search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dm thin metadata: fix __udivdi3 undefined on 32-bit
[linux/fpc-iii.git] / security / selinux / hooks.c
blob99212ff6a568f3b9c868bb9ca6d73abe7a606f6c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
108 return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
121 return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
140 *
141 */
142 static int selinux_secmark_enabled(void)
143 {
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146
147 /**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157 static int selinux_peerlbl_enabled(void)
158 {
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171 }
172
173 /*
174 * initialise the security for the init task
175 */
176 static void cred_init_security(void)
177 {
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
180
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 if (!tsec)
183 panic("SELinux: Failed to initialize initial task.\n");
184
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
187 }
188
189 /*
190 * get the security ID of a set of credentials
191 */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198 }
199
200 /*
201 * get the objective security ID of a task
202 */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 u32 sid;
206
207 rcu_read_lock();
208 sid = cred_sid(__task_cred(task));
209 rcu_read_unlock();
210 return sid;
211 }
212
213 /*
214 * get the subjective security ID of the current task
215 */
216 static inline u32 current_sid(void)
217 {
218 const struct task_security_struct *tsec = current_security();
219
220 return tsec->sid;
221 }
222
223 /* Allocate and free functions for each kind of security blob. */
224
225 static int inode_alloc_security(struct inode *inode)
226 {
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
229
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 if (!isec)
232 return -ENOMEM;
233
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
241
242 return 0;
243 }
244
245 static void inode_free_rcu(struct rcu_head *head)
246 {
247 struct inode_security_struct *isec;
248
249 isec = container_of(head, struct inode_security_struct, rcu);
250 kmem_cache_free(sel_inode_cache, isec);
251 }
252
253 static void inode_free_security(struct inode *inode)
254 {
255 struct inode_security_struct *isec = inode->i_security;
256 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
257
258 /*
259 * As not all inode security structures are in a list, we check for
260 * empty list outside of the lock to make sure that we won't waste
261 * time taking a lock doing nothing.
262 *
263 * The list_del_init() function can be safely called more than once.
264 * It should not be possible for this function to be called with
265 * concurrent list_add(), but for better safety against future changes
266 * in the code, we use list_empty_careful() here.
267 */
268 if (!list_empty_careful(&isec->list)) {
269 spin_lock(&sbsec->isec_lock);
270 list_del_init(&isec->list);
271 spin_unlock(&sbsec->isec_lock);
272 }
273
274 /*
275 * The inode may still be referenced in a path walk and
276 * a call to selinux_inode_permission() can be made
277 * after inode_free_security() is called. Ideally, the VFS
278 * wouldn't do this, but fixing that is a much harder
279 * job. For now, simply free the i_security via RCU, and
280 * leave the current inode->i_security pointer intact.
281 * The inode will be freed after the RCU grace period too.
282 */
283 call_rcu(&isec->rcu, inode_free_rcu);
284 }
285
286 static int file_alloc_security(struct file *file)
287 {
288 struct file_security_struct *fsec;
289 u32 sid = current_sid();
290
291 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
292 if (!fsec)
293 return -ENOMEM;
294
295 fsec->sid = sid;
296 fsec->fown_sid = sid;
297 file->f_security = fsec;
298
299 return 0;
300 }
301
302 static void file_free_security(struct file *file)
303 {
304 struct file_security_struct *fsec = file->f_security;
305 file->f_security = NULL;
306 kmem_cache_free(file_security_cache, fsec);
307 }
308
309 static int superblock_alloc_security(struct super_block *sb)
310 {
311 struct superblock_security_struct *sbsec;
312
313 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
314 if (!sbsec)
315 return -ENOMEM;
316
317 mutex_init(&sbsec->lock);
318 INIT_LIST_HEAD(&sbsec->isec_head);
319 spin_lock_init(&sbsec->isec_lock);
320 sbsec->sb = sb;
321 sbsec->sid = SECINITSID_UNLABELED;
322 sbsec->def_sid = SECINITSID_FILE;
323 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
324 sb->s_security = sbsec;
325
326 return 0;
327 }
328
329 static void superblock_free_security(struct super_block *sb)
330 {
331 struct superblock_security_struct *sbsec = sb->s_security;
332 sb->s_security = NULL;
333 kfree(sbsec);
334 }
335
336 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
337
338 static inline int inode_doinit(struct inode *inode)
339 {
340 return inode_doinit_with_dentry(inode, NULL);
341 }
342
343 enum {
344 Opt_error = -1,
345 Opt_context = 1,
346 Opt_fscontext = 2,
347 Opt_defcontext = 3,
348 Opt_rootcontext = 4,
349 Opt_labelsupport = 5,
350 Opt_nextmntopt = 6,
351 };
352
353 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
354
355 static const match_table_t tokens = {
356 {Opt_context, CONTEXT_STR "%s"},
357 {Opt_fscontext, FSCONTEXT_STR "%s"},
358 {Opt_defcontext, DEFCONTEXT_STR "%s"},
359 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
360 {Opt_labelsupport, LABELSUPP_STR},
361 {Opt_error, NULL},
362 };
363
364 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
365
366 static int may_context_mount_sb_relabel(u32 sid,
367 struct superblock_security_struct *sbsec,
368 const struct cred *cred)
369 {
370 const struct task_security_struct *tsec = cred->security;
371 int rc;
372
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
375 if (rc)
376 return rc;
377
378 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__RELABELTO, NULL);
380 return rc;
381 }
382
383 static int may_context_mount_inode_relabel(u32 sid,
384 struct superblock_security_struct *sbsec,
385 const struct cred *cred)
386 {
387 const struct task_security_struct *tsec = cred->security;
388 int rc;
389 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
390 FILESYSTEM__RELABELFROM, NULL);
391 if (rc)
392 return rc;
393
394 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
395 FILESYSTEM__ASSOCIATE, NULL);
396 return rc;
397 }
398
399 static int selinux_is_sblabel_mnt(struct super_block *sb)
400 {
401 struct superblock_security_struct *sbsec = sb->s_security;
402
403 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
404 sbsec->behavior == SECURITY_FS_USE_TRANS ||
405 sbsec->behavior == SECURITY_FS_USE_TASK ||
406 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
407 /* Special handling. Genfs but also in-core setxattr handler */
408 !strcmp(sb->s_type->name, "sysfs") ||
409 !strcmp(sb->s_type->name, "pstore") ||
410 !strcmp(sb->s_type->name, "debugfs") ||
411 !strcmp(sb->s_type->name, "rootfs");
412 }
413
414 static int sb_finish_set_opts(struct super_block *sb)
415 {
416 struct superblock_security_struct *sbsec = sb->s_security;
417 struct dentry *root = sb->s_root;
418 struct inode *root_inode = d_backing_inode(root);
419 int rc = 0;
420
421 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
422 /* Make sure that the xattr handler exists and that no
423 error other than -ENODATA is returned by getxattr on
424 the root directory. -ENODATA is ok, as this may be
425 the first boot of the SELinux kernel before we have
426 assigned xattr values to the filesystem. */
427 if (!root_inode->i_op->getxattr) {
428 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
429 "xattr support\n", sb->s_id, sb->s_type->name);
430 rc = -EOPNOTSUPP;
431 goto out;
432 }
433 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
434 if (rc < 0 && rc != -ENODATA) {
435 if (rc == -EOPNOTSUPP)
436 printk(KERN_WARNING "SELinux: (dev %s, type "
437 "%s) has no security xattr handler\n",
438 sb->s_id, sb->s_type->name);
439 else
440 printk(KERN_WARNING "SELinux: (dev %s, type "
441 "%s) getxattr errno %d\n", sb->s_id,
442 sb->s_type->name, -rc);
443 goto out;
444 }
445 }
446
447 sbsec->flags |= SE_SBINITIALIZED;
448 if (selinux_is_sblabel_mnt(sb))
449 sbsec->flags |= SBLABEL_MNT;
450
451 /* Initialize the root inode. */
452 rc = inode_doinit_with_dentry(root_inode, root);
453
454 /* Initialize any other inodes associated with the superblock, e.g.
455 inodes created prior to initial policy load or inodes created
456 during get_sb by a pseudo filesystem that directly
457 populates itself. */
458 spin_lock(&sbsec->isec_lock);
459 next_inode:
460 if (!list_empty(&sbsec->isec_head)) {
461 struct inode_security_struct *isec =
462 list_entry(sbsec->isec_head.next,
463 struct inode_security_struct, list);
464 struct inode *inode = isec->inode;
465 list_del_init(&isec->list);
466 spin_unlock(&sbsec->isec_lock);
467 inode = igrab(inode);
468 if (inode) {
469 if (!IS_PRIVATE(inode))
470 inode_doinit(inode);
471 iput(inode);
472 }
473 spin_lock(&sbsec->isec_lock);
474 goto next_inode;
475 }
476 spin_unlock(&sbsec->isec_lock);
477 out:
478 return rc;
479 }
480
481 /*
482 * This function should allow an FS to ask what it's mount security
483 * options were so it can use those later for submounts, displaying
484 * mount options, or whatever.
485 */
486 static int selinux_get_mnt_opts(const struct super_block *sb,
487 struct security_mnt_opts *opts)
488 {
489 int rc = 0, i;
490 struct superblock_security_struct *sbsec = sb->s_security;
491 char *context = NULL;
492 u32 len;
493 char tmp;
494
495 security_init_mnt_opts(opts);
496
497 if (!(sbsec->flags & SE_SBINITIALIZED))
498 return -EINVAL;
499
500 if (!ss_initialized)
501 return -EINVAL;
502
503 /* make sure we always check enough bits to cover the mask */
504 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
505
506 tmp = sbsec->flags & SE_MNTMASK;
507 /* count the number of mount options for this sb */
508 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
509 if (tmp & 0x01)
510 opts->num_mnt_opts++;
511 tmp >>= 1;
512 }
513 /* Check if the Label support flag is set */
514 if (sbsec->flags & SBLABEL_MNT)
515 opts->num_mnt_opts++;
516
517 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
518 if (!opts->mnt_opts) {
519 rc = -ENOMEM;
520 goto out_free;
521 }
522
523 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
524 if (!opts->mnt_opts_flags) {
525 rc = -ENOMEM;
526 goto out_free;
527 }
528
529 i = 0;
530 if (sbsec->flags & FSCONTEXT_MNT) {
531 rc = security_sid_to_context(sbsec->sid, &context, &len);
532 if (rc)
533 goto out_free;
534 opts->mnt_opts[i] = context;
535 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
536 }
537 if (sbsec->flags & CONTEXT_MNT) {
538 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
539 if (rc)
540 goto out_free;
541 opts->mnt_opts[i] = context;
542 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
543 }
544 if (sbsec->flags & DEFCONTEXT_MNT) {
545 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
546 if (rc)
547 goto out_free;
548 opts->mnt_opts[i] = context;
549 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
550 }
551 if (sbsec->flags & ROOTCONTEXT_MNT) {
552 struct inode *root = d_backing_inode(sbsec->sb->s_root);
553 struct inode_security_struct *isec = root->i_security;
554
555 rc = security_sid_to_context(isec->sid, &context, &len);
556 if (rc)
557 goto out_free;
558 opts->mnt_opts[i] = context;
559 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
560 }
561 if (sbsec->flags & SBLABEL_MNT) {
562 opts->mnt_opts[i] = NULL;
563 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
564 }
565
566 BUG_ON(i != opts->num_mnt_opts);
567
568 return 0;
569
570 out_free:
571 security_free_mnt_opts(opts);
572 return rc;
573 }
574
575 static int bad_option(struct superblock_security_struct *sbsec, char flag,
576 u32 old_sid, u32 new_sid)
577 {
578 char mnt_flags = sbsec->flags & SE_MNTMASK;
579
580 /* check if the old mount command had the same options */
581 if (sbsec->flags & SE_SBINITIALIZED)
582 if (!(sbsec->flags & flag) ||
583 (old_sid != new_sid))
584 return 1;
585
586 /* check if we were passed the same options twice,
587 * aka someone passed context=a,context=b
588 */
589 if (!(sbsec->flags & SE_SBINITIALIZED))
590 if (mnt_flags & flag)
591 return 1;
592 return 0;
593 }
594
595 /*
596 * Allow filesystems with binary mount data to explicitly set mount point
597 * labeling information.
598 */
599 static int selinux_set_mnt_opts(struct super_block *sb,
600 struct security_mnt_opts *opts,
601 unsigned long kern_flags,
602 unsigned long *set_kern_flags)
603 {
604 const struct cred *cred = current_cred();
605 int rc = 0, i;
606 struct superblock_security_struct *sbsec = sb->s_security;
607 const char *name = sb->s_type->name;
608 struct inode *inode = d_backing_inode(sbsec->sb->s_root);
609 struct inode_security_struct *root_isec = inode->i_security;
610 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
611 u32 defcontext_sid = 0;
612 char **mount_options = opts->mnt_opts;
613 int *flags = opts->mnt_opts_flags;
614 int num_opts = opts->num_mnt_opts;
615
616 mutex_lock(&sbsec->lock);
617
618 if (!ss_initialized) {
619 if (!num_opts) {
620 /* Defer initialization until selinux_complete_init,
621 after the initial policy is loaded and the security
622 server is ready to handle calls. */
623 goto out;
624 }
625 rc = -EINVAL;
626 printk(KERN_WARNING "SELinux: Unable to set superblock options "
627 "before the security server is initialized\n");
628 goto out;
629 }
630 if (kern_flags && !set_kern_flags) {
631 /* Specifying internal flags without providing a place to
632 * place the results is not allowed */
633 rc = -EINVAL;
634 goto out;
635 }
636
637 /*
638 * Binary mount data FS will come through this function twice. Once
639 * from an explicit call and once from the generic calls from the vfs.
640 * Since the generic VFS calls will not contain any security mount data
641 * we need to skip the double mount verification.
642 *
643 * This does open a hole in which we will not notice if the first
644 * mount using this sb set explict options and a second mount using
645 * this sb does not set any security options. (The first options
646 * will be used for both mounts)
647 */
648 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
649 && (num_opts == 0))
650 goto out;
651
652 /*
653 * parse the mount options, check if they are valid sids.
654 * also check if someone is trying to mount the same sb more
655 * than once with different security options.
656 */
657 for (i = 0; i < num_opts; i++) {
658 u32 sid;
659
660 if (flags[i] == SBLABEL_MNT)
661 continue;
662 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
663 if (rc) {
664 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
665 "(%s) failed for (dev %s, type %s) errno=%d\n",
666 mount_options[i], sb->s_id, name, rc);
667 goto out;
668 }
669 switch (flags[i]) {
670 case FSCONTEXT_MNT:
671 fscontext_sid = sid;
672
673 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
674 fscontext_sid))
675 goto out_double_mount;
676
677 sbsec->flags |= FSCONTEXT_MNT;
678 break;
679 case CONTEXT_MNT:
680 context_sid = sid;
681
682 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
683 context_sid))
684 goto out_double_mount;
685
686 sbsec->flags |= CONTEXT_MNT;
687 break;
688 case ROOTCONTEXT_MNT:
689 rootcontext_sid = sid;
690
691 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
692 rootcontext_sid))
693 goto out_double_mount;
694
695 sbsec->flags |= ROOTCONTEXT_MNT;
696
697 break;
698 case DEFCONTEXT_MNT:
699 defcontext_sid = sid;
700
701 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
702 defcontext_sid))
703 goto out_double_mount;
704
705 sbsec->flags |= DEFCONTEXT_MNT;
706
707 break;
708 default:
709 rc = -EINVAL;
710 goto out;
711 }
712 }
713
714 if (sbsec->flags & SE_SBINITIALIZED) {
715 /* previously mounted with options, but not on this attempt? */
716 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
717 goto out_double_mount;
718 rc = 0;
719 goto out;
720 }
721
722 if (strcmp(sb->s_type->name, "proc") == 0)
723 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
724
725 if (!strcmp(sb->s_type->name, "debugfs") ||
726 !strcmp(sb->s_type->name, "sysfs") ||
727 !strcmp(sb->s_type->name, "pstore"))
728 sbsec->flags |= SE_SBGENFS;
729
730 if (!sbsec->behavior) {
731 /*
732 * Determine the labeling behavior to use for this
733 * filesystem type.
734 */
735 rc = security_fs_use(sb);
736 if (rc) {
737 printk(KERN_WARNING
738 "%s: security_fs_use(%s) returned %d\n",
739 __func__, sb->s_type->name, rc);
740 goto out;
741 }
742 }
743 /* sets the context of the superblock for the fs being mounted. */
744 if (fscontext_sid) {
745 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
746 if (rc)
747 goto out;
748
749 sbsec->sid = fscontext_sid;
750 }
751
752 /*
753 * Switch to using mount point labeling behavior.
754 * sets the label used on all file below the mountpoint, and will set
755 * the superblock context if not already set.
