1 /* CacheFiles security management
3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
13 #include <linux/cred.h>
17 * determine the security context within which we access the cache from within
20 int cachefiles_get_security_ID(struct cachefiles_cache
*cache
)
25 _enter("{%s}", cache
->secctx
);
27 new = prepare_kernel_cred(current
);
34 ret
= set_security_override_from_ctx(new, cache
->secctx
);
37 pr_err("Security denies permission to nominate security context: error %d\n",
43 cache
->cache_cred
= new;
51 * see if mkdir and create can be performed in the root directory
53 static int cachefiles_check_cache_dir(struct cachefiles_cache
*cache
,
58 ret
= security_inode_mkdir(root
->d_inode
, root
, 0);
60 pr_err("Security denies permission to make dirs: error %d",
65 ret
= security_inode_create(root
->d_inode
, root
, 0);
67 pr_err("Security denies permission to create files: error %d",
74 * check the security details of the on-disk cache
75 * - must be called with security override in force
76 * - must return with a security override in force - even in the case of an
79 int cachefiles_determine_cache_security(struct cachefiles_cache
*cache
,
81 const struct cred
**_saved_cred
)
88 /* duplicate the cache creds for COW (the override is currently in
89 * force, so we can use prepare_creds() to do this) */
90 new = prepare_creds();
94 cachefiles_end_secure(cache
, *_saved_cred
);
96 /* use the cache root dir's security context as the basis with
97 * which create files */
98 ret
= set_create_files_as(new, root
->d_inode
);
101 cachefiles_begin_secure(cache
, _saved_cred
);
102 _leave(" = %d [cfa]", ret
);
106 put_cred(cache
->cache_cred
);
107 cache
->cache_cred
= new;
109 cachefiles_begin_secure(cache
, _saved_cred
);
110 ret
= cachefiles_check_cache_dir(cache
, root
);
112 if (ret
== -EOPNOTSUPP
)
114 _leave(" = %d", ret
);