search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kbuild: fix silentoldconfig with make O=
[linux-2.6/verdex.git] / security / selinux / hooks.c
blobf40c8221ec1ba215b9526d74993ad5e8a4ed4256
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h> /* for sysctl_local_port_range[] */
51 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h> /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h> /* for Unix socket types */
63 #include <net/af_unix.h> /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76
77 #define XATTR_SELINUX_SUFFIX "selinux"
78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
79
80 extern unsigned int policydb_loaded_version;
81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
82
83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
84 int selinux_enforcing = 0;
85
86 static int __init enforcing_setup(char *str)
87 {
88 selinux_enforcing = simple_strtol(str,NULL,0);
89 return 1;
90 }
91 __setup("enforcing=", enforcing_setup);
92 #endif
93
94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
96
97 static int __init selinux_enabled_setup(char *str)
98 {
99 selinux_enabled = simple_strtol(str, NULL, 0);
100 return 1;
101 }
102 __setup("selinux=", selinux_enabled_setup);
103 #endif
104
105 /* Original (dummy) security module. */
106 static struct security_operations *original_ops = NULL;
107
108 /* Minimal support for a secondary security module,
109 just to allow the use of the dummy or capability modules.
110 The owlsm module can alternatively be used as a secondary
111 module as long as CONFIG_OWLSM_FD is not enabled. */
112 static struct security_operations *secondary_ops = NULL;
113
114 /* Lists of inode and superblock security structures initialized
115 before the policy was loaded. */
116 static LIST_HEAD(superblock_security_head);
117 static DEFINE_SPINLOCK(sb_security_lock);
118
119 /* Allocate and free functions for each kind of security blob. */
120
121 static int task_alloc_security(struct task_struct *task)
122 {
123 struct task_security_struct *tsec;
124
125 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
126 if (!tsec)
127 return -ENOMEM;
128
129 memset(tsec, 0, sizeof(struct task_security_struct));
130 tsec->magic = SELINUX_MAGIC;
131 tsec->task = task;
132 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
133 task->security = tsec;
134
135 return 0;
136 }
137
138 static void task_free_security(struct task_struct *task)
139 {
140 struct task_security_struct *tsec = task->security;
141
142 if (!tsec || tsec->magic != SELINUX_MAGIC)
143 return;
144
145 task->security = NULL;
146 kfree(tsec);
147 }
148
149 static int inode_alloc_security(struct inode *inode)
150 {
151 struct task_security_struct *tsec = current->security;
152 struct inode_security_struct *isec;
153
154 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
155 if (!isec)
156 return -ENOMEM;
157
158 memset(isec, 0, sizeof(struct inode_security_struct));
159 init_MUTEX(&isec->sem);
160 INIT_LIST_HEAD(&isec->list);
161 isec->magic = SELINUX_MAGIC;
162 isec->inode = inode;
163 isec->sid = SECINITSID_UNLABELED;
164 isec->sclass = SECCLASS_FILE;
165 if (tsec && tsec->magic == SELINUX_MAGIC)
166 isec->task_sid = tsec->sid;
167 else
168 isec->task_sid = SECINITSID_UNLABELED;
169 inode->i_security = isec;
170
171 return 0;
172 }
173
174 static void inode_free_security(struct inode *inode)
175 {
176 struct inode_security_struct *isec = inode->i_security;
177 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
178
179 if (!isec || isec->magic != SELINUX_MAGIC)
180 return;
181
182 spin_lock(&sbsec->isec_lock);
183 if (!list_empty(&isec->list))
184 list_del_init(&isec->list);
185 spin_unlock(&sbsec->isec_lock);
186
187 inode->i_security = NULL;
188 kfree(isec);
189 }
190
191 static int file_alloc_security(struct file *file)
192 {
193 struct task_security_struct *tsec = current->security;
194 struct file_security_struct *fsec;
195
196 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
197 if (!fsec)
198 return -ENOMEM;
199
200 memset(fsec, 0, sizeof(struct file_security_struct));
201 fsec->magic = SELINUX_MAGIC;
202 fsec->file = file;
203 if (tsec && tsec->magic == SELINUX_MAGIC) {
204 fsec->sid = tsec->sid;
205 fsec->fown_sid = tsec->sid;
206 } else {
207 fsec->sid = SECINITSID_UNLABELED;
208 fsec->fown_sid = SECINITSID_UNLABELED;
209 }
210 file->f_security = fsec;
211
212 return 0;
213 }
214
215 static void file_free_security(struct file *file)
216 {
217 struct file_security_struct *fsec = file->f_security;
218
219 if (!fsec || fsec->magic != SELINUX_MAGIC)
220 return;
221
222 file->f_security = NULL;
223 kfree(fsec);
224 }
225
226 static int superblock_alloc_security(struct super_block *sb)
227 {
228 struct superblock_security_struct *sbsec;
229
230 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
231 if (!sbsec)
232 return -ENOMEM;
233
234 memset(sbsec, 0, sizeof(struct superblock_security_struct));
235 init_MUTEX(&sbsec->sem);
236 INIT_LIST_HEAD(&sbsec->list);
237 INIT_LIST_HEAD(&sbsec->isec_head);
238 spin_lock_init(&sbsec->isec_lock);
239 sbsec->magic = SELINUX_MAGIC;
240 sbsec->sb = sb;
241 sbsec->sid = SECINITSID_UNLABELED;
242 sbsec->def_sid = SECINITSID_FILE;
243 sb->s_security = sbsec;
244
245 return 0;
246 }
247
248 static void superblock_free_security(struct super_block *sb)
249 {
250 struct superblock_security_struct *sbsec = sb->s_security;
251
252 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
253 return;
254
255 spin_lock(&sb_security_lock);
256 if (!list_empty(&sbsec->list))
257 list_del_init(&sbsec->list);
258 spin_unlock(&sb_security_lock);
259
260 sb->s_security = NULL;
261 kfree(sbsec);
262 }
263
264 #ifdef CONFIG_SECURITY_NETWORK
265 static int sk_alloc_security(struct sock *sk, int family, int priority)
266 {
267 struct sk_security_struct *ssec;
268
269 if (family != PF_UNIX)
270 return 0;
271
272 ssec = kmalloc(sizeof(*ssec), priority);
273 if (!ssec)
274 return -ENOMEM;
275
276 memset(ssec, 0, sizeof(*ssec));
277 ssec->magic = SELINUX_MAGIC;
278 ssec->sk = sk;
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 sk->sk_security = ssec;
281
282 return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287 struct sk_security_struct *ssec = sk->sk_security;
288
289 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
290 return;
291
292 sk->sk_security = NULL;
293 kfree(ssec);
294 }
295 #endif /* CONFIG_SECURITY_NETWORK */
296
297 /* The security server must be initialized before
298 any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304 "uses xattr",
305 "uses transition SIDs",
306 "uses task SIDs",
307 "uses genfs_contexts",
308 "not configured for labeling",
309 "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316 return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320 Opt_context = 1,
321 Opt_fscontext = 2,
322 Opt_defcontext = 4,
323 };
324
325 static match_table_t tokens = {
326 {Opt_context, "context=%s"},
327 {Opt_fscontext, "fscontext=%s"},
328 {Opt_defcontext, "defcontext=%s"},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
332
333 static int try_context_mount(struct super_block *sb, void *data)
334 {
335 char *context = NULL, *defcontext = NULL;
336 const char *name;
337 u32 sid;
338 int alloc = 0, rc = 0, seen = 0;
339 struct task_security_struct *tsec = current->security;
340 struct superblock_security_struct *sbsec = sb->s_security;
341
342 if (!data)
343 goto out;
344
345 name = sb->s_type->name;
346
347 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
348
349 /* NFS we understand. */
350 if (!strcmp(name, "nfs")) {
351 struct nfs_mount_data *d = data;
352
353 if (d->version < NFS_MOUNT_VERSION)
354 goto out;
355
356 if (d->context[0]) {
357 context = d->context;
358 seen |= Opt_context;
359 }
360 } else
361 goto out;
362
363 } else {
364 /* Standard string-based options. */
365 char *p, *options = data;
366
367 while ((p = strsep(&options, ",")) != NULL) {
368 int token;
369 substring_t args[MAX_OPT_ARGS];
370
371 if (!*p)
372 continue;
373
374 token = match_token(p, tokens, args);
375
376 switch (token) {
377 case Opt_context:
378 if (seen) {
379 rc = -EINVAL;
380 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
381 goto out_free;
382 }
383 context = match_strdup(&args[0]);
384 if (!context) {
385 rc = -ENOMEM;
386 goto out_free;
387 }
388 if (!alloc)
389 alloc = 1;
390 seen |= Opt_context;
391 break;
392
393 case Opt_fscontext:
394 if (seen & (Opt_context|Opt_fscontext)) {
395 rc = -EINVAL;
396 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
397 goto out_free;
398 }
399 context = match_strdup(&args[0]);
400 if (!context) {
401 rc = -ENOMEM;
402 goto out_free;
403 }
404 if (!alloc)
405 alloc = 1;
406 seen |= Opt_fscontext;
407 break;
408
409 case Opt_defcontext:
410 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
411 rc = -EINVAL;
412 printk(KERN_WARNING "SELinux: "
413 "defcontext option is invalid "
414 "for this filesystem type\n");
415 goto out_free;
416 }
417 if (seen & (Opt_context|Opt_defcontext)) {
418 rc = -EINVAL;
419 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
420 goto out_free;
421 }
422 defcontext = match_strdup(&args[0]);
423 if (!defcontext) {
424 rc = -ENOMEM;
425 goto out_free;
426 }
427 if (!alloc)
428 alloc = 1;
429 seen |= Opt_defcontext;
430 break;
431
432 default:
433 rc = -EINVAL;
434 printk(KERN_WARNING "SELinux: unknown mount "
435 "option\n");
436 goto out_free;
437
438 }
439 }
440 }
441
442 if (!seen)
443 goto out;
444
445 if (context) {
446 rc = security_context_to_sid(context, strlen(context), &sid);
447 if (rc) {
448 printk(KERN_WARNING "SELinux: security_context_to_sid"
449 "(%s) failed for (dev %s, type %s) errno=%d\n",
450 context, sb->s_id, name, rc);
451 goto out_free;
452 }
453
454 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELFROM, NULL);
456 if (rc)
457 goto out_free;
458
459 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
460 FILESYSTEM__RELABELTO, NULL);
461 if (rc)
462 goto out_free;
463
464 sbsec->sid = sid;
465
466 if (seen & Opt_context)
467 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
468 }
469
470 if (defcontext) {
471 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
472 if (rc) {
473 printk(KERN_WARNING "SELinux: security_context_to_sid"
474 "(%s) failed for (dev %s, type %s) errno=%d\n",
475 defcontext, sb->s_id, name, rc);
476 goto out_free;
477 }
478
479 if (sid == sbsec->def_sid)
480 goto out_free;
481
482 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483 FILESYSTEM__RELABELFROM, NULL);
484 if (rc)
485 goto out_free;
486
487 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
488 FILESYSTEM__ASSOCIATE, NULL);
489 if (rc)
490 goto out_free;
491
492 sbsec->def_sid = sid;
493 }
494
495 out_free:
496 if (alloc) {
497 kfree(context);
498 kfree(defcontext);
499 }
500 out:
501 return rc;
502 }
503
504 static int superblock_doinit(struct super_block *sb, void *data)
505 {
506 struct superblock_security_struct *sbsec = sb->s_security;
507 struct dentry *root = sb->s_root;
508 struct inode *inode = root->d_inode;
509 int rc = 0;
510
511 down(&sbsec->sem);
512 if (sbsec->initialized)
513 goto out;
514
515 if (!ss_initialized) {
516 /* Defer initialization until selinux_complete_init,
517 after the initial policy is loaded and the security
518 server is ready to handle calls. */
519 spin_lock(&sb_security_lock);
520 if (list_empty(&sbsec->list))
521 list_add(&sbsec->list, &superblock_security_head);
522 spin_unlock(&sb_security_lock);
523 goto out;
524 }
525
526 /* Determine the labeling behavior to use for this filesystem type. */
527 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
528 if (rc) {
529 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
530 __FUNCTION__, sb->s_type->name, rc);
531 goto out;
532 }
533
534 rc = try_context_mount(sb, data);
535 if (rc)
536 goto out;
537
538 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
539 /* Make sure that the xattr handler exists and that no
540 error other than -ENODATA is returned by getxattr on
541 the root directory. -ENODATA is ok, as this may be
542 the first boot of the SELinux kernel before we have
543 assigned xattr values to the filesystem. */
544 if (!inode->i_op->getxattr) {
545 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
546 "xattr support\n", sb->s_id, sb->s_type->name);
547 rc = -EOPNOTSUPP;
548 goto out;
549 }
550 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
551 if (rc < 0 && rc != -ENODATA) {
552 if (rc == -EOPNOTSUPP)
553 printk(KERN_WARNING "SELinux: (dev %s, type "
554 "%s) has no security xattr handler\n",
555 sb->s_id, sb->s_type->name);
556 else
557 printk(KERN_WARNING "SELinux: (dev %s, type "
558 "%s) getxattr errno %d\n", sb->s_id,
559 sb->s_type->name, -rc);
560 goto out;
561 }
562 }
563
564 if (strcmp(sb->s_type->name, "proc") == 0)
565 sbsec->proc = 1;
566
567 sbsec->initialized = 1;
568
569 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
570 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
571 sb->s_id, sb->s_type->name);
572 }
573 else {
574 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
575 sb->s_id, sb->s_type->name,
576 labeling_behaviors[sbsec->behavior-1]);
577 }
578
579 /* Initialize the root inode. */
580 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
581
582 /* Initialize any other inodes associated with the superblock, e.g.
