93c809a6e4fac5c1535650a2adb4d4811669c810
[deliverable/linux.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141 *
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
147 *
148 */
149 static int selinux_secmark_enabled(void)
150 {
151 return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158 struct task_security_struct *tsec;
159
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161 if (!tsec)
162 return -ENOMEM;
163
164 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
165 task->security = tsec;
166
167 return 0;
168 }
169
170 static void task_free_security(struct task_struct *task)
171 {
172 struct task_security_struct *tsec = task->security;
173 task->security = NULL;
174 kfree(tsec);
175 }
176
177 static int inode_alloc_security(struct inode *inode)
178 {
179 struct task_security_struct *tsec = current->security;
180 struct inode_security_struct *isec;
181
182 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
183 if (!isec)
184 return -ENOMEM;
185
186 mutex_init(&isec->lock);
187 INIT_LIST_HEAD(&isec->list);
188 isec->inode = inode;
189 isec->sid = SECINITSID_UNLABELED;
190 isec->sclass = SECCLASS_FILE;
191 isec->task_sid = tsec->sid;
192 inode->i_security = isec;
193
194 return 0;
195 }
196
197 static void inode_free_security(struct inode *inode)
198 {
199 struct inode_security_struct *isec = inode->i_security;
200 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
201
202 spin_lock(&sbsec->isec_lock);
203 if (!list_empty(&isec->list))
204 list_del_init(&isec->list);
205 spin_unlock(&sbsec->isec_lock);
206
207 inode->i_security = NULL;
208 kmem_cache_free(sel_inode_cache, isec);
209 }
210
211 static int file_alloc_security(struct file *file)
212 {
213 struct task_security_struct *tsec = current->security;
214 struct file_security_struct *fsec;
215
216 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
217 if (!fsec)
218 return -ENOMEM;
219
220 fsec->sid = tsec->sid;
221 fsec->fown_sid = tsec->sid;
222 file->f_security = fsec;
223
224 return 0;
225 }
226
227 static void file_free_security(struct file *file)
228 {
229 struct file_security_struct *fsec = file->f_security;
230 file->f_security = NULL;
231 kfree(fsec);
232 }
233
234 static int superblock_alloc_security(struct super_block *sb)
235 {
236 struct superblock_security_struct *sbsec;
237
238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
239 if (!sbsec)
240 return -ENOMEM;
241
242 mutex_init(&sbsec->lock);
243 INIT_LIST_HEAD(&sbsec->list);
244 INIT_LIST_HEAD(&sbsec->isec_head);
245 spin_lock_init(&sbsec->isec_lock);
246 sbsec->sb = sb;
247 sbsec->sid = SECINITSID_UNLABELED;
248 sbsec->def_sid = SECINITSID_FILE;
249 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250 sb->s_security = sbsec;
251
252 return 0;
253 }
254
255 static void superblock_free_security(struct super_block *sb)
256 {
257 struct superblock_security_struct *sbsec = sb->s_security;
258
259 spin_lock(&sb_security_lock);
260 if (!list_empty(&sbsec->list))
261 list_del_init(&sbsec->list);
262 spin_unlock(&sb_security_lock);
263
264 sb->s_security = NULL;
265 kfree(sbsec);
266 }
267
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269 {
270 struct sk_security_struct *ssec;
271
272 ssec = kzalloc(sizeof(*ssec), priority);
273 if (!ssec)
274 return -ENOMEM;
275
276 ssec->peer_sid = SECINITSID_UNLABELED;
277 ssec->sid = SECINITSID_UNLABELED;
278 sk->sk_security = ssec;
279
280 selinux_netlbl_sk_security_reset(ssec, family);
281
282 return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287 struct sk_security_struct *ssec = sk->sk_security;
288
289 sk->sk_security = NULL;
290 kfree(ssec);
291 }
292
293 /* The security server must be initialized before
294 any labeling or access decisions can be provided. */
295 extern int ss_initialized;
296
297 /* The file system's label must be initialized prior to use. */
298
299 static char *labeling_behaviors[6] = {
300 "uses xattr",
301 "uses transition SIDs",
302 "uses task SIDs",
303 "uses genfs_contexts",
304 "not configured for labeling",
305 "uses mountpoint labeling",
306 };
307
308 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309
310 static inline int inode_doinit(struct inode *inode)
311 {
312 return inode_doinit_with_dentry(inode, NULL);
313 }
314
315 enum {
316 Opt_error = -1,
317 Opt_context = 1,
318 Opt_fscontext = 2,
319 Opt_defcontext = 3,
320 Opt_rootcontext = 4,
321 };
322
323 static match_table_t tokens = {
324 {Opt_context, CONTEXT_STR "%s"},
325 {Opt_fscontext, FSCONTEXT_STR "%s"},
326 {Opt_defcontext, DEFCONTEXT_STR "%s"},
327 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
328 {Opt_error, NULL},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
332
333 static int may_context_mount_sb_relabel(u32 sid,
334 struct superblock_security_struct *sbsec,
335 struct task_security_struct *tsec)
336 {
337 int rc;
338
339 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
340 FILESYSTEM__RELABELFROM, NULL);
341 if (rc)
342 return rc;
343
344 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
345 FILESYSTEM__RELABELTO, NULL);
346 return rc;
347 }
348
349 static int may_context_mount_inode_relabel(u32 sid,
350 struct superblock_security_struct *sbsec,
351 struct task_security_struct *tsec)
352 {
353 int rc;
354 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
355 FILESYSTEM__RELABELFROM, NULL);
356 if (rc)
357 return rc;
358
359 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
360 FILESYSTEM__ASSOCIATE, NULL);
361 return rc;
362 }
363
364 static int sb_finish_set_opts(struct super_block *sb)
365 {
366 struct superblock_security_struct *sbsec = sb->s_security;
367 struct dentry *root = sb->s_root;
368 struct inode *root_inode = root->d_inode;
369 int rc = 0;
370
371 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
372 /* Make sure that the xattr handler exists and that no
373 error other than -ENODATA is returned by getxattr on
374 the root directory. -ENODATA is ok, as this may be
375 the first boot of the SELinux kernel before we have
376 assigned xattr values to the filesystem. */
377 if (!root_inode->i_op->getxattr) {
378 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
379 "xattr support\n", sb->s_id, sb->s_type->name);
380 rc = -EOPNOTSUPP;
381 goto out;
382 }
383 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
384 if (rc < 0 && rc != -ENODATA) {
385 if (rc == -EOPNOTSUPP)
386 printk(KERN_WARNING "SELinux: (dev %s, type "
387 "%s) has no security xattr handler\n",
388 sb->s_id, sb->s_type->name);
389 else
390 printk(KERN_WARNING "SELinux: (dev %s, type "
391 "%s) getxattr errno %d\n", sb->s_id,
392 sb->s_type->name, -rc);
393 goto out;
394 }
395 }
396
397 sbsec->initialized = 1;
398
399 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
401 sb->s_id, sb->s_type->name);
402 else
403 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
404 sb->s_id, sb->s_type->name,
405 labeling_behaviors[sbsec->behavior-1]);
406
407 /* Initialize the root inode. */
408 rc = inode_doinit_with_dentry(root_inode, root);
409
410 /* Initialize any other inodes associated with the superblock, e.g.
411 inodes created prior to initial policy load or inodes created
412 during get_sb by a pseudo filesystem that directly
413 populates itself. */
414 spin_lock(&sbsec->isec_lock);
415 next_inode:
416 if (!list_empty(&sbsec->isec_head)) {
417 struct inode_security_struct *isec =
418 list_entry(sbsec->isec_head.next,
419 struct inode_security_struct, list);
420 struct inode *inode = isec->inode;
421 spin_unlock(&sbsec->isec_lock);
422 inode = igrab(inode);
423 if (inode) {
424 if (!IS_PRIVATE(inode))
425 inode_doinit(inode);
426 iput(inode);
427 }
428 spin_lock(&sbsec->isec_lock);
429 list_del_init(&isec->list);
430 goto next_inode;
431 }
432 spin_unlock(&sbsec->isec_lock);
433 out:
434 return rc;
435 }
436
437 /*
438 * This function should allow an FS to ask what it's mount security
439 * options were so it can use those later for submounts, displaying
440 * mount options, or whatever.
441 */
442 static int selinux_get_mnt_opts(const struct super_block *sb,
443 struct security_mnt_opts *opts)
444 {
445 int rc = 0, i;
446 struct superblock_security_struct *sbsec = sb->s_security;
447 char *context = NULL;
448 u32 len;
449 char tmp;
450
451 security_init_mnt_opts(opts);
452
453 if (!sbsec->initialized)
454 return -EINVAL;
455
456 if (!ss_initialized)
457 return -EINVAL;
458
459 /*
460 * if we ever use sbsec flags for anything other than tracking mount
461 * settings this is going to need a mask
462 */
463 tmp = sbsec->flags;
464 /* count the number of mount options for this sb */
465 for (i = 0; i < 8; i++) {
466 if (tmp & 0x01)
467 opts->num_mnt_opts++;
468 tmp >>= 1;
469 }
470
471 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472 if (!opts->mnt_opts) {
473 rc = -ENOMEM;
474 goto out_free;
475 }
476
477 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478 if (!opts->mnt_opts_flags) {
479 rc = -ENOMEM;
480 goto out_free;
481 }
482
483 i = 0;
484 if (sbsec->flags & FSCONTEXT_MNT) {
485 rc = security_sid_to_context(sbsec->sid, &context, &len);
486 if (rc)
487 goto out_free;
488 opts->mnt_opts[i] = context;
489 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
490 }
491 if (sbsec->flags & CONTEXT_MNT) {
492 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493 if (rc)
494 goto out_free;
495 opts->mnt_opts[i] = context;
496 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
497 }
498 if (sbsec->flags & DEFCONTEXT_MNT) {
499 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500 if (rc)
501 goto out_free;
502 opts->mnt_opts[i] = context;
503 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
504 }
505 if (sbsec->flags & ROOTCONTEXT_MNT) {
506 struct inode *root = sbsec->sb->s_root->d_inode;
507 struct inode_security_struct *isec = root->i_security;
508
509 rc = security_sid_to_context(isec->sid, &context, &len);
510 if (rc)
511 goto out_free;
512 opts->mnt_opts[i] = context;
513 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
514 }
515
516 BUG_ON(i != opts->num_mnt_opts);
517
518 return 0;
519
520 out_free:
521 security_free_mnt_opts(opts);
522 return rc;
523 }
524
525 static int bad_option(struct superblock_security_struct *sbsec, char flag,
526 u32 old_sid, u32 new_sid)
527 {
528 /* check if the old mount command had the same options */
529 if (sbsec->initialized)
530 if (!(sbsec->flags & flag) ||
531 (old_sid != new_sid))
532 return 1;
533
534 /* check if we were passed the same options twice,
535 * aka someone passed context=a,context=b
536 */
537 if (!sbsec->initialized)
538 if (sbsec->flags & flag)
539 return 1;
540 return 0;
541 }
542
543 /*
544 * Allow filesystems with binary mount data to explicitly set mount point
545 * labeling information.
546 */
547 static int selinux_set_mnt_opts(struct super_block *sb,
548 struct security_mnt_opts *opts)
549 {
550 int rc = 0, i;
551 struct task_security_struct *tsec = current->security;
552 struct superblock_security_struct *sbsec = sb->s_security;
553 const char *name = sb->s_type->name;
554 struct inode *inode = sbsec->sb->s_root->d_inode;
555 struct inode_security_struct *root_isec = inode->i_security;
556 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
557 u32 defcontext_sid = 0;
558 char **mount_options = opts->mnt_opts;
559 int *flags = opts->mnt_opts_flags;
560 int num_opts = opts->num_mnt_opts;
561
562 mutex_lock(&sbsec->lock);
563
564 if (!ss_initialized) {
565 if (!num_opts) {
566 /* Defer initialization until selinux_complete_init,
567 after the initial policy is loaded and the security
568 server is ready to handle calls. */
569 spin_lock(&sb_security_lock);
570 if (list_empty(&sbsec->list))
571 list_add(&sbsec->list, &superblock_security_head);
572 spin_unlock(&sb_security_lock);
573 goto out;
574 }
575 rc = -EINVAL;
576 printk(KERN_WARNING "Unable to set superblock options before "
577 "the security server is initialized\n");
578 goto out;
579 }
580
581 /*
582 * Binary mount data FS will come through this function twice. Once
583 * from an explicit call and once from the generic calls from the vfs.
584 * Since the generic VFS calls will not contain any security mount data
585 * we need to skip the double mount verification.
586 *
587 * This does open a hole in which we will not notice if the first
588 * mount using this sb set explict options and a second mount using
589 * this sb does not set any security options. (The first options
590 * will be used for both mounts)
591 */
592 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593 && (num_opts == 0))
594 goto out;
595
596 /*
597 * parse the mount options, check if they are valid sids.
598 * also check if someone is trying to mount the same sb more
599 * than once with different security options.
600 */
601 for (i = 0; i < num_opts; i++) {
602 u32 sid;
603 rc = security_context_to_sid(mount_options[i],
604 strlen(mount_options[i]), &sid);
605 if (rc) {
606 printk(KERN_WARNING "SELinux: security_context_to_sid"
607 "(%s) failed for (dev %s, type %s) errno=%d\n",
608 mount_options[i], sb->s_id, name, rc);
609 goto out;
610 }
611 switch (flags[i]) {
612 case FSCONTEXT_MNT:
613 fscontext_sid = sid;
614
615 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
616 fscontext_sid))
617 goto out_double_mount;
618
619 sbsec->flags |= FSCONTEXT_MNT;
620 break;
621 case CONTEXT_MNT:
622 context_sid = sid;
623
624 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
625 context_sid))
626 goto out_double_mount;
627
628 sbsec->flags |= CONTEXT_MNT;
629 break;
630 case ROOTCONTEXT_MNT:
631 rootcontext_sid = sid;
632
633 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
634 rootcontext_sid))
635 goto out_double_mount;
636
637 sbsec->flags |= ROOTCONTEXT_MNT;
638
639 break;
640 case DEFCONTEXT_MNT:
641 defcontext_sid = sid;
642
643 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
644 defcontext_sid))
645 goto out_double_mount;
646
647 sbsec->flags |= DEFCONTEXT_MNT;
648
649 break;
650 default:
651 rc = -EINVAL;
652 goto out;
653 }
654 }
655
656 if (sbsec->initialized) {
657 /* previously mounted with options, but not on this attempt? */
658 if (sbsec->flags && !num_opts)
659 goto out_double_mount;
660 rc = 0;
661 goto out;
662 }
663
664 if (strcmp(sb->s_type->name, "proc") == 0)
665 sbsec->proc = 1;
666
667 /* Determine the labeling behavior to use for this filesystem type. */
668 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
669 if (rc) {
670 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
671 __func__, sb->s_type->name, rc);
672 goto out;
673 }
674
675 /* sets the context of the superblock for the fs being mounted. */
676 if (fscontext_sid) {
677
678 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
679 if (rc)
680 goto out;
681
682 sbsec->sid = fscontext_sid;
683 }
684
685 /*
686 * Switch to using mount point labeling behavior.
687 * sets the label used on all file below the mountpoint, and will set
688 * the superblock context if not already set.
