search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6
[wrt350n-kernel.git] / security / selinux / hooks.c
blob1ed49957f60b77d675fa4b0f3769d8831f7985d9
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141 *
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
147 *
148 */
149 static int selinux_secmark_enabled(void)
150 {
151 return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158 struct task_security_struct *tsec;
159
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161 if (!tsec)
162 return -ENOMEM;
163
164 tsec->task = task;
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
167
168 return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
175 kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
182
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
184 if (!isec)
185 return -ENOMEM;
186
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
189 isec->inode = inode;
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
194
195 return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
207
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
216
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218 if (!fsec)
219 return -ENOMEM;
220
221 fsec->file = file;
222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
224 file->f_security = fsec;
225
226 return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231 struct file_security_struct *fsec = file->f_security;
232 file->f_security = NULL;
233 kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238 struct superblock_security_struct *sbsec;
239
240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241 if (!sbsec)
242 return -ENOMEM;
243
244 mutex_init(&sbsec->lock);
245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252 sb->s_security = sbsec;
253
254 return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259 struct superblock_security_struct *sbsec = sb->s_security;
260
261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
265
266 sb->s_security = NULL;
267 kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272 struct sk_security_struct *ssec;
273
274 ssec = kzalloc(sizeof(*ssec), priority);
275 if (!ssec)
276 return -ENOMEM;
277
278 ssec->sk = sk;
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 ssec->sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
282
283 selinux_netlbl_sk_security_init(ssec, family);
284
285 return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290 struct sk_security_struct *ssec = sk->sk_security;
291
292 sk->sk_security = NULL;
293 kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315 return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319 Opt_error = -1,
320 Opt_context = 1,
321 Opt_fscontext = 2,
322 Opt_defcontext = 3,
323 Opt_rootcontext = 4,
324 };
325
326 static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
330 {Opt_rootcontext, "rootcontext=%s"},
331 {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339 {
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355 {
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365 }
366
367 static int sb_finish_set_opts(struct super_block *sb)
368 {
369 struct superblock_security_struct *sbsec = sb->s_security;
370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
372 int rc = 0;
373
374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
383 rc = -EOPNOTSUPP;
384 goto out;
385 }
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
392 else
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
396 goto out;
397 }
398 }
399
400 sbsec->initialized = 1;
401
402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
405 else
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
409
410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
412
413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418 next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
430 }
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
434 }
435 spin_unlock(&sbsec->isec_lock);
436 out:
437 return rc;
438 }
439
440 /*
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
444 */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446 <<<<<<< HEAD:security/selinux/hooks.c
447 char ***mount_options, int **mnt_opts_flags,
448 int *num_opts)
449 =======
450 struct security_mnt_opts *opts)
451 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
452 {
453 int rc = 0, i;
454 struct superblock_security_struct *sbsec = sb->s_security;
455 char *context = NULL;
456 u32 len;
457 char tmp;
458
459 <<<<<<< HEAD:security/selinux/hooks.c
460 *num_opts = 0;
461 *mount_options = NULL;
462 *mnt_opts_flags = NULL;
463 =======
464 security_init_mnt_opts(opts);
465 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
466
467 if (!sbsec->initialized)
468 return -EINVAL;
469
470 if (!ss_initialized)
471 return -EINVAL;
472
473 /*
474 * if we ever use sbsec flags for anything other than tracking mount
475 * settings this is going to need a mask
476 */
477 tmp = sbsec->flags;
478 /* count the number of mount options for this sb */
479 for (i = 0; i < 8; i++) {
480 if (tmp & 0x01)
481 <<<<<<< HEAD:security/selinux/hooks.c
482 (*num_opts)++;
483 =======
484 opts->num_mnt_opts++;
485 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
486 tmp >>= 1;
487 }
488
489 <<<<<<< HEAD:security/selinux/hooks.c
490 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
491 if (!*mount_options) {
492 =======
493 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
494 if (!opts->mnt_opts) {
495 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
496 rc = -ENOMEM;
497 goto out_free;
498 }
499
500 <<<<<<< HEAD:security/selinux/hooks.c
501 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
502 if (!*mnt_opts_flags) {
503 =======
504 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
505 if (!opts->mnt_opts_flags) {
506 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
507 rc = -ENOMEM;
508 goto out_free;
509 }
510
511 i = 0;
512 if (sbsec->flags & FSCONTEXT_MNT) {
513 rc = security_sid_to_context(sbsec->sid, &context, &len);
514 if (rc)
515 goto out_free;
516 <<<<<<< HEAD:security/selinux/hooks.c
517 (*mount_options)[i] = context;
518 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
519 =======
520 opts->mnt_opts[i] = context;
521 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
522 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
523 }
524 if (sbsec->flags & CONTEXT_MNT) {
525 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
526 if (rc)
527 goto out_free;
528 <<<<<<< HEAD:security/selinux/hooks.c
529 (*mount_options)[i] = context;
530 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
531 =======
532 opts->mnt_opts[i] = context;
533 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
534 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
535 }
536 if (sbsec->flags & DEFCONTEXT_MNT) {
537 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
538 if (rc)
539 goto out_free;
540 <<<<<<< HEAD:security/selinux/hooks.c
541 (*mount_options)[i] = context;
542 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
543 =======
544 opts->mnt_opts[i] = context;
545 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
546 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
547 }
548 if (sbsec->flags & ROOTCONTEXT_MNT) {
549 struct inode *root = sbsec->sb->s_root->d_inode;
550 struct inode_security_struct *isec = root->i_security;
551
552 rc = security_sid_to_context(isec->sid, &context, &len);
553 if (rc)
554 goto out_free;
555 <<<<<<< HEAD:security/selinux/hooks.c
556 (*mount_options)[i] = context;
557 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
558 =======
559 opts->mnt_opts[i] = context;
560 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
561 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
562 }
563
564 <<<<<<< HEAD:security/selinux/hooks.c
565 BUG_ON(i != *num_opts);
566 =======
567 BUG_ON(i != opts->num_mnt_opts);
568 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
569
570 return 0;
571
572 out_free:
573 <<<<<<< HEAD:security/selinux/hooks.c
574 /* don't leak context string if security_sid_to_context had an error */
575 if (*mount_options && i)
576 for (; i > 0; i--)
577 kfree((*mount_options)[i-1]);
578 kfree(*mount_options);
579 *mount_options = NULL;
580 kfree(*mnt_opts_flags);
581 *mnt_opts_flags = NULL;
582 *num_opts = 0;
583 =======
584 security_free_mnt_opts(opts);
585 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
586 return rc;
587 }
588
589 static int bad_option(struct superblock_security_struct *sbsec, char flag,
590 u32 old_sid, u32 new_sid)
591 {
592 /* check if the old mount command had the same options */
593 if (sbsec->initialized)
594 if (!(sbsec->flags & flag) ||
595 (old_sid != new_sid))
596 return 1;
597
598 /* check if we were passed the same options twice,
599 * aka someone passed context=a,context=b
600 */
601 if (!sbsec->initialized)
602 if (sbsec->flags & flag)
603 return 1;
604 return 0;
605 }
606 <<<<<<< HEAD:security/selinux/hooks.c
607 =======
608
609 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
610 /*
611 * Allow filesystems with binary mount data to explicitly set mount point
612 * labeling information.
613 */
614 <<<<<<< HEAD:security/selinux/hooks.c
615 static int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
616 int *flags, int num_opts)
617 =======
618 static int selinux_set_mnt_opts(struct super_block *sb,
619 struct security_mnt_opts *opts)
620 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
621 {
622 int rc = 0, i;
623 struct task_security_struct *tsec = current->security;
624 struct superblock_security_struct *sbsec = sb->s_security;
625 const char *name = sb->s_type->name;
626 struct inode *inode = sbsec->sb->s_root->d_inode;
627 struct inode_security_struct *root_isec = inode->i_security;
628 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
629 u32 defcontext_sid = 0;
630 <<<<<<< HEAD:security/selinux/hooks.c
631 =======
632 char **mount_options = opts->mnt_opts;
633 int *flags = opts->mnt_opts_flags;
634 int num_opts = opts->num_mnt_opts;
635 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
636
637 mutex_lock(&sbsec->lock);
638
639 if (!ss_initialized) {
640 if (!num_opts) {
641 /* Defer initialization until selinux_complete_init,
642 after the initial policy is loaded and the security
643 server is ready to handle calls. */
644 spin_lock(&sb_security_lock);
645 if (list_empty(&sbsec->list))
646 list_add(&sbsec->list, &superblock_security_head);
647 spin_unlock(&sb_security_lock);
648 goto out;
649 }
650 rc = -EINVAL;
651 printk(KERN_WARNING "Unable to set superblock options before "
652 "the security server is initialized\n");
653 goto out;
654 }
655
656 /*
657 <<<<<<< HEAD:security/selinux/hooks.c
658 =======
659 * Binary mount data FS will come through this function twice. Once
660 * from an explicit call and once from the generic calls from the vfs.
661 * Since the generic VFS calls will not contain any security mount data
662 * we need to skip the double mount verification.
663 *
664 * This does open a hole in which we will not notice if the first
665 * mount using this sb set explict options and a second mount using
666 * this sb does not set any security options. (The first options
667 * will be used for both mounts)
668 */
669 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
670 && (num_opts == 0))
671 goto out;
672
673 /*
674 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
675 * parse the mount options, check if they are valid sids.
676 * also check if someone is trying to mount the same sb more
677 * than once with different security options.
678 */
679 for (i = 0; i < num_opts; i++) {
680 u32 sid;
681 rc = security_context_to_sid(mount_options[i],
682 strlen(mount_options[i]), &sid);
683 if (rc) {
684 printk(KERN_WARNING "SELinux: security_context_to_sid"
685 "(%s) failed for (dev %s, type %s) errno=%d\n",
686 mount_options[i], sb->s_id, name, rc);
687 goto out;
688 }
689 switch (flags[i]) {
690 case FSCONTEXT_MNT:
691 fscontext_sid = sid;
692
693 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
694 fscontext_sid))
695 goto out_double_mount;
696
697 sbsec->flags |= FSCONTEXT_MNT;
698 break;
699 case CONTEXT_MNT:
700 context_sid = sid;
701
702 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
703 context_sid))
704 goto out_double_mount;
705
706 sbsec->flags |= CONTEXT_MNT;
707 break;
708 case ROOTCONTEXT_MNT:
709 rootcontext_sid = sid;
710
711 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
712 rootcontext_sid))
713 goto out_double_mount;
714
715 sbsec->flags |= ROOTCONTEXT_MNT;
716
717 break;
718 case DEFCONTEXT_MNT:
719 defcontext_sid = sid;
720
721 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
722 defcontext_sid))
723 goto out_double_mount;
724
725 sbsec->flags |= DEFCONTEXT_MNT;
726
727 break;
728 default:
729 rc = -EINVAL;
730 goto out;
731 }
732 }
733
734 if (sbsec->initialized) {
735 /* previously mounted with options, but not on this attempt? */
736 if (sbsec->flags && !num_opts)
737 goto out_double_mount;
738 rc = 0;
739 goto out;
740 }
741
742 if (strcmp(sb->s_type->name, "proc") == 0)
743 sbsec->proc = 1;
744
745 /* Determine the labeling behavior to use for this filesystem type. */
746 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
747 if (rc) {
748 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
749 __FUNCTION__, sb->s_type->name, rc);
750 goto out;
751 }
752
753 /* sets the context of the superblock for the fs being mounted. */
754 if (fscontext_sid) {
755
756 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
757 if (rc)
758 goto out;
759
760 sbsec->sid = fscontext_sid;
761 }
762
763 /*
764 * Switch to using mount point labeling behavior.
765 * sets the label used on all file below the mountpoint, and will set
766 * the superblock context if not already set.
767 */
768 if (context_sid) {
769 if (!fscontext_sid) {
770 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
771 if (rc)
772 goto out;
773 sbsec->sid = context_sid;
774 } else {
775 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
776 if (rc)
777 goto out;
778 }
779 if (!rootcontext_sid)
780 rootcontext_sid = context_sid;
781
782 sbsec->mntpoint_sid = context_sid;
783 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
784 }
785
786 if (rootcontext_sid) {
787 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
788 if (rc)
789 goto out;
790
791 root_isec->sid = rootcontext_sid;
792 root_isec->initialized = 1;
793 }
794
795 if (defcontext_sid) {
796 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
797 rc = -EINVAL;
798 printk(KERN_WARNING "SELinux: defcontext option is "
799 "invalid for this filesystem type\n");
800 goto out;
801 }
802
803 if (defcontext_sid != sbsec->def_sid) {
804 rc = may_context_mount_inode_relabel(defcontext_sid,
805 sbsec, tsec);
806 if (rc)
807 goto out;
808 }
809
810 sbsec->def_sid = defcontext_sid;
811 }
812
813 rc = sb_finish_set_opts(sb);
814 out:
815 mutex_unlock(&sbsec->lock);
816 return rc;
817 out_double_mount:
818 rc = -EINVAL;
819 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
820 "security settings for (dev %s, type %s)\n", sb->s_id, name);
821 goto out;
822 }
823
824 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
825 struct super_block *newsb)
826 {
827 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
828 struct superblock_security_struct *newsbsec = newsb->s_security;
829
830 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
831 int set_context = (oldsbsec->flags & CONTEXT_MNT);
832 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
833
834 /* we can't error, we can't save the info, this shouldn't get called
835 * this early in the boot process. */
836 BUG_ON(!ss_initialized);
837
838 /* this might go away sometime down the line if there is a new user
839 * of clone, but for now, nfs better not get here... */
840 BUG_ON(newsbsec->initialized);
841
842 /* how can we clone if the old one wasn't set up?? */
843 BUG_ON(!oldsbsec->initialized);
844
845 mutex_lock(&newsbsec->lock);
846
847 newsbsec->flags = oldsbsec->flags;
848
849 newsbsec->sid = oldsbsec->sid;
850 newsbsec->def_sid = oldsbsec->def_sid;
851 newsbsec->behavior = oldsbsec->behavior;
852
853 if (set_context) {
854 u32 sid = oldsbsec->mntpoint_sid;
855
856 if (!set_fscontext)
857 newsbsec->sid = sid;
858 if (!set_rootcontext) {
859 struct inode *newinode = newsb->s_root->d_inode;
860 struct inode_security_struct *newisec = newinode->i_security;
861 newisec->sid = sid;
862 }
863 newsbsec->mntpoint_sid = sid;
864 }
865 if (set_rootcontext) {
866 const struct inode *oldinode = oldsb->s_root->d_inode;
867 const struct inode_security_struct *oldisec = oldinode->i_security;
868 struct inode *newinode = newsb->s_root->d_inode;
869 struct inode_security_struct *newisec = newinode->i_security;
870
871 newisec->sid = oldisec->sid;
872 }
873
874 sb_finish_set_opts(newsb);
875 mutex_unlock(&newsbsec->lock);
876 }
877
878 <<<<<<< HEAD:security/selinux/hooks.c
879 /*
880 * string mount options parsing and call set the sbsec
881 */
882 static int superblock_doinit(struct super_block *sb, void *data)
883 =======
884 static int selinux_parse_opts_str(char *options,
885 struct security_mnt_opts *opts)