583 inodes created prior to initial policy load or inodes created
584 during get_sb by a pseudo filesystem that directly
585 populates itself. */
586 spin_lock(&sbsec->isec_lock);
587 next_inode:
588 if (!list_empty(&sbsec->isec_head)) {
589 struct inode_security_struct *isec =
590 list_entry(sbsec->isec_head.next,
591 struct inode_security_struct, list);
592 struct inode *inode = isec->inode;
593 spin_unlock(&sbsec->isec_lock);
594 inode = igrab(inode);
595 if (inode) {
596 if (!IS_PRIVATE (inode))
597 inode_doinit(inode);
598 iput(inode);
599 }
600 spin_lock(&sbsec->isec_lock);
601 list_del_init(&isec->list);
602 goto next_inode;
603 }
604 spin_unlock(&sbsec->isec_lock);
605 out:
606 up(&sbsec->sem);
607 return rc;
608 }
609
610 static inline u16 inode_mode_to_security_class(umode_t mode)
611 {
612 switch (mode & S_IFMT) {
613 case S_IFSOCK:
614 return SECCLASS_SOCK_FILE;
615 case S_IFLNK:
616 return SECCLASS_LNK_FILE;
617 case S_IFREG:
618 return SECCLASS_FILE;
619 case S_IFBLK:
620 return SECCLASS_BLK_FILE;
621 case S_IFDIR:
622 return SECCLASS_DIR;
623 case S_IFCHR:
624 return SECCLASS_CHR_FILE;
625 case S_IFIFO:
626 return SECCLASS_FIFO_FILE;
627
628 }
629
630 return SECCLASS_FILE;
631 }
632
633 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
634 {
635 switch (family) {
636 case PF_UNIX:
637 switch (type) {
638 case SOCK_STREAM:
639 case SOCK_SEQPACKET:
640 return SECCLASS_UNIX_STREAM_SOCKET;
641 case SOCK_DGRAM:
642 return SECCLASS_UNIX_DGRAM_SOCKET;
643 }
644 break;
645 case PF_INET:
646 case PF_INET6:
647 switch (type) {
648 case SOCK_STREAM:
649 return SECCLASS_TCP_SOCKET;
650 case SOCK_DGRAM:
651 return SECCLASS_UDP_SOCKET;
652 case SOCK_RAW:
653 return SECCLASS_RAWIP_SOCKET;
654 }
655 break;
656 case PF_NETLINK:
657 switch (protocol) {
658 case NETLINK_ROUTE:
659 return SECCLASS_NETLINK_ROUTE_SOCKET;
660 case NETLINK_FIREWALL:
661 return SECCLASS_NETLINK_FIREWALL_SOCKET;
662 case NETLINK_INET_DIAG:
663 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
664 case NETLINK_NFLOG:
665 return SECCLASS_NETLINK_NFLOG_SOCKET;
666 case NETLINK_XFRM:
667 return SECCLASS_NETLINK_XFRM_SOCKET;
668 case NETLINK_SELINUX:
669 return SECCLASS_NETLINK_SELINUX_SOCKET;
670 case NETLINK_AUDIT:
671 return SECCLASS_NETLINK_AUDIT_SOCKET;
672 case NETLINK_IP6_FW:
673 return SECCLASS_NETLINK_IP6FW_SOCKET;
674 case NETLINK_DNRTMSG:
675 return SECCLASS_NETLINK_DNRT_SOCKET;
676 case NETLINK_KOBJECT_UEVENT:
677 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
678 default:
679 return SECCLASS_NETLINK_SOCKET;
680 }
681 case PF_PACKET:
682 return SECCLASS_PACKET_SOCKET;
683 case PF_KEY:
684 return SECCLASS_KEY_SOCKET;
685 }
686
687 return SECCLASS_SOCKET;
688 }
689
690 #ifdef CONFIG_PROC_FS
691 static int selinux_proc_get_sid(struct proc_dir_entry *de,
692 u16 tclass,
693 u32 *sid)
694 {
695 int buflen, rc;
696 char *buffer, *path, *end;
697
698 buffer = (char*)__get_free_page(GFP_KERNEL);
699 if (!buffer)
700 return -ENOMEM;
701
702 buflen = PAGE_SIZE;
703 end = buffer+buflen;
704 *--end = '\0';
705 buflen--;
706 path = end-1;
707 *path = '/';
708 while (de && de != de->parent) {
709 buflen -= de->namelen + 1;
710 if (buflen < 0)
711 break;
712 end -= de->namelen;
713 memcpy(end, de->name, de->namelen);
714 *--end = '/';
715 path = end;
716 de = de->parent;
717 }
718 rc = security_genfs_sid("proc", path, tclass, sid);
719 free_page((unsigned long)buffer);
720 return rc;
721 }
722 #else
723 static int selinux_proc_get_sid(struct proc_dir_entry *de,
724 u16 tclass,
725 u32 *sid)
726 {
727 return -EINVAL;
728 }
729 #endif
730
731 /* The inode's security attributes must be initialized before first use. */
732 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
733 {
734 struct superblock_security_struct *sbsec = NULL;
735 struct inode_security_struct *isec = inode->i_security;
736 u32 sid;
737 struct dentry *dentry;
738 #define INITCONTEXTLEN 255
739 char *context = NULL;
740 unsigned len = 0;
741 int rc = 0;
742 int hold_sem = 0;
743
744 if (isec->initialized)
745 goto out;
746
747 down(&isec->sem);
748 hold_sem = 1;
749 if (isec->initialized)
750 goto out;
751
752 sbsec = inode->i_sb->s_security;
753 if (!sbsec->initialized) {
754 /* Defer initialization until selinux_complete_init,
755 after the initial policy is loaded and the security
756 server is ready to handle calls. */
757 spin_lock(&sbsec->isec_lock);
758 if (list_empty(&isec->list))
759 list_add(&isec->list, &sbsec->isec_head);
760 spin_unlock(&sbsec->isec_lock);
761 goto out;
762 }
763
764 switch (sbsec->behavior) {
765 case SECURITY_FS_USE_XATTR:
766 if (!inode->i_op->getxattr) {
767 isec->sid = sbsec->def_sid;
768 break;
769 }
770
771 /* Need a dentry, since the xattr API requires one.
772 Life would be simpler if we could just pass the inode. */
773 if (opt_dentry) {
774 /* Called from d_instantiate or d_splice_alias. */
775 dentry = dget(opt_dentry);
776 } else {
777 /* Called from selinux_complete_init, try to find a dentry. */
778 dentry = d_find_alias(inode);
779 }
780 if (!dentry) {
781 printk(KERN_WARNING "%s: no dentry for dev=%s "
782 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
783 inode->i_ino);
784 goto out;
785 }
786
787 len = INITCONTEXTLEN;
788 context = kmalloc(len, GFP_KERNEL);
789 if (!context) {
790 rc = -ENOMEM;
791 dput(dentry);
792 goto out;
793 }
794 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
795 context, len);
796 if (rc == -ERANGE) {
797 /* Need a larger buffer. Query for the right size. */
798 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
799 NULL, 0);
800 if (rc < 0) {
801 dput(dentry);
802 goto out;
803 }
804 kfree(context);
805 len = rc;
806 context = kmalloc(len, GFP_KERNEL);
807 if (!context) {
808 rc = -ENOMEM;
809 dput(dentry);
810 goto out;
811 }
812 rc = inode->i_op->getxattr(dentry,
813 XATTR_NAME_SELINUX,
814 context, len);
815 }
816 dput(dentry);
817 if (rc < 0) {
818 if (rc != -ENODATA) {
819 printk(KERN_WARNING "%s: getxattr returned "
820 "%d for dev=%s ino=%ld\n", __FUNCTION__,
821 -rc, inode->i_sb->s_id, inode->i_ino);
822 kfree(context);
823 goto out;
824 }
825 /* Map ENODATA to the default file SID */
826 sid = sbsec->def_sid;
827 rc = 0;
828 } else {
829 rc = security_context_to_sid_default(context, rc, &sid,
830 sbsec->def_sid);
831 if (rc) {
832 printk(KERN_WARNING "%s: context_to_sid(%s) "
833 "returned %d for dev=%s ino=%ld\n",
834 __FUNCTION__, context, -rc,
835 inode->i_sb->s_id, inode->i_ino);
836 kfree(context);
837 /* Leave with the unlabeled SID */
838 rc = 0;
839 break;
840 }
841 }
842 kfree(context);
843 isec->sid = sid;
844 break;
845 case SECURITY_FS_USE_TASK:
846 isec->sid = isec->task_sid;
847 break;
848 case SECURITY_FS_USE_TRANS:
849 /* Default to the fs SID. */
850 isec->sid = sbsec->sid;
851
852 /* Try to obtain a transition SID. */
853 isec->sclass = inode_mode_to_security_class(inode->i_mode);
854 rc = security_transition_sid(isec->task_sid,
855 sbsec->sid,
856 isec->sclass,
857 &sid);
858 if (rc)
859 goto out;
860 isec->sid = sid;
861 break;
862 default:
863 /* Default to the fs SID. */
864 isec->sid = sbsec->sid;
865
866 if (sbsec->proc) {
867 struct proc_inode *proci = PROC_I(inode);
868 if (proci->pde) {
869 isec->sclass = inode_mode_to_security_class(inode->i_mode);
870 rc = selinux_proc_get_sid(proci->pde,
871 isec->sclass,
872 &sid);
873 if (rc)
874 goto out;
875 isec->sid = sid;
876 }
877 }
878 break;
879 }
880
881 isec->initialized = 1;
882
883 out:
884 if (isec->sclass == SECCLASS_FILE)
885 isec->sclass = inode_mode_to_security_class(inode->i_mode);
886
887 if (hold_sem)
888 up(&isec->sem);
889 return rc;
890 }
891
892 /* Convert a Linux signal to an access vector. */
893 static inline u32 signal_to_av(int sig)
894 {
895 u32 perm = 0;
896
897 switch (sig) {
898 case SIGCHLD:
899 /* Commonly granted from child to parent. */
900 perm = PROCESS__SIGCHLD;
901 break;
902 case SIGKILL:
903 /* Cannot be caught or ignored */
904 perm = PROCESS__SIGKILL;
905 break;
906 case SIGSTOP:
907 /* Cannot be caught or ignored */
908 perm = PROCESS__SIGSTOP;
909 break;
910 default:
911 /* All other signals. */
912 perm = PROCESS__SIGNAL;
913 break;
914 }
915
916 return perm;
917 }
918
919 /* Check permission betweeen a pair of tasks, e.g. signal checks,
920 fork check, ptrace check, etc. */
921 static int task_has_perm(struct task_struct *tsk1,
922 struct task_struct *tsk2,
923 u32 perms)
924 {
925 struct task_security_struct *tsec1, *tsec2;
926
927 tsec1 = tsk1->security;
928 tsec2 = tsk2->security;
929 return avc_has_perm(tsec1->sid, tsec2->sid,
930 SECCLASS_PROCESS, perms, NULL);
931 }
932
933 /* Check whether a task is allowed to use a capability. */
934 static int task_has_capability(struct task_struct *tsk,
935 int cap)
936 {
937 struct task_security_struct *tsec;
938 struct avc_audit_data ad;
939
940 tsec = tsk->security;
941
942 AVC_AUDIT_DATA_INIT(&ad,CAP);
943 ad.tsk = tsk;
944 ad.u.cap = cap;
945
946 return avc_has_perm(tsec->sid, tsec->sid,
947 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
948 }
949
950 /* Check whether a task is allowed to use a system operation. */
951 static int task_has_system(struct task_struct *tsk,
952 u32 perms)
953 {
954 struct task_security_struct *tsec;
955
956 tsec = tsk->security;
957
958 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
959 SECCLASS_SYSTEM, perms, NULL);
960 }
961
962 /* Check whether a task has a particular permission to an inode.
963 The 'adp' parameter is optional and allows other audit
964 data to be passed (e.g. the dentry). */
965 static int inode_has_perm(struct task_struct *tsk,
966 struct inode *inode,
967 u32 perms,
968 struct avc_audit_data *adp)
969 {
970 struct task_security_struct *tsec;
971 struct inode_security_struct *isec;
972 struct avc_audit_data ad;
973
974 tsec = tsk->security;
975 isec = inode->i_security;
976
977 if (!adp) {
978 adp = &ad;
979 AVC_AUDIT_DATA_INIT(&ad, FS);
980 ad.u.fs.inode = inode;
981 }
982
983 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
984 }
985
986 /* Same as inode_has_perm, but pass explicit audit data containing
987 the dentry to help the auditing code to more easily generate the
988 pathname if needed. */
989 static inline int dentry_has_perm(struct task_struct *tsk,
990 struct vfsmount *mnt,
991 struct dentry *dentry,
992 u32 av)
993 {
994 struct inode *inode = dentry->d_inode;
995 struct avc_audit_data ad;
996 AVC_AUDIT_DATA_INIT(&ad,FS);
997 ad.u.fs.mnt = mnt;
998 ad.u.fs.dentry = dentry;
999 return inode_has_perm(tsk, inode, av, &ad);
1000 }
1001
1002 /* Check whether a task can use an open file descriptor to
1003 access an inode in a given way. Check access to the
1004 descriptor itself, and then use dentry_has_perm to
1005 check a particular permission to the file.
1006 Access to the descriptor is implicitly granted if it
1007 has the same SID as the process. If av is zero, then
1008 access to the file is not checked, e.g. for cases
1009 where only the descriptor is affected like seek. */
1010 static inline int file_has_perm(struct task_struct *tsk,
1011 struct file *file,
1012 u32 av)
1013 {
1014 struct task_security_struct *tsec = tsk->security;
1015 struct file_security_struct *fsec = file->f_security;
1016 struct vfsmount *mnt = file->f_vfsmnt;
1017 struct dentry *dentry = file->f_dentry;
1018 struct inode *inode = dentry->d_inode;
1019 struct avc_audit_data ad;
1020 int rc;
1021
1022 AVC_AUDIT_DATA_INIT(&ad, FS);
1023 ad.u.fs.mnt = mnt;
1024 ad.u.fs.dentry = dentry;
1025
1026 if (tsec->sid != fsec->sid) {
1027 rc = avc_has_perm(tsec->sid, fsec->sid,
1028 SECCLASS_FD,
1029 FD__USE,
1030 &ad);
1031 if (rc)
1032 return rc;
1033 }
1034
1035 /* av is zero if only checking access to the descriptor. */
1036 if (av)
1037 return inode_has_perm(tsk, inode, av, &ad);
1038
1039 return 0;
1040 }
1041
1042 /* Check whether a task can create a file. */
1043 static int may_create(struct inode *dir,
1044 struct dentry *dentry,
1045 u16 tclass)
1046 {
1047 struct task_security_struct *tsec;
1048 struct inode_security_struct *dsec;
1049 struct superblock_security_struct *sbsec;
1050 u32 newsid;
1051 struct avc_audit_data ad;
1052 int rc;
1053
1054 tsec = current->security;
1055 dsec = dir->i_security;
1056 sbsec = dir->i_sb->s_security;
1057
1058 AVC_AUDIT_DATA_INIT(&ad, FS);
1059 ad.u.fs.dentry = dentry;
1060
1061 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1062 DIR__ADD_NAME | DIR__SEARCH,
1063 &ad);
1064 if (rc)
1065 return rc;
1066
1067 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1068 newsid = tsec->create_sid;
1069 } else {
1070 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1071 &newsid);
1072 if (rc)
1073 return rc;
1074 }
1075
1076 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1077 if (rc)
1078 return rc;
1079
1080 return avc_has_perm(newsid, sbsec->sid,
1081 SECCLASS_FILESYSTEM,
1082 FILESYSTEM__ASSOCIATE, &ad);
1083 }
1084
1085 #define MAY_LINK 0
1086 #define MAY_UNLINK 1
1087 #define MAY_RMDIR 2
1088
1089 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1090 static int may_link(struct inode *dir,
1091 struct dentry *dentry,
1092 int kind)
1093
1094 {
1095 struct task_security_struct *tsec;
1096 struct inode_security_struct *dsec, *isec;
1097 struct avc_audit_data ad;
1098 u32 av;
1099 int rc;
1100
1101 tsec = current->security;
1102 dsec = dir->i_security;
1103 isec = dentry->d_inode->i_security;
1104
1105 AVC_AUDIT_DATA_INIT(&ad, FS);
1106 ad.u.fs.dentry = dentry;
1107
1108 av = DIR__SEARCH;
1109 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1110 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1111 if (rc)
1112 return rc;
1113
1114 switch (kind) {
1115 case MAY_LINK:
1116 av = FILE__LINK;
1117 break;
1118 case MAY_UNLINK:
1119 av = FILE__UNLINK;
1120 break;
1121 case MAY_RMDIR:
1122 av = DIR__RMDIR;
1123 break;
1124 default:
1125 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1126 return 0;
1127 }
1128
1129 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1130 return rc;
1131 }
1132
1133 static inline int may_rename(struct inode *old_dir,
1134 struct dentry *old_dentry,
1135 struct inode *new_dir,
1136 struct dentry *new_dentry)
1137 {
1138 struct task_security_struct *tsec;
1139 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1140 struct avc_audit_data ad;
1141 u32 av;
1142 int old_is_dir, new_is_dir;
1143 int rc;
1144
1145 tsec = current->security;
1146 old_dsec = old_dir->i_security;
1147 old_isec = old_dentry->d_inode->i_security;
