search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
[linux-btrfs-devel.git] / security / selinux / hooks.c
blobe545b9f6707210fa56b54a2e8257e57630776b36
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83
84 #include "avc.h"
85 #include "objsec.h"
86 #include "netif.h"
87 #include "netnode.h"
88 #include "netport.h"
89 #include "xfrm.h"
90 #include "netlabel.h"
91 #include "audit.h"
92 #include "avc_ss.h"
93
94 #define NUM_SEL_MNT_OPTS 5
95
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
109 return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
122 return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129 static struct kmem_cache *sel_inode_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled.
139 *
140 */
141 static int selinux_secmark_enabled(void)
142 {
143 return (atomic_read(&selinux_secmark_refcount) > 0);
144 }
145
146 /*
147 * initialise the security for the init task
148 */
149 static void cred_init_security(void)
150 {
151 struct cred *cred = (struct cred *) current->real_cred;
152 struct task_security_struct *tsec;
153
154 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
155 if (!tsec)
156 panic("SELinux: Failed to initialize initial task.\n");
157
158 tsec->osid = tsec->sid = SECINITSID_KERNEL;
159 cred->security = tsec;
160 }
161
162 /*
163 * get the security ID of a set of credentials
164 */
165 static inline u32 cred_sid(const struct cred *cred)
166 {
167 const struct task_security_struct *tsec;
168
169 tsec = cred->security;
170 return tsec->sid;
171 }
172
173 /*
174 * get the objective security ID of a task
175 */
176 static inline u32 task_sid(const struct task_struct *task)
177 {
178 u32 sid;
179
180 rcu_read_lock();
181 sid = cred_sid(__task_cred(task));
182 rcu_read_unlock();
183 return sid;
184 }
185
186 /*
187 * get the subjective security ID of the current task
188 */
189 static inline u32 current_sid(void)
190 {
191 const struct task_security_struct *tsec = current_security();
192
193 return tsec->sid;
194 }
195
196 /* Allocate and free functions for each kind of security blob. */
197
198 static int inode_alloc_security(struct inode *inode)
199 {
200 struct inode_security_struct *isec;
201 u32 sid = current_sid();
202
203 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
204 if (!isec)
205 return -ENOMEM;
206
207 mutex_init(&isec->lock);
208 INIT_LIST_HEAD(&isec->list);
209 isec->inode = inode;
210 isec->sid = SECINITSID_UNLABELED;
211 isec->sclass = SECCLASS_FILE;
212 isec->task_sid = sid;
213 inode->i_security = isec;
214
215 return 0;
216 }
217
218 static void inode_free_security(struct inode *inode)
219 {
220 struct inode_security_struct *isec = inode->i_security;
221 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222
223 spin_lock(&sbsec->isec_lock);
224 if (!list_empty(&isec->list))
225 list_del_init(&isec->list);
226 spin_unlock(&sbsec->isec_lock);
227
228 inode->i_security = NULL;
229 kmem_cache_free(sel_inode_cache, isec);
230 }
231
232 static int file_alloc_security(struct file *file)
233 {
234 struct file_security_struct *fsec;
235 u32 sid = current_sid();
236
237 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
238 if (!fsec)
239 return -ENOMEM;
240
241 fsec->sid = sid;
242 fsec->fown_sid = sid;
243 file->f_security = fsec;
244
245 return 0;
246 }
247
248 static void file_free_security(struct file *file)
249 {
250 struct file_security_struct *fsec = file->f_security;
251 file->f_security = NULL;
252 kfree(fsec);
253 }
254
255 static int superblock_alloc_security(struct super_block *sb)
256 {
257 struct superblock_security_struct *sbsec;
258
259 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
260 if (!sbsec)
261 return -ENOMEM;
262
263 mutex_init(&sbsec->lock);
264 INIT_LIST_HEAD(&sbsec->isec_head);
265 spin_lock_init(&sbsec->isec_lock);
266 sbsec->sb = sb;
267 sbsec->sid = SECINITSID_UNLABELED;
268 sbsec->def_sid = SECINITSID_FILE;
269 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
270 sb->s_security = sbsec;
271
272 return 0;
273 }
274
275 static void superblock_free_security(struct super_block *sb)
276 {
277 struct superblock_security_struct *sbsec = sb->s_security;
278 sb->s_security = NULL;
279 kfree(sbsec);
280 }
281
282 /* The file system's label must be initialized prior to use. */
283
284 static const char *labeling_behaviors[6] = {
285 "uses xattr",
286 "uses transition SIDs",
287 "uses task SIDs",
288 "uses genfs_contexts",
289 "not configured for labeling",
290 "uses mountpoint labeling",
291 };
292
293 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
294
295 static inline int inode_doinit(struct inode *inode)
296 {
297 return inode_doinit_with_dentry(inode, NULL);
298 }
299
300 enum {
301 Opt_error = -1,
302 Opt_context = 1,
303 Opt_fscontext = 2,
304 Opt_defcontext = 3,
305 Opt_rootcontext = 4,
306 Opt_labelsupport = 5,
307 };
308
309 static const match_table_t tokens = {
310 {Opt_context, CONTEXT_STR "%s"},
311 {Opt_fscontext, FSCONTEXT_STR "%s"},
312 {Opt_defcontext, DEFCONTEXT_STR "%s"},
313 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
314 {Opt_labelsupport, LABELSUPP_STR},
315 {Opt_error, NULL},
316 };
317
318 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
319
320 static int may_context_mount_sb_relabel(u32 sid,
321 struct superblock_security_struct *sbsec,
322 const struct cred *cred)
323 {
324 const struct task_security_struct *tsec = cred->security;
325 int rc;
326
327 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
328 FILESYSTEM__RELABELFROM, NULL);
329 if (rc)
330 return rc;
331
332 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
333 FILESYSTEM__RELABELTO, NULL);
334 return rc;
335 }
336
337 static int may_context_mount_inode_relabel(u32 sid,
338 struct superblock_security_struct *sbsec,
339 const struct cred *cred)
340 {
341 const struct task_security_struct *tsec = cred->security;
342 int rc;
343 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344 FILESYSTEM__RELABELFROM, NULL);
345 if (rc)
346 return rc;
347
348 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
349 FILESYSTEM__ASSOCIATE, NULL);
350 return rc;
351 }
352
353 static int sb_finish_set_opts(struct super_block *sb)
354 {
355 struct superblock_security_struct *sbsec = sb->s_security;
356 struct dentry *root = sb->s_root;
357 struct inode *root_inode = root->d_inode;
358 int rc = 0;
359
360 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
361 /* Make sure that the xattr handler exists and that no
362 error other than -ENODATA is returned by getxattr on
363 the root directory. -ENODATA is ok, as this may be
364 the first boot of the SELinux kernel before we have
365 assigned xattr values to the filesystem. */
366 if (!root_inode->i_op->getxattr) {
367 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
368 "xattr support\n", sb->s_id, sb->s_type->name);
369 rc = -EOPNOTSUPP;
370 goto out;
371 }
372 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
373 if (rc < 0 && rc != -ENODATA) {
374 if (rc == -EOPNOTSUPP)
375 printk(KERN_WARNING "SELinux: (dev %s, type "
376 "%s) has no security xattr handler\n",
377 sb->s_id, sb->s_type->name);
378 else
379 printk(KERN_WARNING "SELinux: (dev %s, type "
380 "%s) getxattr errno %d\n", sb->s_id,
381 sb->s_type->name, -rc);
382 goto out;
383 }
384 }
385
386 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
387
388 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
389 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
390 sb->s_id, sb->s_type->name);
391 else
392 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
393 sb->s_id, sb->s_type->name,
394 labeling_behaviors[sbsec->behavior-1]);
395
396 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
397 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
398 sbsec->behavior == SECURITY_FS_USE_NONE ||
399 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400 sbsec->flags &= ~SE_SBLABELSUPP;
401
402 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
403 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
404 sbsec->flags |= SE_SBLABELSUPP;
405
406 /* Initialize the root inode. */
407 rc = inode_doinit_with_dentry(root_inode, root);
408
409 /* Initialize any other inodes associated with the superblock, e.g.
410 inodes created prior to initial policy load or inodes created
411 during get_sb by a pseudo filesystem that directly
412 populates itself. */
413 spin_lock(&sbsec->isec_lock);
414 next_inode:
415 if (!list_empty(&sbsec->isec_head)) {
416 struct inode_security_struct *isec =
417 list_entry(sbsec->isec_head.next,
418 struct inode_security_struct, list);
419 struct inode *inode = isec->inode;
420 spin_unlock(&sbsec->isec_lock);
421 inode = igrab(inode);
422 if (inode) {
423 if (!IS_PRIVATE(inode))
424 inode_doinit(inode);
425 iput(inode);
426 }
427 spin_lock(&sbsec->isec_lock);
428 list_del_init(&isec->list);
429 goto next_inode;
430 }
431 spin_unlock(&sbsec->isec_lock);
432 out:
433 return rc;
434 }
435
436 /*
437 * This function should allow an FS to ask what it's mount security
438 * options were so it can use those later for submounts, displaying
439 * mount options, or whatever.
440 */
441 static int selinux_get_mnt_opts(const struct super_block *sb,
442 struct security_mnt_opts *opts)
443 {
444 int rc = 0, i;
445 struct superblock_security_struct *sbsec = sb->s_security;
446 char *context = NULL;
447 u32 len;
448 char tmp;
449
450 security_init_mnt_opts(opts);
451
452 if (!(sbsec->flags & SE_SBINITIALIZED))
453 return -EINVAL;
454
455 if (!ss_initialized)
456 return -EINVAL;
457
458 tmp = sbsec->flags & SE_MNTMASK;
459 /* count the number of mount options for this sb */
460 for (i = 0; i < 8; i++) {
461 if (tmp & 0x01)
462 opts->num_mnt_opts++;
463 tmp >>= 1;
464 }
465 /* Check if the Label support flag is set */
466 if (sbsec->flags & SE_SBLABELSUPP)
467 opts->num_mnt_opts++;
468
469 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
470 if (!opts->mnt_opts) {
471 rc = -ENOMEM;
472 goto out_free;
473 }
474
475 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
476 if (!opts->mnt_opts_flags) {
477 rc = -ENOMEM;
478 goto out_free;
479 }
480
481 i = 0;
482 if (sbsec->flags & FSCONTEXT_MNT) {
483 rc = security_sid_to_context(sbsec->sid, &context, &len);
484 if (rc)
485 goto out_free;
486 opts->mnt_opts[i] = context;
487 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
488 }
489 if (sbsec->flags & CONTEXT_MNT) {
490 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
491 if (rc)
492 goto out_free;
493 opts->mnt_opts[i] = context;
494 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
495 }
496 if (sbsec->flags & DEFCONTEXT_MNT) {
497 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
498 if (rc)
499 goto out_free;
500 opts->mnt_opts[i] = context;
501 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
502 }
503 if (sbsec->flags & ROOTCONTEXT_MNT) {
504 struct inode *root = sbsec->sb->s_root->d_inode;
505 struct inode_security_struct *isec = root->i_security;
506
507 rc = security_sid_to_context(isec->sid, &context, &len);
508 if (rc)
509 goto out_free;
510 opts->mnt_opts[i] = context;
511 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
512 }
513 if (sbsec->flags & SE_SBLABELSUPP) {
514 opts->mnt_opts[i] = NULL;
515 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
516 }
517
518 BUG_ON(i != opts->num_mnt_opts);
519
520 return 0;
521
522 out_free:
523 security_free_mnt_opts(opts);
524 return rc;
525 }
526
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528 u32 old_sid, u32 new_sid)
529 {
530 char mnt_flags = sbsec->flags & SE_MNTMASK;
531
532 /* check if the old mount command had the same options */
533 if (sbsec->flags & SE_SBINITIALIZED)
534 if (!(sbsec->flags & flag) ||
535 (old_sid != new_sid))
536 return 1;
537
538 /* check if we were passed the same options twice,
539 * aka someone passed context=a,context=b
540 */
541 if (!(sbsec->flags & SE_SBINITIALIZED))
542 if (mnt_flags & flag)
543 return 1;
544 return 0;
545 }
546
547 /*
548 * Allow filesystems with binary mount data to explicitly set mount point
549 * labeling information.
550 */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552 struct security_mnt_opts *opts)
553 {
554 const struct cred *cred = current_cred();
555 int rc = 0, i;
556 struct superblock_security_struct *sbsec = sb->s_security;
557 const char *name = sb->s_type->name;
558 struct inode *inode = sbsec->sb->s_root->d_inode;
559 struct inode_security_struct *root_isec = inode->i_security;
560 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561 u32 defcontext_sid = 0;
562 char **mount_options = opts->mnt_opts;
563 int *flags = opts->mnt_opts_flags;
564 int num_opts = opts->num_mnt_opts;
565
566 mutex_lock(&sbsec->lock);
567
568 if (!ss_initialized) {
569 if (!num_opts) {
570 /* Defer initialization until selinux_complete_init,
571 after the initial policy is loaded and the security
572 server is ready to handle calls. */
573 goto out;
574 }
575 rc = -EINVAL;
576 printk(KERN_WARNING "SELinux: Unable to set superblock options "
577 "before the security server is initialized\n");
578 goto out;
579 }
580
581 /*
582 * Binary mount data FS will come through this function twice. Once
583 * from an explicit call and once from the generic calls from the vfs.
584 * Since the generic VFS calls will not contain any security mount data
585 * we need to skip the double mount verification.
586 *
587 * This does open a hole in which we will not notice if the first
588 * mount using this sb set explict options and a second mount using
589 * this sb does not set any security options. (The first options
590 * will be used for both mounts)
591 */
592 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593 && (num_opts == 0))
594 goto out;
595
596 /*
597 * parse the mount options, check if they are valid sids.
598 * also check if someone is trying to mount the same sb more
599 * than once with different security options.
600 */
601 for (i = 0; i < num_opts; i++) {
602 u32 sid;
603
604 if (flags[i] == SE_SBLABELSUPP)
605 continue;
606 rc = security_context_to_sid(mount_options[i],
607 strlen(mount_options[i]), &sid);
608 if (rc) {
609 printk(KERN_WARNING "SELinux: security_context_to_sid"
610 "(%s) failed for (dev %s, type %s) errno=%d\n",
611 mount_options[i], sb->s_id, name, rc);
612 goto out;
613 }
614 switch (flags[i]) {
615 case FSCONTEXT_MNT:
616 fscontext_sid = sid;
617
618 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619 fscontext_sid))
620 goto out_double_mount;
621
622 sbsec->flags |= FSCONTEXT_MNT;
623 break;
624 case CONTEXT_MNT:
625 context_sid = sid;
626
627 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628 context_sid))
629 goto out_double_mount;
630
631 sbsec->flags |= CONTEXT_MNT;
632 break;
633 case ROOTCONTEXT_MNT:
634 rootcontext_sid = sid;
635
636 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637 rootcontext_sid))
638 goto out_double_mount;
639
640 sbsec->flags |= ROOTCONTEXT_MNT;
641
642 break;
643 case DEFCONTEXT_MNT:
644 defcontext_sid = sid;
645
646 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647 defcontext_sid))
648 goto out_double_mount;
649
650 sbsec->flags |= DEFCONTEXT_MNT;
651
652 break;
653 default:
654 rc = -EINVAL;
655 goto out;
656 }
657 }
658
659 if (sbsec->flags & SE_SBINITIALIZED) {
660 /* previously mounted with options, but not on this attempt? */
661 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
662 goto out_double_mount;
663 rc = 0;
664 goto out;
665 }
666
667 if (strcmp(sb->s_type->name, "proc") == 0)
668 sbsec->flags |= SE_SBPROC;
669
670 /* Determine the labeling behavior to use for this filesystem type. */
671 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672 if (rc) {
673 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674 __func__, sb->s_type->name, rc);
675 goto out;
676 }
677
678 /* sets the context of the superblock for the fs being mounted. */
679 if (fscontext_sid) {
680 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
681 if (rc)
682 goto out;
683
684 sbsec->sid = fscontext_sid;
685 }
686
687 /*
688 * Switch to using mount point labeling behavior.
689 * sets the label used on all file below the mountpoint, and will set
690 * the superblock context if not already set.
