projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SELinux: use new audit hooks, remove redundant exports
[deliverable/linux.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86 #include "audit.h"
87
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
91 #define NUM_SEL_MNT_OPTS 4
92
93 extern unsigned int policydb_loaded_version;
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern int selinux_compat_net;
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing = 0;
103
104 static int __init enforcing_setup(char *str)
105 {
106 selinux_enforcing = simple_strtol(str,NULL,0);
107 return 1;
108 }
109 __setup("enforcing=", enforcing_setup);
110 #endif
111
112 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
113 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
114
115 static int __init selinux_enabled_setup(char *str)
116 {
117 selinux_enabled = simple_strtol(str, NULL, 0);
118 return 1;
119 }
120 __setup("selinux=", selinux_enabled_setup);
121 #else
122 int selinux_enabled = 1;
123 #endif
124
125 /* Original (dummy) security module. */
126 static struct security_operations *original_ops = NULL;
127
128 /* Minimal support for a secondary security module,
129 just to allow the use of the dummy or capability modules.
130 The owlsm module can alternatively be used as a secondary
131 module as long as CONFIG_OWLSM_FD is not enabled. */
132 static struct security_operations *secondary_ops = NULL;
133
134 /* Lists of inode and superblock security structures initialized
135 before the policy was loaded. */
136 static LIST_HEAD(superblock_security_head);
137 static DEFINE_SPINLOCK(sb_security_lock);
138
139 static struct kmem_cache *sel_inode_cache;
140
141 /**
142 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143 *
144 * Description:
145 * This function checks the SECMARK reference counter to see if any SECMARK
146 * targets are currently configured, if the reference counter is greater than
147 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
148 * enabled, false (0) if SECMARK is disabled.
149 *
150 */
151 static int selinux_secmark_enabled(void)
152 {
153 return (atomic_read(&selinux_secmark_refcount) > 0);
154 }
155
156 /* Allocate and free functions for each kind of security blob. */
157
158 static int task_alloc_security(struct task_struct *task)
159 {
160 struct task_security_struct *tsec;
161
162 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
163 if (!tsec)
164 return -ENOMEM;
165
166 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
167 task->security = tsec;
168
169 return 0;
170 }
171
172 static void task_free_security(struct task_struct *task)
173 {
174 struct task_security_struct *tsec = task->security;
175 task->security = NULL;
176 kfree(tsec);
177 }
178
179 static int inode_alloc_security(struct inode *inode)
180 {
181 struct task_security_struct *tsec = current->security;
182 struct inode_security_struct *isec;
183
184 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
185 if (!isec)
186 return -ENOMEM;
187
188 mutex_init(&isec->lock);
189 INIT_LIST_HEAD(&isec->list);
190 isec->inode = inode;
191 isec->sid = SECINITSID_UNLABELED;
192 isec->sclass = SECCLASS_FILE;
193 isec->task_sid = tsec->sid;
194 inode->i_security = isec;
195
196 return 0;
197 }
198
199 static void inode_free_security(struct inode *inode)
200 {
201 struct inode_security_struct *isec = inode->i_security;
202 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203
204 spin_lock(&sbsec->isec_lock);
205 if (!list_empty(&isec->list))
206 list_del_init(&isec->list);
207 spin_unlock(&sbsec->isec_lock);
208
209 inode->i_security = NULL;
210 kmem_cache_free(sel_inode_cache, isec);
211 }
212
213 static int file_alloc_security(struct file *file)
214 {
215 struct task_security_struct *tsec = current->security;
216 struct file_security_struct *fsec;
217
218 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
219 if (!fsec)
220 return -ENOMEM;
221
222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
224 file->f_security = fsec;
225
226 return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231 struct file_security_struct *fsec = file->f_security;
232 file->f_security = NULL;
233 kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238 struct superblock_security_struct *sbsec;
239
240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241 if (!sbsec)
242 return -ENOMEM;
243
244 mutex_init(&sbsec->lock);
245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252 sb->s_security = sbsec;
253
254 return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259 struct superblock_security_struct *sbsec = sb->s_security;
260
261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
265
266 sb->s_security = NULL;
267 kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272 struct sk_security_struct *ssec;
273
274 ssec = kzalloc(sizeof(*ssec), priority);
275 if (!ssec)
276 return -ENOMEM;
277
278 ssec->peer_sid = SECINITSID_UNLABELED;
279 ssec->sid = SECINITSID_UNLABELED;
280 sk->sk_security = ssec;
281
282 selinux_netlbl_sk_security_reset(ssec, family);
283
284 return 0;
285 }
286
287 static void sk_free_security(struct sock *sk)
288 {
289 struct sk_security_struct *ssec = sk->sk_security;
290
291 sk->sk_security = NULL;
292 kfree(ssec);
293 }
294
295 /* The security server must be initialized before
296 any labeling or access decisions can be provided. */
297 extern int ss_initialized;
298
299 /* The file system's label must be initialized prior to use. */
300
301 static char *labeling_behaviors[6] = {
302 "uses xattr",
303 "uses transition SIDs",
304 "uses task SIDs",
305 "uses genfs_contexts",
306 "not configured for labeling",
307 "uses mountpoint labeling",
308 };
309
310 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311
312 static inline int inode_doinit(struct inode *inode)
313 {
314 return inode_doinit_with_dentry(inode, NULL);
315 }
316
317 enum {
318 Opt_error = -1,
319 Opt_context = 1,
320 Opt_fscontext = 2,
321 Opt_defcontext = 3,
322 Opt_rootcontext = 4,
323 };
324
325 static match_table_t tokens = {
326 {Opt_context, CONTEXT_STR "%s"},
327 {Opt_fscontext, FSCONTEXT_STR "%s"},
328 {Opt_defcontext, DEFCONTEXT_STR "%s"},
329 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
330 {Opt_error, NULL},
331 };
332
333 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
334
335 static int may_context_mount_sb_relabel(u32 sid,
336 struct superblock_security_struct *sbsec,
337 struct task_security_struct *tsec)
338 {
339 int rc;
340
341 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
342 FILESYSTEM__RELABELFROM, NULL);
343 if (rc)
344 return rc;
345
346 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELTO, NULL);
348 return rc;
349 }
350
351 static int may_context_mount_inode_relabel(u32 sid,
352 struct superblock_security_struct *sbsec,
353 struct task_security_struct *tsec)
354 {
355 int rc;
356 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
357 FILESYSTEM__RELABELFROM, NULL);
358 if (rc)
359 return rc;
360
361 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__ASSOCIATE, NULL);
363 return rc;
364 }
365
366 static int sb_finish_set_opts(struct super_block *sb)
367 {
368 struct superblock_security_struct *sbsec = sb->s_security;
369 struct dentry *root = sb->s_root;
370 struct inode *root_inode = root->d_inode;
371 int rc = 0;
372
373 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
374 /* Make sure that the xattr handler exists and that no
375 error other than -ENODATA is returned by getxattr on
376 the root directory. -ENODATA is ok, as this may be
377 the first boot of the SELinux kernel before we have
378 assigned xattr values to the filesystem. */
379 if (!root_inode->i_op->getxattr) {
380 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
381 "xattr support\n", sb->s_id, sb->s_type->name);
382 rc = -EOPNOTSUPP;
383 goto out;
384 }
385 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
386 if (rc < 0 && rc != -ENODATA) {
387 if (rc == -EOPNOTSUPP)
388 printk(KERN_WARNING "SELinux: (dev %s, type "
389 "%s) has no security xattr handler\n",
390 sb->s_id, sb->s_type->name);
391 else
392 printk(KERN_WARNING "SELinux: (dev %s, type "
393 "%s) getxattr errno %d\n", sb->s_id,
394 sb->s_type->name, -rc);
395 goto out;
396 }
397 }
398
399 sbsec->initialized = 1;
400
401 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
403 sb->s_id, sb->s_type->name);
404 else
405 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
406 sb->s_id, sb->s_type->name,
407 labeling_behaviors[sbsec->behavior-1]);
408
409 /* Initialize the root inode. */
410 rc = inode_doinit_with_dentry(root_inode, root);
411
412 /* Initialize any other inodes associated with the superblock, e.g.
413 inodes created prior to initial policy load or inodes created
414 during get_sb by a pseudo filesystem that directly
415 populates itself. */
416 spin_lock(&sbsec->isec_lock);
417 next_inode:
418 if (!list_empty(&sbsec->isec_head)) {
419 struct inode_security_struct *isec =
420 list_entry(sbsec->isec_head.next,
421 struct inode_security_struct, list);
422 struct inode *inode = isec->inode;
423 spin_unlock(&sbsec->isec_lock);
424 inode = igrab(inode);
425 if (inode) {
426 if (!IS_PRIVATE(inode))
427 inode_doinit(inode);
428 iput(inode);
429 }
430 spin_lock(&sbsec->isec_lock);
431 list_del_init(&isec->list);
432 goto next_inode;
433 }
434 spin_unlock(&sbsec->isec_lock);
435 out:
436 return rc;
437 }
438
439 /*
440 * This function should allow an FS to ask what it's mount security
441 * options were so it can use those later for submounts, displaying
442 * mount options, or whatever.
443 */
444 static int selinux_get_mnt_opts(const struct super_block *sb,
445 struct security_mnt_opts *opts)
446 {
447 int rc = 0, i;
448 struct superblock_security_struct *sbsec = sb->s_security;
449 char *context = NULL;
450 u32 len;
451 char tmp;
452
453 security_init_mnt_opts(opts);
454
455 if (!sbsec->initialized)
456 return -EINVAL;
457
458 if (!ss_initialized)
459 return -EINVAL;
460
461 /*
462 * if we ever use sbsec flags for anything other than tracking mount
463 * settings this is going to need a mask
464 */
465 tmp = sbsec->flags;
466 /* count the number of mount options for this sb */
467 for (i = 0; i < 8; i++) {
468 if (tmp & 0x01)
469 opts->num_mnt_opts++;
470 tmp >>= 1;
471 }
472
473 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
474 if (!opts->mnt_opts) {
475 rc = -ENOMEM;
476 goto out_free;
477 }
478
479 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
480 if (!opts->mnt_opts_flags) {
481 rc = -ENOMEM;
482 goto out_free;
483 }
484
485 i = 0;
486 if (sbsec->flags & FSCONTEXT_MNT) {
487 rc = security_sid_to_context(sbsec->sid, &context, &len);
488 if (rc)
489 goto out_free;
490 opts->mnt_opts[i] = context;
491 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
492 }
493 if (sbsec->flags & CONTEXT_MNT) {
494 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
495 if (rc)
496 goto out_free;
497 opts->mnt_opts[i] = context;
498 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
499 }
500 if (sbsec->flags & DEFCONTEXT_MNT) {
501 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
502 if (rc)
503 goto out_free;
504 opts->mnt_opts[i] = context;
505 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
506 }
507 if (sbsec->flags & ROOTCONTEXT_MNT) {
508 struct inode *root = sbsec->sb->s_root->d_inode;
509 struct inode_security_struct *isec = root->i_security;
510
511 rc = security_sid_to_context(isec->sid, &context, &len);
512 if (rc)
513 goto out_free;
514 opts->mnt_opts[i] = context;
515 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
516 }
517
518 BUG_ON(i != opts->num_mnt_opts);
519
520 return 0;
521
522 out_free:
523 security_free_mnt_opts(opts);
524 return rc;
525 }
526
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528 u32 old_sid, u32 new_sid)
529 {
530 /* check if the old mount command had the same options */
531 if (sbsec->initialized)
532 if (!(sbsec->flags & flag) ||
533 (old_sid != new_sid))
534 return 1;
535
536 /* check if we were passed the same options twice,
537 * aka someone passed context=a,context=b
538 */
539 if (!sbsec->initialized)
540 if (sbsec->flags & flag)
541 return 1;
542 return 0;
543 }
544
545 /*
546 * Allow filesystems with binary mount data to explicitly set mount point
547 * labeling information.
548 */
549 static int selinux_set_mnt_opts(struct super_block *sb,
550 struct security_mnt_opts *opts)
551 {
552 int rc = 0, i;
553 struct task_security_struct *tsec = current->security;
554 struct superblock_security_struct *sbsec = sb->s_security;
555 const char *name = sb->s_type->name;
556 struct inode *inode = sbsec->sb->s_root->d_inode;
557 struct inode_security_struct *root_isec = inode->i_security;
558 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
559 u32 defcontext_sid = 0;
560 char **mount_options = opts->mnt_opts;
561 int *flags = opts->mnt_opts_flags;
562 int num_opts = opts->num_mnt_opts;
563
564 mutex_lock(&sbsec->lock);
565
566 if (!ss_initialized) {
567 if (!num_opts) {
568 /* Defer initialization until selinux_complete_init,
569 after the initial policy is loaded and the security
570 server is ready to handle calls. */
571 spin_lock(&sb_security_lock);
572 if (list_empty(&sbsec->list))
573 list_add(&sbsec->list, &superblock_security_head);
574 spin_unlock(&sb_security_lock);
575 goto out;
576 }
577 rc = -EINVAL;
578 printk(KERN_WARNING "Unable to set superblock options before "
579 "the security server is initialized\n");
580 goto out;
581 }
582
583 /*
584 * Binary mount data FS will come through this function twice. Once
585 * from an explicit call and once from the generic calls from the vfs.
586 * Since the generic VFS calls will not contain any security mount data
587 * we need to skip the double mount verification.
588 *
589 * This does open a hole in which we will not notice if the first
590 * mount using this sb set explict options and a second mount using
591 * this sb does not set any security options. (The first options
592 * will be used for both mounts)
593 */
594 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595 && (num_opts == 0))
596 goto out;
597
598 /*
599 * parse the mount options, check if they are valid sids.
600 * also check if someone is trying to mount the same sb more
601 * than once with different security options.
602 */
603 for (i = 0; i < num_opts; i++) {
604 u32 sid;
605 rc = security_context_to_sid(mount_options[i],
606 strlen(mount_options[i]), &sid);
607 if (rc) {
608 printk(KERN_WARNING "SELinux: security_context_to_sid"
609 "(%s) failed for (dev %s, type %s) errno=%d\n",
610 mount_options[i], sb->s_id, name, rc);
611 goto out;
612 }
613 switch (flags[i]) {
614 case FSCONTEXT_MNT:
615 fscontext_sid = sid;
616
617 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
618 fscontext_sid))
619 goto out_double_mount;
620
621 sbsec->flags |= FSCONTEXT_MNT;
622 break;
623 case CONTEXT_MNT:
624 context_sid = sid;
625
626 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
627 context_sid))
628 goto out_double_mount;
629
630 sbsec->flags |= CONTEXT_MNT;
631 break;
632 case ROOTCONTEXT_MNT:
633 rootcontext_sid = sid;
634
635 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
636 rootcontext_sid))
637 goto out_double_mount;
638
639 sbsec->flags |= ROOTCONTEXT_MNT;
640
641 break;
642 case DEFCONTEXT_MNT:
643 defcontext_sid = sid;
644
645 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
646 defcontext_sid))
647 goto out_double_mount;
648
649 sbsec->flags |= DEFCONTEXT_MNT;
650
651 break;
652 default:
653 rc = -EINVAL;
654 goto out;
655 }
656 }
657
658 if (sbsec->initialized) {
659 /* previously mounted with options, but not on this attempt? */
660 if (sbsec->flags && !num_opts)
661 goto out_double_mount;
662 rc = 0;
663 goto out;
664 }
665
666 if (strcmp(sb->s_type->name, "proc") == 0)
667 sbsec->proc = 1;
668
669 /* Determine the labeling behavior to use for this filesystem type. */
670 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
671 if (rc) {
672 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
673 __func__, sb->s_type->name, rc);
674 goto out;
675 }
676
677 /* sets the context of the superblock for the fs being mounted. */
678 if (fscontext_sid) {
679
680 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
681 if (rc)
682 goto out;
683
684 sbsec->sid = fscontext_sid;
685 }
686
687 /*
688 * Switch to using mount point labeling behavior.
689 * sets the label used on all file below the mountpoint, and will set
690 * the superblock context if not already set.