689 */
690 if (context_sid) {
691 if (!fscontext_sid) {
692 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
693 if (rc)
694 goto out;
695 sbsec->sid = context_sid;
696 } else {
697 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
698 if (rc)
699 goto out;
700 }
701 if (!rootcontext_sid)
702 rootcontext_sid = context_sid;
703
704 sbsec->mntpoint_sid = context_sid;
705 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
706 }
707
708 if (rootcontext_sid) {
709 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
710 if (rc)
711 goto out;
712
713 root_isec->sid = rootcontext_sid;
714 root_isec->initialized = 1;
715 }
716
717 if (defcontext_sid) {
718 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
719 rc = -EINVAL;
720 printk(KERN_WARNING "SELinux: defcontext option is "
721 "invalid for this filesystem type\n");
722 goto out;
723 }
724
725 if (defcontext_sid != sbsec->def_sid) {
726 rc = may_context_mount_inode_relabel(defcontext_sid,
727 sbsec, tsec);
728 if (rc)
729 goto out;
730 }
731
732 sbsec->def_sid = defcontext_sid;
733 }
734
735 rc = sb_finish_set_opts(sb);
736 out:
737 mutex_unlock(&sbsec->lock);
738 return rc;
739 out_double_mount:
740 rc = -EINVAL;
741 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
742 "security settings for (dev %s, type %s)\n", sb->s_id, name);
743 goto out;
744 }
745
746 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
747 struct super_block *newsb)
748 {
749 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
750 struct superblock_security_struct *newsbsec = newsb->s_security;
751
752 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
753 int set_context = (oldsbsec->flags & CONTEXT_MNT);
754 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
755
756 /* we can't error, we can't save the info, this shouldn't get called
757 * this early in the boot process. */
758 BUG_ON(!ss_initialized);
759
760 /* how can we clone if the old one wasn't set up?? */
761 BUG_ON(!oldsbsec->initialized);
762
763 /* if fs is reusing a sb, just let its options stand... */
764 if (newsbsec->initialized)
765 return;
766
767 mutex_lock(&newsbsec->lock);
768
769 newsbsec->flags = oldsbsec->flags;
770
771 newsbsec->sid = oldsbsec->sid;
772 newsbsec->def_sid = oldsbsec->def_sid;
773 newsbsec->behavior = oldsbsec->behavior;
774
775 if (set_context) {
776 u32 sid = oldsbsec->mntpoint_sid;
777
778 if (!set_fscontext)
779 newsbsec->sid = sid;
780 if (!set_rootcontext) {
781 struct inode *newinode = newsb->s_root->d_inode;
782 struct inode_security_struct *newisec = newinode->i_security;
783 newisec->sid = sid;
784 }
785 newsbsec->mntpoint_sid = sid;
786 }
787 if (set_rootcontext) {
788 const struct inode *oldinode = oldsb->s_root->d_inode;
789 const struct inode_security_struct *oldisec = oldinode->i_security;
790 struct inode *newinode = newsb->s_root->d_inode;
791 struct inode_security_struct *newisec = newinode->i_security;
792
793 newisec->sid = oldisec->sid;
794 }
795
796 sb_finish_set_opts(newsb);
797 mutex_unlock(&newsbsec->lock);
798 }
799
800 static int selinux_parse_opts_str(char *options,
801 struct security_mnt_opts *opts)
802 {
803 char *p;
804 char *context = NULL, *defcontext = NULL;
805 char *fscontext = NULL, *rootcontext = NULL;
806 int rc, num_mnt_opts = 0;
807
808 opts->num_mnt_opts = 0;
809
810 /* Standard string-based options. */
811 while ((p = strsep(&options, "|")) != NULL) {
812 int token;
813 substring_t args[MAX_OPT_ARGS];
814
815 if (!*p)
816 continue;
817
818 token = match_token(p, tokens, args);
819
820 switch (token) {
821 case Opt_context:
822 if (context || defcontext) {
823 rc = -EINVAL;
824 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
825 goto out_err;
826 }
827 context = match_strdup(&args[0]);
828 if (!context) {
829 rc = -ENOMEM;
830 goto out_err;
831 }
832 break;
833
834 case Opt_fscontext:
835 if (fscontext) {
836 rc = -EINVAL;
837 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
838 goto out_err;
839 }
840 fscontext = match_strdup(&args[0]);
841 if (!fscontext) {
842 rc = -ENOMEM;
843 goto out_err;
844 }
845 break;
846
847 case Opt_rootcontext:
848 if (rootcontext) {
849 rc = -EINVAL;
850 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
851 goto out_err;
852 }
853 rootcontext = match_strdup(&args[0]);
854 if (!rootcontext) {
855 rc = -ENOMEM;
856 goto out_err;
857 }
858 break;
859
860 case Opt_defcontext:
861 if (context || defcontext) {
862 rc = -EINVAL;
863 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
864 goto out_err;
865 }
866 defcontext = match_strdup(&args[0]);
867 if (!defcontext) {
868 rc = -ENOMEM;
869 goto out_err;
870 }
871 break;
872
873 default:
874 rc = -EINVAL;
875 printk(KERN_WARNING "SELinux: unknown mount option\n");
876 goto out_err;
877
878 }
879 }
880
881 rc = -ENOMEM;
882 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
883 if (!opts->mnt_opts)
884 goto out_err;
885
886 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
887 if (!opts->mnt_opts_flags) {
888 kfree(opts->mnt_opts);
889 goto out_err;
890 }
891
892 if (fscontext) {
893 opts->mnt_opts[num_mnt_opts] = fscontext;
894 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
895 }
896 if (context) {
897 opts->mnt_opts[num_mnt_opts] = context;
898 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
899 }
900 if (rootcontext) {
901 opts->mnt_opts[num_mnt_opts] = rootcontext;
902 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
903 }
904 if (defcontext) {
905 opts->mnt_opts[num_mnt_opts] = defcontext;
906 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
907 }
908
909 opts->num_mnt_opts = num_mnt_opts;
910 return 0;
911
912 out_err:
913 kfree(context);
914 kfree(defcontext);
915 kfree(fscontext);
916 kfree(rootcontext);
917 return rc;
918 }
919 /*
920 * string mount options parsing and call set the sbsec
921 */
922 static int superblock_doinit(struct super_block *sb, void *data)
923 {
924 int rc = 0;
925 char *options = data;
926 struct security_mnt_opts opts;
927
928 security_init_mnt_opts(&opts);
929
930 if (!data)
931 goto out;
932
933 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
934
935 rc = selinux_parse_opts_str(options, &opts);
936 if (rc)
937 goto out_err;
938
939 out:
940 rc = selinux_set_mnt_opts(sb, &opts);
941
942 out_err:
943 security_free_mnt_opts(&opts);
944 return rc;
945 }
946
947 static inline u16 inode_mode_to_security_class(umode_t mode)
948 {
949 switch (mode & S_IFMT) {
950 case S_IFSOCK:
951 return SECCLASS_SOCK_FILE;
952 case S_IFLNK:
953 return SECCLASS_LNK_FILE;
954 case S_IFREG:
955 return SECCLASS_FILE;
956 case S_IFBLK:
957 return SECCLASS_BLK_FILE;
958 case S_IFDIR:
959 return SECCLASS_DIR;
960 case S_IFCHR:
961 return SECCLASS_CHR_FILE;
962 case S_IFIFO:
963 return SECCLASS_FIFO_FILE;
964
965 }
966
967 return SECCLASS_FILE;
968 }
969
970 static inline int default_protocol_stream(int protocol)
971 {
972 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
973 }
974
975 static inline int default_protocol_dgram(int protocol)
976 {
977 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
978 }
979
980 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
981 {
982 switch (family) {
983 case PF_UNIX:
984 switch (type) {
985 case SOCK_STREAM:
986 case SOCK_SEQPACKET:
987 return SECCLASS_UNIX_STREAM_SOCKET;
988 case SOCK_DGRAM:
989 return SECCLASS_UNIX_DGRAM_SOCKET;
990 }
991 break;
992 case PF_INET:
993 case PF_INET6:
994 switch (type) {
995 case SOCK_STREAM:
996 if (default_protocol_stream(protocol))
997 return SECCLASS_TCP_SOCKET;
998 else
999 return SECCLASS_RAWIP_SOCKET;
1000 case SOCK_DGRAM:
1001 if (default_protocol_dgram(protocol))
1002 return SECCLASS_UDP_SOCKET;
1003 else
1004 return SECCLASS_RAWIP_SOCKET;
1005 case SOCK_DCCP:
1006 return SECCLASS_DCCP_SOCKET;
1007 default:
1008 return SECCLASS_RAWIP_SOCKET;
1009 }
1010 break;
1011 case PF_NETLINK:
1012 switch (protocol) {
1013 case NETLINK_ROUTE:
1014 return SECCLASS_NETLINK_ROUTE_SOCKET;
1015 case NETLINK_FIREWALL:
1016 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1017 case NETLINK_INET_DIAG:
1018 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1019 case NETLINK_NFLOG:
1020 return SECCLASS_NETLINK_NFLOG_SOCKET;
1021 case NETLINK_XFRM:
1022 return SECCLASS_NETLINK_XFRM_SOCKET;
1023 case NETLINK_SELINUX:
1024 return SECCLASS_NETLINK_SELINUX_SOCKET;
1025 case NETLINK_AUDIT:
1026 return SECCLASS_NETLINK_AUDIT_SOCKET;
1027 case NETLINK_IP6_FW:
1028 return SECCLASS_NETLINK_IP6FW_SOCKET;
1029 case NETLINK_DNRTMSG:
1030 return SECCLASS_NETLINK_DNRT_SOCKET;
1031 case NETLINK_KOBJECT_UEVENT:
1032 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1033 default:
1034 return SECCLASS_NETLINK_SOCKET;
1035 }
1036 case PF_PACKET:
1037 return SECCLASS_PACKET_SOCKET;
1038 case PF_KEY:
1039 return SECCLASS_KEY_SOCKET;
1040 case PF_APPLETALK:
1041 return SECCLASS_APPLETALK_SOCKET;
1042 }
1043
1044 return SECCLASS_SOCKET;
1045 }
1046
1047 #ifdef CONFIG_PROC_FS
1048 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1049 u16 tclass,
1050 u32 *sid)
1051 {
1052 int buflen, rc;
1053 char *buffer, *path, *end;
1054
1055 buffer = (char*)__get_free_page(GFP_KERNEL);
1056 if (!buffer)
1057 return -ENOMEM;
1058
1059 buflen = PAGE_SIZE;
1060 end = buffer+buflen;
1061 *--end = '\0';
1062 buflen--;
1063 path = end-1;
1064 *path = '/';
1065 while (de && de != de->parent) {
1066 buflen -= de->namelen + 1;
1067 if (buflen < 0)
1068 break;
1069 end -= de->namelen;
1070 memcpy(end, de->name, de->namelen);
1071 *--end = '/';
1072 path = end;
1073 de = de->parent;
1074 }
1075 rc = security_genfs_sid("proc", path, tclass, sid);
1076 free_page((unsigned long)buffer);
1077 return rc;
1078 }
1079 #else
1080 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1081 u16 tclass,
1082 u32 *sid)
1083 {
1084 return -EINVAL;
1085 }
1086 #endif
1087
1088 /* The inode's security attributes must be initialized before first use. */
1089 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1090 {
1091 struct superblock_security_struct *sbsec = NULL;
1092 struct inode_security_struct *isec = inode->i_security;
1093 u32 sid;
1094 struct dentry *dentry;
1095 #define INITCONTEXTLEN 255
1096 char *context = NULL;
1097 unsigned len = 0;
1098 int rc = 0;
1099
1100 if (isec->initialized)
1101 goto out;
1102
1103 mutex_lock(&isec->lock);
1104 if (isec->initialized)
1105 goto out_unlock;
1106
1107 sbsec = inode->i_sb->s_security;
1108 if (!sbsec->initialized) {
1109 /* Defer initialization until selinux_complete_init,
1110 after the initial policy is loaded and the security
1111 server is ready to handle calls. */
1112 spin_lock(&sbsec->isec_lock);
1113 if (list_empty(&isec->list))
1114 list_add(&isec->list, &sbsec->isec_head);
1115 spin_unlock(&sbsec->isec_lock);
1116 goto out_unlock;
1117 }
1118
1119 switch (sbsec->behavior) {
1120 case SECURITY_FS_USE_XATTR:
1121 if (!inode->i_op->getxattr) {
1122 isec->sid = sbsec->def_sid;
1123 break;
1124 }
1125
1126 /* Need a dentry, since the xattr API requires one.
1127 Life would be simpler if we could just pass the inode. */
1128 if (opt_dentry) {
1129 /* Called from d_instantiate or d_splice_alias. */
1130 dentry = dget(opt_dentry);
1131 } else {
1132 /* Called from selinux_complete_init, try to find a dentry. */
1133 dentry = d_find_alias(inode);
1134 }
1135 if (!dentry) {
1136 printk(KERN_WARNING "%s: no dentry for dev=%s "
1137 "ino=%ld\n", __func__, inode->i_sb->s_id,
1138 inode->i_ino);
1139 goto out_unlock;
1140 }
1141
1142 len = INITCONTEXTLEN;
1143 context = kmalloc(len, GFP_NOFS);
1144 if (!context) {
1145 rc = -ENOMEM;
1146 dput(dentry);
1147 goto out_unlock;
1148 }
1149 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1150 context, len);
1151 if (rc == -ERANGE) {
1152 /* Need a larger buffer. Query for the right size. */
1153 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1154 NULL, 0);
1155 if (rc < 0) {
1156 dput(dentry);
1157 goto out_unlock;
1158 }
1159 kfree(context);
1160 len = rc;
1161 context = kmalloc(len, GFP_NOFS);
1162 if (!context) {
1163 rc = -ENOMEM;
1164 dput(dentry);
1165 goto out_unlock;
1166 }
1167 rc = inode->i_op->getxattr(dentry,
1168 XATTR_NAME_SELINUX,
1169 context, len);
1170 }
1171 dput(dentry);
1172 if (rc < 0) {
1173 if (rc != -ENODATA) {
1174 printk(KERN_WARNING "%s: getxattr returned "
1175 "%d for dev=%s ino=%ld\n", __func__,
1176 -rc, inode->i_sb->s_id, inode->i_ino);
1177 kfree(context);
1178 goto out_unlock;
1179 }
1180 /* Map ENODATA to the default file SID */
1181 sid = sbsec->def_sid;
1182 rc = 0;
1183 } else {
1184 rc = security_context_to_sid_default(context, rc, &sid,
1185 sbsec->def_sid,
1186 GFP_NOFS);
1187 if (rc) {
1188 printk(KERN_WARNING "%s: context_to_sid(%s) "
1189 "returned %d for dev=%s ino=%ld\n",
1190 __func__, context, -rc,
1191 inode->i_sb->s_id, inode->i_ino);
1192 kfree(context);
1193 /* Leave with the unlabeled SID */
1194 rc = 0;
1195 break;
1196 }
1197 }
1198 kfree(context);
1199 isec->sid = sid;
1200 break;
1201 case SECURITY_FS_USE_TASK:
1202 isec->sid = isec->task_sid;
1203 break;
1204 case SECURITY_FS_USE_TRANS:
1205 /* Default to the fs SID. */
1206 isec->sid = sbsec->sid;
1207
1208 /* Try to obtain a transition SID. */
1209 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1210 rc = security_transition_sid(isec->task_sid,
1211 sbsec->sid,
1212 isec->sclass,
1213 &sid);
1214 if (rc)
1215 goto out_unlock;
1216 isec->sid = sid;
1217 break;
1218 case SECURITY_FS_USE_MNTPOINT:
1219 isec->sid = sbsec->mntpoint_sid;
1220 break;
1221 default:
1222 /* Default to the fs superblock SID. */
1223 isec->sid = sbsec->sid;
1224
1225 if (sbsec->proc) {
1226 struct proc_inode *proci = PROC_I(inode);
1227 if (proci->pde) {
1228 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1229 rc = selinux_proc_get_sid(proci->pde,
1230 isec->sclass,
1231 &sid);
1232 if (rc)
1233 goto out_unlock;
1234 isec->sid = sid;
1235 }
1236 }
1237 break;
1238 }
1239
1240 isec->initialized = 1;
1241
1242 out_unlock:
1243 mutex_unlock(&isec->lock);
1244 out:
1245 if (isec->sclass == SECCLASS_FILE)
1246 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1247 return rc;
1248 }
1249
1250 /* Convert a Linux signal to an access vector. */
1251 static inline u32 signal_to_av(int sig)
1252 {
1253 u32 perm = 0;
1254
1255 switch (sig) {
1256 case SIGCHLD:
1257 /* Commonly granted from child to parent. */
1258 perm = PROCESS__SIGCHLD;
1259 break;
1260 case SIGKILL:
1261 /* Cannot be caught or ignored */
1262 perm = PROCESS__SIGKILL;
1263 break;
1264 case SIGSTOP:
1265 /* Cannot be caught or ignored */
1266 perm = PROCESS__SIGSTOP;
1267 break;
1268 default:
1269 /* All other signals. */
1270 perm = PROCESS__SIGNAL;
1271 break;
1272 }
1273
1274 return perm;
1275 }
1276
1277 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1278 fork check, ptrace check, etc. */
1279 static int task_has_perm(struct task_struct *tsk1,
1280 struct task_struct *tsk2,
1281 u32 perms)
1282 {
1283 struct task_security_struct *tsec1, *tsec2;
1284
1285 tsec1 = tsk1->security;
1286 tsec2 = tsk2->security;
1287 return avc_has_perm(tsec1->sid, tsec2->sid,
1288 SECCLASS_PROCESS, perms, NULL);
1289 }
1290
1291 #if CAP_LAST_CAP > 63
1292 #error Fix SELinux to handle capabilities > 63.
1293 #endif
1294
1295 /* Check whether a task is allowed to use a capability. */
1296 static int task_has_capability(struct task_struct *tsk,
1297 int cap)
1298 {
1299 struct task_security_struct *tsec;
1300 struct avc_audit_data ad;
1301 u16 sclass;
1302 u32 av = CAP_TO_MASK(cap);
1303
1304 tsec = tsk->security;
1305
1306 AVC_AUDIT_DATA_INIT(&ad,CAP);
1307 ad.tsk = tsk;
1308 ad.u.cap = cap;
1309
1310 switch (CAP_TO_INDEX(cap)) {
1311 case 0:
1312 sclass = SECCLASS_CAPABILITY;
1313 break;
1314 case 1:
1315 sclass = SECCLASS_CAPABILITY2;
1316 break;
1317 default:
1318 printk(KERN_ERR
1319 "SELinux: out of range capability %d\n", cap);
1320 BUG();
1321 }
1322 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1323 }
1324
1325 /* Check whether a task is allowed to use a system operation. */
1326 static int task_has_system(struct task_struct *tsk,
1327 u32 perms)
1328 {
1329 struct task_security_struct *tsec;
1330
1331 tsec = tsk->security;
1332
1333 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1334 SECCLASS_SYSTEM, perms, NULL);
1335 }
1336
1337 /* Check whether a task has a particular permission to an inode.
1338 The 'adp' parameter is optional and allows other audit
1339 data to be passed (e.g. the dentry). */
1340 static int inode_has_perm(struct task_struct *tsk,
1341 struct inode *inode,
1342 u32 perms,
1343 struct avc_audit_data *adp)
1344 {
1345 struct task_security_struct *tsec;
1346 struct inode_security_struct *isec;
1347 struct avc_audit_data ad;
1348
1349 if (unlikely (IS_PRIVATE (inode)))
1350 return 0;
1351
1352 tsec = tsk->security;
1353 isec = inode->i_security;
1354
1355 if (!adp) {
1356 adp = &ad;
1357 AVC_AUDIT_DATA_INIT(&ad, FS);
1358 ad.u.fs.inode = inode;
1359 }
1360
1361 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1362 }
1363
1364 /* Same as inode_has_perm, but pass explicit audit data containing
1365 the dentry to help the auditing code to more easily generate the
1366 pathname if needed. */
1367 static inline int dentry_has_perm(struct task_struct *tsk,
1368 struct vfsmount *mnt,
1369 struct dentry *dentry,
1370 u32 av)
1371 {
1372 struct inode *inode = dentry->d_inode;
1373 struct avc_audit_data ad;
1374 AVC_AUDIT_DATA_INIT(&ad,FS);
1375 ad.u.fs.path.mnt = mnt;
1376 ad.u.fs.path.dentry = dentry;
1377 return inode_has_perm(tsk, inode, av, &ad);
1378 }
1379
1380 /* Check whether a task can use an open file descriptor to
1381 access an inode in a given way. Check access to the
1382 descriptor itself, and then use dentry_has_perm to
1383 check a particular permission to the file.
1384 Access to the descriptor is implicitly granted if it
1385 has the same SID as the process. If av is zero, then
1386 access to the file is not checked, e.g. for cases
1387 where only the descriptor is affected like seek. */
1388 static int file_has_perm(struct task_struct *tsk,
1389 struct file *file,
1390 u32 av)
1391 {
1392 struct task_security_struct *tsec = tsk->security;
1393 struct file_security_struct *fsec = file->f_security;
1394 struct inode *inode = file->f_path.dentry->d_inode;
1395 struct avc_audit_data ad;
1396 int rc;
1397
1398 AVC_AUDIT_DATA_INIT(&ad, FS);
1399 ad.u.fs.path = file->f_path;
1400
1401 if (tsec->sid != fsec->sid) {
1402 rc = avc_has_perm(tsec->sid, fsec->sid,
1403 SECCLASS_FD,
1404 FD__USE,
1405 &ad);
1406 if (rc)
1407 return rc;
1408 }
1409
1410 /* av is zero if only checking access to the descriptor. */
1411 if (av)
1412 return inode_has_perm(tsk, inode, av, &ad);
1413
1414 return 0;
1415 }
1416
1417 /* Check whether a task can create a file. */
1418 static int may_create(struct inode *dir,
1419 struct dentry *dentry,
1420 u16 tclass)
1421 {
1422 struct task_security_struct *tsec;
1423 struct inode_security_struct *dsec;
1424 struct superblock_security_struct *sbsec;
1425 u32 newsid;
1426 struct avc_audit_data ad;
1427 int rc;
1428
1429 tsec = current->security;
1430 dsec = dir->i_security;
1431 sbsec = dir->i_sb->s_security;
1432
1433 AVC_AUDIT_DATA_INIT(&ad, FS);
1434 ad.u.fs.path.dentry = dentry;
1435
1436 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1437 DIR__ADD_NAME | DIR__SEARCH,
1438 &ad);
1439 if (rc)
1440 return rc;
1441
1442 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1443 newsid = tsec->create_sid;
1444 } else {
1445 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1446 &newsid);
1447 if (rc)
1448 return rc;
1449 }
1450
1451 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1452 if (rc)
1453 return rc;
1454
1455 return avc_has_perm(newsid, sbsec->sid,
1456 SECCLASS_FILESYSTEM,
1457 FILESYSTEM__ASSOCIATE, &ad);
1458 }
1459
1460 /* Check whether a task can create a key. */
1461 static int may_create_key(u32 ksid,
1462 struct task_struct *ctx)
1463 {
1464 struct task_security_struct *tsec;
1465
1466 tsec = ctx->security;
1467
1468 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1469 }
1470
1471 #define MAY_LINK 0
1472 #define MAY_UNLINK 1
1473 #define MAY_RMDIR 2
1474
1475 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1476 static int may_link(struct inode *dir,
1477 struct dentry *dentry,
1478 int kind)
1479
1480 {
1481 struct task_security_struct *tsec;
1482 struct inode_security_struct *dsec, *isec;
1483 struct avc_audit_data ad;
1484 u32 av;
1485 int rc;
1486
1487 tsec = current->security;
1488 dsec = dir->i_security;
1489 isec = dentry->d_inode->i_security;
1490
1491 AVC_AUDIT_DATA_INIT(&ad, FS);
1492 ad.u.fs.path.dentry = dentry;
1493
1494 av = DIR__SEARCH;
1495 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1496 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1497 if (rc)
1498 return rc;
1499
1500 switch (kind) {
1501 case MAY_LINK:
1502 av = FILE__LINK;
1503 break;
1504 case MAY_UNLINK:
1505 av = FILE__UNLINK;
1506 break;
1507 case MAY_RMDIR:
1508 av = DIR__RMDIR;
1509 break;
1510 default:
1511 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1512 return 0;
1513 }
1514
1515 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1516 return rc;
1517 }
1518
1519 static inline int may_rename(struct inode *old_dir,
1520 struct dentry *old_dentry,
1521 struct inode *new_dir,
1522 struct dentry *new_dentry)
1523 {
1524 struct task_security_struct *tsec;
1525 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1526 struct avc_audit_data ad;
1527 u32 av;
1528 int old_is_dir, new_is_dir;
1529 int rc;
1530
1531 tsec = current->security;
1532 old_dsec = old_dir->i_security;
1533 old_isec = old_dentry->d_inode->i_security;
1534 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1535 new_dsec = new_dir->i_security;
1536
1537 AVC_AUDIT_DATA_INIT(&ad, FS);
1538
1539 ad.u.fs.path.dentry = old_dentry;
1540 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1541 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1542 if (rc)
1543 return rc;
1544 rc = avc_has_perm(tsec->sid, old_isec->sid,
1545 old_isec->sclass, FILE__RENAME, &ad);
1546 if (rc)
1547 return rc;
1548 if (old_is_dir && new_dir != old_dir) {
1549 rc = avc_has_perm(tsec->sid, old_isec->sid,
1550 old_isec->sclass, DIR__REPARENT, &ad);
1551 if (rc)
1552 return rc;
1553 }
1554
1555 ad.u.fs.path.dentry = new_dentry;
1556 av = DIR__ADD_NAME | DIR__SEARCH;
1557 if (new_dentry->d_inode)
1558 av |= DIR__REMOVE_NAME;
1559 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1560 if (rc)
1561 return rc;
1562 if (new_dentry->d_inode) {
1563 new_isec = new_dentry->d_inode->i_security;
1564 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1565 rc = avc_has_perm(tsec->sid, new_isec->sid,
1566 new_isec->sclass,
1567 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1568 if (rc)
1569 return rc;
1570 }
1571
1572 return 0;
1573 }
1574
1575 /* Check whether a task can perform a filesystem operation. */
1576 static int superblock_has_perm(struct task_struct *tsk,
1577 struct super_block *sb,
1578 u32 perms,
1579 struct avc_audit_data *ad)
1580 {
1581 struct task_security_struct *tsec;
1582 struct superblock_security_struct *sbsec;
1583
1584 tsec = tsk->security;
1585 sbsec = sb->s_security;
1586 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1587 perms, ad);
1588 }
1589
1590 /* Convert a Linux mode and permission mask to an access vector. */
1591 static inline u32 file_mask_to_av(int mode, int mask)
1592 {
1593 u32 av = 0;
1594
1595 if ((mode & S_IFMT) != S_IFDIR) {
1596 if (mask & MAY_EXEC)
1597 av |= FILE__EXECUTE;
1598 if (mask & MAY_READ)
1599 av |= FILE__READ;
1600
1601 if (mask & MAY_APPEND)
1602 av |= FILE__APPEND;
1603 else if (mask & MAY_WRITE)
1604 av |= FILE__WRITE;
1605
1606 } else {
1607 if (mask & MAY_EXEC)
1608 av |= DIR__SEARCH;
1609 if (mask & MAY_WRITE)
1610 av |= DIR__WRITE;
1611 if (mask & MAY_READ)
1612 av |= DIR__READ;
1613 }
1614
1615 return av;
1616 }
1617
1618 /*
1619 * Convert a file mask to an access vector and include the correct open
1620 * open permission.