886 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
887 {
888 <<<<<<< HEAD:security/selinux/hooks.c
889 =======
890 char *p;
891 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
892 char *context = NULL, *defcontext = NULL;
893 char *fscontext = NULL, *rootcontext = NULL;
894 <<<<<<< HEAD:security/selinux/hooks.c
895 int rc = 0;
896 char *p, *options = data;
897 /* selinux only know about a fixed number of mount options */
898 char *mnt_opts[NUM_SEL_MNT_OPTS];
899 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
900
901 if (!data)
902 goto out;
903 =======
904 int rc, num_mnt_opts = 0;
905 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
906
907 <<<<<<< HEAD:security/selinux/hooks.c
908 /* with the nfs patch this will become a goto out; */
909 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
910 const char *name = sb->s_type->name;
911 /* NFS we understand. */
912 if (!strcmp(name, "nfs")) {
913 struct nfs_mount_data *d = data;
914
915 if (d->version != NFS_MOUNT_VERSION)
916 goto out;
917
918 if (d->context[0]) {
919 context = kstrdup(d->context, GFP_KERNEL);
920 if (!context) {
921 rc = -ENOMEM;
922 goto out;
923 }
924 }
925 goto build_flags;
926 } else
927 goto out;
928 }
929 =======
930 opts->num_mnt_opts = 0;
931 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
932
933 /* Standard string-based options. */
934 while ((p = strsep(&options, "|")) != NULL) {
935 int token;
936 substring_t args[MAX_OPT_ARGS];
937
938 if (!*p)
939 continue;
940
941 token = match_token(p, tokens, args);
942
943 switch (token) {
944 case Opt_context:
945 if (context || defcontext) {
946 rc = -EINVAL;
947 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
948 goto out_err;
949 }
950 context = match_strdup(&args[0]);
951 if (!context) {
952 rc = -ENOMEM;
953 goto out_err;
954 }
955 break;
956
957 case Opt_fscontext:
958 if (fscontext) {
959 rc = -EINVAL;
960 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
961 goto out_err;
962 }
963 fscontext = match_strdup(&args[0]);
964 if (!fscontext) {
965 rc = -ENOMEM;
966 goto out_err;
967 }
968 break;
969
970 case Opt_rootcontext:
971 if (rootcontext) {
972 rc = -EINVAL;
973 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
974 goto out_err;
975 }
976 rootcontext = match_strdup(&args[0]);
977 if (!rootcontext) {
978 rc = -ENOMEM;
979 goto out_err;
980 }
981 break;
982
983 case Opt_defcontext:
984 if (context || defcontext) {
985 rc = -EINVAL;
986 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
987 goto out_err;
988 }
989 defcontext = match_strdup(&args[0]);
990 if (!defcontext) {
991 rc = -ENOMEM;
992 goto out_err;
993 }
994 break;
995
996 default:
997 rc = -EINVAL;
998 printk(KERN_WARNING "SELinux: unknown mount option\n");
999 goto out_err;
1000
1001 }
1002 }
1003
1004 <<<<<<< HEAD:security/selinux/hooks.c
1005 build_flags:
1006 =======
1007 rc = -ENOMEM;
1008 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1009 if (!opts->mnt_opts)
1010 goto out_err;
1011
1012 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1013 if (!opts->mnt_opts_flags) {
1014 kfree(opts->mnt_opts);
1015 goto out_err;
1016 }
1017
1018 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
1019 if (fscontext) {
1020 <<<<<<< HEAD:security/selinux/hooks.c
1021 mnt_opts[num_mnt_opts] = fscontext;
1022 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1023 =======
1024 opts->mnt_opts[num_mnt_opts] = fscontext;
1025 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1026 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
1027 }
1028 if (context) {
1029 <<<<<<< HEAD:security/selinux/hooks.c
1030 mnt_opts[num_mnt_opts] = context;
1031 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1032 =======
1033 opts->mnt_opts[num_mnt_opts] = context;
1034 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1035 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
1036 }
1037 if (rootcontext) {
1038 <<<<<<< HEAD:security/selinux/hooks.c
1039 mnt_opts[num_mnt_opts] = rootcontext;
1040 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1041 =======
1042 opts->mnt_opts[num_mnt_opts] = rootcontext;
1043 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1044 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
1045 }
1046 if (defcontext) {
1047 <<<<<<< HEAD:security/selinux/hooks.c
1048 mnt_opts[num_mnt_opts] = defcontext;
1049 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1050 =======
1051 opts->mnt_opts[num_mnt_opts] = defcontext;
1052 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1053 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
1054 }
1055
1056 <<<<<<< HEAD:security/selinux/hooks.c
1057 out:
1058 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
1059 =======
1060 opts->num_mnt_opts = num_mnt_opts;
1061 return 0;
1062
1063 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
1064 out_err:
1065 kfree(context);
1066 kfree(defcontext);
1067 kfree(fscontext);
1068 kfree(rootcontext);
1069 return rc;
1070 }
1071 <<<<<<< HEAD:security/selinux/hooks.c
1072 =======
1073 /*
1074 * string mount options parsing and call set the sbsec
1075 */
1076 static int superblock_doinit(struct super_block *sb, void *data)
1077 {
1078 int rc = 0;
1079 char *options = data;
1080 struct security_mnt_opts opts;
1081
1082 security_init_mnt_opts(&opts);
1083
1084 if (!data)
1085 goto out;
1086
1087 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1088
1089 rc = selinux_parse_opts_str(options, &opts);
1090 if (rc)
1091 goto out_err;
1092
1093 out:
1094 rc = selinux_set_mnt_opts(sb, &opts);
1095
1096 out_err:
1097 security_free_mnt_opts(&opts);
1098 return rc;
1099 }
1100 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
1101
1102 static inline u16 inode_mode_to_security_class(umode_t mode)
1103 {
1104 switch (mode & S_IFMT) {
1105 case S_IFSOCK:
1106 return SECCLASS_SOCK_FILE;
1107 case S_IFLNK:
1108 return SECCLASS_LNK_FILE;
1109 case S_IFREG:
1110 return SECCLASS_FILE;
1111 case S_IFBLK:
1112 return SECCLASS_BLK_FILE;
1113 case S_IFDIR:
1114 return SECCLASS_DIR;
1115 case S_IFCHR:
1116 return SECCLASS_CHR_FILE;
1117 case S_IFIFO:
1118 return SECCLASS_FIFO_FILE;
1119
1120 }
1121
1122 return SECCLASS_FILE;
1123 }
1124
1125 static inline int default_protocol_stream(int protocol)
1126 {
1127 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1128 }
1129
1130 static inline int default_protocol_dgram(int protocol)
1131 {
1132 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1133 }
1134
1135 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1136 {
1137 switch (family) {
1138 case PF_UNIX:
1139 switch (type) {
1140 case SOCK_STREAM:
1141 case SOCK_SEQPACKET:
1142 return SECCLASS_UNIX_STREAM_SOCKET;
1143 case SOCK_DGRAM:
1144 return SECCLASS_UNIX_DGRAM_SOCKET;
1145 }
1146 break;
1147 case PF_INET:
1148 case PF_INET6:
1149 switch (type) {
1150 case SOCK_STREAM:
1151 if (default_protocol_stream(protocol))
1152 return SECCLASS_TCP_SOCKET;
1153 else
1154 return SECCLASS_RAWIP_SOCKET;
1155 case SOCK_DGRAM:
1156 if (default_protocol_dgram(protocol))
1157 return SECCLASS_UDP_SOCKET;
1158 else
1159 return SECCLASS_RAWIP_SOCKET;
1160 case SOCK_DCCP:
1161 return SECCLASS_DCCP_SOCKET;
1162 default:
1163 return SECCLASS_RAWIP_SOCKET;
1164 }
1165 break;
1166 case PF_NETLINK:
1167 switch (protocol) {
1168 case NETLINK_ROUTE:
1169 return SECCLASS_NETLINK_ROUTE_SOCKET;
1170 case NETLINK_FIREWALL:
1171 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1172 case NETLINK_INET_DIAG:
1173 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1174 case NETLINK_NFLOG:
1175 return SECCLASS_NETLINK_NFLOG_SOCKET;
1176 case NETLINK_XFRM:
1177 return SECCLASS_NETLINK_XFRM_SOCKET;
1178 case NETLINK_SELINUX:
1179 return SECCLASS_NETLINK_SELINUX_SOCKET;
1180 case NETLINK_AUDIT:
1181 return SECCLASS_NETLINK_AUDIT_SOCKET;
1182 case NETLINK_IP6_FW:
1183 return SECCLASS_NETLINK_IP6FW_SOCKET;
1184 case NETLINK_DNRTMSG:
1185 return SECCLASS_NETLINK_DNRT_SOCKET;
1186 case NETLINK_KOBJECT_UEVENT:
1187 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1188 default:
1189 return SECCLASS_NETLINK_SOCKET;
1190 }
1191 case PF_PACKET:
1192 return SECCLASS_PACKET_SOCKET;
1193 case PF_KEY:
1194 return SECCLASS_KEY_SOCKET;
1195 case PF_APPLETALK:
1196 return SECCLASS_APPLETALK_SOCKET;
1197 }
1198
1199 return SECCLASS_SOCKET;
1200 }
1201
1202 #ifdef CONFIG_PROC_FS
1203 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1204 u16 tclass,
1205 u32 *sid)
1206 {
1207 int buflen, rc;
1208 char *buffer, *path, *end;
1209
1210 buffer = (char*)__get_free_page(GFP_KERNEL);
1211 if (!buffer)
1212 return -ENOMEM;
1213
1214 buflen = PAGE_SIZE;
1215 end = buffer+buflen;
1216 *--end = '\0';
1217 buflen--;
1218 path = end-1;
1219 *path = '/';
1220 while (de && de != de->parent) {
1221 buflen -= de->namelen + 1;
1222 if (buflen < 0)
1223 break;
1224 end -= de->namelen;
1225 memcpy(end, de->name, de->namelen);
1226 *--end = '/';
1227 path = end;
1228 de = de->parent;
1229 }
1230 rc = security_genfs_sid("proc", path, tclass, sid);
1231 free_page((unsigned long)buffer);
1232 return rc;
1233 }
1234 #else
1235 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1236 u16 tclass,
1237 u32 *sid)
1238 {
1239 return -EINVAL;
1240 }
1241 #endif
1242
1243 /* The inode's security attributes must be initialized before first use. */
1244 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1245 {
1246 struct superblock_security_struct *sbsec = NULL;
1247 struct inode_security_struct *isec = inode->i_security;
1248 u32 sid;
1249 struct dentry *dentry;
1250 #define INITCONTEXTLEN 255
1251 char *context = NULL;
1252 unsigned len = 0;
1253 int rc = 0;
1254
1255 if (isec->initialized)
1256 goto out;
1257
1258 mutex_lock(&isec->lock);
1259 if (isec->initialized)
1260 goto out_unlock;
1261
1262 sbsec = inode->i_sb->s_security;
1263 if (!sbsec->initialized) {
1264 /* Defer initialization until selinux_complete_init,
1265 after the initial policy is loaded and the security
1266 server is ready to handle calls. */
1267 spin_lock(&sbsec->isec_lock);
1268 if (list_empty(&isec->list))
1269 list_add(&isec->list, &sbsec->isec_head);
1270 spin_unlock(&sbsec->isec_lock);
1271 goto out_unlock;
1272 }
1273
1274 switch (sbsec->behavior) {
1275 case SECURITY_FS_USE_XATTR:
1276 if (!inode->i_op->getxattr) {
1277 isec->sid = sbsec->def_sid;
1278 break;
1279 }
1280
1281 /* Need a dentry, since the xattr API requires one.
1282 Life would be simpler if we could just pass the inode. */
1283 if (opt_dentry) {
1284 /* Called from d_instantiate or d_splice_alias. */
1285 dentry = dget(opt_dentry);
1286 } else {
1287 /* Called from selinux_complete_init, try to find a dentry. */
1288 dentry = d_find_alias(inode);
1289 }
1290 if (!dentry) {
1291 printk(KERN_WARNING "%s: no dentry for dev=%s "
1292 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1293 inode->i_ino);
1294 goto out_unlock;
1295 }
1296
1297 len = INITCONTEXTLEN;
1298 context = kmalloc(len, GFP_KERNEL);
1299 if (!context) {
1300 rc = -ENOMEM;
1301 dput(dentry);
1302 goto out_unlock;
1303 }
1304 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1305 context, len);
1306 if (rc == -ERANGE) {
1307 /* Need a larger buffer. Query for the right size. */
1308 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1309 NULL, 0);
1310 if (rc < 0) {
1311 dput(dentry);
1312 goto out_unlock;
1313 }
1314 kfree(context);
1315 len = rc;
1316 context = kmalloc(len, GFP_KERNEL);
1317 if (!context) {
1318 rc = -ENOMEM;
1319 dput(dentry);
1320 goto out_unlock;
1321 }
1322 rc = inode->i_op->getxattr(dentry,
1323 XATTR_NAME_SELINUX,
1324 context, len);
1325 }
1326 dput(dentry);
1327 if (rc < 0) {
1328 if (rc != -ENODATA) {
1329 printk(KERN_WARNING "%s: getxattr returned "
1330 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1331 -rc, inode->i_sb->s_id, inode->i_ino);
1332 kfree(context);
1333 goto out_unlock;
1334 }
1335 /* Map ENODATA to the default file SID */
1336 sid = sbsec->def_sid;
1337 rc = 0;
1338 } else {
1339 rc = security_context_to_sid_default(context, rc, &sid,
1340 sbsec->def_sid);
1341 if (rc) {
1342 printk(KERN_WARNING "%s: context_to_sid(%s) "
1343 "returned %d for dev=%s ino=%ld\n",
1344 __FUNCTION__, context, -rc,
1345 inode->i_sb->s_id, inode->i_ino);
1346 kfree(context);
1347 /* Leave with the unlabeled SID */
1348 rc = 0;
1349 break;
1350 }
1351 }
1352 kfree(context);
1353 isec->sid = sid;
1354 break;
1355 case SECURITY_FS_USE_TASK:
1356 isec->sid = isec->task_sid;
1357 break;
1358 case SECURITY_FS_USE_TRANS:
1359 /* Default to the fs SID. */
1360 isec->sid = sbsec->sid;
1361
1362 /* Try to obtain a transition SID. */
1363 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1364 rc = security_transition_sid(isec->task_sid,
1365 sbsec->sid,
1366 isec->sclass,
1367 &sid);
1368 if (rc)
1369 goto out_unlock;
1370 isec->sid = sid;
1371 break;
1372 case SECURITY_FS_USE_MNTPOINT:
1373 isec->sid = sbsec->mntpoint_sid;
1374 break;
1375 default:
1376 /* Default to the fs superblock SID. */
1377 isec->sid = sbsec->sid;
1378
1379 if (sbsec->proc) {
1380 struct proc_inode *proci = PROC_I(inode);
1381 if (proci->pde) {
1382 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1383 rc = selinux_proc_get_sid(proci->pde,
1384 isec->sclass,
1385 &sid);
1386 if (rc)
1387 goto out_unlock;
1388 isec->sid = sid;
1389 }
1390 }
1391 break;
1392 }
1393
1394 isec->initialized = 1;
1395
1396 out_unlock:
1397 mutex_unlock(&isec->lock);
1398 out:
1399 if (isec->sclass == SECCLASS_FILE)
1400 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1401 return rc;
1402 }
1403
1404 /* Convert a Linux signal to an access vector. */
1405 static inline u32 signal_to_av(int sig)
1406 {
1407 u32 perm = 0;
1408
1409 switch (sig) {
1410 case SIGCHLD:
1411 /* Commonly granted from child to parent. */
1412 perm = PROCESS__SIGCHLD;
1413 break;
1414 case SIGKILL:
1415 /* Cannot be caught or ignored */
1416 perm = PROCESS__SIGKILL;
1417 break;
1418 case SIGSTOP:
1419 /* Cannot be caught or ignored */
1420 perm = PROCESS__SIGSTOP;
1421 break;
1422 default:
1423 /* All other signals. */
1424 perm = PROCESS__SIGNAL;
1425 break;
1426 }
1427
1428 return perm;
1429 }
1430
1431 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1432 fork check, ptrace check, etc. */
1433 static int task_has_perm(struct task_struct *tsk1,
1434 struct task_struct *tsk2,
1435 u32 perms)
1436 {
1437 struct task_security_struct *tsec1, *tsec2;
1438
1439 tsec1 = tsk1->security;
1440 tsec2 = tsk2->security;
1441 return avc_has_perm(tsec1->sid, tsec2->sid,
1442 SECCLASS_PROCESS, perms, NULL);
1443 }
1444
1445 #if CAP_LAST_CAP > 63
1446 #error Fix SELinux to handle capabilities > 63.
1447 #endif
1448
1449 /* Check whether a task is allowed to use a capability. */
1450 static int task_has_capability(struct task_struct *tsk,
1451 int cap)
1452 {
1453 struct task_security_struct *tsec;
1454 struct avc_audit_data ad;
1455 u16 sclass;
1456 u32 av = CAP_TO_MASK(cap);
1457
1458 tsec = tsk->security;
1459
1460 AVC_AUDIT_DATA_INIT(&ad,CAP);
1461 ad.tsk = tsk;
1462 ad.u.cap = cap;
1463
1464 switch (CAP_TO_INDEX(cap)) {
1465 case 0:
1466 sclass = SECCLASS_CAPABILITY;
1467 break;
1468 case 1:
1469 sclass = SECCLASS_CAPABILITY2;
1470 break;
1471 default:
1472 printk(KERN_ERR
1473 "SELinux: out of range capability %d\n", cap);
1474 BUG();
1475 }
1476 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1477 }
1478
1479 /* Check whether a task is allowed to use a system operation. */
1480 static int task_has_system(struct task_struct *tsk,
1481 u32 perms)
1482 {
1483 struct task_security_struct *tsec;
1484
1485 tsec = tsk->security;
1486
1487 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1488 SECCLASS_SYSTEM, perms, NULL);
1489 }
1490
1491 /* Check whether a task has a particular permission to an inode.
1492 The 'adp' parameter is optional and allows other audit
1493 data to be passed (e.g. the dentry). */
1494 static int inode_has_perm(struct task_struct *tsk,
1495 struct inode *inode,
1496 u32 perms,
1497 struct avc_audit_data *adp)
1498 {
1499 struct task_security_struct *tsec;
1500 struct inode_security_struct *isec;
1501 struct avc_audit_data ad;
1502
1503 if (unlikely (IS_PRIVATE (inode)))
1504 return 0;
1505
1506 tsec = tsk->security;
1507 isec = inode->i_security;
1508
1509 if (!adp) {
1510 adp = &ad;
1511 AVC_AUDIT_DATA_INIT(&ad, FS);
1512 ad.u.fs.inode = inode;
1513 }
1514
1515 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1516 }
1517
1518 /* Same as inode_has_perm, but pass explicit audit data containing
1519 the dentry to help the auditing code to more easily generate the
1520 pathname if needed. */
1521 static inline int dentry_has_perm(struct task_struct *tsk,
1522 struct vfsmount *mnt,
1523 struct dentry *dentry,
1524 u32 av)
1525 {
1526 struct inode *inode = dentry->d_inode;
1527 struct avc_audit_data ad;
1528 AVC_AUDIT_DATA_INIT(&ad,FS);
1529 ad.u.fs.path.mnt = mnt;
1530 ad.u.fs.path.dentry = dentry;
1531 return inode_has_perm(tsk, inode, av, &ad);
1532 }
1533
1534 /* Check whether a task can use an open file descriptor to
1535 access an inode in a given way. Check access to the
1536 descriptor itself, and then use dentry_has_perm to
1537 check a particular permission to the file.
