search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Luca's patch ported
[cbs-scheduler.git] / security / selinux / hooks.c
blob9d62f299f1559526117470caae20ed8ad9d91f18
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
110 return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
123 return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130
131 /*
132 * Minimal support for a secondary security module,
133 * just to allow the use of the capability module.
134 */
135 static struct security_operations *secondary_ops;
136
137 /* Lists of inode and superblock security structures initialized
138 before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
141
142 static struct kmem_cache *sel_inode_cache;
143
144 /**
145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146 *
147 * Description:
148 * This function checks the SECMARK reference counter to see if any SECMARK
149 * targets are currently configured, if the reference counter is greater than
150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
151 * enabled, false (0) if SECMARK is disabled.
152 *
153 */
154 static int selinux_secmark_enabled(void)
155 {
156 return (atomic_read(&selinux_secmark_refcount) > 0);
157 }
158
159 /*
160 * initialise the security for the init task
161 */
162 static void cred_init_security(void)
163 {
164 struct cred *cred = (struct cred *) current->real_cred;
165 struct task_security_struct *tsec;
166
167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168 if (!tsec)
169 panic("SELinux: Failed to initialize initial task.\n");
170
171 tsec->osid = tsec->sid = SECINITSID_KERNEL;
172 cred->security = tsec;
173 }
174
175 /*
176 * get the security ID of a set of credentials
177 */
178 static inline u32 cred_sid(const struct cred *cred)
179 {
180 const struct task_security_struct *tsec;
181
182 tsec = cred->security;
183 return tsec->sid;
184 }
185
186 /*
187 * get the objective security ID of a task
188 */
189 static inline u32 task_sid(const struct task_struct *task)
190 {
191 u32 sid;
192
193 rcu_read_lock();
194 sid = cred_sid(__task_cred(task));
195 rcu_read_unlock();
196 return sid;
197 }
198
199 /*
200 * get the subjective security ID of the current task
201 */
202 static inline u32 current_sid(void)
203 {
204 const struct task_security_struct *tsec = current_cred()->security;
205
206 return tsec->sid;
207 }
208
209 /* Allocate and free functions for each kind of security blob. */
210
211 static int inode_alloc_security(struct inode *inode)
212 {
213 struct inode_security_struct *isec;
214 u32 sid = current_sid();
215
216 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
217 if (!isec)
218 return -ENOMEM;
219
220 mutex_init(&isec->lock);
221 INIT_LIST_HEAD(&isec->list);
222 isec->inode = inode;
223 isec->sid = SECINITSID_UNLABELED;
224 isec->sclass = SECCLASS_FILE;
225 isec->task_sid = sid;
226 inode->i_security = isec;
227
228 return 0;
229 }
230
231 static void inode_free_security(struct inode *inode)
232 {
233 struct inode_security_struct *isec = inode->i_security;
234 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235
236 spin_lock(&sbsec->isec_lock);
237 if (!list_empty(&isec->list))
238 list_del_init(&isec->list);
239 spin_unlock(&sbsec->isec_lock);
240
241 inode->i_security = NULL;
242 kmem_cache_free(sel_inode_cache, isec);
243 }
244
245 static int file_alloc_security(struct file *file)
246 {
247 struct file_security_struct *fsec;
248 u32 sid = current_sid();
249
250 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
251 if (!fsec)
252 return -ENOMEM;
253
254 fsec->sid = sid;
255 fsec->fown_sid = sid;
256 file->f_security = fsec;
257
258 return 0;
259 }
260
261 static void file_free_security(struct file *file)
262 {
263 struct file_security_struct *fsec = file->f_security;
264 file->f_security = NULL;
265 kfree(fsec);
266 }
267
268 static int superblock_alloc_security(struct super_block *sb)
269 {
270 struct superblock_security_struct *sbsec;
271
272 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
273 if (!sbsec)
274 return -ENOMEM;
275
276 mutex_init(&sbsec->lock);
277 INIT_LIST_HEAD(&sbsec->list);
278 INIT_LIST_HEAD(&sbsec->isec_head);
279 spin_lock_init(&sbsec->isec_lock);
280 sbsec->sb = sb;
281 sbsec->sid = SECINITSID_UNLABELED;
282 sbsec->def_sid = SECINITSID_FILE;
283 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284 sb->s_security = sbsec;
285
286 return 0;
287 }
288
289 static void superblock_free_security(struct super_block *sb)
290 {
291 struct superblock_security_struct *sbsec = sb->s_security;
292
293 spin_lock(&sb_security_lock);
294 if (!list_empty(&sbsec->list))
295 list_del_init(&sbsec->list);
296 spin_unlock(&sb_security_lock);
297
298 sb->s_security = NULL;
299 kfree(sbsec);
300 }
301
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
303 {
304 struct sk_security_struct *ssec;
305
306 ssec = kzalloc(sizeof(*ssec), priority);
307 if (!ssec)
308 return -ENOMEM;
309
310 ssec->peer_sid = SECINITSID_UNLABELED;
311 ssec->sid = SECINITSID_UNLABELED;
312 sk->sk_security = ssec;
313
314 selinux_netlbl_sk_security_reset(ssec);
315
316 return 0;
317 }
318
319 static void sk_free_security(struct sock *sk)
320 {
321 struct sk_security_struct *ssec = sk->sk_security;
322
323 sk->sk_security = NULL;
324 selinux_netlbl_sk_security_free(ssec);
325 kfree(ssec);
326 }
327
328 /* The security server must be initialized before
329 any labeling or access decisions can be provided. */
330 extern int ss_initialized;
331
332 /* The file system's label must be initialized prior to use. */
333
334 static char *labeling_behaviors[6] = {
335 "uses xattr",
336 "uses transition SIDs",
337 "uses task SIDs",
338 "uses genfs_contexts",
339 "not configured for labeling",
340 "uses mountpoint labeling",
341 };
342
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
344
345 static inline int inode_doinit(struct inode *inode)
346 {
347 return inode_doinit_with_dentry(inode, NULL);
348 }
349
350 enum {
351 Opt_error = -1,
352 Opt_context = 1,
353 Opt_fscontext = 2,
354 Opt_defcontext = 3,
355 Opt_rootcontext = 4,
356 };
357
358 static const match_table_t tokens = {
359 {Opt_context, CONTEXT_STR "%s"},
360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363 {Opt_error, NULL},
364 };
365
366 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
367
368 static int may_context_mount_sb_relabel(u32 sid,
369 struct superblock_security_struct *sbsec,
370 const struct cred *cred)
371 {
372 const struct task_security_struct *tsec = cred->security;
373 int rc;
374
375 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376 FILESYSTEM__RELABELFROM, NULL);
377 if (rc)
378 return rc;
379
380 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381 FILESYSTEM__RELABELTO, NULL);
382 return rc;
383 }
384
385 static int may_context_mount_inode_relabel(u32 sid,
386 struct superblock_security_struct *sbsec,
387 const struct cred *cred)
388 {
389 const struct task_security_struct *tsec = cred->security;
390 int rc;
391 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392 FILESYSTEM__RELABELFROM, NULL);
393 if (rc)
394 return rc;
395
396 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__ASSOCIATE, NULL);
398 return rc;
399 }
400
401 static int sb_finish_set_opts(struct super_block *sb)
402 {
403 struct superblock_security_struct *sbsec = sb->s_security;
404 struct dentry *root = sb->s_root;
405 struct inode *root_inode = root->d_inode;
406 int rc = 0;
407
408 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409 /* Make sure that the xattr handler exists and that no
410 error other than -ENODATA is returned by getxattr on
411 the root directory. -ENODATA is ok, as this may be
412 the first boot of the SELinux kernel before we have
413 assigned xattr values to the filesystem. */
414 if (!root_inode->i_op->getxattr) {
415 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416 "xattr support\n", sb->s_id, sb->s_type->name);
417 rc = -EOPNOTSUPP;
418 goto out;
419 }
420 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421 if (rc < 0 && rc != -ENODATA) {
422 if (rc == -EOPNOTSUPP)
423 printk(KERN_WARNING "SELinux: (dev %s, type "
424 "%s) has no security xattr handler\n",
425 sb->s_id, sb->s_type->name);
426 else
427 printk(KERN_WARNING "SELinux: (dev %s, type "
428 "%s) getxattr errno %d\n", sb->s_id,
429 sb->s_type->name, -rc);
430 goto out;
431 }
432 }
433
434 sbsec->initialized = 1;
435
436 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438 sb->s_id, sb->s_type->name);
439 else
440 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441 sb->s_id, sb->s_type->name,
442 labeling_behaviors[sbsec->behavior-1]);
443
444 /* Initialize the root inode. */
445 rc = inode_doinit_with_dentry(root_inode, root);
446
447 /* Initialize any other inodes associated with the superblock, e.g.
448 inodes created prior to initial policy load or inodes created
449 during get_sb by a pseudo filesystem that directly
450 populates itself. */
451 spin_lock(&sbsec->isec_lock);
452 next_inode:
453 if (!list_empty(&sbsec->isec_head)) {
454 struct inode_security_struct *isec =
455 list_entry(sbsec->isec_head.next,
456 struct inode_security_struct, list);
457 struct inode *inode = isec->inode;
458 spin_unlock(&sbsec->isec_lock);
459 inode = igrab(inode);
460 if (inode) {
461 if (!IS_PRIVATE(inode))
462 inode_doinit(inode);
463 iput(inode);
464 }
465 spin_lock(&sbsec->isec_lock);
466 list_del_init(&isec->list);
467 goto next_inode;
468 }
469 spin_unlock(&sbsec->isec_lock);
470 out:
471 return rc;
472 }
473
474 /*
475 * This function should allow an FS to ask what it's mount security
476 * options were so it can use those later for submounts, displaying
477 * mount options, or whatever.
478 */
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480 struct security_mnt_opts *opts)
481 {
482 int rc = 0, i;
483 struct superblock_security_struct *sbsec = sb->s_security;
484 char *context = NULL;
485 u32 len;
486 char tmp;
487
488 security_init_mnt_opts(opts);
489
490 if (!sbsec->initialized)
491 return -EINVAL;
492
493 if (!ss_initialized)
494 return -EINVAL;
495
496 /*
497 * if we ever use sbsec flags for anything other than tracking mount
498 * settings this is going to need a mask
499 */
500 tmp = sbsec->flags;
501 /* count the number of mount options for this sb */
502 for (i = 0; i < 8; i++) {
503 if (tmp & 0x01)
504 opts->num_mnt_opts++;
505 tmp >>= 1;
506 }
507
508 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509 if (!opts->mnt_opts) {
510 rc = -ENOMEM;
511 goto out_free;
512 }
513
514 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515 if (!opts->mnt_opts_flags) {
516 rc = -ENOMEM;
517 goto out_free;
518 }
519
520 i = 0;
521 if (sbsec->flags & FSCONTEXT_MNT) {
522 rc = security_sid_to_context(sbsec->sid, &context, &len);
523 if (rc)
524 goto out_free;
525 opts->mnt_opts[i] = context;
526 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
527 }
528 if (sbsec->flags & CONTEXT_MNT) {
529 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
530 if (rc)
531 goto out_free;
532 opts->mnt_opts[i] = context;
533 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
534 }
535 if (sbsec->flags & DEFCONTEXT_MNT) {
536 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
537 if (rc)
538 goto out_free;
539 opts->mnt_opts[i] = context;
540 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
541 }
542 if (sbsec->flags & ROOTCONTEXT_MNT) {
543 struct inode *root = sbsec->sb->s_root->d_inode;
544 struct inode_security_struct *isec = root->i_security;
545
546 rc = security_sid_to_context(isec->sid, &context, &len);
547 if (rc)
548 goto out_free;
549 opts->mnt_opts[i] = context;
550 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
551 }
552
553 BUG_ON(i != opts->num_mnt_opts);
554
555 return 0;
556
557 out_free:
558 security_free_mnt_opts(opts);
559 return rc;
560 }
561
562 static int bad_option(struct superblock_security_struct *sbsec, char flag,
563 u32 old_sid, u32 new_sid)
564 {
565 /* check if the old mount command had the same options */
566 if (sbsec->initialized)
567 if (!(sbsec->flags & flag) ||
568 (old_sid != new_sid))
569 return 1;
570
571 /* check if we were passed the same options twice,
572 * aka someone passed context=a,context=b
573 */
574 if (!sbsec->initialized)
575 if (sbsec->flags & flag)
576 return 1;
577 return 0;
578 }
579
580 /*
581 * Allow filesystems with binary mount data to explicitly set mount point
582 * labeling information.
583 */
584 static int selinux_set_mnt_opts(struct super_block *sb,
585 struct security_mnt_opts *opts)
586 {
587 const struct cred *cred = current_cred();
588 int rc = 0, i;
589 struct superblock_security_struct *sbsec = sb->s_security;
590 const char *name = sb->s_type->name;
591 struct inode *inode = sbsec->sb->s_root->d_inode;
592 struct inode_security_struct *root_isec = inode->i_security;
593 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594 u32 defcontext_sid = 0;
595 char **mount_options = opts->mnt_opts;
596 int *flags = opts->mnt_opts_flags;
597 int num_opts = opts->num_mnt_opts;
598
599 mutex_lock(&sbsec->lock);
600
601 if (!ss_initialized) {
602 if (!num_opts) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
610 goto out;
611 }
612 rc = -EINVAL;
613 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614 "before the security server is initialized\n");
615 goto out;
616 }
617
618 /*
619 * Binary mount data FS will come through this function twice. Once
620 * from an explicit call and once from the generic calls from the vfs.
621 * Since the generic VFS calls will not contain any security mount data
622 * we need to skip the double mount verification.
623 *
624 * This does open a hole in which we will not notice if the first
625 * mount using this sb set explict options and a second mount using
626 * this sb does not set any security options. (The first options
627 * will be used for both mounts)
628 */
629 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630 && (num_opts == 0))
631 goto out;
632
633 /*
634 * parse the mount options, check if they are valid sids.
635 * also check if someone is trying to mount the same sb more
636 * than once with different security options.
637 */
638 for (i = 0; i < num_opts; i++) {
639 u32 sid;
640 rc = security_context_to_sid(mount_options[i],
641 strlen(mount_options[i]), &sid);
642 if (rc) {
643 printk(KERN_WARNING "SELinux: security_context_to_sid"
644 "(%s) failed for (dev %s, type %s) errno=%d\n",
645 mount_options[i], sb->s_id, name, rc);
646 goto out;
647 }
648 switch (flags[i]) {
649 case FSCONTEXT_MNT:
650 fscontext_sid = sid;
651
652 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
653 fscontext_sid))
654 goto out_double_mount;
655
656 sbsec->flags |= FSCONTEXT_MNT;
657 break;
658 case CONTEXT_MNT:
659 context_sid = sid;
660
661 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
662 context_sid))
663 goto out_double_mount;
664
665 sbsec->flags |= CONTEXT_MNT;
666 break;
667 case ROOTCONTEXT_MNT:
668 rootcontext_sid = sid;
669
670 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
671 rootcontext_sid))
672 goto out_double_mount;
673
674 sbsec->flags |= ROOTCONTEXT_MNT;
675
676 break;
677 case DEFCONTEXT_MNT:
678 defcontext_sid = sid;
679
680 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681 defcontext_sid))
682 goto out_double_mount;
683
684 sbsec->flags |= DEFCONTEXT_MNT;
685
686 break;
687 default:
688 rc = -EINVAL;
689 goto out;
690 }
691 }
692
693 if (sbsec->initialized) {
694 /* previously mounted with options, but not on this attempt? */
695 if (sbsec->flags && !num_opts)
696 goto out_double_mount;
697 rc = 0;
698 goto out;
699 }
700
701 if (strcmp(sb->s_type->name, "proc") == 0)
702 sbsec->proc = 1;
703
704 /* Determine the labeling behavior to use for this filesystem type. */
705 rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
706 if (rc) {
707 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708 __func__, sb->s_type->name, rc);
709 goto out;
710 }
711
712 /* sets the context of the superblock for the fs being mounted. */
713 if (fscontext_sid) {
714 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
715 if (rc)
716 goto out;
717
718 sbsec->sid = fscontext_sid;
719 }
720
721 /*
722 * Switch to using mount point labeling behavior.
723 * sets the label used on all file below the mountpoint, and will set
724 * the superblock context if not already set.
