projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
capabilities: remove the task from capable LSM hook entirely
[deliverable/linux.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83
84 #include "avc.h"
85 #include "objsec.h"
86 #include "netif.h"
87 #include "netnode.h"
88 #include "netport.h"
89 #include "xfrm.h"
90 #include "netlabel.h"
91 #include "audit.h"
92 #include "avc_ss.h"
93
94 #define NUM_SEL_MNT_OPTS 5
95
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
109 return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
122 return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129 static struct kmem_cache *sel_inode_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled.
139 *
140 */
141 static int selinux_secmark_enabled(void)
142 {
143 return (atomic_read(&selinux_secmark_refcount) > 0);
144 }
145
146 /*
147 * initialise the security for the init task
148 */
149 static void cred_init_security(void)
150 {
151 struct cred *cred = (struct cred *) current->real_cred;
152 struct task_security_struct *tsec;
153
154 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
155 if (!tsec)
156 panic("SELinux: Failed to initialize initial task.\n");
157
158 tsec->osid = tsec->sid = SECINITSID_KERNEL;
159 cred->security = tsec;
160 }
161
162 /*
163 * get the security ID of a set of credentials
164 */
165 static inline u32 cred_sid(const struct cred *cred)
166 {
167 const struct task_security_struct *tsec;
168
169 tsec = cred->security;
170 return tsec->sid;
171 }
172
173 /*
174 * get the objective security ID of a task
175 */
176 static inline u32 task_sid(const struct task_struct *task)
177 {
178 u32 sid;
179
180 rcu_read_lock();
181 sid = cred_sid(__task_cred(task));
182 rcu_read_unlock();
183 return sid;
184 }
185
186 /*
187 * get the subjective security ID of the current task
188 */
189 static inline u32 current_sid(void)
190 {
191 const struct task_security_struct *tsec = current_security();
192
193 return tsec->sid;
194 }
195
196 /* Allocate and free functions for each kind of security blob. */
197
198 static int inode_alloc_security(struct inode *inode)
199 {
200 struct inode_security_struct *isec;
201 u32 sid = current_sid();
202
203 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
204 if (!isec)
205 return -ENOMEM;
206
207 mutex_init(&isec->lock);
208 INIT_LIST_HEAD(&isec->list);
209 isec->inode = inode;
210 isec->sid = SECINITSID_UNLABELED;
211 isec->sclass = SECCLASS_FILE;
212 isec->task_sid = sid;
213 inode->i_security = isec;
214
215 return 0;
216 }
217
218 static void inode_free_security(struct inode *inode)
219 {
220 struct inode_security_struct *isec = inode->i_security;
221 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222
223 spin_lock(&sbsec->isec_lock);
224 if (!list_empty(&isec->list))
225 list_del_init(&isec->list);
226 spin_unlock(&sbsec->isec_lock);
227
228 inode->i_security = NULL;
229 kmem_cache_free(sel_inode_cache, isec);
230 }
231
232 static int file_alloc_security(struct file *file)
233 {
234 struct file_security_struct *fsec;
235 u32 sid = current_sid();
236
237 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
238 if (!fsec)
239 return -ENOMEM;
240
241 fsec->sid = sid;
242 fsec->fown_sid = sid;
243 file->f_security = fsec;
244
245 return 0;
246 }
247
248 static void file_free_security(struct file *file)
249 {
250 struct file_security_struct *fsec = file->f_security;
251 file->f_security = NULL;
252 kfree(fsec);
253 }
254
255 static int superblock_alloc_security(struct super_block *sb)
256 {
257 struct superblock_security_struct *sbsec;
258
259 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
260 if (!sbsec)
261 return -ENOMEM;
262
263 mutex_init(&sbsec->lock);
264 INIT_LIST_HEAD(&sbsec->isec_head);
265 spin_lock_init(&sbsec->isec_lock);
266 sbsec->sb = sb;
267 sbsec->sid = SECINITSID_UNLABELED;
268 sbsec->def_sid = SECINITSID_FILE;
269 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
270 sb->s_security = sbsec;
271
272 return 0;
273 }
274
275 static void superblock_free_security(struct super_block *sb)
276 {
277 struct superblock_security_struct *sbsec = sb->s_security;
278 sb->s_security = NULL;
279 kfree(sbsec);
280 }
281
282 /* The file system's label must be initialized prior to use. */
283
284 static const char *labeling_behaviors[6] = {
285 "uses xattr",
286 "uses transition SIDs",
287 "uses task SIDs",
288 "uses genfs_contexts",
289 "not configured for labeling",
290 "uses mountpoint labeling",
291 };
292
293 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
294
295 static inline int inode_doinit(struct inode *inode)
296 {
297 return inode_doinit_with_dentry(inode, NULL);
298 }
299
300 enum {
301 Opt_error = -1,
302 Opt_context = 1,
303 Opt_fscontext = 2,
304 Opt_defcontext = 3,
305 Opt_rootcontext = 4,
306 Opt_labelsupport = 5,
307 };
308
309 static const match_table_t tokens = {
310 {Opt_context, CONTEXT_STR "%s"},
311 {Opt_fscontext, FSCONTEXT_STR "%s"},
312 {Opt_defcontext, DEFCONTEXT_STR "%s"},
313 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
314 {Opt_labelsupport, LABELSUPP_STR},
315 {Opt_error, NULL},
316 };
317
318 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
319
320 static int may_context_mount_sb_relabel(u32 sid,
321 struct superblock_security_struct *sbsec,
322 const struct cred *cred)
323 {
324 const struct task_security_struct *tsec = cred->security;
325 int rc;
326
327 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
328 FILESYSTEM__RELABELFROM, NULL);
329 if (rc)
330 return rc;
331
332 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
333 FILESYSTEM__RELABELTO, NULL);
334 return rc;
335 }
336
337 static int may_context_mount_inode_relabel(u32 sid,
338 struct superblock_security_struct *sbsec,
339 const struct cred *cred)
340 {
341 const struct task_security_struct *tsec = cred->security;
342 int rc;
343 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344 FILESYSTEM__RELABELFROM, NULL);
345 if (rc)
346 return rc;
347
348 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
349 FILESYSTEM__ASSOCIATE, NULL);
350 return rc;
351 }
352
353 static int sb_finish_set_opts(struct super_block *sb)
354 {
355 struct superblock_security_struct *sbsec = sb->s_security;
356 struct dentry *root = sb->s_root;
357 struct inode *root_inode = root->d_inode;
358 int rc = 0;
359
360 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
361 /* Make sure that the xattr handler exists and that no
362 error other than -ENODATA is returned by getxattr on
363 the root directory. -ENODATA is ok, as this may be
364 the first boot of the SELinux kernel before we have
365 assigned xattr values to the filesystem. */
366 if (!root_inode->i_op->getxattr) {
367 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
368 "xattr support\n", sb->s_id, sb->s_type->name);
369 rc = -EOPNOTSUPP;
370 goto out;
371 }
372 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
373 if (rc < 0 && rc != -ENODATA) {
374 if (rc == -EOPNOTSUPP)
375 printk(KERN_WARNING "SELinux: (dev %s, type "
376 "%s) has no security xattr handler\n",
377 sb->s_id, sb->s_type->name);
378 else
379 printk(KERN_WARNING "SELinux: (dev %s, type "
380 "%s) getxattr errno %d\n", sb->s_id,
381 sb->s_type->name, -rc);
382 goto out;
383 }
384 }
385
386 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
387
388 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
389 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
390 sb->s_id, sb->s_type->name);
391 else
392 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
393 sb->s_id, sb->s_type->name,
394 labeling_behaviors[sbsec->behavior-1]);
395
396 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
397 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
398 sbsec->behavior == SECURITY_FS_USE_NONE ||
399 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400 sbsec->flags &= ~SE_SBLABELSUPP;
401
402 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
403 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
404 sbsec->flags |= SE_SBLABELSUPP;
405
406 /* Initialize the root inode. */
407 rc = inode_doinit_with_dentry(root_inode, root);
408
409 /* Initialize any other inodes associated with the superblock, e.g.
410 inodes created prior to initial policy load or inodes created
411 during get_sb by a pseudo filesystem that directly
412 populates itself. */
413 spin_lock(&sbsec->isec_lock);
414 next_inode:
415 if (!list_empty(&sbsec->isec_head)) {
416 struct inode_security_struct *isec =
417 list_entry(sbsec->isec_head.next,
418 struct inode_security_struct, list);
419 struct inode *inode = isec->inode;
420 spin_unlock(&sbsec->isec_lock);
421 inode = igrab(inode);
422 if (inode) {
423 if (!IS_PRIVATE(inode))
424 inode_doinit(inode);
425 iput(inode);
426 }
427 spin_lock(&sbsec->isec_lock);
428 list_del_init(&isec->list);
429 goto next_inode;
430 }
431 spin_unlock(&sbsec->isec_lock);
432 out:
433 return rc;
434 }
435
436 /*
437 * This function should allow an FS to ask what it's mount security
438 * options were so it can use those later for submounts, displaying
439 * mount options, or whatever.
440 */
441 static int selinux_get_mnt_opts(const struct super_block *sb,
442 struct security_mnt_opts *opts)
443 {
444 int rc = 0, i;
445 struct superblock_security_struct *sbsec = sb->s_security;
446 char *context = NULL;
447 u32 len;
448 char tmp;
449
450 security_init_mnt_opts(opts);
451
452 if (!(sbsec->flags & SE_SBINITIALIZED))
453 return -EINVAL;
454
455 if (!ss_initialized)
456 return -EINVAL;
457
458 tmp = sbsec->flags & SE_MNTMASK;
459 /* count the number of mount options for this sb */
460 for (i = 0; i < 8; i++) {
461 if (tmp & 0x01)
462 opts->num_mnt_opts++;
463 tmp >>= 1;
464 }
465 /* Check if the Label support flag is set */
466 if (sbsec->flags & SE_SBLABELSUPP)
467 opts->num_mnt_opts++;
468
469 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
470 if (!opts->mnt_opts) {
471 rc = -ENOMEM;
472 goto out_free;
473 }
474
475 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
476 if (!opts->mnt_opts_flags) {
477 rc = -ENOMEM;
478 goto out_free;
479 }
480
481 i = 0;
482 if (sbsec->flags & FSCONTEXT_MNT) {
483 rc = security_sid_to_context(sbsec->sid, &context, &len);
484 if (rc)
485 goto out_free;
486 opts->mnt_opts[i] = context;
487 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
488 }
489 if (sbsec->flags & CONTEXT_MNT) {
490 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
491 if (rc)
492 goto out_free;
493 opts->mnt_opts[i] = context;
494 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
495 }
496 if (sbsec->flags & DEFCONTEXT_MNT) {
497 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
498 if (rc)
499 goto out_free;
500 opts->mnt_opts[i] = context;
501 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
502 }
503 if (sbsec->flags & ROOTCONTEXT_MNT) {
504 struct inode *root = sbsec->sb->s_root->d_inode;
505 struct inode_security_struct *isec = root->i_security;
506
507 rc = security_sid_to_context(isec->sid, &context, &len);
508 if (rc)
509 goto out_free;
510 opts->mnt_opts[i] = context;
511 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
512 }
513 if (sbsec->flags & SE_SBLABELSUPP) {
514 opts->mnt_opts[i] = NULL;
515 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
516 }
517
518 BUG_ON(i != opts->num_mnt_opts);
519
520 return 0;
521
522 out_free:
523 security_free_mnt_opts(opts);
524 return rc;
525 }
526
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528 u32 old_sid, u32 new_sid)
529 {
530 char mnt_flags = sbsec->flags & SE_MNTMASK;
531
532 /* check if the old mount command had the same options */
533 if (sbsec->flags & SE_SBINITIALIZED)
534 if (!(sbsec->flags & flag) ||
535 (old_sid != new_sid))
536 return 1;
537
538 /* check if we were passed the same options twice,
539 * aka someone passed context=a,context=b
540 */
541 if (!(sbsec->flags & SE_SBINITIALIZED))
542 if (mnt_flags & flag)
543 return 1;
544 return 0;
545 }
546
547 /*
548 * Allow filesystems with binary mount data to explicitly set mount point
549 * labeling information.
550 */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552 struct security_mnt_opts *opts)
553 {
554 const struct cred *cred = current_cred();
555 int rc = 0, i;
556 struct superblock_security_struct *sbsec = sb->s_security;
557 const char *name = sb->s_type->name;
558 struct inode *inode = sbsec->sb->s_root->d_inode;
559 struct inode_security_struct *root_isec = inode->i_security;
560 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561 u32 defcontext_sid = 0;
562 char **mount_options = opts->mnt_opts;
563 int *flags = opts->mnt_opts_flags;
564 int num_opts = opts->num_mnt_opts;
565
566 mutex_lock(&sbsec->lock);
567
568 if (!ss_initialized) {
569 if (!num_opts) {
570 /* Defer initialization until selinux_complete_init,
571 after the initial policy is loaded and the security
572 server is ready to handle calls. */
573 goto out;
574 }
575 rc = -EINVAL;
576 printk(KERN_WARNING "SELinux: Unable to set superblock options "
577 "before the security server is initialized\n");
578 goto out;
579 }
580
581 /*
582 * Binary mount data FS will come through this function twice. Once
583 * from an explicit call and once from the generic calls from the vfs.
584 * Since the generic VFS calls will not contain any security mount data
585 * we need to skip the double mount verification.
586 *
587 * This does open a hole in which we will not notice if the first
588 * mount using this sb set explict options and a second mount using
589 * this sb does not set any security options. (The first options
590 * will be used for both mounts)
591 */
592 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593 && (num_opts == 0))
594 goto out;
595
596 /*
597 * parse the mount options, check if they are valid sids.
598 * also check if someone is trying to mount the same sb more
599 * than once with different security options.
600 */
601 for (i = 0; i < num_opts; i++) {
602 u32 sid;
603
604 if (flags[i] == SE_SBLABELSUPP)
605 continue;
606 rc = security_context_to_sid(mount_options[i],
607 strlen(mount_options[i]), &sid);
608 if (rc) {
609 printk(KERN_WARNING "SELinux: security_context_to_sid"
610 "(%s) failed for (dev %s, type %s) errno=%d\n",
611 mount_options[i], sb->s_id, name, rc);
612 goto out;
613 }
614 switch (flags[i]) {
615 case FSCONTEXT_MNT:
616 fscontext_sid = sid;
617
618 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619 fscontext_sid))
620 goto out_double_mount;
621
622 sbsec->flags |= FSCONTEXT_MNT;
623 break;
624 case CONTEXT_MNT:
625 context_sid = sid;
626
627 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628 context_sid))
629 goto out_double_mount;
630
631 sbsec->flags |= CONTEXT_MNT;
632 break;
633 case ROOTCONTEXT_MNT:
634 rootcontext_sid = sid;
635
636 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637 rootcontext_sid))
638 goto out_double_mount;
639
640 sbsec->flags |= ROOTCONTEXT_MNT;
641
642 break;
643 case DEFCONTEXT_MNT:
644 defcontext_sid = sid;
645
646 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647 defcontext_sid))
648 goto out_double_mount;
649
650 sbsec->flags |= DEFCONTEXT_MNT;
651
652 break;
653 default:
654 rc = -EINVAL;
655 goto out;
656 }
657 }
658
659 if (sbsec->flags & SE_SBINITIALIZED) {
660 /* previously mounted with options, but not on this attempt? */
661 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
662 goto out_double_mount;
663 rc = 0;
664 goto out;
665 }
666
667 if (strcmp(sb->s_type->name, "proc") == 0)
668 sbsec->flags |= SE_SBPROC;
669
670 /* Determine the labeling behavior to use for this filesystem type. */
671 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672 if (rc) {
673 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674 __func__, sb->s_type->name, rc);
675 goto out;
676 }
677
678 /* sets the context of the superblock for the fs being mounted. */
679 if (fscontext_sid) {
680 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
681 if (rc)
682 goto out;
683
684 sbsec->sid = fscontext_sid;
685 }
686
687 /*
688 * Switch to using mount point labeling behavior.
689 * sets the label used on all file below the mountpoint, and will set
690 * the superblock context if not already set.
