int gr_handle_symlink_owner(const struct path *link, const struct inode *target) { #ifdef CONFIG_GRKERNSEC_SYMLINKOWN const struct inode *link_inode = d_backing_inode(link->dentry); if (grsec_enable_symlinkown && in_group_p(grsec_symlinkown_gid) && /* ignore root-owned links, e.g. /proc/self */ gr_is_global_nonroot(link_inode->i_uid) && target && !uid_eq(link_inode->i_uid, target->i_uid)) { gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINKOWNER_MSG, link->dentry, link->mnt, link_inode->i_uid, target->i_uid); return 1; } #endif return 0; }
int gr_handle_follow_link(const struct inode *parent, const struct inode *inode, const struct dentry *dentry, const struct vfsmount *mnt) { #ifdef CONFIG_GRKERNSEC_LINK const struct cred *cred = current_cred(); if (grsec_enable_link && S_ISLNK(inode->i_mode) && (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) && (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) { gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid); return -EACCES; } #endif return 0; }
int gr_handle_follow_link(const struct dentry *dentry, const struct vfsmount *mnt) { #ifdef CONFIG_GRKERNSEC_LINK struct inode *inode = d_backing_inode(dentry); struct inode *parent = d_backing_inode(dentry->d_parent); const struct cred *cred = current_cred(); if (grsec_enable_link && d_is_symlink(dentry) && (parent->i_mode & S_ISVTX) && !uid_eq(parent->i_uid, inode->i_uid) && (parent->i_mode & S_IWOTH) && !uid_eq(cred->fsuid, inode->i_uid)) { gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid); return -EACCES; } #endif return 0; }
int gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt, const struct dentry *dir, const int flag, const int acc_mode) { #ifdef CONFIG_GRKERNSEC_FIFO const struct cred *cred = current_cred(); if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) && !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) && (dentry->d_inode->i_uid != dir->d_inode->i_uid) && (cred->fsuid != dentry->d_inode->i_uid)) { if (!generic_permission(dentry->d_inode, acc_mode, NULL)) gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid); return -EACCES; } #endif return 0; }