1148 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1149 new_dsec = new_dir->i_security;
1150
1151 AVC_AUDIT_DATA_INIT(&ad, FS);
1152
1153 ad.u.fs.dentry = old_dentry;
1154 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1155 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1156 if (rc)
1157 return rc;
1158 rc = avc_has_perm(tsec->sid, old_isec->sid,
1159 old_isec->sclass, FILE__RENAME, &ad);
1160 if (rc)
1161 return rc;
1162 if (old_is_dir && new_dir != old_dir) {
1163 rc = avc_has_perm(tsec->sid, old_isec->sid,
1164 old_isec->sclass, DIR__REPARENT, &ad);
1165 if (rc)
1166 return rc;
1167 }
1168
1169 ad.u.fs.dentry = new_dentry;
1170 av = DIR__ADD_NAME | DIR__SEARCH;
1171 if (new_dentry->d_inode)
1172 av |= DIR__REMOVE_NAME;
1173 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1174 if (rc)
1175 return rc;
1176 if (new_dentry->d_inode) {
1177 new_isec = new_dentry->d_inode->i_security;
1178 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1179 rc = avc_has_perm(tsec->sid, new_isec->sid,
1180 new_isec->sclass,
1181 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1182 if (rc)
1183 return rc;
1184 }
1185
1186 return 0;
1187 }
1188
1189 /* Check whether a task can perform a filesystem operation. */
1190 static int superblock_has_perm(struct task_struct *tsk,
1191 struct super_block *sb,
1192 u32 perms,
1193 struct avc_audit_data *ad)
1194 {
1195 struct task_security_struct *tsec;
1196 struct superblock_security_struct *sbsec;
1197
1198 tsec = tsk->security;
1199 sbsec = sb->s_security;
1200 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1201 perms, ad);
1202 }
1203
1204 /* Convert a Linux mode and permission mask to an access vector. */
1205 static inline u32 file_mask_to_av(int mode, int mask)
1206 {
1207 u32 av = 0;
1208
1209 if ((mode & S_IFMT) != S_IFDIR) {
1210 if (mask & MAY_EXEC)
1211 av |= FILE__EXECUTE;
1212 if (mask & MAY_READ)
1213 av |= FILE__READ;
1214
1215 if (mask & MAY_APPEND)
1216 av |= FILE__APPEND;
1217 else if (mask & MAY_WRITE)
1218 av |= FILE__WRITE;
1219
1220 } else {
1221 if (mask & MAY_EXEC)
1222 av |= DIR__SEARCH;
1223 if (mask & MAY_WRITE)
1224 av |= DIR__WRITE;
1225 if (mask & MAY_READ)
1226 av |= DIR__READ;
1227 }
1228
1229 return av;
1230 }
1231
1232 /* Convert a Linux file to an access vector. */
1233 static inline u32 file_to_av(struct file *file)
1234 {
1235 u32 av = 0;
1236
1237 if (file->f_mode & FMODE_READ)
1238 av |= FILE__READ;
1239 if (file->f_mode & FMODE_WRITE) {
1240 if (file->f_flags & O_APPEND)
1241 av |= FILE__APPEND;
1242 else
1243 av |= FILE__WRITE;
1244 }
1245
1246 return av;
1247 }
1248
1249 /* Set an inode's SID to a specified value. */
1250 static int inode_security_set_sid(struct inode *inode, u32 sid)
1251 {
1252 struct inode_security_struct *isec = inode->i_security;
1253 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1254
1255 if (!sbsec->initialized) {
1256 /* Defer initialization to selinux_complete_init. */
1257 return 0;
1258 }
1259
1260 down(&isec->sem);
1261 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1262 isec->sid = sid;
1263 isec->initialized = 1;
1264 up(&isec->sem);
1265 return 0;
1266 }
1267
1268 /* Hook functions begin here. */
1269
1270 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1271 {
1272 struct task_security_struct *psec = parent->security;
1273 struct task_security_struct *csec = child->security;
1274 int rc;
1275
1276 rc = secondary_ops->ptrace(parent,child);
1277 if (rc)
1278 return rc;
1279
1280 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1281 /* Save the SID of the tracing process for later use in apply_creds. */
1282 if (!rc)
1283 csec->ptrace_sid = psec->sid;
1284 return rc;
1285 }
1286
1287 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1288 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1289 {
1290 int error;
1291
1292 error = task_has_perm(current, target, PROCESS__GETCAP);
1293 if (error)
1294 return error;
1295
1296 return secondary_ops->capget(target, effective, inheritable, permitted);
1297 }
1298
1299 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1300 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1301 {
1302 int error;
1303
1304 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1305 if (error)
1306 return error;
1307
1308 return task_has_perm(current, target, PROCESS__SETCAP);
1309 }
1310
1311 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1312 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1313 {
1314 secondary_ops->capset_set(target, effective, inheritable, permitted);
1315 }
1316
1317 static int selinux_capable(struct task_struct *tsk, int cap)
1318 {
1319 int rc;
1320
1321 rc = secondary_ops->capable(tsk, cap);
1322 if (rc)
1323 return rc;
1324
1325 return task_has_capability(tsk,cap);
1326 }
1327
1328 static int selinux_sysctl(ctl_table *table, int op)
1329 {
1330 int error = 0;
1331 u32 av;
1332 struct task_security_struct *tsec;
1333 u32 tsid;
1334 int rc;
1335
1336 rc = secondary_ops->sysctl(table, op);
1337 if (rc)
1338 return rc;
1339
1340 tsec = current->security;
1341
1342 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1343 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1344 if (rc) {
1345 /* Default to the well-defined sysctl SID. */
1346 tsid = SECINITSID_SYSCTL;
1347 }
1348
1349 /* The op values are "defined" in sysctl.c, thereby creating
1350 * a bad coupling between this module and sysctl.c */
1351 if(op == 001) {
1352 error = avc_has_perm(tsec->sid, tsid,
1353 SECCLASS_DIR, DIR__SEARCH, NULL);
1354 } else {
1355 av = 0;
1356 if (op & 004)
1357 av |= FILE__READ;
1358 if (op & 002)
1359 av |= FILE__WRITE;
1360 if (av)
1361 error = avc_has_perm(tsec->sid, tsid,
1362 SECCLASS_FILE, av, NULL);
1363 }
1364
1365 return error;
1366 }
1367
1368 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1369 {
1370 int rc = 0;
1371
1372 if (!sb)
1373 return 0;
1374
1375 switch (cmds) {
1376 case Q_SYNC:
1377 case Q_QUOTAON:
1378 case Q_QUOTAOFF:
1379 case Q_SETINFO:
1380 case Q_SETQUOTA:
1381 rc = superblock_has_perm(current,
1382 sb,
1383 FILESYSTEM__QUOTAMOD, NULL);
1384 break;
1385 case Q_GETFMT:
1386 case Q_GETINFO:
1387 case Q_GETQUOTA:
1388 rc = superblock_has_perm(current,
1389 sb,
1390 FILESYSTEM__QUOTAGET, NULL);
1391 break;
1392 default:
1393 rc = 0; /* let the kernel handle invalid cmds */
1394 break;
1395 }
1396 return rc;
1397 }
1398
1399 static int selinux_quota_on(struct dentry *dentry)
1400 {
1401 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1402 }
1403
1404 static int selinux_syslog(int type)
1405 {
1406 int rc;
1407
1408 rc = secondary_ops->syslog(type);
1409 if (rc)
1410 return rc;
1411
1412 switch (type) {
1413 case 3: /* Read last kernel messages */
1414 case 10: /* Return size of the log buffer */
1415 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1416 break;
1417 case 6: /* Disable logging to console */
1418 case 7: /* Enable logging to console */
1419 case 8: /* Set level of messages printed to console */
1420 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1421 break;
1422 case 0: /* Close log */
1423 case 1: /* Open log */
1424 case 2: /* Read from log */
1425 case 4: /* Read/clear last kernel messages */
1426 case 5: /* Clear ring buffer */
1427 default:
1428 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1429 break;
1430 }
1431 return rc;
1432 }
1433
1434 /*
1435 * Check that a process has enough memory to allocate a new virtual
1436 * mapping. 0 means there is enough memory for the allocation to
1437 * succeed and -ENOMEM implies there is not.
1438 *
1439 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1440 * if the capability is granted, but __vm_enough_memory requires 1 if
1441 * the capability is granted.
1442 *
1443 * Do not audit the selinux permission check, as this is applied to all
1444 * processes that allocate mappings.
1445 */
1446 static int selinux_vm_enough_memory(long pages)
1447 {
1448 int rc, cap_sys_admin = 0;
1449 struct task_security_struct *tsec = current->security;
1450
1451 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1452 if (rc == 0)
1453 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1454 SECCLASS_CAPABILITY,
1455 CAP_TO_MASK(CAP_SYS_ADMIN),
1456 NULL);
1457
1458 if (rc == 0)
1459 cap_sys_admin = 1;
1460
1461 return __vm_enough_memory(pages, cap_sys_admin);
1462 }
1463
1464 /* binprm security operations */
1465
1466 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1467 {
1468 struct bprm_security_struct *bsec;
1469
1470 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1471 if (!bsec)
1472 return -ENOMEM;
1473
1474 memset(bsec, 0, sizeof *bsec);
1475 bsec->magic = SELINUX_MAGIC;
1476 bsec->bprm = bprm;
1477 bsec->sid = SECINITSID_UNLABELED;
1478 bsec->set = 0;
1479
1480 bprm->security = bsec;
1481 return 0;
1482 }
1483
1484 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1485 {
1486 struct task_security_struct *tsec;
1487 struct inode *inode = bprm->file->f_dentry->d_inode;
1488 struct inode_security_struct *isec;
1489 struct bprm_security_struct *bsec;
1490 u32 newsid;
1491 struct avc_audit_data ad;
1492 int rc;
1493
1494 rc = secondary_ops->bprm_set_security(bprm);
1495 if (rc)
1496 return rc;
1497
1498 bsec = bprm->security;
1499
1500 if (bsec->set)
1501 return 0;
1502
1503 tsec = current->security;
1504 isec = inode->i_security;
1505
1506 /* Default to the current task SID. */
1507 bsec->sid = tsec->sid;
1508
1509 /* Reset create SID on execve. */
1510 tsec->create_sid = 0;
1511
1512 if (tsec->exec_sid) {
1513 newsid = tsec->exec_sid;
1514 /* Reset exec SID on execve. */
1515 tsec->exec_sid = 0;
1516 } else {
1517 /* Check for a default transition on this program. */
1518 rc = security_transition_sid(tsec->sid, isec->sid,
1519 SECCLASS_PROCESS, &newsid);
1520 if (rc)
1521 return rc;
1522 }
1523
1524 AVC_AUDIT_DATA_INIT(&ad, FS);
1525 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1526 ad.u.fs.dentry = bprm->file->f_dentry;
1527
1528 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1529 newsid = tsec->sid;
1530
1531 if (tsec->sid == newsid) {
1532 rc = avc_has_perm(tsec->sid, isec->sid,
1533 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1534 if (rc)
1535 return rc;
1536 } else {
1537 /* Check permissions for the transition. */
1538 rc = avc_has_perm(tsec->sid, newsid,
1539 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1540 if (rc)
1541 return rc;
1542
1543 rc = avc_has_perm(newsid, isec->sid,
1544 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1545 if (rc)
1546 return rc;
1547
1548 /* Clear any possibly unsafe personality bits on exec: */
1549 current->personality &= ~PER_CLEAR_ON_SETID;
1550
1551 /* Set the security field to the new SID. */
1552 bsec->sid = newsid;
1553 }
1554
1555 bsec->set = 1;
1556 return 0;
1557 }
1558
1559 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1560 {
1561 return secondary_ops->bprm_check_security(bprm);
1562 }
1563
1564
1565 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1566 {
1567 struct task_security_struct *tsec = current->security;
1568 int atsecure = 0;
1569
1570 if (tsec->osid != tsec->sid) {
1571 /* Enable secure mode for SIDs transitions unless
1572 the noatsecure permission is granted between
1573 the two SIDs, i.e. ahp returns 0. */
1574 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1575 SECCLASS_PROCESS,
1576 PROCESS__NOATSECURE, NULL);
1577 }
1578
1579 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1580 }
1581
1582 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1583 {
1584 kfree(bprm->security);
1585 bprm->security = NULL;
1586 }
1587
1588 extern struct vfsmount *selinuxfs_mount;
1589 extern struct dentry *selinux_null;
1590
1591 /* Derived from fs/exec.c:flush_old_files. */
1592 static inline void flush_unauthorized_files(struct files_struct * files)
1593 {
1594 struct avc_audit_data ad;
1595 struct file *file, *devnull = NULL;
1596 struct tty_struct *tty = current->signal->tty;
1597 struct fdtable *fdt;
1598 long j = -1;
1599
1600 if (tty) {
1601 file_list_lock();
1602 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1603 if (file) {
1604 /* Revalidate access to controlling tty.
1605 Use inode_has_perm on the tty inode directly rather
1606 than using file_has_perm, as this particular open
1607 file may belong to another process and we are only
1608 interested in the inode-based check here. */
1609 struct inode *inode = file->f_dentry->d_inode;
1610 if (inode_has_perm(current, inode,
1611 FILE__READ | FILE__WRITE, NULL)) {
1612 /* Reset controlling tty. */
1613 current->signal->tty = NULL;
1614 current->signal->tty_old_pgrp = 0;
1615 }
1616 }
1617 file_list_unlock();
1618 }
1619
1620 /* Revalidate access to inherited open files. */
1621
1622 AVC_AUDIT_DATA_INIT(&ad,FS);
1623
1624 spin_lock(&files->file_lock);
1625 for (;;) {
1626 unsigned long set, i;
1627 int fd;
1628
1629 j++;
1630 i = j * __NFDBITS;
1631 fdt = files_fdtable(files);
1632 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1633 break;
1634 set = fdt->open_fds->fds_bits[j];
1635 if (!set)
1636 continue;
1637 spin_unlock(&files->file_lock);
1638 for ( ; set ; i++,set >>= 1) {
1639 if (set & 1) {
1640 file = fget(i);
1641 if (!file)
1642 continue;
1643 if (file_has_perm(current,
1644 file,
1645 file_to_av(file))) {
1646 sys_close(i);
1647 fd = get_unused_fd();
1648 if (fd != i) {
1649 if (fd >= 0)
1650 put_unused_fd(fd);
1651 fput(file);
1652 continue;
1653 }
1654 if (devnull) {
1655 rcuref_inc(&devnull->f_count);
1656 } else {
1657 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1658 if (!devnull) {
1659 put_unused_fd(fd);
1660 fput(file);
1661 continue;
1662 }
1663 }
1664 fd_install(fd, devnull);
1665 }
1666 fput(file);
1667 }
1668 }
1669 spin_lock(&files->file_lock);
1670
1671 }
1672 spin_unlock(&files->file_lock);
1673 }
1674
1675 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1676 {
1677 struct task_security_struct *tsec;
1678 struct bprm_security_struct *bsec;
1679 u32 sid;
1680 int rc;
1681
1682 secondary_ops->bprm_apply_creds(bprm, unsafe);
1683
1684 tsec = current->security;
1685
1686 bsec = bprm->security;
1687 sid = bsec->sid;
1688
1689 tsec->osid = tsec->sid;
1690 bsec->unsafe = 0;
1691 if (tsec->sid != sid) {
1692 /* Check for shared state. If not ok, leave SID
1693 unchanged and kill. */
1694 if (unsafe & LSM_UNSAFE_SHARE) {
1695 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1696 PROCESS__SHARE, NULL);
1697 if (rc) {
1698 bsec->unsafe = 1;
1699 return;
1700 }
1701 }
1702
1703 /* Check for ptracing, and update the task SID if ok.