691 */
692 if (context_sid) {
693 if (!fscontext_sid) {
694 rc = may_context_mount_sb_relabel(context_sid, sbsec,
695 cred);
696 if (rc)
697 goto out;
698 sbsec->sid = context_sid;
699 } else {
700 rc = may_context_mount_inode_relabel(context_sid, sbsec,
701 cred);
702 if (rc)
703 goto out;
704 }
705 if (!rootcontext_sid)
706 rootcontext_sid = context_sid;
707
708 sbsec->mntpoint_sid = context_sid;
709 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
710 }
711
712 if (rootcontext_sid) {
713 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
714 cred);
715 if (rc)
716 goto out;
717
718 root_isec->sid = rootcontext_sid;
719 root_isec->initialized = 1;
720 }
721
722 if (defcontext_sid) {
723 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
724 rc = -EINVAL;
725 printk(KERN_WARNING "SELinux: defcontext option is "
726 "invalid for this filesystem type\n");
727 goto out;
728 }
729
730 if (defcontext_sid != sbsec->def_sid) {
731 rc = may_context_mount_inode_relabel(defcontext_sid,
732 sbsec, cred);
733 if (rc)
734 goto out;
735 }
736
737 sbsec->def_sid = defcontext_sid;
738 }
739
740 rc = sb_finish_set_opts(sb);
741 out:
742 mutex_unlock(&sbsec->lock);
743 return rc;
744 out_double_mount:
745 rc = -EINVAL;
746 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
747 "security settings for (dev %s, type %s)\n", sb->s_id, name);
748 goto out;
749 }
750
751 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
752 struct super_block *newsb)
753 {
754 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
755 struct superblock_security_struct *newsbsec = newsb->s_security;
756
757 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
758 int set_context = (oldsbsec->flags & CONTEXT_MNT);
759 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
760
761 /*
762 * if the parent was able to be mounted it clearly had no special lsm
763 * mount options. thus we can safely deal with this superblock later
764 */
765 if (!ss_initialized)
766 return;
767
768 /* how can we clone if the old one wasn't set up?? */
769 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
770
771 /* if fs is reusing a sb, just let its options stand... */
772 if (newsbsec->flags & SE_SBINITIALIZED)
773 return;
774
775 mutex_lock(&newsbsec->lock);
776
777 newsbsec->flags = oldsbsec->flags;
778
779 newsbsec->sid = oldsbsec->sid;
780 newsbsec->def_sid = oldsbsec->def_sid;
781 newsbsec->behavior = oldsbsec->behavior;
782
783 if (set_context) {
784 u32 sid = oldsbsec->mntpoint_sid;
785
786 if (!set_fscontext)
787 newsbsec->sid = sid;
788 if (!set_rootcontext) {
789 struct inode *newinode = newsb->s_root->d_inode;
790 struct inode_security_struct *newisec = newinode->i_security;
791 newisec->sid = sid;
792 }
793 newsbsec->mntpoint_sid = sid;
794 }
795 if (set_rootcontext) {
796 const struct inode *oldinode = oldsb->s_root->d_inode;
797 const struct inode_security_struct *oldisec = oldinode->i_security;
798 struct inode *newinode = newsb->s_root->d_inode;
799 struct inode_security_struct *newisec = newinode->i_security;
800
801 newisec->sid = oldisec->sid;
802 }
803
804 sb_finish_set_opts(newsb);
805 mutex_unlock(&newsbsec->lock);
806 }
807
808 static int selinux_parse_opts_str(char *options,
809 struct security_mnt_opts *opts)
810 {
811 char *p;
812 char *context = NULL, *defcontext = NULL;
813 char *fscontext = NULL, *rootcontext = NULL;
814 int rc, num_mnt_opts = 0;
815
816 opts->num_mnt_opts = 0;
817
818 /* Standard string-based options. */
819 while ((p = strsep(&options, "|")) != NULL) {
820 int token;
821 substring_t args[MAX_OPT_ARGS];
822
823 if (!*p)
824 continue;
825
826 token = match_token(p, tokens, args);
827
828 switch (token) {
829 case Opt_context:
830 if (context || defcontext) {
831 rc = -EINVAL;
832 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
833 goto out_err;
834 }
835 context = match_strdup(&args[0]);
836 if (!context) {
837 rc = -ENOMEM;
838 goto out_err;
839 }
840 break;
841
842 case Opt_fscontext:
843 if (fscontext) {
844 rc = -EINVAL;
845 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
846 goto out_err;
847 }
848 fscontext = match_strdup(&args[0]);
849 if (!fscontext) {
850 rc = -ENOMEM;
851 goto out_err;
852 }
853 break;
854
855 case Opt_rootcontext:
856 if (rootcontext) {
857 rc = -EINVAL;
858 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
859 goto out_err;
860 }
861 rootcontext = match_strdup(&args[0]);
862 if (!rootcontext) {
863 rc = -ENOMEM;
864 goto out_err;
865 }
866 break;
867
868 case Opt_defcontext:
869 if (context || defcontext) {
870 rc = -EINVAL;
871 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
872 goto out_err;
873 }
874 defcontext = match_strdup(&args[0]);
875 if (!defcontext) {
876 rc = -ENOMEM;
877 goto out_err;
878 }
879 break;
880 case Opt_labelsupport:
881 break;
882 default:
883 rc = -EINVAL;
884 printk(KERN_WARNING "SELinux: unknown mount option\n");
885 goto out_err;
886
887 }
888 }
889
890 rc = -ENOMEM;
891 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
892 if (!opts->mnt_opts)
893 goto out_err;
894
895 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
896 if (!opts->mnt_opts_flags) {
897 kfree(opts->mnt_opts);
898 goto out_err;
899 }
900
901 if (fscontext) {
902 opts->mnt_opts[num_mnt_opts] = fscontext;
903 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
904 }
905 if (context) {
906 opts->mnt_opts[num_mnt_opts] = context;
907 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
908 }
909 if (rootcontext) {
910 opts->mnt_opts[num_mnt_opts] = rootcontext;
911 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
912 }
913 if (defcontext) {
914 opts->mnt_opts[num_mnt_opts] = defcontext;
915 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
916 }
917
918 opts->num_mnt_opts = num_mnt_opts;
919 return 0;
920
921 out_err:
922 kfree(context);
923 kfree(defcontext);
924 kfree(fscontext);
925 kfree(rootcontext);
926 return rc;
927 }
928 /*
929 * string mount options parsing and call set the sbsec
930 */
931 static int superblock_doinit(struct super_block *sb, void *data)
932 {
933 int rc = 0;
934 char *options = data;
935 struct security_mnt_opts opts;
936
937 security_init_mnt_opts(&opts);
938
939 if (!data)
940 goto out;
941
942 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
943
944 rc = selinux_parse_opts_str(options, &opts);
945 if (rc)
946 goto out_err;
947
948 out:
949 rc = selinux_set_mnt_opts(sb, &opts);
950
951 out_err:
952 security_free_mnt_opts(&opts);
953 return rc;
954 }
955
956 static void selinux_write_opts(struct seq_file *m,
957 struct security_mnt_opts *opts)
958 {
959 int i;
960 char *prefix;
961
962 for (i = 0; i < opts->num_mnt_opts; i++) {
963 char *has_comma;
964
965 if (opts->mnt_opts[i])
966 has_comma = strchr(opts->mnt_opts[i], ',');
967 else
968 has_comma = NULL;
969
970 switch (opts->mnt_opts_flags[i]) {
971 case CONTEXT_MNT:
972 prefix = CONTEXT_STR;
973 break;
974 case FSCONTEXT_MNT:
975 prefix = FSCONTEXT_STR;
976 break;
977 case ROOTCONTEXT_MNT:
978 prefix = ROOTCONTEXT_STR;
979 break;
980 case DEFCONTEXT_MNT:
981 prefix = DEFCONTEXT_STR;
982 break;
983 case SE_SBLABELSUPP:
984 seq_putc(m, ',');
985 seq_puts(m, LABELSUPP_STR);
986 continue;
987 default:
988 BUG();
989 return;
990 };
991 /* we need a comma before each option */
992 seq_putc(m, ',');
993 seq_puts(m, prefix);
994 if (has_comma)
995 seq_putc(m, '\"');
996 seq_puts(m, opts->mnt_opts[i]);
997 if (has_comma)
998 seq_putc(m, '\"');
999 }
1000 }
1001
1002 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1003 {
1004 struct security_mnt_opts opts;
1005 int rc;
1006
1007 rc = selinux_get_mnt_opts(sb, &opts);
1008 if (rc) {
1009 /* before policy load we may get EINVAL, don't show anything */
1010 if (rc == -EINVAL)
1011 rc = 0;
1012 return rc;
1013 }
1014
1015 selinux_write_opts(m, &opts);
1016
1017 security_free_mnt_opts(&opts);
1018
1019 return rc;
1020 }
1021
1022 static inline u16 inode_mode_to_security_class(umode_t mode)
1023 {
1024 switch (mode & S_IFMT) {
1025 case S_IFSOCK:
1026 return SECCLASS_SOCK_FILE;
1027 case S_IFLNK:
1028 return SECCLASS_LNK_FILE;
1029 case S_IFREG:
1030 return SECCLASS_FILE;
1031 case S_IFBLK:
1032 return SECCLASS_BLK_FILE;
1033 case S_IFDIR:
1034 return SECCLASS_DIR;
1035 case S_IFCHR:
1036 return SECCLASS_CHR_FILE;
1037 case S_IFIFO:
1038 return SECCLASS_FIFO_FILE;
1039
1040 }
1041
1042 return SECCLASS_FILE;
1043 }
1044
1045 static inline int default_protocol_stream(int protocol)
1046 {
1047 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1048 }
1049
1050 static inline int default_protocol_dgram(int protocol)
1051 {
1052 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1053 }
1054
1055 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1056 {
1057 switch (family) {
1058 case PF_UNIX:
1059 switch (type) {
1060 case SOCK_STREAM:
1061 case SOCK_SEQPACKET:
1062 return SECCLASS_UNIX_STREAM_SOCKET;
1063 case SOCK_DGRAM:
1064 return SECCLASS_UNIX_DGRAM_SOCKET;
1065 }
1066 break;
1067 case PF_INET:
1068 case PF_INET6:
1069 switch (type) {
1070 case SOCK_STREAM:
1071 if (default_protocol_stream(protocol))
1072 return SECCLASS_TCP_SOCKET;
1073 else
1074 return SECCLASS_RAWIP_SOCKET;
1075 case SOCK_DGRAM:
1076 if (default_protocol_dgram(protocol))
1077 return SECCLASS_UDP_SOCKET;
1078 else
1079 return SECCLASS_RAWIP_SOCKET;
1080 case SOCK_DCCP:
1081 return SECCLASS_DCCP_SOCKET;
1082 default:
1083 return SECCLASS_RAWIP_SOCKET;
1084 }
1085 break;
1086 case PF_NETLINK:
1087 switch (protocol) {
1088 case NETLINK_ROUTE:
1089 return SECCLASS_NETLINK_ROUTE_SOCKET;
1090 case NETLINK_FIREWALL:
1091 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1092 case NETLINK_INET_DIAG:
1093 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1094 case NETLINK_NFLOG:
1095 return SECCLASS_NETLINK_NFLOG_SOCKET;
1096 case NETLINK_XFRM:
1097 return SECCLASS_NETLINK_XFRM_SOCKET;
1098 case NETLINK_SELINUX:
1099 return SECCLASS_NETLINK_SELINUX_SOCKET;
1100 case NETLINK_AUDIT:
1101 return SECCLASS_NETLINK_AUDIT_SOCKET;
1102 case NETLINK_IP6_FW:
1103 return SECCLASS_NETLINK_IP6FW_SOCKET;
1104 case NETLINK_DNRTMSG:
1105 return SECCLASS_NETLINK_DNRT_SOCKET;
1106 case NETLINK_KOBJECT_UEVENT:
1107 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1108 default:
1109 return SECCLASS_NETLINK_SOCKET;
1110 }
1111 case PF_PACKET:
1112 return SECCLASS_PACKET_SOCKET;
1113 case PF_KEY:
1114 return SECCLASS_KEY_SOCKET;
1115 case PF_APPLETALK:
1116 return SECCLASS_APPLETALK_SOCKET;
1117 }
1118
1119 return SECCLASS_SOCKET;
1120 }
1121
1122 #ifdef CONFIG_PROC_FS
1123 static int selinux_proc_get_sid(struct dentry *dentry,
1124 u16 tclass,
1125 u32 *sid)
1126 {
1127 int rc;
1128 char *buffer, *path;
1129
1130 buffer = (char *)__get_free_page(GFP_KERNEL);
1131 if (!buffer)
1132 return -ENOMEM;
1133
1134 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1135 if (IS_ERR(path))
1136 rc = PTR_ERR(path);
1137 else {
1138 /* each process gets a /proc/PID/ entry. Strip off the
1139 * PID part to get a valid selinux labeling.
1140 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1141 while (path[1] >= '0' && path[1] <= '9') {
1142 path[1] = '/';
1143 path++;
1144 }
1145 rc = security_genfs_sid("proc", path, tclass, sid);
1146 }
1147 free_page((unsigned long)buffer);
1148 return rc;
1149 }
1150 #else
1151 static int selinux_proc_get_sid(struct dentry *dentry,
1152 u16 tclass,
1153 u32 *sid)
1154 {
1155 return -EINVAL;
1156 }
1157 #endif
1158
1159 /* The inode's security attributes must be initialized before first use. */
1160 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1161 {
1162 struct superblock_security_struct *sbsec = NULL;
1163 struct inode_security_struct *isec = inode->i_security;
1164 u32 sid;
1165 struct dentry *dentry;
1166 #define INITCONTEXTLEN 255
1167 char *context = NULL;
1168 unsigned len = 0;
1169 int rc = 0;
1170
1171 if (isec->initialized)
1172 goto out;
1173
1174 mutex_lock(&isec->lock);
1175 if (isec->initialized)
1176 goto out_unlock;
1177
1178 sbsec = inode->i_sb->s_security;
1179 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1180 /* Defer initialization until selinux_complete_init,
1181 after the initial policy is loaded and the security
1182 server is ready to handle calls. */
1183 spin_lock(&sbsec->isec_lock);
1184 if (list_empty(&isec->list))
1185 list_add(&isec->list, &sbsec->isec_head);
1186 spin_unlock(&sbsec->isec_lock);
1187 goto out_unlock;
1188 }
1189
1190 switch (sbsec->behavior) {
1191 case SECURITY_FS_USE_XATTR:
1192 if (!inode->i_op->getxattr) {
1193 isec->sid = sbsec->def_sid;
1194 break;
1195 }
1196
1197 /* Need a dentry, since the xattr API requires one.
1198 Life would be simpler if we could just pass the inode. */
1199 if (opt_dentry) {
1200 /* Called from d_instantiate or d_splice_alias. */
1201 dentry = dget(opt_dentry);
1202 } else {
1203 /* Called from selinux_complete_init, try to find a dentry. */
1204 dentry = d_find_alias(inode);
1205 }
1206 if (!dentry) {
1207 /*
1208 * this is can be hit on boot when a file is accessed
1209 * before the policy is loaded. When we load policy we
1210 * may find inodes that have no dentry on the
1211 * sbsec->isec_head list. No reason to complain as these
1212 * will get fixed up the next time we go through
1213 * inode_doinit with a dentry, before these inodes could
1214 * be used again by userspace.
1215 */
1216 goto out_unlock;
1217 }
1218
1219 len = INITCONTEXTLEN;
1220 context = kmalloc(len+1, GFP_NOFS);
1221 if (!context) {
1222 rc = -ENOMEM;
1223 dput(dentry);
1224 goto out_unlock;
1225 }
1226 context[len] = '\0';
1227 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1228 context, len);
1229 if (rc == -ERANGE) {
1230 kfree(context);
1231
1232 /* Need a larger buffer. Query for the right size. */
1233 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1234 NULL, 0);
1235 if (rc < 0) {
1236 dput(dentry);
1237 goto out_unlock;
1238 }
1239 len = rc;
1240 context = kmalloc(len+1, GFP_NOFS);
1241 if (!context) {
1242 rc = -ENOMEM;
1243 dput(dentry);
1244 goto out_unlock;
1245 }
1246 context[len] = '\0';
1247 rc = inode->i_op->getxattr(dentry,
1248 XATTR_NAME_SELINUX,
1249 context, len);
1250 }
1251 dput(dentry);
1252 if (rc < 0) {
1253 if (rc != -ENODATA) {
1254 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1255 "%d for dev=%s ino=%ld\n", __func__,
1256 -rc, inode->i_sb->s_id, inode->i_ino);
1257 kfree(context);
1258 goto out_unlock;
1259 }
1260 /* Map ENODATA to the default file SID */
1261 sid = sbsec->def_sid;
1262 rc = 0;
1263 } else {
1264 rc = security_context_to_sid_default(context, rc, &sid,
1265 sbsec->def_sid,
1266 GFP_NOFS);
1267 if (rc) {
1268 char *dev = inode->i_sb->s_id;
1269 unsigned long ino = inode->i_ino;
1270
1271 if (rc == -EINVAL) {
1272 if (printk_ratelimit())
1273 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1274 "context=%s. This indicates you may need to relabel the inode or the "
1275 "filesystem in question.\n", ino, dev, context);
1276 } else {
1277 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1278 "returned %d for dev=%s ino=%ld\n",
1279 __func__, context, -rc, dev, ino);
1280 }
1281 kfree(context);
1282 /* Leave with the unlabeled SID */
1283 rc = 0;
1284 break;
1285 }
1286 }
1287 kfree(context);
1288 isec->sid = sid;
1289 break;
1290 case SECURITY_FS_USE_TASK:
1291 isec->sid = isec->task_sid;
1292 break;
1293 case SECURITY_FS_USE_TRANS:
1294 /* Default to the fs SID. */
1295 isec->sid = sbsec->sid;
1296
1297 /* Try to obtain a transition SID. */
1298 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1299 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1300 isec->sclass, NULL, &sid);
1301 if (rc)
1302 goto out_unlock;
1303 isec->sid = sid;
1304 break;
1305 case SECURITY_FS_USE_MNTPOINT:
1306 isec->sid = sbsec->mntpoint_sid;
1307 break;
1308 default:
1309 /* Default to the fs superblock SID. */
1310 isec->sid = sbsec->sid;
1311
1312 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1313 if (opt_dentry) {
1314 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1315 rc = selinux_proc_get_sid(opt_dentry,
1316 isec->sclass,
1317 &sid);
1318 if (rc)
1319 goto out_unlock;
1320 isec->sid = sid;
1321 }
1322 }
1323 break;
1324 }
1325
1326 isec->initialized = 1;
1327
1328 out_unlock:
1329 mutex_unlock(&isec->lock);
1330 out:
1331 if (isec->sclass == SECCLASS_FILE)
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 return rc;
1334 }
1335
1336 /* Convert a Linux signal to an access vector. */
1337 static inline u32 signal_to_av(int sig)
1338 {
1339 u32 perm = 0;
1340
1341 switch (sig) {
1342 case SIGCHLD:
1343 /* Commonly granted from child to parent. */
1344 perm = PROCESS__SIGCHLD;
1345 break;
1346 case SIGKILL:
1347 /* Cannot be caught or ignored */
1348 perm = PROCESS__SIGKILL;
1349 break;
1350 case SIGSTOP:
1351 /* Cannot be caught or ignored */
1352 perm = PROCESS__SIGSTOP;
1353 break;
1354 default:
1355 /* All other signals. */
1356 perm = PROCESS__SIGNAL;
1357 break;
1358 }
1359
1360 return perm;
1361 }
1362
1363 /*
1364 * Check permission between a pair of credentials
1365 * fork check, ptrace check, etc.
1366 */
1367 static int cred_has_perm(const struct cred *actor,
1368 const struct cred *target,
1369 u32 perms)
1370 {
1371 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1372
1373 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1374 }
1375
1376 /*
1377 * Check permission between a pair of tasks, e.g. signal checks,
1378 * fork check, ptrace check, etc.
1379 * tsk1 is the actor and tsk2 is the target
1380 * - this uses the default subjective creds of tsk1
1381 */
1382 static int task_has_perm(const struct task_struct *tsk1,
1383 const struct task_struct *tsk2,
1384 u32 perms)
1385 {
1386 const struct task_security_struct *__tsec1, *__tsec2;
1387 u32 sid1, sid2;
1388
1389 rcu_read_lock();
1390 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1391 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1392 rcu_read_unlock();
1393 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1394 }
1395
1396 /*
1397 * Check permission between current and another task, e.g. signal checks,
1398 * fork check, ptrace check, etc.
1399 * current is the actor and tsk2 is the target
1400 * - this uses current's subjective creds
1401 */
1402 static int current_has_perm(const struct task_struct *tsk,
1403 u32 perms)
1404 {
1405 u32 sid, tsid;
1406
1407 sid = current_sid();
1408 tsid = task_sid(tsk);
1409 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1410 }
1411
1412 #if CAP_LAST_CAP > 63
1413 #error Fix SELinux to handle capabilities > 63.
1414 #endif
1415
1416 /* Check whether a task is allowed to use a capability. */
1417 static int task_has_capability(struct task_struct *tsk,
1418 const struct cred *cred,
1419 int cap, int audit)
1420 {
1421 struct common_audit_data ad;
1422 struct av_decision avd;
1423 u16 sclass;
1424 u32 sid = cred_sid(cred);
1425 u32 av = CAP_TO_MASK(cap);
1426 int rc;
1427
1428 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1429 ad.tsk = tsk;
1430 ad.u.cap = cap;
1431
1432 switch (CAP_TO_INDEX(cap)) {
1433 case 0:
1434 sclass = SECCLASS_CAPABILITY;
1435 break;
1436 case 1:
1437 sclass = SECCLASS_CAPABILITY2;
1438 break;
1439 default:
1440 printk(KERN_ERR
1441 "SELinux: out of range capability %d\n", cap);
1442 BUG();
1443 return -EINVAL;
1444 }
1445
1446 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1447 if (audit == SECURITY_CAP_AUDIT) {
1448 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1449 if (rc2)
1450 return rc2;
1451 }
1452 return rc;
1453 }
1454
1455 /* Check whether a task is allowed to use a system operation. */
1456 static int task_has_system(struct task_struct *tsk,
1457 u32 perms)
1458 {
1459 u32 sid = task_sid(tsk);
1460
1461 return avc_has_perm(sid, SECINITSID_KERNEL,
1462 SECCLASS_SYSTEM, perms, NULL);
1463 }
1464
1465 /* Check whether a task has a particular permission to an inode.
1466 The 'adp' parameter is optional and allows other audit
1467 data to be passed (e.g. the dentry). */
1468 static int inode_has_perm(const struct cred *cred,
1469 struct inode *inode,
1470 u32 perms,
1471 struct common_audit_data *adp,
1472 unsigned flags)
1473 {
1474 struct inode_security_struct *isec;
1475 u32 sid;
1476
1477 validate_creds(cred);
1478
1479 if (unlikely(IS_PRIVATE(inode)))
1480 return 0;
1481
1482 sid = cred_sid(cred);
1483 isec = inode->i_security;
1484
1485 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1486 }
1487
1488 static int inode_has_perm_noadp(const struct cred *cred,
1489 struct inode *inode,
1490 u32 perms,
1491 unsigned flags)
1492 {
1493 struct common_audit_data ad;
1494
1495 COMMON_AUDIT_DATA_INIT(&ad, INODE);
1496 ad.u.inode = inode;
1497 return inode_has_perm(cred, inode, perms, &ad, flags);
1498 }
1499
1500 /* Same as inode_has_perm, but pass explicit audit data containing
1501 the dentry to help the auditing code to more easily generate the
1502 pathname if needed. */
1503 static inline int dentry_has_perm(const struct cred *cred,
1504 struct dentry *dentry,
1505 u32 av)
1506 {
1507 struct inode *inode = dentry->d_inode;
1508 struct common_audit_data ad;
1509
1510 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1511 ad.u.dentry = dentry;
1512 return inode_has_perm(cred, inode, av, &ad, 0);
1513 }
1514
1515 /* Same as inode_has_perm, but pass explicit audit data containing
1516 the path to help the auditing code to more easily generate the
1517 pathname if needed. */
1518 static inline int path_has_perm(const struct cred *cred,
1519 struct path *path,
1520 u32 av)
1521 {
1522 struct inode *inode = path->dentry->d_inode;
1523 struct common_audit_data ad;
1524
1525 COMMON_AUDIT_DATA_INIT(&ad, PATH);
1526 ad.u.path = *path;
1527 return inode_has_perm(cred, inode, av, &ad, 0);
1528 }
1529
1530 /* Check whether a task can use an open file descriptor to
1531 access an inode in a given way. Check access to the
1532 descriptor itself, and then use dentry_has_perm to
1533 check a particular permission to the file.