1538 Access to the descriptor is implicitly granted if it
1539 has the same SID as the process. If av is zero, then
1540 access to the file is not checked, e.g. for cases
1541 where only the descriptor is affected like seek. */
1542 static int file_has_perm(struct task_struct *tsk,
1543 struct file *file,
1544 u32 av)
1545 {
1546 struct task_security_struct *tsec = tsk->security;
1547 struct file_security_struct *fsec = file->f_security;
1548 struct inode *inode = file->f_path.dentry->d_inode;
1549 struct avc_audit_data ad;
1550 int rc;
1551
1552 AVC_AUDIT_DATA_INIT(&ad, FS);
1553 ad.u.fs.path = file->f_path;
1554
1555 if (tsec->sid != fsec->sid) {
1556 rc = avc_has_perm(tsec->sid, fsec->sid,
1557 SECCLASS_FD,
1558 FD__USE,
1559 &ad);
1560 if (rc)
1561 return rc;
1562 }
1563
1564 /* av is zero if only checking access to the descriptor. */
1565 if (av)
1566 return inode_has_perm(tsk, inode, av, &ad);
1567
1568 return 0;
1569 }
1570
1571 /* Check whether a task can create a file. */
1572 static int may_create(struct inode *dir,
1573 struct dentry *dentry,
1574 u16 tclass)
1575 {
1576 struct task_security_struct *tsec;
1577 struct inode_security_struct *dsec;
1578 struct superblock_security_struct *sbsec;
1579 u32 newsid;
1580 struct avc_audit_data ad;
1581 int rc;
1582
1583 tsec = current->security;
1584 dsec = dir->i_security;
1585 sbsec = dir->i_sb->s_security;
1586
1587 AVC_AUDIT_DATA_INIT(&ad, FS);
1588 ad.u.fs.path.dentry = dentry;
1589
1590 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1591 DIR__ADD_NAME | DIR__SEARCH,
1592 &ad);
1593 if (rc)
1594 return rc;
1595
1596 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1597 newsid = tsec->create_sid;
1598 } else {
1599 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1600 &newsid);
1601 if (rc)
1602 return rc;
1603 }
1604
1605 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1606 if (rc)
1607 return rc;
1608
1609 return avc_has_perm(newsid, sbsec->sid,
1610 SECCLASS_FILESYSTEM,
1611 FILESYSTEM__ASSOCIATE, &ad);
1612 }
1613
1614 /* Check whether a task can create a key. */
1615 static int may_create_key(u32 ksid,
1616 struct task_struct *ctx)
1617 {
1618 struct task_security_struct *tsec;
1619
1620 tsec = ctx->security;
1621
1622 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1623 }
1624
1625 #define MAY_LINK 0
1626 #define MAY_UNLINK 1
1627 #define MAY_RMDIR 2
1628
1629 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1630 static int may_link(struct inode *dir,
1631 struct dentry *dentry,
1632 int kind)
1633
1634 {
1635 struct task_security_struct *tsec;
1636 struct inode_security_struct *dsec, *isec;
1637 struct avc_audit_data ad;
1638 u32 av;
1639 int rc;
1640
1641 tsec = current->security;
1642 dsec = dir->i_security;
1643 isec = dentry->d_inode->i_security;
1644
1645 AVC_AUDIT_DATA_INIT(&ad, FS);
1646 ad.u.fs.path.dentry = dentry;
1647
1648 av = DIR__SEARCH;
1649 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1650 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1651 if (rc)
1652 return rc;
1653
1654 switch (kind) {
1655 case MAY_LINK:
1656 av = FILE__LINK;
1657 break;
1658 case MAY_UNLINK:
1659 av = FILE__UNLINK;
1660 break;
1661 case MAY_RMDIR:
1662 av = DIR__RMDIR;
1663 break;
1664 default:
1665 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1666 return 0;
1667 }
1668
1669 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1670 return rc;
1671 }
1672
1673 static inline int may_rename(struct inode *old_dir,
1674 struct dentry *old_dentry,
1675 struct inode *new_dir,
1676 struct dentry *new_dentry)
1677 {
1678 struct task_security_struct *tsec;
1679 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1680 struct avc_audit_data ad;
1681 u32 av;
1682 int old_is_dir, new_is_dir;
1683 int rc;
1684
1685 tsec = current->security;
1686 old_dsec = old_dir->i_security;
1687 old_isec = old_dentry->d_inode->i_security;
1688 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1689 new_dsec = new_dir->i_security;
1690
1691 AVC_AUDIT_DATA_INIT(&ad, FS);
1692
1693 ad.u.fs.path.dentry = old_dentry;
1694 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1695 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1696 if (rc)
1697 return rc;
1698 rc = avc_has_perm(tsec->sid, old_isec->sid,
1699 old_isec->sclass, FILE__RENAME, &ad);
1700 if (rc)
1701 return rc;
1702 if (old_is_dir && new_dir != old_dir) {
1703 rc = avc_has_perm(tsec->sid, old_isec->sid,
1704 old_isec->sclass, DIR__REPARENT, &ad);
1705 if (rc)
1706 return rc;
1707 }
1708
1709 ad.u.fs.path.dentry = new_dentry;
1710 av = DIR__ADD_NAME | DIR__SEARCH;
1711 if (new_dentry->d_inode)
1712 av |= DIR__REMOVE_NAME;
1713 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1714 if (rc)
1715 return rc;
1716 if (new_dentry->d_inode) {
1717 new_isec = new_dentry->d_inode->i_security;
1718 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1719 rc = avc_has_perm(tsec->sid, new_isec->sid,
1720 new_isec->sclass,
1721 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1722 if (rc)
1723 return rc;
1724 }
1725
1726 return 0;
1727 }
1728
1729 /* Check whether a task can perform a filesystem operation. */
1730 static int superblock_has_perm(struct task_struct *tsk,
1731 struct super_block *sb,
1732 u32 perms,
1733 struct avc_audit_data *ad)
1734 {
1735 struct task_security_struct *tsec;
1736 struct superblock_security_struct *sbsec;
1737
1738 tsec = tsk->security;
1739 sbsec = sb->s_security;
1740 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1741 perms, ad);
1742 }
1743
1744 /* Convert a Linux mode and permission mask to an access vector. */
1745 static inline u32 file_mask_to_av(int mode, int mask)
1746 {
1747 u32 av = 0;
1748
1749 if ((mode & S_IFMT) != S_IFDIR) {
1750 if (mask & MAY_EXEC)
1751 av |= FILE__EXECUTE;
1752 if (mask & MAY_READ)
1753 av |= FILE__READ;
1754
1755 if (mask & MAY_APPEND)
1756 av |= FILE__APPEND;
1757 else if (mask & MAY_WRITE)
1758 av |= FILE__WRITE;
1759
1760 } else {
1761 if (mask & MAY_EXEC)
1762 av |= DIR__SEARCH;
1763 if (mask & MAY_WRITE)
1764 av |= DIR__WRITE;
1765 if (mask & MAY_READ)
1766 av |= DIR__READ;
1767 }
1768
1769 return av;
1770 }
1771
1772 /* Convert a Linux file to an access vector. */
1773 static inline u32 file_to_av(struct file *file)
1774 {
1775 u32 av = 0;
1776
1777 if (file->f_mode & FMODE_READ)
1778 av |= FILE__READ;
1779 if (file->f_mode & FMODE_WRITE) {
1780 if (file->f_flags & O_APPEND)
1781 av |= FILE__APPEND;
1782 else
1783 av |= FILE__WRITE;
1784 }
1785
1786 return av;
1787 }
1788
1789 /* Hook functions begin here. */
1790
1791 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1792 {
1793 struct task_security_struct *psec = parent->security;
1794 struct task_security_struct *csec = child->security;
1795 int rc;
1796
1797 rc = secondary_ops->ptrace(parent,child);
1798 if (rc)
1799 return rc;
1800
1801 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1802 /* Save the SID of the tracing process for later use in apply_creds. */
1803 if (!(child->ptrace & PT_PTRACED) && !rc)
1804 csec->ptrace_sid = psec->sid;
1805 return rc;
1806 }
1807
1808 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1809 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1810 {
1811 int error;
1812
1813 error = task_has_perm(current, target, PROCESS__GETCAP);
1814 if (error)
1815 return error;
1816
1817 return secondary_ops->capget(target, effective, inheritable, permitted);
1818 }
1819
1820 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1821 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1822 {
1823 int error;
1824
1825 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1826 if (error)
1827 return error;
1828
1829 return task_has_perm(current, target, PROCESS__SETCAP);
1830 }
1831
1832 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1833 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1834 {
1835 secondary_ops->capset_set(target, effective, inheritable, permitted);
1836 }
1837
1838 static int selinux_capable(struct task_struct *tsk, int cap)
1839 {
1840 int rc;
1841
1842 rc = secondary_ops->capable(tsk, cap);
1843 if (rc)
1844 return rc;
1845
1846 return task_has_capability(tsk,cap);
1847 }
1848
1849 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1850 {
1851 int buflen, rc;
1852 char *buffer, *path, *end;
1853
1854 rc = -ENOMEM;
1855 buffer = (char*)__get_free_page(GFP_KERNEL);
1856 if (!buffer)
1857 goto out;
1858
1859 buflen = PAGE_SIZE;
1860 end = buffer+buflen;
1861 *--end = '\0';
1862 buflen--;
1863 path = end-1;
1864 *path = '/';
1865 while (table) {
1866 const char *name = table->procname;
1867 size_t namelen = strlen(name);
1868 buflen -= namelen + 1;
1869 if (buflen < 0)
1870 goto out_free;
1871 end -= namelen;
1872 memcpy(end, name, namelen);
1873 *--end = '/';
1874 path = end;
1875 table = table->parent;
1876 }
1877 buflen -= 4;
1878 if (buflen < 0)
1879 goto out_free;
1880 end -= 4;
1881 memcpy(end, "/sys", 4);
1882 path = end;
1883 rc = security_genfs_sid("proc", path, tclass, sid);
1884 out_free:
1885 free_page((unsigned long)buffer);
1886 out:
1887 return rc;
1888 }
1889
1890 static int selinux_sysctl(ctl_table *table, int op)
1891 {
1892 int error = 0;
1893 u32 av;
1894 struct task_security_struct *tsec;
1895 u32 tsid;
1896 int rc;
1897
1898 rc = secondary_ops->sysctl(table, op);
1899 if (rc)
1900 return rc;
1901
1902 tsec = current->security;
1903
1904 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1905 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1906 if (rc) {
1907 /* Default to the well-defined sysctl SID. */
1908 tsid = SECINITSID_SYSCTL;
1909 }
1910
1911 /* The op values are "defined" in sysctl.c, thereby creating
1912 * a bad coupling between this module and sysctl.c */
1913 if(op == 001) {
1914 error = avc_has_perm(tsec->sid, tsid,
1915 SECCLASS_DIR, DIR__SEARCH, NULL);
1916 } else {
1917 av = 0;
1918 if (op & 004)
1919 av |= FILE__READ;
1920 if (op & 002)
1921 av |= FILE__WRITE;
1922 if (av)
1923 error = avc_has_perm(tsec->sid, tsid,
1924 SECCLASS_FILE, av, NULL);
1925 }
1926
1927 return error;
1928 }
1929
1930 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1931 {
1932 int rc = 0;
1933
1934 if (!sb)
1935 return 0;
1936
1937 switch (cmds) {
1938 case Q_SYNC:
1939 case Q_QUOTAON:
1940 case Q_QUOTAOFF:
1941 case Q_SETINFO:
1942 case Q_SETQUOTA:
1943 rc = superblock_has_perm(current,
1944 sb,
1945 FILESYSTEM__QUOTAMOD, NULL);
1946 break;
1947 case Q_GETFMT:
1948 case Q_GETINFO:
1949 case Q_GETQUOTA:
1950 rc = superblock_has_perm(current,
1951 sb,
1952 FILESYSTEM__QUOTAGET, NULL);
1953 break;
1954 default:
1955 rc = 0; /* let the kernel handle invalid cmds */
1956 break;
1957 }
1958 return rc;
1959 }
1960
1961 static int selinux_quota_on(struct dentry *dentry)
1962 {
1963 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1964 }
1965
1966 static int selinux_syslog(int type)
1967 {
1968 int rc;
1969
1970 rc = secondary_ops->syslog(type);
1971 if (rc)
1972 return rc;
1973
1974 switch (type) {
1975 case 3: /* Read last kernel messages */
1976 case 10: /* Return size of the log buffer */
1977 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1978 break;
1979 case 6: /* Disable logging to console */
1980 case 7: /* Enable logging to console */
1981 case 8: /* Set level of messages printed to console */
1982 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1983 break;
1984 case 0: /* Close log */
1985 case 1: /* Open log */
1986 case 2: /* Read from log */
1987 case 4: /* Read/clear last kernel messages */
1988 case 5: /* Clear ring buffer */
1989 default:
1990 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1991 break;
1992 }
1993 return rc;
1994 }
1995
1996 /*
1997 * Check that a process has enough memory to allocate a new virtual
1998 * mapping. 0 means there is enough memory for the allocation to
1999 * succeed and -ENOMEM implies there is not.
2000 *
2001 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2002 * if the capability is granted, but __vm_enough_memory requires 1 if
2003 * the capability is granted.
2004 *
2005 * Do not audit the selinux permission check, as this is applied to all
2006 * processes that allocate mappings.
2007 */
2008 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2009 {
2010 int rc, cap_sys_admin = 0;
2011 struct task_security_struct *tsec = current->security;
2012
2013 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
2014 if (rc == 0)
2015 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2016 SECCLASS_CAPABILITY,
2017 CAP_TO_MASK(CAP_SYS_ADMIN),
2018 0,
2019 NULL);
2020
2021 if (rc == 0)
2022 cap_sys_admin = 1;
2023
2024 return __vm_enough_memory(mm, pages, cap_sys_admin);
2025 }
2026
2027 /* binprm security operations */
2028
2029 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
2030 {
2031 struct bprm_security_struct *bsec;
2032
2033 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
2034 if (!bsec)
2035 return -ENOMEM;
2036
2037 bsec->bprm = bprm;
2038 bsec->sid = SECINITSID_UNLABELED;
2039 bsec->set = 0;
2040
2041 bprm->security = bsec;
2042 return 0;
2043 }
2044
2045 static int selinux_bprm_set_security(struct linux_binprm *bprm)
2046 {
2047 struct task_security_struct *tsec;
2048 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2049 struct inode_security_struct *isec;
2050 struct bprm_security_struct *bsec;
2051 u32 newsid;
2052 struct avc_audit_data ad;
2053 int rc;
2054
2055 rc = secondary_ops->bprm_set_security(bprm);
2056 if (rc)
2057 return rc;
2058
2059 bsec = bprm->security;
2060
2061 if (bsec->set)
2062 return 0;
2063
2064 tsec = current->security;
2065 isec = inode->i_security;
2066
2067 /* Default to the current task SID. */
2068 bsec->sid = tsec->sid;
2069
2070 /* Reset fs, key, and sock SIDs on execve. */
2071 tsec->create_sid = 0;
2072 tsec->keycreate_sid = 0;
2073 tsec->sockcreate_sid = 0;
2074
2075 if (tsec->exec_sid) {
2076 newsid = tsec->exec_sid;
2077 /* Reset exec SID on execve. */
2078 tsec->exec_sid = 0;
2079 } else {
2080 /* Check for a default transition on this program. */
2081 rc = security_transition_sid(tsec->sid, isec->sid,
2082 SECCLASS_PROCESS, &newsid);
2083 if (rc)
2084 return rc;
2085 }
2086
2087 AVC_AUDIT_DATA_INIT(&ad, FS);
2088 ad.u.fs.path = bprm->file->f_path;
2089
2090 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2091 newsid = tsec->sid;
2092
2093 if (tsec->sid == newsid) {
2094 rc = avc_has_perm(tsec->sid, isec->sid,
2095 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2096 if (rc)
2097 return rc;
2098 } else {
2099 /* Check permissions for the transition. */
2100 rc = avc_has_perm(tsec->sid, newsid,
2101 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2102 if (rc)
2103 return rc;
2104
2105 rc = avc_has_perm(newsid, isec->sid,
2106 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2107 if (rc)
2108 return rc;
2109
2110 /* Clear any possibly unsafe personality bits on exec: */
2111 current->personality &= ~PER_CLEAR_ON_SETID;
2112
2113 /* Set the security field to the new SID. */
2114 bsec->sid = newsid;
2115 }
2116
2117 bsec->set = 1;
2118 return 0;
2119 }
2120
2121 static int selinux_bprm_check_security (struct linux_binprm *bprm)
2122 {
2123 return secondary_ops->bprm_check_security(bprm);
2124 }
2125
2126
2127 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2128 {
2129 struct task_security_struct *tsec = current->security;
2130 int atsecure = 0;
2131
2132 if (tsec->osid != tsec->sid) {
2133 /* Enable secure mode for SIDs transitions unless
2134 the noatsecure permission is granted between
2135 the two SIDs, i.e. ahp returns 0. */
2136 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2137 SECCLASS_PROCESS,
2138 PROCESS__NOATSECURE, NULL);
2139 }
2140
2141 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2142 }
2143
2144 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2145 {
2146 kfree(bprm->security);
2147 bprm->security = NULL;
2148 }
2149
2150 extern struct vfsmount *selinuxfs_mount;
2151 extern struct dentry *selinux_null;
2152
2153 /* Derived from fs/exec.c:flush_old_files. */
2154 static inline void flush_unauthorized_files(struct files_struct * files)
2155 {
2156 struct avc_audit_data ad;
2157 struct file *file, *devnull = NULL;
2158 struct tty_struct *tty;
2159 struct fdtable *fdt;
2160 long j = -1;
2161 int drop_tty = 0;
2162
2163 mutex_lock(&tty_mutex);
2164 tty = get_current_tty();
2165 if (tty) {
2166 file_list_lock();
2167 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2168 if (file) {
2169 /* Revalidate access to controlling tty.
2170 Use inode_has_perm on the tty inode directly rather
2171 than using file_has_perm, as this particular open
2172 file may belong to another process and we are only
2173 interested in the inode-based check here. */
2174 struct inode *inode = file->f_path.dentry->d_inode;
2175 if (inode_has_perm(current, inode,
2176 FILE__READ | FILE__WRITE, NULL)) {
2177 drop_tty = 1;
2178 }
2179 }
2180 file_list_unlock();
2181 }
2182 mutex_unlock(&tty_mutex);
2183 /* Reset controlling tty. */
2184 if (drop_tty)
2185 no_tty();
2186
2187 /* Revalidate access to inherited open files. */
2188
2189 AVC_AUDIT_DATA_INIT(&ad,FS);
2190
2191 spin_lock(&files->file_lock);
2192 for (;;) {
2193 unsigned long set, i;
2194 int fd;
2195
2196 j++;
2197 i = j * __NFDBITS;
2198 fdt = files_fdtable(files);
2199 if (i >= fdt->max_fds)
2200 break;
2201 set = fdt->open_fds->fds_bits[j];
2202 if (!set)
2203 continue;
2204 spin_unlock(&files->file_lock);
2205 for ( ; set ; i++,set >>= 1) {
2206 if (set & 1) {
2207 file = fget(i);
2208 if (!file)
2209 continue;
2210 if (file_has_perm(current,
2211 file,
2212 file_to_av(file))) {
2213 sys_close(i);
2214 fd = get_unused_fd();
2215 if (fd != i) {
2216 if (fd >= 0)
2217 put_unused_fd(fd);
2218 fput(file);
2219 continue;
2220 }
2221 if (devnull) {
2222 get_file(devnull);
2223 } else {
2224 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2225 if (IS_ERR(devnull)) {
2226 devnull = NULL;
2227 put_unused_fd(fd);
2228 fput(file);
2229 continue;
2230 }
2231 }
2232 fd_install(fd, devnull);
2233 }
2234 fput(file);
2235 }
2236 }
2237 spin_lock(&files->file_lock);
2238
2239 }
2240 spin_unlock(&files->file_lock);
2241 }
2242
2243 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2244 {
2245 struct task_security_struct *tsec;
2246 struct bprm_security_struct *bsec;
2247 u32 sid;
2248 int rc;
2249
2250 secondary_ops->bprm_apply_creds(bprm, unsafe);
2251
2252 tsec = current->security;
2253
2254 bsec = bprm->security;
2255 sid = bsec->sid;
2256
2257 tsec->osid = tsec->sid;
2258 bsec->unsafe = 0;
2259 if (tsec->sid != sid) {
2260 /* Check for shared state. If not ok, leave SID
2261 unchanged and kill. */
2262 if (unsafe & LSM_UNSAFE_SHARE) {
2263 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2264 PROCESS__SHARE, NULL);
2265 if (rc) {
2266 bsec->unsafe = 1;
2267 return;
2268 }
2269 }
2270
2271 /* Check for ptracing, and update the task SID if ok.
2272 Otherwise, leave SID unchanged and kill. */
2273 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2274 rc = avc_has_perm(tsec->ptrace_sid, sid,
2275 SECCLASS_PROCESS, PROCESS__PTRACE,
2276 NULL);
2277 if (rc) {
2278 bsec->unsafe = 1;
2279 return;
2280 }
2281 }
2282 tsec->sid = sid;
2283 }
2284 }
2285
2286 /*
2287 * called after apply_creds without the task lock held
2288 */
2289 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2290 {
2291 struct task_security_struct *tsec;
2292 struct rlimit *rlim, *initrlim;
2293 struct itimerval itimer;
2294 struct bprm_security_struct *bsec;
2295 int rc, i;
2296
2297 tsec = current->security;
2298 bsec = bprm->security;
2299
2300 if (bsec->unsafe) {
2301 force_sig_specific(SIGKILL, current);
2302 return;
2303 }
2304 if (tsec->osid == tsec->sid)
2305 return;
2306
2307 /* Close files for which the new task SID is not authorized. */
2308 flush_unauthorized_files(current->files);
2309
2310 /* Check whether the new SID can inherit signal state
2311 from the old SID. If not, clear itimers to avoid
2312 subsequent signal generation and flush and unblock
2313 signals. This must occur _after_ the task SID has
2314 been updated so that any kill done after the flush
2315 will be checked against the new SID. */
2316 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2317 PROCESS__SIGINH, NULL);
2318 if (rc) {
2319 memset(&itimer, 0, sizeof itimer);
2320 for (i = 0; i < 3; i++)
2321 do_setitimer(i, &itimer, NULL);
2322 flush_signals(current);
2323 spin_lock_irq(&current->sighand->siglock);
2324 flush_signal_handlers(current, 1);
2325 sigemptyset(&current->blocked);
2326 recalc_sigpending();
2327 spin_unlock_irq(&current->sighand->siglock);
2328 }
2329
2330 /* Always clear parent death signal on SID transitions. */
2331 current->pdeath_signal = 0;
2332
2333 /* Check whether the new SID can inherit resource limits
2334 from the old SID. If not, reset all soft limits to
2335 the lower of the current task's hard limit and the init
2336 task's soft limit. Note that the setting of hard limits
2337 (even to lower them) can be controlled by the setrlimit
2338 check. The inclusion of the init task's soft limit into
2339 the computation is to avoid resetting soft limits higher
2340 than the default soft limit for cases where the default
2341 is lower than the hard limit, e.g. RLIMIT_CORE or
2342 RLIMIT_STACK.*/
2343 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2344 PROCESS__RLIMITINH, NULL);
2345 if (rc) {
2346 for (i = 0; i < RLIM_NLIMITS; i++) {
2347 rlim = current->signal->rlim + i;
2348 initrlim = init_task.signal->rlim+i;
2349 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2350 }
2351 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2352 /*
2353 * This will cause RLIMIT_CPU calculations
2354 * to be refigured.