725 */
726 if (context_sid) {
727 if (!fscontext_sid) {
728 rc = may_context_mount_sb_relabel(context_sid, sbsec,
729 cred);
730 if (rc)
731 goto out;
732 sbsec->sid = context_sid;
733 } else {
734 rc = may_context_mount_inode_relabel(context_sid, sbsec,
735 cred);
736 if (rc)
737 goto out;
738 }
739 if (!rootcontext_sid)
740 rootcontext_sid = context_sid;
741
742 sbsec->mntpoint_sid = context_sid;
743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744 }
745
746 if (rootcontext_sid) {
747 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
748 cred);
749 if (rc)
750 goto out;
751
752 root_isec->sid = rootcontext_sid;
753 root_isec->initialized = 1;
754 }
755
756 if (defcontext_sid) {
757 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
758 rc = -EINVAL;
759 printk(KERN_WARNING "SELinux: defcontext option is "
760 "invalid for this filesystem type\n");
761 goto out;
762 }
763
764 if (defcontext_sid != sbsec->def_sid) {
765 rc = may_context_mount_inode_relabel(defcontext_sid,
766 sbsec, cred);
767 if (rc)
768 goto out;
769 }
770
771 sbsec->def_sid = defcontext_sid;
772 }
773
774 rc = sb_finish_set_opts(sb);
775 out:
776 mutex_unlock(&sbsec->lock);
777 return rc;
778 out_double_mount:
779 rc = -EINVAL;
780 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
781 "security settings for (dev %s, type %s)\n", sb->s_id, name);
782 goto out;
783 }
784
785 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786 struct super_block *newsb)
787 {
788 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789 struct superblock_security_struct *newsbsec = newsb->s_security;
790
791 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
792 int set_context = (oldsbsec->flags & CONTEXT_MNT);
793 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
794
795 /*
796 * if the parent was able to be mounted it clearly had no special lsm
797 * mount options. thus we can safely put this sb on the list and deal
798 * with it later
799 */
800 if (!ss_initialized) {
801 spin_lock(&sb_security_lock);
802 if (list_empty(&newsbsec->list))
803 list_add(&newsbsec->list, &superblock_security_head);
804 spin_unlock(&sb_security_lock);
805 return;
806 }
807
808 /* how can we clone if the old one wasn't set up?? */
809 BUG_ON(!oldsbsec->initialized);
810
811 /* if fs is reusing a sb, just let its options stand... */
812 if (newsbsec->initialized)
813 return;
814
815 mutex_lock(&newsbsec->lock);
816
817 newsbsec->flags = oldsbsec->flags;
818
819 newsbsec->sid = oldsbsec->sid;
820 newsbsec->def_sid = oldsbsec->def_sid;
821 newsbsec->behavior = oldsbsec->behavior;
822
823 if (set_context) {
824 u32 sid = oldsbsec->mntpoint_sid;
825
826 if (!set_fscontext)
827 newsbsec->sid = sid;
828 if (!set_rootcontext) {
829 struct inode *newinode = newsb->s_root->d_inode;
830 struct inode_security_struct *newisec = newinode->i_security;
831 newisec->sid = sid;
832 }
833 newsbsec->mntpoint_sid = sid;
834 }
835 if (set_rootcontext) {
836 const struct inode *oldinode = oldsb->s_root->d_inode;
837 const struct inode_security_struct *oldisec = oldinode->i_security;
838 struct inode *newinode = newsb->s_root->d_inode;
839 struct inode_security_struct *newisec = newinode->i_security;
840
841 newisec->sid = oldisec->sid;
842 }
843
844 sb_finish_set_opts(newsb);
845 mutex_unlock(&newsbsec->lock);
846 }
847
848 static int selinux_parse_opts_str(char *options,
849 struct security_mnt_opts *opts)
850 {
851 char *p;
852 char *context = NULL, *defcontext = NULL;
853 char *fscontext = NULL, *rootcontext = NULL;
854 int rc, num_mnt_opts = 0;
855
856 opts->num_mnt_opts = 0;
857
858 /* Standard string-based options. */
859 while ((p = strsep(&options, "|")) != NULL) {
860 int token;
861 substring_t args[MAX_OPT_ARGS];
862
863 if (!*p)
864 continue;
865
866 token = match_token(p, tokens, args);
867
868 switch (token) {
869 case Opt_context:
870 if (context || defcontext) {
871 rc = -EINVAL;
872 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
873 goto out_err;
874 }
875 context = match_strdup(&args[0]);
876 if (!context) {
877 rc = -ENOMEM;
878 goto out_err;
879 }
880 break;
881
882 case Opt_fscontext:
883 if (fscontext) {
884 rc = -EINVAL;
885 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886 goto out_err;
887 }
888 fscontext = match_strdup(&args[0]);
889 if (!fscontext) {
890 rc = -ENOMEM;
891 goto out_err;
892 }
893 break;
894
895 case Opt_rootcontext:
896 if (rootcontext) {
897 rc = -EINVAL;
898 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899 goto out_err;
900 }
901 rootcontext = match_strdup(&args[0]);
902 if (!rootcontext) {
903 rc = -ENOMEM;
904 goto out_err;
905 }
906 break;
907
908 case Opt_defcontext:
909 if (context || defcontext) {
910 rc = -EINVAL;
911 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912 goto out_err;
913 }
914 defcontext = match_strdup(&args[0]);
915 if (!defcontext) {
916 rc = -ENOMEM;
917 goto out_err;
918 }
919 break;
920
921 default:
922 rc = -EINVAL;
923 printk(KERN_WARNING "SELinux: unknown mount option\n");
924 goto out_err;
925
926 }
927 }
928
929 rc = -ENOMEM;
930 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
931 if (!opts->mnt_opts)
932 goto out_err;
933
934 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935 if (!opts->mnt_opts_flags) {
936 kfree(opts->mnt_opts);
937 goto out_err;
938 }
939
940 if (fscontext) {
941 opts->mnt_opts[num_mnt_opts] = fscontext;
942 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
943 }
944 if (context) {
945 opts->mnt_opts[num_mnt_opts] = context;
946 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
947 }
948 if (rootcontext) {
949 opts->mnt_opts[num_mnt_opts] = rootcontext;
950 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
951 }
952 if (defcontext) {
953 opts->mnt_opts[num_mnt_opts] = defcontext;
954 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
955 }
956
957 opts->num_mnt_opts = num_mnt_opts;
958 return 0;
959
960 out_err:
961 kfree(context);
962 kfree(defcontext);
963 kfree(fscontext);
964 kfree(rootcontext);
965 return rc;
966 }
967 /*
968 * string mount options parsing and call set the sbsec
969 */
970 static int superblock_doinit(struct super_block *sb, void *data)
971 {
972 int rc = 0;
973 char *options = data;
974 struct security_mnt_opts opts;
975
976 security_init_mnt_opts(&opts);
977
978 if (!data)
979 goto out;
980
981 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
982
983 rc = selinux_parse_opts_str(options, &opts);
984 if (rc)
985 goto out_err;
986
987 out:
988 rc = selinux_set_mnt_opts(sb, &opts);
989
990 out_err:
991 security_free_mnt_opts(&opts);
992 return rc;
993 }
994
995 static void selinux_write_opts(struct seq_file *m,
996 struct security_mnt_opts *opts)
997 {
998 int i;
999 char *prefix;
1000
1001 for (i = 0; i < opts->num_mnt_opts; i++) {
1002 char *has_comma = strchr(opts->mnt_opts[i], ',');
1003
1004 switch (opts->mnt_opts_flags[i]) {
1005 case CONTEXT_MNT:
1006 prefix = CONTEXT_STR;
1007 break;
1008 case FSCONTEXT_MNT:
1009 prefix = FSCONTEXT_STR;
1010 break;
1011 case ROOTCONTEXT_MNT:
1012 prefix = ROOTCONTEXT_STR;
1013 break;
1014 case DEFCONTEXT_MNT:
1015 prefix = DEFCONTEXT_STR;
1016 break;
1017 default:
1018 BUG();
1019 };
1020 /* we need a comma before each option */
1021 seq_putc(m, ',');
1022 seq_puts(m, prefix);
1023 if (has_comma)
1024 seq_putc(m, '\"');
1025 seq_puts(m, opts->mnt_opts[i]);
1026 if (has_comma)
1027 seq_putc(m, '\"');
1028 }
1029 }
1030
1031 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032 {
1033 struct security_mnt_opts opts;
1034 int rc;
1035
1036 rc = selinux_get_mnt_opts(sb, &opts);
1037 if (rc) {
1038 /* before policy load we may get EINVAL, don't show anything */
1039 if (rc == -EINVAL)
1040 rc = 0;
1041 return rc;
1042 }
1043
1044 selinux_write_opts(m, &opts);
1045
1046 security_free_mnt_opts(&opts);
1047
1048 return rc;
1049 }
1050
1051 static inline u16 inode_mode_to_security_class(umode_t mode)
1052 {
1053 switch (mode & S_IFMT) {
1054 case S_IFSOCK:
1055 return SECCLASS_SOCK_FILE;
1056 case S_IFLNK:
1057 return SECCLASS_LNK_FILE;
1058 case S_IFREG:
1059 return SECCLASS_FILE;
1060 case S_IFBLK:
1061 return SECCLASS_BLK_FILE;
1062 case S_IFDIR:
1063 return SECCLASS_DIR;
1064 case S_IFCHR:
1065 return SECCLASS_CHR_FILE;
1066 case S_IFIFO:
1067 return SECCLASS_FIFO_FILE;
1068
1069 }
1070
1071 return SECCLASS_FILE;
1072 }
1073
1074 static inline int default_protocol_stream(int protocol)
1075 {
1076 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077 }
1078
1079 static inline int default_protocol_dgram(int protocol)
1080 {
1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082 }
1083
1084 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085 {
1086 switch (family) {
1087 case PF_UNIX:
1088 switch (type) {
1089 case SOCK_STREAM:
1090 case SOCK_SEQPACKET:
1091 return SECCLASS_UNIX_STREAM_SOCKET;
1092 case SOCK_DGRAM:
1093 return SECCLASS_UNIX_DGRAM_SOCKET;
1094 }
1095 break;
1096 case PF_INET:
1097 case PF_INET6:
1098 switch (type) {
1099 case SOCK_STREAM:
1100 if (default_protocol_stream(protocol))
1101 return SECCLASS_TCP_SOCKET;
1102 else
1103 return SECCLASS_RAWIP_SOCKET;
1104 case SOCK_DGRAM:
1105 if (default_protocol_dgram(protocol))
1106 return SECCLASS_UDP_SOCKET;
1107 else
1108 return SECCLASS_RAWIP_SOCKET;
1109 case SOCK_DCCP:
1110 return SECCLASS_DCCP_SOCKET;
1111 default:
1112 return SECCLASS_RAWIP_SOCKET;
1113 }
1114 break;
1115 case PF_NETLINK:
1116 switch (protocol) {
1117 case NETLINK_ROUTE:
1118 return SECCLASS_NETLINK_ROUTE_SOCKET;
1119 case NETLINK_FIREWALL:
1120 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1121 case NETLINK_INET_DIAG:
1122 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123 case NETLINK_NFLOG:
1124 return SECCLASS_NETLINK_NFLOG_SOCKET;
1125 case NETLINK_XFRM:
1126 return SECCLASS_NETLINK_XFRM_SOCKET;
1127 case NETLINK_SELINUX:
1128 return SECCLASS_NETLINK_SELINUX_SOCKET;
1129 case NETLINK_AUDIT:
1130 return SECCLASS_NETLINK_AUDIT_SOCKET;
1131 case NETLINK_IP6_FW:
1132 return SECCLASS_NETLINK_IP6FW_SOCKET;
1133 case NETLINK_DNRTMSG:
1134 return SECCLASS_NETLINK_DNRT_SOCKET;
1135 case NETLINK_KOBJECT_UEVENT:
1136 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1137 default:
1138 return SECCLASS_NETLINK_SOCKET;
1139 }
1140 case PF_PACKET:
1141 return SECCLASS_PACKET_SOCKET;
1142 case PF_KEY:
1143 return SECCLASS_KEY_SOCKET;
1144 case PF_APPLETALK:
1145 return SECCLASS_APPLETALK_SOCKET;
1146 }
1147
1148 return SECCLASS_SOCKET;
1149 }
1150
1151 #ifdef CONFIG_PROC_FS
1152 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153 u16 tclass,
1154 u32 *sid)
1155 {
1156 int buflen, rc;
1157 char *buffer, *path, *end;
1158
1159 buffer = (char *)__get_free_page(GFP_KERNEL);
1160 if (!buffer)
1161 return -ENOMEM;
1162
1163 buflen = PAGE_SIZE;
1164 end = buffer+buflen;
1165 *--end = '\0';
1166 buflen--;
1167 path = end-1;
1168 *path = '/';
1169 while (de && de != de->parent) {
1170 buflen -= de->namelen + 1;
1171 if (buflen < 0)
1172 break;
1173 end -= de->namelen;
1174 memcpy(end, de->name, de->namelen);
1175 *--end = '/';
1176 path = end;
1177 de = de->parent;
1178 }
1179 rc = security_genfs_sid("proc", path, tclass, sid);
1180 free_page((unsigned long)buffer);
1181 return rc;
1182 }
1183 #else
1184 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185 u16 tclass,
1186 u32 *sid)
1187 {
1188 return -EINVAL;
1189 }
1190 #endif
1191
1192 /* The inode's security attributes must be initialized before first use. */
1193 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194 {
1195 struct superblock_security_struct *sbsec = NULL;
1196 struct inode_security_struct *isec = inode->i_security;
1197 u32 sid;
1198 struct dentry *dentry;
1199 #define INITCONTEXTLEN 255
1200 char *context = NULL;
1201 unsigned len = 0;
1202 int rc = 0;
1203
1204 if (isec->initialized)
1205 goto out;
1206
1207 mutex_lock(&isec->lock);
1208 if (isec->initialized)
1209 goto out_unlock;
1210
1211 sbsec = inode->i_sb->s_security;
1212 if (!sbsec->initialized) {
1213 /* Defer initialization until selinux_complete_init,
1214 after the initial policy is loaded and the security
1215 server is ready to handle calls. */
1216 spin_lock(&sbsec->isec_lock);
1217 if (list_empty(&isec->list))
1218 list_add(&isec->list, &sbsec->isec_head);
1219 spin_unlock(&sbsec->isec_lock);
1220 goto out_unlock;
1221 }
1222
1223 switch (sbsec->behavior) {
1224 case SECURITY_FS_USE_XATTR:
1225 if (!inode->i_op->getxattr) {
1226 isec->sid = sbsec->def_sid;
1227 break;
1228 }
1229
1230 /* Need a dentry, since the xattr API requires one.
1231 Life would be simpler if we could just pass the inode. */
1232 if (opt_dentry) {
1233 /* Called from d_instantiate or d_splice_alias. */
1234 dentry = dget(opt_dentry);
1235 } else {
1236 /* Called from selinux_complete_init, try to find a dentry. */
1237 dentry = d_find_alias(inode);
1238 }
1239 if (!dentry) {
1240 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1241 "ino=%ld\n", __func__, inode->i_sb->s_id,
1242 inode->i_ino);
1243 goto out_unlock;
1244 }
1245
1246 len = INITCONTEXTLEN;
1247 context = kmalloc(len, GFP_NOFS);
1248 if (!context) {
1249 rc = -ENOMEM;
1250 dput(dentry);
1251 goto out_unlock;
1252 }
1253 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1254 context, len);
1255 if (rc == -ERANGE) {
1256 /* Need a larger buffer. Query for the right size. */
1257 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1258 NULL, 0);
1259 if (rc < 0) {
1260 dput(dentry);
1261 goto out_unlock;
1262 }
1263 kfree(context);
1264 len = rc;
1265 context = kmalloc(len, GFP_NOFS);
1266 if (!context) {
1267 rc = -ENOMEM;
1268 dput(dentry);
1269 goto out_unlock;
1270 }
1271 rc = inode->i_op->getxattr(dentry,
1272 XATTR_NAME_SELINUX,
1273 context, len);
1274 }
1275 dput(dentry);
1276 if (rc < 0) {
1277 if (rc != -ENODATA) {
1278 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1279 "%d for dev=%s ino=%ld\n", __func__,
1280 -rc, inode->i_sb->s_id, inode->i_ino);
1281 kfree(context);
1282 goto out_unlock;
1283 }
1284 /* Map ENODATA to the default file SID */
1285 sid = sbsec->def_sid;
1286 rc = 0;
1287 } else {
1288 rc = security_context_to_sid_default(context, rc, &sid,
1289 sbsec->def_sid,
1290 GFP_NOFS);
1291 if (rc) {
1292 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1293 "returned %d for dev=%s ino=%ld\n",
1294 __func__, context, -rc,
1295 inode->i_sb->s_id, inode->i_ino);
1296 kfree(context);
1297 /* Leave with the unlabeled SID */
1298 rc = 0;
1299 break;
1300 }
1301 }
1302 kfree(context);
1303 isec->sid = sid;
1304 break;
1305 case SECURITY_FS_USE_TASK:
1306 isec->sid = isec->task_sid;
1307 break;
1308 case SECURITY_FS_USE_TRANS:
1309 /* Default to the fs SID. */
1310 isec->sid = sbsec->sid;
1311
1312 /* Try to obtain a transition SID. */
1313 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314 rc = security_transition_sid(isec->task_sid,
1315 sbsec->sid,
1316 isec->sclass,
1317 &sid);
1318 if (rc)
1319 goto out_unlock;
1320 isec->sid = sid;
1321 break;
1322 case SECURITY_FS_USE_MNTPOINT:
1323 isec->sid = sbsec->mntpoint_sid;
1324 break;
1325 default:
1326 /* Default to the fs superblock SID. */
1327 isec->sid = sbsec->sid;
1328
1329 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1330 struct proc_inode *proci = PROC_I(inode);
1331 if (proci->pde) {
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 rc = selinux_proc_get_sid(proci->pde,
1334 isec->sclass,
1335 &sid);
1336 if (rc)
1337 goto out_unlock;
1338 isec->sid = sid;
1339 }
1340 }
1341 break;
1342 }
1343
1344 isec->initialized = 1;
1345
1346 out_unlock:
1347 mutex_unlock(&isec->lock);
1348 out:
1349 if (isec->sclass == SECCLASS_FILE)
1350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351 return rc;
1352 }
1353
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1356 {
1357 u32 perm = 0;
1358
1359 switch (sig) {
1360 case SIGCHLD:
1361 /* Commonly granted from child to parent. */
1362 perm = PROCESS__SIGCHLD;
1363 break;
1364 case SIGKILL:
1365 /* Cannot be caught or ignored */
1366 perm = PROCESS__SIGKILL;
1367 break;
1368 case SIGSTOP:
1369 /* Cannot be caught or ignored */
1370 perm = PROCESS__SIGSTOP;
1371 break;
1372 default:
1373 /* All other signals. */
1374 perm = PROCESS__SIGNAL;
1375 break;
1376 }
1377
1378 return perm;
1379 }
1380
1381 /*
1382 * Check permission between a pair of credentials
1383 * fork check, ptrace check, etc.
1384 */
1385 static int cred_has_perm(const struct cred *actor,
1386 const struct cred *target,
1387 u32 perms)
1388 {
1389 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1390
1391 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1392 }
1393
1394 /*
1395 * Check permission between a pair of tasks, e.g. signal checks,
1396 * fork check, ptrace check, etc.
1397 * tsk1 is the actor and tsk2 is the target
1398 * - this uses the default subjective creds of tsk1
1399 */
1400 static int task_has_perm(const struct task_struct *tsk1,
1401 const struct task_struct *tsk2,
1402 u32 perms)
1403 {
1404 const struct task_security_struct *__tsec1, *__tsec2;
1405 u32 sid1, sid2;
1406
1407 rcu_read_lock();
1408 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1409 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1410 rcu_read_unlock();
1411 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 /*
1415 * Check permission between current and another task, e.g. signal checks,
1416 * fork check, ptrace check, etc.
1417 * current is the actor and tsk2 is the target
1418 * - this uses current's subjective creds
1419 */
1420 static int current_has_perm(const struct task_struct *tsk,
1421 u32 perms)
1422 {
1423 u32 sid, tsid;
1424
1425 sid = current_sid();
1426 tsid = task_sid(tsk);
1427 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1428 }
1429
1430 #if CAP_LAST_CAP > 63
1431 #error Fix SELinux to handle capabilities > 63.
1432 #endif
1433
1434 /* Check whether a task is allowed to use a capability. */
1435 static int task_has_capability(struct task_struct *tsk,
1436 const struct cred *cred,
1437 int cap, int audit)
1438 {
1439 struct avc_audit_data ad;
1440 struct av_decision avd;
1441 u16 sclass;
1442 u32 sid = cred_sid(cred);
1443 u32 av = CAP_TO_MASK(cap);
1444 int rc;
1445
1446 AVC_AUDIT_DATA_INIT(&ad, CAP);
1447 ad.tsk = tsk;
1448 ad.u.cap = cap;
1449
1450 switch (CAP_TO_INDEX(cap)) {
1451 case 0:
1452 sclass = SECCLASS_CAPABILITY;
1453 break;
1454 case 1:
1455 sclass = SECCLASS_CAPABILITY2;
1456 break;
1457 default:
1458 printk(KERN_ERR
1459 "SELinux: out of range capability %d\n", cap);
1460 BUG();
1461 }
1462
1463 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1464 if (audit == SECURITY_CAP_AUDIT)
1465 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1466 return rc;
1467 }
1468
1469 /* Check whether a task is allowed to use a system operation. */
1470 static int task_has_system(struct task_struct *tsk,
1471 u32 perms)
1472 {
1473 u32 sid = task_sid(tsk);
1474
1475 return avc_has_perm(sid, SECINITSID_KERNEL,
1476 SECCLASS_SYSTEM, perms, NULL);
1477 }
1478
1479 /* Check whether a task has a particular permission to an inode.
1480 The 'adp' parameter is optional and allows other audit
1481 data to be passed (e.g. the dentry). */
1482 static int inode_has_perm(const struct cred *cred,
1483 struct inode *inode,
1484 u32 perms,
1485 struct avc_audit_data *adp)
1486 {
1487 struct inode_security_struct *isec;
1488 struct avc_audit_data ad;
1489 u32 sid;
1490
1491 if (unlikely(IS_PRIVATE(inode)))
1492 return 0;
1493
1494 sid = cred_sid(cred);
1495 isec = inode->i_security;
1496
1497 if (!adp) {
1498 adp = &ad;
1499 AVC_AUDIT_DATA_INIT(&ad, FS);
1500 ad.u.fs.inode = inode;
1501 }
1502
1503 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1504 }
1505
1506 /* Same as inode_has_perm, but pass explicit audit data containing
1507 the dentry to help the auditing code to more easily generate the
1508 pathname if needed. */
1509 static inline int dentry_has_perm(const struct cred *cred,
1510 struct vfsmount *mnt,
1511 struct dentry *dentry,
1512 u32 av)
1513 {
1514 struct inode *inode = dentry->d_inode;
1515 struct avc_audit_data ad;
1516
1517 AVC_AUDIT_DATA_INIT(&ad, FS);
1518 ad.u.fs.path.mnt = mnt;
1519 ad.u.fs.path.dentry = dentry;
1520 return inode_has_perm(cred, inode, av, &ad);
1521 }
1522
1523 /* Check whether a task can use an open file descriptor to
1524 access an inode in a given way. Check access to the
1525 descriptor itself, and then use dentry_has_perm to
1526 check a particular permission to the file.