691 */
692 if (context_sid) {
693 if (!fscontext_sid) {
694 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
695 if (rc)
696 goto out;
697 sbsec->sid = context_sid;
698 } else {
699 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
700 if (rc)
701 goto out;
702 }
703 if (!rootcontext_sid)
704 rootcontext_sid = context_sid;
705
706 sbsec->mntpoint_sid = context_sid;
707 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
708 }
709
710 if (rootcontext_sid) {
711 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
712 if (rc)
713 goto out;
714
715 root_isec->sid = rootcontext_sid;
716 root_isec->initialized = 1;
717 }
718
719 if (defcontext_sid) {
720 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
721 rc = -EINVAL;
722 printk(KERN_WARNING "SELinux: defcontext option is "
723 "invalid for this filesystem type\n");
724 goto out;
725 }
726
727 if (defcontext_sid != sbsec->def_sid) {
728 rc = may_context_mount_inode_relabel(defcontext_sid,
729 sbsec, tsec);
730 if (rc)
731 goto out;
732 }
733
734 sbsec->def_sid = defcontext_sid;
735 }
736
737 rc = sb_finish_set_opts(sb);
738 out:
739 mutex_unlock(&sbsec->lock);
740 return rc;
741 out_double_mount:
742 rc = -EINVAL;
743 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
744 "security settings for (dev %s, type %s)\n", sb->s_id, name);
745 goto out;
746 }
747
748 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
749 struct super_block *newsb)
750 {
751 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
752 struct superblock_security_struct *newsbsec = newsb->s_security;
753
754 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
755 int set_context = (oldsbsec->flags & CONTEXT_MNT);
756 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
757
758 /* we can't error, we can't save the info, this shouldn't get called
759 * this early in the boot process. */
760 BUG_ON(!ss_initialized);
761
762 /* how can we clone if the old one wasn't set up?? */
763 BUG_ON(!oldsbsec->initialized);
764
765 /* if fs is reusing a sb, just let its options stand... */
766 if (newsbsec->initialized)
767 return;
768
769 mutex_lock(&newsbsec->lock);
770
771 newsbsec->flags = oldsbsec->flags;
772
773 newsbsec->sid = oldsbsec->sid;
774 newsbsec->def_sid = oldsbsec->def_sid;
775 newsbsec->behavior = oldsbsec->behavior;
776
777 if (set_context) {
778 u32 sid = oldsbsec->mntpoint_sid;
779
780 if (!set_fscontext)
781 newsbsec->sid = sid;
782 if (!set_rootcontext) {
783 struct inode *newinode = newsb->s_root->d_inode;
784 struct inode_security_struct *newisec = newinode->i_security;
785 newisec->sid = sid;
786 }
787 newsbsec->mntpoint_sid = sid;
788 }
789 if (set_rootcontext) {
790 const struct inode *oldinode = oldsb->s_root->d_inode;
791 const struct inode_security_struct *oldisec = oldinode->i_security;
792 struct inode *newinode = newsb->s_root->d_inode;
793 struct inode_security_struct *newisec = newinode->i_security;
794
795 newisec->sid = oldisec->sid;
796 }
797
798 sb_finish_set_opts(newsb);
799 mutex_unlock(&newsbsec->lock);
800 }
801
802 static int selinux_parse_opts_str(char *options,
803 struct security_mnt_opts *opts)
804 {
805 char *p;
806 char *context = NULL, *defcontext = NULL;
807 char *fscontext = NULL, *rootcontext = NULL;
808 int rc, num_mnt_opts = 0;
809
810 opts->num_mnt_opts = 0;
811
812 /* Standard string-based options. */
813 while ((p = strsep(&options, "|")) != NULL) {
814 int token;
815 substring_t args[MAX_OPT_ARGS];
816
817 if (!*p)
818 continue;
819
820 token = match_token(p, tokens, args);
821
822 switch (token) {
823 case Opt_context:
824 if (context || defcontext) {
825 rc = -EINVAL;
826 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
827 goto out_err;
828 }
829 context = match_strdup(&args[0]);
830 if (!context) {
831 rc = -ENOMEM;
832 goto out_err;
833 }
834 break;
835
836 case Opt_fscontext:
837 if (fscontext) {
838 rc = -EINVAL;
839 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
840 goto out_err;
841 }
842 fscontext = match_strdup(&args[0]);
843 if (!fscontext) {
844 rc = -ENOMEM;
845 goto out_err;
846 }
847 break;
848
849 case Opt_rootcontext:
850 if (rootcontext) {
851 rc = -EINVAL;
852 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
853 goto out_err;
854 }
855 rootcontext = match_strdup(&args[0]);
856 if (!rootcontext) {
857 rc = -ENOMEM;
858 goto out_err;
859 }
860 break;
861
862 case Opt_defcontext:
863 if (context || defcontext) {
864 rc = -EINVAL;
865 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
866 goto out_err;
867 }
868 defcontext = match_strdup(&args[0]);
869 if (!defcontext) {
870 rc = -ENOMEM;
871 goto out_err;
872 }
873 break;
874
875 default:
876 rc = -EINVAL;
877 printk(KERN_WARNING "SELinux: unknown mount option\n");
878 goto out_err;
879
880 }
881 }
882
883 rc = -ENOMEM;
884 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
885 if (!opts->mnt_opts)
886 goto out_err;
887
888 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
889 if (!opts->mnt_opts_flags) {
890 kfree(opts->mnt_opts);
891 goto out_err;
892 }
893
894 if (fscontext) {
895 opts->mnt_opts[num_mnt_opts] = fscontext;
896 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
897 }
898 if (context) {
899 opts->mnt_opts[num_mnt_opts] = context;
900 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
901 }
902 if (rootcontext) {
903 opts->mnt_opts[num_mnt_opts] = rootcontext;
904 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
905 }
906 if (defcontext) {
907 opts->mnt_opts[num_mnt_opts] = defcontext;
908 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
909 }
910
911 opts->num_mnt_opts = num_mnt_opts;
912 return 0;
913
914 out_err:
915 kfree(context);
916 kfree(defcontext);
917 kfree(fscontext);
918 kfree(rootcontext);
919 return rc;
920 }
921 /*
922 * string mount options parsing and call set the sbsec
923 */
924 static int superblock_doinit(struct super_block *sb, void *data)
925 {
926 int rc = 0;
927 char *options = data;
928 struct security_mnt_opts opts;
929
930 security_init_mnt_opts(&opts);
931
932 if (!data)
933 goto out;
934
935 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
936
937 rc = selinux_parse_opts_str(options, &opts);
938 if (rc)
939 goto out_err;
940
941 out:
942 rc = selinux_set_mnt_opts(sb, &opts);
943
944 out_err:
945 security_free_mnt_opts(&opts);
946 return rc;
947 }
948
949 static inline u16 inode_mode_to_security_class(umode_t mode)
950 {
951 switch (mode & S_IFMT) {
952 case S_IFSOCK:
953 return SECCLASS_SOCK_FILE;
954 case S_IFLNK:
955 return SECCLASS_LNK_FILE;
956 case S_IFREG:
957 return SECCLASS_FILE;
958 case S_IFBLK:
959 return SECCLASS_BLK_FILE;
960 case S_IFDIR:
961 return SECCLASS_DIR;
962 case S_IFCHR:
963 return SECCLASS_CHR_FILE;
964 case S_IFIFO:
965 return SECCLASS_FIFO_FILE;
966
967 }
968
969 return SECCLASS_FILE;
970 }
971
972 static inline int default_protocol_stream(int protocol)
973 {
974 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
975 }
976
977 static inline int default_protocol_dgram(int protocol)
978 {
979 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
980 }
981
982 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
983 {
984 switch (family) {
985 case PF_UNIX:
986 switch (type) {
987 case SOCK_STREAM:
988 case SOCK_SEQPACKET:
989 return SECCLASS_UNIX_STREAM_SOCKET;
990 case SOCK_DGRAM:
991 return SECCLASS_UNIX_DGRAM_SOCKET;
992 }
993 break;
994 case PF_INET:
995 case PF_INET6:
996 switch (type) {
997 case SOCK_STREAM:
998 if (default_protocol_stream(protocol))
999 return SECCLASS_TCP_SOCKET;
1000 else
1001 return SECCLASS_RAWIP_SOCKET;
1002 case SOCK_DGRAM:
1003 if (default_protocol_dgram(protocol))
1004 return SECCLASS_UDP_SOCKET;
1005 else
1006 return SECCLASS_RAWIP_SOCKET;
1007 case SOCK_DCCP:
1008 return SECCLASS_DCCP_SOCKET;
1009 default:
1010 return SECCLASS_RAWIP_SOCKET;
1011 }
1012 break;
1013 case PF_NETLINK:
1014 switch (protocol) {
1015 case NETLINK_ROUTE:
1016 return SECCLASS_NETLINK_ROUTE_SOCKET;
1017 case NETLINK_FIREWALL:
1018 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1019 case NETLINK_INET_DIAG:
1020 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1021 case NETLINK_NFLOG:
1022 return SECCLASS_NETLINK_NFLOG_SOCKET;
1023 case NETLINK_XFRM:
1024 return SECCLASS_NETLINK_XFRM_SOCKET;
1025 case NETLINK_SELINUX:
1026 return SECCLASS_NETLINK_SELINUX_SOCKET;
1027 case NETLINK_AUDIT:
1028 return SECCLASS_NETLINK_AUDIT_SOCKET;
1029 case NETLINK_IP6_FW:
1030 return SECCLASS_NETLINK_IP6FW_SOCKET;
1031 case NETLINK_DNRTMSG:
1032 return SECCLASS_NETLINK_DNRT_SOCKET;
1033 case NETLINK_KOBJECT_UEVENT:
1034 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1035 default:
1036 return SECCLASS_NETLINK_SOCKET;
1037 }
1038 case PF_PACKET:
1039 return SECCLASS_PACKET_SOCKET;
1040 case PF_KEY:
1041 return SECCLASS_KEY_SOCKET;
1042 case PF_APPLETALK:
1043 return SECCLASS_APPLETALK_SOCKET;
1044 }
1045
1046 return SECCLASS_SOCKET;
1047 }
1048
1049 #ifdef CONFIG_PROC_FS
1050 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1051 u16 tclass,
1052 u32 *sid)
1053 {
1054 int buflen, rc;
1055 char *buffer, *path, *end;
1056
1057 buffer = (char*)__get_free_page(GFP_KERNEL);
1058 if (!buffer)
1059 return -ENOMEM;
1060
1061 buflen = PAGE_SIZE;
1062 end = buffer+buflen;
1063 *--end = '\0';
1064 buflen--;
1065 path = end-1;
1066 *path = '/';
1067 while (de && de != de->parent) {
1068 buflen -= de->namelen + 1;
1069 if (buflen < 0)
1070 break;
1071 end -= de->namelen;
1072 memcpy(end, de->name, de->namelen);
1073 *--end = '/';
1074 path = end;
1075 de = de->parent;
1076 }
1077 rc = security_genfs_sid("proc", path, tclass, sid);
1078 free_page((unsigned long)buffer);
1079 return rc;
1080 }
1081 #else
1082 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1083 u16 tclass,
1084 u32 *sid)
1085 {
1086 return -EINVAL;
1087 }
1088 #endif
1089
1090 /* The inode's security attributes must be initialized before first use. */
1091 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1092 {
1093 struct superblock_security_struct *sbsec = NULL;
1094 struct inode_security_struct *isec = inode->i_security;
1095 u32 sid;
1096 struct dentry *dentry;
1097 #define INITCONTEXTLEN 255
1098 char *context = NULL;
1099 unsigned len = 0;
1100 int rc = 0;
1101
1102 if (isec->initialized)
1103 goto out;
1104
1105 mutex_lock(&isec->lock);
1106 if (isec->initialized)
1107 goto out_unlock;
1108
1109 sbsec = inode->i_sb->s_security;
1110 if (!sbsec->initialized) {
1111 /* Defer initialization until selinux_complete_init,
1112 after the initial policy is loaded and the security
1113 server is ready to handle calls. */
1114 spin_lock(&sbsec->isec_lock);
1115 if (list_empty(&isec->list))
1116 list_add(&isec->list, &sbsec->isec_head);
1117 spin_unlock(&sbsec->isec_lock);
1118 goto out_unlock;
1119 }
1120
1121 switch (sbsec->behavior) {
1122 case SECURITY_FS_USE_XATTR:
1123 if (!inode->i_op->getxattr) {
1124 isec->sid = sbsec->def_sid;
1125 break;
1126 }
1127
1128 /* Need a dentry, since the xattr API requires one.
1129 Life would be simpler if we could just pass the inode. */
1130 if (opt_dentry) {
1131 /* Called from d_instantiate or d_splice_alias. */
1132 dentry = dget(opt_dentry);
1133 } else {
1134 /* Called from selinux_complete_init, try to find a dentry. */
1135 dentry = d_find_alias(inode);
1136 }
1137 if (!dentry) {
1138 printk(KERN_WARNING "%s: no dentry for dev=%s "
1139 "ino=%ld\n", __func__, inode->i_sb->s_id,
1140 inode->i_ino);
1141 goto out_unlock;
1142 }
1143
1144 len = INITCONTEXTLEN;
1145 context = kmalloc(len, GFP_NOFS);
1146 if (!context) {
1147 rc = -ENOMEM;
1148 dput(dentry);
1149 goto out_unlock;
1150 }
1151 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1152 context, len);
1153 if (rc == -ERANGE) {
1154 /* Need a larger buffer. Query for the right size. */
1155 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1156 NULL, 0);
1157 if (rc < 0) {
1158 dput(dentry);
1159 goto out_unlock;
1160 }
1161 kfree(context);
1162 len = rc;
1163 context = kmalloc(len, GFP_NOFS);
1164 if (!context) {
1165 rc = -ENOMEM;
1166 dput(dentry);
1167 goto out_unlock;
1168 }
1169 rc = inode->i_op->getxattr(dentry,
1170 XATTR_NAME_SELINUX,
1171 context, len);
1172 }
1173 dput(dentry);
1174 if (rc < 0) {
1175 if (rc != -ENODATA) {
1176 printk(KERN_WARNING "%s: getxattr returned "
1177 "%d for dev=%s ino=%ld\n", __func__,
1178 -rc, inode->i_sb->s_id, inode->i_ino);
1179 kfree(context);
1180 goto out_unlock;
1181 }
1182 /* Map ENODATA to the default file SID */
1183 sid = sbsec->def_sid;
1184 rc = 0;
1185 } else {
1186 rc = security_context_to_sid_default(context, rc, &sid,
1187 sbsec->def_sid,
1188 GFP_NOFS);
1189 if (rc) {
1190 printk(KERN_WARNING "%s: context_to_sid(%s) "
1191 "returned %d for dev=%s ino=%ld\n",
1192 __func__, context, -rc,
1193 inode->i_sb->s_id, inode->i_ino);
1194 kfree(context);
1195 /* Leave with the unlabeled SID */
1196 rc = 0;
1197 break;
1198 }
1199 }
1200 kfree(context);
1201 isec->sid = sid;
1202 break;
1203 case SECURITY_FS_USE_TASK:
1204 isec->sid = isec->task_sid;
1205 break;
1206 case SECURITY_FS_USE_TRANS:
1207 /* Default to the fs SID. */
1208 isec->sid = sbsec->sid;
1209
1210 /* Try to obtain a transition SID. */
1211 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1212 rc = security_transition_sid(isec->task_sid,
1213 sbsec->sid,
1214 isec->sclass,
1215 &sid);
1216 if (rc)
1217 goto out_unlock;
1218 isec->sid = sid;
1219 break;
1220 case SECURITY_FS_USE_MNTPOINT:
1221 isec->sid = sbsec->mntpoint_sid;
1222 break;
1223 default:
1224 /* Default to the fs superblock SID. */
1225 isec->sid = sbsec->sid;
1226
1227 if (sbsec->proc) {
1228 struct proc_inode *proci = PROC_I(inode);
1229 if (proci->pde) {
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1231 rc = selinux_proc_get_sid(proci->pde,
1232 isec->sclass,
1233 &sid);
1234 if (rc)
1235 goto out_unlock;
1236 isec->sid = sid;
1237 }
1238 }
1239 break;
1240 }
1241
1242 isec->initialized = 1;
1243
1244 out_unlock:
1245 mutex_unlock(&isec->lock);
1246 out:
1247 if (isec->sclass == SECCLASS_FILE)
1248 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1249 return rc;
1250 }
1251
1252 /* Convert a Linux signal to an access vector. */
1253 static inline u32 signal_to_av(int sig)
1254 {
1255 u32 perm = 0;
1256
1257 switch (sig) {
1258 case SIGCHLD:
1259 /* Commonly granted from child to parent. */
1260 perm = PROCESS__SIGCHLD;
1261 break;
1262 case SIGKILL:
1263 /* Cannot be caught or ignored */
1264 perm = PROCESS__SIGKILL;
1265 break;
1266 case SIGSTOP:
1267 /* Cannot be caught or ignored */
1268 perm = PROCESS__SIGSTOP;
1269 break;
1270 default:
1271 /* All other signals. */
1272 perm = PROCESS__SIGNAL;
1273 break;
1274 }
1275
1276 return perm;
1277 }
1278
1279 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1280 fork check, ptrace check, etc. */
1281 static int task_has_perm(struct task_struct *tsk1,
1282 struct task_struct *tsk2,
1283 u32 perms)
1284 {
1285 struct task_security_struct *tsec1, *tsec2;
1286
1287 tsec1 = tsk1->security;
1288 tsec2 = tsk2->security;
1289 return avc_has_perm(tsec1->sid, tsec2->sid,
1290 SECCLASS_PROCESS, perms, NULL);
1291 }
1292
1293 #if CAP_LAST_CAP > 63
1294 #error Fix SELinux to handle capabilities > 63.
1295 #endif
1296
1297 /* Check whether a task is allowed to use a capability. */
1298 static int task_has_capability(struct task_struct *tsk,
1299 int cap)
1300 {
1301 struct task_security_struct *tsec;
1302 struct avc_audit_data ad;
1303 u16 sclass;
1304 u32 av = CAP_TO_MASK(cap);
1305
1306 tsec = tsk->security;
1307
1308 AVC_AUDIT_DATA_INIT(&ad,CAP);
1309 ad.tsk = tsk;
1310 ad.u.cap = cap;
1311
1312 switch (CAP_TO_INDEX(cap)) {
1313 case 0:
1314 sclass = SECCLASS_CAPABILITY;
1315 break;
1316 case 1:
1317 sclass = SECCLASS_CAPABILITY2;
1318 break;
1319 default:
1320 printk(KERN_ERR
1321 "SELinux: out of range capability %d\n", cap);
1322 BUG();
1323 }
1324 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1325 }
1326
1327 /* Check whether a task is allowed to use a system operation. */
1328 static int task_has_system(struct task_struct *tsk,
1329 u32 perms)
1330 {
1331 struct task_security_struct *tsec;
1332
1333 tsec = tsk->security;
1334
1335 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1336 SECCLASS_SYSTEM, perms, NULL);
1337 }
1338
1339 /* Check whether a task has a particular permission to an inode.
1340 The 'adp' parameter is optional and allows other audit
1341 data to be passed (e.g. the dentry). */
1342 static int inode_has_perm(struct task_struct *tsk,
1343 struct inode *inode,
1344 u32 perms,
1345 struct avc_audit_data *adp)
1346 {
1347 struct task_security_struct *tsec;
1348 struct inode_security_struct *isec;
1349 struct avc_audit_data ad;
1350
1351 if (unlikely (IS_PRIVATE (inode)))
1352 return 0;
1353
1354 tsec = tsk->security;
1355 isec = inode->i_security;
1356
1357 if (!adp) {
1358 adp = &ad;
1359 AVC_AUDIT_DATA_INIT(&ad, FS);
1360 ad.u.fs.inode = inode;
1361 }
1362
1363 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1364 }
1365
1366 /* Same as inode_has_perm, but pass explicit audit data containing
1367 the dentry to help the auditing code to more easily generate the
1368 pathname if needed. */
1369 static inline int dentry_has_perm(struct task_struct *tsk,
1370 struct vfsmount *mnt,
1371 struct dentry *dentry,
1372 u32 av)
1373 {
1374 struct inode *inode = dentry->d_inode;
1375 struct avc_audit_data ad;
1376 AVC_AUDIT_DATA_INIT(&ad,FS);
1377 ad.u.fs.path.mnt = mnt;
1378 ad.u.fs.path.dentry = dentry;
1379 return inode_has_perm(tsk, inode, av, &ad);
1380 }
1381
1382 /* Check whether a task can use an open file descriptor to
1383 access an inode in a given way. Check access to the
1384 descriptor itself, and then use dentry_has_perm to
1385 check a particular permission to the file.
