projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 into for-linus
[deliverable/linux.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141 *
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
147 *
148 */
149 static int selinux_secmark_enabled(void)
150 {
151 return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158 struct task_security_struct *tsec;
159
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161 if (!tsec)
162 return -ENOMEM;
163
164 tsec->task = task;
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
167
168 return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
175 kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
182
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
184 if (!isec)
185 return -ENOMEM;
186
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
189 isec->inode = inode;
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
194
195 return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
207
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
216
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218 if (!fsec)
219 return -ENOMEM;
220
221 fsec->file = file;
222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
224 file->f_security = fsec;
225
226 return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231 struct file_security_struct *fsec = file->f_security;
232 file->f_security = NULL;
233 kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238 struct superblock_security_struct *sbsec;
239
240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241 if (!sbsec)
242 return -ENOMEM;
243
244 mutex_init(&sbsec->lock);
245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252 sb->s_security = sbsec;
253
254 return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259 struct superblock_security_struct *sbsec = sb->s_security;
260
261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
265
266 sb->s_security = NULL;
267 kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272 struct sk_security_struct *ssec;
273
274 ssec = kzalloc(sizeof(*ssec), priority);
275 if (!ssec)
276 return -ENOMEM;
277
278 ssec->sk = sk;
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 ssec->sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
282
283 selinux_netlbl_sk_security_init(ssec, family);
284
285 return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290 struct sk_security_struct *ssec = sk->sk_security;
291
292 sk->sk_security = NULL;
293 kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315 return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319 Opt_error = -1,
320 Opt_context = 1,
321 Opt_fscontext = 2,
322 Opt_defcontext = 3,
323 Opt_rootcontext = 4,
324 };
325
326 static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
330 {Opt_rootcontext, "rootcontext=%s"},
331 {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339 {
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355 {
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365 }
366
367 static int sb_finish_set_opts(struct super_block *sb)
368 {
369 struct superblock_security_struct *sbsec = sb->s_security;
370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
372 int rc = 0;
373
374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
383 rc = -EOPNOTSUPP;
384 goto out;
385 }
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
392 else
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
396 goto out;
397 }
398 }
399
400 sbsec->initialized = 1;
401
402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
405 else
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
409
410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
412
413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418 next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
430 }
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
434 }
435 spin_unlock(&sbsec->isec_lock);
436 out:
437 return rc;
438 }
439
440 /*
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
444 */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446 struct security_mnt_opts *opts)
447 {
448 int rc = 0, i;
449 struct superblock_security_struct *sbsec = sb->s_security;
450 char *context = NULL;
451 u32 len;
452 char tmp;
453
454 security_init_mnt_opts(opts);
455
456 if (!sbsec->initialized)
457 return -EINVAL;
458
459 if (!ss_initialized)
460 return -EINVAL;
461
462 /*
463 * if we ever use sbsec flags for anything other than tracking mount
464 * settings this is going to need a mask
465 */
466 tmp = sbsec->flags;
467 /* count the number of mount options for this sb */
468 for (i = 0; i < 8; i++) {
469 if (tmp & 0x01)
470 opts->num_mnt_opts++;
471 tmp >>= 1;
472 }
473
474 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475 if (!opts->mnt_opts) {
476 rc = -ENOMEM;
477 goto out_free;
478 }
479
480 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481 if (!opts->mnt_opts_flags) {
482 rc = -ENOMEM;
483 goto out_free;
484 }
485
486 i = 0;
487 if (sbsec->flags & FSCONTEXT_MNT) {
488 rc = security_sid_to_context(sbsec->sid, &context, &len);
489 if (rc)
490 goto out_free;
491 opts->mnt_opts[i] = context;
492 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
493 }
494 if (sbsec->flags & CONTEXT_MNT) {
495 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496 if (rc)
497 goto out_free;
498 opts->mnt_opts[i] = context;
499 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
500 }
501 if (sbsec->flags & DEFCONTEXT_MNT) {
502 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503 if (rc)
504 goto out_free;
505 opts->mnt_opts[i] = context;
506 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
507 }
508 if (sbsec->flags & ROOTCONTEXT_MNT) {
509 struct inode *root = sbsec->sb->s_root->d_inode;
510 struct inode_security_struct *isec = root->i_security;
511
512 rc = security_sid_to_context(isec->sid, &context, &len);
513 if (rc)
514 goto out_free;
515 opts->mnt_opts[i] = context;
516 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517 }
518
519 BUG_ON(i != opts->num_mnt_opts);
520
521 return 0;
522
523 out_free:
524 security_free_mnt_opts(opts);
525 return rc;
526 }
527
528 static int bad_option(struct superblock_security_struct *sbsec, char flag,
529 u32 old_sid, u32 new_sid)
530 {
531 /* check if the old mount command had the same options */
532 if (sbsec->initialized)
533 if (!(sbsec->flags & flag) ||
534 (old_sid != new_sid))
535 return 1;
536
537 /* check if we were passed the same options twice,
538 * aka someone passed context=a,context=b
539 */
540 if (!sbsec->initialized)
541 if (sbsec->flags & flag)
542 return 1;
543 return 0;
544 }
545
546 /*
547 * Allow filesystems with binary mount data to explicitly set mount point
548 * labeling information.