1621 */
1622 static inline u32 open_file_mask_to_av(int mode, int mask)
1623 {
1624 u32 av = file_mask_to_av(mode, mask);
1625
1626 if (selinux_policycap_openperm) {
1627 /*
1628 * lnk files and socks do not really have an 'open'
1629 */
1630 if (S_ISREG(mode))
1631 av |= FILE__OPEN;
1632 else if (S_ISCHR(mode))
1633 av |= CHR_FILE__OPEN;
1634 else if (S_ISBLK(mode))
1635 av |= BLK_FILE__OPEN;
1636 else if (S_ISFIFO(mode))
1637 av |= FIFO_FILE__OPEN;
1638 else if (S_ISDIR(mode))
1639 av |= DIR__OPEN;
1640 else
1641 printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1642 "with unknown mode:%x\n", mode);
1643 }
1644 return av;
1645 }
1646
1647 /* Convert a Linux file to an access vector. */
1648 static inline u32 file_to_av(struct file *file)
1649 {
1650 u32 av = 0;
1651
1652 if (file->f_mode & FMODE_READ)
1653 av |= FILE__READ;
1654 if (file->f_mode & FMODE_WRITE) {
1655 if (file->f_flags & O_APPEND)
1656 av |= FILE__APPEND;
1657 else
1658 av |= FILE__WRITE;
1659 }
1660 if (!av) {
1661 /*
1662 * Special file opened with flags 3 for ioctl-only use.
1663 */
1664 av = FILE__IOCTL;
1665 }
1666
1667 return av;
1668 }
1669
1670 /* Hook functions begin here. */
1671
1672 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1673 {
1674 int rc;
1675
1676 rc = secondary_ops->ptrace(parent,child);
1677 if (rc)
1678 return rc;
1679
1680 return task_has_perm(parent, child, PROCESS__PTRACE);
1681 }
1682
1683 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1684 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1685 {
1686 int error;
1687
1688 error = task_has_perm(current, target, PROCESS__GETCAP);
1689 if (error)
1690 return error;
1691
1692 return secondary_ops->capget(target, effective, inheritable, permitted);
1693 }
1694
1695 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1696 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1697 {
1698 int error;
1699
1700 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1701 if (error)
1702 return error;
1703
1704 return task_has_perm(current, target, PROCESS__SETCAP);
1705 }
1706
1707 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1708 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1709 {
1710 secondary_ops->capset_set(target, effective, inheritable, permitted);
1711 }
1712
1713 static int selinux_capable(struct task_struct *tsk, int cap)
1714 {
1715 int rc;
1716
1717 rc = secondary_ops->capable(tsk, cap);
1718 if (rc)
1719 return rc;
1720
1721 return task_has_capability(tsk,cap);
1722 }
1723
1724 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1725 {
1726 int buflen, rc;
1727 char *buffer, *path, *end;
1728
1729 rc = -ENOMEM;
1730 buffer = (char*)__get_free_page(GFP_KERNEL);
1731 if (!buffer)
1732 goto out;
1733
1734 buflen = PAGE_SIZE;
1735 end = buffer+buflen;
1736 *--end = '\0';
1737 buflen--;
1738 path = end-1;
1739 *path = '/';
1740 while (table) {
1741 const char *name = table->procname;
1742 size_t namelen = strlen(name);
1743 buflen -= namelen + 1;
1744 if (buflen < 0)
1745 goto out_free;
1746 end -= namelen;
1747 memcpy(end, name, namelen);
1748 *--end = '/';
1749 path = end;
1750 table = table->parent;
1751 }
1752 buflen -= 4;
1753 if (buflen < 0)
1754 goto out_free;
1755 end -= 4;
1756 memcpy(end, "/sys", 4);
1757 path = end;
1758 rc = security_genfs_sid("proc", path, tclass, sid);
1759 out_free:
1760 free_page((unsigned long)buffer);
1761 out:
1762 return rc;
1763 }
1764
1765 static int selinux_sysctl(ctl_table *table, int op)
1766 {
1767 int error = 0;
1768 u32 av;
1769 struct task_security_struct *tsec;
1770 u32 tsid;
1771 int rc;
1772
1773 rc = secondary_ops->sysctl(table, op);
1774 if (rc)
1775 return rc;
1776
1777 tsec = current->security;
1778
1779 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1780 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1781 if (rc) {
1782 /* Default to the well-defined sysctl SID. */
1783 tsid = SECINITSID_SYSCTL;
1784 }
1785
1786 /* The op values are "defined" in sysctl.c, thereby creating
1787 * a bad coupling between this module and sysctl.c */
1788 if(op == 001) {
1789 error = avc_has_perm(tsec->sid, tsid,
1790 SECCLASS_DIR, DIR__SEARCH, NULL);
1791 } else {
1792 av = 0;
1793 if (op & 004)
1794 av |= FILE__READ;
1795 if (op & 002)
1796 av |= FILE__WRITE;
1797 if (av)
1798 error = avc_has_perm(tsec->sid, tsid,
1799 SECCLASS_FILE, av, NULL);
1800 }
1801
1802 return error;
1803 }
1804
1805 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1806 {
1807 int rc = 0;
1808
1809 if (!sb)
1810 return 0;
1811
1812 switch (cmds) {
1813 case Q_SYNC:
1814 case Q_QUOTAON:
1815 case Q_QUOTAOFF:
1816 case Q_SETINFO:
1817 case Q_SETQUOTA:
1818 rc = superblock_has_perm(current,
1819 sb,
1820 FILESYSTEM__QUOTAMOD, NULL);
1821 break;
1822 case Q_GETFMT:
1823 case Q_GETINFO:
1824 case Q_GETQUOTA:
1825 rc = superblock_has_perm(current,
1826 sb,
1827 FILESYSTEM__QUOTAGET, NULL);
1828 break;
1829 default:
1830 rc = 0; /* let the kernel handle invalid cmds */
1831 break;
1832 }
1833 return rc;
1834 }
1835
1836 static int selinux_quota_on(struct dentry *dentry)
1837 {
1838 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1839 }
1840
1841 static int selinux_syslog(int type)
1842 {
1843 int rc;
1844
1845 rc = secondary_ops->syslog(type);
1846 if (rc)
1847 return rc;
1848
1849 switch (type) {
1850 case 3: /* Read last kernel messages */
1851 case 10: /* Return size of the log buffer */
1852 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1853 break;
1854 case 6: /* Disable logging to console */
1855 case 7: /* Enable logging to console */
1856 case 8: /* Set level of messages printed to console */
1857 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1858 break;
1859 case 0: /* Close log */
1860 case 1: /* Open log */
1861 case 2: /* Read from log */
1862 case 4: /* Read/clear last kernel messages */
1863 case 5: /* Clear ring buffer */
1864 default:
1865 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1866 break;
1867 }
1868 return rc;
1869 }
1870
1871 /*
1872 * Check that a process has enough memory to allocate a new virtual
1873 * mapping. 0 means there is enough memory for the allocation to
1874 * succeed and -ENOMEM implies there is not.
1875 *
1876 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1877 * if the capability is granted, but __vm_enough_memory requires 1 if
1878 * the capability is granted.
1879 *
1880 * Do not audit the selinux permission check, as this is applied to all
1881 * processes that allocate mappings.
1882 */
1883 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1884 {
1885 int rc, cap_sys_admin = 0;
1886 struct task_security_struct *tsec = current->security;
1887
1888 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1889 if (rc == 0)
1890 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1891 SECCLASS_CAPABILITY,
1892 CAP_TO_MASK(CAP_SYS_ADMIN),
1893 0,
1894 NULL);
1895
1896 if (rc == 0)
1897 cap_sys_admin = 1;
1898
1899 return __vm_enough_memory(mm, pages, cap_sys_admin);
1900 }
1901
1902 /**
1903 * task_tracer_task - return the task that is tracing the given task
1904 * @task: task to consider
1905 *
1906 * Returns NULL if noone is tracing @task, or the &struct task_struct
1907 * pointer to its tracer.
1908 *
1909 * Must be called under rcu_read_lock().
1910 */
1911 static struct task_struct *task_tracer_task(struct task_struct *task)
1912 {
1913 if (task->ptrace & PT_PTRACED)
1914 return rcu_dereference(task->parent);
1915 return NULL;
1916 }
1917
1918 /* binprm security operations */
1919
1920 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1921 {
1922 struct bprm_security_struct *bsec;
1923
1924 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1925 if (!bsec)
1926 return -ENOMEM;
1927
1928 bsec->sid = SECINITSID_UNLABELED;
1929 bsec->set = 0;
1930
1931 bprm->security = bsec;
1932 return 0;
1933 }
1934
1935 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1936 {
1937 struct task_security_struct *tsec;
1938 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1939 struct inode_security_struct *isec;
1940 struct bprm_security_struct *bsec;
1941 u32 newsid;
1942 struct avc_audit_data ad;
1943 int rc;
1944
1945 rc = secondary_ops->bprm_set_security(bprm);
1946 if (rc)
1947 return rc;
1948
1949 bsec = bprm->security;
1950
1951 if (bsec->set)
1952 return 0;
1953
1954 tsec = current->security;
1955 isec = inode->i_security;
1956
1957 /* Default to the current task SID. */
1958 bsec->sid = tsec->sid;
1959
1960 /* Reset fs, key, and sock SIDs on execve. */
1961 tsec->create_sid = 0;
1962 tsec->keycreate_sid = 0;
1963 tsec->sockcreate_sid = 0;
1964
1965 if (tsec->exec_sid) {
1966 newsid = tsec->exec_sid;
1967 /* Reset exec SID on execve. */
1968 tsec->exec_sid = 0;
1969 } else {
1970 /* Check for a default transition on this program. */
1971 rc = security_transition_sid(tsec->sid, isec->sid,
1972 SECCLASS_PROCESS, &newsid);
1973 if (rc)
1974 return rc;
1975 }
1976
1977 AVC_AUDIT_DATA_INIT(&ad, FS);
1978 ad.u.fs.path = bprm->file->f_path;
1979
1980 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1981 newsid = tsec->sid;
1982
1983 if (tsec->sid == newsid) {
1984 rc = avc_has_perm(tsec->sid, isec->sid,
1985 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1986 if (rc)
1987 return rc;
1988 } else {
1989 /* Check permissions for the transition. */
1990 rc = avc_has_perm(tsec->sid, newsid,
1991 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1992 if (rc)
1993 return rc;
1994
1995 rc = avc_has_perm(newsid, isec->sid,
1996 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1997 if (rc)
1998 return rc;
1999
2000 /* Clear any possibly unsafe personality bits on exec: */
2001 current->personality &= ~PER_CLEAR_ON_SETID;
2002
2003 /* Set the security field to the new SID. */
2004 bsec->sid = newsid;
2005 }
2006
2007 bsec->set = 1;
2008 return 0;
2009 }
2010
2011 static int selinux_bprm_check_security (struct linux_binprm *bprm)
2012 {
2013 return secondary_ops->bprm_check_security(bprm);
2014 }
2015
2016
2017 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2018 {
2019 struct task_security_struct *tsec = current->security;
2020 int atsecure = 0;
2021
2022 if (tsec->osid != tsec->sid) {
2023 /* Enable secure mode for SIDs transitions unless
2024 the noatsecure permission is granted between
2025 the two SIDs, i.e. ahp returns 0. */
2026 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2027 SECCLASS_PROCESS,
2028 PROCESS__NOATSECURE, NULL);
2029 }
2030
2031 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2032 }
2033
2034 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2035 {
2036 kfree(bprm->security);
2037 bprm->security = NULL;
2038 }
2039
2040 extern struct vfsmount *selinuxfs_mount;
2041 extern struct dentry *selinux_null;
2042
2043 /* Derived from fs/exec.c:flush_old_files. */
2044 static inline void flush_unauthorized_files(struct files_struct * files)
2045 {
2046 struct avc_audit_data ad;
2047 struct file *file, *devnull = NULL;
2048 struct tty_struct *tty;
2049 struct fdtable *fdt;
2050 long j = -1;
2051 int drop_tty = 0;
2052
2053 mutex_lock(&tty_mutex);
2054 tty = get_current_tty();
2055 if (tty) {
2056 file_list_lock();
2057 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2058 if (file) {
2059 /* Revalidate access to controlling tty.
2060 Use inode_has_perm on the tty inode directly rather
2061 than using file_has_perm, as this particular open
2062 file may belong to another process and we are only
2063 interested in the inode-based check here. */
2064 struct inode *inode = file->f_path.dentry->d_inode;
2065 if (inode_has_perm(current, inode,
2066 FILE__READ | FILE__WRITE, NULL)) {
2067 drop_tty = 1;
2068 }
2069 }
2070 file_list_unlock();
2071 }
2072 mutex_unlock(&tty_mutex);
2073 /* Reset controlling tty. */
2074 if (drop_tty)
2075 no_tty();
2076
2077 /* Revalidate access to inherited open files. */
2078
2079 AVC_AUDIT_DATA_INIT(&ad,FS);
2080
2081 spin_lock(&files->file_lock);
2082 for (;;) {
2083 unsigned long set, i;
2084 int fd;
2085
2086 j++;
2087 i = j * __NFDBITS;
2088 fdt = files_fdtable(files);
2089 if (i >= fdt->max_fds)
2090 break;
2091 set = fdt->open_fds->fds_bits[j];
2092 if (!set)
2093 continue;
2094 spin_unlock(&files->file_lock);
2095 for ( ; set ; i++,set >>= 1) {
2096 if (set & 1) {
2097 file = fget(i);
2098 if (!file)
2099 continue;
2100 if (file_has_perm(current,
2101 file,
2102 file_to_av(file))) {
2103 sys_close(i);
2104 fd = get_unused_fd();
2105 if (fd != i) {
2106 if (fd >= 0)
2107 put_unused_fd(fd);
2108 fput(file);
2109 continue;
2110 }
2111 if (devnull) {
2112 get_file(devnull);
2113 } else {
2114 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2115 if (IS_ERR(devnull)) {
2116 devnull = NULL;
2117 put_unused_fd(fd);
2118 fput(file);
2119 continue;
2120 }
2121 }
2122 fd_install(fd, devnull);
2123 }
2124 fput(file);
2125 }
2126 }
2127 spin_lock(&files->file_lock);
2128
2129 }
2130 spin_unlock(&files->file_lock);
2131 }
2132
2133 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2134 {
2135 struct task_security_struct *tsec;
2136 struct bprm_security_struct *bsec;
2137 u32 sid;
2138 int rc;
2139
2140 secondary_ops->bprm_apply_creds(bprm, unsafe);
2141
2142 tsec = current->security;
2143
2144 bsec = bprm->security;
2145 sid = bsec->sid;
2146
2147 tsec->osid = tsec->sid;
2148 bsec->unsafe = 0;
2149 if (tsec->sid != sid) {
2150 /* Check for shared state. If not ok, leave SID
2151 unchanged and kill. */
2152 if (unsafe & LSM_UNSAFE_SHARE) {
2153 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2154 PROCESS__SHARE, NULL);
2155 if (rc) {
2156 bsec->unsafe = 1;
2157 return;
2158 }
2159 }
2160
2161 /* Check for ptracing, and update the task SID if ok.