756 */
757 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
758 sbsec->behavior = SECURITY_FS_USE_NATIVE;
759 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
760 }
761
762 if (context_sid) {
763 if (!fscontext_sid) {
764 rc = may_context_mount_sb_relabel(context_sid, sbsec,
765 cred);
766 if (rc)
767 goto out;
768 sbsec->sid = context_sid;
769 } else {
770 rc = may_context_mount_inode_relabel(context_sid, sbsec,
771 cred);
772 if (rc)
773 goto out;
774 }
775 if (!rootcontext_sid)
776 rootcontext_sid = context_sid;
777
778 sbsec->mntpoint_sid = context_sid;
779 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
780 }
781
782 if (rootcontext_sid) {
783 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
784 cred);
785 if (rc)
786 goto out;
787
788 root_isec->sid = rootcontext_sid;
789 root_isec->initialized = 1;
790 }
791
792 if (defcontext_sid) {
793 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
794 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
795 rc = -EINVAL;
796 printk(KERN_WARNING "SELinux: defcontext option is "
797 "invalid for this filesystem type\n");
798 goto out;
799 }
800
801 if (defcontext_sid != sbsec->def_sid) {
802 rc = may_context_mount_inode_relabel(defcontext_sid,
803 sbsec, cred);
804 if (rc)
805 goto out;
806 }
807
808 sbsec->def_sid = defcontext_sid;
809 }
810
811 rc = sb_finish_set_opts(sb);
812 out:
813 mutex_unlock(&sbsec->lock);
814 return rc;
815 out_double_mount:
816 rc = -EINVAL;
817 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
818 "security settings for (dev %s, type %s)\n", sb->s_id, name);
819 goto out;
820 }
821
822 static int selinux_cmp_sb_context(const struct super_block *oldsb,
823 const struct super_block *newsb)
824 {
825 struct superblock_security_struct *old = oldsb->s_security;
826 struct superblock_security_struct *new = newsb->s_security;
827 char oldflags = old->flags & SE_MNTMASK;
828 char newflags = new->flags & SE_MNTMASK;
829
830 if (oldflags != newflags)
831 goto mismatch;
832 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
833 goto mismatch;
834 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
835 goto mismatch;
836 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
837 goto mismatch;
838 if (oldflags & ROOTCONTEXT_MNT) {
839 struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security;
840 struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security;
841 if (oldroot->sid != newroot->sid)
842 goto mismatch;
843 }
844 return 0;
845 mismatch:
846 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
847 "different security settings for (dev %s, "
848 "type %s)\n", newsb->s_id, newsb->s_type->name);
849 return -EBUSY;
850 }
851
852 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
853 struct super_block *newsb)
854 {
855 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
856 struct superblock_security_struct *newsbsec = newsb->s_security;
857
858 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
859 int set_context = (oldsbsec->flags & CONTEXT_MNT);
860 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
861
862 /*
863 * if the parent was able to be mounted it clearly had no special lsm
864 * mount options. thus we can safely deal with this superblock later
865 */
866 if (!ss_initialized)
867 return 0;
868
869 /* how can we clone if the old one wasn't set up?? */
870 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
871
872 /* if fs is reusing a sb, make sure that the contexts match */
873 if (newsbsec->flags & SE_SBINITIALIZED)
874 return selinux_cmp_sb_context(oldsb, newsb);
875
876 mutex_lock(&newsbsec->lock);
877
878 newsbsec->flags = oldsbsec->flags;
879
880 newsbsec->sid = oldsbsec->sid;
881 newsbsec->def_sid = oldsbsec->def_sid;
882 newsbsec->behavior = oldsbsec->behavior;
883
884 if (set_context) {
885 u32 sid = oldsbsec->mntpoint_sid;
886
887 if (!set_fscontext)
888 newsbsec->sid = sid;
889 if (!set_rootcontext) {
890 struct inode *newinode = d_backing_inode(newsb->s_root);
891 struct inode_security_struct *newisec = newinode->i_security;
892 newisec->sid = sid;
893 }
894 newsbsec->mntpoint_sid = sid;
895 }
896 if (set_rootcontext) {
897 const struct inode *oldinode = d_backing_inode(oldsb->s_root);
898 const struct inode_security_struct *oldisec = oldinode->i_security;
899 struct inode *newinode = d_backing_inode(newsb->s_root);
900 struct inode_security_struct *newisec = newinode->i_security;
901
902 newisec->sid = oldisec->sid;
903 }
904
905 sb_finish_set_opts(newsb);
906 mutex_unlock(&newsbsec->lock);
907 return 0;
908 }
909
910 static int selinux_parse_opts_str(char *options,
911 struct security_mnt_opts *opts)
912 {
913 char *p;
914 char *context = NULL, *defcontext = NULL;
915 char *fscontext = NULL, *rootcontext = NULL;
916 int rc, num_mnt_opts = 0;
917
918 opts->num_mnt_opts = 0;
919
920 /* Standard string-based options. */
921 while ((p = strsep(&options, "|")) != NULL) {
922 int token;
923 substring_t args[MAX_OPT_ARGS];
924
925 if (!*p)
926 continue;
927
928 token = match_token(p, tokens, args);
929
930 switch (token) {
931 case Opt_context:
932 if (context || defcontext) {
933 rc = -EINVAL;
934 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
935 goto out_err;
936 }
937 context = match_strdup(&args[0]);
938 if (!context) {
939 rc = -ENOMEM;
940 goto out_err;
941 }
942 break;
943
944 case Opt_fscontext:
945 if (fscontext) {
946 rc = -EINVAL;
947 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
948 goto out_err;
949 }
950 fscontext = match_strdup(&args[0]);
951 if (!fscontext) {
952 rc = -ENOMEM;
953 goto out_err;
954 }
955 break;
956
957 case Opt_rootcontext:
958 if (rootcontext) {
959 rc = -EINVAL;
960 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
961 goto out_err;
962 }
963 rootcontext = match_strdup(&args[0]);
964 if (!rootcontext) {
965 rc = -ENOMEM;
966 goto out_err;
967 }
968 break;
969
970 case Opt_defcontext:
971 if (context || defcontext) {
972 rc = -EINVAL;
973 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
974 goto out_err;
975 }
976 defcontext = match_strdup(&args[0]);
977 if (!defcontext) {
978 rc = -ENOMEM;
979 goto out_err;
980 }
981 break;
982 case Opt_labelsupport:
983 break;
984 default:
985 rc = -EINVAL;
986 printk(KERN_WARNING "SELinux: unknown mount option\n");
987 goto out_err;
988
989 }
990 }
991
992 rc = -ENOMEM;
993 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
994 if (!opts->mnt_opts)
995 goto out_err;
996
997 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
998 if (!opts->mnt_opts_flags) {
999 kfree(opts->mnt_opts);
1000 goto out_err;
1001 }
1002
1003 if (fscontext) {
1004 opts->mnt_opts[num_mnt_opts] = fscontext;
1005 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1006 }
1007 if (context) {
1008 opts->mnt_opts[num_mnt_opts] = context;
1009 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1010 }
1011 if (rootcontext) {
1012 opts->mnt_opts[num_mnt_opts] = rootcontext;
1013 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1014 }
1015 if (defcontext) {
1016 opts->mnt_opts[num_mnt_opts] = defcontext;
1017 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1018 }
1019
1020 opts->num_mnt_opts = num_mnt_opts;
1021 return 0;
1022
1023 out_err:
1024 kfree(context);
1025 kfree(defcontext);
1026 kfree(fscontext);
1027 kfree(rootcontext);
1028 return rc;
1029 }
1030 /*
1031 * string mount options parsing and call set the sbsec
1032 */
1033 static int superblock_doinit(struct super_block *sb, void *data)
1034 {
1035 int rc = 0;
1036 char *options = data;
1037 struct security_mnt_opts opts;
1038
1039 security_init_mnt_opts(&opts);
1040
1041 if (!data)
1042 goto out;
1043
1044 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1045
1046 rc = selinux_parse_opts_str(options, &opts);
1047 if (rc)
1048 goto out_err;
1049
1050 out:
1051 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1052
1053 out_err:
1054 security_free_mnt_opts(&opts);
1055 return rc;
1056 }
1057
1058 static void selinux_write_opts(struct seq_file *m,
1059 struct security_mnt_opts *opts)
1060 {
1061 int i;
1062 char *prefix;
1063
1064 for (i = 0; i < opts->num_mnt_opts; i++) {
1065 char *has_comma;
1066
1067 if (opts->mnt_opts[i])
1068 has_comma = strchr(opts->mnt_opts[i], ',');
1069 else
1070 has_comma = NULL;
1071
1072 switch (opts->mnt_opts_flags[i]) {
1073 case CONTEXT_MNT:
1074 prefix = CONTEXT_STR;
1075 break;
1076 case FSCONTEXT_MNT:
1077 prefix = FSCONTEXT_STR;
1078 break;
1079 case ROOTCONTEXT_MNT:
1080 prefix = ROOTCONTEXT_STR;
1081 break;
1082 case DEFCONTEXT_MNT:
1083 prefix = DEFCONTEXT_STR;
1084 break;
1085 case SBLABEL_MNT:
1086 seq_putc(m, ',');
1087 seq_puts(m, LABELSUPP_STR);
1088 continue;
1089 default:
1090 BUG();
1091 return;
1092 };
1093 /* we need a comma before each option */
1094 seq_putc(m, ',');
1095 seq_puts(m, prefix);
1096 if (has_comma)
1097 seq_putc(m, '\"');
1098 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1099 if (has_comma)
1100 seq_putc(m, '\"');
1101 }
1102 }
1103
1104 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1105 {
1106 struct security_mnt_opts opts;
1107 int rc;
1108
1109 rc = selinux_get_mnt_opts(sb, &opts);
1110 if (rc) {
1111 /* before policy load we may get EINVAL, don't show anything */
1112 if (rc == -EINVAL)
1113 rc = 0;
1114 return rc;
1115 }
1116
1117 selinux_write_opts(m, &opts);
1118
1119 security_free_mnt_opts(&opts);
1120
1121 return rc;
1122 }
1123
1124 static inline u16 inode_mode_to_security_class(umode_t mode)
1125 {
1126 switch (mode & S_IFMT) {
1127 case S_IFSOCK:
1128 return SECCLASS_SOCK_FILE;
1129 case S_IFLNK:
1130 return SECCLASS_LNK_FILE;
1131 case S_IFREG:
1132 return SECCLASS_FILE;
1133 case S_IFBLK:
1134 return SECCLASS_BLK_FILE;
1135 case S_IFDIR:
1136 return SECCLASS_DIR;
1137 case S_IFCHR:
1138 return SECCLASS_CHR_FILE;
1139 case S_IFIFO:
1140 return SECCLASS_FIFO_FILE;
1141
1142 }
1143
1144 return SECCLASS_FILE;
1145 }
1146
1147 static inline int default_protocol_stream(int protocol)
1148 {
1149 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1150 }
1151
1152 static inline int default_protocol_dgram(int protocol)
1153 {
1154 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1155 }
1156
1157 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1158 {
1159 switch (family) {
1160 case PF_UNIX:
1161 switch (type) {
1162 case SOCK_STREAM:
1163 case SOCK_SEQPACKET:
1164 return SECCLASS_UNIX_STREAM_SOCKET;
1165 case SOCK_DGRAM:
1166 return SECCLASS_UNIX_DGRAM_SOCKET;
1167 }
1168 break;
1169 case PF_INET:
1170 case PF_INET6:
1171 switch (type) {
1172 case SOCK_STREAM:
1173 if (default_protocol_stream(protocol))
1174 return SECCLASS_TCP_SOCKET;
1175 else
1176 return SECCLASS_RAWIP_SOCKET;
1177 case SOCK_DGRAM:
1178 if (default_protocol_dgram(protocol))
1179 return SECCLASS_UDP_SOCKET;
1180 else
1181 return SECCLASS_RAWIP_SOCKET;
1182 case SOCK_DCCP:
1183 return SECCLASS_DCCP_SOCKET;
1184 default:
1185 return SECCLASS_RAWIP_SOCKET;
1186 }
1187 break;
1188 case PF_NETLINK:
1189 switch (protocol) {
1190 case NETLINK_ROUTE:
1191 return SECCLASS_NETLINK_ROUTE_SOCKET;
1192 case NETLINK_SOCK_DIAG:
1193 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1194 case NETLINK_NFLOG:
1195 return SECCLASS_NETLINK_NFLOG_SOCKET;
1196 case NETLINK_XFRM:
1197 return SECCLASS_NETLINK_XFRM_SOCKET;
1198 case NETLINK_SELINUX:
1199 return SECCLASS_NETLINK_SELINUX_SOCKET;
1200 case NETLINK_ISCSI:
1201 return SECCLASS_NETLINK_ISCSI_SOCKET;
1202 case NETLINK_AUDIT:
1203 return SECCLASS_NETLINK_AUDIT_SOCKET;
1204 case NETLINK_FIB_LOOKUP:
1205 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1206 case NETLINK_CONNECTOR:
1207 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1208 case NETLINK_NETFILTER:
1209 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1210 case NETLINK_DNRTMSG:
1211 return SECCLASS_NETLINK_DNRT_SOCKET;
1212 case NETLINK_KOBJECT_UEVENT:
1213 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1214 case NETLINK_GENERIC:
1215 return SECCLASS_NETLINK_GENERIC_SOCKET;
1216 case NETLINK_SCSITRANSPORT:
1217 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1218 case NETLINK_RDMA:
1219 return SECCLASS_NETLINK_RDMA_SOCKET;
1220 case NETLINK_CRYPTO:
1221 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1222 default:
1223 return SECCLASS_NETLINK_SOCKET;
1224 }
1225 case PF_PACKET:
1226 return SECCLASS_PACKET_SOCKET;
1227 case PF_KEY:
1228 return SECCLASS_KEY_SOCKET;
1229 case PF_APPLETALK:
1230 return SECCLASS_APPLETALK_SOCKET;
1231 }
1232
1233 return SECCLASS_SOCKET;
1234 }
1235
1236 static int selinux_genfs_get_sid(struct dentry *dentry,
1237 u16 tclass,
1238 u16 flags,
1239 u32 *sid)
1240 {
1241 int rc;
1242 struct super_block *sb = dentry->d_inode->i_sb;
1243 char *buffer, *path;
1244
1245 buffer = (char *)__get_free_page(GFP_KERNEL);
1246 if (!buffer)
1247 return -ENOMEM;
1248
1249 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1250 if (IS_ERR(path))
1251 rc = PTR_ERR(path);
1252 else {
1253 if (flags & SE_SBPROC) {
1254 /* each process gets a /proc/PID/ entry. Strip off the
1255 * PID part to get a valid selinux labeling.
1256 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1257 while (path[1] >= '0' && path[1] <= '9') {
1258 path[1] = '/';
1259 path++;
1260 }
1261 }
1262 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1263 }
1264 free_page((unsigned long)buffer);
1265 return rc;
1266 }
1267
1268 /* The inode's security attributes must be initialized before first use. */
1269 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1270 {
1271 struct superblock_security_struct *sbsec = NULL;
1272 struct inode_security_struct *isec = inode->i_security;
1273 u32 sid;
1274 struct dentry *dentry;
1275 #define INITCONTEXTLEN 255
1276 char *context = NULL;
1277 unsigned len = 0;
1278 int rc = 0;
1279
1280 if (isec->initialized)
1281 goto out;
1282
1283 mutex_lock(&isec->lock);
1284 if (isec->initialized)
1285 goto out_unlock;
1286
1287 sbsec = inode->i_sb->s_security;
1288 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1289 /* Defer initialization until selinux_complete_init,
1290 after the initial policy is loaded and the security
1291 server is ready to handle calls. */
1292 spin_lock(&sbsec->isec_lock);
1293 if (list_empty(&isec->list))
1294 list_add(&isec->list, &sbsec->isec_head);
1295 spin_unlock(&sbsec->isec_lock);
1296 goto out_unlock;
1297 }
1298
1299 switch (sbsec->behavior) {
1300 case SECURITY_FS_USE_NATIVE:
1301 break;
1302 case SECURITY_FS_USE_XATTR:
1303 if (!inode->i_op->getxattr) {
1304 isec->sid = sbsec->def_sid;
1305 break;
1306 }
1307
1308 /* Need a dentry, since the xattr API requires one.
1309 Life would be simpler if we could just pass the inode. */
1310 if (opt_dentry) {
1311 /* Called from d_instantiate or d_splice_alias. */
1312 dentry = dget(opt_dentry);
1313 } else {
1314 /* Called from selinux_complete_init, try to find a dentry. */
1315 dentry = d_find_alias(inode);
1316 }
1317 if (!dentry) {
1318 /*
1319 * this is can be hit on boot when a file is accessed
1320 * before the policy is loaded. When we load policy we
1321 * may find inodes that have no dentry on the
1322 * sbsec->isec_head list. No reason to complain as these
1323 * will get fixed up the next time we go through
1324 * inode_doinit with a dentry, before these inodes could
1325 * be used again by userspace.
1326 */
1327 goto out_unlock;
1328 }
1329
1330 len = INITCONTEXTLEN;
1331 context = kmalloc(len+1, GFP_NOFS);
1332 if (!context) {
1333 rc = -ENOMEM;
1334 dput(dentry);
1335 goto out_unlock;
1336 }
1337 context[len] = '\0';
1338 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1339 context, len);
1340 if (rc == -ERANGE) {
1341 kfree(context);
1342
1343 /* Need a larger buffer. Query for the right size. */
1344 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1345 NULL, 0);
1346 if (rc < 0) {
1347 dput(dentry);
1348 goto out_unlock;
1349 }
1350 len = rc;
1351 context = kmalloc(len+1, GFP_NOFS);
1352 if (!context) {
1353 rc = -ENOMEM;
1354 dput(dentry);
1355 goto out_unlock;
1356 }
1357 context[len] = '\0';
1358 rc = inode->i_op->getxattr(dentry,
1359 XATTR_NAME_SELINUX,
1360 context, len);
1361 }
1362 dput(dentry);
1363 if (rc < 0) {
1364 if (rc != -ENODATA) {
1365 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1366 "%d for dev=%s ino=%ld\n", __func__,
1367 -rc, inode->i_sb->s_id, inode->i_ino);
1368 kfree(context);
1369 goto out_unlock;
1370 }
1371 /* Map ENODATA to the default file SID */
1372 sid = sbsec->def_sid;
1373 rc = 0;
1374 } else {
1375 rc = security_context_to_sid_default(context, rc, &sid,
1376 sbsec->def_sid,
1377 GFP_NOFS);
1378 if (rc) {
1379 char *dev = inode->i_sb->s_id;
1380 unsigned long ino = inode->i_ino;
1381
1382 if (rc == -EINVAL) {
1383 if (printk_ratelimit())
1384 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1385 "context=%s. This indicates you may need to relabel the inode or the "
1386 "filesystem in question.\n", ino, dev, context);
1387 } else {
1388 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1389 "returned %d for dev=%s ino=%ld\n",
1390 __func__, context, -rc, dev, ino);
1391 }
1392 kfree(context);
1393 /* Leave with the unlabeled SID */
1394 rc = 0;
1395 break;
1396 }
1397 }
1398 kfree(context);
1399 isec->sid = sid;
1400 break;
1401 case SECURITY_FS_USE_TASK:
1402 isec->sid = isec->task_sid;
1403 break;
1404 case SECURITY_FS_USE_TRANS:
1405 /* Default to the fs SID. */
1406 isec->sid = sbsec->sid;
1407
1408 /* Try to obtain a transition SID. */
1409 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1410 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1411 isec->sclass, NULL, &sid);
1412 if (rc)
1413 goto out_unlock;
1414 isec->sid = sid;
1415 break;
1416 case SECURITY_FS_USE_MNTPOINT:
1417 isec->sid = sbsec->mntpoint_sid;
1418 break;
1419 default:
1420 /* Default to the fs superblock SID. */
1421 isec->sid = sbsec->sid;
1422
1423 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1424 /* We must have a dentry to determine the label on
1425 * procfs inodes */
1426 if (opt_dentry)
1427 /* Called from d_instantiate or
1428 * d_splice_alias. */
1429 dentry = dget(opt_dentry);
1430 else
1431 /* Called from selinux_complete_init, try to
1432 * find a dentry. */
1433 dentry = d_find_alias(inode);
1434 /*
1435 * This can be hit on boot when a file is accessed
1436 * before the policy is loaded. When we load policy we
1437 * may find inodes that have no dentry on the
1438 * sbsec->isec_head list. No reason to complain as
1439 * these will get fixed up the next time we go through
1440 * inode_doinit() with a dentry, before these inodes
1441 * could be used again by userspace.
1442 */
1443 if (!dentry)
1444 goto out_unlock;
1445 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1446 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1447 sbsec->flags, &sid);
1448 dput(dentry);
1449 if (rc)
1450 goto out_unlock;
1451 isec->sid = sid;
1452 }
1453 break;
1454 }
1455
1456 isec->initialized = 1;
1457
1458 out_unlock:
1459 mutex_unlock(&isec->lock);
1460 out:
1461 if (isec->sclass == SECCLASS_FILE)
1462 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1463 return rc;
1464 }
1465
1466 /* Convert a Linux signal to an access vector. */
1467 static inline u32 signal_to_av(int sig)
1468 {
1469 u32 perm = 0;
1470
1471 switch (sig) {
1472 case SIGCHLD:
1473 /* Commonly granted from child to parent. */
1474 perm = PROCESS__SIGCHLD;
1475 break;
1476 case SIGKILL:
1477 /* Cannot be caught or ignored */
1478 perm = PROCESS__SIGKILL;
1479 break;
1480 case SIGSTOP:
1481 /* Cannot be caught or ignored */
1482 perm = PROCESS__SIGSTOP;
1483 break;
1484 default:
1485 /* All other signals. */
1486 perm = PROCESS__SIGNAL;
1487 break;
1488 }
1489
1490 return perm;
1491 }
1492
1493 /*
1494 * Check permission between a pair of credentials
1495 * fork check, ptrace check, etc.
1496 */
1497 static int cred_has_perm(const struct cred *actor,
1498 const struct cred *target,
1499 u32 perms)
1500 {
1501 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1502
1503 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1504 }
1505
1506 /*
1507 * Check permission between a pair of tasks, e.g. signal checks,
1508 * fork check, ptrace check, etc.
1509 * tsk1 is the actor and tsk2 is the target
1510 * - this uses the default subjective creds of tsk1
1511 */
1512 static int task_has_perm(const struct task_struct *tsk1,
1513 const struct task_struct *tsk2,
1514 u32 perms)
1515 {
1516 const struct task_security_struct *__tsec1, *__tsec2;
1517 u32 sid1, sid2;
1518
1519 rcu_read_lock();
1520 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1521 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1522 rcu_read_unlock();
1523 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1524 }
1525
1526 /*
1527 * Check permission between current and another task, e.g. signal checks,
1528 * fork check, ptrace check, etc.
1529 * current is the actor and tsk2 is the target
1530 * - this uses current's subjective creds
1531 */
1532 static int current_has_perm(const struct task_struct *tsk,
1533 u32 perms)
1534 {
1535 u32 sid, tsid;
1536
1537 sid = current_sid();
1538 tsid = task_sid(tsk);
1539 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1540 }
1541
1542 #if CAP_LAST_CAP > 63
1543 #error Fix SELinux to handle capabilities > 63.
1544 #endif
1545
1546 /* Check whether a task is allowed to use a capability. */
1547 static int cred_has_capability(const struct cred *cred,
1548 int cap, int audit)
1549 {
1550 struct common_audit_data ad;
1551 struct av_decision avd;
1552 u16 sclass;
1553 u32 sid = cred_sid(cred);
1554 u32 av = CAP_TO_MASK(cap);
1555 int rc;
1556
1557 ad.type = LSM_AUDIT_DATA_CAP;
1558 ad.u.cap = cap;
1559
1560 switch (CAP_TO_INDEX(cap)) {
1561 case 0:
1562 sclass = SECCLASS_CAPABILITY;
1563 break;
1564 case 1:
1565 sclass = SECCLASS_CAPABILITY2;
1566 break;
1567 default:
1568 printk(KERN_ERR
1569 "SELinux: out of range capability %d\n", cap);
1570 BUG();
1571 return -EINVAL;
1572 }
1573
1574 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1575 if (audit == SECURITY_CAP_AUDIT) {
1576 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1577 if (rc2)
1578 return rc2;
1579 }
1580 return rc;
1581 }
1582
1583 /* Check whether a task is allowed to use a system operation. */
1584 static int task_has_system(struct task_struct *tsk,
1585 u32 perms)
1586 {
1587 u32 sid = task_sid(tsk);
1588
1589 return avc_has_perm(sid, SECINITSID_KERNEL,
1590 SECCLASS_SYSTEM, perms, NULL);
1591 }
1592
1593 /* Check whether a task has a particular permission to an inode.
