#ifdef CONFIG_GRKERNSEC
/*
 * Is the calling task in the set of users TPE restricts?  Which side of
 * grsec_tpe_gid that is depends on CONFIG_GRKERNSEC_TPE_INVERT.
 */
static inline int gr_tpe_group_restricted(void)
{
#ifdef CONFIG_GRKERNSEC_TPE_INVERT
	/* Inverted: members of grsec_tpe_gid are trusted; everyone else is restricted. */
	return !in_group_p(grsec_tpe_gid);
#else
	/* Default: members of grsec_tpe_gid are the restricted users. */
	return in_group_p(grsec_tpe_gid);
#endif
}
#endif

/*
 * Trusted Path Execution gate for an exec of @file.
 *
 * Returns 1 when the exec may proceed and 0 when TPE denies it; every
 * denial is logged through gr_log_fs_generic() with GR_EXEC_TPE_MSG.
 * Without CONFIG_GRKERNSEC the gate is compiled out and always allows.
 *
 * The decision is made on the *parent directory* of the binary, not on
 * the binary itself: a directory that is not owned by root, or that is
 * group- or world-writable, is treated as untrusted.  Root (uid 0) is
 * never subject to TPE.
 *
 * NOTE(review): d_parent is dereferenced directly.  This assumes the
 * caller holds references that keep the parent dentry and its inode
 * stable for the duration of the check -- confirm at the call site.
 */
int gr_tpe_allow(const struct file *file)
{
#ifdef CONFIG_GRKERNSEC
	struct inode *dir = file->f_path.dentry->d_parent->d_inode;
	const struct cred *cred = current_cred();

	/* Root is exempt from every TPE rule below. */
	if (cred->uid == 0)
		return 1;

	/*
	 * Base TPE: the caller is restricted -- by group, or by whatever
	 * gr_acl_tpe_check() reports (presumably the RBAC policy's TPE
	 * flag) -- and the directory is untrusted: not root-owned, or
	 * root-owned but group/world writable.
	 */
	if (((grsec_enable_tpe && gr_tpe_group_restricted()) || gr_acl_tpe_check()) &&
	    (dir->i_uid || (dir->i_mode & (S_IWGRP | S_IWOTH)))) {
		gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG,
				  file->f_path.dentry, file->f_path.mnt);
		return 0;
	}

#ifdef CONFIG_GRKERNSEC_TPE_ALL
	/*
	 * TPE "all": regardless of group, a non-root user may only execute
	 * from a directory that is root-owned or owned by that same user,
	 * and that is not group/world writable.
	 */
	if (grsec_enable_tpe && grsec_enable_tpe_all &&
	    ((dir->i_uid && dir->i_uid != cred->uid) ||
	     (dir->i_mode & (S_IWGRP | S_IWOTH)))) {
		gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG,
				  file->f_path.dentry, file->f_path.mnt);
		return 0;
	}
#endif
#endif
	return 1;
}
/*
 * Audit hook for exec() from inside a chroot.
 *
 * When CONFIG_GRKERNSEC_CHROOT_EXECLOG is built in and
 * grsec_enable_chroot_execlog is set at runtime, an exec by a chrooted
 * task is logged (GR_DO_AUDIT, GR_EXEC_CHROOT_MSG).  Purely
 * observational: nothing is ever denied here.
 */
void gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
	if (!grsec_enable_chroot_execlog)
		return;
	if (!proc_is_chrooted(current))
		return;

	gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
#endif
}
/*
 * Gate for a nested chroot() issued by an already-chrooted task.
 *
 * Returns -EPERM (logging GR_CHROOT_CHROOT_MSG) when
 * grsec_enable_chroot_double is set, the caller is chrooted and
 * gr_is_outside_chroot(@dentry, @mnt) returns 0; returns 0 otherwise,
 * and always 0 without CONFIG_GRKERNSEC_CHROOT_DOUBLE.
 *
 * NOTE(review): the denial fires on a *zero* return from
 * gr_is_outside_chroot().  Read literally by its name that is "target is
 * not outside", which would block nested chroots that stay inside the
 * jail; if the helper instead returns 0 for paths that escape the jail
 * (as the feature's intent suggests) the condition is right.  Confirm
 * against the helper's definition before touching this test.
 */
int gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
	if (!grsec_enable_chroot_double)
		return 0;
	if (!proc_is_chrooted(current))
		return 0;
	if (gr_is_outside_chroot(dentry, mnt))
		return 0;

	gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
	return -EPERM;
#endif
	return 0;
}
/*
 * Read-only filesystem lock: refuse any mount that is not read-only.
 *
 * With CONFIG_GRKERNSEC_ROFS built in and grsec_enable_rofs set, a mount
 * whose @mnt_flags lack MNT_READONLY is logged (GR_DO_AUDIT,
 * GR_ROFS_MOUNT_MSG) and refused with -EPERM.  Returns 0 in every other
 * case, including when the feature is compiled out.
 */
int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
{
#ifdef CONFIG_GRKERNSEC_ROFS
	if (!grsec_enable_rofs)
		return 0;
	/* Only a MNT_READONLY mount is permitted while the rofs lock is on. */
	if (mnt_flags & MNT_READONLY)
		return 0;

	gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
	return -EPERM;
#else
	return 0;
#endif
}
/*
 * Gate for mknod() inside a chroot.
 *
 * With CONFIG_GRKERNSEC_CHROOT_MKNOD built in and
 * grsec_enable_chroot_mknod set, a chrooted task may only create FIFOs
 * and regular files; any other @mode (device nodes, sockets, ...) is
 * logged (GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG) and refused with -EPERM.
 * Returns 0 when allowed or when the feature is compiled out.
 *
 * NOTE(review): a @mode whose S_IFMT bits are all zero is neither
 * S_ISFIFO nor S_ISREG and is therefore denied here, although mknod(2)
 * treats a zero file type as S_IFREG.  If the call site passes the raw
 * user-supplied mode, mknod(path, 0666, 0) on a plain file is refused in
 * a chroot -- confirm what the caller hands in.
 */
int gr_handle_chroot_mknod(const struct dentry *dentry, const struct vfsmount *mnt, const int mode)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
	if (!grsec_enable_chroot_mknod)
		return 0;
	/* FIFOs and regular files are always permitted. */
	if (S_ISFIFO(mode) || S_ISREG(mode))
		return 0;
	if (!proc_is_chrooted(current))
		return 0;

	gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
	return -EPERM;
#endif
	return 0;
}
/*
 * Read-only filesystem lock: refuse opening a block device for writing.
 *
 * With CONFIG_GRKERNSEC_ROFS built in and grsec_enable_rofs set, an open
 * with MAY_WRITE in @acc_mode on a dentry whose inode is a block device
 * is logged (GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG) and refused with
 * -EPERM -- presumably so the lock cannot be bypassed by writing to the
 * backing device directly.  A dentry without an inode is left alone.
 * Returns 0 in every other case, including when the feature is compiled
 * out.
 */
int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
{
#ifdef CONFIG_GRKERNSEC_ROFS
	if (!grsec_enable_rofs || !(acc_mode & MAY_WRITE))
		return 0;
	/* Negative dentry, or not a block device: nothing to protect. */
	if (!dentry->d_inode || !S_ISBLK(dentry->d_inode->i_mode))
		return 0;

	gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
	return -EPERM;
#else
	return 0;
#endif
}
/*
 * Gate for chmod() inside a chroot (variant without the directory
 * exemption).
 *
 * With CONFIG_GRKERNSEC_CHROOT_CHMOD built in and
 * grsec_enable_chroot_chmod set, a chrooted task may not set a @mode that
 * contains S_ISUID, or that contains S_ISGID together with S_IXGRP.
 * Setgid alone is not refused -- presumably because on a file without
 * group-execute that bit does not grant privilege.  A refusal is logged
 * (GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG) and returns -EPERM; every other
 * case returns 0, as does a build without the feature.
 */
int gr_handle_chroot_chmod(const struct dentry *dentry, const struct vfsmount *mnt, const int mode)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
	/* The privilege-granting bit combinations in the requested mode. */
	const int sets_suid = (mode & S_ISUID) != 0;
	const int sets_sgid_exec = (mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP);

	if (!grsec_enable_chroot_chmod)
		return 0;
	if (!sets_suid && !sets_sgid_exec)
		return 0;
	if (!proc_is_chrooted(current))
		return 0;

	gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
	return -EPERM;
#endif
	return 0;
}
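/*
 * Gate for chmod() inside a chroot (variant that exempts directories).
 *
 * With CONFIG_GRKERNSEC_CHROOT_CHMOD built in and
 * grsec_enable_chroot_chmod set, a chrooted task may not set a @mode on a
 * non-directory that contains S_ISUID, or S_ISGID together with S_IXGRP.
 * The type test uses the dentry's *existing* inode; the bit test uses the
 * *requested* mode.  Setgid alone is not refused -- presumably because on
 * a file without group-execute that bit does not grant privilege.  A
 * refusal is logged (GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG) and returns
 * -EPERM; every other case returns 0, as does a build without the
 * feature.
 *
 * Unlike the original, a dentry without an inode is no longer
 * dereferenced: gr_handle_rofs_blockwrite() in this file guards
 * d_inode, and this hook now does the same, failing closed (the
 * directory exemption does not apply when the type cannot be read).
 */
int gr_handle_chroot_chmod(const struct dentry *dentry, const struct vfsmount *mnt, const int mode)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
	const struct inode *inode = dentry->d_inode;
	/* The privilege-granting bit combinations in the requested mode. */
	const int sets_suid = (mode & S_ISUID) != 0;
	const int sets_sgid_exec = (mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP);

	if (!grsec_enable_chroot_chmod)
		return 0;
	/* chmod +s on a directory is allowed; only files are restricted. */
	if (inode && S_ISDIR(inode->i_mode))
		return 0;
	if (!sets_suid && !sets_sgid_exec)
		return 0;
	if (!proc_is_chrooted(current))
		return 0;

	gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
	return -EPERM;
#endif
	return 0;
}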
/*
 * Gate for fchdir() issued by a chrooted task.
 *
 * Return convention is the opposite of the -EPERM hooks in this file and
 * matches gr_tpe_allow(): 1 means the fchdir may proceed, 0 means it is
 * denied (logged with GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG).  The denial
 * requires CONFIG_GRKERNSEC_CHROOT_FCHDIR, grsec_enable_chroot_fchdir, a
 * chrooted caller and a zero return from
 * gr_is_outside_chroot(@u_dentry, @u_mnt); otherwise 1.
 *
 * NOTE(review): as in gr_handle_chroot_chroot(), the denial keys off a
 * *zero* return from gr_is_outside_chroot(), so the helper's return
 * convention -- not its name -- decides whether this blocks targets
 * outside the jail or inside it.  Confirm against its definition.
 */
int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
	if (grsec_enable_chroot_fchdir && proc_is_chrooted(current) &&
	    !gr_is_outside_chroot(u_dentry, u_mnt)) {
		gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
		return 0;
	}
#endif
	return 1;
}