691 */
692 if (context_sid) {
693 if (!fscontext_sid) {
694 rc = may_context_mount_sb_relabel(context_sid, sbsec,
695 cred);
696 if (rc)
697 goto out;
698 sbsec->sid = context_sid;
699 } else {
700 rc = may_context_mount_inode_relabel(context_sid, sbsec,
701 cred);
702 if (rc)
703 goto out;
704 }
705 if (!rootcontext_sid)
706 rootcontext_sid = context_sid;
707
708 sbsec->mntpoint_sid = context_sid;
709 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
710 }
711
712 if (rootcontext_sid) {
713 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
714 cred);
715 if (rc)
716 goto out;
717
718 root_isec->sid = rootcontext_sid;
719 root_isec->initialized = 1;
720 }
721
722 if (defcontext_sid) {
723 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
724 rc = -EINVAL;
725 printk(KERN_WARNING "SELinux: defcontext option is "
726 "invalid for this filesystem type\n");
727 goto out;
728 }
729
730 if (defcontext_sid != sbsec->def_sid) {
731 rc = may_context_mount_inode_relabel(defcontext_sid,
732 sbsec, cred);
733 if (rc)
734 goto out;
735 }
736
737 sbsec->def_sid = defcontext_sid;
738 }
739
740 rc = sb_finish_set_opts(sb);
741 out:
742 mutex_unlock(&sbsec->lock);
743 return rc;
744 out_double_mount:
745 rc = -EINVAL;
746 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
747 "security settings for (dev %s, type %s)\n", sb->s_id, name);
748 goto out;
749 }
750
751 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
752 struct super_block *newsb)
753 {
754 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
755 struct superblock_security_struct *newsbsec = newsb->s_security;
756
757 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
758 int set_context = (oldsbsec->flags & CONTEXT_MNT);
759 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
760
761 /*
762 * if the parent was able to be mounted it clearly had no special lsm
763 * mount options. thus we can safely deal with this superblock later
764 */
765 if (!ss_initialized)
766 return;
767
768 /* how can we clone if the old one wasn't set up?? */
769 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
770
771 /* if fs is reusing a sb, just let its options stand... */
772 if (newsbsec->flags & SE_SBINITIALIZED)
773 return;
774
775 mutex_lock(&newsbsec->lock);
776
777 newsbsec->flags = oldsbsec->flags;
778
779 newsbsec->sid = oldsbsec->sid;
780 newsbsec->def_sid = oldsbsec->def_sid;
781 newsbsec->behavior = oldsbsec->behavior;
782
783 if (set_context) {
784 u32 sid = oldsbsec->mntpoint_sid;
785
786 if (!set_fscontext)
787 newsbsec->sid = sid;
788 if (!set_rootcontext) {
789 struct inode *newinode = newsb->s_root->d_inode;
790 struct inode_security_struct *newisec = newinode->i_security;
791 newisec->sid = sid;
792 }
793 newsbsec->mntpoint_sid = sid;
794 }
795 if (set_rootcontext) {
796 const struct inode *oldinode = oldsb->s_root->d_inode;
797 const struct inode_security_struct *oldisec = oldinode->i_security;
798 struct inode *newinode = newsb->s_root->d_inode;
799 struct inode_security_struct *newisec = newinode->i_security;
800
801 newisec->sid = oldisec->sid;
802 }
803
804 sb_finish_set_opts(newsb);
805 mutex_unlock(&newsbsec->lock);
806 }
807
808 static int selinux_parse_opts_str(char *options,
809 struct security_mnt_opts *opts)
810 {
811 char *p;
812 char *context = NULL, *defcontext = NULL;
813 char *fscontext = NULL, *rootcontext = NULL;
814 int rc, num_mnt_opts = 0;
815
816 opts->num_mnt_opts = 0;
817
818 /* Standard string-based options. */
819 while ((p = strsep(&options, "|")) != NULL) {
820 int token;
821 substring_t args[MAX_OPT_ARGS];
822
823 if (!*p)
824 continue;
825
826 token = match_token(p, tokens, args);
827
828 switch (token) {
829 case Opt_context:
830 if (context || defcontext) {
831 rc = -EINVAL;
832 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
833 goto out_err;
834 }
835 context = match_strdup(&args[0]);
836 if (!context) {
837 rc = -ENOMEM;
838 goto out_err;
839 }
840 break;
841
842 case Opt_fscontext:
843 if (fscontext) {
844 rc = -EINVAL;
845 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
846 goto out_err;
847 }
848 fscontext = match_strdup(&args[0]);
849 if (!fscontext) {
850 rc = -ENOMEM;
851 goto out_err;
852 }
853 break;
854
855 case Opt_rootcontext:
856 if (rootcontext) {
857 rc = -EINVAL;
858 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
859 goto out_err;
860 }
861 rootcontext = match_strdup(&args[0]);
862 if (!rootcontext) {
863 rc = -ENOMEM;
864 goto out_err;
865 }
866 break;
867
868 case Opt_defcontext:
869 if (context || defcontext) {
870 rc = -EINVAL;
871 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
872 goto out_err;
873 }
874 defcontext = match_strdup(&args[0]);
875 if (!defcontext) {
876 rc = -ENOMEM;
877 goto out_err;
878 }
879 break;
880 case Opt_labelsupport:
881 break;
882 default:
883 rc = -EINVAL;
884 printk(KERN_WARNING "SELinux: unknown mount option\n");
885 goto out_err;
886
887 }
888 }
889
890 rc = -ENOMEM;
891 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
892 if (!opts->mnt_opts)
893 goto out_err;
894
895 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
896 if (!opts->mnt_opts_flags) {
897 kfree(opts->mnt_opts);
898 goto out_err;
899 }
900
901 if (fscontext) {
902 opts->mnt_opts[num_mnt_opts] = fscontext;
903 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
904 }
905 if (context) {
906 opts->mnt_opts[num_mnt_opts] = context;
907 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
908 }
909 if (rootcontext) {
910 opts->mnt_opts[num_mnt_opts] = rootcontext;
911 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
912 }
913 if (defcontext) {
914 opts->mnt_opts[num_mnt_opts] = defcontext;
915 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
916 }
917
918 opts->num_mnt_opts = num_mnt_opts;
919 return 0;
920
921 out_err:
922 kfree(context);
923 kfree(defcontext);
924 kfree(fscontext);
925 kfree(rootcontext);
926 return rc;
927 }
928 /*
929 * string mount options parsing and call set the sbsec
930 */
931 static int superblock_doinit(struct super_block *sb, void *data)
932 {
933 int rc = 0;
934 char *options = data;
935 struct security_mnt_opts opts;
936
937 security_init_mnt_opts(&opts);
938
939 if (!data)
940 goto out;
941
942 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
943
944 rc = selinux_parse_opts_str(options, &opts);
945 if (rc)
946 goto out_err;
947
948 out:
949 rc = selinux_set_mnt_opts(sb, &opts);
950
951 out_err:
952 security_free_mnt_opts(&opts);
953 return rc;
954 }
955
956 static void selinux_write_opts(struct seq_file *m,
957 struct security_mnt_opts *opts)
958 {
959 int i;
960 char *prefix;
961
962 for (i = 0; i < opts->num_mnt_opts; i++) {
963 char *has_comma;
964
965 if (opts->mnt_opts[i])
966 has_comma = strchr(opts->mnt_opts[i], ',');
967 else
968 has_comma = NULL;
969
970 switch (opts->mnt_opts_flags[i]) {
971 case CONTEXT_MNT:
972 prefix = CONTEXT_STR;
973 break;
974 case FSCONTEXT_MNT:
975 prefix = FSCONTEXT_STR;
976 break;
977 case ROOTCONTEXT_MNT:
978 prefix = ROOTCONTEXT_STR;
979 break;
980 case DEFCONTEXT_MNT:
981 prefix = DEFCONTEXT_STR;
982 break;
983 case SE_SBLABELSUPP:
984 seq_putc(m, ',');
985 seq_puts(m, LABELSUPP_STR);
986 continue;
987 default:
988 BUG();
989 return;
990 };
991 /* we need a comma before each option */
992 seq_putc(m, ',');
993 seq_puts(m, prefix);
994 if (has_comma)
995 seq_putc(m, '\"');
996 seq_puts(m, opts->mnt_opts[i]);
997 if (has_comma)
998 seq_putc(m, '\"');
999 }
1000 }
1001
1002 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1003 {
1004 struct security_mnt_opts opts;
1005 int rc;
1006
1007 rc = selinux_get_mnt_opts(sb, &opts);
1008 if (rc) {
1009 /* before policy load we may get EINVAL, don't show anything */
1010 if (rc == -EINVAL)
1011 rc = 0;
1012 return rc;
1013 }
1014
1015 selinux_write_opts(m, &opts);
1016
1017 security_free_mnt_opts(&opts);
1018
1019 return rc;
1020 }
1021
1022 static inline u16 inode_mode_to_security_class(umode_t mode)
1023 {
1024 switch (mode & S_IFMT) {
1025 case S_IFSOCK:
1026 return SECCLASS_SOCK_FILE;
1027 case S_IFLNK:
1028 return SECCLASS_LNK_FILE;
1029 case S_IFREG:
1030 return SECCLASS_FILE;
1031 case S_IFBLK:
1032 return SECCLASS_BLK_FILE;
1033 case S_IFDIR:
1034 return SECCLASS_DIR;
1035 case S_IFCHR:
1036 return SECCLASS_CHR_FILE;
1037 case S_IFIFO:
1038 return SECCLASS_FIFO_FILE;
1039
1040 }
1041
1042 return SECCLASS_FILE;
1043 }
1044
1045 static inline int default_protocol_stream(int protocol)
1046 {
1047 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1048 }
1049
1050 static inline int default_protocol_dgram(int protocol)
1051 {
1052 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1053 }
1054
1055 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1056 {
1057 switch (family) {
1058 case PF_UNIX:
1059 switch (type) {
1060 case SOCK_STREAM:
1061 case SOCK_SEQPACKET:
1062 return SECCLASS_UNIX_STREAM_SOCKET;
1063 case SOCK_DGRAM:
1064 return SECCLASS_UNIX_DGRAM_SOCKET;
1065 }
1066 break;
1067 case PF_INET:
1068 case PF_INET6:
1069 switch (type) {
1070 case SOCK_STREAM:
1071 if (default_protocol_stream(protocol))
1072 return SECCLASS_TCP_SOCKET;
1073 else
1074 return SECCLASS_RAWIP_SOCKET;
1075 case SOCK_DGRAM:
1076 if (default_protocol_dgram(protocol))
1077 return SECCLASS_UDP_SOCKET;
1078 else
1079 return SECCLASS_RAWIP_SOCKET;
1080 case SOCK_DCCP:
1081 return SECCLASS_DCCP_SOCKET;
1082 default:
1083 return SECCLASS_RAWIP_SOCKET;
1084 }
1085 break;
1086 case PF_NETLINK:
1087 switch (protocol) {
1088 case NETLINK_ROUTE:
1089 return SECCLASS_NETLINK_ROUTE_SOCKET;
1090 case NETLINK_FIREWALL:
1091 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1092 case NETLINK_INET_DIAG:
1093 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1094 case NETLINK_NFLOG:
1095 return SECCLASS_NETLINK_NFLOG_SOCKET;
1096 case NETLINK_XFRM:
1097 return SECCLASS_NETLINK_XFRM_SOCKET;
1098 case NETLINK_SELINUX:
1099 return SECCLASS_NETLINK_SELINUX_SOCKET;
1100 case NETLINK_AUDIT:
1101 return SECCLASS_NETLINK_AUDIT_SOCKET;
1102 case NETLINK_IP6_FW:
1103 return SECCLASS_NETLINK_IP6FW_SOCKET;
1104 case NETLINK_DNRTMSG:
1105 return SECCLASS_NETLINK_DNRT_SOCKET;
1106 case NETLINK_KOBJECT_UEVENT:
1107 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1108 default:
1109 return SECCLASS_NETLINK_SOCKET;
1110 }
1111 case PF_PACKET:
1112 return SECCLASS_PACKET_SOCKET;
1113 case PF_KEY:
1114 return SECCLASS_KEY_SOCKET;
1115 case PF_APPLETALK:
1116 return SECCLASS_APPLETALK_SOCKET;
1117 }
1118
1119 return SECCLASS_SOCKET;
1120 }
1121
1122 #ifdef CONFIG_PROC_FS
1123 static int selinux_proc_get_sid(struct dentry *dentry,
1124 u16 tclass,
1125 u32 *sid)
1126 {
1127 int rc;
1128 char *buffer, *path;
1129
1130 buffer = (char *)__get_free_page(GFP_KERNEL);
1131 if (!buffer)
1132 return -ENOMEM;
1133
1134 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1135 if (IS_ERR(path))
1136 rc = PTR_ERR(path);
1137 else {
1138 /* each process gets a /proc/PID/ entry. Strip off the
1139 * PID part to get a valid selinux labeling.
1140 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1141 while (path[1] >= '0' && path[1] <= '9') {
1142 path[1] = '/';
1143 path++;
1144 }
1145 rc = security_genfs_sid("proc", path, tclass, sid);
1146 }
1147 free_page((unsigned long)buffer);
1148 return rc;
1149 }
1150 #else
1151 static int selinux_proc_get_sid(struct dentry *dentry,
1152 u16 tclass,
1153 u32 *sid)
1154 {
1155 return -EINVAL;
1156 }
1157 #endif
1158
1159 /* The inode's security attributes must be initialized before first use. */
1160 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1161 {
1162 struct superblock_security_struct *sbsec = NULL;
1163 struct inode_security_struct *isec = inode->i_security;
1164 u32 sid;
1165 struct dentry *dentry;
1166 #define INITCONTEXTLEN 255
1167 char *context = NULL;
1168 unsigned len = 0;
1169 int rc = 0;
1170
1171 if (isec->initialized)
1172 goto out;
1173
1174 mutex_lock(&isec->lock);
1175 if (isec->initialized)
1176 goto out_unlock;
1177
1178 sbsec = inode->i_sb->s_security;
1179 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1180 /* Defer initialization until selinux_complete_init,
1181 after the initial policy is loaded and the security
1182 server is ready to handle calls. */
1183 spin_lock(&sbsec->isec_lock);
1184 if (list_empty(&isec->list))
1185 list_add(&isec->list, &sbsec->isec_head);
1186 spin_unlock(&sbsec->isec_lock);
1187 goto out_unlock;
1188 }
1189
1190 switch (sbsec->behavior) {
1191 case SECURITY_FS_USE_XATTR:
1192 if (!inode->i_op->getxattr) {
1193 isec->sid = sbsec->def_sid;
1194 break;
1195 }
1196
1197 /* Need a dentry, since the xattr API requires one.
1198 Life would be simpler if we could just pass the inode. */
1199 if (opt_dentry) {
1200 /* Called from d_instantiate or d_splice_alias. */
1201 dentry = dget(opt_dentry);
1202 } else {
1203 /* Called from selinux_complete_init, try to find a dentry. */
1204 dentry = d_find_alias(inode);
1205 }
1206 if (!dentry) {
1207 /*
1208 * this is can be hit on boot when a file is accessed
1209 * before the policy is loaded. When we load policy we
1210 * may find inodes that have no dentry on the
1211 * sbsec->isec_head list. No reason to complain as these
1212 * will get fixed up the next time we go through
1213 * inode_doinit with a dentry, before these inodes could
1214 * be used again by userspace.
1215 */
1216 goto out_unlock;
1217 }
1218
1219 len = INITCONTEXTLEN;
1220 context = kmalloc(len+1, GFP_NOFS);
1221 if (!context) {
1222 rc = -ENOMEM;
1223 dput(dentry);
1224 goto out_unlock;
1225 }
1226 context[len] = '\0';
1227 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1228 context, len);
1229 if (rc == -ERANGE) {
1230 kfree(context);
1231
1232 /* Need a larger buffer. Query for the right size. */
1233 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1234 NULL, 0);
1235 if (rc < 0) {
1236 dput(dentry);
1237 goto out_unlock;
1238 }
1239 len = rc;
1240 context = kmalloc(len+1, GFP_NOFS);
1241 if (!context) {
1242 rc = -ENOMEM;
1243 dput(dentry);
1244 goto out_unlock;
1245 }
1246 context[len] = '\0';
1247 rc = inode->i_op->getxattr(dentry,
1248 XATTR_NAME_SELINUX,
1249 context, len);
1250 }
1251 dput(dentry);
1252 if (rc < 0) {
1253 if (rc != -ENODATA) {
1254 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1255 "%d for dev=%s ino=%ld\n", __func__,
1256 -rc, inode->i_sb->s_id, inode->i_ino);
1257 kfree(context);
1258 goto out_unlock;
1259 }
1260 /* Map ENODATA to the default file SID */
1261 sid = sbsec->def_sid;
1262 rc = 0;
1263 } else {
1264 rc = security_context_to_sid_default(context, rc, &sid,
1265 sbsec->def_sid,
1266 GFP_NOFS);
1267 if (rc) {
1268 char *dev = inode->i_sb->s_id;
1269 unsigned long ino = inode->i_ino;
1270
1271 if (rc == -EINVAL) {
1272 if (printk_ratelimit())
1273 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1274 "context=%s. This indicates you may need to relabel the inode or the "
1275 "filesystem in question.\n", ino, dev, context);
1276 } else {
1277 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1278 "returned %d for dev=%s ino=%ld\n",
1279 __func__, context, -rc, dev, ino);
1280 }
1281 kfree(context);
1282 /* Leave with the unlabeled SID */
1283 rc = 0;
1284 break;
1285 }
1286 }
1287 kfree(context);
1288 isec->sid = sid;
1289 break;
1290 case SECURITY_FS_USE_TASK:
1291 isec->sid = isec->task_sid;
1292 break;
1293 case SECURITY_FS_USE_TRANS:
1294 /* Default to the fs SID. */
1295 isec->sid = sbsec->sid;
1296
1297 /* Try to obtain a transition SID. */
1298 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1299 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1300 isec->sclass, NULL, &sid);
1301 if (rc)
1302 goto out_unlock;
1303 isec->sid = sid;
1304 break;
1305 case SECURITY_FS_USE_MNTPOINT:
1306 isec->sid = sbsec->mntpoint_sid;
1307 break;
1308 default:
1309 /* Default to the fs superblock SID. */
1310 isec->sid = sbsec->sid;
1311
1312 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1313 if (opt_dentry) {
1314 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1315 rc = selinux_proc_get_sid(opt_dentry,
1316 isec->sclass,
1317 &sid);
1318 if (rc)
1319 goto out_unlock;
1320 isec->sid = sid;
1321 }
1322 }
1323 break;
1324 }
1325
1326 isec->initialized = 1;
1327
1328 out_unlock:
1329 mutex_unlock(&isec->lock);
1330 out:
1331 if (isec->sclass == SECCLASS_FILE)
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 return rc;
1334 }
1335
1336 /* Convert a Linux signal to an access vector. */
1337 static inline u32 signal_to_av(int sig)
1338 {
1339 u32 perm = 0;
1340
1341 switch (sig) {
1342 case SIGCHLD:
1343 /* Commonly granted from child to parent. */
1344 perm = PROCESS__SIGCHLD;
1345 break;
1346 case SIGKILL:
1347 /* Cannot be caught or ignored */
1348 perm = PROCESS__SIGKILL;
1349 break;
1350 case SIGSTOP:
1351 /* Cannot be caught or ignored */
1352 perm = PROCESS__SIGSTOP;
1353 break;
1354 default:
1355 /* All other signals. */
1356 perm = PROCESS__SIGNAL;
1357 break;
1358 }
1359
1360 return perm;
1361 }
1362
1363 /*
1364 * Check permission between a pair of credentials
1365 * fork check, ptrace check, etc.
1366 */
1367 static int cred_has_perm(const struct cred *actor,
1368 const struct cred *target,
1369 u32 perms)
1370 {
1371 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1372
1373 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1374 }
1375
1376 /*
1377 * Check permission between a pair of tasks, e.g. signal checks,
1378 * fork check, ptrace check, etc.
1379 * tsk1 is the actor and tsk2 is the target
1380 * - this uses the default subjective creds of tsk1
1381 */
1382 static int task_has_perm(const struct task_struct *tsk1,
1383 const struct task_struct *tsk2,
1384 u32 perms)
1385 {
1386 const struct task_security_struct *__tsec1, *__tsec2;
1387 u32 sid1, sid2;
1388
1389 rcu_read_lock();
1390 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1391 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1392 rcu_read_unlock();
1393 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1394 }
1395
1396 /*
1397 * Check permission between current and another task, e.g. signal checks,
1398 * fork check, ptrace check, etc.
1399 * current is the actor and tsk2 is the target
1400 * - this uses current's subjective creds
1401 */
1402 static int current_has_perm(const struct task_struct *tsk,
1403 u32 perms)
1404 {
1405 u32 sid, tsid;
1406
1407 sid = current_sid();
1408 tsid = task_sid(tsk);
1409 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1410 }
1411
1412 #if CAP_LAST_CAP > 63
1413 #error Fix SELinux to handle capabilities > 63.
1414 #endif
1415
1416 /* Check whether a task is allowed to use a capability. */
1417 static int cred_has_capability(const struct cred *cred,
1418 int cap, int audit)
1419 {
1420 struct common_audit_data ad;
1421 struct av_decision avd;
1422 u16 sclass;
1423 u32 sid = cred_sid(cred);
1424 u32 av = CAP_TO_MASK(cap);
1425 int rc;
1426
1427 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1428 ad.tsk = current;
1429 ad.u.cap = cap;
1430
1431 switch (CAP_TO_INDEX(cap)) {
1432 case 0:
1433 sclass = SECCLASS_CAPABILITY;
1434 break;
1435 case 1:
1436 sclass = SECCLASS_CAPABILITY2;
1437 break;
1438 default:
1439 printk(KERN_ERR
1440 "SELinux: out of range capability %d\n", cap);
1441 BUG();
1442 return -EINVAL;
1443 }
1444
1445 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1446 if (audit == SECURITY_CAP_AUDIT) {
1447 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1448 if (rc2)
1449 return rc2;
1450 }
1451 return rc;
1452 }
1453
1454 /* Check whether a task is allowed to use a system operation. */
1455 static int task_has_system(struct task_struct *tsk,
1456 u32 perms)
1457 {
1458 u32 sid = task_sid(tsk);
1459
1460 return avc_has_perm(sid, SECINITSID_KERNEL,
1461 SECCLASS_SYSTEM, perms, NULL);
1462 }
1463
1464 /* Check whether a task has a particular permission to an inode.
1465 The 'adp' parameter is optional and allows other audit
1466 data to be passed (e.g. the dentry). */
1467 static int inode_has_perm(const struct cred *cred,
1468 struct inode *inode,
1469 u32 perms,
1470 struct common_audit_data *adp,
1471 unsigned flags)
1472 {
1473 struct inode_security_struct *isec;
1474 u32 sid;
1475
1476 validate_creds(cred);
1477
1478 if (unlikely(IS_PRIVATE(inode)))
1479 return 0;
1480
1481 sid = cred_sid(cred);
1482 isec = inode->i_security;
1483
1484 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1485 }
1486
1487 static int inode_has_perm_noadp(const struct cred *cred,
1488 struct inode *inode,
1489 u32 perms,
1490 unsigned flags)
1491 {
1492 struct common_audit_data ad;
1493
1494 COMMON_AUDIT_DATA_INIT(&ad, INODE);
1495 ad.u.inode = inode;
1496 return inode_has_perm(cred, inode, perms, &ad, flags);
1497 }
1498
1499 /* Same as inode_has_perm, but pass explicit audit data containing
1500 the dentry to help the auditing code to more easily generate the
1501 pathname if needed. */
1502 static inline int dentry_has_perm(const struct cred *cred,
1503 struct dentry *dentry,
1504 u32 av)
1505 {
1506 struct inode *inode = dentry->d_inode;
1507 struct common_audit_data ad;
1508
1509 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1510 ad.u.dentry = dentry;
1511 return inode_has_perm(cred, inode, av, &ad, 0);
1512 }
1513
1514 /* Same as inode_has_perm, but pass explicit audit data containing
1515 the path to help the auditing code to more easily generate the
1516 pathname if needed. */
1517 static inline int path_has_perm(const struct cred *cred,
1518 struct path *path,
1519 u32 av)
1520 {
1521 struct inode *inode = path->dentry->d_inode;
1522 struct common_audit_data ad;
1523
1524 COMMON_AUDIT_DATA_INIT(&ad, PATH);
1525 ad.u.path = *path;
1526 return inode_has_perm(cred, inode, av, &ad, 0);
1527 }
1528
1529 /* Check whether a task can use an open file descriptor to
1530 access an inode in a given way. Check access to the
1531 descriptor itself, and then use dentry_has_perm to
1532 check a particular permission to the file.
