Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/fs/cachefiles/security.c
26278 views
1
// SPDX-License-Identifier: GPL-2.0-or-later

2
/* CacheFiles security management

3
 *

4
 * Copyright (C) 2007, 2021 Red Hat, Inc. All Rights Reserved.

5
 * Written by David Howells ([email protected])

6
 */

7


8
#include <linux/fs.h>

9
#include <linux/cred.h>

10
#include "internal.h"

11


12
/*

13
 * determine the security context within which we access the cache from within

14
 * the kernel

15
 */

16
int cachefiles_get_security_ID(struct cachefiles_cache *cache)

17
{

18
	struct cred *new;

19
	int ret;

20


21
	_enter("{%u}", cache->have_secid ? cache->secid : 0);

22


23
	new = prepare_kernel_cred(current);

24
	if (!new) {

25
		ret = -ENOMEM;

26
		goto error;

27
	}

28


29
	if (cache->have_secid) {

30
		ret = set_security_override(new, cache->secid);

31
		if (ret < 0) {

32
			put_cred(new);

33
			pr_err("Security denies permission to nominate security context: error %d\n",

34
			       ret);

35
			goto error;

36
		}

37
	}

38


39
	cache->cache_cred = new;

40
	ret = 0;

41
error:

42
	_leave(" = %d", ret);

43
	return ret;

44
}

45


46
/*

47
 * see if mkdir and create can be performed in the root directory

48
 */

49
static int cachefiles_check_cache_dir(struct cachefiles_cache *cache,

50
				      struct dentry *root)

51
{

52
	int ret;

53


54
	ret = security_inode_mkdir(d_backing_inode(root), root, 0);

55
	if (ret < 0) {

56
		pr_err("Security denies permission to make dirs: error %d",

57
		       ret);

58
		return ret;

59
	}

60


61
	ret = security_inode_create(d_backing_inode(root), root, 0);

62
	if (ret < 0)

63
		pr_err("Security denies permission to create files: error %d",

64
		       ret);

65


66
	return ret;

67
}

68


69
/*

70
 * check the security details of the on-disk cache

71
 * - must be called with security override in force

72
 * - must return with a security override in force - even in the case of an

73
 *   error

74
 */

75
int cachefiles_determine_cache_security(struct cachefiles_cache *cache,

76
					struct dentry *root,

77
					const struct cred **_saved_cred)

78
{

79
	struct cred *new;

80
	int ret;

81


82
	_enter("");

83


84
	/* duplicate the cache creds for COW (the override is currently in

85
	 * force, so we can use prepare_creds() to do this) */

86
	new = prepare_creds();

87
	if (!new)

88
		return -ENOMEM;

89


90
	cachefiles_end_secure(cache, *_saved_cred);

91


92
	/* use the cache root dir's security context as the basis with

93
	 * which create files */

94
	ret = set_create_files_as(new, d_backing_inode(root));

95
	if (ret < 0) {

96
		abort_creds(new);

97
		cachefiles_begin_secure(cache, _saved_cred);

98
		_leave(" = %d [cfa]", ret);

99
		return ret;

100
	}

101


102
	put_cred(cache->cache_cred);

103
	cache->cache_cred = new;

104


105
	cachefiles_begin_secure(cache, _saved_cred);

106
	ret = cachefiles_check_cache_dir(cache, root);

107


108
	if (ret == -EOPNOTSUPP)

109
		ret = 0;

110
	_leave(" = %d", ret);

111
	return ret;

112
}

113


114