1704 Otherwise, leave SID unchanged and kill. */
1705 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1706 rc = avc_has_perm(tsec->ptrace_sid, sid,
1707 SECCLASS_PROCESS, PROCESS__PTRACE,
1708 NULL);
1709 if (rc) {
1710 bsec->unsafe = 1;
1711 return;
1712 }
1713 }
1714 tsec->sid = sid;
1715 }
1716 }
1717
1718 /*
1719 * called after apply_creds without the task lock held
1720 */
1721 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1722 {
1723 struct task_security_struct *tsec;
1724 struct rlimit *rlim, *initrlim;
1725 struct itimerval itimer;
1726 struct bprm_security_struct *bsec;
1727 int rc, i;
1728
1729 tsec = current->security;
1730 bsec = bprm->security;
1731
1732 if (bsec->unsafe) {
1733 force_sig_specific(SIGKILL, current);
1734 return;
1735 }
1736 if (tsec->osid == tsec->sid)
1737 return;
1738
1739 /* Close files for which the new task SID is not authorized. */
1740 flush_unauthorized_files(current->files);
1741
1742 /* Check whether the new SID can inherit signal state
1743 from the old SID. If not, clear itimers to avoid
1744 subsequent signal generation and flush and unblock
1745 signals. This must occur _after_ the task SID has
1746 been updated so that any kill done after the flush
1747 will be checked against the new SID. */
1748 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1749 PROCESS__SIGINH, NULL);
1750 if (rc) {
1751 memset(&itimer, 0, sizeof itimer);
1752 for (i = 0; i < 3; i++)
1753 do_setitimer(i, &itimer, NULL);
1754 flush_signals(current);
1755 spin_lock_irq(&current->sighand->siglock);
1756 flush_signal_handlers(current, 1);
1757 sigemptyset(&current->blocked);
1758 recalc_sigpending();
1759 spin_unlock_irq(&current->sighand->siglock);
1760 }
1761
1762 /* Check whether the new SID can inherit resource limits
1763 from the old SID. If not, reset all soft limits to
1764 the lower of the current task's hard limit and the init
1765 task's soft limit. Note that the setting of hard limits
1766 (even to lower them) can be controlled by the setrlimit
1767 check. The inclusion of the init task's soft limit into
1768 the computation is to avoid resetting soft limits higher
1769 than the default soft limit for cases where the default
1770 is lower than the hard limit, e.g. RLIMIT_CORE or
1771 RLIMIT_STACK.*/
1772 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1773 PROCESS__RLIMITINH, NULL);
1774 if (rc) {
1775 for (i = 0; i < RLIM_NLIMITS; i++) {
1776 rlim = current->signal->rlim + i;
1777 initrlim = init_task.signal->rlim+i;
1778 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1779 }
1780 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1781 /*
1782 * This will cause RLIMIT_CPU calculations
1783 * to be refigured.
1784 */
1785 current->it_prof_expires = jiffies_to_cputime(1);
1786 }
1787 }
1788
1789 /* Wake up the parent if it is waiting so that it can
1790 recheck wait permission to the new task SID. */
1791 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1792 }
1793
1794 /* superblock security operations */
1795
1796 static int selinux_sb_alloc_security(struct super_block *sb)
1797 {
1798 return superblock_alloc_security(sb);
1799 }
1800
1801 static void selinux_sb_free_security(struct super_block *sb)
1802 {
1803 superblock_free_security(sb);
1804 }
1805
1806 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1807 {
1808 if (plen > olen)
1809 return 0;
1810
1811 return !memcmp(prefix, option, plen);
1812 }
1813
1814 static inline int selinux_option(char *option, int len)
1815 {
1816 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1817 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1818 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1819 }
1820
1821 static inline void take_option(char **to, char *from, int *first, int len)
1822 {
1823 if (!*first) {
1824 **to = ',';
1825 *to += 1;
1826 }
1827 else
1828 *first = 0;
1829 memcpy(*to, from, len);
1830 *to += len;
1831 }
1832
1833 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1834 {
1835 int fnosec, fsec, rc = 0;
1836 char *in_save, *in_curr, *in_end;
1837 char *sec_curr, *nosec_save, *nosec;
1838
1839 in_curr = orig;
1840 sec_curr = copy;
1841
1842 /* Binary mount data: just copy */
1843 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1844 copy_page(sec_curr, in_curr);
1845 goto out;
1846 }
1847
1848 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1849 if (!nosec) {
1850 rc = -ENOMEM;
1851 goto out;
1852 }
1853
1854 nosec_save = nosec;
1855 fnosec = fsec = 1;
1856 in_save = in_end = orig;
1857
1858 do {
1859 if (*in_end == ',' || *in_end == '\0') {
1860 int len = in_end - in_curr;
1861
1862 if (selinux_option(in_curr, len))
1863 take_option(&sec_curr, in_curr, &fsec, len);
1864 else
1865 take_option(&nosec, in_curr, &fnosec, len);
1866
1867 in_curr = in_end + 1;
1868 }
1869 } while (*in_end++);
1870
1871 strcpy(in_save, nosec_save);
1872 free_page((unsigned long)nosec_save);
1873 out:
1874 return rc;
1875 }
1876
1877 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1878 {
1879 struct avc_audit_data ad;
1880 int rc;
1881
1882 rc = superblock_doinit(sb, data);
1883 if (rc)
1884 return rc;
1885
1886 AVC_AUDIT_DATA_INIT(&ad,FS);
1887 ad.u.fs.dentry = sb->s_root;
1888 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1889 }
1890
1891 static int selinux_sb_statfs(struct super_block *sb)
1892 {
1893 struct avc_audit_data ad;
1894
1895 AVC_AUDIT_DATA_INIT(&ad,FS);
1896 ad.u.fs.dentry = sb->s_root;
1897 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1898 }
1899
1900 static int selinux_mount(char * dev_name,
1901 struct nameidata *nd,
1902 char * type,
1903 unsigned long flags,
1904 void * data)
1905 {
1906 int rc;
1907
1908 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1909 if (rc)
1910 return rc;
1911
1912 if (flags & MS_REMOUNT)
1913 return superblock_has_perm(current, nd->mnt->mnt_sb,
1914 FILESYSTEM__REMOUNT, NULL);
1915 else
1916 return dentry_has_perm(current, nd->mnt, nd->dentry,
1917 FILE__MOUNTON);
1918 }
1919
1920 static int selinux_umount(struct vfsmount *mnt, int flags)
1921 {
1922 int rc;
1923
1924 rc = secondary_ops->sb_umount(mnt, flags);
1925 if (rc)
1926 return rc;
1927
1928 return superblock_has_perm(current,mnt->mnt_sb,
1929 FILESYSTEM__UNMOUNT,NULL);
1930 }
1931
1932 /* inode security operations */
1933
1934 static int selinux_inode_alloc_security(struct inode *inode)
1935 {
1936 return inode_alloc_security(inode);
1937 }
1938
1939 static void selinux_inode_free_security(struct inode *inode)
1940 {
1941 inode_free_security(inode);
1942 }
1943
1944 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1945 char **name, void **value,
1946 size_t *len)
1947 {
1948 struct task_security_struct *tsec;
1949 struct inode_security_struct *dsec;
1950 struct superblock_security_struct *sbsec;
1951 struct inode_security_struct *isec;
1952 u32 newsid, clen;
1953 int rc;
1954 char *namep = NULL, *context;
1955
1956 tsec = current->security;
1957 dsec = dir->i_security;
1958 sbsec = dir->i_sb->s_security;
1959 isec = inode->i_security;
1960
1961 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1962 newsid = tsec->create_sid;
1963 } else {
1964 rc = security_transition_sid(tsec->sid, dsec->sid,
1965 inode_mode_to_security_class(inode->i_mode),
1966 &newsid);
1967 if (rc) {
1968 printk(KERN_WARNING "%s: "
1969 "security_transition_sid failed, rc=%d (dev=%s "
1970 "ino=%ld)\n",
1971 __FUNCTION__,
1972 -rc, inode->i_sb->s_id, inode->i_ino);
1973 return rc;
1974 }
1975 }
1976
1977 inode_security_set_sid(inode, newsid);
1978
1979 if (name) {
1980 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1981 if (!namep)
1982 return -ENOMEM;
1983 *name = namep;
1984 }
1985
1986 if (value && len) {
1987 rc = security_sid_to_context(newsid, &context, &clen);
1988 if (rc) {
1989 kfree(namep);
1990 return rc;
1991 }
1992 *value = context;
1993 *len = clen;
1994 }
1995
1996 return 0;
1997 }
1998
1999 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2000 {
2001 return may_create(dir, dentry, SECCLASS_FILE);
2002 }
2003
2004 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2005 {
2006 int rc;
2007
2008 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2009 if (rc)
2010 return rc;
2011 return may_link(dir, old_dentry, MAY_LINK);
2012 }
2013
2014 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2015 {
2016 int rc;
2017
2018 rc = secondary_ops->inode_unlink(dir, dentry);
2019 if (rc)
2020 return rc;
2021 return may_link(dir, dentry, MAY_UNLINK);
2022 }
2023
2024 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2025 {
2026 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2027 }
2028
2029 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2030 {
2031 return may_create(dir, dentry, SECCLASS_DIR);
2032 }
2033
2034 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2035 {
2036 return may_link(dir, dentry, MAY_RMDIR);
2037 }
2038
2039 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2040 {
2041 int rc;
2042
2043 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2044 if (rc)
2045 return rc;
2046
2047 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2048 }
2049
2050 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2051 struct inode *new_inode, struct dentry *new_dentry)
2052 {
2053 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2054 }
2055
2056 static int selinux_inode_readlink(struct dentry *dentry)
2057 {
2058 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2059 }
2060
2061 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2062 {
2063 int rc;
2064
2065 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2066 if (rc)
2067 return rc;
2068 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2069 }
2070
2071 static int selinux_inode_permission(struct inode *inode, int mask,
2072 struct nameidata *nd)
2073 {
2074 int rc;
2075
2076 rc = secondary_ops->inode_permission(inode, mask, nd);
2077 if (rc)
2078 return rc;
2079
2080 if (!mask) {
2081 /* No permission to check. Existence test. */
2082 return 0;
2083 }
2084
2085 return inode_has_perm(current, inode,
2086 file_mask_to_av(inode->i_mode, mask), NULL);
2087 }
2088
2089 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2090 {
2091 int rc;
2092
2093 rc = secondary_ops->inode_setattr(dentry, iattr);
2094 if (rc)
2095 return rc;
2096
2097 if (iattr->ia_valid & ATTR_FORCE)
2098 return 0;
2099
2100 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2101 ATTR_ATIME_SET | ATTR_MTIME_SET))
2102 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2103
2104 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2105 }
2106
2107 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2108 {
2109 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2110 }
2111
2112 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2113 {
2114 struct task_security_struct *tsec = current->security;
2115 struct inode *inode = dentry->d_inode;
2116 struct inode_security_struct *isec = inode->i_security;
2117 struct superblock_security_struct *sbsec;
2118 struct avc_audit_data ad;
2119 u32 newsid;
2120 int rc = 0;
2121
2122 if (strcmp(name, XATTR_NAME_SELINUX)) {
2123 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2124 sizeof XATTR_SECURITY_PREFIX - 1) &&
2125 !capable(CAP_SYS_ADMIN)) {
2126 /* A different attribute in the security namespace.
2127 Restrict to administrator. */
2128 return -EPERM;
2129 }
2130
2131 /* Not an attribute we recognize, so just check the
2132 ordinary setattr permission. */
2133 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2134 }
2135
2136 sbsec = inode->i_sb->s_security;
2137 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2138 return -EOPNOTSUPP;
2139
2140 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2141 return -EPERM;
2142
2143 AVC_AUDIT_DATA_INIT(&ad,FS);
2144 ad.u.fs.dentry = dentry;
2145
2146 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2147 FILE__RELABELFROM, &ad);
2148 if (rc)
2149 return rc;
2150
2151 rc = security_context_to_sid(value, size, &newsid);
2152 if (rc)
2153 return rc;
2154
2155 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2156 FILE__RELABELTO, &ad);
2157 if (rc)
2158 return rc;
2159
2160 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2161 isec->sclass);
2162 if (rc)
2163 return rc;
2164
2165 return avc_has_perm(newsid,
2166 sbsec->sid,
2167 SECCLASS_FILESYSTEM,
2168 FILESYSTEM__ASSOCIATE,
2169 &ad);
2170 }
2171
2172 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2173 void *value, size_t size, int flags)
2174 {
2175 struct inode *inode = dentry->d_inode;
2176 struct inode_security_struct *isec = inode->i_security;
2177 u32 newsid;
2178 int rc;
2179
2180 if (strcmp(name, XATTR_NAME_SELINUX)) {
2181 /* Not an attribute we recognize, so nothing to do. */
2182 return;
2183 }
2184
2185 rc = security_context_to_sid(value, size, &newsid);
2186 if (rc) {
2187 printk(KERN_WARNING "%s: unable to obtain SID for context "
2188 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2189 return;
2190 }
2191
2192 isec->sid = newsid;
2193 return;
2194 }
2195
2196 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2197 {
2198 struct inode *inode = dentry->d_inode;
2199 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2200
2201 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2202 return -EOPNOTSUPP;
2203
2204 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2205 }
2206
2207 static int selinux_inode_listxattr (struct dentry *dentry)
2208 {
2209 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2210 }
2211
2212 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2213 {
2214 if (strcmp(name, XATTR_NAME_SELINUX)) {
2215 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2216 sizeof XATTR_SECURITY_PREFIX - 1) &&
2217 !capable(CAP_SYS_ADMIN)) {
2218 /* A different attribute in the security namespace.
2219 Restrict to administrator. */
2220 return -EPERM;
2221 }
2222
2223 /* Not an attribute we recognize, so just check the
2224 ordinary setattr permission. Might want a separate
2225 permission for removexattr. */
2226 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2227 }
2228
2229 /* No one is allowed to remove a SELinux security label.
2230 You can change the label, but all data must be labeled. */
2231 return -EACCES;
2232 }
2233
2234 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2235 {
2236 struct inode_security_struct *isec = inode->i_security;
2237 char *context;
2238 unsigned len;
2239 int rc;
2240
2241 /* Permission check handled by selinux_inode_getxattr hook.*/
2242
2243 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2244 return -EOPNOTSUPP;
2245
2246 rc = security_sid_to_context(isec->sid, &context, &len);
2247 if (rc)
2248 return rc;
2249
2250 if (!buffer || !size) {
2251 kfree(context);
2252 return len;
2253 }
2254 if (size < len) {
2255 kfree(context);
2256 return -ERANGE;
2257 }
2258 memcpy(buffer, context, len);
2259 kfree(context);
2260 return len;
2261 }
2262
2263 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2264 const void *value, size_t size, int flags)
2265 {
2266 struct inode_security_struct *isec = inode->i_security;
2267 u32 newsid;
2268 int rc;
2269
2270 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2271 return -EOPNOTSUPP;
2272
2273 if (!value || !size)
2274 return -EACCES;
2275
2276 rc = security_context_to_sid((void*)value, size, &newsid);
2277 if (rc)
2278 return rc;
2279
2280 isec->sid = newsid;
2281 return 0;
2282 }
2283
2284 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2285 {
2286 const int len = sizeof(XATTR_NAME_SELINUX);
2287 if (buffer && len <= buffer_size)
2288 memcpy(buffer, XATTR_NAME_SELINUX, len);
2289 return len;
2290 }
2291
2292 /* file security operations */
2293
2294 static int selinux_file_permission(struct file *file, int mask)
2295 {
2296 struct inode *inode = file->f_dentry->d_inode;
2297
2298 if (!mask) {
2299 /* No permission to check. Existence test. */
2300 return 0;
2301 }
2302
2303 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2304 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2305 mask |= MAY_APPEND;
2306
2307 return file_has_perm(current, file,
2308 file_mask_to_av(inode->i_mode, mask));
2309 }
2310
2311 static int selinux_file_alloc_security(struct file *file)
2312 {
2313 return file_alloc_security(file);
2314 }
2315
2316 static void selinux_file_free_security(struct file *file)
2317 {
2318 file_free_security(file);
2319 }
2320
2321 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2322 unsigned long arg)
2323 {
2324 int error = 0;
2325
2326 switch (cmd) {
2327 case FIONREAD:
2328 /* fall through */
2329 case FIBMAP:
2330 /* fall through */
2331 case FIGETBSZ:
2332 /* fall through */
2333 case EXT2_IOC_GETFLAGS:
2334 /* fall through */
2335 case EXT2_IOC_GETVERSION:
2336 error = file_has_perm(current, file, FILE__GETATTR);
2337 break;
2338
2339 case EXT2_IOC_SETFLAGS:
2340 /* fall through */
2341 case EXT2_IOC_SETVERSION:
2342 error = file_has_perm(current, file, FILE__SETATTR);
2343 break;
2344
2345 /* sys_ioctl() checks */
2346 case FIONBIO:
2347 /* fall through */
2348 case FIOASYNC:
2349 error = file_has_perm(current, file, 0);
2350 break;
2351
2352 case KDSKBENT:
2353 case KDSKBSENT:
2354 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2355 break;
2356
2357 /* default case assumes that the command will go
2358 * to the file's ioctl() function.
