search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Btrfs: fix list transaction->pending_ordered corruption
[linux/fpc-iii.git] / security / selinux / hooks.c
blobb1e455b47b82009a00e7eaef591a4068dfdc55fd
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h> /* for Unix socket types */
71 #include <net/af_unix.h> /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97
98 extern struct security_operations *security_ops;
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108 unsigned long enforcing;
109 if (!kstrtoul(str, 0, &enforcing))
110 selinux_enforcing = enforcing ? 1 : 0;
111 return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121 unsigned long enabled;
122 if (!kstrtoul(str, 0, &enabled))
123 selinux_enabled = enabled ? 1 : 0;
124 return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132
133 /**
134 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 *
136 * Description:
137 * This function checks the SECMARK reference counter to see if any SECMARK
138 * targets are currently configured, if the reference counter is greater than
139 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
140 * enabled, false (0) if SECMARK is disabled. If the always_check_network
141 * policy capability is enabled, SECMARK is always considered enabled.
142 *
143 */
144 static int selinux_secmark_enabled(void)
145 {
146 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
147 }
148
149 /**
150 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 *
152 * Description:
153 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
154 * (1) if any are enabled or false (0) if neither are enabled. If the
155 * always_check_network policy capability is enabled, peer labeling
156 * is always considered enabled.
157 *
158 */
159 static int selinux_peerlbl_enabled(void)
160 {
161 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 }
163
164 static int selinux_netcache_avc_callback(u32 event)
165 {
166 if (event == AVC_CALLBACK_RESET) {
167 sel_netif_flush();
168 sel_netnode_flush();
169 sel_netport_flush();
170 synchronize_net();
171 }
172 return 0;
173 }
174
175 /*
176 * initialise the security for the init task
177 */
178 static void cred_init_security(void)
179 {
180 struct cred *cred = (struct cred *) current->real_cred;
181 struct task_security_struct *tsec;
182
183 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
184 if (!tsec)
185 panic("SELinux: Failed to initialize initial task.\n");
186
187 tsec->osid = tsec->sid = SECINITSID_KERNEL;
188 cred->security = tsec;
189 }
190
191 /*
192 * get the security ID of a set of credentials
193 */
194 static inline u32 cred_sid(const struct cred *cred)
195 {
196 const struct task_security_struct *tsec;
197
198 tsec = cred->security;
199 return tsec->sid;
200 }
201
202 /*
203 * get the objective security ID of a task
204 */
205 static inline u32 task_sid(const struct task_struct *task)
206 {
207 u32 sid;
208
209 rcu_read_lock();
210 sid = cred_sid(__task_cred(task));
211 rcu_read_unlock();
212 return sid;
213 }
214
215 /*
216 * get the subjective security ID of the current task
217 */
218 static inline u32 current_sid(void)
219 {
220 const struct task_security_struct *tsec = current_security();
221
222 return tsec->sid;
223 }
224
225 /* Allocate and free functions for each kind of security blob. */
226
227 static int inode_alloc_security(struct inode *inode)
228 {
229 struct inode_security_struct *isec;
230 u32 sid = current_sid();
231
232 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
233 if (!isec)
234 return -ENOMEM;
235
236 mutex_init(&isec->lock);
237 INIT_LIST_HEAD(&isec->list);
238 isec->inode = inode;
239 isec->sid = SECINITSID_UNLABELED;
240 isec->sclass = SECCLASS_FILE;
241 isec->task_sid = sid;
242 inode->i_security = isec;
243
244 return 0;
245 }
246
247 static void inode_free_rcu(struct rcu_head *head)
248 {
249 struct inode_security_struct *isec;
250
251 isec = container_of(head, struct inode_security_struct, rcu);
252 kmem_cache_free(sel_inode_cache, isec);
253 }
254
255 static void inode_free_security(struct inode *inode)
256 {
257 struct inode_security_struct *isec = inode->i_security;
258 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
259
260 spin_lock(&sbsec->isec_lock);
261 if (!list_empty(&isec->list))
262 list_del_init(&isec->list);
263 spin_unlock(&sbsec->isec_lock);
264
265 /*
266 * The inode may still be referenced in a path walk and
267 * a call to selinux_inode_permission() can be made
268 * after inode_free_security() is called. Ideally, the VFS
269 * wouldn't do this, but fixing that is a much harder
270 * job. For now, simply free the i_security via RCU, and
271 * leave the current inode->i_security pointer intact.
272 * The inode will be freed after the RCU grace period too.
273 */
274 call_rcu(&isec->rcu, inode_free_rcu);
275 }
276
277 static int file_alloc_security(struct file *file)
278 {
279 struct file_security_struct *fsec;
280 u32 sid = current_sid();
281
282 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
283 if (!fsec)
284 return -ENOMEM;
285
286 fsec->sid = sid;
287 fsec->fown_sid = sid;
288 file->f_security = fsec;
289
290 return 0;
291 }
292
293 static void file_free_security(struct file *file)
294 {
295 struct file_security_struct *fsec = file->f_security;
296 file->f_security = NULL;
297 kfree(fsec);
298 }
299
300 static int superblock_alloc_security(struct super_block *sb)
301 {
302 struct superblock_security_struct *sbsec;
303
304 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
305 if (!sbsec)
306 return -ENOMEM;
307
308 mutex_init(&sbsec->lock);
309 INIT_LIST_HEAD(&sbsec->isec_head);
310 spin_lock_init(&sbsec->isec_lock);
311 sbsec->sb = sb;
312 sbsec->sid = SECINITSID_UNLABELED;
313 sbsec->def_sid = SECINITSID_FILE;
314 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
315 sb->s_security = sbsec;
316
317 return 0;
318 }
319
320 static void superblock_free_security(struct super_block *sb)
321 {
322 struct superblock_security_struct *sbsec = sb->s_security;
323 sb->s_security = NULL;
324 kfree(sbsec);
325 }
326
327 /* The file system's label must be initialized prior to use. */
328
329 static const char *labeling_behaviors[7] = {
330 "uses xattr",
331 "uses transition SIDs",
332 "uses task SIDs",
333 "uses genfs_contexts",
334 "not configured for labeling",
335 "uses mountpoint labeling",
336 "uses native labeling",
337 };
338
339 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
340
341 static inline int inode_doinit(struct inode *inode)
342 {
343 return inode_doinit_with_dentry(inode, NULL);
344 }
345
346 enum {
347 Opt_error = -1,
348 Opt_context = 1,
349 Opt_fscontext = 2,
350 Opt_defcontext = 3,
351 Opt_rootcontext = 4,
352 Opt_labelsupport = 5,
353 Opt_nextmntopt = 6,
354 };
355
356 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
357
358 static const match_table_t tokens = {
359 {Opt_context, CONTEXT_STR "%s"},
360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363 {Opt_labelsupport, LABELSUPP_STR},
364 {Opt_error, NULL},
365 };
366
367 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
368
369 static int may_context_mount_sb_relabel(u32 sid,
370 struct superblock_security_struct *sbsec,
371 const struct cred *cred)
372 {
373 const struct task_security_struct *tsec = cred->security;
374 int rc;
375
376 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
377 FILESYSTEM__RELABELFROM, NULL);
378 if (rc)
379 return rc;
380
381 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
382 FILESYSTEM__RELABELTO, NULL);
383 return rc;
384 }
385
386 static int may_context_mount_inode_relabel(u32 sid,
387 struct superblock_security_struct *sbsec,
388 const struct cred *cred)
389 {
390 const struct task_security_struct *tsec = cred->security;
391 int rc;
392 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
393 FILESYSTEM__RELABELFROM, NULL);
394 if (rc)
395 return rc;
396
397 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
398 FILESYSTEM__ASSOCIATE, NULL);
399 return rc;
400 }
401
402 static int selinux_is_sblabel_mnt(struct super_block *sb)
403 {
404 struct superblock_security_struct *sbsec = sb->s_security;
405
406 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
407 sbsec->behavior == SECURITY_FS_USE_TRANS ||
408 sbsec->behavior == SECURITY_FS_USE_TASK ||
409 sbsec->behavior == SECURITY_FS_USE_NATIVE)
410 return 1;
411
412 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
413 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
414 return 1;
415
416 /*
417 * Special handling for rootfs. Is genfs but supports
418 * setting SELinux context on in-core inodes.
419 */
420 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
421 return 1;
422
423 return 0;
424 }
425
426 static int sb_finish_set_opts(struct super_block *sb)
427 {
428 struct superblock_security_struct *sbsec = sb->s_security;
429 struct dentry *root = sb->s_root;
430 struct inode *root_inode = root->d_inode;
431 int rc = 0;
432
433 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
434 /* Make sure that the xattr handler exists and that no
435 error other than -ENODATA is returned by getxattr on
436 the root directory. -ENODATA is ok, as this may be
437 the first boot of the SELinux kernel before we have
438 assigned xattr values to the filesystem. */
439 if (!root_inode->i_op->getxattr) {
440 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
441 "xattr support\n", sb->s_id, sb->s_type->name);
442 rc = -EOPNOTSUPP;
443 goto out;
444 }
445 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
446 if (rc < 0 && rc != -ENODATA) {
447 if (rc == -EOPNOTSUPP)
448 printk(KERN_WARNING "SELinux: (dev %s, type "
449 "%s) has no security xattr handler\n",
450 sb->s_id, sb->s_type->name);
451 else
452 printk(KERN_WARNING "SELinux: (dev %s, type "
453 "%s) getxattr errno %d\n", sb->s_id,
454 sb->s_type->name, -rc);
455 goto out;
456 }
457 }
458
459 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
460 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
461 sb->s_id, sb->s_type->name);
462 else
463 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
464 sb->s_id, sb->s_type->name,
465 labeling_behaviors[sbsec->behavior-1]);
466
467 sbsec->flags |= SE_SBINITIALIZED;
468 if (selinux_is_sblabel_mnt(sb))
469 sbsec->flags |= SBLABEL_MNT;
470
471 /* Initialize the root inode. */
472 rc = inode_doinit_with_dentry(root_inode, root);
473
474 /* Initialize any other inodes associated with the superblock, e.g.
475 inodes created prior to initial policy load or inodes created
476 during get_sb by a pseudo filesystem that directly
477 populates itself. */
478 spin_lock(&sbsec->isec_lock);
479 next_inode:
480 if (!list_empty(&sbsec->isec_head)) {
481 struct inode_security_struct *isec =
482 list_entry(sbsec->isec_head.next,
483 struct inode_security_struct, list);
484 struct inode *inode = isec->inode;
485 list_del_init(&isec->list);
486 spin_unlock(&sbsec->isec_lock);
487 inode = igrab(inode);
488 if (inode) {
489 if (!IS_PRIVATE(inode))
490 inode_doinit(inode);
491 iput(inode);
492 }
493 spin_lock(&sbsec->isec_lock);
494 goto next_inode;
495 }
496 spin_unlock(&sbsec->isec_lock);
497 out:
498 return rc;
499 }
500
501 /*
502 * This function should allow an FS to ask what it's mount security
503 * options were so it can use those later for submounts, displaying
504 * mount options, or whatever.
505 */
506 static int selinux_get_mnt_opts(const struct super_block *sb,
507 struct security_mnt_opts *opts)
508 {
509 int rc = 0, i;
510 struct superblock_security_struct *sbsec = sb->s_security;
511 char *context = NULL;
512 u32 len;
513 char tmp;
514
515 security_init_mnt_opts(opts);
516
517 if (!(sbsec->flags & SE_SBINITIALIZED))
518 return -EINVAL;
519
520 if (!ss_initialized)
521 return -EINVAL;
522
523 /* make sure we always check enough bits to cover the mask */
524 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
525
526 tmp = sbsec->flags & SE_MNTMASK;
527 /* count the number of mount options for this sb */
528 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
529 if (tmp & 0x01)
530 opts->num_mnt_opts++;
531 tmp >>= 1;
532 }
533 /* Check if the Label support flag is set */
534 if (sbsec->flags & SBLABEL_MNT)
535 opts->num_mnt_opts++;
536
537 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
538 if (!opts->mnt_opts) {
539 rc = -ENOMEM;
540 goto out_free;
541 }
542
543 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
544 if (!opts->mnt_opts_flags) {
545 rc = -ENOMEM;
546 goto out_free;
547 }
548
549 i = 0;
550 if (sbsec->flags & FSCONTEXT_MNT) {
551 rc = security_sid_to_context(sbsec->sid, &context, &len);
552 if (rc)
553 goto out_free;
554 opts->mnt_opts[i] = context;
555 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
556 }
557 if (sbsec->flags & CONTEXT_MNT) {
558 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
559 if (rc)
560 goto out_free;
561 opts->mnt_opts[i] = context;
562 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
563 }
564 if (sbsec->flags & DEFCONTEXT_MNT) {
565 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
566 if (rc)
567 goto out_free;
568 opts->mnt_opts[i] = context;
569 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
570 }
571 if (sbsec->flags & ROOTCONTEXT_MNT) {
572 struct inode *root = sbsec->sb->s_root->d_inode;
573 struct inode_security_struct *isec = root->i_security;
574
575 rc = security_sid_to_context(isec->sid, &context, &len);
576 if (rc)
577 goto out_free;
578 opts->mnt_opts[i] = context;
579 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
580 }
581 if (sbsec->flags & SBLABEL_MNT) {
582 opts->mnt_opts[i] = NULL;
583 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
584 }
585
586 BUG_ON(i != opts->num_mnt_opts);
587
588 return 0;
589
590 out_free:
591 security_free_mnt_opts(opts);
592 return rc;
593 }
594
595 static int bad_option(struct superblock_security_struct *sbsec, char flag,
596 u32 old_sid, u32 new_sid)
597 {
598 char mnt_flags = sbsec->flags & SE_MNTMASK;
599
600 /* check if the old mount command had the same options */
601 if (sbsec->flags & SE_SBINITIALIZED)
602 if (!(sbsec->flags & flag) ||
603 (old_sid != new_sid))
604 return 1;
605
606 /* check if we were passed the same options twice,
607 * aka someone passed context=a,context=b
608 */
609 if (!(sbsec->flags & SE_SBINITIALIZED))
610 if (mnt_flags & flag)
611 return 1;
612 return 0;
613 }
614
615 /*
616 * Allow filesystems with binary mount data to explicitly set mount point
617 * labeling information.
618 */
619 static int selinux_set_mnt_opts(struct super_block *sb,
620 struct security_mnt_opts *opts,
621 unsigned long kern_flags,
622 unsigned long *set_kern_flags)
623 {
624 const struct cred *cred = current_cred();
625 int rc = 0, i;
626 struct superblock_security_struct *sbsec = sb->s_security;
627 const char *name = sb->s_type->name;
628 struct inode *inode = sbsec->sb->s_root->d_inode;
629 struct inode_security_struct *root_isec = inode->i_security;
630 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
631 u32 defcontext_sid = 0;
632 char **mount_options = opts->mnt_opts;
633 int *flags = opts->mnt_opts_flags;
634 int num_opts = opts->num_mnt_opts;
635
636 mutex_lock(&sbsec->lock);
637
638 if (!ss_initialized) {
639 if (!num_opts) {
640 /* Defer initialization until selinux_complete_init,
641 after the initial policy is loaded and the security
642 server is ready to handle calls. */
643 goto out;
644 }
645 rc = -EINVAL;
646 printk(KERN_WARNING "SELinux: Unable to set superblock options "
647 "before the security server is initialized\n");
648 goto out;
649 }
650 if (kern_flags && !set_kern_flags) {
651 /* Specifying internal flags without providing a place to
652 * place the results is not allowed */
653 rc = -EINVAL;
654 goto out;
655 }
656
657 /*
658 * Binary mount data FS will come through this function twice. Once
659 * from an explicit call and once from the generic calls from the vfs.
660 * Since the generic VFS calls will not contain any security mount data
661 * we need to skip the double mount verification.
662 *
663 * This does open a hole in which we will not notice if the first
664 * mount using this sb set explict options and a second mount using
665 * this sb does not set any security options. (The first options
666 * will be used for both mounts)
667 */
668 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
669 && (num_opts == 0))
670 goto out;
671
672 /*
673 * parse the mount options, check if they are valid sids.
674 * also check if someone is trying to mount the same sb more
675 * than once with different security options.
676 */
677 for (i = 0; i < num_opts; i++) {
678 u32 sid;
679
680 if (flags[i] == SBLABEL_MNT)
681 continue;
682 rc = security_context_to_sid(mount_options[i],
683 strlen(mount_options[i]), &sid, GFP_KERNEL);
684 if (rc) {
685 printk(KERN_WARNING "SELinux: security_context_to_sid"
686 "(%s) failed for (dev %s, type %s) errno=%d\n",
687 mount_options[i], sb->s_id, name, rc);
688 goto out;
689 }
690 switch (flags[i]) {
691 case FSCONTEXT_MNT:
692 fscontext_sid = sid;
693
694 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
695 fscontext_sid))
696 goto out_double_mount;
697
698 sbsec->flags |= FSCONTEXT_MNT;
699 break;
700 case CONTEXT_MNT:
701 context_sid = sid;
702
703 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
704 context_sid))
705 goto out_double_mount;
706
707 sbsec->flags |= CONTEXT_MNT;
708 break;
709 case ROOTCONTEXT_MNT:
710 rootcontext_sid = sid;
711
712 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
713 rootcontext_sid))
714 goto out_double_mount;
715
716 sbsec->flags |= ROOTCONTEXT_MNT;
717
718 break;
719 case DEFCONTEXT_MNT:
720 defcontext_sid = sid;
721
722 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
723 defcontext_sid))
724 goto out_double_mount;
725
726 sbsec->flags |= DEFCONTEXT_MNT;
727
728 break;
729 default:
730 rc = -EINVAL;
731 goto out;
732 }
733 }
734
735 if (sbsec->flags & SE_SBINITIALIZED) {
736 /* previously mounted with options, but not on this attempt? */
737 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
738 goto out_double_mount;
739 rc = 0;
740 goto out;
741 }
742
743 if (strcmp(sb->s_type->name, "proc") == 0)
744 sbsec->flags |= SE_SBPROC;
745
746 if (!sbsec->behavior) {
747 /*
748 * Determine the labeling behavior to use for this
749 * filesystem type.
750 */
751 rc = security_fs_use(sb);
752 if (rc) {
753 printk(KERN_WARNING
754 "%s: security_fs_use(%s) returned %d\n",
755 __func__, sb->s_type->name, rc);
756 goto out;
757 }
758 }
759 /* sets the context of the superblock for the fs being mounted. */
760 if (fscontext_sid) {
761 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
762 if (rc)
763 goto out;
764
765 sbsec->sid = fscontext_sid;
766 }
767
768 /*
769 * Switch to using mount point labeling behavior.
770 * sets the label used on all file below the mountpoint, and will set
771 * the superblock context if not already set.