2162 Otherwise, leave SID unchanged and kill. */
2163 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2164 struct task_struct *tracer;
2165 struct task_security_struct *sec;
2166 u32 ptsid = 0;
2167
2168 rcu_read_lock();
2169 tracer = task_tracer_task(current);
2170 if (likely(tracer != NULL)) {
2171 sec = tracer->security;
2172 ptsid = sec->sid;
2173 }
2174 rcu_read_unlock();
2175
2176 if (ptsid != 0) {
2177 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2178 PROCESS__PTRACE, NULL);
2179 if (rc) {
2180 bsec->unsafe = 1;
2181 return;
2182 }
2183 }
2184 }
2185 tsec->sid = sid;
2186 }
2187 }
2188
2189 /*
2190 * called after apply_creds without the task lock held
2191 */
2192 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2193 {
2194 struct task_security_struct *tsec;
2195 struct rlimit *rlim, *initrlim;
2196 struct itimerval itimer;
2197 struct bprm_security_struct *bsec;
2198 int rc, i;
2199
2200 tsec = current->security;
2201 bsec = bprm->security;
2202
2203 if (bsec->unsafe) {
2204 force_sig_specific(SIGKILL, current);
2205 return;
2206 }
2207 if (tsec->osid == tsec->sid)
2208 return;
2209
2210 /* Close files for which the new task SID is not authorized. */
2211 flush_unauthorized_files(current->files);
2212
2213 /* Check whether the new SID can inherit signal state
2214 from the old SID. If not, clear itimers to avoid
2215 subsequent signal generation and flush and unblock
2216 signals. This must occur _after_ the task SID has
2217 been updated so that any kill done after the flush
2218 will be checked against the new SID. */
2219 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2220 PROCESS__SIGINH, NULL);
2221 if (rc) {
2222 memset(&itimer, 0, sizeof itimer);
2223 for (i = 0; i < 3; i++)
2224 do_setitimer(i, &itimer, NULL);
2225 flush_signals(current);
2226 spin_lock_irq(&current->sighand->siglock);
2227 flush_signal_handlers(current, 1);
2228 sigemptyset(&current->blocked);
2229 recalc_sigpending();
2230 spin_unlock_irq(&current->sighand->siglock);
2231 }
2232
2233 /* Always clear parent death signal on SID transitions. */
2234 current->pdeath_signal = 0;
2235
2236 /* Check whether the new SID can inherit resource limits
2237 from the old SID. If not, reset all soft limits to
2238 the lower of the current task's hard limit and the init
2239 task's soft limit. Note that the setting of hard limits
2240 (even to lower them) can be controlled by the setrlimit
2241 check. The inclusion of the init task's soft limit into
2242 the computation is to avoid resetting soft limits higher
2243 than the default soft limit for cases where the default
2244 is lower than the hard limit, e.g. RLIMIT_CORE or
2245 RLIMIT_STACK.*/
2246 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2247 PROCESS__RLIMITINH, NULL);
2248 if (rc) {
2249 for (i = 0; i < RLIM_NLIMITS; i++) {
2250 rlim = current->signal->rlim + i;
2251 initrlim = init_task.signal->rlim+i;
2252 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2253 }
2254 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2255 /*
2256 * This will cause RLIMIT_CPU calculations
2257 * to be refigured.
2258 */
2259 current->it_prof_expires = jiffies_to_cputime(1);
2260 }
2261 }
2262
2263 /* Wake up the parent if it is waiting so that it can
2264 recheck wait permission to the new task SID. */
2265 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2266 }
2267
2268 /* superblock security operations */
2269
2270 static int selinux_sb_alloc_security(struct super_block *sb)
2271 {
2272 return superblock_alloc_security(sb);
2273 }
2274
2275 static void selinux_sb_free_security(struct super_block *sb)
2276 {
2277 superblock_free_security(sb);
2278 }
2279
2280 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2281 {
2282 if (plen > olen)
2283 return 0;
2284
2285 return !memcmp(prefix, option, plen);
2286 }
2287
2288 static inline int selinux_option(char *option, int len)
2289 {
2290 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2291 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2292 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2293 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2294 }
2295
2296 static inline void take_option(char **to, char *from, int *first, int len)
2297 {
2298 if (!*first) {
2299 **to = ',';
2300 *to += 1;
2301 } else
2302 *first = 0;
2303 memcpy(*to, from, len);
2304 *to += len;
2305 }
2306
2307 static inline void take_selinux_option(char **to, char *from, int *first,
2308 int len)
2309 {
2310 int current_size = 0;
2311
2312 if (!*first) {
2313 **to = '|';
2314 *to += 1;
2315 }
2316 else
2317 *first = 0;
2318
2319 while (current_size < len) {
2320 if (*from != '"') {
2321 **to = *from;
2322 *to += 1;
2323 }
2324 from += 1;
2325 current_size += 1;
2326 }
2327 }
2328
2329 static int selinux_sb_copy_data(char *orig, char *copy)
2330 {
2331 int fnosec, fsec, rc = 0;
2332 char *in_save, *in_curr, *in_end;
2333 char *sec_curr, *nosec_save, *nosec;
2334 int open_quote = 0;
2335
2336 in_curr = orig;
2337 sec_curr = copy;
2338
2339 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2340 if (!nosec) {
2341 rc = -ENOMEM;
2342 goto out;
2343 }
2344
2345 nosec_save = nosec;
2346 fnosec = fsec = 1;
2347 in_save = in_end = orig;
2348
2349 do {
2350 if (*in_end == '"')
2351 open_quote = !open_quote;
2352 if ((*in_end == ',' && open_quote == 0) ||
2353 *in_end == '\0') {
2354 int len = in_end - in_curr;
2355
2356 if (selinux_option(in_curr, len))
2357 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2358 else
2359 take_option(&nosec, in_curr, &fnosec, len);
2360
2361 in_curr = in_end + 1;
2362 }
2363 } while (*in_end++);
2364
2365 strcpy(in_save, nosec_save);
2366 free_page((unsigned long)nosec_save);
2367 out:
2368 return rc;
2369 }
2370
2371 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2372 {
2373 struct avc_audit_data ad;
2374 int rc;
2375
2376 rc = superblock_doinit(sb, data);
2377 if (rc)
2378 return rc;
2379
2380 AVC_AUDIT_DATA_INIT(&ad,FS);
2381 ad.u.fs.path.dentry = sb->s_root;
2382 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2383 }
2384
2385 static int selinux_sb_statfs(struct dentry *dentry)
2386 {
2387 struct avc_audit_data ad;
2388
2389 AVC_AUDIT_DATA_INIT(&ad,FS);
2390 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2391 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2392 }
2393
2394 static int selinux_mount(char * dev_name,
2395 struct nameidata *nd,
2396 char * type,
2397 unsigned long flags,
2398 void * data)
2399 {
2400 int rc;
2401
2402 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2403 if (rc)
2404 return rc;
2405
2406 if (flags & MS_REMOUNT)
2407 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2408 FILESYSTEM__REMOUNT, NULL);
2409 else
2410 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2411 FILE__MOUNTON);
2412 }
2413
2414 static int selinux_umount(struct vfsmount *mnt, int flags)
2415 {
2416 int rc;
2417
2418 rc = secondary_ops->sb_umount(mnt, flags);
2419 if (rc)
2420 return rc;
2421
2422 return superblock_has_perm(current,mnt->mnt_sb,
2423 FILESYSTEM__UNMOUNT,NULL);
2424 }
2425
2426 /* inode security operations */
2427
2428 static int selinux_inode_alloc_security(struct inode *inode)
2429 {
2430 return inode_alloc_security(inode);
2431 }
2432
2433 static void selinux_inode_free_security(struct inode *inode)
2434 {
2435 inode_free_security(inode);
2436 }
2437
2438 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2439 char **name, void **value,
2440 size_t *len)
2441 {
2442 struct task_security_struct *tsec;
2443 struct inode_security_struct *dsec;
2444 struct superblock_security_struct *sbsec;
2445 u32 newsid, clen;
2446 int rc;
2447 char *namep = NULL, *context;
2448
2449 tsec = current->security;
2450 dsec = dir->i_security;
2451 sbsec = dir->i_sb->s_security;
2452
2453 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2454 newsid = tsec->create_sid;
2455 } else {
2456 rc = security_transition_sid(tsec->sid, dsec->sid,
2457 inode_mode_to_security_class(inode->i_mode),
2458 &newsid);
2459 if (rc) {
2460 printk(KERN_WARNING "%s: "
2461 "security_transition_sid failed, rc=%d (dev=%s "
2462 "ino=%ld)\n",
2463 __func__,
2464 -rc, inode->i_sb->s_id, inode->i_ino);
2465 return rc;
2466 }
2467 }
2468
2469 /* Possibly defer initialization to selinux_complete_init. */
2470 if (sbsec->initialized) {
2471 struct inode_security_struct *isec = inode->i_security;
2472 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2473 isec->sid = newsid;
2474 isec->initialized = 1;
2475 }
2476
2477 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2478 return -EOPNOTSUPP;
2479
2480 if (name) {
2481 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2482 if (!namep)
2483 return -ENOMEM;
2484 *name = namep;
2485 }
2486
2487 if (value && len) {
2488 rc = security_sid_to_context(newsid, &context, &clen);
2489 if (rc) {
2490 kfree(namep);
2491 return rc;
2492 }
2493 *value = context;
2494 *len = clen;
2495 }
2496
2497 return 0;
2498 }
2499
2500 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2501 {
2502 return may_create(dir, dentry, SECCLASS_FILE);
2503 }
2504
2505 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2506 {
2507 int rc;
2508
2509 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2510 if (rc)
2511 return rc;
2512 return may_link(dir, old_dentry, MAY_LINK);
2513 }
2514
2515 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2516 {
2517 int rc;
2518
2519 rc = secondary_ops->inode_unlink(dir, dentry);
2520 if (rc)
2521 return rc;
2522 return may_link(dir, dentry, MAY_UNLINK);
2523 }
2524
2525 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2526 {
2527 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2528 }
2529
2530 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2531 {
2532 return may_create(dir, dentry, SECCLASS_DIR);
2533 }
2534
2535 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2536 {
2537 return may_link(dir, dentry, MAY_RMDIR);
2538 }
2539
2540 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2541 {
2542 int rc;
2543
2544 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2545 if (rc)
2546 return rc;
2547
2548 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2549 }
2550
2551 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2552 struct inode *new_inode, struct dentry *new_dentry)
2553 {
2554 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2555 }
2556
2557 static int selinux_inode_readlink(struct dentry *dentry)
2558 {
2559 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2560 }
2561
2562 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2563 {
2564 int rc;
2565
2566 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2567 if (rc)
2568 return rc;
2569 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2570 }
2571
2572 static int selinux_inode_permission(struct inode *inode, int mask,
2573 struct nameidata *nd)
2574 {
2575 int rc;
2576
2577 rc = secondary_ops->inode_permission(inode, mask, nd);
2578 if (rc)
2579 return rc;
2580
2581 if (!mask) {
2582 /* No permission to check. Existence test. */
2583 return 0;
2584 }
2585
2586 return inode_has_perm(current, inode,
2587 open_file_mask_to_av(inode->i_mode, mask), NULL);
2588 }
2589
2590 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2591 {
2592 int rc;
2593
2594 rc = secondary_ops->inode_setattr(dentry, iattr);
2595 if (rc)
2596 return rc;
2597
2598 if (iattr->ia_valid & ATTR_FORCE)
2599 return 0;
2600
2601 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2602 ATTR_ATIME_SET | ATTR_MTIME_SET))
2603 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2604
2605 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2606 }
2607
2608 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2609 {
2610 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2611 }
2612
2613 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2614 {
2615 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2616 sizeof XATTR_SECURITY_PREFIX - 1)) {
2617 if (!strcmp(name, XATTR_NAME_CAPS)) {
2618 if (!capable(CAP_SETFCAP))
2619 return -EPERM;
2620 } else if (!capable(CAP_SYS_ADMIN)) {
2621 /* A different attribute in the security namespace.
2622 Restrict to administrator. */
2623 return -EPERM;
2624 }
2625 }
2626
2627 /* Not an attribute we recognize, so just check the
2628 ordinary setattr permission. */
2629 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2630 }
2631
2632 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2633 {
2634 struct task_security_struct *tsec = current->security;
2635 struct inode *inode = dentry->d_inode;
2636 struct inode_security_struct *isec = inode->i_security;
2637 struct superblock_security_struct *sbsec;
2638 struct avc_audit_data ad;
2639 u32 newsid;
2640 int rc = 0;
2641
2642 if (strcmp(name, XATTR_NAME_SELINUX))
2643 return selinux_inode_setotherxattr(dentry, name);
2644
2645 sbsec = inode->i_sb->s_security;
2646 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2647 return -EOPNOTSUPP;
2648
2649 if (!is_owner_or_cap(inode))
2650 return -EPERM;
2651
2652 AVC_AUDIT_DATA_INIT(&ad,FS);
2653 ad.u.fs.path.dentry = dentry;
2654
2655 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2656 FILE__RELABELFROM, &ad);
2657 if (rc)
2658 return rc;
2659
2660 rc = security_context_to_sid(value, size, &newsid);
2661 if (rc)
2662 return rc;
2663
2664 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2665 FILE__RELABELTO, &ad);
2666 if (rc)
2667 return rc;
2668
2669 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2670 isec->sclass);
2671 if (rc)
2672 return rc;
2673
2674 return avc_has_perm(newsid,
2675 sbsec->sid,
2676 SECCLASS_FILESYSTEM,
2677 FILESYSTEM__ASSOCIATE,
2678 &ad);
2679 }
2680
2681 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2682 void *value, size_t size, int flags)
2683 {
2684 struct inode *inode = dentry->d_inode;
2685 struct inode_security_struct *isec = inode->i_security;
2686 u32 newsid;
2687 int rc;
2688
2689 if (strcmp(name, XATTR_NAME_SELINUX)) {
2690 /* Not an attribute we recognize, so nothing to do. */
2691 return;
2692 }
2693
2694 rc = security_context_to_sid(value, size, &newsid);
2695 if (rc) {
2696 printk(KERN_WARNING "%s: unable to obtain SID for context "
2697 "%s, rc=%d\n", __func__, (char *)value, -rc);
2698 return;
2699 }
2700
2701 isec->sid = newsid;
2702 return;
2703 }
2704
2705 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2706 {
2707 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2708 }
2709
2710 static int selinux_inode_listxattr (struct dentry *dentry)
2711 {
2712 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2713 }
2714
2715 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2716 {
2717 if (strcmp(name, XATTR_NAME_SELINUX))
2718 return selinux_inode_setotherxattr(dentry, name);
2719
2720 /* No one is allowed to remove a SELinux security label.
2721 You can change the label, but all data must be labeled. */
2722 return -EACCES;
2723 }
2724
2725 /*
2726 * Copy the in-core inode security context value to the user. If the
2727 * getxattr() prior to this succeeded, check to see if we need to
2728 * canonicalize the value to be finally returned to the user.
2729 *
2730 * Permission check is handled by selinux_inode_getxattr hook.
2731 */
2732 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2733 {
2734 u32 size;
2735 int error;
2736 char *context = NULL;
2737 struct inode_security_struct *isec = inode->i_security;
2738
2739 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2740 return -EOPNOTSUPP;
2741
2742 error = security_sid_to_context(isec->sid, &context, &size);
2743 if (error)
2744 return error;
2745 error = size;
2746 if (alloc) {
2747 *buffer = context;
2748 goto out_nofree;
2749 }
2750 kfree(context);
2751 out_nofree:
2752 return error;
2753 }
2754
2755 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2756 const void *value, size_t size, int flags)
2757 {
2758 struct inode_security_struct *isec = inode->i_security;
2759 u32 newsid;
2760 int rc;
2761
2762 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2763 return -EOPNOTSUPP;
2764
2765 if (!value || !size)
2766 return -EACCES;
2767
2768 rc = security_context_to_sid((void*)value, size, &newsid);
2769 if (rc)
2770 return rc;
2771
2772 isec->sid = newsid;
2773 return 0;
2774 }
2775
2776 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2777 {
2778 const int len = sizeof(XATTR_NAME_SELINUX);
2779 if (buffer && len <= buffer_size)
2780 memcpy(buffer, XATTR_NAME_SELINUX, len);
2781 return len;
2782 }
2783
2784 static int selinux_inode_need_killpriv(struct dentry *dentry)
2785 {
2786 return secondary_ops->inode_need_killpriv(dentry);
2787 }
2788
2789 static int selinux_inode_killpriv(struct dentry *dentry)
2790 {
2791 return secondary_ops->inode_killpriv(dentry);
2792 }
2793
2794 /* file security operations */
2795
2796 static int selinux_revalidate_file_permission(struct file *file, int mask)
2797 {
2798 int rc;
2799 struct inode *inode = file->f_path.dentry->d_inode;
2800
2801 if (!mask) {
2802 /* No permission to check. Existence test. */
2803 return 0;
2804 }
2805
2806 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2807 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2808 mask |= MAY_APPEND;
2809
2810 rc = file_has_perm(current, file,
2811 file_mask_to_av(inode->i_mode, mask));
2812 if (rc)
2813 return rc;
2814
2815 return selinux_netlbl_inode_permission(inode, mask);
2816 }
2817
2818 static int selinux_file_permission(struct file *file, int mask)
2819 {
2820 struct inode *inode = file->f_path.dentry->d_inode;
2821 struct task_security_struct *tsec = current->security;
2822 struct file_security_struct *fsec = file->f_security;
2823 struct inode_security_struct *isec = inode->i_security;
2824
2825 if (!mask) {
2826 /* No permission to check. Existence test. */
2827 return 0;
2828 }
2829
2830 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2831 && fsec->pseqno == avc_policy_seqno())
2832 return selinux_netlbl_inode_permission(inode, mask);
2833
2834 return selinux_revalidate_file_permission(file, mask);
2835 }
2836
2837 static int selinux_file_alloc_security(struct file *file)
2838 {
2839 return file_alloc_security(file);
2840 }
2841
2842 static void selinux_file_free_security(struct file *file)
2843 {
2844 file_free_security(file);
2845 }
2846
2847 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2848 unsigned long arg)
2849 {
2850 int error = 0;
2851
2852 switch (cmd) {
2853 case FIONREAD:
2854 /* fall through */
2855 case FIBMAP:
2856 /* fall through */
2857 case FIGETBSZ:
2858 /* fall through */
2859 case EXT2_IOC_GETFLAGS:
2860 /* fall through */
2861 case EXT2_IOC_GETVERSION:
2862 error = file_has_perm(current, file, FILE__GETATTR);
2863 break;
2864
2865 case EXT2_IOC_SETFLAGS:
2866 /* fall through */
2867 case EXT2_IOC_SETVERSION:
2868 error = file_has_perm(current, file, FILE__SETATTR);
2869 break;
2870
2871 /* sys_ioctl() checks */
2872 case FIONBIO:
2873 /* fall through */
2874 case FIOASYNC:
2875 error = file_has_perm(current, file, 0);
2876 break;
2877
2878 case KDSKBENT:
2879 case KDSKBSENT:
2880 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2881 break;
2882
2883 /* default case assumes that the command will go
2884 * to the file's ioctl() function.
2885 */
2886 default:
2887 error = file_has_perm(current, file, FILE__IOCTL);
2888
2889 }
2890 return error;
2891 }
2892
2893 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2894 {
2895 #ifndef CONFIG_PPC32
2896 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2897 /*
2898 * We are making executable an anonymous mapping or a
2899 * private file mapping that will also be writable.
2900 * This has an additional check.
2901 */
2902 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2903 if (rc)
2904 return rc;
2905 }
2906 #endif
2907
2908 if (file) {
2909 /* read access is always possible with a mapping */
2910 u32 av = FILE__READ;
2911
2912 /* write access only matters if the mapping is shared */
2913 if (shared && (prot & PROT_WRITE))
2914 av |= FILE__WRITE;
2915
2916 if (prot & PROT_EXEC)
2917 av |= FILE__EXECUTE;
2918
2919 return file_has_perm(current, file, av);
2920 }
2921 return 0;
2922 }
2923
2924 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2925 unsigned long prot, unsigned long flags,
2926 unsigned long addr, unsigned long addr_only)
2927 {
2928 int rc = 0;
2929 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2930
2931 if (addr < mmap_min_addr)
2932 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2933 MEMPROTECT__MMAP_ZERO, NULL);
2934 if (rc || addr_only)
2935 return rc;
2936
2937 if (selinux_checkreqprot)
2938 prot = reqprot;
2939
2940 return file_map_prot_check(file, prot,
2941 (flags & MAP_TYPE) == MAP_SHARED);
2942 }
2943
2944 static int selinux_file_mprotect(struct vm_area_struct *vma,
2945 unsigned long reqprot,
2946 unsigned long prot)
2947 {
2948 int rc;
2949
2950 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2951 if (rc)
2952 return rc;
2953
2954 if (selinux_checkreqprot)
2955 prot = reqprot;
2956
2957 #ifndef CONFIG_PPC32
2958 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2959 rc = 0;
2960 if (vma->vm_start >= vma->vm_mm->start_brk &&
2961 vma->vm_end <= vma->vm_mm->brk) {
2962 rc = task_has_perm(current, current,
2963 PROCESS__EXECHEAP);
2964 } else if (!vma->vm_file &&
2965 vma->vm_start <= vma->vm_mm->start_stack &&
2966 vma->vm_end >= vma->vm_mm->start_stack) {
2967 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2968 } else if (vma->vm_file && vma->anon_vma) {
2969 /*
2970 * We are making executable a file mapping that has
2971 * had some COW done. Since pages might have been
2972 * written, check ability to execute the possibly
2973 * modified content. This typically should only
2974 * occur for text relocations.