2359 */
2360 default:
2361 error = file_has_perm(current, file, FILE__IOCTL);
2362
2363 }
2364 return error;
2365 }
2366
2367 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2368 {
2369 #ifndef CONFIG_PPC32
2370 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2371 /*
2372 * We are making executable an anonymous mapping or a
2373 * private file mapping that will also be writable.
2374 * This has an additional check.
2375 */
2376 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2377 if (rc)
2378 return rc;
2379 }
2380 #endif
2381
2382 if (file) {
2383 /* read access is always possible with a mapping */
2384 u32 av = FILE__READ;
2385
2386 /* write access only matters if the mapping is shared */
2387 if (shared && (prot & PROT_WRITE))
2388 av |= FILE__WRITE;
2389
2390 if (prot & PROT_EXEC)
2391 av |= FILE__EXECUTE;
2392
2393 return file_has_perm(current, file, av);
2394 }
2395 return 0;
2396 }
2397
2398 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2399 unsigned long prot, unsigned long flags)
2400 {
2401 int rc;
2402
2403 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2404 if (rc)
2405 return rc;
2406
2407 if (selinux_checkreqprot)
2408 prot = reqprot;
2409
2410 return file_map_prot_check(file, prot,
2411 (flags & MAP_TYPE) == MAP_SHARED);
2412 }
2413
2414 static int selinux_file_mprotect(struct vm_area_struct *vma,
2415 unsigned long reqprot,
2416 unsigned long prot)
2417 {
2418 int rc;
2419
2420 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2421 if (rc)
2422 return rc;
2423
2424 if (selinux_checkreqprot)
2425 prot = reqprot;
2426
2427 #ifndef CONFIG_PPC32
2428 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2429 (vma->vm_start >= vma->vm_mm->start_brk &&
2430 vma->vm_end <= vma->vm_mm->brk)) {
2431 /*
2432 * We are making an executable mapping in the brk region.
2433 * This has an additional execheap check.
2434 */
2435 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2436 if (rc)
2437 return rc;
2438 }
2439 if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2440 /*
2441 * We are making executable a file mapping that has
2442 * had some COW done. Since pages might have been written,
2443 * check ability to execute the possibly modified content.
2444 * This typically should only occur for text relocations.
2445 */
2446 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2447 if (rc)
2448 return rc;
2449 }
2450 if (!vma->vm_file && (prot & PROT_EXEC) &&
2451 vma->vm_start <= vma->vm_mm->start_stack &&
2452 vma->vm_end >= vma->vm_mm->start_stack) {
2453 /* Attempt to make the process stack executable.
2454 * This has an additional execstack check.
2455 */
2456 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2457 if (rc)
2458 return rc;
2459 }
2460 #endif
2461
2462 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2463 }
2464
2465 static int selinux_file_lock(struct file *file, unsigned int cmd)
2466 {
2467 return file_has_perm(current, file, FILE__LOCK);
2468 }
2469
2470 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2471 unsigned long arg)
2472 {
2473 int err = 0;
2474
2475 switch (cmd) {
2476 case F_SETFL:
2477 if (!file->f_dentry || !file->f_dentry->d_inode) {
2478 err = -EINVAL;
2479 break;
2480 }
2481
2482 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2483 err = file_has_perm(current, file,FILE__WRITE);
2484 break;
2485 }
2486 /* fall through */
2487 case F_SETOWN:
2488 case F_SETSIG:
2489 case F_GETFL:
2490 case F_GETOWN:
2491 case F_GETSIG:
2492 /* Just check FD__USE permission */
2493 err = file_has_perm(current, file, 0);
2494 break;
2495 case F_GETLK:
2496 case F_SETLK:
2497 case F_SETLKW:
2498 #if BITS_PER_LONG == 32
2499 case F_GETLK64:
2500 case F_SETLK64:
2501 case F_SETLKW64:
2502 #endif
2503 if (!file->f_dentry || !file->f_dentry->d_inode) {
2504 err = -EINVAL;
2505 break;
2506 }
2507 err = file_has_perm(current, file, FILE__LOCK);
2508 break;
2509 }
2510
2511 return err;
2512 }
2513
2514 static int selinux_file_set_fowner(struct file *file)
2515 {
2516 struct task_security_struct *tsec;
2517 struct file_security_struct *fsec;
2518
2519 tsec = current->security;
2520 fsec = file->f_security;
2521 fsec->fown_sid = tsec->sid;
2522
2523 return 0;
2524 }
2525
2526 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2527 struct fown_struct *fown, int signum)
2528 {
2529 struct file *file;
2530 u32 perm;
2531 struct task_security_struct *tsec;
2532 struct file_security_struct *fsec;
2533
2534 /* struct fown_struct is never outside the context of a struct file */
2535 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2536
2537 tsec = tsk->security;
2538 fsec = file->f_security;
2539
2540 if (!signum)
2541 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2542 else
2543 perm = signal_to_av(signum);
2544
2545 return avc_has_perm(fsec->fown_sid, tsec->sid,
2546 SECCLASS_PROCESS, perm, NULL);
2547 }
2548
2549 static int selinux_file_receive(struct file *file)
2550 {
2551 return file_has_perm(current, file, file_to_av(file));
2552 }
2553
2554 /* task security operations */
2555
2556 static int selinux_task_create(unsigned long clone_flags)
2557 {
2558 int rc;
2559
2560 rc = secondary_ops->task_create(clone_flags);
2561 if (rc)
2562 return rc;
2563
2564 return task_has_perm(current, current, PROCESS__FORK);
2565 }
2566
2567 static int selinux_task_alloc_security(struct task_struct *tsk)
2568 {
2569 struct task_security_struct *tsec1, *tsec2;
2570 int rc;
2571
2572 tsec1 = current->security;
2573
2574 rc = task_alloc_security(tsk);
2575 if (rc)
2576 return rc;
2577 tsec2 = tsk->security;
2578
2579 tsec2->osid = tsec1->osid;
2580 tsec2->sid = tsec1->sid;
2581
2582 /* Retain the exec and create SIDs across fork */
2583 tsec2->exec_sid = tsec1->exec_sid;
2584 tsec2->create_sid = tsec1->create_sid;
2585
2586 /* Retain ptracer SID across fork, if any.
2587 This will be reset by the ptrace hook upon any
2588 subsequent ptrace_attach operations. */
2589 tsec2->ptrace_sid = tsec1->ptrace_sid;
2590
2591 return 0;
2592 }
2593
2594 static void selinux_task_free_security(struct task_struct *tsk)
2595 {
2596 task_free_security(tsk);
2597 }
2598
2599 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2600 {
2601 /* Since setuid only affects the current process, and
2602 since the SELinux controls are not based on the Linux
2603 identity attributes, SELinux does not need to control
2604 this operation. However, SELinux does control the use
2605 of the CAP_SETUID and CAP_SETGID capabilities using the
2606 capable hook. */
2607 return 0;
2608 }
2609
2610 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2611 {
2612 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2613 }
2614
2615 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2616 {
2617 /* See the comment for setuid above. */
2618 return 0;
2619 }
2620
2621 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2622 {
2623 return task_has_perm(current, p, PROCESS__SETPGID);
2624 }
2625
2626 static int selinux_task_getpgid(struct task_struct *p)
2627 {
2628 return task_has_perm(current, p, PROCESS__GETPGID);
2629 }
2630
2631 static int selinux_task_getsid(struct task_struct *p)
2632 {
2633 return task_has_perm(current, p, PROCESS__GETSESSION);
2634 }
2635
2636 static int selinux_task_setgroups(struct group_info *group_info)
2637 {
2638 /* See the comment for setuid above. */
2639 return 0;
2640 }
2641
2642 static int selinux_task_setnice(struct task_struct *p, int nice)
2643 {
2644 int rc;
2645
2646 rc = secondary_ops->task_setnice(p, nice);
2647 if (rc)
2648 return rc;
2649
2650 return task_has_perm(current,p, PROCESS__SETSCHED);
2651 }
2652
2653 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2654 {
2655 struct rlimit *old_rlim = current->signal->rlim + resource;
2656 int rc;
2657
2658 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2659 if (rc)
2660 return rc;
2661
2662 /* Control the ability to change the hard limit (whether
2663 lowering or raising it), so that the hard limit can
2664 later be used as a safe reset point for the soft limit
2665 upon context transitions. See selinux_bprm_apply_creds. */
2666 if (old_rlim->rlim_max != new_rlim->rlim_max)
2667 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2668
2669 return 0;
2670 }
2671
2672 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2673 {
2674 return task_has_perm(current, p, PROCESS__SETSCHED);
2675 }
2676
2677 static int selinux_task_getscheduler(struct task_struct *p)
2678 {
2679 return task_has_perm(current, p, PROCESS__GETSCHED);
2680 }
2681
2682 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2683 {
2684 u32 perm;
2685 int rc;
2686
2687 rc = secondary_ops->task_kill(p, info, sig);
2688 if (rc)
2689 return rc;
2690
2691 if (info && ((unsigned long)info == 1 ||
2692 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2693 return 0;
2694
2695 if (!sig)
2696 perm = PROCESS__SIGNULL; /* null signal; existence test */
2697 else
2698 perm = signal_to_av(sig);
2699
2700 return task_has_perm(current, p, perm);
2701 }
2702
2703 static int selinux_task_prctl(int option,
2704 unsigned long arg2,
2705 unsigned long arg3,
2706 unsigned long arg4,
2707 unsigned long arg5)
2708 {
2709 /* The current prctl operations do not appear to require
2710 any SELinux controls since they merely observe or modify
2711 the state of the current process. */
2712 return 0;
2713 }
2714
2715 static int selinux_task_wait(struct task_struct *p)
2716 {
2717 u32 perm;
2718
2719 perm = signal_to_av(p->exit_signal);
2720
2721 return task_has_perm(p, current, perm);
2722 }
2723
2724 static void selinux_task_reparent_to_init(struct task_struct *p)
2725 {
2726 struct task_security_struct *tsec;
2727
2728 secondary_ops->task_reparent_to_init(p);
2729
2730 tsec = p->security;
2731 tsec->osid = tsec->sid;
2732 tsec->sid = SECINITSID_KERNEL;
2733 return;
2734 }
2735
2736 static void selinux_task_to_inode(struct task_struct *p,
2737 struct inode *inode)
2738 {
2739 struct task_security_struct *tsec = p->security;
2740 struct inode_security_struct *isec = inode->i_security;
2741
2742 isec->sid = tsec->sid;
2743 isec->initialized = 1;
2744 return;
2745 }
2746
2747 #ifdef CONFIG_SECURITY_NETWORK
2748
2749 /* Returns error only if unable to parse addresses */
2750 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2751 {
2752 int offset, ihlen, ret = -EINVAL;
2753 struct iphdr _iph, *ih;
2754
2755 offset = skb->nh.raw - skb->data;
2756 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2757 if (ih == NULL)
2758 goto out;
2759
2760 ihlen = ih->ihl * 4;
2761 if (ihlen < sizeof(_iph))
2762 goto out;
2763
2764 ad->u.net.v4info.saddr = ih->saddr;
2765 ad->u.net.v4info.daddr = ih->daddr;
2766 ret = 0;
2767
2768 switch (ih->protocol) {
2769 case IPPROTO_TCP: {
2770 struct tcphdr _tcph, *th;
2771
2772 if (ntohs(ih->frag_off) & IP_OFFSET)
2773 break;
2774
2775 offset += ihlen;
2776 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2777 if (th == NULL)
2778 break;
2779
2780 ad->u.net.sport = th->source;
2781 ad->u.net.dport = th->dest;
2782 break;
2783 }
2784
2785 case IPPROTO_UDP: {
2786 struct udphdr _udph, *uh;
2787
2788 if (ntohs(ih->frag_off) & IP_OFFSET)
2789 break;
2790
2791 offset += ihlen;
2792 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2793 if (uh == NULL)
2794 break;
2795
2796 ad->u.net.sport = uh->source;
2797 ad->u.net.dport = uh->dest;
2798 break;
2799 }
2800
2801 default:
2802 break;
2803 }
2804 out:
2805 return ret;
2806 }
2807
2808 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2809
2810 /* Returns error only if unable to parse addresses */
2811 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2812 {
2813 u8 nexthdr;
2814 int ret = -EINVAL, offset;
2815 struct ipv6hdr _ipv6h, *ip6;
2816
2817 offset = skb->nh.raw - skb->data;
2818 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2819 if (ip6 == NULL)
2820 goto out;
2821
2822 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2823 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2824 ret = 0;
2825
2826 nexthdr = ip6->nexthdr;
2827 offset += sizeof(_ipv6h);
2828 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2829 if (offset < 0)
2830 goto out;
2831
2832 switch (nexthdr) {
2833 case IPPROTO_TCP: {
2834 struct tcphdr _tcph, *th;
2835
2836 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2837 if (th == NULL)
2838 break;
2839
2840 ad->u.net.sport = th->source;
2841 ad->u.net.dport = th->dest;
2842 break;
2843 }
2844
2845 case IPPROTO_UDP: {
2846 struct udphdr _udph, *uh;
2847
2848 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2849 if (uh == NULL)
2850 break;
2851
2852 ad->u.net.sport = uh->source;
2853 ad->u.net.dport = uh->dest;
2854 break;
2855 }
2856
2857 /* includes fragments */
2858 default:
2859 break;
2860 }
2861 out:
2862 return ret;
2863 }
2864
2865 #endif /* IPV6 */
2866
2867 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2868 char **addrp, int *len, int src)
2869 {
2870 int ret = 0;
2871
2872 switch (ad->u.net.family) {
2873 case PF_INET:
2874 ret = selinux_parse_skb_ipv4(skb, ad);
2875 if (ret || !addrp)
2876 break;
2877 *len = 4;
2878 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2879 &ad->u.net.v4info.daddr);
2880 break;
2881
2882 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2883 case PF_INET6:
2884 ret = selinux_parse_skb_ipv6(skb, ad);
2885 if (ret || !addrp)
2886 break;
2887 *len = 16;
2888 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2889 &ad->u.net.v6info.daddr);
2890 break;
2891 #endif /* IPV6 */
2892 default:
2893 break;
2894 }
2895
2896 return ret;
2897 }
2898
2899 /* socket security operations */
2900 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2901 u32 perms)
2902 {
2903 struct inode_security_struct *isec;
2904 struct task_security_struct *tsec;
2905 struct avc_audit_data ad;
2906 int err = 0;
2907
2908 tsec = task->security;
2909 isec = SOCK_INODE(sock)->i_security;
2910
2911 if (isec->sid == SECINITSID_KERNEL)
2912 goto out;
2913
2914 AVC_AUDIT_DATA_INIT(&ad,NET);
2915 ad.u.net.sk = sock->sk;
2916 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2917
2918 out:
2919 return err;
2920 }
2921
2922 static int selinux_socket_create(int family, int type,
2923 int protocol, int kern)
2924 {
2925 int err = 0;
2926 struct task_security_struct *tsec;
2927
2928 if (kern)
2929 goto out;
2930
2931 tsec = current->security;
2932 err = avc_has_perm(tsec->sid, tsec->sid,
2933 socket_type_to_security_class(family, type,
2934 protocol), SOCKET__CREATE, NULL);
2935
2936 out:
2937 return err;
2938 }
2939
2940 static void selinux_socket_post_create(struct socket *sock, int family,
2941 int type, int protocol, int kern)
2942 {
2943 struct inode_security_struct *isec;
2944 struct task_security_struct *tsec;
2945
2946 isec = SOCK_INODE(sock)->i_security;
2947
2948 tsec = current->security;
2949 isec->sclass = socket_type_to_security_class(family, type, protocol);
2950 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2951 isec->initialized = 1;
2952
2953 return;
2954 }
2955
2956 /* Range of port numbers used to automatically bind.