1534 Access to the descriptor is implicitly granted if it
1535 has the same SID as the process. If av is zero, then
1536 access to the file is not checked, e.g. for cases
1537 where only the descriptor is affected like seek. */
1538 static int file_has_perm(const struct cred *cred,
1539 struct file *file,
1540 u32 av)
1541 {
1542 struct file_security_struct *fsec = file->f_security;
1543 struct inode *inode = file->f_path.dentry->d_inode;
1544 struct common_audit_data ad;
1545 u32 sid = cred_sid(cred);
1546 int rc;
1547
1548 COMMON_AUDIT_DATA_INIT(&ad, PATH);
1549 ad.u.path = file->f_path;
1550
1551 if (sid != fsec->sid) {
1552 rc = avc_has_perm(sid, fsec->sid,
1553 SECCLASS_FD,
1554 FD__USE,
1555 &ad);
1556 if (rc)
1557 goto out;
1558 }
1559
1560 /* av is zero if only checking access to the descriptor. */
1561 rc = 0;
1562 if (av)
1563 rc = inode_has_perm(cred, inode, av, &ad, 0);
1564
1565 out:
1566 return rc;
1567 }
1568
1569 /* Check whether a task can create a file. */
1570 static int may_create(struct inode *dir,
1571 struct dentry *dentry,
1572 u16 tclass)
1573 {
1574 const struct task_security_struct *tsec = current_security();
1575 struct inode_security_struct *dsec;
1576 struct superblock_security_struct *sbsec;
1577 u32 sid, newsid;
1578 struct common_audit_data ad;
1579 int rc;
1580
1581 dsec = dir->i_security;
1582 sbsec = dir->i_sb->s_security;
1583
1584 sid = tsec->sid;
1585 newsid = tsec->create_sid;
1586
1587 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1588 ad.u.dentry = dentry;
1589
1590 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1591 DIR__ADD_NAME | DIR__SEARCH,
1592 &ad);
1593 if (rc)
1594 return rc;
1595
1596 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1597 rc = security_transition_sid(sid, dsec->sid, tclass,
1598 &dentry->d_name, &newsid);
1599 if (rc)
1600 return rc;
1601 }
1602
1603 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1604 if (rc)
1605 return rc;
1606
1607 return avc_has_perm(newsid, sbsec->sid,
1608 SECCLASS_FILESYSTEM,
1609 FILESYSTEM__ASSOCIATE, &ad);
1610 }
1611
1612 /* Check whether a task can create a key. */
1613 static int may_create_key(u32 ksid,
1614 struct task_struct *ctx)
1615 {
1616 u32 sid = task_sid(ctx);
1617
1618 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1619 }
1620
1621 #define MAY_LINK 0
1622 #define MAY_UNLINK 1
1623 #define MAY_RMDIR 2
1624
1625 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1626 static int may_link(struct inode *dir,
1627 struct dentry *dentry,
1628 int kind)
1629
1630 {
1631 struct inode_security_struct *dsec, *isec;
1632 struct common_audit_data ad;
1633 u32 sid = current_sid();
1634 u32 av;
1635 int rc;
1636
1637 dsec = dir->i_security;
1638 isec = dentry->d_inode->i_security;
1639
1640 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1641 ad.u.dentry = dentry;
1642
1643 av = DIR__SEARCH;
1644 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1645 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1646 if (rc)
1647 return rc;
1648
1649 switch (kind) {
1650 case MAY_LINK:
1651 av = FILE__LINK;
1652 break;
1653 case MAY_UNLINK:
1654 av = FILE__UNLINK;
1655 break;
1656 case MAY_RMDIR:
1657 av = DIR__RMDIR;
1658 break;
1659 default:
1660 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1661 __func__, kind);
1662 return 0;
1663 }
1664
1665 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1666 return rc;
1667 }
1668
1669 static inline int may_rename(struct inode *old_dir,
1670 struct dentry *old_dentry,
1671 struct inode *new_dir,
1672 struct dentry *new_dentry)
1673 {
1674 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1675 struct common_audit_data ad;
1676 u32 sid = current_sid();
1677 u32 av;
1678 int old_is_dir, new_is_dir;
1679 int rc;
1680
1681 old_dsec = old_dir->i_security;
1682 old_isec = old_dentry->d_inode->i_security;
1683 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1684 new_dsec = new_dir->i_security;
1685
1686 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1687
1688 ad.u.dentry = old_dentry;
1689 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1690 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1691 if (rc)
1692 return rc;
1693 rc = avc_has_perm(sid, old_isec->sid,
1694 old_isec->sclass, FILE__RENAME, &ad);
1695 if (rc)
1696 return rc;
1697 if (old_is_dir && new_dir != old_dir) {
1698 rc = avc_has_perm(sid, old_isec->sid,
1699 old_isec->sclass, DIR__REPARENT, &ad);
1700 if (rc)
1701 return rc;
1702 }
1703
1704 ad.u.dentry = new_dentry;
1705 av = DIR__ADD_NAME | DIR__SEARCH;
1706 if (new_dentry->d_inode)
1707 av |= DIR__REMOVE_NAME;
1708 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1709 if (rc)
1710 return rc;
1711 if (new_dentry->d_inode) {
1712 new_isec = new_dentry->d_inode->i_security;
1713 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1714 rc = avc_has_perm(sid, new_isec->sid,
1715 new_isec->sclass,
1716 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1717 if (rc)
1718 return rc;
1719 }
1720
1721 return 0;
1722 }
1723
1724 /* Check whether a task can perform a filesystem operation. */
1725 static int superblock_has_perm(const struct cred *cred,
1726 struct super_block *sb,
1727 u32 perms,
1728 struct common_audit_data *ad)
1729 {
1730 struct superblock_security_struct *sbsec;
1731 u32 sid = cred_sid(cred);
1732
1733 sbsec = sb->s_security;
1734 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1735 }
1736
1737 /* Convert a Linux mode and permission mask to an access vector. */
1738 static inline u32 file_mask_to_av(int mode, int mask)
1739 {
1740 u32 av = 0;
1741
1742 if ((mode & S_IFMT) != S_IFDIR) {
1743 if (mask & MAY_EXEC)
1744 av |= FILE__EXECUTE;
1745 if (mask & MAY_READ)
1746 av |= FILE__READ;
1747
1748 if (mask & MAY_APPEND)
1749 av |= FILE__APPEND;
1750 else if (mask & MAY_WRITE)
1751 av |= FILE__WRITE;
1752
1753 } else {
1754 if (mask & MAY_EXEC)
1755 av |= DIR__SEARCH;
1756 if (mask & MAY_WRITE)
1757 av |= DIR__WRITE;
1758 if (mask & MAY_READ)
1759 av |= DIR__READ;
1760 }
1761
1762 return av;
1763 }
1764
1765 /* Convert a Linux file to an access vector. */
1766 static inline u32 file_to_av(struct file *file)
1767 {
1768 u32 av = 0;
1769
1770 if (file->f_mode & FMODE_READ)
1771 av |= FILE__READ;
1772 if (file->f_mode & FMODE_WRITE) {
1773 if (file->f_flags & O_APPEND)
1774 av |= FILE__APPEND;
1775 else
1776 av |= FILE__WRITE;
1777 }
1778 if (!av) {
1779 /*
1780 * Special file opened with flags 3 for ioctl-only use.
1781 */
1782 av = FILE__IOCTL;
1783 }
1784
1785 return av;
1786 }
1787
1788 /*
1789 * Convert a file to an access vector and include the correct open
1790 * open permission.
1791 */
1792 static inline u32 open_file_to_av(struct file *file)
1793 {
1794 u32 av = file_to_av(file);
1795
1796 if (selinux_policycap_openperm)
1797 av |= FILE__OPEN;
1798
1799 return av;
1800 }
1801
1802 /* Hook functions begin here. */
1803
1804 static int selinux_ptrace_access_check(struct task_struct *child,
1805 unsigned int mode)
1806 {
1807 int rc;
1808
1809 rc = cap_ptrace_access_check(child, mode);
1810 if (rc)
1811 return rc;
1812
1813 if (mode == PTRACE_MODE_READ) {
1814 u32 sid = current_sid();
1815 u32 csid = task_sid(child);
1816 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1817 }
1818
1819 return current_has_perm(child, PROCESS__PTRACE);
1820 }
1821
1822 static int selinux_ptrace_traceme(struct task_struct *parent)
1823 {
1824 int rc;
1825
1826 rc = cap_ptrace_traceme(parent);
1827 if (rc)
1828 return rc;
1829
1830 return task_has_perm(parent, current, PROCESS__PTRACE);
1831 }
1832
1833 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1834 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1835 {
1836 int error;
1837
1838 error = current_has_perm(target, PROCESS__GETCAP);
1839 if (error)
1840 return error;
1841
1842 return cap_capget(target, effective, inheritable, permitted);
1843 }
1844
1845 static int selinux_capset(struct cred *new, const struct cred *old,
1846 const kernel_cap_t *effective,
1847 const kernel_cap_t *inheritable,
1848 const kernel_cap_t *permitted)
1849 {
1850 int error;
1851
1852 error = cap_capset(new, old,
1853 effective, inheritable, permitted);
1854 if (error)
1855 return error;
1856
1857 return cred_has_perm(old, new, PROCESS__SETCAP);
1858 }
1859
1860 /*
1861 * (This comment used to live with the selinux_task_setuid hook,
1862 * which was removed).
1863 *
1864 * Since setuid only affects the current process, and since the SELinux
1865 * controls are not based on the Linux identity attributes, SELinux does not
1866 * need to control this operation. However, SELinux does control the use of
1867 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1868 */
1869
1870 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1871 struct user_namespace *ns, int cap, int audit)
1872 {
1873 int rc;
1874
1875 rc = cap_capable(tsk, cred, ns, cap, audit);
1876 if (rc)
1877 return rc;
1878
1879 return task_has_capability(tsk, cred, cap, audit);
1880 }
1881
1882 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1883 {
1884 const struct cred *cred = current_cred();
1885 int rc = 0;
1886
1887 if (!sb)
1888 return 0;
1889
1890 switch (cmds) {
1891 case Q_SYNC:
1892 case Q_QUOTAON:
1893 case Q_QUOTAOFF:
1894 case Q_SETINFO:
1895 case Q_SETQUOTA:
1896 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1897 break;
1898 case Q_GETFMT:
1899 case Q_GETINFO:
1900 case Q_GETQUOTA:
1901 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1902 break;
1903 default:
1904 rc = 0; /* let the kernel handle invalid cmds */
1905 break;
1906 }
1907 return rc;
1908 }
1909
1910 static int selinux_quota_on(struct dentry *dentry)
1911 {
1912 const struct cred *cred = current_cred();
1913
1914 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1915 }
1916
1917 static int selinux_syslog(int type)
1918 {
1919 int rc;
1920
1921 switch (type) {
1922 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1923 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1924 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1925 break;
1926 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1927 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1928 /* Set level of messages printed to console */
1929 case SYSLOG_ACTION_CONSOLE_LEVEL:
1930 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1931 break;
1932 case SYSLOG_ACTION_CLOSE: /* Close log */
1933 case SYSLOG_ACTION_OPEN: /* Open log */
1934 case SYSLOG_ACTION_READ: /* Read from log */
1935 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1936 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1937 default:
1938 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1939 break;
1940 }
1941 return rc;
1942 }
1943
1944 /*
1945 * Check that a process has enough memory to allocate a new virtual
1946 * mapping. 0 means there is enough memory for the allocation to
1947 * succeed and -ENOMEM implies there is not.
1948 *
1949 * Do not audit the selinux permission check, as this is applied to all
1950 * processes that allocate mappings.
1951 */
1952 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1953 {
1954 int rc, cap_sys_admin = 0;
1955
1956 rc = selinux_capable(current, current_cred(),
1957 &init_user_ns, CAP_SYS_ADMIN,
1958 SECURITY_CAP_NOAUDIT);
1959 if (rc == 0)
1960 cap_sys_admin = 1;
1961
1962 return __vm_enough_memory(mm, pages, cap_sys_admin);
1963 }
1964
1965 /* binprm security operations */
1966
1967 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1968 {
1969 const struct task_security_struct *old_tsec;
1970 struct task_security_struct *new_tsec;
1971 struct inode_security_struct *isec;
1972 struct common_audit_data ad;
1973 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1974 int rc;
1975
1976 rc = cap_bprm_set_creds(bprm);
1977 if (rc)
1978 return rc;
1979
1980 /* SELinux context only depends on initial program or script and not
1981 * the script interpreter */
1982 if (bprm->cred_prepared)
1983 return 0;
1984
1985 old_tsec = current_security();
1986 new_tsec = bprm->cred->security;
1987 isec = inode->i_security;
1988
1989 /* Default to the current task SID. */
1990 new_tsec->sid = old_tsec->sid;
1991 new_tsec->osid = old_tsec->sid;
1992
1993 /* Reset fs, key, and sock SIDs on execve. */
1994 new_tsec->create_sid = 0;
1995 new_tsec->keycreate_sid = 0;
1996 new_tsec->sockcreate_sid = 0;
1997
1998 if (old_tsec->exec_sid) {
1999 new_tsec->sid = old_tsec->exec_sid;
2000 /* Reset exec SID on execve. */
2001 new_tsec->exec_sid = 0;
2002 } else {
2003 /* Check for a default transition on this program. */
2004 rc = security_transition_sid(old_tsec->sid, isec->sid,
2005 SECCLASS_PROCESS, NULL,
2006 &new_tsec->sid);
2007 if (rc)
2008 return rc;
2009 }
2010
2011 COMMON_AUDIT_DATA_INIT(&ad, PATH);
2012 ad.u.path = bprm->file->f_path;
2013
2014 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2015 new_tsec->sid = old_tsec->sid;
2016
2017 if (new_tsec->sid == old_tsec->sid) {
2018 rc = avc_has_perm(old_tsec->sid, isec->sid,
2019 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2020 if (rc)
2021 return rc;
2022 } else {
2023 /* Check permissions for the transition. */
2024 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2025 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2026 if (rc)
2027 return rc;
2028
2029 rc = avc_has_perm(new_tsec->sid, isec->sid,
2030 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2031 if (rc)
2032 return rc;
2033
2034 /* Check for shared state */
2035 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2036 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2037 SECCLASS_PROCESS, PROCESS__SHARE,
2038 NULL);
2039 if (rc)
2040 return -EPERM;
2041 }
2042
2043 /* Make sure that anyone attempting to ptrace over a task that
2044 * changes its SID has the appropriate permit */
2045 if (bprm->unsafe &
2046 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2047 struct task_struct *tracer;
2048 struct task_security_struct *sec;
2049 u32 ptsid = 0;
2050
2051 rcu_read_lock();
2052 tracer = ptrace_parent(current);
2053 if (likely(tracer != NULL)) {
2054 sec = __task_cred(tracer)->security;
2055 ptsid = sec->sid;
2056 }
2057 rcu_read_unlock();
2058
2059 if (ptsid != 0) {
2060 rc = avc_has_perm(ptsid, new_tsec->sid,
2061 SECCLASS_PROCESS,
2062 PROCESS__PTRACE, NULL);
2063 if (rc)
2064 return -EPERM;
2065 }
2066 }
2067
2068 /* Clear any possibly unsafe personality bits on exec: */
2069 bprm->per_clear |= PER_CLEAR_ON_SETID;
2070 }
2071
2072 return 0;
2073 }
2074
2075 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2076 {
2077 const struct task_security_struct *tsec = current_security();
2078 u32 sid, osid;
2079 int atsecure = 0;
2080
2081 sid = tsec->sid;
2082 osid = tsec->osid;
2083
2084 if (osid != sid) {
2085 /* Enable secure mode for SIDs transitions unless
2086 the noatsecure permission is granted between
2087 the two SIDs, i.e. ahp returns 0. */
2088 atsecure = avc_has_perm(osid, sid,
2089 SECCLASS_PROCESS,
2090 PROCESS__NOATSECURE, NULL);
2091 }
2092
2093 return (atsecure || cap_bprm_secureexec(bprm));
2094 }
2095
2096 /* Derived from fs/exec.c:flush_old_files. */
2097 static inline void flush_unauthorized_files(const struct cred *cred,
2098 struct files_struct *files)
2099 {
2100 struct common_audit_data ad;
2101 struct file *file, *devnull = NULL;
2102 struct tty_struct *tty;
2103 struct fdtable *fdt;
2104 long j = -1;
2105 int drop_tty = 0;
2106
2107 tty = get_current_tty();
2108 if (tty) {
2109 spin_lock(&tty_files_lock);
2110 if (!list_empty(&tty->tty_files)) {
2111 struct tty_file_private *file_priv;
2112 struct inode *inode;
2113
2114 /* Revalidate access to controlling tty.
2115 Use inode_has_perm on the tty inode directly rather
2116 than using file_has_perm, as this particular open
2117 file may belong to another process and we are only
2118 interested in the inode-based check here. */
2119 file_priv = list_first_entry(&tty->tty_files,
2120 struct tty_file_private, list);
2121 file = file_priv->file;
2122 inode = file->f_path.dentry->d_inode;
2123 if (inode_has_perm_noadp(cred, inode,
2124 FILE__READ | FILE__WRITE, 0)) {
2125 drop_tty = 1;
2126 }
2127 }
2128 spin_unlock(&tty_files_lock);
2129 tty_kref_put(tty);
2130 }
2131 /* Reset controlling tty. */
2132 if (drop_tty)
2133 no_tty();
2134
2135 /* Revalidate access to inherited open files. */
2136
2137 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2138
2139 spin_lock(&files->file_lock);
2140 for (;;) {
2141 unsigned long set, i;
2142 int fd;
2143
2144 j++;
2145 i = j * __NFDBITS;
2146 fdt = files_fdtable(files);
2147 if (i >= fdt->max_fds)
2148 break;
2149 set = fdt->open_fds->fds_bits[j];
2150 if (!set)
2151 continue;
2152 spin_unlock(&files->file_lock);
2153 for ( ; set ; i++, set >>= 1) {
2154 if (set & 1) {
2155 file = fget(i);
2156 if (!file)
2157 continue;
2158 if (file_has_perm(cred,
2159 file,
2160 file_to_av(file))) {
2161 sys_close(i);
2162 fd = get_unused_fd();
2163 if (fd != i) {
2164 if (fd >= 0)
2165 put_unused_fd(fd);
2166 fput(file);
2167 continue;
2168 }
2169 if (devnull) {
2170 get_file(devnull);
2171 } else {
2172 devnull = dentry_open(
2173 dget(selinux_null),
2174 mntget(selinuxfs_mount),
2175 O_RDWR, cred);
2176 if (IS_ERR(devnull)) {
2177 devnull = NULL;
2178 put_unused_fd(fd);
2179 fput(file);
2180 continue;
2181 }
2182 }
2183 fd_install(fd, devnull);
2184 }
2185 fput(file);
2186 }
2187 }
2188 spin_lock(&files->file_lock);
2189
2190 }
2191 spin_unlock(&files->file_lock);
2192 }
2193
2194 /*
2195 * Prepare a process for imminent new credential changes due to exec
2196 */
2197 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2198 {
2199 struct task_security_struct *new_tsec;
2200 struct rlimit *rlim, *initrlim;
2201 int rc, i;
2202
2203 new_tsec = bprm->cred->security;
2204 if (new_tsec->sid == new_tsec->osid)
2205 return;
2206
2207 /* Close files for which the new task SID is not authorized. */
2208 flush_unauthorized_files(bprm->cred, current->files);
2209
2210 /* Always clear parent death signal on SID transitions. */
2211 current->pdeath_signal = 0;
2212
2213 /* Check whether the new SID can inherit resource limits from the old
2214 * SID. If not, reset all soft limits to the lower of the current
2215 * task's hard limit and the init task's soft limit.
