From c8a36c583deb911e20cc03f79f8f5c21c51170be Mon Sep 17 00:00:00 2001
From: xiacong
Date: Thu, 7 Dec 2023 22:48:10 +0800
Subject: [PATCH] =?UTF-8?q?=E5=86=85=E6=A0=B8=E5=AE=B9=E5=99=A8=E9=80=83?= =?UTF-8?q?=E9=80=B8=E6=A8=A1=E5=9D=97=E6=96=B0=E5=A2=9EHOOK=E7=82=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: xiacong
Change-Id: Ic5fb5cd5e68b8b1caa890106938c3747fe3e60ea
Signed-off-by: xiacong
---
 include/linux/hck/lite_hck_ced.h | 15 +++++++++++++++
 kernel/exit.c | 3 +++
 kernel/fork.c | 2 +-
 kernel/nsproxy.c | 5 +++++
 security/selinux/hooks.c | 3 +++
 5 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/include/linux/hck/lite_hck_ced.h b/include/linux/hck/lite_hck_ced.h
index e5c9526df66f..9d1ffb7ccef3 100644
--- a/include/linux/hck/lite_hck_ced.h
+++ b/include/linux/hck/lite_hck_ced.h
@@ -18,6 +18,10 @@
 #undef REGISTER_HCK_LITE_DATA_HOOK
 #define REGISTER_HCK_LITE_DATA_HOOK(name, probe, data)
 #else
+DECLARE_HCK_LITE_HOOK(ced_setattr_insert_lhck,
+ TP_PROTO(struct task_struct *task),
+ TP_ARGS(task));
+
 DECLARE_HCK_LITE_HOOK(ced_switch_task_namespaces_lhck,
 TP_PROTO(const struct nsproxy *new),
 TP_ARGS(new));
@@ -26,10 +30,21 @@ DECLARE_HCK_LITE_HOOK(ced_detection_lhck,
 TP_PROTO(struct task_struct *task),
 TP_ARGS(task));
+DECLARE_HCK_LITE_HOOK(ced_exit_lhck,
+ TP_PROTO(struct task_struct *task),
+ TP_ARGS(task));
+
+DECLARE_HCK_LITE_HOOK(ced_kernel_clone_lhck,
+ TP_PROTO(struct task_struct *task),
+ TP_ARGS(task));
+
 DECLARE_HCK_LITE_HOOK(ced_commit_creds_lhck,
 TP_PROTO(const struct cred *new),
 TP_ARGS(new));
+DECLARE_HCK_LITE_HOOK(ced_switch_task_namespaces_permission_lhck,
+ TP_PROTO(const struct nsproxy *new, int *ret),
+ TP_ARGS(new, ret));
 #endif /* CONFIG_HCK */
 #endif /* _LITE_HCK_CED_H */
diff --git a/kernel/exit.c b/kernel/exit.c
index d788d34dc0ab..195a697d5ed4 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
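Review bot: The contract of the `int *ret` out-parameter on the new `ced_switch_task_namespaces_permission_lhck` declaration is undocumented, and it is the only one of these hooks that can change kernel behaviour: the sole caller in this patch initialises `*ret` to 0 and treats any non-zero value as a veto, so a probe must leave `*ret` untouched to allow, and a negative errno written there is not propagated anywhere because the caller is void. I would add above the declaration: `/* Called before a task's nsproxy is replaced. A probe sets *ret non-zero to veto the switch and leaves it 0 to allow; the veto cannot be reported to user space. Only the new nsproxy is passed, the switching task is not. */`. Separately, `ced_detection_lhck` is still declared in this hunk's context although the fork.c hunk of this same patch removes its only visible call site; if no other caller exists (not visible here) the declaration is now dead and should go with it.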
@@ -75,6 +75,8 @@
 #include
 #include
+#include
+
 /*
 * The default value should be high enough to not crash a system that randomly
 * crashes its kernel from time to time, but low enough to at least not permit
@@ -886,6 +888,7 @@ void __noreturn do_exit(long code)
 exit_tasks_rcu_start();
 exit_notify(tsk, group_dead);
+ CALL_HCK_LITE_HOOK(ced_exit_lhck, tsk);
 proc_exit_connector(tsk);
 mpol_put_task_policy(tsk);
 #ifdef CONFIG_FUTEX
diff --git a/kernel/fork.c b/kernel/fork.c
index e431e1f47255..dd0375e4644b 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2543,7 +2543,7 @@ pid_t kernel_clone(struct kernel_clone_args *args)
 get_task_struct(p);
 }
- CALL_HCK_LITE_HOOK(ced_detection_lhck, p);
+ CALL_HCK_LITE_HOOK(ced_kernel_clone_lhck, p);
 wake_up_new_task(p);
 /* forking complete and child started to run, tell ptracer */
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index a75aa2db3bca..37f570812af2 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -243,7 +243,12 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
 void switch_task_namespaces(struct task_struct *p, struct nsproxy *new)
 {
 struct nsproxy *ns;
+ int ret = 0;
 CALL_HCK_LITE_HOOK(ced_switch_task_namespaces_lhck, new);
+ CALL_HCK_LITE_HOOK(ced_switch_task_namespaces_permission_lhck, new, &ret);
+ if (ret)
+ return;
+
 might_sleep();
 task_lock(p);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 662f7b4a9516..3c3e3a4c9e01 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -93,6 +93,8 @@
 #include
 #include
+#include
+
 #include "avc.h"
 #include "objsec.h"
 #include "netif.h"
@@ -6483,6 +6485,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
 }
 commit_creds(new);
+ CALL_HCK_LITE_HOOK(ced_setattr_insert_lhck, current);
 return size;
 abort_change:
-- Gitee
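Review bot: `ced_exit_lhck` fires after `exit_notify(tsk, group_dead)`, which is late for a container-escape detector: in the mainline ordering of do_exit(), `exit_task_namespaces(tsk)` has already run by this point, so `tsk->nsproxy` is NULL, and exit_notify() may already have unhashed the task so it can no longer be resolved by pid — the rest of do_exit() is outside the hunk, so confirm against this tree. If the probe needs the exiting task's namespaces or pid-namespace identity, the call belongs before `exit_task_namespaces(tsk)`; if it only needs creds and comm, document that limitation at the call site: `/* tsk->nsproxy is already NULL here; only creds/comm remain meaningful */`.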
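Review bot: Swapping `ced_detection_lhck` for `ced_kernel_clone_lhck` at this call site silently stops any probe registered on the old hook from being called out of kernel_clone(), and neither the commit message nor the header hunk says whether the old hook is retired or relocated; the header still declares it. Either remove the stale declaration (if no other caller exists — not visible here) or state the migration in the commit message. The call sits after `get_task_struct(p)` and before `wake_up_new_task(p)`, so the probe observes a fully set-up child that has not yet run; a short comment, `/* child is fully constructed but not yet runnable */`, would make that guarantee explicit for hook implementers. kernel_clone()'s body continues outside the hunk.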
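Review bot: The early `return` on `ret` breaks the ownership contract of switch_task_namespaces(): callers hand over their reference to `new` expecting it to be installed and the old nsproxy dropped, so a veto leaks `new`, and because the function is void the callers I know of (ksys_unshare(), the setns commit path) still return success to user space while the task silently stays in its old namespaces — a detector that "denies" this way produces no observable failure. Worse, exit_task_namespaces() calls this with `new == NULL`; a veto there means the exiting task's nsproxy is never released and every namespace it pins leaks for the lifetime of the system. At minimum drop the reference and never veto the exit path, `if (ret && new) { put_nsproxy(new); return; }`, but the proper fix is to run the permission check in the callers before the new nsproxy is created so the refusal can be returned as an errno.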
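Review bot: The hook only receives `current`, so a probe cannot tell which attribute was written: selinux_setprocattr() reaches this commit_creds() for every supported name (`current`, `exec`, `fscreate`, `keycreate`, `sockcreate` — the function start is outside the hunk, confirm), yet only `current` relabels the running task while the others merely set per-task creation contexts. If the detector is interested in the task's own label changing, either pass `name` through the hook or gate the call, `if (!strcmp(name, "current")) CALL_HCK_LITE_HOOK(ced_setattr_insert_lhck, current);`, and document that it fires only on the success path (the `abort_change` path is untouched). If `ced_commit_creds_lhck`, declared in the same header, is attached to commit_creds(), the two hooks overlap on this call and that should be stated so implementers do not double-count.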