1533 Access to the descriptor is implicitly granted if it
1534 has the same SID as the process. If av is zero, then
1535 access to the file is not checked, e.g. for cases
1536 where only the descriptor is affected like seek. */
1537 static int file_has_perm(const struct cred *cred,
1538 struct file *file,
1539 u32 av)
1540 {
1541 struct file_security_struct *fsec = file->f_security;
1542 struct inode *inode = file->f_path.dentry->d_inode;
1543 struct common_audit_data ad;
1544 u32 sid = cred_sid(cred);
1545 int rc;
1546
1547 COMMON_AUDIT_DATA_INIT(&ad, PATH);
1548 ad.u.path = file->f_path;
1549
1550 if (sid != fsec->sid) {
1551 rc = avc_has_perm(sid, fsec->sid,
1552 SECCLASS_FD,
1553 FD__USE,
1554 &ad);
1555 if (rc)
1556 goto out;
1557 }
1558
1559 /* av is zero if only checking access to the descriptor. */
1560 rc = 0;
1561 if (av)
1562 rc = inode_has_perm(cred, inode, av, &ad, 0);
1563
1564 out:
1565 return rc;
1566 }
1567
1568 /* Check whether a task can create a file. */
1569 static int may_create(struct inode *dir,
1570 struct dentry *dentry,
1571 u16 tclass)
1572 {
1573 const struct task_security_struct *tsec = current_security();
1574 struct inode_security_struct *dsec;
1575 struct superblock_security_struct *sbsec;
1576 u32 sid, newsid;
1577 struct common_audit_data ad;
1578 int rc;
1579
1580 dsec = dir->i_security;
1581 sbsec = dir->i_sb->s_security;
1582
1583 sid = tsec->sid;
1584 newsid = tsec->create_sid;
1585
1586 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1587 ad.u.dentry = dentry;
1588
1589 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1590 DIR__ADD_NAME | DIR__SEARCH,
1591 &ad);
1592 if (rc)
1593 return rc;
1594
1595 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1596 rc = security_transition_sid(sid, dsec->sid, tclass,
1597 &dentry->d_name, &newsid);
1598 if (rc)
1599 return rc;
1600 }
1601
1602 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1603 if (rc)
1604 return rc;
1605
1606 return avc_has_perm(newsid, sbsec->sid,
1607 SECCLASS_FILESYSTEM,
1608 FILESYSTEM__ASSOCIATE, &ad);
1609 }
1610
1611 /* Check whether a task can create a key. */
1612 static int may_create_key(u32 ksid,
1613 struct task_struct *ctx)
1614 {
1615 u32 sid = task_sid(ctx);
1616
1617 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1618 }
1619
1620 #define MAY_LINK 0
1621 #define MAY_UNLINK 1
1622 #define MAY_RMDIR 2
1623
1624 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1625 static int may_link(struct inode *dir,
1626 struct dentry *dentry,
1627 int kind)
1628
1629 {
1630 struct inode_security_struct *dsec, *isec;
1631 struct common_audit_data ad;
1632 u32 sid = current_sid();
1633 u32 av;
1634 int rc;
1635
1636 dsec = dir->i_security;
1637 isec = dentry->d_inode->i_security;
1638
1639 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1640 ad.u.dentry = dentry;
1641
1642 av = DIR__SEARCH;
1643 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1644 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1645 if (rc)
1646 return rc;
1647
1648 switch (kind) {
1649 case MAY_LINK:
1650 av = FILE__LINK;
1651 break;
1652 case MAY_UNLINK:
1653 av = FILE__UNLINK;
1654 break;
1655 case MAY_RMDIR:
1656 av = DIR__RMDIR;
1657 break;
1658 default:
1659 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1660 __func__, kind);
1661 return 0;
1662 }
1663
1664 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1665 return rc;
1666 }
1667
1668 static inline int may_rename(struct inode *old_dir,
1669 struct dentry *old_dentry,
1670 struct inode *new_dir,
1671 struct dentry *new_dentry)
1672 {
1673 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1674 struct common_audit_data ad;
1675 u32 sid = current_sid();
1676 u32 av;
1677 int old_is_dir, new_is_dir;
1678 int rc;
1679
1680 old_dsec = old_dir->i_security;
1681 old_isec = old_dentry->d_inode->i_security;
1682 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1683 new_dsec = new_dir->i_security;
1684
1685 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1686
1687 ad.u.dentry = old_dentry;
1688 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1689 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1690 if (rc)
1691 return rc;
1692 rc = avc_has_perm(sid, old_isec->sid,
1693 old_isec->sclass, FILE__RENAME, &ad);
1694 if (rc)
1695 return rc;
1696 if (old_is_dir && new_dir != old_dir) {
1697 rc = avc_has_perm(sid, old_isec->sid,
1698 old_isec->sclass, DIR__REPARENT, &ad);
1699 if (rc)
1700 return rc;
1701 }
1702
1703 ad.u.dentry = new_dentry;
1704 av = DIR__ADD_NAME | DIR__SEARCH;
1705 if (new_dentry->d_inode)
1706 av |= DIR__REMOVE_NAME;
1707 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1708 if (rc)
1709 return rc;
1710 if (new_dentry->d_inode) {
1711 new_isec = new_dentry->d_inode->i_security;
1712 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1713 rc = avc_has_perm(sid, new_isec->sid,
1714 new_isec->sclass,
1715 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1716 if (rc)
1717 return rc;
1718 }
1719
1720 return 0;
1721 }
1722
1723 /* Check whether a task can perform a filesystem operation. */
1724 static int superblock_has_perm(const struct cred *cred,
1725 struct super_block *sb,
1726 u32 perms,
1727 struct common_audit_data *ad)
1728 {
1729 struct superblock_security_struct *sbsec;
1730 u32 sid = cred_sid(cred);
1731
1732 sbsec = sb->s_security;
1733 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1734 }
1735
1736 /* Convert a Linux mode and permission mask to an access vector. */
1737 static inline u32 file_mask_to_av(int mode, int mask)
1738 {
1739 u32 av = 0;
1740
1741 if ((mode & S_IFMT) != S_IFDIR) {
1742 if (mask & MAY_EXEC)
1743 av |= FILE__EXECUTE;
1744 if (mask & MAY_READ)
1745 av |= FILE__READ;
1746
1747 if (mask & MAY_APPEND)
1748 av |= FILE__APPEND;
1749 else if (mask & MAY_WRITE)
1750 av |= FILE__WRITE;
1751
1752 } else {
1753 if (mask & MAY_EXEC)
1754 av |= DIR__SEARCH;
1755 if (mask & MAY_WRITE)
1756 av |= DIR__WRITE;
1757 if (mask & MAY_READ)
1758 av |= DIR__READ;
1759 }
1760
1761 return av;
1762 }
1763
1764 /* Convert a Linux file to an access vector. */
1765 static inline u32 file_to_av(struct file *file)
1766 {
1767 u32 av = 0;
1768
1769 if (file->f_mode & FMODE_READ)
1770 av |= FILE__READ;
1771 if (file->f_mode & FMODE_WRITE) {
1772 if (file->f_flags & O_APPEND)
1773 av |= FILE__APPEND;
1774 else
1775 av |= FILE__WRITE;
1776 }
1777 if (!av) {
1778 /*
1779 * Special file opened with flags 3 for ioctl-only use.
1780 */
1781 av = FILE__IOCTL;
1782 }
1783
1784 return av;
1785 }
1786
1787 /*
1788 * Convert a file to an access vector and include the correct open
1789 * open permission.
1790 */
1791 static inline u32 open_file_to_av(struct file *file)
1792 {
1793 u32 av = file_to_av(file);
1794
1795 if (selinux_policycap_openperm)
1796 av |= FILE__OPEN;
1797
1798 return av;
1799 }
1800
1801 /* Hook functions begin here. */
1802
1803 static int selinux_ptrace_access_check(struct task_struct *child,
1804 unsigned int mode)
1805 {
1806 int rc;
1807
1808 rc = cap_ptrace_access_check(child, mode);
1809 if (rc)
1810 return rc;
1811
1812 if (mode == PTRACE_MODE_READ) {
1813 u32 sid = current_sid();
1814 u32 csid = task_sid(child);
1815 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1816 }
1817
1818 return current_has_perm(child, PROCESS__PTRACE);
1819 }
1820
1821 static int selinux_ptrace_traceme(struct task_struct *parent)
1822 {
1823 int rc;
1824
1825 rc = cap_ptrace_traceme(parent);
1826 if (rc)
1827 return rc;
1828
1829 return task_has_perm(parent, current, PROCESS__PTRACE);
1830 }
1831
1832 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1833 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1834 {
1835 int error;
1836
1837 error = current_has_perm(target, PROCESS__GETCAP);
1838 if (error)
1839 return error;
1840
1841 return cap_capget(target, effective, inheritable, permitted);
1842 }
1843
1844 static int selinux_capset(struct cred *new, const struct cred *old,
1845 const kernel_cap_t *effective,
1846 const kernel_cap_t *inheritable,
1847 const kernel_cap_t *permitted)
1848 {
1849 int error;
1850
1851 error = cap_capset(new, old,
1852 effective, inheritable, permitted);
1853 if (error)
1854 return error;
1855
1856 return cred_has_perm(old, new, PROCESS__SETCAP);
1857 }
1858
1859 /*
1860 * (This comment used to live with the selinux_task_setuid hook,
1861 * which was removed).
1862 *
1863 * Since setuid only affects the current process, and since the SELinux
1864 * controls are not based on the Linux identity attributes, SELinux does not
1865 * need to control this operation. However, SELinux does control the use of
1866 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1867 */
1868
1869 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1870 int cap, int audit)
1871 {
1872 int rc;
1873
1874 rc = cap_capable(cred, ns, cap, audit);
1875 if (rc)
1876 return rc;
1877
1878 return cred_has_capability(cred, cap, audit);
1879 }
1880
1881 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1882 {
1883 const struct cred *cred = current_cred();
1884 int rc = 0;
1885
1886 if (!sb)
1887 return 0;
1888
1889 switch (cmds) {
1890 case Q_SYNC:
1891 case Q_QUOTAON:
1892 case Q_QUOTAOFF:
1893 case Q_SETINFO:
1894 case Q_SETQUOTA:
1895 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1896 break;
1897 case Q_GETFMT:
1898 case Q_GETINFO:
1899 case Q_GETQUOTA:
1900 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1901 break;
1902 default:
1903 rc = 0; /* let the kernel handle invalid cmds */
1904 break;
1905 }
1906 return rc;
1907 }
1908
1909 static int selinux_quota_on(struct dentry *dentry)
1910 {
1911 const struct cred *cred = current_cred();
1912
1913 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1914 }
1915
1916 static int selinux_syslog(int type)
1917 {
1918 int rc;
1919
1920 switch (type) {
1921 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1922 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1923 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1924 break;
1925 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1926 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1927 /* Set level of messages printed to console */
1928 case SYSLOG_ACTION_CONSOLE_LEVEL:
1929 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1930 break;
1931 case SYSLOG_ACTION_CLOSE: /* Close log */
1932 case SYSLOG_ACTION_OPEN: /* Open log */
1933 case SYSLOG_ACTION_READ: /* Read from log */
1934 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1935 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1936 default:
1937 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1938 break;
1939 }
1940 return rc;
1941 }
1942
1943 /*
1944 * Check that a process has enough memory to allocate a new virtual
1945 * mapping. 0 means there is enough memory for the allocation to
1946 * succeed and -ENOMEM implies there is not.
1947 *
1948 * Do not audit the selinux permission check, as this is applied to all
1949 * processes that allocate mappings.
1950 */
1951 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1952 {
1953 int rc, cap_sys_admin = 0;
1954
1955 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1956 SECURITY_CAP_NOAUDIT);
1957 if (rc == 0)
1958 cap_sys_admin = 1;
1959
1960 return __vm_enough_memory(mm, pages, cap_sys_admin);
1961 }
1962
1963 /* binprm security operations */
1964
1965 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1966 {
1967 const struct task_security_struct *old_tsec;
1968 struct task_security_struct *new_tsec;
1969 struct inode_security_struct *isec;
1970 struct common_audit_data ad;
1971 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1972 int rc;
1973
1974 rc = cap_bprm_set_creds(bprm);
1975 if (rc)
1976 return rc;
1977
1978 /* SELinux context only depends on initial program or script and not
1979 * the script interpreter */
1980 if (bprm->cred_prepared)
1981 return 0;
1982
1983 old_tsec = current_security();
1984 new_tsec = bprm->cred->security;
1985 isec = inode->i_security;
1986
1987 /* Default to the current task SID. */
1988 new_tsec->sid = old_tsec->sid;
1989 new_tsec->osid = old_tsec->sid;
1990
1991 /* Reset fs, key, and sock SIDs on execve. */
1992 new_tsec->create_sid = 0;
1993 new_tsec->keycreate_sid = 0;
1994 new_tsec->sockcreate_sid = 0;
1995
1996 if (old_tsec->exec_sid) {
1997 new_tsec->sid = old_tsec->exec_sid;
1998 /* Reset exec SID on execve. */
1999 new_tsec->exec_sid = 0;
2000 } else {
2001 /* Check for a default transition on this program. */
2002 rc = security_transition_sid(old_tsec->sid, isec->sid,
2003 SECCLASS_PROCESS, NULL,
2004 &new_tsec->sid);
2005 if (rc)
2006 return rc;
2007 }
2008
2009 COMMON_AUDIT_DATA_INIT(&ad, PATH);
2010 ad.u.path = bprm->file->f_path;
2011
2012 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2013 new_tsec->sid = old_tsec->sid;
2014
2015 if (new_tsec->sid == old_tsec->sid) {
2016 rc = avc_has_perm(old_tsec->sid, isec->sid,
2017 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2018 if (rc)
2019 return rc;
2020 } else {
2021 /* Check permissions for the transition. */
2022 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2023 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2024 if (rc)
2025 return rc;
2026
2027 rc = avc_has_perm(new_tsec->sid, isec->sid,
2028 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2029 if (rc)
2030 return rc;
2031
2032 /* Check for shared state */
2033 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2034 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2035 SECCLASS_PROCESS, PROCESS__SHARE,
2036 NULL);
2037 if (rc)
2038 return -EPERM;
2039 }
2040
2041 /* Make sure that anyone attempting to ptrace over a task that
2042 * changes its SID has the appropriate permit */
2043 if (bprm->unsafe &
2044 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2045 struct task_struct *tracer;
2046 struct task_security_struct *sec;
2047 u32 ptsid = 0;
2048
2049 rcu_read_lock();
2050 tracer = ptrace_parent(current);
2051 if (likely(tracer != NULL)) {
2052 sec = __task_cred(tracer)->security;
2053 ptsid = sec->sid;
2054 }
2055 rcu_read_unlock();
2056
2057 if (ptsid != 0) {
2058 rc = avc_has_perm(ptsid, new_tsec->sid,
2059 SECCLASS_PROCESS,
2060 PROCESS__PTRACE, NULL);
2061 if (rc)
2062 return -EPERM;
2063 }
2064 }
2065
2066 /* Clear any possibly unsafe personality bits on exec: */
2067 bprm->per_clear |= PER_CLEAR_ON_SETID;
2068 }
2069
2070 return 0;
2071 }
2072
2073 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2074 {
2075 const struct task_security_struct *tsec = current_security();
2076 u32 sid, osid;
2077 int atsecure = 0;
2078
2079 sid = tsec->sid;
2080 osid = tsec->osid;
2081
2082 if (osid != sid) {
2083 /* Enable secure mode for SIDs transitions unless
2084 the noatsecure permission is granted between
2085 the two SIDs, i.e. ahp returns 0. */
2086 atsecure = avc_has_perm(osid, sid,
2087 SECCLASS_PROCESS,
2088 PROCESS__NOATSECURE, NULL);
2089 }
2090
2091 return (atsecure || cap_bprm_secureexec(bprm));
2092 }
2093
2094 /* Derived from fs/exec.c:flush_old_files. */
2095 static inline void flush_unauthorized_files(const struct cred *cred,
2096 struct files_struct *files)
2097 {
2098 struct common_audit_data ad;
2099 struct file *file, *devnull = NULL;
2100 struct tty_struct *tty;
2101 struct fdtable *fdt;
2102 long j = -1;
2103 int drop_tty = 0;
2104
2105 tty = get_current_tty();
2106 if (tty) {
2107 spin_lock(&tty_files_lock);
2108 if (!list_empty(&tty->tty_files)) {
2109 struct tty_file_private *file_priv;
2110 struct inode *inode;
2111
2112 /* Revalidate access to controlling tty.
2113 Use inode_has_perm on the tty inode directly rather
2114 than using file_has_perm, as this particular open
2115 file may belong to another process and we are only
2116 interested in the inode-based check here. */
2117 file_priv = list_first_entry(&tty->tty_files,
2118 struct tty_file_private, list);
2119 file = file_priv->file;
2120 inode = file->f_path.dentry->d_inode;
2121 if (inode_has_perm_noadp(cred, inode,
2122 FILE__READ | FILE__WRITE, 0)) {
2123 drop_tty = 1;
2124 }
2125 }
2126 spin_unlock(&tty_files_lock);
2127 tty_kref_put(tty);
2128 }
2129 /* Reset controlling tty. */
2130 if (drop_tty)
2131 no_tty();
2132
2133 /* Revalidate access to inherited open files. */
2134
2135 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2136
2137 spin_lock(&files->file_lock);
2138 for (;;) {
2139 unsigned long set, i;
2140 int fd;
2141
2142 j++;
2143 i = j * __NFDBITS;
2144 fdt = files_fdtable(files);
2145 if (i >= fdt->max_fds)
2146 break;
2147 set = fdt->open_fds->fds_bits[j];
2148 if (!set)
2149 continue;
2150 spin_unlock(&files->file_lock);
2151 for ( ; set ; i++, set >>= 1) {
2152 if (set & 1) {
2153 file = fget(i);
2154 if (!file)
2155 continue;
2156 if (file_has_perm(cred,
2157 file,
2158 file_to_av(file))) {
2159 sys_close(i);
2160 fd = get_unused_fd();
2161 if (fd != i) {
2162 if (fd >= 0)
2163 put_unused_fd(fd);
2164 fput(file);
2165 continue;
2166 }
2167 if (devnull) {
2168 get_file(devnull);
2169 } else {
2170 devnull = dentry_open(
2171 dget(selinux_null),
2172 mntget(selinuxfs_mount),
2173 O_RDWR, cred);
2174 if (IS_ERR(devnull)) {
2175 devnull = NULL;
2176 put_unused_fd(fd);
2177 fput(file);
2178 continue;
2179 }
2180 }
2181 fd_install(fd, devnull);
2182 }
2183 fput(file);
2184 }
2185 }
2186 spin_lock(&files->file_lock);
2187
2188 }
2189 spin_unlock(&files->file_lock);
2190 }
2191
2192 /*
2193 * Prepare a process for imminent new credential changes due to exec
2194 */
2195 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2196 {
2197 struct task_security_struct *new_tsec;
2198 struct rlimit *rlim, *initrlim;
2199 int rc, i;
2200
2201 new_tsec = bprm->cred->security;
2202 if (new_tsec->sid == new_tsec->osid)
2203 return;
2204
2205 /* Close files for which the new task SID is not authorized. */
2206 flush_unauthorized_files(bprm->cred, current->files);
2207
2208 /* Always clear parent death signal on SID transitions. */
2209 current->pdeath_signal = 0;
2210
2211 /* Check whether the new SID can inherit resource limits from the old
2212 * SID. If not, reset all soft limits to the lower of the current
2213 * task's hard limit and the init task's soft limit.