2216 *
2217 * Note that the setting of hard limits (even to lower them) can be
2218 * controlled by the setrlimit check. The inclusion of the init task's
2219 * soft limit into the computation is to avoid resetting soft limits
2220 * higher than the default soft limit for cases where the default is
2221 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2222 */
2223 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2224 PROCESS__RLIMITINH, NULL);
2225 if (rc) {
2226 /* protect against do_prlimit() */
2227 task_lock(current);
2228 for (i = 0; i < RLIM_NLIMITS; i++) {
2229 rlim = current->signal->rlim + i;
2230 initrlim = init_task.signal->rlim + i;
2231 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2232 }
2233 task_unlock(current);
2234 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2235 }
2236 }
2237
2238 /*
2239 * Clean up the process immediately after the installation of new credentials
2240 * due to exec
2241 */
2242 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2243 {
2244 const struct task_security_struct *tsec = current_security();
2245 struct itimerval itimer;
2246 u32 osid, sid;
2247 int rc, i;
2248
2249 osid = tsec->osid;
2250 sid = tsec->sid;
2251
2252 if (sid == osid)
2253 return;
2254
2255 /* Check whether the new SID can inherit signal state from the old SID.
2256 * If not, clear itimers to avoid subsequent signal generation and
2257 * flush and unblock signals.
2258 *
2259 * This must occur _after_ the task SID has been updated so that any
2260 * kill done after the flush will be checked against the new SID.
2261 */
2262 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2263 if (rc) {
2264 memset(&itimer, 0, sizeof itimer);
2265 for (i = 0; i < 3; i++)
2266 do_setitimer(i, &itimer, NULL);
2267 spin_lock_irq(&current->sighand->siglock);
2268 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2269 __flush_signals(current);
2270 flush_signal_handlers(current, 1);
2271 sigemptyset(&current->blocked);
2272 }
2273 spin_unlock_irq(&current->sighand->siglock);
2274 }
2275
2276 /* Wake up the parent if it is waiting so that it can recheck
2277 * wait permission to the new task SID. */
2278 read_lock(&tasklist_lock);
2279 __wake_up_parent(current, current->real_parent);
2280 read_unlock(&tasklist_lock);
2281 }
2282
2283 /* superblock security operations */
2284
2285 static int selinux_sb_alloc_security(struct super_block *sb)
2286 {
2287 return superblock_alloc_security(sb);
2288 }
2289
2290 static void selinux_sb_free_security(struct super_block *sb)
2291 {
2292 superblock_free_security(sb);
2293 }
2294
2295 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2296 {
2297 if (plen > olen)
2298 return 0;
2299
2300 return !memcmp(prefix, option, plen);
2301 }
2302
2303 static inline int selinux_option(char *option, int len)
2304 {
2305 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2306 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2307 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2308 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2309 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2310 }
2311
2312 static inline void take_option(char **to, char *from, int *first, int len)
2313 {
2314 if (!*first) {
2315 **to = ',';
2316 *to += 1;
2317 } else
2318 *first = 0;
2319 memcpy(*to, from, len);
2320 *to += len;
2321 }
2322
2323 static inline void take_selinux_option(char **to, char *from, int *first,
2324 int len)
2325 {
2326 int current_size = 0;
2327
2328 if (!*first) {
2329 **to = '|';
2330 *to += 1;
2331 } else
2332 *first = 0;
2333
2334 while (current_size < len) {
2335 if (*from != '"') {
2336 **to = *from;
2337 *to += 1;
2338 }
2339 from += 1;
2340 current_size += 1;
2341 }
2342 }
2343
2344 static int selinux_sb_copy_data(char *orig, char *copy)
2345 {
2346 int fnosec, fsec, rc = 0;
2347 char *in_save, *in_curr, *in_end;
2348 char *sec_curr, *nosec_save, *nosec;
2349 int open_quote = 0;
2350
2351 in_curr = orig;
2352 sec_curr = copy;
2353
2354 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2355 if (!nosec) {
2356 rc = -ENOMEM;
2357 goto out;
2358 }
2359
2360 nosec_save = nosec;
2361 fnosec = fsec = 1;
2362 in_save = in_end = orig;
2363
2364 do {
2365 if (*in_end == '"')
2366 open_quote = !open_quote;
2367 if ((*in_end == ',' && open_quote == 0) ||
2368 *in_end == '\0') {
2369 int len = in_end - in_curr;
2370
2371 if (selinux_option(in_curr, len))
2372 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2373 else
2374 take_option(&nosec, in_curr, &fnosec, len);
2375
2376 in_curr = in_end + 1;
2377 }
2378 } while (*in_end++);
2379
2380 strcpy(in_save, nosec_save);
2381 free_page((unsigned long)nosec_save);
2382 out:
2383 return rc;
2384 }
2385
2386 static int selinux_sb_remount(struct super_block *sb, void *data)
2387 {
2388 int rc, i, *flags;
2389 struct security_mnt_opts opts;
2390 char *secdata, **mount_options;
2391 struct superblock_security_struct *sbsec = sb->s_security;
2392
2393 if (!(sbsec->flags & SE_SBINITIALIZED))
2394 return 0;
2395
2396 if (!data)
2397 return 0;
2398
2399 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2400 return 0;
2401
2402 security_init_mnt_opts(&opts);
2403 secdata = alloc_secdata();
2404 if (!secdata)
2405 return -ENOMEM;
2406 rc = selinux_sb_copy_data(data, secdata);
2407 if (rc)
2408 goto out_free_secdata;
2409
2410 rc = selinux_parse_opts_str(secdata, &opts);
2411 if (rc)
2412 goto out_free_secdata;
2413
2414 mount_options = opts.mnt_opts;
2415 flags = opts.mnt_opts_flags;
2416
2417 for (i = 0; i < opts.num_mnt_opts; i++) {
2418 u32 sid;
2419 size_t len;
2420
2421 if (flags[i] == SE_SBLABELSUPP)
2422 continue;
2423 len = strlen(mount_options[i]);
2424 rc = security_context_to_sid(mount_options[i], len, &sid);
2425 if (rc) {
2426 printk(KERN_WARNING "SELinux: security_context_to_sid"
2427 "(%s) failed for (dev %s, type %s) errno=%d\n",
2428 mount_options[i], sb->s_id, sb->s_type->name, rc);
2429 goto out_free_opts;
2430 }
2431 rc = -EINVAL;
2432 switch (flags[i]) {
2433 case FSCONTEXT_MNT:
2434 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2435 goto out_bad_option;
2436 break;
2437 case CONTEXT_MNT:
2438 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2439 goto out_bad_option;
2440 break;
2441 case ROOTCONTEXT_MNT: {
2442 struct inode_security_struct *root_isec;
2443 root_isec = sb->s_root->d_inode->i_security;
2444
2445 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2446 goto out_bad_option;
2447 break;
2448 }
2449 case DEFCONTEXT_MNT:
2450 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2451 goto out_bad_option;
2452 break;
2453 default:
2454 goto out_free_opts;
2455 }
2456 }
2457
2458 rc = 0;
2459 out_free_opts:
2460 security_free_mnt_opts(&opts);
2461 out_free_secdata:
2462 free_secdata(secdata);
2463 return rc;
2464 out_bad_option:
2465 printk(KERN_WARNING "SELinux: unable to change security options "
2466 "during remount (dev %s, type=%s)\n", sb->s_id,
2467 sb->s_type->name);
2468 goto out_free_opts;
2469 }
2470
2471 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2472 {
2473 const struct cred *cred = current_cred();
2474 struct common_audit_data ad;
2475 int rc;
2476
2477 rc = superblock_doinit(sb, data);
2478 if (rc)
2479 return rc;
2480
2481 /* Allow all mounts performed by the kernel */
2482 if (flags & MS_KERNMOUNT)
2483 return 0;
2484
2485 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2486 ad.u.dentry = sb->s_root;
2487 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2488 }
2489
2490 static int selinux_sb_statfs(struct dentry *dentry)
2491 {
2492 const struct cred *cred = current_cred();
2493 struct common_audit_data ad;
2494
2495 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2496 ad.u.dentry = dentry->d_sb->s_root;
2497 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2498 }
2499
2500 static int selinux_mount(char *dev_name,
2501 struct path *path,
2502 char *type,
2503 unsigned long flags,
2504 void *data)
2505 {
2506 const struct cred *cred = current_cred();
2507
2508 if (flags & MS_REMOUNT)
2509 return superblock_has_perm(cred, path->mnt->mnt_sb,
2510 FILESYSTEM__REMOUNT, NULL);
2511 else
2512 return path_has_perm(cred, path, FILE__MOUNTON);
2513 }
2514
2515 static int selinux_umount(struct vfsmount *mnt, int flags)
2516 {
2517 const struct cred *cred = current_cred();
2518
2519 return superblock_has_perm(cred, mnt->mnt_sb,
2520 FILESYSTEM__UNMOUNT, NULL);
2521 }
2522
2523 /* inode security operations */
2524
2525 static int selinux_inode_alloc_security(struct inode *inode)
2526 {
2527 return inode_alloc_security(inode);
2528 }
2529
2530 static void selinux_inode_free_security(struct inode *inode)
2531 {
2532 inode_free_security(inode);
2533 }
2534
2535 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2536 const struct qstr *qstr, char **name,
2537 void **value, size_t *len)
2538 {
2539 const struct task_security_struct *tsec = current_security();
2540 struct inode_security_struct *dsec;
2541 struct superblock_security_struct *sbsec;
2542 u32 sid, newsid, clen;
2543 int rc;
2544 char *namep = NULL, *context;
2545
2546 dsec = dir->i_security;
2547 sbsec = dir->i_sb->s_security;
2548
2549 sid = tsec->sid;
2550 newsid = tsec->create_sid;
2551
2552 if ((sbsec->flags & SE_SBINITIALIZED) &&
2553 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2554 newsid = sbsec->mntpoint_sid;
2555 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2556 rc = security_transition_sid(sid, dsec->sid,
2557 inode_mode_to_security_class(inode->i_mode),
2558 qstr, &newsid);
2559 if (rc) {
2560 printk(KERN_WARNING "%s: "
2561 "security_transition_sid failed, rc=%d (dev=%s "
2562 "ino=%ld)\n",
2563 __func__,
2564 -rc, inode->i_sb->s_id, inode->i_ino);
2565 return rc;
2566 }
2567 }
2568
2569 /* Possibly defer initialization to selinux_complete_init. */
2570 if (sbsec->flags & SE_SBINITIALIZED) {
2571 struct inode_security_struct *isec = inode->i_security;
2572 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2573 isec->sid = newsid;
2574 isec->initialized = 1;
2575 }
2576
2577 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2578 return -EOPNOTSUPP;
2579
2580 if (name) {
2581 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2582 if (!namep)
2583 return -ENOMEM;
2584 *name = namep;
2585 }
2586
2587 if (value && len) {
2588 rc = security_sid_to_context_force(newsid, &context, &clen);
2589 if (rc) {
2590 kfree(namep);
2591 return rc;
2592 }
2593 *value = context;
2594 *len = clen;
2595 }
2596
2597 return 0;
2598 }
2599
2600 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2601 {
2602 return may_create(dir, dentry, SECCLASS_FILE);
2603 }
2604
2605 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2606 {
2607 return may_link(dir, old_dentry, MAY_LINK);
2608 }
2609
2610 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2611 {
2612 return may_link(dir, dentry, MAY_UNLINK);
2613 }
2614
2615 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2616 {
2617 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2618 }
2619
2620 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2621 {
2622 return may_create(dir, dentry, SECCLASS_DIR);
2623 }
2624
2625 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2626 {
2627 return may_link(dir, dentry, MAY_RMDIR);
2628 }
2629
2630 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2631 {
2632 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2633 }
2634
2635 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2636 struct inode *new_inode, struct dentry *new_dentry)
2637 {
2638 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2639 }
2640
2641 static int selinux_inode_readlink(struct dentry *dentry)
2642 {
2643 const struct cred *cred = current_cred();
2644
2645 return dentry_has_perm(cred, dentry, FILE__READ);
2646 }
2647
2648 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2649 {
2650 const struct cred *cred = current_cred();
2651
2652 return dentry_has_perm(cred, dentry, FILE__READ);
2653 }
2654
2655 static int selinux_inode_permission(struct inode *inode, int mask)
2656 {
2657 const struct cred *cred = current_cred();
2658 struct common_audit_data ad;
2659 u32 perms;
2660 bool from_access;
2661 unsigned flags = mask & MAY_NOT_BLOCK;
2662
2663 from_access = mask & MAY_ACCESS;
2664 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2665
2666 /* No permission to check. Existence test. */
2667 if (!mask)
2668 return 0;
2669
2670 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2671 ad.u.inode = inode;
2672
2673 if (from_access)
2674 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2675
2676 perms = file_mask_to_av(inode->i_mode, mask);
2677
2678 return inode_has_perm(cred, inode, perms, &ad, flags);
2679 }
2680
2681 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2682 {
2683 const struct cred *cred = current_cred();
2684 unsigned int ia_valid = iattr->ia_valid;
2685
2686 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2687 if (ia_valid & ATTR_FORCE) {
2688 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2689 ATTR_FORCE);
2690 if (!ia_valid)
2691 return 0;
2692 }
2693
2694 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2695 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2696 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2697
2698 return dentry_has_perm(cred, dentry, FILE__WRITE);
2699 }
2700
2701 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2702 {
2703 const struct cred *cred = current_cred();
2704 struct path path;
2705
2706 path.dentry = dentry;
2707 path.mnt = mnt;
2708
2709 return path_has_perm(cred, &path, FILE__GETATTR);
2710 }
2711
2712 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2713 {
2714 const struct cred *cred = current_cred();
2715
2716 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2717 sizeof XATTR_SECURITY_PREFIX - 1)) {
2718 if (!strcmp(name, XATTR_NAME_CAPS)) {
2719 if (!capable(CAP_SETFCAP))
2720 return -EPERM;
2721 } else if (!capable(CAP_SYS_ADMIN)) {
2722 /* A different attribute in the security namespace.
2723 Restrict to administrator. */
2724 return -EPERM;
2725 }
2726 }
2727
2728 /* Not an attribute we recognize, so just check the
2729 ordinary setattr permission. */
2730 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2731 }
2732
2733 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2734 const void *value, size_t size, int flags)
2735 {
2736 struct inode *inode = dentry->d_inode;
2737 struct inode_security_struct *isec = inode->i_security;
2738 struct superblock_security_struct *sbsec;
2739 struct common_audit_data ad;
2740 u32 newsid, sid = current_sid();
2741 int rc = 0;
2742
2743 if (strcmp(name, XATTR_NAME_SELINUX))
2744 return selinux_inode_setotherxattr(dentry, name);
2745
2746 sbsec = inode->i_sb->s_security;
2747 if (!(sbsec->flags & SE_SBLABELSUPP))
2748 return -EOPNOTSUPP;
2749
2750 if (!inode_owner_or_capable(inode))
2751 return -EPERM;
2752
2753 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2754 ad.u.dentry = dentry;
2755
2756 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2757 FILE__RELABELFROM, &ad);
2758 if (rc)
2759 return rc;
2760
2761 rc = security_context_to_sid(value, size, &newsid);
2762 if (rc == -EINVAL) {
2763 if (!capable(CAP_MAC_ADMIN))
2764 return rc;
2765 rc = security_context_to_sid_force(value, size, &newsid);
2766 }
2767 if (rc)
2768 return rc;
2769
2770 rc = avc_has_perm(sid, newsid, isec->sclass,
2771 FILE__RELABELTO, &ad);
2772 if (rc)
2773 return rc;
2774
2775 rc = security_validate_transition(isec->sid, newsid, sid,
2776 isec->sclass);
2777 if (rc)
2778 return rc;
2779
2780 return avc_has_perm(newsid,
2781 sbsec->sid,
2782 SECCLASS_FILESYSTEM,
2783 FILESYSTEM__ASSOCIATE,
2784 &ad);
2785 }
2786
2787 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2788 const void *value, size_t size,
2789 int flags)
2790 {
2791 struct inode *inode = dentry->d_inode;
2792 struct inode_security_struct *isec = inode->i_security;
2793 u32 newsid;
2794 int rc;
2795
2796 if (strcmp(name, XATTR_NAME_SELINUX)) {
2797 /* Not an attribute we recognize, so nothing to do. */
2798 return;
2799 }
2800
2801 rc = security_context_to_sid_force(value, size, &newsid);
2802 if (rc) {
2803 printk(KERN_ERR "SELinux: unable to map context to SID"
2804 "for (%s, %lu), rc=%d\n",
2805 inode->i_sb->s_id, inode->i_ino, -rc);
2806 return;
2807 }
2808
2809 isec->sid = newsid;
2810 return;
2811 }
2812
2813 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2814 {
2815 const struct cred *cred = current_cred();
2816
2817 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2818 }
2819
2820 static int selinux_inode_listxattr(struct dentry *dentry)
2821 {
2822 const struct cred *cred = current_cred();
2823
2824 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2825 }
2826
2827 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2828 {
2829 if (strcmp(name, XATTR_NAME_SELINUX))
2830 return selinux_inode_setotherxattr(dentry, name);
2831
2832 /* No one is allowed to remove a SELinux security label.
2833 You can change the label, but all data must be labeled. */
2834 return -EACCES;
2835 }
2836
2837 /*
2838 * Copy the inode security context value to the user.
2839 *
2840 * Permission check is handled by selinux_inode_getxattr hook.
2841 */
2842 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2843 {
2844 u32 size;
2845 int error;
2846 char *context = NULL;
2847 struct inode_security_struct *isec = inode->i_security;
2848
2849 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2850 return -EOPNOTSUPP;
2851
2852 /*
2853 * If the caller has CAP_MAC_ADMIN, then get the raw context
2854 * value even if it is not defined by current policy; otherwise,
2855 * use the in-core value under current policy.
2856 * Use the non-auditing forms of the permission checks since
2857 * getxattr may be called by unprivileged processes commonly
2858 * and lack of permission just means that we fall back to the
2859 * in-core context value, not a denial.
2860 */
2861 error = selinux_capable(current, current_cred(),
2862 &init_user_ns, CAP_MAC_ADMIN,
2863 SECURITY_CAP_NOAUDIT);
2864 if (!error)
2865 error = security_sid_to_context_force(isec->sid, &context,
2866 &size);
2867 else
2868 error = security_sid_to_context(isec->sid, &context, &size);
2869 if (error)
2870 return error;
2871 error = size;
2872 if (alloc) {
2873 *buffer = context;
2874 goto out_nofree;
2875 }
2876 kfree(context);
2877 out_nofree:
2878 return error;
2879 }
2880
2881 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2882 const void *value, size_t size, int flags)
2883 {
2884 struct inode_security_struct *isec = inode->i_security;
2885 u32 newsid;
2886 int rc;
2887
2888 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2889 return -EOPNOTSUPP;
2890
2891 if (!value || !size)
2892 return -EACCES;
2893
2894 rc = security_context_to_sid((void *)value, size, &newsid);
2895 if (rc)
2896 return rc;
2897
2898 isec->sid = newsid;
2899 isec->initialized = 1;
2900 return 0;
2901 }
2902
2903 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2904 {
2905 const int len = sizeof(XATTR_NAME_SELINUX);
2906 if (buffer && len <= buffer_size)
2907 memcpy(buffer, XATTR_NAME_SELINUX, len);
2908 return len;
2909 }
2910
2911 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2912 {
2913 struct inode_security_struct *isec = inode->i_security;
2914 *secid = isec->sid;
2915 }
2916
2917 /* file security operations */
2918
2919 static int selinux_revalidate_file_permission(struct file *file, int mask)
2920 {
2921 const struct cred *cred = current_cred();
2922 struct inode *inode = file->f_path.dentry->d_inode;
2923
2924 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2925 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2926 mask |= MAY_APPEND;
2927
2928 return file_has_perm(cred, file,
2929 file_mask_to_av(inode->i_mode, mask));
2930 }
2931
2932 static int selinux_file_permission(struct file *file, int mask)
2933 {
2934 struct inode *inode = file->f_path.dentry->d_inode;
2935 struct file_security_struct *fsec = file->f_security;
2936 struct inode_security_struct *isec = inode->i_security;
2937 u32 sid = current_sid();
2938
2939 if (!mask)
2940 /* No permission to check. Existence test. */
2941 return 0;
2942
2943 if (sid == fsec->sid && fsec->isid == isec->sid &&
2944 fsec->pseqno == avc_policy_seqno())
2945 /* No change since dentry_open check. */
2946 return 0;
2947
2948 return selinux_revalidate_file_permission(file, mask);
2949 }
2950
2951 static int selinux_file_alloc_security(struct file *file)
2952 {
2953 return file_alloc_security(file);
2954 }
2955
2956 static void selinux_file_free_security(struct file *file)
2957 {
2958 file_free_security(file);
2959 }
2960
2961 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2962 unsigned long arg)
2963 {
2964 const struct cred *cred = current_cred();
2965 int error = 0;
2966
2967 switch (cmd) {
2968 case FIONREAD:
2969 /* fall through */
2970 case FIBMAP:
2971 /* fall through */
2972 case FIGETBSZ:
2973 /* fall through */
2974 case EXT2_IOC_GETFLAGS:
2975 /* fall through */
2976 case EXT2_IOC_GETVERSION:
2977 error = file_has_perm(cred, file, FILE__GETATTR);
2978 break;
2979
2980 case EXT2_IOC_SETFLAGS:
2981 /* fall through */
2982 case EXT2_IOC_SETVERSION:
2983 error = file_has_perm(cred, file, FILE__SETATTR);
2984 break;
2985
2986 /* sys_ioctl() checks */
2987 case FIONBIO:
2988 /* fall through */
2989 case FIOASYNC:
2990 error = file_has_perm(cred, file, 0);
2991 break;
2992
2993 case KDSKBENT:
2994 case KDSKBSENT:
2995 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2996 SECURITY_CAP_AUDIT);
2997 break;
2998
2999 /* default case assumes that the command will go
3000 * to the file's ioctl() function.
