search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CRED: Allow kernel services to override LSM settings for task actions
[linux-2.6/verdex.git] / security / selinux / hooks.c
blob520f82ab3fbfbea2fc136af8f881bf41420c990a
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
110 return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
123 return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130
131 /*
132 * Minimal support for a secondary security module,
133 * just to allow the use of the capability module.
134 */
135 static struct security_operations *secondary_ops;
136
137 /* Lists of inode and superblock security structures initialized
138 before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
141
142 static struct kmem_cache *sel_inode_cache;
143
144 /**
145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146 *
147 * Description:
148 * This function checks the SECMARK reference counter to see if any SECMARK
149 * targets are currently configured, if the reference counter is greater than
150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
151 * enabled, false (0) if SECMARK is disabled.
152 *
153 */
154 static int selinux_secmark_enabled(void)
155 {
156 return (atomic_read(&selinux_secmark_refcount) > 0);
157 }
158
159 /*
160 * initialise the security for the init task
161 */
162 static void cred_init_security(void)
163 {
164 struct cred *cred = (struct cred *) current->real_cred;
165 struct task_security_struct *tsec;
166
167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168 if (!tsec)
169 panic("SELinux: Failed to initialize initial task.\n");
170
171 tsec->osid = tsec->sid = SECINITSID_KERNEL;
172 cred->security = tsec;
173 }
174
175 /*
176 * get the security ID of a set of credentials
177 */
178 static inline u32 cred_sid(const struct cred *cred)
179 {
180 const struct task_security_struct *tsec;
181
182 tsec = cred->security;
183 return tsec->sid;
184 }
185
186 /*
187 * get the objective security ID of a task
188 */
189 static inline u32 task_sid(const struct task_struct *task)
190 {
191 u32 sid;
192
193 rcu_read_lock();
194 sid = cred_sid(__task_cred(task));
195 rcu_read_unlock();
196 return sid;
197 }
198
199 /*
200 * get the subjective security ID of the current task
201 */
202 static inline u32 current_sid(void)
203 {
204 const struct task_security_struct *tsec = current_cred()->security;
205
206 return tsec->sid;
207 }
208
209 /* Allocate and free functions for each kind of security blob. */
210
211 static int inode_alloc_security(struct inode *inode)
212 {
213 struct inode_security_struct *isec;
214 u32 sid = current_sid();
215
216 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
217 if (!isec)
218 return -ENOMEM;
219
220 mutex_init(&isec->lock);
221 INIT_LIST_HEAD(&isec->list);
222 isec->inode = inode;
223 isec->sid = SECINITSID_UNLABELED;
224 isec->sclass = SECCLASS_FILE;
225 isec->task_sid = sid;
226 inode->i_security = isec;
227
228 return 0;
229 }
230
231 static void inode_free_security(struct inode *inode)
232 {
233 struct inode_security_struct *isec = inode->i_security;
234 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235
236 spin_lock(&sbsec->isec_lock);
237 if (!list_empty(&isec->list))
238 list_del_init(&isec->list);
239 spin_unlock(&sbsec->isec_lock);
240
241 inode->i_security = NULL;
242 kmem_cache_free(sel_inode_cache, isec);
243 }
244
245 static int file_alloc_security(struct file *file)
246 {
247 struct file_security_struct *fsec;
248 u32 sid = current_sid();
249
250 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
251 if (!fsec)
252 return -ENOMEM;
253
254 fsec->sid = sid;
255 fsec->fown_sid = sid;
256 file->f_security = fsec;
257
258 return 0;
259 }
260
261 static void file_free_security(struct file *file)
262 {
263 struct file_security_struct *fsec = file->f_security;
264 file->f_security = NULL;
265 kfree(fsec);
266 }
267
268 static int superblock_alloc_security(struct super_block *sb)
269 {
270 struct superblock_security_struct *sbsec;
271
272 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
273 if (!sbsec)
274 return -ENOMEM;
275
276 mutex_init(&sbsec->lock);
277 INIT_LIST_HEAD(&sbsec->list);
278 INIT_LIST_HEAD(&sbsec->isec_head);
279 spin_lock_init(&sbsec->isec_lock);
280 sbsec->sb = sb;
281 sbsec->sid = SECINITSID_UNLABELED;
282 sbsec->def_sid = SECINITSID_FILE;
283 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284 sb->s_security = sbsec;
285
286 return 0;
287 }
288
289 static void superblock_free_security(struct super_block *sb)
290 {
291 struct superblock_security_struct *sbsec = sb->s_security;
292
293 spin_lock(&sb_security_lock);
294 if (!list_empty(&sbsec->list))
295 list_del_init(&sbsec->list);
296 spin_unlock(&sb_security_lock);
297
298 sb->s_security = NULL;
299 kfree(sbsec);
300 }
301
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
303 {
304 struct sk_security_struct *ssec;
305
306 ssec = kzalloc(sizeof(*ssec), priority);
307 if (!ssec)
308 return -ENOMEM;
309
310 ssec->peer_sid = SECINITSID_UNLABELED;
311 ssec->sid = SECINITSID_UNLABELED;
312 sk->sk_security = ssec;
313
314 selinux_netlbl_sk_security_reset(ssec, family);
315
316 return 0;
317 }
318
319 static void sk_free_security(struct sock *sk)
320 {
321 struct sk_security_struct *ssec = sk->sk_security;
322
323 sk->sk_security = NULL;
324 selinux_netlbl_sk_security_free(ssec);
325 kfree(ssec);
326 }
327
328 /* The security server must be initialized before
329 any labeling or access decisions can be provided. */
330 extern int ss_initialized;
331
332 /* The file system's label must be initialized prior to use. */
333
334 static char *labeling_behaviors[6] = {
335 "uses xattr",
336 "uses transition SIDs",
337 "uses task SIDs",
338 "uses genfs_contexts",
339 "not configured for labeling",
340 "uses mountpoint labeling",
341 };
342
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
344
345 static inline int inode_doinit(struct inode *inode)
346 {
347 return inode_doinit_with_dentry(inode, NULL);
348 }
349
350 enum {
351 Opt_error = -1,
352 Opt_context = 1,
353 Opt_fscontext = 2,
354 Opt_defcontext = 3,
355 Opt_rootcontext = 4,
356 };
357
358 static const match_table_t tokens = {
359 {Opt_context, CONTEXT_STR "%s"},
360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363 {Opt_error, NULL},
364 };
365
366 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
367
368 static int may_context_mount_sb_relabel(u32 sid,
369 struct superblock_security_struct *sbsec,
370 const struct cred *cred)
371 {
372 const struct task_security_struct *tsec = cred->security;
373 int rc;
374
375 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376 FILESYSTEM__RELABELFROM, NULL);
377 if (rc)
378 return rc;
379
380 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381 FILESYSTEM__RELABELTO, NULL);
382 return rc;
383 }
384
385 static int may_context_mount_inode_relabel(u32 sid,
386 struct superblock_security_struct *sbsec,
387 const struct cred *cred)
388 {
389 const struct task_security_struct *tsec = cred->security;
390 int rc;
391 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392 FILESYSTEM__RELABELFROM, NULL);
393 if (rc)
394 return rc;
395
396 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__ASSOCIATE, NULL);
398 return rc;
399 }
400
401 static int sb_finish_set_opts(struct super_block *sb)
402 {
403 struct superblock_security_struct *sbsec = sb->s_security;
404 struct dentry *root = sb->s_root;
405 struct inode *root_inode = root->d_inode;
406 int rc = 0;
407
408 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409 /* Make sure that the xattr handler exists and that no
410 error other than -ENODATA is returned by getxattr on
411 the root directory. -ENODATA is ok, as this may be
412 the first boot of the SELinux kernel before we have
413 assigned xattr values to the filesystem. */
414 if (!root_inode->i_op->getxattr) {
415 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416 "xattr support\n", sb->s_id, sb->s_type->name);
417 rc = -EOPNOTSUPP;
418 goto out;
419 }
420 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421 if (rc < 0 && rc != -ENODATA) {
422 if (rc == -EOPNOTSUPP)
423 printk(KERN_WARNING "SELinux: (dev %s, type "
424 "%s) has no security xattr handler\n",
425 sb->s_id, sb->s_type->name);
426 else
427 printk(KERN_WARNING "SELinux: (dev %s, type "
428 "%s) getxattr errno %d\n", sb->s_id,
429 sb->s_type->name, -rc);
430 goto out;
431 }
432 }
433
434 sbsec->initialized = 1;
435
436 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438 sb->s_id, sb->s_type->name);
439 else
440 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441 sb->s_id, sb->s_type->name,
442 labeling_behaviors[sbsec->behavior-1]);
443
444 /* Initialize the root inode. */
445 rc = inode_doinit_with_dentry(root_inode, root);
446
447 /* Initialize any other inodes associated with the superblock, e.g.
448 inodes created prior to initial policy load or inodes created
449 during get_sb by a pseudo filesystem that directly
450 populates itself. */
451 spin_lock(&sbsec->isec_lock);
452 next_inode:
453 if (!list_empty(&sbsec->isec_head)) {
454 struct inode_security_struct *isec =
455 list_entry(sbsec->isec_head.next,
456 struct inode_security_struct, list);
457 struct inode *inode = isec->inode;
458 spin_unlock(&sbsec->isec_lock);
459 inode = igrab(inode);
460 if (inode) {
461 if (!IS_PRIVATE(inode))
462 inode_doinit(inode);
463 iput(inode);
464 }
465 spin_lock(&sbsec->isec_lock);
466 list_del_init(&isec->list);
467 goto next_inode;
468 }
469 spin_unlock(&sbsec->isec_lock);
470 out:
471 return rc;
472 }
473
474 /*
475 * This function should allow an FS to ask what it's mount security
476 * options were so it can use those later for submounts, displaying
477 * mount options, or whatever.
478 */
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480 struct security_mnt_opts *opts)
481 {
482 int rc = 0, i;
483 struct superblock_security_struct *sbsec = sb->s_security;
484 char *context = NULL;
485 u32 len;
486 char tmp;
487
488 security_init_mnt_opts(opts);
489
490 if (!sbsec->initialized)
491 return -EINVAL;
492
493 if (!ss_initialized)
494 return -EINVAL;
495
496 /*
497 * if we ever use sbsec flags for anything other than tracking mount
498 * settings this is going to need a mask
499 */
500 tmp = sbsec->flags;
501 /* count the number of mount options for this sb */
502 for (i = 0; i < 8; i++) {
503 if (tmp & 0x01)
504 opts->num_mnt_opts++;
505 tmp >>= 1;
506 }
507
508 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509 if (!opts->mnt_opts) {
510 rc = -ENOMEM;
511 goto out_free;
512 }
513
514 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515 if (!opts->mnt_opts_flags) {
516 rc = -ENOMEM;
517 goto out_free;
518 }
519
520 i = 0;
521 if (sbsec->flags & FSCONTEXT_MNT) {
522 rc = security_sid_to_context(sbsec->sid, &context, &len);
523 if (rc)
524 goto out_free;
525 opts->mnt_opts[i] = context;
526 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
527 }
528 if (sbsec->flags & CONTEXT_MNT) {
529 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
530 if (rc)
531 goto out_free;
532 opts->mnt_opts[i] = context;
533 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
534 }
535 if (sbsec->flags & DEFCONTEXT_MNT) {
536 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
537 if (rc)
538 goto out_free;
539 opts->mnt_opts[i] = context;
540 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
541 }
542 if (sbsec->flags & ROOTCONTEXT_MNT) {
543 struct inode *root = sbsec->sb->s_root->d_inode;
544 struct inode_security_struct *isec = root->i_security;
545
546 rc = security_sid_to_context(isec->sid, &context, &len);
547 if (rc)
548 goto out_free;
549 opts->mnt_opts[i] = context;
550 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
551 }
552
553 BUG_ON(i != opts->num_mnt_opts);
554
555 return 0;
556
557 out_free:
558 security_free_mnt_opts(opts);
559 return rc;
560 }
561
562 static int bad_option(struct superblock_security_struct *sbsec, char flag,
563 u32 old_sid, u32 new_sid)
564 {
565 /* check if the old mount command had the same options */
566 if (sbsec->initialized)
567 if (!(sbsec->flags & flag) ||
568 (old_sid != new_sid))
569 return 1;
570
571 /* check if we were passed the same options twice,
572 * aka someone passed context=a,context=b
573 */
574 if (!sbsec->initialized)
575 if (sbsec->flags & flag)
576 return 1;
577 return 0;
578 }
579
580 /*
581 * Allow filesystems with binary mount data to explicitly set mount point
582 * labeling information.
583 */
584 static int selinux_set_mnt_opts(struct super_block *sb,
585 struct security_mnt_opts *opts)
586 {
587 const struct cred *cred = current_cred();
588 int rc = 0, i;
589 struct superblock_security_struct *sbsec = sb->s_security;
590 const char *name = sb->s_type->name;
591 struct inode *inode = sbsec->sb->s_root->d_inode;
592 struct inode_security_struct *root_isec = inode->i_security;
593 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594 u32 defcontext_sid = 0;
595 char **mount_options = opts->mnt_opts;
596 int *flags = opts->mnt_opts_flags;
597 int num_opts = opts->num_mnt_opts;
598
599 mutex_lock(&sbsec->lock);
600
601 if (!ss_initialized) {
602 if (!num_opts) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
610 goto out;
611 }
612 rc = -EINVAL;
613 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614 "before the security server is initialized\n");
615 goto out;
616 }
617
618 /*
619 * Binary mount data FS will come through this function twice. Once
620 * from an explicit call and once from the generic calls from the vfs.
621 * Since the generic VFS calls will not contain any security mount data
622 * we need to skip the double mount verification.
623 *
624 * This does open a hole in which we will not notice if the first
625 * mount using this sb set explict options and a second mount using
626 * this sb does not set any security options. (The first options
627 * will be used for both mounts)
628 */
629 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630 && (num_opts == 0))
631 goto out;
632
633 /*
634 * parse the mount options, check if they are valid sids.
635 * also check if someone is trying to mount the same sb more
636 * than once with different security options.
637 */
638 for (i = 0; i < num_opts; i++) {
639 u32 sid;
640 rc = security_context_to_sid(mount_options[i],
641 strlen(mount_options[i]), &sid);
642 if (rc) {
643 printk(KERN_WARNING "SELinux: security_context_to_sid"
644 "(%s) failed for (dev %s, type %s) errno=%d\n",
645 mount_options[i], sb->s_id, name, rc);
646 goto out;
647 }
648 switch (flags[i]) {
649 case FSCONTEXT_MNT:
650 fscontext_sid = sid;
651
652 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
653 fscontext_sid))
654 goto out_double_mount;
655
656 sbsec->flags |= FSCONTEXT_MNT;
657 break;
658 case CONTEXT_MNT:
659 context_sid = sid;
660
661 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
662 context_sid))
663 goto out_double_mount;
664
665 sbsec->flags |= CONTEXT_MNT;
666 break;
667 case ROOTCONTEXT_MNT:
668 rootcontext_sid = sid;
669
670 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
671 rootcontext_sid))
672 goto out_double_mount;
673
674 sbsec->flags |= ROOTCONTEXT_MNT;
675
676 break;
677 case DEFCONTEXT_MNT:
678 defcontext_sid = sid;
679
680 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681 defcontext_sid))
682 goto out_double_mount;
683
684 sbsec->flags |= DEFCONTEXT_MNT;
685
686 break;
687 default:
688 rc = -EINVAL;
689 goto out;
690 }
691 }
692
693 if (sbsec->initialized) {
694 /* previously mounted with options, but not on this attempt? */
695 if (sbsec->flags && !num_opts)
696 goto out_double_mount;
697 rc = 0;
698 goto out;
699 }
700
701 if (strcmp(sb->s_type->name, "proc") == 0)
702 sbsec->proc = 1;
703
704 /* Determine the labeling behavior to use for this filesystem type. */
705 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
706 if (rc) {
707 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708 __func__, sb->s_type->name, rc);
709 goto out;
710 }
711
712 /* sets the context of the superblock for the fs being mounted. */
713 if (fscontext_sid) {
714 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
715 if (rc)
716 goto out;
717
718 sbsec->sid = fscontext_sid;
719 }
720
721 /*
722 * Switch to using mount point labeling behavior.
723 * sets the label used on all file below the mountpoint, and will set
724 * the superblock context if not already set.