772 */
773 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
774 sbsec->behavior = SECURITY_FS_USE_NATIVE;
775 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
776 }
777
778 if (context_sid) {
779 if (!fscontext_sid) {
780 rc = may_context_mount_sb_relabel(context_sid, sbsec,
781 cred);
782 if (rc)
783 goto out;
784 sbsec->sid = context_sid;
785 } else {
786 rc = may_context_mount_inode_relabel(context_sid, sbsec,
787 cred);
788 if (rc)
789 goto out;
790 }
791 if (!rootcontext_sid)
792 rootcontext_sid = context_sid;
793
794 sbsec->mntpoint_sid = context_sid;
795 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
796 }
797
798 if (rootcontext_sid) {
799 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
800 cred);
801 if (rc)
802 goto out;
803
804 root_isec->sid = rootcontext_sid;
805 root_isec->initialized = 1;
806 }
807
808 if (defcontext_sid) {
809 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
810 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
811 rc = -EINVAL;
812 printk(KERN_WARNING "SELinux: defcontext option is "
813 "invalid for this filesystem type\n");
814 goto out;
815 }
816
817 if (defcontext_sid != sbsec->def_sid) {
818 rc = may_context_mount_inode_relabel(defcontext_sid,
819 sbsec, cred);
820 if (rc)
821 goto out;
822 }
823
824 sbsec->def_sid = defcontext_sid;
825 }
826
827 rc = sb_finish_set_opts(sb);
828 out:
829 mutex_unlock(&sbsec->lock);
830 return rc;
831 out_double_mount:
832 rc = -EINVAL;
833 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
834 "security settings for (dev %s, type %s)\n", sb->s_id, name);
835 goto out;
836 }
837
838 static int selinux_cmp_sb_context(const struct super_block *oldsb,
839 const struct super_block *newsb)
840 {
841 struct superblock_security_struct *old = oldsb->s_security;
842 struct superblock_security_struct *new = newsb->s_security;
843 char oldflags = old->flags & SE_MNTMASK;
844 char newflags = new->flags & SE_MNTMASK;
845
846 if (oldflags != newflags)
847 goto mismatch;
848 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
849 goto mismatch;
850 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
851 goto mismatch;
852 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
853 goto mismatch;
854 if (oldflags & ROOTCONTEXT_MNT) {
855 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
856 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
857 if (oldroot->sid != newroot->sid)
858 goto mismatch;
859 }
860 return 0;
861 mismatch:
862 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
863 "different security settings for (dev %s, "
864 "type %s)\n", newsb->s_id, newsb->s_type->name);
865 return -EBUSY;
866 }
867
868 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
869 struct super_block *newsb)
870 {
871 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
872 struct superblock_security_struct *newsbsec = newsb->s_security;
873
874 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
875 int set_context = (oldsbsec->flags & CONTEXT_MNT);
876 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
877
878 /*
879 * if the parent was able to be mounted it clearly had no special lsm
880 * mount options. thus we can safely deal with this superblock later
881 */
882 if (!ss_initialized)
883 return 0;
884
885 /* how can we clone if the old one wasn't set up?? */
886 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
887
888 /* if fs is reusing a sb, make sure that the contexts match */
889 if (newsbsec->flags & SE_SBINITIALIZED)
890 return selinux_cmp_sb_context(oldsb, newsb);
891
892 mutex_lock(&newsbsec->lock);
893
894 newsbsec->flags = oldsbsec->flags;
895
896 newsbsec->sid = oldsbsec->sid;
897 newsbsec->def_sid = oldsbsec->def_sid;
898 newsbsec->behavior = oldsbsec->behavior;
899
900 if (set_context) {
901 u32 sid = oldsbsec->mntpoint_sid;
902
903 if (!set_fscontext)
904 newsbsec->sid = sid;
905 if (!set_rootcontext) {
906 struct inode *newinode = newsb->s_root->d_inode;
907 struct inode_security_struct *newisec = newinode->i_security;
908 newisec->sid = sid;
909 }
910 newsbsec->mntpoint_sid = sid;
911 }
912 if (set_rootcontext) {
913 const struct inode *oldinode = oldsb->s_root->d_inode;
914 const struct inode_security_struct *oldisec = oldinode->i_security;
915 struct inode *newinode = newsb->s_root->d_inode;
916 struct inode_security_struct *newisec = newinode->i_security;
917
918 newisec->sid = oldisec->sid;
919 }
920
921 sb_finish_set_opts(newsb);
922 mutex_unlock(&newsbsec->lock);
923 return 0;
924 }
925
926 static int selinux_parse_opts_str(char *options,
927 struct security_mnt_opts *opts)
928 {
929 char *p;
930 char *context = NULL, *defcontext = NULL;
931 char *fscontext = NULL, *rootcontext = NULL;
932 int rc, num_mnt_opts = 0;
933
934 opts->num_mnt_opts = 0;
935
936 /* Standard string-based options. */
937 while ((p = strsep(&options, "|")) != NULL) {
938 int token;
939 substring_t args[MAX_OPT_ARGS];
940
941 if (!*p)
942 continue;
943
944 token = match_token(p, tokens, args);
945
946 switch (token) {
947 case Opt_context:
948 if (context || defcontext) {
949 rc = -EINVAL;
950 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
951 goto out_err;
952 }
953 context = match_strdup(&args[0]);
954 if (!context) {
955 rc = -ENOMEM;
956 goto out_err;
957 }
958 break;
959
960 case Opt_fscontext:
961 if (fscontext) {
962 rc = -EINVAL;
963 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
964 goto out_err;
965 }
966 fscontext = match_strdup(&args[0]);
967 if (!fscontext) {
968 rc = -ENOMEM;
969 goto out_err;
970 }
971 break;
972
973 case Opt_rootcontext:
974 if (rootcontext) {
975 rc = -EINVAL;
976 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
977 goto out_err;
978 }
979 rootcontext = match_strdup(&args[0]);
980 if (!rootcontext) {
981 rc = -ENOMEM;
982 goto out_err;
983 }
984 break;
985
986 case Opt_defcontext:
987 if (context || defcontext) {
988 rc = -EINVAL;
989 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
990 goto out_err;
991 }
992 defcontext = match_strdup(&args[0]);
993 if (!defcontext) {
994 rc = -ENOMEM;
995 goto out_err;
996 }
997 break;
998 case Opt_labelsupport:
999 break;
1000 default:
1001 rc = -EINVAL;
1002 printk(KERN_WARNING "SELinux: unknown mount option\n");
1003 goto out_err;
1004
1005 }
1006 }
1007
1008 rc = -ENOMEM;
1009 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1010 if (!opts->mnt_opts)
1011 goto out_err;
1012
1013 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1014 if (!opts->mnt_opts_flags) {
1015 kfree(opts->mnt_opts);
1016 goto out_err;
1017 }
1018
1019 if (fscontext) {
1020 opts->mnt_opts[num_mnt_opts] = fscontext;
1021 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1022 }
1023 if (context) {
1024 opts->mnt_opts[num_mnt_opts] = context;
1025 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1026 }
1027 if (rootcontext) {
1028 opts->mnt_opts[num_mnt_opts] = rootcontext;
1029 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1030 }
1031 if (defcontext) {
1032 opts->mnt_opts[num_mnt_opts] = defcontext;
1033 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1034 }
1035
1036 opts->num_mnt_opts = num_mnt_opts;
1037 return 0;
1038
1039 out_err:
1040 kfree(context);
1041 kfree(defcontext);
1042 kfree(fscontext);
1043 kfree(rootcontext);
1044 return rc;
1045 }
1046 /*
1047 * string mount options parsing and call set the sbsec
1048 */
1049 static int superblock_doinit(struct super_block *sb, void *data)
1050 {
1051 int rc = 0;
1052 char *options = data;
1053 struct security_mnt_opts opts;
1054
1055 security_init_mnt_opts(&opts);
1056
1057 if (!data)
1058 goto out;
1059
1060 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1061
1062 rc = selinux_parse_opts_str(options, &opts);
1063 if (rc)
1064 goto out_err;
1065
1066 out:
1067 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1068
1069 out_err:
1070 security_free_mnt_opts(&opts);
1071 return rc;
1072 }
1073
1074 static void selinux_write_opts(struct seq_file *m,
1075 struct security_mnt_opts *opts)
1076 {
1077 int i;
1078 char *prefix;
1079
1080 for (i = 0; i < opts->num_mnt_opts; i++) {
1081 char *has_comma;
1082
1083 if (opts->mnt_opts[i])
1084 has_comma = strchr(opts->mnt_opts[i], ',');
1085 else
1086 has_comma = NULL;
1087
1088 switch (opts->mnt_opts_flags[i]) {
1089 case CONTEXT_MNT:
1090 prefix = CONTEXT_STR;
1091 break;
1092 case FSCONTEXT_MNT:
1093 prefix = FSCONTEXT_STR;
1094 break;
1095 case ROOTCONTEXT_MNT:
1096 prefix = ROOTCONTEXT_STR;
1097 break;
1098 case DEFCONTEXT_MNT:
1099 prefix = DEFCONTEXT_STR;
1100 break;
1101 case SBLABEL_MNT:
1102 seq_putc(m, ',');
1103 seq_puts(m, LABELSUPP_STR);
1104 continue;
1105 default:
1106 BUG();
1107 return;
1108 };
1109 /* we need a comma before each option */
1110 seq_putc(m, ',');
1111 seq_puts(m, prefix);
1112 if (has_comma)
1113 seq_putc(m, '\"');
1114 seq_puts(m, opts->mnt_opts[i]);
1115 if (has_comma)
1116 seq_putc(m, '\"');
1117 }
1118 }
1119
1120 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1121 {
1122 struct security_mnt_opts opts;
1123 int rc;
1124
1125 rc = selinux_get_mnt_opts(sb, &opts);
1126 if (rc) {
1127 /* before policy load we may get EINVAL, don't show anything */
1128 if (rc == -EINVAL)
1129 rc = 0;
1130 return rc;
1131 }
1132
1133 selinux_write_opts(m, &opts);
1134
1135 security_free_mnt_opts(&opts);
1136
1137 return rc;
1138 }
1139
1140 static inline u16 inode_mode_to_security_class(umode_t mode)
1141 {
1142 switch (mode & S_IFMT) {
1143 case S_IFSOCK:
1144 return SECCLASS_SOCK_FILE;
1145 case S_IFLNK:
1146 return SECCLASS_LNK_FILE;
1147 case S_IFREG:
1148 return SECCLASS_FILE;
1149 case S_IFBLK:
1150 return SECCLASS_BLK_FILE;
1151 case S_IFDIR:
1152 return SECCLASS_DIR;
1153 case S_IFCHR:
1154 return SECCLASS_CHR_FILE;
1155 case S_IFIFO:
1156 return SECCLASS_FIFO_FILE;
1157
1158 }
1159
1160 return SECCLASS_FILE;
1161 }
1162
1163 static inline int default_protocol_stream(int protocol)
1164 {
1165 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1166 }
1167
1168 static inline int default_protocol_dgram(int protocol)
1169 {
1170 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1171 }
1172
1173 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1174 {
1175 switch (family) {
1176 case PF_UNIX:
1177 switch (type) {
1178 case SOCK_STREAM:
1179 case SOCK_SEQPACKET:
1180 return SECCLASS_UNIX_STREAM_SOCKET;
1181 case SOCK_DGRAM:
1182 return SECCLASS_UNIX_DGRAM_SOCKET;
1183 }
1184 break;
1185 case PF_INET:
1186 case PF_INET6:
1187 switch (type) {
1188 case SOCK_STREAM:
1189 if (default_protocol_stream(protocol))
1190 return SECCLASS_TCP_SOCKET;
1191 else
1192 return SECCLASS_RAWIP_SOCKET;
1193 case SOCK_DGRAM:
1194 if (default_protocol_dgram(protocol))
1195 return SECCLASS_UDP_SOCKET;
1196 else
1197 return SECCLASS_RAWIP_SOCKET;
1198 case SOCK_DCCP:
1199 return SECCLASS_DCCP_SOCKET;
1200 default:
1201 return SECCLASS_RAWIP_SOCKET;
1202 }
1203 break;
1204 case PF_NETLINK:
1205 switch (protocol) {
1206 case NETLINK_ROUTE:
1207 return SECCLASS_NETLINK_ROUTE_SOCKET;
1208 case NETLINK_FIREWALL:
1209 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1210 case NETLINK_SOCK_DIAG:
1211 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1212 case NETLINK_NFLOG:
1213 return SECCLASS_NETLINK_NFLOG_SOCKET;
1214 case NETLINK_XFRM:
1215 return SECCLASS_NETLINK_XFRM_SOCKET;
1216 case NETLINK_SELINUX:
1217 return SECCLASS_NETLINK_SELINUX_SOCKET;
1218 case NETLINK_AUDIT:
1219 return SECCLASS_NETLINK_AUDIT_SOCKET;
1220 case NETLINK_IP6_FW:
1221 return SECCLASS_NETLINK_IP6FW_SOCKET;
1222 case NETLINK_DNRTMSG:
1223 return SECCLASS_NETLINK_DNRT_SOCKET;
1224 case NETLINK_KOBJECT_UEVENT:
1225 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1226 default:
1227 return SECCLASS_NETLINK_SOCKET;
1228 }
1229 case PF_PACKET:
1230 return SECCLASS_PACKET_SOCKET;
1231 case PF_KEY:
1232 return SECCLASS_KEY_SOCKET;
1233 case PF_APPLETALK:
1234 return SECCLASS_APPLETALK_SOCKET;
1235 }
1236
1237 return SECCLASS_SOCKET;
1238 }
1239
1240 #ifdef CONFIG_PROC_FS
1241 static int selinux_proc_get_sid(struct dentry *dentry,
1242 u16 tclass,
1243 u32 *sid)
1244 {
1245 int rc;
1246 char *buffer, *path;
1247
1248 buffer = (char *)__get_free_page(GFP_KERNEL);
1249 if (!buffer)
1250 return -ENOMEM;
1251
1252 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1253 if (IS_ERR(path))
1254 rc = PTR_ERR(path);
1255 else {
1256 /* each process gets a /proc/PID/ entry. Strip off the
1257 * PID part to get a valid selinux labeling.
1258 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1259 while (path[1] >= '0' && path[1] <= '9') {
1260 path[1] = '/';
1261 path++;
1262 }
1263 rc = security_genfs_sid("proc", path, tclass, sid);
1264 }
1265 free_page((unsigned long)buffer);
1266 return rc;
1267 }
1268 #else
1269 static int selinux_proc_get_sid(struct dentry *dentry,
1270 u16 tclass,
1271 u32 *sid)
1272 {
1273 return -EINVAL;
1274 }
1275 #endif
1276
1277 /* The inode's security attributes must be initialized before first use. */
1278 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1279 {
1280 struct superblock_security_struct *sbsec = NULL;
1281 struct inode_security_struct *isec = inode->i_security;
1282 u32 sid;
1283 struct dentry *dentry;
1284 #define INITCONTEXTLEN 255
1285 char *context = NULL;
1286 unsigned len = 0;
1287 int rc = 0;
1288
1289 if (isec->initialized)
1290 goto out;
1291
1292 mutex_lock(&isec->lock);
1293 if (isec->initialized)
1294 goto out_unlock;
1295
1296 sbsec = inode->i_sb->s_security;
1297 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1298 /* Defer initialization until selinux_complete_init,
1299 after the initial policy is loaded and the security
1300 server is ready to handle calls. */
1301 spin_lock(&sbsec->isec_lock);
1302 if (list_empty(&isec->list))
1303 list_add(&isec->list, &sbsec->isec_head);
1304 spin_unlock(&sbsec->isec_lock);
1305 goto out_unlock;
1306 }
1307
1308 switch (sbsec->behavior) {
1309 case SECURITY_FS_USE_NATIVE:
1310 break;
1311 case SECURITY_FS_USE_XATTR:
1312 if (!inode->i_op->getxattr) {
1313 isec->sid = sbsec->def_sid;
1314 break;
1315 }
1316
1317 /* Need a dentry, since the xattr API requires one.
1318 Life would be simpler if we could just pass the inode. */
1319 if (opt_dentry) {
1320 /* Called from d_instantiate or d_splice_alias. */
1321 dentry = dget(opt_dentry);
1322 } else {
1323 /* Called from selinux_complete_init, try to find a dentry. */
1324 dentry = d_find_alias(inode);
1325 }
1326 if (!dentry) {
1327 /*
1328 * this is can be hit on boot when a file is accessed
1329 * before the policy is loaded. When we load policy we
1330 * may find inodes that have no dentry on the
1331 * sbsec->isec_head list. No reason to complain as these
1332 * will get fixed up the next time we go through
1333 * inode_doinit with a dentry, before these inodes could
1334 * be used again by userspace.
1335 */
1336 goto out_unlock;
1337 }
1338
1339 len = INITCONTEXTLEN;
1340 context = kmalloc(len+1, GFP_NOFS);
1341 if (!context) {
1342 rc = -ENOMEM;
1343 dput(dentry);
1344 goto out_unlock;
1345 }
1346 context[len] = '\0';
1347 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1348 context, len);
1349 if (rc == -ERANGE) {
1350 kfree(context);
1351
1352 /* Need a larger buffer. Query for the right size. */
1353 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1354 NULL, 0);
1355 if (rc < 0) {
1356 dput(dentry);
1357 goto out_unlock;
1358 }
1359 len = rc;
1360 context = kmalloc(len+1, GFP_NOFS);
1361 if (!context) {
1362 rc = -ENOMEM;
1363 dput(dentry);
1364 goto out_unlock;
1365 }
1366 context[len] = '\0';
1367 rc = inode->i_op->getxattr(dentry,
1368 XATTR_NAME_SELINUX,
1369 context, len);
1370 }
1371 dput(dentry);
1372 if (rc < 0) {
1373 if (rc != -ENODATA) {
1374 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1375 "%d for dev=%s ino=%ld\n", __func__,
1376 -rc, inode->i_sb->s_id, inode->i_ino);
1377 kfree(context);
1378 goto out_unlock;
1379 }
1380 /* Map ENODATA to the default file SID */
1381 sid = sbsec->def_sid;
1382 rc = 0;
1383 } else {
1384 rc = security_context_to_sid_default(context, rc, &sid,
1385 sbsec->def_sid,
1386 GFP_NOFS);
1387 if (rc) {
1388 char *dev = inode->i_sb->s_id;
1389 unsigned long ino = inode->i_ino;
1390
1391 if (rc == -EINVAL) {
1392 if (printk_ratelimit())
1393 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1394 "context=%s. This indicates you may need to relabel the inode or the "
1395 "filesystem in question.\n", ino, dev, context);
1396 } else {
1397 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1398 "returned %d for dev=%s ino=%ld\n",
1399 __func__, context, -rc, dev, ino);
1400 }
1401 kfree(context);
1402 /* Leave with the unlabeled SID */
1403 rc = 0;
1404 break;
1405 }
1406 }
1407 kfree(context);
1408 isec->sid = sid;
1409 break;
1410 case SECURITY_FS_USE_TASK:
1411 isec->sid = isec->task_sid;
1412 break;
1413 case SECURITY_FS_USE_TRANS:
1414 /* Default to the fs SID. */
1415 isec->sid = sbsec->sid;
1416
1417 /* Try to obtain a transition SID. */
1418 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1419 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1420 isec->sclass, NULL, &sid);
1421 if (rc)
1422 goto out_unlock;
1423 isec->sid = sid;
1424 break;
1425 case SECURITY_FS_USE_MNTPOINT:
1426 isec->sid = sbsec->mntpoint_sid;
1427 break;
1428 default:
1429 /* Default to the fs superblock SID. */
1430 isec->sid = sbsec->sid;
1431
1432 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1433 /* We must have a dentry to determine the label on
1434 * procfs inodes */
1435 if (opt_dentry)
1436 /* Called from d_instantiate or
1437 * d_splice_alias. */
1438 dentry = dget(opt_dentry);
1439 else
1440 /* Called from selinux_complete_init, try to
1441 * find a dentry. */
1442 dentry = d_find_alias(inode);
1443 /*
1444 * This can be hit on boot when a file is accessed
1445 * before the policy is loaded. When we load policy we
1446 * may find inodes that have no dentry on the
1447 * sbsec->isec_head list. No reason to complain as
1448 * these will get fixed up the next time we go through
1449 * inode_doinit() with a dentry, before these inodes
1450 * could be used again by userspace.
1451 */
1452 if (!dentry)
1453 goto out_unlock;
1454 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1455 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1456 dput(dentry);
1457 if (rc)
1458 goto out_unlock;
1459 isec->sid = sid;
1460 }
1461 break;
1462 }
1463
1464 isec->initialized = 1;
1465
1466 out_unlock:
1467 mutex_unlock(&isec->lock);
1468 out:
1469 if (isec->sclass == SECCLASS_FILE)
1470 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1471 return rc;
1472 }
1473
1474 /* Convert a Linux signal to an access vector. */
1475 static inline u32 signal_to_av(int sig)
1476 {
1477 u32 perm = 0;
1478
1479 switch (sig) {
1480 case SIGCHLD:
1481 /* Commonly granted from child to parent. */
1482 perm = PROCESS__SIGCHLD;
1483 break;
1484 case SIGKILL:
1485 /* Cannot be caught or ignored */
1486 perm = PROCESS__SIGKILL;
1487 break;
1488 case SIGSTOP:
1489 /* Cannot be caught or ignored */
1490 perm = PROCESS__SIGSTOP;
1491 break;
1492 default:
1493 /* All other signals. */
1494 perm = PROCESS__SIGNAL;
1495 break;
1496 }
1497
1498 return perm;
1499 }
1500
1501 /*
1502 * Check permission between a pair of credentials
1503 * fork check, ptrace check, etc.
1504 */
1505 static int cred_has_perm(const struct cred *actor,
1506 const struct cred *target,
1507 u32 perms)
1508 {
1509 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1510
1511 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1512 }
1513
1514 /*
1515 * Check permission between a pair of tasks, e.g. signal checks,
1516 * fork check, ptrace check, etc.
1517 * tsk1 is the actor and tsk2 is the target
1518 * - this uses the default subjective creds of tsk1
1519 */
1520 static int task_has_perm(const struct task_struct *tsk1,
1521 const struct task_struct *tsk2,
1522 u32 perms)
1523 {
1524 const struct task_security_struct *__tsec1, *__tsec2;
1525 u32 sid1, sid2;
1526
1527 rcu_read_lock();
1528 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1529 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1530 rcu_read_unlock();
1531 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1532 }
1533
1534 /*
1535 * Check permission between current and another task, e.g. signal checks,
1536 * fork check, ptrace check, etc.
1537 * current is the actor and tsk2 is the target
1538 * - this uses current's subjective creds
1539 */
1540 static int current_has_perm(const struct task_struct *tsk,
1541 u32 perms)
1542 {
1543 u32 sid, tsid;
1544
1545 sid = current_sid();
1546 tsid = task_sid(tsk);
1547 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1548 }
1549
1550 #if CAP_LAST_CAP > 63
1551 #error Fix SELinux to handle capabilities > 63.
1552 #endif
1553
1554 /* Check whether a task is allowed to use a capability. */
1555 static int cred_has_capability(const struct cred *cred,
1556 int cap, int audit)
1557 {
1558 struct common_audit_data ad;
1559 struct av_decision avd;
1560 u16 sclass;
1561 u32 sid = cred_sid(cred);
1562 u32 av = CAP_TO_MASK(cap);
1563 int rc;
1564
1565 ad.type = LSM_AUDIT_DATA_CAP;
1566 ad.u.cap = cap;
1567
1568 switch (CAP_TO_INDEX(cap)) {
1569 case 0:
1570 sclass = SECCLASS_CAPABILITY;
1571 break;
1572 case 1:
1573 sclass = SECCLASS_CAPABILITY2;
1574 break;
1575 default:
1576 printk(KERN_ERR
1577 "SELinux: out of range capability %d\n", cap);
1578 BUG();
1579 return -EINVAL;
1580 }
1581
1582 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1583 if (audit == SECURITY_CAP_AUDIT) {
1584 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1585 if (rc2)
1586 return rc2;
1587 }
1588 return rc;
1589 }
1590
1591 /* Check whether a task is allowed to use a system operation. */
1592 static int task_has_system(struct task_struct *tsk,
1593 u32 perms)
1594 {
1595 u32 sid = task_sid(tsk);
1596
1597 return avc_has_perm(sid, SECINITSID_KERNEL,
1598 SECCLASS_SYSTEM, perms, NULL);
1599 }
1600
1601 /* Check whether a task has a particular permission to an inode.
