int
gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
const time_t shm_createtime)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
struct pid *pid = NULL;
time_t starttime;
if (unlikely(!grsec_enable_chroot_shmat))
return 1;
if (likely(!proc_is_chrooted(current)))
return 1;
read_lock(&tasklist_lock);
pid = find_vpid(shm_cprid);
if (pid) {
struct task_struct *p;
p = pid_task(pid, PIDTYPE_PID);
task_lock(p);
starttime = p->start_time.tv_sec;
if (unlikely(!have_same_root(current, p) &&
time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
task_unlock(p);
read_unlock(&tasklist_lock);
gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
return 0;
}
task_unlock(p);
} else {
pid = find_vpid(shm_lapid);
if (pid) {
struct task_struct *p;
p = pid_task(pid, PIDTYPE_PID);
task_lock(p);
if (unlikely(!have_same_root(current, p))) {
task_unlock(p);
read_unlock(&tasklist_lock);
gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
return 0;
}
task_unlock(p);
}
}
read_unlock(&tasklist_lock);
#endif
return 1;
}
int
gr_handle_chroot_unix(const pid_t pid)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
struct pid *spid = NULL;
if (unlikely(!grsec_enable_chroot_unix))
return 1;
if (likely(!proc_is_chrooted(current)))
return 1;
read_lock(&tasklist_lock);
spid = find_vpid(pid);
if (spid) {
struct task_struct *p;
p = pid_task(spid, PIDTYPE_PID);
task_lock(p);
if (unlikely(!have_same_root(current, p))) {
task_unlock(p);
read_unlock(&tasklist_lock);
gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
return 0;
}
task_unlock(p);
}
read_unlock(&tasklist_lock);
#endif
return 1;
}
int
gr_handle_chroot_unix(const pid_t pid)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
struct task_struct *p;
if (unlikely(!grsec_enable_chroot_unix))
return 1;
if (likely(!proc_is_chrooted(current)))
return 1;
rcu_read_lock();
read_lock(&tasklist_lock);
p = find_task_by_vpid_unrestricted(pid);
if (unlikely(p && !have_same_root(current, p))) {
read_unlock(&tasklist_lock);
rcu_read_unlock();
gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
return 0;
}
read_unlock(&tasklist_lock);
rcu_read_unlock();
#endif
return 1;
}
int
gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
const time_t shm_createtime)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
struct task_struct *p;
time_t starttime;
if (unlikely(!grsec_enable_chroot_shmat))
return 1;
if (likely(!proc_is_chrooted(current)))
return 1;
rcu_read_lock();
read_lock(&tasklist_lock);
if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
starttime = p->start_time.tv_sec;
if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
if (have_same_root(current, p)) {
goto allow;
} else {
read_unlock(&tasklist_lock);
rcu_read_unlock();
gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
return 0;
}
}
/* creator exited, pid reuse, fall through to next check */
}
if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
if (unlikely(!have_same_root(current, p))) {
read_unlock(&tasklist_lock);
rcu_read_unlock();
gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
return 0;
}
}
allow:
read_unlock(&tasklist_lock);
rcu_read_unlock();
#endif
return 1;
}
int
gr_handle_chroot_nice(void)
{
#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
return -EPERM;
}
#endif
return 0;
}
void
gr_log_msgget(const int ret, const int msgflg)
{
#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
!grsec_enable_group)) && (ret >= 0)
&& (msgflg & IPC_CREAT))
gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
#endif
return;
}
void
gr_log_semget(const int err, const int semflg)
{
#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
!grsec_enable_group)) && (err >= 0)
&& (semflg & IPC_CREAT))
gr_log_noargs(GR_DO_AUDIT, GR_SEM_AUDIT_MSG);
#endif
return;
}