2355 */
2356 current->it_prof_expires = jiffies_to_cputime(1);
2357 }
2358 }
2359
2360 /* Wake up the parent if it is waiting so that it can
2361 recheck wait permission to the new task SID. */
2362 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2363 }
2364
2365 /* superblock security operations */
2366
2367 static int selinux_sb_alloc_security(struct super_block *sb)
2368 {
2369 return superblock_alloc_security(sb);
2370 }
2371
2372 static void selinux_sb_free_security(struct super_block *sb)
2373 {
2374 superblock_free_security(sb);
2375 }
2376
2377 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2378 {
2379 if (plen > olen)
2380 return 0;
2381
2382 return !memcmp(prefix, option, plen);
2383 }
2384
2385 static inline int selinux_option(char *option, int len)
2386 {
2387 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2388 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2389 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2390 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2391 }
2392
2393 static inline void take_option(char **to, char *from, int *first, int len)
2394 {
2395 if (!*first) {
2396 **to = ',';
2397 *to += 1;
2398 } else
2399 *first = 0;
2400 memcpy(*to, from, len);
2401 *to += len;
2402 }
2403
2404 static inline void take_selinux_option(char **to, char *from, int *first,
2405 int len)
2406 {
2407 int current_size = 0;
2408
2409 if (!*first) {
2410 **to = '|';
2411 *to += 1;
2412 }
2413 else
2414 *first = 0;
2415
2416 while (current_size < len) {
2417 if (*from != '"') {
2418 **to = *from;
2419 *to += 1;
2420 }
2421 from += 1;
2422 current_size += 1;
2423 }
2424 }
2425
2426 <<<<<<< HEAD:security/selinux/hooks.c
2427 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2428 =======
2429 static int selinux_sb_copy_data(char *orig, char *copy)
2430 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
2431 {
2432 int fnosec, fsec, rc = 0;
2433 char *in_save, *in_curr, *in_end;
2434 char *sec_curr, *nosec_save, *nosec;
2435 int open_quote = 0;
2436
2437 in_curr = orig;
2438 sec_curr = copy;
2439
2440 <<<<<<< HEAD:security/selinux/hooks.c
2441 /* Binary mount data: just copy */
2442 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2443 copy_page(sec_curr, in_curr);
2444 goto out;
2445 }
2446
2447 =======
2448 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
2449 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2450 if (!nosec) {
2451 rc = -ENOMEM;
2452 goto out;
2453 }
2454
2455 nosec_save = nosec;
2456 fnosec = fsec = 1;
2457 in_save = in_end = orig;
2458
2459 do {
2460 if (*in_end == '"')
2461 open_quote = !open_quote;
2462 if ((*in_end == ',' && open_quote == 0) ||
2463 *in_end == '\0') {
2464 int len = in_end - in_curr;
2465
2466 if (selinux_option(in_curr, len))
2467 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2468 else
2469 take_option(&nosec, in_curr, &fnosec, len);
2470
2471 in_curr = in_end + 1;
2472 }
2473 } while (*in_end++);
2474
2475 strcpy(in_save, nosec_save);
2476 free_page((unsigned long)nosec_save);
2477 out:
2478 return rc;
2479 }
2480
2481 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2482 {
2483 struct avc_audit_data ad;
2484 int rc;
2485
2486 rc = superblock_doinit(sb, data);
2487 if (rc)
2488 return rc;
2489
2490 AVC_AUDIT_DATA_INIT(&ad,FS);
2491 ad.u.fs.path.dentry = sb->s_root;
2492 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2493 }
2494
2495 static int selinux_sb_statfs(struct dentry *dentry)
2496 {
2497 struct avc_audit_data ad;
2498
2499 AVC_AUDIT_DATA_INIT(&ad,FS);
2500 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2501 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2502 }
2503
2504 static int selinux_mount(char * dev_name,
2505 struct nameidata *nd,
2506 char * type,
2507 unsigned long flags,
2508 void * data)
2509 {
2510 int rc;
2511
2512 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2513 if (rc)
2514 return rc;
2515
2516 if (flags & MS_REMOUNT)
2517 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2518 FILESYSTEM__REMOUNT, NULL);
2519 else
2520 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2521 FILE__MOUNTON);
2522 }
2523
2524 static int selinux_umount(struct vfsmount *mnt, int flags)
2525 {
2526 int rc;
2527
2528 rc = secondary_ops->sb_umount(mnt, flags);
2529 if (rc)
2530 return rc;
2531
2532 return superblock_has_perm(current,mnt->mnt_sb,
2533 FILESYSTEM__UNMOUNT,NULL);
2534 }
2535
2536 /* inode security operations */
2537
2538 static int selinux_inode_alloc_security(struct inode *inode)
2539 {
2540 return inode_alloc_security(inode);
2541 }
2542
2543 static void selinux_inode_free_security(struct inode *inode)
2544 {
2545 inode_free_security(inode);
2546 }
2547
2548 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2549 char **name, void **value,
2550 size_t *len)
2551 {
2552 struct task_security_struct *tsec;
2553 struct inode_security_struct *dsec;
2554 struct superblock_security_struct *sbsec;
2555 u32 newsid, clen;
2556 int rc;
2557 char *namep = NULL, *context;
2558
2559 tsec = current->security;
2560 dsec = dir->i_security;
2561 sbsec = dir->i_sb->s_security;
2562
2563 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2564 newsid = tsec->create_sid;
2565 } else {
2566 rc = security_transition_sid(tsec->sid, dsec->sid,
2567 inode_mode_to_security_class(inode->i_mode),
2568 &newsid);
2569 if (rc) {
2570 printk(KERN_WARNING "%s: "
2571 "security_transition_sid failed, rc=%d (dev=%s "
2572 "ino=%ld)\n",
2573 __FUNCTION__,
2574 -rc, inode->i_sb->s_id, inode->i_ino);
2575 return rc;
2576 }
2577 }
2578
2579 /* Possibly defer initialization to selinux_complete_init. */
2580 if (sbsec->initialized) {
2581 struct inode_security_struct *isec = inode->i_security;
2582 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2583 isec->sid = newsid;
2584 isec->initialized = 1;
2585 }
2586
2587 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2588 return -EOPNOTSUPP;
2589
2590 if (name) {
2591 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2592 if (!namep)
2593 return -ENOMEM;
2594 *name = namep;
2595 }
2596
2597 if (value && len) {
2598 rc = security_sid_to_context(newsid, &context, &clen);
2599 if (rc) {
2600 kfree(namep);
2601 return rc;
2602 }
2603 *value = context;
2604 *len = clen;
2605 }
2606
2607 return 0;
2608 }
2609
2610 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2611 {
2612 return may_create(dir, dentry, SECCLASS_FILE);
2613 }
2614
2615 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2616 {
2617 int rc;
2618
2619 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2620 if (rc)
2621 return rc;
2622 return may_link(dir, old_dentry, MAY_LINK);
2623 }
2624
2625 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2626 {
2627 int rc;
2628
2629 rc = secondary_ops->inode_unlink(dir, dentry);
2630 if (rc)
2631 return rc;
2632 return may_link(dir, dentry, MAY_UNLINK);
2633 }
2634
2635 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2636 {
2637 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2638 }
2639
2640 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2641 {
2642 return may_create(dir, dentry, SECCLASS_DIR);
2643 }
2644
2645 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2646 {
2647 return may_link(dir, dentry, MAY_RMDIR);
2648 }
2649
2650 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2651 {
2652 int rc;
2653
2654 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2655 if (rc)
2656 return rc;
2657
2658 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2659 }
2660
2661 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2662 struct inode *new_inode, struct dentry *new_dentry)
2663 {
2664 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2665 }
2666
2667 static int selinux_inode_readlink(struct dentry *dentry)
2668 {
2669 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2670 }
2671
2672 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2673 {
2674 int rc;
2675
2676 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2677 if (rc)
2678 return rc;
2679 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2680 }
2681
2682 static int selinux_inode_permission(struct inode *inode, int mask,
2683 struct nameidata *nd)
2684 {
2685 int rc;
2686
2687 rc = secondary_ops->inode_permission(inode, mask, nd);
2688 if (rc)
2689 return rc;
2690
2691 if (!mask) {
2692 /* No permission to check. Existence test. */
2693 return 0;
2694 }
2695
2696 return inode_has_perm(current, inode,
2697 file_mask_to_av(inode->i_mode, mask), NULL);
2698 }
2699
2700 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2701 {
2702 int rc;
2703
2704 rc = secondary_ops->inode_setattr(dentry, iattr);
2705 if (rc)
2706 return rc;
2707
2708 if (iattr->ia_valid & ATTR_FORCE)
2709 return 0;
2710
2711 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2712 ATTR_ATIME_SET | ATTR_MTIME_SET))
2713 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2714
2715 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2716 }
2717
2718 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2719 {
2720 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2721 }
2722
2723 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2724 {
2725 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2726 sizeof XATTR_SECURITY_PREFIX - 1)) {
2727 if (!strcmp(name, XATTR_NAME_CAPS)) {
2728 if (!capable(CAP_SETFCAP))
2729 return -EPERM;
2730 } else if (!capable(CAP_SYS_ADMIN)) {
2731 /* A different attribute in the security namespace.
2732 Restrict to administrator. */
2733 return -EPERM;
2734 }
2735 }
2736
2737 /* Not an attribute we recognize, so just check the
2738 ordinary setattr permission. */
2739 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2740 }
2741
2742 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2743 {
2744 struct task_security_struct *tsec = current->security;
2745 struct inode *inode = dentry->d_inode;
2746 struct inode_security_struct *isec = inode->i_security;
2747 struct superblock_security_struct *sbsec;
2748 struct avc_audit_data ad;
2749 u32 newsid;
2750 int rc = 0;
2751
2752 if (strcmp(name, XATTR_NAME_SELINUX))
2753 return selinux_inode_setotherxattr(dentry, name);
2754
2755 sbsec = inode->i_sb->s_security;
2756 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2757 return -EOPNOTSUPP;
2758
2759 if (!is_owner_or_cap(inode))
2760 return -EPERM;
2761
2762 AVC_AUDIT_DATA_INIT(&ad,FS);
2763 ad.u.fs.path.dentry = dentry;
2764
2765 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2766 FILE__RELABELFROM, &ad);
2767 if (rc)
2768 return rc;
2769
2770 rc = security_context_to_sid(value, size, &newsid);
2771 if (rc)
2772 return rc;
2773
2774 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2775 FILE__RELABELTO, &ad);
2776 if (rc)
2777 return rc;
2778
2779 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2780 isec->sclass);
2781 if (rc)
2782 return rc;
2783
2784 return avc_has_perm(newsid,
2785 sbsec->sid,
2786 SECCLASS_FILESYSTEM,
2787 FILESYSTEM__ASSOCIATE,
2788 &ad);
2789 }
2790
2791 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2792 void *value, size_t size, int flags)
2793 {
2794 struct inode *inode = dentry->d_inode;
2795 struct inode_security_struct *isec = inode->i_security;
2796 u32 newsid;
2797 int rc;
2798
2799 if (strcmp(name, XATTR_NAME_SELINUX)) {
2800 /* Not an attribute we recognize, so nothing to do. */
2801 return;
2802 }
2803
2804 rc = security_context_to_sid(value, size, &newsid);
2805 if (rc) {
2806 printk(KERN_WARNING "%s: unable to obtain SID for context "
2807 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2808 return;
2809 }
2810
2811 isec->sid = newsid;
2812 return;
2813 }
2814
2815 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2816 {
2817 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2818 }
2819
2820 static int selinux_inode_listxattr (struct dentry *dentry)
2821 {
2822 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2823 }
2824
2825 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2826 {
2827 if (strcmp(name, XATTR_NAME_SELINUX))
2828 return selinux_inode_setotherxattr(dentry, name);
2829
2830 /* No one is allowed to remove a SELinux security label.
2831 You can change the label, but all data must be labeled. */
2832 return -EACCES;
2833 }
2834
2835 /*
2836 * Copy the in-core inode security context value to the user. If the
2837 * getxattr() prior to this succeeded, check to see if we need to
2838 * canonicalize the value to be finally returned to the user.
2839 *
2840 * Permission check is handled by selinux_inode_getxattr hook.
2841 */
2842 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2843 {
2844 u32 size;
2845 int error;
2846 char *context = NULL;
2847 struct inode_security_struct *isec = inode->i_security;
2848
2849 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2850 return -EOPNOTSUPP;
2851
2852 error = security_sid_to_context(isec->sid, &context, &size);
2853 if (error)
2854 return error;
2855 error = size;
2856 if (alloc) {
2857 *buffer = context;
2858 goto out_nofree;
2859 }
2860 kfree(context);
2861 out_nofree:
2862 return error;
2863 }
2864
2865 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2866 const void *value, size_t size, int flags)
2867 {
2868 struct inode_security_struct *isec = inode->i_security;
2869 u32 newsid;
2870 int rc;
2871
2872 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2873 return -EOPNOTSUPP;
2874
2875 if (!value || !size)
2876 return -EACCES;
2877
2878 rc = security_context_to_sid((void*)value, size, &newsid);
2879 if (rc)
2880 return rc;
2881
2882 isec->sid = newsid;
2883 return 0;
2884 }
2885
2886 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2887 {
2888 const int len = sizeof(XATTR_NAME_SELINUX);
2889 if (buffer && len <= buffer_size)
2890 memcpy(buffer, XATTR_NAME_SELINUX, len);
2891 return len;
2892 }
2893
2894 static int selinux_inode_need_killpriv(struct dentry *dentry)
2895 {
2896 return secondary_ops->inode_need_killpriv(dentry);
2897 }
2898
2899 static int selinux_inode_killpriv(struct dentry *dentry)
2900 {
2901 return secondary_ops->inode_killpriv(dentry);
2902 }
2903
2904 /* file security operations */
2905
2906 static int selinux_revalidate_file_permission(struct file *file, int mask)
2907 {
2908 int rc;
2909 struct inode *inode = file->f_path.dentry->d_inode;
2910
2911 if (!mask) {
2912 /* No permission to check. Existence test. */
2913 return 0;
2914 }
2915
2916 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2917 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2918 mask |= MAY_APPEND;
2919
2920 rc = file_has_perm(current, file,
2921 file_mask_to_av(inode->i_mode, mask));
2922 if (rc)
2923 return rc;
2924
2925 return selinux_netlbl_inode_permission(inode, mask);
2926 }
2927
2928 static int selinux_file_permission(struct file *file, int mask)
2929 {
2930 struct inode *inode = file->f_path.dentry->d_inode;
2931 struct task_security_struct *tsec = current->security;
2932 struct file_security_struct *fsec = file->f_security;
2933 struct inode_security_struct *isec = inode->i_security;
2934
2935 if (!mask) {
2936 /* No permission to check. Existence test. */
2937 return 0;
2938 }
2939
2940 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2941 && fsec->pseqno == avc_policy_seqno())
2942 return selinux_netlbl_inode_permission(inode, mask);
2943
2944 return selinux_revalidate_file_permission(file, mask);
2945 }
2946
2947 static int selinux_file_alloc_security(struct file *file)
2948 {
2949 return file_alloc_security(file);
2950 }
2951
2952 static void selinux_file_free_security(struct file *file)
2953 {
2954 file_free_security(file);
2955 }
2956
2957 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2958 unsigned long arg)
2959 {
2960 int error = 0;
2961
2962 switch (cmd) {
2963 case FIONREAD:
2964 /* fall through */
2965 case FIBMAP:
2966 /* fall through */
2967 case FIGETBSZ:
2968 /* fall through */
2969 case EXT2_IOC_GETFLAGS:
2970 /* fall through */
2971 case EXT2_IOC_GETVERSION:
2972 error = file_has_perm(current, file, FILE__GETATTR);
2973 break;
2974
2975 case EXT2_IOC_SETFLAGS:
2976 /* fall through */
2977 case EXT2_IOC_SETVERSION:
2978 error = file_has_perm(current, file, FILE__SETATTR);
2979 break;
2980
2981 /* sys_ioctl() checks */
2982 case FIONBIO:
2983 /* fall through */
2984 case FIOASYNC:
2985 error = file_has_perm(current, file, 0);
2986 break;
2987
2988 case KDSKBENT:
2989 case KDSKBSENT:
2990 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2991 break;
2992
2993 /* default case assumes that the command will go
2994 * to the file's ioctl() function.
2995 */
2996 default:
2997 error = file_has_perm(current, file, FILE__IOCTL);
2998
2999 }
3000 return error;
3001 }
3002
3003 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3004 {
3005 #ifndef CONFIG_PPC32
3006 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3007 /*
3008 * We are making executable an anonymous mapping or a
3009 * private file mapping that will also be writable.
3010 * This has an additional check.
3011 */
3012 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
3013 if (rc)
3014 return rc;
3015 }
3016 #endif
3017
3018 if (file) {
3019 /* read access is always possible with a mapping */
3020 u32 av = FILE__READ;
3021
3022 /* write access only matters if the mapping is shared */
3023 if (shared && (prot & PROT_WRITE))
3024 av |= FILE__WRITE;
3025
3026 if (prot & PROT_EXEC)
3027 av |= FILE__EXECUTE;
3028
3029 return file_has_perm(current, file, av);
3030 }
3031 return 0;
3032 }
3033
3034 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3035 unsigned long prot, unsigned long flags,
3036 unsigned long addr, unsigned long addr_only)
3037 {
3038 int rc = 0;
3039 u32 sid = ((struct task_security_struct*)(current->security))->sid;
3040
3041 if (addr < mmap_min_addr)
3042 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3043 MEMPROTECT__MMAP_ZERO, NULL);
3044 if (rc || addr_only)
3045 return rc;
3046
3047 if (selinux_checkreqprot)
3048 prot = reqprot;
3049
3050 return file_map_prot_check(file, prot,
3051 (flags & MAP_TYPE) == MAP_SHARED);
3052 }
3053
3054 static int selinux_file_mprotect(struct vm_area_struct *vma,
3055 unsigned long reqprot,
3056 unsigned long prot)
3057 {
3058 int rc;
3059
3060 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3061 if (rc)
3062 return rc;
3063
3064 if (selinux_checkreqprot)
3065 prot = reqprot;
3066
3067 #ifndef CONFIG_PPC32
3068 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3069 rc = 0;
3070 if (vma->vm_start >= vma->vm_mm->start_brk &&
3071 vma->vm_end <= vma->vm_mm->brk) {
3072 rc = task_has_perm(current, current,
3073 PROCESS__EXECHEAP);
3074 } else if (!vma->vm_file &&
3075 vma->vm_start <= vma->vm_mm->start_stack &&
3076 vma->vm_end >= vma->vm_mm->start_stack) {
3077 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3078 } else if (vma->vm_file && vma->anon_vma) {
3079 /*
3080 * We are making executable a file mapping that has
3081 * had some COW done. Since pages might have been
3082 * written, check ability to execute the possibly
3083 * modified content. This typically should only
3084 * occur for text relocations.