1602 The 'adp' parameter is optional and allows other audit
1603 data to be passed (e.g. the dentry). */
1604 static int inode_has_perm(const struct cred *cred,
1605 struct inode *inode,
1606 u32 perms,
1607 struct common_audit_data *adp)
1608 {
1609 struct inode_security_struct *isec;
1610 u32 sid;
1611
1612 validate_creds(cred);
1613
1614 if (unlikely(IS_PRIVATE(inode)))
1615 return 0;
1616
1617 sid = cred_sid(cred);
1618 isec = inode->i_security;
1619
1620 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1621 }
1622
1623 /* Same as inode_has_perm, but pass explicit audit data containing
1624 the dentry to help the auditing code to more easily generate the
1625 pathname if needed. */
1626 static inline int dentry_has_perm(const struct cred *cred,
1627 struct dentry *dentry,
1628 u32 av)
1629 {
1630 struct inode *inode = dentry->d_inode;
1631 struct common_audit_data ad;
1632
1633 ad.type = LSM_AUDIT_DATA_DENTRY;
1634 ad.u.dentry = dentry;
1635 return inode_has_perm(cred, inode, av, &ad);
1636 }
1637
1638 /* Same as inode_has_perm, but pass explicit audit data containing
1639 the path to help the auditing code to more easily generate the
1640 pathname if needed. */
1641 static inline int path_has_perm(const struct cred *cred,
1642 struct path *path,
1643 u32 av)
1644 {
1645 struct inode *inode = path->dentry->d_inode;
1646 struct common_audit_data ad;
1647
1648 ad.type = LSM_AUDIT_DATA_PATH;
1649 ad.u.path = *path;
1650 return inode_has_perm(cred, inode, av, &ad);
1651 }
1652
1653 /* Same as path_has_perm, but uses the inode from the file struct. */
1654 static inline int file_path_has_perm(const struct cred *cred,
1655 struct file *file,
1656 u32 av)
1657 {
1658 struct common_audit_data ad;
1659
1660 ad.type = LSM_AUDIT_DATA_PATH;
1661 ad.u.path = file->f_path;
1662 return inode_has_perm(cred, file_inode(file), av, &ad);
1663 }
1664
1665 /* Check whether a task can use an open file descriptor to
1666 access an inode in a given way. Check access to the
1667 descriptor itself, and then use dentry_has_perm to
1668 check a particular permission to the file.
1669 Access to the descriptor is implicitly granted if it
1670 has the same SID as the process. If av is zero, then
1671 access to the file is not checked, e.g. for cases
1672 where only the descriptor is affected like seek. */
1673 static int file_has_perm(const struct cred *cred,
1674 struct file *file,
1675 u32 av)
1676 {
1677 struct file_security_struct *fsec = file->f_security;
1678 struct inode *inode = file_inode(file);
1679 struct common_audit_data ad;
1680 u32 sid = cred_sid(cred);
1681 int rc;
1682
1683 ad.type = LSM_AUDIT_DATA_PATH;
1684 ad.u.path = file->f_path;
1685
1686 if (sid != fsec->sid) {
1687 rc = avc_has_perm(sid, fsec->sid,
1688 SECCLASS_FD,
1689 FD__USE,
1690 &ad);
1691 if (rc)
1692 goto out;
1693 }
1694
1695 /* av is zero if only checking access to the descriptor. */
1696 rc = 0;
1697 if (av)
1698 rc = inode_has_perm(cred, inode, av, &ad);
1699
1700 out:
1701 return rc;
1702 }
1703
1704 /* Check whether a task can create a file. */
1705 static int may_create(struct inode *dir,
1706 struct dentry *dentry,
1707 u16 tclass)
1708 {
1709 const struct task_security_struct *tsec = current_security();
1710 struct inode_security_struct *dsec;
1711 struct superblock_security_struct *sbsec;
1712 u32 sid, newsid;
1713 struct common_audit_data ad;
1714 int rc;
1715
1716 dsec = dir->i_security;
1717 sbsec = dir->i_sb->s_security;
1718
1719 sid = tsec->sid;
1720 newsid = tsec->create_sid;
1721
1722 ad.type = LSM_AUDIT_DATA_DENTRY;
1723 ad.u.dentry = dentry;
1724
1725 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1726 DIR__ADD_NAME | DIR__SEARCH,
1727 &ad);
1728 if (rc)
1729 return rc;
1730
1731 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1732 rc = security_transition_sid(sid, dsec->sid, tclass,
1733 &dentry->d_name, &newsid);
1734 if (rc)
1735 return rc;
1736 }
1737
1738 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1739 if (rc)
1740 return rc;
1741
1742 return avc_has_perm(newsid, sbsec->sid,
1743 SECCLASS_FILESYSTEM,
1744 FILESYSTEM__ASSOCIATE, &ad);
1745 }
1746
1747 /* Check whether a task can create a key. */
1748 static int may_create_key(u32 ksid,
1749 struct task_struct *ctx)
1750 {
1751 u32 sid = task_sid(ctx);
1752
1753 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1754 }
1755
1756 #define MAY_LINK 0
1757 #define MAY_UNLINK 1
1758 #define MAY_RMDIR 2
1759
1760 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1761 static int may_link(struct inode *dir,
1762 struct dentry *dentry,
1763 int kind)
1764
1765 {
1766 struct inode_security_struct *dsec, *isec;
1767 struct common_audit_data ad;
1768 u32 sid = current_sid();
1769 u32 av;
1770 int rc;
1771
1772 dsec = dir->i_security;
1773 isec = dentry->d_inode->i_security;
1774
1775 ad.type = LSM_AUDIT_DATA_DENTRY;
1776 ad.u.dentry = dentry;
1777
1778 av = DIR__SEARCH;
1779 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1780 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1781 if (rc)
1782 return rc;
1783
1784 switch (kind) {
1785 case MAY_LINK:
1786 av = FILE__LINK;
1787 break;
1788 case MAY_UNLINK:
1789 av = FILE__UNLINK;
1790 break;
1791 case MAY_RMDIR:
1792 av = DIR__RMDIR;
1793 break;
1794 default:
1795 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1796 __func__, kind);
1797 return 0;
1798 }
1799
1800 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1801 return rc;
1802 }
1803
1804 static inline int may_rename(struct inode *old_dir,
1805 struct dentry *old_dentry,
1806 struct inode *new_dir,
1807 struct dentry *new_dentry)
1808 {
1809 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1810 struct common_audit_data ad;
1811 u32 sid = current_sid();
1812 u32 av;
1813 int old_is_dir, new_is_dir;
1814 int rc;
1815
1816 old_dsec = old_dir->i_security;
1817 old_isec = old_dentry->d_inode->i_security;
1818 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1819 new_dsec = new_dir->i_security;
1820
1821 ad.type = LSM_AUDIT_DATA_DENTRY;
1822
1823 ad.u.dentry = old_dentry;
1824 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1825 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1826 if (rc)
1827 return rc;
1828 rc = avc_has_perm(sid, old_isec->sid,
1829 old_isec->sclass, FILE__RENAME, &ad);
1830 if (rc)
1831 return rc;
1832 if (old_is_dir && new_dir != old_dir) {
1833 rc = avc_has_perm(sid, old_isec->sid,
1834 old_isec->sclass, DIR__REPARENT, &ad);
1835 if (rc)
1836 return rc;
1837 }
1838
1839 ad.u.dentry = new_dentry;
1840 av = DIR__ADD_NAME | DIR__SEARCH;
1841 if (new_dentry->d_inode)
1842 av |= DIR__REMOVE_NAME;
1843 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1844 if (rc)
1845 return rc;
1846 if (new_dentry->d_inode) {
1847 new_isec = new_dentry->d_inode->i_security;
1848 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1849 rc = avc_has_perm(sid, new_isec->sid,
1850 new_isec->sclass,
1851 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1852 if (rc)
1853 return rc;
1854 }
1855
1856 return 0;
1857 }
1858
1859 /* Check whether a task can perform a filesystem operation. */
1860 static int superblock_has_perm(const struct cred *cred,
1861 struct super_block *sb,
1862 u32 perms,
1863 struct common_audit_data *ad)
1864 {
1865 struct superblock_security_struct *sbsec;
1866 u32 sid = cred_sid(cred);
1867
1868 sbsec = sb->s_security;
1869 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1870 }
1871
1872 /* Convert a Linux mode and permission mask to an access vector. */
1873 static inline u32 file_mask_to_av(int mode, int mask)
1874 {
1875 u32 av = 0;
1876
1877 if (!S_ISDIR(mode)) {
1878 if (mask & MAY_EXEC)
1879 av |= FILE__EXECUTE;
1880 if (mask & MAY_READ)
1881 av |= FILE__READ;
1882
1883 if (mask & MAY_APPEND)
1884 av |= FILE__APPEND;
1885 else if (mask & MAY_WRITE)
1886 av |= FILE__WRITE;
1887
1888 } else {
1889 if (mask & MAY_EXEC)
1890 av |= DIR__SEARCH;
1891 if (mask & MAY_WRITE)
1892 av |= DIR__WRITE;
1893 if (mask & MAY_READ)
1894 av |= DIR__READ;
1895 }
1896
1897 return av;
1898 }
1899
1900 /* Convert a Linux file to an access vector. */
1901 static inline u32 file_to_av(struct file *file)
1902 {
1903 u32 av = 0;
1904
1905 if (file->f_mode & FMODE_READ)
1906 av |= FILE__READ;
1907 if (file->f_mode & FMODE_WRITE) {
1908 if (file->f_flags & O_APPEND)
1909 av |= FILE__APPEND;
1910 else
1911 av |= FILE__WRITE;
1912 }
1913 if (!av) {
1914 /*
1915 * Special file opened with flags 3 for ioctl-only use.
1916 */
1917 av = FILE__IOCTL;
1918 }
1919
1920 return av;
1921 }
1922
1923 /*
1924 * Convert a file to an access vector and include the correct open
1925 * open permission.
1926 */
1927 static inline u32 open_file_to_av(struct file *file)
1928 {
1929 u32 av = file_to_av(file);
1930
1931 if (selinux_policycap_openperm)
1932 av |= FILE__OPEN;
1933
1934 return av;
1935 }
1936
1937 /* Hook functions begin here. */
1938
1939 static int selinux_ptrace_access_check(struct task_struct *child,
1940 unsigned int mode)
1941 {
1942 int rc;
1943
1944 rc = cap_ptrace_access_check(child, mode);
1945 if (rc)
1946 return rc;
1947
1948 if (mode & PTRACE_MODE_READ) {
1949 u32 sid = current_sid();
1950 u32 csid = task_sid(child);
1951 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1952 }
1953
1954 return current_has_perm(child, PROCESS__PTRACE);
1955 }
1956
1957 static int selinux_ptrace_traceme(struct task_struct *parent)
1958 {
1959 int rc;
1960
1961 rc = cap_ptrace_traceme(parent);
1962 if (rc)
1963 return rc;
1964
1965 return task_has_perm(parent, current, PROCESS__PTRACE);
1966 }
1967
1968 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1969 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1970 {
1971 int error;
1972
1973 error = current_has_perm(target, PROCESS__GETCAP);
1974 if (error)
1975 return error;
1976
1977 return cap_capget(target, effective, inheritable, permitted);
1978 }
1979
1980 static int selinux_capset(struct cred *new, const struct cred *old,
1981 const kernel_cap_t *effective,
1982 const kernel_cap_t *inheritable,
1983 const kernel_cap_t *permitted)
1984 {
1985 int error;
1986
1987 error = cap_capset(new, old,
1988 effective, inheritable, permitted);
1989 if (error)
1990 return error;
1991
1992 return cred_has_perm(old, new, PROCESS__SETCAP);
1993 }
1994
1995 /*
1996 * (This comment used to live with the selinux_task_setuid hook,
1997 * which was removed).
1998 *
1999 * Since setuid only affects the current process, and since the SELinux
2000 * controls are not based on the Linux identity attributes, SELinux does not
2001 * need to control this operation. However, SELinux does control the use of
2002 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2003 */
2004
2005 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2006 int cap, int audit)
2007 {
2008 int rc;
2009
2010 rc = cap_capable(cred, ns, cap, audit);
2011 if (rc)
2012 return rc;
2013
2014 return cred_has_capability(cred, cap, audit);
2015 }
2016
2017 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2018 {
2019 const struct cred *cred = current_cred();
2020 int rc = 0;
2021
2022 if (!sb)
2023 return 0;
2024
2025 switch (cmds) {
2026 case Q_SYNC:
2027 case Q_QUOTAON:
2028 case Q_QUOTAOFF:
2029 case Q_SETINFO:
2030 case Q_SETQUOTA:
2031 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2032 break;
2033 case Q_GETFMT:
2034 case Q_GETINFO:
2035 case Q_GETQUOTA:
2036 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2037 break;
2038 default:
2039 rc = 0; /* let the kernel handle invalid cmds */
2040 break;
2041 }
2042 return rc;
2043 }
2044
2045 static int selinux_quota_on(struct dentry *dentry)
2046 {
2047 const struct cred *cred = current_cred();
2048
2049 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2050 }
2051
2052 static int selinux_syslog(int type)
2053 {
2054 int rc;
2055
2056 switch (type) {
2057 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2058 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2059 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2060 break;
2061 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2062 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2063 /* Set level of messages printed to console */
2064 case SYSLOG_ACTION_CONSOLE_LEVEL:
2065 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2066 break;
2067 case SYSLOG_ACTION_CLOSE: /* Close log */
2068 case SYSLOG_ACTION_OPEN: /* Open log */
2069 case SYSLOG_ACTION_READ: /* Read from log */
2070 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2071 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2072 default:
2073 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2074 break;
2075 }
2076 return rc;
2077 }
2078
2079 /*
2080 * Check that a process has enough memory to allocate a new virtual
2081 * mapping. 0 means there is enough memory for the allocation to
2082 * succeed and -ENOMEM implies there is not.
2083 *
2084 * Do not audit the selinux permission check, as this is applied to all
2085 * processes that allocate mappings.
2086 */
2087 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2088 {
2089 int rc, cap_sys_admin = 0;
2090
2091 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2092 SECURITY_CAP_NOAUDIT);
2093 if (rc == 0)
2094 cap_sys_admin = 1;
2095
2096 return __vm_enough_memory(mm, pages, cap_sys_admin);
2097 }
2098
2099 /* binprm security operations */
2100
2101 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2102 const struct task_security_struct *old_tsec,
2103 const struct task_security_struct *new_tsec)
2104 {
2105 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2106 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2107 int rc;
2108
2109 if (!nnp && !nosuid)
2110 return 0; /* neither NNP nor nosuid */
2111
2112 if (new_tsec->sid == old_tsec->sid)
2113 return 0; /* No change in credentials */
2114
2115 /*
2116 * The only transitions we permit under NNP or nosuid
2117 * are transitions to bounded SIDs, i.e. SIDs that are
2118 * guaranteed to only be allowed a subset of the permissions
2119 * of the current SID.
2120 */
2121 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2122 if (rc) {
2123 /*
2124 * On failure, preserve the errno values for NNP vs nosuid.
2125 * NNP: Operation not permitted for caller.
2126 * nosuid: Permission denied to file.
2127 */
2128 if (nnp)
2129 return -EPERM;
2130 else
2131 return -EACCES;
2132 }
2133 return 0;
2134 }
2135
2136 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2137 {
2138 const struct task_security_struct *old_tsec;
2139 struct task_security_struct *new_tsec;
2140 struct inode_security_struct *isec;
2141 struct common_audit_data ad;
2142 struct inode *inode = file_inode(bprm->file);
2143 int rc;
2144
2145 rc = cap_bprm_set_creds(bprm);
2146 if (rc)
2147 return rc;
2148
2149 /* SELinux context only depends on initial program or script and not
2150 * the script interpreter */
2151 if (bprm->cred_prepared)
2152 return 0;
2153
2154 old_tsec = current_security();
2155 new_tsec = bprm->cred->security;
2156 isec = inode->i_security;
2157
2158 /* Default to the current task SID. */
2159 new_tsec->sid = old_tsec->sid;
2160 new_tsec->osid = old_tsec->sid;
2161
2162 /* Reset fs, key, and sock SIDs on execve. */
2163 new_tsec->create_sid = 0;
2164 new_tsec->keycreate_sid = 0;
2165 new_tsec->sockcreate_sid = 0;
2166
2167 if (old_tsec->exec_sid) {
2168 new_tsec->sid = old_tsec->exec_sid;
2169 /* Reset exec SID on execve. */
2170 new_tsec->exec_sid = 0;
2171
2172 /* Fail on NNP or nosuid if not an allowed transition. */
2173 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2174 if (rc)
2175 return rc;
2176 } else {
2177 /* Check for a default transition on this program. */
2178 rc = security_transition_sid(old_tsec->sid, isec->sid,
2179 SECCLASS_PROCESS, NULL,
2180 &new_tsec->sid);
2181 if (rc)
2182 return rc;
2183
2184 /*
2185 * Fallback to old SID on NNP or nosuid if not an allowed
2186 * transition.
2187 */
2188 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2189 if (rc)
2190 new_tsec->sid = old_tsec->sid;
2191 }
2192
2193 ad.type = LSM_AUDIT_DATA_PATH;
2194 ad.u.path = bprm->file->f_path;
2195
2196 if (new_tsec->sid == old_tsec->sid) {
2197 rc = avc_has_perm(old_tsec->sid, isec->sid,
2198 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2199 if (rc)
2200 return rc;
2201 } else {
2202 /* Check permissions for the transition. */
2203 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2204 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2205 if (rc)
2206 return rc;
2207
2208 rc = avc_has_perm(new_tsec->sid, isec->sid,
2209 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2210 if (rc)
2211 return rc;
2212
2213 /* Check for shared state */
2214 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2215 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2216 SECCLASS_PROCESS, PROCESS__SHARE,
2217 NULL);
2218 if (rc)
2219 return -EPERM;
2220 }
2221
2222 /* Make sure that anyone attempting to ptrace over a task that
2223 * changes its SID has the appropriate permit */
2224 if (bprm->unsafe &
2225 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2226 struct task_struct *tracer;
2227 struct task_security_struct *sec;
2228 u32 ptsid = 0;
2229
2230 rcu_read_lock();
2231 tracer = ptrace_parent(current);
2232 if (likely(tracer != NULL)) {
2233 sec = __task_cred(tracer)->security;
2234 ptsid = sec->sid;
2235 }
2236 rcu_read_unlock();
2237
2238 if (ptsid != 0) {
2239 rc = avc_has_perm(ptsid, new_tsec->sid,
2240 SECCLASS_PROCESS,
2241 PROCESS__PTRACE, NULL);
2242 if (rc)
2243 return -EPERM;
2244 }
2245 }
2246
2247 /* Clear any possibly unsafe personality bits on exec: */
2248 bprm->per_clear |= PER_CLEAR_ON_SETID;
2249 }
2250
2251 return 0;
2252 }
2253
2254 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2255 {
2256 const struct task_security_struct *tsec = current_security();
2257 u32 sid, osid;
2258 int atsecure = 0;
2259
2260 sid = tsec->sid;
2261 osid = tsec->osid;
2262
2263 if (osid != sid) {
2264 /* Enable secure mode for SIDs transitions unless
2265 the noatsecure permission is granted between
2266 the two SIDs, i.e. ahp returns 0. */
2267 atsecure = avc_has_perm(osid, sid,
2268 SECCLASS_PROCESS,
2269 PROCESS__NOATSECURE, NULL);
2270 }
2271
2272 return (atsecure || cap_bprm_secureexec(bprm));
2273 }
2274
2275 static int match_file(const void *p, struct file *file, unsigned fd)
2276 {
2277 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2278 }
2279
2280 /* Derived from fs/exec.c:flush_old_files. */
2281 static inline void flush_unauthorized_files(const struct cred *cred,
2282 struct files_struct *files)
2283 {
2284 struct file *file, *devnull = NULL;
2285 struct tty_struct *tty;
2286 int drop_tty = 0;
2287 unsigned n;
2288
2289 tty = get_current_tty();
2290 if (tty) {
2291 spin_lock(&tty_files_lock);
2292 if (!list_empty(&tty->tty_files)) {
2293 struct tty_file_private *file_priv;
2294
2295 /* Revalidate access to controlling tty.
2296 Use file_path_has_perm on the tty path directly
2297 rather than using file_has_perm, as this particular
2298 open file may belong to another process and we are
2299 only interested in the inode-based check here. */
2300 file_priv = list_first_entry(&tty->tty_files,
2301 struct tty_file_private, list);
2302 file = file_priv->file;
2303 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2304 drop_tty = 1;
2305 }
2306 spin_unlock(&tty_files_lock);
2307 tty_kref_put(tty);
2308 }
2309 /* Reset controlling tty. */
2310 if (drop_tty)
2311 no_tty();
2312
2313 /* Revalidate access to inherited open files. */
2314 n = iterate_fd(files, 0, match_file, cred);
2315 if (!n) /* none found? */
2316 return;
2317
2318 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2319 if (IS_ERR(devnull))
2320 devnull = NULL;
2321 /* replace all the matching ones with this */
2322 do {
2323 replace_fd(n - 1, devnull, 0);
2324 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2325 if (devnull)
2326 fput(devnull);
2327 }
2328
2329 /*
2330 * Prepare a process for imminent new credential changes due to exec
2331 */
2332 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2333 {
2334 struct task_security_struct *new_tsec;
2335 struct rlimit *rlim, *initrlim;
2336 int rc, i;
2337
2338 new_tsec = bprm->cred->security;
2339 if (new_tsec->sid == new_tsec->osid)
2340 return;
2341
2342 /* Close files for which the new task SID is not authorized. */
2343 flush_unauthorized_files(bprm->cred, current->files);
2344
2345 /* Always clear parent death signal on SID transitions. */
2346 current->pdeath_signal = 0;
2347
2348 /* Check whether the new SID can inherit resource limits from the old
2349 * SID. If not, reset all soft limits to the lower of the current
2350 * task's hard limit and the init task's soft limit.
2351 *
2352 * Note that the setting of hard limits (even to lower them) can be
2353 * controlled by the setrlimit check. The inclusion of the init task's
2354 * soft limit into the computation is to avoid resetting soft limits
2355 * higher than the default soft limit for cases where the default is
2356 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2357 */
2358 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2359 PROCESS__RLIMITINH, NULL);
2360 if (rc) {
2361 /* protect against do_prlimit() */
2362 task_lock(current);
2363 for (i = 0; i < RLIM_NLIMITS; i++) {
2364 rlim = current->signal->rlim + i;
2365 initrlim = init_task.signal->rlim + i;
2366 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2367 }
2368 task_unlock(current);
2369 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2370 }
2371 }
2372
2373 /*
2374 * Clean up the process immediately after the installation of new credentials
2375 * due to exec
2376 */
2377 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2378 {
2379 const struct task_security_struct *tsec = current_security();
2380 struct itimerval itimer;
2381 u32 osid, sid;
2382 int rc, i;
2383
2384 osid = tsec->osid;
2385 sid = tsec->sid;
2386
2387 if (sid == osid)
2388 return;
2389
2390 /* Check whether the new SID can inherit signal state from the old SID.