1527 Access to the descriptor is implicitly granted if it
1528 has the same SID as the process. If av is zero, then
1529 access to the file is not checked, e.g. for cases
1530 where only the descriptor is affected like seek. */
1531 static int file_has_perm(const struct cred *cred,
1532 struct file *file,
1533 u32 av)
1534 {
1535 struct file_security_struct *fsec = file->f_security;
1536 struct inode *inode = file->f_path.dentry->d_inode;
1537 struct avc_audit_data ad;
1538 u32 sid = cred_sid(cred);
1539 int rc;
1540
1541 AVC_AUDIT_DATA_INIT(&ad, FS);
1542 ad.u.fs.path = file->f_path;
1543
1544 if (sid != fsec->sid) {
1545 rc = avc_has_perm(sid, fsec->sid,
1546 SECCLASS_FD,
1547 FD__USE,
1548 &ad);
1549 if (rc)
1550 goto out;
1551 }
1552
1553 /* av is zero if only checking access to the descriptor. */
1554 rc = 0;
1555 if (av)
1556 rc = inode_has_perm(cred, inode, av, &ad);
1557
1558 out:
1559 return rc;
1560 }
1561
1562 /* Check whether a task can create a file. */
1563 static int may_create(struct inode *dir,
1564 struct dentry *dentry,
1565 u16 tclass)
1566 {
1567 const struct cred *cred = current_cred();
1568 const struct task_security_struct *tsec = cred->security;
1569 struct inode_security_struct *dsec;
1570 struct superblock_security_struct *sbsec;
1571 u32 sid, newsid;
1572 struct avc_audit_data ad;
1573 int rc;
1574
1575 dsec = dir->i_security;
1576 sbsec = dir->i_sb->s_security;
1577
1578 sid = tsec->sid;
1579 newsid = tsec->create_sid;
1580
1581 AVC_AUDIT_DATA_INIT(&ad, FS);
1582 ad.u.fs.path.dentry = dentry;
1583
1584 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1585 DIR__ADD_NAME | DIR__SEARCH,
1586 &ad);
1587 if (rc)
1588 return rc;
1589
1590 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1591 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1592 if (rc)
1593 return rc;
1594 }
1595
1596 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1597 if (rc)
1598 return rc;
1599
1600 return avc_has_perm(newsid, sbsec->sid,
1601 SECCLASS_FILESYSTEM,
1602 FILESYSTEM__ASSOCIATE, &ad);
1603 }
1604
1605 /* Check whether a task can create a key. */
1606 static int may_create_key(u32 ksid,
1607 struct task_struct *ctx)
1608 {
1609 u32 sid = task_sid(ctx);
1610
1611 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1612 }
1613
1614 #define MAY_LINK 0
1615 #define MAY_UNLINK 1
1616 #define MAY_RMDIR 2
1617
1618 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1619 static int may_link(struct inode *dir,
1620 struct dentry *dentry,
1621 int kind)
1622
1623 {
1624 struct inode_security_struct *dsec, *isec;
1625 struct avc_audit_data ad;
1626 u32 sid = current_sid();
1627 u32 av;
1628 int rc;
1629
1630 dsec = dir->i_security;
1631 isec = dentry->d_inode->i_security;
1632
1633 AVC_AUDIT_DATA_INIT(&ad, FS);
1634 ad.u.fs.path.dentry = dentry;
1635
1636 av = DIR__SEARCH;
1637 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1638 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1639 if (rc)
1640 return rc;
1641
1642 switch (kind) {
1643 case MAY_LINK:
1644 av = FILE__LINK;
1645 break;
1646 case MAY_UNLINK:
1647 av = FILE__UNLINK;
1648 break;
1649 case MAY_RMDIR:
1650 av = DIR__RMDIR;
1651 break;
1652 default:
1653 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1654 __func__, kind);
1655 return 0;
1656 }
1657
1658 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1659 return rc;
1660 }
1661
1662 static inline int may_rename(struct inode *old_dir,
1663 struct dentry *old_dentry,
1664 struct inode *new_dir,
1665 struct dentry *new_dentry)
1666 {
1667 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1668 struct avc_audit_data ad;
1669 u32 sid = current_sid();
1670 u32 av;
1671 int old_is_dir, new_is_dir;
1672 int rc;
1673
1674 old_dsec = old_dir->i_security;
1675 old_isec = old_dentry->d_inode->i_security;
1676 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1677 new_dsec = new_dir->i_security;
1678
1679 AVC_AUDIT_DATA_INIT(&ad, FS);
1680
1681 ad.u.fs.path.dentry = old_dentry;
1682 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1683 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1684 if (rc)
1685 return rc;
1686 rc = avc_has_perm(sid, old_isec->sid,
1687 old_isec->sclass, FILE__RENAME, &ad);
1688 if (rc)
1689 return rc;
1690 if (old_is_dir && new_dir != old_dir) {
1691 rc = avc_has_perm(sid, old_isec->sid,
1692 old_isec->sclass, DIR__REPARENT, &ad);
1693 if (rc)
1694 return rc;
1695 }
1696
1697 ad.u.fs.path.dentry = new_dentry;
1698 av = DIR__ADD_NAME | DIR__SEARCH;
1699 if (new_dentry->d_inode)
1700 av |= DIR__REMOVE_NAME;
1701 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1702 if (rc)
1703 return rc;
1704 if (new_dentry->d_inode) {
1705 new_isec = new_dentry->d_inode->i_security;
1706 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1707 rc = avc_has_perm(sid, new_isec->sid,
1708 new_isec->sclass,
1709 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1710 if (rc)
1711 return rc;
1712 }
1713
1714 return 0;
1715 }
1716
1717 /* Check whether a task can perform a filesystem operation. */
1718 static int superblock_has_perm(const struct cred *cred,
1719 struct super_block *sb,
1720 u32 perms,
1721 struct avc_audit_data *ad)
1722 {
1723 struct superblock_security_struct *sbsec;
1724 u32 sid = cred_sid(cred);
1725
1726 sbsec = sb->s_security;
1727 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1728 }
1729
1730 /* Convert a Linux mode and permission mask to an access vector. */
1731 static inline u32 file_mask_to_av(int mode, int mask)
1732 {
1733 u32 av = 0;
1734
1735 if ((mode & S_IFMT) != S_IFDIR) {
1736 if (mask & MAY_EXEC)
1737 av |= FILE__EXECUTE;
1738 if (mask & MAY_READ)
1739 av |= FILE__READ;
1740
1741 if (mask & MAY_APPEND)
1742 av |= FILE__APPEND;
1743 else if (mask & MAY_WRITE)
1744 av |= FILE__WRITE;
1745
1746 } else {
1747 if (mask & MAY_EXEC)
1748 av |= DIR__SEARCH;
1749 if (mask & MAY_WRITE)
1750 av |= DIR__WRITE;
1751 if (mask & MAY_READ)
1752 av |= DIR__READ;
1753 }
1754
1755 return av;
1756 }
1757
1758 /* Convert a Linux file to an access vector. */
1759 static inline u32 file_to_av(struct file *file)
1760 {
1761 u32 av = 0;
1762
1763 if (file->f_mode & FMODE_READ)
1764 av |= FILE__READ;
1765 if (file->f_mode & FMODE_WRITE) {
1766 if (file->f_flags & O_APPEND)
1767 av |= FILE__APPEND;
1768 else
1769 av |= FILE__WRITE;
1770 }
1771 if (!av) {
1772 /*
1773 * Special file opened with flags 3 for ioctl-only use.
1774 */
1775 av = FILE__IOCTL;
1776 }
1777
1778 return av;
1779 }
1780
1781 /*
1782 * Convert a file to an access vector and include the correct open
1783 * open permission.
1784 */
1785 static inline u32 open_file_to_av(struct file *file)
1786 {
1787 u32 av = file_to_av(file);
1788
1789 if (selinux_policycap_openperm) {
1790 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1791 /*
1792 * lnk files and socks do not really have an 'open'
1793 */
1794 if (S_ISREG(mode))
1795 av |= FILE__OPEN;
1796 else if (S_ISCHR(mode))
1797 av |= CHR_FILE__OPEN;
1798 else if (S_ISBLK(mode))
1799 av |= BLK_FILE__OPEN;
1800 else if (S_ISFIFO(mode))
1801 av |= FIFO_FILE__OPEN;
1802 else if (S_ISDIR(mode))
1803 av |= DIR__OPEN;
1804 else
1805 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1806 "unknown mode:%o\n", __func__, mode);
1807 }
1808 return av;
1809 }
1810
1811 /* Hook functions begin here. */
1812
1813 static int selinux_ptrace_may_access(struct task_struct *child,
1814 unsigned int mode)
1815 {
1816 int rc;
1817
1818 rc = secondary_ops->ptrace_may_access(child, mode);
1819 if (rc)
1820 return rc;
1821
1822 if (mode == PTRACE_MODE_READ) {
1823 u32 sid = current_sid();
1824 u32 csid = task_sid(child);
1825 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1826 }
1827
1828 return current_has_perm(child, PROCESS__PTRACE);
1829 }
1830
1831 static int selinux_ptrace_traceme(struct task_struct *parent)
1832 {
1833 int rc;
1834
1835 rc = secondary_ops->ptrace_traceme(parent);
1836 if (rc)
1837 return rc;
1838
1839 return task_has_perm(parent, current, PROCESS__PTRACE);
1840 }
1841
1842 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1843 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1844 {
1845 int error;
1846
1847 error = current_has_perm(target, PROCESS__GETCAP);
1848 if (error)
1849 return error;
1850
1851 return secondary_ops->capget(target, effective, inheritable, permitted);
1852 }
1853
1854 static int selinux_capset(struct cred *new, const struct cred *old,
1855 const kernel_cap_t *effective,
1856 const kernel_cap_t *inheritable,
1857 const kernel_cap_t *permitted)
1858 {
1859 int error;
1860
1861 error = secondary_ops->capset(new, old,
1862 effective, inheritable, permitted);
1863 if (error)
1864 return error;
1865
1866 return cred_has_perm(old, new, PROCESS__SETCAP);
1867 }
1868
1869 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1870 int cap, int audit)
1871 {
1872 int rc;
1873
1874 rc = secondary_ops->capable(tsk, cred, cap, audit);
1875 if (rc)
1876 return rc;
1877
1878 return task_has_capability(tsk, cred, cap, audit);
1879 }
1880
1881 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1882 {
1883 int buflen, rc;
1884 char *buffer, *path, *end;
1885
1886 rc = -ENOMEM;
1887 buffer = (char *)__get_free_page(GFP_KERNEL);
1888 if (!buffer)
1889 goto out;
1890
1891 buflen = PAGE_SIZE;
1892 end = buffer+buflen;
1893 *--end = '\0';
1894 buflen--;
1895 path = end-1;
1896 *path = '/';
1897 while (table) {
1898 const char *name = table->procname;
1899 size_t namelen = strlen(name);
1900 buflen -= namelen + 1;
1901 if (buflen < 0)
1902 goto out_free;
1903 end -= namelen;
1904 memcpy(end, name, namelen);
1905 *--end = '/';
1906 path = end;
1907 table = table->parent;
1908 }
1909 buflen -= 4;
1910 if (buflen < 0)
1911 goto out_free;
1912 end -= 4;
1913 memcpy(end, "/sys", 4);
1914 path = end;
1915 rc = security_genfs_sid("proc", path, tclass, sid);
1916 out_free:
1917 free_page((unsigned long)buffer);
1918 out:
1919 return rc;
1920 }
1921
1922 static int selinux_sysctl(ctl_table *table, int op)
1923 {
1924 int error = 0;
1925 u32 av;
1926 u32 tsid, sid;
1927 int rc;
1928
1929 rc = secondary_ops->sysctl(table, op);
1930 if (rc)
1931 return rc;
1932
1933 sid = current_sid();
1934
1935 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1936 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1937 if (rc) {
1938 /* Default to the well-defined sysctl SID. */
1939 tsid = SECINITSID_SYSCTL;
1940 }
1941
1942 /* The op values are "defined" in sysctl.c, thereby creating
1943 * a bad coupling between this module and sysctl.c */
1944 if (op == 001) {
1945 error = avc_has_perm(sid, tsid,
1946 SECCLASS_DIR, DIR__SEARCH, NULL);
1947 } else {
1948 av = 0;
1949 if (op & 004)
1950 av |= FILE__READ;
1951 if (op & 002)
1952 av |= FILE__WRITE;
1953 if (av)
1954 error = avc_has_perm(sid, tsid,
1955 SECCLASS_FILE, av, NULL);
1956 }
1957
1958 return error;
1959 }
1960
1961 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1962 {
1963 const struct cred *cred = current_cred();
1964 int rc = 0;
1965
1966 if (!sb)
1967 return 0;
1968
1969 switch (cmds) {
1970 case Q_SYNC:
1971 case Q_QUOTAON:
1972 case Q_QUOTAOFF:
1973 case Q_SETINFO:
1974 case Q_SETQUOTA:
1975 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1976 break;
1977 case Q_GETFMT:
1978 case Q_GETINFO:
1979 case Q_GETQUOTA:
1980 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1981 break;
1982 default:
1983 rc = 0; /* let the kernel handle invalid cmds */
1984 break;
1985 }
1986 return rc;
1987 }
1988
1989 static int selinux_quota_on(struct dentry *dentry)
1990 {
1991 const struct cred *cred = current_cred();
1992
1993 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1994 }
1995
1996 static int selinux_syslog(int type)
1997 {
1998 int rc;
1999
2000 rc = secondary_ops->syslog(type);
2001 if (rc)
2002 return rc;
2003
2004 switch (type) {
2005 case 3: /* Read last kernel messages */
2006 case 10: /* Return size of the log buffer */
2007 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2008 break;
2009 case 6: /* Disable logging to console */
2010 case 7: /* Enable logging to console */
2011 case 8: /* Set level of messages printed to console */
2012 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2013 break;
2014 case 0: /* Close log */
2015 case 1: /* Open log */
2016 case 2: /* Read from log */
2017 case 4: /* Read/clear last kernel messages */
2018 case 5: /* Clear ring buffer */
2019 default:
2020 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2021 break;
2022 }
2023 return rc;
2024 }
2025
2026 /*
2027 * Check that a process has enough memory to allocate a new virtual
2028 * mapping. 0 means there is enough memory for the allocation to
2029 * succeed and -ENOMEM implies there is not.
2030 *
2031 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2032 * if the capability is granted, but __vm_enough_memory requires 1 if
2033 * the capability is granted.
2034 *
2035 * Do not audit the selinux permission check, as this is applied to all
2036 * processes that allocate mappings.
2037 */
2038 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2039 {
2040 int rc, cap_sys_admin = 0;
2041
2042 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2043 SECURITY_CAP_NOAUDIT);
2044 if (rc == 0)
2045 cap_sys_admin = 1;
2046
2047 return __vm_enough_memory(mm, pages, cap_sys_admin);
2048 }
2049
2050 /* binprm security operations */
2051
2052 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2053 {
2054 const struct task_security_struct *old_tsec;
2055 struct task_security_struct *new_tsec;
2056 struct inode_security_struct *isec;
2057 struct avc_audit_data ad;
2058 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2059 int rc;
2060
2061 rc = secondary_ops->bprm_set_creds(bprm);
2062 if (rc)
2063 return rc;
2064
2065 /* SELinux context only depends on initial program or script and not
2066 * the script interpreter */
2067 if (bprm->cred_prepared)
2068 return 0;
2069
2070 old_tsec = current_security();
2071 new_tsec = bprm->cred->security;
2072 isec = inode->i_security;
2073
2074 /* Default to the current task SID. */
2075 new_tsec->sid = old_tsec->sid;
2076 new_tsec->osid = old_tsec->sid;
2077
2078 /* Reset fs, key, and sock SIDs on execve. */
2079 new_tsec->create_sid = 0;
2080 new_tsec->keycreate_sid = 0;
2081 new_tsec->sockcreate_sid = 0;
2082
2083 if (old_tsec->exec_sid) {
2084 new_tsec->sid = old_tsec->exec_sid;
2085 /* Reset exec SID on execve. */
2086 new_tsec->exec_sid = 0;
2087 } else {
2088 /* Check for a default transition on this program. */
2089 rc = security_transition_sid(old_tsec->sid, isec->sid,
2090 SECCLASS_PROCESS, &new_tsec->sid);
2091 if (rc)
2092 return rc;
2093 }
2094
2095 AVC_AUDIT_DATA_INIT(&ad, FS);
2096 ad.u.fs.path = bprm->file->f_path;
2097
2098 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2099 new_tsec->sid = old_tsec->sid;
2100
2101 if (new_tsec->sid == old_tsec->sid) {
2102 rc = avc_has_perm(old_tsec->sid, isec->sid,
2103 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2104 if (rc)
2105 return rc;
2106 } else {
2107 /* Check permissions for the transition. */
2108 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2109 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2110 if (rc)
2111 return rc;
2112
2113 rc = avc_has_perm(new_tsec->sid, isec->sid,
2114 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2115 if (rc)
2116 return rc;
2117
2118 /* Check for shared state */
2119 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2120 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2121 SECCLASS_PROCESS, PROCESS__SHARE,
2122 NULL);
2123 if (rc)
2124 return -EPERM;
2125 }
2126
2127 /* Make sure that anyone attempting to ptrace over a task that
2128 * changes its SID has the appropriate permit */
2129 if (bprm->unsafe &
2130 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2131 struct task_struct *tracer;
2132 struct task_security_struct *sec;
2133 u32 ptsid = 0;
2134
2135 rcu_read_lock();
2136 tracer = tracehook_tracer_task(current);
2137 if (likely(tracer != NULL)) {
2138 sec = __task_cred(tracer)->security;
2139 ptsid = sec->sid;
2140 }
2141 rcu_read_unlock();
2142
2143 if (ptsid != 0) {
2144 rc = avc_has_perm(ptsid, new_tsec->sid,
2145 SECCLASS_PROCESS,
2146 PROCESS__PTRACE, NULL);
2147 if (rc)
2148 return -EPERM;
2149 }
2150 }
2151
2152 /* Clear any possibly unsafe personality bits on exec: */
2153 bprm->per_clear |= PER_CLEAR_ON_SETID;
2154 }
2155
2156 return 0;
2157 }
2158
2159 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2160 {
2161 return secondary_ops->bprm_check_security(bprm);
2162 }
2163
2164 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2165 {
2166 const struct cred *cred = current_cred();
2167 const struct task_security_struct *tsec = cred->security;
2168 u32 sid, osid;
2169 int atsecure = 0;
2170
2171 sid = tsec->sid;
2172 osid = tsec->osid;
2173
2174 if (osid != sid) {
2175 /* Enable secure mode for SIDs transitions unless
2176 the noatsecure permission is granted between
2177 the two SIDs, i.e. ahp returns 0. */
2178 atsecure = avc_has_perm(osid, sid,
2179 SECCLASS_PROCESS,
2180 PROCESS__NOATSECURE, NULL);
2181 }
2182
2183 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2184 }
2185
2186 extern struct vfsmount *selinuxfs_mount;
2187 extern struct dentry *selinux_null;
2188
2189 /* Derived from fs/exec.c:flush_old_files. */
2190 static inline void flush_unauthorized_files(const struct cred *cred,
2191 struct files_struct *files)
2192 {
2193 struct avc_audit_data ad;
2194 struct file *file, *devnull = NULL;
2195 struct tty_struct *tty;
2196 struct fdtable *fdt;
2197 long j = -1;
2198 int drop_tty = 0;
2199
2200 tty = get_current_tty();
2201 if (tty) {
2202 file_list_lock();
2203 if (!list_empty(&tty->tty_files)) {
2204 struct inode *inode;
2205
2206 /* Revalidate access to controlling tty.
2207 Use inode_has_perm on the tty inode directly rather
2208 than using file_has_perm, as this particular open
2209 file may belong to another process and we are only
2210 interested in the inode-based check here. */
2211 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2212 inode = file->f_path.dentry->d_inode;
2213 if (inode_has_perm(cred, inode,
2214 FILE__READ | FILE__WRITE, NULL)) {
2215 drop_tty = 1;
2216 }
2217 }
2218 file_list_unlock();
2219 tty_kref_put(tty);
2220 }
2221 /* Reset controlling tty. */
2222 if (drop_tty)
2223 no_tty();
2224
2225 /* Revalidate access to inherited open files. */
2226
2227 AVC_AUDIT_DATA_INIT(&ad, FS);
2228
2229 spin_lock(&files->file_lock);
2230 for (;;) {
2231 unsigned long set, i;
2232 int fd;
2233
2234 j++;
2235 i = j * __NFDBITS;
2236 fdt = files_fdtable(files);
2237 if (i >= fdt->max_fds)
2238 break;
2239 set = fdt->open_fds->fds_bits[j];
2240 if (!set)
2241 continue;
2242 spin_unlock(&files->file_lock);
2243 for ( ; set ; i++, set >>= 1) {
2244 if (set & 1) {
2245 file = fget(i);
2246 if (!file)
2247 continue;
2248 if (file_has_perm(cred,
2249 file,
2250 file_to_av(file))) {
2251 sys_close(i);
2252 fd = get_unused_fd();
2253 if (fd != i) {
2254 if (fd >= 0)
2255 put_unused_fd(fd);
2256 fput(file);
2257 continue;
2258 }
2259 if (devnull) {
2260 get_file(devnull);
2261 } else {
2262 devnull = dentry_open(
2263 dget(selinux_null),
2264 mntget(selinuxfs_mount),
2265 O_RDWR, cred);
2266 if (IS_ERR(devnull)) {
2267 devnull = NULL;
2268 put_unused_fd(fd);
2269 fput(file);
2270 continue;
2271 }
2272 }
2273 fd_install(fd, devnull);
2274 }
2275 fput(file);
2276 }
2277 }
2278 spin_lock(&files->file_lock);
2279
2280 }
2281 spin_unlock(&files->file_lock);
2282 }
2283
2284 /*
2285 * Prepare a process for imminent new credential changes due to exec
2286 */
2287 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2288 {
2289 struct task_security_struct *new_tsec;
2290 struct rlimit *rlim, *initrlim;
2291 int rc, i;
2292
2293 secondary_ops->bprm_committing_creds(bprm);
2294
2295 new_tsec = bprm->cred->security;
2296 if (new_tsec->sid == new_tsec->osid)
2297 return;
2298
2299 /* Close files for which the new task SID is not authorized. */
2300 flush_unauthorized_files(bprm->cred, current->files);
2301
2302 /* Always clear parent death signal on SID transitions. */
2303 current->pdeath_signal = 0;
2304
2305 /* Check whether the new SID can inherit resource limits from the old
2306 * SID. If not, reset all soft limits to the lower of the current
2307 * task's hard limit and the init task's soft limit.