1386 Access to the descriptor is implicitly granted if it
1387 has the same SID as the process. If av is zero, then
1388 access to the file is not checked, e.g. for cases
1389 where only the descriptor is affected like seek. */
1390 static int file_has_perm(struct task_struct *tsk,
1391 struct file *file,
1392 u32 av)
1393 {
1394 struct task_security_struct *tsec = tsk->security;
1395 struct file_security_struct *fsec = file->f_security;
1396 struct inode *inode = file->f_path.dentry->d_inode;
1397 struct avc_audit_data ad;
1398 int rc;
1399
1400 AVC_AUDIT_DATA_INIT(&ad, FS);
1401 ad.u.fs.path = file->f_path;
1402
1403 if (tsec->sid != fsec->sid) {
1404 rc = avc_has_perm(tsec->sid, fsec->sid,
1405 SECCLASS_FD,
1406 FD__USE,
1407 &ad);
1408 if (rc)
1409 return rc;
1410 }
1411
1412 /* av is zero if only checking access to the descriptor. */
1413 if (av)
1414 return inode_has_perm(tsk, inode, av, &ad);
1415
1416 return 0;
1417 }
1418
1419 /* Check whether a task can create a file. */
1420 static int may_create(struct inode *dir,
1421 struct dentry *dentry,
1422 u16 tclass)
1423 {
1424 struct task_security_struct *tsec;
1425 struct inode_security_struct *dsec;
1426 struct superblock_security_struct *sbsec;
1427 u32 newsid;
1428 struct avc_audit_data ad;
1429 int rc;
1430
1431 tsec = current->security;
1432 dsec = dir->i_security;
1433 sbsec = dir->i_sb->s_security;
1434
1435 AVC_AUDIT_DATA_INIT(&ad, FS);
1436 ad.u.fs.path.dentry = dentry;
1437
1438 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1439 DIR__ADD_NAME | DIR__SEARCH,
1440 &ad);
1441 if (rc)
1442 return rc;
1443
1444 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1445 newsid = tsec->create_sid;
1446 } else {
1447 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1448 &newsid);
1449 if (rc)
1450 return rc;
1451 }
1452
1453 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1454 if (rc)
1455 return rc;
1456
1457 return avc_has_perm(newsid, sbsec->sid,
1458 SECCLASS_FILESYSTEM,
1459 FILESYSTEM__ASSOCIATE, &ad);
1460 }
1461
1462 /* Check whether a task can create a key. */
1463 static int may_create_key(u32 ksid,
1464 struct task_struct *ctx)
1465 {
1466 struct task_security_struct *tsec;
1467
1468 tsec = ctx->security;
1469
1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1471 }
1472
1473 #define MAY_LINK 0
1474 #define MAY_UNLINK 1
1475 #define MAY_RMDIR 2
1476
1477 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1478 static int may_link(struct inode *dir,
1479 struct dentry *dentry,
1480 int kind)
1481
1482 {
1483 struct task_security_struct *tsec;
1484 struct inode_security_struct *dsec, *isec;
1485 struct avc_audit_data ad;
1486 u32 av;
1487 int rc;
1488
1489 tsec = current->security;
1490 dsec = dir->i_security;
1491 isec = dentry->d_inode->i_security;
1492
1493 AVC_AUDIT_DATA_INIT(&ad, FS);
1494 ad.u.fs.path.dentry = dentry;
1495
1496 av = DIR__SEARCH;
1497 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1498 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1499 if (rc)
1500 return rc;
1501
1502 switch (kind) {
1503 case MAY_LINK:
1504 av = FILE__LINK;
1505 break;
1506 case MAY_UNLINK:
1507 av = FILE__UNLINK;
1508 break;
1509 case MAY_RMDIR:
1510 av = DIR__RMDIR;
1511 break;
1512 default:
1513 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1514 return 0;
1515 }
1516
1517 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1518 return rc;
1519 }
1520
1521 static inline int may_rename(struct inode *old_dir,
1522 struct dentry *old_dentry,
1523 struct inode *new_dir,
1524 struct dentry *new_dentry)
1525 {
1526 struct task_security_struct *tsec;
1527 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1528 struct avc_audit_data ad;
1529 u32 av;
1530 int old_is_dir, new_is_dir;
1531 int rc;
1532
1533 tsec = current->security;
1534 old_dsec = old_dir->i_security;
1535 old_isec = old_dentry->d_inode->i_security;
1536 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1537 new_dsec = new_dir->i_security;
1538
1539 AVC_AUDIT_DATA_INIT(&ad, FS);
1540
1541 ad.u.fs.path.dentry = old_dentry;
1542 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1543 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1544 if (rc)
1545 return rc;
1546 rc = avc_has_perm(tsec->sid, old_isec->sid,
1547 old_isec->sclass, FILE__RENAME, &ad);
1548 if (rc)
1549 return rc;
1550 if (old_is_dir && new_dir != old_dir) {
1551 rc = avc_has_perm(tsec->sid, old_isec->sid,
1552 old_isec->sclass, DIR__REPARENT, &ad);
1553 if (rc)
1554 return rc;
1555 }
1556
1557 ad.u.fs.path.dentry = new_dentry;
1558 av = DIR__ADD_NAME | DIR__SEARCH;
1559 if (new_dentry->d_inode)
1560 av |= DIR__REMOVE_NAME;
1561 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1562 if (rc)
1563 return rc;
1564 if (new_dentry->d_inode) {
1565 new_isec = new_dentry->d_inode->i_security;
1566 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1567 rc = avc_has_perm(tsec->sid, new_isec->sid,
1568 new_isec->sclass,
1569 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1570 if (rc)
1571 return rc;
1572 }
1573
1574 return 0;
1575 }
1576
1577 /* Check whether a task can perform a filesystem operation. */
1578 static int superblock_has_perm(struct task_struct *tsk,
1579 struct super_block *sb,
1580 u32 perms,
1581 struct avc_audit_data *ad)
1582 {
1583 struct task_security_struct *tsec;
1584 struct superblock_security_struct *sbsec;
1585
1586 tsec = tsk->security;
1587 sbsec = sb->s_security;
1588 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1589 perms, ad);
1590 }
1591
1592 /* Convert a Linux mode and permission mask to an access vector. */
1593 static inline u32 file_mask_to_av(int mode, int mask)
1594 {
1595 u32 av = 0;
1596
1597 if ((mode & S_IFMT) != S_IFDIR) {
1598 if (mask & MAY_EXEC)
1599 av |= FILE__EXECUTE;
1600 if (mask & MAY_READ)
1601 av |= FILE__READ;
1602
1603 if (mask & MAY_APPEND)
1604 av |= FILE__APPEND;
1605 else if (mask & MAY_WRITE)
1606 av |= FILE__WRITE;
1607
1608 } else {
1609 if (mask & MAY_EXEC)
1610 av |= DIR__SEARCH;
1611 if (mask & MAY_WRITE)
1612 av |= DIR__WRITE;
1613 if (mask & MAY_READ)
1614 av |= DIR__READ;
1615 }
1616
1617 return av;
1618 }
1619
1620 /*
1621 * Convert a file mask to an access vector and include the correct open
1622 * open permission.
1623 */
1624 static inline u32 open_file_mask_to_av(int mode, int mask)
1625 {
1626 u32 av = file_mask_to_av(mode, mask);
1627
1628 if (selinux_policycap_openperm) {
1629 /*
1630 * lnk files and socks do not really have an 'open'
1631 */
1632 if (S_ISREG(mode))
1633 av |= FILE__OPEN;
1634 else if (S_ISCHR(mode))
1635 av |= CHR_FILE__OPEN;
1636 else if (S_ISBLK(mode))
1637 av |= BLK_FILE__OPEN;
1638 else if (S_ISFIFO(mode))
1639 av |= FIFO_FILE__OPEN;
1640 else if (S_ISDIR(mode))
1641 av |= DIR__OPEN;
1642 else
1643 printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1644 "with unknown mode:%x\n", mode);
1645 }
1646 return av;
1647 }
1648
1649 /* Convert a Linux file to an access vector. */
1650 static inline u32 file_to_av(struct file *file)
1651 {
1652 u32 av = 0;
1653
1654 if (file->f_mode & FMODE_READ)
1655 av |= FILE__READ;
1656 if (file->f_mode & FMODE_WRITE) {
1657 if (file->f_flags & O_APPEND)
1658 av |= FILE__APPEND;
1659 else
1660 av |= FILE__WRITE;
1661 }
1662 if (!av) {
1663 /*
1664 * Special file opened with flags 3 for ioctl-only use.
1665 */
1666 av = FILE__IOCTL;
1667 }
1668
1669 return av;
1670 }
1671
1672 /* Hook functions begin here. */
1673
1674 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1675 {
1676 int rc;
1677
1678 rc = secondary_ops->ptrace(parent,child);
1679 if (rc)
1680 return rc;
1681
1682 return task_has_perm(parent, child, PROCESS__PTRACE);
1683 }
1684
1685 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1686 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1687 {
1688 int error;
1689
1690 error = task_has_perm(current, target, PROCESS__GETCAP);
1691 if (error)
1692 return error;
1693
1694 return secondary_ops->capget(target, effective, inheritable, permitted);
1695 }
1696
1697 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1698 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1699 {
1700 int error;
1701
1702 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1703 if (error)
1704 return error;
1705
1706 return task_has_perm(current, target, PROCESS__SETCAP);
1707 }
1708
1709 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1710 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1711 {
1712 secondary_ops->capset_set(target, effective, inheritable, permitted);
1713 }
1714
1715 static int selinux_capable(struct task_struct *tsk, int cap)
1716 {
1717 int rc;
1718
1719 rc = secondary_ops->capable(tsk, cap);
1720 if (rc)
1721 return rc;
1722
1723 return task_has_capability(tsk,cap);
1724 }
1725
1726 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1727 {
1728 int buflen, rc;
1729 char *buffer, *path, *end;
1730
1731 rc = -ENOMEM;
1732 buffer = (char*)__get_free_page(GFP_KERNEL);
1733 if (!buffer)
1734 goto out;
1735
1736 buflen = PAGE_SIZE;
1737 end = buffer+buflen;
1738 *--end = '\0';
1739 buflen--;
1740 path = end-1;
1741 *path = '/';
1742 while (table) {
1743 const char *name = table->procname;
1744 size_t namelen = strlen(name);
1745 buflen -= namelen + 1;
1746 if (buflen < 0)
1747 goto out_free;
1748 end -= namelen;
1749 memcpy(end, name, namelen);
1750 *--end = '/';
1751 path = end;
1752 table = table->parent;
1753 }
1754 buflen -= 4;
1755 if (buflen < 0)
1756 goto out_free;
1757 end -= 4;
1758 memcpy(end, "/sys", 4);
1759 path = end;
1760 rc = security_genfs_sid("proc", path, tclass, sid);
1761 out_free:
1762 free_page((unsigned long)buffer);
1763 out:
1764 return rc;
1765 }
1766
1767 static int selinux_sysctl(ctl_table *table, int op)
1768 {
1769 int error = 0;
1770 u32 av;
1771 struct task_security_struct *tsec;
1772 u32 tsid;
1773 int rc;
1774
1775 rc = secondary_ops->sysctl(table, op);
1776 if (rc)
1777 return rc;
1778
1779 tsec = current->security;
1780
1781 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1782 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1783 if (rc) {
1784 /* Default to the well-defined sysctl SID. */
1785 tsid = SECINITSID_SYSCTL;
1786 }
1787
1788 /* The op values are "defined" in sysctl.c, thereby creating
1789 * a bad coupling between this module and sysctl.c */
1790 if(op == 001) {
1791 error = avc_has_perm(tsec->sid, tsid,
1792 SECCLASS_DIR, DIR__SEARCH, NULL);
1793 } else {
1794 av = 0;
1795 if (op & 004)
1796 av |= FILE__READ;
1797 if (op & 002)
1798 av |= FILE__WRITE;
1799 if (av)
1800 error = avc_has_perm(tsec->sid, tsid,
1801 SECCLASS_FILE, av, NULL);
1802 }
1803
1804 return error;
1805 }
1806
1807 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1808 {
1809 int rc = 0;
1810
1811 if (!sb)
1812 return 0;
1813
1814 switch (cmds) {
1815 case Q_SYNC:
1816 case Q_QUOTAON:
1817 case Q_QUOTAOFF:
1818 case Q_SETINFO:
1819 case Q_SETQUOTA:
1820 rc = superblock_has_perm(current,
1821 sb,
1822 FILESYSTEM__QUOTAMOD, NULL);
1823 break;
1824 case Q_GETFMT:
1825 case Q_GETINFO:
1826 case Q_GETQUOTA:
1827 rc = superblock_has_perm(current,
1828 sb,
1829 FILESYSTEM__QUOTAGET, NULL);
1830 break;
1831 default:
1832 rc = 0; /* let the kernel handle invalid cmds */
1833 break;
1834 }
1835 return rc;
1836 }
1837
1838 static int selinux_quota_on(struct dentry *dentry)
1839 {
1840 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1841 }
1842
1843 static int selinux_syslog(int type)
1844 {
1845 int rc;
1846
1847 rc = secondary_ops->syslog(type);
1848 if (rc)
1849 return rc;
1850
1851 switch (type) {
1852 case 3: /* Read last kernel messages */
1853 case 10: /* Return size of the log buffer */
1854 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1855 break;
1856 case 6: /* Disable logging to console */
1857 case 7: /* Enable logging to console */
1858 case 8: /* Set level of messages printed to console */
1859 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1860 break;
1861 case 0: /* Close log */
1862 case 1: /* Open log */
1863 case 2: /* Read from log */
1864 case 4: /* Read/clear last kernel messages */
1865 case 5: /* Clear ring buffer */
1866 default:
1867 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1868 break;
1869 }
1870 return rc;
1871 }
1872
1873 /*
1874 * Check that a process has enough memory to allocate a new virtual
1875 * mapping. 0 means there is enough memory for the allocation to
1876 * succeed and -ENOMEM implies there is not.
1877 *
1878 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1879 * if the capability is granted, but __vm_enough_memory requires 1 if
1880 * the capability is granted.
1881 *
1882 * Do not audit the selinux permission check, as this is applied to all
1883 * processes that allocate mappings.
1884 */
1885 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1886 {
1887 int rc, cap_sys_admin = 0;
1888 struct task_security_struct *tsec = current->security;
1889
1890 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1891 if (rc == 0)
1892 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1893 SECCLASS_CAPABILITY,
1894 CAP_TO_MASK(CAP_SYS_ADMIN),
1895 0,
1896 NULL);
1897
1898 if (rc == 0)
1899 cap_sys_admin = 1;
1900
1901 return __vm_enough_memory(mm, pages, cap_sys_admin);
1902 }
1903
1904 /**
1905 * task_tracer_task - return the task that is tracing the given task
1906 * @task: task to consider
1907 *
1908 * Returns NULL if noone is tracing @task, or the &struct task_struct
1909 * pointer to its tracer.
1910 *
1911 * Must be called under rcu_read_lock().
1912 */
1913 static struct task_struct *task_tracer_task(struct task_struct *task)
1914 {
1915 if (task->ptrace & PT_PTRACED)
1916 return rcu_dereference(task->parent);
1917 return NULL;
1918 }
1919
1920 /* binprm security operations */
1921
1922 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1923 {
1924 struct bprm_security_struct *bsec;
1925
1926 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1927 if (!bsec)
1928 return -ENOMEM;
1929
1930 bsec->sid = SECINITSID_UNLABELED;
1931 bsec->set = 0;
1932
1933 bprm->security = bsec;
1934 return 0;
1935 }
1936
1937 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1938 {
1939 struct task_security_struct *tsec;
1940 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1941 struct inode_security_struct *isec;
1942 struct bprm_security_struct *bsec;
1943 u32 newsid;
1944 struct avc_audit_data ad;
1945 int rc;
1946
1947 rc = secondary_ops->bprm_set_security(bprm);
1948 if (rc)
1949 return rc;
1950
1951 bsec = bprm->security;
1952
1953 if (bsec->set)
1954 return 0;
1955
1956 tsec = current->security;
1957 isec = inode->i_security;
1958
1959 /* Default to the current task SID. */
1960 bsec->sid = tsec->sid;
1961
1962 /* Reset fs, key, and sock SIDs on execve. */
1963 tsec->create_sid = 0;
1964 tsec->keycreate_sid = 0;
1965 tsec->sockcreate_sid = 0;
1966
1967 if (tsec->exec_sid) {
1968 newsid = tsec->exec_sid;
1969 /* Reset exec SID on execve. */
1970 tsec->exec_sid = 0;
1971 } else {
1972 /* Check for a default transition on this program. */
1973 rc = security_transition_sid(tsec->sid, isec->sid,
1974 SECCLASS_PROCESS, &newsid);
1975 if (rc)
1976 return rc;
1977 }
1978
1979 AVC_AUDIT_DATA_INIT(&ad, FS);
1980 ad.u.fs.path = bprm->file->f_path;
1981
1982 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1983 newsid = tsec->sid;
1984
1985 if (tsec->sid == newsid) {
1986 rc = avc_has_perm(tsec->sid, isec->sid,
1987 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1988 if (rc)
1989 return rc;
1990 } else {
1991 /* Check permissions for the transition. */
1992 rc = avc_has_perm(tsec->sid, newsid,
1993 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1994 if (rc)
1995 return rc;
1996
1997 rc = avc_has_perm(newsid, isec->sid,
1998 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1999 if (rc)
2000 return rc;
2001
2002 /* Clear any possibly unsafe personality bits on exec: */
2003 current->personality &= ~PER_CLEAR_ON_SETID;
2004
2005 /* Set the security field to the new SID. */
2006 bsec->sid = newsid;
2007 }
2008
2009 bsec->set = 1;
2010 return 0;
2011 }
2012
2013 static int selinux_bprm_check_security (struct linux_binprm *bprm)
2014 {
2015 return secondary_ops->bprm_check_security(bprm);
2016 }
2017
2018
2019 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2020 {
2021 struct task_security_struct *tsec = current->security;
2022 int atsecure = 0;
2023
2024 if (tsec->osid != tsec->sid) {
2025 /* Enable secure mode for SIDs transitions unless
2026 the noatsecure permission is granted between
2027 the two SIDs, i.e. ahp returns 0. */
2028 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2029 SECCLASS_PROCESS,
2030 PROCESS__NOATSECURE, NULL);
2031 }
2032
2033 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2034 }
2035
2036 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2037 {
2038 kfree(bprm->security);
2039 bprm->security = NULL;
2040 }
2041
2042 extern struct vfsmount *selinuxfs_mount;
2043 extern struct dentry *selinux_null;
2044
2045 /* Derived from fs/exec.c:flush_old_files. */
2046 static inline void flush_unauthorized_files(struct files_struct * files)
2047 {
2048 struct avc_audit_data ad;
2049 struct file *file, *devnull = NULL;
2050 struct tty_struct *tty;
2051 struct fdtable *fdt;
2052 long j = -1;
2053 int drop_tty = 0;
2054
2055 mutex_lock(&tty_mutex);
2056 tty = get_current_tty();
2057 if (tty) {
2058 file_list_lock();
2059 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2060 if (file) {
2061 /* Revalidate access to controlling tty.
2062 Use inode_has_perm on the tty inode directly rather
2063 than using file_has_perm, as this particular open
2064 file may belong to another process and we are only
2065 interested in the inode-based check here. */
2066 struct inode *inode = file->f_path.dentry->d_inode;
2067 if (inode_has_perm(current, inode,
2068 FILE__READ | FILE__WRITE, NULL)) {
2069 drop_tty = 1;
2070 }
2071 }
2072 file_list_unlock();
2073 }
2074 mutex_unlock(&tty_mutex);
2075 /* Reset controlling tty. */
2076 if (drop_tty)
2077 no_tty();
2078
2079 /* Revalidate access to inherited open files. */
2080
2081 AVC_AUDIT_DATA_INIT(&ad,FS);
2082
2083 spin_lock(&files->file_lock);
2084 for (;;) {
2085 unsigned long set, i;
2086 int fd;
2087
2088 j++;
2089 i = j * __NFDBITS;
2090 fdt = files_fdtable(files);
2091 if (i >= fdt->max_fds)
2092 break;
2093 set = fdt->open_fds->fds_bits[j];
2094 if (!set)
2095 continue;
2096 spin_unlock(&files->file_lock);
2097 for ( ; set ; i++,set >>= 1) {
2098 if (set & 1) {
2099 file = fget(i);
2100 if (!file)
2101 continue;
2102 if (file_has_perm(current,
2103 file,
2104 file_to_av(file))) {
2105 sys_close(i);
2106 fd = get_unused_fd();
2107 if (fd != i) {
2108 if (fd >= 0)
2109 put_unused_fd(fd);
2110 fput(file);
2111 continue;
2112 }
2113 if (devnull) {
2114 get_file(devnull);
2115 } else {
2116 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2117 if (IS_ERR(devnull)) {
2118 devnull = NULL;
2119 put_unused_fd(fd);
2120 fput(file);
2121 continue;
2122 }
2123 }
2124 fd_install(fd, devnull);
2125 }
2126 fput(file);
2127 }
2128 }
2129 spin_lock(&files->file_lock);
2130
2131 }
2132 spin_unlock(&files->file_lock);
2133 }
2134
2135 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2136 {
2137 struct task_security_struct *tsec;
2138 struct bprm_security_struct *bsec;
2139 u32 sid;
2140 int rc;
2141
2142 secondary_ops->bprm_apply_creds(bprm, unsafe);
2143
2144 tsec = current->security;
2145
2146 bsec = bprm->security;
2147 sid = bsec->sid;
2148
2149 tsec->osid = tsec->sid;
2150 bsec->unsafe = 0;
2151 if (tsec->sid != sid) {
2152 /* Check for shared state. If not ok, leave SID
2153 unchanged and kill. */
2154 if (unsafe & LSM_UNSAFE_SHARE) {
2155 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2156 PROCESS__SHARE, NULL);
2157 if (rc) {
2158 bsec->unsafe = 1;
2159 return;
2160 }
2161 }
2162
2163 /* Check for ptracing, and update the task SID if ok.