549 */
550 static int selinux_set_mnt_opts(struct super_block *sb,
551 struct security_mnt_opts *opts)
552 {
553 int rc = 0, i;
554 struct task_security_struct *tsec = current->security;
555 struct superblock_security_struct *sbsec = sb->s_security;
556 const char *name = sb->s_type->name;
557 struct inode *inode = sbsec->sb->s_root->d_inode;
558 struct inode_security_struct *root_isec = inode->i_security;
559 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560 u32 defcontext_sid = 0;
561 char **mount_options = opts->mnt_opts;
562 int *flags = opts->mnt_opts_flags;
563 int num_opts = opts->num_mnt_opts;
564
565 mutex_lock(&sbsec->lock);
566
567 if (!ss_initialized) {
568 if (!num_opts) {
569 /* Defer initialization until selinux_complete_init,
570 after the initial policy is loaded and the security
571 server is ready to handle calls. */
572 spin_lock(&sb_security_lock);
573 if (list_empty(&sbsec->list))
574 list_add(&sbsec->list, &superblock_security_head);
575 spin_unlock(&sb_security_lock);
576 goto out;
577 }
578 rc = -EINVAL;
579 printk(KERN_WARNING "Unable to set superblock options before "
580 "the security server is initialized\n");
581 goto out;
582 }
583
584 /*
585 * Binary mount data FS will come through this function twice. Once
586 * from an explicit call and once from the generic calls from the vfs.
587 * Since the generic VFS calls will not contain any security mount data
588 * we need to skip the double mount verification.
589 *
590 * This does open a hole in which we will not notice if the first
591 * mount using this sb set explict options and a second mount using
592 * this sb does not set any security options. (The first options
593 * will be used for both mounts)
594 */
595 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596 && (num_opts == 0))
597 goto out;
598
599 /*
600 * parse the mount options, check if they are valid sids.
601 * also check if someone is trying to mount the same sb more
602 * than once with different security options.
603 */
604 for (i = 0; i < num_opts; i++) {
605 u32 sid;
606 rc = security_context_to_sid(mount_options[i],
607 strlen(mount_options[i]), &sid);
608 if (rc) {
609 printk(KERN_WARNING "SELinux: security_context_to_sid"
610 "(%s) failed for (dev %s, type %s) errno=%d\n",
611 mount_options[i], sb->s_id, name, rc);
612 goto out;
613 }
614 switch (flags[i]) {
615 case FSCONTEXT_MNT:
616 fscontext_sid = sid;
617
618 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619 fscontext_sid))
620 goto out_double_mount;
621
622 sbsec->flags |= FSCONTEXT_MNT;
623 break;
624 case CONTEXT_MNT:
625 context_sid = sid;
626
627 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628 context_sid))
629 goto out_double_mount;
630
631 sbsec->flags |= CONTEXT_MNT;
632 break;
633 case ROOTCONTEXT_MNT:
634 rootcontext_sid = sid;
635
636 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637 rootcontext_sid))
638 goto out_double_mount;
639
640 sbsec->flags |= ROOTCONTEXT_MNT;
641
642 break;
643 case DEFCONTEXT_MNT:
644 defcontext_sid = sid;
645
646 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647 defcontext_sid))
648 goto out_double_mount;
649
650 sbsec->flags |= DEFCONTEXT_MNT;
651
652 break;
653 default:
654 rc = -EINVAL;
655 goto out;
656 }
657 }
658
659 if (sbsec->initialized) {
660 /* previously mounted with options, but not on this attempt? */
661 if (sbsec->flags && !num_opts)
662 goto out_double_mount;
663 rc = 0;
664 goto out;
665 }
666
667 if (strcmp(sb->s_type->name, "proc") == 0)
668 sbsec->proc = 1;
669
670 /* Determine the labeling behavior to use for this filesystem type. */
671 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672 if (rc) {
673 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674 __FUNCTION__, sb->s_type->name, rc);
675 goto out;
676 }
677
678 /* sets the context of the superblock for the fs being mounted. */
679 if (fscontext_sid) {
680
681 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
682 if (rc)
683 goto out;
684
685 sbsec->sid = fscontext_sid;
686 }
687
688 /*
689 * Switch to using mount point labeling behavior.
690 * sets the label used on all file below the mountpoint, and will set
691 * the superblock context if not already set.