725 */
726 if (context_sid) {
727 if (!fscontext_sid) {
728 rc = may_context_mount_sb_relabel(context_sid, sbsec,
729 cred);
730 if (rc)
731 goto out;
732 sbsec->sid = context_sid;
733 } else {
734 rc = may_context_mount_inode_relabel(context_sid, sbsec,
735 cred);
736 if (rc)
737 goto out;
738 }
739 if (!rootcontext_sid)
740 rootcontext_sid = context_sid;
741
742 sbsec->mntpoint_sid = context_sid;
743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744 }
745
746 if (rootcontext_sid) {
747 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
748 cred);
749 if (rc)
750 goto out;
751
752 root_isec->sid = rootcontext_sid;
753 root_isec->initialized = 1;
754 }
755
756 if (defcontext_sid) {
757 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
758 rc = -EINVAL;
759 printk(KERN_WARNING "SELinux: defcontext option is "
760 "invalid for this filesystem type\n");
761 goto out;
762 }
763
764 if (defcontext_sid != sbsec->def_sid) {
765 rc = may_context_mount_inode_relabel(defcontext_sid,
766 sbsec, cred);
767 if (rc)
768 goto out;
769 }
770
771 sbsec->def_sid = defcontext_sid;
772 }
773
774 rc = sb_finish_set_opts(sb);
775 out:
776 mutex_unlock(&sbsec->lock);
777 return rc;
778 out_double_mount:
779 rc = -EINVAL;
780 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
781 "security settings for (dev %s, type %s)\n", sb->s_id, name);
782 goto out;
783 }
784
785 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786 struct super_block *newsb)
787 {
788 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789 struct superblock_security_struct *newsbsec = newsb->s_security;
790
791 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
792 int set_context = (oldsbsec->flags & CONTEXT_MNT);
793 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
794
795 /*
796 * if the parent was able to be mounted it clearly had no special lsm
797 * mount options. thus we can safely put this sb on the list and deal
798 * with it later
799 */
800 if (!ss_initialized) {
801 spin_lock(&sb_security_lock);
802 if (list_empty(&newsbsec->list))
803 list_add(&newsbsec->list, &superblock_security_head);
804 spin_unlock(&sb_security_lock);
805 return;
806 }
807
808 /* how can we clone if the old one wasn't set up?? */
809 BUG_ON(!oldsbsec->initialized);
810
811 /* if fs is reusing a sb, just let its options stand... */
812 if (newsbsec->initialized)
813 return;
814
815 mutex_lock(&newsbsec->lock);
816
817 newsbsec->flags = oldsbsec->flags;
818
819 newsbsec->sid = oldsbsec->sid;
820 newsbsec->def_sid = oldsbsec->def_sid;
821 newsbsec->behavior = oldsbsec->behavior;
822
823 if (set_context) {
824 u32 sid = oldsbsec->mntpoint_sid;
825
826 if (!set_fscontext)
827 newsbsec->sid = sid;
828 if (!set_rootcontext) {
829 struct inode *newinode = newsb->s_root->d_inode;
830 struct inode_security_struct *newisec = newinode->i_security;
831 newisec->sid = sid;
832 }
833 newsbsec->mntpoint_sid = sid;
834 }
835 if (set_rootcontext) {
836 const struct inode *oldinode = oldsb->s_root->d_inode;
837 const struct inode_security_struct *oldisec = oldinode->i_security;
838 struct inode *newinode = newsb->s_root->d_inode;
839 struct inode_security_struct *newisec = newinode->i_security;
840
841 newisec->sid = oldisec->sid;
842 }
843
844 sb_finish_set_opts(newsb);
845 mutex_unlock(&newsbsec->lock);
846 }
847
848 static int selinux_parse_opts_str(char *options,
849 struct security_mnt_opts *opts)
850 {
851 char *p;
852 char *context = NULL, *defcontext = NULL;
853 char *fscontext = NULL, *rootcontext = NULL;
854 int rc, num_mnt_opts = 0;
855
856 opts->num_mnt_opts = 0;
857
858 /* Standard string-based options. */
859 while ((p = strsep(&options, "|")) != NULL) {
860 int token;
861 substring_t args[MAX_OPT_ARGS];
862
863 if (!*p)
864 continue;
865
866 token = match_token(p, tokens, args);
867
868 switch (token) {
869 case Opt_context:
870 if (context || defcontext) {
871 rc = -EINVAL;
872 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
873 goto out_err;
874 }
875 context = match_strdup(&args[0]);
876 if (!context) {
877 rc = -ENOMEM;
878 goto out_err;
879 }
880 break;
881
882 case Opt_fscontext:
883 if (fscontext) {
884 rc = -EINVAL;
885 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886 goto out_err;
887 }
888 fscontext = match_strdup(&args[0]);
889 if (!fscontext) {
890 rc = -ENOMEM;
891 goto out_err;
892 }
893 break;
894
895 case Opt_rootcontext:
896 if (rootcontext) {
897 rc = -EINVAL;
898 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899 goto out_err;
900 }
901 rootcontext = match_strdup(&args[0]);
902 if (!rootcontext) {
903 rc = -ENOMEM;
904 goto out_err;
905 }
906 break;
907
908 case Opt_defcontext:
909 if (context || defcontext) {
910 rc = -EINVAL;
911 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912 goto out_err;
913 }
914 defcontext = match_strdup(&args[0]);
915 if (!defcontext) {
916 rc = -ENOMEM;
917 goto out_err;
918 }
919 break;
920
921 default:
922 rc = -EINVAL;
923 printk(KERN_WARNING "SELinux: unknown mount option\n");
924 goto out_err;
925
926 }
927 }
928
929 rc = -ENOMEM;
930 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
931 if (!opts->mnt_opts)
932 goto out_err;
933
934 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935 if (!opts->mnt_opts_flags) {
936 kfree(opts->mnt_opts);
937 goto out_err;
938 }
939
940 if (fscontext) {
941 opts->mnt_opts[num_mnt_opts] = fscontext;
942 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
943 }
944 if (context) {
945 opts->mnt_opts[num_mnt_opts] = context;
946 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
947 }
948 if (rootcontext) {
949 opts->mnt_opts[num_mnt_opts] = rootcontext;
950 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
951 }
952 if (defcontext) {
953 opts->mnt_opts[num_mnt_opts] = defcontext;
954 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
955 }
956
957 opts->num_mnt_opts = num_mnt_opts;
958 return 0;
959
960 out_err:
961 kfree(context);
962 kfree(defcontext);
963 kfree(fscontext);
964 kfree(rootcontext);
965 return rc;
966 }
967 /*
968 * string mount options parsing and call set the sbsec
969 */
970 static int superblock_doinit(struct super_block *sb, void *data)
971 {
972 int rc = 0;
973 char *options = data;
974 struct security_mnt_opts opts;
975
976 security_init_mnt_opts(&opts);
977
978 if (!data)
979 goto out;
980
981 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
982
983 rc = selinux_parse_opts_str(options, &opts);
984 if (rc)
985 goto out_err;
986
987 out:
988 rc = selinux_set_mnt_opts(sb, &opts);
989
990 out_err:
991 security_free_mnt_opts(&opts);
992 return rc;
993 }
994
995 static void selinux_write_opts(struct seq_file *m,
996 struct security_mnt_opts *opts)
997 {
998 int i;
999 char *prefix;
1000
1001 for (i = 0; i < opts->num_mnt_opts; i++) {
1002 char *has_comma = strchr(opts->mnt_opts[i], ',');
1003
1004 switch (opts->mnt_opts_flags[i]) {
1005 case CONTEXT_MNT:
1006 prefix = CONTEXT_STR;
1007 break;
1008 case FSCONTEXT_MNT:
1009 prefix = FSCONTEXT_STR;
1010 break;
1011 case ROOTCONTEXT_MNT:
1012 prefix = ROOTCONTEXT_STR;
1013 break;
1014 case DEFCONTEXT_MNT:
1015 prefix = DEFCONTEXT_STR;
1016 break;
1017 default:
1018 BUG();
1019 };
1020 /* we need a comma before each option */
1021 seq_putc(m, ',');
1022 seq_puts(m, prefix);
1023 if (has_comma)
1024 seq_putc(m, '\"');
1025 seq_puts(m, opts->mnt_opts[i]);
1026 if (has_comma)
1027 seq_putc(m, '\"');
1028 }
1029 }
1030
1031 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032 {
1033 struct security_mnt_opts opts;
1034 int rc;
1035
1036 rc = selinux_get_mnt_opts(sb, &opts);
1037 if (rc) {
1038 /* before policy load we may get EINVAL, don't show anything */
1039 if (rc == -EINVAL)
1040 rc = 0;
1041 return rc;
1042 }
1043
1044 selinux_write_opts(m, &opts);
1045
1046 security_free_mnt_opts(&opts);
1047
1048 return rc;
1049 }
1050
1051 static inline u16 inode_mode_to_security_class(umode_t mode)
1052 {
1053 switch (mode & S_IFMT) {
1054 case S_IFSOCK:
1055 return SECCLASS_SOCK_FILE;
1056 case S_IFLNK:
1057 return SECCLASS_LNK_FILE;
1058 case S_IFREG:
1059 return SECCLASS_FILE;
1060 case S_IFBLK:
1061 return SECCLASS_BLK_FILE;
1062 case S_IFDIR:
1063 return SECCLASS_DIR;
1064 case S_IFCHR:
1065 return SECCLASS_CHR_FILE;
1066 case S_IFIFO:
1067 return SECCLASS_FIFO_FILE;
1068
1069 }
1070
1071 return SECCLASS_FILE;
1072 }
1073
1074 static inline int default_protocol_stream(int protocol)
1075 {
1076 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077 }
1078
1079 static inline int default_protocol_dgram(int protocol)
1080 {
1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082 }
1083
1084 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085 {
1086 switch (family) {
1087 case PF_UNIX:
1088 switch (type) {
1089 case SOCK_STREAM:
1090 case SOCK_SEQPACKET:
1091 return SECCLASS_UNIX_STREAM_SOCKET;
1092 case SOCK_DGRAM:
1093 return SECCLASS_UNIX_DGRAM_SOCKET;
1094 }
1095 break;
1096 case PF_INET:
1097 case PF_INET6:
1098 switch (type) {
1099 case SOCK_STREAM:
1100 if (default_protocol_stream(protocol))
1101 return SECCLASS_TCP_SOCKET;
1102 else
1103 return SECCLASS_RAWIP_SOCKET;
1104 case SOCK_DGRAM:
1105 if (default_protocol_dgram(protocol))
1106 return SECCLASS_UDP_SOCKET;
1107 else
1108 return SECCLASS_RAWIP_SOCKET;
1109 case SOCK_DCCP:
1110 return SECCLASS_DCCP_SOCKET;
1111 default:
1112 return SECCLASS_RAWIP_SOCKET;
1113 }
1114 break;
1115 case PF_NETLINK:
1116 switch (protocol) {
1117 case NETLINK_ROUTE:
1118 return SECCLASS_NETLINK_ROUTE_SOCKET;
1119 case NETLINK_FIREWALL:
1120 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1121 case NETLINK_INET_DIAG:
1122 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123 case NETLINK_NFLOG:
1124 return SECCLASS_NETLINK_NFLOG_SOCKET;
1125 case NETLINK_XFRM:
1126 return SECCLASS_NETLINK_XFRM_SOCKET;
1127 case NETLINK_SELINUX:
1128 return SECCLASS_NETLINK_SELINUX_SOCKET;
1129 case NETLINK_AUDIT:
1130 return SECCLASS_NETLINK_AUDIT_SOCKET;
1131 case NETLINK_IP6_FW:
1132 return SECCLASS_NETLINK_IP6FW_SOCKET;
1133 case NETLINK_DNRTMSG:
1134 return SECCLASS_NETLINK_DNRT_SOCKET;
1135 case NETLINK_KOBJECT_UEVENT:
1136 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1137 default:
1138 return SECCLASS_NETLINK_SOCKET;
1139 }
1140 case PF_PACKET:
1141 return SECCLASS_PACKET_SOCKET;
1142 case PF_KEY:
1143 return SECCLASS_KEY_SOCKET;
1144 case PF_APPLETALK:
1145 return SECCLASS_APPLETALK_SOCKET;
1146 }
1147
1148 return SECCLASS_SOCKET;
1149 }
1150
1151 #ifdef CONFIG_PROC_FS
1152 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153 u16 tclass,
1154 u32 *sid)
1155 {
1156 int buflen, rc;
1157 char *buffer, *path, *end;
1158
1159 buffer = (char *)__get_free_page(GFP_KERNEL);
1160 if (!buffer)
1161 return -ENOMEM;
1162
1163 buflen = PAGE_SIZE;
1164 end = buffer+buflen;
1165 *--end = '\0';
1166 buflen--;
1167 path = end-1;
1168 *path = '/';
1169 while (de && de != de->parent) {
1170 buflen -= de->namelen + 1;
1171 if (buflen < 0)
1172 break;
1173 end -= de->namelen;
1174 memcpy(end, de->name, de->namelen);
1175 *--end = '/';
1176 path = end;
1177 de = de->parent;
1178 }
1179 rc = security_genfs_sid("proc", path, tclass, sid);
1180 free_page((unsigned long)buffer);
1181 return rc;
1182 }
1183 #else
1184 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185 u16 tclass,
1186 u32 *sid)
1187 {
1188 return -EINVAL;
1189 }
1190 #endif
1191
1192 /* The inode's security attributes must be initialized before first use. */
1193 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194 {
1195 struct superblock_security_struct *sbsec = NULL;
1196 struct inode_security_struct *isec = inode->i_security;
1197 u32 sid;
1198 struct dentry *dentry;
1199 #define INITCONTEXTLEN 255
1200 char *context = NULL;
1201 unsigned len = 0;
1202 int rc = 0;
1203
1204 if (isec->initialized)
1205 goto out;
1206
1207 mutex_lock(&isec->lock);
1208 if (isec->initialized)
1209 goto out_unlock;
1210
1211 sbsec = inode->i_sb->s_security;
1212 if (!sbsec->initialized) {
1213 /* Defer initialization until selinux_complete_init,
1214 after the initial policy is loaded and the security
1215 server is ready to handle calls. */
1216 spin_lock(&sbsec->isec_lock);
1217 if (list_empty(&isec->list))
1218 list_add(&isec->list, &sbsec->isec_head);
1219 spin_unlock(&sbsec->isec_lock);
1220 goto out_unlock;
1221 }
1222
1223 switch (sbsec->behavior) {
1224 case SECURITY_FS_USE_XATTR:
1225 if (!inode->i_op->getxattr) {
1226 isec->sid = sbsec->def_sid;
1227 break;
1228 }
1229
1230 /* Need a dentry, since the xattr API requires one.
1231 Life would be simpler if we could just pass the inode. */
1232 if (opt_dentry) {
1233 /* Called from d_instantiate or d_splice_alias. */
1234 dentry = dget(opt_dentry);
1235 } else {
1236 /* Called from selinux_complete_init, try to find a dentry. */
1237 dentry = d_find_alias(inode);
1238 }
1239 if (!dentry) {
1240 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1241 "ino=%ld\n", __func__, inode->i_sb->s_id,
1242 inode->i_ino);
1243 goto out_unlock;
1244 }
1245
1246 len = INITCONTEXTLEN;
1247 context = kmalloc(len, GFP_NOFS);
1248 if (!context) {
1249 rc = -ENOMEM;
1250 dput(dentry);
1251 goto out_unlock;
1252 }
1253 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1254 context, len);
1255 if (rc == -ERANGE) {
1256 /* Need a larger buffer. Query for the right size. */
1257 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1258 NULL, 0);
1259 if (rc < 0) {
1260 dput(dentry);
1261 goto out_unlock;
1262 }
1263 kfree(context);
1264 len = rc;
1265 context = kmalloc(len, GFP_NOFS);
1266 if (!context) {
1267 rc = -ENOMEM;
1268 dput(dentry);
1269 goto out_unlock;
1270 }
1271 rc = inode->i_op->getxattr(dentry,
1272 XATTR_NAME_SELINUX,
1273 context, len);
1274 }
1275 dput(dentry);
1276 if (rc < 0) {
1277 if (rc != -ENODATA) {
1278 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1279 "%d for dev=%s ino=%ld\n", __func__,
1280 -rc, inode->i_sb->s_id, inode->i_ino);
1281 kfree(context);
1282 goto out_unlock;
1283 }
1284 /* Map ENODATA to the default file SID */
1285 sid = sbsec->def_sid;
1286 rc = 0;
1287 } else {
1288 rc = security_context_to_sid_default(context, rc, &sid,
1289 sbsec->def_sid,
1290 GFP_NOFS);
1291 if (rc) {
1292 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1293 "returned %d for dev=%s ino=%ld\n",
1294 __func__, context, -rc,
1295 inode->i_sb->s_id, inode->i_ino);
1296 kfree(context);
1297 /* Leave with the unlabeled SID */
1298 rc = 0;
1299 break;
1300 }
1301 }
1302 kfree(context);
1303 isec->sid = sid;
1304 break;
1305 case SECURITY_FS_USE_TASK:
1306 isec->sid = isec->task_sid;
1307 break;
1308 case SECURITY_FS_USE_TRANS:
1309 /* Default to the fs SID. */
1310 isec->sid = sbsec->sid;
1311
1312 /* Try to obtain a transition SID. */
1313 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314 rc = security_transition_sid(isec->task_sid,
1315 sbsec->sid,
1316 isec->sclass,
1317 &sid);
1318 if (rc)
1319 goto out_unlock;
1320 isec->sid = sid;
1321 break;
1322 case SECURITY_FS_USE_MNTPOINT:
1323 isec->sid = sbsec->mntpoint_sid;
1324 break;
1325 default:
1326 /* Default to the fs superblock SID. */
1327 isec->sid = sbsec->sid;
1328
1329 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1330 struct proc_inode *proci = PROC_I(inode);
1331 if (proci->pde) {
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 rc = selinux_proc_get_sid(proci->pde,
1334 isec->sclass,
1335 &sid);
1336 if (rc)
1337 goto out_unlock;
1338 isec->sid = sid;
1339 }
1340 }
1341 break;
1342 }
1343
1344 isec->initialized = 1;
1345
1346 out_unlock:
1347 mutex_unlock(&isec->lock);
1348 out:
1349 if (isec->sclass == SECCLASS_FILE)
1350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351 return rc;
1352 }
1353
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1356 {
1357 u32 perm = 0;
1358
1359 switch (sig) {
1360 case SIGCHLD:
1361 /* Commonly granted from child to parent. */
1362 perm = PROCESS__SIGCHLD;
1363 break;
1364 case SIGKILL:
1365 /* Cannot be caught or ignored */
1366 perm = PROCESS__SIGKILL;
1367 break;
1368 case SIGSTOP:
1369 /* Cannot be caught or ignored */
1370 perm = PROCESS__SIGSTOP;
1371 break;
1372 default:
1373 /* All other signals. */
1374 perm = PROCESS__SIGNAL;
1375 break;
1376 }
1377
1378 return perm;
1379 }
1380
1381 /*
1382 * Check permission between a pair of credentials
1383 * fork check, ptrace check, etc.
1384 */
1385 static int cred_has_perm(const struct cred *actor,
1386 const struct cred *target,
1387 u32 perms)
1388 {
1389 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1390
1391 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1392 }
1393
1394 /*
1395 * Check permission between a pair of tasks, e.g. signal checks,
1396 * fork check, ptrace check, etc.
1397 * tsk1 is the actor and tsk2 is the target
1398 * - this uses the default subjective creds of tsk1
1399 */
1400 static int task_has_perm(const struct task_struct *tsk1,
1401 const struct task_struct *tsk2,
1402 u32 perms)
1403 {
1404 const struct task_security_struct *__tsec1, *__tsec2;
1405 u32 sid1, sid2;
1406
1407 rcu_read_lock();
1408 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1409 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1410 rcu_read_unlock();
1411 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 /*
1415 * Check permission between current and another task, e.g. signal checks,
1416 * fork check, ptrace check, etc.
1417 * current is the actor and tsk2 is the target
1418 * - this uses current's subjective creds
1419 */
1420 static int current_has_perm(const struct task_struct *tsk,
1421 u32 perms)
1422 {
1423 u32 sid, tsid;
1424
1425 sid = current_sid();
1426 tsid = task_sid(tsk);
1427 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1428 }
1429
1430 #if CAP_LAST_CAP > 63
1431 #error Fix SELinux to handle capabilities > 63.
1432 #endif
1433
1434 /* Check whether a task is allowed to use a capability. */
1435 static int task_has_capability(struct task_struct *tsk,
1436 int cap, int audit)
1437 {
1438 struct avc_audit_data ad;
1439 struct av_decision avd;
1440 u16 sclass;
1441 u32 sid = task_sid(tsk);
1442 u32 av = CAP_TO_MASK(cap);
1443 int rc;
1444
1445 AVC_AUDIT_DATA_INIT(&ad, CAP);
1446 ad.tsk = tsk;
1447 ad.u.cap = cap;
1448
1449 switch (CAP_TO_INDEX(cap)) {
1450 case 0:
1451 sclass = SECCLASS_CAPABILITY;
1452 break;
1453 case 1:
1454 sclass = SECCLASS_CAPABILITY2;
1455 break;
1456 default:
1457 printk(KERN_ERR
1458 "SELinux: out of range capability %d\n", cap);
1459 BUG();
1460 }
1461
1462 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1463 if (audit == SECURITY_CAP_AUDIT)
1464 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1465 return rc;
1466 }
1467
1468 /* Check whether a task is allowed to use a system operation. */
1469 static int task_has_system(struct task_struct *tsk,
1470 u32 perms)
1471 {
1472 u32 sid = task_sid(tsk);
1473
1474 return avc_has_perm(sid, SECINITSID_KERNEL,
1475 SECCLASS_SYSTEM, perms, NULL);
1476 }
1477
1478 /* Check whether a task has a particular permission to an inode.
1479 The 'adp' parameter is optional and allows other audit
1480 data to be passed (e.g. the dentry). */
1481 static int inode_has_perm(const struct cred *cred,
1482 struct inode *inode,
1483 u32 perms,
1484 struct avc_audit_data *adp)
1485 {
1486 struct inode_security_struct *isec;
1487 struct avc_audit_data ad;
1488 u32 sid;
1489
1490 if (unlikely(IS_PRIVATE(inode)))
1491 return 0;
1492
1493 sid = cred_sid(cred);
1494 isec = inode->i_security;
1495
1496 if (!adp) {
1497 adp = &ad;
1498 AVC_AUDIT_DATA_INIT(&ad, FS);
1499 ad.u.fs.inode = inode;
1500 }
1501
1502 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1503 }
1504
1505 /* Same as inode_has_perm, but pass explicit audit data containing
1506 the dentry to help the auditing code to more easily generate the
1507 pathname if needed. */
1508 static inline int dentry_has_perm(const struct cred *cred,
1509 struct vfsmount *mnt,
1510 struct dentry *dentry,
1511 u32 av)
1512 {
1513 struct inode *inode = dentry->d_inode;
1514 struct avc_audit_data ad;
1515
1516 AVC_AUDIT_DATA_INIT(&ad, FS);
1517 ad.u.fs.path.mnt = mnt;
1518 ad.u.fs.path.dentry = dentry;
1519 return inode_has_perm(cred, inode, av, &ad);
1520 }
1521
1522 /* Check whether a task can use an open file descriptor to
1523 access an inode in a given way. Check access to the
1524 descriptor itself, and then use dentry_has_perm to
1525 check a particular permission to the file.