3001 */
3002 default:
3003 error = file_has_perm(cred, file, FILE__IOCTL);
3004 }
3005 return error;
3006 }
3007
3008 static int default_noexec;
3009
3010 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3011 {
3012 const struct cred *cred = current_cred();
3013 int rc = 0;
3014
3015 if (default_noexec &&
3016 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3017 /*
3018 * We are making executable an anonymous mapping or a
3019 * private file mapping that will also be writable.
3020 * This has an additional check.
3021 */
3022 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3023 if (rc)
3024 goto error;
3025 }
3026
3027 if (file) {
3028 /* read access is always possible with a mapping */
3029 u32 av = FILE__READ;
3030
3031 /* write access only matters if the mapping is shared */
3032 if (shared && (prot & PROT_WRITE))
3033 av |= FILE__WRITE;
3034
3035 if (prot & PROT_EXEC)
3036 av |= FILE__EXECUTE;
3037
3038 return file_has_perm(cred, file, av);
3039 }
3040
3041 error:
3042 return rc;
3043 }
3044
3045 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3046 unsigned long prot, unsigned long flags,
3047 unsigned long addr, unsigned long addr_only)
3048 {
3049 int rc = 0;
3050 u32 sid = current_sid();
3051
3052 /*
3053 * notice that we are intentionally putting the SELinux check before
3054 * the secondary cap_file_mmap check. This is such a likely attempt
3055 * at bad behaviour/exploit that we always want to get the AVC, even
3056 * if DAC would have also denied the operation.
3057 */
3058 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3059 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3060 MEMPROTECT__MMAP_ZERO, NULL);
3061 if (rc)
3062 return rc;
3063 }
3064
3065 /* do DAC check on address space usage */
3066 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3067 if (rc || addr_only)
3068 return rc;
3069
3070 if (selinux_checkreqprot)
3071 prot = reqprot;
3072
3073 return file_map_prot_check(file, prot,
3074 (flags & MAP_TYPE) == MAP_SHARED);
3075 }
3076
3077 static int selinux_file_mprotect(struct vm_area_struct *vma,
3078 unsigned long reqprot,
3079 unsigned long prot)
3080 {
3081 const struct cred *cred = current_cred();
3082
3083 if (selinux_checkreqprot)
3084 prot = reqprot;
3085
3086 if (default_noexec &&
3087 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3088 int rc = 0;
3089 if (vma->vm_start >= vma->vm_mm->start_brk &&
3090 vma->vm_end <= vma->vm_mm->brk) {
3091 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3092 } else if (!vma->vm_file &&
3093 vma->vm_start <= vma->vm_mm->start_stack &&
3094 vma->vm_end >= vma->vm_mm->start_stack) {
3095 rc = current_has_perm(current, PROCESS__EXECSTACK);
3096 } else if (vma->vm_file && vma->anon_vma) {
3097 /*
3098 * We are making executable a file mapping that has
3099 * had some COW done. Since pages might have been
3100 * written, check ability to execute the possibly
3101 * modified content. This typically should only
3102 * occur for text relocations.
3103 */
3104 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3105 }
3106 if (rc)
3107 return rc;
3108 }
3109
3110 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3111 }
3112
3113 static int selinux_file_lock(struct file *file, unsigned int cmd)
3114 {
3115 const struct cred *cred = current_cred();
3116
3117 return file_has_perm(cred, file, FILE__LOCK);
3118 }
3119
3120 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3121 unsigned long arg)
3122 {
3123 const struct cred *cred = current_cred();
3124 int err = 0;
3125
3126 switch (cmd) {
3127 case F_SETFL:
3128 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3129 err = -EINVAL;
3130 break;
3131 }
3132
3133 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3134 err = file_has_perm(cred, file, FILE__WRITE);
3135 break;
3136 }
3137 /* fall through */
3138 case F_SETOWN:
3139 case F_SETSIG:
3140 case F_GETFL:
3141 case F_GETOWN:
3142 case F_GETSIG:
3143 /* Just check FD__USE permission */
3144 err = file_has_perm(cred, file, 0);
3145 break;
3146 case F_GETLK:
3147 case F_SETLK:
3148 case F_SETLKW:
3149 #if BITS_PER_LONG == 32
3150 case F_GETLK64:
3151 case F_SETLK64:
3152 case F_SETLKW64:
3153 #endif
3154 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3155 err = -EINVAL;
3156 break;
3157 }
3158 err = file_has_perm(cred, file, FILE__LOCK);
3159 break;
3160 }
3161
3162 return err;
3163 }
3164
3165 static int selinux_file_set_fowner(struct file *file)
3166 {
3167 struct file_security_struct *fsec;
3168
3169 fsec = file->f_security;
3170 fsec->fown_sid = current_sid();
3171
3172 return 0;
3173 }
3174
3175 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3176 struct fown_struct *fown, int signum)
3177 {
3178 struct file *file;
3179 u32 sid = task_sid(tsk);
3180 u32 perm;
3181 struct file_security_struct *fsec;
3182
3183 /* struct fown_struct is never outside the context of a struct file */
3184 file = container_of(fown, struct file, f_owner);
3185
3186 fsec = file->f_security;
3187
3188 if (!signum)
3189 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3190 else
3191 perm = signal_to_av(signum);
3192
3193 return avc_has_perm(fsec->fown_sid, sid,
3194 SECCLASS_PROCESS, perm, NULL);
3195 }
3196
3197 static int selinux_file_receive(struct file *file)
3198 {
3199 const struct cred *cred = current_cred();
3200
3201 return file_has_perm(cred, file, file_to_av(file));
3202 }
3203
3204 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3205 {
3206 struct file_security_struct *fsec;
3207 struct inode *inode;
3208 struct inode_security_struct *isec;
3209
3210 inode = file->f_path.dentry->d_inode;
3211 fsec = file->f_security;
3212 isec = inode->i_security;
3213 /*
3214 * Save inode label and policy sequence number
3215 * at open-time so that selinux_file_permission
3216 * can determine whether revalidation is necessary.
3217 * Task label is already saved in the file security
3218 * struct as its SID.
3219 */
3220 fsec->isid = isec->sid;
3221 fsec->pseqno = avc_policy_seqno();
3222 /*
3223 * Since the inode label or policy seqno may have changed
3224 * between the selinux_inode_permission check and the saving
3225 * of state above, recheck that access is still permitted.
3226 * Otherwise, access might never be revalidated against the
3227 * new inode label or new policy.
3228 * This check is not redundant - do not remove.
3229 */
3230 return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3231 }
3232
3233 /* task security operations */
3234
3235 static int selinux_task_create(unsigned long clone_flags)
3236 {
3237 return current_has_perm(current, PROCESS__FORK);
3238 }
3239
3240 /*
3241 * allocate the SELinux part of blank credentials
3242 */
3243 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3244 {
3245 struct task_security_struct *tsec;
3246
3247 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3248 if (!tsec)
3249 return -ENOMEM;
3250
3251 cred->security = tsec;
3252 return 0;
3253 }
3254
3255 /*
3256 * detach and free the LSM part of a set of credentials
3257 */
3258 static void selinux_cred_free(struct cred *cred)
3259 {
3260 struct task_security_struct *tsec = cred->security;
3261
3262 /*
3263 * cred->security == NULL if security_cred_alloc_blank() or
3264 * security_prepare_creds() returned an error.
3265 */
3266 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3267 cred->security = (void *) 0x7UL;
3268 kfree(tsec);
3269 }
3270
3271 /*
3272 * prepare a new set of credentials for modification
3273 */
3274 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3275 gfp_t gfp)
3276 {
3277 const struct task_security_struct *old_tsec;
3278 struct task_security_struct *tsec;
3279
3280 old_tsec = old->security;
3281
3282 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3283 if (!tsec)
3284 return -ENOMEM;
3285
3286 new->security = tsec;
3287 return 0;
3288 }
3289
3290 /*
3291 * transfer the SELinux data to a blank set of creds
3292 */
3293 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3294 {
3295 const struct task_security_struct *old_tsec = old->security;
3296 struct task_security_struct *tsec = new->security;
3297
3298 *tsec = *old_tsec;
3299 }
3300
3301 /*
3302 * set the security data for a kernel service
3303 * - all the creation contexts are set to unlabelled
3304 */
3305 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3306 {
3307 struct task_security_struct *tsec = new->security;
3308 u32 sid = current_sid();
3309 int ret;
3310
3311 ret = avc_has_perm(sid, secid,
3312 SECCLASS_KERNEL_SERVICE,
3313 KERNEL_SERVICE__USE_AS_OVERRIDE,
3314 NULL);
3315 if (ret == 0) {
3316 tsec->sid = secid;
3317 tsec->create_sid = 0;
3318 tsec->keycreate_sid = 0;
3319 tsec->sockcreate_sid = 0;
3320 }
3321 return ret;
3322 }
3323
3324 /*
3325 * set the file creation context in a security record to the same as the
3326 * objective context of the specified inode
3327 */
3328 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3329 {
3330 struct inode_security_struct *isec = inode->i_security;
3331 struct task_security_struct *tsec = new->security;
3332 u32 sid = current_sid();
3333 int ret;
3334
3335 ret = avc_has_perm(sid, isec->sid,
3336 SECCLASS_KERNEL_SERVICE,
3337 KERNEL_SERVICE__CREATE_FILES_AS,
3338 NULL);
3339
3340 if (ret == 0)
3341 tsec->create_sid = isec->sid;
3342 return ret;
3343 }
3344
3345 static int selinux_kernel_module_request(char *kmod_name)
3346 {
3347 u32 sid;
3348 struct common_audit_data ad;
3349
3350 sid = task_sid(current);
3351
3352 COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3353 ad.u.kmod_name = kmod_name;
3354
3355 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3356 SYSTEM__MODULE_REQUEST, &ad);
3357 }
3358
3359 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3360 {
3361 return current_has_perm(p, PROCESS__SETPGID);
3362 }
3363
3364 static int selinux_task_getpgid(struct task_struct *p)
3365 {
3366 return current_has_perm(p, PROCESS__GETPGID);
3367 }
3368
3369 static int selinux_task_getsid(struct task_struct *p)
3370 {
3371 return current_has_perm(p, PROCESS__GETSESSION);
3372 }
3373
3374 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3375 {
3376 *secid = task_sid(p);
3377 }
3378
3379 static int selinux_task_setnice(struct task_struct *p, int nice)
3380 {
3381 int rc;
3382
3383 rc = cap_task_setnice(p, nice);
3384 if (rc)
3385 return rc;
3386
3387 return current_has_perm(p, PROCESS__SETSCHED);
3388 }
3389
3390 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3391 {
3392 int rc;
3393
3394 rc = cap_task_setioprio(p, ioprio);
3395 if (rc)
3396 return rc;
3397
3398 return current_has_perm(p, PROCESS__SETSCHED);
3399 }
3400
3401 static int selinux_task_getioprio(struct task_struct *p)
3402 {
3403 return current_has_perm(p, PROCESS__GETSCHED);
3404 }
3405
3406 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3407 struct rlimit *new_rlim)
3408 {
3409 struct rlimit *old_rlim = p->signal->rlim + resource;
3410
3411 /* Control the ability to change the hard limit (whether
3412 lowering or raising it), so that the hard limit can
3413 later be used as a safe reset point for the soft limit
3414 upon context transitions. See selinux_bprm_committing_creds. */
3415 if (old_rlim->rlim_max != new_rlim->rlim_max)
3416 return current_has_perm(p, PROCESS__SETRLIMIT);
3417
3418 return 0;
3419 }
3420
3421 static int selinux_task_setscheduler(struct task_struct *p)
3422 {
3423 int rc;
3424
3425 rc = cap_task_setscheduler(p);
3426 if (rc)
3427 return rc;
3428
3429 return current_has_perm(p, PROCESS__SETSCHED);
3430 }
3431
3432 static int selinux_task_getscheduler(struct task_struct *p)
3433 {
3434 return current_has_perm(p, PROCESS__GETSCHED);
3435 }
3436
3437 static int selinux_task_movememory(struct task_struct *p)
3438 {
3439 return current_has_perm(p, PROCESS__SETSCHED);
3440 }
3441
3442 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3443 int sig, u32 secid)
3444 {
3445 u32 perm;
3446 int rc;
3447
3448 if (!sig)
3449 perm = PROCESS__SIGNULL; /* null signal; existence test */
3450 else
3451 perm = signal_to_av(sig);
3452 if (secid)
3453 rc = avc_has_perm(secid, task_sid(p),
3454 SECCLASS_PROCESS, perm, NULL);
3455 else
3456 rc = current_has_perm(p, perm);
3457 return rc;
3458 }
3459
3460 static int selinux_task_wait(struct task_struct *p)
3461 {
3462 return task_has_perm(p, current, PROCESS__SIGCHLD);
3463 }
3464
3465 static void selinux_task_to_inode(struct task_struct *p,
3466 struct inode *inode)
3467 {
3468 struct inode_security_struct *isec = inode->i_security;
3469 u32 sid = task_sid(p);
3470
3471 isec->sid = sid;
3472 isec->initialized = 1;
3473 }
3474
3475 /* Returns error only if unable to parse addresses */
3476 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3477 struct common_audit_data *ad, u8 *proto)
3478 {
3479 int offset, ihlen, ret = -EINVAL;
3480 struct iphdr _iph, *ih;
3481
3482 offset = skb_network_offset(skb);
3483 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3484 if (ih == NULL)
3485 goto out;
3486
3487 ihlen = ih->ihl * 4;
3488 if (ihlen < sizeof(_iph))
3489 goto out;
3490
3491 ad->u.net.v4info.saddr = ih->saddr;
3492 ad->u.net.v4info.daddr = ih->daddr;
3493 ret = 0;
3494
3495 if (proto)
3496 *proto = ih->protocol;
3497
3498 switch (ih->protocol) {
3499 case IPPROTO_TCP: {
3500 struct tcphdr _tcph, *th;
3501
3502 if (ntohs(ih->frag_off) & IP_OFFSET)
3503 break;
3504
3505 offset += ihlen;
3506 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3507 if (th == NULL)
3508 break;
3509
3510 ad->u.net.sport = th->source;
3511 ad->u.net.dport = th->dest;
3512 break;
3513 }
3514
3515 case IPPROTO_UDP: {
3516 struct udphdr _udph, *uh;
3517
3518 if (ntohs(ih->frag_off) & IP_OFFSET)
3519 break;
3520
3521 offset += ihlen;
3522 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3523 if (uh == NULL)
3524 break;
3525
3526 ad->u.net.sport = uh->source;
3527 ad->u.net.dport = uh->dest;
3528 break;
3529 }
3530
3531 case IPPROTO_DCCP: {
3532 struct dccp_hdr _dccph, *dh;
3533
3534 if (ntohs(ih->frag_off) & IP_OFFSET)
3535 break;
3536
3537 offset += ihlen;
3538 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3539 if (dh == NULL)
3540 break;
3541
3542 ad->u.net.sport = dh->dccph_sport;
3543 ad->u.net.dport = dh->dccph_dport;
3544 break;
3545 }
3546
3547 default:
3548 break;
3549 }
3550 out:
3551 return ret;
3552 }
3553
3554 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3555
3556 /* Returns error only if unable to parse addresses */
3557 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3558 struct common_audit_data *ad, u8 *proto)
3559 {
3560 u8 nexthdr;
3561 int ret = -EINVAL, offset;
3562 struct ipv6hdr _ipv6h, *ip6;
3563
3564 offset = skb_network_offset(skb);
3565 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3566 if (ip6 == NULL)
3567 goto out;
3568
3569 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3570 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3571 ret = 0;
3572
3573 nexthdr = ip6->nexthdr;
3574 offset += sizeof(_ipv6h);
3575 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3576 if (offset < 0)
3577 goto out;
3578
3579 if (proto)
3580 *proto = nexthdr;
3581
3582 switch (nexthdr) {
3583 case IPPROTO_TCP: {
3584 struct tcphdr _tcph, *th;
3585
3586 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3587 if (th == NULL)
3588 break;
3589
3590 ad->u.net.sport = th->source;
3591 ad->u.net.dport = th->dest;
3592 break;
3593 }
3594
3595 case IPPROTO_UDP: {
3596 struct udphdr _udph, *uh;
3597
3598 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3599 if (uh == NULL)
3600 break;
3601
3602 ad->u.net.sport = uh->source;
3603 ad->u.net.dport = uh->dest;
3604 break;
3605 }
3606
3607 case IPPROTO_DCCP: {
3608 struct dccp_hdr _dccph, *dh;
3609
3610 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3611 if (dh == NULL)
3612 break;
3613
3614 ad->u.net.sport = dh->dccph_sport;
3615 ad->u.net.dport = dh->dccph_dport;
3616 break;
3617 }
3618
3619 /* includes fragments */
3620 default:
3621 break;
3622 }
3623 out:
3624 return ret;
3625 }
3626
3627 #endif /* IPV6 */
3628
3629 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3630 char **_addrp, int src, u8 *proto)
3631 {
3632 char *addrp;
3633 int ret;
3634
3635 switch (ad->u.net.family) {
3636 case PF_INET:
3637 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3638 if (ret)
3639 goto parse_error;
3640 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3641 &ad->u.net.v4info.daddr);
3642 goto okay;
3643
3644 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3645 case PF_INET6:
3646 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3647 if (ret)
3648 goto parse_error;
3649 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3650 &ad->u.net.v6info.daddr);
3651 goto okay;
3652 #endif /* IPV6 */
3653 default:
3654 addrp = NULL;
3655 goto okay;
3656 }
3657
3658 parse_error:
3659 printk(KERN_WARNING
3660 "SELinux: failure in selinux_parse_skb(),"
3661 " unable to parse packet\n");
3662 return ret;
3663
3664 okay:
3665 if (_addrp)
3666 *_addrp = addrp;
3667 return 0;
3668 }
3669
3670 /**
3671 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3672 * @skb: the packet
3673 * @family: protocol family
3674 * @sid: the packet's peer label SID
3675 *
3676 * Description:
3677 * Check the various different forms of network peer labeling and determine
3678 * the peer label/SID for the packet; most of the magic actually occurs in
3679 * the security server function security_net_peersid_cmp(). The function
3680 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3681 * or -EACCES if @sid is invalid due to inconsistencies with the different
3682 * peer labels.