2391 * If not, clear itimers to avoid subsequent signal generation and
2392 * flush and unblock signals.
2393 *
2394 * This must occur _after_ the task SID has been updated so that any
2395 * kill done after the flush will be checked against the new SID.
2396 */
2397 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2398 if (rc) {
2399 memset(&itimer, 0, sizeof itimer);
2400 for (i = 0; i < 3; i++)
2401 do_setitimer(i, &itimer, NULL);
2402 spin_lock_irq(&current->sighand->siglock);
2403 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2404 __flush_signals(current);
2405 flush_signal_handlers(current, 1);
2406 sigemptyset(&current->blocked);
2407 }
2408 spin_unlock_irq(&current->sighand->siglock);
2409 }
2410
2411 /* Wake up the parent if it is waiting so that it can recheck
2412 * wait permission to the new task SID. */
2413 read_lock(&tasklist_lock);
2414 __wake_up_parent(current, current->real_parent);
2415 read_unlock(&tasklist_lock);
2416 }
2417
2418 /* superblock security operations */
2419
2420 static int selinux_sb_alloc_security(struct super_block *sb)
2421 {
2422 return superblock_alloc_security(sb);
2423 }
2424
2425 static void selinux_sb_free_security(struct super_block *sb)
2426 {
2427 superblock_free_security(sb);
2428 }
2429
2430 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2431 {
2432 if (plen > olen)
2433 return 0;
2434
2435 return !memcmp(prefix, option, plen);
2436 }
2437
2438 static inline int selinux_option(char *option, int len)
2439 {
2440 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2441 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2442 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2443 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2444 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2445 }
2446
2447 static inline void take_option(char **to, char *from, int *first, int len)
2448 {
2449 if (!*first) {
2450 **to = ',';
2451 *to += 1;
2452 } else
2453 *first = 0;
2454 memcpy(*to, from, len);
2455 *to += len;
2456 }
2457
2458 static inline void take_selinux_option(char **to, char *from, int *first,
2459 int len)
2460 {
2461 int current_size = 0;
2462
2463 if (!*first) {
2464 **to = '|';
2465 *to += 1;
2466 } else
2467 *first = 0;
2468
2469 while (current_size < len) {
2470 if (*from != '"') {
2471 **to = *from;
2472 *to += 1;
2473 }
2474 from += 1;
2475 current_size += 1;
2476 }
2477 }
2478
2479 static int selinux_sb_copy_data(char *orig, char *copy)
2480 {
2481 int fnosec, fsec, rc = 0;
2482 char *in_save, *in_curr, *in_end;
2483 char *sec_curr, *nosec_save, *nosec;
2484 int open_quote = 0;
2485
2486 in_curr = orig;
2487 sec_curr = copy;
2488
2489 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2490 if (!nosec) {
2491 rc = -ENOMEM;
2492 goto out;
2493 }
2494
2495 nosec_save = nosec;
2496 fnosec = fsec = 1;
2497 in_save = in_end = orig;
2498
2499 do {
2500 if (*in_end == '"')
2501 open_quote = !open_quote;
2502 if ((*in_end == ',' && open_quote == 0) ||
2503 *in_end == '\0') {
2504 int len = in_end - in_curr;
2505
2506 if (selinux_option(in_curr, len))
2507 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2508 else
2509 take_option(&nosec, in_curr, &fnosec, len);
2510
2511 in_curr = in_end + 1;
2512 }
2513 } while (*in_end++);
2514
2515 strcpy(in_save, nosec_save);
2516 free_page((unsigned long)nosec_save);
2517 out:
2518 return rc;
2519 }
2520
2521 static int selinux_sb_remount(struct super_block *sb, void *data)
2522 {
2523 int rc, i, *flags;
2524 struct security_mnt_opts opts;
2525 char *secdata, **mount_options;
2526 struct superblock_security_struct *sbsec = sb->s_security;
2527
2528 if (!(sbsec->flags & SE_SBINITIALIZED))
2529 return 0;
2530
2531 if (!data)
2532 return 0;
2533
2534 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2535 return 0;
2536
2537 security_init_mnt_opts(&opts);
2538 secdata = alloc_secdata();
2539 if (!secdata)
2540 return -ENOMEM;
2541 rc = selinux_sb_copy_data(data, secdata);
2542 if (rc)
2543 goto out_free_secdata;
2544
2545 rc = selinux_parse_opts_str(secdata, &opts);
2546 if (rc)
2547 goto out_free_secdata;
2548
2549 mount_options = opts.mnt_opts;
2550 flags = opts.mnt_opts_flags;
2551
2552 for (i = 0; i < opts.num_mnt_opts; i++) {
2553 u32 sid;
2554 size_t len;
2555
2556 if (flags[i] == SBLABEL_MNT)
2557 continue;
2558 len = strlen(mount_options[i]);
2559 rc = security_context_to_sid(mount_options[i], len, &sid,
2560 GFP_KERNEL);
2561 if (rc) {
2562 printk(KERN_WARNING "SELinux: security_context_to_sid"
2563 "(%s) failed for (dev %s, type %s) errno=%d\n",
2564 mount_options[i], sb->s_id, sb->s_type->name, rc);
2565 goto out_free_opts;
2566 }
2567 rc = -EINVAL;
2568 switch (flags[i]) {
2569 case FSCONTEXT_MNT:
2570 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2571 goto out_bad_option;
2572 break;
2573 case CONTEXT_MNT:
2574 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2575 goto out_bad_option;
2576 break;
2577 case ROOTCONTEXT_MNT: {
2578 struct inode_security_struct *root_isec;
2579 root_isec = sb->s_root->d_inode->i_security;
2580
2581 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2582 goto out_bad_option;
2583 break;
2584 }
2585 case DEFCONTEXT_MNT:
2586 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2587 goto out_bad_option;
2588 break;
2589 default:
2590 goto out_free_opts;
2591 }
2592 }
2593
2594 rc = 0;
2595 out_free_opts:
2596 security_free_mnt_opts(&opts);
2597 out_free_secdata:
2598 free_secdata(secdata);
2599 return rc;
2600 out_bad_option:
2601 printk(KERN_WARNING "SELinux: unable to change security options "
2602 "during remount (dev %s, type=%s)\n", sb->s_id,
2603 sb->s_type->name);
2604 goto out_free_opts;
2605 }
2606
2607 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2608 {
2609 const struct cred *cred = current_cred();
2610 struct common_audit_data ad;
2611 int rc;
2612
2613 rc = superblock_doinit(sb, data);
2614 if (rc)
2615 return rc;
2616
2617 /* Allow all mounts performed by the kernel */
2618 if (flags & MS_KERNMOUNT)
2619 return 0;
2620
2621 ad.type = LSM_AUDIT_DATA_DENTRY;
2622 ad.u.dentry = sb->s_root;
2623 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2624 }
2625
2626 static int selinux_sb_statfs(struct dentry *dentry)
2627 {
2628 const struct cred *cred = current_cred();
2629 struct common_audit_data ad;
2630
2631 ad.type = LSM_AUDIT_DATA_DENTRY;
2632 ad.u.dentry = dentry->d_sb->s_root;
2633 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2634 }
2635
2636 static int selinux_mount(const char *dev_name,
2637 struct path *path,
2638 const char *type,
2639 unsigned long flags,
2640 void *data)
2641 {
2642 const struct cred *cred = current_cred();
2643
2644 if (flags & MS_REMOUNT)
2645 return superblock_has_perm(cred, path->dentry->d_sb,
2646 FILESYSTEM__REMOUNT, NULL);
2647 else
2648 return path_has_perm(cred, path, FILE__MOUNTON);
2649 }
2650
2651 static int selinux_umount(struct vfsmount *mnt, int flags)
2652 {
2653 const struct cred *cred = current_cred();
2654
2655 return superblock_has_perm(cred, mnt->mnt_sb,
2656 FILESYSTEM__UNMOUNT, NULL);
2657 }
2658
2659 /* inode security operations */
2660
2661 static int selinux_inode_alloc_security(struct inode *inode)
2662 {
2663 return inode_alloc_security(inode);
2664 }
2665
2666 static void selinux_inode_free_security(struct inode *inode)
2667 {
2668 inode_free_security(inode);
2669 }
2670
2671 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2672 struct qstr *name, void **ctx,
2673 u32 *ctxlen)
2674 {
2675 const struct cred *cred = current_cred();
2676 struct task_security_struct *tsec;
2677 struct inode_security_struct *dsec;
2678 struct superblock_security_struct *sbsec;
2679 struct inode *dir = dentry->d_parent->d_inode;
2680 u32 newsid;
2681 int rc;
2682
2683 tsec = cred->security;
2684 dsec = dir->i_security;
2685 sbsec = dir->i_sb->s_security;
2686
2687 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2688 newsid = tsec->create_sid;
2689 } else {
2690 rc = security_transition_sid(tsec->sid, dsec->sid,
2691 inode_mode_to_security_class(mode),
2692 name,
2693 &newsid);
2694 if (rc) {
2695 printk(KERN_WARNING
2696 "%s: security_transition_sid failed, rc=%d\n",
2697 __func__, -rc);
2698 return rc;
2699 }
2700 }
2701
2702 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2703 }
2704
2705 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2706 const struct qstr *qstr,
2707 const char **name,
2708 void **value, size_t *len)
2709 {
2710 const struct task_security_struct *tsec = current_security();
2711 struct inode_security_struct *dsec;
2712 struct superblock_security_struct *sbsec;
2713 u32 sid, newsid, clen;
2714 int rc;
2715 char *context;
2716
2717 dsec = dir->i_security;
2718 sbsec = dir->i_sb->s_security;
2719
2720 sid = tsec->sid;
2721 newsid = tsec->create_sid;
2722
2723 if ((sbsec->flags & SE_SBINITIALIZED) &&
2724 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2725 newsid = sbsec->mntpoint_sid;
2726 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2727 rc = security_transition_sid(sid, dsec->sid,
2728 inode_mode_to_security_class(inode->i_mode),
2729 qstr, &newsid);
2730 if (rc) {
2731 printk(KERN_WARNING "%s: "
2732 "security_transition_sid failed, rc=%d (dev=%s "
2733 "ino=%ld)\n",
2734 __func__,
2735 -rc, inode->i_sb->s_id, inode->i_ino);
2736 return rc;
2737 }
2738 }
2739
2740 /* Possibly defer initialization to selinux_complete_init. */
2741 if (sbsec->flags & SE_SBINITIALIZED) {
2742 struct inode_security_struct *isec = inode->i_security;
2743 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2744 isec->sid = newsid;
2745 isec->initialized = 1;
2746 }
2747
2748 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2749 return -EOPNOTSUPP;
2750
2751 if (name)
2752 *name = XATTR_SELINUX_SUFFIX;
2753
2754 if (value && len) {
2755 rc = security_sid_to_context_force(newsid, &context, &clen);
2756 if (rc)
2757 return rc;
2758 *value = context;
2759 *len = clen;
2760 }
2761
2762 return 0;
2763 }
2764
2765 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2766 {
2767 return may_create(dir, dentry, SECCLASS_FILE);
2768 }
2769
2770 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2771 {
2772 return may_link(dir, old_dentry, MAY_LINK);
2773 }
2774
2775 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2776 {
2777 return may_link(dir, dentry, MAY_UNLINK);
2778 }
2779
2780 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2781 {
2782 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2783 }
2784
2785 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2786 {
2787 return may_create(dir, dentry, SECCLASS_DIR);
2788 }
2789
2790 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2791 {
2792 return may_link(dir, dentry, MAY_RMDIR);
2793 }
2794
2795 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2796 {
2797 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2798 }
2799
2800 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2801 struct inode *new_inode, struct dentry *new_dentry)
2802 {
2803 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2804 }
2805
2806 static int selinux_inode_readlink(struct dentry *dentry)
2807 {
2808 const struct cred *cred = current_cred();
2809
2810 return dentry_has_perm(cred, dentry, FILE__READ);
2811 }
2812
2813 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2814 {
2815 const struct cred *cred = current_cred();
2816
2817 return dentry_has_perm(cred, dentry, FILE__READ);
2818 }
2819
2820 static noinline int audit_inode_permission(struct inode *inode,
2821 u32 perms, u32 audited, u32 denied,
2822 int result,
2823 unsigned flags)
2824 {
2825 struct common_audit_data ad;
2826 struct inode_security_struct *isec = inode->i_security;
2827 int rc;
2828
2829 ad.type = LSM_AUDIT_DATA_INODE;
2830 ad.u.inode = inode;
2831
2832 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2833 audited, denied, result, &ad, flags);
2834 if (rc)
2835 return rc;
2836 return 0;
2837 }
2838
2839 static int selinux_inode_permission(struct inode *inode, int mask)
2840 {
2841 const struct cred *cred = current_cred();
2842 u32 perms;
2843 bool from_access;
2844 unsigned flags = mask & MAY_NOT_BLOCK;
2845 struct inode_security_struct *isec;
2846 u32 sid;
2847 struct av_decision avd;
2848 int rc, rc2;
2849 u32 audited, denied;
2850
2851 from_access = mask & MAY_ACCESS;
2852 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2853
2854 /* No permission to check. Existence test. */
2855 if (!mask)
2856 return 0;
2857
2858 validate_creds(cred);
2859
2860 if (unlikely(IS_PRIVATE(inode)))
2861 return 0;
2862
2863 perms = file_mask_to_av(inode->i_mode, mask);
2864
2865 sid = cred_sid(cred);
2866 isec = inode->i_security;
2867
2868 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2869 audited = avc_audit_required(perms, &avd, rc,
2870 from_access ? FILE__AUDIT_ACCESS : 0,
2871 &denied);
2872 if (likely(!audited))
2873 return rc;
2874
2875 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2876 if (rc2)
2877 return rc2;
2878 return rc;
2879 }
2880
2881 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2882 {
2883 const struct cred *cred = current_cred();
2884 unsigned int ia_valid = iattr->ia_valid;
2885 __u32 av = FILE__WRITE;
2886
2887 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2888 if (ia_valid & ATTR_FORCE) {
2889 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2890 ATTR_FORCE);
2891 if (!ia_valid)
2892 return 0;
2893 }
2894
2895 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2896 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2897 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2898
2899 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2900 av |= FILE__OPEN;
2901
2902 return dentry_has_perm(cred, dentry, av);
2903 }
2904
2905 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2906 {
2907 const struct cred *cred = current_cred();
2908 struct path path;
2909
2910 path.dentry = dentry;
2911 path.mnt = mnt;
2912
2913 return path_has_perm(cred, &path, FILE__GETATTR);
2914 }
2915
2916 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2917 {
2918 const struct cred *cred = current_cred();
2919
2920 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2921 sizeof XATTR_SECURITY_PREFIX - 1)) {
2922 if (!strcmp(name, XATTR_NAME_CAPS)) {
2923 if (!capable(CAP_SETFCAP))
2924 return -EPERM;
2925 } else if (!capable(CAP_SYS_ADMIN)) {
2926 /* A different attribute in the security namespace.
2927 Restrict to administrator. */
2928 return -EPERM;
2929 }
2930 }
2931
2932 /* Not an attribute we recognize, so just check the
2933 ordinary setattr permission. */
2934 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2935 }
2936
2937 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2938 const void *value, size_t size, int flags)
2939 {
2940 struct inode *inode = dentry->d_inode;
2941 struct inode_security_struct *isec = inode->i_security;
2942 struct superblock_security_struct *sbsec;
2943 struct common_audit_data ad;
2944 u32 newsid, sid = current_sid();
2945 int rc = 0;
2946
2947 if (strcmp(name, XATTR_NAME_SELINUX))
2948 return selinux_inode_setotherxattr(dentry, name);
2949
2950 sbsec = inode->i_sb->s_security;
2951 if (!(sbsec->flags & SBLABEL_MNT))
2952 return -EOPNOTSUPP;
2953
2954 if (!inode_owner_or_capable(inode))
2955 return -EPERM;
2956
2957 ad.type = LSM_AUDIT_DATA_DENTRY;
2958 ad.u.dentry = dentry;
2959
2960 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2961 FILE__RELABELFROM, &ad);
2962 if (rc)
2963 return rc;
2964
2965 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
2966 if (rc == -EINVAL) {
2967 if (!capable(CAP_MAC_ADMIN)) {
2968 struct audit_buffer *ab;
2969 size_t audit_size;
2970 const char *str;
2971
2972 /* We strip a nul only if it is at the end, otherwise the
2973 * context contains a nul and we should audit that */
2974 if (value) {
2975 str = value;
2976 if (str[size - 1] == '\0')
2977 audit_size = size - 1;
2978 else
2979 audit_size = size;
2980 } else {
2981 str = "";
2982 audit_size = 0;
2983 }
2984 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2985 audit_log_format(ab, "op=setxattr invalid_context=");
2986 audit_log_n_untrustedstring(ab, value, audit_size);
2987 audit_log_end(ab);
2988
2989 return rc;
2990 }
2991 rc = security_context_to_sid_force(value, size, &newsid);
2992 }
2993 if (rc)
2994 return rc;
2995
2996 rc = avc_has_perm(sid, newsid, isec->sclass,
2997 FILE__RELABELTO, &ad);
2998 if (rc)
2999 return rc;
3000
3001 rc = security_validate_transition(isec->sid, newsid, sid,
3002 isec->sclass);
3003 if (rc)
3004 return rc;
3005
3006 return avc_has_perm(newsid,
3007 sbsec->sid,
3008 SECCLASS_FILESYSTEM,
3009 FILESYSTEM__ASSOCIATE,
3010 &ad);
3011 }
3012
3013 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3014 const void *value, size_t size,
3015 int flags)
3016 {
3017 struct inode *inode = dentry->d_inode;
3018 struct inode_security_struct *isec = inode->i_security;
3019 u32 newsid;
3020 int rc;
3021
3022 if (strcmp(name, XATTR_NAME_SELINUX)) {
3023 /* Not an attribute we recognize, so nothing to do. */
3024 return;
3025 }
3026
3027 rc = security_context_to_sid_force(value, size, &newsid);
3028 if (rc) {
3029 printk(KERN_ERR "SELinux: unable to map context to SID"
3030 "for (%s, %lu), rc=%d\n",
3031 inode->i_sb->s_id, inode->i_ino, -rc);
3032 return;
3033 }
3034
3035 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3036 isec->sid = newsid;
3037 isec->initialized = 1;
3038
3039 return;
3040 }
3041
3042 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3043 {
3044 const struct cred *cred = current_cred();
3045
3046 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3047 }
3048
3049 static int selinux_inode_listxattr(struct dentry *dentry)
3050 {
3051 const struct cred *cred = current_cred();
3052
3053 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3054 }
3055
3056 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3057 {
3058 if (strcmp(name, XATTR_NAME_SELINUX))
3059 return selinux_inode_setotherxattr(dentry, name);
3060
3061 /* No one is allowed to remove a SELinux security label.
3062 You can change the label, but all data must be labeled. */
3063 return -EACCES;
3064 }
3065
3066 /*
3067 * Copy the inode security context value to the user.
3068 *
3069 * Permission check is handled by selinux_inode_getxattr hook.
3070 */
3071 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3072 {
3073 u32 size;
3074 int error;
3075 char *context = NULL;
3076 struct inode_security_struct *isec = inode->i_security;
3077
3078 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3079 return -EOPNOTSUPP;
3080
3081 /*
3082 * If the caller has CAP_MAC_ADMIN, then get the raw context
3083 * value even if it is not defined by current policy; otherwise,
3084 * use the in-core value under current policy.
3085 * Use the non-auditing forms of the permission checks since
3086 * getxattr may be called by unprivileged processes commonly
3087 * and lack of permission just means that we fall back to the
3088 * in-core context value, not a denial.
3089 */
3090 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3091 SECURITY_CAP_NOAUDIT);
3092 if (!error)
3093 error = security_sid_to_context_force(isec->sid, &context,
3094 &size);
3095 else
3096 error = security_sid_to_context(isec->sid, &context, &size);
3097 if (error)
3098 return error;
3099 error = size;
3100 if (alloc) {
3101 *buffer = context;
3102 goto out_nofree;
3103 }
3104 kfree(context);
3105 out_nofree:
3106 return error;
3107 }
3108
3109 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3110 const void *value, size_t size, int flags)
3111 {
3112 struct inode_security_struct *isec = inode->i_security;
3113 u32 newsid;
3114 int rc;
3115
3116 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3117 return -EOPNOTSUPP;
3118
3119 if (!value || !size)
3120 return -EACCES;
3121
3122 rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3123 if (rc)
3124 return rc;
3125
3126 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3127 isec->sid = newsid;
3128 isec->initialized = 1;
3129 return 0;
3130 }
3131
3132 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3133 {
3134 const int len = sizeof(XATTR_NAME_SELINUX);
3135 if (buffer && len <= buffer_size)
3136 memcpy(buffer, XATTR_NAME_SELINUX, len);
3137 return len;
3138 }
3139
3140 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3141 {
3142 struct inode_security_struct *isec = inode->i_security;
3143 *secid = isec->sid;
3144 }
3145
3146 /* file security operations */
3147
3148 static int selinux_revalidate_file_permission(struct file *file, int mask)
3149 {
3150 const struct cred *cred = current_cred();
3151 struct inode *inode = file_inode(file);
3152
3153 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3154 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3155 mask |= MAY_APPEND;
3156
3157 return file_has_perm(cred, file,
3158 file_mask_to_av(inode->i_mode, mask));
3159 }
3160
3161 static int selinux_file_permission(struct file *file, int mask)
3162 {
3163 struct inode *inode = file_inode(file);
3164 struct file_security_struct *fsec = file->f_security;
3165 struct inode_security_struct *isec = inode->i_security;
3166 u32 sid = current_sid();
3167
3168 if (!mask)
3169 /* No permission to check. Existence test. */
3170 return 0;
3171
3172 if (sid == fsec->sid && fsec->isid == isec->sid &&
3173 fsec->pseqno == avc_policy_seqno())
3174 /* No change since file_open check. */
3175 return 0;
3176
3177 return selinux_revalidate_file_permission(file, mask);
3178 }
3179
3180 static int selinux_file_alloc_security(struct file *file)
3181 {
3182 return file_alloc_security(file);
3183 }
3184
3185 static void selinux_file_free_security(struct file *file)
3186 {
3187 file_free_security(file);
3188 }
3189
3190 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3191 unsigned long arg)
3192 {
3193 const struct cred *cred = current_cred();
3194 int error = 0;
3195
3196 switch (cmd) {
3197 case FIONREAD:
3198 /* fall through */
3199 case FIBMAP:
3200 /* fall through */
3201 case FIGETBSZ:
3202 /* fall through */
3203 case FS_IOC_GETFLAGS:
3204 /* fall through */
3205 case FS_IOC_GETVERSION:
3206 error = file_has_perm(cred, file, FILE__GETATTR);
3207 break;
3208
3209 case FS_IOC_SETFLAGS:
3210 /* fall through */
3211 case FS_IOC_SETVERSION:
3212 error = file_has_perm(cred, file, FILE__SETATTR);
3213 break;
3214
3215 /* sys_ioctl() checks */
3216 case FIONBIO:
3217 /* fall through */
3218 case FIOASYNC:
3219 error = file_has_perm(cred, file, 0);
3220 break;
3221
3222 case KDSKBENT:
3223 case KDSKBSENT:
3224 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3225 SECURITY_CAP_AUDIT);
3226 break;
3227
3228 /* default case assumes that the command will go
3229 * to the file's ioctl() function.