2164 Otherwise, leave SID unchanged and kill. */
2165 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2166 struct task_struct *tracer;
2167 struct task_security_struct *sec;
2168 u32 ptsid = 0;
2169
2170 rcu_read_lock();
2171 tracer = task_tracer_task(current);
2172 if (likely(tracer != NULL)) {
2173 sec = tracer->security;
2174 ptsid = sec->sid;
2175 }
2176 rcu_read_unlock();
2177
2178 if (ptsid != 0) {
2179 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2180 PROCESS__PTRACE, NULL);
2181 if (rc) {
2182 bsec->unsafe = 1;
2183 return;
2184 }
2185 }
2186 }
2187 tsec->sid = sid;
2188 }
2189 }
2190
2191 /*
2192 * called after apply_creds without the task lock held
2193 */
2194 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2195 {
2196 struct task_security_struct *tsec;
2197 struct rlimit *rlim, *initrlim;
2198 struct itimerval itimer;
2199 struct bprm_security_struct *bsec;
2200 int rc, i;
2201
2202 tsec = current->security;
2203 bsec = bprm->security;
2204
2205 if (bsec->unsafe) {
2206 force_sig_specific(SIGKILL, current);
2207 return;
2208 }
2209 if (tsec->osid == tsec->sid)
2210 return;
2211
2212 /* Close files for which the new task SID is not authorized. */
2213 flush_unauthorized_files(current->files);
2214
2215 /* Check whether the new SID can inherit signal state
2216 from the old SID. If not, clear itimers to avoid
2217 subsequent signal generation and flush and unblock
2218 signals. This must occur _after_ the task SID has
2219 been updated so that any kill done after the flush
2220 will be checked against the new SID. */
2221 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2222 PROCESS__SIGINH, NULL);
2223 if (rc) {
2224 memset(&itimer, 0, sizeof itimer);
2225 for (i = 0; i < 3; i++)
2226 do_setitimer(i, &itimer, NULL);
2227 flush_signals(current);
2228 spin_lock_irq(&current->sighand->siglock);
2229 flush_signal_handlers(current, 1);
2230 sigemptyset(&current->blocked);
2231 recalc_sigpending();
2232 spin_unlock_irq(&current->sighand->siglock);
2233 }
2234
2235 /* Always clear parent death signal on SID transitions. */
2236 current->pdeath_signal = 0;
2237
2238 /* Check whether the new SID can inherit resource limits
2239 from the old SID. If not, reset all soft limits to
2240 the lower of the current task's hard limit and the init
2241 task's soft limit. Note that the setting of hard limits
2242 (even to lower them) can be controlled by the setrlimit
2243 check. The inclusion of the init task's soft limit into
2244 the computation is to avoid resetting soft limits higher
2245 than the default soft limit for cases where the default
2246 is lower than the hard limit, e.g. RLIMIT_CORE or
2247 RLIMIT_STACK.*/
2248 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2249 PROCESS__RLIMITINH, NULL);
2250 if (rc) {
2251 for (i = 0; i < RLIM_NLIMITS; i++) {
2252 rlim = current->signal->rlim + i;
2253 initrlim = init_task.signal->rlim+i;
2254 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2255 }
2256 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2257 /*
2258 * This will cause RLIMIT_CPU calculations
2259 * to be refigured.
2260 */
2261 current->it_prof_expires = jiffies_to_cputime(1);
2262 }
2263 }
2264
2265 /* Wake up the parent if it is waiting so that it can
2266 recheck wait permission to the new task SID. */
2267 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2268 }
2269
2270 /* superblock security operations */
2271
2272 static int selinux_sb_alloc_security(struct super_block *sb)
2273 {
2274 return superblock_alloc_security(sb);
2275 }
2276
2277 static void selinux_sb_free_security(struct super_block *sb)
2278 {
2279 superblock_free_security(sb);
2280 }
2281
2282 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2283 {
2284 if (plen > olen)
2285 return 0;
2286
2287 return !memcmp(prefix, option, plen);
2288 }
2289
2290 static inline int selinux_option(char *option, int len)
2291 {
2292 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2293 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2294 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2295 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2296 }
2297
2298 static inline void take_option(char **to, char *from, int *first, int len)
2299 {
2300 if (!*first) {
2301 **to = ',';
2302 *to += 1;
2303 } else
2304 *first = 0;
2305 memcpy(*to, from, len);
2306 *to += len;
2307 }
2308
2309 static inline void take_selinux_option(char **to, char *from, int *first,
2310 int len)
2311 {
2312 int current_size = 0;
2313
2314 if (!*first) {
2315 **to = '|';
2316 *to += 1;
2317 }
2318 else
2319 *first = 0;
2320
2321 while (current_size < len) {
2322 if (*from != '"') {
2323 **to = *from;
2324 *to += 1;
2325 }
2326 from += 1;
2327 current_size += 1;
2328 }
2329 }
2330
2331 static int selinux_sb_copy_data(char *orig, char *copy)
2332 {
2333 int fnosec, fsec, rc = 0;
2334 char *in_save, *in_curr, *in_end;
2335 char *sec_curr, *nosec_save, *nosec;
2336 int open_quote = 0;
2337
2338 in_curr = orig;
2339 sec_curr = copy;
2340
2341 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2342 if (!nosec) {
2343 rc = -ENOMEM;
2344 goto out;
2345 }
2346
2347 nosec_save = nosec;
2348 fnosec = fsec = 1;
2349 in_save = in_end = orig;
2350
2351 do {
2352 if (*in_end == '"')
2353 open_quote = !open_quote;
2354 if ((*in_end == ',' && open_quote == 0) ||
2355 *in_end == '\0') {
2356 int len = in_end - in_curr;
2357
2358 if (selinux_option(in_curr, len))
2359 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2360 else
2361 take_option(&nosec, in_curr, &fnosec, len);
2362
2363 in_curr = in_end + 1;
2364 }
2365 } while (*in_end++);
2366
2367 strcpy(in_save, nosec_save);
2368 free_page((unsigned long)nosec_save);
2369 out:
2370 return rc;
2371 }
2372
2373 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2374 {
2375 struct avc_audit_data ad;
2376 int rc;
2377
2378 rc = superblock_doinit(sb, data);
2379 if (rc)
2380 return rc;
2381
2382 AVC_AUDIT_DATA_INIT(&ad,FS);
2383 ad.u.fs.path.dentry = sb->s_root;
2384 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2385 }
2386
2387 static int selinux_sb_statfs(struct dentry *dentry)
2388 {
2389 struct avc_audit_data ad;
2390
2391 AVC_AUDIT_DATA_INIT(&ad,FS);
2392 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2393 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2394 }
2395
2396 static int selinux_mount(char * dev_name,
2397 struct nameidata *nd,
2398 char * type,
2399 unsigned long flags,
2400 void * data)
2401 {
2402 int rc;
2403
2404 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2405 if (rc)
2406 return rc;
2407
2408 if (flags & MS_REMOUNT)
2409 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2410 FILESYSTEM__REMOUNT, NULL);
2411 else
2412 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2413 FILE__MOUNTON);
2414 }
2415
2416 static int selinux_umount(struct vfsmount *mnt, int flags)
2417 {
2418 int rc;
2419
2420 rc = secondary_ops->sb_umount(mnt, flags);
2421 if (rc)
2422 return rc;
2423
2424 return superblock_has_perm(current,mnt->mnt_sb,
2425 FILESYSTEM__UNMOUNT,NULL);
2426 }
2427
2428 /* inode security operations */
2429
2430 static int selinux_inode_alloc_security(struct inode *inode)
2431 {
2432 return inode_alloc_security(inode);
2433 }
2434
2435 static void selinux_inode_free_security(struct inode *inode)
2436 {
2437 inode_free_security(inode);
2438 }
2439
2440 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2441 char **name, void **value,
2442 size_t *len)
2443 {
2444 struct task_security_struct *tsec;
2445 struct inode_security_struct *dsec;
2446 struct superblock_security_struct *sbsec;
2447 u32 newsid, clen;
2448 int rc;
2449 char *namep = NULL, *context;
2450
2451 tsec = current->security;
2452 dsec = dir->i_security;
2453 sbsec = dir->i_sb->s_security;
2454
2455 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2456 newsid = tsec->create_sid;
2457 } else {
2458 rc = security_transition_sid(tsec->sid, dsec->sid,
2459 inode_mode_to_security_class(inode->i_mode),
2460 &newsid);
2461 if (rc) {
2462 printk(KERN_WARNING "%s: "
2463 "security_transition_sid failed, rc=%d (dev=%s "
2464 "ino=%ld)\n",
2465 __func__,
2466 -rc, inode->i_sb->s_id, inode->i_ino);
2467 return rc;
2468 }
2469 }
2470
2471 /* Possibly defer initialization to selinux_complete_init. */
2472 if (sbsec->initialized) {
2473 struct inode_security_struct *isec = inode->i_security;
2474 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2475 isec->sid = newsid;
2476 isec->initialized = 1;
2477 }
2478
2479 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2480 return -EOPNOTSUPP;
2481
2482 if (name) {
2483 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2484 if (!namep)
2485 return -ENOMEM;
2486 *name = namep;
2487 }
2488
2489 if (value && len) {
2490 rc = security_sid_to_context(newsid, &context, &clen);
2491 if (rc) {
2492 kfree(namep);
2493 return rc;
2494 }
2495 *value = context;
2496 *len = clen;
2497 }
2498
2499 return 0;
2500 }
2501
2502 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2503 {
2504 return may_create(dir, dentry, SECCLASS_FILE);
2505 }
2506
2507 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2508 {
2509 int rc;
2510
2511 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2512 if (rc)
2513 return rc;
2514 return may_link(dir, old_dentry, MAY_LINK);
2515 }
2516
2517 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2518 {
2519 int rc;
2520
2521 rc = secondary_ops->inode_unlink(dir, dentry);
2522 if (rc)
2523 return rc;
2524 return may_link(dir, dentry, MAY_UNLINK);
2525 }
2526
2527 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2528 {
2529 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2530 }
2531
2532 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2533 {
2534 return may_create(dir, dentry, SECCLASS_DIR);
2535 }
2536
2537 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2538 {
2539 return may_link(dir, dentry, MAY_RMDIR);
2540 }
2541
2542 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2543 {
2544 int rc;
2545
2546 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2547 if (rc)
2548 return rc;
2549
2550 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2551 }
2552
2553 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2554 struct inode *new_inode, struct dentry *new_dentry)
2555 {
2556 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2557 }
2558
2559 static int selinux_inode_readlink(struct dentry *dentry)
2560 {
2561 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2562 }
2563
2564 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2565 {
2566 int rc;
2567
2568 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2569 if (rc)
2570 return rc;
2571 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2572 }
2573
2574 static int selinux_inode_permission(struct inode *inode, int mask,
2575 struct nameidata *nd)
2576 {
2577 int rc;
2578
2579 rc = secondary_ops->inode_permission(inode, mask, nd);
2580 if (rc)
2581 return rc;
2582
2583 if (!mask) {
2584 /* No permission to check. Existence test. */
2585 return 0;
2586 }
2587
2588 return inode_has_perm(current, inode,
2589 open_file_mask_to_av(inode->i_mode, mask), NULL);
2590 }
2591
2592 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2593 {
2594 int rc;
2595
2596 rc = secondary_ops->inode_setattr(dentry, iattr);
2597 if (rc)
2598 return rc;
2599
2600 if (iattr->ia_valid & ATTR_FORCE)
2601 return 0;
2602
2603 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2604 ATTR_ATIME_SET | ATTR_MTIME_SET))
2605 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2606
2607 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2608 }
2609
2610 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2611 {
2612 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2613 }
2614
2615 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2616 {
2617 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2618 sizeof XATTR_SECURITY_PREFIX - 1)) {
2619 if (!strcmp(name, XATTR_NAME_CAPS)) {
2620 if (!capable(CAP_SETFCAP))
2621 return -EPERM;
2622 } else if (!capable(CAP_SYS_ADMIN)) {
2623 /* A different attribute in the security namespace.
2624 Restrict to administrator. */
2625 return -EPERM;
2626 }
2627 }
2628
2629 /* Not an attribute we recognize, so just check the
2630 ordinary setattr permission. */
2631 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2632 }
2633
2634 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2635 {
2636 struct task_security_struct *tsec = current->security;
2637 struct inode *inode = dentry->d_inode;
2638 struct inode_security_struct *isec = inode->i_security;
2639 struct superblock_security_struct *sbsec;
2640 struct avc_audit_data ad;
2641 u32 newsid;
2642 int rc = 0;
2643
2644 if (strcmp(name, XATTR_NAME_SELINUX))
2645 return selinux_inode_setotherxattr(dentry, name);
2646
2647 sbsec = inode->i_sb->s_security;
2648 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2649 return -EOPNOTSUPP;
2650
2651 if (!is_owner_or_cap(inode))
2652 return -EPERM;
2653
2654 AVC_AUDIT_DATA_INIT(&ad,FS);
2655 ad.u.fs.path.dentry = dentry;
2656
2657 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2658 FILE__RELABELFROM, &ad);
2659 if (rc)
2660 return rc;
2661
2662 rc = security_context_to_sid(value, size, &newsid);
2663 if (rc)
2664 return rc;
2665
2666 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2667 FILE__RELABELTO, &ad);
2668 if (rc)
2669 return rc;
2670
2671 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2672 isec->sclass);
2673 if (rc)
2674 return rc;
2675
2676 return avc_has_perm(newsid,
2677 sbsec->sid,
2678 SECCLASS_FILESYSTEM,
2679 FILESYSTEM__ASSOCIATE,
2680 &ad);
2681 }
2682
2683 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2684 void *value, size_t size, int flags)
2685 {
2686 struct inode *inode = dentry->d_inode;
2687 struct inode_security_struct *isec = inode->i_security;
2688 u32 newsid;
2689 int rc;
2690
2691 if (strcmp(name, XATTR_NAME_SELINUX)) {
2692 /* Not an attribute we recognize, so nothing to do. */
2693 return;
2694 }
2695
2696 rc = security_context_to_sid(value, size, &newsid);
2697 if (rc) {
2698 printk(KERN_WARNING "%s: unable to obtain SID for context "
2699 "%s, rc=%d\n", __func__, (char *)value, -rc);
2700 return;
2701 }
2702
2703 isec->sid = newsid;
2704 return;
2705 }
2706
2707 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2708 {
2709 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2710 }
2711
2712 static int selinux_inode_listxattr (struct dentry *dentry)
2713 {
2714 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2715 }
2716
2717 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2718 {
2719 if (strcmp(name, XATTR_NAME_SELINUX))
2720 return selinux_inode_setotherxattr(dentry, name);
2721
2722 /* No one is allowed to remove a SELinux security label.
2723 You can change the label, but all data must be labeled. */
2724 return -EACCES;
2725 }
2726
2727 /*
2728 * Copy the in-core inode security context value to the user. If the
2729 * getxattr() prior to this succeeded, check to see if we need to
2730 * canonicalize the value to be finally returned to the user.
2731 *
2732 * Permission check is handled by selinux_inode_getxattr hook.
2733 */
2734 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2735 {
2736 u32 size;
2737 int error;
2738 char *context = NULL;
2739 struct inode_security_struct *isec = inode->i_security;
2740
2741 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2742 return -EOPNOTSUPP;
2743
2744 error = security_sid_to_context(isec->sid, &context, &size);
2745 if (error)
2746 return error;
2747 error = size;
2748 if (alloc) {
2749 *buffer = context;
2750 goto out_nofree;
2751 }
2752 kfree(context);
2753 out_nofree:
2754 return error;
2755 }
2756
2757 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2758 const void *value, size_t size, int flags)
2759 {
2760 struct inode_security_struct *isec = inode->i_security;
2761 u32 newsid;
2762 int rc;
2763
2764 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2765 return -EOPNOTSUPP;
2766
2767 if (!value || !size)
2768 return -EACCES;
2769
2770 rc = security_context_to_sid((void*)value, size, &newsid);
2771 if (rc)
2772 return rc;
2773
2774 isec->sid = newsid;
2775 return 0;
2776 }
2777
2778 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2779 {
2780 const int len = sizeof(XATTR_NAME_SELINUX);
2781 if (buffer && len <= buffer_size)
2782 memcpy(buffer, XATTR_NAME_SELINUX, len);
2783 return len;
2784 }
2785
2786 static int selinux_inode_need_killpriv(struct dentry *dentry)
2787 {
2788 return secondary_ops->inode_need_killpriv(dentry);
2789 }
2790
2791 static int selinux_inode_killpriv(struct dentry *dentry)
2792 {
2793 return secondary_ops->inode_killpriv(dentry);
2794 }
2795
2796 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2797 {
2798 struct inode_security_struct *isec = inode->i_security;
2799 *secid = isec->sid;
2800 }
2801
2802 /* file security operations */
2803
2804 static int selinux_revalidate_file_permission(struct file *file, int mask)
2805 {
2806 int rc;
2807 struct inode *inode = file->f_path.dentry->d_inode;
2808
2809 if (!mask) {
2810 /* No permission to check. Existence test. */
2811 return 0;
2812 }
2813
2814 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2815 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2816 mask |= MAY_APPEND;
2817
2818 rc = file_has_perm(current, file,
2819 file_mask_to_av(inode->i_mode, mask));
2820 if (rc)
2821 return rc;
2822
2823 return selinux_netlbl_inode_permission(inode, mask);
2824 }
2825
2826 static int selinux_file_permission(struct file *file, int mask)
2827 {
2828 struct inode *inode = file->f_path.dentry->d_inode;
2829 struct task_security_struct *tsec = current->security;
2830 struct file_security_struct *fsec = file->f_security;
2831 struct inode_security_struct *isec = inode->i_security;
2832
2833 if (!mask) {
2834 /* No permission to check. Existence test. */
2835 return 0;
2836 }
2837
2838 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2839 && fsec->pseqno == avc_policy_seqno())
2840 return selinux_netlbl_inode_permission(inode, mask);
2841
2842 return selinux_revalidate_file_permission(file, mask);
2843 }
2844
2845 static int selinux_file_alloc_security(struct file *file)
2846 {
2847 return file_alloc_security(file);
2848 }
2849
2850 static void selinux_file_free_security(struct file *file)
2851 {
2852 file_free_security(file);
2853 }
2854
2855 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2856 unsigned long arg)
2857 {
2858 int error = 0;
2859
2860 switch (cmd) {
2861 case FIONREAD:
2862 /* fall through */
2863 case FIBMAP:
2864 /* fall through */
2865 case FIGETBSZ:
2866 /* fall through */
2867 case EXT2_IOC_GETFLAGS:
2868 /* fall through */
2869 case EXT2_IOC_GETVERSION:
2870 error = file_has_perm(current, file, FILE__GETATTR);
2871 break;
2872
2873 case EXT2_IOC_SETFLAGS:
2874 /* fall through */
2875 case EXT2_IOC_SETVERSION:
2876 error = file_has_perm(current, file, FILE__SETATTR);
2877 break;
2878
2879 /* sys_ioctl() checks */
2880 case FIONBIO:
2881 /* fall through */
2882 case FIOASYNC:
2883 error = file_has_perm(current, file, 0);
2884 break;
2885
2886 case KDSKBENT:
2887 case KDSKBSENT:
2888 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2889 break;
2890
2891 /* default case assumes that the command will go
2892 * to the file's ioctl() function.
2893 */
2894 default:
2895 error = file_has_perm(current, file, FILE__IOCTL);
2896
2897 }
2898 return error;
2899 }
2900
2901 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2902 {
2903 #ifndef CONFIG_PPC32
2904 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2905 /*
2906 * We are making executable an anonymous mapping or a
2907 * private file mapping that will also be writable.
2908 * This has an additional check.
2909 */
2910 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2911 if (rc)
2912 return rc;
2913 }
2914 #endif
2915
2916 if (file) {
2917 /* read access is always possible with a mapping */
2918 u32 av = FILE__READ;
2919
2920 /* write access only matters if the mapping is shared */
2921 if (shared && (prot & PROT_WRITE))
2922 av |= FILE__WRITE;
2923
2924 if (prot & PROT_EXEC)
2925 av |= FILE__EXECUTE;
2926
2927 return file_has_perm(current, file, av);
2928 }
2929 return 0;
2930 }
2931
2932 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2933 unsigned long prot, unsigned long flags,
2934 unsigned long addr, unsigned long addr_only)
2935 {
2936 int rc = 0;
2937 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2938
2939 if (addr < mmap_min_addr)
2940 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2941 MEMPROTECT__MMAP_ZERO, NULL);
2942 if (rc || addr_only)
2943 return rc;
2944
2945 if (selinux_checkreqprot)
2946 prot = reqprot;
2947
2948 return file_map_prot_check(file, prot,
2949 (flags & MAP_TYPE) == MAP_SHARED);
2950 }
2951
2952 static int selinux_file_mprotect(struct vm_area_struct *vma,
2953 unsigned long reqprot,
2954 unsigned long prot)
2955 {
2956 int rc;
2957
2958 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2959 if (rc)
2960 return rc;
2961
2962 if (selinux_checkreqprot)
2963 prot = reqprot;
2964
2965 #ifndef CONFIG_PPC32
2966 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2967 rc = 0;
2968 if (vma->vm_start >= vma->vm_mm->start_brk &&
2969 vma->vm_end <= vma->vm_mm->brk) {
2970 rc = task_has_perm(current, current,
2971 PROCESS__EXECHEAP);
2972 } else if (!vma->vm_file &&
2973 vma->vm_start <= vma->vm_mm->start_stack &&
2974 vma->vm_end >= vma->vm_mm->start_stack) {
2975 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2976 } else if (vma->vm_file && vma->anon_vma) {
2977 /*
2978 * We are making executable a file mapping that has
2979 * had some COW done. Since pages might have been
2980 * written, check ability to execute the possibly
2981 * modified content. This typically should only
2982 * occur for text relocations.