2308 *
2309 * Note that the setting of hard limits (even to lower them) can be
2310 * controlled by the setrlimit check. The inclusion of the init task's
2311 * soft limit into the computation is to avoid resetting soft limits
2312 * higher than the default soft limit for cases where the default is
2313 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2314 */
2315 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2316 PROCESS__RLIMITINH, NULL);
2317 if (rc) {
2318 for (i = 0; i < RLIM_NLIMITS; i++) {
2319 rlim = current->signal->rlim + i;
2320 initrlim = init_task.signal->rlim + i;
2321 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2322 }
2323 update_rlimit_cpu(rlim->rlim_cur);
2324 }
2325 }
2326
2327 /*
2328 * Clean up the process immediately after the installation of new credentials
2329 * due to exec
2330 */
2331 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2332 {
2333 const struct task_security_struct *tsec = current_security();
2334 struct itimerval itimer;
2335 struct sighand_struct *psig;
2336 u32 osid, sid;
2337 int rc, i;
2338 unsigned long flags;
2339
2340 secondary_ops->bprm_committed_creds(bprm);
2341
2342 osid = tsec->osid;
2343 sid = tsec->sid;
2344
2345 if (sid == osid)
2346 return;
2347
2348 /* Check whether the new SID can inherit signal state from the old SID.
2349 * If not, clear itimers to avoid subsequent signal generation and
2350 * flush and unblock signals.
2351 *
2352 * This must occur _after_ the task SID has been updated so that any
2353 * kill done after the flush will be checked against the new SID.
2354 */
2355 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2356 if (rc) {
2357 memset(&itimer, 0, sizeof itimer);
2358 for (i = 0; i < 3; i++)
2359 do_setitimer(i, &itimer, NULL);
2360 flush_signals(current);
2361 spin_lock_irq(&current->sighand->siglock);
2362 flush_signal_handlers(current, 1);
2363 sigemptyset(&current->blocked);
2364 recalc_sigpending();
2365 spin_unlock_irq(&current->sighand->siglock);
2366 }
2367
2368 /* Wake up the parent if it is waiting so that it can recheck
2369 * wait permission to the new task SID. */
2370 read_lock_irq(&tasklist_lock);
2371 psig = current->parent->sighand;
2372 spin_lock_irqsave(&psig->siglock, flags);
2373 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2374 spin_unlock_irqrestore(&psig->siglock, flags);
2375 read_unlock_irq(&tasklist_lock);
2376 }
2377
2378 /* superblock security operations */
2379
2380 static int selinux_sb_alloc_security(struct super_block *sb)
2381 {
2382 return superblock_alloc_security(sb);
2383 }
2384
2385 static void selinux_sb_free_security(struct super_block *sb)
2386 {
2387 superblock_free_security(sb);
2388 }
2389
2390 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2391 {
2392 if (plen > olen)
2393 return 0;
2394
2395 return !memcmp(prefix, option, plen);
2396 }
2397
2398 static inline int selinux_option(char *option, int len)
2399 {
2400 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2401 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2402 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2403 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2404 }
2405
2406 static inline void take_option(char **to, char *from, int *first, int len)
2407 {
2408 if (!*first) {
2409 **to = ',';
2410 *to += 1;
2411 } else
2412 *first = 0;
2413 memcpy(*to, from, len);
2414 *to += len;
2415 }
2416
2417 static inline void take_selinux_option(char **to, char *from, int *first,
2418 int len)
2419 {
2420 int current_size = 0;
2421
2422 if (!*first) {
2423 **to = '|';
2424 *to += 1;
2425 } else
2426 *first = 0;
2427
2428 while (current_size < len) {
2429 if (*from != '"') {
2430 **to = *from;
2431 *to += 1;
2432 }
2433 from += 1;
2434 current_size += 1;
2435 }
2436 }
2437
2438 static int selinux_sb_copy_data(char *orig, char *copy)
2439 {
2440 int fnosec, fsec, rc = 0;
2441 char *in_save, *in_curr, *in_end;
2442 char *sec_curr, *nosec_save, *nosec;
2443 int open_quote = 0;
2444
2445 in_curr = orig;
2446 sec_curr = copy;
2447
2448 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2449 if (!nosec) {
2450 rc = -ENOMEM;
2451 goto out;
2452 }
2453
2454 nosec_save = nosec;
2455 fnosec = fsec = 1;
2456 in_save = in_end = orig;
2457
2458 do {
2459 if (*in_end == '"')
2460 open_quote = !open_quote;
2461 if ((*in_end == ',' && open_quote == 0) ||
2462 *in_end == '\0') {
2463 int len = in_end - in_curr;
2464
2465 if (selinux_option(in_curr, len))
2466 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2467 else
2468 take_option(&nosec, in_curr, &fnosec, len);
2469
2470 in_curr = in_end + 1;
2471 }
2472 } while (*in_end++);
2473
2474 strcpy(in_save, nosec_save);
2475 free_page((unsigned long)nosec_save);
2476 out:
2477 return rc;
2478 }
2479
2480 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2481 {
2482 const struct cred *cred = current_cred();
2483 struct avc_audit_data ad;
2484 int rc;
2485
2486 rc = superblock_doinit(sb, data);
2487 if (rc)
2488 return rc;
2489
2490 /* Allow all mounts performed by the kernel */
2491 if (flags & MS_KERNMOUNT)
2492 return 0;
2493
2494 AVC_AUDIT_DATA_INIT(&ad, FS);
2495 ad.u.fs.path.dentry = sb->s_root;
2496 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2497 }
2498
2499 static int selinux_sb_statfs(struct dentry *dentry)
2500 {
2501 const struct cred *cred = current_cred();
2502 struct avc_audit_data ad;
2503
2504 AVC_AUDIT_DATA_INIT(&ad, FS);
2505 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2506 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2507 }
2508
2509 static int selinux_mount(char *dev_name,
2510 struct path *path,
2511 char *type,
2512 unsigned long flags,
2513 void *data)
2514 {
2515 const struct cred *cred = current_cred();
2516 int rc;
2517
2518 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2519 if (rc)
2520 return rc;
2521
2522 if (flags & MS_REMOUNT)
2523 return superblock_has_perm(cred, path->mnt->mnt_sb,
2524 FILESYSTEM__REMOUNT, NULL);
2525 else
2526 return dentry_has_perm(cred, path->mnt, path->dentry,
2527 FILE__MOUNTON);
2528 }
2529
2530 static int selinux_umount(struct vfsmount *mnt, int flags)
2531 {
2532 const struct cred *cred = current_cred();
2533 int rc;
2534
2535 rc = secondary_ops->sb_umount(mnt, flags);
2536 if (rc)
2537 return rc;
2538
2539 return superblock_has_perm(cred, mnt->mnt_sb,
2540 FILESYSTEM__UNMOUNT, NULL);
2541 }
2542
2543 /* inode security operations */
2544
2545 static int selinux_inode_alloc_security(struct inode *inode)
2546 {
2547 return inode_alloc_security(inode);
2548 }
2549
2550 static void selinux_inode_free_security(struct inode *inode)
2551 {
2552 inode_free_security(inode);
2553 }
2554
2555 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2556 char **name, void **value,
2557 size_t *len)
2558 {
2559 const struct cred *cred = current_cred();
2560 const struct task_security_struct *tsec = cred->security;
2561 struct inode_security_struct *dsec;
2562 struct superblock_security_struct *sbsec;
2563 u32 sid, newsid, clen;
2564 int rc;
2565 char *namep = NULL, *context;
2566
2567 dsec = dir->i_security;
2568 sbsec = dir->i_sb->s_security;
2569
2570 sid = tsec->sid;
2571 newsid = tsec->create_sid;
2572
2573 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2574 rc = security_transition_sid(sid, dsec->sid,
2575 inode_mode_to_security_class(inode->i_mode),
2576 &newsid);
2577 if (rc) {
2578 printk(KERN_WARNING "%s: "
2579 "security_transition_sid failed, rc=%d (dev=%s "
2580 "ino=%ld)\n",
2581 __func__,
2582 -rc, inode->i_sb->s_id, inode->i_ino);
2583 return rc;
2584 }
2585 }
2586
2587 /* Possibly defer initialization to selinux_complete_init. */
2588 if (sbsec->initialized) {
2589 struct inode_security_struct *isec = inode->i_security;
2590 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2591 isec->sid = newsid;
2592 isec->initialized = 1;
2593 }
2594
2595 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2596 return -EOPNOTSUPP;
2597
2598 if (name) {
2599 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2600 if (!namep)
2601 return -ENOMEM;
2602 *name = namep;
2603 }
2604
2605 if (value && len) {
2606 rc = security_sid_to_context_force(newsid, &context, &clen);
2607 if (rc) {
2608 kfree(namep);
2609 return rc;
2610 }
2611 *value = context;
2612 *len = clen;
2613 }
2614
2615 return 0;
2616 }
2617
2618 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2619 {
2620 return may_create(dir, dentry, SECCLASS_FILE);
2621 }
2622
2623 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2624 {
2625 int rc;
2626
2627 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2628 if (rc)
2629 return rc;
2630 return may_link(dir, old_dentry, MAY_LINK);
2631 }
2632
2633 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2634 {
2635 int rc;
2636
2637 rc = secondary_ops->inode_unlink(dir, dentry);
2638 if (rc)
2639 return rc;
2640 return may_link(dir, dentry, MAY_UNLINK);
2641 }
2642
2643 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2644 {
2645 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2646 }
2647
2648 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2649 {
2650 return may_create(dir, dentry, SECCLASS_DIR);
2651 }
2652
2653 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2654 {
2655 return may_link(dir, dentry, MAY_RMDIR);
2656 }
2657
2658 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2659 {
2660 int rc;
2661
2662 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2663 if (rc)
2664 return rc;
2665
2666 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2667 }
2668
2669 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2670 struct inode *new_inode, struct dentry *new_dentry)
2671 {
2672 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2673 }
2674
2675 static int selinux_inode_readlink(struct dentry *dentry)
2676 {
2677 const struct cred *cred = current_cred();
2678
2679 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2680 }
2681
2682 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2683 {
2684 const struct cred *cred = current_cred();
2685 int rc;
2686
2687 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2688 if (rc)
2689 return rc;
2690 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2691 }
2692
2693 static int selinux_inode_permission(struct inode *inode, int mask)
2694 {
2695 const struct cred *cred = current_cred();
2696 int rc;
2697
2698 rc = secondary_ops->inode_permission(inode, mask);
2699 if (rc)
2700 return rc;
2701
2702 if (!mask) {
2703 /* No permission to check. Existence test. */
2704 return 0;
2705 }
2706
2707 return inode_has_perm(cred, inode,
2708 file_mask_to_av(inode->i_mode, mask), NULL);
2709 }
2710
2711 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2712 {
2713 const struct cred *cred = current_cred();
2714 int rc;
2715
2716 rc = secondary_ops->inode_setattr(dentry, iattr);
2717 if (rc)
2718 return rc;
2719
2720 if (iattr->ia_valid & ATTR_FORCE)
2721 return 0;
2722
2723 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2724 ATTR_ATIME_SET | ATTR_MTIME_SET))
2725 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2726
2727 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2728 }
2729
2730 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2731 {
2732 const struct cred *cred = current_cred();
2733
2734 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2735 }
2736
2737 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2738 {
2739 const struct cred *cred = current_cred();
2740
2741 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2742 sizeof XATTR_SECURITY_PREFIX - 1)) {
2743 if (!strcmp(name, XATTR_NAME_CAPS)) {
2744 if (!capable(CAP_SETFCAP))
2745 return -EPERM;
2746 } else if (!capable(CAP_SYS_ADMIN)) {
2747 /* A different attribute in the security namespace.
2748 Restrict to administrator. */
2749 return -EPERM;
2750 }
2751 }
2752
2753 /* Not an attribute we recognize, so just check the
2754 ordinary setattr permission. */
2755 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2756 }
2757
2758 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2759 const void *value, size_t size, int flags)
2760 {
2761 struct inode *inode = dentry->d_inode;
2762 struct inode_security_struct *isec = inode->i_security;
2763 struct superblock_security_struct *sbsec;
2764 struct avc_audit_data ad;
2765 u32 newsid, sid = current_sid();
2766 int rc = 0;
2767
2768 if (strcmp(name, XATTR_NAME_SELINUX))
2769 return selinux_inode_setotherxattr(dentry, name);
2770
2771 sbsec = inode->i_sb->s_security;
2772 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2773 return -EOPNOTSUPP;
2774
2775 if (!is_owner_or_cap(inode))
2776 return -EPERM;
2777
2778 AVC_AUDIT_DATA_INIT(&ad, FS);
2779 ad.u.fs.path.dentry = dentry;
2780
2781 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2782 FILE__RELABELFROM, &ad);
2783 if (rc)
2784 return rc;
2785
2786 rc = security_context_to_sid(value, size, &newsid);
2787 if (rc == -EINVAL) {
2788 if (!capable(CAP_MAC_ADMIN))
2789 return rc;
2790 rc = security_context_to_sid_force(value, size, &newsid);
2791 }
2792 if (rc)
2793 return rc;
2794
2795 rc = avc_has_perm(sid, newsid, isec->sclass,
2796 FILE__RELABELTO, &ad);
2797 if (rc)
2798 return rc;
2799
2800 rc = security_validate_transition(isec->sid, newsid, sid,
2801 isec->sclass);
2802 if (rc)
2803 return rc;
2804
2805 return avc_has_perm(newsid,
2806 sbsec->sid,
2807 SECCLASS_FILESYSTEM,
2808 FILESYSTEM__ASSOCIATE,
2809 &ad);
2810 }
2811
2812 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2813 const void *value, size_t size,
2814 int flags)
2815 {
2816 struct inode *inode = dentry->d_inode;
2817 struct inode_security_struct *isec = inode->i_security;
2818 u32 newsid;
2819 int rc;
2820
2821 if (strcmp(name, XATTR_NAME_SELINUX)) {
2822 /* Not an attribute we recognize, so nothing to do. */
2823 return;
2824 }
2825
2826 rc = security_context_to_sid_force(value, size, &newsid);
2827 if (rc) {
2828 printk(KERN_ERR "SELinux: unable to map context to SID"
2829 "for (%s, %lu), rc=%d\n",
2830 inode->i_sb->s_id, inode->i_ino, -rc);
2831 return;
2832 }
2833
2834 isec->sid = newsid;
2835 return;
2836 }
2837
2838 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2839 {
2840 const struct cred *cred = current_cred();
2841
2842 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2843 }
2844
2845 static int selinux_inode_listxattr(struct dentry *dentry)
2846 {
2847 const struct cred *cred = current_cred();
2848
2849 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2850 }
2851
2852 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2853 {
2854 if (strcmp(name, XATTR_NAME_SELINUX))
2855 return selinux_inode_setotherxattr(dentry, name);
2856
2857 /* No one is allowed to remove a SELinux security label.
2858 You can change the label, but all data must be labeled. */
2859 return -EACCES;
2860 }
2861
2862 /*
2863 * Copy the inode security context value to the user.
2864 *
2865 * Permission check is handled by selinux_inode_getxattr hook.
2866 */
2867 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2868 {
2869 u32 size;
2870 int error;
2871 char *context = NULL;
2872 struct inode_security_struct *isec = inode->i_security;
2873
2874 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2875 return -EOPNOTSUPP;
2876
2877 /*
2878 * If the caller has CAP_MAC_ADMIN, then get the raw context
2879 * value even if it is not defined by current policy; otherwise,
2880 * use the in-core value under current policy.
2881 * Use the non-auditing forms of the permission checks since
2882 * getxattr may be called by unprivileged processes commonly
2883 * and lack of permission just means that we fall back to the
2884 * in-core context value, not a denial.
2885 */
2886 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2887 SECURITY_CAP_NOAUDIT);
2888 if (!error)
2889 error = security_sid_to_context_force(isec->sid, &context,
2890 &size);
2891 else
2892 error = security_sid_to_context(isec->sid, &context, &size);
2893 if (error)
2894 return error;
2895 error = size;
2896 if (alloc) {
2897 *buffer = context;
2898 goto out_nofree;
2899 }
2900 kfree(context);
2901 out_nofree:
2902 return error;
2903 }
2904
2905 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2906 const void *value, size_t size, int flags)
2907 {
2908 struct inode_security_struct *isec = inode->i_security;
2909 u32 newsid;
2910 int rc;
2911
2912 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2913 return -EOPNOTSUPP;
2914
2915 if (!value || !size)
2916 return -EACCES;
2917
2918 rc = security_context_to_sid((void *)value, size, &newsid);
2919 if (rc)
2920 return rc;
2921
2922 isec->sid = newsid;
2923 return 0;
2924 }
2925
2926 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2927 {
2928 const int len = sizeof(XATTR_NAME_SELINUX);
2929 if (buffer && len <= buffer_size)
2930 memcpy(buffer, XATTR_NAME_SELINUX, len);
2931 return len;
2932 }
2933
2934 static int selinux_inode_need_killpriv(struct dentry *dentry)
2935 {
2936 return secondary_ops->inode_need_killpriv(dentry);
2937 }
2938
2939 static int selinux_inode_killpriv(struct dentry *dentry)
2940 {
2941 return secondary_ops->inode_killpriv(dentry);
2942 }
2943
2944 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2945 {
2946 struct inode_security_struct *isec = inode->i_security;
2947 *secid = isec->sid;
2948 }
2949
2950 /* file security operations */
2951
2952 static int selinux_revalidate_file_permission(struct file *file, int mask)
2953 {
2954 const struct cred *cred = current_cred();
2955 struct inode *inode = file->f_path.dentry->d_inode;
2956
2957 if (!mask) {
2958 /* No permission to check. Existence test. */
2959 return 0;
2960 }
2961
2962 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2963 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2964 mask |= MAY_APPEND;
2965
2966 return file_has_perm(cred, file, file_mask_to_av(inode->i_mode, mask));
2967 }
2968
2969 static int selinux_file_permission(struct file *file, int mask)
2970 {
2971 if (!mask) {
2972 /* No permission to check. Existence test. */
2973 return 0;
2974 }
2975
2976 return selinux_revalidate_file_permission(file, mask);
2977 }
2978
2979 static int selinux_file_alloc_security(struct file *file)
2980 {
2981 return file_alloc_security(file);
2982 }
2983
2984 static void selinux_file_free_security(struct file *file)
2985 {
2986 file_free_security(file);
2987 }
2988
2989 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2990 unsigned long arg)
2991 {
2992 const struct cred *cred = current_cred();
2993 u32 av = 0;
2994
2995 if (_IOC_DIR(cmd) & _IOC_WRITE)
2996 av |= FILE__WRITE;
2997 if (_IOC_DIR(cmd) & _IOC_READ)
2998 av |= FILE__READ;
2999 if (!av)
3000 av = FILE__IOCTL;
3001
3002 return file_has_perm(cred, file, av);
3003 }
3004
3005 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3006 {
3007 const struct cred *cred = current_cred();
3008 int rc = 0;
3009
3010 #ifndef CONFIG_PPC32
3011 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3012 /*
3013 * We are making executable an anonymous mapping or a
3014 * private file mapping that will also be writable.
3015 * This has an additional check.
3016 */
3017 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3018 if (rc)
3019 goto error;
3020 }
3021 #endif
3022
3023 if (file) {
3024 /* read access is always possible with a mapping */
3025 u32 av = FILE__READ;
3026
3027 /* write access only matters if the mapping is shared */
3028 if (shared && (prot & PROT_WRITE))
3029 av |= FILE__WRITE;
3030
3031 if (prot & PROT_EXEC)
3032 av |= FILE__EXECUTE;
3033
3034 return file_has_perm(cred, file, av);
3035 }
3036
3037 error:
3038 return rc;
3039 }
3040
3041 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3042 unsigned long prot, unsigned long flags,
3043 unsigned long addr, unsigned long addr_only)
3044 {
3045 int rc = 0;
3046 u32 sid = current_sid();
3047
3048 if (addr < mmap_min_addr)
3049 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3050 MEMPROTECT__MMAP_ZERO, NULL);
3051 if (rc || addr_only)
3052 return rc;
3053
3054 if (selinux_checkreqprot)
3055 prot = reqprot;
3056
3057 return file_map_prot_check(file, prot,
3058 (flags & MAP_TYPE) == MAP_SHARED);
3059 }
3060
3061 static int selinux_file_mprotect(struct vm_area_struct *vma,
3062 unsigned long reqprot,
3063 unsigned long prot)
3064 {
3065 const struct cred *cred = current_cred();
3066 int rc;
3067
3068 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3069 if (rc)
3070 return rc;
3071
3072 if (selinux_checkreqprot)
3073 prot = reqprot;
3074
3075 #ifndef CONFIG_PPC32
3076 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3077 rc = 0;
3078 if (vma->vm_start >= vma->vm_mm->start_brk &&
3079 vma->vm_end <= vma->vm_mm->brk) {
3080 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3081 } else if (!vma->vm_file &&
3082 vma->vm_start <= vma->vm_mm->start_stack &&
3083 vma->vm_end >= vma->vm_mm->start_stack) {
3084 rc = current_has_perm(current, PROCESS__EXECSTACK);
3085 } else if (vma->vm_file && vma->anon_vma) {
3086 /*
3087 * We are making executable a file mapping that has
3088 * had some COW done. Since pages might have been
3089 * written, check ability to execute the possibly
3090 * modified content. This typically should only
3091 * occur for text relocations.