3230 */
3231 default:
3232 error = file_has_perm(cred, file, FILE__IOCTL);
3233 }
3234 return error;
3235 }
3236
3237 static int default_noexec;
3238
3239 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3240 {
3241 const struct cred *cred = current_cred();
3242 int rc = 0;
3243
3244 if (default_noexec &&
3245 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3246 /*
3247 * We are making executable an anonymous mapping or a
3248 * private file mapping that will also be writable.
3249 * This has an additional check.
3250 */
3251 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3252 if (rc)
3253 goto error;
3254 }
3255
3256 if (file) {
3257 /* read access is always possible with a mapping */
3258 u32 av = FILE__READ;
3259
3260 /* write access only matters if the mapping is shared */
3261 if (shared && (prot & PROT_WRITE))
3262 av |= FILE__WRITE;
3263
3264 if (prot & PROT_EXEC)
3265 av |= FILE__EXECUTE;
3266
3267 return file_has_perm(cred, file, av);
3268 }
3269
3270 error:
3271 return rc;
3272 }
3273
3274 static int selinux_mmap_addr(unsigned long addr)
3275 {
3276 int rc;
3277
3278 /* do DAC check on address space usage */
3279 rc = cap_mmap_addr(addr);
3280 if (rc)
3281 return rc;
3282
3283 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3284 u32 sid = current_sid();
3285 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3286 MEMPROTECT__MMAP_ZERO, NULL);
3287 }
3288
3289 return rc;
3290 }
3291
3292 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3293 unsigned long prot, unsigned long flags)
3294 {
3295 if (selinux_checkreqprot)
3296 prot = reqprot;
3297
3298 return file_map_prot_check(file, prot,
3299 (flags & MAP_TYPE) == MAP_SHARED);
3300 }
3301
3302 static int selinux_file_mprotect(struct vm_area_struct *vma,
3303 unsigned long reqprot,
3304 unsigned long prot)
3305 {
3306 const struct cred *cred = current_cred();
3307
3308 if (selinux_checkreqprot)
3309 prot = reqprot;
3310
3311 if (default_noexec &&
3312 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3313 int rc = 0;
3314 if (vma->vm_start >= vma->vm_mm->start_brk &&
3315 vma->vm_end <= vma->vm_mm->brk) {
3316 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3317 } else if (!vma->vm_file &&
3318 vma->vm_start <= vma->vm_mm->start_stack &&
3319 vma->vm_end >= vma->vm_mm->start_stack) {
3320 rc = current_has_perm(current, PROCESS__EXECSTACK);
3321 } else if (vma->vm_file && vma->anon_vma) {
3322 /*
3323 * We are making executable a file mapping that has
3324 * had some COW done. Since pages might have been
3325 * written, check ability to execute the possibly
3326 * modified content. This typically should only
3327 * occur for text relocations.
3328 */
3329 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3330 }
3331 if (rc)
3332 return rc;
3333 }
3334
3335 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3336 }
3337
3338 static int selinux_file_lock(struct file *file, unsigned int cmd)
3339 {
3340 const struct cred *cred = current_cred();
3341
3342 return file_has_perm(cred, file, FILE__LOCK);
3343 }
3344
3345 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3346 unsigned long arg)
3347 {
3348 const struct cred *cred = current_cred();
3349 int err = 0;
3350
3351 switch (cmd) {
3352 case F_SETFL:
3353 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3354 err = file_has_perm(cred, file, FILE__WRITE);
3355 break;
3356 }
3357 /* fall through */
3358 case F_SETOWN:
3359 case F_SETSIG:
3360 case F_GETFL:
3361 case F_GETOWN:
3362 case F_GETSIG:
3363 case F_GETOWNER_UIDS:
3364 /* Just check FD__USE permission */
3365 err = file_has_perm(cred, file, 0);
3366 break;
3367 case F_GETLK:
3368 case F_SETLK:
3369 case F_SETLKW:
3370 case F_OFD_GETLK:
3371 case F_OFD_SETLK:
3372 case F_OFD_SETLKW:
3373 #if BITS_PER_LONG == 32
3374 case F_GETLK64:
3375 case F_SETLK64:
3376 case F_SETLKW64:
3377 #endif
3378 err = file_has_perm(cred, file, FILE__LOCK);
3379 break;
3380 }
3381
3382 return err;
3383 }
3384
3385 static void selinux_file_set_fowner(struct file *file)
3386 {
3387 struct file_security_struct *fsec;
3388
3389 fsec = file->f_security;
3390 fsec->fown_sid = current_sid();
3391 }
3392
3393 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3394 struct fown_struct *fown, int signum)
3395 {
3396 struct file *file;
3397 u32 sid = task_sid(tsk);
3398 u32 perm;
3399 struct file_security_struct *fsec;
3400
3401 /* struct fown_struct is never outside the context of a struct file */
3402 file = container_of(fown, struct file, f_owner);
3403
3404 fsec = file->f_security;
3405
3406 if (!signum)
3407 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3408 else
3409 perm = signal_to_av(signum);
3410
3411 return avc_has_perm(fsec->fown_sid, sid,
3412 SECCLASS_PROCESS, perm, NULL);
3413 }
3414
3415 static int selinux_file_receive(struct file *file)
3416 {
3417 const struct cred *cred = current_cred();
3418
3419 return file_has_perm(cred, file, file_to_av(file));
3420 }
3421
3422 static int selinux_file_open(struct file *file, const struct cred *cred)
3423 {
3424 struct file_security_struct *fsec;
3425 struct inode_security_struct *isec;
3426
3427 fsec = file->f_security;
3428 isec = file_inode(file)->i_security;
3429 /*
3430 * Save inode label and policy sequence number
3431 * at open-time so that selinux_file_permission
3432 * can determine whether revalidation is necessary.
3433 * Task label is already saved in the file security
3434 * struct as its SID.
3435 */
3436 fsec->isid = isec->sid;
3437 fsec->pseqno = avc_policy_seqno();
3438 /*
3439 * Since the inode label or policy seqno may have changed
3440 * between the selinux_inode_permission check and the saving
3441 * of state above, recheck that access is still permitted.
3442 * Otherwise, access might never be revalidated against the
3443 * new inode label or new policy.
3444 * This check is not redundant - do not remove.
3445 */
3446 return file_path_has_perm(cred, file, open_file_to_av(file));
3447 }
3448
3449 /* task security operations */
3450
3451 static int selinux_task_create(unsigned long clone_flags)
3452 {
3453 return current_has_perm(current, PROCESS__FORK);
3454 }
3455
3456 /*
3457 * allocate the SELinux part of blank credentials
3458 */
3459 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3460 {
3461 struct task_security_struct *tsec;
3462
3463 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3464 if (!tsec)
3465 return -ENOMEM;
3466
3467 cred->security = tsec;
3468 return 0;
3469 }
3470
3471 /*
3472 * detach and free the LSM part of a set of credentials
3473 */
3474 static void selinux_cred_free(struct cred *cred)
3475 {
3476 struct task_security_struct *tsec = cred->security;
3477
3478 /*
3479 * cred->security == NULL if security_cred_alloc_blank() or
3480 * security_prepare_creds() returned an error.
3481 */
3482 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3483 cred->security = (void *) 0x7UL;
3484 kfree(tsec);
3485 }
3486
3487 /*
3488 * prepare a new set of credentials for modification
3489 */
3490 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3491 gfp_t gfp)
3492 {
3493 const struct task_security_struct *old_tsec;
3494 struct task_security_struct *tsec;
3495
3496 old_tsec = old->security;
3497
3498 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3499 if (!tsec)
3500 return -ENOMEM;
3501
3502 new->security = tsec;
3503 return 0;
3504 }
3505
3506 /*
3507 * transfer the SELinux data to a blank set of creds
3508 */
3509 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3510 {
3511 const struct task_security_struct *old_tsec = old->security;
3512 struct task_security_struct *tsec = new->security;
3513
3514 *tsec = *old_tsec;
3515 }
3516
3517 /*
3518 * set the security data for a kernel service
3519 * - all the creation contexts are set to unlabelled
3520 */
3521 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3522 {
3523 struct task_security_struct *tsec = new->security;
3524 u32 sid = current_sid();
3525 int ret;
3526
3527 ret = avc_has_perm(sid, secid,
3528 SECCLASS_KERNEL_SERVICE,
3529 KERNEL_SERVICE__USE_AS_OVERRIDE,
3530 NULL);
3531 if (ret == 0) {
3532 tsec->sid = secid;
3533 tsec->create_sid = 0;
3534 tsec->keycreate_sid = 0;
3535 tsec->sockcreate_sid = 0;
3536 }
3537 return ret;
3538 }
3539
3540 /*
3541 * set the file creation context in a security record to the same as the
3542 * objective context of the specified inode
3543 */
3544 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3545 {
3546 struct inode_security_struct *isec = inode->i_security;
3547 struct task_security_struct *tsec = new->security;
3548 u32 sid = current_sid();
3549 int ret;
3550
3551 ret = avc_has_perm(sid, isec->sid,
3552 SECCLASS_KERNEL_SERVICE,
3553 KERNEL_SERVICE__CREATE_FILES_AS,
3554 NULL);
3555
3556 if (ret == 0)
3557 tsec->create_sid = isec->sid;
3558 return ret;
3559 }
3560
3561 static int selinux_kernel_module_request(char *kmod_name)
3562 {
3563 u32 sid;
3564 struct common_audit_data ad;
3565
3566 sid = task_sid(current);
3567
3568 ad.type = LSM_AUDIT_DATA_KMOD;
3569 ad.u.kmod_name = kmod_name;
3570
3571 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3572 SYSTEM__MODULE_REQUEST, &ad);
3573 }
3574
3575 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3576 {
3577 return current_has_perm(p, PROCESS__SETPGID);
3578 }
3579
3580 static int selinux_task_getpgid(struct task_struct *p)
3581 {
3582 return current_has_perm(p, PROCESS__GETPGID);
3583 }
3584
3585 static int selinux_task_getsid(struct task_struct *p)
3586 {
3587 return current_has_perm(p, PROCESS__GETSESSION);
3588 }
3589
3590 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3591 {
3592 *secid = task_sid(p);
3593 }
3594
3595 static int selinux_task_setnice(struct task_struct *p, int nice)
3596 {
3597 int rc;
3598
3599 rc = cap_task_setnice(p, nice);
3600 if (rc)
3601 return rc;
3602
3603 return current_has_perm(p, PROCESS__SETSCHED);
3604 }
3605
3606 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3607 {
3608 int rc;
3609
3610 rc = cap_task_setioprio(p, ioprio);
3611 if (rc)
3612 return rc;
3613
3614 return current_has_perm(p, PROCESS__SETSCHED);
3615 }
3616
3617 static int selinux_task_getioprio(struct task_struct *p)
3618 {
3619 return current_has_perm(p, PROCESS__GETSCHED);
3620 }
3621
3622 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3623 struct rlimit *new_rlim)
3624 {
3625 struct rlimit *old_rlim = p->signal->rlim + resource;
3626
3627 /* Control the ability to change the hard limit (whether
3628 lowering or raising it), so that the hard limit can
3629 later be used as a safe reset point for the soft limit
3630 upon context transitions. See selinux_bprm_committing_creds. */
3631 if (old_rlim->rlim_max != new_rlim->rlim_max)
3632 return current_has_perm(p, PROCESS__SETRLIMIT);
3633
3634 return 0;
3635 }
3636
3637 static int selinux_task_setscheduler(struct task_struct *p)
3638 {
3639 int rc;
3640
3641 rc = cap_task_setscheduler(p);
3642 if (rc)
3643 return rc;
3644
3645 return current_has_perm(p, PROCESS__SETSCHED);
3646 }
3647
3648 static int selinux_task_getscheduler(struct task_struct *p)
3649 {
3650 return current_has_perm(p, PROCESS__GETSCHED);
3651 }
3652
3653 static int selinux_task_movememory(struct task_struct *p)
3654 {
3655 return current_has_perm(p, PROCESS__SETSCHED);
3656 }
3657
3658 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3659 int sig, u32 secid)
3660 {
3661 u32 perm;
3662 int rc;
3663
3664 if (!sig)
3665 perm = PROCESS__SIGNULL; /* null signal; existence test */
3666 else
3667 perm = signal_to_av(sig);
3668 if (secid)
3669 rc = avc_has_perm(secid, task_sid(p),
3670 SECCLASS_PROCESS, perm, NULL);
3671 else
3672 rc = current_has_perm(p, perm);
3673 return rc;
3674 }
3675
3676 static int selinux_task_wait(struct task_struct *p)
3677 {
3678 return task_has_perm(p, current, PROCESS__SIGCHLD);
3679 }
3680
3681 static void selinux_task_to_inode(struct task_struct *p,
3682 struct inode *inode)
3683 {
3684 struct inode_security_struct *isec = inode->i_security;
3685 u32 sid = task_sid(p);
3686
3687 isec->sid = sid;
3688 isec->initialized = 1;
3689 }
3690
3691 /* Returns error only if unable to parse addresses */
3692 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3693 struct common_audit_data *ad, u8 *proto)
3694 {
3695 int offset, ihlen, ret = -EINVAL;
3696 struct iphdr _iph, *ih;
3697
3698 offset = skb_network_offset(skb);
3699 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3700 if (ih == NULL)
3701 goto out;
3702
3703 ihlen = ih->ihl * 4;
3704 if (ihlen < sizeof(_iph))
3705 goto out;
3706
3707 ad->u.net->v4info.saddr = ih->saddr;
3708 ad->u.net->v4info.daddr = ih->daddr;
3709 ret = 0;
3710
3711 if (proto)
3712 *proto = ih->protocol;
3713
3714 switch (ih->protocol) {
3715 case IPPROTO_TCP: {
3716 struct tcphdr _tcph, *th;
3717
3718 if (ntohs(ih->frag_off) & IP_OFFSET)
3719 break;
3720
3721 offset += ihlen;
3722 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3723 if (th == NULL)
3724 break;
3725
3726 ad->u.net->sport = th->source;
3727 ad->u.net->dport = th->dest;
3728 break;
3729 }
3730
3731 case IPPROTO_UDP: {
3732 struct udphdr _udph, *uh;
3733
3734 if (ntohs(ih->frag_off) & IP_OFFSET)
3735 break;
3736
3737 offset += ihlen;
3738 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3739 if (uh == NULL)
3740 break;
3741
3742 ad->u.net->sport = uh->source;
3743 ad->u.net->dport = uh->dest;
3744 break;
3745 }
3746
3747 case IPPROTO_DCCP: {
3748 struct dccp_hdr _dccph, *dh;
3749
3750 if (ntohs(ih->frag_off) & IP_OFFSET)
3751 break;
3752
3753 offset += ihlen;
3754 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3755 if (dh == NULL)
3756 break;
3757
3758 ad->u.net->sport = dh->dccph_sport;
3759 ad->u.net->dport = dh->dccph_dport;
3760 break;
3761 }
3762
3763 default:
3764 break;
3765 }
3766 out:
3767 return ret;
3768 }
3769
3770 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3771
3772 /* Returns error only if unable to parse addresses */
3773 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3774 struct common_audit_data *ad, u8 *proto)
3775 {
3776 u8 nexthdr;
3777 int ret = -EINVAL, offset;
3778 struct ipv6hdr _ipv6h, *ip6;
3779 __be16 frag_off;
3780
3781 offset = skb_network_offset(skb);
3782 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3783 if (ip6 == NULL)
3784 goto out;
3785
3786 ad->u.net->v6info.saddr = ip6->saddr;
3787 ad->u.net->v6info.daddr = ip6->daddr;
3788 ret = 0;
3789
3790 nexthdr = ip6->nexthdr;
3791 offset += sizeof(_ipv6h);
3792 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3793 if (offset < 0)
3794 goto out;
3795
3796 if (proto)
3797 *proto = nexthdr;
3798
3799 switch (nexthdr) {
3800 case IPPROTO_TCP: {
3801 struct tcphdr _tcph, *th;
3802
3803 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3804 if (th == NULL)
3805 break;
3806
3807 ad->u.net->sport = th->source;
3808 ad->u.net->dport = th->dest;
3809 break;
3810 }
3811
3812 case IPPROTO_UDP: {
3813 struct udphdr _udph, *uh;
3814
3815 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3816 if (uh == NULL)
3817 break;
3818
3819 ad->u.net->sport = uh->source;
3820 ad->u.net->dport = uh->dest;
3821 break;
3822 }
3823
3824 case IPPROTO_DCCP: {
3825 struct dccp_hdr _dccph, *dh;
3826
3827 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3828 if (dh == NULL)
3829 break;
3830
3831 ad->u.net->sport = dh->dccph_sport;
3832 ad->u.net->dport = dh->dccph_dport;
3833 break;
3834 }
3835
3836 /* includes fragments */
3837 default:
3838 break;
3839 }
3840 out:
3841 return ret;
3842 }
3843
3844 #endif /* IPV6 */
3845
3846 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3847 char **_addrp, int src, u8 *proto)
3848 {
3849 char *addrp;
3850 int ret;
3851
3852 switch (ad->u.net->family) {
3853 case PF_INET:
3854 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3855 if (ret)
3856 goto parse_error;
3857 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3858 &ad->u.net->v4info.daddr);
3859 goto okay;
3860
3861 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3862 case PF_INET6:
3863 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3864 if (ret)
3865 goto parse_error;
3866 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3867 &ad->u.net->v6info.daddr);
3868 goto okay;
3869 #endif /* IPV6 */
3870 default:
3871 addrp = NULL;
3872 goto okay;
3873 }
3874
3875 parse_error:
3876 printk(KERN_WARNING
3877 "SELinux: failure in selinux_parse_skb(),"
3878 " unable to parse packet\n");
3879 return ret;
3880
3881 okay:
3882 if (_addrp)
3883 *_addrp = addrp;
3884 return 0;
3885 }
3886
3887 /**
3888 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3889 * @skb: the packet
3890 * @family: protocol family
3891 * @sid: the packet's peer label SID
3892 *
3893 * Description:
3894 * Check the various different forms of network peer labeling and determine
3895 * the peer label/SID for the packet; most of the magic actually occurs in
3896 * the security server function security_net_peersid_cmp(). The function
3897 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3898 * or -EACCES if @sid is invalid due to inconsistencies with the different
3899 * peer labels.
3900 *
3901 */
3902 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3903 {
3904 int err;
3905 u32 xfrm_sid;
3906 u32 nlbl_sid;
3907 u32 nlbl_type;
3908
3909 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3910 if (unlikely(err))
3911 return -EACCES;
3912 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3913 if (unlikely(err))
3914 return -EACCES;
3915
3916 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3917 if (unlikely(err)) {
3918 printk(KERN_WARNING
3919 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3920 " unable to determine packet's peer label\n");
3921 return -EACCES;
3922 }
3923
3924 return 0;
3925 }
3926
3927 /**
3928 * selinux_conn_sid - Determine the child socket label for a connection
3929 * @sk_sid: the parent socket's SID
3930 * @skb_sid: the packet's SID
3931 * @conn_sid: the resulting connection SID
3932 *
3933 * If @skb_sid is valid then the user:role:type information from @sk_sid is
3934 * combined with the MLS information from @skb_sid in order to create
3935 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
3936 * of @sk_sid. Returns zero on success, negative values on failure.