1526 Access to the descriptor is implicitly granted if it
1527 has the same SID as the process. If av is zero, then
1528 access to the file is not checked, e.g. for cases
1529 where only the descriptor is affected like seek. */
1530 static int file_has_perm(const struct cred *cred,
1531 struct file *file,
1532 u32 av)
1533 {
1534 struct file_security_struct *fsec = file->f_security;
1535 struct inode *inode = file->f_path.dentry->d_inode;
1536 struct avc_audit_data ad;
1537 u32 sid = cred_sid(cred);
1538 int rc;
1539
1540 AVC_AUDIT_DATA_INIT(&ad, FS);
1541 ad.u.fs.path = file->f_path;
1542
1543 if (sid != fsec->sid) {
1544 rc = avc_has_perm(sid, fsec->sid,
1545 SECCLASS_FD,
1546 FD__USE,
1547 &ad);
1548 if (rc)
1549 goto out;
1550 }
1551
1552 /* av is zero if only checking access to the descriptor. */
1553 rc = 0;
1554 if (av)
1555 rc = inode_has_perm(cred, inode, av, &ad);
1556
1557 out:
1558 return rc;
1559 }
1560
1561 /* Check whether a task can create a file. */
1562 static int may_create(struct inode *dir,
1563 struct dentry *dentry,
1564 u16 tclass)
1565 {
1566 const struct cred *cred = current_cred();
1567 const struct task_security_struct *tsec = cred->security;
1568 struct inode_security_struct *dsec;
1569 struct superblock_security_struct *sbsec;
1570 u32 sid, newsid;
1571 struct avc_audit_data ad;
1572 int rc;
1573
1574 dsec = dir->i_security;
1575 sbsec = dir->i_sb->s_security;
1576
1577 sid = tsec->sid;
1578 newsid = tsec->create_sid;
1579
1580 AVC_AUDIT_DATA_INIT(&ad, FS);
1581 ad.u.fs.path.dentry = dentry;
1582
1583 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1584 DIR__ADD_NAME | DIR__SEARCH,
1585 &ad);
1586 if (rc)
1587 return rc;
1588
1589 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1590 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1591 if (rc)
1592 return rc;
1593 }
1594
1595 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1596 if (rc)
1597 return rc;
1598
1599 return avc_has_perm(newsid, sbsec->sid,
1600 SECCLASS_FILESYSTEM,
1601 FILESYSTEM__ASSOCIATE, &ad);
1602 }
1603
1604 /* Check whether a task can create a key. */
1605 static int may_create_key(u32 ksid,
1606 struct task_struct *ctx)
1607 {
1608 u32 sid = task_sid(ctx);
1609
1610 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1611 }
1612
1613 #define MAY_LINK 0
1614 #define MAY_UNLINK 1
1615 #define MAY_RMDIR 2
1616
1617 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1618 static int may_link(struct inode *dir,
1619 struct dentry *dentry,
1620 int kind)
1621
1622 {
1623 struct inode_security_struct *dsec, *isec;
1624 struct avc_audit_data ad;
1625 u32 sid = current_sid();
1626 u32 av;
1627 int rc;
1628
1629 dsec = dir->i_security;
1630 isec = dentry->d_inode->i_security;
1631
1632 AVC_AUDIT_DATA_INIT(&ad, FS);
1633 ad.u.fs.path.dentry = dentry;
1634
1635 av = DIR__SEARCH;
1636 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1637 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1638 if (rc)
1639 return rc;
1640
1641 switch (kind) {
1642 case MAY_LINK:
1643 av = FILE__LINK;
1644 break;
1645 case MAY_UNLINK:
1646 av = FILE__UNLINK;
1647 break;
1648 case MAY_RMDIR:
1649 av = DIR__RMDIR;
1650 break;
1651 default:
1652 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1653 __func__, kind);
1654 return 0;
1655 }
1656
1657 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1658 return rc;
1659 }
1660
1661 static inline int may_rename(struct inode *old_dir,
1662 struct dentry *old_dentry,
1663 struct inode *new_dir,
1664 struct dentry *new_dentry)
1665 {
1666 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1667 struct avc_audit_data ad;
1668 u32 sid = current_sid();
1669 u32 av;
1670 int old_is_dir, new_is_dir;
1671 int rc;
1672
1673 old_dsec = old_dir->i_security;
1674 old_isec = old_dentry->d_inode->i_security;
1675 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1676 new_dsec = new_dir->i_security;
1677
1678 AVC_AUDIT_DATA_INIT(&ad, FS);
1679
1680 ad.u.fs.path.dentry = old_dentry;
1681 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1682 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1683 if (rc)
1684 return rc;
1685 rc = avc_has_perm(sid, old_isec->sid,
1686 old_isec->sclass, FILE__RENAME, &ad);
1687 if (rc)
1688 return rc;
1689 if (old_is_dir && new_dir != old_dir) {
1690 rc = avc_has_perm(sid, old_isec->sid,
1691 old_isec->sclass, DIR__REPARENT, &ad);
1692 if (rc)
1693 return rc;
1694 }
1695
1696 ad.u.fs.path.dentry = new_dentry;
1697 av = DIR__ADD_NAME | DIR__SEARCH;
1698 if (new_dentry->d_inode)
1699 av |= DIR__REMOVE_NAME;
1700 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1701 if (rc)
1702 return rc;
1703 if (new_dentry->d_inode) {
1704 new_isec = new_dentry->d_inode->i_security;
1705 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1706 rc = avc_has_perm(sid, new_isec->sid,
1707 new_isec->sclass,
1708 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1709 if (rc)
1710 return rc;
1711 }
1712
1713 return 0;
1714 }
1715
1716 /* Check whether a task can perform a filesystem operation. */
1717 static int superblock_has_perm(const struct cred *cred,
1718 struct super_block *sb,
1719 u32 perms,
1720 struct avc_audit_data *ad)
1721 {
1722 struct superblock_security_struct *sbsec;
1723 u32 sid = cred_sid(cred);
1724
1725 sbsec = sb->s_security;
1726 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1727 }
1728
1729 /* Convert a Linux mode and permission mask to an access vector. */
1730 static inline u32 file_mask_to_av(int mode, int mask)
1731 {
1732 u32 av = 0;
1733
1734 if ((mode & S_IFMT) != S_IFDIR) {
1735 if (mask & MAY_EXEC)
1736 av |= FILE__EXECUTE;
1737 if (mask & MAY_READ)
1738 av |= FILE__READ;
1739
1740 if (mask & MAY_APPEND)
1741 av |= FILE__APPEND;
1742 else if (mask & MAY_WRITE)
1743 av |= FILE__WRITE;
1744
1745 } else {
1746 if (mask & MAY_EXEC)
1747 av |= DIR__SEARCH;
1748 if (mask & MAY_WRITE)
1749 av |= DIR__WRITE;
1750 if (mask & MAY_READ)
1751 av |= DIR__READ;
1752 }
1753
1754 return av;
1755 }
1756
1757 /* Convert a Linux file to an access vector. */
1758 static inline u32 file_to_av(struct file *file)
1759 {
1760 u32 av = 0;
1761
1762 if (file->f_mode & FMODE_READ)
1763 av |= FILE__READ;
1764 if (file->f_mode & FMODE_WRITE) {
1765 if (file->f_flags & O_APPEND)
1766 av |= FILE__APPEND;
1767 else
1768 av |= FILE__WRITE;
1769 }
1770 if (!av) {
1771 /*
1772 * Special file opened with flags 3 for ioctl-only use.
1773 */
1774 av = FILE__IOCTL;
1775 }
1776
1777 return av;
1778 }
1779
1780 /*
1781 * Convert a file to an access vector and include the correct open
1782 * open permission.
1783 */
1784 static inline u32 open_file_to_av(struct file *file)
1785 {
1786 u32 av = file_to_av(file);
1787
1788 if (selinux_policycap_openperm) {
1789 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1790 /*
1791 * lnk files and socks do not really have an 'open'
1792 */
1793 if (S_ISREG(mode))
1794 av |= FILE__OPEN;
1795 else if (S_ISCHR(mode))
1796 av |= CHR_FILE__OPEN;
1797 else if (S_ISBLK(mode))
1798 av |= BLK_FILE__OPEN;
1799 else if (S_ISFIFO(mode))
1800 av |= FIFO_FILE__OPEN;
1801 else if (S_ISDIR(mode))
1802 av |= DIR__OPEN;
1803 else
1804 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1805 "unknown mode:%o\n", __func__, mode);
1806 }
1807 return av;
1808 }
1809
1810 /* Hook functions begin here. */
1811
1812 static int selinux_ptrace_may_access(struct task_struct *child,
1813 unsigned int mode)
1814 {
1815 int rc;
1816
1817 rc = secondary_ops->ptrace_may_access(child, mode);
1818 if (rc)
1819 return rc;
1820
1821 if (mode == PTRACE_MODE_READ) {
1822 u32 sid = current_sid();
1823 u32 csid = task_sid(child);
1824 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1825 }
1826
1827 return current_has_perm(child, PROCESS__PTRACE);
1828 }
1829
1830 static int selinux_ptrace_traceme(struct task_struct *parent)
1831 {
1832 int rc;
1833
1834 rc = secondary_ops->ptrace_traceme(parent);
1835 if (rc)
1836 return rc;
1837
1838 return task_has_perm(parent, current, PROCESS__PTRACE);
1839 }
1840
1841 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1842 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1843 {
1844 int error;
1845
1846 error = current_has_perm(target, PROCESS__GETCAP);
1847 if (error)
1848 return error;
1849
1850 return secondary_ops->capget(target, effective, inheritable, permitted);
1851 }
1852
1853 static int selinux_capset(struct cred *new, const struct cred *old,
1854 const kernel_cap_t *effective,
1855 const kernel_cap_t *inheritable,
1856 const kernel_cap_t *permitted)
1857 {
1858 int error;
1859
1860 error = secondary_ops->capset(new, old,
1861 effective, inheritable, permitted);
1862 if (error)
1863 return error;
1864
1865 return cred_has_perm(old, new, PROCESS__SETCAP);
1866 }
1867
1868 static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1869 {
1870 int rc;
1871
1872 rc = secondary_ops->capable(tsk, cap, audit);
1873 if (rc)
1874 return rc;
1875
1876 return task_has_capability(tsk, cap, audit);
1877 }
1878
1879 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1880 {
1881 int buflen, rc;
1882 char *buffer, *path, *end;
1883
1884 rc = -ENOMEM;
1885 buffer = (char *)__get_free_page(GFP_KERNEL);
1886 if (!buffer)
1887 goto out;
1888
1889 buflen = PAGE_SIZE;
1890 end = buffer+buflen;
1891 *--end = '\0';
1892 buflen--;
1893 path = end-1;
1894 *path = '/';
1895 while (table) {
1896 const char *name = table->procname;
1897 size_t namelen = strlen(name);
1898 buflen -= namelen + 1;
1899 if (buflen < 0)
1900 goto out_free;
1901 end -= namelen;
1902 memcpy(end, name, namelen);
1903 *--end = '/';
1904 path = end;
1905 table = table->parent;
1906 }
1907 buflen -= 4;
1908 if (buflen < 0)
1909 goto out_free;
1910 end -= 4;
1911 memcpy(end, "/sys", 4);
1912 path = end;
1913 rc = security_genfs_sid("proc", path, tclass, sid);
1914 out_free:
1915 free_page((unsigned long)buffer);
1916 out:
1917 return rc;
1918 }
1919
1920 static int selinux_sysctl(ctl_table *table, int op)
1921 {
1922 int error = 0;
1923 u32 av;
1924 u32 tsid, sid;
1925 int rc;
1926
1927 rc = secondary_ops->sysctl(table, op);
1928 if (rc)
1929 return rc;
1930
1931 sid = current_sid();
1932
1933 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1934 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1935 if (rc) {
1936 /* Default to the well-defined sysctl SID. */
1937 tsid = SECINITSID_SYSCTL;
1938 }
1939
1940 /* The op values are "defined" in sysctl.c, thereby creating
1941 * a bad coupling between this module and sysctl.c */
1942 if (op == 001) {
1943 error = avc_has_perm(sid, tsid,
1944 SECCLASS_DIR, DIR__SEARCH, NULL);
1945 } else {
1946 av = 0;
1947 if (op & 004)
1948 av |= FILE__READ;
1949 if (op & 002)
1950 av |= FILE__WRITE;
1951 if (av)
1952 error = avc_has_perm(sid, tsid,
1953 SECCLASS_FILE, av, NULL);
1954 }
1955
1956 return error;
1957 }
1958
1959 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1960 {
1961 const struct cred *cred = current_cred();
1962 int rc = 0;
1963
1964 if (!sb)
1965 return 0;
1966
1967 switch (cmds) {
1968 case Q_SYNC:
1969 case Q_QUOTAON:
1970 case Q_QUOTAOFF:
1971 case Q_SETINFO:
1972 case Q_SETQUOTA:
1973 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1974 break;
1975 case Q_GETFMT:
1976 case Q_GETINFO:
1977 case Q_GETQUOTA:
1978 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1979 break;
1980 default:
1981 rc = 0; /* let the kernel handle invalid cmds */
1982 break;
1983 }
1984 return rc;
1985 }
1986
1987 static int selinux_quota_on(struct dentry *dentry)
1988 {
1989 const struct cred *cred = current_cred();
1990
1991 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1992 }
1993
1994 static int selinux_syslog(int type)
1995 {
1996 int rc;
1997
1998 rc = secondary_ops->syslog(type);
1999 if (rc)
2000 return rc;
2001
2002 switch (type) {
2003 case 3: /* Read last kernel messages */
2004 case 10: /* Return size of the log buffer */
2005 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2006 break;
2007 case 6: /* Disable logging to console */
2008 case 7: /* Enable logging to console */
2009 case 8: /* Set level of messages printed to console */
2010 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2011 break;
2012 case 0: /* Close log */
2013 case 1: /* Open log */
2014 case 2: /* Read from log */
2015 case 4: /* Read/clear last kernel messages */
2016 case 5: /* Clear ring buffer */
2017 default:
2018 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2019 break;
2020 }
2021 return rc;
2022 }
2023
2024 /*
2025 * Check that a process has enough memory to allocate a new virtual
2026 * mapping. 0 means there is enough memory for the allocation to
2027 * succeed and -ENOMEM implies there is not.
2028 *
2029 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2030 * if the capability is granted, but __vm_enough_memory requires 1 if
2031 * the capability is granted.
2032 *
2033 * Do not audit the selinux permission check, as this is applied to all
2034 * processes that allocate mappings.
2035 */
2036 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2037 {
2038 int rc, cap_sys_admin = 0;
2039
2040 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
2041 if (rc == 0)
2042 cap_sys_admin = 1;
2043
2044 return __vm_enough_memory(mm, pages, cap_sys_admin);
2045 }
2046
2047 /* binprm security operations */
2048
2049 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2050 {
2051 const struct task_security_struct *old_tsec;
2052 struct task_security_struct *new_tsec;
2053 struct inode_security_struct *isec;
2054 struct avc_audit_data ad;
2055 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2056 int rc;
2057
2058 rc = secondary_ops->bprm_set_creds(bprm);
2059 if (rc)
2060 return rc;
2061
2062 /* SELinux context only depends on initial program or script and not
2063 * the script interpreter */
2064 if (bprm->cred_prepared)
2065 return 0;
2066
2067 old_tsec = current_security();
2068 new_tsec = bprm->cred->security;
2069 isec = inode->i_security;
2070
2071 /* Default to the current task SID. */
2072 new_tsec->sid = old_tsec->sid;
2073 new_tsec->osid = old_tsec->sid;
2074
2075 /* Reset fs, key, and sock SIDs on execve. */
2076 new_tsec->create_sid = 0;
2077 new_tsec->keycreate_sid = 0;
2078 new_tsec->sockcreate_sid = 0;
2079
2080 if (old_tsec->exec_sid) {
2081 new_tsec->sid = old_tsec->exec_sid;
2082 /* Reset exec SID on execve. */
2083 new_tsec->exec_sid = 0;
2084 } else {
2085 /* Check for a default transition on this program. */
2086 rc = security_transition_sid(old_tsec->sid, isec->sid,
2087 SECCLASS_PROCESS, &new_tsec->sid);
2088 if (rc)
2089 return rc;
2090 }
2091
2092 AVC_AUDIT_DATA_INIT(&ad, FS);
2093 ad.u.fs.path = bprm->file->f_path;
2094
2095 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2096 new_tsec->sid = old_tsec->sid;
2097
2098 if (new_tsec->sid == old_tsec->sid) {
2099 rc = avc_has_perm(old_tsec->sid, isec->sid,
2100 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2101 if (rc)
2102 return rc;
2103 } else {
2104 /* Check permissions for the transition. */
2105 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2106 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2107 if (rc)
2108 return rc;
2109
2110 rc = avc_has_perm(new_tsec->sid, isec->sid,
2111 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2112 if (rc)
2113 return rc;
2114
2115 /* Check for shared state */
2116 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2117 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2118 SECCLASS_PROCESS, PROCESS__SHARE,
2119 NULL);
2120 if (rc)
2121 return -EPERM;
2122 }
2123
2124 /* Make sure that anyone attempting to ptrace over a task that
2125 * changes its SID has the appropriate permit */
2126 if (bprm->unsafe &
2127 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2128 struct task_struct *tracer;
2129 struct task_security_struct *sec;
2130 u32 ptsid = 0;
2131
2132 rcu_read_lock();
2133 tracer = tracehook_tracer_task(current);
2134 if (likely(tracer != NULL)) {
2135 sec = __task_cred(tracer)->security;
2136 ptsid = sec->sid;
2137 }
2138 rcu_read_unlock();
2139
2140 if (ptsid != 0) {
2141 rc = avc_has_perm(ptsid, new_tsec->sid,
2142 SECCLASS_PROCESS,
2143 PROCESS__PTRACE, NULL);
2144 if (rc)
2145 return -EPERM;
2146 }
2147 }
2148
2149 /* Clear any possibly unsafe personality bits on exec: */
2150 bprm->per_clear |= PER_CLEAR_ON_SETID;
2151 }
2152
2153 return 0;
2154 }
2155
2156 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2157 {
2158 return secondary_ops->bprm_check_security(bprm);
2159 }
2160
2161 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2162 {
2163 const struct cred *cred = current_cred();
2164 const struct task_security_struct *tsec = cred->security;
2165 u32 sid, osid;
2166 int atsecure = 0;
2167
2168 sid = tsec->sid;
2169 osid = tsec->osid;
2170
2171 if (osid != sid) {
2172 /* Enable secure mode for SIDs transitions unless
2173 the noatsecure permission is granted between
2174 the two SIDs, i.e. ahp returns 0. */
2175 atsecure = avc_has_perm(osid, sid,
2176 SECCLASS_PROCESS,
2177 PROCESS__NOATSECURE, NULL);
2178 }
2179
2180 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2181 }
2182
2183 extern struct vfsmount *selinuxfs_mount;
2184 extern struct dentry *selinux_null;
2185
2186 /* Derived from fs/exec.c:flush_old_files. */
2187 static inline void flush_unauthorized_files(const struct cred *cred,
2188 struct files_struct *files)
2189 {
2190 struct avc_audit_data ad;
2191 struct file *file, *devnull = NULL;
2192 struct tty_struct *tty;
2193 struct fdtable *fdt;
2194 long j = -1;
2195 int drop_tty = 0;
2196
2197 tty = get_current_tty();
2198 if (tty) {
2199 file_list_lock();
2200 if (!list_empty(&tty->tty_files)) {
2201 struct inode *inode;
2202
2203 /* Revalidate access to controlling tty.
2204 Use inode_has_perm on the tty inode directly rather
2205 than using file_has_perm, as this particular open
2206 file may belong to another process and we are only
2207 interested in the inode-based check here. */
2208 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2209 inode = file->f_path.dentry->d_inode;
2210 if (inode_has_perm(cred, inode,
2211 FILE__READ | FILE__WRITE, NULL)) {
2212 drop_tty = 1;
2213 }
2214 }
2215 file_list_unlock();
2216 tty_kref_put(tty);
2217 }
2218 /* Reset controlling tty. */
2219 if (drop_tty)
2220 no_tty();
2221
2222 /* Revalidate access to inherited open files. */
2223
2224 AVC_AUDIT_DATA_INIT(&ad, FS);
2225
2226 spin_lock(&files->file_lock);
2227 for (;;) {
2228 unsigned long set, i;
2229 int fd;
2230
2231 j++;
2232 i = j * __NFDBITS;
2233 fdt = files_fdtable(files);
2234 if (i >= fdt->max_fds)
2235 break;
2236 set = fdt->open_fds->fds_bits[j];
2237 if (!set)
2238 continue;
2239 spin_unlock(&files->file_lock);
2240 for ( ; set ; i++, set >>= 1) {
2241 if (set & 1) {
2242 file = fget(i);
2243 if (!file)
2244 continue;
2245 if (file_has_perm(cred,
2246 file,
2247 file_to_av(file))) {
2248 sys_close(i);
2249 fd = get_unused_fd();
2250 if (fd != i) {
2251 if (fd >= 0)
2252 put_unused_fd(fd);
2253 fput(file);
2254 continue;
2255 }
2256 if (devnull) {
2257 get_file(devnull);
2258 } else {
2259 devnull = dentry_open(
2260 dget(selinux_null),
2261 mntget(selinuxfs_mount),
2262 O_RDWR, cred);
2263 if (IS_ERR(devnull)) {
2264 devnull = NULL;
2265 put_unused_fd(fd);
2266 fput(file);
2267 continue;
2268 }
2269 }
2270 fd_install(fd, devnull);
2271 }
2272 fput(file);
2273 }
2274 }
2275 spin_lock(&files->file_lock);
2276
2277 }
2278 spin_unlock(&files->file_lock);
2279 }
2280
2281 /*
2282 * Prepare a process for imminent new credential changes due to exec
2283 */
2284 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2285 {
2286 struct task_security_struct *new_tsec;
2287 struct rlimit *rlim, *initrlim;
2288 int rc, i;
2289
2290 secondary_ops->bprm_committing_creds(bprm);
2291
2292 new_tsec = bprm->cred->security;
2293 if (new_tsec->sid == new_tsec->osid)
2294 return;
2295
2296 /* Close files for which the new task SID is not authorized. */
2297 flush_unauthorized_files(bprm->cred, current->files);
2298
2299 /* Always clear parent death signal on SID transitions. */
2300 current->pdeath_signal = 0;
2301
2302 /* Check whether the new SID can inherit resource limits from the old
2303 * SID. If not, reset all soft limits to the lower of the current
2304 * task's hard limit and the init task's soft limit.