2983 */
2984 rc = file_has_perm(current, vma->vm_file,
2985 FILE__EXECMOD);
2986 }
2987 if (rc)
2988 return rc;
2989 }
2990 #endif
2991
2992 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2993 }
2994
2995 static int selinux_file_lock(struct file *file, unsigned int cmd)
2996 {
2997 return file_has_perm(current, file, FILE__LOCK);
2998 }
2999
3000 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3001 unsigned long arg)
3002 {
3003 int err = 0;
3004
3005 switch (cmd) {
3006 case F_SETFL:
3007 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3008 err = -EINVAL;
3009 break;
3010 }
3011
3012 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3013 err = file_has_perm(current, file,FILE__WRITE);
3014 break;
3015 }
3016 /* fall through */
3017 case F_SETOWN:
3018 case F_SETSIG:
3019 case F_GETFL:
3020 case F_GETOWN:
3021 case F_GETSIG:
3022 /* Just check FD__USE permission */
3023 err = file_has_perm(current, file, 0);
3024 break;
3025 case F_GETLK:
3026 case F_SETLK:
3027 case F_SETLKW:
3028 #if BITS_PER_LONG == 32
3029 case F_GETLK64:
3030 case F_SETLK64:
3031 case F_SETLKW64:
3032 #endif
3033 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3034 err = -EINVAL;
3035 break;
3036 }
3037 err = file_has_perm(current, file, FILE__LOCK);
3038 break;
3039 }
3040
3041 return err;
3042 }
3043
3044 static int selinux_file_set_fowner(struct file *file)
3045 {
3046 struct task_security_struct *tsec;
3047 struct file_security_struct *fsec;
3048
3049 tsec = current->security;
3050 fsec = file->f_security;
3051 fsec->fown_sid = tsec->sid;
3052
3053 return 0;
3054 }
3055
3056 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3057 struct fown_struct *fown, int signum)
3058 {
3059 struct file *file;
3060 u32 perm;
3061 struct task_security_struct *tsec;
3062 struct file_security_struct *fsec;
3063
3064 /* struct fown_struct is never outside the context of a struct file */
3065 file = container_of(fown, struct file, f_owner);
3066
3067 tsec = tsk->security;
3068 fsec = file->f_security;
3069
3070 if (!signum)
3071 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3072 else
3073 perm = signal_to_av(signum);
3074
3075 return avc_has_perm(fsec->fown_sid, tsec->sid,
3076 SECCLASS_PROCESS, perm, NULL);
3077 }
3078
3079 static int selinux_file_receive(struct file *file)
3080 {
3081 return file_has_perm(current, file, file_to_av(file));
3082 }
3083
3084 static int selinux_dentry_open(struct file *file)
3085 {
3086 struct file_security_struct *fsec;
3087 struct inode *inode;
3088 struct inode_security_struct *isec;
3089 inode = file->f_path.dentry->d_inode;
3090 fsec = file->f_security;
3091 isec = inode->i_security;
3092 /*
3093 * Save inode label and policy sequence number
3094 * at open-time so that selinux_file_permission
3095 * can determine whether revalidation is necessary.
3096 * Task label is already saved in the file security
3097 * struct as its SID.
3098 */
3099 fsec->isid = isec->sid;
3100 fsec->pseqno = avc_policy_seqno();
3101 /*
3102 * Since the inode label or policy seqno may have changed
3103 * between the selinux_inode_permission check and the saving
3104 * of state above, recheck that access is still permitted.
3105 * Otherwise, access might never be revalidated against the
3106 * new inode label or new policy.
3107 * This check is not redundant - do not remove.
3108 */
3109 return inode_has_perm(current, inode, file_to_av(file), NULL);
3110 }
3111
3112 /* task security operations */
3113
3114 static int selinux_task_create(unsigned long clone_flags)
3115 {
3116 int rc;
3117
3118 rc = secondary_ops->task_create(clone_flags);
3119 if (rc)
3120 return rc;
3121
3122 return task_has_perm(current, current, PROCESS__FORK);
3123 }
3124
3125 static int selinux_task_alloc_security(struct task_struct *tsk)
3126 {
3127 struct task_security_struct *tsec1, *tsec2;
3128 int rc;
3129
3130 tsec1 = current->security;
3131
3132 rc = task_alloc_security(tsk);
3133 if (rc)
3134 return rc;
3135 tsec2 = tsk->security;
3136
3137 tsec2->osid = tsec1->osid;
3138 tsec2->sid = tsec1->sid;
3139
3140 /* Retain the exec, fs, key, and sock SIDs across fork */
3141 tsec2->exec_sid = tsec1->exec_sid;
3142 tsec2->create_sid = tsec1->create_sid;
3143 tsec2->keycreate_sid = tsec1->keycreate_sid;
3144 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3145
3146 return 0;
3147 }
3148
3149 static void selinux_task_free_security(struct task_struct *tsk)
3150 {
3151 task_free_security(tsk);
3152 }
3153
3154 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3155 {
3156 /* Since setuid only affects the current process, and
3157 since the SELinux controls are not based on the Linux
3158 identity attributes, SELinux does not need to control
3159 this operation. However, SELinux does control the use
3160 of the CAP_SETUID and CAP_SETGID capabilities using the
3161 capable hook. */
3162 return 0;
3163 }
3164
3165 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3166 {
3167 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3168 }
3169
3170 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3171 {
3172 /* See the comment for setuid above. */
3173 return 0;
3174 }
3175
3176 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3177 {
3178 return task_has_perm(current, p, PROCESS__SETPGID);
3179 }
3180
3181 static int selinux_task_getpgid(struct task_struct *p)
3182 {
3183 return task_has_perm(current, p, PROCESS__GETPGID);
3184 }
3185
3186 static int selinux_task_getsid(struct task_struct *p)
3187 {
3188 return task_has_perm(current, p, PROCESS__GETSESSION);
3189 }
3190
3191 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3192 {
3193 struct task_security_struct *tsec = p->security;
3194 *secid = tsec->sid;
3195 }
3196
3197 static int selinux_task_setgroups(struct group_info *group_info)
3198 {
3199 /* See the comment for setuid above. */
3200 return 0;
3201 }
3202
3203 static int selinux_task_setnice(struct task_struct *p, int nice)
3204 {
3205 int rc;
3206
3207 rc = secondary_ops->task_setnice(p, nice);
3208 if (rc)
3209 return rc;
3210
3211 return task_has_perm(current,p, PROCESS__SETSCHED);
3212 }
3213
3214 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3215 {
3216 int rc;
3217
3218 rc = secondary_ops->task_setioprio(p, ioprio);
3219 if (rc)
3220 return rc;
3221
3222 return task_has_perm(current, p, PROCESS__SETSCHED);
3223 }
3224
3225 static int selinux_task_getioprio(struct task_struct *p)
3226 {
3227 return task_has_perm(current, p, PROCESS__GETSCHED);
3228 }
3229
3230 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3231 {
3232 struct rlimit *old_rlim = current->signal->rlim + resource;
3233 int rc;
3234
3235 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3236 if (rc)
3237 return rc;
3238
3239 /* Control the ability to change the hard limit (whether
3240 lowering or raising it), so that the hard limit can
3241 later be used as a safe reset point for the soft limit
3242 upon context transitions. See selinux_bprm_apply_creds. */
3243 if (old_rlim->rlim_max != new_rlim->rlim_max)
3244 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3245
3246 return 0;
3247 }
3248
3249 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3250 {
3251 int rc;
3252
3253 rc = secondary_ops->task_setscheduler(p, policy, lp);
3254 if (rc)
3255 return rc;
3256
3257 return task_has_perm(current, p, PROCESS__SETSCHED);
3258 }
3259
3260 static int selinux_task_getscheduler(struct task_struct *p)
3261 {
3262 return task_has_perm(current, p, PROCESS__GETSCHED);
3263 }
3264
3265 static int selinux_task_movememory(struct task_struct *p)
3266 {
3267 return task_has_perm(current, p, PROCESS__SETSCHED);
3268 }
3269
3270 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3271 int sig, u32 secid)
3272 {
3273 u32 perm;
3274 int rc;
3275 struct task_security_struct *tsec;
3276
3277 rc = secondary_ops->task_kill(p, info, sig, secid);
3278 if (rc)
3279 return rc;
3280
3281 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3282 return 0;
3283
3284 if (!sig)
3285 perm = PROCESS__SIGNULL; /* null signal; existence test */
3286 else
3287 perm = signal_to_av(sig);
3288 tsec = p->security;
3289 if (secid)
3290 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3291 else
3292 rc = task_has_perm(current, p, perm);
3293 return rc;
3294 }
3295
3296 static int selinux_task_prctl(int option,
3297 unsigned long arg2,
3298 unsigned long arg3,
3299 unsigned long arg4,
3300 unsigned long arg5)
3301 {
3302 /* The current prctl operations do not appear to require
3303 any SELinux controls since they merely observe or modify
3304 the state of the current process. */
3305 return 0;
3306 }
3307
3308 static int selinux_task_wait(struct task_struct *p)
3309 {
3310 return task_has_perm(p, current, PROCESS__SIGCHLD);
3311 }
3312
3313 static void selinux_task_reparent_to_init(struct task_struct *p)
3314 {
3315 struct task_security_struct *tsec;
3316
3317 secondary_ops->task_reparent_to_init(p);
3318
3319 tsec = p->security;
3320 tsec->osid = tsec->sid;
3321 tsec->sid = SECINITSID_KERNEL;
3322 return;
3323 }
3324
3325 static void selinux_task_to_inode(struct task_struct *p,
3326 struct inode *inode)
3327 {
3328 struct task_security_struct *tsec = p->security;
3329 struct inode_security_struct *isec = inode->i_security;
3330
3331 isec->sid = tsec->sid;
3332 isec->initialized = 1;
3333 return;
3334 }
3335
3336 /* Returns error only if unable to parse addresses */
3337 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3338 struct avc_audit_data *ad, u8 *proto)
3339 {
3340 int offset, ihlen, ret = -EINVAL;
3341 struct iphdr _iph, *ih;
3342
3343 offset = skb_network_offset(skb);
3344 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3345 if (ih == NULL)
3346 goto out;
3347
3348 ihlen = ih->ihl * 4;
3349 if (ihlen < sizeof(_iph))
3350 goto out;
3351
3352 ad->u.net.v4info.saddr = ih->saddr;
3353 ad->u.net.v4info.daddr = ih->daddr;
3354 ret = 0;
3355
3356 if (proto)
3357 *proto = ih->protocol;
3358
3359 switch (ih->protocol) {
3360 case IPPROTO_TCP: {
3361 struct tcphdr _tcph, *th;
3362
3363 if (ntohs(ih->frag_off) & IP_OFFSET)
3364 break;
3365
3366 offset += ihlen;
3367 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3368 if (th == NULL)
3369 break;
3370
3371 ad->u.net.sport = th->source;
3372 ad->u.net.dport = th->dest;
3373 break;
3374 }
3375
3376 case IPPROTO_UDP: {
3377 struct udphdr _udph, *uh;
3378
3379 if (ntohs(ih->frag_off) & IP_OFFSET)
3380 break;
3381
3382 offset += ihlen;
3383 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3384 if (uh == NULL)
3385 break;
3386
3387 ad->u.net.sport = uh->source;
3388 ad->u.net.dport = uh->dest;
3389 break;
3390 }
3391
3392 case IPPROTO_DCCP: {
3393 struct dccp_hdr _dccph, *dh;
3394
3395 if (ntohs(ih->frag_off) & IP_OFFSET)
3396 break;
3397
3398 offset += ihlen;
3399 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3400 if (dh == NULL)
3401 break;
3402
3403 ad->u.net.sport = dh->dccph_sport;
3404 ad->u.net.dport = dh->dccph_dport;
3405 break;
3406 }
3407
3408 default:
3409 break;
3410 }
3411 out:
3412 return ret;
3413 }
3414
3415 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3416
3417 /* Returns error only if unable to parse addresses */
3418 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3419 struct avc_audit_data *ad, u8 *proto)
3420 {
3421 u8 nexthdr;
3422 int ret = -EINVAL, offset;
3423 struct ipv6hdr _ipv6h, *ip6;
3424
3425 offset = skb_network_offset(skb);
3426 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3427 if (ip6 == NULL)
3428 goto out;
3429
3430 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3431 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3432 ret = 0;
3433
3434 nexthdr = ip6->nexthdr;
3435 offset += sizeof(_ipv6h);
3436 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3437 if (offset < 0)
3438 goto out;
3439
3440 if (proto)
3441 *proto = nexthdr;
3442
3443 switch (nexthdr) {
3444 case IPPROTO_TCP: {
3445 struct tcphdr _tcph, *th;
3446
3447 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3448 if (th == NULL)
3449 break;
3450
3451 ad->u.net.sport = th->source;
3452 ad->u.net.dport = th->dest;
3453 break;
3454 }
3455
3456 case IPPROTO_UDP: {
3457 struct udphdr _udph, *uh;
3458
3459 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3460 if (uh == NULL)
3461 break;
3462
3463 ad->u.net.sport = uh->source;
3464 ad->u.net.dport = uh->dest;
3465 break;
3466 }
3467
3468 case IPPROTO_DCCP: {
3469 struct dccp_hdr _dccph, *dh;
3470
3471 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3472 if (dh == NULL)
3473 break;
3474
3475 ad->u.net.sport = dh->dccph_sport;
3476 ad->u.net.dport = dh->dccph_dport;
3477 break;
3478 }
3479
3480 /* includes fragments */
3481 default:
3482 break;
3483 }
3484 out:
3485 return ret;
3486 }
3487
3488 #endif /* IPV6 */
3489
3490 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3491 char **addrp, int src, u8 *proto)
3492 {
3493 int ret = 0;
3494
3495 switch (ad->u.net.family) {
3496 case PF_INET:
3497 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3498 if (ret || !addrp)
3499 break;
3500 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3501 &ad->u.net.v4info.daddr);
3502 break;
3503
3504 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3505 case PF_INET6:
3506 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3507 if (ret || !addrp)
3508 break;
3509 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3510 &ad->u.net.v6info.daddr);
3511 break;
3512 #endif /* IPV6 */
3513 default:
3514 break;
3515 }
3516
3517 if (unlikely(ret))
3518 printk(KERN_WARNING
3519 "SELinux: failure in selinux_parse_skb(),"
3520 " unable to parse packet\n");
3521
3522 return ret;
3523 }
3524
3525 /**
3526 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3527 * @skb: the packet
3528 * @family: protocol family
3529 * @sid: the packet's peer label SID
3530 *
3531 * Description:
3532 * Check the various different forms of network peer labeling and determine
3533 * the peer label/SID for the packet; most of the magic actually occurs in
3534 * the security server function security_net_peersid_cmp(). The function
3535 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3536 * or -EACCES if @sid is invalid due to inconsistencies with the different
3537 * peer labels.
3538 *
3539 */
3540 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3541 {
3542 int err;
3543 u32 xfrm_sid;
3544 u32 nlbl_sid;
3545 u32 nlbl_type;
3546
3547 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3548 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3549
3550 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3551 if (unlikely(err)) {
3552 printk(KERN_WARNING
3553 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3554 " unable to determine packet's peer label\n");
3555 return -EACCES;
3556 }
3557
3558 return 0;
3559 }
3560
3561 /* socket security operations */
3562 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3563 u32 perms)
3564 {
3565 struct inode_security_struct *isec;
3566 struct task_security_struct *tsec;
3567 struct avc_audit_data ad;
3568 int err = 0;
3569
3570 tsec = task->security;
3571 isec = SOCK_INODE(sock)->i_security;
3572
3573 if (isec->sid == SECINITSID_KERNEL)
3574 goto out;
3575
3576 AVC_AUDIT_DATA_INIT(&ad,NET);
3577 ad.u.net.sk = sock->sk;
3578 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3579
3580 out:
3581 return err;
3582 }
3583
3584 static int selinux_socket_create(int family, int type,
3585 int protocol, int kern)
3586 {
3587 int err = 0;
3588 struct task_security_struct *tsec;
3589 u32 newsid;
3590
3591 if (kern)
3592 goto out;
3593
3594 tsec = current->security;
3595 newsid = tsec->sockcreate_sid ? : tsec->sid;
3596 err = avc_has_perm(tsec->sid, newsid,
3597 socket_type_to_security_class(family, type,
3598 protocol), SOCKET__CREATE, NULL);
3599
3600 out:
3601 return err;
3602 }
3603
3604 static int selinux_socket_post_create(struct socket *sock, int family,
3605 int type, int protocol, int kern)
3606 {
3607 int err = 0;
3608 struct inode_security_struct *isec;
3609 struct task_security_struct *tsec;
3610 struct sk_security_struct *sksec;
3611 u32 newsid;
3612
3613 isec = SOCK_INODE(sock)->i_security;
3614
3615 tsec = current->security;
3616 newsid = tsec->sockcreate_sid ? : tsec->sid;
3617 isec->sclass = socket_type_to_security_class(family, type, protocol);
3618 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3619 isec->initialized = 1;
3620
3621 if (sock->sk) {
3622 sksec = sock->sk->sk_security;
3623 sksec->sid = isec->sid;
3624 sksec->sclass = isec->sclass;
3625 err = selinux_netlbl_socket_post_create(sock);
3626 }
3627
3628 return err;
3629 }
3630
3631 /* Range of port numbers used to automatically bind.
3632 Need to determine whether we should perform a name_bind
3633 permission check between the socket and the port number. */
3634
3635 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3636 {
3637 u16 family;
3638 int err;
3639
3640 err = socket_has_perm(current, sock, SOCKET__BIND);
3641 if (err)
3642 goto out;
3643
3644 /*
3645 * If PF_INET or PF_INET6, check name_bind permission for the port.
3646 * Multiple address binding for SCTP is not supported yet: we just
3647 * check the first address now.