3085 */
3086 rc = file_has_perm(current, vma->vm_file,
3087 FILE__EXECMOD);
3088 }
3089 if (rc)
3090 return rc;
3091 }
3092 #endif
3093
3094 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3095 }
3096
3097 static int selinux_file_lock(struct file *file, unsigned int cmd)
3098 {
3099 return file_has_perm(current, file, FILE__LOCK);
3100 }
3101
3102 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3103 unsigned long arg)
3104 {
3105 int err = 0;
3106
3107 switch (cmd) {
3108 case F_SETFL:
3109 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3110 err = -EINVAL;
3111 break;
3112 }
3113
3114 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3115 err = file_has_perm(current, file,FILE__WRITE);
3116 break;
3117 }
3118 /* fall through */
3119 case F_SETOWN:
3120 case F_SETSIG:
3121 case F_GETFL:
3122 case F_GETOWN:
3123 case F_GETSIG:
3124 /* Just check FD__USE permission */
3125 err = file_has_perm(current, file, 0);
3126 break;
3127 case F_GETLK:
3128 case F_SETLK:
3129 case F_SETLKW:
3130 #if BITS_PER_LONG == 32
3131 case F_GETLK64:
3132 case F_SETLK64:
3133 case F_SETLKW64:
3134 #endif
3135 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3136 err = -EINVAL;
3137 break;
3138 }
3139 err = file_has_perm(current, file, FILE__LOCK);
3140 break;
3141 }
3142
3143 return err;
3144 }
3145
3146 static int selinux_file_set_fowner(struct file *file)
3147 {
3148 struct task_security_struct *tsec;
3149 struct file_security_struct *fsec;
3150
3151 tsec = current->security;
3152 fsec = file->f_security;
3153 fsec->fown_sid = tsec->sid;
3154
3155 return 0;
3156 }
3157
3158 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3159 struct fown_struct *fown, int signum)
3160 {
3161 struct file *file;
3162 u32 perm;
3163 struct task_security_struct *tsec;
3164 struct file_security_struct *fsec;
3165
3166 /* struct fown_struct is never outside the context of a struct file */
3167 file = container_of(fown, struct file, f_owner);
3168
3169 tsec = tsk->security;
3170 fsec = file->f_security;
3171
3172 if (!signum)
3173 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3174 else
3175 perm = signal_to_av(signum);
3176
3177 return avc_has_perm(fsec->fown_sid, tsec->sid,
3178 SECCLASS_PROCESS, perm, NULL);
3179 }
3180
3181 static int selinux_file_receive(struct file *file)
3182 {
3183 return file_has_perm(current, file, file_to_av(file));
3184 }
3185
3186 static int selinux_dentry_open(struct file *file)
3187 {
3188 struct file_security_struct *fsec;
3189 struct inode *inode;
3190 struct inode_security_struct *isec;
3191 inode = file->f_path.dentry->d_inode;
3192 fsec = file->f_security;
3193 isec = inode->i_security;
3194 /*
3195 * Save inode label and policy sequence number
3196 * at open-time so that selinux_file_permission
3197 * can determine whether revalidation is necessary.
3198 * Task label is already saved in the file security
3199 * struct as its SID.
3200 */
3201 fsec->isid = isec->sid;
3202 fsec->pseqno = avc_policy_seqno();
3203 /*
3204 * Since the inode label or policy seqno may have changed
3205 * between the selinux_inode_permission check and the saving
3206 * of state above, recheck that access is still permitted.
3207 * Otherwise, access might never be revalidated against the
3208 * new inode label or new policy.
3209 * This check is not redundant - do not remove.
3210 */
3211 return inode_has_perm(current, inode, file_to_av(file), NULL);
3212 }
3213
3214 /* task security operations */
3215
3216 static int selinux_task_create(unsigned long clone_flags)
3217 {
3218 int rc;
3219
3220 rc = secondary_ops->task_create(clone_flags);
3221 if (rc)
3222 return rc;
3223
3224 return task_has_perm(current, current, PROCESS__FORK);
3225 }
3226
3227 static int selinux_task_alloc_security(struct task_struct *tsk)
3228 {
3229 struct task_security_struct *tsec1, *tsec2;
3230 int rc;
3231
3232 tsec1 = current->security;
3233
3234 rc = task_alloc_security(tsk);
3235 if (rc)
3236 return rc;
3237 tsec2 = tsk->security;
3238
3239 tsec2->osid = tsec1->osid;
3240 tsec2->sid = tsec1->sid;
3241
3242 /* Retain the exec, fs, key, and sock SIDs across fork */
3243 tsec2->exec_sid = tsec1->exec_sid;
3244 tsec2->create_sid = tsec1->create_sid;
3245 tsec2->keycreate_sid = tsec1->keycreate_sid;
3246 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3247
3248 /* Retain ptracer SID across fork, if any.
3249 This will be reset by the ptrace hook upon any
3250 subsequent ptrace_attach operations. */
3251 tsec2->ptrace_sid = tsec1->ptrace_sid;
3252
3253 return 0;
3254 }
3255
3256 static void selinux_task_free_security(struct task_struct *tsk)
3257 {
3258 task_free_security(tsk);
3259 }
3260
3261 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3262 {
3263 /* Since setuid only affects the current process, and
3264 since the SELinux controls are not based on the Linux
3265 identity attributes, SELinux does not need to control
3266 this operation. However, SELinux does control the use
3267 of the CAP_SETUID and CAP_SETGID capabilities using the
3268 capable hook. */
3269 return 0;
3270 }
3271
3272 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3273 {
3274 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3275 }
3276
3277 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3278 {
3279 /* See the comment for setuid above. */
3280 return 0;
3281 }
3282
3283 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3284 {
3285 return task_has_perm(current, p, PROCESS__SETPGID);
3286 }
3287
3288 static int selinux_task_getpgid(struct task_struct *p)
3289 {
3290 return task_has_perm(current, p, PROCESS__GETPGID);
3291 }
3292
3293 static int selinux_task_getsid(struct task_struct *p)
3294 {
3295 return task_has_perm(current, p, PROCESS__GETSESSION);
3296 }
3297
3298 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3299 {
3300 selinux_get_task_sid(p, secid);
3301 }
3302
3303 static int selinux_task_setgroups(struct group_info *group_info)
3304 {
3305 /* See the comment for setuid above. */
3306 return 0;
3307 }
3308
3309 static int selinux_task_setnice(struct task_struct *p, int nice)
3310 {
3311 int rc;
3312
3313 rc = secondary_ops->task_setnice(p, nice);
3314 if (rc)
3315 return rc;
3316
3317 return task_has_perm(current,p, PROCESS__SETSCHED);
3318 }
3319
3320 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3321 {
3322 int rc;
3323
3324 rc = secondary_ops->task_setioprio(p, ioprio);
3325 if (rc)
3326 return rc;
3327
3328 return task_has_perm(current, p, PROCESS__SETSCHED);
3329 }
3330
3331 static int selinux_task_getioprio(struct task_struct *p)
3332 {
3333 return task_has_perm(current, p, PROCESS__GETSCHED);
3334 }
3335
3336 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3337 {
3338 struct rlimit *old_rlim = current->signal->rlim + resource;
3339 int rc;
3340
3341 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3342 if (rc)
3343 return rc;
3344
3345 /* Control the ability to change the hard limit (whether
3346 lowering or raising it), so that the hard limit can
3347 later be used as a safe reset point for the soft limit
3348 upon context transitions. See selinux_bprm_apply_creds. */
3349 if (old_rlim->rlim_max != new_rlim->rlim_max)
3350 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3351
3352 return 0;
3353 }
3354
3355 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3356 {
3357 int rc;
3358
3359 rc = secondary_ops->task_setscheduler(p, policy, lp);
3360 if (rc)
3361 return rc;
3362
3363 return task_has_perm(current, p, PROCESS__SETSCHED);
3364 }
3365
3366 static int selinux_task_getscheduler(struct task_struct *p)
3367 {
3368 return task_has_perm(current, p, PROCESS__GETSCHED);
3369 }
3370
3371 static int selinux_task_movememory(struct task_struct *p)
3372 {
3373 return task_has_perm(current, p, PROCESS__SETSCHED);
3374 }
3375
3376 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3377 int sig, u32 secid)
3378 {
3379 u32 perm;
3380 int rc;
3381 struct task_security_struct *tsec;
3382
3383 rc = secondary_ops->task_kill(p, info, sig, secid);
3384 if (rc)
3385 return rc;
3386
3387 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3388 return 0;
3389
3390 if (!sig)
3391 perm = PROCESS__SIGNULL; /* null signal; existence test */
3392 else
3393 perm = signal_to_av(sig);
3394 tsec = p->security;
3395 if (secid)
3396 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3397 else
3398 rc = task_has_perm(current, p, perm);
3399 return rc;
3400 }
3401
3402 static int selinux_task_prctl(int option,
3403 unsigned long arg2,
3404 unsigned long arg3,
3405 unsigned long arg4,
3406 unsigned long arg5)
3407 {
3408 /* The current prctl operations do not appear to require
3409 any SELinux controls since they merely observe or modify
3410 the state of the current process. */
3411 return 0;
3412 }
3413
3414 static int selinux_task_wait(struct task_struct *p)
3415 {
3416 return task_has_perm(p, current, PROCESS__SIGCHLD);
3417 }
3418
3419 static void selinux_task_reparent_to_init(struct task_struct *p)
3420 {
3421 struct task_security_struct *tsec;
3422
3423 secondary_ops->task_reparent_to_init(p);
3424
3425 tsec = p->security;
3426 tsec->osid = tsec->sid;
3427 tsec->sid = SECINITSID_KERNEL;
3428 return;
3429 }
3430
3431 static void selinux_task_to_inode(struct task_struct *p,
3432 struct inode *inode)
3433 {
3434 struct task_security_struct *tsec = p->security;
3435 struct inode_security_struct *isec = inode->i_security;
3436
3437 isec->sid = tsec->sid;
3438 isec->initialized = 1;
3439 return;
3440 }
3441
3442 /* Returns error only if unable to parse addresses */
3443 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3444 struct avc_audit_data *ad, u8 *proto)
3445 {
3446 int offset, ihlen, ret = -EINVAL;
3447 struct iphdr _iph, *ih;
3448
3449 offset = skb_network_offset(skb);
3450 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3451 if (ih == NULL)
3452 goto out;
3453
3454 ihlen = ih->ihl * 4;
3455 if (ihlen < sizeof(_iph))
3456 goto out;
3457
3458 ad->u.net.v4info.saddr = ih->saddr;
3459 ad->u.net.v4info.daddr = ih->daddr;
3460 ret = 0;
3461
3462 if (proto)
3463 *proto = ih->protocol;
3464
3465 switch (ih->protocol) {
3466 case IPPROTO_TCP: {
3467 struct tcphdr _tcph, *th;
3468
3469 if (ntohs(ih->frag_off) & IP_OFFSET)
3470 break;
3471
3472 offset += ihlen;
3473 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3474 if (th == NULL)
3475 break;
3476
3477 ad->u.net.sport = th->source;
3478 ad->u.net.dport = th->dest;
3479 break;
3480 }
3481
3482 case IPPROTO_UDP: {
3483 struct udphdr _udph, *uh;
3484
3485 if (ntohs(ih->frag_off) & IP_OFFSET)
3486 break;
3487
3488 offset += ihlen;
3489 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3490 if (uh == NULL)
3491 break;
3492
3493 ad->u.net.sport = uh->source;
3494 ad->u.net.dport = uh->dest;
3495 break;
3496 }
3497
3498 case IPPROTO_DCCP: {
3499 struct dccp_hdr _dccph, *dh;
3500
3501 if (ntohs(ih->frag_off) & IP_OFFSET)
3502 break;
3503
3504 offset += ihlen;
3505 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3506 if (dh == NULL)
3507 break;
3508
3509 ad->u.net.sport = dh->dccph_sport;
3510 ad->u.net.dport = dh->dccph_dport;
3511 break;
3512 }
3513
3514 default:
3515 break;
3516 }
3517 out:
3518 return ret;
3519 }
3520
3521 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3522
3523 /* Returns error only if unable to parse addresses */
3524 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3525 struct avc_audit_data *ad, u8 *proto)
3526 {
3527 u8 nexthdr;
3528 int ret = -EINVAL, offset;
3529 struct ipv6hdr _ipv6h, *ip6;
3530
3531 offset = skb_network_offset(skb);
3532 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3533 if (ip6 == NULL)
3534 goto out;
3535
3536 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3537 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3538 ret = 0;
3539
3540 nexthdr = ip6->nexthdr;
3541 offset += sizeof(_ipv6h);
3542 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3543 if (offset < 0)
3544 goto out;
3545
3546 if (proto)
3547 *proto = nexthdr;
3548
3549 switch (nexthdr) {
3550 case IPPROTO_TCP: {
3551 struct tcphdr _tcph, *th;
3552
3553 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3554 if (th == NULL)
3555 break;
3556
3557 ad->u.net.sport = th->source;
3558 ad->u.net.dport = th->dest;
3559 break;
3560 }
3561
3562 case IPPROTO_UDP: {
3563 struct udphdr _udph, *uh;
3564
3565 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3566 if (uh == NULL)
3567 break;
3568
3569 ad->u.net.sport = uh->source;
3570 ad->u.net.dport = uh->dest;
3571 break;
3572 }
3573
3574 case IPPROTO_DCCP: {
3575 struct dccp_hdr _dccph, *dh;
3576
3577 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3578 if (dh == NULL)
3579 break;
3580
3581 ad->u.net.sport = dh->dccph_sport;
3582 ad->u.net.dport = dh->dccph_dport;
3583 break;
3584 }
3585
3586 /* includes fragments */
3587 default:
3588 break;
3589 }
3590 out:
3591 return ret;
3592 }
3593
3594 #endif /* IPV6 */
3595
3596 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3597 char **addrp, int src, u8 *proto)
3598 {
3599 int ret = 0;
3600
3601 switch (ad->u.net.family) {
3602 case PF_INET:
3603 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3604 if (ret || !addrp)
3605 break;
3606 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3607 &ad->u.net.v4info.daddr);
3608 break;
3609
3610 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3611 case PF_INET6:
3612 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3613 if (ret || !addrp)
3614 break;
3615 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3616 &ad->u.net.v6info.daddr);
3617 break;
3618 #endif /* IPV6 */
3619 default:
3620 break;
3621 }
3622
3623 if (unlikely(ret))
3624 printk(KERN_WARNING
3625 "SELinux: failure in selinux_parse_skb(),"
3626 " unable to parse packet\n");
3627
3628 return ret;
3629 }
3630
3631 /**
3632 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3633 * @skb: the packet
3634 * @family: protocol family
3635 * @sid: the packet's peer label SID
3636 *
3637 * Description:
3638 * Check the various different forms of network peer labeling and determine
3639 * the peer label/SID for the packet; most of the magic actually occurs in
3640 * the security server function security_net_peersid_cmp(). The function
3641 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3642 * or -EACCES if @sid is invalid due to inconsistencies with the different
3643 * peer labels.
3644 *
3645 */
3646 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3647 {
3648 int err;
3649 u32 xfrm_sid;
3650 u32 nlbl_sid;
3651 u32 nlbl_type;
3652
3653 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3654 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3655
3656 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3657 if (unlikely(err)) {
3658 printk(KERN_WARNING
3659 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3660 " unable to determine packet's peer label\n");
3661 return -EACCES;
3662 }
3663
3664 return 0;
3665 }
3666
3667 /* socket security operations */
3668 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3669 u32 perms)
3670 {
3671 struct inode_security_struct *isec;
3672 struct task_security_struct *tsec;
3673 struct avc_audit_data ad;
3674 int err = 0;
3675
3676 tsec = task->security;
3677 isec = SOCK_INODE(sock)->i_security;
3678
3679 if (isec->sid == SECINITSID_KERNEL)
3680 goto out;
3681
3682 AVC_AUDIT_DATA_INIT(&ad,NET);
3683 ad.u.net.sk = sock->sk;
3684 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3685
3686 out:
3687 return err;
3688 }
3689
3690 static int selinux_socket_create(int family, int type,
3691 int protocol, int kern)
3692 {
3693 int err = 0;
3694 struct task_security_struct *tsec;
3695 u32 newsid;
3696
3697 if (kern)
3698 goto out;
3699
3700 tsec = current->security;
3701 newsid = tsec->sockcreate_sid ? : tsec->sid;
3702 err = avc_has_perm(tsec->sid, newsid,
3703 socket_type_to_security_class(family, type,
3704 protocol), SOCKET__CREATE, NULL);
3705
3706 out:
3707 return err;
3708 }
3709
3710 static int selinux_socket_post_create(struct socket *sock, int family,
3711 int type, int protocol, int kern)
3712 {
3713 int err = 0;
3714 struct inode_security_struct *isec;
3715 struct task_security_struct *tsec;
3716 struct sk_security_struct *sksec;
3717 u32 newsid;
3718
3719 isec = SOCK_INODE(sock)->i_security;
3720
3721 tsec = current->security;
3722 newsid = tsec->sockcreate_sid ? : tsec->sid;
3723 isec->sclass = socket_type_to_security_class(family, type, protocol);
3724 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3725 isec->initialized = 1;
3726
3727 if (sock->sk) {
3728 sksec = sock->sk->sk_security;
3729 sksec->sid = isec->sid;
3730 sksec->sclass = isec->sclass;
3731 err = selinux_netlbl_socket_post_create(sock);
3732 }
3733
3734 return err;
3735 }
3736
3737 /* Range of port numbers used to automatically bind.
3738 Need to determine whether we should perform a name_bind
3739 permission check between the socket and the port number. */
3740
3741 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3742 {
3743 u16 family;
3744 int err;
3745
3746 err = socket_has_perm(current, sock, SOCKET__BIND);
3747 if (err)
3748 goto out;
3749
3750 /*
3751 * If PF_INET or PF_INET6, check name_bind permission for the port.
3752 * Multiple address binding for SCTP is not supported yet: we just
3753 * check the first address now.
3754 */
3755 family = sock->sk->sk_family;
3756 if (family == PF_INET || family == PF_INET6) {
3757 char *addrp;
3758 struct inode_security_struct *isec;
3759 struct task_security_struct *tsec;
3760 struct avc_audit_data ad;
3761 struct sockaddr_in *addr4 = NULL;
3762 struct sockaddr_in6 *addr6 = NULL;
3763 unsigned short snum;
3764 struct sock *sk = sock->sk;
3765 u32 sid, node_perm, addrlen;
3766
3767 tsec = current->security;
3768 isec = SOCK_INODE(sock)->i_security;
3769
3770 if (family == PF_INET) {
3771 addr4 = (struct sockaddr_in *)address;
3772 snum = ntohs(addr4->sin_port);
3773 addrlen = sizeof(addr4->sin_addr.s_addr);
3774 addrp = (char *)&addr4->sin_addr.s_addr;
3775 } else {
3776 addr6 = (struct sockaddr_in6 *)address;
3777 snum = ntohs(addr6->sin6_port);
3778 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3779 addrp = (char *)&addr6->sin6_addr.s6_addr;
3780 }
3781
3782 if (snum) {
3783 int low, high;
3784
3785 inet_get_local_port_range(&low, &high);
3786
3787 if (snum < max(PROT_SOCK, low) || snum > high) {
3788 err = security_port_sid(sk->sk_family,
3789 sk->sk_type,
3790 sk->sk_protocol, snum,
3791 &sid);
3792 if (err)
3793 goto out;
3794 AVC_AUDIT_DATA_INIT(&ad,NET);
3795 ad.u.net.sport = htons(snum);
3796 ad.u.net.family = family;
3797 err = avc_has_perm(isec->sid, sid,
3798 isec->sclass,
3799 SOCKET__NAME_BIND, &ad);
3800 if (err)
3801 goto out;
3802 }
3803 }
3804
3805 switch(isec->sclass) {
3806 case SECCLASS_TCP_SOCKET:
3807 node_perm = TCP_SOCKET__NODE_BIND;
3808 break;
3809
3810 case SECCLASS_UDP_SOCKET:
3811 node_perm = UDP_SOCKET__NODE_BIND;
3812 break;
3813
3814 case SECCLASS_DCCP_SOCKET:
3815 node_perm = DCCP_SOCKET__NODE_BIND;
3816 break;
3817
3818 default:
3819 node_perm = RAWIP_SOCKET__NODE_BIND;
3820 break;
3821 }
3822
3823 err = sel_netnode_sid(addrp, family, &sid);
3824 if (err)
3825 goto out;
3826
3827 AVC_AUDIT_DATA_INIT(&ad,NET);
3828 ad.u.net.sport = htons(snum);
3829 ad.u.net.family = family;
3830
3831 if (family == PF_INET)
3832 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3833 else
3834 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3835
3836 err = avc_has_perm(isec->sid, sid,
3837 isec->sclass, node_perm, &ad);
3838 if (err)
3839 goto out;
3840 }
3841 out:
3842 return err;
3843 }
3844
3845 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3846 {
3847 struct inode_security_struct *isec;
3848 int err;
3849
3850 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3851 if (err)
3852 return err;
3853
3854 /*
3855 * If a TCP or DCCP socket, check name_connect permission for the port.