2305 *
2306 * Note that the setting of hard limits (even to lower them) can be
2307 * controlled by the setrlimit check. The inclusion of the init task's
2308 * soft limit into the computation is to avoid resetting soft limits
2309 * higher than the default soft limit for cases where the default is
2310 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2311 */
2312 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2313 PROCESS__RLIMITINH, NULL);
2314 if (rc) {
2315 for (i = 0; i < RLIM_NLIMITS; i++) {
2316 rlim = current->signal->rlim + i;
2317 initrlim = init_task.signal->rlim + i;
2318 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2319 }
2320 update_rlimit_cpu(rlim->rlim_cur);
2321 }
2322 }
2323
2324 /*
2325 * Clean up the process immediately after the installation of new credentials
2326 * due to exec
2327 */
2328 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2329 {
2330 const struct task_security_struct *tsec = current_security();
2331 struct itimerval itimer;
2332 struct sighand_struct *psig;
2333 u32 osid, sid;
2334 int rc, i;
2335 unsigned long flags;
2336
2337 secondary_ops->bprm_committed_creds(bprm);
2338
2339 osid = tsec->osid;
2340 sid = tsec->sid;
2341
2342 if (sid == osid)
2343 return;
2344
2345 /* Check whether the new SID can inherit signal state from the old SID.
2346 * If not, clear itimers to avoid subsequent signal generation and
2347 * flush and unblock signals.
2348 *
2349 * This must occur _after_ the task SID has been updated so that any
2350 * kill done after the flush will be checked against the new SID.
2351 */
2352 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2353 if (rc) {
2354 memset(&itimer, 0, sizeof itimer);
2355 for (i = 0; i < 3; i++)
2356 do_setitimer(i, &itimer, NULL);
2357 flush_signals(current);
2358 spin_lock_irq(&current->sighand->siglock);
2359 flush_signal_handlers(current, 1);
2360 sigemptyset(&current->blocked);
2361 recalc_sigpending();
2362 spin_unlock_irq(&current->sighand->siglock);
2363 }
2364
2365 /* Wake up the parent if it is waiting so that it can recheck
2366 * wait permission to the new task SID. */
2367 read_lock_irq(&tasklist_lock);
2368 psig = current->parent->sighand;
2369 spin_lock_irqsave(&psig->siglock, flags);
2370 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2371 spin_unlock_irqrestore(&psig->siglock, flags);
2372 read_unlock_irq(&tasklist_lock);
2373 }
2374
2375 /* superblock security operations */
2376
2377 static int selinux_sb_alloc_security(struct super_block *sb)
2378 {
2379 return superblock_alloc_security(sb);
2380 }
2381
2382 static void selinux_sb_free_security(struct super_block *sb)
2383 {
2384 superblock_free_security(sb);
2385 }
2386
2387 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2388 {
2389 if (plen > olen)
2390 return 0;
2391
2392 return !memcmp(prefix, option, plen);
2393 }
2394
2395 static inline int selinux_option(char *option, int len)
2396 {
2397 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2398 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2399 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2400 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2401 }
2402
2403 static inline void take_option(char **to, char *from, int *first, int len)
2404 {
2405 if (!*first) {
2406 **to = ',';
2407 *to += 1;
2408 } else
2409 *first = 0;
2410 memcpy(*to, from, len);
2411 *to += len;
2412 }
2413
2414 static inline void take_selinux_option(char **to, char *from, int *first,
2415 int len)
2416 {
2417 int current_size = 0;
2418
2419 if (!*first) {
2420 **to = '|';
2421 *to += 1;
2422 } else
2423 *first = 0;
2424
2425 while (current_size < len) {
2426 if (*from != '"') {
2427 **to = *from;
2428 *to += 1;
2429 }
2430 from += 1;
2431 current_size += 1;
2432 }
2433 }
2434
2435 static int selinux_sb_copy_data(char *orig, char *copy)
2436 {
2437 int fnosec, fsec, rc = 0;
2438 char *in_save, *in_curr, *in_end;
2439 char *sec_curr, *nosec_save, *nosec;
2440 int open_quote = 0;
2441
2442 in_curr = orig;
2443 sec_curr = copy;
2444
2445 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2446 if (!nosec) {
2447 rc = -ENOMEM;
2448 goto out;
2449 }
2450
2451 nosec_save = nosec;
2452 fnosec = fsec = 1;
2453 in_save = in_end = orig;
2454
2455 do {
2456 if (*in_end == '"')
2457 open_quote = !open_quote;
2458 if ((*in_end == ',' && open_quote == 0) ||
2459 *in_end == '\0') {
2460 int len = in_end - in_curr;
2461
2462 if (selinux_option(in_curr, len))
2463 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2464 else
2465 take_option(&nosec, in_curr, &fnosec, len);
2466
2467 in_curr = in_end + 1;
2468 }
2469 } while (*in_end++);
2470
2471 strcpy(in_save, nosec_save);
2472 free_page((unsigned long)nosec_save);
2473 out:
2474 return rc;
2475 }
2476
2477 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2478 {
2479 const struct cred *cred = current_cred();
2480 struct avc_audit_data ad;
2481 int rc;
2482
2483 rc = superblock_doinit(sb, data);
2484 if (rc)
2485 return rc;
2486
2487 AVC_AUDIT_DATA_INIT(&ad, FS);
2488 ad.u.fs.path.dentry = sb->s_root;
2489 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2490 }
2491
2492 static int selinux_sb_statfs(struct dentry *dentry)
2493 {
2494 const struct cred *cred = current_cred();
2495 struct avc_audit_data ad;
2496
2497 AVC_AUDIT_DATA_INIT(&ad, FS);
2498 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2499 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2500 }
2501
2502 static int selinux_mount(char *dev_name,
2503 struct path *path,
2504 char *type,
2505 unsigned long flags,
2506 void *data)
2507 {
2508 const struct cred *cred = current_cred();
2509 int rc;
2510
2511 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2512 if (rc)
2513 return rc;
2514
2515 if (flags & MS_REMOUNT)
2516 return superblock_has_perm(cred, path->mnt->mnt_sb,
2517 FILESYSTEM__REMOUNT, NULL);
2518 else
2519 return dentry_has_perm(cred, path->mnt, path->dentry,
2520 FILE__MOUNTON);
2521 }
2522
2523 static int selinux_umount(struct vfsmount *mnt, int flags)
2524 {
2525 const struct cred *cred = current_cred();
2526 int rc;
2527
2528 rc = secondary_ops->sb_umount(mnt, flags);
2529 if (rc)
2530 return rc;
2531
2532 return superblock_has_perm(cred, mnt->mnt_sb,
2533 FILESYSTEM__UNMOUNT, NULL);
2534 }
2535
2536 /* inode security operations */
2537
2538 static int selinux_inode_alloc_security(struct inode *inode)
2539 {
2540 return inode_alloc_security(inode);
2541 }
2542
2543 static void selinux_inode_free_security(struct inode *inode)
2544 {
2545 inode_free_security(inode);
2546 }
2547
2548 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2549 char **name, void **value,
2550 size_t *len)
2551 {
2552 const struct cred *cred = current_cred();
2553 const struct task_security_struct *tsec = cred->security;
2554 struct inode_security_struct *dsec;
2555 struct superblock_security_struct *sbsec;
2556 u32 sid, newsid, clen;
2557 int rc;
2558 char *namep = NULL, *context;
2559
2560 dsec = dir->i_security;
2561 sbsec = dir->i_sb->s_security;
2562
2563 sid = tsec->sid;
2564 newsid = tsec->create_sid;
2565
2566 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2567 rc = security_transition_sid(sid, dsec->sid,
2568 inode_mode_to_security_class(inode->i_mode),
2569 &newsid);
2570 if (rc) {
2571 printk(KERN_WARNING "%s: "
2572 "security_transition_sid failed, rc=%d (dev=%s "
2573 "ino=%ld)\n",
2574 __func__,
2575 -rc, inode->i_sb->s_id, inode->i_ino);
2576 return rc;
2577 }
2578 }
2579
2580 /* Possibly defer initialization to selinux_complete_init. */
2581 if (sbsec->initialized) {
2582 struct inode_security_struct *isec = inode->i_security;
2583 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2584 isec->sid = newsid;
2585 isec->initialized = 1;
2586 }
2587
2588 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2589 return -EOPNOTSUPP;
2590
2591 if (name) {
2592 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2593 if (!namep)
2594 return -ENOMEM;
2595 *name = namep;
2596 }
2597
2598 if (value && len) {
2599 rc = security_sid_to_context_force(newsid, &context, &clen);
2600 if (rc) {
2601 kfree(namep);
2602 return rc;
2603 }
2604 *value = context;
2605 *len = clen;
2606 }
2607
2608 return 0;
2609 }
2610
2611 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2612 {
2613 return may_create(dir, dentry, SECCLASS_FILE);
2614 }
2615
2616 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2617 {
2618 int rc;
2619
2620 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2621 if (rc)
2622 return rc;
2623 return may_link(dir, old_dentry, MAY_LINK);
2624 }
2625
2626 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2627 {
2628 int rc;
2629
2630 rc = secondary_ops->inode_unlink(dir, dentry);
2631 if (rc)
2632 return rc;
2633 return may_link(dir, dentry, MAY_UNLINK);
2634 }
2635
2636 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2637 {
2638 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2639 }
2640
2641 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2642 {
2643 return may_create(dir, dentry, SECCLASS_DIR);
2644 }
2645
2646 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2647 {
2648 return may_link(dir, dentry, MAY_RMDIR);
2649 }
2650
2651 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2652 {
2653 int rc;
2654
2655 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2656 if (rc)
2657 return rc;
2658
2659 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2660 }
2661
2662 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2663 struct inode *new_inode, struct dentry *new_dentry)
2664 {
2665 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2666 }
2667
2668 static int selinux_inode_readlink(struct dentry *dentry)
2669 {
2670 const struct cred *cred = current_cred();
2671
2672 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2673 }
2674
2675 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2676 {
2677 const struct cred *cred = current_cred();
2678 int rc;
2679
2680 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2681 if (rc)
2682 return rc;
2683 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2684 }
2685
2686 static int selinux_inode_permission(struct inode *inode, int mask)
2687 {
2688 const struct cred *cred = current_cred();
2689 int rc;
2690
2691 rc = secondary_ops->inode_permission(inode, mask);
2692 if (rc)
2693 return rc;
2694
2695 if (!mask) {
2696 /* No permission to check. Existence test. */
2697 return 0;
2698 }
2699
2700 return inode_has_perm(cred, inode,
2701 file_mask_to_av(inode->i_mode, mask), NULL);
2702 }
2703
2704 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2705 {
2706 const struct cred *cred = current_cred();
2707 int rc;
2708
2709 rc = secondary_ops->inode_setattr(dentry, iattr);
2710 if (rc)
2711 return rc;
2712
2713 if (iattr->ia_valid & ATTR_FORCE)
2714 return 0;
2715
2716 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2717 ATTR_ATIME_SET | ATTR_MTIME_SET))
2718 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2719
2720 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2721 }
2722
2723 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2724 {
2725 const struct cred *cred = current_cred();
2726
2727 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2728 }
2729
2730 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2731 {
2732 const struct cred *cred = current_cred();
2733
2734 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2735 sizeof XATTR_SECURITY_PREFIX - 1)) {
2736 if (!strcmp(name, XATTR_NAME_CAPS)) {
2737 if (!capable(CAP_SETFCAP))
2738 return -EPERM;
2739 } else if (!capable(CAP_SYS_ADMIN)) {
2740 /* A different attribute in the security namespace.
2741 Restrict to administrator. */
2742 return -EPERM;
2743 }
2744 }
2745
2746 /* Not an attribute we recognize, so just check the
2747 ordinary setattr permission. */
2748 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2749 }
2750
2751 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2752 const void *value, size_t size, int flags)
2753 {
2754 struct inode *inode = dentry->d_inode;
2755 struct inode_security_struct *isec = inode->i_security;
2756 struct superblock_security_struct *sbsec;
2757 struct avc_audit_data ad;
2758 u32 newsid, sid = current_sid();
2759 int rc = 0;
2760
2761 if (strcmp(name, XATTR_NAME_SELINUX))
2762 return selinux_inode_setotherxattr(dentry, name);
2763
2764 sbsec = inode->i_sb->s_security;
2765 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2766 return -EOPNOTSUPP;
2767
2768 if (!is_owner_or_cap(inode))
2769 return -EPERM;
2770
2771 AVC_AUDIT_DATA_INIT(&ad, FS);
2772 ad.u.fs.path.dentry = dentry;
2773
2774 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2775 FILE__RELABELFROM, &ad);
2776 if (rc)
2777 return rc;
2778
2779 rc = security_context_to_sid(value, size, &newsid);
2780 if (rc == -EINVAL) {
2781 if (!capable(CAP_MAC_ADMIN))
2782 return rc;
2783 rc = security_context_to_sid_force(value, size, &newsid);
2784 }
2785 if (rc)
2786 return rc;
2787
2788 rc = avc_has_perm(sid, newsid, isec->sclass,
2789 FILE__RELABELTO, &ad);
2790 if (rc)
2791 return rc;
2792
2793 rc = security_validate_transition(isec->sid, newsid, sid,
2794 isec->sclass);
2795 if (rc)
2796 return rc;
2797
2798 return avc_has_perm(newsid,
2799 sbsec->sid,
2800 SECCLASS_FILESYSTEM,
2801 FILESYSTEM__ASSOCIATE,
2802 &ad);
2803 }
2804
2805 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2806 const void *value, size_t size,
2807 int flags)
2808 {
2809 struct inode *inode = dentry->d_inode;
2810 struct inode_security_struct *isec = inode->i_security;
2811 u32 newsid;
2812 int rc;
2813
2814 if (strcmp(name, XATTR_NAME_SELINUX)) {
2815 /* Not an attribute we recognize, so nothing to do. */
2816 return;
2817 }
2818
2819 rc = security_context_to_sid_force(value, size, &newsid);
2820 if (rc) {
2821 printk(KERN_ERR "SELinux: unable to map context to SID"
2822 "for (%s, %lu), rc=%d\n",
2823 inode->i_sb->s_id, inode->i_ino, -rc);
2824 return;
2825 }
2826
2827 isec->sid = newsid;
2828 return;
2829 }
2830
2831 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2832 {
2833 const struct cred *cred = current_cred();
2834
2835 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2836 }
2837
2838 static int selinux_inode_listxattr(struct dentry *dentry)
2839 {
2840 const struct cred *cred = current_cred();
2841
2842 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2843 }
2844
2845 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2846 {
2847 if (strcmp(name, XATTR_NAME_SELINUX))
2848 return selinux_inode_setotherxattr(dentry, name);
2849
2850 /* No one is allowed to remove a SELinux security label.
2851 You can change the label, but all data must be labeled. */
2852 return -EACCES;
2853 }
2854
2855 /*
2856 * Copy the inode security context value to the user.
2857 *
2858 * Permission check is handled by selinux_inode_getxattr hook.
2859 */
2860 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2861 {
2862 u32 size;
2863 int error;
2864 char *context = NULL;
2865 struct inode_security_struct *isec = inode->i_security;
2866
2867 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2868 return -EOPNOTSUPP;
2869
2870 /*
2871 * If the caller has CAP_MAC_ADMIN, then get the raw context
2872 * value even if it is not defined by current policy; otherwise,
2873 * use the in-core value under current policy.
2874 * Use the non-auditing forms of the permission checks since
2875 * getxattr may be called by unprivileged processes commonly
2876 * and lack of permission just means that we fall back to the
2877 * in-core context value, not a denial.
2878 */
2879 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2880 if (!error)
2881 error = security_sid_to_context_force(isec->sid, &context,
2882 &size);
2883 else
2884 error = security_sid_to_context(isec->sid, &context, &size);
2885 if (error)
2886 return error;
2887 error = size;
2888 if (alloc) {
2889 *buffer = context;
2890 goto out_nofree;
2891 }
2892 kfree(context);
2893 out_nofree:
2894 return error;
2895 }
2896
2897 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2898 const void *value, size_t size, int flags)
2899 {
2900 struct inode_security_struct *isec = inode->i_security;
2901 u32 newsid;
2902 int rc;
2903
2904 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2905 return -EOPNOTSUPP;
2906
2907 if (!value || !size)
2908 return -EACCES;
2909
2910 rc = security_context_to_sid((void *)value, size, &newsid);
2911 if (rc)
2912 return rc;
2913
2914 isec->sid = newsid;
2915 return 0;
2916 }
2917
2918 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2919 {
2920 const int len = sizeof(XATTR_NAME_SELINUX);
2921 if (buffer && len <= buffer_size)
2922 memcpy(buffer, XATTR_NAME_SELINUX, len);
2923 return len;
2924 }
2925
2926 static int selinux_inode_need_killpriv(struct dentry *dentry)
2927 {
2928 return secondary_ops->inode_need_killpriv(dentry);
2929 }
2930
2931 static int selinux_inode_killpriv(struct dentry *dentry)
2932 {
2933 return secondary_ops->inode_killpriv(dentry);
2934 }
2935
2936 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2937 {
2938 struct inode_security_struct *isec = inode->i_security;
2939 *secid = isec->sid;
2940 }
2941
2942 /* file security operations */
2943
2944 static int selinux_revalidate_file_permission(struct file *file, int mask)
2945 {
2946 const struct cred *cred = current_cred();
2947 int rc;
2948 struct inode *inode = file->f_path.dentry->d_inode;
2949
2950 if (!mask) {
2951 /* No permission to check. Existence test. */
2952 return 0;
2953 }
2954
2955 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2956 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2957 mask |= MAY_APPEND;
2958
2959 rc = file_has_perm(cred, file,
2960 file_mask_to_av(inode->i_mode, mask));
2961 if (rc)
2962 return rc;
2963
2964 return selinux_netlbl_inode_permission(inode, mask);
2965 }
2966
2967 static int selinux_file_permission(struct file *file, int mask)
2968 {
2969 struct inode *inode = file->f_path.dentry->d_inode;
2970 struct file_security_struct *fsec = file->f_security;
2971 struct inode_security_struct *isec = inode->i_security;
2972 u32 sid = current_sid();
2973
2974 if (!mask) {
2975 /* No permission to check. Existence test. */
2976 return 0;
2977 }
2978
2979 if (sid == fsec->sid && fsec->isid == isec->sid
2980 && fsec->pseqno == avc_policy_seqno())
2981 return selinux_netlbl_inode_permission(inode, mask);
2982
2983 return selinux_revalidate_file_permission(file, mask);
2984 }
2985
2986 static int selinux_file_alloc_security(struct file *file)
2987 {
2988 return file_alloc_security(file);
2989 }
2990
2991 static void selinux_file_free_security(struct file *file)
2992 {
2993 file_free_security(file);
2994 }
2995
2996 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2997 unsigned long arg)
2998 {
2999 const struct cred *cred = current_cred();
3000 u32 av = 0;
3001
3002 if (_IOC_DIR(cmd) & _IOC_WRITE)
3003 av |= FILE__WRITE;
3004 if (_IOC_DIR(cmd) & _IOC_READ)
3005 av |= FILE__READ;
3006 if (!av)
3007 av = FILE__IOCTL;
3008
3009 return file_has_perm(cred, file, av);
3010 }
3011
3012 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3013 {
3014 const struct cred *cred = current_cred();
3015 int rc = 0;
3016
3017 #ifndef CONFIG_PPC32
3018 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3019 /*
3020 * We are making executable an anonymous mapping or a
3021 * private file mapping that will also be writable.
3022 * This has an additional check.
3023 */
3024 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3025 if (rc)
3026 goto error;
3027 }
3028 #endif
3029
3030 if (file) {
3031 /* read access is always possible with a mapping */
3032 u32 av = FILE__READ;
3033
3034 /* write access only matters if the mapping is shared */
3035 if (shared && (prot & PROT_WRITE))
3036 av |= FILE__WRITE;
3037
3038 if (prot & PROT_EXEC)
3039 av |= FILE__EXECUTE;
3040
3041 return file_has_perm(cred, file, av);
3042 }
3043
3044 error:
3045 return rc;
3046 }
3047
3048 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3049 unsigned long prot, unsigned long flags,
3050 unsigned long addr, unsigned long addr_only)
3051 {
3052 int rc = 0;
3053 u32 sid = current_sid();
3054
3055 if (addr < mmap_min_addr)
3056 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3057 MEMPROTECT__MMAP_ZERO, NULL);
3058 if (rc || addr_only)
3059 return rc;
3060
3061 if (selinux_checkreqprot)
3062 prot = reqprot;
3063
3064 return file_map_prot_check(file, prot,
3065 (flags & MAP_TYPE) == MAP_SHARED);
3066 }
3067
3068 static int selinux_file_mprotect(struct vm_area_struct *vma,
3069 unsigned long reqprot,
3070 unsigned long prot)
3071 {
3072 const struct cred *cred = current_cred();
3073 int rc;
3074
3075 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3076 if (rc)
3077 return rc;
3078
3079 if (selinux_checkreqprot)
3080 prot = reqprot;
3081
3082 #ifndef CONFIG_PPC32
3083 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3084 rc = 0;
3085 if (vma->vm_start >= vma->vm_mm->start_brk &&
3086 vma->vm_end <= vma->vm_mm->brk) {
3087 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3088 } else if (!vma->vm_file &&
3089 vma->vm_start <= vma->vm_mm->start_stack &&
3090 vma->vm_end >= vma->vm_mm->start_stack) {
3091 rc = current_has_perm(current, PROCESS__EXECSTACK);
3092 } else if (vma->vm_file && vma->anon_vma) {
3093 /*
3094 * We are making executable a file mapping that has
3095 * had some COW done. Since pages might have been
3096 * written, check ability to execute the possibly
3097 * modified content. This typically should only
3098 * occur for text relocations.