3092 */
3093 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3094 }
3095 if (rc)
3096 return rc;
3097 }
3098 #endif
3099
3100 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3101 }
3102
3103 static int selinux_file_lock(struct file *file, unsigned int cmd)
3104 {
3105 const struct cred *cred = current_cred();
3106
3107 return file_has_perm(cred, file, FILE__LOCK);
3108 }
3109
3110 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3111 unsigned long arg)
3112 {
3113 const struct cred *cred = current_cred();
3114 int err = 0;
3115
3116 switch (cmd) {
3117 case F_SETFL:
3118 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3119 err = -EINVAL;
3120 break;
3121 }
3122
3123 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3124 err = file_has_perm(cred, file, FILE__WRITE);
3125 break;
3126 }
3127 /* fall through */
3128 case F_SETOWN:
3129 case F_SETSIG:
3130 case F_GETFL:
3131 case F_GETOWN:
3132 case F_GETSIG:
3133 /* Just check FD__USE permission */
3134 err = file_has_perm(cred, file, 0);
3135 break;
3136 case F_GETLK:
3137 case F_SETLK:
3138 case F_SETLKW:
3139 #if BITS_PER_LONG == 32
3140 case F_GETLK64:
3141 case F_SETLK64:
3142 case F_SETLKW64:
3143 #endif
3144 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3145 err = -EINVAL;
3146 break;
3147 }
3148 err = file_has_perm(cred, file, FILE__LOCK);
3149 break;
3150 }
3151
3152 return err;
3153 }
3154
3155 static int selinux_file_set_fowner(struct file *file)
3156 {
3157 struct file_security_struct *fsec;
3158
3159 fsec = file->f_security;
3160 fsec->fown_sid = current_sid();
3161
3162 return 0;
3163 }
3164
3165 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3166 struct fown_struct *fown, int signum)
3167 {
3168 struct file *file;
3169 u32 sid = current_sid();
3170 u32 perm;
3171 struct file_security_struct *fsec;
3172
3173 /* struct fown_struct is never outside the context of a struct file */
3174 file = container_of(fown, struct file, f_owner);
3175
3176 fsec = file->f_security;
3177
3178 if (!signum)
3179 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3180 else
3181 perm = signal_to_av(signum);
3182
3183 return avc_has_perm(fsec->fown_sid, sid,
3184 SECCLASS_PROCESS, perm, NULL);
3185 }
3186
3187 static int selinux_file_receive(struct file *file)
3188 {
3189 const struct cred *cred = current_cred();
3190
3191 return file_has_perm(cred, file, file_to_av(file));
3192 }
3193
3194 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3195 {
3196 struct file_security_struct *fsec;
3197 struct inode *inode;
3198 struct inode_security_struct *isec;
3199
3200 inode = file->f_path.dentry->d_inode;
3201 fsec = file->f_security;
3202 isec = inode->i_security;
3203 /*
3204 * Save inode label and policy sequence number
3205 * at open-time so that selinux_file_permission
3206 * can determine whether revalidation is necessary.
3207 * Task label is already saved in the file security
3208 * struct as its SID.
3209 */
3210 fsec->isid = isec->sid;
3211 fsec->pseqno = avc_policy_seqno();
3212 /*
3213 * Since the inode label or policy seqno may have changed
3214 * between the selinux_inode_permission check and the saving
3215 * of state above, recheck that access is still permitted.
3216 * Otherwise, access might never be revalidated against the
3217 * new inode label or new policy.
3218 * This check is not redundant - do not remove.
3219 */
3220 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3221 }
3222
3223 /* task security operations */
3224
3225 static int selinux_task_create(unsigned long clone_flags)
3226 {
3227 int rc;
3228
3229 rc = secondary_ops->task_create(clone_flags);
3230 if (rc)
3231 return rc;
3232
3233 return current_has_perm(current, PROCESS__FORK);
3234 }
3235
3236 /*
3237 * detach and free the LSM part of a set of credentials
3238 */
3239 static void selinux_cred_free(struct cred *cred)
3240 {
3241 struct task_security_struct *tsec = cred->security;
3242 cred->security = NULL;
3243 kfree(tsec);
3244 }
3245
3246 /*
3247 * prepare a new set of credentials for modification
3248 */
3249 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3250 gfp_t gfp)
3251 {
3252 const struct task_security_struct *old_tsec;
3253 struct task_security_struct *tsec;
3254
3255 old_tsec = old->security;
3256
3257 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3258 if (!tsec)
3259 return -ENOMEM;
3260
3261 new->security = tsec;
3262 return 0;
3263 }
3264
3265 /*
3266 * commit new credentials
3267 */
3268 static void selinux_cred_commit(struct cred *new, const struct cred *old)
3269 {
3270 secondary_ops->cred_commit(new, old);
3271 }
3272
3273 /*
3274 * set the security data for a kernel service
3275 * - all the creation contexts are set to unlabelled
3276 */
3277 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3278 {
3279 struct task_security_struct *tsec = new->security;
3280 u32 sid = current_sid();
3281 int ret;
3282
3283 ret = avc_has_perm(sid, secid,
3284 SECCLASS_KERNEL_SERVICE,
3285 KERNEL_SERVICE__USE_AS_OVERRIDE,
3286 NULL);
3287 if (ret == 0) {
3288 tsec->sid = secid;
3289 tsec->create_sid = 0;
3290 tsec->keycreate_sid = 0;
3291 tsec->sockcreate_sid = 0;
3292 }
3293 return ret;
3294 }
3295
3296 /*
3297 * set the file creation context in a security record to the same as the
3298 * objective context of the specified inode
3299 */
3300 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3301 {
3302 struct inode_security_struct *isec = inode->i_security;
3303 struct task_security_struct *tsec = new->security;
3304 u32 sid = current_sid();
3305 int ret;
3306
3307 ret = avc_has_perm(sid, isec->sid,
3308 SECCLASS_KERNEL_SERVICE,
3309 KERNEL_SERVICE__CREATE_FILES_AS,
3310 NULL);
3311
3312 if (ret == 0)
3313 tsec->create_sid = isec->sid;
3314 return 0;
3315 }
3316
3317 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3318 {
3319 /* Since setuid only affects the current process, and
3320 since the SELinux controls are not based on the Linux
3321 identity attributes, SELinux does not need to control
3322 this operation. However, SELinux does control the use
3323 of the CAP_SETUID and CAP_SETGID capabilities using the
3324 capable hook. */
3325 return 0;
3326 }
3327
3328 static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3329 int flags)
3330 {
3331 return secondary_ops->task_fix_setuid(new, old, flags);
3332 }
3333
3334 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3335 {
3336 /* See the comment for setuid above. */
3337 return 0;
3338 }
3339
3340 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3341 {
3342 return current_has_perm(p, PROCESS__SETPGID);
3343 }
3344
3345 static int selinux_task_getpgid(struct task_struct *p)
3346 {
3347 return current_has_perm(p, PROCESS__GETPGID);
3348 }
3349
3350 static int selinux_task_getsid(struct task_struct *p)
3351 {
3352 return current_has_perm(p, PROCESS__GETSESSION);
3353 }
3354
3355 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3356 {
3357 *secid = task_sid(p);
3358 }
3359
3360 static int selinux_task_setgroups(struct group_info *group_info)
3361 {
3362 /* See the comment for setuid above. */
3363 return 0;
3364 }
3365
3366 static int selinux_task_setnice(struct task_struct *p, int nice)
3367 {
3368 int rc;
3369
3370 rc = secondary_ops->task_setnice(p, nice);
3371 if (rc)
3372 return rc;
3373
3374 return current_has_perm(p, PROCESS__SETSCHED);
3375 }
3376
3377 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3378 {
3379 int rc;
3380
3381 rc = secondary_ops->task_setioprio(p, ioprio);
3382 if (rc)
3383 return rc;
3384
3385 return current_has_perm(p, PROCESS__SETSCHED);
3386 }
3387
3388 static int selinux_task_getioprio(struct task_struct *p)
3389 {
3390 return current_has_perm(p, PROCESS__GETSCHED);
3391 }
3392
3393 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3394 {
3395 struct rlimit *old_rlim = current->signal->rlim + resource;
3396 int rc;
3397
3398 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3399 if (rc)
3400 return rc;
3401
3402 /* Control the ability to change the hard limit (whether
3403 lowering or raising it), so that the hard limit can
3404 later be used as a safe reset point for the soft limit
3405 upon context transitions. See selinux_bprm_committing_creds. */
3406 if (old_rlim->rlim_max != new_rlim->rlim_max)
3407 return current_has_perm(current, PROCESS__SETRLIMIT);
3408
3409 return 0;
3410 }
3411
3412 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3413 {
3414 int rc;
3415
3416 rc = secondary_ops->task_setscheduler(p, policy, lp);
3417 if (rc)
3418 return rc;
3419
3420 return current_has_perm(p, PROCESS__SETSCHED);
3421 }
3422
3423 static int selinux_task_getscheduler(struct task_struct *p)
3424 {
3425 return current_has_perm(p, PROCESS__GETSCHED);
3426 }
3427
3428 static int selinux_task_movememory(struct task_struct *p)
3429 {
3430 return current_has_perm(p, PROCESS__SETSCHED);
3431 }
3432
3433 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3434 int sig, u32 secid)
3435 {
3436 u32 perm;
3437 int rc;
3438
3439 rc = secondary_ops->task_kill(p, info, sig, secid);
3440 if (rc)
3441 return rc;
3442
3443 if (!sig)
3444 perm = PROCESS__SIGNULL; /* null signal; existence test */
3445 else
3446 perm = signal_to_av(sig);
3447 if (secid)
3448 rc = avc_has_perm(secid, task_sid(p),
3449 SECCLASS_PROCESS, perm, NULL);
3450 else
3451 rc = current_has_perm(p, perm);
3452 return rc;
3453 }
3454
3455 static int selinux_task_prctl(int option,
3456 unsigned long arg2,
3457 unsigned long arg3,
3458 unsigned long arg4,
3459 unsigned long arg5)
3460 {
3461 /* The current prctl operations do not appear to require
3462 any SELinux controls since they merely observe or modify
3463 the state of the current process. */
3464 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3465 }
3466
3467 static int selinux_task_wait(struct task_struct *p)
3468 {
3469 return task_has_perm(p, current, PROCESS__SIGCHLD);
3470 }
3471
3472 static void selinux_task_to_inode(struct task_struct *p,
3473 struct inode *inode)
3474 {
3475 struct inode_security_struct *isec = inode->i_security;
3476 u32 sid = task_sid(p);
3477
3478 isec->sid = sid;
3479 isec->initialized = 1;
3480 }
3481
3482 /* Returns error only if unable to parse addresses */
3483 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3484 struct avc_audit_data *ad, u8 *proto)
3485 {
3486 int offset, ihlen, ret = -EINVAL;
3487 struct iphdr _iph, *ih;
3488
3489 offset = skb_network_offset(skb);
3490 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3491 if (ih == NULL)
3492 goto out;
3493
3494 ihlen = ih->ihl * 4;
3495 if (ihlen < sizeof(_iph))
3496 goto out;
3497
3498 ad->u.net.v4info.saddr = ih->saddr;
3499 ad->u.net.v4info.daddr = ih->daddr;
3500 ret = 0;
3501
3502 if (proto)
3503 *proto = ih->protocol;
3504
3505 switch (ih->protocol) {
3506 case IPPROTO_TCP: {
3507 struct tcphdr _tcph, *th;
3508
3509 if (ntohs(ih->frag_off) & IP_OFFSET)
3510 break;
3511
3512 offset += ihlen;
3513 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3514 if (th == NULL)
3515 break;
3516
3517 ad->u.net.sport = th->source;
3518 ad->u.net.dport = th->dest;
3519 break;
3520 }
3521
3522 case IPPROTO_UDP: {
3523 struct udphdr _udph, *uh;
3524
3525 if (ntohs(ih->frag_off) & IP_OFFSET)
3526 break;
3527
3528 offset += ihlen;
3529 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3530 if (uh == NULL)
3531 break;
3532
3533 ad->u.net.sport = uh->source;
3534 ad->u.net.dport = uh->dest;
3535 break;
3536 }
3537
3538 case IPPROTO_DCCP: {
3539 struct dccp_hdr _dccph, *dh;
3540
3541 if (ntohs(ih->frag_off) & IP_OFFSET)
3542 break;
3543
3544 offset += ihlen;
3545 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3546 if (dh == NULL)
3547 break;
3548
3549 ad->u.net.sport = dh->dccph_sport;
3550 ad->u.net.dport = dh->dccph_dport;
3551 break;
3552 }
3553
3554 default:
3555 break;
3556 }
3557 out:
3558 return ret;
3559 }
3560
3561 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3562
3563 /* Returns error only if unable to parse addresses */
3564 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3565 struct avc_audit_data *ad, u8 *proto)
3566 {
3567 u8 nexthdr;
3568 int ret = -EINVAL, offset;
3569 struct ipv6hdr _ipv6h, *ip6;
3570
3571 offset = skb_network_offset(skb);
3572 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3573 if (ip6 == NULL)
3574 goto out;
3575
3576 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3577 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3578 ret = 0;
3579
3580 nexthdr = ip6->nexthdr;
3581 offset += sizeof(_ipv6h);
3582 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3583 if (offset < 0)
3584 goto out;
3585
3586 if (proto)
3587 *proto = nexthdr;
3588
3589 switch (nexthdr) {
3590 case IPPROTO_TCP: {
3591 struct tcphdr _tcph, *th;
3592
3593 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3594 if (th == NULL)
3595 break;
3596
3597 ad->u.net.sport = th->source;
3598 ad->u.net.dport = th->dest;
3599 break;
3600 }
3601
3602 case IPPROTO_UDP: {
3603 struct udphdr _udph, *uh;
3604
3605 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3606 if (uh == NULL)
3607 break;
3608
3609 ad->u.net.sport = uh->source;
3610 ad->u.net.dport = uh->dest;
3611 break;
3612 }
3613
3614 case IPPROTO_DCCP: {
3615 struct dccp_hdr _dccph, *dh;
3616
3617 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3618 if (dh == NULL)
3619 break;
3620
3621 ad->u.net.sport = dh->dccph_sport;
3622 ad->u.net.dport = dh->dccph_dport;
3623 break;
3624 }
3625
3626 /* includes fragments */
3627 default:
3628 break;
3629 }
3630 out:
3631 return ret;
3632 }
3633
3634 #endif /* IPV6 */
3635
3636 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3637 char **_addrp, int src, u8 *proto)
3638 {
3639 char *addrp;
3640 int ret;
3641
3642 switch (ad->u.net.family) {
3643 case PF_INET:
3644 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3645 if (ret)
3646 goto parse_error;
3647 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3648 &ad->u.net.v4info.daddr);
3649 goto okay;
3650
3651 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3652 case PF_INET6:
3653 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3654 if (ret)
3655 goto parse_error;
3656 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3657 &ad->u.net.v6info.daddr);
3658 goto okay;
3659 #endif /* IPV6 */
3660 default:
3661 addrp = NULL;
3662 goto okay;
3663 }
3664
3665 parse_error:
3666 printk(KERN_WARNING
3667 "SELinux: failure in selinux_parse_skb(),"
3668 " unable to parse packet\n");
3669 return ret;
3670
3671 okay:
3672 if (_addrp)
3673 *_addrp = addrp;
3674 return 0;
3675 }
3676
3677 /**
3678 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3679 * @skb: the packet
3680 * @family: protocol family
3681 * @sid: the packet's peer label SID
3682 *
3683 * Description:
3684 * Check the various different forms of network peer labeling and determine
3685 * the peer label/SID for the packet; most of the magic actually occurs in
3686 * the security server function security_net_peersid_cmp(). The function
3687 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3688 * or -EACCES if @sid is invalid due to inconsistencies with the different
3689 * peer labels.
3690 *
3691 */
3692 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3693 {
3694 int err;
3695 u32 xfrm_sid;
3696 u32 nlbl_sid;
3697 u32 nlbl_type;
3698
3699 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3700 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3701
3702 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3703 if (unlikely(err)) {
3704 printk(KERN_WARNING
3705 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3706 " unable to determine packet's peer label\n");
3707 return -EACCES;
3708 }
3709
3710 return 0;
3711 }
3712
3713 /* socket security operations */
3714 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3715 u32 perms)
3716 {
3717 struct inode_security_struct *isec;
3718 struct avc_audit_data ad;
3719 u32 sid;
3720 int err = 0;
3721
3722 isec = SOCK_INODE(sock)->i_security;
3723
3724 if (isec->sid == SECINITSID_KERNEL)
3725 goto out;
3726 sid = task_sid(task);
3727
3728 AVC_AUDIT_DATA_INIT(&ad, NET);
3729 ad.u.net.sk = sock->sk;
3730 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3731
3732 out:
3733 return err;
3734 }
3735
3736 static int selinux_socket_create(int family, int type,
3737 int protocol, int kern)
3738 {
3739 const struct cred *cred = current_cred();
3740 const struct task_security_struct *tsec = cred->security;
3741 u32 sid, newsid;
3742 u16 secclass;
3743 int err = 0;
3744
3745 if (kern)
3746 goto out;
3747
3748 sid = tsec->sid;
3749 newsid = tsec->sockcreate_sid ?: sid;
3750
3751 secclass = socket_type_to_security_class(family, type, protocol);
3752 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3753
3754 out:
3755 return err;
3756 }
3757
3758 static int selinux_socket_post_create(struct socket *sock, int family,
3759 int type, int protocol, int kern)
3760 {
3761 const struct cred *cred = current_cred();
3762 const struct task_security_struct *tsec = cred->security;
3763 struct inode_security_struct *isec;
3764 struct sk_security_struct *sksec;
3765 u32 sid, newsid;
3766 int err = 0;
3767
3768 sid = tsec->sid;
3769 newsid = tsec->sockcreate_sid;
3770
3771 isec = SOCK_INODE(sock)->i_security;
3772
3773 if (kern)
3774 isec->sid = SECINITSID_KERNEL;
3775 else if (newsid)
3776 isec->sid = newsid;
3777 else
3778 isec->sid = sid;
3779
3780 isec->sclass = socket_type_to_security_class(family, type, protocol);
3781 isec->initialized = 1;
3782
3783 if (sock->sk) {
3784 sksec = sock->sk->sk_security;
3785 sksec->sid = isec->sid;
3786 sksec->sclass = isec->sclass;
3787 err = selinux_netlbl_socket_post_create(sock->sk, family);
3788 }
3789
3790 return err;
3791 }
3792
3793 /* Range of port numbers used to automatically bind.
3794 Need to determine whether we should perform a name_bind
3795 permission check between the socket and the port number. */
3796
3797 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3798 {
3799 u16 family;
3800 int err;
3801
3802 err = socket_has_perm(current, sock, SOCKET__BIND);
3803 if (err)
3804 goto out;
3805
3806 /*
3807 * If PF_INET or PF_INET6, check name_bind permission for the port.
3808 * Multiple address binding for SCTP is not supported yet: we just
3809 * check the first address now.