2214 *
2215 * Note that the setting of hard limits (even to lower them) can be
2216 * controlled by the setrlimit check. The inclusion of the init task's
2217 * soft limit into the computation is to avoid resetting soft limits
2218 * higher than the default soft limit for cases where the default is
2219 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2220 */
2221 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2222 PROCESS__RLIMITINH, NULL);
2223 if (rc) {
2224 /* protect against do_prlimit() */
2225 task_lock(current);
2226 for (i = 0; i < RLIM_NLIMITS; i++) {
2227 rlim = current->signal->rlim + i;
2228 initrlim = init_task.signal->rlim + i;
2229 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2230 }
2231 task_unlock(current);
2232 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2233 }
2234 }
2235
2236 /*
2237 * Clean up the process immediately after the installation of new credentials
2238 * due to exec
2239 */
2240 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2241 {
2242 const struct task_security_struct *tsec = current_security();
2243 struct itimerval itimer;
2244 u32 osid, sid;
2245 int rc, i;
2246
2247 osid = tsec->osid;
2248 sid = tsec->sid;
2249
2250 if (sid == osid)
2251 return;
2252
2253 /* Check whether the new SID can inherit signal state from the old SID.
2254 * If not, clear itimers to avoid subsequent signal generation and
2255 * flush and unblock signals.
2256 *
2257 * This must occur _after_ the task SID has been updated so that any
2258 * kill done after the flush will be checked against the new SID.
2259 */
2260 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2261 if (rc) {
2262 memset(&itimer, 0, sizeof itimer);
2263 for (i = 0; i < 3; i++)
2264 do_setitimer(i, &itimer, NULL);
2265 spin_lock_irq(&current->sighand->siglock);
2266 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2267 __flush_signals(current);
2268 flush_signal_handlers(current, 1);
2269 sigemptyset(&current->blocked);
2270 }
2271 spin_unlock_irq(&current->sighand->siglock);
2272 }
2273
2274 /* Wake up the parent if it is waiting so that it can recheck
2275 * wait permission to the new task SID. */
2276 read_lock(&tasklist_lock);
2277 __wake_up_parent(current, current->real_parent);
2278 read_unlock(&tasklist_lock);
2279 }
2280
2281 /* superblock security operations */
2282
2283 static int selinux_sb_alloc_security(struct super_block *sb)
2284 {
2285 return superblock_alloc_security(sb);
2286 }
2287
2288 static void selinux_sb_free_security(struct super_block *sb)
2289 {
2290 superblock_free_security(sb);
2291 }
2292
2293 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2294 {
2295 if (plen > olen)
2296 return 0;
2297
2298 return !memcmp(prefix, option, plen);
2299 }
2300
2301 static inline int selinux_option(char *option, int len)
2302 {
2303 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2304 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2305 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2306 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2307 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2308 }
2309
2310 static inline void take_option(char **to, char *from, int *first, int len)
2311 {
2312 if (!*first) {
2313 **to = ',';
2314 *to += 1;
2315 } else
2316 *first = 0;
2317 memcpy(*to, from, len);
2318 *to += len;
2319 }
2320
2321 static inline void take_selinux_option(char **to, char *from, int *first,
2322 int len)
2323 {
2324 int current_size = 0;
2325
2326 if (!*first) {
2327 **to = '|';
2328 *to += 1;
2329 } else
2330 *first = 0;
2331
2332 while (current_size < len) {
2333 if (*from != '"') {
2334 **to = *from;
2335 *to += 1;
2336 }
2337 from += 1;
2338 current_size += 1;
2339 }
2340 }
2341
2342 static int selinux_sb_copy_data(char *orig, char *copy)
2343 {
2344 int fnosec, fsec, rc = 0;
2345 char *in_save, *in_curr, *in_end;
2346 char *sec_curr, *nosec_save, *nosec;
2347 int open_quote = 0;
2348
2349 in_curr = orig;
2350 sec_curr = copy;
2351
2352 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2353 if (!nosec) {
2354 rc = -ENOMEM;
2355 goto out;
2356 }
2357
2358 nosec_save = nosec;
2359 fnosec = fsec = 1;
2360 in_save = in_end = orig;
2361
2362 do {
2363 if (*in_end == '"')
2364 open_quote = !open_quote;
2365 if ((*in_end == ',' && open_quote == 0) ||
2366 *in_end == '\0') {
2367 int len = in_end - in_curr;
2368
2369 if (selinux_option(in_curr, len))
2370 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2371 else
2372 take_option(&nosec, in_curr, &fnosec, len);
2373
2374 in_curr = in_end + 1;
2375 }
2376 } while (*in_end++);
2377
2378 strcpy(in_save, nosec_save);
2379 free_page((unsigned long)nosec_save);
2380 out:
2381 return rc;
2382 }
2383
2384 static int selinux_sb_remount(struct super_block *sb, void *data)
2385 {
2386 int rc, i, *flags;
2387 struct security_mnt_opts opts;
2388 char *secdata, **mount_options;
2389 struct superblock_security_struct *sbsec = sb->s_security;
2390
2391 if (!(sbsec->flags & SE_SBINITIALIZED))
2392 return 0;
2393
2394 if (!data)
2395 return 0;
2396
2397 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2398 return 0;
2399
2400 security_init_mnt_opts(&opts);
2401 secdata = alloc_secdata();
2402 if (!secdata)
2403 return -ENOMEM;
2404 rc = selinux_sb_copy_data(data, secdata);
2405 if (rc)
2406 goto out_free_secdata;
2407
2408 rc = selinux_parse_opts_str(secdata, &opts);
2409 if (rc)
2410 goto out_free_secdata;
2411
2412 mount_options = opts.mnt_opts;
2413 flags = opts.mnt_opts_flags;
2414
2415 for (i = 0; i < opts.num_mnt_opts; i++) {
2416 u32 sid;
2417 size_t len;
2418
2419 if (flags[i] == SE_SBLABELSUPP)
2420 continue;
2421 len = strlen(mount_options[i]);
2422 rc = security_context_to_sid(mount_options[i], len, &sid);
2423 if (rc) {
2424 printk(KERN_WARNING "SELinux: security_context_to_sid"
2425 "(%s) failed for (dev %s, type %s) errno=%d\n",
2426 mount_options[i], sb->s_id, sb->s_type->name, rc);
2427 goto out_free_opts;
2428 }
2429 rc = -EINVAL;
2430 switch (flags[i]) {
2431 case FSCONTEXT_MNT:
2432 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2433 goto out_bad_option;
2434 break;
2435 case CONTEXT_MNT:
2436 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2437 goto out_bad_option;
2438 break;
2439 case ROOTCONTEXT_MNT: {
2440 struct inode_security_struct *root_isec;
2441 root_isec = sb->s_root->d_inode->i_security;
2442
2443 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2444 goto out_bad_option;
2445 break;
2446 }
2447 case DEFCONTEXT_MNT:
2448 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2449 goto out_bad_option;
2450 break;
2451 default:
2452 goto out_free_opts;
2453 }
2454 }
2455
2456 rc = 0;
2457 out_free_opts:
2458 security_free_mnt_opts(&opts);
2459 out_free_secdata:
2460 free_secdata(secdata);
2461 return rc;
2462 out_bad_option:
2463 printk(KERN_WARNING "SELinux: unable to change security options "
2464 "during remount (dev %s, type=%s)\n", sb->s_id,
2465 sb->s_type->name);
2466 goto out_free_opts;
2467 }
2468
2469 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2470 {
2471 const struct cred *cred = current_cred();
2472 struct common_audit_data ad;
2473 int rc;
2474
2475 rc = superblock_doinit(sb, data);
2476 if (rc)
2477 return rc;
2478
2479 /* Allow all mounts performed by the kernel */
2480 if (flags & MS_KERNMOUNT)
2481 return 0;
2482
2483 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2484 ad.u.dentry = sb->s_root;
2485 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2486 }
2487
2488 static int selinux_sb_statfs(struct dentry *dentry)
2489 {
2490 const struct cred *cred = current_cred();
2491 struct common_audit_data ad;
2492
2493 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2494 ad.u.dentry = dentry->d_sb->s_root;
2495 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2496 }
2497
2498 static int selinux_mount(char *dev_name,
2499 struct path *path,
2500 char *type,
2501 unsigned long flags,
2502 void *data)
2503 {
2504 const struct cred *cred = current_cred();
2505
2506 if (flags & MS_REMOUNT)
2507 return superblock_has_perm(cred, path->mnt->mnt_sb,
2508 FILESYSTEM__REMOUNT, NULL);
2509 else
2510 return path_has_perm(cred, path, FILE__MOUNTON);
2511 }
2512
2513 static int selinux_umount(struct vfsmount *mnt, int flags)
2514 {
2515 const struct cred *cred = current_cred();
2516
2517 return superblock_has_perm(cred, mnt->mnt_sb,
2518 FILESYSTEM__UNMOUNT, NULL);
2519 }
2520
2521 /* inode security operations */
2522
2523 static int selinux_inode_alloc_security(struct inode *inode)
2524 {
2525 return inode_alloc_security(inode);
2526 }
2527
2528 static void selinux_inode_free_security(struct inode *inode)
2529 {
2530 inode_free_security(inode);
2531 }
2532
2533 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2534 const struct qstr *qstr, char **name,
2535 void **value, size_t *len)
2536 {
2537 const struct task_security_struct *tsec = current_security();
2538 struct inode_security_struct *dsec;
2539 struct superblock_security_struct *sbsec;
2540 u32 sid, newsid, clen;
2541 int rc;
2542 char *namep = NULL, *context;
2543
2544 dsec = dir->i_security;
2545 sbsec = dir->i_sb->s_security;
2546
2547 sid = tsec->sid;
2548 newsid = tsec->create_sid;
2549
2550 if ((sbsec->flags & SE_SBINITIALIZED) &&
2551 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2552 newsid = sbsec->mntpoint_sid;
2553 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2554 rc = security_transition_sid(sid, dsec->sid,
2555 inode_mode_to_security_class(inode->i_mode),
2556 qstr, &newsid);
2557 if (rc) {
2558 printk(KERN_WARNING "%s: "
2559 "security_transition_sid failed, rc=%d (dev=%s "
2560 "ino=%ld)\n",
2561 __func__,
2562 -rc, inode->i_sb->s_id, inode->i_ino);
2563 return rc;
2564 }
2565 }
2566
2567 /* Possibly defer initialization to selinux_complete_init. */
2568 if (sbsec->flags & SE_SBINITIALIZED) {
2569 struct inode_security_struct *isec = inode->i_security;
2570 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2571 isec->sid = newsid;
2572 isec->initialized = 1;
2573 }
2574
2575 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2576 return -EOPNOTSUPP;
2577
2578 if (name) {
2579 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2580 if (!namep)
2581 return -ENOMEM;
2582 *name = namep;
2583 }
2584
2585 if (value && len) {
2586 rc = security_sid_to_context_force(newsid, &context, &clen);
2587 if (rc) {
2588 kfree(namep);
2589 return rc;
2590 }
2591 *value = context;
2592 *len = clen;
2593 }
2594
2595 return 0;
2596 }
2597
2598 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2599 {
2600 return may_create(dir, dentry, SECCLASS_FILE);
2601 }
2602
2603 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2604 {
2605 return may_link(dir, old_dentry, MAY_LINK);
2606 }
2607
2608 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2609 {
2610 return may_link(dir, dentry, MAY_UNLINK);
2611 }
2612
2613 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2614 {
2615 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2616 }
2617
2618 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2619 {
2620 return may_create(dir, dentry, SECCLASS_DIR);
2621 }
2622
2623 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2624 {
2625 return may_link(dir, dentry, MAY_RMDIR);
2626 }
2627
2628 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2629 {
2630 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2631 }
2632
2633 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2634 struct inode *new_inode, struct dentry *new_dentry)
2635 {
2636 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2637 }
2638
2639 static int selinux_inode_readlink(struct dentry *dentry)
2640 {
2641 const struct cred *cred = current_cred();
2642
2643 return dentry_has_perm(cred, dentry, FILE__READ);
2644 }
2645
2646 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2647 {
2648 const struct cred *cred = current_cred();
2649
2650 return dentry_has_perm(cred, dentry, FILE__READ);
2651 }
2652
2653 static int selinux_inode_permission(struct inode *inode, int mask)
2654 {
2655 const struct cred *cred = current_cred();
2656 struct common_audit_data ad;
2657 u32 perms;
2658 bool from_access;
2659 unsigned flags = mask & MAY_NOT_BLOCK;
2660
2661 from_access = mask & MAY_ACCESS;
2662 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2663
2664 /* No permission to check. Existence test. */
2665 if (!mask)
2666 return 0;
2667
2668 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2669 ad.u.inode = inode;
2670
2671 if (from_access)
2672 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2673
2674 perms = file_mask_to_av(inode->i_mode, mask);
2675
2676 return inode_has_perm(cred, inode, perms, &ad, flags);
2677 }
2678
2679 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2680 {
2681 const struct cred *cred = current_cred();
2682 unsigned int ia_valid = iattr->ia_valid;
2683
2684 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2685 if (ia_valid & ATTR_FORCE) {
2686 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2687 ATTR_FORCE);
2688 if (!ia_valid)
2689 return 0;
2690 }
2691
2692 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2693 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2694 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2695
2696 return dentry_has_perm(cred, dentry, FILE__WRITE);
2697 }
2698
2699 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2700 {
2701 const struct cred *cred = current_cred();
2702 struct path path;
2703
2704 path.dentry = dentry;
2705 path.mnt = mnt;
2706
2707 return path_has_perm(cred, &path, FILE__GETATTR);
2708 }
2709
2710 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2711 {
2712 const struct cred *cred = current_cred();
2713
2714 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2715 sizeof XATTR_SECURITY_PREFIX - 1)) {
2716 if (!strcmp(name, XATTR_NAME_CAPS)) {
2717 if (!capable(CAP_SETFCAP))
2718 return -EPERM;
2719 } else if (!capable(CAP_SYS_ADMIN)) {
2720 /* A different attribute in the security namespace.
2721 Restrict to administrator. */
2722 return -EPERM;
2723 }
2724 }
2725
2726 /* Not an attribute we recognize, so just check the
2727 ordinary setattr permission. */
2728 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2729 }
2730
2731 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2732 const void *value, size_t size, int flags)
2733 {
2734 struct inode *inode = dentry->d_inode;
2735 struct inode_security_struct *isec = inode->i_security;
2736 struct superblock_security_struct *sbsec;
2737 struct common_audit_data ad;
2738 u32 newsid, sid = current_sid();
2739 int rc = 0;
2740
2741 if (strcmp(name, XATTR_NAME_SELINUX))
2742 return selinux_inode_setotherxattr(dentry, name);
2743
2744 sbsec = inode->i_sb->s_security;
2745 if (!(sbsec->flags & SE_SBLABELSUPP))
2746 return -EOPNOTSUPP;
2747
2748 if (!inode_owner_or_capable(inode))
2749 return -EPERM;
2750
2751 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2752 ad.u.dentry = dentry;
2753
2754 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2755 FILE__RELABELFROM, &ad);
2756 if (rc)
2757 return rc;
2758
2759 rc = security_context_to_sid(value, size, &newsid);
2760 if (rc == -EINVAL) {
2761 if (!capable(CAP_MAC_ADMIN))
2762 return rc;
2763 rc = security_context_to_sid_force(value, size, &newsid);
2764 }
2765 if (rc)
2766 return rc;
2767
2768 rc = avc_has_perm(sid, newsid, isec->sclass,
2769 FILE__RELABELTO, &ad);
2770 if (rc)
2771 return rc;
2772
2773 rc = security_validate_transition(isec->sid, newsid, sid,
2774 isec->sclass);
2775 if (rc)
2776 return rc;
2777
2778 return avc_has_perm(newsid,
2779 sbsec->sid,
2780 SECCLASS_FILESYSTEM,
2781 FILESYSTEM__ASSOCIATE,
2782 &ad);
2783 }
2784
2785 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2786 const void *value, size_t size,
2787 int flags)
2788 {
2789 struct inode *inode = dentry->d_inode;
2790 struct inode_security_struct *isec = inode->i_security;
2791 u32 newsid;
2792 int rc;
2793
2794 if (strcmp(name, XATTR_NAME_SELINUX)) {
2795 /* Not an attribute we recognize, so nothing to do. */
2796 return;
2797 }
2798
2799 rc = security_context_to_sid_force(value, size, &newsid);
2800 if (rc) {
2801 printk(KERN_ERR "SELinux: unable to map context to SID"
2802 "for (%s, %lu), rc=%d\n",
2803 inode->i_sb->s_id, inode->i_ino, -rc);
2804 return;
2805 }
2806
2807 isec->sid = newsid;
2808 return;
2809 }
2810
2811 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2812 {
2813 const struct cred *cred = current_cred();
2814
2815 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2816 }
2817
2818 static int selinux_inode_listxattr(struct dentry *dentry)
2819 {
2820 const struct cred *cred = current_cred();
2821
2822 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2823 }
2824
2825 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2826 {
2827 if (strcmp(name, XATTR_NAME_SELINUX))
2828 return selinux_inode_setotherxattr(dentry, name);
2829
2830 /* No one is allowed to remove a SELinux security label.
2831 You can change the label, but all data must be labeled. */
2832 return -EACCES;
2833 }
2834
2835 /*
2836 * Copy the inode security context value to the user.
2837 *
2838 * Permission check is handled by selinux_inode_getxattr hook.
2839 */
2840 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2841 {
2842 u32 size;
2843 int error;
2844 char *context = NULL;
2845 struct inode_security_struct *isec = inode->i_security;
2846
2847 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2848 return -EOPNOTSUPP;
2849
2850 /*
2851 * If the caller has CAP_MAC_ADMIN, then get the raw context
2852 * value even if it is not defined by current policy; otherwise,
2853 * use the in-core value under current policy.
2854 * Use the non-auditing forms of the permission checks since
2855 * getxattr may be called by unprivileged processes commonly
2856 * and lack of permission just means that we fall back to the
2857 * in-core context value, not a denial.
2858 */
2859 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2860 SECURITY_CAP_NOAUDIT);
2861 if (!error)
2862 error = security_sid_to_context_force(isec->sid, &context,
2863 &size);
2864 else
2865 error = security_sid_to_context(isec->sid, &context, &size);
2866 if (error)
2867 return error;
2868 error = size;
2869 if (alloc) {
2870 *buffer = context;
2871 goto out_nofree;
2872 }
2873 kfree(context);
2874 out_nofree:
2875 return error;
2876 }
2877
2878 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2879 const void *value, size_t size, int flags)
2880 {
2881 struct inode_security_struct *isec = inode->i_security;
2882 u32 newsid;
2883 int rc;
2884
2885 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2886 return -EOPNOTSUPP;
2887
2888 if (!value || !size)
2889 return -EACCES;
2890
2891 rc = security_context_to_sid((void *)value, size, &newsid);
2892 if (rc)
2893 return rc;
2894
2895 isec->sid = newsid;
2896 isec->initialized = 1;
2897 return 0;
2898 }
2899
2900 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2901 {
2902 const int len = sizeof(XATTR_NAME_SELINUX);
2903 if (buffer && len <= buffer_size)
2904 memcpy(buffer, XATTR_NAME_SELINUX, len);
2905 return len;
2906 }
2907
2908 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2909 {
2910 struct inode_security_struct *isec = inode->i_security;
2911 *secid = isec->sid;
2912 }
2913
2914 /* file security operations */
2915
2916 static int selinux_revalidate_file_permission(struct file *file, int mask)
2917 {
2918 const struct cred *cred = current_cred();
2919 struct inode *inode = file->f_path.dentry->d_inode;
2920
2921 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2922 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2923 mask |= MAY_APPEND;
2924
2925 return file_has_perm(cred, file,
2926 file_mask_to_av(inode->i_mode, mask));
2927 }
2928
2929 static int selinux_file_permission(struct file *file, int mask)
2930 {
2931 struct inode *inode = file->f_path.dentry->d_inode;
2932 struct file_security_struct *fsec = file->f_security;
2933 struct inode_security_struct *isec = inode->i_security;
2934 u32 sid = current_sid();
2935
2936 if (!mask)
2937 /* No permission to check. Existence test. */
2938 return 0;
2939
2940 if (sid == fsec->sid && fsec->isid == isec->sid &&
2941 fsec->pseqno == avc_policy_seqno())
2942 /* No change since dentry_open check. */
2943 return 0;
2944
2945 return selinux_revalidate_file_permission(file, mask);
2946 }
2947
2948 static int selinux_file_alloc_security(struct file *file)
2949 {
2950 return file_alloc_security(file);
2951 }
2952
2953 static void selinux_file_free_security(struct file *file)
2954 {
2955 file_free_security(file);
2956 }
2957
2958 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2959 unsigned long arg)
2960 {
2961 const struct cred *cred = current_cred();
2962 int error = 0;
2963
2964 switch (cmd) {
2965 case FIONREAD:
2966 /* fall through */
2967 case FIBMAP:
2968 /* fall through */
2969 case FIGETBSZ:
2970 /* fall through */
2971 case EXT2_IOC_GETFLAGS:
2972 /* fall through */
2973 case EXT2_IOC_GETVERSION:
2974 error = file_has_perm(cred, file, FILE__GETATTR);
2975 break;
2976
2977 case EXT2_IOC_SETFLAGS:
2978 /* fall through */
2979 case EXT2_IOC_SETVERSION:
2980 error = file_has_perm(cred, file, FILE__SETATTR);
2981 break;
2982
2983 /* sys_ioctl() checks */
2984 case FIONBIO:
2985 /* fall through */
2986 case FIOASYNC:
2987 error = file_has_perm(cred, file, 0);
2988 break;
2989
2990 case KDSKBENT:
2991 case KDSKBSENT:
2992 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
2993 SECURITY_CAP_AUDIT);
2994 break;
2995
2996 /* default case assumes that the command will go
2997 * to the file's ioctl() function.