2975 */
2976 rc = file_has_perm(current, vma->vm_file,
2977 FILE__EXECMOD);
2978 }
2979 if (rc)
2980 return rc;
2981 }
2982 #endif
2983
2984 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2985 }
2986
2987 static int selinux_file_lock(struct file *file, unsigned int cmd)
2988 {
2989 return file_has_perm(current, file, FILE__LOCK);
2990 }
2991
2992 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2993 unsigned long arg)
2994 {
2995 int err = 0;
2996
2997 switch (cmd) {
2998 case F_SETFL:
2999 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3000 err = -EINVAL;
3001 break;
3002 }
3003
3004 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3005 err = file_has_perm(current, file,FILE__WRITE);
3006 break;
3007 }
3008 /* fall through */
3009 case F_SETOWN:
3010 case F_SETSIG:
3011 case F_GETFL:
3012 case F_GETOWN:
3013 case F_GETSIG:
3014 /* Just check FD__USE permission */
3015 err = file_has_perm(current, file, 0);
3016 break;
3017 case F_GETLK:
3018 case F_SETLK:
3019 case F_SETLKW:
3020 #if BITS_PER_LONG == 32
3021 case F_GETLK64:
3022 case F_SETLK64:
3023 case F_SETLKW64:
3024 #endif
3025 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3026 err = -EINVAL;
3027 break;
3028 }
3029 err = file_has_perm(current, file, FILE__LOCK);
3030 break;
3031 }
3032
3033 return err;
3034 }
3035
3036 static int selinux_file_set_fowner(struct file *file)
3037 {
3038 struct task_security_struct *tsec;
3039 struct file_security_struct *fsec;
3040
3041 tsec = current->security;
3042 fsec = file->f_security;
3043 fsec->fown_sid = tsec->sid;
3044
3045 return 0;
3046 }
3047
3048 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3049 struct fown_struct *fown, int signum)
3050 {
3051 struct file *file;
3052 u32 perm;
3053 struct task_security_struct *tsec;
3054 struct file_security_struct *fsec;
3055
3056 /* struct fown_struct is never outside the context of a struct file */
3057 file = container_of(fown, struct file, f_owner);
3058
3059 tsec = tsk->security;
3060 fsec = file->f_security;
3061
3062 if (!signum)
3063 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3064 else
3065 perm = signal_to_av(signum);
3066
3067 return avc_has_perm(fsec->fown_sid, tsec->sid,
3068 SECCLASS_PROCESS, perm, NULL);
3069 }
3070
3071 static int selinux_file_receive(struct file *file)
3072 {
3073 return file_has_perm(current, file, file_to_av(file));
3074 }
3075
3076 static int selinux_dentry_open(struct file *file)
3077 {
3078 struct file_security_struct *fsec;
3079 struct inode *inode;
3080 struct inode_security_struct *isec;
3081 inode = file->f_path.dentry->d_inode;
3082 fsec = file->f_security;
3083 isec = inode->i_security;
3084 /*
3085 * Save inode label and policy sequence number
3086 * at open-time so that selinux_file_permission
3087 * can determine whether revalidation is necessary.
3088 * Task label is already saved in the file security
3089 * struct as its SID.
3090 */
3091 fsec->isid = isec->sid;
3092 fsec->pseqno = avc_policy_seqno();
3093 /*
3094 * Since the inode label or policy seqno may have changed
3095 * between the selinux_inode_permission check and the saving
3096 * of state above, recheck that access is still permitted.
3097 * Otherwise, access might never be revalidated against the
3098 * new inode label or new policy.
3099 * This check is not redundant - do not remove.
3100 */
3101 return inode_has_perm(current, inode, file_to_av(file), NULL);
3102 }
3103
3104 /* task security operations */
3105
3106 static int selinux_task_create(unsigned long clone_flags)
3107 {
3108 int rc;
3109
3110 rc = secondary_ops->task_create(clone_flags);
3111 if (rc)
3112 return rc;
3113
3114 return task_has_perm(current, current, PROCESS__FORK);
3115 }
3116
3117 static int selinux_task_alloc_security(struct task_struct *tsk)
3118 {
3119 struct task_security_struct *tsec1, *tsec2;
3120 int rc;
3121
3122 tsec1 = current->security;
3123
3124 rc = task_alloc_security(tsk);
3125 if (rc)
3126 return rc;
3127 tsec2 = tsk->security;
3128
3129 tsec2->osid = tsec1->osid;
3130 tsec2->sid = tsec1->sid;
3131
3132 /* Retain the exec, fs, key, and sock SIDs across fork */
3133 tsec2->exec_sid = tsec1->exec_sid;
3134 tsec2->create_sid = tsec1->create_sid;
3135 tsec2->keycreate_sid = tsec1->keycreate_sid;
3136 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3137
3138 return 0;
3139 }
3140
3141 static void selinux_task_free_security(struct task_struct *tsk)
3142 {
3143 task_free_security(tsk);
3144 }
3145
3146 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3147 {
3148 /* Since setuid only affects the current process, and
3149 since the SELinux controls are not based on the Linux
3150 identity attributes, SELinux does not need to control
3151 this operation. However, SELinux does control the use
3152 of the CAP_SETUID and CAP_SETGID capabilities using the
3153 capable hook. */
3154 return 0;
3155 }
3156
3157 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3158 {
3159 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3160 }
3161
3162 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3163 {
3164 /* See the comment for setuid above. */
3165 return 0;
3166 }
3167
3168 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3169 {
3170 return task_has_perm(current, p, PROCESS__SETPGID);
3171 }
3172
3173 static int selinux_task_getpgid(struct task_struct *p)
3174 {
3175 return task_has_perm(current, p, PROCESS__GETPGID);
3176 }
3177
3178 static int selinux_task_getsid(struct task_struct *p)
3179 {
3180 return task_has_perm(current, p, PROCESS__GETSESSION);
3181 }
3182
3183 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3184 {
3185 selinux_get_task_sid(p, secid);
3186 }
3187
3188 static int selinux_task_setgroups(struct group_info *group_info)
3189 {
3190 /* See the comment for setuid above. */
3191 return 0;
3192 }
3193
3194 static int selinux_task_setnice(struct task_struct *p, int nice)
3195 {
3196 int rc;
3197
3198 rc = secondary_ops->task_setnice(p, nice);
3199 if (rc)
3200 return rc;
3201
3202 return task_has_perm(current,p, PROCESS__SETSCHED);
3203 }
3204
3205 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3206 {
3207 int rc;
3208
3209 rc = secondary_ops->task_setioprio(p, ioprio);
3210 if (rc)
3211 return rc;
3212
3213 return task_has_perm(current, p, PROCESS__SETSCHED);
3214 }
3215
3216 static int selinux_task_getioprio(struct task_struct *p)
3217 {
3218 return task_has_perm(current, p, PROCESS__GETSCHED);
3219 }
3220
3221 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3222 {
3223 struct rlimit *old_rlim = current->signal->rlim + resource;
3224 int rc;
3225
3226 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3227 if (rc)
3228 return rc;
3229
3230 /* Control the ability to change the hard limit (whether
3231 lowering or raising it), so that the hard limit can
3232 later be used as a safe reset point for the soft limit
3233 upon context transitions. See selinux_bprm_apply_creds. */
3234 if (old_rlim->rlim_max != new_rlim->rlim_max)
3235 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3236
3237 return 0;
3238 }
3239
3240 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3241 {
3242 int rc;
3243
3244 rc = secondary_ops->task_setscheduler(p, policy, lp);
3245 if (rc)
3246 return rc;
3247
3248 return task_has_perm(current, p, PROCESS__SETSCHED);
3249 }
3250
3251 static int selinux_task_getscheduler(struct task_struct *p)
3252 {
3253 return task_has_perm(current, p, PROCESS__GETSCHED);
3254 }
3255
3256 static int selinux_task_movememory(struct task_struct *p)
3257 {
3258 return task_has_perm(current, p, PROCESS__SETSCHED);
3259 }
3260
3261 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3262 int sig, u32 secid)
3263 {
3264 u32 perm;
3265 int rc;
3266 struct task_security_struct *tsec;
3267
3268 rc = secondary_ops->task_kill(p, info, sig, secid);
3269 if (rc)
3270 return rc;
3271
3272 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3273 return 0;
3274
3275 if (!sig)
3276 perm = PROCESS__SIGNULL; /* null signal; existence test */
3277 else
3278 perm = signal_to_av(sig);
3279 tsec = p->security;
3280 if (secid)
3281 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3282 else
3283 rc = task_has_perm(current, p, perm);
3284 return rc;
3285 }
3286
3287 static int selinux_task_prctl(int option,
3288 unsigned long arg2,
3289 unsigned long arg3,
3290 unsigned long arg4,
3291 unsigned long arg5)
3292 {
3293 /* The current prctl operations do not appear to require
3294 any SELinux controls since they merely observe or modify
3295 the state of the current process. */
3296 return 0;
3297 }
3298
3299 static int selinux_task_wait(struct task_struct *p)
3300 {
3301 return task_has_perm(p, current, PROCESS__SIGCHLD);
3302 }
3303
3304 static void selinux_task_reparent_to_init(struct task_struct *p)
3305 {
3306 struct task_security_struct *tsec;
3307
3308 secondary_ops->task_reparent_to_init(p);
3309
3310 tsec = p->security;
3311 tsec->osid = tsec->sid;
3312 tsec->sid = SECINITSID_KERNEL;
3313 return;
3314 }
3315
3316 static void selinux_task_to_inode(struct task_struct *p,
3317 struct inode *inode)
3318 {
3319 struct task_security_struct *tsec = p->security;
3320 struct inode_security_struct *isec = inode->i_security;
3321
3322 isec->sid = tsec->sid;
3323 isec->initialized = 1;
3324 return;
3325 }
3326
3327 /* Returns error only if unable to parse addresses */
3328 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3329 struct avc_audit_data *ad, u8 *proto)
3330 {
3331 int offset, ihlen, ret = -EINVAL;
3332 struct iphdr _iph, *ih;
3333
3334 offset = skb_network_offset(skb);
3335 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3336 if (ih == NULL)
3337 goto out;
3338
3339 ihlen = ih->ihl * 4;
3340 if (ihlen < sizeof(_iph))
3341 goto out;
3342
3343 ad->u.net.v4info.saddr = ih->saddr;
3344 ad->u.net.v4info.daddr = ih->daddr;
3345 ret = 0;
3346
3347 if (proto)
3348 *proto = ih->protocol;
3349
3350 switch (ih->protocol) {
3351 case IPPROTO_TCP: {
3352 struct tcphdr _tcph, *th;
3353
3354 if (ntohs(ih->frag_off) & IP_OFFSET)
3355 break;
3356
3357 offset += ihlen;
3358 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3359 if (th == NULL)
3360 break;
3361
3362 ad->u.net.sport = th->source;
3363 ad->u.net.dport = th->dest;
3364 break;
3365 }
3366
3367 case IPPROTO_UDP: {
3368 struct udphdr _udph, *uh;
3369
3370 if (ntohs(ih->frag_off) & IP_OFFSET)
3371 break;
3372
3373 offset += ihlen;
3374 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3375 if (uh == NULL)
3376 break;
3377
3378 ad->u.net.sport = uh->source;
3379 ad->u.net.dport = uh->dest;
3380 break;
3381 }
3382
3383 case IPPROTO_DCCP: {
3384 struct dccp_hdr _dccph, *dh;
3385
3386 if (ntohs(ih->frag_off) & IP_OFFSET)
3387 break;
3388
3389 offset += ihlen;
3390 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3391 if (dh == NULL)
3392 break;
3393
3394 ad->u.net.sport = dh->dccph_sport;
3395 ad->u.net.dport = dh->dccph_dport;
3396 break;
3397 }
3398
3399 default:
3400 break;
3401 }
3402 out:
3403 return ret;
3404 }
3405
3406 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3407
3408 /* Returns error only if unable to parse addresses */
3409 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3410 struct avc_audit_data *ad, u8 *proto)
3411 {
3412 u8 nexthdr;
3413 int ret = -EINVAL, offset;
3414 struct ipv6hdr _ipv6h, *ip6;
3415
3416 offset = skb_network_offset(skb);
3417 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3418 if (ip6 == NULL)
3419 goto out;
3420
3421 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3422 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3423 ret = 0;
3424
3425 nexthdr = ip6->nexthdr;
3426 offset += sizeof(_ipv6h);
3427 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3428 if (offset < 0)
3429 goto out;
3430
3431 if (proto)
3432 *proto = nexthdr;
3433
3434 switch (nexthdr) {
3435 case IPPROTO_TCP: {
3436 struct tcphdr _tcph, *th;
3437
3438 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3439 if (th == NULL)
3440 break;
3441
3442 ad->u.net.sport = th->source;
3443 ad->u.net.dport = th->dest;
3444 break;
3445 }
3446
3447 case IPPROTO_UDP: {
3448 struct udphdr _udph, *uh;
3449
3450 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3451 if (uh == NULL)
3452 break;
3453
3454 ad->u.net.sport = uh->source;
3455 ad->u.net.dport = uh->dest;
3456 break;
3457 }
3458
3459 case IPPROTO_DCCP: {
3460 struct dccp_hdr _dccph, *dh;
3461
3462 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3463 if (dh == NULL)
3464 break;
3465
3466 ad->u.net.sport = dh->dccph_sport;
3467 ad->u.net.dport = dh->dccph_dport;
3468 break;
3469 }
3470
3471 /* includes fragments */
3472 default:
3473 break;
3474 }
3475 out:
3476 return ret;
3477 }
3478
3479 #endif /* IPV6 */
3480
3481 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3482 char **addrp, int src, u8 *proto)
3483 {
3484 int ret = 0;
3485
3486 switch (ad->u.net.family) {
3487 case PF_INET:
3488 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3489 if (ret || !addrp)
3490 break;
3491 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3492 &ad->u.net.v4info.daddr);
3493 break;
3494
3495 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3496 case PF_INET6:
3497 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3498 if (ret || !addrp)
3499 break;
3500 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3501 &ad->u.net.v6info.daddr);
3502 break;
3503 #endif /* IPV6 */
3504 default:
3505 break;
3506 }
3507
3508 if (unlikely(ret))
3509 printk(KERN_WARNING
3510 "SELinux: failure in selinux_parse_skb(),"
3511 " unable to parse packet\n");
3512
3513 return ret;
3514 }
3515
3516 /**
3517 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3518 * @skb: the packet
3519 * @family: protocol family
3520 * @sid: the packet's peer label SID
3521 *
3522 * Description:
3523 * Check the various different forms of network peer labeling and determine
3524 * the peer label/SID for the packet; most of the magic actually occurs in
3525 * the security server function security_net_peersid_cmp(). The function
3526 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3527 * or -EACCES if @sid is invalid due to inconsistencies with the different
3528 * peer labels.
3529 *
3530 */
3531 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3532 {
3533 int err;
3534 u32 xfrm_sid;
3535 u32 nlbl_sid;
3536 u32 nlbl_type;
3537
3538 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3539 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3540
3541 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3542 if (unlikely(err)) {
3543 printk(KERN_WARNING
3544 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3545 " unable to determine packet's peer label\n");
3546 return -EACCES;
3547 }
3548
3549 return 0;
3550 }
3551
3552 /* socket security operations */
3553 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3554 u32 perms)
3555 {
3556 struct inode_security_struct *isec;
3557 struct task_security_struct *tsec;
3558 struct avc_audit_data ad;
3559 int err = 0;
3560
3561 tsec = task->security;
3562 isec = SOCK_INODE(sock)->i_security;
3563
3564 if (isec->sid == SECINITSID_KERNEL)
3565 goto out;
3566
3567 AVC_AUDIT_DATA_INIT(&ad,NET);
3568 ad.u.net.sk = sock->sk;
3569 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3570
3571 out:
3572 return err;
3573 }
3574
3575 static int selinux_socket_create(int family, int type,
3576 int protocol, int kern)
3577 {
3578 int err = 0;
3579 struct task_security_struct *tsec;
3580 u32 newsid;
3581
3582 if (kern)
3583 goto out;
3584
3585 tsec = current->security;
3586 newsid = tsec->sockcreate_sid ? : tsec->sid;
3587 err = avc_has_perm(tsec->sid, newsid,
3588 socket_type_to_security_class(family, type,
3589 protocol), SOCKET__CREATE, NULL);
3590
3591 out:
3592 return err;
3593 }
3594
3595 static int selinux_socket_post_create(struct socket *sock, int family,
3596 int type, int protocol, int kern)
3597 {
3598 int err = 0;
3599 struct inode_security_struct *isec;
3600 struct task_security_struct *tsec;
3601 struct sk_security_struct *sksec;
3602 u32 newsid;
3603
3604 isec = SOCK_INODE(sock)->i_security;
3605
3606 tsec = current->security;
3607 newsid = tsec->sockcreate_sid ? : tsec->sid;
3608 isec->sclass = socket_type_to_security_class(family, type, protocol);
3609 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3610 isec->initialized = 1;
3611
3612 if (sock->sk) {
3613 sksec = sock->sk->sk_security;
3614 sksec->sid = isec->sid;
3615 sksec->sclass = isec->sclass;
3616 err = selinux_netlbl_socket_post_create(sock);
3617 }
3618
3619 return err;
3620 }
3621
3622 /* Range of port numbers used to automatically bind.
3623 Need to determine whether we should perform a name_bind
3624 permission check between the socket and the port number. */
3625
3626 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3627 {
3628 u16 family;
3629 int err;
3630
3631 err = socket_has_perm(current, sock, SOCKET__BIND);
3632 if (err)
3633 goto out;
3634
3635 /*
3636 * If PF_INET or PF_INET6, check name_bind permission for the port.
3637 * Multiple address binding for SCTP is not supported yet: we just
3638 * check the first address now.