1594 The 'adp' parameter is optional and allows other audit
1595 data to be passed (e.g. the dentry). */
1596 static int inode_has_perm(const struct cred *cred,
1597 struct inode *inode,
1598 u32 perms,
1599 struct common_audit_data *adp)
1600 {
1601 struct inode_security_struct *isec;
1602 u32 sid;
1603
1604 validate_creds(cred);
1605
1606 if (unlikely(IS_PRIVATE(inode)))
1607 return 0;
1608
1609 sid = cred_sid(cred);
1610 isec = inode->i_security;
1611
1612 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1613 }
1614
1615 /* Same as inode_has_perm, but pass explicit audit data containing
1616 the dentry to help the auditing code to more easily generate the
1617 pathname if needed. */
1618 static inline int dentry_has_perm(const struct cred *cred,
1619 struct dentry *dentry,
1620 u32 av)
1621 {
1622 struct inode *inode = d_backing_inode(dentry);
1623 struct common_audit_data ad;
1624
1625 ad.type = LSM_AUDIT_DATA_DENTRY;
1626 ad.u.dentry = dentry;
1627 return inode_has_perm(cred, inode, av, &ad);
1628 }
1629
1630 /* Same as inode_has_perm, but pass explicit audit data containing
1631 the path to help the auditing code to more easily generate the
1632 pathname if needed. */
1633 static inline int path_has_perm(const struct cred *cred,
1634 const struct path *path,
1635 u32 av)
1636 {
1637 struct inode *inode = d_backing_inode(path->dentry);
1638 struct common_audit_data ad;
1639
1640 ad.type = LSM_AUDIT_DATA_PATH;
1641 ad.u.path = *path;
1642 return inode_has_perm(cred, inode, av, &ad);
1643 }
1644
1645 /* Same as path_has_perm, but uses the inode from the file struct. */
1646 static inline int file_path_has_perm(const struct cred *cred,
1647 struct file *file,
1648 u32 av)
1649 {
1650 struct common_audit_data ad;
1651
1652 ad.type = LSM_AUDIT_DATA_PATH;
1653 ad.u.path = file->f_path;
1654 return inode_has_perm(cred, file_inode(file), av, &ad);
1655 }
1656
1657 /* Check whether a task can use an open file descriptor to
1658 access an inode in a given way. Check access to the
1659 descriptor itself, and then use dentry_has_perm to
1660 check a particular permission to the file.
1661 Access to the descriptor is implicitly granted if it
1662 has the same SID as the process. If av is zero, then
1663 access to the file is not checked, e.g. for cases
1664 where only the descriptor is affected like seek. */
1665 static int file_has_perm(const struct cred *cred,
1666 struct file *file,
1667 u32 av)
1668 {
1669 struct file_security_struct *fsec = file->f_security;
1670 struct inode *inode = file_inode(file);
1671 struct common_audit_data ad;
1672 u32 sid = cred_sid(cred);
1673 int rc;
1674
1675 ad.type = LSM_AUDIT_DATA_PATH;
1676 ad.u.path = file->f_path;
1677
1678 if (sid != fsec->sid) {
1679 rc = avc_has_perm(sid, fsec->sid,
1680 SECCLASS_FD,
1681 FD__USE,
1682 &ad);
1683 if (rc)
1684 goto out;
1685 }
1686
1687 /* av is zero if only checking access to the descriptor. */
1688 rc = 0;
1689 if (av)
1690 rc = inode_has_perm(cred, inode, av, &ad);
1691
1692 out:
1693 return rc;
1694 }
1695
1696 /*
1697 * Determine the label for an inode that might be unioned.
1698 */
1699 static int selinux_determine_inode_label(const struct inode *dir,
1700 const struct qstr *name,
1701 u16 tclass,
1702 u32 *_new_isid)
1703 {
1704 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1705 const struct inode_security_struct *dsec = dir->i_security;
1706 const struct task_security_struct *tsec = current_security();
1707
1708 if ((sbsec->flags & SE_SBINITIALIZED) &&
1709 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1710 *_new_isid = sbsec->mntpoint_sid;
1711 } else if ((sbsec->flags & SBLABEL_MNT) &&
1712 tsec->create_sid) {
1713 *_new_isid = tsec->create_sid;
1714 } else {
1715 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1716 name, _new_isid);
1717 }
1718
1719 return 0;
1720 }
1721
1722 /* Check whether a task can create a file. */
1723 static int may_create(struct inode *dir,
1724 struct dentry *dentry,
1725 u16 tclass)
1726 {
1727 const struct task_security_struct *tsec = current_security();
1728 struct inode_security_struct *dsec;
1729 struct superblock_security_struct *sbsec;
1730 u32 sid, newsid;
1731 struct common_audit_data ad;
1732 int rc;
1733
1734 dsec = dir->i_security;
1735 sbsec = dir->i_sb->s_security;
1736
1737 sid = tsec->sid;
1738
1739 ad.type = LSM_AUDIT_DATA_DENTRY;
1740 ad.u.dentry = dentry;
1741
1742 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1743 DIR__ADD_NAME | DIR__SEARCH,
1744 &ad);
1745 if (rc)
1746 return rc;
1747
1748 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1749 &newsid);
1750 if (rc)
1751 return rc;
1752
1753 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1754 if (rc)
1755 return rc;
1756
1757 return avc_has_perm(newsid, sbsec->sid,
1758 SECCLASS_FILESYSTEM,
1759 FILESYSTEM__ASSOCIATE, &ad);
1760 }
1761
1762 /* Check whether a task can create a key. */
1763 static int may_create_key(u32 ksid,
1764 struct task_struct *ctx)
1765 {
1766 u32 sid = task_sid(ctx);
1767
1768 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1769 }
1770
1771 #define MAY_LINK 0
1772 #define MAY_UNLINK 1
1773 #define MAY_RMDIR 2
1774
1775 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1776 static int may_link(struct inode *dir,
1777 struct dentry *dentry,
1778 int kind)
1779
1780 {
1781 struct inode_security_struct *dsec, *isec;
1782 struct common_audit_data ad;
1783 u32 sid = current_sid();
1784 u32 av;
1785 int rc;
1786
1787 dsec = dir->i_security;
1788 isec = d_backing_inode(dentry)->i_security;
1789
1790 ad.type = LSM_AUDIT_DATA_DENTRY;
1791 ad.u.dentry = dentry;
1792
1793 av = DIR__SEARCH;
1794 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1795 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1796 if (rc)
1797 return rc;
1798
1799 switch (kind) {
1800 case MAY_LINK:
1801 av = FILE__LINK;
1802 break;
1803 case MAY_UNLINK:
1804 av = FILE__UNLINK;
1805 break;
1806 case MAY_RMDIR:
1807 av = DIR__RMDIR;
1808 break;
1809 default:
1810 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1811 __func__, kind);
1812 return 0;
1813 }
1814
1815 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1816 return rc;
1817 }
1818
1819 static inline int may_rename(struct inode *old_dir,
1820 struct dentry *old_dentry,
1821 struct inode *new_dir,
1822 struct dentry *new_dentry)
1823 {
1824 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1825 struct common_audit_data ad;
1826 u32 sid = current_sid();
1827 u32 av;
1828 int old_is_dir, new_is_dir;
1829 int rc;
1830
1831 old_dsec = old_dir->i_security;
1832 old_isec = d_backing_inode(old_dentry)->i_security;
1833 old_is_dir = d_is_dir(old_dentry);
1834 new_dsec = new_dir->i_security;
1835
1836 ad.type = LSM_AUDIT_DATA_DENTRY;
1837
1838 ad.u.dentry = old_dentry;
1839 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1840 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1841 if (rc)
1842 return rc;
1843 rc = avc_has_perm(sid, old_isec->sid,
1844 old_isec->sclass, FILE__RENAME, &ad);
1845 if (rc)
1846 return rc;
1847 if (old_is_dir && new_dir != old_dir) {
1848 rc = avc_has_perm(sid, old_isec->sid,
1849 old_isec->sclass, DIR__REPARENT, &ad);
1850 if (rc)
1851 return rc;
1852 }
1853
1854 ad.u.dentry = new_dentry;
1855 av = DIR__ADD_NAME | DIR__SEARCH;
1856 if (d_is_positive(new_dentry))
1857 av |= DIR__REMOVE_NAME;
1858 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1859 if (rc)
1860 return rc;
1861 if (d_is_positive(new_dentry)) {
1862 new_isec = d_backing_inode(new_dentry)->i_security;
1863 new_is_dir = d_is_dir(new_dentry);
1864 rc = avc_has_perm(sid, new_isec->sid,
1865 new_isec->sclass,
1866 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1867 if (rc)
1868 return rc;
1869 }
1870
1871 return 0;
1872 }
1873
1874 /* Check whether a task can perform a filesystem operation. */
1875 static int superblock_has_perm(const struct cred *cred,
1876 struct super_block *sb,
1877 u32 perms,
1878 struct common_audit_data *ad)
1879 {
1880 struct superblock_security_struct *sbsec;
1881 u32 sid = cred_sid(cred);
1882
1883 sbsec = sb->s_security;
1884 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1885 }
1886
1887 /* Convert a Linux mode and permission mask to an access vector. */
1888 static inline u32 file_mask_to_av(int mode, int mask)
1889 {
1890 u32 av = 0;
1891
1892 if (!S_ISDIR(mode)) {
1893 if (mask & MAY_EXEC)
1894 av |= FILE__EXECUTE;
1895 if (mask & MAY_READ)
1896 av |= FILE__READ;
1897
1898 if (mask & MAY_APPEND)
1899 av |= FILE__APPEND;
1900 else if (mask & MAY_WRITE)
1901 av |= FILE__WRITE;
1902
1903 } else {
1904 if (mask & MAY_EXEC)
1905 av |= DIR__SEARCH;
1906 if (mask & MAY_WRITE)
1907 av |= DIR__WRITE;
1908 if (mask & MAY_READ)
1909 av |= DIR__READ;
1910 }
1911
1912 return av;
1913 }
1914
1915 /* Convert a Linux file to an access vector. */
1916 static inline u32 file_to_av(struct file *file)
1917 {
1918 u32 av = 0;
1919
1920 if (file->f_mode & FMODE_READ)
1921 av |= FILE__READ;
1922 if (file->f_mode & FMODE_WRITE) {
1923 if (file->f_flags & O_APPEND)
1924 av |= FILE__APPEND;
1925 else
1926 av |= FILE__WRITE;
1927 }
1928 if (!av) {
1929 /*
1930 * Special file opened with flags 3 for ioctl-only use.
1931 */
1932 av = FILE__IOCTL;
1933 }
1934
1935 return av;
1936 }
1937
1938 /*
1939 * Convert a file to an access vector and include the correct open
1940 * open permission.
1941 */
1942 static inline u32 open_file_to_av(struct file *file)
1943 {
1944 u32 av = file_to_av(file);
1945 struct inode *inode = file_inode(file);
1946
1947 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
1948 av |= FILE__OPEN;
1949
1950 return av;
1951 }
1952
1953 /* Hook functions begin here. */
1954
1955 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1956 {
1957 u32 mysid = current_sid();
1958 u32 mgrsid = task_sid(mgr);
1959
1960 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1961 BINDER__SET_CONTEXT_MGR, NULL);
1962 }
1963
1964 static int selinux_binder_transaction(struct task_struct *from,
1965 struct task_struct *to)
1966 {
1967 u32 mysid = current_sid();
1968 u32 fromsid = task_sid(from);
1969 u32 tosid = task_sid(to);
1970 int rc;
1971
1972 if (mysid != fromsid) {
1973 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1974 BINDER__IMPERSONATE, NULL);
1975 if (rc)
1976 return rc;
1977 }
1978
1979 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
1980 NULL);
1981 }
1982
1983 static int selinux_binder_transfer_binder(struct task_struct *from,
1984 struct task_struct *to)
1985 {
1986 u32 fromsid = task_sid(from);
1987 u32 tosid = task_sid(to);
1988
1989 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
1990 NULL);
1991 }
1992
1993 static int selinux_binder_transfer_file(struct task_struct *from,
1994 struct task_struct *to,
1995 struct file *file)
1996 {
1997 u32 sid = task_sid(to);
1998 struct file_security_struct *fsec = file->f_security;
1999 struct inode *inode = d_backing_inode(file->f_path.dentry);
2000 struct inode_security_struct *isec = inode->i_security;
2001 struct common_audit_data ad;
2002 int rc;
2003
2004 ad.type = LSM_AUDIT_DATA_PATH;
2005 ad.u.path = file->f_path;
2006
2007 if (sid != fsec->sid) {
2008 rc = avc_has_perm(sid, fsec->sid,
2009 SECCLASS_FD,
2010 FD__USE,
2011 &ad);
2012 if (rc)
2013 return rc;
2014 }
2015
2016 if (unlikely(IS_PRIVATE(inode)))
2017 return 0;
2018
2019 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2020 &ad);
2021 }
2022
2023 static int selinux_ptrace_access_check(struct task_struct *child,
2024 unsigned int mode)
2025 {
2026 if (mode & PTRACE_MODE_READ) {
2027 u32 sid = current_sid();
2028 u32 csid = task_sid(child);
2029 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2030 }
2031
2032 return current_has_perm(child, PROCESS__PTRACE);
2033 }
2034
2035 static int selinux_ptrace_traceme(struct task_struct *parent)
2036 {
2037 return task_has_perm(parent, current, PROCESS__PTRACE);
2038 }
2039
2040 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2041 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2042 {
2043 return current_has_perm(target, PROCESS__GETCAP);
2044 }
2045
2046 static int selinux_capset(struct cred *new, const struct cred *old,
2047 const kernel_cap_t *effective,
2048 const kernel_cap_t *inheritable,
2049 const kernel_cap_t *permitted)
2050 {
2051 return cred_has_perm(old, new, PROCESS__SETCAP);
2052 }
2053
2054 /*
2055 * (This comment used to live with the selinux_task_setuid hook,
2056 * which was removed).
2057 *
2058 * Since setuid only affects the current process, and since the SELinux
2059 * controls are not based on the Linux identity attributes, SELinux does not
2060 * need to control this operation. However, SELinux does control the use of
2061 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2062 */
2063
2064 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2065 int cap, int audit)
2066 {
2067 return cred_has_capability(cred, cap, audit);
2068 }
2069
2070 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2071 {
2072 const struct cred *cred = current_cred();
2073 int rc = 0;
2074
2075 if (!sb)
2076 return 0;
2077
2078 switch (cmds) {
2079 case Q_SYNC:
2080 case Q_QUOTAON:
2081 case Q_QUOTAOFF:
2082 case Q_SETINFO:
2083 case Q_SETQUOTA:
2084 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2085 break;
2086 case Q_GETFMT:
2087 case Q_GETINFO:
2088 case Q_GETQUOTA:
2089 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2090 break;
2091 default:
2092 rc = 0; /* let the kernel handle invalid cmds */
2093 break;
2094 }
2095 return rc;
2096 }
2097
2098 static int selinux_quota_on(struct dentry *dentry)
2099 {
2100 const struct cred *cred = current_cred();
2101
2102 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2103 }
2104
2105 static int selinux_syslog(int type)
2106 {
2107 int rc;
2108
2109 switch (type) {
2110 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2111 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2112 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2113 break;
2114 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2115 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2116 /* Set level of messages printed to console */
2117 case SYSLOG_ACTION_CONSOLE_LEVEL:
2118 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2119 break;
2120 case SYSLOG_ACTION_CLOSE: /* Close log */
2121 case SYSLOG_ACTION_OPEN: /* Open log */
2122 case SYSLOG_ACTION_READ: /* Read from log */
2123 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2124 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2125 default:
2126 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2127 break;
2128 }
2129 return rc;
2130 }
2131
2132 /*
2133 * Check that a process has enough memory to allocate a new virtual
2134 * mapping. 0 means there is enough memory for the allocation to
2135 * succeed and -ENOMEM implies there is not.
2136 *
2137 * Do not audit the selinux permission check, as this is applied to all
2138 * processes that allocate mappings.
2139 */
2140 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2141 {
2142 int rc, cap_sys_admin = 0;
2143
2144 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2145 SECURITY_CAP_NOAUDIT);
2146 if (rc == 0)
2147 cap_sys_admin = 1;
2148
2149 return cap_sys_admin;
2150 }
2151
2152 /* binprm security operations */
2153
2154 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2155 const struct task_security_struct *old_tsec,
2156 const struct task_security_struct *new_tsec)
2157 {
2158 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2159 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2160 int rc;
2161
2162 if (!nnp && !nosuid)
2163 return 0; /* neither NNP nor nosuid */
2164
2165 if (new_tsec->sid == old_tsec->sid)
2166 return 0; /* No change in credentials */
2167
2168 /*
2169 * The only transitions we permit under NNP or nosuid
2170 * are transitions to bounded SIDs, i.e. SIDs that are
2171 * guaranteed to only be allowed a subset of the permissions
2172 * of the current SID.
2173 */
2174 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2175 if (rc) {
2176 /*
2177 * On failure, preserve the errno values for NNP vs nosuid.
2178 * NNP: Operation not permitted for caller.
2179 * nosuid: Permission denied to file.
2180 */
2181 if (nnp)
2182 return -EPERM;
2183 else
2184 return -EACCES;
2185 }
2186 return 0;
2187 }
2188
2189 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2190 {
2191 const struct task_security_struct *old_tsec;
2192 struct task_security_struct *new_tsec;
2193 struct inode_security_struct *isec;
2194 struct common_audit_data ad;
2195 struct inode *inode = file_inode(bprm->file);
2196 int rc;
2197
2198 /* SELinux context only depends on initial program or script and not
2199 * the script interpreter */
2200 if (bprm->cred_prepared)
2201 return 0;
2202
2203 old_tsec = current_security();
2204 new_tsec = bprm->cred->security;
2205 isec = inode->i_security;
2206
2207 /* Default to the current task SID. */
2208 new_tsec->sid = old_tsec->sid;
2209 new_tsec->osid = old_tsec->sid;
2210
2211 /* Reset fs, key, and sock SIDs on execve. */
2212 new_tsec->create_sid = 0;
2213 new_tsec->keycreate_sid = 0;
2214 new_tsec->sockcreate_sid = 0;
2215
2216 if (old_tsec->exec_sid) {
2217 new_tsec->sid = old_tsec->exec_sid;
2218 /* Reset exec SID on execve. */
2219 new_tsec->exec_sid = 0;
2220
2221 /* Fail on NNP or nosuid if not an allowed transition. */
2222 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2223 if (rc)
2224 return rc;
2225 } else {
2226 /* Check for a default transition on this program. */
2227 rc = security_transition_sid(old_tsec->sid, isec->sid,
2228 SECCLASS_PROCESS, NULL,
2229 &new_tsec->sid);
2230 if (rc)
2231 return rc;
2232
2233 /*
2234 * Fallback to old SID on NNP or nosuid if not an allowed
2235 * transition.
2236 */
2237 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2238 if (rc)
2239 new_tsec->sid = old_tsec->sid;
2240 }
2241
2242 ad.type = LSM_AUDIT_DATA_PATH;
2243 ad.u.path = bprm->file->f_path;
2244
2245 if (new_tsec->sid == old_tsec->sid) {
2246 rc = avc_has_perm(old_tsec->sid, isec->sid,
2247 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2248 if (rc)
2249 return rc;
2250 } else {
2251 /* Check permissions for the transition. */
2252 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2253 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2254 if (rc)
2255 return rc;
2256
2257 rc = avc_has_perm(new_tsec->sid, isec->sid,
2258 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2259 if (rc)
2260 return rc;
2261
2262 /* Check for shared state */
2263 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2264 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2265 SECCLASS_PROCESS, PROCESS__SHARE,
2266 NULL);
2267 if (rc)
2268 return -EPERM;
2269 }
2270
2271 /* Make sure that anyone attempting to ptrace over a task that
2272 * changes its SID has the appropriate permit */
2273 if (bprm->unsafe &
2274 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2275 struct task_struct *tracer;
2276 struct task_security_struct *sec;
2277 u32 ptsid = 0;
2278
2279 rcu_read_lock();
2280 tracer = ptrace_parent(current);
2281 if (likely(tracer != NULL)) {
2282 sec = __task_cred(tracer)->security;
2283 ptsid = sec->sid;
2284 }
2285 rcu_read_unlock();
2286
2287 if (ptsid != 0) {
2288 rc = avc_has_perm(ptsid, new_tsec->sid,
2289 SECCLASS_PROCESS,
2290 PROCESS__PTRACE, NULL);
2291 if (rc)
2292 return -EPERM;
2293 }
2294 }
2295
2296 /* Clear any possibly unsafe personality bits on exec: */
2297 bprm->per_clear |= PER_CLEAR_ON_SETID;
2298 }
2299
2300 return 0;
2301 }
2302
2303 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2304 {
2305 const struct task_security_struct *tsec = current_security();
2306 u32 sid, osid;
2307 int atsecure = 0;
2308
2309 sid = tsec->sid;
2310 osid = tsec->osid;
2311
2312 if (osid != sid) {
2313 /* Enable secure mode for SIDs transitions unless
2314 the noatsecure permission is granted between
2315 the two SIDs, i.e. ahp returns 0. */
2316 atsecure = avc_has_perm(osid, sid,
2317 SECCLASS_PROCESS,
2318 PROCESS__NOATSECURE, NULL);
2319 }
2320
2321 return !!atsecure;
2322 }
2323
2324 static int match_file(const void *p, struct file *file, unsigned fd)
2325 {
2326 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2327 }
2328
2329 /* Derived from fs/exec.c:flush_old_files. */
2330 static inline void flush_unauthorized_files(const struct cred *cred,
2331 struct files_struct *files)
2332 {
2333 struct file *file, *devnull = NULL;
2334 struct tty_struct *tty;
2335 int drop_tty = 0;
2336 unsigned n;
2337
2338 tty = get_current_tty();
2339 if (tty) {
2340 spin_lock(&tty_files_lock);
2341 if (!list_empty(&tty->tty_files)) {
2342 struct tty_file_private *file_priv;
2343
2344 /* Revalidate access to controlling tty.
