/*
 * Trusted Path Execution check for an exec of @file.
 *
 * Returns 1 to allow the exec and 0 to deny it (the deny is logged via
 * gr_log_fs_generic with GR_EXEC_TPE_MSG).  Compiled to "always allow"
 * when CONFIG_GRKERNSEC is off.
 *
 * Only the immediate parent directory of the binary is inspected (a single
 * d_parent step); ancestors further up the path are not walked here.
 * A directory is treated as untrusted when it is not owned by uid 0 or is
 * group-/world-writable.
 *
 * Two policies are applied in order:
 *  - the gid-based policy (membership in grsec_tpe_gid, or its inverse under
 *    CONFIG_GRKERNSEC_TPE_INVERT) and the ACL hook gr_acl_tpe_check():
 *    deny if the parent directory is untrusted;
 *  - CONFIG_GRKERNSEC_TPE_ALL: for every non-root user, additionally deny if
 *    the parent is owned by another non-root uid or is group-/world-writable.
 *
 * Processes whose cred->uid is 0 are never subject to either policy
 * (the comparison is on the raw uid value as stored in the cred).
 */
int
gr_tpe_allow(const struct file *file)
{
#ifdef CONFIG_GRKERNSEC
	const struct inode *dir = file->f_path.dentry->d_parent->d_inode;
	const struct cred *cred = current_cred();
	int dir_group_or_world_writable;
	int tpe_applies;

	/* uid 0 is exempt from every TPE policy below */
	if (!cred->uid)
		return 1;

	dir_group_or_world_writable = (dir->i_mode & (S_IWGRP | S_IWOTH)) != 0;

	/*
	 * Does the gid-based TPE policy cover this process?  With TPE_INVERT
	 * the configured gid names the *trusted* group, so membership exempts.
	 */
	tpe_applies = 0;
	if (grsec_enable_tpe) {
#ifdef CONFIG_GRKERNSEC_TPE_INVERT
		tpe_applies = !in_group_p(grsec_tpe_gid);
#else
		tpe_applies = in_group_p(grsec_tpe_gid);
#endif
	}
	/* the RBAC layer may subject the process to TPE independently of the gid */
	if (!tpe_applies)
		tpe_applies = gr_acl_tpe_check();

	/* untrusted parent: not root-owned, or writable by group/others */
	if (tpe_applies && (dir->i_uid || dir_group_or_world_writable)) {
		gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
		return 0;
	}

#ifdef CONFIG_GRKERNSEC_TPE_ALL
	/*
	 * TPE for all non-root users: the parent must be root-owned or owned by
	 * the executing user, and must not be group-/world-writable.
	 */
	if (grsec_enable_tpe && grsec_enable_tpe_all &&
	    ((dir->i_uid && dir->i_uid != cred->uid) || dir_group_or_world_writable)) {
		gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
		return 0;
	}
#endif
#endif
	return 1;
}
/*
 * Audit hook for an exec performed from inside a chroot.
 *
 * Purely informational: it emits a GR_DO_AUDIT log entry when the
 * chroot exec-logging feature is enabled and the current process is
 * chrooted.  It never denies the exec, and is a no-op unless
 * CONFIG_GRKERNSEC_CHROOT_EXECLOG is built in.
 */
void
gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
	if (!grsec_enable_chroot_execlog)
		return;
	if (!proc_is_chrooted(current))
		return;
	gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
#endif
}
/*
 * Hook for chroot(2) issued by an already-chrooted process.
 *
 * Returns 0 to allow and -EPERM (logged, GR_CHROOT_CHROOT_MSG) to deny.
 * Denial requires the double-chroot protection to be enabled, the caller
 * to be chrooted, and gr_is_outside_chroot() to report 0 for the target;
 * the exact meaning of that helper's return value is not visible here,
 * so the intent ("prevent nested chroot escapes") is inferred from the
 * feature name.  Always allows when CONFIG_GRKERNSEC_CHROOT_DOUBLE is off.
 */
int
gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
	int deny;

	deny = grsec_enable_chroot_double &&
	       proc_is_chrooted(current) &&
	       !gr_is_outside_chroot(dentry, mnt);
	if (deny) {
		gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
		return -EPERM;
	}
#endif
	return 0;
}
/*
 * Read-only-filesystem policy for mount(2).
 *
 * When the ROFS feature is enabled, any mount that is not flagged
 * MNT_READONLY is refused with -EPERM and audited (GR_ROFS_MOUNT_MSG).
 * Returns 0 to allow.  Always allows when CONFIG_GRKERNSEC_ROFS is off.
 *
 * Note: only the MNT_READONLY flag of @mnt_flags is consulted; a
 * per-superblock read-only setting is not examined here.
 */
int
gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
{
#ifdef CONFIG_GRKERNSEC_ROFS
	const int writable_mount = !(mnt_flags & MNT_READONLY);