692 */
693 if (context_sid) {
694 if (!fscontext_sid) {
695 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696 if (rc)
697 goto out;
698 sbsec->sid = context_sid;
699 } else {
700 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
701 if (rc)
702 goto out;
703 }
704 if (!rootcontext_sid)
705 rootcontext_sid = context_sid;
706
707 sbsec->mntpoint_sid = context_sid;
708 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
709 }
710
711 if (rootcontext_sid) {
712 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
713 if (rc)
714 goto out;
715
716 root_isec->sid = rootcontext_sid;
717 root_isec->initialized = 1;
718 }
719
720 if (defcontext_sid) {
721 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
722 rc = -EINVAL;
723 printk(KERN_WARNING "SELinux: defcontext option is "
724 "invalid for this filesystem type\n");
725 goto out;
726 }
727
728 if (defcontext_sid != sbsec->def_sid) {
729 rc = may_context_mount_inode_relabel(defcontext_sid,
730 sbsec, tsec);
731 if (rc)
732 goto out;
733 }
734
735 sbsec->def_sid = defcontext_sid;
736 }
737
738 rc = sb_finish_set_opts(sb);
739 out:
740 mutex_unlock(&sbsec->lock);
741 return rc;
742 out_double_mount:
743 rc = -EINVAL;
744 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
745 "security settings for (dev %s, type %s)\n", sb->s_id, name);
746 goto out;
747 }
748
749 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750 struct super_block *newsb)
751 {
752 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753 struct superblock_security_struct *newsbsec = newsb->s_security;
754
755 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
756 int set_context = (oldsbsec->flags & CONTEXT_MNT);
757 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
758
759 /* we can't error, we can't save the info, this shouldn't get called
760 * this early in the boot process. */
761 BUG_ON(!ss_initialized);
762
763 /* this might go away sometime down the line if there is a new user
764 * of clone, but for now, nfs better not get here... */
765 BUG_ON(newsbsec->initialized);
766
767 /* how can we clone if the old one wasn't set up?? */
768 BUG_ON(!oldsbsec->initialized);
769
770 mutex_lock(&newsbsec->lock);
771
772 newsbsec->flags = oldsbsec->flags;
773
774 newsbsec->sid = oldsbsec->sid;
775 newsbsec->def_sid = oldsbsec->def_sid;
776 newsbsec->behavior = oldsbsec->behavior;
777
778 if (set_context) {
779 u32 sid = oldsbsec->mntpoint_sid;
780
781 if (!set_fscontext)
782 newsbsec->sid = sid;
783 if (!set_rootcontext) {
784 struct inode *newinode = newsb->s_root->d_inode;
785 struct inode_security_struct *newisec = newinode->i_security;
786 newisec->sid = sid;
787 }
788 newsbsec->mntpoint_sid = sid;
789 }
790 if (set_rootcontext) {
791 const struct inode *oldinode = oldsb->s_root->d_inode;
792 const struct inode_security_struct *oldisec = oldinode->i_security;
793 struct inode *newinode = newsb->s_root->d_inode;
794 struct inode_security_struct *newisec = newinode->i_security;
795
796 newisec->sid = oldisec->sid;
797 }
798
799 sb_finish_set_opts(newsb);
800 mutex_unlock(&newsbsec->lock);
801 }
802
803 static int selinux_parse_opts_str(char *options,
804 struct security_mnt_opts *opts)
805 {
806 char *p;
807 char *context = NULL, *defcontext = NULL;
808 char *fscontext = NULL, *rootcontext = NULL;
809 int rc, num_mnt_opts = 0;
810
811 opts->num_mnt_opts = 0;
812
813 /* Standard string-based options. */
814 while ((p = strsep(&options, "|")) != NULL) {
815 int token;
816 substring_t args[MAX_OPT_ARGS];
817
818 if (!*p)
819 continue;
820
821 token = match_token(p, tokens, args);
822
823 switch (token) {
824 case Opt_context:
825 if (context || defcontext) {
826 rc = -EINVAL;
827 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
828 goto out_err;
829 }
830 context = match_strdup(&args[0]);
831 if (!context) {
832 rc = -ENOMEM;
833 goto out_err;
834 }
835 break;
836
837 case Opt_fscontext:
838 if (fscontext) {
839 rc = -EINVAL;
840 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841 goto out_err;
842 }
843 fscontext = match_strdup(&args[0]);
844 if (!fscontext) {