3856 */
3857 isec = SOCK_INODE(sock)->i_security;
3858 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3859 isec->sclass == SECCLASS_DCCP_SOCKET) {
3860 struct sock *sk = sock->sk;
3861 struct avc_audit_data ad;
3862 struct sockaddr_in *addr4 = NULL;
3863 struct sockaddr_in6 *addr6 = NULL;
3864 unsigned short snum;
3865 u32 sid, perm;
3866
3867 if (sk->sk_family == PF_INET) {
3868 addr4 = (struct sockaddr_in *)address;
3869 if (addrlen < sizeof(struct sockaddr_in))
3870 return -EINVAL;
3871 snum = ntohs(addr4->sin_port);
3872 } else {
3873 addr6 = (struct sockaddr_in6 *)address;
3874 if (addrlen < SIN6_LEN_RFC2133)
3875 return -EINVAL;
3876 snum = ntohs(addr6->sin6_port);
3877 }
3878
3879 err = security_port_sid(sk->sk_family, sk->sk_type,
3880 sk->sk_protocol, snum, &sid);
3881 if (err)
3882 goto out;
3883
3884 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3885 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3886
3887 AVC_AUDIT_DATA_INIT(&ad,NET);
3888 ad.u.net.dport = htons(snum);
3889 ad.u.net.family = sk->sk_family;
3890 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3891 if (err)
3892 goto out;
3893 }
3894
3895 out:
3896 return err;
3897 }
3898
3899 static int selinux_socket_listen(struct socket *sock, int backlog)
3900 {
3901 return socket_has_perm(current, sock, SOCKET__LISTEN);
3902 }
3903
3904 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3905 {
3906 int err;
3907 struct inode_security_struct *isec;
3908 struct inode_security_struct *newisec;
3909
3910 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3911 if (err)
3912 return err;
3913
3914 newisec = SOCK_INODE(newsock)->i_security;
3915
3916 isec = SOCK_INODE(sock)->i_security;
3917 newisec->sclass = isec->sclass;
3918 newisec->sid = isec->sid;
3919 newisec->initialized = 1;
3920
3921 return 0;
3922 }
3923
3924 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3925 int size)
3926 {
3927 int rc;
3928
3929 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3930 if (rc)
3931 return rc;
3932
3933 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3934 }
3935
3936 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3937 int size, int flags)
3938 {
3939 return socket_has_perm(current, sock, SOCKET__READ);
3940 }
3941
3942 static int selinux_socket_getsockname(struct socket *sock)
3943 {
3944 return socket_has_perm(current, sock, SOCKET__GETATTR);
3945 }
3946
3947 static int selinux_socket_getpeername(struct socket *sock)
3948 {
3949 return socket_has_perm(current, sock, SOCKET__GETATTR);
3950 }
3951
3952 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3953 {
3954 int err;
3955
3956 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3957 if (err)
3958 return err;
3959
3960 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3961 }
3962
3963 static int selinux_socket_getsockopt(struct socket *sock, int level,
3964 int optname)
3965 {
3966 return socket_has_perm(current, sock, SOCKET__GETOPT);
3967 }
3968
3969 static int selinux_socket_shutdown(struct socket *sock, int how)
3970 {
3971 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3972 }
3973
3974 static int selinux_socket_unix_stream_connect(struct socket *sock,
3975 struct socket *other,
3976 struct sock *newsk)
3977 {
3978 struct sk_security_struct *ssec;
3979 struct inode_security_struct *isec;
3980 struct inode_security_struct *other_isec;
3981 struct avc_audit_data ad;
3982 int err;
3983
3984 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3985 if (err)
3986 return err;
3987
3988 isec = SOCK_INODE(sock)->i_security;
3989 other_isec = SOCK_INODE(other)->i_security;
3990
3991 AVC_AUDIT_DATA_INIT(&ad,NET);
3992 ad.u.net.sk = other->sk;
3993
3994 err = avc_has_perm(isec->sid, other_isec->sid,
3995 isec->sclass,
3996 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3997 if (err)
3998 return err;
3999
4000 /* connecting socket */
4001 ssec = sock->sk->sk_security;
4002 ssec->peer_sid = other_isec->sid;
4003
4004 /* server child socket */
4005 ssec = newsk->sk_security;
4006 ssec->peer_sid = isec->sid;
4007 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4008
4009 return err;
4010 }
4011
4012 static int selinux_socket_unix_may_send(struct socket *sock,
4013 struct socket *other)
4014 {
4015 struct inode_security_struct *isec;
4016 struct inode_security_struct *other_isec;
4017 struct avc_audit_data ad;
4018 int err;
4019
4020 isec = SOCK_INODE(sock)->i_security;
4021 other_isec = SOCK_INODE(other)->i_security;
4022
4023 AVC_AUDIT_DATA_INIT(&ad,NET);
4024 ad.u.net.sk = other->sk;
4025
4026 err = avc_has_perm(isec->sid, other_isec->sid,
4027 isec->sclass, SOCKET__SENDTO, &ad);
4028 if (err)
4029 return err;
4030
4031 return 0;
4032 }
4033
4034 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4035 u32 peer_sid,
4036 struct avc_audit_data *ad)
4037 {
4038 int err;
4039 u32 if_sid;
4040 u32 node_sid;
4041
4042 err = sel_netif_sid(ifindex, &if_sid);
4043 if (err)
4044 return err;
4045 err = avc_has_perm(peer_sid, if_sid,
4046 SECCLASS_NETIF, NETIF__INGRESS, ad);
4047 if (err)
4048 return err;
4049
4050 err = sel_netnode_sid(addrp, family, &node_sid);
4051 if (err)
4052 return err;
4053 return avc_has_perm(peer_sid, node_sid,
4054 SECCLASS_NODE, NODE__RECVFROM, ad);
4055 }
4056
4057 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4058 struct sk_buff *skb,
4059 struct avc_audit_data *ad,
4060 u16 family,
4061 char *addrp)
4062 {
4063 int err;
4064 struct sk_security_struct *sksec = sk->sk_security;
4065 u16 sk_class;
4066 u32 netif_perm, node_perm, recv_perm;
4067 u32 port_sid, node_sid, if_sid, sk_sid;
4068
4069 sk_sid = sksec->sid;
4070 sk_class = sksec->sclass;
4071
4072 switch (sk_class) {
4073 case SECCLASS_UDP_SOCKET:
4074 netif_perm = NETIF__UDP_RECV;
4075 node_perm = NODE__UDP_RECV;
4076 recv_perm = UDP_SOCKET__RECV_MSG;
4077 break;
4078 case SECCLASS_TCP_SOCKET:
4079 netif_perm = NETIF__TCP_RECV;
4080 node_perm = NODE__TCP_RECV;
4081 recv_perm = TCP_SOCKET__RECV_MSG;
4082 break;
4083 case SECCLASS_DCCP_SOCKET:
4084 netif_perm = NETIF__DCCP_RECV;
4085 node_perm = NODE__DCCP_RECV;
4086 recv_perm = DCCP_SOCKET__RECV_MSG;
4087 break;
4088 default:
4089 netif_perm = NETIF__RAWIP_RECV;
4090 node_perm = NODE__RAWIP_RECV;
4091 recv_perm = 0;
4092 break;
4093 }
4094
4095 err = sel_netif_sid(skb->iif, &if_sid);
4096 if (err)
4097 return err;
4098 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4099 if (err)
4100 return err;
4101
4102 err = sel_netnode_sid(addrp, family, &node_sid);
4103 if (err)
4104 return err;
4105 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4106 if (err)
4107 return err;
4108
4109 if (!recv_perm)
4110 return 0;
4111 err = security_port_sid(sk->sk_family, sk->sk_type,
4112 sk->sk_protocol, ntohs(ad->u.net.sport),
4113 &port_sid);
4114 if (unlikely(err)) {
4115 printk(KERN_WARNING
4116 "SELinux: failure in"
4117 " selinux_sock_rcv_skb_iptables_compat(),"
4118 " network port label not found\n");
4119 return err;
4120 }
4121 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4122 }
4123
4124 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4125 struct avc_audit_data *ad,
4126 u16 family, char *addrp)
4127 {
4128 int err;
4129 struct sk_security_struct *sksec = sk->sk_security;
4130 u32 peer_sid;
4131 u32 sk_sid = sksec->sid;
4132
4133 if (selinux_compat_net)
4134 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4135 family, addrp);
4136 else
4137 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4138 PACKET__RECV, ad);
4139 if (err)
4140 return err;
4141
4142 if (selinux_policycap_netpeer) {
4143 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4144 if (err)
4145 return err;
4146 err = avc_has_perm(sk_sid, peer_sid,
4147 SECCLASS_PEER, PEER__RECV, ad);
4148 } else {
4149 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4150 if (err)
4151 return err;
4152 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4153 }
4154
4155 return err;
4156 }
4157
4158 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4159 {
4160 int err;
4161 struct sk_security_struct *sksec = sk->sk_security;
4162 u16 family = sk->sk_family;
4163 u32 sk_sid = sksec->sid;
4164 struct avc_audit_data ad;
4165 char *addrp;
4166
4167 if (family != PF_INET && family != PF_INET6)
4168 return 0;
4169
4170 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4171 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4172 family = PF_INET;
4173
4174 AVC_AUDIT_DATA_INIT(&ad, NET);
4175 ad.u.net.netif = skb->iif;
4176 ad.u.net.family = family;
4177 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4178 if (err)
4179 return err;
4180
4181 /* If any sort of compatibility mode is enabled then handoff processing
4182 * to the selinux_sock_rcv_skb_compat() function to deal with the
4183 * special handling. We do this in an attempt to keep this function
4184 * as fast and as clean as possible. */
4185 if (selinux_compat_net || !selinux_policycap_netpeer)
4186 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4187 family, addrp);
4188
4189 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4190 u32 peer_sid;
4191
4192 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4193 if (err)
4194 return err;
4195 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4196 peer_sid, &ad);
4197 if (err)
4198 return err;
4199 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4200 PEER__RECV, &ad);
4201 }
4202
4203 if (selinux_secmark_enabled()) {
4204 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4205 PACKET__RECV, &ad);
4206 if (err)
4207 return err;
4208 }
4209
4210 return err;
4211 }
4212
4213 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4214 int __user *optlen, unsigned len)
4215 {
4216 int err = 0;
4217 char *scontext;
4218 u32 scontext_len;
4219 struct sk_security_struct *ssec;
4220 struct inode_security_struct *isec;
4221 u32 peer_sid = SECSID_NULL;
4222
4223 isec = SOCK_INODE(sock)->i_security;
4224
4225 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4226 isec->sclass == SECCLASS_TCP_SOCKET) {
4227 ssec = sock->sk->sk_security;
4228 peer_sid = ssec->peer_sid;
4229 }
4230 if (peer_sid == SECSID_NULL) {
4231 err = -ENOPROTOOPT;
4232 goto out;
4233 }
4234
4235 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4236
4237 if (err)
4238 goto out;
4239
4240 if (scontext_len > len) {
4241 err = -ERANGE;
4242 goto out_len;
4243 }
4244
4245 if (copy_to_user(optval, scontext, scontext_len))
4246 err = -EFAULT;
4247
4248 out_len:
4249 if (put_user(scontext_len, optlen))
4250 err = -EFAULT;
4251
4252 kfree(scontext);
4253 out:
4254 return err;
4255 }
4256
4257 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4258 {
4259 u32 peer_secid = SECSID_NULL;
4260 u16 family;
4261
4262 if (sock)
4263 family = sock->sk->sk_family;
4264 else if (skb && skb->sk)
4265 family = skb->sk->sk_family;
4266 else
4267 goto out;
4268
4269 if (sock && family == PF_UNIX)
4270 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4271 else if (skb)
4272 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4273
4274 out:
4275 *secid = peer_secid;
4276 if (peer_secid == SECSID_NULL)
4277 return -EINVAL;
4278 return 0;
4279 }
4280
4281 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4282 {
4283 return sk_alloc_security(sk, family, priority);
4284 }
4285
4286 static void selinux_sk_free_security(struct sock *sk)
4287 {
4288 sk_free_security(sk);
4289 }
4290
4291 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4292 {
4293 struct sk_security_struct *ssec = sk->sk_security;
4294 struct sk_security_struct *newssec = newsk->sk_security;
4295
4296 newssec->sid = ssec->sid;
4297 newssec->peer_sid = ssec->peer_sid;
4298 newssec->sclass = ssec->sclass;
4299
4300 selinux_netlbl_sk_security_clone(ssec, newssec);
4301 }
4302
4303 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4304 {
4305 if (!sk)
4306 *secid = SECINITSID_ANY_SOCKET;
4307 else {
4308 struct sk_security_struct *sksec = sk->sk_security;
4309
4310 *secid = sksec->sid;
4311 }
4312 }
4313
4314 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4315 {
4316 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4317 struct sk_security_struct *sksec = sk->sk_security;
4318
4319 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4320 sk->sk_family == PF_UNIX)
4321 isec->sid = sksec->sid;
4322 sksec->sclass = isec->sclass;
4323
4324 selinux_netlbl_sock_graft(sk, parent);
4325 }
4326
4327 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4328 struct request_sock *req)
4329 {
4330 struct sk_security_struct *sksec = sk->sk_security;
4331 int err;
4332 u32 newsid;
4333 u32 peersid;
4334
4335 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4336 if (err)
4337 return err;
4338 if (peersid == SECSID_NULL) {
4339 req->secid = sksec->sid;
4340 req->peer_secid = SECSID_NULL;
4341 return 0;
4342 }
4343
4344 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4345 if (err)
4346 return err;
4347
4348 req->secid = newsid;
4349 req->peer_secid = peersid;
4350 return 0;
4351 }
4352
4353 static void selinux_inet_csk_clone(struct sock *newsk,
4354 const struct request_sock *req)
4355 {
4356 struct sk_security_struct *newsksec = newsk->sk_security;
4357
4358 newsksec->sid = req->secid;
4359 newsksec->peer_sid = req->peer_secid;
4360 /* NOTE: Ideally, we should also get the isec->sid for the
4361 new socket in sync, but we don't have the isec available yet.
4362 So we will wait until sock_graft to do it, by which
4363 time it will have been created and available. */
4364
4365 /* We don't need to take any sort of lock here as we are the only
4366 * thread with access to newsksec */
4367 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4368 }
4369
4370 static void selinux_inet_conn_established(struct sock *sk,
4371 struct sk_buff *skb)
4372 {
4373 struct sk_security_struct *sksec = sk->sk_security;
4374
4375 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4376 }
4377
4378 static void selinux_req_classify_flow(const struct request_sock *req,
4379 struct flowi *fl)
4380 {
4381 fl->secid = req->secid;
4382 }
4383
4384 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4385 {
4386 int err = 0;
4387 u32 perm;
4388 struct nlmsghdr *nlh;
4389 struct socket *sock = sk->sk_socket;
4390 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4391
4392 if (skb->len < NLMSG_SPACE(0)) {
4393 err = -EINVAL;
4394 goto out;
4395 }
4396 nlh = nlmsg_hdr(skb);
4397
4398 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4399 if (err) {
4400 if (err == -EINVAL) {
4401 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4402 "SELinux: unrecognized netlink message"
4403 " type=%hu for sclass=%hu\n",
4404 nlh->nlmsg_type, isec->sclass);
4405 if (!selinux_enforcing)
4406 err = 0;
4407 }
4408
4409 /* Ignore */
4410 if (err == -ENOENT)
4411 err = 0;
4412 goto out;
4413 }
4414
4415 err = socket_has_perm(current, sock, perm);
4416 out:
4417 return err;
4418 }
4419
4420 #ifdef CONFIG_NETFILTER
4421
4422 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4423 u16 family)
4424 {
4425 char *addrp;
4426 u32 peer_sid;
4427 struct avc_audit_data ad;
4428 u8 secmark_active;
4429 u8 peerlbl_active;
4430
4431 if (!selinux_policycap_netpeer)
4432 return NF_ACCEPT;
4433
4434 secmark_active = selinux_secmark_enabled();
4435 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4436 if (!secmark_active && !peerlbl_active)
4437 return NF_ACCEPT;
4438
4439 AVC_AUDIT_DATA_INIT(&ad, NET);
4440 ad.u.net.netif = ifindex;
4441 ad.u.net.family = family;
4442 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4443 return NF_DROP;
4444
4445 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4446 return NF_DROP;
4447
4448 if (peerlbl_active)
4449 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4450 peer_sid, &ad) != 0)
4451 return NF_DROP;
4452
4453 if (secmark_active)
4454 if (avc_has_perm(peer_sid, skb->secmark,
4455 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4456 return NF_DROP;
4457
4458 return NF_ACCEPT;
4459 }
4460
4461 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4462 struct sk_buff *skb,
4463 const struct net_device *in,
4464 const struct net_device *out,
4465 int (*okfn)(struct sk_buff *))
4466 {
4467 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4468 }
4469
4470 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4471 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4472 struct sk_buff *skb,
4473 const struct net_device *in,
4474 const struct net_device *out,
4475 int (*okfn)(struct sk_buff *))
4476 {
4477 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4478 }
4479 #endif /* IPV6 */
4480
4481 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4482 int ifindex,
4483 struct avc_audit_data *ad,
4484 u16 family, char *addrp)
4485 {
4486 int err;
4487 struct sk_security_struct *sksec = sk->sk_security;
4488 u16 sk_class;
4489 u32 netif_perm, node_perm, send_perm;
4490 u32 port_sid, node_sid, if_sid, sk_sid;
4491
4492 sk_sid = sksec->sid;
4493 sk_class = sksec->sclass;
4494
4495 switch (sk_class) {
4496 case SECCLASS_UDP_SOCKET:
4497 netif_perm = NETIF__UDP_SEND;
4498 node_perm = NODE__UDP_SEND;
4499 send_perm = UDP_SOCKET__SEND_MSG;
4500 break;
4501 case SECCLASS_TCP_SOCKET:
4502 netif_perm = NETIF__TCP_SEND;
4503 node_perm = NODE__TCP_SEND;
4504 send_perm = TCP_SOCKET__SEND_MSG;
4505 break;
4506 case SECCLASS_DCCP_SOCKET:
4507 netif_perm = NETIF__DCCP_SEND;
4508 node_perm = NODE__DCCP_SEND;
4509 send_perm = DCCP_SOCKET__SEND_MSG;
4510 break;
4511 default:
4512 netif_perm = NETIF__RAWIP_SEND;
4513 node_perm = NODE__RAWIP_SEND;
4514 send_perm = 0;
4515 break;
4516 }
4517
4518 err = sel_netif_sid(ifindex, &if_sid);
4519 if (err)
4520 return err;
4521 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4522 return err;
4523
4524 err = sel_netnode_sid(addrp, family, &node_sid);
4525 if (err)
4526 return err;
4527 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4528 if (err)
4529 return err;
4530
4531 if (send_perm != 0)
4532 return 0;
4533
4534 err = security_port_sid(sk->sk_family, sk->sk_type,
4535 sk->sk_protocol, ntohs(ad->u.net.dport),
4536 &port_sid);
4537 if (unlikely(err)) {
4538 printk(KERN_WARNING
4539 "SELinux: failure in"
4540 " selinux_ip_postroute_iptables_compat(),"
4541 " network port label not found\n");
4542 return err;
4543 }
4544 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4545 }
4546
4547 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4548 int ifindex,
4549 struct avc_audit_data *ad,
4550 u16 family,
4551 char *addrp,
4552 u8 proto)
4553 {
4554 struct sock *sk = skb->sk;
4555 struct sk_security_struct *sksec;
4556
4557 if (sk == NULL)
4558 return NF_ACCEPT;
4559 sksec = sk->sk_security;
4560
4561 if (selinux_compat_net) {
4562 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4563 ad, family, addrp))
4564 return NF_DROP;
4565 } else {
4566 if (avc_has_perm(sksec->sid, skb->secmark,
4567 SECCLASS_PACKET, PACKET__SEND, ad))
4568 return NF_DROP;
4569 }
4570
4571 if (selinux_policycap_netpeer)
4572 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4573 return NF_DROP;
4574
4575 return NF_ACCEPT;
4576 }
4577
4578 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4579 u16 family)
4580 {
4581 u32 secmark_perm;
4582 u32 peer_sid;
4583 struct sock *sk;
4584 struct avc_audit_data ad;
4585 char *addrp;
4586 u8 proto;
4587 u8 secmark_active;
4588 u8 peerlbl_active;
4589
4590 AVC_AUDIT_DATA_INIT(&ad, NET);
4591 ad.u.net.netif = ifindex;
4592 ad.u.net.family = family;
4593 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4594 return NF_DROP;
4595
4596 /* If any sort of compatibility mode is enabled then handoff processing
4597 * to the selinux_ip_postroute_compat() function to deal with the
4598 * special handling. We do this in an attempt to keep this function
4599 * as fast and as clean as possible. */
4600 if (selinux_compat_net || !selinux_policycap_netpeer)
4601 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4602 family, addrp, proto);
4603
4604 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4605 * packet transformation so allow the packet to pass without any checks
4606 * since we'll have another chance to perform access control checks
4607 * when the packet is on it's final way out.