3639 */
3640 family = sock->sk->sk_family;
3641 if (family == PF_INET || family == PF_INET6) {
3642 char *addrp;
3643 struct inode_security_struct *isec;
3644 struct task_security_struct *tsec;
3645 struct avc_audit_data ad;
3646 struct sockaddr_in *addr4 = NULL;
3647 struct sockaddr_in6 *addr6 = NULL;
3648 unsigned short snum;
3649 struct sock *sk = sock->sk;
3650 u32 sid, node_perm, addrlen;
3651
3652 tsec = current->security;
3653 isec = SOCK_INODE(sock)->i_security;
3654
3655 if (family == PF_INET) {
3656 addr4 = (struct sockaddr_in *)address;
3657 snum = ntohs(addr4->sin_port);
3658 addrlen = sizeof(addr4->sin_addr.s_addr);
3659 addrp = (char *)&addr4->sin_addr.s_addr;
3660 } else {
3661 addr6 = (struct sockaddr_in6 *)address;
3662 snum = ntohs(addr6->sin6_port);
3663 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3664 addrp = (char *)&addr6->sin6_addr.s6_addr;
3665 }
3666
3667 if (snum) {
3668 int low, high;
3669
3670 inet_get_local_port_range(&low, &high);
3671
3672 if (snum < max(PROT_SOCK, low) || snum > high) {
3673 err = security_port_sid(sk->sk_family,
3674 sk->sk_type,
3675 sk->sk_protocol, snum,
3676 &sid);
3677 if (err)
3678 goto out;
3679 AVC_AUDIT_DATA_INIT(&ad,NET);
3680 ad.u.net.sport = htons(snum);
3681 ad.u.net.family = family;
3682 err = avc_has_perm(isec->sid, sid,
3683 isec->sclass,
3684 SOCKET__NAME_BIND, &ad);
3685 if (err)
3686 goto out;
3687 }
3688 }
3689
3690 switch(isec->sclass) {
3691 case SECCLASS_TCP_SOCKET:
3692 node_perm = TCP_SOCKET__NODE_BIND;
3693 break;
3694
3695 case SECCLASS_UDP_SOCKET:
3696 node_perm = UDP_SOCKET__NODE_BIND;
3697 break;
3698
3699 case SECCLASS_DCCP_SOCKET:
3700 node_perm = DCCP_SOCKET__NODE_BIND;
3701 break;
3702
3703 default:
3704 node_perm = RAWIP_SOCKET__NODE_BIND;
3705 break;
3706 }
3707
3708 err = sel_netnode_sid(addrp, family, &sid);
3709 if (err)
3710 goto out;
3711
3712 AVC_AUDIT_DATA_INIT(&ad,NET);
3713 ad.u.net.sport = htons(snum);
3714 ad.u.net.family = family;
3715
3716 if (family == PF_INET)
3717 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3718 else
3719 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3720
3721 err = avc_has_perm(isec->sid, sid,
3722 isec->sclass, node_perm, &ad);
3723 if (err)
3724 goto out;
3725 }
3726 out:
3727 return err;
3728 }
3729
3730 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3731 {
3732 struct inode_security_struct *isec;
3733 int err;
3734
3735 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3736 if (err)
3737 return err;
3738
3739 /*
3740 * If a TCP or DCCP socket, check name_connect permission for the port.
3741 */
3742 isec = SOCK_INODE(sock)->i_security;
3743 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3744 isec->sclass == SECCLASS_DCCP_SOCKET) {
3745 struct sock *sk = sock->sk;
3746 struct avc_audit_data ad;
3747 struct sockaddr_in *addr4 = NULL;
3748 struct sockaddr_in6 *addr6 = NULL;
3749 unsigned short snum;
3750 u32 sid, perm;
3751
3752 if (sk->sk_family == PF_INET) {
3753 addr4 = (struct sockaddr_in *)address;
3754 if (addrlen < sizeof(struct sockaddr_in))
3755 return -EINVAL;
3756 snum = ntohs(addr4->sin_port);
3757 } else {
3758 addr6 = (struct sockaddr_in6 *)address;
3759 if (addrlen < SIN6_LEN_RFC2133)
3760 return -EINVAL;
3761 snum = ntohs(addr6->sin6_port);
3762 }
3763
3764 err = security_port_sid(sk->sk_family, sk->sk_type,
3765 sk->sk_protocol, snum, &sid);
3766 if (err)
3767 goto out;
3768
3769 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3770 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3771
3772 AVC_AUDIT_DATA_INIT(&ad,NET);
3773 ad.u.net.dport = htons(snum);
3774 ad.u.net.family = sk->sk_family;
3775 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3776 if (err)
3777 goto out;
3778 }
3779
3780 out:
3781 return err;
3782 }
3783
3784 static int selinux_socket_listen(struct socket *sock, int backlog)
3785 {
3786 return socket_has_perm(current, sock, SOCKET__LISTEN);
3787 }
3788
3789 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3790 {
3791 int err;
3792 struct inode_security_struct *isec;
3793 struct inode_security_struct *newisec;
3794
3795 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3796 if (err)
3797 return err;
3798
3799 newisec = SOCK_INODE(newsock)->i_security;
3800
3801 isec = SOCK_INODE(sock)->i_security;
3802 newisec->sclass = isec->sclass;
3803 newisec->sid = isec->sid;
3804 newisec->initialized = 1;
3805
3806 return 0;
3807 }
3808
3809 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3810 int size)
3811 {
3812 int rc;
3813
3814 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3815 if (rc)
3816 return rc;
3817
3818 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3819 }
3820
3821 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3822 int size, int flags)
3823 {
3824 return socket_has_perm(current, sock, SOCKET__READ);
3825 }
3826
3827 static int selinux_socket_getsockname(struct socket *sock)
3828 {
3829 return socket_has_perm(current, sock, SOCKET__GETATTR);
3830 }
3831
3832 static int selinux_socket_getpeername(struct socket *sock)
3833 {
3834 return socket_has_perm(current, sock, SOCKET__GETATTR);
3835 }
3836
3837 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3838 {
3839 int err;
3840
3841 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3842 if (err)
3843 return err;
3844
3845 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3846 }
3847
3848 static int selinux_socket_getsockopt(struct socket *sock, int level,
3849 int optname)
3850 {
3851 return socket_has_perm(current, sock, SOCKET__GETOPT);
3852 }
3853
3854 static int selinux_socket_shutdown(struct socket *sock, int how)
3855 {
3856 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3857 }
3858
3859 static int selinux_socket_unix_stream_connect(struct socket *sock,
3860 struct socket *other,
3861 struct sock *newsk)
3862 {
3863 struct sk_security_struct *ssec;
3864 struct inode_security_struct *isec;
3865 struct inode_security_struct *other_isec;
3866 struct avc_audit_data ad;
3867 int err;
3868
3869 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3870 if (err)
3871 return err;
3872
3873 isec = SOCK_INODE(sock)->i_security;
3874 other_isec = SOCK_INODE(other)->i_security;
3875
3876 AVC_AUDIT_DATA_INIT(&ad,NET);
3877 ad.u.net.sk = other->sk;
3878
3879 err = avc_has_perm(isec->sid, other_isec->sid,
3880 isec->sclass,
3881 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3882 if (err)
3883 return err;
3884
3885 /* connecting socket */
3886 ssec = sock->sk->sk_security;
3887 ssec->peer_sid = other_isec->sid;
3888
3889 /* server child socket */
3890 ssec = newsk->sk_security;
3891 ssec->peer_sid = isec->sid;
3892 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3893
3894 return err;
3895 }
3896
3897 static int selinux_socket_unix_may_send(struct socket *sock,
3898 struct socket *other)
3899 {
3900 struct inode_security_struct *isec;
3901 struct inode_security_struct *other_isec;
3902 struct avc_audit_data ad;
3903 int err;
3904
3905 isec = SOCK_INODE(sock)->i_security;
3906 other_isec = SOCK_INODE(other)->i_security;
3907
3908 AVC_AUDIT_DATA_INIT(&ad,NET);
3909 ad.u.net.sk = other->sk;
3910
3911 err = avc_has_perm(isec->sid, other_isec->sid,
3912 isec->sclass, SOCKET__SENDTO, &ad);
3913 if (err)
3914 return err;
3915
3916 return 0;
3917 }
3918
3919 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3920 u32 peer_sid,
3921 struct avc_audit_data *ad)
3922 {
3923 int err;
3924 u32 if_sid;
3925 u32 node_sid;
3926
3927 err = sel_netif_sid(ifindex, &if_sid);
3928 if (err)
3929 return err;
3930 err = avc_has_perm(peer_sid, if_sid,
3931 SECCLASS_NETIF, NETIF__INGRESS, ad);
3932 if (err)
3933 return err;
3934
3935 err = sel_netnode_sid(addrp, family, &node_sid);
3936 if (err)
3937 return err;
3938 return avc_has_perm(peer_sid, node_sid,
3939 SECCLASS_NODE, NODE__RECVFROM, ad);
3940 }
3941
3942 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3943 struct sk_buff *skb,
3944 struct avc_audit_data *ad,
3945 u16 family,
3946 char *addrp)
3947 {
3948 int err;
3949 struct sk_security_struct *sksec = sk->sk_security;
3950 u16 sk_class;
3951 u32 netif_perm, node_perm, recv_perm;
3952 u32 port_sid, node_sid, if_sid, sk_sid;
3953
3954 sk_sid = sksec->sid;
3955 sk_class = sksec->sclass;
3956
3957 switch (sk_class) {
3958 case SECCLASS_UDP_SOCKET:
3959 netif_perm = NETIF__UDP_RECV;
3960 node_perm = NODE__UDP_RECV;
3961 recv_perm = UDP_SOCKET__RECV_MSG;
3962 break;
3963 case SECCLASS_TCP_SOCKET:
3964 netif_perm = NETIF__TCP_RECV;
3965 node_perm = NODE__TCP_RECV;
3966 recv_perm = TCP_SOCKET__RECV_MSG;
3967 break;
3968 case SECCLASS_DCCP_SOCKET:
3969 netif_perm = NETIF__DCCP_RECV;
3970 node_perm = NODE__DCCP_RECV;
3971 recv_perm = DCCP_SOCKET__RECV_MSG;
3972 break;
3973 default:
3974 netif_perm = NETIF__RAWIP_RECV;
3975 node_perm = NODE__RAWIP_RECV;
3976 recv_perm = 0;
3977 break;
3978 }
3979
3980 err = sel_netif_sid(skb->iif, &if_sid);
3981 if (err)
3982 return err;
3983 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3984 if (err)
3985 return err;
3986
3987 err = sel_netnode_sid(addrp, family, &node_sid);
3988 if (err)
3989 return err;
3990 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3991 if (err)
3992 return err;
3993
3994 if (!recv_perm)
3995 return 0;
3996 err = security_port_sid(sk->sk_family, sk->sk_type,
3997 sk->sk_protocol, ntohs(ad->u.net.sport),
3998 &port_sid);
3999 if (unlikely(err)) {
4000 printk(KERN_WARNING
4001 "SELinux: failure in"
4002 " selinux_sock_rcv_skb_iptables_compat(),"
4003 " network port label not found\n");
4004 return err;
4005 }
4006 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4007 }
4008
4009 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4010 struct avc_audit_data *ad,
4011 u16 family, char *addrp)
4012 {
4013 int err;
4014 struct sk_security_struct *sksec = sk->sk_security;
4015 u32 peer_sid;
4016 u32 sk_sid = sksec->sid;
4017
4018 if (selinux_compat_net)
4019 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4020 family, addrp);
4021 else
4022 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4023 PACKET__RECV, ad);
4024 if (err)
4025 return err;
4026
4027 if (selinux_policycap_netpeer) {
4028 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4029 if (err)
4030 return err;
4031 err = avc_has_perm(sk_sid, peer_sid,
4032 SECCLASS_PEER, PEER__RECV, ad);
4033 } else {
4034 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4035 if (err)
4036 return err;
4037 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4038 }
4039
4040 return err;
4041 }
4042
4043 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4044 {
4045 int err;
4046 struct sk_security_struct *sksec = sk->sk_security;
4047 u16 family = sk->sk_family;
4048 u32 sk_sid = sksec->sid;
4049 struct avc_audit_data ad;
4050 char *addrp;
4051
4052 if (family != PF_INET && family != PF_INET6)
4053 return 0;
4054
4055 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4056 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4057 family = PF_INET;
4058
4059 AVC_AUDIT_DATA_INIT(&ad, NET);
4060 ad.u.net.netif = skb->iif;
4061 ad.u.net.family = family;
4062 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4063 if (err)
4064 return err;
4065
4066 /* If any sort of compatibility mode is enabled then handoff processing
4067 * to the selinux_sock_rcv_skb_compat() function to deal with the
4068 * special handling. We do this in an attempt to keep this function
4069 * as fast and as clean as possible. */
4070 if (selinux_compat_net || !selinux_policycap_netpeer)
4071 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4072 family, addrp);
4073
4074 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4075 u32 peer_sid;
4076
4077 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4078 if (err)
4079 return err;
4080 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4081 peer_sid, &ad);
4082 if (err)
4083 return err;
4084 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4085 PEER__RECV, &ad);
4086 }
4087
4088 if (selinux_secmark_enabled()) {
4089 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4090 PACKET__RECV, &ad);
4091 if (err)
4092 return err;
4093 }
4094
4095 return err;
4096 }
4097
4098 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4099 int __user *optlen, unsigned len)
4100 {
4101 int err = 0;
4102 char *scontext;
4103 u32 scontext_len;
4104 struct sk_security_struct *ssec;
4105 struct inode_security_struct *isec;
4106 u32 peer_sid = SECSID_NULL;
4107
4108 isec = SOCK_INODE(sock)->i_security;
4109
4110 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4111 isec->sclass == SECCLASS_TCP_SOCKET) {
4112 ssec = sock->sk->sk_security;
4113 peer_sid = ssec->peer_sid;
4114 }
4115 if (peer_sid == SECSID_NULL) {
4116 err = -ENOPROTOOPT;
4117 goto out;
4118 }
4119
4120 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4121
4122 if (err)
4123 goto out;
4124
4125 if (scontext_len > len) {
4126 err = -ERANGE;
4127 goto out_len;
4128 }
4129
4130 if (copy_to_user(optval, scontext, scontext_len))
4131 err = -EFAULT;
4132
4133 out_len:
4134 if (put_user(scontext_len, optlen))
4135 err = -EFAULT;
4136
4137 kfree(scontext);
4138 out:
4139 return err;
4140 }
4141
4142 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4143 {
4144 u32 peer_secid = SECSID_NULL;
4145 u16 family;
4146
4147 if (sock)
4148 family = sock->sk->sk_family;
4149 else if (skb && skb->sk)
4150 family = skb->sk->sk_family;
4151 else
4152 goto out;
4153
4154 if (sock && family == PF_UNIX)
4155 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4156 else if (skb)
4157 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4158
4159 out:
4160 *secid = peer_secid;
4161 if (peer_secid == SECSID_NULL)
4162 return -EINVAL;
4163 return 0;
4164 }
4165
4166 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4167 {
4168 return sk_alloc_security(sk, family, priority);
4169 }
4170
4171 static void selinux_sk_free_security(struct sock *sk)
4172 {
4173 sk_free_security(sk);
4174 }
4175
4176 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4177 {
4178 struct sk_security_struct *ssec = sk->sk_security;
4179 struct sk_security_struct *newssec = newsk->sk_security;
4180
4181 newssec->sid = ssec->sid;
4182 newssec->peer_sid = ssec->peer_sid;
4183 newssec->sclass = ssec->sclass;
4184
4185 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4186 }
4187
4188 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4189 {
4190 if (!sk)
4191 *secid = SECINITSID_ANY_SOCKET;
4192 else {
4193 struct sk_security_struct *sksec = sk->sk_security;
4194
4195 *secid = sksec->sid;
4196 }
4197 }
4198
4199 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4200 {
4201 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4202 struct sk_security_struct *sksec = sk->sk_security;
4203
4204 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4205 sk->sk_family == PF_UNIX)
4206 isec->sid = sksec->sid;
4207 sksec->sclass = isec->sclass;
4208
4209 selinux_netlbl_sock_graft(sk, parent);
4210 }
4211
4212 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4213 struct request_sock *req)
4214 {
4215 struct sk_security_struct *sksec = sk->sk_security;
4216 int err;
4217 u32 newsid;
4218 u32 peersid;
4219
4220 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4221 if (err)
4222 return err;
4223 if (peersid == SECSID_NULL) {
4224 req->secid = sksec->sid;
4225 req->peer_secid = SECSID_NULL;
4226 return 0;
4227 }
4228
4229 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4230 if (err)
4231 return err;
4232
4233 req->secid = newsid;
4234 req->peer_secid = peersid;
4235 return 0;
4236 }
4237
4238 static void selinux_inet_csk_clone(struct sock *newsk,
4239 const struct request_sock *req)
4240 {
4241 struct sk_security_struct *newsksec = newsk->sk_security;
4242
4243 newsksec->sid = req->secid;
4244 newsksec->peer_sid = req->peer_secid;
4245 /* NOTE: Ideally, we should also get the isec->sid for the
4246 new socket in sync, but we don't have the isec available yet.
4247 So we will wait until sock_graft to do it, by which
4248 time it will have been created and available. */
4249
4250 /* We don't need to take any sort of lock here as we are the only
4251 * thread with access to newsksec */
4252 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4253 }
4254
4255 static void selinux_inet_conn_established(struct sock *sk,
4256 struct sk_buff *skb)
4257 {
4258 struct sk_security_struct *sksec = sk->sk_security;
4259
4260 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4261 }
4262
4263 static void selinux_req_classify_flow(const struct request_sock *req,
4264 struct flowi *fl)
4265 {
4266 fl->secid = req->secid;
4267 }
4268
4269 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4270 {
4271 int err = 0;
4272 u32 perm;
4273 struct nlmsghdr *nlh;
4274 struct socket *sock = sk->sk_socket;
4275 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4276
4277 if (skb->len < NLMSG_SPACE(0)) {
4278 err = -EINVAL;
4279 goto out;
4280 }
4281 nlh = nlmsg_hdr(skb);
4282
4283 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4284 if (err) {
4285 if (err == -EINVAL) {
4286 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4287 "SELinux: unrecognized netlink message"
4288 " type=%hu for sclass=%hu\n",
4289 nlh->nlmsg_type, isec->sclass);
4290 if (!selinux_enforcing)
4291 err = 0;
4292 }
4293
4294 /* Ignore */
4295 if (err == -ENOENT)
4296 err = 0;
4297 goto out;
4298 }
4299
4300 err = socket_has_perm(current, sock, perm);
4301 out:
4302 return err;
4303 }
4304
4305 #ifdef CONFIG_NETFILTER
4306
4307 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4308 u16 family)
4309 {
4310 char *addrp;
4311 u32 peer_sid;
4312 struct avc_audit_data ad;
4313 u8 secmark_active;
4314 u8 peerlbl_active;
4315
4316 if (!selinux_policycap_netpeer)
4317 return NF_ACCEPT;
4318
4319 secmark_active = selinux_secmark_enabled();
4320 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4321 if (!secmark_active && !peerlbl_active)
4322 return NF_ACCEPT;
4323
4324 AVC_AUDIT_DATA_INIT(&ad, NET);
4325 ad.u.net.netif = ifindex;
4326 ad.u.net.family = family;
4327 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4328 return NF_DROP;
4329
4330 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4331 return NF_DROP;
4332
4333 if (peerlbl_active)
4334 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4335 peer_sid, &ad) != 0)
4336 return NF_DROP;
4337
4338 if (secmark_active)
4339 if (avc_has_perm(peer_sid, skb->secmark,
4340 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4341 return NF_DROP;
4342
4343 return NF_ACCEPT;
4344 }
4345
4346 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4347 struct sk_buff *skb,
4348 const struct net_device *in,
4349 const struct net_device *out,
4350 int (*okfn)(struct sk_buff *))
4351 {
4352 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4353 }
4354
4355 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4356 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4357 struct sk_buff *skb,
4358 const struct net_device *in,
4359 const struct net_device *out,
4360 int (*okfn)(struct sk_buff *))
4361 {
4362 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4363 }
4364 #endif /* IPV6 */
4365
4366 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4367 int ifindex,
4368 struct avc_audit_data *ad,
4369 u16 family, char *addrp)
4370 {
4371 int err;
4372 struct sk_security_struct *sksec = sk->sk_security;
4373 u16 sk_class;
4374 u32 netif_perm, node_perm, send_perm;
4375 u32 port_sid, node_sid, if_sid, sk_sid;
4376
4377 sk_sid = sksec->sid;
4378 sk_class = sksec->sclass;
4379
4380 switch (sk_class) {
4381 case SECCLASS_UDP_SOCKET:
4382 netif_perm = NETIF__UDP_SEND;
4383 node_perm = NODE__UDP_SEND;
4384 send_perm = UDP_SOCKET__SEND_MSG;
4385 break;
4386 case SECCLASS_TCP_SOCKET:
4387 netif_perm = NETIF__TCP_SEND;
4388 node_perm = NODE__TCP_SEND;
4389 send_perm = TCP_SOCKET__SEND_MSG;
4390 break;
4391 case SECCLASS_DCCP_SOCKET:
4392 netif_perm = NETIF__DCCP_SEND;
4393 node_perm = NODE__DCCP_SEND;
4394 send_perm = DCCP_SOCKET__SEND_MSG;
4395 break;
4396 default:
4397 netif_perm = NETIF__RAWIP_SEND;
4398 node_perm = NODE__RAWIP_SEND;
4399 send_perm = 0;
4400 break;
4401 }
4402
4403 err = sel_netif_sid(ifindex, &if_sid);
4404 if (err)
4405 return err;
4406 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4407 return err;
4408
4409 err = sel_netnode_sid(addrp, family, &node_sid);
4410 if (err)
4411 return err;
4412 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4413 if (err)
4414 return err;
4415
4416 if (send_perm != 0)
4417 return 0;
4418
4419 err = security_port_sid(sk->sk_family, sk->sk_type,
4420 sk->sk_protocol, ntohs(ad->u.net.dport),
4421 &port_sid);
4422 if (unlikely(err)) {
4423 printk(KERN_WARNING
4424 "SELinux: failure in"
4425 " selinux_ip_postroute_iptables_compat(),"
4426 " network port label not found\n");
4427 return err;
4428 }
4429 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4430 }
4431
4432 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4433 int ifindex,
4434 struct avc_audit_data *ad,
4435 u16 family,
4436 char *addrp,
4437 u8 proto)
4438 {
4439 struct sock *sk = skb->sk;
4440 struct sk_security_struct *sksec;
4441
4442 if (sk == NULL)
4443 return NF_ACCEPT;
4444 sksec = sk->sk_security;
4445
4446 if (selinux_compat_net) {
4447 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4448 ad, family, addrp))
4449 return NF_DROP;
4450 } else {
4451 if (avc_has_perm(sksec->sid, skb->secmark,
4452 SECCLASS_PACKET, PACKET__SEND, ad))
4453 return NF_DROP;
4454 }
4455
4456 if (selinux_policycap_netpeer)
4457 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4458 return NF_DROP;
4459
4460 return NF_ACCEPT;
4461 }
4462
4463 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4464 u16 family)
4465 {
4466 u32 secmark_perm;
4467 u32 peer_sid;
4468 struct sock *sk;
4469 struct avc_audit_data ad;
4470 char *addrp;
4471 u8 proto;
4472 u8 secmark_active;
4473 u8 peerlbl_active;
4474
4475 AVC_AUDIT_DATA_INIT(&ad, NET);
4476 ad.u.net.netif = ifindex;
4477 ad.u.net.family = family;
4478 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4479 return NF_DROP;
4480
4481 /* If any sort of compatibility mode is enabled then handoff processing
4482 * to the selinux_ip_postroute_compat() function to deal with the
4483 * special handling. We do this in an attempt to keep this function
4484 * as fast and as clean as possible. */
4485 if (selinux_compat_net || !selinux_policycap_netpeer)
4486 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4487 family, addrp, proto);
4488
4489 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4490 * packet transformation so allow the packet to pass without any checks
4491 * since we'll have another chance to perform access control checks
4492 * when the packet is on it's final way out.