2345 Use file_path_has_perm on the tty path directly
2346 rather than using file_has_perm, as this particular
2347 open file may belong to another process and we are
2348 only interested in the inode-based check here. */
2349 file_priv = list_first_entry(&tty->tty_files,
2350 struct tty_file_private, list);
2351 file = file_priv->file;
2352 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2353 drop_tty = 1;
2354 }
2355 spin_unlock(&tty_files_lock);
2356 tty_kref_put(tty);
2357 }
2358 /* Reset controlling tty. */
2359 if (drop_tty)
2360 no_tty();
2361
2362 /* Revalidate access to inherited open files. */
2363 n = iterate_fd(files, 0, match_file, cred);
2364 if (!n) /* none found? */
2365 return;
2366
2367 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2368 if (IS_ERR(devnull))
2369 devnull = NULL;
2370 /* replace all the matching ones with this */
2371 do {
2372 replace_fd(n - 1, devnull, 0);
2373 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2374 if (devnull)
2375 fput(devnull);
2376 }
2377
2378 /*
2379 * Prepare a process for imminent new credential changes due to exec
2380 */
2381 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2382 {
2383 struct task_security_struct *new_tsec;
2384 struct rlimit *rlim, *initrlim;
2385 int rc, i;
2386
2387 new_tsec = bprm->cred->security;
2388 if (new_tsec->sid == new_tsec->osid)
2389 return;
2390
2391 /* Close files for which the new task SID is not authorized. */
2392 flush_unauthorized_files(bprm->cred, current->files);
2393
2394 /* Always clear parent death signal on SID transitions. */
2395 current->pdeath_signal = 0;
2396
2397 /* Check whether the new SID can inherit resource limits from the old
2398 * SID. If not, reset all soft limits to the lower of the current
2399 * task's hard limit and the init task's soft limit.
2400 *
2401 * Note that the setting of hard limits (even to lower them) can be
2402 * controlled by the setrlimit check. The inclusion of the init task's
2403 * soft limit into the computation is to avoid resetting soft limits
2404 * higher than the default soft limit for cases where the default is
2405 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2406 */
2407 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2408 PROCESS__RLIMITINH, NULL);
2409 if (rc) {
2410 /* protect against do_prlimit() */
2411 task_lock(current);
2412 for (i = 0; i < RLIM_NLIMITS; i++) {
2413 rlim = current->signal->rlim + i;
2414 initrlim = init_task.signal->rlim + i;
2415 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2416 }
2417 task_unlock(current);
2418 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2419 }
2420 }
2421
2422 /*
2423 * Clean up the process immediately after the installation of new credentials
2424 * due to exec
2425 */
2426 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2427 {
2428 const struct task_security_struct *tsec = current_security();
2429 struct itimerval itimer;
2430 u32 osid, sid;
2431 int rc, i;
2432
2433 osid = tsec->osid;
2434 sid = tsec->sid;
2435
2436 if (sid == osid)
2437 return;
2438
2439 /* Check whether the new SID can inherit signal state from the old SID.
2440 * If not, clear itimers to avoid subsequent signal generation and
2441 * flush and unblock signals.
2442 *
2443 * This must occur _after_ the task SID has been updated so that any
2444 * kill done after the flush will be checked against the new SID.
2445 */
2446 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2447 if (rc) {
2448 memset(&itimer, 0, sizeof itimer);
2449 for (i = 0; i < 3; i++)
2450 do_setitimer(i, &itimer, NULL);
2451 spin_lock_irq(&current->sighand->siglock);
2452 if (!fatal_signal_pending(current)) {
2453 flush_sigqueue(&current->pending);
2454 flush_sigqueue(&current->signal->shared_pending);
2455 flush_signal_handlers(current, 1);
2456 sigemptyset(&current->blocked);
2457 recalc_sigpending();
2458 }
2459 spin_unlock_irq(&current->sighand->siglock);
2460 }
2461
2462 /* Wake up the parent if it is waiting so that it can recheck
2463 * wait permission to the new task SID. */
2464 read_lock(&tasklist_lock);
2465 __wake_up_parent(current, current->real_parent);
2466 read_unlock(&tasklist_lock);
2467 }
2468
2469 /* superblock security operations */
2470
2471 static int selinux_sb_alloc_security(struct super_block *sb)
2472 {
2473 return superblock_alloc_security(sb);
2474 }
2475
2476 static void selinux_sb_free_security(struct super_block *sb)
2477 {
2478 superblock_free_security(sb);
2479 }
2480
2481 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2482 {
2483 if (plen > olen)
2484 return 0;
2485
2486 return !memcmp(prefix, option, plen);
2487 }
2488
2489 static inline int selinux_option(char *option, int len)
2490 {
2491 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2492 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2493 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2494 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2495 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2496 }
2497
2498 static inline void take_option(char **to, char *from, int *first, int len)
2499 {
2500 if (!*first) {
2501 **to = ',';
2502 *to += 1;
2503 } else
2504 *first = 0;
2505 memcpy(*to, from, len);
2506 *to += len;
2507 }
2508
2509 static inline void take_selinux_option(char **to, char *from, int *first,
2510 int len)
2511 {
2512 int current_size = 0;
2513
2514 if (!*first) {
2515 **to = '|';
2516 *to += 1;
2517 } else
2518 *first = 0;
2519
2520 while (current_size < len) {
2521 if (*from != '"') {
2522 **to = *from;
2523 *to += 1;
2524 }
2525 from += 1;
2526 current_size += 1;
2527 }
2528 }
2529
2530 static int selinux_sb_copy_data(char *orig, char *copy)
2531 {
2532 int fnosec, fsec, rc = 0;
2533 char *in_save, *in_curr, *in_end;
2534 char *sec_curr, *nosec_save, *nosec;
2535 int open_quote = 0;
2536
2537 in_curr = orig;
2538 sec_curr = copy;
2539
2540 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2541 if (!nosec) {
2542 rc = -ENOMEM;
2543 goto out;
2544 }
2545
2546 nosec_save = nosec;
2547 fnosec = fsec = 1;
2548 in_save = in_end = orig;
2549
2550 do {
2551 if (*in_end == '"')
2552 open_quote = !open_quote;
2553 if ((*in_end == ',' && open_quote == 0) ||
2554 *in_end == '\0') {
2555 int len = in_end - in_curr;
2556
2557 if (selinux_option(in_curr, len))
2558 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2559 else
2560 take_option(&nosec, in_curr, &fnosec, len);
2561
2562 in_curr = in_end + 1;
2563 }
2564 } while (*in_end++);
2565
2566 strcpy(in_save, nosec_save);
2567 free_page((unsigned long)nosec_save);
2568 out:
2569 return rc;
2570 }
2571
2572 static int selinux_sb_remount(struct super_block *sb, void *data)
2573 {
2574 int rc, i, *flags;
2575 struct security_mnt_opts opts;
2576 char *secdata, **mount_options;
2577 struct superblock_security_struct *sbsec = sb->s_security;
2578
2579 if (!(sbsec->flags & SE_SBINITIALIZED))
2580 return 0;
2581
2582 if (!data)
2583 return 0;
2584
2585 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2586 return 0;
2587
2588 security_init_mnt_opts(&opts);
2589 secdata = alloc_secdata();
2590 if (!secdata)
2591 return -ENOMEM;
2592 rc = selinux_sb_copy_data(data, secdata);
2593 if (rc)
2594 goto out_free_secdata;
2595
2596 rc = selinux_parse_opts_str(secdata, &opts);
2597 if (rc)
2598 goto out_free_secdata;
2599
2600 mount_options = opts.mnt_opts;
2601 flags = opts.mnt_opts_flags;
2602
2603 for (i = 0; i < opts.num_mnt_opts; i++) {
2604 u32 sid;
2605
2606 if (flags[i] == SBLABEL_MNT)
2607 continue;
2608 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2609 if (rc) {
2610 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2611 "(%s) failed for (dev %s, type %s) errno=%d\n",
2612 mount_options[i], sb->s_id, sb->s_type->name, rc);
2613 goto out_free_opts;
2614 }
2615 rc = -EINVAL;
2616 switch (flags[i]) {
2617 case FSCONTEXT_MNT:
2618 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2619 goto out_bad_option;
2620 break;
2621 case CONTEXT_MNT:
2622 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2623 goto out_bad_option;
2624 break;
2625 case ROOTCONTEXT_MNT: {
2626 struct inode_security_struct *root_isec;
2627 root_isec = d_backing_inode(sb->s_root)->i_security;
2628
2629 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2630 goto out_bad_option;
2631 break;
2632 }
2633 case DEFCONTEXT_MNT:
2634 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2635 goto out_bad_option;
2636 break;
2637 default:
2638 goto out_free_opts;
2639 }
2640 }
2641
2642 rc = 0;
2643 out_free_opts:
2644 security_free_mnt_opts(&opts);
2645 out_free_secdata:
2646 free_secdata(secdata);
2647 return rc;
2648 out_bad_option:
2649 printk(KERN_WARNING "SELinux: unable to change security options "
2650 "during remount (dev %s, type=%s)\n", sb->s_id,
2651 sb->s_type->name);
2652 goto out_free_opts;
2653 }
2654
2655 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2656 {
2657 const struct cred *cred = current_cred();
2658 struct common_audit_data ad;
2659 int rc;
2660
2661 rc = superblock_doinit(sb, data);
2662 if (rc)
2663 return rc;
2664
2665 /* Allow all mounts performed by the kernel */
2666 if (flags & MS_KERNMOUNT)
2667 return 0;
2668
2669 ad.type = LSM_AUDIT_DATA_DENTRY;
2670 ad.u.dentry = sb->s_root;
2671 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2672 }
2673
2674 static int selinux_sb_statfs(struct dentry *dentry)
2675 {
2676 const struct cred *cred = current_cred();
2677 struct common_audit_data ad;
2678
2679 ad.type = LSM_AUDIT_DATA_DENTRY;
2680 ad.u.dentry = dentry->d_sb->s_root;
2681 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2682 }
2683
2684 static int selinux_mount(const char *dev_name,
2685 struct path *path,
2686 const char *type,
2687 unsigned long flags,
2688 void *data)
2689 {
2690 const struct cred *cred = current_cred();
2691
2692 if (flags & MS_REMOUNT)
2693 return superblock_has_perm(cred, path->dentry->d_sb,
2694 FILESYSTEM__REMOUNT, NULL);
2695 else
2696 return path_has_perm(cred, path, FILE__MOUNTON);
2697 }
2698
2699 static int selinux_umount(struct vfsmount *mnt, int flags)
2700 {
2701 const struct cred *cred = current_cred();
2702
2703 return superblock_has_perm(cred, mnt->mnt_sb,
2704 FILESYSTEM__UNMOUNT, NULL);
2705 }
2706
2707 /* inode security operations */
2708
2709 static int selinux_inode_alloc_security(struct inode *inode)
2710 {
2711 return inode_alloc_security(inode);
2712 }
2713
2714 static void selinux_inode_free_security(struct inode *inode)
2715 {
2716 inode_free_security(inode);
2717 }
2718
2719 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2720 struct qstr *name, void **ctx,
2721 u32 *ctxlen)
2722 {
2723 u32 newsid;
2724 int rc;
2725
2726 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2727 inode_mode_to_security_class(mode),
2728 &newsid);
2729 if (rc)
2730 return rc;
2731
2732 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2733 }
2734
2735 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2736 const struct qstr *qstr,
2737 const char **name,
2738 void **value, size_t *len)
2739 {
2740 const struct task_security_struct *tsec = current_security();
2741 struct inode_security_struct *dsec;
2742 struct superblock_security_struct *sbsec;
2743 u32 sid, newsid, clen;
2744 int rc;
2745 char *context;
2746
2747 dsec = dir->i_security;
2748 sbsec = dir->i_sb->s_security;
2749
2750 sid = tsec->sid;
2751 newsid = tsec->create_sid;
2752
2753 rc = selinux_determine_inode_label(
2754 dir, qstr,
2755 inode_mode_to_security_class(inode->i_mode),
2756 &newsid);
2757 if (rc)
2758 return rc;
2759
2760 /* Possibly defer initialization to selinux_complete_init. */
2761 if (sbsec->flags & SE_SBINITIALIZED) {
2762 struct inode_security_struct *isec = inode->i_security;
2763 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2764 isec->sid = newsid;
2765 isec->initialized = 1;
2766 }
2767
2768 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2769 return -EOPNOTSUPP;
2770
2771 if (name)
2772 *name = XATTR_SELINUX_SUFFIX;
2773
2774 if (value && len) {
2775 rc = security_sid_to_context_force(newsid, &context, &clen);
2776 if (rc)
2777 return rc;
2778 *value = context;
2779 *len = clen;
2780 }
2781
2782 return 0;
2783 }
2784
2785 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2786 {
2787 return may_create(dir, dentry, SECCLASS_FILE);
2788 }
2789
2790 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2791 {
2792 return may_link(dir, old_dentry, MAY_LINK);
2793 }
2794
2795 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2796 {
2797 return may_link(dir, dentry, MAY_UNLINK);
2798 }
2799
2800 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2801 {
2802 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2803 }
2804
2805 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2806 {
2807 return may_create(dir, dentry, SECCLASS_DIR);
2808 }
2809
2810 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2811 {
2812 return may_link(dir, dentry, MAY_RMDIR);
2813 }
2814
2815 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2816 {
2817 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2818 }
2819
2820 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2821 struct inode *new_inode, struct dentry *new_dentry)
2822 {
2823 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2824 }
2825
2826 static int selinux_inode_readlink(struct dentry *dentry)
2827 {
2828 const struct cred *cred = current_cred();
2829
2830 return dentry_has_perm(cred, dentry, FILE__READ);
2831 }
2832
2833 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2834 bool rcu)
2835 {
2836 const struct cred *cred = current_cred();
2837 struct common_audit_data ad;
2838 struct inode_security_struct *isec;
2839 u32 sid;
2840
2841 validate_creds(cred);
2842
2843 ad.type = LSM_AUDIT_DATA_DENTRY;
2844 ad.u.dentry = dentry;
2845 sid = cred_sid(cred);
2846 isec = inode->i_security;
2847
2848 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2849 rcu ? MAY_NOT_BLOCK : 0);
2850 }
2851
2852 static noinline int audit_inode_permission(struct inode *inode,
2853 u32 perms, u32 audited, u32 denied,
2854 int result,
2855 unsigned flags)
2856 {
2857 struct common_audit_data ad;
2858 struct inode_security_struct *isec = inode->i_security;
2859 int rc;
2860
2861 ad.type = LSM_AUDIT_DATA_INODE;
2862 ad.u.inode = inode;
2863
2864 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2865 audited, denied, result, &ad, flags);
2866 if (rc)
2867 return rc;
2868 return 0;
2869 }
2870
2871 static int selinux_inode_permission(struct inode *inode, int mask)
2872 {
2873 const struct cred *cred = current_cred();
2874 u32 perms;
2875 bool from_access;
2876 unsigned flags = mask & MAY_NOT_BLOCK;
2877 struct inode_security_struct *isec;
2878 u32 sid;
2879 struct av_decision avd;
2880 int rc, rc2;
2881 u32 audited, denied;
2882
2883 from_access = mask & MAY_ACCESS;
2884 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2885
2886 /* No permission to check. Existence test. */
2887 if (!mask)
2888 return 0;
2889
2890 validate_creds(cred);
2891
2892 if (unlikely(IS_PRIVATE(inode)))
2893 return 0;
2894
2895 perms = file_mask_to_av(inode->i_mode, mask);
2896
2897 sid = cred_sid(cred);
2898 isec = inode->i_security;
2899
2900 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2901 audited = avc_audit_required(perms, &avd, rc,
2902 from_access ? FILE__AUDIT_ACCESS : 0,
2903 &denied);
2904 if (likely(!audited))
2905 return rc;
2906
2907 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2908 if (rc2)
2909 return rc2;
2910 return rc;
2911 }
2912
2913 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2914 {
2915 const struct cred *cred = current_cred();
2916 struct inode *inode = d_backing_inode(dentry);
2917 unsigned int ia_valid = iattr->ia_valid;
2918 __u32 av = FILE__WRITE;
2919
2920 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2921 if (ia_valid & ATTR_FORCE) {
2922 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2923 ATTR_FORCE);
2924 if (!ia_valid)
2925 return 0;
2926 }
2927
2928 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2929 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2930 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2931
2932 if (selinux_policycap_openperm &&
2933 inode->i_sb->s_magic != SOCKFS_MAGIC &&
2934 (ia_valid & ATTR_SIZE) &&
2935 !(ia_valid & ATTR_FILE))
2936 av |= FILE__OPEN;
2937
2938 return dentry_has_perm(cred, dentry, av);
2939 }
2940
2941 static int selinux_inode_getattr(const struct path *path)
2942 {
2943 return path_has_perm(current_cred(), path, FILE__GETATTR);
2944 }
2945
2946 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2947 {
2948 const struct cred *cred = current_cred();
2949
2950 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2951 sizeof XATTR_SECURITY_PREFIX - 1)) {
2952 if (!strcmp(name, XATTR_NAME_CAPS)) {
2953 if (!capable(CAP_SETFCAP))
2954 return -EPERM;
2955 } else if (!capable(CAP_SYS_ADMIN)) {
2956 /* A different attribute in the security namespace.
2957 Restrict to administrator. */
2958 return -EPERM;
2959 }
2960 }
2961
2962 /* Not an attribute we recognize, so just check the
2963 ordinary setattr permission. */
2964 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2965 }
2966
2967 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2968 const void *value, size_t size, int flags)
2969 {
2970 struct inode *inode = d_backing_inode(dentry);
2971 struct inode_security_struct *isec = inode->i_security;
2972 struct superblock_security_struct *sbsec;
2973 struct common_audit_data ad;
2974 u32 newsid, sid = current_sid();
2975 int rc = 0;
2976
2977 if (strcmp(name, XATTR_NAME_SELINUX))
2978 return selinux_inode_setotherxattr(dentry, name);
2979
2980 sbsec = inode->i_sb->s_security;
2981 if (!(sbsec->flags & SBLABEL_MNT))
2982 return -EOPNOTSUPP;
2983
2984 if (!inode_owner_or_capable(inode))
2985 return -EPERM;
2986
2987 ad.type = LSM_AUDIT_DATA_DENTRY;
2988 ad.u.dentry = dentry;
2989
2990 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2991 FILE__RELABELFROM, &ad);
2992 if (rc)
2993 return rc;
2994
2995 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
2996 if (rc == -EINVAL) {
2997 if (!capable(CAP_MAC_ADMIN)) {
2998 struct audit_buffer *ab;
2999 size_t audit_size;
3000 const char *str;
3001
3002 /* We strip a nul only if it is at the end, otherwise the
3003 * context contains a nul and we should audit that */
3004 if (value) {
3005 str = value;
3006 if (str[size - 1] == '\0')
3007 audit_size = size - 1;
3008 else
3009 audit_size = size;
3010 } else {
3011 str = "";
3012 audit_size = 0;
3013 }
3014 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3015 audit_log_format(ab, "op=setxattr invalid_context=");
3016 audit_log_n_untrustedstring(ab, value, audit_size);
3017 audit_log_end(ab);
3018
3019 return rc;
3020 }
3021 rc = security_context_to_sid_force(value, size, &newsid);
3022 }
3023 if (rc)
3024 return rc;
3025
3026 rc = avc_has_perm(sid, newsid, isec->sclass,
3027 FILE__RELABELTO, &ad);
3028 if (rc)
3029 return rc;
3030
3031 rc = security_validate_transition(isec->sid, newsid, sid,
3032 isec->sclass);
3033 if (rc)
3034 return rc;
3035
3036 return avc_has_perm(newsid,
3037 sbsec->sid,
3038 SECCLASS_FILESYSTEM,
3039 FILESYSTEM__ASSOCIATE,
3040 &ad);
3041 }
3042
3043 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3044 const void *value, size_t size,
3045 int flags)
3046 {
3047 struct inode *inode = d_backing_inode(dentry);
3048 struct inode_security_struct *isec = inode->i_security;
3049 u32 newsid;
3050 int rc;
3051
3052 if (strcmp(name, XATTR_NAME_SELINUX)) {
3053 /* Not an attribute we recognize, so nothing to do. */
3054 return;
3055 }
3056
3057 rc = security_context_to_sid_force(value, size, &newsid);
3058 if (rc) {
3059 printk(KERN_ERR "SELinux: unable to map context to SID"
3060 "for (%s, %lu), rc=%d\n",
3061 inode->i_sb->s_id, inode->i_ino, -rc);
3062 return;
3063 }
3064
3065 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3066 isec->sid = newsid;
3067 isec->initialized = 1;
3068
3069 return;
3070 }
3071
3072 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3073 {
3074 const struct cred *cred = current_cred();
3075
3076 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3077 }
3078
3079 static int selinux_inode_listxattr(struct dentry *dentry)
3080 {
3081 const struct cred *cred = current_cred();
3082
3083 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3084 }
3085
3086 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3087 {
3088 if (strcmp(name, XATTR_NAME_SELINUX))
3089 return selinux_inode_setotherxattr(dentry, name);
3090
3091 /* No one is allowed to remove a SELinux security label.
3092 You can change the label, but all data must be labeled. */
3093 return -EACCES;
3094 }
3095
3096 /*
3097 * Copy the inode security context value to the user.
3098 *
3099 * Permission check is handled by selinux_inode_getxattr hook.
3100 */
3101 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3102 {
3103 u32 size;
3104 int error;
3105 char *context = NULL;
3106 struct inode_security_struct *isec = inode->i_security;
3107
3108 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3109 return -EOPNOTSUPP;
3110
3111 /*
3112 * If the caller has CAP_MAC_ADMIN, then get the raw context
3113 * value even if it is not defined by current policy; otherwise,
3114 * use the in-core value under current policy.