4608 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4609 * is NULL, in this case go ahead and apply access control. */
4610 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4611 return NF_ACCEPT;
4612
4613 secmark_active = selinux_secmark_enabled();
4614 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4615 if (!secmark_active && !peerlbl_active)
4616 return NF_ACCEPT;
4617
4618 /* if the packet is locally generated (skb->sk != NULL) then use the
4619 * socket's label as the peer label, otherwise the packet is being
4620 * forwarded through this system and we need to fetch the peer label
4621 * directly from the packet */
4622 sk = skb->sk;
4623 if (sk) {
4624 struct sk_security_struct *sksec = sk->sk_security;
4625 peer_sid = sksec->sid;
4626 secmark_perm = PACKET__SEND;
4627 } else {
4628 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4629 return NF_DROP;
4630 secmark_perm = PACKET__FORWARD_OUT;
4631 }
4632
4633 if (secmark_active)
4634 if (avc_has_perm(peer_sid, skb->secmark,
4635 SECCLASS_PACKET, secmark_perm, &ad))
4636 return NF_DROP;
4637
4638 if (peerlbl_active) {
4639 u32 if_sid;
4640 u32 node_sid;
4641
4642 if (sel_netif_sid(ifindex, &if_sid))
4643 return NF_DROP;
4644 if (avc_has_perm(peer_sid, if_sid,
4645 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4646 return NF_DROP;
4647
4648 if (sel_netnode_sid(addrp, family, &node_sid))
4649 return NF_DROP;
4650 if (avc_has_perm(peer_sid, node_sid,
4651 SECCLASS_NODE, NODE__SENDTO, &ad))
4652 return NF_DROP;
4653 }
4654
4655 return NF_ACCEPT;
4656 }
4657
4658 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4659 struct sk_buff *skb,
4660 const struct net_device *in,
4661 const struct net_device *out,
4662 int (*okfn)(struct sk_buff *))
4663 {
4664 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4665 }
4666
4667 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4668 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4669 struct sk_buff *skb,
4670 const struct net_device *in,
4671 const struct net_device *out,
4672 int (*okfn)(struct sk_buff *))
4673 {
4674 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4675 }
4676 #endif /* IPV6 */
4677
4678 #endif /* CONFIG_NETFILTER */
4679
4680 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4681 {
4682 int err;
4683
4684 err = secondary_ops->netlink_send(sk, skb);
4685 if (err)
4686 return err;
4687
4688 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4689 err = selinux_nlmsg_perm(sk, skb);
4690
4691 return err;
4692 }
4693
4694 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4695 {
4696 int err;
4697 struct avc_audit_data ad;
4698
4699 err = secondary_ops->netlink_recv(skb, capability);
4700 if (err)
4701 return err;
4702
4703 AVC_AUDIT_DATA_INIT(&ad, CAP);
4704 ad.u.cap = capability;
4705
4706 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4707 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4708 }
4709
4710 static int ipc_alloc_security(struct task_struct *task,
4711 struct kern_ipc_perm *perm,
4712 u16 sclass)
4713 {
4714 struct task_security_struct *tsec = task->security;
4715 struct ipc_security_struct *isec;
4716
4717 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4718 if (!isec)
4719 return -ENOMEM;
4720
4721 isec->sclass = sclass;
4722 isec->ipc_perm = perm;
4723 isec->sid = tsec->sid;
4724 perm->security = isec;
4725
4726 return 0;
4727 }
4728
4729 static void ipc_free_security(struct kern_ipc_perm *perm)
4730 {
4731 struct ipc_security_struct *isec = perm->security;
4732 perm->security = NULL;
4733 kfree(isec);
4734 }
4735
4736 static int msg_msg_alloc_security(struct msg_msg *msg)
4737 {
4738 struct msg_security_struct *msec;
4739
4740 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4741 if (!msec)
4742 return -ENOMEM;
4743
4744 msec->msg = msg;
4745 msec->sid = SECINITSID_UNLABELED;
4746 msg->security = msec;
4747
4748 return 0;
4749 }
4750
4751 static void msg_msg_free_security(struct msg_msg *msg)
4752 {
4753 struct msg_security_struct *msec = msg->security;
4754
4755 msg->security = NULL;
4756 kfree(msec);
4757 }
4758
4759 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4760 u32 perms)
4761 {
4762 struct task_security_struct *tsec;
4763 struct ipc_security_struct *isec;
4764 struct avc_audit_data ad;
4765
4766 tsec = current->security;
4767 isec = ipc_perms->security;
4768
4769 AVC_AUDIT_DATA_INIT(&ad, IPC);
4770 ad.u.ipc_id = ipc_perms->key;
4771
4772 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4773 }
4774
4775 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4776 {
4777 return msg_msg_alloc_security(msg);
4778 }
4779
4780 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4781 {
4782 msg_msg_free_security(msg);
4783 }
4784
4785 /* message queue security operations */
4786 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4787 {
4788 struct task_security_struct *tsec;
4789 struct ipc_security_struct *isec;
4790 struct avc_audit_data ad;
4791 int rc;
4792
4793 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4794 if (rc)
4795 return rc;
4796
4797 tsec = current->security;
4798 isec = msq->q_perm.security;
4799
4800 AVC_AUDIT_DATA_INIT(&ad, IPC);
4801 ad.u.ipc_id = msq->q_perm.key;
4802
4803 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4804 MSGQ__CREATE, &ad);
4805 if (rc) {
4806 ipc_free_security(&msq->q_perm);
4807 return rc;
4808 }
4809 return 0;
4810 }
4811
4812 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4813 {
4814 ipc_free_security(&msq->q_perm);
4815 }
4816
4817 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4818 {
4819 struct task_security_struct *tsec;
4820 struct ipc_security_struct *isec;
4821 struct avc_audit_data ad;
4822
4823 tsec = current->security;
4824 isec = msq->q_perm.security;
4825
4826 AVC_AUDIT_DATA_INIT(&ad, IPC);
4827 ad.u.ipc_id = msq->q_perm.key;
4828
4829 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4830 MSGQ__ASSOCIATE, &ad);
4831 }
4832
4833 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4834 {
4835 int err;
4836 int perms;
4837
4838 switch(cmd) {
4839 case IPC_INFO:
4840 case MSG_INFO:
4841 /* No specific object, just general system-wide information. */
4842 return task_has_system(current, SYSTEM__IPC_INFO);
4843 case IPC_STAT:
4844 case MSG_STAT:
4845 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4846 break;
4847 case IPC_SET:
4848 perms = MSGQ__SETATTR;
4849 break;
4850 case IPC_RMID:
4851 perms = MSGQ__DESTROY;
4852 break;
4853 default:
4854 return 0;
4855 }
4856
4857 err = ipc_has_perm(&msq->q_perm, perms);
4858 return err;
4859 }
4860
4861 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4862 {
4863 struct task_security_struct *tsec;
4864 struct ipc_security_struct *isec;
4865 struct msg_security_struct *msec;
4866 struct avc_audit_data ad;
4867 int rc;
4868
4869 tsec = current->security;
4870 isec = msq->q_perm.security;
4871 msec = msg->security;
4872
4873 /*
4874 * First time through, need to assign label to the message
4875 */
4876 if (msec->sid == SECINITSID_UNLABELED) {
4877 /*
4878 * Compute new sid based on current process and
4879 * message queue this message will be stored in
4880 */
4881 rc = security_transition_sid(tsec->sid,
4882 isec->sid,
4883 SECCLASS_MSG,
4884 &msec->sid);
4885 if (rc)
4886 return rc;
4887 }
4888
4889 AVC_AUDIT_DATA_INIT(&ad, IPC);
4890 ad.u.ipc_id = msq->q_perm.key;
4891
4892 /* Can this process write to the queue? */
4893 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4894 MSGQ__WRITE, &ad);
4895 if (!rc)
4896 /* Can this process send the message */
4897 rc = avc_has_perm(tsec->sid, msec->sid,
4898 SECCLASS_MSG, MSG__SEND, &ad);
4899 if (!rc)
4900 /* Can the message be put in the queue? */
4901 rc = avc_has_perm(msec->sid, isec->sid,
4902 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4903
4904 return rc;
4905 }
4906
4907 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4908 struct task_struct *target,
4909 long type, int mode)
4910 {
4911 struct task_security_struct *tsec;
4912 struct ipc_security_struct *isec;
4913 struct msg_security_struct *msec;
4914 struct avc_audit_data ad;
4915 int rc;
4916
4917 tsec = target->security;
4918 isec = msq->q_perm.security;
4919 msec = msg->security;
4920
4921 AVC_AUDIT_DATA_INIT(&ad, IPC);
4922 ad.u.ipc_id = msq->q_perm.key;
4923
4924 rc = avc_has_perm(tsec->sid, isec->sid,
4925 SECCLASS_MSGQ, MSGQ__READ, &ad);
4926 if (!rc)
4927 rc = avc_has_perm(tsec->sid, msec->sid,
4928 SECCLASS_MSG, MSG__RECEIVE, &ad);
4929 return rc;
4930 }
4931
4932 /* Shared Memory security operations */
4933 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4934 {
4935 struct task_security_struct *tsec;
4936 struct ipc_security_struct *isec;
4937 struct avc_audit_data ad;
4938 int rc;
4939
4940 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4941 if (rc)
4942 return rc;
4943
4944 tsec = current->security;
4945 isec = shp->shm_perm.security;
4946
4947 AVC_AUDIT_DATA_INIT(&ad, IPC);
4948 ad.u.ipc_id = shp->shm_perm.key;
4949
4950 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4951 SHM__CREATE, &ad);
4952 if (rc) {
4953 ipc_free_security(&shp->shm_perm);
4954 return rc;
4955 }
4956 return 0;
4957 }
4958
4959 static void selinux_shm_free_security(struct shmid_kernel *shp)
4960 {
4961 ipc_free_security(&shp->shm_perm);
4962 }
4963
4964 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4965 {
4966 struct task_security_struct *tsec;
4967 struct ipc_security_struct *isec;
4968 struct avc_audit_data ad;
4969
4970 tsec = current->security;
4971 isec = shp->shm_perm.security;
4972
4973 AVC_AUDIT_DATA_INIT(&ad, IPC);
4974 ad.u.ipc_id = shp->shm_perm.key;
4975
4976 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4977 SHM__ASSOCIATE, &ad);
4978 }
4979
4980 /* Note, at this point, shp is locked down */
4981 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4982 {
4983 int perms;
4984 int err;
4985
4986 switch(cmd) {
4987 case IPC_INFO:
4988 case SHM_INFO:
4989 /* No specific object, just general system-wide information. */
4990 return task_has_system(current, SYSTEM__IPC_INFO);
4991 case IPC_STAT:
4992 case SHM_STAT:
4993 perms = SHM__GETATTR | SHM__ASSOCIATE;
4994 break;
4995 case IPC_SET:
4996 perms = SHM__SETATTR;
4997 break;
4998 case SHM_LOCK:
4999 case SHM_UNLOCK:
5000 perms = SHM__LOCK;
5001 break;
5002 case IPC_RMID:
5003 perms = SHM__DESTROY;
5004 break;
5005 default:
5006 return 0;
5007 }
5008
5009 err = ipc_has_perm(&shp->shm_perm, perms);
5010 return err;
5011 }
5012
5013 static int selinux_shm_shmat(struct shmid_kernel *shp,
5014 char __user *shmaddr, int shmflg)
5015 {
5016 u32 perms;
5017 int rc;
5018
5019 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5020 if (rc)
5021 return rc;
5022
5023 if (shmflg & SHM_RDONLY)
5024 perms = SHM__READ;
5025 else
5026 perms = SHM__READ | SHM__WRITE;
5027
5028 return ipc_has_perm(&shp->shm_perm, perms);
5029 }
5030
5031 /* Semaphore security operations */
5032 static int selinux_sem_alloc_security(struct sem_array *sma)
5033 {
5034 struct task_security_struct *tsec;
5035 struct ipc_security_struct *isec;
5036 struct avc_audit_data ad;
5037 int rc;
5038
5039 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5040 if (rc)
5041 return rc;
5042
5043 tsec = current->security;
5044 isec = sma->sem_perm.security;
5045
5046 AVC_AUDIT_DATA_INIT(&ad, IPC);
5047 ad.u.ipc_id = sma->sem_perm.key;
5048
5049 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5050 SEM__CREATE, &ad);
5051 if (rc) {
5052 ipc_free_security(&sma->sem_perm);
5053 return rc;
5054 }
5055 return 0;
5056 }
5057
5058 static void selinux_sem_free_security(struct sem_array *sma)
5059 {
5060 ipc_free_security(&sma->sem_perm);
5061 }
5062
5063 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5064 {
5065 struct task_security_struct *tsec;
5066 struct ipc_security_struct *isec;
5067 struct avc_audit_data ad;
5068
5069 tsec = current->security;
5070 isec = sma->sem_perm.security;
5071
5072 AVC_AUDIT_DATA_INIT(&ad, IPC);
5073 ad.u.ipc_id = sma->sem_perm.key;
5074
5075 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5076 SEM__ASSOCIATE, &ad);
5077 }
5078
5079 /* Note, at this point, sma is locked down */
5080 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5081 {
5082 int err;
5083 u32 perms;
5084
5085 switch(cmd) {
5086 case IPC_INFO:
5087 case SEM_INFO:
5088 /* No specific object, just general system-wide information. */
5089 return task_has_system(current, SYSTEM__IPC_INFO);
5090 case GETPID:
5091 case GETNCNT:
5092 case GETZCNT:
5093 perms = SEM__GETATTR;
5094 break;
5095 case GETVAL:
5096 case GETALL:
5097 perms = SEM__READ;
5098 break;
5099 case SETVAL:
5100 case SETALL:
5101 perms = SEM__WRITE;
5102 break;
5103 case IPC_RMID:
5104 perms = SEM__DESTROY;
5105 break;
5106 case IPC_SET:
5107 perms = SEM__SETATTR;
5108 break;
5109 case IPC_STAT:
5110 case SEM_STAT:
5111 perms = SEM__GETATTR | SEM__ASSOCIATE;
5112 break;
5113 default:
5114 return 0;
5115 }
5116
5117 err = ipc_has_perm(&sma->sem_perm, perms);
5118 return err;
5119 }
5120
5121 static int selinux_sem_semop(struct sem_array *sma,
5122 struct sembuf *sops, unsigned nsops, int alter)
5123 {
5124 u32 perms;
5125
5126 if (alter)
5127 perms = SEM__READ | SEM__WRITE;
5128 else
5129 perms = SEM__READ;
5130
5131 return ipc_has_perm(&sma->sem_perm, perms);
5132 }
5133
5134 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5135 {
5136 u32 av = 0;
5137
5138 av = 0;
5139 if (flag & S_IRUGO)
5140 av |= IPC__UNIX_READ;
5141 if (flag & S_IWUGO)
5142 av |= IPC__UNIX_WRITE;
5143
5144 if (av == 0)
5145 return 0;
5146
5147 return ipc_has_perm(ipcp, av);
5148 }
5149
5150 /* module stacking operations */
5151 static int selinux_register_security (const char *name, struct security_operations *ops)
5152 {
5153 if (secondary_ops != original_ops) {
5154 printk(KERN_ERR "%s: There is already a secondary security "
5155 "module registered.\n", __FUNCTION__);
5156 return -EINVAL;
5157 }
5158
5159 secondary_ops = ops;
5160
5161 printk(KERN_INFO "%s: Registering secondary module %s\n",
5162 __FUNCTION__,
5163 name);
5164
5165 return 0;
5166 }
5167
5168 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5169 {
5170 if (inode)
5171 inode_doinit_with_dentry(inode, dentry);
5172 }
5173
5174 static int selinux_getprocattr(struct task_struct *p,
5175 char *name, char **value)
5176 {
5177 struct task_security_struct *tsec;
5178 u32 sid;
5179 int error;
5180 unsigned len;
5181
5182 if (current != p) {
5183 error = task_has_perm(current, p, PROCESS__GETATTR);
5184 if (error)
5185 return error;
5186 }
5187
5188 tsec = p->security;
5189
5190 if (!strcmp(name, "current"))
5191 sid = tsec->sid;
5192 else if (!strcmp(name, "prev"))
5193 sid = tsec->osid;
5194 else if (!strcmp(name, "exec"))
5195 sid = tsec->exec_sid;
5196 else if (!strcmp(name, "fscreate"))
5197 sid = tsec->create_sid;
5198 else if (!strcmp(name, "keycreate"))
5199 sid = tsec->keycreate_sid;
5200 else if (!strcmp(name, "sockcreate"))
5201 sid = tsec->sockcreate_sid;
5202 else
5203 return -EINVAL;
5204
5205 if (!sid)
5206 return 0;
5207
5208 error = security_sid_to_context(sid, value, &len);
5209 if (error)
5210 return error;
5211 return len;
5212 }
5213
5214 static int selinux_setprocattr(struct task_struct *p,
5215 char *name, void *value, size_t size)
5216 {
5217 struct task_security_struct *tsec;
5218 u32 sid = 0;
5219 int error;
5220 char *str = value;
5221
5222 if (current != p) {
5223 /* SELinux only allows a process to change its own
5224 security attributes. */
5225 return -EACCES;
5226 }
5227
5228 /*
5229 * Basic control over ability to set these attributes at all.