4493 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4494 * is NULL, in this case go ahead and apply access control. */
4495 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4496 return NF_ACCEPT;
4497
4498 secmark_active = selinux_secmark_enabled();
4499 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4500 if (!secmark_active && !peerlbl_active)
4501 return NF_ACCEPT;
4502
4503 /* if the packet is locally generated (skb->sk != NULL) then use the
4504 * socket's label as the peer label, otherwise the packet is being
4505 * forwarded through this system and we need to fetch the peer label
4506 * directly from the packet */
4507 sk = skb->sk;
4508 if (sk) {
4509 struct sk_security_struct *sksec = sk->sk_security;
4510 peer_sid = sksec->sid;
4511 secmark_perm = PACKET__SEND;
4512 } else {
4513 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4514 return NF_DROP;
4515 secmark_perm = PACKET__FORWARD_OUT;
4516 }
4517
4518 if (secmark_active)
4519 if (avc_has_perm(peer_sid, skb->secmark,
4520 SECCLASS_PACKET, secmark_perm, &ad))
4521 return NF_DROP;
4522
4523 if (peerlbl_active) {
4524 u32 if_sid;
4525 u32 node_sid;
4526
4527 if (sel_netif_sid(ifindex, &if_sid))
4528 return NF_DROP;
4529 if (avc_has_perm(peer_sid, if_sid,
4530 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4531 return NF_DROP;
4532
4533 if (sel_netnode_sid(addrp, family, &node_sid))
4534 return NF_DROP;
4535 if (avc_has_perm(peer_sid, node_sid,
4536 SECCLASS_NODE, NODE__SENDTO, &ad))
4537 return NF_DROP;
4538 }
4539
4540 return NF_ACCEPT;
4541 }
4542
4543 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4544 struct sk_buff *skb,
4545 const struct net_device *in,
4546 const struct net_device *out,
4547 int (*okfn)(struct sk_buff *))
4548 {
4549 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4550 }
4551
4552 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4553 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4554 struct sk_buff *skb,
4555 const struct net_device *in,
4556 const struct net_device *out,
4557 int (*okfn)(struct sk_buff *))
4558 {
4559 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4560 }
4561 #endif /* IPV6 */
4562
4563 #endif /* CONFIG_NETFILTER */
4564
4565 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4566 {
4567 int err;
4568
4569 err = secondary_ops->netlink_send(sk, skb);
4570 if (err)
4571 return err;
4572
4573 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4574 err = selinux_nlmsg_perm(sk, skb);
4575
4576 return err;
4577 }
4578
4579 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4580 {
4581 int err;
4582 struct avc_audit_data ad;
4583
4584 err = secondary_ops->netlink_recv(skb, capability);
4585 if (err)
4586 return err;
4587
4588 AVC_AUDIT_DATA_INIT(&ad, CAP);
4589 ad.u.cap = capability;
4590
4591 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4592 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4593 }
4594
4595 static int ipc_alloc_security(struct task_struct *task,
4596 struct kern_ipc_perm *perm,
4597 u16 sclass)
4598 {
4599 struct task_security_struct *tsec = task->security;
4600 struct ipc_security_struct *isec;
4601
4602 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4603 if (!isec)
4604 return -ENOMEM;
4605
4606 isec->sclass = sclass;
4607 isec->sid = tsec->sid;
4608 perm->security = isec;
4609
4610 return 0;
4611 }
4612
4613 static void ipc_free_security(struct kern_ipc_perm *perm)
4614 {
4615 struct ipc_security_struct *isec = perm->security;
4616 perm->security = NULL;
4617 kfree(isec);
4618 }
4619
4620 static int msg_msg_alloc_security(struct msg_msg *msg)
4621 {
4622 struct msg_security_struct *msec;
4623
4624 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4625 if (!msec)
4626 return -ENOMEM;
4627
4628 msec->sid = SECINITSID_UNLABELED;
4629 msg->security = msec;
4630
4631 return 0;
4632 }
4633
4634 static void msg_msg_free_security(struct msg_msg *msg)
4635 {
4636 struct msg_security_struct *msec = msg->security;
4637
4638 msg->security = NULL;
4639 kfree(msec);
4640 }
4641
4642 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4643 u32 perms)
4644 {
4645 struct task_security_struct *tsec;
4646 struct ipc_security_struct *isec;
4647 struct avc_audit_data ad;
4648
4649 tsec = current->security;
4650 isec = ipc_perms->security;
4651
4652 AVC_AUDIT_DATA_INIT(&ad, IPC);
4653 ad.u.ipc_id = ipc_perms->key;
4654
4655 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4656 }
4657
4658 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4659 {
4660 return msg_msg_alloc_security(msg);
4661 }
4662
4663 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4664 {
4665 msg_msg_free_security(msg);
4666 }
4667
4668 /* message queue security operations */
4669 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4670 {
4671 struct task_security_struct *tsec;
4672 struct ipc_security_struct *isec;
4673 struct avc_audit_data ad;
4674 int rc;
4675
4676 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4677 if (rc)
4678 return rc;
4679
4680 tsec = current->security;
4681 isec = msq->q_perm.security;
4682
4683 AVC_AUDIT_DATA_INIT(&ad, IPC);
4684 ad.u.ipc_id = msq->q_perm.key;
4685
4686 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4687 MSGQ__CREATE, &ad);
4688 if (rc) {
4689 ipc_free_security(&msq->q_perm);
4690 return rc;
4691 }
4692 return 0;
4693 }
4694
4695 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4696 {
4697 ipc_free_security(&msq->q_perm);
4698 }
4699
4700 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4701 {
4702 struct task_security_struct *tsec;
4703 struct ipc_security_struct *isec;
4704 struct avc_audit_data ad;
4705
4706 tsec = current->security;
4707 isec = msq->q_perm.security;
4708
4709 AVC_AUDIT_DATA_INIT(&ad, IPC);
4710 ad.u.ipc_id = msq->q_perm.key;
4711
4712 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4713 MSGQ__ASSOCIATE, &ad);
4714 }
4715
4716 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4717 {
4718 int err;
4719 int perms;
4720
4721 switch(cmd) {
4722 case IPC_INFO:
4723 case MSG_INFO:
4724 /* No specific object, just general system-wide information. */
4725 return task_has_system(current, SYSTEM__IPC_INFO);
4726 case IPC_STAT:
4727 case MSG_STAT:
4728 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4729 break;
4730 case IPC_SET:
4731 perms = MSGQ__SETATTR;
4732 break;
4733 case IPC_RMID:
4734 perms = MSGQ__DESTROY;
4735 break;
4736 default:
4737 return 0;
4738 }
4739
4740 err = ipc_has_perm(&msq->q_perm, perms);
4741 return err;
4742 }
4743
4744 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4745 {
4746 struct task_security_struct *tsec;
4747 struct ipc_security_struct *isec;
4748 struct msg_security_struct *msec;
4749 struct avc_audit_data ad;
4750 int rc;
4751
4752 tsec = current->security;
4753 isec = msq->q_perm.security;
4754 msec = msg->security;
4755
4756 /*
4757 * First time through, need to assign label to the message
4758 */
4759 if (msec->sid == SECINITSID_UNLABELED) {
4760 /*
4761 * Compute new sid based on current process and
4762 * message queue this message will be stored in
4763 */
4764 rc = security_transition_sid(tsec->sid,
4765 isec->sid,
4766 SECCLASS_MSG,
4767 &msec->sid);
4768 if (rc)
4769 return rc;
4770 }
4771
4772 AVC_AUDIT_DATA_INIT(&ad, IPC);
4773 ad.u.ipc_id = msq->q_perm.key;
4774
4775 /* Can this process write to the queue? */
4776 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4777 MSGQ__WRITE, &ad);
4778 if (!rc)
4779 /* Can this process send the message */
4780 rc = avc_has_perm(tsec->sid, msec->sid,
4781 SECCLASS_MSG, MSG__SEND, &ad);
4782 if (!rc)
4783 /* Can the message be put in the queue? */
4784 rc = avc_has_perm(msec->sid, isec->sid,
4785 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4786
4787 return rc;
4788 }
4789
4790 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4791 struct task_struct *target,
4792 long type, int mode)
4793 {
4794 struct task_security_struct *tsec;
4795 struct ipc_security_struct *isec;
4796 struct msg_security_struct *msec;
4797 struct avc_audit_data ad;
4798 int rc;
4799
4800 tsec = target->security;
4801 isec = msq->q_perm.security;
4802 msec = msg->security;
4803
4804 AVC_AUDIT_DATA_INIT(&ad, IPC);
4805 ad.u.ipc_id = msq->q_perm.key;
4806
4807 rc = avc_has_perm(tsec->sid, isec->sid,
4808 SECCLASS_MSGQ, MSGQ__READ, &ad);
4809 if (!rc)
4810 rc = avc_has_perm(tsec->sid, msec->sid,
4811 SECCLASS_MSG, MSG__RECEIVE, &ad);
4812 return rc;
4813 }
4814
4815 /* Shared Memory security operations */
4816 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4817 {
4818 struct task_security_struct *tsec;
4819 struct ipc_security_struct *isec;
4820 struct avc_audit_data ad;
4821 int rc;
4822
4823 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4824 if (rc)
4825 return rc;
4826
4827 tsec = current->security;
4828 isec = shp->shm_perm.security;
4829
4830 AVC_AUDIT_DATA_INIT(&ad, IPC);
4831 ad.u.ipc_id = shp->shm_perm.key;
4832
4833 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4834 SHM__CREATE, &ad);
4835 if (rc) {
4836 ipc_free_security(&shp->shm_perm);
4837 return rc;
4838 }
4839 return 0;
4840 }
4841
4842 static void selinux_shm_free_security(struct shmid_kernel *shp)
4843 {
4844 ipc_free_security(&shp->shm_perm);
4845 }
4846
4847 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4848 {
4849 struct task_security_struct *tsec;
4850 struct ipc_security_struct *isec;
4851 struct avc_audit_data ad;
4852
4853 tsec = current->security;
4854 isec = shp->shm_perm.security;
4855
4856 AVC_AUDIT_DATA_INIT(&ad, IPC);
4857 ad.u.ipc_id = shp->shm_perm.key;
4858
4859 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4860 SHM__ASSOCIATE, &ad);
4861 }
4862
4863 /* Note, at this point, shp is locked down */
4864 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4865 {
4866 int perms;
4867 int err;
4868
4869 switch(cmd) {
4870 case IPC_INFO:
4871 case SHM_INFO:
4872 /* No specific object, just general system-wide information. */
4873 return task_has_system(current, SYSTEM__IPC_INFO);
4874 case IPC_STAT:
4875 case SHM_STAT:
4876 perms = SHM__GETATTR | SHM__ASSOCIATE;
4877 break;
4878 case IPC_SET:
4879 perms = SHM__SETATTR;
4880 break;
4881 case SHM_LOCK:
4882 case SHM_UNLOCK:
4883 perms = SHM__LOCK;
4884 break;
4885 case IPC_RMID:
4886 perms = SHM__DESTROY;
4887 break;
4888 default:
4889 return 0;
4890 }
4891
4892 err = ipc_has_perm(&shp->shm_perm, perms);
4893 return err;
4894 }
4895
4896 static int selinux_shm_shmat(struct shmid_kernel *shp,
4897 char __user *shmaddr, int shmflg)
4898 {
4899 u32 perms;
4900 int rc;
4901
4902 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4903 if (rc)
4904 return rc;
4905
4906 if (shmflg & SHM_RDONLY)
4907 perms = SHM__READ;
4908 else
4909 perms = SHM__READ | SHM__WRITE;
4910
4911 return ipc_has_perm(&shp->shm_perm, perms);
4912 }
4913
4914 /* Semaphore security operations */
4915 static int selinux_sem_alloc_security(struct sem_array *sma)
4916 {
4917 struct task_security_struct *tsec;
4918 struct ipc_security_struct *isec;
4919 struct avc_audit_data ad;
4920 int rc;
4921
4922 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4923 if (rc)
4924 return rc;
4925
4926 tsec = current->security;
4927 isec = sma->sem_perm.security;
4928
4929 AVC_AUDIT_DATA_INIT(&ad, IPC);
4930 ad.u.ipc_id = sma->sem_perm.key;
4931
4932 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4933 SEM__CREATE, &ad);
4934 if (rc) {
4935 ipc_free_security(&sma->sem_perm);
4936 return rc;
4937 }
4938 return 0;
4939 }
4940
4941 static void selinux_sem_free_security(struct sem_array *sma)
4942 {
4943 ipc_free_security(&sma->sem_perm);
4944 }
4945
4946 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4947 {
4948 struct task_security_struct *tsec;
4949 struct ipc_security_struct *isec;
4950 struct avc_audit_data ad;
4951
4952 tsec = current->security;
4953 isec = sma->sem_perm.security;
4954
4955 AVC_AUDIT_DATA_INIT(&ad, IPC);
4956 ad.u.ipc_id = sma->sem_perm.key;
4957
4958 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4959 SEM__ASSOCIATE, &ad);
4960 }
4961
4962 /* Note, at this point, sma is locked down */
4963 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4964 {
4965 int err;
4966 u32 perms;
4967
4968 switch(cmd) {
4969 case IPC_INFO:
4970 case SEM_INFO:
4971 /* No specific object, just general system-wide information. */
4972 return task_has_system(current, SYSTEM__IPC_INFO);
4973 case GETPID:
4974 case GETNCNT:
4975 case GETZCNT:
4976 perms = SEM__GETATTR;
4977 break;
4978 case GETVAL:
4979 case GETALL:
4980 perms = SEM__READ;
4981 break;
4982 case SETVAL:
4983 case SETALL:
4984 perms = SEM__WRITE;
4985 break;
4986 case IPC_RMID:
4987 perms = SEM__DESTROY;
4988 break;
4989 case IPC_SET:
4990 perms = SEM__SETATTR;
4991 break;
4992 case IPC_STAT:
4993 case SEM_STAT:
4994 perms = SEM__GETATTR | SEM__ASSOCIATE;
4995 break;
4996 default:
4997 return 0;
4998 }
4999
5000 err = ipc_has_perm(&sma->sem_perm, perms);
5001 return err;
5002 }
5003
5004 static int selinux_sem_semop(struct sem_array *sma,
5005 struct sembuf *sops, unsigned nsops, int alter)
5006 {
5007 u32 perms;
5008
5009 if (alter)
5010 perms = SEM__READ | SEM__WRITE;
5011 else
5012 perms = SEM__READ;
5013
5014 return ipc_has_perm(&sma->sem_perm, perms);
5015 }
5016
5017 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5018 {
5019 u32 av = 0;
5020
5021 av = 0;
5022 if (flag & S_IRUGO)
5023 av |= IPC__UNIX_READ;
5024 if (flag & S_IWUGO)
5025 av |= IPC__UNIX_WRITE;
5026
5027 if (av == 0)
5028 return 0;
5029
5030 return ipc_has_perm(ipcp, av);
5031 }
5032
5033 /* module stacking operations */
5034 static int selinux_register_security (const char *name, struct security_operations *ops)
5035 {
5036 if (secondary_ops != original_ops) {
5037 printk(KERN_ERR "%s: There is already a secondary security "
5038 "module registered.\n", __func__);
5039 return -EINVAL;
5040 }
5041
5042 secondary_ops = ops;
5043
5044 printk(KERN_INFO "%s: Registering secondary module %s\n",
5045 __func__,
5046 name);
5047
5048 return 0;
5049 }
5050
5051 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5052 {
5053 if (inode)
5054 inode_doinit_with_dentry(inode, dentry);
5055 }
5056
5057 static int selinux_getprocattr(struct task_struct *p,
5058 char *name, char **value)
5059 {
5060 struct task_security_struct *tsec;
5061 u32 sid;
5062 int error;
5063 unsigned len;
5064
5065 if (current != p) {
5066 error = task_has_perm(current, p, PROCESS__GETATTR);
5067 if (error)
5068 return error;
5069 }
5070
5071 tsec = p->security;
5072
5073 if (!strcmp(name, "current"))
5074 sid = tsec->sid;
5075 else if (!strcmp(name, "prev"))
5076 sid = tsec->osid;
5077 else if (!strcmp(name, "exec"))
5078 sid = tsec->exec_sid;
5079 else if (!strcmp(name, "fscreate"))
5080 sid = tsec->create_sid;
5081 else if (!strcmp(name, "keycreate"))
5082 sid = tsec->keycreate_sid;
5083 else if (!strcmp(name, "sockcreate"))
5084 sid = tsec->sockcreate_sid;
5085 else
5086 return -EINVAL;
5087
5088 if (!sid)
5089 return 0;
5090
5091 error = security_sid_to_context(sid, value, &len);
5092 if (error)
5093 return error;
5094 return len;
5095 }
5096
5097 static int selinux_setprocattr(struct task_struct *p,
5098 char *name, void *value, size_t size)
5099 {
5100 struct task_security_struct *tsec;
5101 struct task_struct *tracer;
5102 u32 sid = 0;
5103 int error;
5104 char *str = value;
5105
5106 if (current != p) {
5107 /* SELinux only allows a process to change its own
5108 security attributes. */
5109 return -EACCES;
5110 }
5111
5112 /*
5113 * Basic control over ability to set these attributes at all.