3810 */
3811 family = sock->sk->sk_family;
3812 if (family == PF_INET || family == PF_INET6) {
3813 char *addrp;
3814 struct inode_security_struct *isec;
3815 struct avc_audit_data ad;
3816 struct sockaddr_in *addr4 = NULL;
3817 struct sockaddr_in6 *addr6 = NULL;
3818 unsigned short snum;
3819 struct sock *sk = sock->sk;
3820 u32 sid, node_perm;
3821
3822 isec = SOCK_INODE(sock)->i_security;
3823
3824 if (family == PF_INET) {
3825 addr4 = (struct sockaddr_in *)address;
3826 snum = ntohs(addr4->sin_port);
3827 addrp = (char *)&addr4->sin_addr.s_addr;
3828 } else {
3829 addr6 = (struct sockaddr_in6 *)address;
3830 snum = ntohs(addr6->sin6_port);
3831 addrp = (char *)&addr6->sin6_addr.s6_addr;
3832 }
3833
3834 if (snum) {
3835 int low, high;
3836
3837 inet_get_local_port_range(&low, &high);
3838
3839 if (snum < max(PROT_SOCK, low) || snum > high) {
3840 err = sel_netport_sid(sk->sk_protocol,
3841 snum, &sid);
3842 if (err)
3843 goto out;
3844 AVC_AUDIT_DATA_INIT(&ad, NET);
3845 ad.u.net.sport = htons(snum);
3846 ad.u.net.family = family;
3847 err = avc_has_perm(isec->sid, sid,
3848 isec->sclass,
3849 SOCKET__NAME_BIND, &ad);
3850 if (err)
3851 goto out;
3852 }
3853 }
3854
3855 switch (isec->sclass) {
3856 case SECCLASS_TCP_SOCKET:
3857 node_perm = TCP_SOCKET__NODE_BIND;
3858 break;
3859
3860 case SECCLASS_UDP_SOCKET:
3861 node_perm = UDP_SOCKET__NODE_BIND;
3862 break;
3863
3864 case SECCLASS_DCCP_SOCKET:
3865 node_perm = DCCP_SOCKET__NODE_BIND;
3866 break;
3867
3868 default:
3869 node_perm = RAWIP_SOCKET__NODE_BIND;
3870 break;
3871 }
3872
3873 err = sel_netnode_sid(addrp, family, &sid);
3874 if (err)
3875 goto out;
3876
3877 AVC_AUDIT_DATA_INIT(&ad, NET);
3878 ad.u.net.sport = htons(snum);
3879 ad.u.net.family = family;
3880
3881 if (family == PF_INET)
3882 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3883 else
3884 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3885
3886 err = avc_has_perm(isec->sid, sid,
3887 isec->sclass, node_perm, &ad);
3888 if (err)
3889 goto out;
3890 }
3891 out:
3892 return err;
3893 }
3894
3895 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3896 {
3897 struct sock *sk = sock->sk;
3898 struct inode_security_struct *isec;
3899 int err;
3900
3901 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3902 if (err)
3903 return err;
3904
3905 /*
3906 * If a TCP or DCCP socket, check name_connect permission for the port.
3907 */
3908 isec = SOCK_INODE(sock)->i_security;
3909 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3910 isec->sclass == SECCLASS_DCCP_SOCKET) {
3911 struct avc_audit_data ad;
3912 struct sockaddr_in *addr4 = NULL;
3913 struct sockaddr_in6 *addr6 = NULL;
3914 unsigned short snum;
3915 u32 sid, perm;
3916
3917 if (sk->sk_family == PF_INET) {
3918 addr4 = (struct sockaddr_in *)address;
3919 if (addrlen < sizeof(struct sockaddr_in))
3920 return -EINVAL;
3921 snum = ntohs(addr4->sin_port);
3922 } else {
3923 addr6 = (struct sockaddr_in6 *)address;
3924 if (addrlen < SIN6_LEN_RFC2133)
3925 return -EINVAL;
3926 snum = ntohs(addr6->sin6_port);
3927 }
3928
3929 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3930 if (err)
3931 goto out;
3932
3933 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3934 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3935
3936 AVC_AUDIT_DATA_INIT(&ad, NET);
3937 ad.u.net.dport = htons(snum);
3938 ad.u.net.family = sk->sk_family;
3939 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3940 if (err)
3941 goto out;
3942 }
3943
3944 err = selinux_netlbl_socket_connect(sk, address);
3945
3946 out:
3947 return err;
3948 }
3949
3950 static int selinux_socket_listen(struct socket *sock, int backlog)
3951 {
3952 return socket_has_perm(current, sock, SOCKET__LISTEN);
3953 }
3954
3955 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3956 {
3957 int err;
3958 struct inode_security_struct *isec;
3959 struct inode_security_struct *newisec;
3960
3961 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3962 if (err)
3963 return err;
3964
3965 newisec = SOCK_INODE(newsock)->i_security;
3966
3967 isec = SOCK_INODE(sock)->i_security;
3968 newisec->sclass = isec->sclass;
3969 newisec->sid = isec->sid;
3970 newisec->initialized = 1;
3971
3972 return 0;
3973 }
3974
3975 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3976 int size)
3977 {
3978 return socket_has_perm(current, sock, SOCKET__WRITE);
3979 }
3980
3981 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3982 int size, int flags)
3983 {
3984 return socket_has_perm(current, sock, SOCKET__READ);
3985 }
3986
3987 static int selinux_socket_getsockname(struct socket *sock)
3988 {
3989 return socket_has_perm(current, sock, SOCKET__GETATTR);
3990 }
3991
3992 static int selinux_socket_getpeername(struct socket *sock)
3993 {
3994 return socket_has_perm(current, sock, SOCKET__GETATTR);
3995 }
3996
3997 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3998 {
3999 int err;
4000
4001 err = socket_has_perm(current, sock, SOCKET__SETOPT);
4002 if (err)
4003 return err;
4004
4005 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4006 }
4007
4008 static int selinux_socket_getsockopt(struct socket *sock, int level,
4009 int optname)
4010 {
4011 return socket_has_perm(current, sock, SOCKET__GETOPT);
4012 }
4013
4014 static int selinux_socket_shutdown(struct socket *sock, int how)
4015 {
4016 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4017 }
4018
4019 static int selinux_socket_unix_stream_connect(struct socket *sock,
4020 struct socket *other,
4021 struct sock *newsk)
4022 {
4023 struct sk_security_struct *ssec;
4024 struct inode_security_struct *isec;
4025 struct inode_security_struct *other_isec;
4026 struct avc_audit_data ad;
4027 int err;
4028
4029 err = secondary_ops->unix_stream_connect(sock, other, newsk);
4030 if (err)
4031 return err;
4032
4033 isec = SOCK_INODE(sock)->i_security;
4034 other_isec = SOCK_INODE(other)->i_security;
4035
4036 AVC_AUDIT_DATA_INIT(&ad, NET);
4037 ad.u.net.sk = other->sk;
4038
4039 err = avc_has_perm(isec->sid, other_isec->sid,
4040 isec->sclass,
4041 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4042 if (err)
4043 return err;
4044
4045 /* connecting socket */
4046 ssec = sock->sk->sk_security;
4047 ssec->peer_sid = other_isec->sid;
4048
4049 /* server child socket */
4050 ssec = newsk->sk_security;
4051 ssec->peer_sid = isec->sid;
4052 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4053
4054 return err;
4055 }
4056
4057 static int selinux_socket_unix_may_send(struct socket *sock,
4058 struct socket *other)
4059 {
4060 struct inode_security_struct *isec;
4061 struct inode_security_struct *other_isec;
4062 struct avc_audit_data ad;
4063 int err;
4064
4065 isec = SOCK_INODE(sock)->i_security;
4066 other_isec = SOCK_INODE(other)->i_security;
4067
4068 AVC_AUDIT_DATA_INIT(&ad, NET);
4069 ad.u.net.sk = other->sk;
4070
4071 err = avc_has_perm(isec->sid, other_isec->sid,
4072 isec->sclass, SOCKET__SENDTO, &ad);
4073 if (err)
4074 return err;
4075
4076 return 0;
4077 }
4078
4079 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4080 u32 peer_sid,
4081 struct avc_audit_data *ad)
4082 {
4083 int err;
4084 u32 if_sid;
4085 u32 node_sid;
4086
4087 err = sel_netif_sid(ifindex, &if_sid);
4088 if (err)
4089 return err;
4090 err = avc_has_perm(peer_sid, if_sid,
4091 SECCLASS_NETIF, NETIF__INGRESS, ad);
4092 if (err)
4093 return err;
4094
4095 err = sel_netnode_sid(addrp, family, &node_sid);
4096 if (err)
4097 return err;
4098 return avc_has_perm(peer_sid, node_sid,
4099 SECCLASS_NODE, NODE__RECVFROM, ad);
4100 }
4101
4102 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4103 struct sk_buff *skb,
4104 struct avc_audit_data *ad,
4105 u16 family,
4106 char *addrp)
4107 {
4108 int err;
4109 struct sk_security_struct *sksec = sk->sk_security;
4110 u16 sk_class;
4111 u32 netif_perm, node_perm, recv_perm;
4112 u32 port_sid, node_sid, if_sid, sk_sid;
4113
4114 sk_sid = sksec->sid;
4115 sk_class = sksec->sclass;
4116
4117 switch (sk_class) {
4118 case SECCLASS_UDP_SOCKET:
4119 netif_perm = NETIF__UDP_RECV;
4120 node_perm = NODE__UDP_RECV;
4121 recv_perm = UDP_SOCKET__RECV_MSG;
4122 break;
4123 case SECCLASS_TCP_SOCKET:
4124 netif_perm = NETIF__TCP_RECV;
4125 node_perm = NODE__TCP_RECV;
4126 recv_perm = TCP_SOCKET__RECV_MSG;
4127 break;
4128 case SECCLASS_DCCP_SOCKET:
4129 netif_perm = NETIF__DCCP_RECV;
4130 node_perm = NODE__DCCP_RECV;
4131 recv_perm = DCCP_SOCKET__RECV_MSG;
4132 break;
4133 default:
4134 netif_perm = NETIF__RAWIP_RECV;
4135 node_perm = NODE__RAWIP_RECV;
4136 recv_perm = 0;
4137 break;
4138 }
4139
4140 err = sel_netif_sid(skb->iif, &if_sid);
4141 if (err)
4142 return err;
4143 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4144 if (err)
4145 return err;
4146
4147 err = sel_netnode_sid(addrp, family, &node_sid);
4148 if (err)
4149 return err;
4150 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4151 if (err)
4152 return err;
4153
4154 if (!recv_perm)
4155 return 0;
4156 err = sel_netport_sid(sk->sk_protocol,
4157 ntohs(ad->u.net.sport), &port_sid);
4158 if (unlikely(err)) {
4159 printk(KERN_WARNING
4160 "SELinux: failure in"
4161 " selinux_sock_rcv_skb_iptables_compat(),"
4162 " network port label not found\n");
4163 return err;
4164 }
4165 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4166 }
4167
4168 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4169 u16 family)
4170 {
4171 int err = 0;
4172 struct sk_security_struct *sksec = sk->sk_security;
4173 u32 peer_sid;
4174 u32 sk_sid = sksec->sid;
4175 struct avc_audit_data ad;
4176 char *addrp;
4177
4178 AVC_AUDIT_DATA_INIT(&ad, NET);
4179 ad.u.net.netif = skb->iif;
4180 ad.u.net.family = family;
4181 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4182 if (err)
4183 return err;
4184
4185 if (selinux_compat_net)
4186 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4187 family, addrp);
4188 else if (selinux_secmark_enabled())
4189 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4190 PACKET__RECV, &ad);
4191 if (err)
4192 return err;
4193
4194 if (selinux_policycap_netpeer) {
4195 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4196 if (err)
4197 return err;
4198 err = avc_has_perm(sk_sid, peer_sid,
4199 SECCLASS_PEER, PEER__RECV, &ad);
4200 if (err)
4201 selinux_netlbl_err(skb, err, 0);
4202 } else {
4203 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4204 if (err)
4205 return err;
4206 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4207 }
4208
4209 return err;
4210 }
4211
4212 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4213 {
4214 int err;
4215 struct sk_security_struct *sksec = sk->sk_security;
4216 u16 family = sk->sk_family;
4217 u32 sk_sid = sksec->sid;
4218 struct avc_audit_data ad;
4219 char *addrp;
4220 u8 secmark_active;
4221 u8 peerlbl_active;
4222
4223 if (family != PF_INET && family != PF_INET6)
4224 return 0;
4225
4226 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4227 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4228 family = PF_INET;
4229
4230 /* If any sort of compatibility mode is enabled then handoff processing
4231 * to the selinux_sock_rcv_skb_compat() function to deal with the
4232 * special handling. We do this in an attempt to keep this function
4233 * as fast and as clean as possible. */
4234 if (selinux_compat_net || !selinux_policycap_netpeer)
4235 return selinux_sock_rcv_skb_compat(sk, skb, family);
4236
4237 secmark_active = selinux_secmark_enabled();
4238 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4239 if (!secmark_active && !peerlbl_active)
4240 return 0;
4241
4242 AVC_AUDIT_DATA_INIT(&ad, NET);
4243 ad.u.net.netif = skb->iif;
4244 ad.u.net.family = family;
4245 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4246 if (err)
4247 return err;
4248
4249 if (peerlbl_active) {
4250 u32 peer_sid;
4251
4252 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4253 if (err)
4254 return err;
4255 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4256 peer_sid, &ad);
4257 if (err) {
4258 selinux_netlbl_err(skb, err, 0);
4259 return err;
4260 }
4261 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4262 PEER__RECV, &ad);
4263 if (err)
4264 selinux_netlbl_err(skb, err, 0);
4265 }
4266
4267 if (secmark_active) {
4268 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4269 PACKET__RECV, &ad);
4270 if (err)
4271 return err;
4272 }
4273
4274 return err;
4275 }
4276
4277 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4278 int __user *optlen, unsigned len)
4279 {
4280 int err = 0;
4281 char *scontext;
4282 u32 scontext_len;
4283 struct sk_security_struct *ssec;
4284 struct inode_security_struct *isec;
4285 u32 peer_sid = SECSID_NULL;
4286
4287 isec = SOCK_INODE(sock)->i_security;
4288
4289 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4290 isec->sclass == SECCLASS_TCP_SOCKET) {
4291 ssec = sock->sk->sk_security;
4292 peer_sid = ssec->peer_sid;
4293 }
4294 if (peer_sid == SECSID_NULL) {
4295 err = -ENOPROTOOPT;
4296 goto out;
4297 }
4298
4299 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4300
4301 if (err)
4302 goto out;
4303
4304 if (scontext_len > len) {
4305 err = -ERANGE;
4306 goto out_len;
4307 }
4308
4309 if (copy_to_user(optval, scontext, scontext_len))
4310 err = -EFAULT;
4311
4312 out_len:
4313 if (put_user(scontext_len, optlen))
4314 err = -EFAULT;
4315
4316 kfree(scontext);
4317 out:
4318 return err;
4319 }
4320
4321 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4322 {
4323 u32 peer_secid = SECSID_NULL;
4324 u16 family;
4325
4326 if (skb && skb->protocol == htons(ETH_P_IP))
4327 family = PF_INET;
4328 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4329 family = PF_INET6;
4330 else if (sock)
4331 family = sock->sk->sk_family;
4332 else
4333 goto out;
4334
4335 if (sock && family == PF_UNIX)
4336 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4337 else if (skb)
4338 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4339
4340 out:
4341 *secid = peer_secid;
4342 if (peer_secid == SECSID_NULL)
4343 return -EINVAL;
4344 return 0;
4345 }
4346
4347 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4348 {
4349 return sk_alloc_security(sk, family, priority);
4350 }
4351
4352 static void selinux_sk_free_security(struct sock *sk)
4353 {
4354 sk_free_security(sk);
4355 }
4356
4357 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4358 {
4359 struct sk_security_struct *ssec = sk->sk_security;
4360 struct sk_security_struct *newssec = newsk->sk_security;
4361
4362 newssec->sid = ssec->sid;
4363 newssec->peer_sid = ssec->peer_sid;
4364 newssec->sclass = ssec->sclass;
4365
4366 selinux_netlbl_sk_security_reset(newssec);
4367 }
4368
4369 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4370 {
4371 if (!sk)
4372 *secid = SECINITSID_ANY_SOCKET;
4373 else {
4374 struct sk_security_struct *sksec = sk->sk_security;
4375
4376 *secid = sksec->sid;
4377 }
4378 }
4379
4380 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4381 {
4382 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4383 struct sk_security_struct *sksec = sk->sk_security;
4384
4385 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4386 sk->sk_family == PF_UNIX)
4387 isec->sid = sksec->sid;
4388 sksec->sclass = isec->sclass;
4389 }
4390
4391 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4392 struct request_sock *req)
4393 {
4394 struct sk_security_struct *sksec = sk->sk_security;
4395 int err;
4396 u16 family = sk->sk_family;
4397 u32 newsid;
4398 u32 peersid;
4399
4400 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4401 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4402 family = PF_INET;
4403
4404 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4405 if (err)
4406 return err;
4407 if (peersid == SECSID_NULL) {
4408 req->secid = sksec->sid;
4409 req->peer_secid = SECSID_NULL;
4410 return 0;
4411 } else {
4412 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4413 if (err)
4414 return err;
4415 req->secid = newsid;
4416 req->peer_secid = peersid;
4417 }
4418
4419 return selinux_netlbl_inet_conn_request(req, family);
4420 }
4421
4422 static void selinux_inet_csk_clone(struct sock *newsk,
4423 const struct request_sock *req)
4424 {
4425 struct sk_security_struct *newsksec = newsk->sk_security;
4426
4427 newsksec->sid = req->secid;
4428 newsksec->peer_sid = req->peer_secid;
4429 /* NOTE: Ideally, we should also get the isec->sid for the
4430 new socket in sync, but we don't have the isec available yet.