3937 *
3938 */
3939 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3940 {
3941 int err = 0;
3942
3943 if (skb_sid != SECSID_NULL)
3944 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3945 else
3946 *conn_sid = sk_sid;
3947
3948 return err;
3949 }
3950
3951 /* socket security operations */
3952
3953 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3954 u16 secclass, u32 *socksid)
3955 {
3956 if (tsec->sockcreate_sid > SECSID_NULL) {
3957 *socksid = tsec->sockcreate_sid;
3958 return 0;
3959 }
3960
3961 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3962 socksid);
3963 }
3964
3965 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3966 {
3967 struct sk_security_struct *sksec = sk->sk_security;
3968 struct common_audit_data ad;
3969 struct lsm_network_audit net = {0,};
3970 u32 tsid = task_sid(task);
3971
3972 if (sksec->sid == SECINITSID_KERNEL)
3973 return 0;
3974
3975 ad.type = LSM_AUDIT_DATA_NET;
3976 ad.u.net = &net;
3977 ad.u.net->sk = sk;
3978
3979 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3980 }
3981
3982 static int selinux_socket_create(int family, int type,
3983 int protocol, int kern)
3984 {
3985 const struct task_security_struct *tsec = current_security();
3986 u32 newsid;
3987 u16 secclass;
3988 int rc;
3989
3990 if (kern)
3991 return 0;
3992
3993 secclass = socket_type_to_security_class(family, type, protocol);
3994 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3995 if (rc)
3996 return rc;
3997
3998 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3999 }
4000
4001 static int selinux_socket_post_create(struct socket *sock, int family,
4002 int type, int protocol, int kern)
4003 {
4004 const struct task_security_struct *tsec = current_security();
4005 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4006 struct sk_security_struct *sksec;
4007 int err = 0;
4008
4009 isec->sclass = socket_type_to_security_class(family, type, protocol);
4010
4011 if (kern)
4012 isec->sid = SECINITSID_KERNEL;
4013 else {
4014 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4015 if (err)
4016 return err;
4017 }
4018
4019 isec->initialized = 1;
4020
4021 if (sock->sk) {
4022 sksec = sock->sk->sk_security;
4023 sksec->sid = isec->sid;
4024 sksec->sclass = isec->sclass;
4025 err = selinux_netlbl_socket_post_create(sock->sk, family);
4026 }
4027
4028 return err;
4029 }
4030
4031 /* Range of port numbers used to automatically bind.
4032 Need to determine whether we should perform a name_bind
4033 permission check between the socket and the port number. */
4034
4035 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4036 {
4037 struct sock *sk = sock->sk;
4038 u16 family;
4039 int err;
4040
4041 err = sock_has_perm(current, sk, SOCKET__BIND);
4042 if (err)
4043 goto out;
4044
4045 /*
4046 * If PF_INET or PF_INET6, check name_bind permission for the port.
4047 * Multiple address binding for SCTP is not supported yet: we just
4048 * check the first address now.
4049 */
4050 family = sk->sk_family;
4051 if (family == PF_INET || family == PF_INET6) {
4052 char *addrp;
4053 struct sk_security_struct *sksec = sk->sk_security;
4054 struct common_audit_data ad;
4055 struct lsm_network_audit net = {0,};
4056 struct sockaddr_in *addr4 = NULL;
4057 struct sockaddr_in6 *addr6 = NULL;
4058 unsigned short snum;
4059 u32 sid, node_perm;
4060
4061 if (family == PF_INET) {
4062 addr4 = (struct sockaddr_in *)address;
4063 snum = ntohs(addr4->sin_port);
4064 addrp = (char *)&addr4->sin_addr.s_addr;
4065 } else {
4066 addr6 = (struct sockaddr_in6 *)address;
4067 snum = ntohs(addr6->sin6_port);
4068 addrp = (char *)&addr6->sin6_addr.s6_addr;
4069 }
4070
4071 if (snum) {
4072 int low, high;
4073
4074 inet_get_local_port_range(sock_net(sk), &low, &high);
4075
4076 if (snum < max(PROT_SOCK, low) || snum > high) {
4077 err = sel_netport_sid(sk->sk_protocol,
4078 snum, &sid);
4079 if (err)
4080 goto out;
4081 ad.type = LSM_AUDIT_DATA_NET;
4082 ad.u.net = &net;
4083 ad.u.net->sport = htons(snum);
4084 ad.u.net->family = family;
4085 err = avc_has_perm(sksec->sid, sid,
4086 sksec->sclass,
4087 SOCKET__NAME_BIND, &ad);
4088 if (err)
4089 goto out;
4090 }
4091 }
4092
4093 switch (sksec->sclass) {
4094 case SECCLASS_TCP_SOCKET:
4095 node_perm = TCP_SOCKET__NODE_BIND;
4096 break;
4097
4098 case SECCLASS_UDP_SOCKET:
4099 node_perm = UDP_SOCKET__NODE_BIND;
4100 break;
4101
4102 case SECCLASS_DCCP_SOCKET:
4103 node_perm = DCCP_SOCKET__NODE_BIND;
4104 break;
4105
4106 default:
4107 node_perm = RAWIP_SOCKET__NODE_BIND;
4108 break;
4109 }
4110
4111 err = sel_netnode_sid(addrp, family, &sid);
4112 if (err)
4113 goto out;
4114
4115 ad.type = LSM_AUDIT_DATA_NET;
4116 ad.u.net = &net;
4117 ad.u.net->sport = htons(snum);
4118 ad.u.net->family = family;
4119
4120 if (family == PF_INET)
4121 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4122 else
4123 ad.u.net->v6info.saddr = addr6->sin6_addr;
4124
4125 err = avc_has_perm(sksec->sid, sid,
4126 sksec->sclass, node_perm, &ad);
4127 if (err)
4128 goto out;
4129 }
4130 out:
4131 return err;
4132 }
4133
4134 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4135 {
4136 struct sock *sk = sock->sk;
4137 struct sk_security_struct *sksec = sk->sk_security;
4138 int err;
4139
4140 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4141 if (err)
4142 return err;
4143
4144 /*
4145 * If a TCP or DCCP socket, check name_connect permission for the port.
4146 */
4147 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4148 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4149 struct common_audit_data ad;
4150 struct lsm_network_audit net = {0,};
4151 struct sockaddr_in *addr4 = NULL;
4152 struct sockaddr_in6 *addr6 = NULL;
4153 unsigned short snum;
4154 u32 sid, perm;
4155
4156 if (sk->sk_family == PF_INET) {
4157 addr4 = (struct sockaddr_in *)address;
4158 if (addrlen < sizeof(struct sockaddr_in))
4159 return -EINVAL;
4160 snum = ntohs(addr4->sin_port);
4161 } else {
4162 addr6 = (struct sockaddr_in6 *)address;
4163 if (addrlen < SIN6_LEN_RFC2133)
4164 return -EINVAL;
4165 snum = ntohs(addr6->sin6_port);
4166 }
4167
4168 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4169 if (err)
4170 goto out;
4171
4172 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4173 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4174
4175 ad.type = LSM_AUDIT_DATA_NET;
4176 ad.u.net = &net;
4177 ad.u.net->dport = htons(snum);
4178 ad.u.net->family = sk->sk_family;
4179 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4180 if (err)
4181 goto out;
4182 }
4183
4184 err = selinux_netlbl_socket_connect(sk, address);
4185
4186 out:
4187 return err;
4188 }
4189
4190 static int selinux_socket_listen(struct socket *sock, int backlog)
4191 {
4192 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4193 }
4194
4195 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4196 {
4197 int err;
4198 struct inode_security_struct *isec;
4199 struct inode_security_struct *newisec;
4200
4201 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4202 if (err)
4203 return err;
4204
4205 newisec = SOCK_INODE(newsock)->i_security;
4206
4207 isec = SOCK_INODE(sock)->i_security;
4208 newisec->sclass = isec->sclass;
4209 newisec->sid = isec->sid;
4210 newisec->initialized = 1;
4211
4212 return 0;
4213 }
4214
4215 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4216 int size)
4217 {
4218 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4219 }
4220
4221 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4222 int size, int flags)
4223 {
4224 return sock_has_perm(current, sock->sk, SOCKET__READ);
4225 }
4226
4227 static int selinux_socket_getsockname(struct socket *sock)
4228 {
4229 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4230 }
4231
4232 static int selinux_socket_getpeername(struct socket *sock)
4233 {
4234 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4235 }
4236
4237 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4238 {
4239 int err;
4240
4241 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4242 if (err)
4243 return err;
4244
4245 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4246 }
4247
4248 static int selinux_socket_getsockopt(struct socket *sock, int level,
4249 int optname)
4250 {
4251 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4252 }
4253
4254 static int selinux_socket_shutdown(struct socket *sock, int how)
4255 {
4256 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4257 }
4258
4259 static int selinux_socket_unix_stream_connect(struct sock *sock,
4260 struct sock *other,
4261 struct sock *newsk)
4262 {
4263 struct sk_security_struct *sksec_sock = sock->sk_security;
4264 struct sk_security_struct *sksec_other = other->sk_security;
4265 struct sk_security_struct *sksec_new = newsk->sk_security;
4266 struct common_audit_data ad;
4267 struct lsm_network_audit net = {0,};
4268 int err;
4269
4270 ad.type = LSM_AUDIT_DATA_NET;
4271 ad.u.net = &net;
4272 ad.u.net->sk = other;
4273
4274 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4275 sksec_other->sclass,
4276 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4277 if (err)
4278 return err;
4279
4280 /* server child socket */
4281 sksec_new->peer_sid = sksec_sock->sid;
4282 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4283 &sksec_new->sid);
4284 if (err)
4285 return err;
4286
4287 /* connecting socket */
4288 sksec_sock->peer_sid = sksec_new->sid;
4289
4290 return 0;
4291 }
4292
4293 static int selinux_socket_unix_may_send(struct socket *sock,
4294 struct socket *other)
4295 {
4296 struct sk_security_struct *ssec = sock->sk->sk_security;
4297 struct sk_security_struct *osec = other->sk->sk_security;
4298 struct common_audit_data ad;
4299 struct lsm_network_audit net = {0,};
4300
4301 ad.type = LSM_AUDIT_DATA_NET;
4302 ad.u.net = &net;
4303 ad.u.net->sk = other->sk;
4304
4305 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4306 &ad);
4307 }
4308
4309 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4310 char *addrp, u16 family, u32 peer_sid,
4311 struct common_audit_data *ad)
4312 {
4313 int err;
4314 u32 if_sid;
4315 u32 node_sid;
4316
4317 err = sel_netif_sid(ns, ifindex, &if_sid);
4318 if (err)
4319 return err;
4320 err = avc_has_perm(peer_sid, if_sid,
4321 SECCLASS_NETIF, NETIF__INGRESS, ad);
4322 if (err)
4323 return err;
4324
4325 err = sel_netnode_sid(addrp, family, &node_sid);
4326 if (err)
4327 return err;
4328 return avc_has_perm(peer_sid, node_sid,
4329 SECCLASS_NODE, NODE__RECVFROM, ad);
4330 }
4331
4332 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4333 u16 family)
4334 {
4335 int err = 0;
4336 struct sk_security_struct *sksec = sk->sk_security;
4337 u32 sk_sid = sksec->sid;
4338 struct common_audit_data ad;
4339 struct lsm_network_audit net = {0,};
4340 char *addrp;
4341
4342 ad.type = LSM_AUDIT_DATA_NET;
4343 ad.u.net = &net;
4344 ad.u.net->netif = skb->skb_iif;
4345 ad.u.net->family = family;
4346 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4347 if (err)
4348 return err;
4349
4350 if (selinux_secmark_enabled()) {
4351 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4352 PACKET__RECV, &ad);
4353 if (err)
4354 return err;
4355 }
4356
4357 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4358 if (err)
4359 return err;
4360 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4361
4362 return err;
4363 }
4364
4365 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4366 {
4367 int err;
4368 struct sk_security_struct *sksec = sk->sk_security;
4369 u16 family = sk->sk_family;
4370 u32 sk_sid = sksec->sid;
4371 struct common_audit_data ad;
4372 struct lsm_network_audit net = {0,};
4373 char *addrp;
4374 u8 secmark_active;
4375 u8 peerlbl_active;
4376
4377 if (family != PF_INET && family != PF_INET6)
4378 return 0;
4379
4380 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4381 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4382 family = PF_INET;
4383
4384 /* If any sort of compatibility mode is enabled then handoff processing
4385 * to the selinux_sock_rcv_skb_compat() function to deal with the
4386 * special handling. We do this in an attempt to keep this function
4387 * as fast and as clean as possible. */
4388 if (!selinux_policycap_netpeer)
4389 return selinux_sock_rcv_skb_compat(sk, skb, family);
4390
4391 secmark_active = selinux_secmark_enabled();
4392 peerlbl_active = selinux_peerlbl_enabled();
4393 if (!secmark_active && !peerlbl_active)
4394 return 0;
4395
4396 ad.type = LSM_AUDIT_DATA_NET;
4397 ad.u.net = &net;
4398 ad.u.net->netif = skb->skb_iif;
4399 ad.u.net->family = family;
4400 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4401 if (err)
4402 return err;
4403
4404 if (peerlbl_active) {
4405 u32 peer_sid;
4406
4407 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4408 if (err)
4409 return err;
4410 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4411 addrp, family, peer_sid, &ad);
4412 if (err) {
4413 selinux_netlbl_err(skb, err, 0);
4414 return err;
4415 }
4416 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4417 PEER__RECV, &ad);
4418 if (err) {
4419 selinux_netlbl_err(skb, err, 0);
4420 return err;
4421 }
4422 }
4423
4424 if (secmark_active) {
4425 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4426 PACKET__RECV, &ad);
4427 if (err)
4428 return err;
4429 }
4430
4431 return err;
4432 }
4433
4434 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4435 int __user *optlen, unsigned len)
4436 {
4437 int err = 0;
4438 char *scontext;
4439 u32 scontext_len;
4440 struct sk_security_struct *sksec = sock->sk->sk_security;
4441 u32 peer_sid = SECSID_NULL;
4442
4443 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4444 sksec->sclass == SECCLASS_TCP_SOCKET)
4445 peer_sid = sksec->peer_sid;
4446 if (peer_sid == SECSID_NULL)
4447 return -ENOPROTOOPT;
4448
4449 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4450 if (err)
4451 return err;
4452
4453 if (scontext_len > len) {
4454 err = -ERANGE;
4455 goto out_len;
4456 }
4457
4458 if (copy_to_user(optval, scontext, scontext_len))
4459 err = -EFAULT;
4460
4461 out_len:
4462 if (put_user(scontext_len, optlen))
4463 err = -EFAULT;
4464 kfree(scontext);
4465 return err;
4466 }
4467
4468 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4469 {
4470 u32 peer_secid = SECSID_NULL;
4471 u16 family;
4472
4473 if (skb && skb->protocol == htons(ETH_P_IP))
4474 family = PF_INET;
4475 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4476 family = PF_INET6;
4477 else if (sock)
4478 family = sock->sk->sk_family;
4479 else
4480 goto out;
4481
4482 if (sock && family == PF_UNIX)
4483 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4484 else if (skb)
4485 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4486
4487 out:
4488 *secid = peer_secid;
4489 if (peer_secid == SECSID_NULL)
4490 return -EINVAL;
4491 return 0;
4492 }
4493
4494 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4495 {
4496 struct sk_security_struct *sksec;
4497
4498 sksec = kzalloc(sizeof(*sksec), priority);
4499 if (!sksec)
4500 return -ENOMEM;
4501
4502 sksec->peer_sid = SECINITSID_UNLABELED;
4503 sksec->sid = SECINITSID_UNLABELED;
4504 selinux_netlbl_sk_security_reset(sksec);
4505 sk->sk_security = sksec;
4506
4507 return 0;
4508 }
4509
4510 static void selinux_sk_free_security(struct sock *sk)
4511 {
4512 struct sk_security_struct *sksec = sk->sk_security;
4513
4514 sk->sk_security = NULL;
4515 selinux_netlbl_sk_security_free(sksec);
4516 kfree(sksec);
4517 }
4518
4519 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4520 {
4521 struct sk_security_struct *sksec = sk->sk_security;
4522 struct sk_security_struct *newsksec = newsk->sk_security;
4523
4524 newsksec->sid = sksec->sid;
4525 newsksec->peer_sid = sksec->peer_sid;
4526 newsksec->sclass = sksec->sclass;
4527
4528 selinux_netlbl_sk_security_reset(newsksec);
4529 }
4530
4531 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4532 {
4533 if (!sk)
4534 *secid = SECINITSID_ANY_SOCKET;
4535 else {
4536 struct sk_security_struct *sksec = sk->sk_security;
4537
4538 *secid = sksec->sid;
4539 }
4540 }
4541
4542 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4543 {
4544 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4545 struct sk_security_struct *sksec = sk->sk_security;
4546
4547 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4548 sk->sk_family == PF_UNIX)
4549 isec->sid = sksec->sid;
4550 sksec->sclass = isec->sclass;
4551 }
4552
4553 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4554 struct request_sock *req)
4555 {
4556 struct sk_security_struct *sksec = sk->sk_security;
4557 int err;
4558 u16 family = req->rsk_ops->family;
4559 u32 connsid;
4560 u32 peersid;
4561
4562 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4563 if (err)
4564 return err;
4565 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4566 if (err)
4567 return err;
4568 req->secid = connsid;
4569 req->peer_secid = peersid;
4570
4571 return selinux_netlbl_inet_conn_request(req, family);
4572 }
4573
4574 static void selinux_inet_csk_clone(struct sock *newsk,
4575 const struct request_sock *req)
4576 {
4577 struct sk_security_struct *newsksec = newsk->sk_security;
4578
4579 newsksec->sid = req->secid;
4580 newsksec->peer_sid = req->peer_secid;
4581 /* NOTE: Ideally, we should also get the isec->sid for the
4582 new socket in sync, but we don't have the isec available yet.
4583 So we will wait until sock_graft to do it, by which
4584 time it will have been created and available. */
4585
4586 /* We don't need to take any sort of lock here as we are the only
4587 * thread with access to newsksec */
4588 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4589 }
4590
4591 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4592 {
4593 u16 family = sk->sk_family;
4594 struct sk_security_struct *sksec = sk->sk_security;
4595
4596 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4597 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4598 family = PF_INET;
4599
4600 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4601 }
4602
4603 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4604 {
4605 skb_set_owner_w(skb, sk);
4606 }
4607
4608 static int selinux_secmark_relabel_packet(u32 sid)
4609 {
4610 const struct task_security_struct *__tsec;
4611 u32 tsid;
4612
4613 __tsec = current_security();
4614 tsid = __tsec->sid;
4615
4616 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4617 }
4618
4619 static void selinux_secmark_refcount_inc(void)
4620 {
4621 atomic_inc(&selinux_secmark_refcount);
4622 }
4623
4624 static void selinux_secmark_refcount_dec(void)
4625 {
4626 atomic_dec(&selinux_secmark_refcount);
4627 }
4628
4629 static void selinux_req_classify_flow(const struct request_sock *req,
4630 struct flowi *fl)
4631 {
4632 fl->flowi_secid = req->secid;
4633 }
4634
4635 static int selinux_tun_dev_alloc_security(void **security)
4636 {
4637 struct tun_security_struct *tunsec;
4638
4639 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4640 if (!tunsec)
4641 return -ENOMEM;
4642 tunsec->sid = current_sid();
4643
4644 *security = tunsec;
4645 return 0;
4646 }
4647
4648 static void selinux_tun_dev_free_security(void *security)
4649 {
4650 kfree(security);
4651 }
4652
4653 static int selinux_tun_dev_create(void)
4654 {
4655 u32 sid = current_sid();
4656
4657 /* we aren't taking into account the "sockcreate" SID since the socket
4658 * that is being created here is not a socket in the traditional sense,
4659 * instead it is a private sock, accessible only to the kernel, and
4660 * representing a wide range of network traffic spanning multiple
4661 * connections unlike traditional sockets - check the TUN driver to
4662 * get a better understanding of why this socket is special */
4663
4664 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4665 NULL);
4666 }
4667
4668 static int selinux_tun_dev_attach_queue(void *security)
4669 {
4670 struct tun_security_struct *tunsec = security;
4671
4672 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4673 TUN_SOCKET__ATTACH_QUEUE, NULL);
4674 }
4675
4676 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4677 {
4678 struct tun_security_struct *tunsec = security;
4679 struct sk_security_struct *sksec = sk->sk_security;
4680
4681 /* we don't currently perform any NetLabel based labeling here and it
4682 * isn't clear that we would want to do so anyway; while we could apply
4683 * labeling without the support of the TUN user the resulting labeled
4684 * traffic from the other end of the connection would almost certainly
4685 * cause confusion to the TUN user that had no idea network labeling
4686 * protocols were being used */
4687
4688 sksec->sid = tunsec->sid;
4689 sksec->sclass = SECCLASS_TUN_SOCKET;
4690
4691 return 0;
4692 }
4693
4694 static int selinux_tun_dev_open(void *security)
4695 {
4696 struct tun_security_struct *tunsec = security;
4697 u32 sid = current_sid();
4698 int err;
4699
4700 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4701 TUN_SOCKET__RELABELFROM, NULL);
4702 if (err)
4703 return err;
4704 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4705 TUN_SOCKET__RELABELTO, NULL);
4706 if (err)
4707 return err;
4708 tunsec->sid = sid;
4709
4710 return 0;
4711 }
4712
4713 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4714 {
4715 int err = 0;
4716 u32 perm;
4717 struct nlmsghdr *nlh;
4718 struct sk_security_struct *sksec = sk->sk_security;
4719
4720 if (skb->len < NLMSG_HDRLEN) {
4721 err = -EINVAL;
4722 goto out;
4723 }
4724 nlh = nlmsg_hdr(skb);
4725
4726 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4727 if (err) {
4728 if (err == -EINVAL) {
4729 printk(KERN_WARNING
4730 "SELinux: unrecognized netlink message:"
4731 " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
4732 sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
4733 if (!selinux_enforcing || security_get_allow_unknown())
4734 err = 0;
4735 }
4736
4737 /* Ignore */
4738 if (err == -ENOENT)
4739 err = 0;
4740 goto out;
4741 }
4742
4743 err = sock_has_perm(current, sk, perm);
4744 out:
4745 return err;
4746 }
4747
4748 #ifdef CONFIG_NETFILTER
4749
4750 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4751 const struct net_device *indev,
4752 u16 family)
4753 {
4754 int err;
4755 char *addrp;
4756 u32 peer_sid;
4757 struct common_audit_data ad;
4758 struct lsm_network_audit net = {0,};
4759 u8 secmark_active;
4760 u8 netlbl_active;
4761 u8 peerlbl_active;
4762
4763 if (!selinux_policycap_netpeer)
4764 return NF_ACCEPT;
4765
4766 secmark_active = selinux_secmark_enabled();
4767 netlbl_active = netlbl_enabled();
4768 peerlbl_active = selinux_peerlbl_enabled();
4769 if (!secmark_active && !peerlbl_active)
4770 return NF_ACCEPT;
4771
4772 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4773 return NF_DROP;
4774
4775 ad.type = LSM_AUDIT_DATA_NET;
4776 ad.u.net = &net;
4777 ad.u.net->netif = indev->ifindex;
4778 ad.u.net->family = family;
4779 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4780 return NF_DROP;
4781
4782 if (peerlbl_active) {
4783 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4784 addrp, family, peer_sid, &ad);
4785 if (err) {
4786 selinux_netlbl_err(skb, err, 1);
4787 return NF_DROP;
4788 }
4789 }
4790
4791 if (secmark_active)
4792 if (avc_has_perm(peer_sid, skb->secmark,
4793 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4794 return NF_DROP;
4795
4796 if (netlbl_active)
4797 /* we do this in the FORWARD path and not the POST_ROUTING
4798 * path because we want to make sure we apply the necessary
4799 * labeling before IPsec is applied so we can leverage AH
4800 * protection */
4801 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4802 return NF_DROP;
4803
4804 return NF_ACCEPT;
4805 }
4806
4807 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4808 struct sk_buff *skb,
4809 const struct net_device *in,
4810 const struct net_device *out,
4811 int (*okfn)(struct sk_buff *))
4812 {
4813 return selinux_ip_forward(skb, in, PF_INET);
4814 }
4815
4816 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4817 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4818 struct sk_buff *skb,
4819 const struct net_device *in,
4820 const struct net_device *out,
4821 int (*okfn)(struct sk_buff *))
4822 {
4823 return selinux_ip_forward(skb, in, PF_INET6);
4824 }
4825 #endif /* IPV6 */
4826
4827 static unsigned int selinux_ip_output(struct sk_buff *skb,
4828 u16 family)
4829 {
4830 struct sock *sk;
4831 u32 sid;
4832
4833 if (!netlbl_enabled())
4834 return NF_ACCEPT;
4835
4836 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4837 * because we want to make sure we apply the necessary labeling
4838 * before IPsec is applied so we can leverage AH protection */
4839 sk = skb->sk;
4840 if (sk) {
4841 struct sk_security_struct *sksec;
4842
4843 if (sk->sk_state == TCP_LISTEN)
4844 /* if the socket is the listening state then this
4845 * packet is a SYN-ACK packet which means it needs to
4846 * be labeled based on the connection/request_sock and
4847 * not the parent socket. unfortunately, we can't
4848 * lookup the request_sock yet as it isn't queued on
4849 * the parent socket until after the SYN-ACK is sent.