5114 * current == p, but we'll pass them separately in case the
5115 * above restriction is ever removed.
5116 */
5117 if (!strcmp(name, "exec"))
5118 error = task_has_perm(current, p, PROCESS__SETEXEC);
5119 else if (!strcmp(name, "fscreate"))
5120 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5121 else if (!strcmp(name, "keycreate"))
5122 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5123 else if (!strcmp(name, "sockcreate"))
5124 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5125 else if (!strcmp(name, "current"))
5126 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5127 else
5128 error = -EINVAL;
5129 if (error)
5130 return error;
5131
5132 /* Obtain a SID for the context, if one was specified. */
5133 if (size && str[1] && str[1] != '\n') {
5134 if (str[size-1] == '\n') {
5135 str[size-1] = 0;
5136 size--;
5137 }
5138 error = security_context_to_sid(value, size, &sid);
5139 if (error)
5140 return error;
5141 }
5142
5143 /* Permission checking based on the specified context is
5144 performed during the actual operation (execve,
5145 open/mkdir/...), when we know the full context of the
5146 operation. See selinux_bprm_set_security for the execve
5147 checks and may_create for the file creation checks. The
5148 operation will then fail if the context is not permitted. */
5149 tsec = p->security;
5150 if (!strcmp(name, "exec"))
5151 tsec->exec_sid = sid;
5152 else if (!strcmp(name, "fscreate"))
5153 tsec->create_sid = sid;
5154 else if (!strcmp(name, "keycreate")) {
5155 error = may_create_key(sid, p);
5156 if (error)
5157 return error;
5158 tsec->keycreate_sid = sid;
5159 } else if (!strcmp(name, "sockcreate"))
5160 tsec->sockcreate_sid = sid;
5161 else if (!strcmp(name, "current")) {
5162 struct av_decision avd;
5163
5164 if (sid == 0)
5165 return -EINVAL;
5166
5167 /* Only allow single threaded processes to change context */
5168 if (atomic_read(&p->mm->mm_users) != 1) {
5169 struct task_struct *g, *t;
5170 struct mm_struct *mm = p->mm;
5171 read_lock(&tasklist_lock);
5172 do_each_thread(g, t)
5173 if (t->mm == mm && t != p) {
5174 read_unlock(&tasklist_lock);
5175 return -EPERM;
5176 }
5177 while_each_thread(g, t);
5178 read_unlock(&tasklist_lock);
5179 }
5180
5181 /* Check permissions for the transition. */
5182 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5183 PROCESS__DYNTRANSITION, NULL);
5184 if (error)
5185 return error;
5186
5187 /* Check for ptracing, and update the task SID if ok.
5188 Otherwise, leave SID unchanged and fail. */
5189 task_lock(p);
5190 rcu_read_lock();
5191 tracer = task_tracer_task(p);
5192 if (tracer != NULL) {
5193 struct task_security_struct *ptsec = tracer->security;
5194 u32 ptsid = ptsec->sid;
5195 rcu_read_unlock();
5196 error = avc_has_perm_noaudit(ptsid, sid,
5197 SECCLASS_PROCESS,
5198 PROCESS__PTRACE, 0, &avd);
5199 if (!error)
5200 tsec->sid = sid;
5201 task_unlock(p);
5202 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5203 PROCESS__PTRACE, &avd, error, NULL);
5204 if (error)
5205 return error;
5206 } else {
5207 rcu_read_unlock();
5208 tsec->sid = sid;
5209 task_unlock(p);
5210 }
5211 }
5212 else
5213 return -EINVAL;
5214
5215 return size;
5216 }
5217
5218 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5219 {
5220 return security_sid_to_context(secid, secdata, seclen);
5221 }
5222
5223 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5224 {
5225 return security_context_to_sid(secdata, seclen, secid);
5226 }
5227
5228 static void selinux_release_secctx(char *secdata, u32 seclen)
5229 {
5230 kfree(secdata);
5231 }
5232
5233 #ifdef CONFIG_KEYS
5234
5235 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5236 unsigned long flags)
5237 {
5238 struct task_security_struct *tsec = tsk->security;
5239 struct key_security_struct *ksec;
5240
5241 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5242 if (!ksec)
5243 return -ENOMEM;
5244
5245 if (tsec->keycreate_sid)
5246 ksec->sid = tsec->keycreate_sid;
5247 else
5248 ksec->sid = tsec->sid;
5249 k->security = ksec;
5250
5251 return 0;
5252 }
5253
5254 static void selinux_key_free(struct key *k)
5255 {
5256 struct key_security_struct *ksec = k->security;
5257
5258 k->security = NULL;
5259 kfree(ksec);
5260 }
5261
5262 static int selinux_key_permission(key_ref_t key_ref,
5263 struct task_struct *ctx,
5264 key_perm_t perm)
5265 {
5266 struct key *key;
5267 struct task_security_struct *tsec;
5268 struct key_security_struct *ksec;
5269
5270 key = key_ref_to_ptr(key_ref);
5271
5272 tsec = ctx->security;
5273 ksec = key->security;
5274
5275 /* if no specific permissions are requested, we skip the
5276 permission check. No serious, additional covert channels
5277 appear to be created. */
5278 if (perm == 0)
5279 return 0;
5280
5281 return avc_has_perm(tsec->sid, ksec->sid,
5282 SECCLASS_KEY, perm, NULL);
5283 }
5284
5285 #endif
5286
5287 static struct security_operations selinux_ops = {
5288 .ptrace = selinux_ptrace,
5289 .capget = selinux_capget,
5290 .capset_check = selinux_capset_check,
5291 .capset_set = selinux_capset_set,
5292 .sysctl = selinux_sysctl,
5293 .capable = selinux_capable,
5294 .quotactl = selinux_quotactl,
5295 .quota_on = selinux_quota_on,
5296 .syslog = selinux_syslog,
5297 .vm_enough_memory = selinux_vm_enough_memory,
5298
5299 .netlink_send = selinux_netlink_send,
5300 .netlink_recv = selinux_netlink_recv,
5301
5302 .bprm_alloc_security = selinux_bprm_alloc_security,
5303 .bprm_free_security = selinux_bprm_free_security,
5304 .bprm_apply_creds = selinux_bprm_apply_creds,
5305 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5306 .bprm_set_security = selinux_bprm_set_security,
5307 .bprm_check_security = selinux_bprm_check_security,
5308 .bprm_secureexec = selinux_bprm_secureexec,
5309
5310 .sb_alloc_security = selinux_sb_alloc_security,
5311 .sb_free_security = selinux_sb_free_security,
5312 .sb_copy_data = selinux_sb_copy_data,
5313 .sb_kern_mount = selinux_sb_kern_mount,
5314 .sb_statfs = selinux_sb_statfs,
5315 .sb_mount = selinux_mount,
5316 .sb_umount = selinux_umount,
5317 .sb_get_mnt_opts = selinux_get_mnt_opts,
5318 .sb_set_mnt_opts = selinux_set_mnt_opts,
5319 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5320 .sb_parse_opts_str = selinux_parse_opts_str,
5321
5322
5323 .inode_alloc_security = selinux_inode_alloc_security,
5324 .inode_free_security = selinux_inode_free_security,
5325 .inode_init_security = selinux_inode_init_security,
5326 .inode_create = selinux_inode_create,
5327 .inode_link = selinux_inode_link,
5328 .inode_unlink = selinux_inode_unlink,
5329 .inode_symlink = selinux_inode_symlink,
5330 .inode_mkdir = selinux_inode_mkdir,
5331 .inode_rmdir = selinux_inode_rmdir,
5332 .inode_mknod = selinux_inode_mknod,
5333 .inode_rename = selinux_inode_rename,
5334 .inode_readlink = selinux_inode_readlink,
5335 .inode_follow_link = selinux_inode_follow_link,
5336 .inode_permission = selinux_inode_permission,
5337 .inode_setattr = selinux_inode_setattr,
5338 .inode_getattr = selinux_inode_getattr,
5339 .inode_setxattr = selinux_inode_setxattr,
5340 .inode_post_setxattr = selinux_inode_post_setxattr,
5341 .inode_getxattr = selinux_inode_getxattr,
5342 .inode_listxattr = selinux_inode_listxattr,
5343 .inode_removexattr = selinux_inode_removexattr,
5344 .inode_getsecurity = selinux_inode_getsecurity,
5345 .inode_setsecurity = selinux_inode_setsecurity,
5346 .inode_listsecurity = selinux_inode_listsecurity,
5347 .inode_need_killpriv = selinux_inode_need_killpriv,
5348 .inode_killpriv = selinux_inode_killpriv,
5349
5350 .file_permission = selinux_file_permission,
5351 .file_alloc_security = selinux_file_alloc_security,
5352 .file_free_security = selinux_file_free_security,
5353 .file_ioctl = selinux_file_ioctl,
5354 .file_mmap = selinux_file_mmap,
5355 .file_mprotect = selinux_file_mprotect,
5356 .file_lock = selinux_file_lock,
5357 .file_fcntl = selinux_file_fcntl,
5358 .file_set_fowner = selinux_file_set_fowner,
5359 .file_send_sigiotask = selinux_file_send_sigiotask,
5360 .file_receive = selinux_file_receive,
5361
5362 .dentry_open = selinux_dentry_open,
5363
5364 .task_create = selinux_task_create,
5365 .task_alloc_security = selinux_task_alloc_security,
5366 .task_free_security = selinux_task_free_security,
5367 .task_setuid = selinux_task_setuid,
5368 .task_post_setuid = selinux_task_post_setuid,
5369 .task_setgid = selinux_task_setgid,
5370 .task_setpgid = selinux_task_setpgid,
5371 .task_getpgid = selinux_task_getpgid,
5372 .task_getsid = selinux_task_getsid,
5373 .task_getsecid = selinux_task_getsecid,
5374 .task_setgroups = selinux_task_setgroups,
5375 .task_setnice = selinux_task_setnice,
5376 .task_setioprio = selinux_task_setioprio,
5377 .task_getioprio = selinux_task_getioprio,
5378 .task_setrlimit = selinux_task_setrlimit,
5379 .task_setscheduler = selinux_task_setscheduler,
5380 .task_getscheduler = selinux_task_getscheduler,
5381 .task_movememory = selinux_task_movememory,
5382 .task_kill = selinux_task_kill,
5383 .task_wait = selinux_task_wait,
5384 .task_prctl = selinux_task_prctl,
5385 .task_reparent_to_init = selinux_task_reparent_to_init,
5386 .task_to_inode = selinux_task_to_inode,
5387
5388 .ipc_permission = selinux_ipc_permission,
5389
5390 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5391 .msg_msg_free_security = selinux_msg_msg_free_security,
5392
5393 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5394 .msg_queue_free_security = selinux_msg_queue_free_security,
5395 .msg_queue_associate = selinux_msg_queue_associate,
5396 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5397 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5398 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5399
5400 .shm_alloc_security = selinux_shm_alloc_security,
5401 .shm_free_security = selinux_shm_free_security,
5402 .shm_associate = selinux_shm_associate,
5403 .shm_shmctl = selinux_shm_shmctl,
5404 .shm_shmat = selinux_shm_shmat,
5405
5406 .sem_alloc_security = selinux_sem_alloc_security,
5407 .sem_free_security = selinux_sem_free_security,
5408 .sem_associate = selinux_sem_associate,
5409 .sem_semctl = selinux_sem_semctl,
5410 .sem_semop = selinux_sem_semop,
5411
5412 .register_security = selinux_register_security,
5413
5414 .d_instantiate = selinux_d_instantiate,
5415
5416 .getprocattr = selinux_getprocattr,
5417 .setprocattr = selinux_setprocattr,
5418
5419 .secid_to_secctx = selinux_secid_to_secctx,
5420 .secctx_to_secid = selinux_secctx_to_secid,
5421 .release_secctx = selinux_release_secctx,
5422
5423 .unix_stream_connect = selinux_socket_unix_stream_connect,
5424 .unix_may_send = selinux_socket_unix_may_send,
5425
5426 .socket_create = selinux_socket_create,
5427 .socket_post_create = selinux_socket_post_create,
5428 .socket_bind = selinux_socket_bind,
5429 .socket_connect = selinux_socket_connect,
5430 .socket_listen = selinux_socket_listen,
5431 .socket_accept = selinux_socket_accept,
5432 .socket_sendmsg = selinux_socket_sendmsg,
5433 .socket_recvmsg = selinux_socket_recvmsg,
5434 .socket_getsockname = selinux_socket_getsockname,
5435 .socket_getpeername = selinux_socket_getpeername,
5436 .socket_getsockopt = selinux_socket_getsockopt,
5437 .socket_setsockopt = selinux_socket_setsockopt,
5438 .socket_shutdown = selinux_socket_shutdown,
5439 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5440 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5441 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5442 .sk_alloc_security = selinux_sk_alloc_security,
5443 .sk_free_security = selinux_sk_free_security,
5444 .sk_clone_security = selinux_sk_clone_security,
5445 .sk_getsecid = selinux_sk_getsecid,
5446 .sock_graft = selinux_sock_graft,
5447 .inet_conn_request = selinux_inet_conn_request,
5448 .inet_csk_clone = selinux_inet_csk_clone,
5449 .inet_conn_established = selinux_inet_conn_established,
5450 .req_classify_flow = selinux_req_classify_flow,
5451
5452 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5453 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5454 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5455 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5456 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5457 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5458 .xfrm_state_free_security = selinux_xfrm_state_free,
5459 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5460 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5461 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5462 .xfrm_decode_session = selinux_xfrm_decode_session,
5463 #endif
5464
5465 #ifdef CONFIG_KEYS
5466 .key_alloc = selinux_key_alloc,
5467 .key_free = selinux_key_free,
5468 .key_permission = selinux_key_permission,
5469 #endif
5470 };
5471
5472 static __init int selinux_init(void)
5473 {
5474 struct task_security_struct *tsec;
5475
5476 if (!selinux_enabled) {
5477 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5478 return 0;
5479 }
5480
5481 printk(KERN_INFO "SELinux: Initializing.\n");
5482
5483 /* Set the security state for the initial task. */
5484 if (task_alloc_security(current))
5485 panic("SELinux: Failed to initialize initial task.\n");
5486 tsec = current->security;
5487 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5488
5489 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5490 sizeof(struct inode_security_struct),
5491 0, SLAB_PANIC, NULL);
5492 avc_init();
5493
5494 original_ops = secondary_ops = security_ops;
5495 if (!secondary_ops)
5496 panic ("SELinux: No initial security operations\n");
5497 if (register_security (&selinux_ops))
5498 panic("SELinux: Unable to register with kernel.\n");
5499
5500 if (selinux_enforcing) {
5501 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5502 } else {
5503 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5504 }
5505
5506 #ifdef CONFIG_KEYS
5507 /* Add security information to initial keyrings */
5508 selinux_key_alloc(&root_user_keyring, current,
5509 KEY_ALLOC_NOT_IN_QUOTA);
5510 selinux_key_alloc(&root_session_keyring, current,
5511 KEY_ALLOC_NOT_IN_QUOTA);
5512 #endif
5513
5514 return 0;
5515 }
5516
5517 void selinux_complete_init(void)
5518 {
5519 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5520
5521 /* Set up any superblocks initialized prior to the policy load. */
5522 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5523 spin_lock(&sb_lock);
5524 spin_lock(&sb_security_lock);
5525 next_sb:
5526 if (!list_empty(&superblock_security_head)) {
5527 struct superblock_security_struct *sbsec =
5528 list_entry(superblock_security_head.next,
5529 struct superblock_security_struct,
5530 list);
5531 struct super_block *sb = sbsec->sb;
5532 sb->s_count++;
5533 spin_unlock(&sb_security_lock);
5534 spin_unlock(&sb_lock);
5535 down_read(&sb->s_umount);
5536 if (sb->s_root)
5537 superblock_doinit(sb, NULL);
5538 drop_super(sb);
5539 spin_lock(&sb_lock);
5540 spin_lock(&sb_security_lock);
5541 list_del_init(&sbsec->list);
5542 goto next_sb;
5543 }
5544 spin_unlock(&sb_security_lock);
5545 spin_unlock(&sb_lock);
5546 }
5547
5548 /* SELinux requires early initialization in order to label
5549 all processes and objects when they are created. */
5550 security_initcall(selinux_init);
5551
5552 #if defined(CONFIG_NETFILTER)
5553
5554 static struct nf_hook_ops selinux_ipv4_ops[] = {
5555 {
5556 .hook = selinux_ipv4_postroute,
5557 .owner = THIS_MODULE,
5558 .pf = PF_INET,
5559 .hooknum = NF_INET_POST_ROUTING,
5560 .priority = NF_IP_PRI_SELINUX_LAST,
5561 },
5562 {
5563 .hook = selinux_ipv4_forward,
5564 .owner = THIS_MODULE,
5565 .pf = PF_INET,
5566 .hooknum = NF_INET_FORWARD,
5567 .priority = NF_IP_PRI_SELINUX_FIRST,
5568 }
5569 };
5570
5571 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5572
5573 static struct nf_hook_ops selinux_ipv6_ops[] = {
5574 {
5575 .hook = selinux_ipv6_postroute,
5576 .owner = THIS_MODULE,
5577 .pf = PF_INET6,
5578 .hooknum = NF_INET_POST_ROUTING,
5579 .priority = NF_IP6_PRI_SELINUX_LAST,
5580 },
5581 {
5582 .hook = selinux_ipv6_forward,
5583 .owner = THIS_MODULE,
5584 .pf = PF_INET6,
5585 .hooknum = NF_INET_FORWARD,
5586 .priority = NF_IP6_PRI_SELINUX_FIRST,
5587 }
5588 };
5589
5590 #endif /* IPV6 */
5591
5592 static int __init selinux_nf_ip_init(void)
5593 {
5594 int err = 0;
5595 u32 iter;
5596
5597 if (!selinux_enabled)
5598 goto out;
5599
5600 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5601
5602 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5603 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5604 if (err)
5605 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5606 err);
5607 }
5608
5609 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5610 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5611 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5612 if (err)
5613 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5614 err);
5615 }
5616 #endif /* IPV6 */
5617
5618 out:
5619 return err;
5620 }
5621
5622 __initcall(selinux_nf_ip_init);
5623
5624 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5625 static void selinux_nf_ip_exit(void)
5626 {
5627 u32 iter;
5628
5629 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5630
5631 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5632 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5633 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5634 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5635 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5636 #endif /* IPV6 */
5637 }
5638 #endif
5639
5640 #else /* CONFIG_NETFILTER */
5641
5642 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5643 #define selinux_nf_ip_exit()
5644 #endif
5645
5646 #endif /* CONFIG_NETFILTER */
5647
5648 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5649 int selinux_disable(void)
5650 {
5651 extern void exit_sel_fs(void);
5652 static int selinux_disabled = 0;
5653
5654 if (ss_initialized) {
5655 /* Not permitted after initial policy load. */
5656 return -EINVAL;
5657 }
5658
5659 if (selinux_disabled) {
5660 /* Only do this once. */
5661 return -EINVAL;
5662 }
5663
5664 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5665
5666 selinux_disabled = 1;
5667 selinux_enabled = 0;
5668
5669 /* Reset security_ops to the secondary module, dummy or capability. */
5670 security_ops = secondary_ops;
5671
5672 /* Unregister netfilter hooks. */
5673 selinux_nf_ip_exit();
5674
5675 /* Unregister selinuxfs. */
5676 exit_sel_fs();
5677
5678 return 0;
5679 }
5680 #endif
This page took 0.136075 seconds and 4 git commands to generate.