845 rc = -ENOMEM;
846 goto out_err;
847 }
848 break;
849
850 case Opt_rootcontext:
851 if (rootcontext) {
852 rc = -EINVAL;
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854 goto out_err;
855 }
856 rootcontext = match_strdup(&args[0]);
857 if (!rootcontext) {
858 rc = -ENOMEM;
859 goto out_err;
860 }
861 break;
862
863 case Opt_defcontext:
864 if (context || defcontext) {
865 rc = -EINVAL;
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 goto out_err;
868 }
869 defcontext = match_strdup(&args[0]);
870 if (!defcontext) {
871 rc = -ENOMEM;
872 goto out_err;
873 }
874 break;
875
876 default:
877 rc = -EINVAL;
878 printk(KERN_WARNING "SELinux: unknown mount option\n");
879 goto out_err;
880
881 }
882 }
883
884 rc = -ENOMEM;
885 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
886 if (!opts->mnt_opts)
887 goto out_err;
888
889 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
890 if (!opts->mnt_opts_flags) {
891 kfree(opts->mnt_opts);
892 goto out_err;
893 }
894
895 if (fscontext) {
896 opts->mnt_opts[num_mnt_opts] = fscontext;
897 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
898 }
899 if (context) {
900 opts->mnt_opts[num_mnt_opts] = context;
901 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
902 }
903 if (rootcontext) {
904 opts->mnt_opts[num_mnt_opts] = rootcontext;
905 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
906 }
907 if (defcontext) {
908 opts->mnt_opts[num_mnt_opts] = defcontext;
909 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
910 }
911
912 opts->num_mnt_opts = num_mnt_opts;
913 return 0;
914
915 out_err:
916 kfree(context);
917 kfree(defcontext);
918 kfree(fscontext);
919 kfree(rootcontext);
920 return rc;
921 }
922 /*
923 * string mount options parsing and call set the sbsec
924 */
925 static int superblock_doinit(struct super_block *sb, void *data)
926 {
927 int rc = 0;
928 char *options = data;
929 struct security_mnt_opts opts;
930
931 security_init_mnt_opts(&opts);
932
933 if (!data)
934 goto out;
935
936 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
937
938 rc = selinux_parse_opts_str(options, &opts);
939 if (rc)
940 goto out_err;
941
942 out:
943 rc = selinux_set_mnt_opts(sb, &opts);
944
945 out_err:
946 security_free_mnt_opts(&opts);
947 return rc;
948 }
949
950 static inline u16 inode_mode_to_security_class(umode_t mode)
951 {
952 switch (mode & S_IFMT) {
953 case S_IFSOCK:
954 return SECCLASS_SOCK_FILE;
955 case S_IFLNK:
956 return SECCLASS_LNK_FILE;
957 case S_IFREG:
958 return SECCLASS_FILE;
959 case S_IFBLK:
960 return SECCLASS_BLK_FILE;
961 case S_IFDIR:
962 return SECCLASS_DIR;
963 case S_IFCHR:
964 return SECCLASS_CHR_FILE;
965 case S_IFIFO:
966 return SECCLASS_FIFO_FILE;
967
968 }
969
970 return SECCLASS_FILE;
971 }
972
973 static inline int default_protocol_stream(int protocol)
974 {
975 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
976 }
977
978 static inline int default_protocol_dgram(int protocol)
979 {
980 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
981 }
982
983 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
984 {
985 switch (family) {
986 case PF_UNIX:
987 switch (type) {
988 case SOCK_STREAM:
989 case SOCK_SEQPACKET:
990 return SECCLASS_UNIX_STREAM_SOCKET;
991 case SOCK_DGRAM:
992 return SECCLASS_UNIX_DGRAM_SOCKET;
993 }
994 break;
995 case PF_INET:
996 case PF_INET6:
997 switch (type) {
998 case SOCK_STREAM:
999 if (default_protocol_stream(protocol))
1000 return SECCLASS_TCP_SOCKET;
1001 else
1002 return SECCLASS_RAWIP_SOCKET;
1003 case SOCK_DGRAM:
1004 if (default_protocol_dgram(protocol))
1005 return SECCLASS_UDP_SOCKET;
1006 else
1007 return SECCLASS_RAWIP_SOCKET;
1008 case SOCK_DCCP:
1009 return SECCLASS_DCCP_SOCKET;
1010 default:
1011 return SECCLASS_RAWIP_SOCKET;
1012 }
1013 break;
1014 case PF_NETLINK:
1015 switch (protocol) {
1016 case NETLINK_ROUTE:
1017 return SECCLASS_NETLINK_ROUTE_SOCKET;
1018 case NETLINK_FIREWALL:
1019 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1020 case NETLINK_INET_DIAG:
1021 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1022 case NETLINK_NFLOG:
1023 return SECCLASS_NETLINK_NFLOG_SOCKET;
1024 case NETLINK_XFRM:
1025 return SECCLASS_NETLINK_XFRM_SOCKET;
1026 case NETLINK_SELINUX:
1027 return SECCLASS_NETLINK_SELINUX_SOCKET;
1028 case NETLINK_AUDIT:
1029 return SECCLASS_NETLINK_AUDIT_SOCKET;
1030 case NETLINK_IP6_FW:
1031 return SECCLASS_NETLINK_IP6FW_SOCKET;
1032 case NETLINK_DNRTMSG:
1033 return SECCLASS_NETLINK_DNRT_SOCKET;
1034 case NETLINK_KOBJECT_UEVENT:
1035 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1036 default:
1037 return SECCLASS_NETLINK_SOCKET;
1038 }
1039 case PF_PACKET:
1040 return SECCLASS_PACKET_SOCKET;
1041 case PF_KEY:
1042 return SECCLASS_KEY_SOCKET;
1043 case PF_APPLETALK:
1044 return SECCLASS_APPLETALK_SOCKET;
1045 }
1046
1047 return SECCLASS_SOCKET;
1048 }
1049
1050 #ifdef CONFIG_PROC_FS
1051 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1052 u16 tclass,
1053 u32 *sid)
1054 {
1055 int buflen, rc;
1056 char *buffer, *path, *end;
1057
1058 buffer = (char*)__get_free_page(GFP_KERNEL);
1059 if (!buffer)
1060 return -ENOMEM;
1061
1062 buflen = PAGE_SIZE;
1063 end = buffer+buflen;
1064 *--end = '\0';
1065 buflen--;
1066 path = end-1;
1067 *path = '/';
1068 while (de && de != de->parent) {
1069 buflen -= de->namelen + 1;
1070 if (buflen < 0)
1071 break;
1072 end -= de->namelen;
1073 memcpy(end, de->name, de->namelen);
1074 *--end = '/';
1075 path = end;
1076 de = de->parent;
1077 }
1078 rc = security_genfs_sid("proc", path, tclass, sid);
1079 free_page((unsigned long)buffer);
1080 return rc;
1081 }
1082 #else
1083 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1084 u16 tclass,
1085 u32 *sid)
1086 {
1087 return -EINVAL;
1088 }
1089 #endif
1090
1091 /* The inode's security attributes must be initialized before first use. */
1092 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1093 {
1094 struct superblock_security_struct *sbsec = NULL;
1095 struct inode_security_struct *isec = inode->i_security;
1096 u32 sid;
1097 struct dentry *dentry;
1098 #define INITCONTEXTLEN 255
1099 char *context = NULL;
1100 unsigned len = 0;
1101 int rc = 0;
1102
1103 if (isec->initialized)
1104 goto out;
1105
1106 mutex_lock(&isec->lock);
1107 if (isec->initialized)
1108 goto out_unlock;
1109
1110 sbsec = inode->i_sb->s_security;
1111 if (!sbsec->initialized) {
1112 /* Defer initialization until selinux_complete_init,
1113 after the initial policy is loaded and the security
1114 server is ready to handle calls. */
1115 spin_lock(&sbsec->isec_lock);
1116 if (list_empty(&isec->list))
1117 list_add(&isec->list, &sbsec->isec_head);
1118 spin_unlock(&sbsec->isec_lock);
1119 goto out_unlock;
1120 }
1121
1122 switch (sbsec->behavior) {
1123 case SECURITY_FS_USE_XATTR:
1124 if (!inode->i_op->getxattr) {
1125 isec->sid = sbsec->def_sid;
1126 break;
1127 }
1128
1129 /* Need a dentry, since the xattr API requires one.
1130 Life would be simpler if we could just pass the inode. */
1131 if (opt_dentry) {
1132 /* Called from d_instantiate or d_splice_alias. */
1133 dentry = dget(opt_dentry);
1134 } else {
1135 /* Called from selinux_complete_init, try to find a dentry. */
1136 dentry = d_find_alias(inode);
1137 }
1138 if (!dentry) {
1139 printk(KERN_WARNING "%s: no dentry for dev=%s "
1140 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1141 inode->i_ino);
1142 goto out_unlock;
1143 }
1144
1145 len = INITCONTEXTLEN;
1146 context = kmalloc(len, GFP_KERNEL);
1147 if (!context) {
1148 rc = -ENOMEM;
1149 dput(dentry);
1150 goto out_unlock;
1151 }
1152 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1153 context, len);
1154 if (rc == -ERANGE) {
1155 /* Need a larger buffer. Query for the right size. */
1156 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1157 NULL, 0);
1158 if (rc < 0) {
1159 dput(dentry);
1160 goto out_unlock;
1161 }
1162 kfree(context);
1163 len = rc;
1164 context = kmalloc(len, GFP_KERNEL);
1165 if (!context) {
1166 rc = -ENOMEM;
1167 dput(dentry);
1168 goto out_unlock;
1169 }
1170 rc = inode->i_op->getxattr(dentry,
1171 XATTR_NAME_SELINUX,
1172 context, len);
1173 }
1174 dput(dentry);
1175 if (rc < 0) {
1176 if (rc != -ENODATA) {