2998 */
2999 default:
3000 error = file_has_perm(cred, file, FILE__IOCTL);
3001 }
3002 return error;
3003 }
3004
3005 static int default_noexec;
3006
3007 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3008 {
3009 const struct cred *cred = current_cred();
3010 int rc = 0;
3011
3012 if (default_noexec &&
3013 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3014 /*
3015 * We are making executable an anonymous mapping or a
3016 * private file mapping that will also be writable.
3017 * This has an additional check.
3018 */
3019 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3020 if (rc)
3021 goto error;
3022 }
3023
3024 if (file) {
3025 /* read access is always possible with a mapping */
3026 u32 av = FILE__READ;
3027
3028 /* write access only matters if the mapping is shared */
3029 if (shared && (prot & PROT_WRITE))
3030 av |= FILE__WRITE;
3031
3032 if (prot & PROT_EXEC)
3033 av |= FILE__EXECUTE;
3034
3035 return file_has_perm(cred, file, av);
3036 }
3037
3038 error:
3039 return rc;
3040 }
3041
3042 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3043 unsigned long prot, unsigned long flags,
3044 unsigned long addr, unsigned long addr_only)
3045 {
3046 int rc = 0;
3047 u32 sid = current_sid();
3048
3049 /*
3050 * notice that we are intentionally putting the SELinux check before
3051 * the secondary cap_file_mmap check. This is such a likely attempt
3052 * at bad behaviour/exploit that we always want to get the AVC, even
3053 * if DAC would have also denied the operation.
3054 */
3055 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3056 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3057 MEMPROTECT__MMAP_ZERO, NULL);
3058 if (rc)
3059 return rc;
3060 }
3061
3062 /* do DAC check on address space usage */
3063 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3064 if (rc || addr_only)
3065 return rc;
3066
3067 if (selinux_checkreqprot)
3068 prot = reqprot;
3069
3070 return file_map_prot_check(file, prot,
3071 (flags & MAP_TYPE) == MAP_SHARED);
3072 }
3073
3074 static int selinux_file_mprotect(struct vm_area_struct *vma,
3075 unsigned long reqprot,
3076 unsigned long prot)
3077 {
3078 const struct cred *cred = current_cred();
3079
3080 if (selinux_checkreqprot)
3081 prot = reqprot;
3082
3083 if (default_noexec &&
3084 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3085 int rc = 0;
3086 if (vma->vm_start >= vma->vm_mm->start_brk &&
3087 vma->vm_end <= vma->vm_mm->brk) {
3088 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3089 } else if (!vma->vm_file &&
3090 vma->vm_start <= vma->vm_mm->start_stack &&
3091 vma->vm_end >= vma->vm_mm->start_stack) {
3092 rc = current_has_perm(current, PROCESS__EXECSTACK);
3093 } else if (vma->vm_file && vma->anon_vma) {
3094 /*
3095 * We are making executable a file mapping that has
3096 * had some COW done. Since pages might have been
3097 * written, check ability to execute the possibly
3098 * modified content. This typically should only
3099 * occur for text relocations.
3100 */
3101 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3102 }
3103 if (rc)
3104 return rc;
3105 }
3106
3107 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3108 }
3109
3110 static int selinux_file_lock(struct file *file, unsigned int cmd)
3111 {
3112 const struct cred *cred = current_cred();
3113
3114 return file_has_perm(cred, file, FILE__LOCK);
3115 }
3116
3117 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3118 unsigned long arg)
3119 {
3120 const struct cred *cred = current_cred();
3121 int err = 0;
3122
3123 switch (cmd) {
3124 case F_SETFL:
3125 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3126 err = -EINVAL;
3127 break;
3128 }
3129
3130 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3131 err = file_has_perm(cred, file, FILE__WRITE);
3132 break;
3133 }
3134 /* fall through */
3135 case F_SETOWN:
3136 case F_SETSIG:
3137 case F_GETFL:
3138 case F_GETOWN:
3139 case F_GETSIG:
3140 /* Just check FD__USE permission */
3141 err = file_has_perm(cred, file, 0);
3142 break;
3143 case F_GETLK:
3144 case F_SETLK:
3145 case F_SETLKW:
3146 #if BITS_PER_LONG == 32
3147 case F_GETLK64:
3148 case F_SETLK64:
3149 case F_SETLKW64:
3150 #endif
3151 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3152 err = -EINVAL;
3153 break;
3154 }
3155 err = file_has_perm(cred, file, FILE__LOCK);
3156 break;
3157 }
3158
3159 return err;
3160 }
3161
3162 static int selinux_file_set_fowner(struct file *file)
3163 {
3164 struct file_security_struct *fsec;
3165
3166 fsec = file->f_security;
3167 fsec->fown_sid = current_sid();
3168
3169 return 0;
3170 }
3171
3172 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3173 struct fown_struct *fown, int signum)
3174 {
3175 struct file *file;
3176 u32 sid = task_sid(tsk);
3177 u32 perm;
3178 struct file_security_struct *fsec;
3179
3180 /* struct fown_struct is never outside the context of a struct file */
3181 file = container_of(fown, struct file, f_owner);
3182
3183 fsec = file->f_security;
3184
3185 if (!signum)
3186 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3187 else
3188 perm = signal_to_av(signum);
3189
3190 return avc_has_perm(fsec->fown_sid, sid,
3191 SECCLASS_PROCESS, perm, NULL);
3192 }
3193
3194 static int selinux_file_receive(struct file *file)
3195 {
3196 const struct cred *cred = current_cred();
3197
3198 return file_has_perm(cred, file, file_to_av(file));
3199 }
3200
3201 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3202 {
3203 struct file_security_struct *fsec;
3204 struct inode *inode;
3205 struct inode_security_struct *isec;
3206
3207 inode = file->f_path.dentry->d_inode;
3208 fsec = file->f_security;
3209 isec = inode->i_security;
3210 /*
3211 * Save inode label and policy sequence number
3212 * at open-time so that selinux_file_permission
3213 * can determine whether revalidation is necessary.
3214 * Task label is already saved in the file security
3215 * struct as its SID.
3216 */
3217 fsec->isid = isec->sid;
3218 fsec->pseqno = avc_policy_seqno();
3219 /*
3220 * Since the inode label or policy seqno may have changed
3221 * between the selinux_inode_permission check and the saving
3222 * of state above, recheck that access is still permitted.
3223 * Otherwise, access might never be revalidated against the
3224 * new inode label or new policy.
3225 * This check is not redundant - do not remove.
3226 */
3227 return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3228 }
3229
3230 /* task security operations */
3231
3232 static int selinux_task_create(unsigned long clone_flags)
3233 {
3234 return current_has_perm(current, PROCESS__FORK);
3235 }
3236
3237 /*
3238 * allocate the SELinux part of blank credentials
3239 */
3240 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3241 {
3242 struct task_security_struct *tsec;
3243
3244 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3245 if (!tsec)
3246 return -ENOMEM;
3247
3248 cred->security = tsec;
3249 return 0;
3250 }
3251
3252 /*
3253 * detach and free the LSM part of a set of credentials
3254 */
3255 static void selinux_cred_free(struct cred *cred)
3256 {
3257 struct task_security_struct *tsec = cred->security;
3258
3259 /*
3260 * cred->security == NULL if security_cred_alloc_blank() or
3261 * security_prepare_creds() returned an error.
3262 */
3263 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3264 cred->security = (void *) 0x7UL;
3265 kfree(tsec);
3266 }
3267
3268 /*
3269 * prepare a new set of credentials for modification
3270 */
3271 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3272 gfp_t gfp)
3273 {
3274 const struct task_security_struct *old_tsec;
3275 struct task_security_struct *tsec;
3276
3277 old_tsec = old->security;
3278
3279 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3280 if (!tsec)
3281 return -ENOMEM;
3282
3283 new->security = tsec;
3284 return 0;
3285 }
3286
3287 /*
3288 * transfer the SELinux data to a blank set of creds
3289 */
3290 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3291 {
3292 const struct task_security_struct *old_tsec = old->security;
3293 struct task_security_struct *tsec = new->security;
3294
3295 *tsec = *old_tsec;
3296 }
3297
3298 /*
3299 * set the security data for a kernel service
3300 * - all the creation contexts are set to unlabelled
3301 */
3302 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3303 {
3304 struct task_security_struct *tsec = new->security;
3305 u32 sid = current_sid();
3306 int ret;
3307
3308 ret = avc_has_perm(sid, secid,
3309 SECCLASS_KERNEL_SERVICE,
3310 KERNEL_SERVICE__USE_AS_OVERRIDE,
3311 NULL);
3312 if (ret == 0) {
3313 tsec->sid = secid;
3314 tsec->create_sid = 0;
3315 tsec->keycreate_sid = 0;
3316 tsec->sockcreate_sid = 0;
3317 }
3318 return ret;
3319 }
3320
3321 /*
3322 * set the file creation context in a security record to the same as the
3323 * objective context of the specified inode
3324 */
3325 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3326 {
3327 struct inode_security_struct *isec = inode->i_security;
3328 struct task_security_struct *tsec = new->security;
3329 u32 sid = current_sid();
3330 int ret;
3331
3332 ret = avc_has_perm(sid, isec->sid,
3333 SECCLASS_KERNEL_SERVICE,
3334 KERNEL_SERVICE__CREATE_FILES_AS,
3335 NULL);
3336
3337 if (ret == 0)
3338 tsec->create_sid = isec->sid;
3339 return ret;
3340 }
3341
3342 static int selinux_kernel_module_request(char *kmod_name)
3343 {
3344 u32 sid;
3345 struct common_audit_data ad;
3346
3347 sid = task_sid(current);
3348
3349 COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3350 ad.u.kmod_name = kmod_name;
3351
3352 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3353 SYSTEM__MODULE_REQUEST, &ad);
3354 }
3355
3356 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3357 {
3358 return current_has_perm(p, PROCESS__SETPGID);
3359 }
3360
3361 static int selinux_task_getpgid(struct task_struct *p)
3362 {
3363 return current_has_perm(p, PROCESS__GETPGID);
3364 }
3365
3366 static int selinux_task_getsid(struct task_struct *p)
3367 {
3368 return current_has_perm(p, PROCESS__GETSESSION);
3369 }
3370
3371 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3372 {
3373 *secid = task_sid(p);
3374 }
3375
3376 static int selinux_task_setnice(struct task_struct *p, int nice)
3377 {
3378 int rc;
3379
3380 rc = cap_task_setnice(p, nice);
3381 if (rc)
3382 return rc;
3383
3384 return current_has_perm(p, PROCESS__SETSCHED);
3385 }
3386
3387 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3388 {
3389 int rc;
3390
3391 rc = cap_task_setioprio(p, ioprio);
3392 if (rc)
3393 return rc;
3394
3395 return current_has_perm(p, PROCESS__SETSCHED);
3396 }
3397
3398 static int selinux_task_getioprio(struct task_struct *p)
3399 {
3400 return current_has_perm(p, PROCESS__GETSCHED);
3401 }
3402
3403 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3404 struct rlimit *new_rlim)
3405 {
3406 struct rlimit *old_rlim = p->signal->rlim + resource;
3407
3408 /* Control the ability to change the hard limit (whether
3409 lowering or raising it), so that the hard limit can
3410 later be used as a safe reset point for the soft limit
3411 upon context transitions. See selinux_bprm_committing_creds. */
3412 if (old_rlim->rlim_max != new_rlim->rlim_max)
3413 return current_has_perm(p, PROCESS__SETRLIMIT);
3414
3415 return 0;
3416 }
3417
3418 static int selinux_task_setscheduler(struct task_struct *p)
3419 {
3420 int rc;
3421
3422 rc = cap_task_setscheduler(p);
3423 if (rc)
3424 return rc;
3425
3426 return current_has_perm(p, PROCESS__SETSCHED);
3427 }
3428
3429 static int selinux_task_getscheduler(struct task_struct *p)
3430 {
3431 return current_has_perm(p, PROCESS__GETSCHED);
3432 }
3433
3434 static int selinux_task_movememory(struct task_struct *p)
3435 {
3436 return current_has_perm(p, PROCESS__SETSCHED);
3437 }
3438
3439 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3440 int sig, u32 secid)
3441 {
3442 u32 perm;
3443 int rc;
3444
3445 if (!sig)
3446 perm = PROCESS__SIGNULL; /* null signal; existence test */
3447 else
3448 perm = signal_to_av(sig);
3449 if (secid)
3450 rc = avc_has_perm(secid, task_sid(p),
3451 SECCLASS_PROCESS, perm, NULL);
3452 else
3453 rc = current_has_perm(p, perm);
3454 return rc;
3455 }
3456
3457 static int selinux_task_wait(struct task_struct *p)
3458 {
3459 return task_has_perm(p, current, PROCESS__SIGCHLD);
3460 }
3461
3462 static void selinux_task_to_inode(struct task_struct *p,
3463 struct inode *inode)
3464 {
3465 struct inode_security_struct *isec = inode->i_security;
3466 u32 sid = task_sid(p);
3467
3468 isec->sid = sid;
3469 isec->initialized = 1;
3470 }
3471
3472 /* Returns error only if unable to parse addresses */
3473 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3474 struct common_audit_data *ad, u8 *proto)
3475 {
3476 int offset, ihlen, ret = -EINVAL;
3477 struct iphdr _iph, *ih;
3478
3479 offset = skb_network_offset(skb);
3480 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3481 if (ih == NULL)
3482 goto out;
3483
3484 ihlen = ih->ihl * 4;
3485 if (ihlen < sizeof(_iph))
3486 goto out;
3487
3488 ad->u.net.v4info.saddr = ih->saddr;
3489 ad->u.net.v4info.daddr = ih->daddr;
3490 ret = 0;
3491
3492 if (proto)
3493 *proto = ih->protocol;
3494
3495 switch (ih->protocol) {
3496 case IPPROTO_TCP: {
3497 struct tcphdr _tcph, *th;
3498
3499 if (ntohs(ih->frag_off) & IP_OFFSET)
3500 break;
3501
3502 offset += ihlen;
3503 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3504 if (th == NULL)
3505 break;
3506
3507 ad->u.net.sport = th->source;
3508 ad->u.net.dport = th->dest;
3509 break;
3510 }
3511
3512 case IPPROTO_UDP: {
3513 struct udphdr _udph, *uh;
3514
3515 if (ntohs(ih->frag_off) & IP_OFFSET)
3516 break;
3517
3518 offset += ihlen;
3519 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3520 if (uh == NULL)
3521 break;
3522
3523 ad->u.net.sport = uh->source;
3524 ad->u.net.dport = uh->dest;
3525 break;
3526 }
3527
3528 case IPPROTO_DCCP: {
3529 struct dccp_hdr _dccph, *dh;
3530
3531 if (ntohs(ih->frag_off) & IP_OFFSET)
3532 break;
3533
3534 offset += ihlen;
3535 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3536 if (dh == NULL)
3537 break;
3538
3539 ad->u.net.sport = dh->dccph_sport;
3540 ad->u.net.dport = dh->dccph_dport;
3541 break;
3542 }
3543
3544 default:
3545 break;
3546 }
3547 out:
3548 return ret;
3549 }
3550
3551 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3552
3553 /* Returns error only if unable to parse addresses */
3554 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3555 struct common_audit_data *ad, u8 *proto)
3556 {
3557 u8 nexthdr;
3558 int ret = -EINVAL, offset;
3559 struct ipv6hdr _ipv6h, *ip6;
3560
3561 offset = skb_network_offset(skb);
3562 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3563 if (ip6 == NULL)
3564 goto out;
3565
3566 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3567 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3568 ret = 0;
3569
3570 nexthdr = ip6->nexthdr;
3571 offset += sizeof(_ipv6h);
3572 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3573 if (offset < 0)
3574 goto out;
3575
3576 if (proto)
3577 *proto = nexthdr;
3578
3579 switch (nexthdr) {
3580 case IPPROTO_TCP: {
3581 struct tcphdr _tcph, *th;
3582
3583 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3584 if (th == NULL)
3585 break;
3586
3587 ad->u.net.sport = th->source;
3588 ad->u.net.dport = th->dest;
3589 break;
3590 }
3591
3592 case IPPROTO_UDP: {
3593 struct udphdr _udph, *uh;
3594
3595 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3596 if (uh == NULL)
3597 break;
3598
3599 ad->u.net.sport = uh->source;
3600 ad->u.net.dport = uh->dest;
3601 break;
3602 }
3603
3604 case IPPROTO_DCCP: {
3605 struct dccp_hdr _dccph, *dh;
3606
3607 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3608 if (dh == NULL)
3609 break;
3610
3611 ad->u.net.sport = dh->dccph_sport;
3612 ad->u.net.dport = dh->dccph_dport;
3613 break;
3614 }
3615
3616 /* includes fragments */
3617 default:
3618 break;
3619 }
3620 out:
3621 return ret;
3622 }
3623
3624 #endif /* IPV6 */
3625
3626 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3627 char **_addrp, int src, u8 *proto)
3628 {
3629 char *addrp;
3630 int ret;
3631
3632 switch (ad->u.net.family) {
3633 case PF_INET:
3634 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3635 if (ret)
3636 goto parse_error;
3637 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3638 &ad->u.net.v4info.daddr);
3639 goto okay;
3640
3641 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3642 case PF_INET6:
3643 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3644 if (ret)
3645 goto parse_error;
3646 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3647 &ad->u.net.v6info.daddr);
3648 goto okay;
3649 #endif /* IPV6 */
3650 default:
3651 addrp = NULL;
3652 goto okay;
3653 }
3654
3655 parse_error:
3656 printk(KERN_WARNING
3657 "SELinux: failure in selinux_parse_skb(),"
3658 " unable to parse packet\n");
3659 return ret;
3660
3661 okay:
3662 if (_addrp)
3663 *_addrp = addrp;
3664 return 0;
3665 }
3666
3667 /**
3668 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3669 * @skb: the packet
3670 * @family: protocol family
3671 * @sid: the packet's peer label SID
3672 *
3673 * Description:
3674 * Check the various different forms of network peer labeling and determine
3675 * the peer label/SID for the packet; most of the magic actually occurs in
3676 * the security server function security_net_peersid_cmp(). The function
3677 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3678 * or -EACCES if @sid is invalid due to inconsistencies with the different
3679 * peer labels.