3099 */
3100 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3101 }
3102 if (rc)
3103 return rc;
3104 }
3105 #endif
3106
3107 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3108 }
3109
3110 static int selinux_file_lock(struct file *file, unsigned int cmd)
3111 {
3112 const struct cred *cred = current_cred();
3113
3114 return file_has_perm(cred, file, FILE__LOCK);
3115 }
3116
3117 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3118 unsigned long arg)
3119 {
3120 const struct cred *cred = current_cred();
3121 int err = 0;
3122
3123 switch (cmd) {
3124 case F_SETFL:
3125 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3126 err = -EINVAL;
3127 break;
3128 }
3129
3130 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3131 err = file_has_perm(cred, file, FILE__WRITE);
3132 break;
3133 }
3134 /* fall through */
3135 case F_SETOWN:
3136 case F_SETSIG:
3137 case F_GETFL:
3138 case F_GETOWN:
3139 case F_GETSIG:
3140 /* Just check FD__USE permission */
3141 err = file_has_perm(cred, file, 0);
3142 break;
3143 case F_GETLK:
3144 case F_SETLK:
3145 case F_SETLKW:
3146 #if BITS_PER_LONG == 32
3147 case F_GETLK64:
3148 case F_SETLK64:
3149 case F_SETLKW64:
3150 #endif
3151 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3152 err = -EINVAL;
3153 break;
3154 }
3155 err = file_has_perm(cred, file, FILE__LOCK);
3156 break;
3157 }
3158
3159 return err;
3160 }
3161
3162 static int selinux_file_set_fowner(struct file *file)
3163 {
3164 struct file_security_struct *fsec;
3165
3166 fsec = file->f_security;
3167 fsec->fown_sid = current_sid();
3168
3169 return 0;
3170 }
3171
3172 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3173 struct fown_struct *fown, int signum)
3174 {
3175 struct file *file;
3176 u32 sid = current_sid();
3177 u32 perm;
3178 struct file_security_struct *fsec;
3179
3180 /* struct fown_struct is never outside the context of a struct file */
3181 file = container_of(fown, struct file, f_owner);
3182
3183 fsec = file->f_security;
3184
3185 if (!signum)
3186 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3187 else
3188 perm = signal_to_av(signum);
3189
3190 return avc_has_perm(fsec->fown_sid, sid,
3191 SECCLASS_PROCESS, perm, NULL);
3192 }
3193
3194 static int selinux_file_receive(struct file *file)
3195 {
3196 const struct cred *cred = current_cred();
3197
3198 return file_has_perm(cred, file, file_to_av(file));
3199 }
3200
3201 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3202 {
3203 struct file_security_struct *fsec;
3204 struct inode *inode;
3205 struct inode_security_struct *isec;
3206
3207 inode = file->f_path.dentry->d_inode;
3208 fsec = file->f_security;
3209 isec = inode->i_security;
3210 /*
3211 * Save inode label and policy sequence number
3212 * at open-time so that selinux_file_permission
3213 * can determine whether revalidation is necessary.
3214 * Task label is already saved in the file security
3215 * struct as its SID.
3216 */
3217 fsec->isid = isec->sid;
3218 fsec->pseqno = avc_policy_seqno();
3219 /*
3220 * Since the inode label or policy seqno may have changed
3221 * between the selinux_inode_permission check and the saving
3222 * of state above, recheck that access is still permitted.
3223 * Otherwise, access might never be revalidated against the
3224 * new inode label or new policy.
3225 * This check is not redundant - do not remove.
3226 */
3227 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3228 }
3229
3230 /* task security operations */
3231
3232 static int selinux_task_create(unsigned long clone_flags)
3233 {
3234 int rc;
3235
3236 rc = secondary_ops->task_create(clone_flags);
3237 if (rc)
3238 return rc;
3239
3240 return current_has_perm(current, PROCESS__FORK);
3241 }
3242
3243 /*
3244 * detach and free the LSM part of a set of credentials
3245 */
3246 static void selinux_cred_free(struct cred *cred)
3247 {
3248 struct task_security_struct *tsec = cred->security;
3249 cred->security = NULL;
3250 kfree(tsec);
3251 }
3252
3253 /*
3254 * prepare a new set of credentials for modification
3255 */
3256 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3257 gfp_t gfp)
3258 {
3259 const struct task_security_struct *old_tsec;
3260 struct task_security_struct *tsec;
3261
3262 old_tsec = old->security;
3263
3264 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3265 if (!tsec)
3266 return -ENOMEM;
3267
3268 new->security = tsec;
3269 return 0;
3270 }
3271
3272 /*
3273 * commit new credentials
3274 */
3275 static void selinux_cred_commit(struct cred *new, const struct cred *old)
3276 {
3277 secondary_ops->cred_commit(new, old);
3278 }
3279
3280 /*
3281 * set the security data for a kernel service
3282 * - all the creation contexts are set to unlabelled
3283 */
3284 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3285 {
3286 struct task_security_struct *tsec = new->security;
3287 u32 sid = current_sid();
3288 int ret;
3289
3290 ret = avc_has_perm(sid, secid,
3291 SECCLASS_KERNEL_SERVICE,
3292 KERNEL_SERVICE__USE_AS_OVERRIDE,
3293 NULL);
3294 if (ret == 0) {
3295 tsec->sid = secid;
3296 tsec->create_sid = 0;
3297 tsec->keycreate_sid = 0;
3298 tsec->sockcreate_sid = 0;
3299 }
3300 return ret;
3301 }
3302
3303 /*
3304 * set the file creation context in a security record to the same as the
3305 * objective context of the specified inode
3306 */
3307 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3308 {
3309 struct inode_security_struct *isec = inode->i_security;
3310 struct task_security_struct *tsec = new->security;
3311 u32 sid = current_sid();
3312 int ret;
3313
3314 ret = avc_has_perm(sid, isec->sid,
3315 SECCLASS_KERNEL_SERVICE,
3316 KERNEL_SERVICE__CREATE_FILES_AS,
3317 NULL);
3318
3319 if (ret == 0)
3320 tsec->create_sid = isec->sid;
3321 return 0;
3322 }
3323
3324 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3325 {
3326 /* Since setuid only affects the current process, and
3327 since the SELinux controls are not based on the Linux
3328 identity attributes, SELinux does not need to control
3329 this operation. However, SELinux does control the use
3330 of the CAP_SETUID and CAP_SETGID capabilities using the
3331 capable hook. */
3332 return 0;
3333 }
3334
3335 static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3336 int flags)
3337 {
3338 return secondary_ops->task_fix_setuid(new, old, flags);
3339 }
3340
3341 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3342 {
3343 /* See the comment for setuid above. */
3344 return 0;
3345 }
3346
3347 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3348 {
3349 return current_has_perm(p, PROCESS__SETPGID);
3350 }
3351
3352 static int selinux_task_getpgid(struct task_struct *p)
3353 {
3354 return current_has_perm(p, PROCESS__GETPGID);
3355 }
3356
3357 static int selinux_task_getsid(struct task_struct *p)
3358 {
3359 return current_has_perm(p, PROCESS__GETSESSION);
3360 }
3361
3362 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3363 {
3364 *secid = task_sid(p);
3365 }
3366
3367 static int selinux_task_setgroups(struct group_info *group_info)
3368 {
3369 /* See the comment for setuid above. */
3370 return 0;
3371 }
3372
3373 static int selinux_task_setnice(struct task_struct *p, int nice)
3374 {
3375 int rc;
3376
3377 rc = secondary_ops->task_setnice(p, nice);
3378 if (rc)
3379 return rc;
3380
3381 return current_has_perm(p, PROCESS__SETSCHED);
3382 }
3383
3384 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3385 {
3386 int rc;
3387
3388 rc = secondary_ops->task_setioprio(p, ioprio);
3389 if (rc)
3390 return rc;
3391
3392 return current_has_perm(p, PROCESS__SETSCHED);
3393 }
3394
3395 static int selinux_task_getioprio(struct task_struct *p)
3396 {
3397 return current_has_perm(p, PROCESS__GETSCHED);
3398 }
3399
3400 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3401 {
3402 struct rlimit *old_rlim = current->signal->rlim + resource;
3403 int rc;
3404
3405 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3406 if (rc)
3407 return rc;
3408
3409 /* Control the ability to change the hard limit (whether
3410 lowering or raising it), so that the hard limit can
3411 later be used as a safe reset point for the soft limit
3412 upon context transitions. See selinux_bprm_committing_creds. */
3413 if (old_rlim->rlim_max != new_rlim->rlim_max)
3414 return current_has_perm(current, PROCESS__SETRLIMIT);
3415
3416 return 0;
3417 }
3418
3419 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3420 {
3421 int rc;
3422
3423 rc = secondary_ops->task_setscheduler(p, policy, lp);
3424 if (rc)
3425 return rc;
3426
3427 return current_has_perm(p, PROCESS__SETSCHED);
3428 }
3429
3430 static int selinux_task_getscheduler(struct task_struct *p)
3431 {
3432 return current_has_perm(p, PROCESS__GETSCHED);
3433 }
3434
3435 static int selinux_task_movememory(struct task_struct *p)
3436 {
3437 return current_has_perm(p, PROCESS__SETSCHED);
3438 }
3439
3440 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3441 int sig, u32 secid)
3442 {
3443 u32 perm;
3444 int rc;
3445
3446 rc = secondary_ops->task_kill(p, info, sig, secid);
3447 if (rc)
3448 return rc;
3449
3450 if (!sig)
3451 perm = PROCESS__SIGNULL; /* null signal; existence test */
3452 else
3453 perm = signal_to_av(sig);
3454 if (secid)
3455 rc = avc_has_perm(secid, task_sid(p),
3456 SECCLASS_PROCESS, perm, NULL);
3457 else
3458 rc = current_has_perm(p, perm);
3459 return rc;
3460 }
3461
3462 static int selinux_task_prctl(int option,
3463 unsigned long arg2,
3464 unsigned long arg3,
3465 unsigned long arg4,
3466 unsigned long arg5)
3467 {
3468 /* The current prctl operations do not appear to require
3469 any SELinux controls since they merely observe or modify
3470 the state of the current process. */
3471 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3472 }
3473
3474 static int selinux_task_wait(struct task_struct *p)
3475 {
3476 return task_has_perm(p, current, PROCESS__SIGCHLD);
3477 }
3478
3479 static void selinux_task_to_inode(struct task_struct *p,
3480 struct inode *inode)
3481 {
3482 struct inode_security_struct *isec = inode->i_security;
3483 u32 sid = task_sid(p);
3484
3485 isec->sid = sid;
3486 isec->initialized = 1;
3487 }
3488
3489 /* Returns error only if unable to parse addresses */
3490 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3491 struct avc_audit_data *ad, u8 *proto)
3492 {
3493 int offset, ihlen, ret = -EINVAL;
3494 struct iphdr _iph, *ih;
3495
3496 offset = skb_network_offset(skb);
3497 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3498 if (ih == NULL)
3499 goto out;
3500
3501 ihlen = ih->ihl * 4;
3502 if (ihlen < sizeof(_iph))
3503 goto out;
3504
3505 ad->u.net.v4info.saddr = ih->saddr;
3506 ad->u.net.v4info.daddr = ih->daddr;
3507 ret = 0;
3508
3509 if (proto)
3510 *proto = ih->protocol;
3511
3512 switch (ih->protocol) {
3513 case IPPROTO_TCP: {
3514 struct tcphdr _tcph, *th;
3515
3516 if (ntohs(ih->frag_off) & IP_OFFSET)
3517 break;
3518
3519 offset += ihlen;
3520 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3521 if (th == NULL)
3522 break;
3523
3524 ad->u.net.sport = th->source;
3525 ad->u.net.dport = th->dest;
3526 break;
3527 }
3528
3529 case IPPROTO_UDP: {
3530 struct udphdr _udph, *uh;
3531
3532 if (ntohs(ih->frag_off) & IP_OFFSET)
3533 break;
3534
3535 offset += ihlen;
3536 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3537 if (uh == NULL)
3538 break;
3539
3540 ad->u.net.sport = uh->source;
3541 ad->u.net.dport = uh->dest;
3542 break;
3543 }
3544
3545 case IPPROTO_DCCP: {
3546 struct dccp_hdr _dccph, *dh;
3547
3548 if (ntohs(ih->frag_off) & IP_OFFSET)
3549 break;
3550
3551 offset += ihlen;
3552 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3553 if (dh == NULL)
3554 break;
3555
3556 ad->u.net.sport = dh->dccph_sport;
3557 ad->u.net.dport = dh->dccph_dport;
3558 break;
3559 }
3560
3561 default:
3562 break;
3563 }
3564 out:
3565 return ret;
3566 }
3567
3568 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3569
3570 /* Returns error only if unable to parse addresses */
3571 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3572 struct avc_audit_data *ad, u8 *proto)
3573 {
3574 u8 nexthdr;
3575 int ret = -EINVAL, offset;
3576 struct ipv6hdr _ipv6h, *ip6;
3577
3578 offset = skb_network_offset(skb);
3579 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3580 if (ip6 == NULL)
3581 goto out;
3582
3583 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3584 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3585 ret = 0;
3586
3587 nexthdr = ip6->nexthdr;
3588 offset += sizeof(_ipv6h);
3589 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3590 if (offset < 0)
3591 goto out;
3592
3593 if (proto)
3594 *proto = nexthdr;
3595
3596 switch (nexthdr) {
3597 case IPPROTO_TCP: {
3598 struct tcphdr _tcph, *th;
3599
3600 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3601 if (th == NULL)
3602 break;
3603
3604 ad->u.net.sport = th->source;
3605 ad->u.net.dport = th->dest;
3606 break;
3607 }
3608
3609 case IPPROTO_UDP: {
3610 struct udphdr _udph, *uh;
3611
3612 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3613 if (uh == NULL)
3614 break;
3615
3616 ad->u.net.sport = uh->source;
3617 ad->u.net.dport = uh->dest;
3618 break;
3619 }
3620
3621 case IPPROTO_DCCP: {
3622 struct dccp_hdr _dccph, *dh;
3623
3624 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3625 if (dh == NULL)
3626 break;
3627
3628 ad->u.net.sport = dh->dccph_sport;
3629 ad->u.net.dport = dh->dccph_dport;
3630 break;
3631 }
3632
3633 /* includes fragments */
3634 default:
3635 break;
3636 }
3637 out:
3638 return ret;
3639 }
3640
3641 #endif /* IPV6 */
3642
3643 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3644 char **_addrp, int src, u8 *proto)
3645 {
3646 char *addrp;
3647 int ret;
3648
3649 switch (ad->u.net.family) {
3650 case PF_INET:
3651 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3652 if (ret)
3653 goto parse_error;
3654 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3655 &ad->u.net.v4info.daddr);
3656 goto okay;
3657
3658 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3659 case PF_INET6:
3660 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3661 if (ret)
3662 goto parse_error;
3663 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3664 &ad->u.net.v6info.daddr);
3665 goto okay;
3666 #endif /* IPV6 */
3667 default:
3668 addrp = NULL;
3669 goto okay;
3670 }
3671
3672 parse_error:
3673 printk(KERN_WARNING
3674 "SELinux: failure in selinux_parse_skb(),"
3675 " unable to parse packet\n");
3676 return ret;
3677
3678 okay:
3679 if (_addrp)
3680 *_addrp = addrp;
3681 return 0;
3682 }
3683
3684 /**
3685 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3686 * @skb: the packet
3687 * @family: protocol family
3688 * @sid: the packet's peer label SID
3689 *
3690 * Description:
3691 * Check the various different forms of network peer labeling and determine
3692 * the peer label/SID for the packet; most of the magic actually occurs in
3693 * the security server function security_net_peersid_cmp(). The function
3694 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3695 * or -EACCES if @sid is invalid due to inconsistencies with the different
3696 * peer labels.
3697 *
3698 */
3699 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3700 {
3701 int err;
3702 u32 xfrm_sid;
3703 u32 nlbl_sid;
3704 u32 nlbl_type;
3705
3706 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3707 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3708
3709 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3710 if (unlikely(err)) {
3711 printk(KERN_WARNING
3712 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3713 " unable to determine packet's peer label\n");
3714 return -EACCES;
3715 }
3716
3717 return 0;
3718 }
3719
3720 /* socket security operations */
3721 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3722 u32 perms)
3723 {
3724 struct inode_security_struct *isec;
3725 struct avc_audit_data ad;
3726 u32 sid;
3727 int err = 0;
3728
3729 isec = SOCK_INODE(sock)->i_security;
3730
3731 if (isec->sid == SECINITSID_KERNEL)
3732 goto out;
3733 sid = task_sid(task);
3734
3735 AVC_AUDIT_DATA_INIT(&ad, NET);
3736 ad.u.net.sk = sock->sk;
3737 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3738
3739 out:
3740 return err;
3741 }
3742
3743 static int selinux_socket_create(int family, int type,
3744 int protocol, int kern)
3745 {
3746 const struct cred *cred = current_cred();
3747 const struct task_security_struct *tsec = cred->security;
3748 u32 sid, newsid;
3749 u16 secclass;
3750 int err = 0;
3751
3752 if (kern)
3753 goto out;
3754
3755 sid = tsec->sid;
3756 newsid = tsec->sockcreate_sid ?: sid;
3757
3758 secclass = socket_type_to_security_class(family, type, protocol);
3759 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3760
3761 out:
3762 return err;
3763 }
3764
3765 static int selinux_socket_post_create(struct socket *sock, int family,
3766 int type, int protocol, int kern)
3767 {
3768 const struct cred *cred = current_cred();
3769 const struct task_security_struct *tsec = cred->security;
3770 struct inode_security_struct *isec;
3771 struct sk_security_struct *sksec;
3772 u32 sid, newsid;
3773 int err = 0;
3774
3775 sid = tsec->sid;
3776 newsid = tsec->sockcreate_sid;
3777
3778 isec = SOCK_INODE(sock)->i_security;
3779
3780 if (kern)
3781 isec->sid = SECINITSID_KERNEL;
3782 else if (newsid)
3783 isec->sid = newsid;
3784 else
3785 isec->sid = sid;
3786
3787 isec->sclass = socket_type_to_security_class(family, type, protocol);
3788 isec->initialized = 1;
3789
3790 if (sock->sk) {
3791 sksec = sock->sk->sk_security;
3792 sksec->sid = isec->sid;
3793 sksec->sclass = isec->sclass;
3794 err = selinux_netlbl_socket_post_create(sock);
3795 }
3796
3797 return err;
3798 }
3799
3800 /* Range of port numbers used to automatically bind.
3801 Need to determine whether we should perform a name_bind
3802 permission check between the socket and the port number. */
3803
3804 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3805 {
3806 u16 family;
3807 int err;
3808
3809 err = socket_has_perm(current, sock, SOCKET__BIND);
3810 if (err)
3811 goto out;
3812
3813 /*
3814 * If PF_INET or PF_INET6, check name_bind permission for the port.
3815 * Multiple address binding for SCTP is not supported yet: we just
3816 * check the first address now.