1177 printk(KERN_WARNING "%s: getxattr returned "
1178 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1179 -rc, inode->i_sb->s_id, inode->i_ino);
1180 kfree(context);
1181 goto out_unlock;
1182 }
1183 /* Map ENODATA to the default file SID */
1184 sid = sbsec->def_sid;
1185 rc = 0;
1186 } else {
1187 rc = security_context_to_sid_default(context, rc, &sid,
1188 sbsec->def_sid);
1189 if (rc) {
1190 printk(KERN_WARNING "%s: context_to_sid(%s) "
1191 "returned %d for dev=%s ino=%ld\n",
1192 __FUNCTION__, context, -rc,
1193 inode->i_sb->s_id, inode->i_ino);
1194 kfree(context);
1195 /* Leave with the unlabeled SID */
1196 rc = 0;
1197 break;
1198 }
1199 }
1200 kfree(context);
1201 isec->sid = sid;
1202 break;
1203 case SECURITY_FS_USE_TASK:
1204 isec->sid = isec->task_sid;
1205 break;
1206 case SECURITY_FS_USE_TRANS:
1207 /* Default to the fs SID. */
1208 isec->sid = sbsec->sid;
1209
1210 /* Try to obtain a transition SID. */
1211 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1212 rc = security_transition_sid(isec->task_sid,
1213 sbsec->sid,
1214 isec->sclass,
1215 &sid);
1216 if (rc)
1217 goto out_unlock;
1218 isec->sid = sid;
1219 break;
1220 case SECURITY_FS_USE_MNTPOINT:
1221 isec->sid = sbsec->mntpoint_sid;
1222 break;
1223 default:
1224 /* Default to the fs superblock SID. */
1225 isec->sid = sbsec->sid;
1226
1227 if (sbsec->proc) {
1228 struct proc_inode *proci = PROC_I(inode);
1229 if (proci->pde) {
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1231 rc = selinux_proc_get_sid(proci->pde,
1232 isec->sclass,
1233 &sid);
1234 if (rc)
1235 goto out_unlock;
1236 isec->sid = sid;
1237 }
1238 }
1239 break;
1240 }
1241
1242 isec->initialized = 1;
1243
1244 out_unlock:
1245 mutex_unlock(&isec->lock);
1246 out:
1247 if (isec->sclass == SECCLASS_FILE)
1248 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1249 return rc;
1250 }
1251
1252 /* Convert a Linux signal to an access vector. */
1253 static inline u32 signal_to_av(int sig)
1254 {
1255 u32 perm = 0;
1256
1257 switch (sig) {
1258 case SIGCHLD:
1259 /* Commonly granted from child to parent. */
1260 perm = PROCESS__SIGCHLD;
1261 break;
1262 case SIGKILL:
1263 /* Cannot be caught or ignored */
1264 perm = PROCESS__SIGKILL;
1265 break;
1266 case SIGSTOP:
1267 /* Cannot be caught or ignored */
1268 perm = PROCESS__SIGSTOP;
1269 break;
1270 default:
1271 /* All other signals. */
1272 perm = PROCESS__SIGNAL;
1273 break;
1274 }
1275
1276 return perm;
1277 }
1278
1279 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1280 fork check, ptrace check, etc. */
1281 static int task_has_perm(struct task_struct *tsk1,
1282 struct task_struct *tsk2,
1283 u32 perms)
1284 {
1285 struct task_security_struct *tsec1, *tsec2;
1286
1287 tsec1 = tsk1->security;
1288 tsec2 = tsk2->security;
1289 return avc_has_perm(tsec1->sid, tsec2->sid,
1290 SECCLASS_PROCESS, perms, NULL);
1291 }
1292
1293 #if CAP_LAST_CAP > 63
1294 #error Fix SELinux to handle capabilities > 63.
1295 #endif
1296
1297 /* Check whether a task is allowed to use a capability. */
1298 static int task_has_capability(struct task_struct *tsk,
1299 int cap)
1300 {
1301 struct task_security_struct *tsec;
1302 struct avc_audit_data ad;
1303 u16 sclass;
1304 u32 av = CAP_TO_MASK(cap);
1305
1306 tsec = tsk->security;
1307
1308 AVC_AUDIT_DATA_INIT(&ad,CAP);
1309 ad.tsk = tsk;
1310 ad.u.cap = cap;
1311
1312 switch (CAP_TO_INDEX(cap)) {
1313 case 0:
1314 sclass = SECCLASS_CAPABILITY;
1315 break;
1316 case 1:
1317 sclass = SECCLASS_CAPABILITY2;
1318 break;
1319 default:
1320 printk(KERN_ERR
1321 "SELinux: out of range capability %d\n", cap);
1322 BUG();
1323 }
1324 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1325 }
1326
1327 /* Check whether a task is allowed to use a system operation. */
1328 static int task_has_system(struct task_struct *tsk,
1329 u32 perms)
1330 {
1331 struct task_security_struct *tsec;
1332
1333 tsec = tsk->security;
1334
1335 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1336 SECCLASS_SYSTEM, perms, NULL);
1337 }
1338
1339 /* Check whether a task has a particular permission to an inode.