3680 *
3681 */
3682 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3683 {
3684 int err;
3685 u32 xfrm_sid;
3686 u32 nlbl_sid;
3687 u32 nlbl_type;
3688
3689 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3690 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3691
3692 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3693 if (unlikely(err)) {
3694 printk(KERN_WARNING
3695 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3696 " unable to determine packet's peer label\n");
3697 return -EACCES;
3698 }
3699
3700 return 0;
3701 }
3702
3703 /* socket security operations */
3704
3705 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3706 u16 secclass, u32 *socksid)
3707 {
3708 if (tsec->sockcreate_sid > SECSID_NULL) {
3709 *socksid = tsec->sockcreate_sid;
3710 return 0;
3711 }
3712
3713 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3714 socksid);
3715 }
3716
3717 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3718 {
3719 struct sk_security_struct *sksec = sk->sk_security;
3720 struct common_audit_data ad;
3721 u32 tsid = task_sid(task);
3722
3723 if (sksec->sid == SECINITSID_KERNEL)
3724 return 0;
3725
3726 COMMON_AUDIT_DATA_INIT(&ad, NET);
3727 ad.u.net.sk = sk;
3728
3729 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3730 }
3731
3732 static int selinux_socket_create(int family, int type,
3733 int protocol, int kern)
3734 {
3735 const struct task_security_struct *tsec = current_security();
3736 u32 newsid;
3737 u16 secclass;
3738 int rc;
3739
3740 if (kern)
3741 return 0;
3742
3743 secclass = socket_type_to_security_class(family, type, protocol);
3744 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3745 if (rc)
3746 return rc;
3747
3748 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3749 }
3750
3751 static int selinux_socket_post_create(struct socket *sock, int family,
3752 int type, int protocol, int kern)
3753 {
3754 const struct task_security_struct *tsec = current_security();
3755 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3756 struct sk_security_struct *sksec;
3757 int err = 0;
3758
3759 isec->sclass = socket_type_to_security_class(family, type, protocol);
3760
3761 if (kern)
3762 isec->sid = SECINITSID_KERNEL;
3763 else {
3764 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3765 if (err)
3766 return err;
3767 }
3768
3769 isec->initialized = 1;
3770
3771 if (sock->sk) {
3772 sksec = sock->sk->sk_security;
3773 sksec->sid = isec->sid;
3774 sksec->sclass = isec->sclass;
3775 err = selinux_netlbl_socket_post_create(sock->sk, family);
3776 }
3777
3778 return err;
3779 }
3780
3781 /* Range of port numbers used to automatically bind.
3782 Need to determine whether we should perform a name_bind
3783 permission check between the socket and the port number. */
3784
3785 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3786 {
3787 struct sock *sk = sock->sk;
3788 u16 family;
3789 int err;
3790
3791 err = sock_has_perm(current, sk, SOCKET__BIND);
3792 if (err)
3793 goto out;
3794
3795 /*
3796 * If PF_INET or PF_INET6, check name_bind permission for the port.
3797 * Multiple address binding for SCTP is not supported yet: we just
3798 * check the first address now.
3799 */
3800 family = sk->sk_family;
3801 if (family == PF_INET || family == PF_INET6) {
3802 char *addrp;
3803 struct sk_security_struct *sksec = sk->sk_security;
3804 struct common_audit_data ad;
3805 struct sockaddr_in *addr4 = NULL;
3806 struct sockaddr_in6 *addr6 = NULL;
3807 unsigned short snum;
3808 u32 sid, node_perm;
3809
3810 if (family == PF_INET) {
3811 addr4 = (struct sockaddr_in *)address;
3812 snum = ntohs(addr4->sin_port);
3813 addrp = (char *)&addr4->sin_addr.s_addr;
3814 } else {
3815 addr6 = (struct sockaddr_in6 *)address;
3816 snum = ntohs(addr6->sin6_port);
3817 addrp = (char *)&addr6->sin6_addr.s6_addr;
3818 }
3819
3820 if (snum) {
3821 int low, high;
3822
3823 inet_get_local_port_range(&low, &high);
3824
3825 if (snum < max(PROT_SOCK, low) || snum > high) {
3826 err = sel_netport_sid(sk->sk_protocol,
3827 snum, &sid);
3828 if (err)
3829 goto out;
3830 COMMON_AUDIT_DATA_INIT(&ad, NET);
3831 ad.u.net.sport = htons(snum);
3832 ad.u.net.family = family;
3833 err = avc_has_perm(sksec->sid, sid,
3834 sksec->sclass,
3835 SOCKET__NAME_BIND, &ad);
3836 if (err)
3837 goto out;
3838 }
3839 }
3840
3841 switch (sksec->sclass) {
3842 case SECCLASS_TCP_SOCKET:
3843 node_perm = TCP_SOCKET__NODE_BIND;
3844 break;
3845
3846 case SECCLASS_UDP_SOCKET:
3847 node_perm = UDP_SOCKET__NODE_BIND;
3848 break;
3849
3850 case SECCLASS_DCCP_SOCKET:
3851 node_perm = DCCP_SOCKET__NODE_BIND;
3852 break;
3853
3854 default:
3855 node_perm = RAWIP_SOCKET__NODE_BIND;
3856 break;
3857 }
3858
3859 err = sel_netnode_sid(addrp, family, &sid);
3860 if (err)
3861 goto out;
3862
3863 COMMON_AUDIT_DATA_INIT(&ad, NET);
3864 ad.u.net.sport = htons(snum);
3865 ad.u.net.family = family;
3866
3867 if (family == PF_INET)
3868 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3869 else
3870 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3871
3872 err = avc_has_perm(sksec->sid, sid,
3873 sksec->sclass, node_perm, &ad);
3874 if (err)
3875 goto out;
3876 }
3877 out:
3878 return err;
3879 }
3880
3881 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3882 {
3883 struct sock *sk = sock->sk;
3884 struct sk_security_struct *sksec = sk->sk_security;
3885 int err;
3886
3887 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3888 if (err)
3889 return err;
3890
3891 /*
3892 * If a TCP or DCCP socket, check name_connect permission for the port.
3893 */
3894 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3895 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3896 struct common_audit_data ad;
3897 struct sockaddr_in *addr4 = NULL;
3898 struct sockaddr_in6 *addr6 = NULL;
3899 unsigned short snum;
3900 u32 sid, perm;
3901
3902 if (sk->sk_family == PF_INET) {
3903 addr4 = (struct sockaddr_in *)address;
3904 if (addrlen < sizeof(struct sockaddr_in))
3905 return -EINVAL;
3906 snum = ntohs(addr4->sin_port);
3907 } else {
3908 addr6 = (struct sockaddr_in6 *)address;
3909 if (addrlen < SIN6_LEN_RFC2133)
3910 return -EINVAL;
3911 snum = ntohs(addr6->sin6_port);
3912 }
3913
3914 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3915 if (err)
3916 goto out;
3917
3918 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3919 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3920
3921 COMMON_AUDIT_DATA_INIT(&ad, NET);
3922 ad.u.net.dport = htons(snum);
3923 ad.u.net.family = sk->sk_family;
3924 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3925 if (err)
3926 goto out;
3927 }
3928
3929 err = selinux_netlbl_socket_connect(sk, address);
3930
3931 out:
3932 return err;
3933 }
3934
3935 static int selinux_socket_listen(struct socket *sock, int backlog)
3936 {
3937 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3938 }
3939
3940 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3941 {
3942 int err;
3943 struct inode_security_struct *isec;
3944 struct inode_security_struct *newisec;
3945
3946 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3947 if (err)
3948 return err;
3949
3950 newisec = SOCK_INODE(newsock)->i_security;
3951
3952 isec = SOCK_INODE(sock)->i_security;
3953 newisec->sclass = isec->sclass;
3954 newisec->sid = isec->sid;
3955 newisec->initialized = 1;
3956
3957 return 0;
3958 }
3959
3960 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3961 int size)
3962 {
3963 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3964 }
3965
3966 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3967 int size, int flags)
3968 {
3969 return sock_has_perm(current, sock->sk, SOCKET__READ);
3970 }
3971
3972 static int selinux_socket_getsockname(struct socket *sock)
3973 {
3974 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3975 }
3976
3977 static int selinux_socket_getpeername(struct socket *sock)
3978 {
3979 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3980 }
3981
3982 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3983 {
3984 int err;
3985
3986 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3987 if (err)
3988 return err;
3989
3990 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3991 }
3992
3993 static int selinux_socket_getsockopt(struct socket *sock, int level,
3994 int optname)
3995 {
3996 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3997 }
3998
3999 static int selinux_socket_shutdown(struct socket *sock, int how)
4000 {
4001 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4002 }
4003
4004 static int selinux_socket_unix_stream_connect(struct sock *sock,
4005 struct sock *other,
4006 struct sock *newsk)
4007 {
4008 struct sk_security_struct *sksec_sock = sock->sk_security;
4009 struct sk_security_struct *sksec_other = other->sk_security;
4010 struct sk_security_struct *sksec_new = newsk->sk_security;
4011 struct common_audit_data ad;
4012 int err;
4013
4014 COMMON_AUDIT_DATA_INIT(&ad, NET);
4015 ad.u.net.sk = other;
4016
4017 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4018 sksec_other->sclass,
4019 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4020 if (err)
4021 return err;
4022
4023 /* server child socket */
4024 sksec_new->peer_sid = sksec_sock->sid;
4025 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4026 &sksec_new->sid);
4027 if (err)
4028 return err;
4029
4030 /* connecting socket */
4031 sksec_sock->peer_sid = sksec_new->sid;
4032
4033 return 0;
4034 }
4035
4036 static int selinux_socket_unix_may_send(struct socket *sock,
4037 struct socket *other)
4038 {
4039 struct sk_security_struct *ssec = sock->sk->sk_security;
4040 struct sk_security_struct *osec = other->sk->sk_security;
4041 struct common_audit_data ad;
4042
4043 COMMON_AUDIT_DATA_INIT(&ad, NET);
4044 ad.u.net.sk = other->sk;
4045
4046 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4047 &ad);
4048 }
4049
4050 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4051 u32 peer_sid,
4052 struct common_audit_data *ad)
4053 {
4054 int err;
4055 u32 if_sid;
4056 u32 node_sid;
4057
4058 err = sel_netif_sid(ifindex, &if_sid);
4059 if (err)
4060 return err;
4061 err = avc_has_perm(peer_sid, if_sid,
4062 SECCLASS_NETIF, NETIF__INGRESS, ad);
4063 if (err)
4064 return err;
4065
4066 err = sel_netnode_sid(addrp, family, &node_sid);
4067 if (err)
4068 return err;
4069 return avc_has_perm(peer_sid, node_sid,
4070 SECCLASS_NODE, NODE__RECVFROM, ad);
4071 }
4072
4073 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4074 u16 family)
4075 {
4076 int err = 0;
4077 struct sk_security_struct *sksec = sk->sk_security;
4078 u32 sk_sid = sksec->sid;
4079 struct common_audit_data ad;
4080 char *addrp;
4081
4082 COMMON_AUDIT_DATA_INIT(&ad, NET);
4083 ad.u.net.netif = skb->skb_iif;
4084 ad.u.net.family = family;
4085 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4086 if (err)
4087 return err;
4088
4089 if (selinux_secmark_enabled()) {
4090 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4091 PACKET__RECV, &ad);
4092 if (err)
4093 return err;
4094 }
4095
4096 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4097 if (err)
4098 return err;
4099 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4100
4101 return err;
4102 }
4103
4104 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4105 {
4106 int err;
4107 struct sk_security_struct *sksec = sk->sk_security;
4108 u16 family = sk->sk_family;
4109 u32 sk_sid = sksec->sid;
4110 struct common_audit_data ad;
4111 char *addrp;
4112 u8 secmark_active;
4113 u8 peerlbl_active;
4114
4115 if (family != PF_INET && family != PF_INET6)
4116 return 0;
4117
4118 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4119 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4120 family = PF_INET;
4121
4122 /* If any sort of compatibility mode is enabled then handoff processing
4123 * to the selinux_sock_rcv_skb_compat() function to deal with the
4124 * special handling. We do this in an attempt to keep this function
4125 * as fast and as clean as possible. */
4126 if (!selinux_policycap_netpeer)
4127 return selinux_sock_rcv_skb_compat(sk, skb, family);
4128
4129 secmark_active = selinux_secmark_enabled();
4130 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4131 if (!secmark_active && !peerlbl_active)
4132 return 0;
4133
4134 COMMON_AUDIT_DATA_INIT(&ad, NET);
4135 ad.u.net.netif = skb->skb_iif;
4136 ad.u.net.family = family;
4137 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4138 if (err)
4139 return err;
4140
4141 if (peerlbl_active) {
4142 u32 peer_sid;
4143
4144 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4145 if (err)
4146 return err;
4147 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4148 peer_sid, &ad);
4149 if (err) {
4150 selinux_netlbl_err(skb, err, 0);
4151 return err;
4152 }
4153 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4154 PEER__RECV, &ad);
4155 if (err)
4156 selinux_netlbl_err(skb, err, 0);
4157 }
4158
4159 if (secmark_active) {
4160 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4161 PACKET__RECV, &ad);
4162 if (err)
4163 return err;
4164 }
4165
4166 return err;
4167 }
4168
4169 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4170 int __user *optlen, unsigned len)
4171 {
4172 int err = 0;
4173 char *scontext;
4174 u32 scontext_len;
4175 struct sk_security_struct *sksec = sock->sk->sk_security;
4176 u32 peer_sid = SECSID_NULL;
4177
4178 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4179 sksec->sclass == SECCLASS_TCP_SOCKET)
4180 peer_sid = sksec->peer_sid;
4181 if (peer_sid == SECSID_NULL)
4182 return -ENOPROTOOPT;
4183
4184 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4185 if (err)
4186 return err;
4187
4188 if (scontext_len > len) {
4189 err = -ERANGE;
4190 goto out_len;
4191 }
4192
4193 if (copy_to_user(optval, scontext, scontext_len))
4194 err = -EFAULT;
4195
4196 out_len:
4197 if (put_user(scontext_len, optlen))
4198 err = -EFAULT;
4199 kfree(scontext);
4200 return err;
4201 }
4202
4203 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4204 {
4205 u32 peer_secid = SECSID_NULL;
4206 u16 family;
4207
4208 if (skb && skb->protocol == htons(ETH_P_IP))
4209 family = PF_INET;
4210 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4211 family = PF_INET6;
4212 else if (sock)
4213 family = sock->sk->sk_family;
4214 else
4215 goto out;
4216
4217 if (sock && family == PF_UNIX)
4218 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4219 else if (skb)
4220 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4221
4222 out:
4223 *secid = peer_secid;
4224 if (peer_secid == SECSID_NULL)
4225 return -EINVAL;
4226 return 0;
4227 }
4228
4229 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4230 {
4231 struct sk_security_struct *sksec;
4232
4233 sksec = kzalloc(sizeof(*sksec), priority);
4234 if (!sksec)
4235 return -ENOMEM;
4236
4237 sksec->peer_sid = SECINITSID_UNLABELED;
4238 sksec->sid = SECINITSID_UNLABELED;
4239 selinux_netlbl_sk_security_reset(sksec);
4240 sk->sk_security = sksec;
4241
4242 return 0;
4243 }
4244
4245 static void selinux_sk_free_security(struct sock *sk)
4246 {
4247 struct sk_security_struct *sksec = sk->sk_security;
4248
4249 sk->sk_security = NULL;
4250 selinux_netlbl_sk_security_free(sksec);
4251 kfree(sksec);
4252 }
4253
4254 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4255 {
4256 struct sk_security_struct *sksec = sk->sk_security;
4257 struct sk_security_struct *newsksec = newsk->sk_security;
4258
4259 newsksec->sid = sksec->sid;
4260 newsksec->peer_sid = sksec->peer_sid;
4261 newsksec->sclass = sksec->sclass;
4262
4263 selinux_netlbl_sk_security_reset(newsksec);
4264 }
4265
4266 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4267 {
4268 if (!sk)
4269 *secid = SECINITSID_ANY_SOCKET;
4270 else {
4271 struct sk_security_struct *sksec = sk->sk_security;
4272
4273 *secid = sksec->sid;
4274 }
4275 }
4276
4277 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4278 {
4279 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4280 struct sk_security_struct *sksec = sk->sk_security;
4281
4282 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4283 sk->sk_family == PF_UNIX)
4284 isec->sid = sksec->sid;
4285 sksec->sclass = isec->sclass;
4286 }
4287
4288 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4289 struct request_sock *req)
4290 {
4291 struct sk_security_struct *sksec = sk->sk_security;
4292 int err;
4293 u16 family = sk->sk_family;
4294 u32 newsid;
4295 u32 peersid;
4296
4297 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4298 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4299 family = PF_INET;
4300
4301 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4302 if (err)
4303 return err;
4304 if (peersid == SECSID_NULL) {
4305 req->secid = sksec->sid;
4306 req->peer_secid = SECSID_NULL;
4307 } else {
4308 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4309 if (err)
4310 return err;
4311 req->secid = newsid;
4312 req->peer_secid = peersid;
4313 }
4314
4315 return selinux_netlbl_inet_conn_request(req, family);
4316 }
4317
4318 static void selinux_inet_csk_clone(struct sock *newsk,
4319 const struct request_sock *req)
4320 {
4321 struct sk_security_struct *newsksec = newsk->sk_security;
4322
4323 newsksec->sid = req->secid;
4324 newsksec->peer_sid = req->peer_secid;
4325 /* NOTE: Ideally, we should also get the isec->sid for the
4326 new socket in sync, but we don't have the isec available yet.