	if (grsec_enable_rofs && writable_mount) {
		gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
		return -EPERM;
	}
#endif
	return 0;
}
/*
 * Hook for mknod(2) from inside a chroot.
 *
 * FIFOs and regular files are always permitted.  Every other node type
 * requested in @mode is refused with -EPERM (logged, GR_MKNOD_CHROOT_MSG)
 * when the feature is enabled and the caller is chrooted.  Returns 0 to
 * allow; always allows when CONFIG_GRKERNSEC_CHROOT_MKNOD is off.
 */
int
gr_handle_chroot_mknod(const struct dentry *dentry,
		       const struct vfsmount *mnt, const int mode)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
	/* node types that a chrooted process may always create */
	if (S_ISFIFO(mode) || S_ISREG(mode))
		return 0;

	if (grsec_enable_chroot_mknod && proc_is_chrooted(current)) {
		gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
		return -EPERM;
	}
#endif
	return 0;
}
/*
 * Read-only-filesystem policy for opening a block device for writing.
 *
 * With the ROFS feature enabled, an open with MAY_WRITE in @acc_mode on a
 * dentry whose inode is a block device is refused with -EPERM and audited
 * (GR_ROFS_BLOCKWRITE_MSG); this closes the "write to the underlying
 * device node" path around a read-only mount.  A negative dentry (no
 * inode) is allowed through.  Returns 0 to allow; always allows when
 * CONFIG_GRKERNSEC_ROFS is off.
 */
int
gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
{
#ifdef CONFIG_GRKERNSEC_ROFS
	const struct inode *inode;

	if (!grsec_enable_rofs)
		return 0;
	if (!(acc_mode & MAY_WRITE))
		return 0;

	inode = dentry->d_inode;
	if (inode && S_ISBLK(inode->i_mode)) {
		gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
		return -EPERM;
	}
#endif
	return 0;
}
/*
 * Hook for chmod(2) from inside a chroot.
 *
 * Refuses, with -EPERM and a GR_CHMOD_CHROOT_MSG log entry, any request
 * that would set the setuid bit, or the setgid bit together with
 * group-execute, when the feature is enabled and the caller is chrooted.
 * Setgid without group-execute is not treated as privileged here
 * (presumably because that combination does not grant privilege on
 * exec — verify against the kernel's mode semantics).  Applies to
 * directories as well as files.  Returns 0 to allow; always allows when
 * CONFIG_GRKERNSEC_CHROOT_CHMOD is off.
 */
int
gr_handle_chroot_chmod(const struct dentry *dentry,
		       const struct vfsmount *mnt, const int mode)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
	const int sets_suid = (mode & S_ISUID) != 0;
	const int sets_sgid_exec =
		(mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP);

	if (grsec_enable_chroot_chmod && (sets_suid || sets_sgid_exec) &&
	    proc_is_chrooted(current)) {
		gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
		return -EPERM;
	}
#endif
	return 0;
}
/*
 * Hook for chmod(2) from inside a chroot (directory-exempt variant).
 *
 * Refuses, with -EPERM and a GR_CHMOD_CHROOT_MSG log entry, any request
 * on a non-directory that would set the setuid bit, or the setgid bit
 * together with group-execute, when the feature is enabled and the caller
 * is chrooted.  Directories are exempt so that setgid directories can
 * still be created inside a chroot.  Returns 0 to allow; always allows
 * when CONFIG_GRKERNSEC_CHROOT_CHMOD is off.
 *
 * @dentry is dereferenced through d_inode without a NULL check; callers
 * are assumed to pass a positive dentry (chmod targets an existing inode).
 */
int
gr_handle_chroot_chmod(const struct dentry *dentry,
		       const struct vfsmount *mnt, const int mode)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
	const int sets_suid = (mode & S_ISUID) != 0;
	const int sets_sgid_exec =
		(mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP);

	if (!grsec_enable_chroot_chmod)
		return 0;

	/* allow chmod +s on directories, but not files */
	if (S_ISDIR(dentry->d_inode->i_mode))
		return 0;

	if ((sets_suid || sets_sgid_exec) && proc_is_chrooted(current)) {
		gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
		return -EPERM;
	}
#endif
	return 0;
}
/*
 * Hook for fchdir(2) from inside a chroot.
 *
 * Returns 1 to allow and 0 to deny (logged, GR_CHROOT_FCHDIR_MSG) — note
 * the opposite convention from the gr_handle_* hooks, which return
 * 0/-EPERM.  Denial requires the feature to be enabled, the caller to be
 * chrooted, and gr_is_outside_chroot() to report 0 for the target
 * directory; the helper's exact semantics are not visible here, the
 * intent inferred from the feature is to stop an fd to a directory
 * outside the chroot from being used to escape it.  Always allows when
 * CONFIG_GRKERNSEC_CHROOT_FCHDIR is off.
 */
int
gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
	if (grsec_enable_chroot_fchdir && proc_is_chrooted(current) &&
	    !gr_is_outside_chroot(u_dentry, u_mnt)) {
		gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
		return 0;
	}
#endif
	return 1;
}