3648 */
3649 family = sock->sk->sk_family;
3650 if (family == PF_INET || family == PF_INET6) {
3651 char *addrp;
3652 struct inode_security_struct *isec;
3653 struct task_security_struct *tsec;
3654 struct avc_audit_data ad;
3655 struct sockaddr_in *addr4 = NULL;
3656 struct sockaddr_in6 *addr6 = NULL;
3657 unsigned short snum;
3658 struct sock *sk = sock->sk;
3659 u32 sid, node_perm, addrlen;
3660
3661 tsec = current->security;
3662 isec = SOCK_INODE(sock)->i_security;
3663
3664 if (family == PF_INET) {
3665 addr4 = (struct sockaddr_in *)address;
3666 snum = ntohs(addr4->sin_port);
3667 addrlen = sizeof(addr4->sin_addr.s_addr);
3668 addrp = (char *)&addr4->sin_addr.s_addr;
3669 } else {
3670 addr6 = (struct sockaddr_in6 *)address;
3671 snum = ntohs(addr6->sin6_port);
3672 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3673 addrp = (char *)&addr6->sin6_addr.s6_addr;
3674 }
3675
3676 if (snum) {
3677 int low, high;
3678
3679 inet_get_local_port_range(&low, &high);
3680
3681 if (snum < max(PROT_SOCK, low) || snum > high) {
3682 err = sel_netport_sid(sk->sk_protocol,
3683 snum, &sid);
3684 if (err)
3685 goto out;
3686 AVC_AUDIT_DATA_INIT(&ad,NET);
3687 ad.u.net.sport = htons(snum);
3688 ad.u.net.family = family;
3689 err = avc_has_perm(isec->sid, sid,
3690 isec->sclass,
3691 SOCKET__NAME_BIND, &ad);
3692 if (err)
3693 goto out;
3694 }
3695 }
3696
3697 switch(isec->sclass) {
3698 case SECCLASS_TCP_SOCKET:
3699 node_perm = TCP_SOCKET__NODE_BIND;
3700 break;
3701
3702 case SECCLASS_UDP_SOCKET:
3703 node_perm = UDP_SOCKET__NODE_BIND;
3704 break;
3705
3706 case SECCLASS_DCCP_SOCKET:
3707 node_perm = DCCP_SOCKET__NODE_BIND;
3708 break;
3709
3710 default:
3711 node_perm = RAWIP_SOCKET__NODE_BIND;
3712 break;
3713 }
3714
3715 err = sel_netnode_sid(addrp, family, &sid);
3716 if (err)
3717 goto out;
3718
3719 AVC_AUDIT_DATA_INIT(&ad,NET);
3720 ad.u.net.sport = htons(snum);
3721 ad.u.net.family = family;
3722
3723 if (family == PF_INET)
3724 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3725 else
3726 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3727
3728 err = avc_has_perm(isec->sid, sid,
3729 isec->sclass, node_perm, &ad);
3730 if (err)
3731 goto out;
3732 }
3733 out:
3734 return err;
3735 }
3736
3737 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3738 {
3739 struct inode_security_struct *isec;
3740 int err;
3741
3742 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3743 if (err)
3744 return err;
3745
3746 /*
3747 * If a TCP or DCCP socket, check name_connect permission for the port.
3748 */
3749 isec = SOCK_INODE(sock)->i_security;
3750 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3751 isec->sclass == SECCLASS_DCCP_SOCKET) {
3752 struct sock *sk = sock->sk;
3753 struct avc_audit_data ad;
3754 struct sockaddr_in *addr4 = NULL;
3755 struct sockaddr_in6 *addr6 = NULL;
3756 unsigned short snum;
3757 u32 sid, perm;
3758
3759 if (sk->sk_family == PF_INET) {
3760 addr4 = (struct sockaddr_in *)address;
3761 if (addrlen < sizeof(struct sockaddr_in))
3762 return -EINVAL;
3763 snum = ntohs(addr4->sin_port);
3764 } else {
3765 addr6 = (struct sockaddr_in6 *)address;
3766 if (addrlen < SIN6_LEN_RFC2133)
3767 return -EINVAL;
3768 snum = ntohs(addr6->sin6_port);
3769 }
3770
3771 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3772 if (err)
3773 goto out;
3774
3775 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3776 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3777
3778 AVC_AUDIT_DATA_INIT(&ad,NET);
3779 ad.u.net.dport = htons(snum);
3780 ad.u.net.family = sk->sk_family;
3781 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3782 if (err)
3783 goto out;
3784 }
3785
3786 out:
3787 return err;
3788 }
3789
3790 static int selinux_socket_listen(struct socket *sock, int backlog)
3791 {
3792 return socket_has_perm(current, sock, SOCKET__LISTEN);
3793 }
3794
3795 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3796 {
3797 int err;
3798 struct inode_security_struct *isec;
3799 struct inode_security_struct *newisec;
3800
3801 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3802 if (err)
3803 return err;
3804
3805 newisec = SOCK_INODE(newsock)->i_security;
3806
3807 isec = SOCK_INODE(sock)->i_security;
3808 newisec->sclass = isec->sclass;
3809 newisec->sid = isec->sid;
3810 newisec->initialized = 1;
3811
3812 return 0;
3813 }
3814
3815 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3816 int size)
3817 {
3818 int rc;
3819
3820 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3821 if (rc)
3822 return rc;
3823
3824 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3825 }
3826
3827 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3828 int size, int flags)
3829 {
3830 return socket_has_perm(current, sock, SOCKET__READ);
3831 }
3832
3833 static int selinux_socket_getsockname(struct socket *sock)
3834 {
3835 return socket_has_perm(current, sock, SOCKET__GETATTR);
3836 }
3837
3838 static int selinux_socket_getpeername(struct socket *sock)
3839 {
3840 return socket_has_perm(current, sock, SOCKET__GETATTR);
3841 }
3842
3843 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3844 {
3845 int err;
3846
3847 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3848 if (err)
3849 return err;
3850
3851 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3852 }
3853
3854 static int selinux_socket_getsockopt(struct socket *sock, int level,
3855 int optname)
3856 {
3857 return socket_has_perm(current, sock, SOCKET__GETOPT);
3858 }
3859
3860 static int selinux_socket_shutdown(struct socket *sock, int how)
3861 {
3862 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3863 }
3864
3865 static int selinux_socket_unix_stream_connect(struct socket *sock,
3866 struct socket *other,
3867 struct sock *newsk)
3868 {
3869 struct sk_security_struct *ssec;
3870 struct inode_security_struct *isec;
3871 struct inode_security_struct *other_isec;
3872 struct avc_audit_data ad;
3873 int err;
3874
3875 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3876 if (err)
3877 return err;
3878
3879 isec = SOCK_INODE(sock)->i_security;
3880 other_isec = SOCK_INODE(other)->i_security;
3881
3882 AVC_AUDIT_DATA_INIT(&ad,NET);
3883 ad.u.net.sk = other->sk;
3884
3885 err = avc_has_perm(isec->sid, other_isec->sid,
3886 isec->sclass,
3887 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3888 if (err)
3889 return err;
3890
3891 /* connecting socket */
3892 ssec = sock->sk->sk_security;
3893 ssec->peer_sid = other_isec->sid;
3894
3895 /* server child socket */
3896 ssec = newsk->sk_security;
3897 ssec->peer_sid = isec->sid;
3898 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3899
3900 return err;
3901 }
3902
3903 static int selinux_socket_unix_may_send(struct socket *sock,
3904 struct socket *other)
3905 {
3906 struct inode_security_struct *isec;
3907 struct inode_security_struct *other_isec;
3908 struct avc_audit_data ad;
3909 int err;
3910
3911 isec = SOCK_INODE(sock)->i_security;
3912 other_isec = SOCK_INODE(other)->i_security;
3913
3914 AVC_AUDIT_DATA_INIT(&ad,NET);
3915 ad.u.net.sk = other->sk;
3916
3917 err = avc_has_perm(isec->sid, other_isec->sid,
3918 isec->sclass, SOCKET__SENDTO, &ad);
3919 if (err)
3920 return err;
3921
3922 return 0;
3923 }
3924
3925 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3926 u32 peer_sid,
3927 struct avc_audit_data *ad)
3928 {
3929 int err;
3930 u32 if_sid;
3931 u32 node_sid;
3932
3933 err = sel_netif_sid(ifindex, &if_sid);
3934 if (err)
3935 return err;
3936 err = avc_has_perm(peer_sid, if_sid,
3937 SECCLASS_NETIF, NETIF__INGRESS, ad);
3938 if (err)
3939 return err;
3940
3941 err = sel_netnode_sid(addrp, family, &node_sid);
3942 if (err)
3943 return err;
3944 return avc_has_perm(peer_sid, node_sid,
3945 SECCLASS_NODE, NODE__RECVFROM, ad);
3946 }
3947
3948 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3949 struct sk_buff *skb,
3950 struct avc_audit_data *ad,
3951 u16 family,
3952 char *addrp)
3953 {
3954 int err;
3955 struct sk_security_struct *sksec = sk->sk_security;
3956 u16 sk_class;
3957 u32 netif_perm, node_perm, recv_perm;
3958 u32 port_sid, node_sid, if_sid, sk_sid;
3959
3960 sk_sid = sksec->sid;
3961 sk_class = sksec->sclass;
3962
3963 switch (sk_class) {
3964 case SECCLASS_UDP_SOCKET:
3965 netif_perm = NETIF__UDP_RECV;
3966 node_perm = NODE__UDP_RECV;
3967 recv_perm = UDP_SOCKET__RECV_MSG;
3968 break;
3969 case SECCLASS_TCP_SOCKET:
3970 netif_perm = NETIF__TCP_RECV;
3971 node_perm = NODE__TCP_RECV;
3972 recv_perm = TCP_SOCKET__RECV_MSG;
3973 break;
3974 case SECCLASS_DCCP_SOCKET:
3975 netif_perm = NETIF__DCCP_RECV;
3976 node_perm = NODE__DCCP_RECV;
3977 recv_perm = DCCP_SOCKET__RECV_MSG;
3978 break;
3979 default:
3980 netif_perm = NETIF__RAWIP_RECV;
3981 node_perm = NODE__RAWIP_RECV;
3982 recv_perm = 0;
3983 break;
3984 }
3985
3986 err = sel_netif_sid(skb->iif, &if_sid);
3987 if (err)
3988 return err;
3989 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3990 if (err)
3991 return err;
3992
3993 err = sel_netnode_sid(addrp, family, &node_sid);
3994 if (err)
3995 return err;
3996 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3997 if (err)
3998 return err;
3999
4000 if (!recv_perm)
4001 return 0;
4002 err = sel_netport_sid(sk->sk_protocol,
4003 ntohs(ad->u.net.sport), &port_sid);
4004 if (unlikely(err)) {
4005 printk(KERN_WARNING
4006 "SELinux: failure in"
4007 " selinux_sock_rcv_skb_iptables_compat(),"
4008 " network port label not found\n");
4009 return err;
4010 }
4011 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4012 }
4013
4014 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4015 struct avc_audit_data *ad,
4016 u16 family, char *addrp)
4017 {
4018 int err;
4019 struct sk_security_struct *sksec = sk->sk_security;
4020 u32 peer_sid;
4021 u32 sk_sid = sksec->sid;
4022
4023 if (selinux_compat_net)
4024 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4025 family, addrp);
4026 else
4027 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4028 PACKET__RECV, ad);
4029 if (err)
4030 return err;
4031
4032 if (selinux_policycap_netpeer) {
4033 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4034 if (err)
4035 return err;
4036 err = avc_has_perm(sk_sid, peer_sid,
4037 SECCLASS_PEER, PEER__RECV, ad);
4038 } else {
4039 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4040 if (err)
4041 return err;
4042 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4043 }
4044
4045 return err;
4046 }
4047
4048 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4049 {
4050 int err;
4051 struct sk_security_struct *sksec = sk->sk_security;
4052 u16 family = sk->sk_family;
4053 u32 sk_sid = sksec->sid;
4054 struct avc_audit_data ad;
4055 char *addrp;
4056
4057 if (family != PF_INET && family != PF_INET6)
4058 return 0;
4059
4060 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4061 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4062 family = PF_INET;
4063
4064 AVC_AUDIT_DATA_INIT(&ad, NET);
4065 ad.u.net.netif = skb->iif;
4066 ad.u.net.family = family;
4067 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4068 if (err)
4069 return err;
4070
4071 /* If any sort of compatibility mode is enabled then handoff processing
4072 * to the selinux_sock_rcv_skb_compat() function to deal with the
4073 * special handling. We do this in an attempt to keep this function
4074 * as fast and as clean as possible. */
4075 if (selinux_compat_net || !selinux_policycap_netpeer)
4076 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4077 family, addrp);
4078
4079 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4080 u32 peer_sid;
4081
4082 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4083 if (err)
4084 return err;
4085 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4086 peer_sid, &ad);
4087 if (err)
4088 return err;
4089 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4090 PEER__RECV, &ad);
4091 }
4092
4093 if (selinux_secmark_enabled()) {
4094 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4095 PACKET__RECV, &ad);
4096 if (err)
4097 return err;
4098 }
4099
4100 return err;
4101 }
4102
4103 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4104 int __user *optlen, unsigned len)
4105 {
4106 int err = 0;
4107 char *scontext;
4108 u32 scontext_len;
4109 struct sk_security_struct *ssec;
4110 struct inode_security_struct *isec;
4111 u32 peer_sid = SECSID_NULL;
4112
4113 isec = SOCK_INODE(sock)->i_security;
4114
4115 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4116 isec->sclass == SECCLASS_TCP_SOCKET) {
4117 ssec = sock->sk->sk_security;
4118 peer_sid = ssec->peer_sid;
4119 }
4120 if (peer_sid == SECSID_NULL) {
4121 err = -ENOPROTOOPT;
4122 goto out;
4123 }
4124
4125 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4126
4127 if (err)
4128 goto out;
4129
4130 if (scontext_len > len) {
4131 err = -ERANGE;
4132 goto out_len;
4133 }
4134
4135 if (copy_to_user(optval, scontext, scontext_len))
4136 err = -EFAULT;
4137
4138 out_len:
4139 if (put_user(scontext_len, optlen))
4140 err = -EFAULT;
4141
4142 kfree(scontext);
4143 out:
4144 return err;
4145 }
4146
4147 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4148 {
4149 u32 peer_secid = SECSID_NULL;
4150 u16 family;
4151
4152 if (sock)
4153 family = sock->sk->sk_family;
4154 else if (skb && skb->sk)
4155 family = skb->sk->sk_family;
4156 else
4157 goto out;
4158
4159 if (sock && family == PF_UNIX)
4160 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4161 else if (skb)
4162 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4163
4164 out:
4165 *secid = peer_secid;
4166 if (peer_secid == SECSID_NULL)
4167 return -EINVAL;
4168 return 0;
4169 }
4170
4171 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4172 {
4173 return sk_alloc_security(sk, family, priority);
4174 }
4175
4176 static void selinux_sk_free_security(struct sock *sk)
4177 {
4178 sk_free_security(sk);
4179 }
4180
4181 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4182 {
4183 struct sk_security_struct *ssec = sk->sk_security;
4184 struct sk_security_struct *newssec = newsk->sk_security;
4185
4186 newssec->sid = ssec->sid;
4187 newssec->peer_sid = ssec->peer_sid;
4188 newssec->sclass = ssec->sclass;
4189
4190 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4191 }
4192
4193 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4194 {
4195 if (!sk)
4196 *secid = SECINITSID_ANY_SOCKET;
4197 else {
4198 struct sk_security_struct *sksec = sk->sk_security;
4199
4200 *secid = sksec->sid;
4201 }
4202 }
4203
4204 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4205 {
4206 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4207 struct sk_security_struct *sksec = sk->sk_security;
4208
4209 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4210 sk->sk_family == PF_UNIX)
4211 isec->sid = sksec->sid;
4212 sksec->sclass = isec->sclass;
4213
4214 selinux_netlbl_sock_graft(sk, parent);
4215 }
4216
4217 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4218 struct request_sock *req)
4219 {
4220 struct sk_security_struct *sksec = sk->sk_security;
4221 int err;
4222 u32 newsid;
4223 u32 peersid;
4224
4225 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4226 if (err)
4227 return err;
4228 if (peersid == SECSID_NULL) {
4229 req->secid = sksec->sid;
4230 req->peer_secid = SECSID_NULL;
4231 return 0;
4232 }
4233
4234 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4235 if (err)
4236 return err;
4237
4238 req->secid = newsid;
4239 req->peer_secid = peersid;
4240 return 0;
4241 }
4242
4243 static void selinux_inet_csk_clone(struct sock *newsk,
4244 const struct request_sock *req)
4245 {
4246 struct sk_security_struct *newsksec = newsk->sk_security;
4247
4248 newsksec->sid = req->secid;
4249 newsksec->peer_sid = req->peer_secid;
4250 /* NOTE: Ideally, we should also get the isec->sid for the
4251 new socket in sync, but we don't have the isec available yet.
4252 So we will wait until sock_graft to do it, by which
4253 time it will have been created and available. */
4254
4255 /* We don't need to take any sort of lock here as we are the only
4256 * thread with access to newsksec */
4257 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4258 }
4259
4260 static void selinux_inet_conn_established(struct sock *sk,
4261 struct sk_buff *skb)
4262 {
4263 struct sk_security_struct *sksec = sk->sk_security;
4264
4265 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4266 }
4267
4268 static void selinux_req_classify_flow(const struct request_sock *req,
4269 struct flowi *fl)
4270 {
4271 fl->secid = req->secid;
4272 }
4273
4274 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4275 {
4276 int err = 0;
4277 u32 perm;
4278 struct nlmsghdr *nlh;
4279 struct socket *sock = sk->sk_socket;
4280 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4281
4282 if (skb->len < NLMSG_SPACE(0)) {
4283 err = -EINVAL;
4284 goto out;
4285 }
4286 nlh = nlmsg_hdr(skb);
4287
4288 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4289 if (err) {
4290 if (err == -EINVAL) {
4291 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4292 "SELinux: unrecognized netlink message"
4293 " type=%hu for sclass=%hu\n",
4294 nlh->nlmsg_type, isec->sclass);
4295 if (!selinux_enforcing)
4296 err = 0;
4297 }
4298
4299 /* Ignore */
4300 if (err == -ENOENT)
4301 err = 0;
4302 goto out;
4303 }
4304
4305 err = socket_has_perm(current, sock, perm);
4306 out:
4307 return err;
4308 }
4309
4310 #ifdef CONFIG_NETFILTER
4311
4312 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4313 u16 family)
4314 {
4315 char *addrp;
4316 u32 peer_sid;
4317 struct avc_audit_data ad;
4318 u8 secmark_active;
4319 u8 peerlbl_active;
4320
4321 if (!selinux_policycap_netpeer)
4322 return NF_ACCEPT;
4323
4324 secmark_active = selinux_secmark_enabled();
4325 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4326 if (!secmark_active && !peerlbl_active)
4327 return NF_ACCEPT;
4328
4329 AVC_AUDIT_DATA_INIT(&ad, NET);
4330 ad.u.net.netif = ifindex;
4331 ad.u.net.family = family;
4332 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4333 return NF_DROP;
4334
4335 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4336 return NF_DROP;
4337
4338 if (peerlbl_active)
4339 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4340 peer_sid, &ad) != 0)
4341 return NF_DROP;
4342
4343 if (secmark_active)
4344 if (avc_has_perm(peer_sid, skb->secmark,
4345 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4346 return NF_DROP;
4347
4348 return NF_ACCEPT;
4349 }
4350
4351 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4352 struct sk_buff *skb,
4353 const struct net_device *in,
4354 const struct net_device *out,
4355 int (*okfn)(struct sk_buff *))
4356 {
4357 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4358 }
4359
4360 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4361 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4362 struct sk_buff *skb,
4363 const struct net_device *in,
4364 const struct net_device *out,
4365 int (*okfn)(struct sk_buff *))
4366 {
4367 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4368 }
4369 #endif /* IPV6 */
4370
4371 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4372 int ifindex,
4373 struct avc_audit_data *ad,
4374 u16 family, char *addrp)
4375 {
4376 int err;
4377 struct sk_security_struct *sksec = sk->sk_security;
4378 u16 sk_class;
4379 u32 netif_perm, node_perm, send_perm;
4380 u32 port_sid, node_sid, if_sid, sk_sid;
4381
4382 sk_sid = sksec->sid;
4383 sk_class = sksec->sclass;
4384
4385 switch (sk_class) {
4386 case SECCLASS_UDP_SOCKET:
4387 netif_perm = NETIF__UDP_SEND;
4388 node_perm = NODE__UDP_SEND;
4389 send_perm = UDP_SOCKET__SEND_MSG;
4390 break;
4391 case SECCLASS_TCP_SOCKET:
4392 netif_perm = NETIF__TCP_SEND;
4393 node_perm = NODE__TCP_SEND;
4394 send_perm = TCP_SOCKET__SEND_MSG;
4395 break;
4396 case SECCLASS_DCCP_SOCKET:
4397 netif_perm = NETIF__DCCP_SEND;
4398 node_perm = NODE__DCCP_SEND;
4399 send_perm = DCCP_SOCKET__SEND_MSG;
4400 break;
4401 default:
4402 netif_perm = NETIF__RAWIP_SEND;
4403 node_perm = NODE__RAWIP_SEND;
4404 send_perm = 0;
4405 break;
4406 }
4407
4408 err = sel_netif_sid(ifindex, &if_sid);
4409 if (err)
4410 return err;
4411 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4412 return err;
4413
4414 err = sel_netnode_sid(addrp, family, &node_sid);
4415 if (err)
4416 return err;
4417 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4418 if (err)
4419 return err;
4420
4421 if (send_perm != 0)
4422 return 0;
4423
4424 err = sel_netport_sid(sk->sk_protocol,
4425 ntohs(ad->u.net.dport), &port_sid);
4426 if (unlikely(err)) {
4427 printk(KERN_WARNING
4428 "SELinux: failure in"
4429 " selinux_ip_postroute_iptables_compat(),"
4430 " network port label not found\n");
4431 return err;
4432 }
4433 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4434 }
4435
4436 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4437 int ifindex,
4438 struct avc_audit_data *ad,
4439 u16 family,
4440 char *addrp,
4441 u8 proto)
4442 {
4443 struct sock *sk = skb->sk;
4444 struct sk_security_struct *sksec;
4445
4446 if (sk == NULL)
4447 return NF_ACCEPT;
4448 sksec = sk->sk_security;
4449
4450 if (selinux_compat_net) {
4451 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4452 ad, family, addrp))
4453 return NF_DROP;
4454 } else {
4455 if (avc_has_perm(sksec->sid, skb->secmark,
4456 SECCLASS_PACKET, PACKET__SEND, ad))
4457 return NF_DROP;
4458 }
4459
4460 if (selinux_policycap_netpeer)
4461 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4462 return NF_DROP;
4463
4464 return NF_ACCEPT;
4465 }
4466
4467 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4468 u16 family)
4469 {
4470 u32 secmark_perm;
4471 u32 peer_sid;
4472 struct sock *sk;
4473 struct avc_audit_data ad;
4474 char *addrp;
4475 u8 proto;
4476 u8 secmark_active;
4477 u8 peerlbl_active;
4478
4479 AVC_AUDIT_DATA_INIT(&ad, NET);
4480 ad.u.net.netif = ifindex;
4481 ad.u.net.family = family;
4482 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4483 return NF_DROP;
4484
4485 /* If any sort of compatibility mode is enabled then handoff processing
4486 * to the selinux_ip_postroute_compat() function to deal with the
4487 * special handling. We do this in an attempt to keep this function
4488 * as fast and as clean as possible. */
4489 if (selinux_compat_net || !selinux_policycap_netpeer)
4490 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4491 family, addrp, proto);
4492
4493 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4494 * packet transformation so allow the packet to pass without any checks
4495 * since we'll have another chance to perform access control checks
4496 * when the packet is on it's final way out.