4327 So we will wait until sock_graft to do it, by which
4328 time it will have been created and available. */
4329
4330 /* We don't need to take any sort of lock here as we are the only
4331 * thread with access to newsksec */
4332 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4333 }
4334
4335 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4336 {
4337 u16 family = sk->sk_family;
4338 struct sk_security_struct *sksec = sk->sk_security;
4339
4340 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4341 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4342 family = PF_INET;
4343
4344 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4345 }
4346
4347 static int selinux_secmark_relabel_packet(u32 sid)
4348 {
4349 const struct task_security_struct *__tsec;
4350 u32 tsid;
4351
4352 __tsec = current_security();
4353 tsid = __tsec->sid;
4354
4355 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4356 }
4357
4358 static void selinux_secmark_refcount_inc(void)
4359 {
4360 atomic_inc(&selinux_secmark_refcount);
4361 }
4362
4363 static void selinux_secmark_refcount_dec(void)
4364 {
4365 atomic_dec(&selinux_secmark_refcount);
4366 }
4367
4368 static void selinux_req_classify_flow(const struct request_sock *req,
4369 struct flowi *fl)
4370 {
4371 fl->flowi_secid = req->secid;
4372 }
4373
4374 static int selinux_tun_dev_create(void)
4375 {
4376 u32 sid = current_sid();
4377
4378 /* we aren't taking into account the "sockcreate" SID since the socket
4379 * that is being created here is not a socket in the traditional sense,
4380 * instead it is a private sock, accessible only to the kernel, and
4381 * representing a wide range of network traffic spanning multiple
4382 * connections unlike traditional sockets - check the TUN driver to
4383 * get a better understanding of why this socket is special */
4384
4385 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4386 NULL);
4387 }
4388
4389 static void selinux_tun_dev_post_create(struct sock *sk)
4390 {
4391 struct sk_security_struct *sksec = sk->sk_security;
4392
4393 /* we don't currently perform any NetLabel based labeling here and it
4394 * isn't clear that we would want to do so anyway; while we could apply
4395 * labeling without the support of the TUN user the resulting labeled
4396 * traffic from the other end of the connection would almost certainly
4397 * cause confusion to the TUN user that had no idea network labeling
4398 * protocols were being used */
4399
4400 /* see the comments in selinux_tun_dev_create() about why we don't use
4401 * the sockcreate SID here */
4402
4403 sksec->sid = current_sid();
4404 sksec->sclass = SECCLASS_TUN_SOCKET;
4405 }
4406
4407 static int selinux_tun_dev_attach(struct sock *sk)
4408 {
4409 struct sk_security_struct *sksec = sk->sk_security;
4410 u32 sid = current_sid();
4411 int err;
4412
4413 err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4414 TUN_SOCKET__RELABELFROM, NULL);
4415 if (err)
4416 return err;
4417 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4418 TUN_SOCKET__RELABELTO, NULL);
4419 if (err)
4420 return err;
4421
4422 sksec->sid = sid;
4423
4424 return 0;
4425 }
4426
4427 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4428 {
4429 int err = 0;
4430 u32 perm;
4431 struct nlmsghdr *nlh;
4432 struct sk_security_struct *sksec = sk->sk_security;
4433
4434 if (skb->len < NLMSG_SPACE(0)) {
4435 err = -EINVAL;
4436 goto out;
4437 }
4438 nlh = nlmsg_hdr(skb);
4439
4440 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4441 if (err) {
4442 if (err == -EINVAL) {
4443 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4444 "SELinux: unrecognized netlink message"
4445 " type=%hu for sclass=%hu\n",
4446 nlh->nlmsg_type, sksec->sclass);
4447 if (!selinux_enforcing || security_get_allow_unknown())
4448 err = 0;
4449 }
4450
4451 /* Ignore */
4452 if (err == -ENOENT)
4453 err = 0;
4454 goto out;
4455 }
4456
4457 err = sock_has_perm(current, sk, perm);
4458 out:
4459 return err;
4460 }
4461
4462 #ifdef CONFIG_NETFILTER
4463
4464 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4465 u16 family)
4466 {
4467 int err;
4468 char *addrp;
4469 u32 peer_sid;
4470 struct common_audit_data ad;
4471 u8 secmark_active;
4472 u8 netlbl_active;
4473 u8 peerlbl_active;
4474
4475 if (!selinux_policycap_netpeer)
4476 return NF_ACCEPT;
4477
4478 secmark_active = selinux_secmark_enabled();
4479 netlbl_active = netlbl_enabled();
4480 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4481 if (!secmark_active && !peerlbl_active)
4482 return NF_ACCEPT;
4483
4484 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4485 return NF_DROP;
4486
4487 COMMON_AUDIT_DATA_INIT(&ad, NET);
4488 ad.u.net.netif = ifindex;
4489 ad.u.net.family = family;
4490 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4491 return NF_DROP;
4492
4493 if (peerlbl_active) {
4494 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4495 peer_sid, &ad);
4496 if (err) {
4497 selinux_netlbl_err(skb, err, 1);
4498 return NF_DROP;
4499 }
4500 }
4501
4502 if (secmark_active)
4503 if (avc_has_perm(peer_sid, skb->secmark,
4504 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4505 return NF_DROP;
4506
4507 if (netlbl_active)
4508 /* we do this in the FORWARD path and not the POST_ROUTING
4509 * path because we want to make sure we apply the necessary
4510 * labeling before IPsec is applied so we can leverage AH
4511 * protection */
4512 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4513 return NF_DROP;
4514
4515 return NF_ACCEPT;
4516 }
4517
4518 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4519 struct sk_buff *skb,
4520 const struct net_device *in,
4521 const struct net_device *out,
4522 int (*okfn)(struct sk_buff *))
4523 {
4524 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4525 }
4526
4527 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4528 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4529 struct sk_buff *skb,
4530 const struct net_device *in,
4531 const struct net_device *out,
4532 int (*okfn)(struct sk_buff *))
4533 {
4534 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4535 }
4536 #endif /* IPV6 */
4537
4538 static unsigned int selinux_ip_output(struct sk_buff *skb,
4539 u16 family)
4540 {
4541 u32 sid;
4542
4543 if (!netlbl_enabled())
4544 return NF_ACCEPT;
4545
4546 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4547 * because we want to make sure we apply the necessary labeling
4548 * before IPsec is applied so we can leverage AH protection */
4549 if (skb->sk) {
4550 struct sk_security_struct *sksec = skb->sk->sk_security;
4551 sid = sksec->sid;
4552 } else
4553 sid = SECINITSID_KERNEL;
4554 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4555 return NF_DROP;
4556
4557 return NF_ACCEPT;
4558 }
4559
4560 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4561 struct sk_buff *skb,
4562 const struct net_device *in,
4563 const struct net_device *out,
4564 int (*okfn)(struct sk_buff *))
4565 {
4566 return selinux_ip_output(skb, PF_INET);
4567 }
4568
4569 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4570 int ifindex,
4571 u16 family)
4572 {
4573 struct sock *sk = skb->sk;
4574 struct sk_security_struct *sksec;
4575 struct common_audit_data ad;
4576 char *addrp;
4577 u8 proto;
4578
4579 if (sk == NULL)
4580 return NF_ACCEPT;
4581 sksec = sk->sk_security;
4582
4583 COMMON_AUDIT_DATA_INIT(&ad, NET);
4584 ad.u.net.netif = ifindex;
4585 ad.u.net.family = family;
4586 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4587 return NF_DROP;
4588
4589 if (selinux_secmark_enabled())
4590 if (avc_has_perm(sksec->sid, skb->secmark,
4591 SECCLASS_PACKET, PACKET__SEND, &ad))
4592 return NF_DROP_ERR(-ECONNREFUSED);
4593
4594 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4595 return NF_DROP_ERR(-ECONNREFUSED);
4596
4597 return NF_ACCEPT;
4598 }
4599
4600 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4601 u16 family)
4602 {
4603 u32 secmark_perm;
4604 u32 peer_sid;
4605 struct sock *sk;
4606 struct common_audit_data ad;
4607 char *addrp;
4608 u8 secmark_active;
4609 u8 peerlbl_active;
4610
4611 /* If any sort of compatibility mode is enabled then handoff processing
4612 * to the selinux_ip_postroute_compat() function to deal with the
4613 * special handling. We do this in an attempt to keep this function
4614 * as fast and as clean as possible. */
4615 if (!selinux_policycap_netpeer)
4616 return selinux_ip_postroute_compat(skb, ifindex, family);
4617 #ifdef CONFIG_XFRM
4618 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4619 * packet transformation so allow the packet to pass without any checks
4620 * since we'll have another chance to perform access control checks
4621 * when the packet is on it's final way out.
4622 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4623 * is NULL, in this case go ahead and apply access control. */
4624 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4625 return NF_ACCEPT;
4626 #endif
4627 secmark_active = selinux_secmark_enabled();
4628 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4629 if (!secmark_active && !peerlbl_active)
4630 return NF_ACCEPT;
4631
4632 /* if the packet is being forwarded then get the peer label from the
4633 * packet itself; otherwise check to see if it is from a local
4634 * application or the kernel, if from an application get the peer label
4635 * from the sending socket, otherwise use the kernel's sid */
4636 sk = skb->sk;
4637 if (sk == NULL) {
4638 if (skb->skb_iif) {
4639 secmark_perm = PACKET__FORWARD_OUT;
4640 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4641 return NF_DROP;
4642 } else {
4643 secmark_perm = PACKET__SEND;
4644 peer_sid = SECINITSID_KERNEL;
4645 }
4646 } else {
4647 struct sk_security_struct *sksec = sk->sk_security;
4648 peer_sid = sksec->sid;
4649 secmark_perm = PACKET__SEND;
4650 }
4651
4652 COMMON_AUDIT_DATA_INIT(&ad, NET);
4653 ad.u.net.netif = ifindex;
4654 ad.u.net.family = family;
4655 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4656 return NF_DROP;
4657
4658 if (secmark_active)
4659 if (avc_has_perm(peer_sid, skb->secmark,
4660 SECCLASS_PACKET, secmark_perm, &ad))
4661 return NF_DROP_ERR(-ECONNREFUSED);
4662
4663 if (peerlbl_active) {
4664 u32 if_sid;
4665 u32 node_sid;
4666
4667 if (sel_netif_sid(ifindex, &if_sid))
4668 return NF_DROP;
4669 if (avc_has_perm(peer_sid, if_sid,
4670 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4671 return NF_DROP_ERR(-ECONNREFUSED);
4672
4673 if (sel_netnode_sid(addrp, family, &node_sid))
4674 return NF_DROP;
4675 if (avc_has_perm(peer_sid, node_sid,
4676 SECCLASS_NODE, NODE__SENDTO, &ad))
4677 return NF_DROP_ERR(-ECONNREFUSED);
4678 }
4679
4680 return NF_ACCEPT;
4681 }
4682
4683 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4684 struct sk_buff *skb,
4685 const struct net_device *in,
4686 const struct net_device *out,
4687 int (*okfn)(struct sk_buff *))
4688 {
4689 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4690 }
4691
4692 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4693 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4694 struct sk_buff *skb,
4695 const struct net_device *in,
4696 const struct net_device *out,
4697 int (*okfn)(struct sk_buff *))
4698 {
4699 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4700 }
4701 #endif /* IPV6 */
4702
4703 #endif /* CONFIG_NETFILTER */
4704
4705 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4706 {
4707 int err;
4708
4709 err = cap_netlink_send(sk, skb);
4710 if (err)
4711 return err;
4712
4713 return selinux_nlmsg_perm(sk, skb);
4714 }
4715
4716 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4717 {
4718 int err;
4719 struct common_audit_data ad;
4720 u32 sid;
4721
4722 err = cap_netlink_recv(skb, capability);
4723 if (err)
4724 return err;
4725
4726 COMMON_AUDIT_DATA_INIT(&ad, CAP);
4727 ad.u.cap = capability;
4728
4729 security_task_getsecid(current, &sid);
4730 return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4731 CAP_TO_MASK(capability), &ad);
4732 }
4733
4734 static int ipc_alloc_security(struct task_struct *task,
4735 struct kern_ipc_perm *perm,
4736 u16 sclass)
4737 {
4738 struct ipc_security_struct *isec;
4739 u32 sid;
4740
4741 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4742 if (!isec)
4743 return -ENOMEM;
4744
4745 sid = task_sid(task);
4746 isec->sclass = sclass;
4747 isec->sid = sid;
4748 perm->security = isec;
4749
4750 return 0;
4751 }
4752
4753 static void ipc_free_security(struct kern_ipc_perm *perm)
4754 {
4755 struct ipc_security_struct *isec = perm->security;
4756 perm->security = NULL;
4757 kfree(isec);
4758 }
4759
4760 static int msg_msg_alloc_security(struct msg_msg *msg)
4761 {
4762 struct msg_security_struct *msec;
4763
4764 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4765 if (!msec)
4766 return -ENOMEM;
4767
4768 msec->sid = SECINITSID_UNLABELED;
4769 msg->security = msec;
4770
4771 return 0;
4772 }
4773
4774 static void msg_msg_free_security(struct msg_msg *msg)
4775 {
4776 struct msg_security_struct *msec = msg->security;
4777
4778 msg->security = NULL;
4779 kfree(msec);
4780 }
4781
4782 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4783 u32 perms)
4784 {
4785 struct ipc_security_struct *isec;
4786 struct common_audit_data ad;
4787 u32 sid = current_sid();
4788
4789 isec = ipc_perms->security;
4790
4791 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4792 ad.u.ipc_id = ipc_perms->key;
4793
4794 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4795 }
4796
4797 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4798 {
4799 return msg_msg_alloc_security(msg);
4800 }
4801
4802 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4803 {
4804 msg_msg_free_security(msg);
4805 }
4806
4807 /* message queue security operations */
4808 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4809 {
4810 struct ipc_security_struct *isec;
4811 struct common_audit_data ad;
4812 u32 sid = current_sid();
4813 int rc;
4814
4815 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4816 if (rc)
4817 return rc;
4818
4819 isec = msq->q_perm.security;
4820
4821 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4822 ad.u.ipc_id = msq->q_perm.key;
4823
4824 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4825 MSGQ__CREATE, &ad);
4826 if (rc) {
4827 ipc_free_security(&msq->q_perm);
4828 return rc;
4829 }
4830 return 0;
4831 }
4832
4833 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4834 {
4835 ipc_free_security(&msq->q_perm);
4836 }
4837
4838 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4839 {
4840 struct ipc_security_struct *isec;
4841 struct common_audit_data ad;
4842 u32 sid = current_sid();
4843
4844 isec = msq->q_perm.security;
4845
4846 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4847 ad.u.ipc_id = msq->q_perm.key;
4848
4849 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4850 MSGQ__ASSOCIATE, &ad);
4851 }
4852
4853 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4854 {
4855 int err;
4856 int perms;
4857
4858 switch (cmd) {
4859 case IPC_INFO:
4860 case MSG_INFO:
4861 /* No specific object, just general system-wide information. */
4862 return task_has_system(current, SYSTEM__IPC_INFO);
4863 case IPC_STAT:
4864 case MSG_STAT:
4865 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4866 break;
4867 case IPC_SET:
4868 perms = MSGQ__SETATTR;
4869 break;
4870 case IPC_RMID:
4871 perms = MSGQ__DESTROY;
4872 break;
4873 default:
4874 return 0;
4875 }
4876
4877 err = ipc_has_perm(&msq->q_perm, perms);
4878 return err;
4879 }
4880
4881 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4882 {
4883 struct ipc_security_struct *isec;
4884 struct msg_security_struct *msec;
4885 struct common_audit_data ad;
4886 u32 sid = current_sid();
4887 int rc;
4888
4889 isec = msq->q_perm.security;
4890 msec = msg->security;
4891
4892 /*
4893 * First time through, need to assign label to the message
4894 */
4895 if (msec->sid == SECINITSID_UNLABELED) {
4896 /*
4897 * Compute new sid based on current process and
4898 * message queue this message will be stored in
4899 */
4900 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4901 NULL, &msec->sid);
4902 if (rc)
4903 return rc;
4904 }
4905
4906 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4907 ad.u.ipc_id = msq->q_perm.key;
4908
4909 /* Can this process write to the queue? */
4910 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4911 MSGQ__WRITE, &ad);
4912 if (!rc)
4913 /* Can this process send the message */
4914 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4915 MSG__SEND, &ad);
4916 if (!rc)
4917 /* Can the message be put in the queue? */
4918 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4919 MSGQ__ENQUEUE, &ad);
4920
4921 return rc;
4922 }
4923
4924 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4925 struct task_struct *target,
4926 long type, int mode)
4927 {
4928 struct ipc_security_struct *isec;
4929 struct msg_security_struct *msec;
4930 struct common_audit_data ad;
4931 u32 sid = task_sid(target);
4932 int rc;
4933
4934 isec = msq->q_perm.security;
4935 msec = msg->security;
4936
4937 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4938 ad.u.ipc_id = msq->q_perm.key;
4939
4940 rc = avc_has_perm(sid, isec->sid,
4941 SECCLASS_MSGQ, MSGQ__READ, &ad);
4942 if (!rc)
4943 rc = avc_has_perm(sid, msec->sid,
4944 SECCLASS_MSG, MSG__RECEIVE, &ad);
4945 return rc;
4946 }
4947
4948 /* Shared Memory security operations */
4949 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4950 {
4951 struct ipc_security_struct *isec;
4952 struct common_audit_data ad;
4953 u32 sid = current_sid();
4954 int rc;
4955
4956 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4957 if (rc)
4958 return rc;
4959
4960 isec = shp->shm_perm.security;
4961
4962 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4963 ad.u.ipc_id = shp->shm_perm.key;
4964
4965 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4966 SHM__CREATE, &ad);
4967 if (rc) {
4968 ipc_free_security(&shp->shm_perm);
4969 return rc;
4970 }
4971 return 0;
4972 }
4973
4974 static void selinux_shm_free_security(struct shmid_kernel *shp)
4975 {
4976 ipc_free_security(&shp->shm_perm);
4977 }
4978
4979 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4980 {
4981 struct ipc_security_struct *isec;
4982 struct common_audit_data ad;
4983 u32 sid = current_sid();
4984
4985 isec = shp->shm_perm.security;
4986
4987 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4988 ad.u.ipc_id = shp->shm_perm.key;
4989
4990 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4991 SHM__ASSOCIATE, &ad);
4992 }
4993
4994 /* Note, at this point, shp is locked down */
4995 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4996 {
4997 int perms;
4998 int err;
4999
5000 switch (cmd) {
5001 case IPC_INFO:
5002 case SHM_INFO:
5003 /* No specific object, just general system-wide information. */
5004 return task_has_system(current, SYSTEM__IPC_INFO);
5005 case IPC_STAT:
5006 case SHM_STAT:
5007 perms = SHM__GETATTR | SHM__ASSOCIATE;
5008 break;
5009 case IPC_SET:
5010 perms = SHM__SETATTR;
5011 break;
5012 case SHM_LOCK:
5013 case SHM_UNLOCK:
5014 perms = SHM__LOCK;
5015 break;
5016 case IPC_RMID:
5017 perms = SHM__DESTROY;
5018 break;
5019 default:
5020 return 0;
5021 }
5022
5023 err = ipc_has_perm(&shp->shm_perm, perms);
5024 return err;
5025 }
5026
5027 static int selinux_shm_shmat(struct shmid_kernel *shp,
5028 char __user *shmaddr, int shmflg)
5029 {
5030 u32 perms;
5031
5032 if (shmflg & SHM_RDONLY)
5033 perms = SHM__READ;
5034 else
5035 perms = SHM__READ | SHM__WRITE;
5036
5037 return ipc_has_perm(&shp->shm_perm, perms);
5038 }
5039
5040 /* Semaphore security operations */
5041 static int selinux_sem_alloc_security(struct sem_array *sma)
5042 {
5043 struct ipc_security_struct *isec;
5044 struct common_audit_data ad;
5045 u32 sid = current_sid();
5046 int rc;
5047
5048 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5049 if (rc)
5050 return rc;
5051
5052 isec = sma->sem_perm.security;
5053
5054 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5055 ad.u.ipc_id = sma->sem_perm.key;
5056
5057 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5058 SEM__CREATE, &ad);
5059 if (rc) {
5060 ipc_free_security(&sma->sem_perm);
5061 return rc;
5062 }
5063 return 0;
5064 }
5065
5066 static void selinux_sem_free_security(struct sem_array *sma)
5067 {
5068 ipc_free_security(&sma->sem_perm);
5069 }
5070
5071 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5072 {
5073 struct ipc_security_struct *isec;
5074 struct common_audit_data ad;
5075 u32 sid = current_sid();
5076
5077 isec = sma->sem_perm.security;
5078
5079 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5080 ad.u.ipc_id = sma->sem_perm.key;
5081
5082 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5083 SEM__ASSOCIATE, &ad);
5084 }
5085
5086 /* Note, at this point, sma is locked down */
5087 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5088 {
5089 int err;
5090 u32 perms;
5091
5092 switch (cmd) {
5093 case IPC_INFO:
5094 case SEM_INFO:
5095 /* No specific object, just general system-wide information. */
5096 return task_has_system(current, SYSTEM__IPC_INFO);
5097 case GETPID:
5098 case GETNCNT:
5099 case GETZCNT:
5100 perms = SEM__GETATTR;
5101 break;
5102 case GETVAL:
5103 case GETALL:
5104 perms = SEM__READ;
5105 break;
5106 case SETVAL:
5107 case SETALL:
5108 perms = SEM__WRITE;
5109 break;
5110 case IPC_RMID:
5111 perms = SEM__DESTROY;
5112 break;
5113 case IPC_SET:
5114 perms = SEM__SETATTR;
5115 break;
5116 case IPC_STAT:
5117 case SEM_STAT:
5118 perms = SEM__GETATTR | SEM__ASSOCIATE;
5119 break;
5120 default:
5121 return 0;
5122 }
5123
5124 err = ipc_has_perm(&sma->sem_perm, perms);
5125 return err;
5126 }
5127
5128 static int selinux_sem_semop(struct sem_array *sma,
5129 struct sembuf *sops, unsigned nsops, int alter)
5130 {
5131 u32 perms;
5132
5133 if (alter)
5134 perms = SEM__READ | SEM__WRITE;
5135 else
5136 perms = SEM__READ;
5137
5138 return ipc_has_perm(&sma->sem_perm, perms);
5139 }
5140
5141 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5142 {
5143 u32 av = 0;
5144
5145 av = 0;
5146 if (flag & S_IRUGO)
5147 av |= IPC__UNIX_READ;
5148 if (flag & S_IWUGO)
5149 av |= IPC__UNIX_WRITE;
5150
5151 if (av == 0)
5152 return 0;
5153
5154 return ipc_has_perm(ipcp, av);
5155 }
5156
5157 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5158 {
5159 struct ipc_security_struct *isec = ipcp->security;
5160 *secid = isec->sid;
5161 }
5162
5163 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5164 {
5165 if (inode)
5166 inode_doinit_with_dentry(inode, dentry);
5167 }
5168
5169 static int selinux_getprocattr(struct task_struct *p,
5170 char *name, char **value)
5171 {
5172 const struct task_security_struct *__tsec;
5173 u32 sid;
5174 int error;
5175 unsigned len;
5176
5177 if (current != p) {
5178 error = current_has_perm(p, PROCESS__GETATTR);
5179 if (error)
5180 return error;
5181 }
5182
5183 rcu_read_lock();
5184 __tsec = __task_cred(p)->security;
5185
5186 if (!strcmp(name, "current"))
5187 sid = __tsec->sid;
5188 else if (!strcmp(name, "prev"))
5189 sid = __tsec->osid;
5190 else if (!strcmp(name, "exec"))
5191 sid = __tsec->exec_sid;
5192 else if (!strcmp(name, "fscreate"))
5193 sid = __tsec->create_sid;
5194 else if (!strcmp(name, "keycreate"))
5195 sid = __tsec->keycreate_sid;
5196 else if (!strcmp(name, "sockcreate"))
5197 sid = __tsec->sockcreate_sid;
5198 else
5199 goto invalid;
5200 rcu_read_unlock();
5201
5202 if (!sid)
5203 return 0;
5204
5205 error = security_sid_to_context(sid, value, &len);
5206 if (error)
5207 return error;
5208 return len;
5209
5210 invalid:
5211 rcu_read_unlock();
5212 return -EINVAL;
5213 }
5214
5215 static int selinux_setprocattr(struct task_struct *p,
5216 char *name, void *value, size_t size)
5217 {
5218 struct task_security_struct *tsec;
5219 struct task_struct *tracer;
5220 struct cred *new;
5221 u32 sid = 0, ptsid;
5222 int error;
5223 char *str = value;
5224
5225 if (current != p) {
5226 /* SELinux only allows a process to change its own
5227 security attributes. */
5228 return -EACCES;
5229 }
5230
5231 /*
5232 * Basic control over ability to set these attributes at all.
