~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/ipe/fs.c

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/ipe/fs.c (Version linux-6.12-rc7) and /security/ipe/fs.c (Version linux-4.10.17)


  1 // SPDX-License-Identifier: GPL-2.0                 1 
  2 /*                                                
  3  * Copyright (C) 2020-2024 Microsoft Corporati    
  4  */                                               
  5                                                   
  6 #include <linux/dcache.h>                         
  7 #include <linux/security.h>                       
  8                                                   
  9 #include "ipe.h"                                  
 10 #include "fs.h"                                   
 11 #include "eval.h"                                 
 12 #include "policy.h"                               
 13 #include "audit.h"                                
 14                                                   
 15 static struct dentry *np __ro_after_init;         
 16 static struct dentry *root __ro_after_init;       
 17 struct dentry *policy_root __ro_after_init;       
 18 static struct dentry *audit_node __ro_after_in    
 19 static struct dentry *enforce_node __ro_after_    
 20                                                   
 21 /**                                               
 22  * setaudit() - Write handler for the security    
 23  * @f: Supplies a file structure representing     
 24  * @data: Supplies a buffer passed to the writ    
 25  * @len: Supplies the length of @data.            
 26  * @offset: unused.                               
 27  *                                                
 28  * Return:                                        
 29  * * Length of buffer written   - Success         
 30  * * %-EPERM                    - Insufficient    
 31  */                                               
 32 static ssize_t setaudit(struct file *f, const     
 33                         size_t len, loff_t *of    
 34 {                                                 
 35         int rc = 0;                               
 36         bool value;                               
 37                                                   
 38         if (!file_ns_capable(f, &init_user_ns,    
 39                 return -EPERM;                    
 40                                                   
 41         rc = kstrtobool_from_user(data, len, &    
 42         if (rc)                                   
 43                 return rc;                        
 44                                                   
 45         WRITE_ONCE(success_audit, value);         
 46                                                   
 47         return len;                               
 48 }                                                 
 49                                                   
 50 /**                                               
 51  * getaudit() - Read handler for the securityf    
 52  * @f: Supplies a file structure representing     
 53  * @data: Supplies a buffer passed to the read    
 54  * @len: Supplies the length of @data.            
 55  * @offset: unused.                               
 56  *                                                
 57  * Return: Length of buffer written               
 58  */                                               
 59 static ssize_t getaudit(struct file *f, char _    
 60                         size_t len, loff_t *of    
 61 {                                                 
 62         const char *result;                       
 63                                                   
 64         result = ((READ_ONCE(success_audit)) ?    
 65                                                   
 66         return simple_read_from_buffer(data, l    
 67 }                                                 
 68                                                   
 69 /**                                               
 70  * setenforce() - Write handler for the securi    
 71  * @f: Supplies a file structure representing     
 72  * @data: Supplies a buffer passed to the writ    
 73  * @len: Supplies the length of @data.            
 74  * @offset: unused.                               
 75  *                                                
 76  * Return:                                        
 77  * * Length of buffer written   - Success         
 78  * * %-EPERM                    - Insufficient    
 79  */                                               
 80 static ssize_t setenforce(struct file *f, cons    
 81                           size_t len, loff_t *    
 82 {                                                 
 83         int rc = 0;                               
 84         bool new_value, old_value;                
 85                                                   
 86         if (!file_ns_capable(f, &init_user_ns,    
 87                 return -EPERM;                    
 88                                                   
 89         old_value = READ_ONCE(enforce);           
 90         rc = kstrtobool_from_user(data, len, &    
 91         if (rc)                                   
 92                 return rc;                        
 93                                                   
 94         if (new_value != old_value) {             
 95                 ipe_audit_enforce(new_value, o    
 96                 WRITE_ONCE(enforce, new_value)    
 97         }                                         
 98                                                   
 99         return len;                               
100 }                                                 
101                                                   
102 /**                                               
103  * getenforce() - Read handler for the securit    
104  * @f: Supplies a file structure representing     
105  * @data: Supplies a buffer passed to the read    
106  * @len: Supplies the length of @data.            
107  * @offset: unused.                               
108  *                                                
109  * Return: Length of buffer written               
110  */                                               
111 static ssize_t getenforce(struct file *f, char    
112                           size_t len, loff_t *    
113 {                                                 
114         const char *result;                       
115                                                   
116         result = ((READ_ONCE(enforce)) ? "1" :    
117                                                   
118         return simple_read_from_buffer(data, l    
119 }                                                 
120                                                   
121 /**                                               
122  * new_policy() - Write handler for the securi    
123  * @f: Supplies a file structure representing     