4497 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4498 * is NULL, in this case go ahead and apply access control. */
4499 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4500 return NF_ACCEPT;
4501
4502 secmark_active = selinux_secmark_enabled();
4503 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4504 if (!secmark_active && !peerlbl_active)
4505 return NF_ACCEPT;
4506
4507 /* if the packet is locally generated (skb->sk != NULL) then use the
4508 * socket's label as the peer label, otherwise the packet is being
4509 * forwarded through this system and we need to fetch the peer label
4510 * directly from the packet */
4511 sk = skb->sk;
4512 if (sk) {
4513 struct sk_security_struct *sksec = sk->sk_security;
4514 peer_sid = sksec->sid;
4515 secmark_perm = PACKET__SEND;
4516 } else {
4517 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4518 return NF_DROP;
4519 secmark_perm = PACKET__FORWARD_OUT;
4520 }
4521
4522 if (secmark_active)
4523 if (avc_has_perm(peer_sid, skb->secmark,
4524 SECCLASS_PACKET, secmark_perm, &ad))
4525 return NF_DROP;
4526
4527 if (peerlbl_active) {
4528 u32 if_sid;
4529 u32 node_sid;
4530
4531 if (sel_netif_sid(ifindex, &if_sid))
4532 return NF_DROP;
4533 if (avc_has_perm(peer_sid, if_sid,
4534 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4535 return NF_DROP;
4536
4537 if (sel_netnode_sid(addrp, family, &node_sid))
4538 return NF_DROP;
4539 if (avc_has_perm(peer_sid, node_sid,
4540 SECCLASS_NODE, NODE__SENDTO, &ad))
4541 return NF_DROP;
4542 }
4543
4544 return NF_ACCEPT;
4545 }
4546
4547 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4548 struct sk_buff *skb,
4549 const struct net_device *in,
4550 const struct net_device *out,
4551 int (*okfn)(struct sk_buff *))
4552 {
4553 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4554 }
4555
4556 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4557 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4558 struct sk_buff *skb,
4559 const struct net_device *in,
4560 const struct net_device *out,
4561 int (*okfn)(struct sk_buff *))
4562 {
4563 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4564 }
4565 #endif /* IPV6 */
4566
4567 #endif /* CONFIG_NETFILTER */
4568
4569 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4570 {
4571 int err;
4572
4573 err = secondary_ops->netlink_send(sk, skb);
4574 if (err)
4575 return err;
4576
4577 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4578 err = selinux_nlmsg_perm(sk, skb);
4579
4580 return err;
4581 }
4582
4583 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4584 {
4585 int err;
4586 struct avc_audit_data ad;
4587
4588 err = secondary_ops->netlink_recv(skb, capability);
4589 if (err)
4590 return err;
4591
4592 AVC_AUDIT_DATA_INIT(&ad, CAP);
4593 ad.u.cap = capability;
4594
4595 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4596 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4597 }
4598
4599 static int ipc_alloc_security(struct task_struct *task,
4600 struct kern_ipc_perm *perm,
4601 u16 sclass)
4602 {
4603 struct task_security_struct *tsec = task->security;
4604 struct ipc_security_struct *isec;
4605
4606 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4607 if (!isec)
4608 return -ENOMEM;
4609
4610 isec->sclass = sclass;
4611 isec->sid = tsec->sid;
4612 perm->security = isec;
4613
4614 return 0;
4615 }
4616
4617 static void ipc_free_security(struct kern_ipc_perm *perm)
4618 {
4619 struct ipc_security_struct *isec = perm->security;
4620 perm->security = NULL;
4621 kfree(isec);
4622 }
4623
4624 static int msg_msg_alloc_security(struct msg_msg *msg)
4625 {
4626 struct msg_security_struct *msec;
4627
4628 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4629 if (!msec)
4630 return -ENOMEM;
4631
4632 msec->sid = SECINITSID_UNLABELED;
4633 msg->security = msec;
4634
4635 return 0;
4636 }
4637
4638 static void msg_msg_free_security(struct msg_msg *msg)
4639 {
4640 struct msg_security_struct *msec = msg->security;
4641
4642 msg->security = NULL;
4643 kfree(msec);
4644 }
4645
4646 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4647 u32 perms)
4648 {
4649 struct task_security_struct *tsec;
4650 struct ipc_security_struct *isec;
4651 struct avc_audit_data ad;
4652
4653 tsec = current->security;
4654 isec = ipc_perms->security;
4655
4656 AVC_AUDIT_DATA_INIT(&ad, IPC);
4657 ad.u.ipc_id = ipc_perms->key;
4658
4659 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4660 }
4661
4662 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4663 {
4664 return msg_msg_alloc_security(msg);
4665 }
4666
4667 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4668 {
4669 msg_msg_free_security(msg);
4670 }
4671
4672 /* message queue security operations */
4673 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4674 {
4675 struct task_security_struct *tsec;
4676 struct ipc_security_struct *isec;
4677 struct avc_audit_data ad;
4678 int rc;
4679
4680 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4681 if (rc)
4682 return rc;
4683
4684 tsec = current->security;
4685 isec = msq->q_perm.security;
4686
4687 AVC_AUDIT_DATA_INIT(&ad, IPC);
4688 ad.u.ipc_id = msq->q_perm.key;
4689
4690 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4691 MSGQ__CREATE, &ad);
4692 if (rc) {
4693 ipc_free_security(&msq->q_perm);
4694 return rc;
4695 }
4696 return 0;
4697 }
4698
4699 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4700 {
4701 ipc_free_security(&msq->q_perm);
4702 }
4703
4704 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4705 {
4706 struct task_security_struct *tsec;
4707 struct ipc_security_struct *isec;
4708 struct avc_audit_data ad;
4709
4710 tsec = current->security;
4711 isec = msq->q_perm.security;
4712
4713 AVC_AUDIT_DATA_INIT(&ad, IPC);
4714 ad.u.ipc_id = msq->q_perm.key;
4715
4716 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4717 MSGQ__ASSOCIATE, &ad);
4718 }
4719
4720 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4721 {
4722 int err;
4723 int perms;
4724
4725 switch(cmd) {
4726 case IPC_INFO:
4727 case MSG_INFO:
4728 /* No specific object, just general system-wide information. */
4729 return task_has_system(current, SYSTEM__IPC_INFO);
4730 case IPC_STAT:
4731 case MSG_STAT:
4732 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4733 break;
4734 case IPC_SET:
4735 perms = MSGQ__SETATTR;
4736 break;
4737 case IPC_RMID:
4738 perms = MSGQ__DESTROY;
4739 break;
4740 default:
4741 return 0;
4742 }
4743
4744 err = ipc_has_perm(&msq->q_perm, perms);
4745 return err;
4746 }
4747
4748 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4749 {
4750 struct task_security_struct *tsec;
4751 struct ipc_security_struct *isec;
4752 struct msg_security_struct *msec;
4753 struct avc_audit_data ad;
4754 int rc;
4755
4756 tsec = current->security;
4757 isec = msq->q_perm.security;
4758 msec = msg->security;
4759
4760 /*
4761 * First time through, need to assign label to the message
4762 */
4763 if (msec->sid == SECINITSID_UNLABELED) {
4764 /*
4765 * Compute new sid based on current process and
4766 * message queue this message will be stored in
4767 */
4768 rc = security_transition_sid(tsec->sid,
4769 isec->sid,
4770 SECCLASS_MSG,
4771 &msec->sid);
4772 if (rc)
4773 return rc;
4774 }
4775
4776 AVC_AUDIT_DATA_INIT(&ad, IPC);
4777 ad.u.ipc_id = msq->q_perm.key;
4778
4779 /* Can this process write to the queue? */
4780 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4781 MSGQ__WRITE, &ad);
4782 if (!rc)
4783 /* Can this process send the message */
4784 rc = avc_has_perm(tsec->sid, msec->sid,
4785 SECCLASS_MSG, MSG__SEND, &ad);
4786 if (!rc)
4787 /* Can the message be put in the queue? */
4788 rc = avc_has_perm(msec->sid, isec->sid,
4789 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4790
4791 return rc;
4792 }
4793
4794 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4795 struct task_struct *target,
4796 long type, int mode)
4797 {
4798 struct task_security_struct *tsec;
4799 struct ipc_security_struct *isec;
4800 struct msg_security_struct *msec;
4801 struct avc_audit_data ad;
4802 int rc;
4803
4804 tsec = target->security;
4805 isec = msq->q_perm.security;
4806 msec = msg->security;
4807
4808 AVC_AUDIT_DATA_INIT(&ad, IPC);
4809 ad.u.ipc_id = msq->q_perm.key;
4810
4811 rc = avc_has_perm(tsec->sid, isec->sid,
4812 SECCLASS_MSGQ, MSGQ__READ, &ad);
4813 if (!rc)
4814 rc = avc_has_perm(tsec->sid, msec->sid,
4815 SECCLASS_MSG, MSG__RECEIVE, &ad);
4816 return rc;
4817 }
4818
4819 /* Shared Memory security operations */
4820 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4821 {
4822 struct task_security_struct *tsec;
4823 struct ipc_security_struct *isec;
4824 struct avc_audit_data ad;
4825 int rc;
4826
4827 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4828 if (rc)
4829 return rc;
4830
4831 tsec = current->security;
4832 isec = shp->shm_perm.security;
4833
4834 AVC_AUDIT_DATA_INIT(&ad, IPC);
4835 ad.u.ipc_id = shp->shm_perm.key;
4836
4837 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4838 SHM__CREATE, &ad);
4839 if (rc) {
4840 ipc_free_security(&shp->shm_perm);
4841 return rc;
4842 }
4843 return 0;
4844 }
4845
4846 static void selinux_shm_free_security(struct shmid_kernel *shp)
4847 {
4848 ipc_free_security(&shp->shm_perm);
4849 }
4850
4851 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4852 {
4853 struct task_security_struct *tsec;
4854 struct ipc_security_struct *isec;
4855 struct avc_audit_data ad;
4856
4857 tsec = current->security;
4858 isec = shp->shm_perm.security;
4859
4860 AVC_AUDIT_DATA_INIT(&ad, IPC);
4861 ad.u.ipc_id = shp->shm_perm.key;
4862
4863 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4864 SHM__ASSOCIATE, &ad);
4865 }
4866
4867 /* Note, at this point, shp is locked down */
4868 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4869 {
4870 int perms;
4871 int err;
4872
4873 switch(cmd) {
4874 case IPC_INFO:
4875 case SHM_INFO:
4876 /* No specific object, just general system-wide information. */
4877 return task_has_system(current, SYSTEM__IPC_INFO);
4878 case IPC_STAT:
4879 case SHM_STAT:
4880 perms = SHM__GETATTR | SHM__ASSOCIATE;
4881 break;
4882 case IPC_SET:
4883 perms = SHM__SETATTR;
4884 break;
4885 case SHM_LOCK:
4886 case SHM_UNLOCK:
4887 perms = SHM__LOCK;
4888 break;
4889 case IPC_RMID:
4890 perms = SHM__DESTROY;
4891 break;
4892 default:
4893 return 0;
4894 }
4895
4896 err = ipc_has_perm(&shp->shm_perm, perms);
4897 return err;
4898 }
4899
4900 static int selinux_shm_shmat(struct shmid_kernel *shp,
4901 char __user *shmaddr, int shmflg)
4902 {
4903 u32 perms;
4904 int rc;
4905
4906 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4907 if (rc)
4908 return rc;
4909
4910 if (shmflg & SHM_RDONLY)
4911 perms = SHM__READ;
4912 else
4913 perms = SHM__READ | SHM__WRITE;
4914
4915 return ipc_has_perm(&shp->shm_perm, perms);
4916 }
4917
4918 /* Semaphore security operations */
4919 static int selinux_sem_alloc_security(struct sem_array *sma)
4920 {
4921 struct task_security_struct *tsec;
4922 struct ipc_security_struct *isec;
4923 struct avc_audit_data ad;
4924 int rc;
4925
4926 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4927 if (rc)
4928 return rc;
4929
4930 tsec = current->security;
4931 isec = sma->sem_perm.security;
4932
4933 AVC_AUDIT_DATA_INIT(&ad, IPC);
4934 ad.u.ipc_id = sma->sem_perm.key;
4935
4936 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4937 SEM__CREATE, &ad);
4938 if (rc) {
4939 ipc_free_security(&sma->sem_perm);
4940 return rc;
4941 }
4942 return 0;
4943 }
4944
4945 static void selinux_sem_free_security(struct sem_array *sma)
4946 {
4947 ipc_free_security(&sma->sem_perm);
4948 }
4949
4950 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4951 {
4952 struct task_security_struct *tsec;
4953 struct ipc_security_struct *isec;
4954 struct avc_audit_data ad;
4955
4956 tsec = current->security;
4957 isec = sma->sem_perm.security;
4958
4959 AVC_AUDIT_DATA_INIT(&ad, IPC);
4960 ad.u.ipc_id = sma->sem_perm.key;
4961
4962 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4963 SEM__ASSOCIATE, &ad);
4964 }
4965
4966 /* Note, at this point, sma is locked down */
4967 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4968 {
4969 int err;
4970 u32 perms;
4971
4972 switch(cmd) {
4973 case IPC_INFO:
4974 case SEM_INFO:
4975 /* No specific object, just general system-wide information. */
4976 return task_has_system(current, SYSTEM__IPC_INFO);
4977 case GETPID:
4978 case GETNCNT:
4979 case GETZCNT:
4980 perms = SEM__GETATTR;
4981 break;
4982 case GETVAL:
4983 case GETALL:
4984 perms = SEM__READ;
4985 break;
4986 case SETVAL:
4987 case SETALL:
4988 perms = SEM__WRITE;
4989 break;
4990 case IPC_RMID:
4991 perms = SEM__DESTROY;
4992 break;
4993 case IPC_SET:
4994 perms = SEM__SETATTR;
4995 break;
4996 case IPC_STAT:
4997 case SEM_STAT:
4998 perms = SEM__GETATTR | SEM__ASSOCIATE;
4999 break;
5000 default:
5001 return 0;
5002 }
5003
5004 err = ipc_has_perm(&sma->sem_perm, perms);
5005 return err;
5006 }
5007
5008 static int selinux_sem_semop(struct sem_array *sma,
5009 struct sembuf *sops, unsigned nsops, int alter)
5010 {
5011 u32 perms;
5012
5013 if (alter)
5014 perms = SEM__READ | SEM__WRITE;
5015 else
5016 perms = SEM__READ;
5017
5018 return ipc_has_perm(&sma->sem_perm, perms);
5019 }
5020
5021 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5022 {
5023 u32 av = 0;
5024
5025 av = 0;
5026 if (flag & S_IRUGO)
5027 av |= IPC__UNIX_READ;
5028 if (flag & S_IWUGO)
5029 av |= IPC__UNIX_WRITE;
5030
5031 if (av == 0)
5032 return 0;
5033
5034 return ipc_has_perm(ipcp, av);
5035 }
5036
5037 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5038 {
5039 struct ipc_security_struct *isec = ipcp->security;
5040 *secid = isec->sid;
5041 }
5042
5043 /* module stacking operations */
5044 static int selinux_register_security (const char *name, struct security_operations *ops)
5045 {
5046 if (secondary_ops != original_ops) {
5047 printk(KERN_ERR "%s: There is already a secondary security "
5048 "module registered.\n", __func__);
5049 return -EINVAL;
5050 }
5051
5052 secondary_ops = ops;
5053
5054 printk(KERN_INFO "%s: Registering secondary module %s\n",
5055 __func__,
5056 name);
5057
5058 return 0;
5059 }
5060
5061 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5062 {
5063 if (inode)
5064 inode_doinit_with_dentry(inode, dentry);
5065 }
5066
5067 static int selinux_getprocattr(struct task_struct *p,
5068 char *name, char **value)
5069 {
5070 struct task_security_struct *tsec;
5071 u32 sid;
5072 int error;
5073 unsigned len;
5074
5075 if (current != p) {
5076 error = task_has_perm(current, p, PROCESS__GETATTR);
5077 if (error)
5078 return error;
5079 }
5080
5081 tsec = p->security;
5082
5083 if (!strcmp(name, "current"))
5084 sid = tsec->sid;
5085 else if (!strcmp(name, "prev"))
5086 sid = tsec->osid;
5087 else if (!strcmp(name, "exec"))
5088 sid = tsec->exec_sid;
5089 else if (!strcmp(name, "fscreate"))
5090 sid = tsec->create_sid;
5091 else if (!strcmp(name, "keycreate"))
5092 sid = tsec->keycreate_sid;
5093 else if (!strcmp(name, "sockcreate"))
5094 sid = tsec->sockcreate_sid;
5095 else
5096 return -EINVAL;
5097
5098 if (!sid)
5099 return 0;
5100
5101 error = security_sid_to_context(sid, value, &len);
5102 if (error)
5103 return error;
5104 return len;
5105 }
5106
5107 static int selinux_setprocattr(struct task_struct *p,
5108 char *name, void *value, size_t size)
5109 {
5110 struct task_security_struct *tsec;
5111 struct task_struct *tracer;
5112 u32 sid = 0;
5113 int error;
5114 char *str = value;
5115
5116 if (current != p) {
5117 /* SELinux only allows a process to change its own
5118 security attributes. */
5119 return -EACCES;
5120 }
5121
5122 /*
5123 * Basic control over ability to set these attributes at all.