1340 The 'adp' parameter is optional and allows other audit
1341 data to be passed (e.g. the dentry). */
1342 static int inode_has_perm(struct task_struct *tsk,
1343 struct inode *inode,
1344 u32 perms,
1345 struct avc_audit_data *adp)
1346 {
1347 struct task_security_struct *tsec;
1348 struct inode_security_struct *isec;
1349 struct avc_audit_data ad;
1350
1351 if (unlikely (IS_PRIVATE (inode)))
1352 return 0;
1353
1354 tsec = tsk->security;
1355 isec = inode->i_security;
1356
1357 if (!adp) {
1358 adp = &ad;
1359 AVC_AUDIT_DATA_INIT(&ad, FS);
1360 ad.u.fs.inode = inode;
1361 }
1362
1363 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1364 }
1365
1366 /* Same as inode_has_perm, but pass explicit audit data containing
1367 the dentry to help the auditing code to more easily generate the
1368 pathname if needed. */
1369 static inline int dentry_has_perm(struct task_struct *tsk,
1370 struct vfsmount *mnt,
1371 struct dentry *dentry,
1372 u32 av)
1373 {
1374 struct inode *inode = dentry->d_inode;
1375 struct avc_audit_data ad;
1376 AVC_AUDIT_DATA_INIT(&ad,FS);
1377 ad.u.fs.path.mnt = mnt;
1378 ad.u.fs.path.dentry = dentry;
1379 return inode_has_perm(tsk, inode, av, &ad);
1380 }
1381
1382 /* Check whether a task can use an open file descriptor to
1383 access an inode in a given way. Check access to the
1384 descriptor itself, and then use dentry_has_perm to
1385 check a particular permission to the file.
1386 Access to the descriptor is implicitly granted if it
1387 has the same SID as the process. If av is zero, then
1388 access to the file is not checked, e.g. for cases
1389 where only the descriptor is affected like seek. */
1390 static int file_has_perm(struct task_struct *tsk,
1391 struct file *file,
1392 u32 av)
1393 {
1394 struct task_security_struct *tsec = tsk->security;
1395 struct file_security_struct *fsec = file->f_security;
1396 struct inode *inode = file->f_path.dentry->d_inode;
1397 struct avc_audit_data ad;
1398 int rc;
1399
1400 AVC_AUDIT_DATA_INIT(&ad, FS);
1401 ad.u.fs.path = file->f_path;
1402
1403 if (tsec->sid != fsec->sid) {
1404 rc = avc_has_perm(tsec->sid, fsec->sid,
1405 SECCLASS_FD,
1406 FD__USE,
1407 &ad);
1408 if (rc)
1409 return rc;
1410 }
1411
1412 /* av is zero if only checking access to the descriptor. */
1413 if (av)
1414 return inode_has_perm(tsk, inode, av, &ad);
1415
1416 return 0;
1417 }
1418
1419 /* Check whether a task can create a file. */
1420 static int may_create(struct inode *dir,
1421 struct dentry *dentry,
1422 u16 tclass)
1423 {
1424 struct task_security_struct *tsec;
1425 struct inode_security_struct *dsec;
1426 struct superblock_security_struct *sbsec;
1427 u32 newsid;
1428 struct avc_audit_data ad;
1429 int rc;
1430
1431 tsec = current->security;
1432 dsec = dir->i_security;
1433 sbsec = dir->i_sb->s_security;
1434
1435 AVC_AUDIT_DATA_INIT(&ad, FS);
1436 ad.u.fs.path.dentry = dentry;
1437
1438 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1439 DIR__ADD_NAME | DIR__SEARCH,
1440 &ad);
1441 if (rc)
1442 return rc;
1443
1444 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1445 newsid = tsec->create_sid;
1446 } else {
1447 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1448 &newsid);
1449 if (rc)
1450 return rc;
1451 }
1452
1453 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1454 if (rc)
1455 return rc;
1456
1457 return avc_has_perm(newsid, sbsec->sid,
1458 SECCLASS_FILESYSTEM,
1459 FILESYSTEM__ASSOCIATE, &ad);
1460 }
1461
1462 /* Check whether a task can create a key. */
1463 static int may_create_key(u32 ksid,
1464 struct task_struct *ctx)
1465 {
1466 struct task_security_struct *tsec;
1467
1468 tsec = ctx->security;
1469
1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1471 }
1472
1473 #define MAY_LINK 0
1474 #define MAY_UNLINK 1
1475 #define MAY_RMDIR 2
1476
1477 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1478 static int may_link(struct inode *dir,
1479 struct dentry *dentry,
1480 int kind)
1481
1482 {
1483 struct task_security_struct *tsec;
1484 struct inode_security_struct *dsec, *isec;
1485 struct avc_audit_data ad;
1486 u32 av;
1487 int rc;
1488
1489 tsec = current->security;
1490 dsec = dir->i_security;
1491 isec = dentry->d_inode->i_security;
1492
