
Stephen Smalley  committed 6233b08

Fix security_binder_transfer_binder hook.

Drop the owning task argument to security_binder_transfer_binder
since ref->node->proc can be NULL (dead owner?).
Revise the SELinux checking to apply a single transfer check between
the source and destination tasks. Owning task is no longer relevant.
Drop the receive permission definition as it is no longer used.

This makes the transfer permission similar to the call permission; it is only
useful if you want to allow a binder IPC between two tasks (call permission)
but deny passing of binder references between them (transfer permission).

  • Parent commits 3a6c4e2
  • Branches seandroid-tegra3-grouper-3.1-jb-mr1


Files changed (6)

File drivers/staging/android/binder.c

 					fp->cookie, node->cookie);
 				goto err_binder_get_ref_for_node_failed;
 			}
-			if (security_binder_transfer_binder(proc->tsk, target_proc->tsk, node->proc->tsk)) {
+			if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
 				return_error = BR_FAILED_REPLY;
 				goto err_binder_get_ref_for_node_failed;
 			}
 				return_error = BR_FAILED_REPLY;
 				goto err_binder_get_ref_failed;
 			}
-			if (security_binder_transfer_binder(proc->tsk, target_proc->tsk, ref->node->proc->tsk)) {
+			if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
 				return_error = BR_FAILED_REPLY;
 				goto err_binder_get_ref_failed;
 			}
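Review bot: Neither updated call to security_binder_transfer_binder() records why the node owner is no longer passed, so a later edit could reintroduce the `node->proc->tsk` or `ref->node->proc->tsk` dereference that the commit message says can hit a NULL `proc`. A one-line comment above the second call would pin the reason down: `/* owner deliberately not passed: ref->node->proc may be NULL once the owner is gone */`. The enclosing function starts and ends outside the shown lines, so it is worth confirming separately that no other statement on these two paths reads `->proc->` from the node without a NULL test.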

File include/linux/security.h

 
 	int (*binder_set_context_mgr) (struct task_struct *mgr);
 	int (*binder_transaction) (struct task_struct *from, struct task_struct *to);
-	int (*binder_transfer_binder) (struct task_struct *from, struct task_struct *to, struct task_struct *owner);
+	int (*binder_transfer_binder) (struct task_struct *from, struct task_struct *to);
 	int (*binder_transfer_file) (struct task_struct *from, struct task_struct *to, struct file *file);
 
 	int (*ptrace_access_check) (struct task_struct *child, unsigned int mode);
 /* Security operations */
 int security_binder_set_context_mgr(struct task_struct *mgr);
 int security_binder_transaction(struct task_struct *from, struct task_struct *to);
-int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to, struct task_struct *owner);
+int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to);
 int security_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file);
 int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
 int security_ptrace_traceme(struct task_struct *parent);
 	return 0;
 }
 
-static inline int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to, struct task_struct *owner)
+static inline int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
 {
 	return 0;
 }
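Review bot: The changed `binder_transfer_binder` member and prototype carry no description of what the two remaining task arguments mean, although the hook's contract has just changed from "sender, receiver, owner" to "sender, receiver". If this header's hook documentation block (outside the shown lines) covers the binder hooks, it should gain or update an entry such as `@binder_transfer_binder: Check whether @from may transfer a binder reference to @to. Return 0 if permission is granted.` A security module not touched by this commit that still defines the three-argument form would typically draw only an incompatible-pointer warning when placed in the ops table, so a tree-wide search for the old signature is a useful check before merging.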

File security/capability.c

 	return 0;
 }
 
-static int cap_binder_transfer_binder(struct task_struct *from, struct task_struct *to, struct task_struct *owner)
+static int cap_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
 {
 	return 0;
 }

File security/security.c

 	return security_ops->binder_transaction(from, to);
 }
 
-int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to, struct task_struct *owner)
+int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
 {
-	return security_ops->binder_transfer_binder(from, to, owner);
+	return security_ops->binder_transfer_binder(from, to);
 }
 
 int security_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file)

File security/selinux/hooks.c

 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, NULL);
 }
 
-static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to, struct task_struct *owner)
+static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
 {
 	u32 fromsid = task_sid(from);
 	u32 tosid = task_sid(to);
-	u32 ownersid = task_sid(owner);
-	int rc;
-
-	rc = avc_has_perm(fromsid, ownersid, SECCLASS_BINDER, BINDER__TRANSFER, NULL);
-	if (rc)
-		return rc;
-
-	return avc_has_perm(tosid, ownersid, SECCLASS_BINDER, BINDER__RECEIVE, NULL);
+	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, NULL);
 }
 
 static int selinux_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file)
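Review bot: The rewritten selinux_binder_transfer_binder() silently changes what an existing `transfer` allow rule means, because the target of the check was the owner's SID and is now the receiving task's SID. A policy written against the old hook can therefore permit or deny different task pairs with no change to its rule text, and the separate restriction on the receiving side (`receive`) is gone. The policy should be re-audited and its `receive` rules dropped in the same release as this kernel change. A comment above the function would make the new contract explicit: `/* Check whether @from may pass a binder reference to @to; the node owner's SID is not consulted. */`. As a style point, a blank line between the two `u32` declarations and the `return` would match the usual kernel layout.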

File security/selinux/include/classmap.h

 	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
 	{ "tun_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
-	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer", "receive", NULL } },
+	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer", NULL } },
 	{ NULL }
   };