3817 */
3818 family = sock->sk->sk_family;
3819 if (family == PF_INET || family == PF_INET6) {
3820 char *addrp;
3821 struct inode_security_struct *isec;
3822 struct avc_audit_data ad;
3823 struct sockaddr_in *addr4 = NULL;
3824 struct sockaddr_in6 *addr6 = NULL;
3825 unsigned short snum;
3826 struct sock *sk = sock->sk;
3827 u32 sid, node_perm;
3828
3829 isec = SOCK_INODE(sock)->i_security;
3830
3831 if (family == PF_INET) {
3832 addr4 = (struct sockaddr_in *)address;
3833 snum = ntohs(addr4->sin_port);
3834 addrp = (char *)&addr4->sin_addr.s_addr;
3835 } else {
3836 addr6 = (struct sockaddr_in6 *)address;
3837 snum = ntohs(addr6->sin6_port);
3838 addrp = (char *)&addr6->sin6_addr.s6_addr;
3839 }
3840
3841 if (snum) {
3842 int low, high;
3843
3844 inet_get_local_port_range(&low, &high);
3845
3846 if (snum < max(PROT_SOCK, low) || snum > high) {
3847 err = sel_netport_sid(sk->sk_protocol,
3848 snum, &sid);
3849 if (err)
3850 goto out;
3851 AVC_AUDIT_DATA_INIT(&ad, NET);
3852 ad.u.net.sport = htons(snum);
3853 ad.u.net.family = family;
3854 err = avc_has_perm(isec->sid, sid,
3855 isec->sclass,
3856 SOCKET__NAME_BIND, &ad);
3857 if (err)
3858 goto out;
3859 }
3860 }
3861
3862 switch (isec->sclass) {
3863 case SECCLASS_TCP_SOCKET:
3864 node_perm = TCP_SOCKET__NODE_BIND;
3865 break;
3866
3867 case SECCLASS_UDP_SOCKET:
3868 node_perm = UDP_SOCKET__NODE_BIND;
3869 break;
3870
3871 case SECCLASS_DCCP_SOCKET:
3872 node_perm = DCCP_SOCKET__NODE_BIND;
3873 break;
3874
3875 default:
3876 node_perm = RAWIP_SOCKET__NODE_BIND;
3877 break;
3878 }
3879
3880 err = sel_netnode_sid(addrp, family, &sid);
3881 if (err)
3882 goto out;
3883
3884 AVC_AUDIT_DATA_INIT(&ad, NET);
3885 ad.u.net.sport = htons(snum);
3886 ad.u.net.family = family;
3887
3888 if (family == PF_INET)
3889 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3890 else
3891 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3892
3893 err = avc_has_perm(isec->sid, sid,
3894 isec->sclass, node_perm, &ad);
3895 if (err)
3896 goto out;
3897 }
3898 out:
3899 return err;
3900 }
3901
3902 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3903 {
3904 struct sock *sk = sock->sk;
3905 struct inode_security_struct *isec;
3906 int err;
3907
3908 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3909 if (err)
3910 return err;
3911
3912 /*
3913 * If a TCP or DCCP socket, check name_connect permission for the port.
3914 */
3915 isec = SOCK_INODE(sock)->i_security;
3916 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3917 isec->sclass == SECCLASS_DCCP_SOCKET) {
3918 struct avc_audit_data ad;
3919 struct sockaddr_in *addr4 = NULL;
3920 struct sockaddr_in6 *addr6 = NULL;
3921 unsigned short snum;
3922 u32 sid, perm;
3923
3924 if (sk->sk_family == PF_INET) {
3925 addr4 = (struct sockaddr_in *)address;
3926 if (addrlen < sizeof(struct sockaddr_in))
3927 return -EINVAL;
3928 snum = ntohs(addr4->sin_port);
3929 } else {
3930 addr6 = (struct sockaddr_in6 *)address;
3931 if (addrlen < SIN6_LEN_RFC2133)
3932 return -EINVAL;
3933 snum = ntohs(addr6->sin6_port);
3934 }
3935
3936 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3937 if (err)
3938 goto out;
3939
3940 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3941 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3942
3943 AVC_AUDIT_DATA_INIT(&ad, NET);
3944 ad.u.net.dport = htons(snum);
3945 ad.u.net.family = sk->sk_family;
3946 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3947 if (err)
3948 goto out;
3949 }
3950
3951 err = selinux_netlbl_socket_connect(sk, address);
3952
3953 out:
3954 return err;
3955 }
3956
3957 static int selinux_socket_listen(struct socket *sock, int backlog)
3958 {
3959 return socket_has_perm(current, sock, SOCKET__LISTEN);
3960 }
3961
3962 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3963 {
3964 int err;
3965 struct inode_security_struct *isec;
3966 struct inode_security_struct *newisec;
3967
3968 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3969 if (err)
3970 return err;
3971
3972 newisec = SOCK_INODE(newsock)->i_security;
3973
3974 isec = SOCK_INODE(sock)->i_security;
3975 newisec->sclass = isec->sclass;
3976 newisec->sid = isec->sid;
3977 newisec->initialized = 1;
3978
3979 return 0;
3980 }
3981
3982 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3983 int size)
3984 {
3985 int rc;
3986
3987 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3988 if (rc)
3989 return rc;
3990
3991 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3992 }
3993
3994 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3995 int size, int flags)
3996 {
3997 return socket_has_perm(current, sock, SOCKET__READ);
3998 }
3999
4000 static int selinux_socket_getsockname(struct socket *sock)
4001 {
4002 return socket_has_perm(current, sock, SOCKET__GETATTR);
4003 }
4004
4005 static int selinux_socket_getpeername(struct socket *sock)
4006 {
4007 return socket_has_perm(current, sock, SOCKET__GETATTR);
4008 }
4009
4010 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4011 {
4012 int err;
4013
4014 err = socket_has_perm(current, sock, SOCKET__SETOPT);
4015 if (err)
4016 return err;
4017
4018 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4019 }
4020
4021 static int selinux_socket_getsockopt(struct socket *sock, int level,
4022 int optname)
4023 {
4024 return socket_has_perm(current, sock, SOCKET__GETOPT);
4025 }
4026
4027 static int selinux_socket_shutdown(struct socket *sock, int how)
4028 {
4029 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4030 }
4031
4032 static int selinux_socket_unix_stream_connect(struct socket *sock,
4033 struct socket *other,
4034 struct sock *newsk)
4035 {
4036 struct sk_security_struct *ssec;
4037 struct inode_security_struct *isec;
4038 struct inode_security_struct *other_isec;
4039 struct avc_audit_data ad;
4040 int err;
4041
4042 err = secondary_ops->unix_stream_connect(sock, other, newsk);
4043 if (err)
4044 return err;
4045
4046 isec = SOCK_INODE(sock)->i_security;
4047 other_isec = SOCK_INODE(other)->i_security;
4048
4049 AVC_AUDIT_DATA_INIT(&ad, NET);
4050 ad.u.net.sk = other->sk;
4051
4052 err = avc_has_perm(isec->sid, other_isec->sid,
4053 isec->sclass,
4054 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4055 if (err)
4056 return err;
4057
4058 /* connecting socket */
4059 ssec = sock->sk->sk_security;
4060 ssec->peer_sid = other_isec->sid;
4061
4062 /* server child socket */
4063 ssec = newsk->sk_security;
4064 ssec->peer_sid = isec->sid;
4065 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4066
4067 return err;
4068 }
4069
4070 static int selinux_socket_unix_may_send(struct socket *sock,
4071 struct socket *other)
4072 {
4073 struct inode_security_struct *isec;
4074 struct inode_security_struct *other_isec;
4075 struct avc_audit_data ad;
4076 int err;
4077
4078 isec = SOCK_INODE(sock)->i_security;
4079 other_isec = SOCK_INODE(other)->i_security;
4080
4081 AVC_AUDIT_DATA_INIT(&ad, NET);
4082 ad.u.net.sk = other->sk;
4083
4084 err = avc_has_perm(isec->sid, other_isec->sid,
4085 isec->sclass, SOCKET__SENDTO, &ad);
4086 if (err)
4087 return err;
4088
4089 return 0;
4090 }
4091
4092 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4093 u32 peer_sid,
4094 struct avc_audit_data *ad)
4095 {
4096 int err;
4097 u32 if_sid;
4098 u32 node_sid;
4099
4100 err = sel_netif_sid(ifindex, &if_sid);
4101 if (err)
4102 return err;
4103 err = avc_has_perm(peer_sid, if_sid,
4104 SECCLASS_NETIF, NETIF__INGRESS, ad);
4105 if (err)
4106 return err;
4107
4108 err = sel_netnode_sid(addrp, family, &node_sid);
4109 if (err)
4110 return err;
4111 return avc_has_perm(peer_sid, node_sid,
4112 SECCLASS_NODE, NODE__RECVFROM, ad);
4113 }
4114
4115 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4116 struct sk_buff *skb,
4117 struct avc_audit_data *ad,
4118 u16 family,
4119 char *addrp)
4120 {
4121 int err;
4122 struct sk_security_struct *sksec = sk->sk_security;
4123 u16 sk_class;
4124 u32 netif_perm, node_perm, recv_perm;
4125 u32 port_sid, node_sid, if_sid, sk_sid;
4126
4127 sk_sid = sksec->sid;
4128 sk_class = sksec->sclass;
4129
4130 switch (sk_class) {
4131 case SECCLASS_UDP_SOCKET:
4132 netif_perm = NETIF__UDP_RECV;
4133 node_perm = NODE__UDP_RECV;
4134 recv_perm = UDP_SOCKET__RECV_MSG;
4135 break;
4136 case SECCLASS_TCP_SOCKET:
4137 netif_perm = NETIF__TCP_RECV;
4138 node_perm = NODE__TCP_RECV;
4139 recv_perm = TCP_SOCKET__RECV_MSG;
4140 break;
4141 case SECCLASS_DCCP_SOCKET:
4142 netif_perm = NETIF__DCCP_RECV;
4143 node_perm = NODE__DCCP_RECV;
4144 recv_perm = DCCP_SOCKET__RECV_MSG;
4145 break;
4146 default:
4147 netif_perm = NETIF__RAWIP_RECV;
4148 node_perm = NODE__RAWIP_RECV;
4149 recv_perm = 0;
4150 break;
4151 }
4152
4153 err = sel_netif_sid(skb->iif, &if_sid);
4154 if (err)
4155 return err;
4156 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4157 if (err)
4158 return err;
4159
4160 err = sel_netnode_sid(addrp, family, &node_sid);
4161 if (err)
4162 return err;
4163 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4164 if (err)
4165 return err;
4166
4167 if (!recv_perm)
4168 return 0;
4169 err = sel_netport_sid(sk->sk_protocol,
4170 ntohs(ad->u.net.sport), &port_sid);
4171 if (unlikely(err)) {
4172 printk(KERN_WARNING
4173 "SELinux: failure in"
4174 " selinux_sock_rcv_skb_iptables_compat(),"
4175 " network port label not found\n");
4176 return err;
4177 }
4178 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4179 }
4180
4181 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4182 u16 family)
4183 {
4184 int err;
4185 struct sk_security_struct *sksec = sk->sk_security;
4186 u32 peer_sid;
4187 u32 sk_sid = sksec->sid;
4188 struct avc_audit_data ad;
4189 char *addrp;
4190
4191 AVC_AUDIT_DATA_INIT(&ad, NET);
4192 ad.u.net.netif = skb->iif;
4193 ad.u.net.family = family;
4194 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4195 if (err)
4196 return err;
4197
4198 if (selinux_compat_net)
4199 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4200 family, addrp);
4201 else
4202 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4203 PACKET__RECV, &ad);
4204 if (err)
4205 return err;
4206
4207 if (selinux_policycap_netpeer) {
4208 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4209 if (err)
4210 return err;
4211 err = avc_has_perm(sk_sid, peer_sid,
4212 SECCLASS_PEER, PEER__RECV, &ad);
4213 if (err)
4214 selinux_netlbl_err(skb, err, 0);
4215 } else {
4216 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4217 if (err)
4218 return err;
4219 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4220 }
4221
4222 return err;
4223 }
4224
4225 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4226 {
4227 int err;
4228 struct sk_security_struct *sksec = sk->sk_security;
4229 u16 family = sk->sk_family;
4230 u32 sk_sid = sksec->sid;
4231 struct avc_audit_data ad;
4232 char *addrp;
4233 u8 secmark_active;
4234 u8 peerlbl_active;
4235
4236 if (family != PF_INET && family != PF_INET6)
4237 return 0;
4238
4239 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4240 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4241 family = PF_INET;
4242
4243 /* If any sort of compatibility mode is enabled then handoff processing
4244 * to the selinux_sock_rcv_skb_compat() function to deal with the
4245 * special handling. We do this in an attempt to keep this function
4246 * as fast and as clean as possible. */
4247 if (selinux_compat_net || !selinux_policycap_netpeer)
4248 return selinux_sock_rcv_skb_compat(sk, skb, family);
4249
4250 secmark_active = selinux_secmark_enabled();
4251 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4252 if (!secmark_active && !peerlbl_active)
4253 return 0;
4254
4255 AVC_AUDIT_DATA_INIT(&ad, NET);
4256 ad.u.net.netif = skb->iif;
4257 ad.u.net.family = family;
4258 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4259 if (err)
4260 return err;
4261
4262 if (peerlbl_active) {
4263 u32 peer_sid;
4264
4265 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4266 if (err)
4267 return err;
4268 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4269 peer_sid, &ad);
4270 if (err) {
4271 selinux_netlbl_err(skb, err, 0);
4272 return err;
4273 }
4274 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4275 PEER__RECV, &ad);
4276 if (err)
4277 selinux_netlbl_err(skb, err, 0);
4278 }
4279
4280 if (secmark_active) {
4281 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4282 PACKET__RECV, &ad);
4283 if (err)
4284 return err;
4285 }
4286
4287 return err;
4288 }
4289
4290 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4291 int __user *optlen, unsigned len)
4292 {
4293 int err = 0;
4294 char *scontext;
4295 u32 scontext_len;
4296 struct sk_security_struct *ssec;
4297 struct inode_security_struct *isec;
4298 u32 peer_sid = SECSID_NULL;
4299
4300 isec = SOCK_INODE(sock)->i_security;
4301
4302 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4303 isec->sclass == SECCLASS_TCP_SOCKET) {
4304 ssec = sock->sk->sk_security;
4305 peer_sid = ssec->peer_sid;
4306 }
4307 if (peer_sid == SECSID_NULL) {
4308 err = -ENOPROTOOPT;
4309 goto out;
4310 }
4311
4312 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4313
4314 if (err)
4315 goto out;
4316
4317 if (scontext_len > len) {
4318 err = -ERANGE;
4319 goto out_len;
4320 }
4321
4322 if (copy_to_user(optval, scontext, scontext_len))
4323 err = -EFAULT;
4324
4325 out_len:
4326 if (put_user(scontext_len, optlen))
4327 err = -EFAULT;
4328
4329 kfree(scontext);
4330 out:
4331 return err;
4332 }
4333
4334 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4335 {
4336 u32 peer_secid = SECSID_NULL;
4337 u16 family;
4338
4339 if (skb && skb->protocol == htons(ETH_P_IP))
4340 family = PF_INET;
4341 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4342 family = PF_INET6;
4343 else if (sock)
4344 family = sock->sk->sk_family;
4345 else
4346 goto out;
4347
4348 if (sock && family == PF_UNIX)
4349 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4350 else if (skb)
4351 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4352
4353 out:
4354 *secid = peer_secid;
4355 if (peer_secid == SECSID_NULL)
4356 return -EINVAL;
4357 return 0;
4358 }
4359
4360 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4361 {
4362 return sk_alloc_security(sk, family, priority);
4363 }
4364
4365 static void selinux_sk_free_security(struct sock *sk)
4366 {
4367 sk_free_security(sk);
4368 }
4369
4370 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4371 {
4372 struct sk_security_struct *ssec = sk->sk_security;
4373 struct sk_security_struct *newssec = newsk->sk_security;
4374
4375 newssec->sid = ssec->sid;
4376 newssec->peer_sid = ssec->peer_sid;
4377 newssec->sclass = ssec->sclass;
4378
4379 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4380 }
4381
4382 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4383 {
4384 if (!sk)
4385 *secid = SECINITSID_ANY_SOCKET;
4386 else {
4387 struct sk_security_struct *sksec = sk->sk_security;
4388
4389 *secid = sksec->sid;
4390 }
4391 }
4392
4393 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4394 {
4395 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4396 struct sk_security_struct *sksec = sk->sk_security;
4397
4398 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4399 sk->sk_family == PF_UNIX)
4400 isec->sid = sksec->sid;
4401 sksec->sclass = isec->sclass;
4402 }
4403
4404 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4405 struct request_sock *req)
4406 {
4407 struct sk_security_struct *sksec = sk->sk_security;
4408 int err;
4409 u16 family = sk->sk_family;
4410 u32 newsid;
4411 u32 peersid;
4412
4413 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4414 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4415 family = PF_INET;
4416
4417 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4418 if (err)
4419 return err;
4420 if (peersid == SECSID_NULL) {
4421 req->secid = sksec->sid;
4422 req->peer_secid = SECSID_NULL;
4423 return 0;
4424 }
4425
4426 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4427 if (err)
4428 return err;
4429
4430 req->secid = newsid;
4431 req->peer_secid = peersid;
4432 return 0;
4433 }
4434
4435 static void selinux_inet_csk_clone(struct sock *newsk,
4436 const struct request_sock *req)
4437 {
4438 struct sk_security_struct *newsksec = newsk->sk_security;
4439
4440 newsksec->sid = req->secid;
4441 newsksec->peer_sid = req->peer_secid;
4442 /* NOTE: Ideally, we should also get the isec->sid for the
4443 new socket in sync, but we don't have the isec available yet.