124  * @data: Supplies a buffer passed to the writ    
125  * @len: Supplies the length of @data.            
126  * @offset: unused.                               
127  *                                                
128  * Return:                                        
129  * * Length of buffer written   - Success         
130  * * %-EPERM                    - Insufficient    
131  * * %-ENOMEM                   - Out of memor    
132  * * %-EBADMSG                  - Policy is in    
133  * * %-ERANGE                   - Policy versi    
134  * * %-EINVAL                   - Policy versi    
135  * * %-EEXIST                   - Same name po    
136  */                                               
137 static ssize_t new_policy(struct file *f, cons    
138                           size_t len, loff_t *    
139 {                                                 
140         struct ipe_policy *p = NULL;              
141         char *copy = NULL;                        
142         int rc = 0;                               
143                                                   
144         if (!file_ns_capable(f, &init_user_ns,    
145                 return -EPERM;                    
146                                                   
147         copy = memdup_user_nul(data, len);        
148         if (IS_ERR(copy))                         
149                 return PTR_ERR(copy);             
150                                                   
151         p = ipe_new_policy(NULL, 0, copy, len)    
152         if (IS_ERR(p)) {                          
153                 rc = PTR_ERR(p);                  
154                 goto out;                         
155         }                                         
156                                                   
157         rc = ipe_new_policyfs_node(p);            
158         if (rc)                                   
159                 goto out;                         
160                                                   
161         ipe_audit_policy_load(p);                 
162                                                   
163 out:                                              
164         if (rc < 0)                               
165                 ipe_free_policy(p);               
166         kfree(copy);                              
167         return (rc < 0) ? rc : len;               
168 }                                                 
169                                                   
170 static const struct file_operations np_fops =     
171         .write = new_policy,                      
172 };                                                
173                                                   
174 static const struct file_operations audit_fops    
175         .write = setaudit,                        
176         .read = getaudit,                         
177 };                                                
178                                                   
179 static const struct file_operations enforce_fo    
180         .write = setenforce,                      
181         .read = getenforce,                       
182 };                                                
183                                                   
184 /**                                               
185  * ipe_init_securityfs() - Initialize IPE's se    
186  *                                                
187  * Return: %0 on success. If an error occurs,     
188  * the -errno.                                    
189  */                                               
190 static int __init ipe_init_securityfs(void)       
191 {                                                 
192         int rc = 0;                               
193         struct ipe_policy *ap;                    
194                                                   
195         if (!ipe_enabled)                         
196                 return -EOPNOTSUPP;               
197                                                   
198         root = securityfs_create_dir("ipe", NU    
199         if (IS_ERR(root)) {                       
200                 rc = PTR_ERR(root);               
201                 goto err;                         
202         }                                         
203                                                   
204         audit_node = securityfs_create_file("s    
205                                             NU    
206         if (IS_ERR(audit_node)) {                 
207                 rc = PTR_ERR(audit_node);         
208                 goto err;                         
209         }                                         
210                                                   
211         enforce_node = securityfs_create_file(    
212                                                   
213         if (IS_ERR(enforce_node)) {               
214                 rc = PTR_ERR(enforce_node);       
215                 goto err;                         
216         }                                         
217                                                   
218         policy_root = securityfs_create_dir("p    
219         if (IS_ERR(policy_root)) {                
220                 rc = PTR_ERR(policy_root);        
221                 goto err;                         
222         }                                         
223                                                   
224         ap = rcu_access_pointer(ipe_active_pol    
225         if (ap) {                                 
226                 rc = ipe_new_policyfs_node(ap)    
227                 if (rc)                           
228                         goto err;                 
229         }                                         
230                                                   
231         np = securityfs_create_file("new_polic    
232         if (IS_ERR(np)) {                         
233                 rc = PTR_ERR(np);                 
234                 goto err;                         
235         }                                         
236                                                   
237         return 0;                                 
238 err:                                              
239         securityfs_remove(np);                    
240         securityfs_remove(policy_root);           
241         securityfs_remove(enforce_node);          
242         securityfs_remove(audit_node);            
243         securityfs_remove(root);                  
244         return rc;                                
245 }                                                 
246                                                   
247 fs_initcall(ipe_init_securityfs);                 
248                                                   

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php