4431 So we will wait until sock_graft to do it, by which
4432 time it will have been created and available. */
4433
4434 /* We don't need to take any sort of lock here as we are the only
4435 * thread with access to newsksec */
4436 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4437 }
4438
4439 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4440 {
4441 u16 family = sk->sk_family;
4442 struct sk_security_struct *sksec = sk->sk_security;
4443
4444 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4445 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4446 family = PF_INET;
4447
4448 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4449 }
4450
4451 static void selinux_req_classify_flow(const struct request_sock *req,
4452 struct flowi *fl)
4453 {
4454 fl->secid = req->secid;
4455 }
4456
4457 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4458 {
4459 int err = 0;
4460 u32 perm;
4461 struct nlmsghdr *nlh;
4462 struct socket *sock = sk->sk_socket;
4463 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4464
4465 if (skb->len < NLMSG_SPACE(0)) {
4466 err = -EINVAL;
4467 goto out;
4468 }
4469 nlh = nlmsg_hdr(skb);
4470
4471 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4472 if (err) {
4473 if (err == -EINVAL) {
4474 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4475 "SELinux: unrecognized netlink message"
4476 " type=%hu for sclass=%hu\n",
4477 nlh->nlmsg_type, isec->sclass);
4478 if (!selinux_enforcing || security_get_allow_unknown())
4479 err = 0;
4480 }
4481
4482 /* Ignore */
4483 if (err == -ENOENT)
4484 err = 0;
4485 goto out;
4486 }
4487
4488 err = socket_has_perm(current, sock, perm);
4489 out:
4490 return err;
4491 }
4492
4493 #ifdef CONFIG_NETFILTER
4494
4495 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4496 u16 family)
4497 {
4498 int err;
4499 char *addrp;
4500 u32 peer_sid;
4501 struct avc_audit_data ad;
4502 u8 secmark_active;
4503 u8 netlbl_active;
4504 u8 peerlbl_active;
4505
4506 if (!selinux_policycap_netpeer)
4507 return NF_ACCEPT;
4508
4509 secmark_active = selinux_secmark_enabled();
4510 netlbl_active = netlbl_enabled();
4511 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4512 if (!secmark_active && !peerlbl_active)
4513 return NF_ACCEPT;
4514
4515 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4516 return NF_DROP;
4517
4518 AVC_AUDIT_DATA_INIT(&ad, NET);
4519 ad.u.net.netif = ifindex;
4520 ad.u.net.family = family;
4521 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4522 return NF_DROP;
4523
4524 if (peerlbl_active) {
4525 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4526 peer_sid, &ad);
4527 if (err) {
4528 selinux_netlbl_err(skb, err, 1);
4529 return NF_DROP;
4530 }
4531 }
4532
4533 if (secmark_active)
4534 if (avc_has_perm(peer_sid, skb->secmark,
4535 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4536 return NF_DROP;
4537
4538 if (netlbl_active)
4539 /* we do this in the FORWARD path and not the POST_ROUTING
4540 * path because we want to make sure we apply the necessary
4541 * labeling before IPsec is applied so we can leverage AH
4542 * protection */
4543 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4544 return NF_DROP;
4545
4546 return NF_ACCEPT;
4547 }
4548
4549 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4550 struct sk_buff *skb,
4551 const struct net_device *in,
4552 const struct net_device *out,
4553 int (*okfn)(struct sk_buff *))
4554 {
4555 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4556 }
4557
4558 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4559 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4560 struct sk_buff *skb,
4561 const struct net_device *in,
4562 const struct net_device *out,
4563 int (*okfn)(struct sk_buff *))
4564 {
4565 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4566 }
4567 #endif /* IPV6 */
4568
4569 static unsigned int selinux_ip_output(struct sk_buff *skb,
4570 u16 family)
4571 {
4572 u32 sid;
4573
4574 if (!netlbl_enabled())
4575 return NF_ACCEPT;
4576
4577 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4578 * because we want to make sure we apply the necessary labeling
4579 * before IPsec is applied so we can leverage AH protection */
4580 if (skb->sk) {
4581 struct sk_security_struct *sksec = skb->sk->sk_security;
4582 sid = sksec->sid;
4583 } else
4584 sid = SECINITSID_KERNEL;
4585 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4586 return NF_DROP;
4587
4588 return NF_ACCEPT;
4589 }
4590
4591 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4592 struct sk_buff *skb,
4593 const struct net_device *in,
4594 const struct net_device *out,
4595 int (*okfn)(struct sk_buff *))
4596 {
4597 return selinux_ip_output(skb, PF_INET);
4598 }
4599
4600 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4601 int ifindex,
4602 struct avc_audit_data *ad,
4603 u16 family, char *addrp)
4604 {
4605 int err;
4606 struct sk_security_struct *sksec = sk->sk_security;
4607 u16 sk_class;
4608 u32 netif_perm, node_perm, send_perm;
4609 u32 port_sid, node_sid, if_sid, sk_sid;
4610
4611 sk_sid = sksec->sid;
4612 sk_class = sksec->sclass;
4613
4614 switch (sk_class) {
4615 case SECCLASS_UDP_SOCKET:
4616 netif_perm = NETIF__UDP_SEND;
4617 node_perm = NODE__UDP_SEND;
4618 send_perm = UDP_SOCKET__SEND_MSG;
4619 break;
4620 case SECCLASS_TCP_SOCKET:
4621 netif_perm = NETIF__TCP_SEND;
4622 node_perm = NODE__TCP_SEND;
4623 send_perm = TCP_SOCKET__SEND_MSG;
4624 break;
4625 case SECCLASS_DCCP_SOCKET:
4626 netif_perm = NETIF__DCCP_SEND;
4627 node_perm = NODE__DCCP_SEND;
4628 send_perm = DCCP_SOCKET__SEND_MSG;
4629 break;
4630 default:
4631 netif_perm = NETIF__RAWIP_SEND;
4632 node_perm = NODE__RAWIP_SEND;
4633 send_perm = 0;
4634 break;
4635 }
4636
4637 err = sel_netif_sid(ifindex, &if_sid);
4638 if (err)
4639 return err;
4640 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4641 if (err)
4642 return err;
4643
4644 err = sel_netnode_sid(addrp, family, &node_sid);
4645 if (err)
4646 return err;
4647 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4648 if (err)
4649 return err;
4650
4651 if (!send_perm)
4652 return 0;
4653
4654 err = sel_netport_sid(sk->sk_protocol,
4655 ntohs(ad->u.net.dport), &port_sid);
4656 if (unlikely(err)) {
4657 printk(KERN_WARNING
4658 "SELinux: failure in"
4659 " selinux_ip_postroute_iptables_compat(),"
4660 " network port label not found\n");
4661 return err;
4662 }
4663 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4664 }
4665
4666 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4667 int ifindex,
4668 u16 family)
4669 {
4670 struct sock *sk = skb->sk;
4671 struct sk_security_struct *sksec;
4672 struct avc_audit_data ad;
4673 char *addrp;
4674 u8 proto;
4675
4676 if (sk == NULL)
4677 return NF_ACCEPT;
4678 sksec = sk->sk_security;
4679
4680 AVC_AUDIT_DATA_INIT(&ad, NET);
4681 ad.u.net.netif = ifindex;
4682 ad.u.net.family = family;
4683 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4684 return NF_DROP;
4685
4686 if (selinux_compat_net) {
4687 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4688 &ad, family, addrp))
4689 return NF_DROP;
4690 } else if (selinux_secmark_enabled()) {
4691 if (avc_has_perm(sksec->sid, skb->secmark,
4692 SECCLASS_PACKET, PACKET__SEND, &ad))
4693 return NF_DROP;
4694 }
4695
4696 if (selinux_policycap_netpeer)
4697 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4698 return NF_DROP;
4699
4700 return NF_ACCEPT;
4701 }
4702
4703 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4704 u16 family)
4705 {
4706 u32 secmark_perm;
4707 u32 peer_sid;
4708 struct sock *sk;
4709 struct avc_audit_data ad;
4710 char *addrp;
4711 u8 secmark_active;
4712 u8 peerlbl_active;
4713
4714 /* If any sort of compatibility mode is enabled then handoff processing
4715 * to the selinux_ip_postroute_compat() function to deal with the
4716 * special handling. We do this in an attempt to keep this function
4717 * as fast and as clean as possible. */
4718 if (selinux_compat_net || !selinux_policycap_netpeer)
4719 return selinux_ip_postroute_compat(skb, ifindex, family);
4720 #ifdef CONFIG_XFRM
4721 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4722 * packet transformation so allow the packet to pass without any checks
4723 * since we'll have another chance to perform access control checks
4724 * when the packet is on it's final way out.
4725 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4726 * is NULL, in this case go ahead and apply access control. */
4727 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4728 return NF_ACCEPT;
4729 #endif
4730 secmark_active = selinux_secmark_enabled();
4731 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4732 if (!secmark_active && !peerlbl_active)
4733 return NF_ACCEPT;
4734
4735 /* if the packet is being forwarded then get the peer label from the
4736 * packet itself; otherwise check to see if it is from a local
4737 * application or the kernel, if from an application get the peer label
4738 * from the sending socket, otherwise use the kernel's sid */
4739 sk = skb->sk;
4740 if (sk == NULL) {
4741 switch (family) {
4742 case PF_INET:
4743 if (IPCB(skb)->flags & IPSKB_FORWARDED)
4744 secmark_perm = PACKET__FORWARD_OUT;
4745 else
4746 secmark_perm = PACKET__SEND;
4747 break;
4748 case PF_INET6:
4749 if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4750 secmark_perm = PACKET__FORWARD_OUT;
4751 else
4752 secmark_perm = PACKET__SEND;
4753 break;
4754 default:
4755 return NF_DROP;
4756 }
4757 if (secmark_perm == PACKET__FORWARD_OUT) {
4758 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4759 return NF_DROP;
4760 } else
4761 peer_sid = SECINITSID_KERNEL;
4762 } else {
4763 struct sk_security_struct *sksec = sk->sk_security;
4764 peer_sid = sksec->sid;
4765 secmark_perm = PACKET__SEND;
4766 }
4767
4768 AVC_AUDIT_DATA_INIT(&ad, NET);
4769 ad.u.net.netif = ifindex;
4770 ad.u.net.family = family;
4771 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4772 return NF_DROP;
4773
4774 if (secmark_active)
4775 if (avc_has_perm(peer_sid, skb->secmark,
4776 SECCLASS_PACKET, secmark_perm, &ad))
4777 return NF_DROP;
4778
4779 if (peerlbl_active) {
4780 u32 if_sid;
4781 u32 node_sid;
4782
4783 if (sel_netif_sid(ifindex, &if_sid))
4784 return NF_DROP;
4785 if (avc_has_perm(peer_sid, if_sid,
4786 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4787 return NF_DROP;
4788
4789 if (sel_netnode_sid(addrp, family, &node_sid))
4790 return NF_DROP;
4791 if (avc_has_perm(peer_sid, node_sid,
4792 SECCLASS_NODE, NODE__SENDTO, &ad))
4793 return NF_DROP;
4794 }
4795
4796 return NF_ACCEPT;
4797 }
4798
4799 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4800 struct sk_buff *skb,
4801 const struct net_device *in,
4802 const struct net_device *out,
4803 int (*okfn)(struct sk_buff *))
4804 {
4805 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4806 }
4807
4808 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4809 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4810 struct sk_buff *skb,
4811 const struct net_device *in,
4812 const struct net_device *out,
4813 int (*okfn)(struct sk_buff *))
4814 {
4815 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4816 }
4817 #endif /* IPV6 */
4818
4819 #endif /* CONFIG_NETFILTER */
4820
4821 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4822 {
4823 int err;
4824
4825 err = secondary_ops->netlink_send(sk, skb);
4826 if (err)
4827 return err;
4828
4829 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4830 err = selinux_nlmsg_perm(sk, skb);
4831
4832 return err;
4833 }
4834
4835 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4836 {
4837 int err;
4838 struct avc_audit_data ad;
4839
4840 err = secondary_ops->netlink_recv(skb, capability);
4841 if (err)
4842 return err;
4843
4844 AVC_AUDIT_DATA_INIT(&ad, CAP);
4845 ad.u.cap = capability;
4846
4847 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4848 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4849 }
4850
4851 static int ipc_alloc_security(struct task_struct *task,
4852 struct kern_ipc_perm *perm,
4853 u16 sclass)
4854 {
4855 struct ipc_security_struct *isec;
4856 u32 sid;
4857
4858 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4859 if (!isec)
4860 return -ENOMEM;
4861
4862 sid = task_sid(task);
4863 isec->sclass = sclass;
4864 isec->sid = sid;
4865 perm->security = isec;
4866
4867 return 0;
4868 }
4869
4870 static void ipc_free_security(struct kern_ipc_perm *perm)
4871 {
4872 struct ipc_security_struct *isec = perm->security;
4873 perm->security = NULL;
4874 kfree(isec);
4875 }
4876
4877 static int msg_msg_alloc_security(struct msg_msg *msg)
4878 {
4879 struct msg_security_struct *msec;
4880
4881 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4882 if (!msec)
4883 return -ENOMEM;
4884
4885 msec->sid = SECINITSID_UNLABELED;
4886 msg->security = msec;
4887
4888 return 0;
4889 }
4890
4891 static void msg_msg_free_security(struct msg_msg *msg)
4892 {
4893 struct msg_security_struct *msec = msg->security;
4894
4895 msg->security = NULL;
4896 kfree(msec);
4897 }
4898
4899 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4900 u32 perms)
4901 {
4902 struct ipc_security_struct *isec;
4903 struct avc_audit_data ad;
4904 u32 sid = current_sid();
4905
4906 isec = ipc_perms->security;
4907
4908 AVC_AUDIT_DATA_INIT(&ad, IPC);
4909 ad.u.ipc_id = ipc_perms->key;
4910
4911 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4912 }
4913
4914 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4915 {
4916 return msg_msg_alloc_security(msg);
4917 }
4918
4919 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4920 {
4921 msg_msg_free_security(msg);
4922 }
4923
4924 /* message queue security operations */
4925 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4926 {
4927 struct ipc_security_struct *isec;
4928 struct avc_audit_data ad;
4929 u32 sid = current_sid();
4930 int rc;
4931
4932 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4933 if (rc)
4934 return rc;
4935
4936 isec = msq->q_perm.security;
4937
4938 AVC_AUDIT_DATA_INIT(&ad, IPC);
4939 ad.u.ipc_id = msq->q_perm.key;
4940
4941 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4942 MSGQ__CREATE, &ad);
4943 if (rc) {
4944 ipc_free_security(&msq->q_perm);
4945 return rc;
4946 }
4947 return 0;
4948 }
4949
4950 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4951 {
4952 ipc_free_security(&msq->q_perm);
4953 }
4954
4955 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4956 {
4957 struct ipc_security_struct *isec;
4958 struct avc_audit_data ad;
4959 u32 sid = current_sid();
4960
4961 isec = msq->q_perm.security;
4962
4963 AVC_AUDIT_DATA_INIT(&ad, IPC);
4964 ad.u.ipc_id = msq->q_perm.key;
4965
4966 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4967 MSGQ__ASSOCIATE, &ad);
4968 }
4969
4970 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4971 {
4972 int err;
4973 int perms;
4974
4975 switch (cmd) {
4976 case IPC_INFO:
4977 case MSG_INFO:
4978 /* No specific object, just general system-wide information. */
4979 return task_has_system(current, SYSTEM__IPC_INFO);
4980 case IPC_STAT:
4981 case MSG_STAT:
4982 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4983 break;
4984 case IPC_SET:
4985 perms = MSGQ__SETATTR;
4986 break;
4987 case IPC_RMID:
4988 perms = MSGQ__DESTROY;
4989 break;
4990 default:
4991 return 0;
4992 }
4993
4994 err = ipc_has_perm(&msq->q_perm, perms);
4995 return err;
4996 }
4997
4998 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4999 {
5000 struct ipc_security_struct *isec;
5001 struct msg_security_struct *msec;
5002 struct avc_audit_data ad;
5003 u32 sid = current_sid();
5004 int rc;
5005
5006 isec = msq->q_perm.security;
5007 msec = msg->security;
5008
5009 /*
5010 * First time through, need to assign label to the message
5011 */
5012 if (msec->sid == SECINITSID_UNLABELED) {
5013 /*
5014 * Compute new sid based on current process and
5015 * message queue this message will be stored in
5016 */
5017 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5018 &msec->sid);
5019 if (rc)
5020 return rc;
5021 }
5022
5023 AVC_AUDIT_DATA_INIT(&ad, IPC);
5024 ad.u.ipc_id = msq->q_perm.key;
5025
5026 /* Can this process write to the queue? */
5027 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5028 MSGQ__WRITE, &ad);
5029 if (!rc)
5030 /* Can this process send the message */
5031 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5032 MSG__SEND, &ad);
5033 if (!rc)
5034 /* Can the message be put in the queue? */
5035 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5036 MSGQ__ENQUEUE, &ad);
5037
5038 return rc;
5039 }
5040
5041 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5042 struct task_struct *target,
5043 long type, int mode)
5044 {
5045 struct ipc_security_struct *isec;
5046 struct msg_security_struct *msec;
5047 struct avc_audit_data ad;
5048 u32 sid = task_sid(target);
5049 int rc;
5050
5051 isec = msq->q_perm.security;
5052 msec = msg->security;
5053
5054 AVC_AUDIT_DATA_INIT(&ad, IPC);
5055 ad.u.ipc_id = msq->q_perm.key;
5056
5057 rc = avc_has_perm(sid, isec->sid,
5058 SECCLASS_MSGQ, MSGQ__READ, &ad);
5059 if (!rc)
5060 rc = avc_has_perm(sid, msec->sid,
5061 SECCLASS_MSG, MSG__RECEIVE, &ad);
5062 return rc;
5063 }
5064
5065 /* Shared Memory security operations */
5066 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5067 {
5068 struct ipc_security_struct *isec;
5069 struct avc_audit_data ad;
5070 u32 sid = current_sid();
5071 int rc;
5072
5073 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5074 if (rc)
5075 return rc;
5076
5077 isec = shp->shm_perm.security;
5078
5079 AVC_AUDIT_DATA_INIT(&ad, IPC);
5080 ad.u.ipc_id = shp->shm_perm.key;
5081
5082 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5083 SHM__CREATE, &ad);
5084 if (rc) {
5085 ipc_free_security(&shp->shm_perm);
5086 return rc;
5087 }
5088 return 0;
5089 }
5090
5091 static void selinux_shm_free_security(struct shmid_kernel *shp)
5092 {
5093 ipc_free_security(&shp->shm_perm);
5094 }
5095
5096 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5097 {
5098 struct ipc_security_struct *isec;
5099 struct avc_audit_data ad;
5100 u32 sid = current_sid();
5101
5102 isec = shp->shm_perm.security;
5103
5104 AVC_AUDIT_DATA_INIT(&ad, IPC);
5105 ad.u.ipc_id = shp->shm_perm.key;
5106
5107 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5108 SHM__ASSOCIATE, &ad);
5109 }
5110
5111 /* Note, at this point, shp is locked down */
5112 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5113 {
5114 int perms;
5115 int err;
5116
5117 switch (cmd) {
5118 case IPC_INFO:
5119 case SHM_INFO:
5120 /* No specific object, just general system-wide information. */
5121 return task_has_system(current, SYSTEM__IPC_INFO);
5122 case IPC_STAT:
5123 case SHM_STAT:
5124 perms = SHM__GETATTR | SHM__ASSOCIATE;
5125 break;
5126 case IPC_SET:
5127 perms = SHM__SETATTR;
5128 break;
5129 case SHM_LOCK:
5130 case SHM_UNLOCK:
5131 perms = SHM__LOCK;
5132 break;
5133 case IPC_RMID:
5134 perms = SHM__DESTROY;
5135 break;
5136 default:
5137 return 0;
5138 }
5139
5140 err = ipc_has_perm(&shp->shm_perm, perms);
5141 return err;
5142 }
5143
5144 static int selinux_shm_shmat(struct shmid_kernel *shp,
5145 char __user *shmaddr, int shmflg)
5146 {
5147 u32 perms;
5148 int rc;
5149
5150 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5151 if (rc)
5152 return rc;
5153
5154 if (shmflg & SHM_RDONLY)
5155 perms = SHM__READ;
5156 else
5157 perms = SHM__READ | SHM__WRITE;
5158
5159 return ipc_has_perm(&shp->shm_perm, perms);
5160 }
5161
5162 /* Semaphore security operations */
5163 static int selinux_sem_alloc_security(struct sem_array *sma)
5164 {
5165 struct ipc_security_struct *isec;
5166 struct avc_audit_data ad;
5167 u32 sid = current_sid();
5168 int rc;
5169
5170 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5171 if (rc)
5172 return rc;
5173
5174 isec = sma->sem_perm.security;
5175
5176 AVC_AUDIT_DATA_INIT(&ad, IPC);
5177 ad.u.ipc_id = sma->sem_perm.key;
5178
5179 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5180 SEM__CREATE, &ad);
5181 if (rc) {
5182 ipc_free_security(&sma->sem_perm);
5183 return rc;
5184 }
5185 return 0;
5186 }
5187
5188 static void selinux_sem_free_security(struct sem_array *sma)
5189 {
5190 ipc_free_security(&sma->sem_perm);
5191 }
5192
5193 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5194 {
5195 struct ipc_security_struct *isec;
5196 struct avc_audit_data ad;
5197 u32 sid = current_sid();
5198
5199 isec = sma->sem_perm.security;
5200
5201 AVC_AUDIT_DATA_INIT(&ad, IPC);
5202 ad.u.ipc_id = sma->sem_perm.key;
5203
5204 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5205 SEM__ASSOCIATE, &ad);
5206 }
5207
5208 /* Note, at this point, sma is locked down */
5209 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5210 {
5211 int err;
5212 u32 perms;
5213
5214 switch (cmd) {
5215 case IPC_INFO:
5216 case SEM_INFO:
5217 /* No specific object, just general system-wide information. */
5218 return task_has_system(current, SYSTEM__IPC_INFO);
5219 case GETPID:
5220 case GETNCNT:
5221 case GETZCNT:
5222 perms = SEM__GETATTR;
5223 break;
5224 case GETVAL:
5225 case GETALL:
5226 perms = SEM__READ;
5227 break;
5228 case SETVAL:
5229 case SETALL:
5230 perms = SEM__WRITE;
5231 break;
5232 case IPC_RMID:
5233 perms = SEM__DESTROY;
5234 break;
5235 case IPC_SET:
5236 perms = SEM__SETATTR;
5237 break;
5238 case IPC_STAT:
5239 case SEM_STAT:
5240 perms = SEM__GETATTR | SEM__ASSOCIATE;
5241 break;
5242 default:
5243 return 0;
5244 }
5245
5246 err = ipc_has_perm(&sma->sem_perm, perms);
5247 return err;
5248 }
5249
5250 static int selinux_sem_semop(struct sem_array *sma,
5251 struct sembuf *sops, unsigned nsops, int alter)
5252 {
5253 u32 perms;
5254
5255 if (alter)
5256 perms = SEM__READ | SEM__WRITE;
5257 else
5258 perms = SEM__READ;
5259
5260 return ipc_has_perm(&sma->sem_perm, perms);
5261 }
5262
5263 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5264 {
5265 u32 av = 0;
5266
5267 av = 0;
5268 if (flag & S_IRUGO)
5269 av |= IPC__UNIX_READ;
5270 if (flag & S_IWUGO)
5271 av |= IPC__UNIX_WRITE;
5272
5273 if (av == 0)
5274 return 0;
5275
5276 return ipc_has_perm(ipcp, av);
5277 }
5278
5279 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5280 {
5281 struct ipc_security_struct *isec = ipcp->security;
5282 *secid = isec->sid;
5283 }
5284
5285 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5286 {
5287 if (inode)
5288 inode_doinit_with_dentry(inode, dentry);
5289 }
5290
5291 static int selinux_getprocattr(struct task_struct *p,
5292 char *name, char **value)
5293 {
5294 const struct task_security_struct *__tsec;
5295 u32 sid;
5296 int error;
5297 unsigned len;
5298
5299 if (current != p) {
5300 error = current_has_perm(p, PROCESS__GETATTR);
5301 if (error)
5302 return error;
5303 }
5304
5305 rcu_read_lock();
5306 __tsec = __task_cred(p)->security;
5307
5308 if (!strcmp(name, "current"))
5309 sid = __tsec->sid;
5310 else if (!strcmp(name, "prev"))
5311 sid = __tsec->osid;
5312 else if (!strcmp(name, "exec"))
5313 sid = __tsec->exec_sid;
5314 else if (!strcmp(name, "fscreate"))
5315 sid = __tsec->create_sid;
5316 else if (!strcmp(name, "keycreate"))
5317 sid = __tsec->keycreate_sid;
5318 else if (!strcmp(name, "sockcreate"))
5319 sid = __tsec->sockcreate_sid;
5320 else
5321 goto invalid;
5322 rcu_read_unlock();
5323
5324 if (!sid)
5325 return 0;
5326
5327 error = security_sid_to_context(sid, value, &len);
5328 if (error)
5329 return error;
5330 return len;
5331
5332 invalid:
5333 rcu_read_unlock();
5334 return -EINVAL;
5335 }
5336
5337 static int selinux_setprocattr(struct task_struct *p,
5338 char *name, void *value, size_t size)
5339 {
5340 struct task_security_struct *tsec;
5341 struct task_struct *tracer;
5342 struct cred *new;
5343 u32 sid = 0, ptsid;
5344 int error;
5345 char *str = value;
5346
5347 if (current != p) {
5348 /* SELinux only allows a process to change its own
5349 security attributes. */
5350 return -EACCES;
5351 }
5352
5353 /*
5354 * Basic control over ability to set these attributes at all.