5230 * current == p, but we'll pass them separately in case the
5231 * above restriction is ever removed.
5232 */
5233 if (!strcmp(name, "exec"))
5234 error = task_has_perm(current, p, PROCESS__SETEXEC);
5235 else if (!strcmp(name, "fscreate"))
5236 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5237 else if (!strcmp(name, "keycreate"))
5238 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5239 else if (!strcmp(name, "sockcreate"))
5240 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5241 else if (!strcmp(name, "current"))
5242 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5243 else
5244 error = -EINVAL;
5245 if (error)
5246 return error;
5247
5248 /* Obtain a SID for the context, if one was specified. */
5249 if (size && str[1] && str[1] != '\n') {
5250 if (str[size-1] == '\n') {
5251 str[size-1] = 0;
5252 size--;
5253 }
5254 error = security_context_to_sid(value, size, &sid);
5255 if (error)
5256 return error;
5257 }
5258
5259 /* Permission checking based on the specified context is
5260 performed during the actual operation (execve,
5261 open/mkdir/...), when we know the full context of the
5262 operation. See selinux_bprm_set_security for the execve
5263 checks and may_create for the file creation checks. The
5264 operation will then fail if the context is not permitted. */
5265 tsec = p->security;
5266 if (!strcmp(name, "exec"))
5267 tsec->exec_sid = sid;
5268 else if (!strcmp(name, "fscreate"))
5269 tsec->create_sid = sid;
5270 else if (!strcmp(name, "keycreate")) {
5271 error = may_create_key(sid, p);
5272 if (error)
5273 return error;
5274 tsec->keycreate_sid = sid;
5275 } else if (!strcmp(name, "sockcreate"))
5276 tsec->sockcreate_sid = sid;
5277 else if (!strcmp(name, "current")) {
5278 struct av_decision avd;
5279
5280 if (sid == 0)
5281 return -EINVAL;
5282
5283 /* Only allow single threaded processes to change context */
5284 if (atomic_read(&p->mm->mm_users) != 1) {
5285 struct task_struct *g, *t;
5286 struct mm_struct *mm = p->mm;
5287 read_lock(&tasklist_lock);
5288 do_each_thread(g, t)
5289 if (t->mm == mm && t != p) {
5290 read_unlock(&tasklist_lock);
5291 return -EPERM;
5292 }
5293 while_each_thread(g, t);
5294 read_unlock(&tasklist_lock);
5295 }
5296
5297 /* Check permissions for the transition. */
5298 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5299 PROCESS__DYNTRANSITION, NULL);
5300 if (error)
5301 return error;
5302
5303 /* Check for ptracing, and update the task SID if ok.
5304 Otherwise, leave SID unchanged and fail. */
5305 task_lock(p);
5306 if (p->ptrace & PT_PTRACED) {
5307 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5308 SECCLASS_PROCESS,
5309 PROCESS__PTRACE, 0, &avd);
5310 if (!error)
5311 tsec->sid = sid;
5312 task_unlock(p);
5313 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5314 PROCESS__PTRACE, &avd, error, NULL);
5315 if (error)
5316 return error;
5317 } else {
5318 tsec->sid = sid;
5319 task_unlock(p);
5320 }
5321 }
5322 else
5323 return -EINVAL;
5324
5325 return size;
5326 }
5327
5328 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5329 {
5330 return security_sid_to_context(secid, secdata, seclen);
5331 }
5332
5333 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5334 {
5335 return security_context_to_sid(secdata, seclen, secid);
5336 }
5337
5338 static void selinux_release_secctx(char *secdata, u32 seclen)
5339 {
5340 kfree(secdata);
5341 }
5342
5343 #ifdef CONFIG_KEYS
5344
5345 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5346 unsigned long flags)
5347 {
5348 struct task_security_struct *tsec = tsk->security;
5349 struct key_security_struct *ksec;
5350
5351 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5352 if (!ksec)
5353 return -ENOMEM;
5354
5355 ksec->obj = k;
5356 if (tsec->keycreate_sid)
5357 ksec->sid = tsec->keycreate_sid;
5358 else
5359 ksec->sid = tsec->sid;
5360 k->security = ksec;
5361
5362 return 0;
5363 }
5364
5365 static void selinux_key_free(struct key *k)
5366 {
5367 struct key_security_struct *ksec = k->security;
5368
5369 k->security = NULL;
5370 kfree(ksec);
5371 }
5372
5373 static int selinux_key_permission(key_ref_t key_ref,
5374 struct task_struct *ctx,
5375 key_perm_t perm)
5376 {
5377 struct key *key;
5378 struct task_security_struct *tsec;
5379 struct key_security_struct *ksec;
5380
5381 key = key_ref_to_ptr(key_ref);
5382
5383 tsec = ctx->security;
5384 ksec = key->security;
5385
5386 /* if no specific permissions are requested, we skip the
5387 permission check. No serious, additional covert channels
5388 appear to be created. */
5389 if (perm == 0)
5390 return 0;
5391
5392 return avc_has_perm(tsec->sid, ksec->sid,
5393 SECCLASS_KEY, perm, NULL);
5394 }
5395
5396 #endif
5397
5398 static struct security_operations selinux_ops = {
5399 .ptrace = selinux_ptrace,
5400 .capget = selinux_capget,
5401 .capset_check = selinux_capset_check,
5402 .capset_set = selinux_capset_set,
5403 .sysctl = selinux_sysctl,
5404 .capable = selinux_capable,
5405 .quotactl = selinux_quotactl,
5406 .quota_on = selinux_quota_on,
5407 .syslog = selinux_syslog,
5408 .vm_enough_memory = selinux_vm_enough_memory,
5409
5410 .netlink_send = selinux_netlink_send,
5411 .netlink_recv = selinux_netlink_recv,
5412
5413 .bprm_alloc_security = selinux_bprm_alloc_security,
5414 .bprm_free_security = selinux_bprm_free_security,
5415 .bprm_apply_creds = selinux_bprm_apply_creds,
5416 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5417 .bprm_set_security = selinux_bprm_set_security,
5418 .bprm_check_security = selinux_bprm_check_security,
5419 .bprm_secureexec = selinux_bprm_secureexec,
5420
5421 .sb_alloc_security = selinux_sb_alloc_security,
5422 .sb_free_security = selinux_sb_free_security,
5423 .sb_copy_data = selinux_sb_copy_data,
5424 .sb_kern_mount = selinux_sb_kern_mount,
5425 .sb_statfs = selinux_sb_statfs,
5426 .sb_mount = selinux_mount,
5427 .sb_umount = selinux_umount,
5428 .sb_get_mnt_opts = selinux_get_mnt_opts,
5429 .sb_set_mnt_opts = selinux_set_mnt_opts,
5430 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5431 <<<<<<< HEAD:security/selinux/hooks.c
5432 =======
5433 .sb_parse_opts_str = selinux_parse_opts_str,
5434
5435 >>>>>>> 264e3e889d86e552b4191d69bb60f4f3b383135a:security/selinux/hooks.c
5436
5437 .inode_alloc_security = selinux_inode_alloc_security,
5438 .inode_free_security = selinux_inode_free_security,
5439 .inode_init_security = selinux_inode_init_security,
5440 .inode_create = selinux_inode_create,
5441 .inode_link = selinux_inode_link,
5442 .inode_unlink = selinux_inode_unlink,
5443 .inode_symlink = selinux_inode_symlink,
5444 .inode_mkdir = selinux_inode_mkdir,
5445 .inode_rmdir = selinux_inode_rmdir,
5446 .inode_mknod = selinux_inode_mknod,
5447 .inode_rename = selinux_inode_rename,
5448 .inode_readlink = selinux_inode_readlink,
5449 .inode_follow_link = selinux_inode_follow_link,
5450 .inode_permission = selinux_inode_permission,
5451 .inode_setattr = selinux_inode_setattr,
5452 .inode_getattr = selinux_inode_getattr,
5453 .inode_setxattr = selinux_inode_setxattr,
5454 .inode_post_setxattr = selinux_inode_post_setxattr,
5455 .inode_getxattr = selinux_inode_getxattr,
5456 .inode_listxattr = selinux_inode_listxattr,
5457 .inode_removexattr = selinux_inode_removexattr,
5458 .inode_getsecurity = selinux_inode_getsecurity,
5459 .inode_setsecurity = selinux_inode_setsecurity,
5460 .inode_listsecurity = selinux_inode_listsecurity,
5461 .inode_need_killpriv = selinux_inode_need_killpriv,
5462 .inode_killpriv = selinux_inode_killpriv,
5463
5464 .file_permission = selinux_file_permission,
5465 .file_alloc_security = selinux_file_alloc_security,
5466 .file_free_security = selinux_file_free_security,
5467 .file_ioctl = selinux_file_ioctl,
5468 .file_mmap = selinux_file_mmap,
5469 .file_mprotect = selinux_file_mprotect,
5470 .file_lock = selinux_file_lock,
5471 .file_fcntl = selinux_file_fcntl,
5472 .file_set_fowner = selinux_file_set_fowner,
5473 .file_send_sigiotask = selinux_file_send_sigiotask,
5474 .file_receive = selinux_file_receive,
5475
5476 .dentry_open = selinux_dentry_open,
5477
5478 .task_create = selinux_task_create,
5479 .task_alloc_security = selinux_task_alloc_security,
5480 .task_free_security = selinux_task_free_security,
5481 .task_setuid = selinux_task_setuid,
5482 .task_post_setuid = selinux_task_post_setuid,
5483 .task_setgid = selinux_task_setgid,
5484 .task_setpgid = selinux_task_setpgid,
5485 .task_getpgid = selinux_task_getpgid,
5486 .task_getsid = selinux_task_getsid,
5487 .task_getsecid = selinux_task_getsecid,
5488 .task_setgroups = selinux_task_setgroups,
5489 .task_setnice = selinux_task_setnice,
5490 .task_setioprio = selinux_task_setioprio,
5491 .task_getioprio = selinux_task_getioprio,
5492 .task_setrlimit = selinux_task_setrlimit,
5493 .task_setscheduler = selinux_task_setscheduler,
5494 .task_getscheduler = selinux_task_getscheduler,
5495 .task_movememory = selinux_task_movememory,
5496 .task_kill = selinux_task_kill,
5497 .task_wait = selinux_task_wait,
5498 .task_prctl = selinux_task_prctl,
5499 .task_reparent_to_init = selinux_task_reparent_to_init,
5500 .task_to_inode = selinux_task_to_inode,
5501
5502 .ipc_permission = selinux_ipc_permission,
5503
5504 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5505 .msg_msg_free_security = selinux_msg_msg_free_security,
5506
5507 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5508 .msg_queue_free_security = selinux_msg_queue_free_security,
5509 .msg_queue_associate = selinux_msg_queue_associate,
5510 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5511 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5512 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5513
5514 .shm_alloc_security = selinux_shm_alloc_security,
5515 .shm_free_security = selinux_shm_free_security,
5516 .shm_associate = selinux_shm_associate,
5517 .shm_shmctl = selinux_shm_shmctl,
5518 .shm_shmat = selinux_shm_shmat,
5519
5520 .sem_alloc_security = selinux_sem_alloc_security,
5521 .sem_free_security = selinux_sem_free_security,
5522 .sem_associate = selinux_sem_associate,
5523 .sem_semctl = selinux_sem_semctl,
5524 .sem_semop = selinux_sem_semop,
5525
5526 .register_security = selinux_register_security,
5527
5528 .d_instantiate = selinux_d_instantiate,
5529
5530 .getprocattr = selinux_getprocattr,
5531 .setprocattr = selinux_setprocattr,
5532
5533 .secid_to_secctx = selinux_secid_to_secctx,
5534 .secctx_to_secid = selinux_secctx_to_secid,
5535 .release_secctx = selinux_release_secctx,
5536
5537 .unix_stream_connect = selinux_socket_unix_stream_connect,
5538 .unix_may_send = selinux_socket_unix_may_send,
5539
5540 .socket_create = selinux_socket_create,
5541 .socket_post_create = selinux_socket_post_create,
5542 .socket_bind = selinux_socket_bind,
5543 .socket_connect = selinux_socket_connect,
5544 .socket_listen = selinux_socket_listen,
5545 .socket_accept = selinux_socket_accept,
5546 .socket_sendmsg = selinux_socket_sendmsg,
5547 .socket_recvmsg = selinux_socket_recvmsg,
5548 .socket_getsockname = selinux_socket_getsockname,
5549 .socket_getpeername = selinux_socket_getpeername,
5550 .socket_getsockopt = selinux_socket_getsockopt,
5551 .socket_setsockopt = selinux_socket_setsockopt,
5552 .socket_shutdown = selinux_socket_shutdown,
5553 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5554 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5555 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5556 .sk_alloc_security = selinux_sk_alloc_security,
5557 .sk_free_security = selinux_sk_free_security,
5558 .sk_clone_security = selinux_sk_clone_security,
5559 .sk_getsecid = selinux_sk_getsecid,
5560 .sock_graft = selinux_sock_graft,
5561 .inet_conn_request = selinux_inet_conn_request,
5562 .inet_csk_clone = selinux_inet_csk_clone,
5563 .inet_conn_established = selinux_inet_conn_established,
5564 .req_classify_flow = selinux_req_classify_flow,
5565
5566 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5567 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5568 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5569 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5570 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5571 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5572 .xfrm_state_free_security = selinux_xfrm_state_free,
5573 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5574 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5575 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5576 .xfrm_decode_session = selinux_xfrm_decode_session,
5577 #endif
5578
5579 #ifdef CONFIG_KEYS
5580 .key_alloc = selinux_key_alloc,
5581 .key_free = selinux_key_free,
5582 .key_permission = selinux_key_permission,
5583 #endif
5584 };
5585
5586 static __init int selinux_init(void)
5587 {
5588 struct task_security_struct *tsec;
5589
5590 if (!selinux_enabled) {
5591 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5592 return 0;
5593 }
5594
5595 printk(KERN_INFO "SELinux: Initializing.\n");
5596
5597 /* Set the security state for the initial task. */
5598 if (task_alloc_security(current))
5599 panic("SELinux: Failed to initialize initial task.\n");
5600 tsec = current->security;
5601 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5602
5603 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5604 sizeof(struct inode_security_struct),
5605 0, SLAB_PANIC, NULL);
5606 avc_init();
5607
5608 original_ops = secondary_ops = security_ops;
5609 if (!secondary_ops)
5610 panic ("SELinux: No initial security operations\n");
5611 if (register_security (&selinux_ops))
5612 panic("SELinux: Unable to register with kernel.\n");
5613
5614 if (selinux_enforcing) {
5615 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5616 } else {
5617 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5618 }
5619
5620 #ifdef CONFIG_KEYS
5621 /* Add security information to initial keyrings */
5622 selinux_key_alloc(&root_user_keyring, current,
5623 KEY_ALLOC_NOT_IN_QUOTA);
5624 selinux_key_alloc(&root_session_keyring, current,
5625 KEY_ALLOC_NOT_IN_QUOTA);
5626 #endif
5627
5628 return 0;
5629 }
5630
5631 void selinux_complete_init(void)
5632 {
5633 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5634
5635 /* Set up any superblocks initialized prior to the policy load. */
5636 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5637 spin_lock(&sb_lock);
5638 spin_lock(&sb_security_lock);
5639 next_sb:
5640 if (!list_empty(&superblock_security_head)) {
5641 struct superblock_security_struct *sbsec =
5642 list_entry(superblock_security_head.next,
5643 struct superblock_security_struct,
5644 list);
5645 struct super_block *sb = sbsec->sb;
5646 sb->s_count++;
5647 spin_unlock(&sb_security_lock);
5648 spin_unlock(&sb_lock);
5649 down_read(&sb->s_umount);
5650 if (sb->s_root)
5651 superblock_doinit(sb, NULL);
5652 drop_super(sb);
5653 spin_lock(&sb_lock);
5654 spin_lock(&sb_security_lock);
5655 list_del_init(&sbsec->list);
5656 goto next_sb;
5657 }
5658 spin_unlock(&sb_security_lock);
5659 spin_unlock(&sb_lock);
5660 }
5661
5662 /* SELinux requires early initialization in order to label
5663 all processes and objects when they are created. */
5664 security_initcall(selinux_init);
5665
5666 #if defined(CONFIG_NETFILTER)
5667
5668 static struct nf_hook_ops selinux_ipv4_ops[] = {
5669 {
5670 .hook = selinux_ipv4_postroute,
5671 .owner = THIS_MODULE,
5672 .pf = PF_INET,
5673 .hooknum = NF_INET_POST_ROUTING,
5674 .priority = NF_IP_PRI_SELINUX_LAST,
5675 },
5676 {
5677 .hook = selinux_ipv4_forward,
5678 .owner = THIS_MODULE,
5679 .pf = PF_INET,
5680 .hooknum = NF_INET_FORWARD,
5681 .priority = NF_IP_PRI_SELINUX_FIRST,
5682 }
5683 };
5684
5685 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5686
5687 static struct nf_hook_ops selinux_ipv6_ops[] = {
5688 {
5689 .hook = selinux_ipv6_postroute,
5690 .owner = THIS_MODULE,
5691 .pf = PF_INET6,
5692 .hooknum = NF_INET_POST_ROUTING,
5693 .priority = NF_IP6_PRI_SELINUX_LAST,
5694 },
5695 {
5696 .hook = selinux_ipv6_forward,
5697 .owner = THIS_MODULE,
5698 .pf = PF_INET6,
5699 .hooknum = NF_INET_FORWARD,
5700 .priority = NF_IP6_PRI_SELINUX_FIRST,
5701 }
5702 };
5703
5704 #endif /* IPV6 */
5705
5706 static int __init selinux_nf_ip_init(void)
5707 {
5708 int err = 0;
5709 u32 iter;
5710
5711 if (!selinux_enabled)
5712 goto out;
5713
5714 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5715
5716 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5717 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5718 if (err)
5719 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5720 err);
5721 }
5722
5723 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5724 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5725 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5726 if (err)
5727 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5728 err);
5729 }
5730 #endif /* IPV6 */
5731
5732 out:
5733 return err;
5734 }
5735
5736 __initcall(selinux_nf_ip_init);
5737
5738 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5739 static void selinux_nf_ip_exit(void)
5740 {
5741 u32 iter;
5742
5743 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5744
5745 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5746 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5747 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5748 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5749 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5750 #endif /* IPV6 */
5751 }
5752 #endif
5753
5754 #else /* CONFIG_NETFILTER */
5755
5756 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5757 #define selinux_nf_ip_exit()
5758 #endif
5759
5760 #endif /* CONFIG_NETFILTER */
5761
5762 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5763 int selinux_disable(void)
5764 {
5765 extern void exit_sel_fs(void);
5766 static int selinux_disabled = 0;
5767
5768 if (ss_initialized) {
5769 /* Not permitted after initial policy load. */
5770 return -EINVAL;
5771 }
5772
5773 if (selinux_disabled) {
5774 /* Only do this once. */
5775 return -EINVAL;
5776 }
5777
5778 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5779
5780 selinux_disabled = 1;
5781 selinux_enabled = 0;
5782
5783 /* Reset security_ops to the secondary module, dummy or capability. */
5784 security_ops = secondary_ops;
5785
5786 /* Unregister netfilter hooks. */
5787 selinux_nf_ip_exit();
5788
5789 /* Unregister selinuxfs. */
5790 exit_sel_fs();
5791
5792 return 0;
5793 }
5794 #endif
5795
5796
WRT350N Kernel Patches