4444 So we will wait until sock_graft to do it, by which
4445 time it will have been created and available. */
4446
4447 /* We don't need to take any sort of lock here as we are the only
4448 * thread with access to newsksec */
4449 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4450 }
4451
4452 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4453 {
4454 u16 family = sk->sk_family;
4455 struct sk_security_struct *sksec = sk->sk_security;
4456
4457 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4458 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4459 family = PF_INET;
4460
4461 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4462
4463 selinux_netlbl_inet_conn_established(sk, family);
4464 }
4465
4466 static void selinux_req_classify_flow(const struct request_sock *req,
4467 struct flowi *fl)
4468 {
4469 fl->secid = req->secid;
4470 }
4471
4472 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4473 {
4474 int err = 0;
4475 u32 perm;
4476 struct nlmsghdr *nlh;
4477 struct socket *sock = sk->sk_socket;
4478 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4479
4480 if (skb->len < NLMSG_SPACE(0)) {
4481 err = -EINVAL;
4482 goto out;
4483 }
4484 nlh = nlmsg_hdr(skb);
4485
4486 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4487 if (err) {
4488 if (err == -EINVAL) {
4489 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4490 "SELinux: unrecognized netlink message"
4491 " type=%hu for sclass=%hu\n",
4492 nlh->nlmsg_type, isec->sclass);
4493 if (!selinux_enforcing || security_get_allow_unknown())
4494 err = 0;
4495 }
4496
4497 /* Ignore */
4498 if (err == -ENOENT)
4499 err = 0;
4500 goto out;
4501 }
4502
4503 err = socket_has_perm(current, sock, perm);
4504 out:
4505 return err;
4506 }
4507
4508 #ifdef CONFIG_NETFILTER
4509
4510 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4511 u16 family)
4512 {
4513 int err;
4514 char *addrp;
4515 u32 peer_sid;
4516 struct avc_audit_data ad;
4517 u8 secmark_active;
4518 u8 netlbl_active;
4519 u8 peerlbl_active;
4520
4521 if (!selinux_policycap_netpeer)
4522 return NF_ACCEPT;
4523
4524 secmark_active = selinux_secmark_enabled();
4525 netlbl_active = netlbl_enabled();
4526 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4527 if (!secmark_active && !peerlbl_active)
4528 return NF_ACCEPT;
4529
4530 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4531 return NF_DROP;
4532
4533 AVC_AUDIT_DATA_INIT(&ad, NET);
4534 ad.u.net.netif = ifindex;
4535 ad.u.net.family = family;
4536 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4537 return NF_DROP;
4538
4539 if (peerlbl_active) {
4540 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4541 peer_sid, &ad);
4542 if (err) {
4543 selinux_netlbl_err(skb, err, 1);
4544 return NF_DROP;
4545 }
4546 }
4547
4548 if (secmark_active)
4549 if (avc_has_perm(peer_sid, skb->secmark,
4550 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4551 return NF_DROP;
4552
4553 if (netlbl_active)
4554 /* we do this in the FORWARD path and not the POST_ROUTING
4555 * path because we want to make sure we apply the necessary
4556 * labeling before IPsec is applied so we can leverage AH
4557 * protection */
4558 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4559 return NF_DROP;
4560
4561 return NF_ACCEPT;
4562 }
4563
4564 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4565 struct sk_buff *skb,
4566 const struct net_device *in,
4567 const struct net_device *out,
4568 int (*okfn)(struct sk_buff *))
4569 {
4570 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4571 }
4572
4573 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4574 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4575 struct sk_buff *skb,
4576 const struct net_device *in,
4577 const struct net_device *out,
4578 int (*okfn)(struct sk_buff *))
4579 {
4580 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4581 }
4582 #endif /* IPV6 */
4583
4584 static unsigned int selinux_ip_output(struct sk_buff *skb,
4585 u16 family)
4586 {
4587 u32 sid;
4588
4589 if (!netlbl_enabled())
4590 return NF_ACCEPT;
4591
4592 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4593 * because we want to make sure we apply the necessary labeling
4594 * before IPsec is applied so we can leverage AH protection */
4595 if (skb->sk) {
4596 struct sk_security_struct *sksec = skb->sk->sk_security;
4597 sid = sksec->sid;
4598 } else
4599 sid = SECINITSID_KERNEL;
4600 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4601 return NF_DROP;
4602
4603 return NF_ACCEPT;
4604 }
4605
4606 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4607 struct sk_buff *skb,
4608 const struct net_device *in,
4609 const struct net_device *out,
4610 int (*okfn)(struct sk_buff *))
4611 {
4612 return selinux_ip_output(skb, PF_INET);
4613 }
4614
4615 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4616 int ifindex,
4617 struct avc_audit_data *ad,
4618 u16 family, char *addrp)
4619 {
4620 int err;
4621 struct sk_security_struct *sksec = sk->sk_security;
4622 u16 sk_class;
4623 u32 netif_perm, node_perm, send_perm;
4624 u32 port_sid, node_sid, if_sid, sk_sid;
4625
4626 sk_sid = sksec->sid;
4627 sk_class = sksec->sclass;
4628
4629 switch (sk_class) {
4630 case SECCLASS_UDP_SOCKET:
4631 netif_perm = NETIF__UDP_SEND;
4632 node_perm = NODE__UDP_SEND;
4633 send_perm = UDP_SOCKET__SEND_MSG;
4634 break;
4635 case SECCLASS_TCP_SOCKET:
4636 netif_perm = NETIF__TCP_SEND;
4637 node_perm = NODE__TCP_SEND;
4638 send_perm = TCP_SOCKET__SEND_MSG;
4639 break;
4640 case SECCLASS_DCCP_SOCKET:
4641 netif_perm = NETIF__DCCP_SEND;
4642 node_perm = NODE__DCCP_SEND;
4643 send_perm = DCCP_SOCKET__SEND_MSG;
4644 break;
4645 default:
4646 netif_perm = NETIF__RAWIP_SEND;
4647 node_perm = NODE__RAWIP_SEND;
4648 send_perm = 0;
4649 break;
4650 }
4651
4652 err = sel_netif_sid(ifindex, &if_sid);
4653 if (err)
4654 return err;
4655 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4656 return err;
4657
4658 err = sel_netnode_sid(addrp, family, &node_sid);
4659 if (err)
4660 return err;
4661 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4662 if (err)
4663 return err;
4664
4665 if (send_perm != 0)
4666 return 0;
4667
4668 err = sel_netport_sid(sk->sk_protocol,
4669 ntohs(ad->u.net.dport), &port_sid);
4670 if (unlikely(err)) {
4671 printk(KERN_WARNING
4672 "SELinux: failure in"
4673 " selinux_ip_postroute_iptables_compat(),"
4674 " network port label not found\n");
4675 return err;
4676 }
4677 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4678 }
4679
4680 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4681 int ifindex,
4682 u16 family)
4683 {
4684 struct sock *sk = skb->sk;
4685 struct sk_security_struct *sksec;
4686 struct avc_audit_data ad;
4687 char *addrp;
4688 u8 proto;
4689
4690 if (sk == NULL)
4691 return NF_ACCEPT;
4692 sksec = sk->sk_security;
4693
4694 AVC_AUDIT_DATA_INIT(&ad, NET);
4695 ad.u.net.netif = ifindex;
4696 ad.u.net.family = family;
4697 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4698 return NF_DROP;
4699
4700 if (selinux_compat_net) {
4701 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4702 &ad, family, addrp))
4703 return NF_DROP;
4704 } else {
4705 if (avc_has_perm(sksec->sid, skb->secmark,
4706 SECCLASS_PACKET, PACKET__SEND, &ad))
4707 return NF_DROP;
4708 }
4709
4710 if (selinux_policycap_netpeer)
4711 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4712 return NF_DROP;
4713
4714 return NF_ACCEPT;
4715 }
4716
4717 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4718 u16 family)
4719 {
4720 u32 secmark_perm;
4721 u32 peer_sid;
4722 struct sock *sk;
4723 struct avc_audit_data ad;
4724 char *addrp;
4725 u8 secmark_active;
4726 u8 peerlbl_active;
4727
4728 /* If any sort of compatibility mode is enabled then handoff processing
4729 * to the selinux_ip_postroute_compat() function to deal with the
4730 * special handling. We do this in an attempt to keep this function
4731 * as fast and as clean as possible. */
4732 if (selinux_compat_net || !selinux_policycap_netpeer)
4733 return selinux_ip_postroute_compat(skb, ifindex, family);
4734
4735 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4736 * packet transformation so allow the packet to pass without any checks
4737 * since we'll have another chance to perform access control checks
4738 * when the packet is on it's final way out.
4739 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4740 * is NULL, in this case go ahead and apply access control. */
4741 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4742 return NF_ACCEPT;
4743
4744 secmark_active = selinux_secmark_enabled();
4745 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4746 if (!secmark_active && !peerlbl_active)
4747 return NF_ACCEPT;
4748
4749 /* if the packet is being forwarded then get the peer label from the
4750 * packet itself; otherwise check to see if it is from a local
4751 * application or the kernel, if from an application get the peer label
4752 * from the sending socket, otherwise use the kernel's sid */
4753 sk = skb->sk;
4754 if (sk == NULL) {
4755 switch (family) {
4756 case PF_INET:
4757 if (IPCB(skb)->flags & IPSKB_FORWARDED)
4758 secmark_perm = PACKET__FORWARD_OUT;
4759 else
4760 secmark_perm = PACKET__SEND;
4761 break;
4762 case PF_INET6:
4763 if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4764 secmark_perm = PACKET__FORWARD_OUT;
4765 else
4766 secmark_perm = PACKET__SEND;
4767 break;
4768 default:
4769 return NF_DROP;
4770 }
4771 if (secmark_perm == PACKET__FORWARD_OUT) {
4772 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4773 return NF_DROP;
4774 } else
4775 peer_sid = SECINITSID_KERNEL;
4776 } else {
4777 struct sk_security_struct *sksec = sk->sk_security;
4778 peer_sid = sksec->sid;
4779 secmark_perm = PACKET__SEND;
4780 }
4781
4782 AVC_AUDIT_DATA_INIT(&ad, NET);
4783 ad.u.net.netif = ifindex;
4784 ad.u.net.family = family;
4785 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4786 return NF_DROP;
4787
4788 if (secmark_active)
4789 if (avc_has_perm(peer_sid, skb->secmark,
4790 SECCLASS_PACKET, secmark_perm, &ad))
4791 return NF_DROP;
4792
4793 if (peerlbl_active) {
4794 u32 if_sid;
4795 u32 node_sid;
4796
4797 if (sel_netif_sid(ifindex, &if_sid))
4798 return NF_DROP;
4799 if (avc_has_perm(peer_sid, if_sid,
4800 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4801 return NF_DROP;
4802
4803 if (sel_netnode_sid(addrp, family, &node_sid))
4804 return NF_DROP;
4805 if (avc_has_perm(peer_sid, node_sid,
4806 SECCLASS_NODE, NODE__SENDTO, &ad))
4807 return NF_DROP;
4808 }
4809
4810 return NF_ACCEPT;
4811 }
4812
4813 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4814 struct sk_buff *skb,
4815 const struct net_device *in,
4816 const struct net_device *out,
4817 int (*okfn)(struct sk_buff *))
4818 {
4819 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4820 }
4821
4822 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4823 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4824 struct sk_buff *skb,
4825 const struct net_device *in,
4826 const struct net_device *out,
4827 int (*okfn)(struct sk_buff *))
4828 {
4829 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4830 }
4831 #endif /* IPV6 */
4832
4833 #endif /* CONFIG_NETFILTER */
4834
4835 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4836 {
4837 int err;
4838
4839 err = secondary_ops->netlink_send(sk, skb);
4840 if (err)
4841 return err;
4842
4843 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4844 err = selinux_nlmsg_perm(sk, skb);
4845
4846 return err;
4847 }
4848
4849 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4850 {
4851 int err;
4852 struct avc_audit_data ad;
4853
4854 err = secondary_ops->netlink_recv(skb, capability);
4855 if (err)
4856 return err;
4857
4858 AVC_AUDIT_DATA_INIT(&ad, CAP);
4859 ad.u.cap = capability;
4860
4861 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4862 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4863 }
4864
4865 static int ipc_alloc_security(struct task_struct *task,
4866 struct kern_ipc_perm *perm,
4867 u16 sclass)
4868 {
4869 struct ipc_security_struct *isec;
4870 u32 sid;
4871
4872 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4873 if (!isec)
4874 return -ENOMEM;
4875
4876 sid = task_sid(task);
4877 isec->sclass = sclass;
4878 isec->sid = sid;
4879 perm->security = isec;
4880
4881 return 0;
4882 }
4883
4884 static void ipc_free_security(struct kern_ipc_perm *perm)
4885 {
4886 struct ipc_security_struct *isec = perm->security;
4887 perm->security = NULL;
4888 kfree(isec);
4889 }
4890
4891 static int msg_msg_alloc_security(struct msg_msg *msg)
4892 {
4893 struct msg_security_struct *msec;
4894
4895 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4896 if (!msec)
4897 return -ENOMEM;
4898
4899 msec->sid = SECINITSID_UNLABELED;
4900 msg->security = msec;
4901
4902 return 0;
4903 }
4904
4905 static void msg_msg_free_security(struct msg_msg *msg)
4906 {
4907 struct msg_security_struct *msec = msg->security;
4908
4909 msg->security = NULL;
4910 kfree(msec);
4911 }
4912
4913 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4914 u32 perms)
4915 {
4916 struct ipc_security_struct *isec;
4917 struct avc_audit_data ad;
4918 u32 sid = current_sid();
4919
4920 isec = ipc_perms->security;
4921
4922 AVC_AUDIT_DATA_INIT(&ad, IPC);
4923 ad.u.ipc_id = ipc_perms->key;
4924
4925 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4926 }
4927
4928 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4929 {
4930 return msg_msg_alloc_security(msg);
4931 }
4932
4933 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4934 {
4935 msg_msg_free_security(msg);
4936 }
4937
4938 /* message queue security operations */
4939 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4940 {
4941 struct ipc_security_struct *isec;
4942 struct avc_audit_data ad;
4943 u32 sid = current_sid();
4944 int rc;
4945
4946 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4947 if (rc)
4948 return rc;
4949
4950 isec = msq->q_perm.security;
4951
4952 AVC_AUDIT_DATA_INIT(&ad, IPC);
4953 ad.u.ipc_id = msq->q_perm.key;
4954
4955 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4956 MSGQ__CREATE, &ad);
4957 if (rc) {
4958 ipc_free_security(&msq->q_perm);
4959 return rc;
4960 }
4961 return 0;
4962 }
4963
4964 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4965 {
4966 ipc_free_security(&msq->q_perm);
4967 }
4968
4969 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4970 {
4971 struct ipc_security_struct *isec;
4972 struct avc_audit_data ad;
4973 u32 sid = current_sid();
4974
4975 isec = msq->q_perm.security;
4976
4977 AVC_AUDIT_DATA_INIT(&ad, IPC);
4978 ad.u.ipc_id = msq->q_perm.key;
4979
4980 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4981 MSGQ__ASSOCIATE, &ad);
4982 }
4983
4984 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4985 {
4986 int err;
4987 int perms;
4988
4989 switch (cmd) {
4990 case IPC_INFO:
4991 case MSG_INFO:
4992 /* No specific object, just general system-wide information. */
4993 return task_has_system(current, SYSTEM__IPC_INFO);
4994 case IPC_STAT:
4995 case MSG_STAT:
4996 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4997 break;
4998 case IPC_SET:
4999 perms = MSGQ__SETATTR;
5000 break;
5001 case IPC_RMID:
5002 perms = MSGQ__DESTROY;
5003 break;
5004 default:
5005 return 0;
5006 }
5007
5008 err = ipc_has_perm(&msq->q_perm, perms);
5009 return err;
5010 }
5011
5012 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5013 {
5014 struct ipc_security_struct *isec;
5015 struct msg_security_struct *msec;
5016 struct avc_audit_data ad;
5017 u32 sid = current_sid();
5018 int rc;
5019
5020 isec = msq->q_perm.security;
5021 msec = msg->security;
5022
5023 /*
5024 * First time through, need to assign label to the message
5025 */
5026 if (msec->sid == SECINITSID_UNLABELED) {
5027 /*
5028 * Compute new sid based on current process and
5029 * message queue this message will be stored in
5030 */
5031 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5032 &msec->sid);
5033 if (rc)
5034 return rc;
5035 }
5036
5037 AVC_AUDIT_DATA_INIT(&ad, IPC);
5038 ad.u.ipc_id = msq->q_perm.key;
5039
5040 /* Can this process write to the queue? */
5041 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5042 MSGQ__WRITE, &ad);
5043 if (!rc)
5044 /* Can this process send the message */
5045 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5046 MSG__SEND, &ad);
5047 if (!rc)
5048 /* Can the message be put in the queue? */
5049 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5050 MSGQ__ENQUEUE, &ad);
5051
5052 return rc;
5053 }
5054
5055 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5056 struct task_struct *target,
5057 long type, int mode)
5058 {
5059 struct ipc_security_struct *isec;
5060 struct msg_security_struct *msec;
5061 struct avc_audit_data ad;
5062 u32 sid = task_sid(target);
5063 int rc;
5064
5065 isec = msq->q_perm.security;
5066 msec = msg->security;
5067
5068 AVC_AUDIT_DATA_INIT(&ad, IPC);
5069 ad.u.ipc_id = msq->q_perm.key;
5070
5071 rc = avc_has_perm(sid, isec->sid,
5072 SECCLASS_MSGQ, MSGQ__READ, &ad);
5073 if (!rc)
5074 rc = avc_has_perm(sid, msec->sid,
5075 SECCLASS_MSG, MSG__RECEIVE, &ad);
5076 return rc;
5077 }
5078
5079 /* Shared Memory security operations */
5080 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5081 {
5082 struct ipc_security_struct *isec;
5083 struct avc_audit_data ad;
5084 u32 sid = current_sid();
5085 int rc;
5086
5087 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5088 if (rc)
5089 return rc;
5090
5091 isec = shp->shm_perm.security;
5092
5093 AVC_AUDIT_DATA_INIT(&ad, IPC);
5094 ad.u.ipc_id = shp->shm_perm.key;
5095
5096 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5097 SHM__CREATE, &ad);
5098 if (rc) {
5099 ipc_free_security(&shp->shm_perm);
5100 return rc;
5101 }
5102 return 0;
5103 }
5104
5105 static void selinux_shm_free_security(struct shmid_kernel *shp)
5106 {
5107 ipc_free_security(&shp->shm_perm);
5108 }
5109
5110 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5111 {
5112 struct ipc_security_struct *isec;
5113 struct avc_audit_data ad;
5114 u32 sid = current_sid();
5115
5116 isec = shp->shm_perm.security;
5117
5118 AVC_AUDIT_DATA_INIT(&ad, IPC);
5119 ad.u.ipc_id = shp->shm_perm.key;
5120
5121 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5122 SHM__ASSOCIATE, &ad);
5123 }
5124
5125 /* Note, at this point, shp is locked down */
5126 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5127 {
5128 int perms;
5129 int err;
5130
5131 switch (cmd) {
5132 case IPC_INFO:
5133 case SHM_INFO:
5134 /* No specific object, just general system-wide information. */
5135 return task_has_system(current, SYSTEM__IPC_INFO);
5136 case IPC_STAT:
5137 case SHM_STAT:
5138 perms = SHM__GETATTR | SHM__ASSOCIATE;
5139 break;
5140 case IPC_SET:
5141 perms = SHM__SETATTR;
5142 break;
5143 case SHM_LOCK:
5144 case SHM_UNLOCK:
5145 perms = SHM__LOCK;
5146 break;
5147 case IPC_RMID:
5148 perms = SHM__DESTROY;
5149 break;
5150 default:
5151 return 0;
5152 }
5153
5154 err = ipc_has_perm(&shp->shm_perm, perms);
5155 return err;
5156 }
5157
5158 static int selinux_shm_shmat(struct shmid_kernel *shp,
5159 char __user *shmaddr, int shmflg)
5160 {
5161 u32 perms;
5162 int rc;
5163
5164 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5165 if (rc)
5166 return rc;
5167
5168 if (shmflg & SHM_RDONLY)
5169 perms = SHM__READ;
5170 else
5171 perms = SHM__READ | SHM__WRITE;
5172
5173 return ipc_has_perm(&shp->shm_perm, perms);
5174 }
5175
5176 /* Semaphore security operations */
5177 static int selinux_sem_alloc_security(struct sem_array *sma)
5178 {
5179 struct ipc_security_struct *isec;
5180 struct avc_audit_data ad;
5181 u32 sid = current_sid();
5182 int rc;
5183
5184 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5185 if (rc)
5186 return rc;
5187
5188 isec = sma->sem_perm.security;
5189
5190 AVC_AUDIT_DATA_INIT(&ad, IPC);
5191 ad.u.ipc_id = sma->sem_perm.key;
5192
5193 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5194 SEM__CREATE, &ad);
5195 if (rc) {
5196 ipc_free_security(&sma->sem_perm);
5197 return rc;
5198 }
5199 return 0;
5200 }
5201
5202 static void selinux_sem_free_security(struct sem_array *sma)
5203 {
5204 ipc_free_security(&sma->sem_perm);
5205 }
5206
5207 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5208 {
5209 struct ipc_security_struct *isec;
5210 struct avc_audit_data ad;
5211 u32 sid = current_sid();
5212
5213 isec = sma->sem_perm.security;
5214
5215 AVC_AUDIT_DATA_INIT(&ad, IPC);
5216 ad.u.ipc_id = sma->sem_perm.key;
5217
5218 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5219 SEM__ASSOCIATE, &ad);
5220 }
5221
5222 /* Note, at this point, sma is locked down */
5223 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5224 {
5225 int err;
5226 u32 perms;
5227
5228 switch (cmd) {
5229 case IPC_INFO:
5230 case SEM_INFO:
5231 /* No specific object, just general system-wide information. */
5232 return task_has_system(current, SYSTEM__IPC_INFO);
5233 case GETPID:
5234 case GETNCNT:
5235 case GETZCNT:
5236 perms = SEM__GETATTR;
5237 break;
5238 case GETVAL:
5239 case GETALL:
5240 perms = SEM__READ;
5241 break;
5242 case SETVAL:
5243 case SETALL:
5244 perms = SEM__WRITE;
5245 break;
5246 case IPC_RMID:
5247 perms = SEM__DESTROY;
5248 break;
5249 case IPC_SET:
5250 perms = SEM__SETATTR;
5251 break;
5252 case IPC_STAT:
5253 case SEM_STAT:
5254 perms = SEM__GETATTR | SEM__ASSOCIATE;
5255 break;
5256 default:
5257 return 0;
5258 }
5259
5260 err = ipc_has_perm(&sma->sem_perm, perms);
5261 return err;
5262 }
5263
5264 static int selinux_sem_semop(struct sem_array *sma,
5265 struct sembuf *sops, unsigned nsops, int alter)
5266 {
5267 u32 perms;
5268
5269 if (alter)
5270 perms = SEM__READ | SEM__WRITE;
5271 else
5272 perms = SEM__READ;
5273
5274 return ipc_has_perm(&sma->sem_perm, perms);
5275 }
5276
5277 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5278 {
5279 u32 av = 0;
5280
5281 av = 0;
5282 if (flag & S_IRUGO)
5283 av |= IPC__UNIX_READ;
5284 if (flag & S_IWUGO)
5285 av |= IPC__UNIX_WRITE;
5286
5287 if (av == 0)
5288 return 0;
5289
5290 return ipc_has_perm(ipcp, av);
5291 }
5292
5293 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5294 {
5295 struct ipc_security_struct *isec = ipcp->security;
5296 *secid = isec->sid;
5297 }
5298
5299 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5300 {
5301 if (inode)
5302 inode_doinit_with_dentry(inode, dentry);
5303 }
5304
5305 static int selinux_getprocattr(struct task_struct *p,
5306 char *name, char **value)
5307 {
5308 const struct task_security_struct *__tsec;
5309 u32 sid;
5310 int error;
5311 unsigned len;
5312
5313 if (current != p) {
5314 error = current_has_perm(p, PROCESS__GETATTR);
5315 if (error)
5316 return error;
5317 }
5318
5319 rcu_read_lock();
5320 __tsec = __task_cred(p)->security;
5321
5322 if (!strcmp(name, "current"))
5323 sid = __tsec->sid;
5324 else if (!strcmp(name, "prev"))
5325 sid = __tsec->osid;
5326 else if (!strcmp(name, "exec"))
5327 sid = __tsec->exec_sid;
5328 else if (!strcmp(name, "fscreate"))
5329 sid = __tsec->create_sid;
5330 else if (!strcmp(name, "keycreate"))
5331 sid = __tsec->keycreate_sid;
5332 else if (!strcmp(name, "sockcreate"))
5333 sid = __tsec->sockcreate_sid;
5334 else
5335 goto invalid;
5336 rcu_read_unlock();
5337
5338 if (!sid)
5339 return 0;
5340
5341 error = security_sid_to_context(sid, value, &len);
5342 if (error)
5343 return error;
5344 return len;
5345
5346 invalid:
5347 rcu_read_unlock();
5348 return -EINVAL;
5349 }
5350
5351 static int selinux_setprocattr(struct task_struct *p,
5352 char *name, void *value, size_t size)
5353 {
5354 struct task_security_struct *tsec;
5355 struct task_struct *tracer;
5356 struct cred *new;
5357 u32 sid = 0, ptsid;
5358 int error;
5359 char *str = value;
5360
5361 if (current != p) {
5362 /* SELinux only allows a process to change its own
5363 security attributes. */
5364 return -EACCES;
5365 }
5366
5367 /*
5368 * Basic control over ability to set these attributes at all.