5355 * current == p, but we'll pass them separately in case the
5356 * above restriction is ever removed.
5357 */
5358 if (!strcmp(name, "exec"))
5359 error = current_has_perm(p, PROCESS__SETEXEC);
5360 else if (!strcmp(name, "fscreate"))
5361 error = current_has_perm(p, PROCESS__SETFSCREATE);
5362 else if (!strcmp(name, "keycreate"))
5363 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5364 else if (!strcmp(name, "sockcreate"))
5365 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5366 else if (!strcmp(name, "current"))
5367 error = current_has_perm(p, PROCESS__SETCURRENT);
5368 else
5369 error = -EINVAL;
5370 if (error)
5371 return error;
5372
5373 /* Obtain a SID for the context, if one was specified. */
5374 if (size && str[1] && str[1] != '\n') {
5375 if (str[size-1] == '\n') {
5376 str[size-1] = 0;
5377 size--;
5378 }
5379 error = security_context_to_sid(value, size, &sid);
5380 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5381 if (!capable(CAP_MAC_ADMIN))
5382 return error;
5383 error = security_context_to_sid_force(value, size,
5384 &sid);
5385 }
5386 if (error)
5387 return error;
5388 }
5389
5390 new = prepare_creds();
5391 if (!new)
5392 return -ENOMEM;
5393
5394 /* Permission checking based on the specified context is
5395 performed during the actual operation (execve,
5396 open/mkdir/...), when we know the full context of the
5397 operation. See selinux_bprm_set_creds for the execve
5398 checks and may_create for the file creation checks. The
5399 operation will then fail if the context is not permitted. */
5400 tsec = new->security;
5401 if (!strcmp(name, "exec")) {
5402 tsec->exec_sid = sid;
5403 } else if (!strcmp(name, "fscreate")) {
5404 tsec->create_sid = sid;
5405 } else if (!strcmp(name, "keycreate")) {
5406 error = may_create_key(sid, p);
5407 if (error)
5408 goto abort_change;
5409 tsec->keycreate_sid = sid;
5410 } else if (!strcmp(name, "sockcreate")) {
5411 tsec->sockcreate_sid = sid;
5412 } else if (!strcmp(name, "current")) {
5413 error = -EINVAL;
5414 if (sid == 0)
5415 goto abort_change;
5416
5417 /* Only allow single threaded processes to change context */
5418 error = -EPERM;
5419 if (!is_single_threaded(p)) {
5420 error = security_bounded_transition(tsec->sid, sid);
5421 if (error)
5422 goto abort_change;
5423 }
5424
5425 /* Check permissions for the transition. */
5426 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5427 PROCESS__DYNTRANSITION, NULL);
5428 if (error)
5429 goto abort_change;
5430
5431 /* Check for ptracing, and update the task SID if ok.
5432 Otherwise, leave SID unchanged and fail. */
5433 ptsid = 0;
5434 task_lock(p);
5435 tracer = tracehook_tracer_task(p);
5436 if (tracer)
5437 ptsid = task_sid(tracer);
5438 task_unlock(p);
5439
5440 if (tracer) {
5441 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5442 PROCESS__PTRACE, NULL);
5443 if (error)
5444 goto abort_change;
5445 }
5446
5447 tsec->sid = sid;
5448 } else {
5449 error = -EINVAL;
5450 goto abort_change;
5451 }
5452
5453 commit_creds(new);
5454 return size;
5455
5456 abort_change:
5457 abort_creds(new);
5458 return error;
5459 }
5460
5461 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5462 {
5463 return security_sid_to_context(secid, secdata, seclen);
5464 }
5465
5466 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5467 {
5468 return security_context_to_sid(secdata, seclen, secid);
5469 }
5470
5471 static void selinux_release_secctx(char *secdata, u32 seclen)
5472 {
5473 kfree(secdata);
5474 }
5475
5476 #ifdef CONFIG_KEYS
5477
5478 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5479 unsigned long flags)
5480 {
5481 const struct task_security_struct *tsec;
5482 struct key_security_struct *ksec;
5483
5484 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5485 if (!ksec)
5486 return -ENOMEM;
5487
5488 tsec = cred->security;
5489 if (tsec->keycreate_sid)
5490 ksec->sid = tsec->keycreate_sid;
5491 else
5492 ksec->sid = tsec->sid;
5493
5494 k->security = ksec;
5495 return 0;
5496 }
5497
5498 static void selinux_key_free(struct key *k)
5499 {
5500 struct key_security_struct *ksec = k->security;
5501
5502 k->security = NULL;
5503 kfree(ksec);
5504 }
5505
5506 static int selinux_key_permission(key_ref_t key_ref,
5507 const struct cred *cred,
5508 key_perm_t perm)
5509 {
5510 struct key *key;
5511 struct key_security_struct *ksec;
5512 u32 sid;
5513
5514 /* if no specific permissions are requested, we skip the
5515 permission check. No serious, additional covert channels
5516 appear to be created. */
5517 if (perm == 0)
5518 return 0;
5519
5520 sid = cred_sid(cred);
5521
5522 key = key_ref_to_ptr(key_ref);
5523 ksec = key->security;
5524
5525 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5526 }
5527
5528 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5529 {
5530 struct key_security_struct *ksec = key->security;
5531 char *context = NULL;
5532 unsigned len;
5533 int rc;
5534
5535 rc = security_sid_to_context(ksec->sid, &context, &len);
5536 if (!rc)
5537 rc = len;
5538 *_buffer = context;
5539 return rc;
5540 }
5541
5542 #endif
5543
5544 static struct security_operations selinux_ops = {
5545 .name = "selinux",
5546
5547 .ptrace_may_access = selinux_ptrace_may_access,
5548 .ptrace_traceme = selinux_ptrace_traceme,
5549 .capget = selinux_capget,
5550 .capset = selinux_capset,
5551 .sysctl = selinux_sysctl,
5552 .capable = selinux_capable,
5553 .quotactl = selinux_quotactl,
5554 .quota_on = selinux_quota_on,
5555 .syslog = selinux_syslog,
5556 .vm_enough_memory = selinux_vm_enough_memory,
5557
5558 .netlink_send = selinux_netlink_send,
5559 .netlink_recv = selinux_netlink_recv,
5560
5561 .bprm_set_creds = selinux_bprm_set_creds,
5562 .bprm_check_security = selinux_bprm_check_security,
5563 .bprm_committing_creds = selinux_bprm_committing_creds,
5564 .bprm_committed_creds = selinux_bprm_committed_creds,
5565 .bprm_secureexec = selinux_bprm_secureexec,
5566
5567 .sb_alloc_security = selinux_sb_alloc_security,
5568 .sb_free_security = selinux_sb_free_security,
5569 .sb_copy_data = selinux_sb_copy_data,
5570 .sb_kern_mount = selinux_sb_kern_mount,
5571 .sb_show_options = selinux_sb_show_options,
5572 .sb_statfs = selinux_sb_statfs,
5573 .sb_mount = selinux_mount,
5574 .sb_umount = selinux_umount,
5575 .sb_set_mnt_opts = selinux_set_mnt_opts,
5576 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5577 .sb_parse_opts_str = selinux_parse_opts_str,
5578
5579
5580 .inode_alloc_security = selinux_inode_alloc_security,
5581 .inode_free_security = selinux_inode_free_security,
5582 .inode_init_security = selinux_inode_init_security,
5583 .inode_create = selinux_inode_create,
5584 .inode_link = selinux_inode_link,
5585 .inode_unlink = selinux_inode_unlink,
5586 .inode_symlink = selinux_inode_symlink,
5587 .inode_mkdir = selinux_inode_mkdir,
5588 .inode_rmdir = selinux_inode_rmdir,
5589 .inode_mknod = selinux_inode_mknod,
5590 .inode_rename = selinux_inode_rename,
5591 .inode_readlink = selinux_inode_readlink,
5592 .inode_follow_link = selinux_inode_follow_link,
5593 .inode_permission = selinux_inode_permission,
5594 .inode_setattr = selinux_inode_setattr,
5595 .inode_getattr = selinux_inode_getattr,
5596 .inode_setxattr = selinux_inode_setxattr,
5597 .inode_post_setxattr = selinux_inode_post_setxattr,
5598 .inode_getxattr = selinux_inode_getxattr,
5599 .inode_listxattr = selinux_inode_listxattr,
5600 .inode_removexattr = selinux_inode_removexattr,
5601 .inode_getsecurity = selinux_inode_getsecurity,
5602 .inode_setsecurity = selinux_inode_setsecurity,
5603 .inode_listsecurity = selinux_inode_listsecurity,
5604 .inode_need_killpriv = selinux_inode_need_killpriv,
5605 .inode_killpriv = selinux_inode_killpriv,
5606 .inode_getsecid = selinux_inode_getsecid,
5607
5608 .file_permission = selinux_file_permission,
5609 .file_alloc_security = selinux_file_alloc_security,
5610 .file_free_security = selinux_file_free_security,
5611 .file_ioctl = selinux_file_ioctl,
5612 .file_mmap = selinux_file_mmap,
5613 .file_mprotect = selinux_file_mprotect,
5614 .file_lock = selinux_file_lock,
5615 .file_fcntl = selinux_file_fcntl,
5616 .file_set_fowner = selinux_file_set_fowner,
5617 .file_send_sigiotask = selinux_file_send_sigiotask,
5618 .file_receive = selinux_file_receive,
5619
5620 .dentry_open = selinux_dentry_open,
5621
5622 .task_create = selinux_task_create,
5623 .cred_free = selinux_cred_free,
5624 .cred_prepare = selinux_cred_prepare,
5625 .cred_commit = selinux_cred_commit,
5626 .kernel_act_as = selinux_kernel_act_as,
5627 .kernel_create_files_as = selinux_kernel_create_files_as,
5628 .task_setuid = selinux_task_setuid,
5629 .task_fix_setuid = selinux_task_fix_setuid,
5630 .task_setgid = selinux_task_setgid,
5631 .task_setpgid = selinux_task_setpgid,
5632 .task_getpgid = selinux_task_getpgid,
5633 .task_getsid = selinux_task_getsid,
5634 .task_getsecid = selinux_task_getsecid,
5635 .task_setgroups = selinux_task_setgroups,
5636 .task_setnice = selinux_task_setnice,
5637 .task_setioprio = selinux_task_setioprio,
5638 .task_getioprio = selinux_task_getioprio,
5639 .task_setrlimit = selinux_task_setrlimit,
5640 .task_setscheduler = selinux_task_setscheduler,
5641 .task_getscheduler = selinux_task_getscheduler,
5642 .task_movememory = selinux_task_movememory,
5643 .task_kill = selinux_task_kill,
5644 .task_wait = selinux_task_wait,
5645 .task_prctl = selinux_task_prctl,
5646 .task_to_inode = selinux_task_to_inode,
5647
5648 .ipc_permission = selinux_ipc_permission,
5649 .ipc_getsecid = selinux_ipc_getsecid,
5650
5651 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5652 .msg_msg_free_security = selinux_msg_msg_free_security,
5653
5654 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5655 .msg_queue_free_security = selinux_msg_queue_free_security,
5656 .msg_queue_associate = selinux_msg_queue_associate,
5657 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5658 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5659 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5660
5661 .shm_alloc_security = selinux_shm_alloc_security,
5662 .shm_free_security = selinux_shm_free_security,
5663 .shm_associate = selinux_shm_associate,
5664 .shm_shmctl = selinux_shm_shmctl,
5665 .shm_shmat = selinux_shm_shmat,
5666
5667 .sem_alloc_security = selinux_sem_alloc_security,
5668 .sem_free_security = selinux_sem_free_security,
5669 .sem_associate = selinux_sem_associate,
5670 .sem_semctl = selinux_sem_semctl,
5671 .sem_semop = selinux_sem_semop,
5672
5673 .d_instantiate = selinux_d_instantiate,
5674
5675 .getprocattr = selinux_getprocattr,
5676 .setprocattr = selinux_setprocattr,
5677
5678 .secid_to_secctx = selinux_secid_to_secctx,
5679 .secctx_to_secid = selinux_secctx_to_secid,
5680 .release_secctx = selinux_release_secctx,
5681
5682 .unix_stream_connect = selinux_socket_unix_stream_connect,
5683 .unix_may_send = selinux_socket_unix_may_send,
5684
5685 .socket_create = selinux_socket_create,
5686 .socket_post_create = selinux_socket_post_create,
5687 .socket_bind = selinux_socket_bind,
5688 .socket_connect = selinux_socket_connect,
5689 .socket_listen = selinux_socket_listen,
5690 .socket_accept = selinux_socket_accept,
5691 .socket_sendmsg = selinux_socket_sendmsg,
5692 .socket_recvmsg = selinux_socket_recvmsg,
5693 .socket_getsockname = selinux_socket_getsockname,
5694 .socket_getpeername = selinux_socket_getpeername,
5695 .socket_getsockopt = selinux_socket_getsockopt,
5696 .socket_setsockopt = selinux_socket_setsockopt,
5697 .socket_shutdown = selinux_socket_shutdown,
5698 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5699 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5700 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5701 .sk_alloc_security = selinux_sk_alloc_security,
5702 .sk_free_security = selinux_sk_free_security,
5703 .sk_clone_security = selinux_sk_clone_security,
5704 .sk_getsecid = selinux_sk_getsecid,
5705 .sock_graft = selinux_sock_graft,
5706 .inet_conn_request = selinux_inet_conn_request,
5707 .inet_csk_clone = selinux_inet_csk_clone,
5708 .inet_conn_established = selinux_inet_conn_established,
5709 .req_classify_flow = selinux_req_classify_flow,
5710
5711 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5712 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5713 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5714 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5715 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5716 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5717 .xfrm_state_free_security = selinux_xfrm_state_free,
5718 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5719 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5720 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5721 .xfrm_decode_session = selinux_xfrm_decode_session,
5722 #endif
5723
5724 #ifdef CONFIG_KEYS
5725 .key_alloc = selinux_key_alloc,
5726 .key_free = selinux_key_free,
5727 .key_permission = selinux_key_permission,
5728 .key_getsecurity = selinux_key_getsecurity,
5729 #endif
5730
5731 #ifdef CONFIG_AUDIT
5732 .audit_rule_init = selinux_audit_rule_init,
5733 .audit_rule_known = selinux_audit_rule_known,
5734 .audit_rule_match = selinux_audit_rule_match,
5735 .audit_rule_free = selinux_audit_rule_free,
5736 #endif
5737 };
5738
5739 static __init int selinux_init(void)
5740 {
5741 if (!security_module_enable(&selinux_ops)) {
5742 selinux_enabled = 0;
5743 return 0;
5744 }
5745
5746 if (!selinux_enabled) {
5747 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5748 return 0;
5749 }
5750
5751 printk(KERN_INFO "SELinux: Initializing.\n");
5752
5753 /* Set the security state for the initial task. */
5754 cred_init_security();
5755
5756 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5757 sizeof(struct inode_security_struct),
5758 0, SLAB_PANIC, NULL);
5759 avc_init();
5760
5761 secondary_ops = security_ops;
5762 if (!secondary_ops)
5763 panic("SELinux: No initial security operations\n");
5764 if (register_security(&selinux_ops))
5765 panic("SELinux: Unable to register with kernel.\n");
5766
5767 if (selinux_enforcing)
5768 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5769 else
5770 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5771
5772 return 0;
5773 }
5774
5775 void selinux_complete_init(void)
5776 {
5777 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5778
5779 /* Set up any superblocks initialized prior to the policy load. */
5780 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5781 spin_lock(&sb_lock);
5782 spin_lock(&sb_security_lock);
5783 next_sb:
5784 if (!list_empty(&superblock_security_head)) {
5785 struct superblock_security_struct *sbsec =
5786 list_entry(superblock_security_head.next,
5787 struct superblock_security_struct,
5788 list);
5789 struct super_block *sb = sbsec->sb;
5790 sb->s_count++;
5791 spin_unlock(&sb_security_lock);
5792 spin_unlock(&sb_lock);
5793 down_read(&sb->s_umount);
5794 if (sb->s_root)
5795 superblock_doinit(sb, NULL);
5796 drop_super(sb);
5797 spin_lock(&sb_lock);
5798 spin_lock(&sb_security_lock);
5799 list_del_init(&sbsec->list);
5800 goto next_sb;
5801 }
5802 spin_unlock(&sb_security_lock);
5803 spin_unlock(&sb_lock);
5804 }
5805
5806 /* SELinux requires early initialization in order to label
5807 all processes and objects when they are created. */
5808 security_initcall(selinux_init);
5809
5810 #if defined(CONFIG_NETFILTER)
5811
5812 static struct nf_hook_ops selinux_ipv4_ops[] = {
5813 {
5814 .hook = selinux_ipv4_postroute,
5815 .owner = THIS_MODULE,
5816 .pf = PF_INET,
5817 .hooknum = NF_INET_POST_ROUTING,
5818 .priority = NF_IP_PRI_SELINUX_LAST,
5819 },
5820 {
5821 .hook = selinux_ipv4_forward,
5822 .owner = THIS_MODULE,
5823 .pf = PF_INET,
5824 .hooknum = NF_INET_FORWARD,
5825 .priority = NF_IP_PRI_SELINUX_FIRST,
5826 },
5827 {
5828 .hook = selinux_ipv4_output,
5829 .owner = THIS_MODULE,
5830 .pf = PF_INET,
5831 .hooknum = NF_INET_LOCAL_OUT,
5832 .priority = NF_IP_PRI_SELINUX_FIRST,
5833 }
5834 };
5835
5836 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5837
5838 static struct nf_hook_ops selinux_ipv6_ops[] = {
5839 {
5840 .hook = selinux_ipv6_postroute,
5841 .owner = THIS_MODULE,
5842 .pf = PF_INET6,
5843 .hooknum = NF_INET_POST_ROUTING,
5844 .priority = NF_IP6_PRI_SELINUX_LAST,
5845 },
5846 {
5847 .hook = selinux_ipv6_forward,
5848 .owner = THIS_MODULE,
5849 .pf = PF_INET6,
5850 .hooknum = NF_INET_FORWARD,
5851 .priority = NF_IP6_PRI_SELINUX_FIRST,
5852 }
5853 };
5854
5855 #endif /* IPV6 */
5856
5857 static int __init selinux_nf_ip_init(void)
5858 {
5859 int err = 0;
5860
5861 if (!selinux_enabled)
5862 goto out;
5863
5864 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5865
5866 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5867 if (err)
5868 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5869
5870 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5871 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5872 if (err)
5873 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5874 #endif /* IPV6 */
5875
5876 out:
5877 return err;
5878 }
5879
5880 __initcall(selinux_nf_ip_init);
5881
5882 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5883 static void selinux_nf_ip_exit(void)
5884 {
5885 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5886
5887 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5888 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5889 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5890 #endif /* IPV6 */
5891 }
5892 #endif
5893
5894 #else /* CONFIG_NETFILTER */
5895
5896 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5897 #define selinux_nf_ip_exit()
5898 #endif
5899
5900 #endif /* CONFIG_NETFILTER */
5901
5902 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5903 static int selinux_disabled;
5904
5905 int selinux_disable(void)
5906 {
5907 extern void exit_sel_fs(void);
5908
5909 if (ss_initialized) {
5910 /* Not permitted after initial policy load. */
5911 return -EINVAL;
5912 }
5913
5914 if (selinux_disabled) {
5915 /* Only do this once. */
5916 return -EINVAL;
5917 }
5918
5919 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5920
5921 selinux_disabled = 1;
5922 selinux_enabled = 0;
5923
5924 /* Reset security_ops to the secondary module, dummy or capability. */
5925 security_ops = secondary_ops;
5926
5927 /* Unregister netfilter hooks. */
5928 selinux_nf_ip_exit();
5929
5930 /* Unregister selinuxfs. */
5931 exit_sel_fs();
5932
5933 return 0;
5934 }
5935 #endif
A cbs scheduler for rt-kernel