3683 *
3684 */
3685 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3686 {
3687 int err;
3688 u32 xfrm_sid;
3689 u32 nlbl_sid;
3690 u32 nlbl_type;
3691
3692 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3693 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3694
3695 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3696 if (unlikely(err)) {
3697 printk(KERN_WARNING
3698 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3699 " unable to determine packet's peer label\n");
3700 return -EACCES;
3701 }
3702
3703 return 0;
3704 }
3705
3706 /* socket security operations */
3707
3708 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3709 u16 secclass, u32 *socksid)
3710 {
3711 if (tsec->sockcreate_sid > SECSID_NULL) {
3712 *socksid = tsec->sockcreate_sid;
3713 return 0;
3714 }
3715
3716 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3717 socksid);
3718 }
3719
3720 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3721 {
3722 struct sk_security_struct *sksec = sk->sk_security;
3723 struct common_audit_data ad;
3724 u32 tsid = task_sid(task);
3725
3726 if (sksec->sid == SECINITSID_KERNEL)
3727 return 0;
3728
3729 COMMON_AUDIT_DATA_INIT(&ad, NET);
3730 ad.u.net.sk = sk;
3731
3732 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3733 }
3734
3735 static int selinux_socket_create(int family, int type,
3736 int protocol, int kern)
3737 {
3738 const struct task_security_struct *tsec = current_security();
3739 u32 newsid;
3740 u16 secclass;
3741 int rc;
3742
3743 if (kern)
3744 return 0;
3745
3746 secclass = socket_type_to_security_class(family, type, protocol);
3747 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3748 if (rc)
3749 return rc;
3750
3751 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3752 }
3753
3754 static int selinux_socket_post_create(struct socket *sock, int family,
3755 int type, int protocol, int kern)
3756 {
3757 const struct task_security_struct *tsec = current_security();
3758 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3759 struct sk_security_struct *sksec;
3760 int err = 0;
3761
3762 isec->sclass = socket_type_to_security_class(family, type, protocol);
3763
3764 if (kern)
3765 isec->sid = SECINITSID_KERNEL;
3766 else {
3767 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3768 if (err)
3769 return err;
3770 }
3771
3772 isec->initialized = 1;
3773
3774 if (sock->sk) {
3775 sksec = sock->sk->sk_security;
3776 sksec->sid = isec->sid;
3777 sksec->sclass = isec->sclass;
3778 err = selinux_netlbl_socket_post_create(sock->sk, family);
3779 }
3780
3781 return err;
3782 }
3783
3784 /* Range of port numbers used to automatically bind.
3785 Need to determine whether we should perform a name_bind
3786 permission check between the socket and the port number. */
3787
3788 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3789 {
3790 struct sock *sk = sock->sk;
3791 u16 family;
3792 int err;
3793
3794 err = sock_has_perm(current, sk, SOCKET__BIND);
3795 if (err)
3796 goto out;
3797
3798 /*
3799 * If PF_INET or PF_INET6, check name_bind permission for the port.
3800 * Multiple address binding for SCTP is not supported yet: we just
3801 * check the first address now.
3802 */
3803 family = sk->sk_family;
3804 if (family == PF_INET || family == PF_INET6) {
3805 char *addrp;
3806 struct sk_security_struct *sksec = sk->sk_security;
3807 struct common_audit_data ad;
3808 struct sockaddr_in *addr4 = NULL;
3809 struct sockaddr_in6 *addr6 = NULL;
3810 unsigned short snum;
3811 u32 sid, node_perm;
3812
3813 if (family == PF_INET) {
3814 addr4 = (struct sockaddr_in *)address;
3815 snum = ntohs(addr4->sin_port);
3816 addrp = (char *)&addr4->sin_addr.s_addr;
3817 } else {
3818 addr6 = (struct sockaddr_in6 *)address;
3819 snum = ntohs(addr6->sin6_port);
3820 addrp = (char *)&addr6->sin6_addr.s6_addr;
3821 }
3822
3823 if (snum) {
3824 int low, high;
3825
3826 inet_get_local_port_range(&low, &high);
3827
3828 if (snum < max(PROT_SOCK, low) || snum > high) {
3829 err = sel_netport_sid(sk->sk_protocol,
3830 snum, &sid);
3831 if (err)
3832 goto out;
3833 COMMON_AUDIT_DATA_INIT(&ad, NET);
3834 ad.u.net.sport = htons(snum);
3835 ad.u.net.family = family;
3836 err = avc_has_perm(sksec->sid, sid,
3837 sksec->sclass,
3838 SOCKET__NAME_BIND, &ad);
3839 if (err)
3840 goto out;
3841 }
3842 }
3843
3844 switch (sksec->sclass) {
3845 case SECCLASS_TCP_SOCKET:
3846 node_perm = TCP_SOCKET__NODE_BIND;
3847 break;
3848
3849 case SECCLASS_UDP_SOCKET:
3850 node_perm = UDP_SOCKET__NODE_BIND;
3851 break;
3852
3853 case SECCLASS_DCCP_SOCKET:
3854 node_perm = DCCP_SOCKET__NODE_BIND;
3855 break;
3856
3857 default:
3858 node_perm = RAWIP_SOCKET__NODE_BIND;
3859 break;
3860 }
3861
3862 err = sel_netnode_sid(addrp, family, &sid);
3863 if (err)
3864 goto out;
3865
3866 COMMON_AUDIT_DATA_INIT(&ad, NET);
3867 ad.u.net.sport = htons(snum);
3868 ad.u.net.family = family;
3869
3870 if (family == PF_INET)
3871 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3872 else
3873 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3874
3875 err = avc_has_perm(sksec->sid, sid,
3876 sksec->sclass, node_perm, &ad);
3877 if (err)
3878 goto out;
3879 }
3880 out:
3881 return err;
3882 }
3883
3884 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3885 {
3886 struct sock *sk = sock->sk;
3887 struct sk_security_struct *sksec = sk->sk_security;
3888 int err;
3889
3890 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3891 if (err)
3892 return err;
3893
3894 /*
3895 * If a TCP or DCCP socket, check name_connect permission for the port.
3896 */
3897 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3898 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3899 struct common_audit_data ad;
3900 struct sockaddr_in *addr4 = NULL;
3901 struct sockaddr_in6 *addr6 = NULL;
3902 unsigned short snum;
3903 u32 sid, perm;
3904
3905 if (sk->sk_family == PF_INET) {
3906 addr4 = (struct sockaddr_in *)address;
3907 if (addrlen < sizeof(struct sockaddr_in))
3908 return -EINVAL;
3909 snum = ntohs(addr4->sin_port);
3910 } else {
3911 addr6 = (struct sockaddr_in6 *)address;
3912 if (addrlen < SIN6_LEN_RFC2133)
3913 return -EINVAL;
3914 snum = ntohs(addr6->sin6_port);
3915 }
3916
3917 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3918 if (err)
3919 goto out;
3920
3921 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3922 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3923
3924 COMMON_AUDIT_DATA_INIT(&ad, NET);
3925 ad.u.net.dport = htons(snum);
3926 ad.u.net.family = sk->sk_family;
3927 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3928 if (err)
3929 goto out;
3930 }
3931
3932 err = selinux_netlbl_socket_connect(sk, address);
3933
3934 out:
3935 return err;
3936 }
3937
3938 static int selinux_socket_listen(struct socket *sock, int backlog)
3939 {
3940 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3941 }
3942
3943 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3944 {
3945 int err;
3946 struct inode_security_struct *isec;
3947 struct inode_security_struct *newisec;
3948
3949 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3950 if (err)
3951 return err;
3952
3953 newisec = SOCK_INODE(newsock)->i_security;
3954
3955 isec = SOCK_INODE(sock)->i_security;
3956 newisec->sclass = isec->sclass;
3957 newisec->sid = isec->sid;
3958 newisec->initialized = 1;
3959
3960 return 0;
3961 }
3962
3963 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3964 int size)
3965 {
3966 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3967 }
3968
3969 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3970 int size, int flags)
3971 {
3972 return sock_has_perm(current, sock->sk, SOCKET__READ);
3973 }
3974
3975 static int selinux_socket_getsockname(struct socket *sock)
3976 {
3977 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3978 }
3979
3980 static int selinux_socket_getpeername(struct socket *sock)
3981 {
3982 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3983 }
3984
3985 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3986 {
3987 int err;
3988
3989 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3990 if (err)
3991 return err;
3992
3993 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3994 }
3995
3996 static int selinux_socket_getsockopt(struct socket *sock, int level,
3997 int optname)
3998 {
3999 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4000 }
4001
4002 static int selinux_socket_shutdown(struct socket *sock, int how)
4003 {
4004 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4005 }
4006
4007 static int selinux_socket_unix_stream_connect(struct sock *sock,
4008 struct sock *other,
4009 struct sock *newsk)
4010 {
4011 struct sk_security_struct *sksec_sock = sock->sk_security;
4012 struct sk_security_struct *sksec_other = other->sk_security;
4013 struct sk_security_struct *sksec_new = newsk->sk_security;
4014 struct common_audit_data ad;
4015 int err;
4016
4017 COMMON_AUDIT_DATA_INIT(&ad, NET);
4018 ad.u.net.sk = other;
4019
4020 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4021 sksec_other->sclass,
4022 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4023 if (err)
4024 return err;
4025
4026 /* server child socket */
4027 sksec_new->peer_sid = sksec_sock->sid;
4028 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4029 &sksec_new->sid);
4030 if (err)
4031 return err;
4032
4033 /* connecting socket */
4034 sksec_sock->peer_sid = sksec_new->sid;
4035
4036 return 0;
4037 }
4038
4039 static int selinux_socket_unix_may_send(struct socket *sock,
4040 struct socket *other)
4041 {
4042 struct sk_security_struct *ssec = sock->sk->sk_security;
4043 struct sk_security_struct *osec = other->sk->sk_security;
4044 struct common_audit_data ad;
4045
4046 COMMON_AUDIT_DATA_INIT(&ad, NET);
4047 ad.u.net.sk = other->sk;
4048
4049 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4050 &ad);
4051 }
4052
4053 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4054 u32 peer_sid,
4055 struct common_audit_data *ad)
4056 {
4057 int err;
4058 u32 if_sid;
4059 u32 node_sid;
4060
4061 err = sel_netif_sid(ifindex, &if_sid);
4062 if (err)
4063 return err;
4064 err = avc_has_perm(peer_sid, if_sid,
4065 SECCLASS_NETIF, NETIF__INGRESS, ad);
4066 if (err)
4067 return err;
4068
4069 err = sel_netnode_sid(addrp, family, &node_sid);
4070 if (err)
4071 return err;
4072 return avc_has_perm(peer_sid, node_sid,
4073 SECCLASS_NODE, NODE__RECVFROM, ad);
4074 }
4075
4076 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4077 u16 family)
4078 {
4079 int err = 0;
4080 struct sk_security_struct *sksec = sk->sk_security;
4081 u32 sk_sid = sksec->sid;
4082 struct common_audit_data ad;
4083 char *addrp;
4084
4085 COMMON_AUDIT_DATA_INIT(&ad, NET);
4086 ad.u.net.netif = skb->skb_iif;
4087 ad.u.net.family = family;
4088 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4089 if (err)
4090 return err;
4091
4092 if (selinux_secmark_enabled()) {
4093 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4094 PACKET__RECV, &ad);
4095 if (err)
4096 return err;
4097 }
4098
4099 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4100 if (err)
4101 return err;
4102 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4103
4104 return err;
4105 }
4106
4107 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4108 {
4109 int err;
4110 struct sk_security_struct *sksec = sk->sk_security;
4111 u16 family = sk->sk_family;
4112 u32 sk_sid = sksec->sid;
4113 struct common_audit_data ad;
4114 char *addrp;
4115 u8 secmark_active;
4116 u8 peerlbl_active;
4117
4118 if (family != PF_INET && family != PF_INET6)
4119 return 0;
4120
4121 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4122 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4123 family = PF_INET;
4124
4125 /* If any sort of compatibility mode is enabled then handoff processing
4126 * to the selinux_sock_rcv_skb_compat() function to deal with the
4127 * special handling. We do this in an attempt to keep this function
4128 * as fast and as clean as possible. */
4129 if (!selinux_policycap_netpeer)
4130 return selinux_sock_rcv_skb_compat(sk, skb, family);
4131
4132 secmark_active = selinux_secmark_enabled();
4133 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4134 if (!secmark_active && !peerlbl_active)
4135 return 0;
4136
4137 COMMON_AUDIT_DATA_INIT(&ad, NET);
4138 ad.u.net.netif = skb->skb_iif;
4139 ad.u.net.family = family;
4140 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4141 if (err)
4142 return err;
4143
4144 if (peerlbl_active) {
4145 u32 peer_sid;
4146
4147 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4148 if (err)
4149 return err;
4150 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4151 peer_sid, &ad);
4152 if (err) {
4153 selinux_netlbl_err(skb, err, 0);
4154 return err;
4155 }
4156 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4157 PEER__RECV, &ad);
4158 if (err)
4159 selinux_netlbl_err(skb, err, 0);
4160 }
4161
4162 if (secmark_active) {
4163 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4164 PACKET__RECV, &ad);
4165 if (err)
4166 return err;
4167 }
4168
4169 return err;
4170 }
4171
4172 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4173 int __user *optlen, unsigned len)
4174 {
4175 int err = 0;
4176 char *scontext;
4177 u32 scontext_len;
4178 struct sk_security_struct *sksec = sock->sk->sk_security;
4179 u32 peer_sid = SECSID_NULL;
4180
4181 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4182 sksec->sclass == SECCLASS_TCP_SOCKET)
4183 peer_sid = sksec->peer_sid;
4184 if (peer_sid == SECSID_NULL)
4185 return -ENOPROTOOPT;
4186
4187 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4188 if (err)
4189 return err;
4190
4191 if (scontext_len > len) {
4192 err = -ERANGE;
4193 goto out_len;
4194 }
4195
4196 if (copy_to_user(optval, scontext, scontext_len))
4197 err = -EFAULT;
4198
4199 out_len:
4200 if (put_user(scontext_len, optlen))
4201 err = -EFAULT;
4202 kfree(scontext);
4203 return err;
4204 }
4205
4206 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4207 {
4208 u32 peer_secid = SECSID_NULL;
4209 u16 family;
4210
4211 if (skb && skb->protocol == htons(ETH_P_IP))
4212 family = PF_INET;
4213 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4214 family = PF_INET6;
4215 else if (sock)
4216 family = sock->sk->sk_family;
4217 else
4218 goto out;
4219
4220 if (sock && family == PF_UNIX)
4221 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4222 else if (skb)
4223 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4224
4225 out:
4226 *secid = peer_secid;
4227 if (peer_secid == SECSID_NULL)
4228 return -EINVAL;
4229 return 0;
4230 }
4231
4232 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4233 {
4234 struct sk_security_struct *sksec;
4235
4236 sksec = kzalloc(sizeof(*sksec), priority);
4237 if (!sksec)
4238 return -ENOMEM;
4239
4240 sksec->peer_sid = SECINITSID_UNLABELED;
4241 sksec->sid = SECINITSID_UNLABELED;
4242 selinux_netlbl_sk_security_reset(sksec);
4243 sk->sk_security = sksec;
4244
4245 return 0;
4246 }
4247
4248 static void selinux_sk_free_security(struct sock *sk)
4249 {
4250 struct sk_security_struct *sksec = sk->sk_security;
4251
4252 sk->sk_security = NULL;
4253 selinux_netlbl_sk_security_free(sksec);
4254 kfree(sksec);
4255 }
4256
4257 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4258 {
4259 struct sk_security_struct *sksec = sk->sk_security;
4260 struct sk_security_struct *newsksec = newsk->sk_security;
4261
4262 newsksec->sid = sksec->sid;
4263 newsksec->peer_sid = sksec->peer_sid;
4264 newsksec->sclass = sksec->sclass;
4265
4266 selinux_netlbl_sk_security_reset(newsksec);
4267 }
4268
4269 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4270 {
4271 if (!sk)
4272 *secid = SECINITSID_ANY_SOCKET;
4273 else {
4274 struct sk_security_struct *sksec = sk->sk_security;
4275
4276 *secid = sksec->sid;
4277 }
4278 }
4279
4280 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4281 {
4282 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4283 struct sk_security_struct *sksec = sk->sk_security;
4284
4285 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4286 sk->sk_family == PF_UNIX)
4287 isec->sid = sksec->sid;
4288 sksec->sclass = isec->sclass;
4289 }
4290
4291 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4292 struct request_sock *req)
4293 {
4294 struct sk_security_struct *sksec = sk->sk_security;
4295 int err;
4296 u16 family = sk->sk_family;
4297 u32 newsid;
4298 u32 peersid;
4299
4300 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4301 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4302 family = PF_INET;
4303
4304 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4305 if (err)
4306 return err;
4307 if (peersid == SECSID_NULL) {
4308 req->secid = sksec->sid;
4309 req->peer_secid = SECSID_NULL;
4310 } else {
4311 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4312 if (err)
4313 return err;
4314 req->secid = newsid;
4315 req->peer_secid = peersid;
4316 }
4317
4318 return selinux_netlbl_inet_conn_request(req, family);
4319 }
4320
4321 static void selinux_inet_csk_clone(struct sock *newsk,
4322 const struct request_sock *req)
4323 {
4324 struct sk_security_struct *newsksec = newsk->sk_security;
4325
4326 newsksec->sid = req->secid;
4327 newsksec->peer_sid = req->peer_secid;
4328 /* NOTE: Ideally, we should also get the isec->sid for the
4329 new socket in sync, but we don't have the isec available yet.