5233 * current == p, but we'll pass them separately in case the
5234 * above restriction is ever removed.
5235 */
5236 if (!strcmp(name, "exec"))
5237 error = current_has_perm(p, PROCESS__SETEXEC);
5238 else if (!strcmp(name, "fscreate"))
5239 error = current_has_perm(p, PROCESS__SETFSCREATE);
5240 else if (!strcmp(name, "keycreate"))
5241 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5242 else if (!strcmp(name, "sockcreate"))
5243 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5244 else if (!strcmp(name, "current"))
5245 error = current_has_perm(p, PROCESS__SETCURRENT);
5246 else
5247 error = -EINVAL;
5248 if (error)
5249 return error;
5250
5251 /* Obtain a SID for the context, if one was specified. */
5252 if (size && str[1] && str[1] != '\n') {
5253 if (str[size-1] == '\n') {
5254 str[size-1] = 0;
5255 size--;
5256 }
5257 error = security_context_to_sid(value, size, &sid);
5258 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5259 if (!capable(CAP_MAC_ADMIN))
5260 return error;
5261 error = security_context_to_sid_force(value, size,
5262 &sid);
5263 }
5264 if (error)
5265 return error;
5266 }
5267
5268 new = prepare_creds();
5269 if (!new)
5270 return -ENOMEM;
5271
5272 /* Permission checking based on the specified context is
5273 performed during the actual operation (execve,
5274 open/mkdir/...), when we know the full context of the
5275 operation. See selinux_bprm_set_creds for the execve
5276 checks and may_create for the file creation checks. The
5277 operation will then fail if the context is not permitted. */
5278 tsec = new->security;
5279 if (!strcmp(name, "exec")) {
5280 tsec->exec_sid = sid;
5281 } else if (!strcmp(name, "fscreate")) {
5282 tsec->create_sid = sid;
5283 } else if (!strcmp(name, "keycreate")) {
5284 error = may_create_key(sid, p);
5285 if (error)
5286 goto abort_change;
5287 tsec->keycreate_sid = sid;
5288 } else if (!strcmp(name, "sockcreate")) {
5289 tsec->sockcreate_sid = sid;
5290 } else if (!strcmp(name, "current")) {
5291 error = -EINVAL;
5292 if (sid == 0)
5293 goto abort_change;
5294
5295 /* Only allow single threaded processes to change context */
5296 error = -EPERM;
5297 if (!current_is_single_threaded()) {
5298 error = security_bounded_transition(tsec->sid, sid);
5299 if (error)
5300 goto abort_change;
5301 }
5302
5303 /* Check permissions for the transition. */
5304 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5305 PROCESS__DYNTRANSITION, NULL);
5306 if (error)
5307 goto abort_change;
5308
5309 /* Check for ptracing, and update the task SID if ok.
5310 Otherwise, leave SID unchanged and fail. */
5311 ptsid = 0;
5312 task_lock(p);
5313 tracer = ptrace_parent(p);
5314 if (tracer)
5315 ptsid = task_sid(tracer);
5316 task_unlock(p);
5317
5318 if (tracer) {
5319 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5320 PROCESS__PTRACE, NULL);
5321 if (error)
5322 goto abort_change;
5323 }
5324
5325 tsec->sid = sid;
5326 } else {
5327 error = -EINVAL;
5328 goto abort_change;
5329 }
5330
5331 commit_creds(new);
5332 return size;
5333
5334 abort_change:
5335 abort_creds(new);
5336 return error;
5337 }
5338
5339 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5340 {
5341 return security_sid_to_context(secid, secdata, seclen);
5342 }
5343
5344 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5345 {
5346 return security_context_to_sid(secdata, seclen, secid);
5347 }
5348
5349 static void selinux_release_secctx(char *secdata, u32 seclen)
5350 {
5351 kfree(secdata);
5352 }
5353
5354 /*
5355 * called with inode->i_mutex locked
5356 */
5357 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5358 {
5359 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5360 }
5361
5362 /*
5363 * called with inode->i_mutex locked
5364 */
5365 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5366 {
5367 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5368 }
5369
5370 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5371 {
5372 int len = 0;
5373 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5374 ctx, true);
5375 if (len < 0)
5376 return len;
5377 *ctxlen = len;
5378 return 0;
5379 }
5380 #ifdef CONFIG_KEYS
5381
5382 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5383 unsigned long flags)
5384 {
5385 const struct task_security_struct *tsec;
5386 struct key_security_struct *ksec;
5387
5388 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5389 if (!ksec)
5390 return -ENOMEM;
5391
5392 tsec = cred->security;
5393 if (tsec->keycreate_sid)
5394 ksec->sid = tsec->keycreate_sid;
5395 else
5396 ksec->sid = tsec->sid;
5397
5398 k->security = ksec;
5399 return 0;
5400 }
5401
5402 static void selinux_key_free(struct key *k)
5403 {
5404 struct key_security_struct *ksec = k->security;
5405
5406 k->security = NULL;
5407 kfree(ksec);
5408 }
5409
5410 static int selinux_key_permission(key_ref_t key_ref,
5411 const struct cred *cred,
5412 key_perm_t perm)
5413 {
5414 struct key *key;
5415 struct key_security_struct *ksec;
5416 u32 sid;
5417
5418 /* if no specific permissions are requested, we skip the
5419 permission check. No serious, additional covert channels
5420 appear to be created. */
5421 if (perm == 0)
5422 return 0;
5423
5424 sid = cred_sid(cred);
5425
5426 key = key_ref_to_ptr(key_ref);
5427 ksec = key->security;
5428
5429 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5430 }
5431
5432 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5433 {
5434 struct key_security_struct *ksec = key->security;
5435 char *context = NULL;
5436 unsigned len;
5437 int rc;
5438
5439 rc = security_sid_to_context(ksec->sid, &context, &len);
5440 if (!rc)
5441 rc = len;
5442 *_buffer = context;
5443 return rc;
5444 }
5445
5446 #endif
5447
5448 static struct security_operations selinux_ops = {
5449 .name = "selinux",
5450
5451 .ptrace_access_check = selinux_ptrace_access_check,
5452 .ptrace_traceme = selinux_ptrace_traceme,
5453 .capget = selinux_capget,
5454 .capset = selinux_capset,
5455 .capable = selinux_capable,
5456 .quotactl = selinux_quotactl,
5457 .quota_on = selinux_quota_on,
5458 .syslog = selinux_syslog,
5459 .vm_enough_memory = selinux_vm_enough_memory,
5460
5461 .netlink_send = selinux_netlink_send,
5462 .netlink_recv = selinux_netlink_recv,
5463
5464 .bprm_set_creds = selinux_bprm_set_creds,
5465 .bprm_committing_creds = selinux_bprm_committing_creds,
5466 .bprm_committed_creds = selinux_bprm_committed_creds,
5467 .bprm_secureexec = selinux_bprm_secureexec,
5468
5469 .sb_alloc_security = selinux_sb_alloc_security,
5470 .sb_free_security = selinux_sb_free_security,
5471 .sb_copy_data = selinux_sb_copy_data,
5472 .sb_remount = selinux_sb_remount,
5473 .sb_kern_mount = selinux_sb_kern_mount,
5474 .sb_show_options = selinux_sb_show_options,
5475 .sb_statfs = selinux_sb_statfs,
5476 .sb_mount = selinux_mount,
5477 .sb_umount = selinux_umount,
5478 .sb_set_mnt_opts = selinux_set_mnt_opts,
5479 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5480 .sb_parse_opts_str = selinux_parse_opts_str,
5481
5482
5483 .inode_alloc_security = selinux_inode_alloc_security,
5484 .inode_free_security = selinux_inode_free_security,
5485 .inode_init_security = selinux_inode_init_security,
5486 .inode_create = selinux_inode_create,
5487 .inode_link = selinux_inode_link,
5488 .inode_unlink = selinux_inode_unlink,
5489 .inode_symlink = selinux_inode_symlink,
5490 .inode_mkdir = selinux_inode_mkdir,
5491 .inode_rmdir = selinux_inode_rmdir,
5492 .inode_mknod = selinux_inode_mknod,
5493 .inode_rename = selinux_inode_rename,
5494 .inode_readlink = selinux_inode_readlink,
5495 .inode_follow_link = selinux_inode_follow_link,
5496 .inode_permission = selinux_inode_permission,
5497 .inode_setattr = selinux_inode_setattr,
5498 .inode_getattr = selinux_inode_getattr,
5499 .inode_setxattr = selinux_inode_setxattr,
5500 .inode_post_setxattr = selinux_inode_post_setxattr,
5501 .inode_getxattr = selinux_inode_getxattr,
5502 .inode_listxattr = selinux_inode_listxattr,
5503 .inode_removexattr = selinux_inode_removexattr,
5504 .inode_getsecurity = selinux_inode_getsecurity,
5505 .inode_setsecurity = selinux_inode_setsecurity,
5506 .inode_listsecurity = selinux_inode_listsecurity,
5507 .inode_getsecid = selinux_inode_getsecid,
5508
5509 .file_permission = selinux_file_permission,
5510 .file_alloc_security = selinux_file_alloc_security,
5511 .file_free_security = selinux_file_free_security,
5512 .file_ioctl = selinux_file_ioctl,
5513 .file_mmap = selinux_file_mmap,
5514 .file_mprotect = selinux_file_mprotect,
5515 .file_lock = selinux_file_lock,
5516 .file_fcntl = selinux_file_fcntl,
5517 .file_set_fowner = selinux_file_set_fowner,
5518 .file_send_sigiotask = selinux_file_send_sigiotask,
5519 .file_receive = selinux_file_receive,
5520
5521 .dentry_open = selinux_dentry_open,
5522
5523 .task_create = selinux_task_create,
5524 .cred_alloc_blank = selinux_cred_alloc_blank,
5525 .cred_free = selinux_cred_free,
5526 .cred_prepare = selinux_cred_prepare,
5527 .cred_transfer = selinux_cred_transfer,
5528 .kernel_act_as = selinux_kernel_act_as,
5529 .kernel_create_files_as = selinux_kernel_create_files_as,
5530 .kernel_module_request = selinux_kernel_module_request,
5531 .task_setpgid = selinux_task_setpgid,
5532 .task_getpgid = selinux_task_getpgid,
5533 .task_getsid = selinux_task_getsid,
5534 .task_getsecid = selinux_task_getsecid,
5535 .task_setnice = selinux_task_setnice,
5536 .task_setioprio = selinux_task_setioprio,
5537 .task_getioprio = selinux_task_getioprio,
5538 .task_setrlimit = selinux_task_setrlimit,
5539 .task_setscheduler = selinux_task_setscheduler,
5540 .task_getscheduler = selinux_task_getscheduler,
5541 .task_movememory = selinux_task_movememory,
5542 .task_kill = selinux_task_kill,
5543 .task_wait = selinux_task_wait,
5544 .task_to_inode = selinux_task_to_inode,
5545
5546 .ipc_permission = selinux_ipc_permission,
5547 .ipc_getsecid = selinux_ipc_getsecid,
5548
5549 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5550 .msg_msg_free_security = selinux_msg_msg_free_security,
5551
5552 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5553 .msg_queue_free_security = selinux_msg_queue_free_security,
5554 .msg_queue_associate = selinux_msg_queue_associate,
5555 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5556 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5557 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5558
5559 .shm_alloc_security = selinux_shm_alloc_security,
5560 .shm_free_security = selinux_shm_free_security,
5561 .shm_associate = selinux_shm_associate,
5562 .shm_shmctl = selinux_shm_shmctl,
5563 .shm_shmat = selinux_shm_shmat,
5564
5565 .sem_alloc_security = selinux_sem_alloc_security,
5566 .sem_free_security = selinux_sem_free_security,
5567 .sem_associate = selinux_sem_associate,
5568 .sem_semctl = selinux_sem_semctl,
5569 .sem_semop = selinux_sem_semop,
5570
5571 .d_instantiate = selinux_d_instantiate,
5572
5573 .getprocattr = selinux_getprocattr,
5574 .setprocattr = selinux_setprocattr,
5575
5576 .secid_to_secctx = selinux_secid_to_secctx,
5577 .secctx_to_secid = selinux_secctx_to_secid,
5578 .release_secctx = selinux_release_secctx,
5579 .inode_notifysecctx = selinux_inode_notifysecctx,
5580 .inode_setsecctx = selinux_inode_setsecctx,
5581 .inode_getsecctx = selinux_inode_getsecctx,
5582
5583 .unix_stream_connect = selinux_socket_unix_stream_connect,
5584 .unix_may_send = selinux_socket_unix_may_send,
5585
5586 .socket_create = selinux_socket_create,
5587 .socket_post_create = selinux_socket_post_create,
5588 .socket_bind = selinux_socket_bind,
5589 .socket_connect = selinux_socket_connect,
5590 .socket_listen = selinux_socket_listen,
5591 .socket_accept = selinux_socket_accept,
5592 .socket_sendmsg = selinux_socket_sendmsg,
5593 .socket_recvmsg = selinux_socket_recvmsg,
5594 .socket_getsockname = selinux_socket_getsockname,
5595 .socket_getpeername = selinux_socket_getpeername,
5596 .socket_getsockopt = selinux_socket_getsockopt,
5597 .socket_setsockopt = selinux_socket_setsockopt,
5598 .socket_shutdown = selinux_socket_shutdown,
5599 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5600 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5601 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5602 .sk_alloc_security = selinux_sk_alloc_security,
5603 .sk_free_security = selinux_sk_free_security,
5604 .sk_clone_security = selinux_sk_clone_security,
5605 .sk_getsecid = selinux_sk_getsecid,
5606 .sock_graft = selinux_sock_graft,
5607 .inet_conn_request = selinux_inet_conn_request,
5608 .inet_csk_clone = selinux_inet_csk_clone,
5609 .inet_conn_established = selinux_inet_conn_established,
5610 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5611 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5612 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5613 .req_classify_flow = selinux_req_classify_flow,
5614 .tun_dev_create = selinux_tun_dev_create,
5615 .tun_dev_post_create = selinux_tun_dev_post_create,
5616 .tun_dev_attach = selinux_tun_dev_attach,
5617
5618 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5619 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5620 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5621 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5622 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5623 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5624 .xfrm_state_free_security = selinux_xfrm_state_free,
5625 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5626 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5627 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5628 .xfrm_decode_session = selinux_xfrm_decode_session,
5629 #endif
5630
5631 #ifdef CONFIG_KEYS
5632 .key_alloc = selinux_key_alloc,
5633 .key_free = selinux_key_free,
5634 .key_permission = selinux_key_permission,
5635 .key_getsecurity = selinux_key_getsecurity,
5636 #endif
5637
5638 #ifdef CONFIG_AUDIT
5639 .audit_rule_init = selinux_audit_rule_init,
5640 .audit_rule_known = selinux_audit_rule_known,
5641 .audit_rule_match = selinux_audit_rule_match,
5642 .audit_rule_free = selinux_audit_rule_free,
5643 #endif
5644 };
5645
5646 static __init int selinux_init(void)
5647 {
5648 if (!security_module_enable(&selinux_ops)) {
5649 selinux_enabled = 0;
5650 return 0;
5651 }
5652
5653 if (!selinux_enabled) {
5654 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5655 return 0;
5656 }
5657
5658 printk(KERN_INFO "SELinux: Initializing.\n");
5659
5660 /* Set the security state for the initial task. */
5661 cred_init_security();
5662
5663 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5664
5665 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5666 sizeof(struct inode_security_struct),
5667 0, SLAB_PANIC, NULL);
5668 avc_init();
5669
5670 if (register_security(&selinux_ops))
5671 panic("SELinux: Unable to register with kernel.\n");
5672
5673 if (selinux_enforcing)
5674 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5675 else
5676 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5677
5678 return 0;
5679 }
5680
5681 static void delayed_superblock_init(struct super_block *sb, void *unused)
5682 {
5683 superblock_doinit(sb, NULL);
5684 }
5685
5686 void selinux_complete_init(void)
5687 {
5688 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5689
5690 /* Set up any superblocks initialized prior to the policy load. */
5691 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5692 iterate_supers(delayed_superblock_init, NULL);
5693 }
5694
5695 /* SELinux requires early initialization in order to label
5696 all processes and objects when they are created. */
5697 security_initcall(selinux_init);
5698
5699 #if defined(CONFIG_NETFILTER)
5700
5701 static struct nf_hook_ops selinux_ipv4_ops[] = {
5702 {
5703 .hook = selinux_ipv4_postroute,
5704 .owner = THIS_MODULE,
5705 .pf = PF_INET,
5706 .hooknum = NF_INET_POST_ROUTING,
5707 .priority = NF_IP_PRI_SELINUX_LAST,
5708 },
5709 {
5710 .hook = selinux_ipv4_forward,
5711 .owner = THIS_MODULE,
5712 .pf = PF_INET,
5713 .hooknum = NF_INET_FORWARD,
5714 .priority = NF_IP_PRI_SELINUX_FIRST,
5715 },
5716 {
5717 .hook = selinux_ipv4_output,
5718 .owner = THIS_MODULE,
5719 .pf = PF_INET,
5720 .hooknum = NF_INET_LOCAL_OUT,
5721 .priority = NF_IP_PRI_SELINUX_FIRST,
5722 }
5723 };
5724
5725 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5726
5727 static struct nf_hook_ops selinux_ipv6_ops[] = {
5728 {
5729 .hook = selinux_ipv6_postroute,
5730 .owner = THIS_MODULE,
5731 .pf = PF_INET6,
5732 .hooknum = NF_INET_POST_ROUTING,
5733 .priority = NF_IP6_PRI_SELINUX_LAST,
5734 },
5735 {
5736 .hook = selinux_ipv6_forward,
5737 .owner = THIS_MODULE,
5738 .pf = PF_INET6,
5739 .hooknum = NF_INET_FORWARD,
5740 .priority = NF_IP6_PRI_SELINUX_FIRST,
5741 }
5742 };
5743
5744 #endif /* IPV6 */
5745
5746 static int __init selinux_nf_ip_init(void)
5747 {
5748 int err = 0;
5749
5750 if (!selinux_enabled)
5751 goto out;
5752
5753 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5754
5755 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5756 if (err)
5757 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5758
5759 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5760 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5761 if (err)
5762 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5763 #endif /* IPV6 */
5764
5765 out:
5766 return err;
5767 }
5768
5769 __initcall(selinux_nf_ip_init);
5770
5771 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5772 static void selinux_nf_ip_exit(void)
5773 {
5774 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5775
5776 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5777 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5778 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5779 #endif /* IPV6 */
5780 }
5781 #endif
5782
5783 #else /* CONFIG_NETFILTER */
5784
5785 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5786 #define selinux_nf_ip_exit()
5787 #endif
5788
5789 #endif /* CONFIG_NETFILTER */
5790
5791 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5792 static int selinux_disabled;
5793
5794 int selinux_disable(void)
5795 {
5796 if (ss_initialized) {
5797 /* Not permitted after initial policy load. */
5798 return -EINVAL;
5799 }
5800
5801 if (selinux_disabled) {
5802 /* Only do this once. */
5803 return -EINVAL;
5804 }
5805
5806 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5807
5808 selinux_disabled = 1;
5809 selinux_enabled = 0;
5810
5811 reset_security_ops();
5812
5813 /* Try to destroy the avc node cache */
5814 avc_disable();
5815
5816 /* Unregister netfilter hooks. */
5817 selinux_nf_ip_exit();
5818
5819 /* Unregister selinuxfs. */
5820 exit_sel_fs();
5821
5822 return 0;
5823 }
5824 #endif
Linux kernel - Deliverables
This page took 0.157257 seconds and 5 git commands to generate.