2957 Need to determine whether we should perform a name_bind
2958 permission check between the socket and the port number. */
2959 #define ip_local_port_range_0 sysctl_local_port_range[0]
2960 #define ip_local_port_range_1 sysctl_local_port_range[1]
2961
2962 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2963 {
2964 u16 family;
2965 int err;
2966
2967 err = socket_has_perm(current, sock, SOCKET__BIND);
2968 if (err)
2969 goto out;
2970
2971 /*
2972 * If PF_INET or PF_INET6, check name_bind permission for the port.
2973 */
2974 family = sock->sk->sk_family;
2975 if (family == PF_INET || family == PF_INET6) {
2976 char *addrp;
2977 struct inode_security_struct *isec;
2978 struct task_security_struct *tsec;
2979 struct avc_audit_data ad;
2980 struct sockaddr_in *addr4 = NULL;
2981 struct sockaddr_in6 *addr6 = NULL;
2982 unsigned short snum;
2983 struct sock *sk = sock->sk;
2984 u32 sid, node_perm, addrlen;
2985
2986 tsec = current->security;
2987 isec = SOCK_INODE(sock)->i_security;
2988
2989 if (family == PF_INET) {
2990 addr4 = (struct sockaddr_in *)address;
2991 snum = ntohs(addr4->sin_port);
2992 addrlen = sizeof(addr4->sin_addr.s_addr);
2993 addrp = (char *)&addr4->sin_addr.s_addr;
2994 } else {
2995 addr6 = (struct sockaddr_in6 *)address;
2996 snum = ntohs(addr6->sin6_port);
2997 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2998 addrp = (char *)&addr6->sin6_addr.s6_addr;
2999 }
3000
3001 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3002 snum > ip_local_port_range_1)) {
3003 err = security_port_sid(sk->sk_family, sk->sk_type,
3004 sk->sk_protocol, snum, &sid);
3005 if (err)
3006 goto out;
3007 AVC_AUDIT_DATA_INIT(&ad,NET);
3008 ad.u.net.sport = htons(snum);
3009 ad.u.net.family = family;
3010 err = avc_has_perm(isec->sid, sid,
3011 isec->sclass,
3012 SOCKET__NAME_BIND, &ad);
3013 if (err)
3014 goto out;
3015 }
3016
3017 switch(sk->sk_protocol) {
3018 case IPPROTO_TCP:
3019 node_perm = TCP_SOCKET__NODE_BIND;
3020 break;
3021
3022 case IPPROTO_UDP:
3023 node_perm = UDP_SOCKET__NODE_BIND;
3024 break;
3025
3026 default:
3027 node_perm = RAWIP_SOCKET__NODE_BIND;
3028 break;
3029 }
3030
3031 err = security_node_sid(family, addrp, addrlen, &sid);
3032 if (err)
3033 goto out;
3034
3035 AVC_AUDIT_DATA_INIT(&ad,NET);
3036 ad.u.net.sport = htons(snum);
3037 ad.u.net.family = family;
3038
3039 if (family == PF_INET)
3040 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3041 else
3042 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3043
3044 err = avc_has_perm(isec->sid, sid,
3045 isec->sclass, node_perm, &ad);
3046 if (err)
3047 goto out;
3048 }
3049 out:
3050 return err;
3051 }
3052
3053 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3054 {
3055 struct inode_security_struct *isec;
3056 int err;
3057
3058 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3059 if (err)
3060 return err;
3061
3062 /*
3063 * If a TCP socket, check name_connect permission for the port.
3064 */
3065 isec = SOCK_INODE(sock)->i_security;
3066 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3067 struct sock *sk = sock->sk;
3068 struct avc_audit_data ad;
3069 struct sockaddr_in *addr4 = NULL;
3070 struct sockaddr_in6 *addr6 = NULL;
3071 unsigned short snum;
3072 u32 sid;
3073
3074 if (sk->sk_family == PF_INET) {
3075 addr4 = (struct sockaddr_in *)address;
3076 if (addrlen < sizeof(struct sockaddr_in))
3077 return -EINVAL;
3078 snum = ntohs(addr4->sin_port);
3079 } else {
3080 addr6 = (struct sockaddr_in6 *)address;
3081 if (addrlen < SIN6_LEN_RFC2133)
3082 return -EINVAL;
3083 snum = ntohs(addr6->sin6_port);
3084 }
3085
3086 err = security_port_sid(sk->sk_family, sk->sk_type,
3087 sk->sk_protocol, snum, &sid);
3088 if (err)
3089 goto out;
3090
3091 AVC_AUDIT_DATA_INIT(&ad,NET);
3092 ad.u.net.dport = htons(snum);
3093 ad.u.net.family = sk->sk_family;
3094 err = avc_has_perm(isec->sid, sid, isec->sclass,
3095 TCP_SOCKET__NAME_CONNECT, &ad);
3096 if (err)
3097 goto out;
3098 }
3099
3100 out:
3101 return err;
3102 }
3103
3104 static int selinux_socket_listen(struct socket *sock, int backlog)
3105 {
3106 return socket_has_perm(current, sock, SOCKET__LISTEN);
3107 }
3108
3109 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3110 {
3111 int err;
3112 struct inode_security_struct *isec;
3113 struct inode_security_struct *newisec;
3114
3115 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3116 if (err)
3117 return err;
3118
3119 newisec = SOCK_INODE(newsock)->i_security;
3120
3121 isec = SOCK_INODE(sock)->i_security;
3122 newisec->sclass = isec->sclass;
3123 newisec->sid = isec->sid;
3124 newisec->initialized = 1;
3125
3126 return 0;
3127 }
3128
3129 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3130 int size)
3131 {
3132 return socket_has_perm(current, sock, SOCKET__WRITE);
3133 }
3134
3135 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3136 int size, int flags)
3137 {
3138 return socket_has_perm(current, sock, SOCKET__READ);
3139 }
3140
3141 static int selinux_socket_getsockname(struct socket *sock)
3142 {
3143 return socket_has_perm(current, sock, SOCKET__GETATTR);
3144 }
3145
3146 static int selinux_socket_getpeername(struct socket *sock)
3147 {
3148 return socket_has_perm(current, sock, SOCKET__GETATTR);
3149 }
3150
3151 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3152 {
3153 return socket_has_perm(current, sock, SOCKET__SETOPT);
3154 }
3155
3156 static int selinux_socket_getsockopt(struct socket *sock, int level,
3157 int optname)
3158 {
3159 return socket_has_perm(current, sock, SOCKET__GETOPT);
3160 }
3161
3162 static int selinux_socket_shutdown(struct socket *sock, int how)
3163 {
3164 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3165 }
3166
3167 static int selinux_socket_unix_stream_connect(struct socket *sock,
3168 struct socket *other,
3169 struct sock *newsk)
3170 {
3171 struct sk_security_struct *ssec;
3172 struct inode_security_struct *isec;
3173 struct inode_security_struct *other_isec;
3174 struct avc_audit_data ad;
3175 int err;
3176
3177 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3178 if (err)
3179 return err;
3180
3181 isec = SOCK_INODE(sock)->i_security;
3182 other_isec = SOCK_INODE(other)->i_security;
3183
3184 AVC_AUDIT_DATA_INIT(&ad,NET);
3185 ad.u.net.sk = other->sk;
3186
3187 err = avc_has_perm(isec->sid, other_isec->sid,
3188 isec->sclass,
3189 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3190 if (err)
3191 return err;
3192
3193 /* connecting socket */
3194 ssec = sock->sk->sk_security;
3195 ssec->peer_sid = other_isec->sid;
3196
3197 /* server child socket */
3198 ssec = newsk->sk_security;
3199 ssec->peer_sid = isec->sid;
3200
3201 return 0;
3202 }
3203
3204 static int selinux_socket_unix_may_send(struct socket *sock,
3205 struct socket *other)
3206 {
3207 struct inode_security_struct *isec;
3208 struct inode_security_struct *other_isec;
3209 struct avc_audit_data ad;
3210 int err;
3211
3212 isec = SOCK_INODE(sock)->i_security;
3213 other_isec = SOCK_INODE(other)->i_security;
3214
3215 AVC_AUDIT_DATA_INIT(&ad,NET);
3216 ad.u.net.sk = other->sk;
3217
3218 err = avc_has_perm(isec->sid, other_isec->sid,
3219 isec->sclass, SOCKET__SENDTO, &ad);
3220 if (err)
3221 return err;
3222
3223 return 0;
3224 }
3225
3226 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3227 {
3228 u16 family;
3229 char *addrp;
3230 int len, err = 0;
3231 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3232 u32 sock_sid = 0;
3233 u16 sock_class = 0;
3234 struct socket *sock;
3235 struct net_device *dev;
3236 struct avc_audit_data ad;
3237
3238 family = sk->sk_family;
3239 if (family != PF_INET && family != PF_INET6)
3240 goto out;
3241
3242 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3243 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3244 family = PF_INET;
3245
3246 read_lock_bh(&sk->sk_callback_lock);
3247 sock = sk->sk_socket;
3248 if (sock) {
3249 struct inode *inode;
3250 inode = SOCK_INODE(sock);
3251 if (inode) {
3252 struct inode_security_struct *isec;
3253 isec = inode->i_security;
3254 sock_sid = isec->sid;
3255 sock_class = isec->sclass;
3256 }
3257 }
3258 read_unlock_bh(&sk->sk_callback_lock);
3259 if (!sock_sid)
3260 goto out;
3261
3262 dev = skb->dev;
3263 if (!dev)
3264 goto out;
3265
3266 err = sel_netif_sids(dev, &if_sid, NULL);
3267 if (err)
3268 goto out;
3269
3270 switch (sock_class) {
3271 case SECCLASS_UDP_SOCKET:
3272 netif_perm = NETIF__UDP_RECV;
3273 node_perm = NODE__UDP_RECV;
3274 recv_perm = UDP_SOCKET__RECV_MSG;
3275 break;
3276
3277 case SECCLASS_TCP_SOCKET:
3278 netif_perm = NETIF__TCP_RECV;
3279 node_perm = NODE__TCP_RECV;
3280 recv_perm = TCP_SOCKET__RECV_MSG;
3281 break;
3282
3283 default:
3284 netif_perm = NETIF__RAWIP_RECV;
3285 node_perm = NODE__RAWIP_RECV;
3286 break;
3287 }
3288
3289 AVC_AUDIT_DATA_INIT(&ad, NET);
3290 ad.u.net.netif = dev->name;
3291 ad.u.net.family = family;
3292
3293 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3294 if (err)
3295 goto out;
3296
3297 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3298 if (err)
3299 goto out;
3300
3301 /* Fixme: this lookup is inefficient */
3302 err = security_node_sid(family, addrp, len, &node_sid);
3303 if (err)
3304 goto out;
3305
3306 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3307 if (err)
3308 goto out;
3309
3310 if (recv_perm) {
3311 u32 port_sid;
3312
3313 /* Fixme: make this more efficient */
3314 err = security_port_sid(sk->sk_family, sk->sk_type,
3315 sk->sk_protocol, ntohs(ad.u.net.sport),
3316 &port_sid);
3317 if (err)
3318 goto out;
3319
3320 err = avc_has_perm(sock_sid, port_sid,
3321 sock_class, recv_perm, &ad);
3322 }
3323 out:
3324 return err;
3325 }
3326
3327 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3328 int __user *optlen, unsigned len)
3329 {
3330 int err = 0;
3331 char *scontext;
3332 u32 scontext_len;
3333 struct sk_security_struct *ssec;
3334 struct inode_security_struct *isec;
3335
3336 isec = SOCK_INODE(sock)->i_security;
3337 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3338 err = -ENOPROTOOPT;
3339 goto out;
3340 }
3341
3342 ssec = sock->sk->sk_security;
3343
3344 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3345 if (err)
3346 goto out;
3347
3348 if (scontext_len > len) {
3349 err = -ERANGE;
3350 goto out_len;
3351 }
3352
3353 if (copy_to_user(optval, scontext, scontext_len))
3354 err = -EFAULT;
3355
3356 out_len:
3357 if (put_user(scontext_len, optlen))
3358 err = -EFAULT;
3359
3360 kfree(scontext);
3361 out:
3362 return err;
3363 }
3364
3365 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3366 {
3367 return sk_alloc_security(sk, family, priority);
3368 }
3369
3370 static void selinux_sk_free_security(struct sock *sk)
3371 {
3372 sk_free_security(sk);
3373 }
3374
3375 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3376 {
3377 int err = 0;
3378 u32 perm;
3379 struct nlmsghdr *nlh;
3380 struct socket *sock = sk->sk_socket;
3381 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3382
3383 if (skb->len < NLMSG_SPACE(0)) {
3384 err = -EINVAL;
3385 goto out;
3386 }
3387 nlh = (struct nlmsghdr *)skb->data;
3388
3389 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3390 if (err) {
3391 if (err == -EINVAL) {
3392 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
3393 "SELinux: unrecognized netlink message"
3394 " type=%hu for sclass=%hu\n",
3395 nlh->nlmsg_type, isec->sclass);
3396 if (!selinux_enforcing)
3397 err = 0;
3398 }
3399
3400 /* Ignore */
3401 if (err == -ENOENT)
3402 err = 0;
3403 goto out;
3404 }
3405
3406 err = socket_has_perm(current, sock, perm);
3407 out:
3408 return err;
3409 }
3410
3411 #ifdef CONFIG_NETFILTER
3412
3413 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3414 struct sk_buff **pskb,
3415 const struct net_device *in,
3416 const struct net_device *out,
3417 int (*okfn)(struct sk_buff *),
3418 u16 family)
3419 {
3420 char *addrp;
3421 int len, err = NF_ACCEPT;
3422 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3423 struct sock *sk;
3424 struct socket *sock;
3425 struct inode *inode;
3426 struct sk_buff *skb = *pskb;
3427 struct inode_security_struct *isec;
3428 struct avc_audit_data ad;
3429 struct net_device *dev = (struct net_device *)out;
3430
3431 sk = skb->sk;
3432 if (!sk)
3433 goto out;
3434
3435 sock = sk->sk_socket;
3436 if (!sock)
3437 goto out;
3438
3439 inode = SOCK_INODE(sock);
3440 if (!inode)
3441 goto out;
3442
3443 err = sel_netif_sids(dev, &if_sid, NULL);
3444 if (err)
3445 goto out;
3446
3447 isec = inode->i_security;
3448
3449 switch (isec->sclass) {
3450 case SECCLASS_UDP_SOCKET:
3451 netif_perm = NETIF__UDP_SEND;
3452 node_perm = NODE__UDP_SEND;
3453 send_perm = UDP_SOCKET__SEND_MSG;
3454 break;
3455
3456 case SECCLASS_TCP_SOCKET:
3457 netif_perm = NETIF__TCP_SEND;
3458 node_perm = NODE__TCP_SEND;
3459 send_perm = TCP_SOCKET__SEND_MSG;
3460 break;
3461
3462 default:
3463 netif_perm = NETIF__RAWIP_SEND;
3464 node_perm = NODE__RAWIP_SEND;
3465 break;
3466 }
3467
3468
3469 AVC_AUDIT_DATA_INIT(&ad, NET);
3470 ad.u.net.netif = dev->name;
3471 ad.u.net.family = family;
3472
3473 err = selinux_parse_skb(skb, &ad, &addrp,
3474 &len, 0) ? NF_DROP : NF_ACCEPT;
3475 if (err != NF_ACCEPT)
3476 goto out;
3477
3478 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3479 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3480 if (err != NF_ACCEPT)
3481 goto out;
3482
3483 /* Fixme: this lookup is inefficient */
3484 err = security_node_sid(family, addrp, len,
3485 &node_sid) ? NF_DROP : NF_ACCEPT;
3486 if (err != NF_ACCEPT)
3487 goto out;
3488
3489 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3490 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3491 if (err != NF_ACCEPT)
3492 goto out;
3493
3494 if (send_perm) {
3495 u32 port_sid;
3496
3497 /* Fixme: make this more efficient */
3498 err = security_port_sid(sk->sk_family,
3499 sk->sk_type,
3500 sk->sk_protocol,
3501 ntohs(ad.u.net.dport),
3502 &port_sid) ? NF_DROP : NF_ACCEPT;
3503 if (err != NF_ACCEPT)
3504 goto out;
3505
3506 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3507 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3508 }
3509
3510 out:
3511 return err;
3512 }
3513
3514 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3515 struct sk_buff **pskb,
3516 const struct net_device *in,
3517 const struct net_device *out,
3518 int (*okfn)(struct sk_buff *))
3519 {
3520 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3521 }
3522
3523 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3524
3525 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3526 struct sk_buff **pskb,