5124 * current == p, but we'll pass them separately in case the
5125 * above restriction is ever removed.
5126 */
5127 if (!strcmp(name, "exec"))
5128 error = task_has_perm(current, p, PROCESS__SETEXEC);
5129 else if (!strcmp(name, "fscreate"))
5130 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5131 else if (!strcmp(name, "keycreate"))
5132 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5133 else if (!strcmp(name, "sockcreate"))
5134 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5135 else if (!strcmp(name, "current"))
5136 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5137 else
5138 error = -EINVAL;
5139 if (error)
5140 return error;
5141
5142 /* Obtain a SID for the context, if one was specified. */
5143 if (size && str[1] && str[1] != '\n') {
5144 if (str[size-1] == '\n') {
5145 str[size-1] = 0;
5146 size--;
5147 }
5148 error = security_context_to_sid(value, size, &sid);
5149 if (error)
5150 return error;
5151 }
5152
5153 /* Permission checking based on the specified context is
5154 performed during the actual operation (execve,
5155 open/mkdir/...), when we know the full context of the
5156 operation. See selinux_bprm_set_security for the execve
5157 checks and may_create for the file creation checks. The
5158 operation will then fail if the context is not permitted. */
5159 tsec = p->security;
5160 if (!strcmp(name, "exec"))
5161 tsec->exec_sid = sid;
5162 else if (!strcmp(name, "fscreate"))
5163 tsec->create_sid = sid;
5164 else if (!strcmp(name, "keycreate")) {
5165 error = may_create_key(sid, p);
5166 if (error)
5167 return error;
5168 tsec->keycreate_sid = sid;
5169 } else if (!strcmp(name, "sockcreate"))
5170 tsec->sockcreate_sid = sid;
5171 else if (!strcmp(name, "current")) {
5172 struct av_decision avd;
5173
5174 if (sid == 0)
5175 return -EINVAL;
5176
5177 /* Only allow single threaded processes to change context */
5178 if (atomic_read(&p->mm->mm_users) != 1) {
5179 struct task_struct *g, *t;
5180 struct mm_struct *mm = p->mm;
5181 read_lock(&tasklist_lock);
5182 do_each_thread(g, t)
5183 if (t->mm == mm && t != p) {
5184 read_unlock(&tasklist_lock);
5185 return -EPERM;
5186 }
5187 while_each_thread(g, t);
5188 read_unlock(&tasklist_lock);
5189 }
5190
5191 /* Check permissions for the transition. */
5192 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5193 PROCESS__DYNTRANSITION, NULL);
5194 if (error)
5195 return error;
5196
5197 /* Check for ptracing, and update the task SID if ok.
5198 Otherwise, leave SID unchanged and fail. */
5199 task_lock(p);
5200 rcu_read_lock();
5201 tracer = task_tracer_task(p);
5202 if (tracer != NULL) {
5203 struct task_security_struct *ptsec = tracer->security;
5204 u32 ptsid = ptsec->sid;
5205 rcu_read_unlock();
5206 error = avc_has_perm_noaudit(ptsid, sid,
5207 SECCLASS_PROCESS,
5208 PROCESS__PTRACE, 0, &avd);
5209 if (!error)
5210 tsec->sid = sid;
5211 task_unlock(p);
5212 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5213 PROCESS__PTRACE, &avd, error, NULL);
5214 if (error)
5215 return error;
5216 } else {
5217 rcu_read_unlock();
5218 tsec->sid = sid;
5219 task_unlock(p);
5220 }
5221 }
5222 else
5223 return -EINVAL;
5224
5225 return size;
5226 }
5227
5228 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5229 {
5230 return security_sid_to_context(secid, secdata, seclen);
5231 }
5232
5233 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5234 {
5235 return security_context_to_sid(secdata, seclen, secid);
5236 }
5237
5238 static void selinux_release_secctx(char *secdata, u32 seclen)
5239 {
5240 kfree(secdata);
5241 }
5242
5243 #ifdef CONFIG_KEYS
5244
5245 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5246 unsigned long flags)
5247 {
5248 struct task_security_struct *tsec = tsk->security;
5249 struct key_security_struct *ksec;
5250
5251 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5252 if (!ksec)
5253 return -ENOMEM;
5254
5255 if (tsec->keycreate_sid)
5256 ksec->sid = tsec->keycreate_sid;
5257 else
5258 ksec->sid = tsec->sid;
5259 k->security = ksec;
5260
5261 return 0;
5262 }
5263
5264 static void selinux_key_free(struct key *k)
5265 {
5266 struct key_security_struct *ksec = k->security;
5267
5268 k->security = NULL;
5269 kfree(ksec);
5270 }
5271
5272 static int selinux_key_permission(key_ref_t key_ref,
5273 struct task_struct *ctx,
5274 key_perm_t perm)
5275 {
5276 struct key *key;
5277 struct task_security_struct *tsec;
5278 struct key_security_struct *ksec;
5279
5280 key = key_ref_to_ptr(key_ref);
5281
5282 tsec = ctx->security;
5283 ksec = key->security;
5284
5285 /* if no specific permissions are requested, we skip the
5286 permission check. No serious, additional covert channels
5287 appear to be created. */
5288 if (perm == 0)
5289 return 0;
5290
5291 return avc_has_perm(tsec->sid, ksec->sid,
5292 SECCLASS_KEY, perm, NULL);
5293 }
5294
5295 #endif
5296
5297 static struct security_operations selinux_ops = {
5298 .ptrace = selinux_ptrace,
5299 .capget = selinux_capget,
5300 .capset_check = selinux_capset_check,
5301 .capset_set = selinux_capset_set,
5302 .sysctl = selinux_sysctl,
5303 .capable = selinux_capable,
5304 .quotactl = selinux_quotactl,
5305 .quota_on = selinux_quota_on,
5306 .syslog = selinux_syslog,
5307 .vm_enough_memory = selinux_vm_enough_memory,
5308
5309 .netlink_send = selinux_netlink_send,
5310 .netlink_recv = selinux_netlink_recv,
5311
5312 .bprm_alloc_security = selinux_bprm_alloc_security,
5313 .bprm_free_security = selinux_bprm_free_security,
5314 .bprm_apply_creds = selinux_bprm_apply_creds,
5315 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5316 .bprm_set_security = selinux_bprm_set_security,
5317 .bprm_check_security = selinux_bprm_check_security,
5318 .bprm_secureexec = selinux_bprm_secureexec,
5319
5320 .sb_alloc_security = selinux_sb_alloc_security,
5321 .sb_free_security = selinux_sb_free_security,
5322 .sb_copy_data = selinux_sb_copy_data,
5323 .sb_kern_mount = selinux_sb_kern_mount,
5324 .sb_statfs = selinux_sb_statfs,
5325 .sb_mount = selinux_mount,
5326 .sb_umount = selinux_umount,
5327 .sb_get_mnt_opts = selinux_get_mnt_opts,
5328 .sb_set_mnt_opts = selinux_set_mnt_opts,
5329 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5330 .sb_parse_opts_str = selinux_parse_opts_str,
5331
5332
5333 .inode_alloc_security = selinux_inode_alloc_security,
5334 .inode_free_security = selinux_inode_free_security,
5335 .inode_init_security = selinux_inode_init_security,
5336 .inode_create = selinux_inode_create,
5337 .inode_link = selinux_inode_link,
5338 .inode_unlink = selinux_inode_unlink,
5339 .inode_symlink = selinux_inode_symlink,
5340 .inode_mkdir = selinux_inode_mkdir,
5341 .inode_rmdir = selinux_inode_rmdir,
5342 .inode_mknod = selinux_inode_mknod,
5343 .inode_rename = selinux_inode_rename,
5344 .inode_readlink = selinux_inode_readlink,
5345 .inode_follow_link = selinux_inode_follow_link,
5346 .inode_permission = selinux_inode_permission,
5347 .inode_setattr = selinux_inode_setattr,
5348 .inode_getattr = selinux_inode_getattr,
5349 .inode_setxattr = selinux_inode_setxattr,
5350 .inode_post_setxattr = selinux_inode_post_setxattr,
5351 .inode_getxattr = selinux_inode_getxattr,
5352 .inode_listxattr = selinux_inode_listxattr,
5353 .inode_removexattr = selinux_inode_removexattr,
5354 .inode_getsecurity = selinux_inode_getsecurity,
5355 .inode_setsecurity = selinux_inode_setsecurity,
5356 .inode_listsecurity = selinux_inode_listsecurity,
5357 .inode_need_killpriv = selinux_inode_need_killpriv,
5358 .inode_killpriv = selinux_inode_killpriv,
5359 .inode_getsecid = selinux_inode_getsecid,
5360
5361 .file_permission = selinux_file_permission,
5362 .file_alloc_security = selinux_file_alloc_security,
5363 .file_free_security = selinux_file_free_security,
5364 .file_ioctl = selinux_file_ioctl,
5365 .file_mmap = selinux_file_mmap,
5366 .file_mprotect = selinux_file_mprotect,
5367 .file_lock = selinux_file_lock,
5368 .file_fcntl = selinux_file_fcntl,
5369 .file_set_fowner = selinux_file_set_fowner,
5370 .file_send_sigiotask = selinux_file_send_sigiotask,
5371 .file_receive = selinux_file_receive,
5372
5373 .dentry_open = selinux_dentry_open,
5374
5375 .task_create = selinux_task_create,
5376 .task_alloc_security = selinux_task_alloc_security,
5377 .task_free_security = selinux_task_free_security,
5378 .task_setuid = selinux_task_setuid,
5379 .task_post_setuid = selinux_task_post_setuid,
5380 .task_setgid = selinux_task_setgid,
5381 .task_setpgid = selinux_task_setpgid,
5382 .task_getpgid = selinux_task_getpgid,
5383 .task_getsid = selinux_task_getsid,
5384 .task_getsecid = selinux_task_getsecid,
5385 .task_setgroups = selinux_task_setgroups,
5386 .task_setnice = selinux_task_setnice,
5387 .task_setioprio = selinux_task_setioprio,
5388 .task_getioprio = selinux_task_getioprio,
5389 .task_setrlimit = selinux_task_setrlimit,
5390 .task_setscheduler = selinux_task_setscheduler,
5391 .task_getscheduler = selinux_task_getscheduler,
5392 .task_movememory = selinux_task_movememory,
5393 .task_kill = selinux_task_kill,
5394 .task_wait = selinux_task_wait,
5395 .task_prctl = selinux_task_prctl,
5396 .task_reparent_to_init = selinux_task_reparent_to_init,
5397 .task_to_inode = selinux_task_to_inode,
5398
5399 .ipc_permission = selinux_ipc_permission,
5400 .ipc_getsecid = selinux_ipc_getsecid,
5401
5402 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5403 .msg_msg_free_security = selinux_msg_msg_free_security,
5404
5405 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5406 .msg_queue_free_security = selinux_msg_queue_free_security,
5407 .msg_queue_associate = selinux_msg_queue_associate,
5408 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5409 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5410 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5411
5412 .shm_alloc_security = selinux_shm_alloc_security,
5413 .shm_free_security = selinux_shm_free_security,
5414 .shm_associate = selinux_shm_associate,
5415 .shm_shmctl = selinux_shm_shmctl,
5416 .shm_shmat = selinux_shm_shmat,
5417
5418 .sem_alloc_security = selinux_sem_alloc_security,
5419 .sem_free_security = selinux_sem_free_security,
5420 .sem_associate = selinux_sem_associate,
5421 .sem_semctl = selinux_sem_semctl,
5422 .sem_semop = selinux_sem_semop,
5423
5424 .register_security = selinux_register_security,
5425
5426 .d_instantiate = selinux_d_instantiate,
5427
5428 .getprocattr = selinux_getprocattr,
5429 .setprocattr = selinux_setprocattr,
5430
5431 .secid_to_secctx = selinux_secid_to_secctx,
5432 .secctx_to_secid = selinux_secctx_to_secid,
5433 .release_secctx = selinux_release_secctx,
5434
5435 .unix_stream_connect = selinux_socket_unix_stream_connect,
5436 .unix_may_send = selinux_socket_unix_may_send,
5437
5438 .socket_create = selinux_socket_create,
5439 .socket_post_create = selinux_socket_post_create,
5440 .socket_bind = selinux_socket_bind,
5441 .socket_connect = selinux_socket_connect,
5442 .socket_listen = selinux_socket_listen,
5443 .socket_accept = selinux_socket_accept,
5444 .socket_sendmsg = selinux_socket_sendmsg,
5445 .socket_recvmsg = selinux_socket_recvmsg,
5446 .socket_getsockname = selinux_socket_getsockname,
5447 .socket_getpeername = selinux_socket_getpeername,
5448 .socket_getsockopt = selinux_socket_getsockopt,
5449 .socket_setsockopt = selinux_socket_setsockopt,
5450 .socket_shutdown = selinux_socket_shutdown,
5451 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5452 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5453 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5454 .sk_alloc_security = selinux_sk_alloc_security,
5455 .sk_free_security = selinux_sk_free_security,
5456 .sk_clone_security = selinux_sk_clone_security,
5457 .sk_getsecid = selinux_sk_getsecid,
5458 .sock_graft = selinux_sock_graft,
5459 .inet_conn_request = selinux_inet_conn_request,
5460 .inet_csk_clone = selinux_inet_csk_clone,
5461 .inet_conn_established = selinux_inet_conn_established,
5462 .req_classify_flow = selinux_req_classify_flow,
5463
5464 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5465 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5466 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5467 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5468 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5469 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5470 .xfrm_state_free_security = selinux_xfrm_state_free,
5471 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5472 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5473 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5474 .xfrm_decode_session = selinux_xfrm_decode_session,
5475 #endif
5476
5477 #ifdef CONFIG_KEYS
5478 .key_alloc = selinux_key_alloc,
5479 .key_free = selinux_key_free,
5480 .key_permission = selinux_key_permission,
5481 #endif
5482
5483 #ifdef CONFIG_AUDIT
5484 .audit_rule_init = selinux_audit_rule_init,
5485 .audit_rule_known = selinux_audit_rule_known,
5486 .audit_rule_match = selinux_audit_rule_match,
5487 .audit_rule_free = selinux_audit_rule_free,
5488 #endif
5489 };
5490
5491 static __init int selinux_init(void)
5492 {
5493 struct task_security_struct *tsec;
5494
5495 if (!selinux_enabled) {
5496 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5497 return 0;
5498 }
5499
5500 printk(KERN_INFO "SELinux: Initializing.\n");
5501
5502 /* Set the security state for the initial task. */
5503 if (task_alloc_security(current))
5504 panic("SELinux: Failed to initialize initial task.\n");
5505 tsec = current->security;
5506 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5507
5508 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5509 sizeof(struct inode_security_struct),
5510 0, SLAB_PANIC, NULL);
5511 avc_init();
5512
5513 original_ops = secondary_ops = security_ops;
5514 if (!secondary_ops)
5515 panic ("SELinux: No initial security operations\n");
5516 if (register_security (&selinux_ops))
5517 panic("SELinux: Unable to register with kernel.\n");
5518
5519 if (selinux_enforcing) {
5520 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5521 } else {
5522 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5523 }
5524
5525 #ifdef CONFIG_KEYS
5526 /* Add security information to initial keyrings */
5527 selinux_key_alloc(&root_user_keyring, current,
5528 KEY_ALLOC_NOT_IN_QUOTA);
5529 selinux_key_alloc(&root_session_keyring, current,
5530 KEY_ALLOC_NOT_IN_QUOTA);
5531 #endif
5532
5533 return 0;
5534 }
5535
5536 void selinux_complete_init(void)
5537 {
5538 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5539
5540 /* Set up any superblocks initialized prior to the policy load. */
5541 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5542 spin_lock(&sb_lock);
5543 spin_lock(&sb_security_lock);
5544 next_sb:
5545 if (!list_empty(&superblock_security_head)) {
5546 struct superblock_security_struct *sbsec =
5547 list_entry(superblock_security_head.next,
5548 struct superblock_security_struct,
5549 list);
5550 struct super_block *sb = sbsec->sb;
5551 sb->s_count++;
5552 spin_unlock(&sb_security_lock);
5553 spin_unlock(&sb_lock);
5554 down_read(&sb->s_umount);
5555 if (sb->s_root)
5556 superblock_doinit(sb, NULL);
5557 drop_super(sb);
5558 spin_lock(&sb_lock);
5559 spin_lock(&sb_security_lock);
5560 list_del_init(&sbsec->list);
5561 goto next_sb;
5562 }
5563 spin_unlock(&sb_security_lock);
5564 spin_unlock(&sb_lock);
5565 }
5566
5567 /* SELinux requires early initialization in order to label
5568 all processes and objects when they are created. */
5569 security_initcall(selinux_init);
5570
5571 #if defined(CONFIG_NETFILTER)
5572
5573 static struct nf_hook_ops selinux_ipv4_ops[] = {
5574 {
5575 .hook = selinux_ipv4_postroute,
5576 .owner = THIS_MODULE,
5577 .pf = PF_INET,
5578 .hooknum = NF_INET_POST_ROUTING,
5579 .priority = NF_IP_PRI_SELINUX_LAST,
5580 },
5581 {
5582 .hook = selinux_ipv4_forward,
5583 .owner = THIS_MODULE,
5584 .pf = PF_INET,
5585 .hooknum = NF_INET_FORWARD,
5586 .priority = NF_IP_PRI_SELINUX_FIRST,
5587 }
5588 };
5589
5590 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5591
5592 static struct nf_hook_ops selinux_ipv6_ops[] = {
5593 {
5594 .hook = selinux_ipv6_postroute,
5595 .owner = THIS_MODULE,
5596 .pf = PF_INET6,
5597 .hooknum = NF_INET_POST_ROUTING,
5598 .priority = NF_IP6_PRI_SELINUX_LAST,
5599 },
5600 {
5601 .hook = selinux_ipv6_forward,
5602 .owner = THIS_MODULE,
5603 .pf = PF_INET6,
5604 .hooknum = NF_INET_FORWARD,
5605 .priority = NF_IP6_PRI_SELINUX_FIRST,
5606 }
5607 };
5608
5609 #endif /* IPV6 */
5610
5611 static int __init selinux_nf_ip_init(void)
5612 {
5613 int err = 0;
5614 u32 iter;
5615
5616 if (!selinux_enabled)
5617 goto out;
5618
5619 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5620
5621 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5622 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5623 if (err)
5624 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5625 err);
5626 }
5627
5628 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5629 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5630 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5631 if (err)
5632 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5633 err);
5634 }
5635 #endif /* IPV6 */
5636
5637 out:
5638 return err;
5639 }
5640
5641 __initcall(selinux_nf_ip_init);
5642
5643 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5644 static void selinux_nf_ip_exit(void)
5645 {
5646 u32 iter;
5647
5648 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5649
5650 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5651 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5652 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5653 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5654 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5655 #endif /* IPV6 */
5656 }
5657 #endif
5658
5659 #else /* CONFIG_NETFILTER */
5660
5661 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5662 #define selinux_nf_ip_exit()
5663 #endif
5664
5665 #endif /* CONFIG_NETFILTER */
5666
5667 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5668 int selinux_disable(void)
5669 {
5670 extern void exit_sel_fs(void);
5671 static int selinux_disabled = 0;
5672
5673 if (ss_initialized) {
5674 /* Not permitted after initial policy load. */
5675 return -EINVAL;
5676 }
5677
5678 if (selinux_disabled) {
5679 /* Only do this once. */
5680 return -EINVAL;
5681 }
5682
5683 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5684
5685 selinux_disabled = 1;
5686 selinux_enabled = 0;
5687
5688 /* Reset security_ops to the secondary module, dummy or capability. */
5689 security_ops = secondary_ops;
5690
5691 /* Unregister netfilter hooks. */
5692 selinux_nf_ip_exit();
5693
5694 /* Unregister selinuxfs. */
5695 exit_sel_fs();
5696
5697 return 0;
5698 }
5699 #endif
Linux kernel - Deliverables
This page took 0.158172 seconds and 5 git commands to generate.