4850 * the "solution" is to simply pass the packet as-is
4851 * as any IP option based labeling should be copied
4852 * from the initial connection request (in the IP
4853 * layer). it is far from ideal, but until we get a
4854 * security label in the packet itself this is the
4855 * best we can do. */
4856 return NF_ACCEPT;
4857
4858 /* standard practice, label using the parent socket */
4859 sksec = sk->sk_security;
4860 sid = sksec->sid;
4861 } else
4862 sid = SECINITSID_KERNEL;
4863 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4864 return NF_DROP;
4865
4866 return NF_ACCEPT;
4867 }
4868
4869 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4870 struct sk_buff *skb,
4871 const struct net_device *in,
4872 const struct net_device *out,
4873 int (*okfn)(struct sk_buff *))
4874 {
4875 return selinux_ip_output(skb, PF_INET);
4876 }
4877
4878 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4879 int ifindex,
4880 u16 family)
4881 {
4882 struct sock *sk = skb->sk;
4883 struct sk_security_struct *sksec;
4884 struct common_audit_data ad;
4885 struct lsm_network_audit net = {0,};
4886 char *addrp;
4887 u8 proto;
4888
4889 if (sk == NULL)
4890 return NF_ACCEPT;
4891 sksec = sk->sk_security;
4892
4893 ad.type = LSM_AUDIT_DATA_NET;
4894 ad.u.net = &net;
4895 ad.u.net->netif = ifindex;
4896 ad.u.net->family = family;
4897 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4898 return NF_DROP;
4899
4900 if (selinux_secmark_enabled())
4901 if (avc_has_perm(sksec->sid, skb->secmark,
4902 SECCLASS_PACKET, PACKET__SEND, &ad))
4903 return NF_DROP_ERR(-ECONNREFUSED);
4904
4905 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4906 return NF_DROP_ERR(-ECONNREFUSED);
4907
4908 return NF_ACCEPT;
4909 }
4910
4911 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4912 const struct net_device *outdev,
4913 u16 family)
4914 {
4915 u32 secmark_perm;
4916 u32 peer_sid;
4917 int ifindex = outdev->ifindex;
4918 struct sock *sk;
4919 struct common_audit_data ad;
4920 struct lsm_network_audit net = {0,};
4921 char *addrp;
4922 u8 secmark_active;
4923 u8 peerlbl_active;
4924
4925 /* If any sort of compatibility mode is enabled then handoff processing
4926 * to the selinux_ip_postroute_compat() function to deal with the
4927 * special handling. We do this in an attempt to keep this function
4928 * as fast and as clean as possible. */
4929 if (!selinux_policycap_netpeer)
4930 return selinux_ip_postroute_compat(skb, ifindex, family);
4931
4932 secmark_active = selinux_secmark_enabled();
4933 peerlbl_active = selinux_peerlbl_enabled();
4934 if (!secmark_active && !peerlbl_active)
4935 return NF_ACCEPT;
4936
4937 sk = skb->sk;
4938
4939 #ifdef CONFIG_XFRM
4940 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4941 * packet transformation so allow the packet to pass without any checks
4942 * since we'll have another chance to perform access control checks
4943 * when the packet is on it's final way out.
4944 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4945 * is NULL, in this case go ahead and apply access control.
4946 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4947 * TCP listening state we cannot wait until the XFRM processing
4948 * is done as we will miss out on the SA label if we do;
4949 * unfortunately, this means more work, but it is only once per
4950 * connection. */
4951 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4952 !(sk != NULL && sk->sk_state == TCP_LISTEN))
4953 return NF_ACCEPT;
4954 #endif
4955
4956 if (sk == NULL) {
4957 /* Without an associated socket the packet is either coming
4958 * from the kernel or it is being forwarded; check the packet
4959 * to determine which and if the packet is being forwarded
4960 * query the packet directly to determine the security label. */
4961 if (skb->skb_iif) {
4962 secmark_perm = PACKET__FORWARD_OUT;
4963 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4964 return NF_DROP;
4965 } else {
4966 secmark_perm = PACKET__SEND;
4967 peer_sid = SECINITSID_KERNEL;
4968 }
4969 } else if (sk->sk_state == TCP_LISTEN) {
4970 /* Locally generated packet but the associated socket is in the
4971 * listening state which means this is a SYN-ACK packet. In
4972 * this particular case the correct security label is assigned
4973 * to the connection/request_sock but unfortunately we can't
4974 * query the request_sock as it isn't queued on the parent
4975 * socket until after the SYN-ACK packet is sent; the only
4976 * viable choice is to regenerate the label like we do in
4977 * selinux_inet_conn_request(). See also selinux_ip_output()
4978 * for similar problems. */
4979 u32 skb_sid;
4980 struct sk_security_struct *sksec = sk->sk_security;
4981 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4982 return NF_DROP;
4983 /* At this point, if the returned skb peerlbl is SECSID_NULL
4984 * and the packet has been through at least one XFRM
4985 * transformation then we must be dealing with the "final"
4986 * form of labeled IPsec packet; since we've already applied
4987 * all of our access controls on this packet we can safely
4988 * pass the packet. */
4989 if (skb_sid == SECSID_NULL) {
4990 switch (family) {
4991 case PF_INET:
4992 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4993 return NF_ACCEPT;
4994 break;
4995 case PF_INET6:
4996 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4997 return NF_ACCEPT;
4998 break;
4999 default:
5000 return NF_DROP_ERR(-ECONNREFUSED);
5001 }
5002 }
5003 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5004 return NF_DROP;
5005 secmark_perm = PACKET__SEND;
5006 } else {
5007 /* Locally generated packet, fetch the security label from the
5008 * associated socket. */
5009 struct sk_security_struct *sksec = sk->sk_security;
5010 peer_sid = sksec->sid;
5011 secmark_perm = PACKET__SEND;
5012 }
5013
5014 ad.type = LSM_AUDIT_DATA_NET;
5015 ad.u.net = &net;
5016 ad.u.net->netif = ifindex;
5017 ad.u.net->family = family;
5018 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5019 return NF_DROP;
5020
5021 if (secmark_active)
5022 if (avc_has_perm(peer_sid, skb->secmark,
5023 SECCLASS_PACKET, secmark_perm, &ad))
5024 return NF_DROP_ERR(-ECONNREFUSED);
5025
5026 if (peerlbl_active) {
5027 u32 if_sid;
5028 u32 node_sid;
5029
5030 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5031 return NF_DROP;
5032 if (avc_has_perm(peer_sid, if_sid,
5033 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5034 return NF_DROP_ERR(-ECONNREFUSED);
5035
5036 if (sel_netnode_sid(addrp, family, &node_sid))
5037 return NF_DROP;
5038 if (avc_has_perm(peer_sid, node_sid,
5039 SECCLASS_NODE, NODE__SENDTO, &ad))
5040 return NF_DROP_ERR(-ECONNREFUSED);
5041 }
5042
5043 return NF_ACCEPT;
5044 }
5045
5046 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5047 struct sk_buff *skb,
5048 const struct net_device *in,
5049 const struct net_device *out,
5050 int (*okfn)(struct sk_buff *))
5051 {
5052 return selinux_ip_postroute(skb, out, PF_INET);
5053 }
5054
5055 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5056 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5057 struct sk_buff *skb,
5058 const struct net_device *in,
5059 const struct net_device *out,
5060 int (*okfn)(struct sk_buff *))
5061 {
5062 return selinux_ip_postroute(skb, out, PF_INET6);
5063 }
5064 #endif /* IPV6 */
5065
5066 #endif /* CONFIG_NETFILTER */
5067
5068 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5069 {
5070 int err;
5071
5072 err = cap_netlink_send(sk, skb);
5073 if (err)
5074 return err;
5075
5076 return selinux_nlmsg_perm(sk, skb);
5077 }
5078
5079 static int ipc_alloc_security(struct task_struct *task,
5080 struct kern_ipc_perm *perm,
5081 u16 sclass)
5082 {
5083 struct ipc_security_struct *isec;
5084 u32 sid;
5085
5086 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5087 if (!isec)
5088 return -ENOMEM;
5089
5090 sid = task_sid(task);
5091 isec->sclass = sclass;
5092 isec->sid = sid;
5093 perm->security = isec;
5094
5095 return 0;
5096 }
5097
5098 static void ipc_free_security(struct kern_ipc_perm *perm)
5099 {
5100 struct ipc_security_struct *isec = perm->security;
5101 perm->security = NULL;
5102 kfree(isec);
5103 }
5104
5105 static int msg_msg_alloc_security(struct msg_msg *msg)
5106 {
5107 struct msg_security_struct *msec;
5108
5109 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5110 if (!msec)
5111 return -ENOMEM;
5112
5113 msec->sid = SECINITSID_UNLABELED;
5114 msg->security = msec;
5115
5116 return 0;
5117 }
5118
5119 static void msg_msg_free_security(struct msg_msg *msg)
5120 {
5121 struct msg_security_struct *msec = msg->security;
5122
5123 msg->security = NULL;
5124 kfree(msec);
5125 }
5126
5127 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5128 u32 perms)
5129 {
5130 struct ipc_security_struct *isec;
5131 struct common_audit_data ad;
5132 u32 sid = current_sid();
5133
5134 isec = ipc_perms->security;
5135
5136 ad.type = LSM_AUDIT_DATA_IPC;
5137 ad.u.ipc_id = ipc_perms->key;
5138
5139 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5140 }
5141
5142 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5143 {
5144 return msg_msg_alloc_security(msg);
5145 }
5146
5147 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5148 {
5149 msg_msg_free_security(msg);
5150 }
5151
5152 /* message queue security operations */
5153 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5154 {
5155 struct ipc_security_struct *isec;
5156 struct common_audit_data ad;
5157 u32 sid = current_sid();
5158 int rc;
5159
5160 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5161 if (rc)
5162 return rc;
5163
5164 isec = msq->q_perm.security;
5165
5166 ad.type = LSM_AUDIT_DATA_IPC;
5167 ad.u.ipc_id = msq->q_perm.key;
5168
5169 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5170 MSGQ__CREATE, &ad);
5171 if (rc) {
5172 ipc_free_security(&msq->q_perm);
5173 return rc;
5174 }
5175 return 0;
5176 }
5177
5178 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5179 {
5180 ipc_free_security(&msq->q_perm);
5181 }
5182
5183 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5184 {
5185 struct ipc_security_struct *isec;
5186 struct common_audit_data ad;
5187 u32 sid = current_sid();
5188
5189 isec = msq->q_perm.security;
5190
5191 ad.type = LSM_AUDIT_DATA_IPC;
5192 ad.u.ipc_id = msq->q_perm.key;
5193
5194 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5195 MSGQ__ASSOCIATE, &ad);
5196 }
5197
5198 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5199 {
5200 int err;
5201 int perms;
5202
5203 switch (cmd) {
5204 case IPC_INFO:
5205 case MSG_INFO:
5206 /* No specific object, just general system-wide information. */
5207 return task_has_system(current, SYSTEM__IPC_INFO);
5208 case IPC_STAT:
5209 case MSG_STAT:
5210 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5211 break;
5212 case IPC_SET:
5213 perms = MSGQ__SETATTR;
5214 break;
5215 case IPC_RMID:
5216 perms = MSGQ__DESTROY;
5217 break;
5218 default:
5219 return 0;
5220 }
5221
5222 err = ipc_has_perm(&msq->q_perm, perms);
5223 return err;
5224 }
5225
5226 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5227 {
5228 struct ipc_security_struct *isec;
5229 struct msg_security_struct *msec;
5230 struct common_audit_data ad;
5231 u32 sid = current_sid();
5232 int rc;
5233
5234 isec = msq->q_perm.security;
5235 msec = msg->security;
5236
5237 /*
5238 * First time through, need to assign label to the message
5239 */
5240 if (msec->sid == SECINITSID_UNLABELED) {
5241 /*
5242 * Compute new sid based on current process and
5243 * message queue this message will be stored in
5244 */
5245 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5246 NULL, &msec->sid);
5247 if (rc)
5248 return rc;
5249 }
5250
5251 ad.type = LSM_AUDIT_DATA_IPC;
5252 ad.u.ipc_id = msq->q_perm.key;
5253
5254 /* Can this process write to the queue? */
5255 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5256 MSGQ__WRITE, &ad);
5257 if (!rc)
5258 /* Can this process send the message */
5259 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5260 MSG__SEND, &ad);
5261 if (!rc)
5262 /* Can the message be put in the queue? */
5263 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5264 MSGQ__ENQUEUE, &ad);
5265
5266 return rc;
5267 }
5268
5269 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5270 struct task_struct *target,
5271 long type, int mode)
5272 {
5273 struct ipc_security_struct *isec;
5274 struct msg_security_struct *msec;
5275 struct common_audit_data ad;
5276 u32 sid = task_sid(target);
5277 int rc;
5278
5279 isec = msq->q_perm.security;
5280 msec = msg->security;
5281
5282 ad.type = LSM_AUDIT_DATA_IPC;
5283 ad.u.ipc_id = msq->q_perm.key;
5284
5285 rc = avc_has_perm(sid, isec->sid,
5286 SECCLASS_MSGQ, MSGQ__READ, &ad);
5287 if (!rc)
5288 rc = avc_has_perm(sid, msec->sid,
5289 SECCLASS_MSG, MSG__RECEIVE, &ad);
5290 return rc;
5291 }
5292
5293 /* Shared Memory security operations */
5294 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5295 {
5296 struct ipc_security_struct *isec;
5297 struct common_audit_data ad;
5298 u32 sid = current_sid();
5299 int rc;
5300
5301 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5302 if (rc)
5303 return rc;
5304
5305 isec = shp->shm_perm.security;
5306
5307 ad.type = LSM_AUDIT_DATA_IPC;
5308 ad.u.ipc_id = shp->shm_perm.key;
5309
5310 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5311 SHM__CREATE, &ad);
5312 if (rc) {
5313 ipc_free_security(&shp->shm_perm);
5314 return rc;
5315 }
5316 return 0;
5317 }
5318
5319 static void selinux_shm_free_security(struct shmid_kernel *shp)
5320 {
5321 ipc_free_security(&shp->shm_perm);
5322 }
5323
5324 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5325 {
5326 struct ipc_security_struct *isec;
5327 struct common_audit_data ad;
5328 u32 sid = current_sid();
5329
5330 isec = shp->shm_perm.security;
5331
5332 ad.type = LSM_AUDIT_DATA_IPC;
5333 ad.u.ipc_id = shp->shm_perm.key;
5334
5335 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5336 SHM__ASSOCIATE, &ad);
5337 }
5338
5339 /* Note, at this point, shp is locked down */
5340 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5341 {
5342 int perms;
5343 int err;
5344
5345 switch (cmd) {
5346 case IPC_INFO:
5347 case SHM_INFO:
5348 /* No specific object, just general system-wide information. */
5349 return task_has_system(current, SYSTEM__IPC_INFO);
5350 case IPC_STAT:
5351 case SHM_STAT:
5352 perms = SHM__GETATTR | SHM__ASSOCIATE;
5353 break;
5354 case IPC_SET:
5355 perms = SHM__SETATTR;
5356 break;
5357 case SHM_LOCK:
5358 case SHM_UNLOCK:
5359 perms = SHM__LOCK;
5360 break;
5361 case IPC_RMID:
5362 perms = SHM__DESTROY;
5363 break;
5364 default:
5365 return 0;
5366 }
5367
5368 err = ipc_has_perm(&shp->shm_perm, perms);
5369 return err;
5370 }
5371
5372 static int selinux_shm_shmat(struct shmid_kernel *shp,
5373 char __user *shmaddr, int shmflg)
5374 {
5375 u32 perms;
5376
5377 if (shmflg & SHM_RDONLY)
5378 perms = SHM__READ;
5379 else
5380 perms = SHM__READ | SHM__WRITE;
5381
5382 return ipc_has_perm(&shp->shm_perm, perms);
5383 }
5384
5385 /* Semaphore security operations */
5386 static int selinux_sem_alloc_security(struct sem_array *sma)
5387 {
5388 struct ipc_security_struct *isec;
5389 struct common_audit_data ad;
5390 u32 sid = current_sid();
5391 int rc;
5392
5393 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5394 if (rc)
5395 return rc;
5396
5397 isec = sma->sem_perm.security;
5398
5399 ad.type = LSM_AUDIT_DATA_IPC;
5400 ad.u.ipc_id = sma->sem_perm.key;
5401
5402 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5403 SEM__CREATE, &ad);
5404 if (rc) {
5405 ipc_free_security(&sma->sem_perm);
5406 return rc;
5407 }
5408 return 0;
5409 }
5410
5411 static void selinux_sem_free_security(struct sem_array *sma)
5412 {
5413 ipc_free_security(&sma->sem_perm);
5414 }
5415
5416 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5417 {
5418 struct ipc_security_struct *isec;
5419 struct common_audit_data ad;
5420 u32 sid = current_sid();
5421
5422 isec = sma->sem_perm.security;
5423
5424 ad.type = LSM_AUDIT_DATA_IPC;
5425 ad.u.ipc_id = sma->sem_perm.key;
5426
5427 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5428 SEM__ASSOCIATE, &ad);
5429 }
5430
5431 /* Note, at this point, sma is locked down */
5432 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5433 {
5434 int err;
5435 u32 perms;
5436
5437 switch (cmd) {
5438 case IPC_INFO:
5439 case SEM_INFO:
5440 /* No specific object, just general system-wide information. */
5441 return task_has_system(current, SYSTEM__IPC_INFO);
5442 case GETPID:
5443 case GETNCNT:
5444 case GETZCNT:
5445 perms = SEM__GETATTR;
5446 break;
5447 case GETVAL:
5448 case GETALL:
5449 perms = SEM__READ;
5450 break;
5451 case SETVAL:
5452 case SETALL:
5453 perms = SEM__WRITE;
5454 break;
5455 case IPC_RMID:
5456 perms = SEM__DESTROY;
5457 break;
5458 case IPC_SET:
5459 perms = SEM__SETATTR;
5460 break;
5461 case IPC_STAT:
5462 case SEM_STAT:
5463 perms = SEM__GETATTR | SEM__ASSOCIATE;
5464 break;
5465 default:
5466 return 0;
5467 }
5468
5469 err = ipc_has_perm(&sma->sem_perm, perms);
5470 return err;
5471 }
5472
5473 static int selinux_sem_semop(struct sem_array *sma,
5474 struct sembuf *sops, unsigned nsops, int alter)
5475 {
5476 u32 perms;
5477
5478 if (alter)
5479 perms = SEM__READ | SEM__WRITE;
5480 else
5481 perms = SEM__READ;
5482
5483 return ipc_has_perm(&sma->sem_perm, perms);
5484 }
5485
5486 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5487 {
5488 u32 av = 0;
5489
5490 av = 0;
5491 if (flag & S_IRUGO)
5492 av |= IPC__UNIX_READ;
5493 if (flag & S_IWUGO)
5494 av |= IPC__UNIX_WRITE;
5495
5496 if (av == 0)
5497 return 0;
5498
5499 return ipc_has_perm(ipcp, av);
5500 }
5501
5502 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5503 {
5504 struct ipc_security_struct *isec = ipcp->security;
5505 *secid = isec->sid;
5506 }
5507
5508 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5509 {
5510 if (inode)
5511 inode_doinit_with_dentry(inode, dentry);
5512 }
5513
5514 static int selinux_getprocattr(struct task_struct *p,
5515 char *name, char **value)
5516 {
5517 const struct task_security_struct *__tsec;
5518 u32 sid;
5519 int error;
5520 unsigned len;
5521
5522 if (current != p) {
5523 error = current_has_perm(p, PROCESS__GETATTR);
5524 if (error)
5525 return error;
5526 }
5527
5528 rcu_read_lock();
5529 __tsec = __task_cred(p)->security;
5530
5531 if (!strcmp(name, "current"))
5532 sid = __tsec->sid;
5533 else if (!strcmp(name, "prev"))
5534 sid = __tsec->osid;
5535 else if (!strcmp(name, "exec"))
5536 sid = __tsec->exec_sid;
5537 else if (!strcmp(name, "fscreate"))
5538 sid = __tsec->create_sid;
5539 else if (!strcmp(name, "keycreate"))
5540 sid = __tsec->keycreate_sid;
5541 else if (!strcmp(name, "sockcreate"))
5542 sid = __tsec->sockcreate_sid;
5543 else
5544 goto invalid;
5545 rcu_read_unlock();
5546
5547 if (!sid)
5548 return 0;
5549
5550 error = security_sid_to_context(sid, value, &len);
5551 if (error)
5552 return error;
5553 return len;
5554
5555 invalid:
5556 rcu_read_unlock();
5557 return -EINVAL;
5558 }
5559
5560 static int selinux_setprocattr(struct task_struct *p,
5561 char *name, void *value, size_t size)
5562 {
5563 struct task_security_struct *tsec;
5564 struct task_struct *tracer;
5565 struct cred *new;
5566 u32 sid = 0, ptsid;
5567 int error;
5568 char *str = value;
5569
5570 if (current != p) {
5571 /* SELinux only allows a process to change its own
5572 security attributes. */
5573 return -EACCES;
5574 }
5575
5576 /*
5577 * Basic control over ability to set these attributes at all.