4330 So we will wait until sock_graft to do it, by which
4331 time it will have been created and available. */
4332
4333 /* We don't need to take any sort of lock here as we are the only
4334 * thread with access to newsksec */
4335 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4336 }
4337
4338 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4339 {
4340 u16 family = sk->sk_family;
4341 struct sk_security_struct *sksec = sk->sk_security;
4342
4343 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4344 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4345 family = PF_INET;
4346
4347 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4348 }
4349
4350 static int selinux_secmark_relabel_packet(u32 sid)
4351 {
4352 const struct task_security_struct *__tsec;
4353 u32 tsid;
4354
4355 __tsec = current_security();
4356 tsid = __tsec->sid;
4357
4358 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4359 }
4360
4361 static void selinux_secmark_refcount_inc(void)
4362 {
4363 atomic_inc(&selinux_secmark_refcount);
4364 }
4365
4366 static void selinux_secmark_refcount_dec(void)
4367 {
4368 atomic_dec(&selinux_secmark_refcount);
4369 }
4370
4371 static void selinux_req_classify_flow(const struct request_sock *req,
4372 struct flowi *fl)
4373 {
4374 fl->flowi_secid = req->secid;
4375 }
4376
4377 static int selinux_tun_dev_create(void)
4378 {
4379 u32 sid = current_sid();
4380
4381 /* we aren't taking into account the "sockcreate" SID since the socket
4382 * that is being created here is not a socket in the traditional sense,
4383 * instead it is a private sock, accessible only to the kernel, and
4384 * representing a wide range of network traffic spanning multiple
4385 * connections unlike traditional sockets - check the TUN driver to
4386 * get a better understanding of why this socket is special */
4387
4388 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4389 NULL);
4390 }
4391
4392 static void selinux_tun_dev_post_create(struct sock *sk)
4393 {
4394 struct sk_security_struct *sksec = sk->sk_security;
4395
4396 /* we don't currently perform any NetLabel based labeling here and it
4397 * isn't clear that we would want to do so anyway; while we could apply
4398 * labeling without the support of the TUN user the resulting labeled
4399 * traffic from the other end of the connection would almost certainly
4400 * cause confusion to the TUN user that had no idea network labeling
4401 * protocols were being used */
4402
4403 /* see the comments in selinux_tun_dev_create() about why we don't use
4404 * the sockcreate SID here */
4405
4406 sksec->sid = current_sid();
4407 sksec->sclass = SECCLASS_TUN_SOCKET;
4408 }
4409
4410 static int selinux_tun_dev_attach(struct sock *sk)
4411 {
4412 struct sk_security_struct *sksec = sk->sk_security;
4413 u32 sid = current_sid();
4414 int err;
4415
4416 err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4417 TUN_SOCKET__RELABELFROM, NULL);
4418 if (err)
4419 return err;
4420 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4421 TUN_SOCKET__RELABELTO, NULL);
4422 if (err)
4423 return err;
4424
4425 sksec->sid = sid;
4426
4427 return 0;
4428 }
4429
4430 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4431 {
4432 int err = 0;
4433 u32 perm;
4434 struct nlmsghdr *nlh;
4435 struct sk_security_struct *sksec = sk->sk_security;
4436
4437 if (skb->len < NLMSG_SPACE(0)) {
4438 err = -EINVAL;
4439 goto out;
4440 }
4441 nlh = nlmsg_hdr(skb);
4442
4443 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4444 if (err) {
4445 if (err == -EINVAL) {
4446 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4447 "SELinux: unrecognized netlink message"
4448 " type=%hu for sclass=%hu\n",
4449 nlh->nlmsg_type, sksec->sclass);
4450 if (!selinux_enforcing || security_get_allow_unknown())
4451 err = 0;
4452 }
4453
4454 /* Ignore */
4455 if (err == -ENOENT)
4456 err = 0;
4457 goto out;
4458 }
4459
4460 err = sock_has_perm(current, sk, perm);
4461 out:
4462 return err;
4463 }
4464
4465 #ifdef CONFIG_NETFILTER
4466
4467 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4468 u16 family)
4469 {
4470 int err;
4471 char *addrp;
4472 u32 peer_sid;
4473 struct common_audit_data ad;
4474 u8 secmark_active;
4475 u8 netlbl_active;
4476 u8 peerlbl_active;
4477
4478 if (!selinux_policycap_netpeer)
4479 return NF_ACCEPT;
4480
4481 secmark_active = selinux_secmark_enabled();
4482 netlbl_active = netlbl_enabled();
4483 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4484 if (!secmark_active && !peerlbl_active)
4485 return NF_ACCEPT;
4486
4487 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4488 return NF_DROP;
4489
4490 COMMON_AUDIT_DATA_INIT(&ad, NET);
4491 ad.u.net.netif = ifindex;
4492 ad.u.net.family = family;
4493 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4494 return NF_DROP;
4495
4496 if (peerlbl_active) {
4497 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4498 peer_sid, &ad);
4499 if (err) {
4500 selinux_netlbl_err(skb, err, 1);
4501 return NF_DROP;
4502 }
4503 }
4504
4505 if (secmark_active)
4506 if (avc_has_perm(peer_sid, skb->secmark,
4507 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4508 return NF_DROP;
4509
4510 if (netlbl_active)
4511 /* we do this in the FORWARD path and not the POST_ROUTING
4512 * path because we want to make sure we apply the necessary
4513 * labeling before IPsec is applied so we can leverage AH
4514 * protection */
4515 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4516 return NF_DROP;
4517
4518 return NF_ACCEPT;
4519 }
4520
4521 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4522 struct sk_buff *skb,
4523 const struct net_device *in,
4524 const struct net_device *out,
4525 int (*okfn)(struct sk_buff *))
4526 {
4527 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4528 }
4529
4530 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4531 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4532 struct sk_buff *skb,
4533 const struct net_device *in,
4534 const struct net_device *out,
4535 int (*okfn)(struct sk_buff *))
4536 {
4537 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4538 }
4539 #endif /* IPV6 */
4540
4541 static unsigned int selinux_ip_output(struct sk_buff *skb,
4542 u16 family)
4543 {
4544 u32 sid;
4545
4546 if (!netlbl_enabled())
4547 return NF_ACCEPT;
4548
4549 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4550 * because we want to make sure we apply the necessary labeling
4551 * before IPsec is applied so we can leverage AH protection */
4552 if (skb->sk) {
4553 struct sk_security_struct *sksec = skb->sk->sk_security;
4554 sid = sksec->sid;
4555 } else
4556 sid = SECINITSID_KERNEL;
4557 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4558 return NF_DROP;
4559
4560 return NF_ACCEPT;
4561 }
4562
4563 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4564 struct sk_buff *skb,
4565 const struct net_device *in,
4566 const struct net_device *out,
4567 int (*okfn)(struct sk_buff *))
4568 {
4569 return selinux_ip_output(skb, PF_INET);
4570 }
4571
4572 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4573 int ifindex,
4574 u16 family)
4575 {
4576 struct sock *sk = skb->sk;
4577 struct sk_security_struct *sksec;
4578 struct common_audit_data ad;
4579 char *addrp;
4580 u8 proto;
4581
4582 if (sk == NULL)
4583 return NF_ACCEPT;
4584 sksec = sk->sk_security;
4585
4586 COMMON_AUDIT_DATA_INIT(&ad, NET);
4587 ad.u.net.netif = ifindex;
4588 ad.u.net.family = family;
4589 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4590 return NF_DROP;
4591
4592 if (selinux_secmark_enabled())
4593 if (avc_has_perm(sksec->sid, skb->secmark,
4594 SECCLASS_PACKET, PACKET__SEND, &ad))
4595 return NF_DROP_ERR(-ECONNREFUSED);
4596
4597 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4598 return NF_DROP_ERR(-ECONNREFUSED);
4599
4600 return NF_ACCEPT;
4601 }
4602
4603 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4604 u16 family)
4605 {
4606 u32 secmark_perm;
4607 u32 peer_sid;
4608 struct sock *sk;
4609 struct common_audit_data ad;
4610 char *addrp;
4611 u8 secmark_active;
4612 u8 peerlbl_active;
4613
4614 /* If any sort of compatibility mode is enabled then handoff processing
4615 * to the selinux_ip_postroute_compat() function to deal with the
4616 * special handling. We do this in an attempt to keep this function
4617 * as fast and as clean as possible. */
4618 if (!selinux_policycap_netpeer)
4619 return selinux_ip_postroute_compat(skb, ifindex, family);
4620 #ifdef CONFIG_XFRM
4621 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4622 * packet transformation so allow the packet to pass without any checks
4623 * since we'll have another chance to perform access control checks
4624 * when the packet is on it's final way out.
4625 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4626 * is NULL, in this case go ahead and apply access control. */
4627 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4628 return NF_ACCEPT;
4629 #endif
4630 secmark_active = selinux_secmark_enabled();
4631 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4632 if (!secmark_active && !peerlbl_active)
4633 return NF_ACCEPT;
4634
4635 /* if the packet is being forwarded then get the peer label from the
4636 * packet itself; otherwise check to see if it is from a local
4637 * application or the kernel, if from an application get the peer label
4638 * from the sending socket, otherwise use the kernel's sid */
4639 sk = skb->sk;
4640 if (sk == NULL) {
4641 if (skb->skb_iif) {
4642 secmark_perm = PACKET__FORWARD_OUT;
4643 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4644 return NF_DROP;
4645 } else {
4646 secmark_perm = PACKET__SEND;
4647 peer_sid = SECINITSID_KERNEL;
4648 }
4649 } else {
4650 struct sk_security_struct *sksec = sk->sk_security;
4651 peer_sid = sksec->sid;
4652 secmark_perm = PACKET__SEND;
4653 }
4654
4655 COMMON_AUDIT_DATA_INIT(&ad, NET);
4656 ad.u.net.netif = ifindex;
4657 ad.u.net.family = family;
4658 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4659 return NF_DROP;
4660
4661 if (secmark_active)
4662 if (avc_has_perm(peer_sid, skb->secmark,
4663 SECCLASS_PACKET, secmark_perm, &ad))
4664 return NF_DROP_ERR(-ECONNREFUSED);
4665
4666 if (peerlbl_active) {
4667 u32 if_sid;
4668 u32 node_sid;
4669
4670 if (sel_netif_sid(ifindex, &if_sid))
4671 return NF_DROP;
4672 if (avc_has_perm(peer_sid, if_sid,
4673 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4674 return NF_DROP_ERR(-ECONNREFUSED);
4675
4676 if (sel_netnode_sid(addrp, family, &node_sid))
4677 return NF_DROP;
4678 if (avc_has_perm(peer_sid, node_sid,
4679 SECCLASS_NODE, NODE__SENDTO, &ad))
4680 return NF_DROP_ERR(-ECONNREFUSED);
4681 }
4682
4683 return NF_ACCEPT;
4684 }
4685
4686 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4687 struct sk_buff *skb,
4688 const struct net_device *in,
4689 const struct net_device *out,
4690 int (*okfn)(struct sk_buff *))
4691 {
4692 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4693 }
4694
4695 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4696 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4697 struct sk_buff *skb,
4698 const struct net_device *in,
4699 const struct net_device *out,
4700 int (*okfn)(struct sk_buff *))
4701 {
4702 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4703 }
4704 #endif /* IPV6 */
4705
4706 #endif /* CONFIG_NETFILTER */
4707
4708 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4709 {
4710 int err;
4711
4712 err = cap_netlink_send(sk, skb);
4713 if (err)
4714 return err;
4715
4716 return selinux_nlmsg_perm(sk, skb);
4717 }
4718
4719 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4720 {
4721 int err;
4722 struct common_audit_data ad;
4723 u32 sid;
4724
4725 err = cap_netlink_recv(skb, capability);
4726 if (err)
4727 return err;
4728
4729 COMMON_AUDIT_DATA_INIT(&ad, CAP);
4730 ad.u.cap = capability;
4731
4732 security_task_getsecid(current, &sid);
4733 return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4734 CAP_TO_MASK(capability), &ad);
4735 }
4736
4737 static int ipc_alloc_security(struct task_struct *task,
4738 struct kern_ipc_perm *perm,
4739 u16 sclass)
4740 {
4741 struct ipc_security_struct *isec;
4742 u32 sid;
4743
4744 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4745 if (!isec)
4746 return -ENOMEM;
4747
4748 sid = task_sid(task);
4749 isec->sclass = sclass;
4750 isec->sid = sid;
4751 perm->security = isec;
4752
4753 return 0;
4754 }
4755
4756 static void ipc_free_security(struct kern_ipc_perm *perm)
4757 {
4758 struct ipc_security_struct *isec = perm->security;
4759 perm->security = NULL;
4760 kfree(isec);
4761 }
4762
4763 static int msg_msg_alloc_security(struct msg_msg *msg)
4764 {
4765 struct msg_security_struct *msec;
4766
4767 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4768 if (!msec)
4769 return -ENOMEM;
4770
4771 msec->sid = SECINITSID_UNLABELED;
4772 msg->security = msec;
4773
4774 return 0;
4775 }
4776
4777 static void msg_msg_free_security(struct msg_msg *msg)
4778 {
4779 struct msg_security_struct *msec = msg->security;
4780
4781 msg->security = NULL;
4782 kfree(msec);
4783 }
4784
4785 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4786 u32 perms)
4787 {
4788 struct ipc_security_struct *isec;
4789 struct common_audit_data ad;
4790 u32 sid = current_sid();
4791
4792 isec = ipc_perms->security;
4793
4794 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4795 ad.u.ipc_id = ipc_perms->key;
4796
4797 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4798 }
4799
4800 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4801 {
4802 return msg_msg_alloc_security(msg);
4803 }
4804
4805 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4806 {
4807 msg_msg_free_security(msg);
4808 }
4809
4810 /* message queue security operations */
4811 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4812 {
4813 struct ipc_security_struct *isec;
4814 struct common_audit_data ad;
4815 u32 sid = current_sid();
4816 int rc;
4817
4818 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4819 if (rc)
4820 return rc;
4821
4822 isec = msq->q_perm.security;
4823
4824 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4825 ad.u.ipc_id = msq->q_perm.key;
4826
4827 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4828 MSGQ__CREATE, &ad);
4829 if (rc) {
4830 ipc_free_security(&msq->q_perm);
4831 return rc;
4832 }
4833 return 0;
4834 }
4835
4836 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4837 {
4838 ipc_free_security(&msq->q_perm);
4839 }
4840
4841 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4842 {
4843 struct ipc_security_struct *isec;
4844 struct common_audit_data ad;
4845 u32 sid = current_sid();
4846
4847 isec = msq->q_perm.security;
4848
4849 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4850 ad.u.ipc_id = msq->q_perm.key;
4851
4852 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4853 MSGQ__ASSOCIATE, &ad);
4854 }
4855
4856 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4857 {
4858 int err;
4859 int perms;
4860
4861 switch (cmd) {
4862 case IPC_INFO:
4863 case MSG_INFO:
4864 /* No specific object, just general system-wide information. */
4865 return task_has_system(current, SYSTEM__IPC_INFO);
4866 case IPC_STAT:
4867 case MSG_STAT:
4868 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4869 break;
4870 case IPC_SET:
4871 perms = MSGQ__SETATTR;
4872 break;
4873 case IPC_RMID:
4874 perms = MSGQ__DESTROY;
4875 break;
4876 default:
4877 return 0;
4878 }
4879
4880 err = ipc_has_perm(&msq->q_perm, perms);
4881 return err;
4882 }
4883
4884 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4885 {
4886 struct ipc_security_struct *isec;
4887 struct msg_security_struct *msec;
4888 struct common_audit_data ad;
4889 u32 sid = current_sid();
4890 int rc;
4891
4892 isec = msq->q_perm.security;
4893 msec = msg->security;
4894
4895 /*
4896 * First time through, need to assign label to the message
4897 */
4898 if (msec->sid == SECINITSID_UNLABELED) {
4899 /*
4900 * Compute new sid based on current process and
4901 * message queue this message will be stored in
4902 */
4903 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4904 NULL, &msec->sid);
4905 if (rc)
4906 return rc;
4907 }
4908
4909 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4910 ad.u.ipc_id = msq->q_perm.key;
4911
4912 /* Can this process write to the queue? */
4913 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4914 MSGQ__WRITE, &ad);
4915 if (!rc)
4916 /* Can this process send the message */
4917 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4918 MSG__SEND, &ad);
4919 if (!rc)
4920 /* Can the message be put in the queue? */
4921 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4922 MSGQ__ENQUEUE, &ad);
4923
4924 return rc;
4925 }
4926
4927 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4928 struct task_struct *target,
4929 long type, int mode)
4930 {
4931 struct ipc_security_struct *isec;
4932 struct msg_security_struct *msec;
4933 struct common_audit_data ad;
4934 u32 sid = task_sid(target);
4935 int rc;
4936
4937 isec = msq->q_perm.security;
4938 msec = msg->security;
4939
4940 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4941 ad.u.ipc_id = msq->q_perm.key;
4942
4943 rc = avc_has_perm(sid, isec->sid,
4944 SECCLASS_MSGQ, MSGQ__READ, &ad);
4945 if (!rc)
4946 rc = avc_has_perm(sid, msec->sid,
4947 SECCLASS_MSG, MSG__RECEIVE, &ad);
4948 return rc;
4949 }
4950
4951 /* Shared Memory security operations */
4952 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4953 {
4954 struct ipc_security_struct *isec;
4955 struct common_audit_data ad;
4956 u32 sid = current_sid();
4957 int rc;
4958
4959 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4960 if (rc)
4961 return rc;
4962
4963 isec = shp->shm_perm.security;
4964
4965 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4966 ad.u.ipc_id = shp->shm_perm.key;
4967
4968 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4969 SHM__CREATE, &ad);
4970 if (rc) {
4971 ipc_free_security(&shp->shm_perm);
4972 return rc;
4973 }
4974 return 0;
4975 }
4976
4977 static void selinux_shm_free_security(struct shmid_kernel *shp)
4978 {
4979 ipc_free_security(&shp->shm_perm);
4980 }
4981
4982 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4983 {
4984 struct ipc_security_struct *isec;
4985 struct common_audit_data ad;
4986 u32 sid = current_sid();
4987
4988 isec = shp->shm_perm.security;
4989
4990 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4991 ad.u.ipc_id = shp->shm_perm.key;
4992
4993 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4994 SHM__ASSOCIATE, &ad);
4995 }
4996
4997 /* Note, at this point, shp is locked down */
4998 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4999 {
5000 int perms;
5001 int err;
5002
5003 switch (cmd) {
5004 case IPC_INFO:
5005 case SHM_INFO:
5006 /* No specific object, just general system-wide information. */
5007 return task_has_system(current, SYSTEM__IPC_INFO);
5008 case IPC_STAT:
5009 case SHM_STAT:
5010 perms = SHM__GETATTR | SHM__ASSOCIATE;
5011 break;
5012 case IPC_SET:
5013 perms = SHM__SETATTR;
5014 break;
5015 case SHM_LOCK:
5016 case SHM_UNLOCK:
5017 perms = SHM__LOCK;
5018 break;
5019 case IPC_RMID:
5020 perms = SHM__DESTROY;
5021 break;
5022 default:
5023 return 0;
5024 }
5025
5026 err = ipc_has_perm(&shp->shm_perm, perms);
5027 return err;
5028 }
5029
5030 static int selinux_shm_shmat(struct shmid_kernel *shp,
5031 char __user *shmaddr, int shmflg)
5032 {
5033 u32 perms;
5034
5035 if (shmflg & SHM_RDONLY)
5036 perms = SHM__READ;
5037 else
5038 perms = SHM__READ | SHM__WRITE;
5039
5040 return ipc_has_perm(&shp->shm_perm, perms);
5041 }
5042
5043 /* Semaphore security operations */
5044 static int selinux_sem_alloc_security(struct sem_array *sma)
5045 {
5046 struct ipc_security_struct *isec;
5047 struct common_audit_data ad;
5048 u32 sid = current_sid();
5049 int rc;
5050
5051 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5052 if (rc)
5053 return rc;
5054
5055 isec = sma->sem_perm.security;
5056
5057 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5058 ad.u.ipc_id = sma->sem_perm.key;
5059
5060 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5061 SEM__CREATE, &ad);
5062 if (rc) {
5063 ipc_free_security(&sma->sem_perm);
5064 return rc;
5065 }
5066 return 0;
5067 }
5068
5069 static void selinux_sem_free_security(struct sem_array *sma)
5070 {
5071 ipc_free_security(&sma->sem_perm);
5072 }
5073
5074 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5075 {
5076 struct ipc_security_struct *isec;
5077 struct common_audit_data ad;
5078 u32 sid = current_sid();
5079
5080 isec = sma->sem_perm.security;
5081
5082 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5083 ad.u.ipc_id = sma->sem_perm.key;
5084
5085 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5086 SEM__ASSOCIATE, &ad);
5087 }
5088
5089 /* Note, at this point, sma is locked down */
5090 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5091 {
5092 int err;
5093 u32 perms;
5094
5095 switch (cmd) {
5096 case IPC_INFO:
5097 case SEM_INFO:
5098 /* No specific object, just general system-wide information. */
5099 return task_has_system(current, SYSTEM__IPC_INFO);
5100 case GETPID:
5101 case GETNCNT:
5102 case GETZCNT:
5103 perms = SEM__GETATTR;
5104 break;
5105 case GETVAL:
5106 case GETALL:
5107 perms = SEM__READ;
5108 break;
5109 case SETVAL:
5110 case SETALL:
5111 perms = SEM__WRITE;
5112 break;
5113 case IPC_RMID:
5114 perms = SEM__DESTROY;
5115 break;
5116 case IPC_SET:
5117 perms = SEM__SETATTR;
5118 break;
5119 case IPC_STAT:
5120 case SEM_STAT:
5121 perms = SEM__GETATTR | SEM__ASSOCIATE;
5122 break;
5123 default:
5124 return 0;
5125 }
5126
5127 err = ipc_has_perm(&sma->sem_perm, perms);
5128 return err;
5129 }
5130
5131 static int selinux_sem_semop(struct sem_array *sma,
5132 struct sembuf *sops, unsigned nsops, int alter)
5133 {
5134 u32 perms;
5135
5136 if (alter)
5137 perms = SEM__READ | SEM__WRITE;
5138 else
5139 perms = SEM__READ;
5140
5141 return ipc_has_perm(&sma->sem_perm, perms);
5142 }
5143
5144 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5145 {
5146 u32 av = 0;
5147
5148 av = 0;
5149 if (flag & S_IRUGO)
5150 av |= IPC__UNIX_READ;
5151 if (flag & S_IWUGO)
5152 av |= IPC__UNIX_WRITE;
5153
5154 if (av == 0)
5155 return 0;
5156
5157 return ipc_has_perm(ipcp, av);
5158 }
5159
5160 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5161 {
5162 struct ipc_security_struct *isec = ipcp->security;
5163 *secid = isec->sid;
5164 }
5165
5166 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5167 {
5168 if (inode)
5169 inode_doinit_with_dentry(inode, dentry);
5170 }
5171
5172 static int selinux_getprocattr(struct task_struct *p,
5173 char *name, char **value)
5174 {
5175 const struct task_security_struct *__tsec;
5176 u32 sid;
5177 int error;
5178 unsigned len;
5179
5180 if (current != p) {
5181 error = current_has_perm(p, PROCESS__GETATTR);
5182 if (error)
5183 return error;
5184 }
5185
5186 rcu_read_lock();
5187 __tsec = __task_cred(p)->security;
5188
5189 if (!strcmp(name, "current"))
5190 sid = __tsec->sid;
5191 else if (!strcmp(name, "prev"))
5192 sid = __tsec->osid;
5193 else if (!strcmp(name, "exec"))
5194 sid = __tsec->exec_sid;
5195 else if (!strcmp(name, "fscreate"))
5196 sid = __tsec->create_sid;
5197 else if (!strcmp(name, "keycreate"))
5198 sid = __tsec->keycreate_sid;
5199 else if (!strcmp(name, "sockcreate"))
5200 sid = __tsec->sockcreate_sid;
5201 else
5202 goto invalid;
5203 rcu_read_unlock();
5204
5205 if (!sid)
5206 return 0;
5207
5208 error = security_sid_to_context(sid, value, &len);
5209 if (error)
5210 return error;
5211 return len;
5212
5213 invalid:
5214 rcu_read_unlock();
5215 return -EINVAL;
5216 }
5217
5218 static int selinux_setprocattr(struct task_struct *p,
5219 char *name, void *value, size_t size)
5220 {
5221 struct task_security_struct *tsec;
5222 struct task_struct *tracer;
5223 struct cred *new;
5224 u32 sid = 0, ptsid;
5225 int error;
5226 char *str = value;
5227
5228 if (current != p) {
5229 /* SELinux only allows a process to change its own
5230 security attributes. */
5231 return -EACCES;
5232 }
5233
5234 /*
5235 * Basic control over ability to set these attributes at all.