3527 const struct net_device *in,
3528 const struct net_device *out,
3529 int (*okfn)(struct sk_buff *))
3530 {
3531 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3532 }
3533
3534 #endif /* IPV6 */
3535
3536 #endif /* CONFIG_NETFILTER */
3537
3538 #else
3539
3540 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3541 {
3542 return 0;
3543 }
3544
3545 #endif /* CONFIG_SECURITY_NETWORK */
3546
3547 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3548 {
3549 struct task_security_struct *tsec;
3550 struct av_decision avd;
3551 int err;
3552
3553 err = secondary_ops->netlink_send(sk, skb);
3554 if (err)
3555 return err;
3556
3557 tsec = current->security;
3558
3559 avd.allowed = 0;
3560 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3561 SECCLASS_CAPABILITY, ~0, &avd);
3562 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3563
3564 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3565 err = selinux_nlmsg_perm(sk, skb);
3566
3567 return err;
3568 }
3569
3570 static int selinux_netlink_recv(struct sk_buff *skb)
3571 {
3572 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3573 return -EPERM;
3574 return 0;
3575 }
3576
3577 static int ipc_alloc_security(struct task_struct *task,
3578 struct kern_ipc_perm *perm,
3579 u16 sclass)
3580 {
3581 struct task_security_struct *tsec = task->security;
3582 struct ipc_security_struct *isec;
3583
3584 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3585 if (!isec)
3586 return -ENOMEM;
3587
3588 memset(isec, 0, sizeof(struct ipc_security_struct));
3589 isec->magic = SELINUX_MAGIC;
3590 isec->sclass = sclass;
3591 isec->ipc_perm = perm;
3592 if (tsec) {
3593 isec->sid = tsec->sid;
3594 } else {
3595 isec->sid = SECINITSID_UNLABELED;
3596 }
3597 perm->security = isec;
3598
3599 return 0;
3600 }
3601
3602 static void ipc_free_security(struct kern_ipc_perm *perm)
3603 {
3604 struct ipc_security_struct *isec = perm->security;
3605 if (!isec || isec->magic != SELINUX_MAGIC)
3606 return;
3607
3608 perm->security = NULL;
3609 kfree(isec);
3610 }
3611
3612 static int msg_msg_alloc_security(struct msg_msg *msg)
3613 {
3614 struct msg_security_struct *msec;
3615
3616 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3617 if (!msec)
3618 return -ENOMEM;
3619
3620 memset(msec, 0, sizeof(struct msg_security_struct));
3621 msec->magic = SELINUX_MAGIC;
3622 msec->msg = msg;
3623 msec->sid = SECINITSID_UNLABELED;
3624 msg->security = msec;
3625
3626 return 0;
3627 }
3628
3629 static void msg_msg_free_security(struct msg_msg *msg)
3630 {
3631 struct msg_security_struct *msec = msg->security;
3632 if (!msec || msec->magic != SELINUX_MAGIC)
3633 return;
3634
3635 msg->security = NULL;
3636 kfree(msec);
3637 }
3638
3639 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3640 u32 perms)
3641 {
3642 struct task_security_struct *tsec;
3643 struct ipc_security_struct *isec;
3644 struct avc_audit_data ad;
3645
3646 tsec = current->security;
3647 isec = ipc_perms->security;
3648
3649 AVC_AUDIT_DATA_INIT(&ad, IPC);
3650 ad.u.ipc_id = ipc_perms->key;
3651
3652 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3653 }
3654
3655 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3656 {
3657 return msg_msg_alloc_security(msg);
3658 }
3659
3660 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3661 {
3662 msg_msg_free_security(msg);
3663 }
3664
3665 /* message queue security operations */
3666 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3667 {
3668 struct task_security_struct *tsec;
3669 struct ipc_security_struct *isec;
3670 struct avc_audit_data ad;
3671 int rc;
3672
3673 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3674 if (rc)
3675 return rc;
3676
3677 tsec = current->security;
3678 isec = msq->q_perm.security;
3679
3680 AVC_AUDIT_DATA_INIT(&ad, IPC);
3681 ad.u.ipc_id = msq->q_perm.key;
3682
3683 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3684 MSGQ__CREATE, &ad);
3685 if (rc) {
3686 ipc_free_security(&msq->q_perm);
3687 return rc;
3688 }
3689 return 0;
3690 }
3691
3692 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3693 {
3694 ipc_free_security(&msq->q_perm);
3695 }
3696
3697 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3698 {
3699 struct task_security_struct *tsec;
3700 struct ipc_security_struct *isec;
3701 struct avc_audit_data ad;
3702
3703 tsec = current->security;
3704 isec = msq->q_perm.security;
3705
3706 AVC_AUDIT_DATA_INIT(&ad, IPC);
3707 ad.u.ipc_id = msq->q_perm.key;
3708
3709 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3710 MSGQ__ASSOCIATE, &ad);
3711 }
3712
3713 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3714 {
3715 int err;
3716 int perms;
3717
3718 switch(cmd) {
3719 case IPC_INFO:
3720 case MSG_INFO:
3721 /* No specific object, just general system-wide information. */
3722 return task_has_system(current, SYSTEM__IPC_INFO);
3723 case IPC_STAT:
3724 case MSG_STAT:
3725 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3726 break;
3727 case IPC_SET:
3728 perms = MSGQ__SETATTR;
3729 break;
3730 case IPC_RMID:
3731 perms = MSGQ__DESTROY;
3732 break;
3733 default:
3734 return 0;
3735 }
3736
3737 err = ipc_has_perm(&msq->q_perm, perms);
3738 return err;
3739 }
3740
3741 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3742 {
3743 struct task_security_struct *tsec;
3744 struct ipc_security_struct *isec;
3745 struct msg_security_struct *msec;
3746 struct avc_audit_data ad;
3747 int rc;
3748
3749 tsec = current->security;
3750 isec = msq->q_perm.security;
3751 msec = msg->security;
3752
3753 /*
3754 * First time through, need to assign label to the message
3755 */
3756 if (msec->sid == SECINITSID_UNLABELED) {
3757 /*
3758 * Compute new sid based on current process and
3759 * message queue this message will be stored in
3760 */
3761 rc = security_transition_sid(tsec->sid,
3762 isec->sid,
3763 SECCLASS_MSG,
3764 &msec->sid);
3765 if (rc)
3766 return rc;
3767 }
3768
3769 AVC_AUDIT_DATA_INIT(&ad, IPC);
3770 ad.u.ipc_id = msq->q_perm.key;
3771
3772 /* Can this process write to the queue? */
3773 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3774 MSGQ__WRITE, &ad);
3775 if (!rc)
3776 /* Can this process send the message */
3777 rc = avc_has_perm(tsec->sid, msec->sid,
3778 SECCLASS_MSG, MSG__SEND, &ad);
3779 if (!rc)
3780 /* Can the message be put in the queue? */
3781 rc = avc_has_perm(msec->sid, isec->sid,
3782 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3783
3784 return rc;
3785 }
3786
3787 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3788 struct task_struct *target,
3789 long type, int mode)
3790 {
3791 struct task_security_struct *tsec;
3792 struct ipc_security_struct *isec;
3793 struct msg_security_struct *msec;
3794 struct avc_audit_data ad;
3795 int rc;
3796
3797 tsec = target->security;
3798 isec = msq->q_perm.security;
3799 msec = msg->security;
3800
3801 AVC_AUDIT_DATA_INIT(&ad, IPC);
3802 ad.u.ipc_id = msq->q_perm.key;
3803
3804 rc = avc_has_perm(tsec->sid, isec->sid,
3805 SECCLASS_MSGQ, MSGQ__READ, &ad);
3806 if (!rc)
3807 rc = avc_has_perm(tsec->sid, msec->sid,
3808 SECCLASS_MSG, MSG__RECEIVE, &ad);
3809 return rc;
3810 }
3811
3812 /* Shared Memory security operations */
3813 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3814 {
3815 struct task_security_struct *tsec;
3816 struct ipc_security_struct *isec;
3817 struct avc_audit_data ad;
3818 int rc;
3819
3820 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3821 if (rc)
3822 return rc;
3823
3824 tsec = current->security;
3825 isec = shp->shm_perm.security;
3826
3827 AVC_AUDIT_DATA_INIT(&ad, IPC);
3828 ad.u.ipc_id = shp->shm_perm.key;
3829
3830 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3831 SHM__CREATE, &ad);
3832 if (rc) {
3833 ipc_free_security(&shp->shm_perm);
3834 return rc;
3835 }
3836 return 0;
3837 }
3838
3839 static void selinux_shm_free_security(struct shmid_kernel *shp)
3840 {
3841 ipc_free_security(&shp->shm_perm);
3842 }
3843
3844 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3845 {
3846 struct task_security_struct *tsec;
3847 struct ipc_security_struct *isec;
3848 struct avc_audit_data ad;
3849
3850 tsec = current->security;
3851 isec = shp->shm_perm.security;
3852
3853 AVC_AUDIT_DATA_INIT(&ad, IPC);
3854 ad.u.ipc_id = shp->shm_perm.key;
3855
3856 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3857 SHM__ASSOCIATE, &ad);
3858 }
3859
3860 /* Note, at this point, shp is locked down */
3861 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3862 {
3863 int perms;
3864 int err;
3865
3866 switch(cmd) {
3867 case IPC_INFO:
3868 case SHM_INFO:
3869 /* No specific object, just general system-wide information. */
3870 return task_has_system(current, SYSTEM__IPC_INFO);
3871 case IPC_STAT:
3872 case SHM_STAT:
3873 perms = SHM__GETATTR | SHM__ASSOCIATE;
3874 break;
3875 case IPC_SET:
3876 perms = SHM__SETATTR;
3877 break;
3878 case SHM_LOCK:
3879 case SHM_UNLOCK:
3880 perms = SHM__LOCK;
3881 break;
3882 case IPC_RMID:
3883 perms = SHM__DESTROY;
3884 break;
3885 default:
3886 return 0;
3887 }
3888
3889 err = ipc_has_perm(&shp->shm_perm, perms);
3890 return err;
3891 }
3892
3893 static int selinux_shm_shmat(struct shmid_kernel *shp,
3894 char __user *shmaddr, int shmflg)
3895 {
3896 u32 perms;
3897 int rc;
3898
3899 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3900 if (rc)
3901 return rc;
3902
3903 if (shmflg & SHM_RDONLY)
3904 perms = SHM__READ;
3905 else
3906 perms = SHM__READ | SHM__WRITE;
3907
3908 return ipc_has_perm(&shp->shm_perm, perms);
3909 }
3910
3911 /* Semaphore security operations */
3912 static int selinux_sem_alloc_security(struct sem_array *sma)
3913 {
3914 struct task_security_struct *tsec;
3915 struct ipc_security_struct *isec;
3916 struct avc_audit_data ad;
3917 int rc;
3918
3919 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3920 if (rc)
3921 return rc;
3922
3923 tsec = current->security;
3924 isec = sma->sem_perm.security;
3925
3926 AVC_AUDIT_DATA_INIT(&ad, IPC);
3927 ad.u.ipc_id = sma->sem_perm.key;
3928
3929 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3930 SEM__CREATE, &ad);
3931 if (rc) {
3932 ipc_free_security(&sma->sem_perm);
3933 return rc;
3934 }
3935 return 0;
3936 }
3937
3938 static void selinux_sem_free_security(struct sem_array *sma)
3939 {
3940 ipc_free_security(&sma->sem_perm);
3941 }
3942
3943 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3944 {
3945 struct task_security_struct *tsec;
3946 struct ipc_security_struct *isec;
3947 struct avc_audit_data ad;
3948
3949 tsec = current->security;
3950 isec = sma->sem_perm.security;
3951
3952 AVC_AUDIT_DATA_INIT(&ad, IPC);
3953 ad.u.ipc_id = sma->sem_perm.key;
3954
3955 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3956 SEM__ASSOCIATE, &ad);
3957 }
3958
3959 /* Note, at this point, sma is locked down */
3960 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3961 {
3962 int err;
3963 u32 perms;
3964
3965 switch(cmd) {
3966 case IPC_INFO:
3967 case SEM_INFO:
3968 /* No specific object, just general system-wide information. */
3969 return task_has_system(current, SYSTEM__IPC_INFO);
3970 case GETPID:
3971 case GETNCNT:
3972 case GETZCNT:
3973 perms = SEM__GETATTR;
3974 break;
3975 case GETVAL:
3976 case GETALL:
3977 perms = SEM__READ;
3978 break;
3979 case SETVAL:
3980 case SETALL:
3981 perms = SEM__WRITE;
3982 break;
3983 case IPC_RMID:
3984 perms = SEM__DESTROY;
3985 break;
3986 case IPC_SET:
3987 perms = SEM__SETATTR;
3988 break;
3989 case IPC_STAT:
3990 case SEM_STAT:
3991 perms = SEM__GETATTR | SEM__ASSOCIATE;
3992 break;
3993 default:
3994 return 0;
3995 }
3996
3997 err = ipc_has_perm(&sma->sem_perm, perms);
3998 return err;
3999 }
4000
4001 static int selinux_sem_semop(struct sem_array *sma,
4002 struct sembuf *sops, unsigned nsops, int alter)
4003 {
4004 u32 perms;
4005
4006 if (alter)
4007 perms = SEM__READ | SEM__WRITE;
4008 else
4009 perms = SEM__READ;
4010
4011 return ipc_has_perm(&sma->sem_perm, perms);
4012 }
4013
4014 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4015 {
4016 u32 av = 0;
4017
4018 av = 0;
4019 if (flag & S_IRUGO)
4020 av |= IPC__UNIX_READ;
4021 if (flag & S_IWUGO)
4022 av |= IPC__UNIX_WRITE;
4023
4024 if (av == 0)
4025 return 0;
4026
4027 return ipc_has_perm(ipcp, av);
4028 }
4029
4030 /* module stacking operations */
4031 static int selinux_register_security (const char *name, struct security_operations *ops)
4032 {
4033 if (secondary_ops != original_ops) {
4034 printk(KERN_INFO "%s: There is already a secondary security "
4035 "module registered.\n", __FUNCTION__);
4036 return -EINVAL;
4037 }
4038
4039 secondary_ops = ops;
4040
4041 printk(KERN_INFO "%s: Registering secondary module %s\n",
4042 __FUNCTION__,
4043 name);
4044
4045 return 0;
4046 }
4047
4048 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4049 {
4050 if (ops != secondary_ops) {
4051 printk (KERN_INFO "%s: trying to unregister a security module "
4052 "that is not registered.\n", __FUNCTION__);
4053 return -EINVAL;
4054 }
4055
4056 secondary_ops = original_ops;
4057
4058 return 0;
4059 }
4060
4061 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4062 {
4063 if (inode)
4064 inode_doinit_with_dentry(inode, dentry);
4065 }
4066
4067 static int selinux_getprocattr(struct task_struct *p,
4068 char *name, void *value, size_t size)
4069 {
4070 struct task_security_struct *tsec;
4071 u32 sid, len;
4072 char *context;
4073 int error;
4074
4075 if (current != p) {
4076 error = task_has_perm(current, p, PROCESS__GETATTR);
4077 if (error)
4078 return error;
4079 }
4080
4081 if (!size)
4082 return -ERANGE;
4083
4084 tsec = p->security;
4085
4086 if (!strcmp(name, "current"))
4087 sid = tsec->sid;
4088 else if (!strcmp(name, "prev"))
4089 sid = tsec->osid;
4090 else if (!strcmp(name, "exec"))
4091 sid = tsec->exec_sid;
4092 else if (!strcmp(name, "fscreate"))
4093 sid = tsec->create_sid;
4094 else
4095 return -EINVAL;
4096
4097 if (!sid)
4098 return 0;
4099
4100 error = security_sid_to_context(sid, &context, &len);
4101 if (error)
4102 return error;
4103 if (len > size) {
4104 kfree(context);
4105 return -ERANGE;
4106 }
4107 memcpy(value, context, len);
4108 kfree(context);
4109 return len;
4110 }
4111
4112 static int selinux_setprocattr(struct task_struct *p,
4113 char *name, void *value, size_t size)
4114 {
4115 struct task_security_struct *tsec;
4116 u32 sid = 0;
4117 int error;
4118 char *str = value;
4119
4120 if (current != p) {
4121 /* SELinux only allows a process to change its own
4122 security attributes. */
4123 return -EACCES;
4124 }
4125
4126 /*
4127 * Basic control over ability to set these attributes at all.