3115 * Use the non-auditing forms of the permission checks since
3116 * getxattr may be called by unprivileged processes commonly
3117 * and lack of permission just means that we fall back to the
3118 * in-core context value, not a denial.
3119 */
3120 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3121 SECURITY_CAP_NOAUDIT);
3122 if (!error)
3123 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3124 SECURITY_CAP_NOAUDIT);
3125 if (!error)
3126 error = security_sid_to_context_force(isec->sid, &context,
3127 &size);
3128 else
3129 error = security_sid_to_context(isec->sid, &context, &size);
3130 if (error)
3131 return error;
3132 error = size;
3133 if (alloc) {
3134 *buffer = context;
3135 goto out_nofree;
3136 }
3137 kfree(context);
3138 out_nofree:
3139 return error;
3140 }
3141
3142 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3143 const void *value, size_t size, int flags)
3144 {
3145 struct inode_security_struct *isec = inode->i_security;
3146 u32 newsid;
3147 int rc;
3148
3149 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3150 return -EOPNOTSUPP;
3151
3152 if (!value || !size)
3153 return -EACCES;
3154
3155 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3156 if (rc)
3157 return rc;
3158
3159 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3160 isec->sid = newsid;
3161 isec->initialized = 1;
3162 return 0;
3163 }
3164
3165 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3166 {
3167 const int len = sizeof(XATTR_NAME_SELINUX);
3168 if (buffer && len <= buffer_size)
3169 memcpy(buffer, XATTR_NAME_SELINUX, len);
3170 return len;
3171 }
3172
3173 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3174 {
3175 struct inode_security_struct *isec = inode->i_security;
3176 *secid = isec->sid;
3177 }
3178
3179 /* file security operations */
3180
3181 static int selinux_revalidate_file_permission(struct file *file, int mask)
3182 {
3183 const struct cred *cred = current_cred();
3184 struct inode *inode = file_inode(file);
3185
3186 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3187 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3188 mask |= MAY_APPEND;
3189
3190 return file_has_perm(cred, file,
3191 file_mask_to_av(inode->i_mode, mask));
3192 }
3193
3194 static int selinux_file_permission(struct file *file, int mask)
3195 {
3196 struct inode *inode = file_inode(file);
3197 struct file_security_struct *fsec = file->f_security;
3198 struct inode_security_struct *isec = inode->i_security;
3199 u32 sid = current_sid();
3200
3201 if (!mask)
3202 /* No permission to check. Existence test. */
3203 return 0;
3204
3205 if (sid == fsec->sid && fsec->isid == isec->sid &&
3206 fsec->pseqno == avc_policy_seqno())
3207 /* No change since file_open check. */
3208 return 0;
3209
3210 return selinux_revalidate_file_permission(file, mask);
3211 }
3212
3213 static int selinux_file_alloc_security(struct file *file)
3214 {
3215 return file_alloc_security(file);
3216 }
3217
3218 static void selinux_file_free_security(struct file *file)
3219 {
3220 file_free_security(file);
3221 }
3222
3223 /*
3224 * Check whether a task has the ioctl permission and cmd
3225 * operation to an inode.
3226 */
3227 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3228 u32 requested, u16 cmd)
3229 {
3230 struct common_audit_data ad;
3231 struct file_security_struct *fsec = file->f_security;
3232 struct inode *inode = file_inode(file);
3233 struct inode_security_struct *isec = inode->i_security;
3234 struct lsm_ioctlop_audit ioctl;
3235 u32 ssid = cred_sid(cred);
3236 int rc;
3237 u8 driver = cmd >> 8;
3238 u8 xperm = cmd & 0xff;
3239
3240 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3241 ad.u.op = &ioctl;
3242 ad.u.op->cmd = cmd;
3243 ad.u.op->path = file->f_path;
3244
3245 if (ssid != fsec->sid) {
3246 rc = avc_has_perm(ssid, fsec->sid,
3247 SECCLASS_FD,
3248 FD__USE,
3249 &ad);
3250 if (rc)
3251 goto out;
3252 }
3253
3254 if (unlikely(IS_PRIVATE(inode)))
3255 return 0;
3256
3257 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3258 requested, driver, xperm, &ad);
3259 out:
3260 return rc;
3261 }
3262
3263 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3264 unsigned long arg)
3265 {
3266 const struct cred *cred = current_cred();
3267 int error = 0;
3268
3269 switch (cmd) {
3270 case FIONREAD:
3271 /* fall through */
3272 case FIBMAP:
3273 /* fall through */
3274 case FIGETBSZ:
3275 /* fall through */
3276 case FS_IOC_GETFLAGS:
3277 /* fall through */
3278 case FS_IOC_GETVERSION:
3279 error = file_has_perm(cred, file, FILE__GETATTR);
3280 break;
3281
3282 case FS_IOC_SETFLAGS:
3283 /* fall through */
3284 case FS_IOC_SETVERSION:
3285 error = file_has_perm(cred, file, FILE__SETATTR);
3286 break;
3287
3288 /* sys_ioctl() checks */
3289 case FIONBIO:
3290 /* fall through */
3291 case FIOASYNC:
3292 error = file_has_perm(cred, file, 0);
3293 break;
3294
3295 case KDSKBENT:
3296 case KDSKBSENT:
3297 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3298 SECURITY_CAP_AUDIT);
3299 break;
3300
3301 /* default case assumes that the command will go
3302 * to the file's ioctl() function.
3303 */
3304 default:
3305 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3306 }
3307 return error;
3308 }
3309
3310 static int default_noexec;
3311
3312 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3313 {
3314 const struct cred *cred = current_cred();
3315 int rc = 0;
3316
3317 if (default_noexec &&
3318 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3319 (!shared && (prot & PROT_WRITE)))) {
3320 /*
3321 * We are making executable an anonymous mapping or a
3322 * private file mapping that will also be writable.
3323 * This has an additional check.
3324 */
3325 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3326 if (rc)
3327 goto error;
3328 }
3329
3330 if (file) {
3331 /* read access is always possible with a mapping */
3332 u32 av = FILE__READ;
3333
3334 /* write access only matters if the mapping is shared */
3335 if (shared && (prot & PROT_WRITE))
3336 av |= FILE__WRITE;
3337
3338 if (prot & PROT_EXEC)
3339 av |= FILE__EXECUTE;
3340
3341 return file_has_perm(cred, file, av);
3342 }
3343
3344 error:
3345 return rc;
3346 }
3347
3348 static int selinux_mmap_addr(unsigned long addr)
3349 {
3350 int rc = 0;
3351
3352 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3353 u32 sid = current_sid();
3354 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3355 MEMPROTECT__MMAP_ZERO, NULL);
3356 }
3357
3358 return rc;
3359 }
3360
3361 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3362 unsigned long prot, unsigned long flags)
3363 {
3364 if (selinux_checkreqprot)
3365 prot = reqprot;
3366
3367 return file_map_prot_check(file, prot,
3368 (flags & MAP_TYPE) == MAP_SHARED);
3369 }
3370
3371 static int selinux_file_mprotect(struct vm_area_struct *vma,
3372 unsigned long reqprot,
3373 unsigned long prot)
3374 {
3375 const struct cred *cred = current_cred();
3376
3377 if (selinux_checkreqprot)
3378 prot = reqprot;
3379
3380 if (default_noexec &&
3381 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3382 int rc = 0;
3383 if (vma->vm_start >= vma->vm_mm->start_brk &&
3384 vma->vm_end <= vma->vm_mm->brk) {
3385 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3386 } else if (!vma->vm_file &&
3387 vma->vm_start <= vma->vm_mm->start_stack &&
3388 vma->vm_end >= vma->vm_mm->start_stack) {
3389 rc = current_has_perm(current, PROCESS__EXECSTACK);
3390 } else if (vma->vm_file && vma->anon_vma) {
3391 /*
3392 * We are making executable a file mapping that has
3393 * had some COW done. Since pages might have been
3394 * written, check ability to execute the possibly
3395 * modified content. This typically should only
3396 * occur for text relocations.
3397 */
3398 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3399 }
3400 if (rc)
3401 return rc;
3402 }
3403
3404 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3405 }
3406
3407 static int selinux_file_lock(struct file *file, unsigned int cmd)
3408 {
3409 const struct cred *cred = current_cred();
3410
3411 return file_has_perm(cred, file, FILE__LOCK);
3412 }
3413
3414 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3415 unsigned long arg)
3416 {
3417 const struct cred *cred = current_cred();
3418 int err = 0;
3419
3420 switch (cmd) {
3421 case F_SETFL:
3422 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3423 err = file_has_perm(cred, file, FILE__WRITE);
3424 break;
3425 }
3426 /* fall through */
3427 case F_SETOWN:
3428 case F_SETSIG:
3429 case F_GETFL:
3430 case F_GETOWN:
3431 case F_GETSIG:
3432 case F_GETOWNER_UIDS:
3433 /* Just check FD__USE permission */
3434 err = file_has_perm(cred, file, 0);
3435 break;
3436 case F_GETLK:
3437 case F_SETLK:
3438 case F_SETLKW:
3439 case F_OFD_GETLK:
3440 case F_OFD_SETLK:
3441 case F_OFD_SETLKW:
3442 #if BITS_PER_LONG == 32
3443 case F_GETLK64:
3444 case F_SETLK64:
3445 case F_SETLKW64:
3446 #endif
3447 err = file_has_perm(cred, file, FILE__LOCK);
3448 break;
3449 }
3450
3451 return err;
3452 }
3453
3454 static void selinux_file_set_fowner(struct file *file)
3455 {
3456 struct file_security_struct *fsec;
3457
3458 fsec = file->f_security;
3459 fsec->fown_sid = current_sid();
3460 }
3461
3462 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3463 struct fown_struct *fown, int signum)
3464 {
3465 struct file *file;
3466 u32 sid = task_sid(tsk);
3467 u32 perm;
3468 struct file_security_struct *fsec;
3469
3470 /* struct fown_struct is never outside the context of a struct file */
3471 file = container_of(fown, struct file, f_owner);
3472
3473 fsec = file->f_security;
3474
3475 if (!signum)
3476 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3477 else
3478 perm = signal_to_av(signum);
3479
3480 return avc_has_perm(fsec->fown_sid, sid,
3481 SECCLASS_PROCESS, perm, NULL);
3482 }
3483
3484 static int selinux_file_receive(struct file *file)
3485 {
3486 const struct cred *cred = current_cred();
3487
3488 return file_has_perm(cred, file, file_to_av(file));
3489 }
3490
3491 static int selinux_file_open(struct file *file, const struct cred *cred)
3492 {
3493 struct file_security_struct *fsec;
3494 struct inode_security_struct *isec;
3495
3496 fsec = file->f_security;
3497 isec = file_inode(file)->i_security;
3498 /*
3499 * Save inode label and policy sequence number
3500 * at open-time so that selinux_file_permission
3501 * can determine whether revalidation is necessary.
3502 * Task label is already saved in the file security
3503 * struct as its SID.
3504 */
3505 fsec->isid = isec->sid;
3506 fsec->pseqno = avc_policy_seqno();
3507 /*
3508 * Since the inode label or policy seqno may have changed
3509 * between the selinux_inode_permission check and the saving
3510 * of state above, recheck that access is still permitted.
3511 * Otherwise, access might never be revalidated against the
3512 * new inode label or new policy.
3513 * This check is not redundant - do not remove.
3514 */
3515 return file_path_has_perm(cred, file, open_file_to_av(file));
3516 }
3517
3518 /* task security operations */
3519
3520 static int selinux_task_create(unsigned long clone_flags)
3521 {
3522 return current_has_perm(current, PROCESS__FORK);
3523 }
3524
3525 /*
3526 * allocate the SELinux part of blank credentials
3527 */
3528 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3529 {
3530 struct task_security_struct *tsec;
3531
3532 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3533 if (!tsec)
3534 return -ENOMEM;
3535
3536 cred->security = tsec;
3537 return 0;
3538 }
3539
3540 /*
3541 * detach and free the LSM part of a set of credentials
3542 */
3543 static void selinux_cred_free(struct cred *cred)
3544 {
3545 struct task_security_struct *tsec = cred->security;
3546
3547 /*
3548 * cred->security == NULL if security_cred_alloc_blank() or
3549 * security_prepare_creds() returned an error.
3550 */
3551 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3552 cred->security = (void *) 0x7UL;
3553 kfree(tsec);
3554 }
3555
3556 /*
3557 * prepare a new set of credentials for modification
3558 */
3559 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3560 gfp_t gfp)
3561 {
3562 const struct task_security_struct *old_tsec;
3563 struct task_security_struct *tsec;
3564
3565 old_tsec = old->security;
3566
3567 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3568 if (!tsec)
3569 return -ENOMEM;
3570
3571 new->security = tsec;
3572 return 0;
3573 }
3574
3575 /*
3576 * transfer the SELinux data to a blank set of creds
3577 */
3578 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3579 {
3580 const struct task_security_struct *old_tsec = old->security;
3581 struct task_security_struct *tsec = new->security;
3582
3583 *tsec = *old_tsec;
3584 }
3585
3586 /*
3587 * set the security data for a kernel service
3588 * - all the creation contexts are set to unlabelled
3589 */
3590 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3591 {
3592 struct task_security_struct *tsec = new->security;
3593 u32 sid = current_sid();
3594 int ret;
3595
3596 ret = avc_has_perm(sid, secid,
3597 SECCLASS_KERNEL_SERVICE,
3598 KERNEL_SERVICE__USE_AS_OVERRIDE,
3599 NULL);
3600 if (ret == 0) {
3601 tsec->sid = secid;
3602 tsec->create_sid = 0;
3603 tsec->keycreate_sid = 0;
3604 tsec->sockcreate_sid = 0;
3605 }
3606 return ret;
3607 }
3608
3609 /*
3610 * set the file creation context in a security record to the same as the
3611 * objective context of the specified inode
3612 */
3613 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3614 {
3615 struct inode_security_struct *isec = inode->i_security;
3616 struct task_security_struct *tsec = new->security;
3617 u32 sid = current_sid();
3618 int ret;
3619
3620 ret = avc_has_perm(sid, isec->sid,
3621 SECCLASS_KERNEL_SERVICE,
3622 KERNEL_SERVICE__CREATE_FILES_AS,
3623 NULL);
3624
3625 if (ret == 0)
3626 tsec->create_sid = isec->sid;
3627 return ret;
3628 }
3629
3630 static int selinux_kernel_module_request(char *kmod_name)
3631 {
3632 u32 sid;
3633 struct common_audit_data ad;
3634
3635 sid = task_sid(current);
3636
3637 ad.type = LSM_AUDIT_DATA_KMOD;
3638 ad.u.kmod_name = kmod_name;
3639
3640 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3641 SYSTEM__MODULE_REQUEST, &ad);
3642 }
3643
3644 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3645 {
3646 return current_has_perm(p, PROCESS__SETPGID);
3647 }
3648
3649 static int selinux_task_getpgid(struct task_struct *p)
3650 {
3651 return current_has_perm(p, PROCESS__GETPGID);
3652 }
3653
3654 static int selinux_task_getsid(struct task_struct *p)
3655 {
3656 return current_has_perm(p, PROCESS__GETSESSION);
3657 }
3658
3659 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3660 {
3661 *secid = task_sid(p);
3662 }
3663
3664 static int selinux_task_setnice(struct task_struct *p, int nice)
3665 {
3666 return current_has_perm(p, PROCESS__SETSCHED);
3667 }
3668
3669 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3670 {
3671 return current_has_perm(p, PROCESS__SETSCHED);
3672 }
3673
3674 static int selinux_task_getioprio(struct task_struct *p)
3675 {
3676 return current_has_perm(p, PROCESS__GETSCHED);
3677 }
3678
3679 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3680 struct rlimit *new_rlim)
3681 {
3682 struct rlimit *old_rlim = p->signal->rlim + resource;
3683
3684 /* Control the ability to change the hard limit (whether
3685 lowering or raising it), so that the hard limit can
3686 later be used as a safe reset point for the soft limit
3687 upon context transitions. See selinux_bprm_committing_creds. */
3688 if (old_rlim->rlim_max != new_rlim->rlim_max)
3689 return current_has_perm(p, PROCESS__SETRLIMIT);
3690
3691 return 0;
3692 }
3693
3694 static int selinux_task_setscheduler(struct task_struct *p)
3695 {
3696 return current_has_perm(p, PROCESS__SETSCHED);
3697 }
3698
3699 static int selinux_task_getscheduler(struct task_struct *p)
3700 {
3701 return current_has_perm(p, PROCESS__GETSCHED);
3702 }
3703
3704 static int selinux_task_movememory(struct task_struct *p)
3705 {
3706 return current_has_perm(p, PROCESS__SETSCHED);
3707 }
3708
3709 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3710 int sig, u32 secid)
3711 {
3712 u32 perm;
3713 int rc;
3714
3715 if (!sig)
3716 perm = PROCESS__SIGNULL; /* null signal; existence test */
3717 else
3718 perm = signal_to_av(sig);
3719 if (secid)
3720 rc = avc_has_perm(secid, task_sid(p),
3721 SECCLASS_PROCESS, perm, NULL);
3722 else
3723 rc = current_has_perm(p, perm);
3724 return rc;
3725 }
3726
3727 static int selinux_task_wait(struct task_struct *p)
3728 {
3729 return task_has_perm(p, current, PROCESS__SIGCHLD);
3730 }
3731
3732 static void selinux_task_to_inode(struct task_struct *p,
3733 struct inode *inode)
3734 {
3735 struct inode_security_struct *isec = inode->i_security;
3736 u32 sid = task_sid(p);
3737
3738 isec->sid = sid;
3739 isec->initialized = 1;
3740 }
3741
3742 /* Returns error only if unable to parse addresses */
3743 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3744 struct common_audit_data *ad, u8 *proto)
3745 {
3746 int offset, ihlen, ret = -EINVAL;
3747 struct iphdr _iph, *ih;
3748
3749 offset = skb_network_offset(skb);
3750 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3751 if (ih == NULL)
3752 goto out;
3753
3754 ihlen = ih->ihl * 4;
3755 if (ihlen < sizeof(_iph))
3756 goto out;
3757
3758 ad->u.net->v4info.saddr = ih->saddr;
3759 ad->u.net->v4info.daddr = ih->daddr;
3760 ret = 0;
3761
3762 if (proto)
3763 *proto = ih->protocol;
3764
3765 switch (ih->protocol) {
3766 case IPPROTO_TCP: {
3767 struct tcphdr _tcph, *th;
3768
3769 if (ntohs(ih->frag_off) & IP_OFFSET)
3770 break;
3771
3772 offset += ihlen;
3773 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3774 if (th == NULL)
3775 break;
3776
3777 ad->u.net->sport = th->source;
3778 ad->u.net->dport = th->dest;
3779 break;
3780 }
3781
3782 case IPPROTO_UDP: {
3783 struct udphdr _udph, *uh;
3784
3785 if (ntohs(ih->frag_off) & IP_OFFSET)
3786 break;
3787
3788 offset += ihlen;
3789 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3790 if (uh == NULL)
3791 break;
3792
3793 ad->u.net->sport = uh->source;
3794 ad->u.net->dport = uh->dest;
3795 break;
3796 }
3797
3798 case IPPROTO_DCCP: {
3799 struct dccp_hdr _dccph, *dh;
3800
3801 if (ntohs(ih->frag_off) & IP_OFFSET)
3802 break;
3803
3804 offset += ihlen;
3805 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3806 if (dh == NULL)
3807 break;
3808
3809 ad->u.net->sport = dh->dccph_sport;
3810 ad->u.net->dport = dh->dccph_dport;
3811 break;
3812 }
3813
3814 default:
3815 break;
3816 }
3817 out:
3818 return ret;
3819 }
3820
3821 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3822
3823 /* Returns error only if unable to parse addresses */
3824 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3825 struct common_audit_data *ad, u8 *proto)
3826 {
3827 u8 nexthdr;
3828 int ret = -EINVAL, offset;
3829 struct ipv6hdr _ipv6h, *ip6;
3830 __be16 frag_off;
3831
3832 offset = skb_network_offset(skb);
3833 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3834 if (ip6 == NULL)
3835 goto out;
3836
3837 ad->u.net->v6info.saddr = ip6->saddr;
3838 ad->u.net->v6info.daddr = ip6->daddr;
3839 ret = 0;
3840
3841 nexthdr = ip6->nexthdr;
3842 offset += sizeof(_ipv6h);
3843 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3844 if (offset < 0)
3845 goto out;
3846
3847 if (proto)
3848 *proto = nexthdr;
3849
3850 switch (nexthdr) {
3851 case IPPROTO_TCP: {
3852 struct tcphdr _tcph, *th;
3853
3854 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3855 if (th == NULL)
3856 break;
3857
3858 ad->u.net->sport = th->source;
3859 ad->u.net->dport = th->dest;
3860 break;
3861 }
3862
3863 case IPPROTO_UDP: {
3864 struct udphdr _udph, *uh;
3865
3866 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3867 if (uh == NULL)
3868 break;
3869
3870 ad->u.net->sport = uh->source;
3871 ad->u.net->dport = uh->dest;
3872 break;
3873 }
3874
3875 case IPPROTO_DCCP: {
3876 struct dccp_hdr _dccph, *dh;
3877
3878 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3879 if (dh == NULL)
3880 break;
3881
3882 ad->u.net->sport = dh->dccph_sport;
3883 ad->u.net->dport = dh->dccph_dport;
3884 break;
3885 }
3886
3887 /* includes fragments */
3888 default:
3889 break;
3890 }
3891 out:
3892 return ret;
3893 }
3894
3895 #endif /* IPV6 */
3896
3897 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3898 char **_addrp, int src, u8 *proto)
3899 {
3900 char *addrp;
3901 int ret;
3902
3903 switch (ad->u.net->family) {
3904 case PF_INET:
3905 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3906 if (ret)
3907 goto parse_error;
3908 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3909 &ad->u.net->v4info.daddr);
3910 goto okay;
3911
3912 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3913 case PF_INET6:
3914 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3915 if (ret)
3916 goto parse_error;
3917 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3918 &ad->u.net->v6info.daddr);
3919 goto okay;
3920 #endif /* IPV6 */
3921 default:
3922 addrp = NULL;
3923 goto okay;
3924 }
3925
3926 parse_error:
3927 printk(KERN_WARNING
3928 "SELinux: failure in selinux_parse_skb(),"
3929 " unable to parse packet\n");
3930 return ret;
3931
3932 okay:
3933 if (_addrp)
3934 *_addrp = addrp;
3935 return 0;
3936 }
3937
3938 /**
3939 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3940 * @skb: the packet
3941 * @family: protocol family
3942 * @sid: the packet's peer label SID
3943 *
3944 * Description:
3945 * Check the various different forms of network peer labeling and determine
3946 * the peer label/SID for the packet; most of the magic actually occurs in
3947 * the security server function security_net_peersid_cmp(). The function
3948 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3949 * or -EACCES if @sid is invalid due to inconsistencies with the different
3950 * peer labels.