5578 * current == p, but we'll pass them separately in case the
5579 * above restriction is ever removed.
5580 */
5581 if (!strcmp(name, "exec"))
5582 error = current_has_perm(p, PROCESS__SETEXEC);
5583 else if (!strcmp(name, "fscreate"))
5584 error = current_has_perm(p, PROCESS__SETFSCREATE);
5585 else if (!strcmp(name, "keycreate"))
5586 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5587 else if (!strcmp(name, "sockcreate"))
5588 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5589 else if (!strcmp(name, "current"))
5590 error = current_has_perm(p, PROCESS__SETCURRENT);
5591 else
5592 error = -EINVAL;
5593 if (error)
5594 return error;
5595
5596 /* Obtain a SID for the context, if one was specified. */
5597 if (size && str[1] && str[1] != '\n') {
5598 if (str[size-1] == '\n') {
5599 str[size-1] = 0;
5600 size--;
5601 }
5602 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5603 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5604 if (!capable(CAP_MAC_ADMIN)) {
5605 struct audit_buffer *ab;
5606 size_t audit_size;
5607
5608 /* We strip a nul only if it is at the end, otherwise the
5609 * context contains a nul and we should audit that */
5610 if (str[size - 1] == '\0')
5611 audit_size = size - 1;
5612 else
5613 audit_size = size;
5614 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5615 audit_log_format(ab, "op=fscreate invalid_context=");
5616 audit_log_n_untrustedstring(ab, value, audit_size);
5617 audit_log_end(ab);
5618
5619 return error;
5620 }
5621 error = security_context_to_sid_force(value, size,
5622 &sid);
5623 }
5624 if (error)
5625 return error;
5626 }
5627
5628 new = prepare_creds();
5629 if (!new)
5630 return -ENOMEM;
5631
5632 /* Permission checking based on the specified context is
5633 performed during the actual operation (execve,
5634 open/mkdir/...), when we know the full context of the
5635 operation. See selinux_bprm_set_creds for the execve
5636 checks and may_create for the file creation checks. The
5637 operation will then fail if the context is not permitted. */
5638 tsec = new->security;
5639 if (!strcmp(name, "exec")) {
5640 tsec->exec_sid = sid;
5641 } else if (!strcmp(name, "fscreate")) {
5642 tsec->create_sid = sid;
5643 } else if (!strcmp(name, "keycreate")) {
5644 error = may_create_key(sid, p);
5645 if (error)
5646 goto abort_change;
5647 tsec->keycreate_sid = sid;
5648 } else if (!strcmp(name, "sockcreate")) {
5649 tsec->sockcreate_sid = sid;
5650 } else if (!strcmp(name, "current")) {
5651 error = -EINVAL;
5652 if (sid == 0)
5653 goto abort_change;
5654
5655 /* Only allow single threaded processes to change context */
5656 error = -EPERM;
5657 if (!current_is_single_threaded()) {
5658 error = security_bounded_transition(tsec->sid, sid);
5659 if (error)
5660 goto abort_change;
5661 }
5662
5663 /* Check permissions for the transition. */
5664 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5665 PROCESS__DYNTRANSITION, NULL);
5666 if (error)
5667 goto abort_change;
5668
5669 /* Check for ptracing, and update the task SID if ok.
5670 Otherwise, leave SID unchanged and fail. */
5671 ptsid = 0;
5672 rcu_read_lock();
5673 tracer = ptrace_parent(p);
5674 if (tracer)
5675 ptsid = task_sid(tracer);
5676 rcu_read_unlock();
5677
5678 if (tracer) {
5679 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5680 PROCESS__PTRACE, NULL);
5681 if (error)
5682 goto abort_change;
5683 }
5684
5685 tsec->sid = sid;
5686 } else {
5687 error = -EINVAL;
5688 goto abort_change;
5689 }
5690
5691 commit_creds(new);
5692 return size;
5693
5694 abort_change:
5695 abort_creds(new);
5696 return error;
5697 }
5698
5699 static int selinux_ismaclabel(const char *name)
5700 {
5701 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5702 }
5703
5704 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5705 {
5706 return security_sid_to_context(secid, secdata, seclen);
5707 }
5708
5709 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5710 {
5711 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5712 }
5713
5714 static void selinux_release_secctx(char *secdata, u32 seclen)
5715 {
5716 kfree(secdata);
5717 }
5718
5719 /*
5720 * called with inode->i_mutex locked
5721 */
5722 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5723 {
5724 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5725 }
5726
5727 /*
5728 * called with inode->i_mutex locked
5729 */
5730 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5731 {
5732 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5733 }
5734
5735 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5736 {
5737 int len = 0;
5738 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5739 ctx, true);
5740 if (len < 0)
5741 return len;
5742 *ctxlen = len;
5743 return 0;
5744 }
5745 #ifdef CONFIG_KEYS
5746
5747 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5748 unsigned long flags)
5749 {
5750 const struct task_security_struct *tsec;
5751 struct key_security_struct *ksec;
5752
5753 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5754 if (!ksec)
5755 return -ENOMEM;
5756
5757 tsec = cred->security;
5758 if (tsec->keycreate_sid)
5759 ksec->sid = tsec->keycreate_sid;
5760 else
5761 ksec->sid = tsec->sid;
5762
5763 k->security = ksec;
5764 return 0;
5765 }
5766
5767 static void selinux_key_free(struct key *k)
5768 {
5769 struct key_security_struct *ksec = k->security;
5770
5771 k->security = NULL;
5772 kfree(ksec);
5773 }
5774
5775 static int selinux_key_permission(key_ref_t key_ref,
5776 const struct cred *cred,
5777 unsigned perm)
5778 {
5779 struct key *key;
5780 struct key_security_struct *ksec;
5781 u32 sid;
5782
5783 /* if no specific permissions are requested, we skip the
5784 permission check. No serious, additional covert channels
5785 appear to be created. */
5786 if (perm == 0)
5787 return 0;
5788
5789 sid = cred_sid(cred);
5790
5791 key = key_ref_to_ptr(key_ref);
5792 ksec = key->security;
5793
5794 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5795 }
5796
5797 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5798 {
5799 struct key_security_struct *ksec = key->security;
5800 char *context = NULL;
5801 unsigned len;
5802 int rc;
5803
5804 rc = security_sid_to_context(ksec->sid, &context, &len);
5805 if (!rc)
5806 rc = len;
5807 *_buffer = context;
5808 return rc;
5809 }
5810
5811 #endif
5812
5813 static struct security_operations selinux_ops = {
5814 .name = "selinux",
5815
5816 .ptrace_access_check = selinux_ptrace_access_check,
5817 .ptrace_traceme = selinux_ptrace_traceme,
5818 .capget = selinux_capget,
5819 .capset = selinux_capset,
5820 .capable = selinux_capable,
5821 .quotactl = selinux_quotactl,
5822 .quota_on = selinux_quota_on,
5823 .syslog = selinux_syslog,
5824 .vm_enough_memory = selinux_vm_enough_memory,
5825
5826 .netlink_send = selinux_netlink_send,
5827
5828 .bprm_set_creds = selinux_bprm_set_creds,
5829 .bprm_committing_creds = selinux_bprm_committing_creds,
5830 .bprm_committed_creds = selinux_bprm_committed_creds,
5831 .bprm_secureexec = selinux_bprm_secureexec,
5832
5833 .sb_alloc_security = selinux_sb_alloc_security,
5834 .sb_free_security = selinux_sb_free_security,
5835 .sb_copy_data = selinux_sb_copy_data,
5836 .sb_remount = selinux_sb_remount,
5837 .sb_kern_mount = selinux_sb_kern_mount,
5838 .sb_show_options = selinux_sb_show_options,
5839 .sb_statfs = selinux_sb_statfs,
5840 .sb_mount = selinux_mount,
5841 .sb_umount = selinux_umount,
5842 .sb_set_mnt_opts = selinux_set_mnt_opts,
5843 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5844 .sb_parse_opts_str = selinux_parse_opts_str,
5845
5846 .dentry_init_security = selinux_dentry_init_security,
5847
5848 .inode_alloc_security = selinux_inode_alloc_security,
5849 .inode_free_security = selinux_inode_free_security,
5850 .inode_init_security = selinux_inode_init_security,
5851 .inode_create = selinux_inode_create,
5852 .inode_link = selinux_inode_link,
5853 .inode_unlink = selinux_inode_unlink,
5854 .inode_symlink = selinux_inode_symlink,
5855 .inode_mkdir = selinux_inode_mkdir,
5856 .inode_rmdir = selinux_inode_rmdir,
5857 .inode_mknod = selinux_inode_mknod,
5858 .inode_rename = selinux_inode_rename,
5859 .inode_readlink = selinux_inode_readlink,
5860 .inode_follow_link = selinux_inode_follow_link,
5861 .inode_permission = selinux_inode_permission,
5862 .inode_setattr = selinux_inode_setattr,
5863 .inode_getattr = selinux_inode_getattr,
5864 .inode_setxattr = selinux_inode_setxattr,
5865 .inode_post_setxattr = selinux_inode_post_setxattr,
5866 .inode_getxattr = selinux_inode_getxattr,
5867 .inode_listxattr = selinux_inode_listxattr,
5868 .inode_removexattr = selinux_inode_removexattr,
5869 .inode_getsecurity = selinux_inode_getsecurity,
5870 .inode_setsecurity = selinux_inode_setsecurity,
5871 .inode_listsecurity = selinux_inode_listsecurity,
5872 .inode_getsecid = selinux_inode_getsecid,
5873
5874 .file_permission = selinux_file_permission,
5875 .file_alloc_security = selinux_file_alloc_security,
5876 .file_free_security = selinux_file_free_security,
5877 .file_ioctl = selinux_file_ioctl,
5878 .mmap_file = selinux_mmap_file,
5879 .mmap_addr = selinux_mmap_addr,
5880 .file_mprotect = selinux_file_mprotect,
5881 .file_lock = selinux_file_lock,
5882 .file_fcntl = selinux_file_fcntl,
5883 .file_set_fowner = selinux_file_set_fowner,
5884 .file_send_sigiotask = selinux_file_send_sigiotask,
5885 .file_receive = selinux_file_receive,
5886
5887 .file_open = selinux_file_open,
5888
5889 .task_create = selinux_task_create,
5890 .cred_alloc_blank = selinux_cred_alloc_blank,
5891 .cred_free = selinux_cred_free,
5892 .cred_prepare = selinux_cred_prepare,
5893 .cred_transfer = selinux_cred_transfer,
5894 .kernel_act_as = selinux_kernel_act_as,
5895 .kernel_create_files_as = selinux_kernel_create_files_as,
5896 .kernel_module_request = selinux_kernel_module_request,
5897 .task_setpgid = selinux_task_setpgid,
5898 .task_getpgid = selinux_task_getpgid,
5899 .task_getsid = selinux_task_getsid,
5900 .task_getsecid = selinux_task_getsecid,
5901 .task_setnice = selinux_task_setnice,
5902 .task_setioprio = selinux_task_setioprio,
5903 .task_getioprio = selinux_task_getioprio,
5904 .task_setrlimit = selinux_task_setrlimit,
5905 .task_setscheduler = selinux_task_setscheduler,
5906 .task_getscheduler = selinux_task_getscheduler,
5907 .task_movememory = selinux_task_movememory,
5908 .task_kill = selinux_task_kill,
5909 .task_wait = selinux_task_wait,
5910 .task_to_inode = selinux_task_to_inode,
5911
5912 .ipc_permission = selinux_ipc_permission,
5913 .ipc_getsecid = selinux_ipc_getsecid,
5914
5915 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5916 .msg_msg_free_security = selinux_msg_msg_free_security,
5917
5918 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5919 .msg_queue_free_security = selinux_msg_queue_free_security,
5920 .msg_queue_associate = selinux_msg_queue_associate,
5921 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5922 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5923 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5924
5925 .shm_alloc_security = selinux_shm_alloc_security,
5926 .shm_free_security = selinux_shm_free_security,
5927 .shm_associate = selinux_shm_associate,
5928 .shm_shmctl = selinux_shm_shmctl,
5929 .shm_shmat = selinux_shm_shmat,
5930
5931 .sem_alloc_security = selinux_sem_alloc_security,
5932 .sem_free_security = selinux_sem_free_security,
5933 .sem_associate = selinux_sem_associate,
5934 .sem_semctl = selinux_sem_semctl,
5935 .sem_semop = selinux_sem_semop,
5936
5937 .d_instantiate = selinux_d_instantiate,
5938
5939 .getprocattr = selinux_getprocattr,
5940 .setprocattr = selinux_setprocattr,
5941
5942 .ismaclabel = selinux_ismaclabel,
5943 .secid_to_secctx = selinux_secid_to_secctx,
5944 .secctx_to_secid = selinux_secctx_to_secid,
5945 .release_secctx = selinux_release_secctx,
5946 .inode_notifysecctx = selinux_inode_notifysecctx,
5947 .inode_setsecctx = selinux_inode_setsecctx,
5948 .inode_getsecctx = selinux_inode_getsecctx,
5949
5950 .unix_stream_connect = selinux_socket_unix_stream_connect,
5951 .unix_may_send = selinux_socket_unix_may_send,
5952
5953 .socket_create = selinux_socket_create,
5954 .socket_post_create = selinux_socket_post_create,
5955 .socket_bind = selinux_socket_bind,
5956 .socket_connect = selinux_socket_connect,
5957 .socket_listen = selinux_socket_listen,
5958 .socket_accept = selinux_socket_accept,
5959 .socket_sendmsg = selinux_socket_sendmsg,
5960 .socket_recvmsg = selinux_socket_recvmsg,
5961 .socket_getsockname = selinux_socket_getsockname,
5962 .socket_getpeername = selinux_socket_getpeername,
5963 .socket_getsockopt = selinux_socket_getsockopt,
5964 .socket_setsockopt = selinux_socket_setsockopt,
5965 .socket_shutdown = selinux_socket_shutdown,
5966 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5967 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5968 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5969 .sk_alloc_security = selinux_sk_alloc_security,
5970 .sk_free_security = selinux_sk_free_security,
5971 .sk_clone_security = selinux_sk_clone_security,
5972 .sk_getsecid = selinux_sk_getsecid,
5973 .sock_graft = selinux_sock_graft,
5974 .inet_conn_request = selinux_inet_conn_request,
5975 .inet_csk_clone = selinux_inet_csk_clone,
5976 .inet_conn_established = selinux_inet_conn_established,
5977 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5978 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5979 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5980 .req_classify_flow = selinux_req_classify_flow,
5981 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5982 .tun_dev_free_security = selinux_tun_dev_free_security,
5983 .tun_dev_create = selinux_tun_dev_create,
5984 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5985 .tun_dev_attach = selinux_tun_dev_attach,
5986 .tun_dev_open = selinux_tun_dev_open,
5987 .skb_owned_by = selinux_skb_owned_by,
5988
5989 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5990 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5991 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5992 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5993 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5994 .xfrm_state_alloc = selinux_xfrm_state_alloc,
5995 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5996 .xfrm_state_free_security = selinux_xfrm_state_free,
5997 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5998 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5999 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
6000 .xfrm_decode_session = selinux_xfrm_decode_session,
6001 #endif
6002
6003 #ifdef CONFIG_KEYS
6004 .key_alloc = selinux_key_alloc,
6005 .key_free = selinux_key_free,
6006 .key_permission = selinux_key_permission,
6007 .key_getsecurity = selinux_key_getsecurity,
6008 #endif
6009
6010 #ifdef CONFIG_AUDIT
6011 .audit_rule_init = selinux_audit_rule_init,
6012 .audit_rule_known = selinux_audit_rule_known,
6013 .audit_rule_match = selinux_audit_rule_match,
6014 .audit_rule_free = selinux_audit_rule_free,
6015 #endif
6016 };
6017
6018 static __init int selinux_init(void)
6019 {
6020 if (!security_module_enable(&selinux_ops)) {
6021 selinux_enabled = 0;
6022 return 0;
6023 }
6024
6025 if (!selinux_enabled) {
6026 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6027 return 0;
6028 }
6029
6030 printk(KERN_INFO "SELinux: Initializing.\n");
6031
6032 /* Set the security state for the initial task. */
6033 cred_init_security();
6034
6035 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6036
6037 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6038 sizeof(struct inode_security_struct),
6039 0, SLAB_PANIC, NULL);
6040 avc_init();
6041
6042 if (register_security(&selinux_ops))
6043 panic("SELinux: Unable to register with kernel.\n");
6044
6045 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6046 panic("SELinux: Unable to register AVC netcache callback\n");
6047
6048 if (selinux_enforcing)
6049 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6050 else
6051 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6052
6053 return 0;
6054 }
6055
6056 static void delayed_superblock_init(struct super_block *sb, void *unused)
6057 {
6058 superblock_doinit(sb, NULL);
6059 }
6060
6061 void selinux_complete_init(void)
6062 {
6063 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6064
6065 /* Set up any superblocks initialized prior to the policy load. */
6066 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6067 iterate_supers(delayed_superblock_init, NULL);
6068 }
6069
6070 /* SELinux requires early initialization in order to label
6071 all processes and objects when they are created. */
6072 security_initcall(selinux_init);
6073
6074 #if defined(CONFIG_NETFILTER)
6075
6076 static struct nf_hook_ops selinux_nf_ops[] = {
6077 {
6078 .hook = selinux_ipv4_postroute,
6079 .owner = THIS_MODULE,
6080 .pf = NFPROTO_IPV4,
6081 .hooknum = NF_INET_POST_ROUTING,
6082 .priority = NF_IP_PRI_SELINUX_LAST,
6083 },
6084 {
6085 .hook = selinux_ipv4_forward,
6086 .owner = THIS_MODULE,
6087 .pf = NFPROTO_IPV4,
6088 .hooknum = NF_INET_FORWARD,
6089 .priority = NF_IP_PRI_SELINUX_FIRST,
6090 },
6091 {
6092 .hook = selinux_ipv4_output,
6093 .owner = THIS_MODULE,
6094 .pf = NFPROTO_IPV4,
6095 .hooknum = NF_INET_LOCAL_OUT,
6096 .priority = NF_IP_PRI_SELINUX_FIRST,
6097 },
6098 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6099 {
6100 .hook = selinux_ipv6_postroute,
6101 .owner = THIS_MODULE,
6102 .pf = NFPROTO_IPV6,
6103 .hooknum = NF_INET_POST_ROUTING,
6104 .priority = NF_IP6_PRI_SELINUX_LAST,
6105 },
6106 {
6107 .hook = selinux_ipv6_forward,
6108 .owner = THIS_MODULE,
6109 .pf = NFPROTO_IPV6,
6110 .hooknum = NF_INET_FORWARD,
6111 .priority = NF_IP6_PRI_SELINUX_FIRST,
6112 },
6113 #endif /* IPV6 */
6114 };
6115
6116 static int __init selinux_nf_ip_init(void)
6117 {
6118 int err;
6119
6120 if (!selinux_enabled)
6121 return 0;
6122
6123 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6124
6125 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6126 if (err)
6127 panic("SELinux: nf_register_hooks: error %d\n", err);
6128
6129 return 0;
6130 }
6131
6132 __initcall(selinux_nf_ip_init);
6133
6134 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6135 static void selinux_nf_ip_exit(void)
6136 {
6137 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6138
6139 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6140 }
6141 #endif
6142
6143 #else /* CONFIG_NETFILTER */
6144
6145 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6146 #define selinux_nf_ip_exit()
6147 #endif
6148
6149 #endif /* CONFIG_NETFILTER */
6150
6151 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6152 static int selinux_disabled;
6153
6154 int selinux_disable(void)
6155 {
6156 if (ss_initialized) {
6157 /* Not permitted after initial policy load. */
6158 return -EINVAL;
6159 }
6160
6161 if (selinux_disabled) {
6162 /* Only do this once. */
6163 return -EINVAL;
6164 }
6165
6166 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6167
6168 selinux_disabled = 1;
6169 selinux_enabled = 0;
6170
6171 reset_security_ops();
6172
6173 /* Try to destroy the avc node cache */
6174 avc_disable();
6175
6176 /* Unregister netfilter hooks. */
6177 selinux_nf_ip_exit();
6178
6179 /* Unregister selinuxfs. */
6180 exit_sel_fs();
6181
6182 return 0;
6183 }
6184 #endif
Linux with added FPC-III support