4128 * current == p, but we'll pass them separately in case the
4129 * above restriction is ever removed.
4130 */
4131 if (!strcmp(name, "exec"))
4132 error = task_has_perm(current, p, PROCESS__SETEXEC);
4133 else if (!strcmp(name, "fscreate"))
4134 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4135 else if (!strcmp(name, "current"))
4136 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4137 else
4138 error = -EINVAL;
4139 if (error)
4140 return error;
4141
4142 /* Obtain a SID for the context, if one was specified. */
4143 if (size && str[1] && str[1] != '\n') {
4144 if (str[size-1] == '\n') {
4145 str[size-1] = 0;
4146 size--;
4147 }
4148 error = security_context_to_sid(value, size, &sid);
4149 if (error)
4150 return error;
4151 }
4152
4153 /* Permission checking based on the specified context is
4154 performed during the actual operation (execve,
4155 open/mkdir/...), when we know the full context of the
4156 operation. See selinux_bprm_set_security for the execve
4157 checks and may_create for the file creation checks. The
4158 operation will then fail if the context is not permitted. */
4159 tsec = p->security;
4160 if (!strcmp(name, "exec"))
4161 tsec->exec_sid = sid;
4162 else if (!strcmp(name, "fscreate"))
4163 tsec->create_sid = sid;
4164 else if (!strcmp(name, "current")) {
4165 struct av_decision avd;
4166
4167 if (sid == 0)
4168 return -EINVAL;
4169
4170 /* Only allow single threaded processes to change context */
4171 if (atomic_read(&p->mm->mm_users) != 1) {
4172 struct task_struct *g, *t;
4173 struct mm_struct *mm = p->mm;
4174 read_lock(&tasklist_lock);
4175 do_each_thread(g, t)
4176 if (t->mm == mm && t != p) {
4177 read_unlock(&tasklist_lock);
4178 return -EPERM;
4179 }
4180 while_each_thread(g, t);
4181 read_unlock(&tasklist_lock);
4182 }
4183
4184 /* Check permissions for the transition. */
4185 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4186 PROCESS__DYNTRANSITION, NULL);
4187 if (error)
4188 return error;
4189
4190 /* Check for ptracing, and update the task SID if ok.
4191 Otherwise, leave SID unchanged and fail. */
4192 task_lock(p);
4193 if (p->ptrace & PT_PTRACED) {
4194 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4195 SECCLASS_PROCESS,
4196 PROCESS__PTRACE, &avd);
4197 if (!error)
4198 tsec->sid = sid;
4199 task_unlock(p);
4200 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4201 PROCESS__PTRACE, &avd, error, NULL);
4202 if (error)
4203 return error;
4204 } else {
4205 tsec->sid = sid;
4206 task_unlock(p);
4207 }
4208 }
4209 else
4210 return -EINVAL;
4211
4212 return size;
4213 }
4214
4215 static struct security_operations selinux_ops = {
4216 .ptrace = selinux_ptrace,
4217 .capget = selinux_capget,
4218 .capset_check = selinux_capset_check,
4219 .capset_set = selinux_capset_set,
4220 .sysctl = selinux_sysctl,
4221 .capable = selinux_capable,
4222 .quotactl = selinux_quotactl,
4223 .quota_on = selinux_quota_on,
4224 .syslog = selinux_syslog,
4225 .vm_enough_memory = selinux_vm_enough_memory,
4226
4227 .netlink_send = selinux_netlink_send,
4228 .netlink_recv = selinux_netlink_recv,
4229
4230 .bprm_alloc_security = selinux_bprm_alloc_security,
4231 .bprm_free_security = selinux_bprm_free_security,
4232 .bprm_apply_creds = selinux_bprm_apply_creds,
4233 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4234 .bprm_set_security = selinux_bprm_set_security,
4235 .bprm_check_security = selinux_bprm_check_security,
4236 .bprm_secureexec = selinux_bprm_secureexec,
4237
4238 .sb_alloc_security = selinux_sb_alloc_security,
4239 .sb_free_security = selinux_sb_free_security,
4240 .sb_copy_data = selinux_sb_copy_data,
4241 .sb_kern_mount = selinux_sb_kern_mount,
4242 .sb_statfs = selinux_sb_statfs,
4243 .sb_mount = selinux_mount,
4244 .sb_umount = selinux_umount,
4245
4246 .inode_alloc_security = selinux_inode_alloc_security,
4247 .inode_free_security = selinux_inode_free_security,
4248 .inode_init_security = selinux_inode_init_security,
4249 .inode_create = selinux_inode_create,
4250 .inode_link = selinux_inode_link,
4251 .inode_unlink = selinux_inode_unlink,
4252 .inode_symlink = selinux_inode_symlink,
4253 .inode_mkdir = selinux_inode_mkdir,
4254 .inode_rmdir = selinux_inode_rmdir,
4255 .inode_mknod = selinux_inode_mknod,
4256 .inode_rename = selinux_inode_rename,
4257 .inode_readlink = selinux_inode_readlink,
4258 .inode_follow_link = selinux_inode_follow_link,
4259 .inode_permission = selinux_inode_permission,
4260 .inode_setattr = selinux_inode_setattr,
4261 .inode_getattr = selinux_inode_getattr,
4262 .inode_setxattr = selinux_inode_setxattr,
4263 .inode_post_setxattr = selinux_inode_post_setxattr,
4264 .inode_getxattr = selinux_inode_getxattr,
4265 .inode_listxattr = selinux_inode_listxattr,
4266 .inode_removexattr = selinux_inode_removexattr,
4267 .inode_getsecurity = selinux_inode_getsecurity,
4268 .inode_setsecurity = selinux_inode_setsecurity,
4269 .inode_listsecurity = selinux_inode_listsecurity,
4270
4271 .file_permission = selinux_file_permission,
4272 .file_alloc_security = selinux_file_alloc_security,
4273 .file_free_security = selinux_file_free_security,
4274 .file_ioctl = selinux_file_ioctl,
4275 .file_mmap = selinux_file_mmap,
4276 .file_mprotect = selinux_file_mprotect,
4277 .file_lock = selinux_file_lock,
4278 .file_fcntl = selinux_file_fcntl,
4279 .file_set_fowner = selinux_file_set_fowner,
4280 .file_send_sigiotask = selinux_file_send_sigiotask,
4281 .file_receive = selinux_file_receive,
4282
4283 .task_create = selinux_task_create,
4284 .task_alloc_security = selinux_task_alloc_security,
4285 .task_free_security = selinux_task_free_security,
4286 .task_setuid = selinux_task_setuid,
4287 .task_post_setuid = selinux_task_post_setuid,
4288 .task_setgid = selinux_task_setgid,
4289 .task_setpgid = selinux_task_setpgid,
4290 .task_getpgid = selinux_task_getpgid,
4291 .task_getsid = selinux_task_getsid,
4292 .task_setgroups = selinux_task_setgroups,
4293 .task_setnice = selinux_task_setnice,
4294 .task_setrlimit = selinux_task_setrlimit,
4295 .task_setscheduler = selinux_task_setscheduler,
4296 .task_getscheduler = selinux_task_getscheduler,
4297 .task_kill = selinux_task_kill,
4298 .task_wait = selinux_task_wait,
4299 .task_prctl = selinux_task_prctl,
4300 .task_reparent_to_init = selinux_task_reparent_to_init,
4301 .task_to_inode = selinux_task_to_inode,
4302
4303 .ipc_permission = selinux_ipc_permission,
4304
4305 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4306 .msg_msg_free_security = selinux_msg_msg_free_security,
4307
4308 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4309 .msg_queue_free_security = selinux_msg_queue_free_security,
4310 .msg_queue_associate = selinux_msg_queue_associate,
4311 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4312 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4313 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4314
4315 .shm_alloc_security = selinux_shm_alloc_security,
4316 .shm_free_security = selinux_shm_free_security,
4317 .shm_associate = selinux_shm_associate,
4318 .shm_shmctl = selinux_shm_shmctl,
4319 .shm_shmat = selinux_shm_shmat,
4320
4321 .sem_alloc_security = selinux_sem_alloc_security,
4322 .sem_free_security = selinux_sem_free_security,
4323 .sem_associate = selinux_sem_associate,
4324 .sem_semctl = selinux_sem_semctl,
4325 .sem_semop = selinux_sem_semop,
4326
4327 .register_security = selinux_register_security,
4328 .unregister_security = selinux_unregister_security,
4329
4330 .d_instantiate = selinux_d_instantiate,
4331
4332 .getprocattr = selinux_getprocattr,
4333 .setprocattr = selinux_setprocattr,
4334
4335 #ifdef CONFIG_SECURITY_NETWORK
4336 .unix_stream_connect = selinux_socket_unix_stream_connect,
4337 .unix_may_send = selinux_socket_unix_may_send,
4338
4339 .socket_create = selinux_socket_create,
4340 .socket_post_create = selinux_socket_post_create,
4341 .socket_bind = selinux_socket_bind,
4342 .socket_connect = selinux_socket_connect,
4343 .socket_listen = selinux_socket_listen,
4344 .socket_accept = selinux_socket_accept,
4345 .socket_sendmsg = selinux_socket_sendmsg,
4346 .socket_recvmsg = selinux_socket_recvmsg,
4347 .socket_getsockname = selinux_socket_getsockname,
4348 .socket_getpeername = selinux_socket_getpeername,
4349 .socket_getsockopt = selinux_socket_getsockopt,
4350 .socket_setsockopt = selinux_socket_setsockopt,
4351 .socket_shutdown = selinux_socket_shutdown,
4352 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4353 .socket_getpeersec = selinux_socket_getpeersec,
4354 .sk_alloc_security = selinux_sk_alloc_security,
4355 .sk_free_security = selinux_sk_free_security,
4356 #endif
4357 };
4358
4359 static __init int selinux_init(void)
4360 {
4361 struct task_security_struct *tsec;
4362
4363 if (!selinux_enabled) {
4364 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4365 return 0;
4366 }
4367
4368 printk(KERN_INFO "SELinux: Initializing.\n");
4369
4370 /* Set the security state for the initial task. */
4371 if (task_alloc_security(current))
4372 panic("SELinux: Failed to initialize initial task.\n");
4373 tsec = current->security;
4374 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4375
4376 avc_init();
4377
4378 original_ops = secondary_ops = security_ops;
4379 if (!secondary_ops)
4380 panic ("SELinux: No initial security operations\n");
4381 if (register_security (&selinux_ops))
4382 panic("SELinux: Unable to register with kernel.\n");
4383
4384 if (selinux_enforcing) {
4385 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4386 } else {
4387 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4388 }
4389 return 0;
4390 }
4391
4392 void selinux_complete_init(void)
4393 {
4394 printk(KERN_INFO "SELinux: Completing initialization.\n");
4395
4396 /* Set up any superblocks initialized prior to the policy load. */
4397 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4398 spin_lock(&sb_security_lock);
4399 next_sb:
4400 if (!list_empty(&superblock_security_head)) {
4401 struct superblock_security_struct *sbsec =
4402 list_entry(superblock_security_head.next,
4403 struct superblock_security_struct,
4404 list);
4405 struct super_block *sb = sbsec->sb;
4406 spin_lock(&sb_lock);
4407 sb->s_count++;
4408 spin_unlock(&sb_lock);
4409 spin_unlock(&sb_security_lock);
4410 down_read(&sb->s_umount);
4411 if (sb->s_root)
4412 superblock_doinit(sb, NULL);
4413 drop_super(sb);
4414 spin_lock(&sb_security_lock);
4415 list_del_init(&sbsec->list);
4416 goto next_sb;
4417 }
4418 spin_unlock(&sb_security_lock);
4419 }
4420
4421 /* SELinux requires early initialization in order to label
4422 all processes and objects when they are created. */
4423 security_initcall(selinux_init);
4424
4425 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4426
4427 static struct nf_hook_ops selinux_ipv4_op = {
4428 .hook = selinux_ipv4_postroute_last,
4429 .owner = THIS_MODULE,
4430 .pf = PF_INET,
4431 .hooknum = NF_IP_POST_ROUTING,
4432 .priority = NF_IP_PRI_SELINUX_LAST,
4433 };
4434
4435 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4436
4437 static struct nf_hook_ops selinux_ipv6_op = {
4438 .hook = selinux_ipv6_postroute_last,
4439 .owner = THIS_MODULE,
4440 .pf = PF_INET6,
4441 .hooknum = NF_IP6_POST_ROUTING,
4442 .priority = NF_IP6_PRI_SELINUX_LAST,
4443 };
4444
4445 #endif /* IPV6 */
4446
4447 static int __init selinux_nf_ip_init(void)
4448 {
4449 int err = 0;
4450
4451 if (!selinux_enabled)
4452 goto out;
4453
4454 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4455
4456 err = nf_register_hook(&selinux_ipv4_op);
4457 if (err)
4458 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4459
4460 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4461
4462 err = nf_register_hook(&selinux_ipv6_op);
4463 if (err)
4464 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4465
4466 #endif /* IPV6 */
4467 out:
4468 return err;
4469 }
4470
4471 __initcall(selinux_nf_ip_init);
4472
4473 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4474 static void selinux_nf_ip_exit(void)
4475 {
4476 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4477
4478 nf_unregister_hook(&selinux_ipv4_op);
4479 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4480 nf_unregister_hook(&selinux_ipv6_op);
4481 #endif /* IPV6 */
4482 }
4483 #endif
4484
4485 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4486
4487 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4488 #define selinux_nf_ip_exit()
4489 #endif
4490
4491 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4492
4493 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4494 int selinux_disable(void)
4495 {
4496 extern void exit_sel_fs(void);
4497 static int selinux_disabled = 0;
4498
4499 if (ss_initialized) {
4500 /* Not permitted after initial policy load. */
4501 return -EINVAL;
4502 }
4503
4504 if (selinux_disabled) {
4505 /* Only do this once. */
4506 return -EINVAL;
4507 }
4508
4509 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4510
4511 selinux_disabled = 1;
4512
4513 /* Reset security_ops to the secondary module, dummy or capability. */
4514 security_ops = secondary_ops;
4515
4516 /* Unregister netfilter hooks. */
4517 selinux_nf_ip_exit();
4518
4519 /* Unregister selinuxfs. */
4520 exit_sel_fs();
4521
4522 return 0;
4523 }
4524 #endif
4525
4526
Verdex Pro support