3951 *
3952 */
3953 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3954 {
3955 int err;
3956 u32 xfrm_sid;
3957 u32 nlbl_sid;
3958 u32 nlbl_type;
3959
3960 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3961 if (unlikely(err))
3962 return -EACCES;
3963 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3964 if (unlikely(err))
3965 return -EACCES;
3966
3967 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3968 if (unlikely(err)) {
3969 printk(KERN_WARNING
3970 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3971 " unable to determine packet's peer label\n");
3972 return -EACCES;
3973 }
3974
3975 return 0;
3976 }
3977
3978 /**
3979 * selinux_conn_sid - Determine the child socket label for a connection
3980 * @sk_sid: the parent socket's SID
3981 * @skb_sid: the packet's SID
3982 * @conn_sid: the resulting connection SID
3983 *
3984 * If @skb_sid is valid then the user:role:type information from @sk_sid is
3985 * combined with the MLS information from @skb_sid in order to create
3986 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
3987 * of @sk_sid. Returns zero on success, negative values on failure.
3988 *
3989 */
3990 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3991 {
3992 int err = 0;
3993
3994 if (skb_sid != SECSID_NULL)
3995 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3996 else
3997 *conn_sid = sk_sid;
3998
3999 return err;
4000 }
4001
4002 /* socket security operations */
4003
4004 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4005 u16 secclass, u32 *socksid)
4006 {
4007 if (tsec->sockcreate_sid > SECSID_NULL) {
4008 *socksid = tsec->sockcreate_sid;
4009 return 0;
4010 }
4011
4012 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4013 socksid);
4014 }
4015
4016 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4017 {
4018 struct sk_security_struct *sksec = sk->sk_security;
4019 struct common_audit_data ad;
4020 struct lsm_network_audit net = {0,};
4021 u32 tsid = task_sid(task);
4022
4023 if (!sksec)
4024 return -EFAULT;
4025 if (sksec->sid == SECINITSID_KERNEL)
4026 return 0;
4027
4028 ad.type = LSM_AUDIT_DATA_NET;
4029 ad.u.net = &net;
4030 ad.u.net->sk = sk;
4031
4032 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4033 }
4034
4035 static int selinux_socket_create(int family, int type,
4036 int protocol, int kern)
4037 {
4038 const struct task_security_struct *tsec = current_security();
4039 u32 newsid;
4040 u16 secclass;
4041 int rc;
4042
4043 if (kern)
4044 return 0;
4045
4046 secclass = socket_type_to_security_class(family, type, protocol);
4047 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4048 if (rc)
4049 return rc;
4050
4051 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4052 }
4053
4054 static int selinux_socket_post_create(struct socket *sock, int family,
4055 int type, int protocol, int kern)
4056 {
4057 const struct task_security_struct *tsec = current_security();
4058 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4059 struct sk_security_struct *sksec;
4060 int err = 0;
4061
4062 isec->sclass = socket_type_to_security_class(family, type, protocol);
4063
4064 if (kern)
4065 isec->sid = SECINITSID_KERNEL;
4066 else {
4067 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4068 if (err)
4069 return err;
4070 }
4071
4072 isec->initialized = 1;
4073
4074 if (sock->sk) {
4075 sksec = sock->sk->sk_security;
4076 sksec->sid = isec->sid;
4077 sksec->sclass = isec->sclass;
4078 err = selinux_netlbl_socket_post_create(sock->sk, family);
4079 }
4080
4081 return err;
4082 }
4083
4084 /* Range of port numbers used to automatically bind.
4085 Need to determine whether we should perform a name_bind
4086 permission check between the socket and the port number. */
4087
4088 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4089 {
4090 struct sock *sk = sock->sk;
4091 u16 family;
4092 int err;
4093
4094 err = sock_has_perm(current, sk, SOCKET__BIND);
4095 if (err)
4096 goto out;
4097
4098 /*
4099 * If PF_INET or PF_INET6, check name_bind permission for the port.
4100 * Multiple address binding for SCTP is not supported yet: we just
4101 * check the first address now.
4102 */
4103 family = sk->sk_family;
4104 if (family == PF_INET || family == PF_INET6) {
4105 char *addrp;
4106 struct sk_security_struct *sksec = sk->sk_security;
4107 struct common_audit_data ad;
4108 struct lsm_network_audit net = {0,};
4109 struct sockaddr_in *addr4 = NULL;
4110 struct sockaddr_in6 *addr6 = NULL;
4111 unsigned short snum;
4112 u32 sid, node_perm;
4113
4114 if (family == PF_INET) {
4115 if (addrlen < sizeof(struct sockaddr_in)) {
4116 err = -EINVAL;
4117 goto out;
4118 }
4119 addr4 = (struct sockaddr_in *)address;
4120 snum = ntohs(addr4->sin_port);
4121 addrp = (char *)&addr4->sin_addr.s_addr;
4122 } else {
4123 if (addrlen < SIN6_LEN_RFC2133) {
4124 err = -EINVAL;
4125 goto out;
4126 }
4127 addr6 = (struct sockaddr_in6 *)address;
4128 snum = ntohs(addr6->sin6_port);
4129 addrp = (char *)&addr6->sin6_addr.s6_addr;
4130 }
4131
4132 if (snum) {
4133 int low, high;
4134
4135 inet_get_local_port_range(sock_net(sk), &low, &high);
4136
4137 if (snum < max(PROT_SOCK, low) || snum > high) {
4138 err = sel_netport_sid(sk->sk_protocol,
4139 snum, &sid);
4140 if (err)
4141 goto out;
4142 ad.type = LSM_AUDIT_DATA_NET;
4143 ad.u.net = &net;
4144 ad.u.net->sport = htons(snum);
4145 ad.u.net->family = family;
4146 err = avc_has_perm(sksec->sid, sid,
4147 sksec->sclass,
4148 SOCKET__NAME_BIND, &ad);
4149 if (err)
4150 goto out;
4151 }
4152 }
4153
4154 switch (sksec->sclass) {
4155 case SECCLASS_TCP_SOCKET:
4156 node_perm = TCP_SOCKET__NODE_BIND;
4157 break;
4158
4159 case SECCLASS_UDP_SOCKET:
4160 node_perm = UDP_SOCKET__NODE_BIND;
4161 break;
4162
4163 case SECCLASS_DCCP_SOCKET:
4164 node_perm = DCCP_SOCKET__NODE_BIND;
4165 break;
4166
4167 default:
4168 node_perm = RAWIP_SOCKET__NODE_BIND;
4169 break;
4170 }
4171
4172 err = sel_netnode_sid(addrp, family, &sid);
4173 if (err)
4174 goto out;
4175
4176 ad.type = LSM_AUDIT_DATA_NET;
4177 ad.u.net = &net;
4178 ad.u.net->sport = htons(snum);
4179 ad.u.net->family = family;
4180
4181 if (family == PF_INET)
4182 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4183 else
4184 ad.u.net->v6info.saddr = addr6->sin6_addr;
4185
4186 err = avc_has_perm(sksec->sid, sid,
4187 sksec->sclass, node_perm, &ad);
4188 if (err)
4189 goto out;
4190 }
4191 out:
4192 return err;
4193 }
4194
4195 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4196 {
4197 struct sock *sk = sock->sk;
4198 struct sk_security_struct *sksec = sk->sk_security;
4199 int err;
4200
4201 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4202 if (err)
4203 return err;
4204
4205 /*
4206 * If a TCP or DCCP socket, check name_connect permission for the port.
4207 */
4208 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4209 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4210 struct common_audit_data ad;
4211 struct lsm_network_audit net = {0,};
4212 struct sockaddr_in *addr4 = NULL;
4213 struct sockaddr_in6 *addr6 = NULL;
4214 unsigned short snum;
4215 u32 sid, perm;
4216
4217 if (sk->sk_family == PF_INET) {
4218 addr4 = (struct sockaddr_in *)address;
4219 if (addrlen < sizeof(struct sockaddr_in))
4220 return -EINVAL;
4221 snum = ntohs(addr4->sin_port);
4222 } else {
4223 addr6 = (struct sockaddr_in6 *)address;
4224 if (addrlen < SIN6_LEN_RFC2133)
4225 return -EINVAL;
4226 snum = ntohs(addr6->sin6_port);
4227 }
4228
4229 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4230 if (err)
4231 goto out;
4232
4233 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4234 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4235
4236 ad.type = LSM_AUDIT_DATA_NET;
4237 ad.u.net = &net;
4238 ad.u.net->dport = htons(snum);
4239 ad.u.net->family = sk->sk_family;
4240 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4241 if (err)
4242 goto out;
4243 }
4244
4245 err = selinux_netlbl_socket_connect(sk, address);
4246
4247 out:
4248 return err;
4249 }
4250
4251 static int selinux_socket_listen(struct socket *sock, int backlog)
4252 {
4253 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4254 }
4255
4256 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4257 {
4258 int err;
4259 struct inode_security_struct *isec;
4260 struct inode_security_struct *newisec;
4261
4262 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4263 if (err)
4264 return err;
4265
4266 newisec = SOCK_INODE(newsock)->i_security;
4267
4268 isec = SOCK_INODE(sock)->i_security;
4269 newisec->sclass = isec->sclass;
4270 newisec->sid = isec->sid;
4271 newisec->initialized = 1;
4272
4273 return 0;
4274 }
4275
4276 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4277 int size)
4278 {
4279 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4280 }
4281
4282 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4283 int size, int flags)
4284 {
4285 return sock_has_perm(current, sock->sk, SOCKET__READ);
4286 }
4287
4288 static int selinux_socket_getsockname(struct socket *sock)
4289 {
4290 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4291 }
4292
4293 static int selinux_socket_getpeername(struct socket *sock)
4294 {
4295 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4296 }
4297
4298 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4299 {
4300 int err;
4301
4302 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4303 if (err)
4304 return err;
4305
4306 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4307 }
4308
4309 static int selinux_socket_getsockopt(struct socket *sock, int level,
4310 int optname)
4311 {
4312 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4313 }
4314
4315 static int selinux_socket_shutdown(struct socket *sock, int how)
4316 {
4317 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4318 }
4319
4320 static int selinux_socket_unix_stream_connect(struct sock *sock,
4321 struct sock *other,
4322 struct sock *newsk)
4323 {
4324 struct sk_security_struct *sksec_sock = sock->sk_security;
4325 struct sk_security_struct *sksec_other = other->sk_security;
4326 struct sk_security_struct *sksec_new = newsk->sk_security;
4327 struct common_audit_data ad;
4328 struct lsm_network_audit net = {0,};
4329 int err;
4330
4331 ad.type = LSM_AUDIT_DATA_NET;
4332 ad.u.net = &net;
4333 ad.u.net->sk = other;
4334
4335 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4336 sksec_other->sclass,
4337 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4338 if (err)
4339 return err;
4340
4341 /* server child socket */
4342 sksec_new->peer_sid = sksec_sock->sid;
4343 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4344 &sksec_new->sid);
4345 if (err)
4346 return err;
4347
4348 /* connecting socket */
4349 sksec_sock->peer_sid = sksec_new->sid;
4350
4351 return 0;
4352 }
4353
4354 static int selinux_socket_unix_may_send(struct socket *sock,
4355 struct socket *other)
4356 {
4357 struct sk_security_struct *ssec = sock->sk->sk_security;
4358 struct sk_security_struct *osec = other->sk->sk_security;
4359 struct common_audit_data ad;
4360 struct lsm_network_audit net = {0,};
4361
4362 ad.type = LSM_AUDIT_DATA_NET;
4363 ad.u.net = &net;
4364 ad.u.net->sk = other->sk;
4365
4366 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4367 &ad);
4368 }
4369
4370 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4371 char *addrp, u16 family, u32 peer_sid,
4372 struct common_audit_data *ad)
4373 {
4374 int err;
4375 u32 if_sid;
4376 u32 node_sid;
4377
4378 err = sel_netif_sid(ns, ifindex, &if_sid);
4379 if (err)
4380 return err;
4381 err = avc_has_perm(peer_sid, if_sid,
4382 SECCLASS_NETIF, NETIF__INGRESS, ad);
4383 if (err)
4384 return err;
4385
4386 err = sel_netnode_sid(addrp, family, &node_sid);
4387 if (err)
4388 return err;
4389 return avc_has_perm(peer_sid, node_sid,
4390 SECCLASS_NODE, NODE__RECVFROM, ad);
4391 }
4392
4393 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4394 u16 family)
4395 {
4396 int err = 0;
4397 struct sk_security_struct *sksec = sk->sk_security;
4398 u32 sk_sid = sksec->sid;
4399 struct common_audit_data ad;
4400 struct lsm_network_audit net = {0,};
4401 char *addrp;
4402
4403 ad.type = LSM_AUDIT_DATA_NET;
4404 ad.u.net = &net;
4405 ad.u.net->netif = skb->skb_iif;
4406 ad.u.net->family = family;
4407 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4408 if (err)
4409 return err;
4410
4411 if (selinux_secmark_enabled()) {
4412 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4413 PACKET__RECV, &ad);
4414 if (err)
4415 return err;
4416 }
4417
4418 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4419 if (err)
4420 return err;
4421 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4422
4423 return err;
4424 }
4425
4426 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4427 {
4428 int err;
4429 struct sk_security_struct *sksec = sk->sk_security;
4430 u16 family = sk->sk_family;
4431 u32 sk_sid = sksec->sid;
4432 struct common_audit_data ad;
4433 struct lsm_network_audit net = {0,};
4434 char *addrp;
4435 u8 secmark_active;
4436 u8 peerlbl_active;
4437
4438 if (family != PF_INET && family != PF_INET6)
4439 return 0;
4440
4441 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4442 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4443 family = PF_INET;
4444
4445 /* If any sort of compatibility mode is enabled then handoff processing
4446 * to the selinux_sock_rcv_skb_compat() function to deal with the
4447 * special handling. We do this in an attempt to keep this function
4448 * as fast and as clean as possible. */
4449 if (!selinux_policycap_netpeer)
4450 return selinux_sock_rcv_skb_compat(sk, skb, family);
4451
4452 secmark_active = selinux_secmark_enabled();
4453 peerlbl_active = selinux_peerlbl_enabled();
4454 if (!secmark_active && !peerlbl_active)
4455 return 0;
4456
4457 ad.type = LSM_AUDIT_DATA_NET;
4458 ad.u.net = &net;
4459 ad.u.net->netif = skb->skb_iif;
4460 ad.u.net->family = family;
4461 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4462 if (err)
4463 return err;
4464
4465 if (peerlbl_active) {
4466 u32 peer_sid;
4467
4468 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4469 if (err)
4470 return err;
4471 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4472 addrp, family, peer_sid, &ad);
4473 if (err) {
4474 selinux_netlbl_err(skb, err, 0);
4475 return err;
4476 }
4477 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4478 PEER__RECV, &ad);
4479 if (err) {
4480 selinux_netlbl_err(skb, err, 0);
4481 return err;
4482 }
4483 }
4484
4485 if (secmark_active) {
4486 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4487 PACKET__RECV, &ad);
4488 if (err)
4489 return err;
4490 }
4491
4492 return err;
4493 }
4494
4495 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4496 int __user *optlen, unsigned len)
4497 {
4498 int err = 0;
4499 char *scontext;
4500 u32 scontext_len;
4501 struct sk_security_struct *sksec = sock->sk->sk_security;
4502 u32 peer_sid = SECSID_NULL;
4503
4504 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4505 sksec->sclass == SECCLASS_TCP_SOCKET)
4506 peer_sid = sksec->peer_sid;
4507 if (peer_sid == SECSID_NULL)
4508 return -ENOPROTOOPT;
4509
4510 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4511 if (err)
4512 return err;
4513
4514 if (scontext_len > len) {
4515 err = -ERANGE;
4516 goto out_len;
4517 }
4518
4519 if (copy_to_user(optval, scontext, scontext_len))
4520 err = -EFAULT;
4521
4522 out_len:
4523 if (put_user(scontext_len, optlen))
4524 err = -EFAULT;
4525 kfree(scontext);
4526 return err;
4527 }
4528
4529 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4530 {
4531 u32 peer_secid = SECSID_NULL;
4532 u16 family;
4533
4534 if (skb && skb->protocol == htons(ETH_P_IP))
4535 family = PF_INET;
4536 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4537 family = PF_INET6;
4538 else if (sock)
4539 family = sock->sk->sk_family;
4540 else
4541 goto out;
4542
4543 if (sock && family == PF_UNIX)
4544 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4545 else if (skb)
4546 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4547
4548 out:
4549 *secid = peer_secid;
4550 if (peer_secid == SECSID_NULL)
4551 return -EINVAL;
4552 return 0;
4553 }
4554
4555 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4556 {
4557 struct sk_security_struct *sksec;
4558
4559 sksec = kzalloc(sizeof(*sksec), priority);
4560 if (!sksec)
4561 return -ENOMEM;
4562
4563 sksec->peer_sid = SECINITSID_UNLABELED;
4564 sksec->sid = SECINITSID_UNLABELED;
4565 sksec->sclass = SECCLASS_SOCKET;
4566 selinux_netlbl_sk_security_reset(sksec);
4567 sk->sk_security = sksec;
4568
4569 return 0;
4570 }
4571
4572 static void selinux_sk_free_security(struct sock *sk)
4573 {
4574 struct sk_security_struct *sksec = sk->sk_security;
4575
4576 sk->sk_security = NULL;
4577 selinux_netlbl_sk_security_free(sksec);
4578 kfree(sksec);
4579 }
4580
4581 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4582 {
4583 struct sk_security_struct *sksec = sk->sk_security;
4584 struct sk_security_struct *newsksec = newsk->sk_security;
4585
4586 newsksec->sid = sksec->sid;
4587 newsksec->peer_sid = sksec->peer_sid;
4588 newsksec->sclass = sksec->sclass;
4589
4590 selinux_netlbl_sk_security_reset(newsksec);
4591 }
4592
4593 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4594 {
4595 if (!sk)
4596 *secid = SECINITSID_ANY_SOCKET;
4597 else {
4598 struct sk_security_struct *sksec = sk->sk_security;
4599
4600 *secid = sksec->sid;
4601 }
4602 }
4603
4604 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4605 {
4606 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4607 struct sk_security_struct *sksec = sk->sk_security;
4608
4609 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4610 sk->sk_family == PF_UNIX)
4611 isec->sid = sksec->sid;
4612 sksec->sclass = isec->sclass;
4613 }
4614
4615 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4616 struct request_sock *req)
4617 {
4618 struct sk_security_struct *sksec = sk->sk_security;
4619 int err;
4620 u16 family = req->rsk_ops->family;
4621 u32 connsid;
4622 u32 peersid;
4623
4624 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4625 if (err)
4626 return err;
4627 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4628 if (err)
4629 return err;
4630 req->secid = connsid;
4631 req->peer_secid = peersid;
4632
4633 return selinux_netlbl_inet_conn_request(req, family);
4634 }
4635
4636 static void selinux_inet_csk_clone(struct sock *newsk,
4637 const struct request_sock *req)
4638 {
4639 struct sk_security_struct *newsksec = newsk->sk_security;
4640
4641 newsksec->sid = req->secid;
4642 newsksec->peer_sid = req->peer_secid;
4643 /* NOTE: Ideally, we should also get the isec->sid for the
4644 new socket in sync, but we don't have the isec available yet.