5369 * current == p, but we'll pass them separately in case the
5370 * above restriction is ever removed.
5371 */
5372 if (!strcmp(name, "exec"))
5373 error = current_has_perm(p, PROCESS__SETEXEC);
5374 else if (!strcmp(name, "fscreate"))
5375 error = current_has_perm(p, PROCESS__SETFSCREATE);
5376 else if (!strcmp(name, "keycreate"))
5377 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5378 else if (!strcmp(name, "sockcreate"))
5379 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5380 else if (!strcmp(name, "current"))
5381 error = current_has_perm(p, PROCESS__SETCURRENT);
5382 else
5383 error = -EINVAL;
5384 if (error)
5385 return error;
5386
5387 /* Obtain a SID for the context, if one was specified. */
5388 if (size && str[1] && str[1] != '\n') {
5389 if (str[size-1] == '\n') {
5390 str[size-1] = 0;
5391 size--;
5392 }
5393 error = security_context_to_sid(value, size, &sid);
5394 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5395 if (!capable(CAP_MAC_ADMIN))
5396 return error;
5397 error = security_context_to_sid_force(value, size,
5398 &sid);
5399 }
5400 if (error)
5401 return error;
5402 }
5403
5404 new = prepare_creds();
5405 if (!new)
5406 return -ENOMEM;
5407
5408 /* Permission checking based on the specified context is
5409 performed during the actual operation (execve,
5410 open/mkdir/...), when we know the full context of the
5411 operation. See selinux_bprm_set_creds for the execve
5412 checks and may_create for the file creation checks. The
5413 operation will then fail if the context is not permitted. */
5414 tsec = new->security;
5415 if (!strcmp(name, "exec")) {
5416 tsec->exec_sid = sid;
5417 } else if (!strcmp(name, "fscreate")) {
5418 tsec->create_sid = sid;
5419 } else if (!strcmp(name, "keycreate")) {
5420 error = may_create_key(sid, p);
5421 if (error)
5422 goto abort_change;
5423 tsec->keycreate_sid = sid;
5424 } else if (!strcmp(name, "sockcreate")) {
5425 tsec->sockcreate_sid = sid;
5426 } else if (!strcmp(name, "current")) {
5427 error = -EINVAL;
5428 if (sid == 0)
5429 goto abort_change;
5430
5431 /* Only allow single threaded processes to change context */
5432 error = -EPERM;
5433 if (!is_single_threaded(p)) {
5434 error = security_bounded_transition(tsec->sid, sid);
5435 if (error)
5436 goto abort_change;
5437 }
5438
5439 /* Check permissions for the transition. */
5440 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5441 PROCESS__DYNTRANSITION, NULL);
5442 if (error)
5443 goto abort_change;
5444
5445 /* Check for ptracing, and update the task SID if ok.
5446 Otherwise, leave SID unchanged and fail. */
5447 ptsid = 0;
5448 task_lock(p);
5449 tracer = tracehook_tracer_task(p);
5450 if (tracer)
5451 ptsid = task_sid(tracer);
5452 task_unlock(p);
5453
5454 if (tracer) {
5455 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5456 PROCESS__PTRACE, NULL);
5457 if (error)
5458 goto abort_change;
5459 }
5460
5461 tsec->sid = sid;
5462 } else {
5463 error = -EINVAL;
5464 goto abort_change;
5465 }
5466
5467 commit_creds(new);
5468 return size;
5469
5470 abort_change:
5471 abort_creds(new);
5472 return error;
5473 }
5474
5475 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5476 {
5477 return security_sid_to_context(secid, secdata, seclen);
5478 }
5479
5480 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5481 {
5482 return security_context_to_sid(secdata, seclen, secid);
5483 }
5484
5485 static void selinux_release_secctx(char *secdata, u32 seclen)
5486 {
5487 kfree(secdata);
5488 }
5489
5490 #ifdef CONFIG_KEYS
5491
5492 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5493 unsigned long flags)
5494 {
5495 const struct task_security_struct *tsec;
5496 struct key_security_struct *ksec;
5497
5498 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5499 if (!ksec)
5500 return -ENOMEM;
5501
5502 tsec = cred->security;
5503 if (tsec->keycreate_sid)
5504 ksec->sid = tsec->keycreate_sid;
5505 else
5506 ksec->sid = tsec->sid;
5507
5508 k->security = ksec;
5509 return 0;
5510 }
5511
5512 static void selinux_key_free(struct key *k)
5513 {
5514 struct key_security_struct *ksec = k->security;
5515
5516 k->security = NULL;
5517 kfree(ksec);
5518 }
5519
5520 static int selinux_key_permission(key_ref_t key_ref,
5521 const struct cred *cred,
5522 key_perm_t perm)
5523 {
5524 struct key *key;
5525 struct key_security_struct *ksec;
5526 u32 sid;
5527
5528 /* if no specific permissions are requested, we skip the
5529 permission check. No serious, additional covert channels
5530 appear to be created. */
5531 if (perm == 0)
5532 return 0;
5533
5534 sid = cred_sid(cred);
5535
5536 key = key_ref_to_ptr(key_ref);
5537 ksec = key->security;
5538
5539 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5540 }
5541
5542 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5543 {
5544 struct key_security_struct *ksec = key->security;
5545 char *context = NULL;
5546 unsigned len;
5547 int rc;
5548
5549 rc = security_sid_to_context(ksec->sid, &context, &len);
5550 if (!rc)
5551 rc = len;
5552 *_buffer = context;
5553 return rc;
5554 }
5555
5556 #endif
5557
5558 static struct security_operations selinux_ops = {
5559 .name = "selinux",
5560
5561 .ptrace_may_access = selinux_ptrace_may_access,
5562 .ptrace_traceme = selinux_ptrace_traceme,
5563 .capget = selinux_capget,
5564 .capset = selinux_capset,
5565 .sysctl = selinux_sysctl,
5566 .capable = selinux_capable,
5567 .quotactl = selinux_quotactl,
5568 .quota_on = selinux_quota_on,
5569 .syslog = selinux_syslog,
5570 .vm_enough_memory = selinux_vm_enough_memory,
5571
5572 .netlink_send = selinux_netlink_send,
5573 .netlink_recv = selinux_netlink_recv,
5574
5575 .bprm_set_creds = selinux_bprm_set_creds,
5576 .bprm_check_security = selinux_bprm_check_security,
5577 .bprm_committing_creds = selinux_bprm_committing_creds,
5578 .bprm_committed_creds = selinux_bprm_committed_creds,
5579 .bprm_secureexec = selinux_bprm_secureexec,
5580
5581 .sb_alloc_security = selinux_sb_alloc_security,
5582 .sb_free_security = selinux_sb_free_security,
5583 .sb_copy_data = selinux_sb_copy_data,
5584 .sb_kern_mount = selinux_sb_kern_mount,
5585 .sb_show_options = selinux_sb_show_options,
5586 .sb_statfs = selinux_sb_statfs,
5587 .sb_mount = selinux_mount,
5588 .sb_umount = selinux_umount,
5589 .sb_set_mnt_opts = selinux_set_mnt_opts,
5590 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5591 .sb_parse_opts_str = selinux_parse_opts_str,
5592
5593
5594 .inode_alloc_security = selinux_inode_alloc_security,
5595 .inode_free_security = selinux_inode_free_security,
5596 .inode_init_security = selinux_inode_init_security,
5597 .inode_create = selinux_inode_create,
5598 .inode_link = selinux_inode_link,
5599 .inode_unlink = selinux_inode_unlink,
5600 .inode_symlink = selinux_inode_symlink,
5601 .inode_mkdir = selinux_inode_mkdir,
5602 .inode_rmdir = selinux_inode_rmdir,
5603 .inode_mknod = selinux_inode_mknod,
5604 .inode_rename = selinux_inode_rename,
5605 .inode_readlink = selinux_inode_readlink,
5606 .inode_follow_link = selinux_inode_follow_link,
5607 .inode_permission = selinux_inode_permission,
5608 .inode_setattr = selinux_inode_setattr,
5609 .inode_getattr = selinux_inode_getattr,
5610 .inode_setxattr = selinux_inode_setxattr,
5611 .inode_post_setxattr = selinux_inode_post_setxattr,
5612 .inode_getxattr = selinux_inode_getxattr,
5613 .inode_listxattr = selinux_inode_listxattr,
5614 .inode_removexattr = selinux_inode_removexattr,
5615 .inode_getsecurity = selinux_inode_getsecurity,
5616 .inode_setsecurity = selinux_inode_setsecurity,
5617 .inode_listsecurity = selinux_inode_listsecurity,
5618 .inode_need_killpriv = selinux_inode_need_killpriv,
5619 .inode_killpriv = selinux_inode_killpriv,
5620 .inode_getsecid = selinux_inode_getsecid,
5621
5622 .file_permission = selinux_file_permission,
5623 .file_alloc_security = selinux_file_alloc_security,
5624 .file_free_security = selinux_file_free_security,
5625 .file_ioctl = selinux_file_ioctl,
5626 .file_mmap = selinux_file_mmap,
5627 .file_mprotect = selinux_file_mprotect,
5628 .file_lock = selinux_file_lock,
5629 .file_fcntl = selinux_file_fcntl,
5630 .file_set_fowner = selinux_file_set_fowner,
5631 .file_send_sigiotask = selinux_file_send_sigiotask,
5632 .file_receive = selinux_file_receive,
5633
5634 .dentry_open = selinux_dentry_open,
5635
5636 .task_create = selinux_task_create,
5637 .cred_free = selinux_cred_free,
5638 .cred_prepare = selinux_cred_prepare,
5639 .cred_commit = selinux_cred_commit,
5640 .kernel_act_as = selinux_kernel_act_as,
5641 .kernel_create_files_as = selinux_kernel_create_files_as,
5642 .task_setuid = selinux_task_setuid,
5643 .task_fix_setuid = selinux_task_fix_setuid,
5644 .task_setgid = selinux_task_setgid,
5645 .task_setpgid = selinux_task_setpgid,
5646 .task_getpgid = selinux_task_getpgid,
5647 .task_getsid = selinux_task_getsid,
5648 .task_getsecid = selinux_task_getsecid,
5649 .task_setgroups = selinux_task_setgroups,
5650 .task_setnice = selinux_task_setnice,
5651 .task_setioprio = selinux_task_setioprio,
5652 .task_getioprio = selinux_task_getioprio,
5653 .task_setrlimit = selinux_task_setrlimit,
5654 .task_setscheduler = selinux_task_setscheduler,
5655 .task_getscheduler = selinux_task_getscheduler,
5656 .task_movememory = selinux_task_movememory,
5657 .task_kill = selinux_task_kill,
5658 .task_wait = selinux_task_wait,
5659 .task_prctl = selinux_task_prctl,
5660 .task_to_inode = selinux_task_to_inode,
5661
5662 .ipc_permission = selinux_ipc_permission,
5663 .ipc_getsecid = selinux_ipc_getsecid,
5664
5665 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5666 .msg_msg_free_security = selinux_msg_msg_free_security,
5667
5668 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5669 .msg_queue_free_security = selinux_msg_queue_free_security,
5670 .msg_queue_associate = selinux_msg_queue_associate,
5671 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5672 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5673 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5674
5675 .shm_alloc_security = selinux_shm_alloc_security,
5676 .shm_free_security = selinux_shm_free_security,
5677 .shm_associate = selinux_shm_associate,
5678 .shm_shmctl = selinux_shm_shmctl,
5679 .shm_shmat = selinux_shm_shmat,
5680
5681 .sem_alloc_security = selinux_sem_alloc_security,
5682 .sem_free_security = selinux_sem_free_security,
5683 .sem_associate = selinux_sem_associate,
5684 .sem_semctl = selinux_sem_semctl,
5685 .sem_semop = selinux_sem_semop,
5686
5687 .d_instantiate = selinux_d_instantiate,
5688
5689 .getprocattr = selinux_getprocattr,
5690 .setprocattr = selinux_setprocattr,
5691
5692 .secid_to_secctx = selinux_secid_to_secctx,
5693 .secctx_to_secid = selinux_secctx_to_secid,
5694 .release_secctx = selinux_release_secctx,
5695
5696 .unix_stream_connect = selinux_socket_unix_stream_connect,
5697 .unix_may_send = selinux_socket_unix_may_send,
5698
5699 .socket_create = selinux_socket_create,
5700 .socket_post_create = selinux_socket_post_create,
5701 .socket_bind = selinux_socket_bind,
5702 .socket_connect = selinux_socket_connect,
5703 .socket_listen = selinux_socket_listen,
5704 .socket_accept = selinux_socket_accept,
5705 .socket_sendmsg = selinux_socket_sendmsg,
5706 .socket_recvmsg = selinux_socket_recvmsg,
5707 .socket_getsockname = selinux_socket_getsockname,
5708 .socket_getpeername = selinux_socket_getpeername,
5709 .socket_getsockopt = selinux_socket_getsockopt,
5710 .socket_setsockopt = selinux_socket_setsockopt,
5711 .socket_shutdown = selinux_socket_shutdown,
5712 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5713 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5714 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5715 .sk_alloc_security = selinux_sk_alloc_security,
5716 .sk_free_security = selinux_sk_free_security,
5717 .sk_clone_security = selinux_sk_clone_security,
5718 .sk_getsecid = selinux_sk_getsecid,
5719 .sock_graft = selinux_sock_graft,
5720 .inet_conn_request = selinux_inet_conn_request,
5721 .inet_csk_clone = selinux_inet_csk_clone,
5722 .inet_conn_established = selinux_inet_conn_established,
5723 .req_classify_flow = selinux_req_classify_flow,
5724
5725 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5726 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5727 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5728 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5729 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5730 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5731 .xfrm_state_free_security = selinux_xfrm_state_free,
5732 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5733 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5734 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5735 .xfrm_decode_session = selinux_xfrm_decode_session,
5736 #endif
5737
5738 #ifdef CONFIG_KEYS
5739 .key_alloc = selinux_key_alloc,
5740 .key_free = selinux_key_free,
5741 .key_permission = selinux_key_permission,
5742 .key_getsecurity = selinux_key_getsecurity,
5743 #endif
5744
5745 #ifdef CONFIG_AUDIT
5746 .audit_rule_init = selinux_audit_rule_init,
5747 .audit_rule_known = selinux_audit_rule_known,
5748 .audit_rule_match = selinux_audit_rule_match,
5749 .audit_rule_free = selinux_audit_rule_free,
5750 #endif
5751 };
5752
5753 static __init int selinux_init(void)
5754 {
5755 if (!security_module_enable(&selinux_ops)) {
5756 selinux_enabled = 0;
5757 return 0;
5758 }
5759
5760 if (!selinux_enabled) {
5761 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5762 return 0;
5763 }
5764
5765 printk(KERN_INFO "SELinux: Initializing.\n");
5766
5767 /* Set the security state for the initial task. */
5768 cred_init_security();
5769
5770 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5771 sizeof(struct inode_security_struct),
5772 0, SLAB_PANIC, NULL);
5773 avc_init();
5774
5775 secondary_ops = security_ops;
5776 if (!secondary_ops)
5777 panic("SELinux: No initial security operations\n");
5778 if (register_security(&selinux_ops))
5779 panic("SELinux: Unable to register with kernel.\n");
5780
5781 if (selinux_enforcing)
5782 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5783 else
5784 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5785
5786 return 0;
5787 }
5788
5789 void selinux_complete_init(void)
5790 {
5791 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5792
5793 /* Set up any superblocks initialized prior to the policy load. */
5794 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5795 spin_lock(&sb_lock);
5796 spin_lock(&sb_security_lock);
5797 next_sb:
5798 if (!list_empty(&superblock_security_head)) {
5799 struct superblock_security_struct *sbsec =
5800 list_entry(superblock_security_head.next,
5801 struct superblock_security_struct,
5802 list);
5803 struct super_block *sb = sbsec->sb;
5804 sb->s_count++;
5805 spin_unlock(&sb_security_lock);
5806 spin_unlock(&sb_lock);
5807 down_read(&sb->s_umount);
5808 if (sb->s_root)
5809 superblock_doinit(sb, NULL);
5810 drop_super(sb);
5811 spin_lock(&sb_lock);
5812 spin_lock(&sb_security_lock);
5813 list_del_init(&sbsec->list);
5814 goto next_sb;
5815 }
5816 spin_unlock(&sb_security_lock);
5817 spin_unlock(&sb_lock);
5818 }
5819
5820 /* SELinux requires early initialization in order to label
5821 all processes and objects when they are created. */
5822 security_initcall(selinux_init);
5823
5824 #if defined(CONFIG_NETFILTER)
5825
5826 static struct nf_hook_ops selinux_ipv4_ops[] = {
5827 {
5828 .hook = selinux_ipv4_postroute,
5829 .owner = THIS_MODULE,
5830 .pf = PF_INET,
5831 .hooknum = NF_INET_POST_ROUTING,
5832 .priority = NF_IP_PRI_SELINUX_LAST,
5833 },
5834 {
5835 .hook = selinux_ipv4_forward,
5836 .owner = THIS_MODULE,
5837 .pf = PF_INET,
5838 .hooknum = NF_INET_FORWARD,
5839 .priority = NF_IP_PRI_SELINUX_FIRST,
5840 },
5841 {
5842 .hook = selinux_ipv4_output,
5843 .owner = THIS_MODULE,
5844 .pf = PF_INET,
5845 .hooknum = NF_INET_LOCAL_OUT,
5846 .priority = NF_IP_PRI_SELINUX_FIRST,
5847 }
5848 };
5849
5850 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5851
5852 static struct nf_hook_ops selinux_ipv6_ops[] = {
5853 {
5854 .hook = selinux_ipv6_postroute,
5855 .owner = THIS_MODULE,
5856 .pf = PF_INET6,
5857 .hooknum = NF_INET_POST_ROUTING,
5858 .priority = NF_IP6_PRI_SELINUX_LAST,
5859 },
5860 {
5861 .hook = selinux_ipv6_forward,
5862 .owner = THIS_MODULE,
5863 .pf = PF_INET6,
5864 .hooknum = NF_INET_FORWARD,
5865 .priority = NF_IP6_PRI_SELINUX_FIRST,
5866 }
5867 };
5868
5869 #endif /* IPV6 */
5870
5871 static int __init selinux_nf_ip_init(void)
5872 {
5873 int err = 0;
5874
5875 if (!selinux_enabled)
5876 goto out;
5877
5878 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5879
5880 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5881 if (err)
5882 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5883
5884 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5885 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5886 if (err)
5887 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5888 #endif /* IPV6 */
5889
5890 out:
5891 return err;
5892 }
5893
5894 __initcall(selinux_nf_ip_init);
5895
5896 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5897 static void selinux_nf_ip_exit(void)
5898 {
5899 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5900
5901 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5902 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5903 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5904 #endif /* IPV6 */
5905 }
5906 #endif
5907
5908 #else /* CONFIG_NETFILTER */
5909
5910 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5911 #define selinux_nf_ip_exit()
5912 #endif
5913
5914 #endif /* CONFIG_NETFILTER */
5915
5916 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5917 static int selinux_disabled;
5918
5919 int selinux_disable(void)
5920 {
5921 extern void exit_sel_fs(void);
5922
5923 if (ss_initialized) {
5924 /* Not permitted after initial policy load. */
5925 return -EINVAL;
5926 }
5927
5928 if (selinux_disabled) {
5929 /* Only do this once. */
5930 return -EINVAL;
5931 }
5932
5933 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5934
5935 selinux_disabled = 1;
5936 selinux_enabled = 0;
5937
5938 /* Reset security_ops to the secondary module, dummy or capability. */
5939 security_ops = secondary_ops;
5940
5941 /* Unregister netfilter hooks. */
5942 selinux_nf_ip_exit();
5943
5944 /* Unregister selinuxfs. */
5945 exit_sel_fs();
5946
5947 return 0;
5948 }
5949 #endif
Verdex Pro support