5236 * current == p, but we'll pass them separately in case the
5237 * above restriction is ever removed.
5238 */
5239 if (!strcmp(name, "exec"))
5240 error = current_has_perm(p, PROCESS__SETEXEC);
5241 else if (!strcmp(name, "fscreate"))
5242 error = current_has_perm(p, PROCESS__SETFSCREATE);
5243 else if (!strcmp(name, "keycreate"))
5244 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5245 else if (!strcmp(name, "sockcreate"))
5246 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5247 else if (!strcmp(name, "current"))
5248 error = current_has_perm(p, PROCESS__SETCURRENT);
5249 else
5250 error = -EINVAL;
5251 if (error)
5252 return error;
5253
5254 /* Obtain a SID for the context, if one was specified. */
5255 if (size && str[1] && str[1] != '\n') {
5256 if (str[size-1] == '\n') {
5257 str[size-1] = 0;
5258 size--;
5259 }
5260 error = security_context_to_sid(value, size, &sid);
5261 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5262 if (!capable(CAP_MAC_ADMIN))
5263 return error;
5264 error = security_context_to_sid_force(value, size,
5265 &sid);
5266 }
5267 if (error)
5268 return error;
5269 }
5270
5271 new = prepare_creds();
5272 if (!new)
5273 return -ENOMEM;
5274
5275 /* Permission checking based on the specified context is
5276 performed during the actual operation (execve,
5277 open/mkdir/...), when we know the full context of the
5278 operation. See selinux_bprm_set_creds for the execve
5279 checks and may_create for the file creation checks. The
5280 operation will then fail if the context is not permitted. */
5281 tsec = new->security;
5282 if (!strcmp(name, "exec")) {
5283 tsec->exec_sid = sid;
5284 } else if (!strcmp(name, "fscreate")) {
5285 tsec->create_sid = sid;
5286 } else if (!strcmp(name, "keycreate")) {
5287 error = may_create_key(sid, p);
5288 if (error)
5289 goto abort_change;
5290 tsec->keycreate_sid = sid;
5291 } else if (!strcmp(name, "sockcreate")) {
5292 tsec->sockcreate_sid = sid;
5293 } else if (!strcmp(name, "current")) {
5294 error = -EINVAL;
5295 if (sid == 0)
5296 goto abort_change;
5297
5298 /* Only allow single threaded processes to change context */
5299 error = -EPERM;
5300 if (!current_is_single_threaded()) {
5301 error = security_bounded_transition(tsec->sid, sid);
5302 if (error)
5303 goto abort_change;
5304 }
5305
5306 /* Check permissions for the transition. */
5307 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5308 PROCESS__DYNTRANSITION, NULL);
5309 if (error)
5310 goto abort_change;
5311
5312 /* Check for ptracing, and update the task SID if ok.
5313 Otherwise, leave SID unchanged and fail. */
5314 ptsid = 0;
5315 task_lock(p);
5316 tracer = ptrace_parent(p);
5317 if (tracer)
5318 ptsid = task_sid(tracer);
5319 task_unlock(p);
5320
5321 if (tracer) {
5322 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5323 PROCESS__PTRACE, NULL);
5324 if (error)
5325 goto abort_change;
5326 }
5327
5328 tsec->sid = sid;
5329 } else {
5330 error = -EINVAL;
5331 goto abort_change;
5332 }
5333
5334 commit_creds(new);
5335 return size;
5336
5337 abort_change:
5338 abort_creds(new);
5339 return error;
5340 }
5341
5342 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5343 {
5344 return security_sid_to_context(secid, secdata, seclen);
5345 }
5346
5347 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5348 {
5349 return security_context_to_sid(secdata, seclen, secid);
5350 }
5351
5352 static void selinux_release_secctx(char *secdata, u32 seclen)
5353 {
5354 kfree(secdata);
5355 }
5356
5357 /*
5358 * called with inode->i_mutex locked
5359 */
5360 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5361 {
5362 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5363 }
5364
5365 /*
5366 * called with inode->i_mutex locked
5367 */
5368 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5369 {
5370 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5371 }
5372
5373 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5374 {
5375 int len = 0;
5376 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5377 ctx, true);
5378 if (len < 0)
5379 return len;
5380 *ctxlen = len;
5381 return 0;
5382 }
5383 #ifdef CONFIG_KEYS
5384
5385 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5386 unsigned long flags)
5387 {
5388 const struct task_security_struct *tsec;
5389 struct key_security_struct *ksec;
5390
5391 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5392 if (!ksec)
5393 return -ENOMEM;
5394
5395 tsec = cred->security;
5396 if (tsec->keycreate_sid)
5397 ksec->sid = tsec->keycreate_sid;
5398 else
5399 ksec->sid = tsec->sid;
5400
5401 k->security = ksec;
5402 return 0;
5403 }
5404
5405 static void selinux_key_free(struct key *k)
5406 {
5407 struct key_security_struct *ksec = k->security;
5408
5409 k->security = NULL;
5410 kfree(ksec);
5411 }
5412
5413 static int selinux_key_permission(key_ref_t key_ref,
5414 const struct cred *cred,
5415 key_perm_t perm)
5416 {
5417 struct key *key;
5418 struct key_security_struct *ksec;
5419 u32 sid;
5420
5421 /* if no specific permissions are requested, we skip the
5422 permission check. No serious, additional covert channels
5423 appear to be created. */
5424 if (perm == 0)
5425 return 0;
5426
5427 sid = cred_sid(cred);
5428
5429 key = key_ref_to_ptr(key_ref);
5430 ksec = key->security;
5431
5432 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5433 }
5434
5435 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5436 {
5437 struct key_security_struct *ksec = key->security;
5438 char *context = NULL;
5439 unsigned len;
5440 int rc;
5441
5442 rc = security_sid_to_context(ksec->sid, &context, &len);
5443 if (!rc)
5444 rc = len;
5445 *_buffer = context;
5446 return rc;
5447 }
5448
5449 #endif
5450
5451 static struct security_operations selinux_ops = {
5452 .name = "selinux",
5453
5454 .ptrace_access_check = selinux_ptrace_access_check,
5455 .ptrace_traceme = selinux_ptrace_traceme,
5456 .capget = selinux_capget,
5457 .capset = selinux_capset,
5458 .capable = selinux_capable,
5459 .quotactl = selinux_quotactl,
5460 .quota_on = selinux_quota_on,
5461 .syslog = selinux_syslog,
5462 .vm_enough_memory = selinux_vm_enough_memory,
5463
5464 .netlink_send = selinux_netlink_send,
5465 .netlink_recv = selinux_netlink_recv,
5466
5467 .bprm_set_creds = selinux_bprm_set_creds,
5468 .bprm_committing_creds = selinux_bprm_committing_creds,
5469 .bprm_committed_creds = selinux_bprm_committed_creds,
5470 .bprm_secureexec = selinux_bprm_secureexec,
5471
5472 .sb_alloc_security = selinux_sb_alloc_security,
5473 .sb_free_security = selinux_sb_free_security,
5474 .sb_copy_data = selinux_sb_copy_data,
5475 .sb_remount = selinux_sb_remount,
5476 .sb_kern_mount = selinux_sb_kern_mount,
5477 .sb_show_options = selinux_sb_show_options,
5478 .sb_statfs = selinux_sb_statfs,
5479 .sb_mount = selinux_mount,
5480 .sb_umount = selinux_umount,
5481 .sb_set_mnt_opts = selinux_set_mnt_opts,
5482 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5483 .sb_parse_opts_str = selinux_parse_opts_str,
5484
5485
5486 .inode_alloc_security = selinux_inode_alloc_security,
5487 .inode_free_security = selinux_inode_free_security,
5488 .inode_init_security = selinux_inode_init_security,
5489 .inode_create = selinux_inode_create,
5490 .inode_link = selinux_inode_link,
5491 .inode_unlink = selinux_inode_unlink,
5492 .inode_symlink = selinux_inode_symlink,
5493 .inode_mkdir = selinux_inode_mkdir,
5494 .inode_rmdir = selinux_inode_rmdir,
5495 .inode_mknod = selinux_inode_mknod,
5496 .inode_rename = selinux_inode_rename,
5497 .inode_readlink = selinux_inode_readlink,
5498 .inode_follow_link = selinux_inode_follow_link,
5499 .inode_permission = selinux_inode_permission,
5500 .inode_setattr = selinux_inode_setattr,
5501 .inode_getattr = selinux_inode_getattr,
5502 .inode_setxattr = selinux_inode_setxattr,
5503 .inode_post_setxattr = selinux_inode_post_setxattr,
5504 .inode_getxattr = selinux_inode_getxattr,
5505 .inode_listxattr = selinux_inode_listxattr,
5506 .inode_removexattr = selinux_inode_removexattr,
5507 .inode_getsecurity = selinux_inode_getsecurity,
5508 .inode_setsecurity = selinux_inode_setsecurity,
5509 .inode_listsecurity = selinux_inode_listsecurity,
5510 .inode_getsecid = selinux_inode_getsecid,
5511
5512 .file_permission = selinux_file_permission,
5513 .file_alloc_security = selinux_file_alloc_security,
5514 .file_free_security = selinux_file_free_security,
5515 .file_ioctl = selinux_file_ioctl,
5516 .file_mmap = selinux_file_mmap,
5517 .file_mprotect = selinux_file_mprotect,
5518 .file_lock = selinux_file_lock,
5519 .file_fcntl = selinux_file_fcntl,
5520 .file_set_fowner = selinux_file_set_fowner,
5521 .file_send_sigiotask = selinux_file_send_sigiotask,
5522 .file_receive = selinux_file_receive,
5523
5524 .dentry_open = selinux_dentry_open,
5525
5526 .task_create = selinux_task_create,
5527 .cred_alloc_blank = selinux_cred_alloc_blank,
5528 .cred_free = selinux_cred_free,
5529 .cred_prepare = selinux_cred_prepare,
5530 .cred_transfer = selinux_cred_transfer,
5531 .kernel_act_as = selinux_kernel_act_as,
5532 .kernel_create_files_as = selinux_kernel_create_files_as,
5533 .kernel_module_request = selinux_kernel_module_request,
5534 .task_setpgid = selinux_task_setpgid,
5535 .task_getpgid = selinux_task_getpgid,
5536 .task_getsid = selinux_task_getsid,
5537 .task_getsecid = selinux_task_getsecid,
5538 .task_setnice = selinux_task_setnice,
5539 .task_setioprio = selinux_task_setioprio,
5540 .task_getioprio = selinux_task_getioprio,
5541 .task_setrlimit = selinux_task_setrlimit,
5542 .task_setscheduler = selinux_task_setscheduler,
5543 .task_getscheduler = selinux_task_getscheduler,
5544 .task_movememory = selinux_task_movememory,
5545 .task_kill = selinux_task_kill,
5546 .task_wait = selinux_task_wait,
5547 .task_to_inode = selinux_task_to_inode,
5548
5549 .ipc_permission = selinux_ipc_permission,
5550 .ipc_getsecid = selinux_ipc_getsecid,
5551
5552 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5553 .msg_msg_free_security = selinux_msg_msg_free_security,
5554
5555 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5556 .msg_queue_free_security = selinux_msg_queue_free_security,
5557 .msg_queue_associate = selinux_msg_queue_associate,
5558 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5559 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5560 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5561
5562 .shm_alloc_security = selinux_shm_alloc_security,
5563 .shm_free_security = selinux_shm_free_security,
5564 .shm_associate = selinux_shm_associate,
5565 .shm_shmctl = selinux_shm_shmctl,
5566 .shm_shmat = selinux_shm_shmat,
5567
5568 .sem_alloc_security = selinux_sem_alloc_security,
5569 .sem_free_security = selinux_sem_free_security,
5570 .sem_associate = selinux_sem_associate,
5571 .sem_semctl = selinux_sem_semctl,
5572 .sem_semop = selinux_sem_semop,
5573
5574 .d_instantiate = selinux_d_instantiate,
5575
5576 .getprocattr = selinux_getprocattr,
5577 .setprocattr = selinux_setprocattr,
5578
5579 .secid_to_secctx = selinux_secid_to_secctx,
5580 .secctx_to_secid = selinux_secctx_to_secid,
5581 .release_secctx = selinux_release_secctx,
5582 .inode_notifysecctx = selinux_inode_notifysecctx,
5583 .inode_setsecctx = selinux_inode_setsecctx,
5584 .inode_getsecctx = selinux_inode_getsecctx,
5585
5586 .unix_stream_connect = selinux_socket_unix_stream_connect,
5587 .unix_may_send = selinux_socket_unix_may_send,
5588
5589 .socket_create = selinux_socket_create,
5590 .socket_post_create = selinux_socket_post_create,
5591 .socket_bind = selinux_socket_bind,
5592 .socket_connect = selinux_socket_connect,
5593 .socket_listen = selinux_socket_listen,
5594 .socket_accept = selinux_socket_accept,
5595 .socket_sendmsg = selinux_socket_sendmsg,
5596 .socket_recvmsg = selinux_socket_recvmsg,
5597 .socket_getsockname = selinux_socket_getsockname,
5598 .socket_getpeername = selinux_socket_getpeername,
5599 .socket_getsockopt = selinux_socket_getsockopt,
5600 .socket_setsockopt = selinux_socket_setsockopt,
5601 .socket_shutdown = selinux_socket_shutdown,
5602 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5603 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5604 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5605 .sk_alloc_security = selinux_sk_alloc_security,
5606 .sk_free_security = selinux_sk_free_security,
5607 .sk_clone_security = selinux_sk_clone_security,
5608 .sk_getsecid = selinux_sk_getsecid,
5609 .sock_graft = selinux_sock_graft,
5610 .inet_conn_request = selinux_inet_conn_request,
5611 .inet_csk_clone = selinux_inet_csk_clone,
5612 .inet_conn_established = selinux_inet_conn_established,
5613 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5614 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5615 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5616 .req_classify_flow = selinux_req_classify_flow,
5617 .tun_dev_create = selinux_tun_dev_create,
5618 .tun_dev_post_create = selinux_tun_dev_post_create,
5619 .tun_dev_attach = selinux_tun_dev_attach,
5620
5621 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5622 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5623 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5624 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5625 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5626 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5627 .xfrm_state_free_security = selinux_xfrm_state_free,
5628 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5629 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5630 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5631 .xfrm_decode_session = selinux_xfrm_decode_session,
5632 #endif
5633
5634 #ifdef CONFIG_KEYS
5635 .key_alloc = selinux_key_alloc,
5636 .key_free = selinux_key_free,
5637 .key_permission = selinux_key_permission,
5638 .key_getsecurity = selinux_key_getsecurity,
5639 #endif
5640
5641 #ifdef CONFIG_AUDIT
5642 .audit_rule_init = selinux_audit_rule_init,
5643 .audit_rule_known = selinux_audit_rule_known,
5644 .audit_rule_match = selinux_audit_rule_match,
5645 .audit_rule_free = selinux_audit_rule_free,
5646 #endif
5647 };
5648
5649 static __init int selinux_init(void)
5650 {
5651 if (!security_module_enable(&selinux_ops)) {
5652 selinux_enabled = 0;
5653 return 0;
5654 }
5655
5656 if (!selinux_enabled) {
5657 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5658 return 0;
5659 }
5660
5661 printk(KERN_INFO "SELinux: Initializing.\n");
5662
5663 /* Set the security state for the initial task. */
5664 cred_init_security();
5665
5666 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5667
5668 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5669 sizeof(struct inode_security_struct),
5670 0, SLAB_PANIC, NULL);
5671 avc_init();
5672
5673 if (register_security(&selinux_ops))
5674 panic("SELinux: Unable to register with kernel.\n");
5675
5676 if (selinux_enforcing)
5677 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5678 else
5679 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5680
5681 return 0;
5682 }
5683
5684 static void delayed_superblock_init(struct super_block *sb, void *unused)
5685 {
5686 superblock_doinit(sb, NULL);
5687 }
5688
5689 void selinux_complete_init(void)
5690 {
5691 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5692
5693 /* Set up any superblocks initialized prior to the policy load. */
5694 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5695 iterate_supers(delayed_superblock_init, NULL);
5696 }
5697
5698 /* SELinux requires early initialization in order to label
5699 all processes and objects when they are created. */
5700 security_initcall(selinux_init);
5701
5702 #if defined(CONFIG_NETFILTER)
5703
5704 static struct nf_hook_ops selinux_ipv4_ops[] = {
5705 {
5706 .hook = selinux_ipv4_postroute,
5707 .owner = THIS_MODULE,
5708 .pf = PF_INET,
5709 .hooknum = NF_INET_POST_ROUTING,
5710 .priority = NF_IP_PRI_SELINUX_LAST,
5711 },
5712 {
5713 .hook = selinux_ipv4_forward,
5714 .owner = THIS_MODULE,
5715 .pf = PF_INET,
5716 .hooknum = NF_INET_FORWARD,
5717 .priority = NF_IP_PRI_SELINUX_FIRST,
5718 },
5719 {
5720 .hook = selinux_ipv4_output,
5721 .owner = THIS_MODULE,
5722 .pf = PF_INET,
5723 .hooknum = NF_INET_LOCAL_OUT,
5724 .priority = NF_IP_PRI_SELINUX_FIRST,
5725 }
5726 };
5727
5728 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5729
5730 static struct nf_hook_ops selinux_ipv6_ops[] = {
5731 {
5732 .hook = selinux_ipv6_postroute,
5733 .owner = THIS_MODULE,
5734 .pf = PF_INET6,
5735 .hooknum = NF_INET_POST_ROUTING,
5736 .priority = NF_IP6_PRI_SELINUX_LAST,
5737 },
5738 {
5739 .hook = selinux_ipv6_forward,
5740 .owner = THIS_MODULE,
5741 .pf = PF_INET6,
5742 .hooknum = NF_INET_FORWARD,
5743 .priority = NF_IP6_PRI_SELINUX_FIRST,
5744 }
5745 };
5746
5747 #endif /* IPV6 */
5748
5749 static int __init selinux_nf_ip_init(void)
5750 {
5751 int err = 0;
5752
5753 if (!selinux_enabled)
5754 goto out;
5755
5756 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5757
5758 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5759 if (err)
5760 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5761
5762 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5763 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5764 if (err)
5765 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5766 #endif /* IPV6 */
5767
5768 out:
5769 return err;
5770 }
5771
5772 __initcall(selinux_nf_ip_init);
5773
5774 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5775 static void selinux_nf_ip_exit(void)
5776 {
5777 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5778
5779 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5780 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5781 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5782 #endif /* IPV6 */
5783 }
5784 #endif
5785
5786 #else /* CONFIG_NETFILTER */
5787
5788 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5789 #define selinux_nf_ip_exit()
5790 #endif
5791
5792 #endif /* CONFIG_NETFILTER */
5793
5794 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5795 static int selinux_disabled;
5796
5797 int selinux_disable(void)
5798 {
5799 if (ss_initialized) {
5800 /* Not permitted after initial policy load. */
5801 return -EINVAL;
5802 }
5803
5804 if (selinux_disabled) {
5805 /* Only do this once. */
5806 return -EINVAL;
5807 }
5808
5809 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5810
5811 selinux_disabled = 1;
5812 selinux_enabled = 0;
5813
5814 reset_security_ops();
5815
5816 /* Try to destroy the avc node cache */
5817 avc_disable();
5818
5819 /* Unregister netfilter hooks. */
5820 selinux_nf_ip_exit();
5821
5822 /* Unregister selinuxfs. */
5823 exit_sel_fs();
5824
5825 return 0;
5826 }
5827 #endif
Linux Btrfs Development