4645 So we will wait until sock_graft to do it, by which
4646 time it will have been created and available. */
4647
4648 /* We don't need to take any sort of lock here as we are the only
4649 * thread with access to newsksec */
4650 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4651 }
4652
4653 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4654 {
4655 u16 family = sk->sk_family;
4656 struct sk_security_struct *sksec = sk->sk_security;
4657
4658 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4659 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4660 family = PF_INET;
4661
4662 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4663 }
4664
4665 static int selinux_secmark_relabel_packet(u32 sid)
4666 {
4667 const struct task_security_struct *__tsec;
4668 u32 tsid;
4669
4670 __tsec = current_security();
4671 tsid = __tsec->sid;
4672
4673 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4674 }
4675
4676 static void selinux_secmark_refcount_inc(void)
4677 {
4678 atomic_inc(&selinux_secmark_refcount);
4679 }
4680
4681 static void selinux_secmark_refcount_dec(void)
4682 {
4683 atomic_dec(&selinux_secmark_refcount);
4684 }
4685
4686 static void selinux_req_classify_flow(const struct request_sock *req,
4687 struct flowi *fl)
4688 {
4689 fl->flowi_secid = req->secid;
4690 }
4691
4692 static int selinux_tun_dev_alloc_security(void **security)
4693 {
4694 struct tun_security_struct *tunsec;
4695
4696 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4697 if (!tunsec)
4698 return -ENOMEM;
4699 tunsec->sid = current_sid();
4700
4701 *security = tunsec;
4702 return 0;
4703 }
4704
4705 static void selinux_tun_dev_free_security(void *security)
4706 {
4707 kfree(security);
4708 }
4709
4710 static int selinux_tun_dev_create(void)
4711 {
4712 u32 sid = current_sid();
4713
4714 /* we aren't taking into account the "sockcreate" SID since the socket
4715 * that is being created here is not a socket in the traditional sense,
4716 * instead it is a private sock, accessible only to the kernel, and
4717 * representing a wide range of network traffic spanning multiple
4718 * connections unlike traditional sockets - check the TUN driver to
4719 * get a better understanding of why this socket is special */
4720
4721 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4722 NULL);
4723 }
4724
4725 static int selinux_tun_dev_attach_queue(void *security)
4726 {
4727 struct tun_security_struct *tunsec = security;
4728
4729 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4730 TUN_SOCKET__ATTACH_QUEUE, NULL);
4731 }
4732
4733 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4734 {
4735 struct tun_security_struct *tunsec = security;
4736 struct sk_security_struct *sksec = sk->sk_security;
4737
4738 /* we don't currently perform any NetLabel based labeling here and it
4739 * isn't clear that we would want to do so anyway; while we could apply
4740 * labeling without the support of the TUN user the resulting labeled
4741 * traffic from the other end of the connection would almost certainly
4742 * cause confusion to the TUN user that had no idea network labeling
4743 * protocols were being used */
4744
4745 sksec->sid = tunsec->sid;
4746 sksec->sclass = SECCLASS_TUN_SOCKET;
4747
4748 return 0;
4749 }
4750
4751 static int selinux_tun_dev_open(void *security)
4752 {
4753 struct tun_security_struct *tunsec = security;
4754 u32 sid = current_sid();
4755 int err;
4756
4757 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4758 TUN_SOCKET__RELABELFROM, NULL);
4759 if (err)
4760 return err;
4761 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4762 TUN_SOCKET__RELABELTO, NULL);
4763 if (err)
4764 return err;
4765 tunsec->sid = sid;
4766
4767 return 0;
4768 }
4769
4770 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4771 {
4772 int err = 0;
4773 u32 perm;
4774 struct nlmsghdr *nlh;
4775 struct sk_security_struct *sksec = sk->sk_security;
4776
4777 if (skb->len < NLMSG_HDRLEN) {
4778 err = -EINVAL;
4779 goto out;
4780 }
4781 nlh = nlmsg_hdr(skb);
4782
4783 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4784 if (err) {
4785 if (err == -EINVAL) {
4786 printk(KERN_WARNING
4787 "SELinux: unrecognized netlink message:"
4788 " protocol=%hu nlmsg_type=%hu sclass=%s\n",
4789 sk->sk_protocol, nlh->nlmsg_type,
4790 secclass_map[sksec->sclass - 1].name);
4791 if (!selinux_enforcing || security_get_allow_unknown())
4792 err = 0;
4793 }
4794
4795 /* Ignore */
4796 if (err == -ENOENT)
4797 err = 0;
4798 goto out;
4799 }
4800
4801 err = sock_has_perm(current, sk, perm);
4802 out:
4803 return err;
4804 }
4805
4806 #ifdef CONFIG_NETFILTER
4807
4808 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4809 const struct net_device *indev,
4810 u16 family)
4811 {
4812 int err;
4813 char *addrp;
4814 u32 peer_sid;
4815 struct common_audit_data ad;
4816 struct lsm_network_audit net = {0,};
4817 u8 secmark_active;
4818 u8 netlbl_active;
4819 u8 peerlbl_active;
4820
4821 if (!selinux_policycap_netpeer)
4822 return NF_ACCEPT;
4823
4824 secmark_active = selinux_secmark_enabled();
4825 netlbl_active = netlbl_enabled();
4826 peerlbl_active = selinux_peerlbl_enabled();
4827 if (!secmark_active && !peerlbl_active)
4828 return NF_ACCEPT;
4829
4830 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4831 return NF_DROP;
4832
4833 ad.type = LSM_AUDIT_DATA_NET;
4834 ad.u.net = &net;
4835 ad.u.net->netif = indev->ifindex;
4836 ad.u.net->family = family;
4837 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4838 return NF_DROP;
4839
4840 if (peerlbl_active) {
4841 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4842 addrp, family, peer_sid, &ad);
4843 if (err) {
4844 selinux_netlbl_err(skb, err, 1);
4845 return NF_DROP;
4846 }
4847 }
4848
4849 if (secmark_active)
4850 if (avc_has_perm(peer_sid, skb->secmark,
4851 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4852 return NF_DROP;
4853
4854 if (netlbl_active)
4855 /* we do this in the FORWARD path and not the POST_ROUTING
4856 * path because we want to make sure we apply the necessary
4857 * labeling before IPsec is applied so we can leverage AH
4858 * protection */
4859 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4860 return NF_DROP;
4861
4862 return NF_ACCEPT;
4863 }
4864
4865 static unsigned int selinux_ipv4_forward(void *priv,
4866 struct sk_buff *skb,
4867 const struct nf_hook_state *state)
4868 {
4869 return selinux_ip_forward(skb, state->in, PF_INET);
4870 }
4871
4872 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4873 static unsigned int selinux_ipv6_forward(void *priv,
4874 struct sk_buff *skb,
4875 const struct nf_hook_state *state)
4876 {
4877 return selinux_ip_forward(skb, state->in, PF_INET6);
4878 }
4879 #endif /* IPV6 */
4880
4881 static unsigned int selinux_ip_output(struct sk_buff *skb,
4882 u16 family)
4883 {
4884 struct sock *sk;
4885 u32 sid;
4886
4887 if (!netlbl_enabled())
4888 return NF_ACCEPT;
4889
4890 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4891 * because we want to make sure we apply the necessary labeling
4892 * before IPsec is applied so we can leverage AH protection */
4893 sk = skb->sk;
4894 if (sk) {
4895 struct sk_security_struct *sksec;
4896
4897 if (sk_listener(sk))
4898 /* if the socket is the listening state then this
4899 * packet is a SYN-ACK packet which means it needs to
4900 * be labeled based on the connection/request_sock and
4901 * not the parent socket. unfortunately, we can't
4902 * lookup the request_sock yet as it isn't queued on
4903 * the parent socket until after the SYN-ACK is sent.
4904 * the "solution" is to simply pass the packet as-is
4905 * as any IP option based labeling should be copied
4906 * from the initial connection request (in the IP
4907 * layer). it is far from ideal, but until we get a
4908 * security label in the packet itself this is the
4909 * best we can do. */
4910 return NF_ACCEPT;
4911
4912 /* standard practice, label using the parent socket */
4913 sksec = sk->sk_security;
4914 sid = sksec->sid;
4915 } else
4916 sid = SECINITSID_KERNEL;
4917 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4918 return NF_DROP;
4919
4920 return NF_ACCEPT;
4921 }
4922
4923 static unsigned int selinux_ipv4_output(void *priv,
4924 struct sk_buff *skb,
4925 const struct nf_hook_state *state)
4926 {
4927 return selinux_ip_output(skb, PF_INET);
4928 }
4929
4930 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4931 int ifindex,
4932 u16 family)
4933 {
4934 struct sock *sk = skb_to_full_sk(skb);
4935 struct sk_security_struct *sksec;
4936 struct common_audit_data ad;
4937 struct lsm_network_audit net = {0,};
4938 char *addrp;
4939 u8 proto;
4940
4941 if (sk == NULL)
4942 return NF_ACCEPT;
4943 sksec = sk->sk_security;
4944
4945 ad.type = LSM_AUDIT_DATA_NET;
4946 ad.u.net = &net;
4947 ad.u.net->netif = ifindex;
4948 ad.u.net->family = family;
4949 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4950 return NF_DROP;
4951
4952 if (selinux_secmark_enabled())
4953 if (avc_has_perm(sksec->sid, skb->secmark,
4954 SECCLASS_PACKET, PACKET__SEND, &ad))
4955 return NF_DROP_ERR(-ECONNREFUSED);
4956
4957 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4958 return NF_DROP_ERR(-ECONNREFUSED);
4959
4960 return NF_ACCEPT;
4961 }
4962
4963 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4964 const struct net_device *outdev,
4965 u16 family)
4966 {
4967 u32 secmark_perm;
4968 u32 peer_sid;
4969 int ifindex = outdev->ifindex;
4970 struct sock *sk;
4971 struct common_audit_data ad;
4972 struct lsm_network_audit net = {0,};
4973 char *addrp;
4974 u8 secmark_active;
4975 u8 peerlbl_active;
4976
4977 /* If any sort of compatibility mode is enabled then handoff processing
4978 * to the selinux_ip_postroute_compat() function to deal with the
4979 * special handling. We do this in an attempt to keep this function
4980 * as fast and as clean as possible. */
4981 if (!selinux_policycap_netpeer)
4982 return selinux_ip_postroute_compat(skb, ifindex, family);
4983
4984 secmark_active = selinux_secmark_enabled();
4985 peerlbl_active = selinux_peerlbl_enabled();
4986 if (!secmark_active && !peerlbl_active)
4987 return NF_ACCEPT;
4988
4989 sk = skb_to_full_sk(skb);
4990
4991 #ifdef CONFIG_XFRM
4992 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4993 * packet transformation so allow the packet to pass without any checks
4994 * since we'll have another chance to perform access control checks
4995 * when the packet is on it's final way out.
4996 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4997 * is NULL, in this case go ahead and apply access control.
4998 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4999 * TCP listening state we cannot wait until the XFRM processing
5000 * is done as we will miss out on the SA label if we do;
5001 * unfortunately, this means more work, but it is only once per
5002 * connection. */
5003 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5004 !(sk && sk_listener(sk)))
5005 return NF_ACCEPT;
5006 #endif
5007
5008 if (sk == NULL) {
5009 /* Without an associated socket the packet is either coming
5010 * from the kernel or it is being forwarded; check the packet
5011 * to determine which and if the packet is being forwarded
5012 * query the packet directly to determine the security label. */
5013 if (skb->skb_iif) {
5014 secmark_perm = PACKET__FORWARD_OUT;
5015 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5016 return NF_DROP;
5017 } else {
5018 secmark_perm = PACKET__SEND;
5019 peer_sid = SECINITSID_KERNEL;
5020 }
5021 } else if (sk_listener(sk)) {
5022 /* Locally generated packet but the associated socket is in the
5023 * listening state which means this is a SYN-ACK packet. In
5024 * this particular case the correct security label is assigned
5025 * to the connection/request_sock but unfortunately we can't
5026 * query the request_sock as it isn't queued on the parent
5027 * socket until after the SYN-ACK packet is sent; the only
5028 * viable choice is to regenerate the label like we do in
5029 * selinux_inet_conn_request(). See also selinux_ip_output()
5030 * for similar problems. */
5031 u32 skb_sid;
5032 struct sk_security_struct *sksec;
5033
5034 sksec = sk->sk_security;
5035 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5036 return NF_DROP;
5037 /* At this point, if the returned skb peerlbl is SECSID_NULL
5038 * and the packet has been through at least one XFRM
5039 * transformation then we must be dealing with the "final"
5040 * form of labeled IPsec packet; since we've already applied
5041 * all of our access controls on this packet we can safely
5042 * pass the packet. */
5043 if (skb_sid == SECSID_NULL) {
5044 switch (family) {
5045 case PF_INET:
5046 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5047 return NF_ACCEPT;
5048 break;
5049 case PF_INET6:
5050 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5051 return NF_ACCEPT;
5052 break;
5053 default:
5054 return NF_DROP_ERR(-ECONNREFUSED);
5055 }
5056 }
5057 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5058 return NF_DROP;
5059 secmark_perm = PACKET__SEND;
5060 } else {
5061 /* Locally generated packet, fetch the security label from the
5062 * associated socket. */
5063 struct sk_security_struct *sksec = sk->sk_security;
5064 peer_sid = sksec->sid;
5065 secmark_perm = PACKET__SEND;
5066 }
5067
5068 ad.type = LSM_AUDIT_DATA_NET;
5069 ad.u.net = &net;
5070 ad.u.net->netif = ifindex;
5071 ad.u.net->family = family;
5072 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5073 return NF_DROP;
5074
5075 if (secmark_active)
5076 if (avc_has_perm(peer_sid, skb->secmark,
5077 SECCLASS_PACKET, secmark_perm, &ad))
5078 return NF_DROP_ERR(-ECONNREFUSED);
5079
5080 if (peerlbl_active) {
5081 u32 if_sid;
5082 u32 node_sid;
5083
5084 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5085 return NF_DROP;
5086 if (avc_has_perm(peer_sid, if_sid,
5087 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5088 return NF_DROP_ERR(-ECONNREFUSED);
5089
5090 if (sel_netnode_sid(addrp, family, &node_sid))
5091 return NF_DROP;
5092 if (avc_has_perm(peer_sid, node_sid,
5093 SECCLASS_NODE, NODE__SENDTO, &ad))
5094 return NF_DROP_ERR(-ECONNREFUSED);
5095 }
5096
5097 return NF_ACCEPT;
5098 }
5099
5100 static unsigned int selinux_ipv4_postroute(void *priv,
5101 struct sk_buff *skb,
5102 const struct nf_hook_state *state)
5103 {
5104 return selinux_ip_postroute(skb, state->out, PF_INET);
5105 }
5106
5107 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5108 static unsigned int selinux_ipv6_postroute(void *priv,
5109 struct sk_buff *skb,
5110 const struct nf_hook_state *state)
5111 {
5112 return selinux_ip_postroute(skb, state->out, PF_INET6);
5113 }
5114 #endif /* IPV6 */
5115
5116 #endif /* CONFIG_NETFILTER */
5117
5118 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5119 {
5120 return selinux_nlmsg_perm(sk, skb);
5121 }
5122
5123 static int ipc_alloc_security(struct task_struct *task,
5124 struct kern_ipc_perm *perm,
5125 u16 sclass)
5126 {
5127 struct ipc_security_struct *isec;
5128 u32 sid;
5129
5130 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5131 if (!isec)
5132 return -ENOMEM;
5133
5134 sid = task_sid(task);
5135 isec->sclass = sclass;
5136 isec->sid = sid;
5137 perm->security = isec;
5138
5139 return 0;
5140 }
5141
5142 static void ipc_free_security(struct kern_ipc_perm *perm)
5143 {
5144 struct ipc_security_struct *isec = perm->security;
5145 perm->security = NULL;
5146 kfree(isec);
5147 }
5148
5149 static int msg_msg_alloc_security(struct msg_msg *msg)
5150 {
5151 struct msg_security_struct *msec;
5152
5153 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5154 if (!msec)
5155 return -ENOMEM;
5156
5157 msec->sid = SECINITSID_UNLABELED;
5158 msg->security = msec;
5159
5160 return 0;
5161 }
5162
5163 static void msg_msg_free_security(struct msg_msg *msg)
5164 {
5165 struct msg_security_struct *msec = msg->security;
5166
5167 msg->security = NULL;
5168 kfree(msec);
5169 }
5170
5171 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5172 u32 perms)
5173 {
5174 struct ipc_security_struct *isec;
5175 struct common_audit_data ad;
5176 u32 sid = current_sid();
5177
5178 isec = ipc_perms->security;
5179
5180 ad.type = LSM_AUDIT_DATA_IPC;
5181 ad.u.ipc_id = ipc_perms->key;
5182
5183 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5184 }
5185
5186 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5187 {
5188 return msg_msg_alloc_security(msg);
5189 }
5190
5191 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5192 {
5193 msg_msg_free_security(msg);
5194 }
5195
5196 /* message queue security operations */
5197 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5198 {
5199 struct ipc_security_struct *isec;
5200 struct common_audit_data ad;
5201 u32 sid = current_sid();
5202 int rc;
5203
5204 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5205 if (rc)
5206 return rc;
5207
5208 isec = msq->q_perm.security;
5209
5210 ad.type = LSM_AUDIT_DATA_IPC;
5211 ad.u.ipc_id = msq->q_perm.key;
5212
5213 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5214 MSGQ__CREATE, &ad);
5215 if (rc) {
5216 ipc_free_security(&msq->q_perm);
5217 return rc;
5218 }
5219 return 0;
5220 }
5221
5222 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5223 {
5224 ipc_free_security(&msq->q_perm);
5225 }
5226
5227 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5228 {
5229 struct ipc_security_struct *isec;
5230 struct common_audit_data ad;
5231 u32 sid = current_sid();
5232
5233 isec = msq->q_perm.security;
5234
5235 ad.type = LSM_AUDIT_DATA_IPC;
5236 ad.u.ipc_id = msq->q_perm.key;
5237
5238 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5239 MSGQ__ASSOCIATE, &ad);
5240 }
5241
5242 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5243 {
5244 int err;
5245 int perms;
5246
5247 switch (cmd) {
5248 case IPC_INFO:
5249 case MSG_INFO:
5250 /* No specific object, just general system-wide information. */
5251 return task_has_system(current, SYSTEM__IPC_INFO);
5252 case IPC_STAT:
5253 case MSG_STAT:
5254 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5255 break;
5256 case IPC_SET:
5257 perms = MSGQ__SETATTR;
5258 break;
5259 case IPC_RMID:
5260 perms = MSGQ__DESTROY;
5261 break;
5262 default:
5263 return 0;
5264 }
5265
5266 err = ipc_has_perm(&msq->q_perm, perms);
5267 return err;
5268 }
5269
5270 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5271 {
5272 struct ipc_security_struct *isec;
5273 struct msg_security_struct *msec;
5274 struct common_audit_data ad;
5275 u32 sid = current_sid();
5276 int rc;
5277
5278 isec = msq->q_perm.security;
5279 msec = msg->security;
5280
5281 /*
5282 * First time through, need to assign label to the message
5283 */
5284 if (msec->sid == SECINITSID_UNLABELED) {
5285 /*
5286 * Compute new sid based on current process and
5287 * message queue this message will be stored in
5288 */
5289 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5290 NULL, &msec->sid);
5291 if (rc)
5292 return rc;
5293 }
5294
5295 ad.type = LSM_AUDIT_DATA_IPC;
5296 ad.u.ipc_id = msq->q_perm.key;
5297
5298 /* Can this process write to the queue? */
5299 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5300 MSGQ__WRITE, &ad);
5301 if (!rc)
5302 /* Can this process send the message */
5303 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5304 MSG__SEND, &ad);
5305 if (!rc)
5306 /* Can the message be put in the queue? */
5307 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5308 MSGQ__ENQUEUE, &ad);
5309
5310 return rc;
5311 }
5312
5313 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5314 struct task_struct *target,
5315 long type, int mode)
5316 {
5317 struct ipc_security_struct *isec;
5318 struct msg_security_struct *msec;
5319 struct common_audit_data ad;
5320 u32 sid = task_sid(target);
5321 int rc;
5322
5323 isec = msq->q_perm.security;
5324 msec = msg->security;
5325
5326 ad.type = LSM_AUDIT_DATA_IPC;
5327 ad.u.ipc_id = msq->q_perm.key;
5328
5329 rc = avc_has_perm(sid, isec->sid,
5330 SECCLASS_MSGQ, MSGQ__READ, &ad);
5331 if (!rc)
5332 rc = avc_has_perm(sid, msec->sid,
5333 SECCLASS_MSG, MSG__RECEIVE, &ad);
5334 return rc;
5335 }
5336
5337 /* Shared Memory security operations */
5338 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5339 {
5340 struct ipc_security_struct *isec;
5341 struct common_audit_data ad;
5342 u32 sid = current_sid();
5343 int rc;
5344
5345 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5346 if (rc)
5347 return rc;
5348
5349 isec = shp->shm_perm.security;
5350
5351 ad.type = LSM_AUDIT_DATA_IPC;
5352 ad.u.ipc_id = shp->shm_perm.key;
5353
5354 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5355 SHM__CREATE, &ad);
5356 if (rc) {
5357 ipc_free_security(&shp->shm_perm);
5358 return rc;
5359 }
5360 return 0;
5361 }
5362
5363 static void selinux_shm_free_security(struct shmid_kernel *shp)
5364 {
5365 ipc_free_security(&shp->shm_perm);
5366 }
5367
5368 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5369 {
5370 struct ipc_security_struct *isec;
5371 struct common_audit_data ad;
5372 u32 sid = current_sid();
5373
5374 isec = shp->shm_perm.security;
5375
5376 ad.type = LSM_AUDIT_DATA_IPC;
5377 ad.u.ipc_id = shp->shm_perm.key;
5378
5379 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5380 SHM__ASSOCIATE, &ad);
5381 }
5382
5383 /* Note, at this point, shp is locked down */
5384 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5385 {
5386 int perms;
5387 int err;
5388
5389 switch (cmd) {
5390 case IPC_INFO:
5391 case SHM_INFO:
5392 /* No specific object, just general system-wide information. */
5393 return task_has_system(current, SYSTEM__IPC_INFO);
5394 case IPC_STAT:
5395 case SHM_STAT:
5396 perms = SHM__GETATTR | SHM__ASSOCIATE;
5397 break;
5398 case IPC_SET:
5399 perms = SHM__SETATTR;
5400 break;
5401 case SHM_LOCK:
5402 case SHM_UNLOCK:
5403 perms = SHM__LOCK;
5404 break;
5405 case IPC_RMID:
5406 perms = SHM__DESTROY;
5407 break;
5408 default:
5409 return 0;
5410 }
5411
5412 err = ipc_has_perm(&shp->shm_perm, perms);
5413 return err;
5414 }
5415
5416 static int selinux_shm_shmat(struct shmid_kernel *shp,
5417 char __user *shmaddr, int shmflg)
5418 {
5419 u32 perms;
5420
5421 if (shmflg & SHM_RDONLY)
5422 perms = SHM__READ;
5423 else
5424 perms = SHM__READ | SHM__WRITE;
5425
5426 return ipc_has_perm(&shp->shm_perm, perms);
5427 }
5428
5429 /* Semaphore security operations */
5430 static int selinux_sem_alloc_security(struct sem_array *sma)
5431 {
5432 struct ipc_security_struct *isec;
5433 struct common_audit_data ad;
5434 u32 sid = current_sid();
5435 int rc;
5436
5437 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5438 if (rc)
5439 return rc;
5440
5441 isec = sma->sem_perm.security;
5442
5443 ad.type = LSM_AUDIT_DATA_IPC;
5444 ad.u.ipc_id = sma->sem_perm.key;
5445
5446 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5447 SEM__CREATE, &ad);
5448 if (rc) {
5449 ipc_free_security(&sma->sem_perm);
5450 return rc;
5451 }
5452 return 0;
5453 }
5454
5455 static void selinux_sem_free_security(struct sem_array *sma)
5456 {
5457 ipc_free_security(&sma->sem_perm);
5458 }
5459
5460 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5461 {
5462 struct ipc_security_struct *isec;
5463 struct common_audit_data ad;
5464 u32 sid = current_sid();
5465
5466 isec = sma->sem_perm.security;
5467
5468 ad.type = LSM_AUDIT_DATA_IPC;
5469 ad.u.ipc_id = sma->sem_perm.key;
5470
5471 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5472 SEM__ASSOCIATE, &ad);
5473 }
5474
5475 /* Note, at this point, sma is locked down */
5476 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5477 {
5478 int err;
5479 u32 perms;
5480
5481 switch (cmd) {
5482 case IPC_INFO:
5483 case SEM_INFO:
5484 /* No specific object, just general system-wide information. */
5485 return task_has_system(current, SYSTEM__IPC_INFO);
5486 case GETPID:
5487 case GETNCNT:
5488 case GETZCNT:
5489 perms = SEM__GETATTR;
5490 break;
5491 case GETVAL:
5492 case GETALL:
5493 perms = SEM__READ;
5494 break;
5495 case SETVAL:
5496 case SETALL:
5497 perms = SEM__WRITE;
5498 break;
