* duplicate the cache creds for COW (the override is currently in
* force, so we can use prepare_creds() to do this) */
new = prepare_creds();
if (!new)
return -ENOMEM;
cachefiles_end_secure(cache, *_saved_cred);
/* use the cache root dir's security context as the basis with
* which create files */
ret = set_create_files_as(new, d_backing_inode(root));
if (ret < 0) {
abort_creds(new);
cachefiles_begin_secure(cache, _saved_cred);
_leave(" = %d [cfa]", ret);
return ret;
}
put_cred(cache->cache_cred);
cache->cache_cred = new;
cachefiles_begin_secure(cache, _saved_cred);
ret = cachefiles_check_cache_dir(cache, root);
if (ret == -EOPNOTSUPP)
ret = 0;
_leave(" = %d", ret);
return ret;
}