5499 case IPC_RMID:
5500 perms = SEM__DESTROY;
5501 break;
5502 case IPC_SET:
5503 perms = SEM__SETATTR;
5504 break;
5505 case IPC_STAT:
5506 case SEM_STAT:
5507 perms = SEM__GETATTR | SEM__ASSOCIATE;
5508 break;
5509 default:
5510 return 0;
5511 }
5512
5513 err = ipc_has_perm(&sma->sem_perm, perms);
5514 return err;
5515 }
5516
5517 static int selinux_sem_semop(struct sem_array *sma,
5518 struct sembuf *sops, unsigned nsops, int alter)
5519 {
5520 u32 perms;
5521
5522 if (alter)
5523 perms = SEM__READ | SEM__WRITE;
5524 else
5525 perms = SEM__READ;
5526
5527 return ipc_has_perm(&sma->sem_perm, perms);
5528 }
5529
5530 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5531 {
5532 u32 av = 0;
5533
5534 av = 0;
5535 if (flag & S_IRUGO)
5536 av |= IPC__UNIX_READ;
5537 if (flag & S_IWUGO)
5538 av |= IPC__UNIX_WRITE;
5539
5540 if (av == 0)
5541 return 0;
5542
5543 return ipc_has_perm(ipcp, av);
5544 }
5545
5546 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5547 {
5548 struct ipc_security_struct *isec = ipcp->security;
5549 *secid = isec->sid;
5550 }
5551
5552 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5553 {
5554 if (inode)
5555 inode_doinit_with_dentry(inode, dentry);
5556 }
5557
5558 static int selinux_getprocattr(struct task_struct *p,
5559 char *name, char **value)
5560 {
5561 const struct task_security_struct *__tsec;
5562 u32 sid;
5563 int error;
5564 unsigned len;
5565
5566 if (current != p) {
5567 error = current_has_perm(p, PROCESS__GETATTR);
5568 if (error)
5569 return error;
5570 }
5571
5572 rcu_read_lock();
5573 __tsec = __task_cred(p)->security;
5574
5575 if (!strcmp(name, "current"))
5576 sid = __tsec->sid;
5577 else if (!strcmp(name, "prev"))
5578 sid = __tsec->osid;
5579 else if (!strcmp(name, "exec"))
5580 sid = __tsec->exec_sid;
5581 else if (!strcmp(name, "fscreate"))
5582 sid = __tsec->create_sid;
5583 else if (!strcmp(name, "keycreate"))
5584 sid = __tsec->keycreate_sid;
5585 else if (!strcmp(name, "sockcreate"))
5586 sid = __tsec->sockcreate_sid;
5587 else
5588 goto invalid;
5589 rcu_read_unlock();
5590
5591 if (!sid)
5592 return 0;
5593
5594 error = security_sid_to_context(sid, value, &len);
5595 if (error)
5596 return error;
5597 return len;
5598
5599 invalid:
5600 rcu_read_unlock();
5601 return -EINVAL;
5602 }
5603
5604 static int selinux_setprocattr(struct task_struct *p,
5605 char *name, void *value, size_t size)
5606 {
5607 struct task_security_struct *tsec;
5608 struct task_struct *tracer;
5609 struct cred *new;
5610 u32 sid = 0, ptsid;
5611 int error;
5612 char *str = value;
5613
5614 if (current != p) {
5615 /* SELinux only allows a process to change its own
5616 security attributes. */
5617 return -EACCES;
5618 }
5619
5620 /*
5621 * Basic control over ability to set these attributes at all.
5622 * current == p, but we'll pass them separately in case the
5623 * above restriction is ever removed.
5624 */
5625 if (!strcmp(name, "exec"))
5626 error = current_has_perm(p, PROCESS__SETEXEC);
5627 else if (!strcmp(name, "fscreate"))
5628 error = current_has_perm(p, PROCESS__SETFSCREATE);
5629 else if (!strcmp(name, "keycreate"))
5630 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5631 else if (!strcmp(name, "sockcreate"))
5632 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5633 else if (!strcmp(name, "current"))
5634 error = current_has_perm(p, PROCESS__SETCURRENT);
5635 else
5636 error = -EINVAL;
5637 if (error)
5638 return error;
5639
5640 /* Obtain a SID for the context, if one was specified. */
5641 if (size && str[0] && str[0] != '\n') {
5642 if (str[size-1] == '\n') {
5643 str[size-1] = 0;
5644 size--;
5645 }
5646 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5647 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5648 if (!capable(CAP_MAC_ADMIN)) {
5649 struct audit_buffer *ab;
5650 size_t audit_size;
5651
5652 /* We strip a nul only if it is at the end, otherwise the
5653 * context contains a nul and we should audit that */
5654 if (str[size - 1] == '\0')
5655 audit_size = size - 1;
5656 else
5657 audit_size = size;
5658 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5659 audit_log_format(ab, "op=fscreate invalid_context=");
5660 audit_log_n_untrustedstring(ab, value, audit_size);
5661 audit_log_end(ab);
5662
5663 return error;
5664 }
5665 error = security_context_to_sid_force(value, size,
5666 &sid);
5667 }
5668 if (error)
5669 return error;
5670 }
5671
5672 new = prepare_creds();
5673 if (!new)
5674 return -ENOMEM;
5675
5676 /* Permission checking based on the specified context is
5677 performed during the actual operation (execve,
5678 open/mkdir/...), when we know the full context of the
5679 operation. See selinux_bprm_set_creds for the execve
5680 checks and may_create for the file creation checks. The
5681 operation will then fail if the context is not permitted. */
5682 tsec = new->security;
5683 if (!strcmp(name, "exec")) {
5684 tsec->exec_sid = sid;
5685 } else if (!strcmp(name, "fscreate")) {
5686 tsec->create_sid = sid;
5687 } else if (!strcmp(name, "keycreate")) {
5688 error = may_create_key(sid, p);
5689 if (error)
5690 goto abort_change;
5691 tsec->keycreate_sid = sid;
5692 } else if (!strcmp(name, "sockcreate")) {
5693 tsec->sockcreate_sid = sid;
5694 } else if (!strcmp(name, "current")) {
5695 error = -EINVAL;
5696 if (sid == 0)
5697 goto abort_change;
5698
5699 /* Only allow single threaded processes to change context */
5700 error = -EPERM;
5701 if (!current_is_single_threaded()) {
5702 error = security_bounded_transition(tsec->sid, sid);
5703 if (error)
5704 goto abort_change;
5705 }
5706
5707 /* Check permissions for the transition. */
5708 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5709 PROCESS__DYNTRANSITION, NULL);
5710 if (error)
5711 goto abort_change;
5712
5713 /* Check for ptracing, and update the task SID if ok.
5714 Otherwise, leave SID unchanged and fail. */
5715 ptsid = 0;
5716 rcu_read_lock();
5717 tracer = ptrace_parent(p);
5718 if (tracer)
5719 ptsid = task_sid(tracer);
5720 rcu_read_unlock();
5721
5722 if (tracer) {
5723 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5724 PROCESS__PTRACE, NULL);
5725 if (error)
5726 goto abort_change;
5727 }
5728
5729 tsec->sid = sid;
5730 } else {
5731 error = -EINVAL;
5732 goto abort_change;
5733 }
5734
5735 commit_creds(new);
5736 return size;
5737
5738 abort_change:
5739 abort_creds(new);
5740 return error;
5741 }
5742
5743 static int selinux_ismaclabel(const char *name)
5744 {
5745 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5746 }
5747
5748 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5749 {
5750 return security_sid_to_context(secid, secdata, seclen);
5751 }
5752
5753 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5754 {
5755 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5756 }
5757
5758 static void selinux_release_secctx(char *secdata, u32 seclen)
5759 {
5760 kfree(secdata);
5761 }
5762
5763 /*
5764 * called with inode->i_mutex locked
5765 */
5766 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5767 {
5768 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5769 }
5770
5771 /*
5772 * called with inode->i_mutex locked
5773 */
5774 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5775 {
5776 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5777 }
5778
5779 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5780 {
5781 int len = 0;
5782 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5783 ctx, true);
5784 if (len < 0)
5785 return len;
5786 *ctxlen = len;
5787 return 0;
5788 }
5789 #ifdef CONFIG_KEYS
5790
5791 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5792 unsigned long flags)
5793 {
5794 const struct task_security_struct *tsec;
5795 struct key_security_struct *ksec;
5796
5797 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5798 if (!ksec)
5799 return -ENOMEM;
5800
5801 tsec = cred->security;
5802 if (tsec->keycreate_sid)
5803 ksec->sid = tsec->keycreate_sid;
5804 else
5805 ksec->sid = tsec->sid;
5806
5807 k->security = ksec;
5808 return 0;
5809 }
5810
5811 static void selinux_key_free(struct key *k)
5812 {
5813 struct key_security_struct *ksec = k->security;
5814
5815 k->security = NULL;
5816 kfree(ksec);
5817 }
5818
5819 static int selinux_key_permission(key_ref_t key_ref,
5820 const struct cred *cred,
5821 unsigned perm)
5822 {
5823 struct key *key;
5824 struct key_security_struct *ksec;
5825 u32 sid;
5826
5827 /* if no specific permissions are requested, we skip the
5828 permission check. No serious, additional covert channels
5829 appear to be created. */
5830 if (perm == 0)
5831 return 0;
5832
5833 sid = cred_sid(cred);
5834
5835 key = key_ref_to_ptr(key_ref);
5836 ksec = key->security;
5837
5838 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5839 }
5840
5841 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5842 {
5843 struct key_security_struct *ksec = key->security;
5844 char *context = NULL;
5845 unsigned len;
5846 int rc;
5847
5848 rc = security_sid_to_context(ksec->sid, &context, &len);
5849 if (!rc)
5850 rc = len;
5851 *_buffer = context;
5852 return rc;
5853 }
5854
5855 #endif
5856
5857 static struct security_hook_list selinux_hooks[] = {
5858 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
5859 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
5860 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
5861 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
5862
5863 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
5864 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
5865 LSM_HOOK_INIT(capget, selinux_capget),
5866 LSM_HOOK_INIT(capset, selinux_capset),
5867 LSM_HOOK_INIT(capable, selinux_capable),
5868 LSM_HOOK_INIT(quotactl, selinux_quotactl),
5869 LSM_HOOK_INIT(quota_on, selinux_quota_on),
5870 LSM_HOOK_INIT(syslog, selinux_syslog),
5871 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
5872
5873 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
5874
5875 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
5876 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
5877 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
5878 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
5879
5880 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
5881 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
5882 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
5883 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
5884 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
5885 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
5886 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
5887 LSM_HOOK_INIT(sb_mount, selinux_mount),
5888 LSM_HOOK_INIT(sb_umount, selinux_umount),
5889 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
5890 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
5891 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
5892
5893 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
5894
5895 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
5896 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
5897 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
5898 LSM_HOOK_INIT(inode_create, selinux_inode_create),
5899 LSM_HOOK_INIT(inode_link, selinux_inode_link),
5900 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
5901 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
5902 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
5903 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
5904 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
5905 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
5906 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
5907 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
5908 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
5909 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
5910 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
5911 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
5912 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
5913 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
5914 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
5915 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
5916 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
5917 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
5918 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
5919 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
5920
5921 LSM_HOOK_INIT(file_permission, selinux_file_permission),
5922 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
5923 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
5924 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
5925 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
5926 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
5927 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
5928 LSM_HOOK_INIT(file_lock, selinux_file_lock),
5929 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
5930 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
5931 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
5932 LSM_HOOK_INIT(file_receive, selinux_file_receive),
5933
5934 LSM_HOOK_INIT(file_open, selinux_file_open),
5935
5936 LSM_HOOK_INIT(task_create, selinux_task_create),
5937 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
5938 LSM_HOOK_INIT(cred_free, selinux_cred_free),
5939 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
5940 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
5941 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
5942 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
5943 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
5944 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
5945 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
5946 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
5947 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
5948 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
5949 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
5950 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
5951 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
5952 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
5953 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
5954 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
5955 LSM_HOOK_INIT(task_kill, selinux_task_kill),
5956 LSM_HOOK_INIT(task_wait, selinux_task_wait),
5957 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
5958
5959 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
5960 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
5961
5962 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
5963 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
5964
5965 LSM_HOOK_INIT(msg_queue_alloc_security,
5966 selinux_msg_queue_alloc_security),
5967 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
5968 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
5969 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
5970 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
5971 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
5972
5973 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
5974 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
5975 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
5976 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
5977 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
5978
5979 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
5980 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
5981 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
5982 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
5983 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
5984
5985 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
5986
5987 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
5988 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
5989
5990 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
5991 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
5992 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
5993 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
5994 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
5995 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
5996 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
5997
5998 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
5999 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6000
6001 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6002 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6003 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6004 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6005 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6006 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6007 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6008 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6009 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6010 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6011 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6012 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6013 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6014 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6015 LSM_HOOK_INIT(socket_getpeersec_stream,
6016 selinux_socket_getpeersec_stream),
6017 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6018 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6019 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6020 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6021 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6022 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6023 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6024 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6025 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6026 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6027 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6028 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6029 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6030 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6031 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6032 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6033 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6034 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6035 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6036
6037 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6038 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6039 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6040 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6041 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6042 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6043 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6044 selinux_xfrm_state_alloc_acquire),
6045 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6046 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6047 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6048 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6049 selinux_xfrm_state_pol_flow_match),
6050 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6051 #endif
6052
6053 #ifdef CONFIG_KEYS
6054 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6055 LSM_HOOK_INIT(key_free, selinux_key_free),
6056 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6057 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6058 #endif
6059
6060 #ifdef CONFIG_AUDIT
6061 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6062 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6063 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6064 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6065 #endif
6066 };
6067
6068 static __init int selinux_init(void)
6069 {
6070 if (!security_module_enable("selinux")) {
6071 selinux_enabled = 0;
6072 return 0;
6073 }
6074
6075 if (!selinux_enabled) {
6076 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6077 return 0;
6078 }
6079
6080 printk(KERN_INFO "SELinux: Initializing.\n");
6081
6082 /* Set the security state for the initial task. */
6083 cred_init_security();
6084
6085 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6086
6087 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6088 sizeof(struct inode_security_struct),
6089 0, SLAB_PANIC, NULL);
6090 file_security_cache = kmem_cache_create("selinux_file_security",
6091 sizeof(struct file_security_struct),
6092 0, SLAB_PANIC, NULL);
6093 avc_init();
6094
6095 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6096
6097 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6098 panic("SELinux: Unable to register AVC netcache callback\n");
6099
6100 if (selinux_enforcing)
6101 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6102 else
6103 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6104
6105 return 0;
6106 }
6107
6108 static void delayed_superblock_init(struct super_block *sb, void *unused)
6109 {
6110 superblock_doinit(sb, NULL);
6111 }
6112
6113 void selinux_complete_init(void)
6114 {
6115 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6116
6117 /* Set up any superblocks initialized prior to the policy load. */
6118 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6119 iterate_supers(delayed_superblock_init, NULL);
6120 }
6121
6122 /* SELinux requires early initialization in order to label
6123 all processes and objects when they are created. */
6124 security_initcall(selinux_init);
6125
6126 #if defined(CONFIG_NETFILTER)
6127
6128 static struct nf_hook_ops selinux_nf_ops[] = {
6129 {
6130 .hook = selinux_ipv4_postroute,
6131 .pf = NFPROTO_IPV4,
6132 .hooknum = NF_INET_POST_ROUTING,
6133 .priority = NF_IP_PRI_SELINUX_LAST,
6134 },
6135 {
6136 .hook = selinux_ipv4_forward,
6137 .pf = NFPROTO_IPV4,
6138 .hooknum = NF_INET_FORWARD,
6139 .priority = NF_IP_PRI_SELINUX_FIRST,
6140 },
6141 {
6142 .hook = selinux_ipv4_output,
6143 .pf = NFPROTO_IPV4,
6144 .hooknum = NF_INET_LOCAL_OUT,
6145 .priority = NF_IP_PRI_SELINUX_FIRST,
6146 },
6147 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6148 {
6149 .hook = selinux_ipv6_postroute,
6150 .pf = NFPROTO_IPV6,
6151 .hooknum = NF_INET_POST_ROUTING,
6152 .priority = NF_IP6_PRI_SELINUX_LAST,
6153 },
6154 {
6155 .hook = selinux_ipv6_forward,
6156 .pf = NFPROTO_IPV6,
6157 .hooknum = NF_INET_FORWARD,
6158 .priority = NF_IP6_PRI_SELINUX_FIRST,
6159 },
6160 #endif /* IPV6 */
6161 };
6162
6163 static int __init selinux_nf_ip_init(void)
6164 {
6165 int err;
6166
6167 if (!selinux_enabled)
6168 return 0;
6169
6170 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6171
6172 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6173 if (err)
6174 panic("SELinux: nf_register_hooks: error %d\n", err);
6175
6176 return 0;
6177 }
6178
6179 __initcall(selinux_nf_ip_init);
6180
6181 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6182 static void selinux_nf_ip_exit(void)
6183 {
6184 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6185
6186 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6187 }
6188 #endif
6189
6190 #else /* CONFIG_NETFILTER */
6191
6192 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6193 #define selinux_nf_ip_exit()
6194 #endif
6195
6196 #endif /* CONFIG_NETFILTER */
6197
6198 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6199 static int selinux_disabled;
6200
6201 int selinux_disable(void)
6202 {
6203 if (ss_initialized) {
6204 /* Not permitted after initial policy load. */
6205 return -EINVAL;
6206 }
6207
6208 if (selinux_disabled) {
6209 /* Only do this once. */
6210 return -EINVAL;
6211 }
6212
6213 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6214
6215 selinux_disabled = 1;
6216 selinux_enabled = 0;
6217
6218 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6219
6220 /* Try to destroy the avc node cache */
6221 avc_disable();
6222
6223 /* Unregister netfilter hooks. */
6224 selinux_nf_ip_exit();
6225
6226 /* Unregister selinuxfs. */
6227 exit_sel_fs();
6228
6229 return 0;
6230 }
6231 #endif
Linux with added FPC-III support