1493 AVC_AUDIT_DATA_INIT(&ad, FS);
1494 ad.u.fs.path.dentry = dentry;
1495
1496 av = DIR__SEARCH;
1497 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1498 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1499 if (rc)
1500 return rc;
1501
1502 switch (kind) {
1503 case MAY_LINK:
1504 av = FILE__LINK;
1505 break;
1506 case MAY_UNLINK:
1507 av = FILE__UNLINK;
1508 break;
1509 case MAY_RMDIR:
1510 av = DIR__RMDIR;
1511 break;
1512 default:
1513 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1514 return 0;
1515 }
1516
1517 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1518 return rc;
1519 }
1520
1521 static inline int may_rename(struct inode *old_dir,
1522 struct dentry *old_dentry,
1523 struct inode *new_dir,
1524 struct dentry *new_dentry)
1525 {
1526 struct task_security_struct *tsec;
1527 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1528 struct avc_audit_data ad;
1529 u32 av;
1530 int old_is_dir, new_is_dir;
1531 int rc;
1532
1533 tsec = current->security;
1534 old_dsec = old_dir->i_security;
1535 old_isec = old_dentry->d_inode->i_security;
1536 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1537 new_dsec = new_dir->i_security;
1538
1539 AVC_AUDIT_DATA_INIT(&ad, FS);
1540
1541 ad.u.fs.path.dentry = old_dentry;
1542 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1543 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1544 if (rc)
1545 return rc;
1546 rc = avc_has_perm(tsec->sid, old_isec->sid,
1547 old_isec->sclass, FILE__RENAME, &ad);
1548 if (rc)
1549 return rc;
1550 if (old_is_dir && new_dir != old_dir) {
1551 rc = avc_has_perm(tsec->sid, old_isec->sid,
1552 old_isec->sclass, DIR__REPARENT, &ad);
1553 if (rc)
1554 return rc;
1555 }
1556
1557 ad.u.fs.path.dentry = new_dentry;
1558 av = DIR__ADD_NAME | DIR__SEARCH;
1559 if (new_dentry->d_inode)
1560 av |= DIR__REMOVE_NAME;
1561 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1562 if (rc)
1563 return rc;
1564 if (new_dentry->d_inode) {
1565 new_isec = new_dentry->d_inode->i_security;
1566 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1567 rc = avc_has_perm(tsec->sid, new_isec->sid,
1568 new_isec->sclass,
1569 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1570 if (rc)
1571 return rc;
1572 }
1573
1574 return 0;
1575 }
1576
1577 /* Check whether a task can perform a filesystem operation. */
1578 static int superblock_has_perm(struct task_struct *tsk,
1579 struct super_block *sb,
1580 u32 perms,
1581 struct avc_audit_data *ad)
1582 {
1583 struct task_security_struct *tsec;
1584 struct superblock_security_struct *sbsec;
1585
1586 tsec = tsk->security;
1587 sbsec = sb->s_security;
1588 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1589 perms, ad);
1590 }
1591
1592 /* Convert a Linux mode and permission mask to an access vector. */
1593 static inline u32 file_mask_to_av(int mode, int mask)
1594 {
1595 u32 av = 0;
1596
1597 if ((mode & S_IFMT) != S_IFDIR) {
1598 if (mask & MAY_EXEC)
1599 av |= FILE__EXECUTE;
1600 if (mask & MAY_READ)
1601 av |= FILE__READ;
1602
1603 if (mask & MAY_APPEND)
1604 av |= FILE__APPEND;
1605 else if (mask & MAY_WRITE)
1606 av |= FILE__WRITE;
1607
1608 } else {
1609 if (mask & MAY_EXEC)
1610 av |= DIR__SEARCH;
1611 if (mask & MAY_WRITE)
1612 av |= DIR__WRITE;
1613 if (mask & MAY_READ)
1614 av |= DIR__READ;
1615 }
1616
1617 return av;
1618 }
1619
1620 /* Convert a Linux file to an access vector. */
1621 static inline u32 file_to_av(struct file *file)
1622 {
1623 u32 av = 0;
1624
1625 if (file->f_mode & FMODE_READ)
1626 av |= FILE__READ;
1627 if (file->f_mode & FMODE_WRITE) {
1628 if (file->f_flags & O_APPEND)
1629 av |= FILE__APPEND;
1630 else
1631 av |= FILE__WRITE;
1632 }
1633
1634 return av;
1635 }
1636
1637 /* Hook functions begin here. */
1638
1639 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1640 {
1641 struct task_security_struct *psec = parent->security;
1642 struct task_security_struct *csec = child->security;
1643 int rc;
1644
1645 rc = secondary_ops->ptrace(parent,child);
1646 if (rc)
1647 return rc;
1648
1649 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1650 /* Save the SID of the tracing process for later use in apply_creds. */
1651 if (!(child->ptrace & PT_PTRACED) && !rc)
1652 csec->ptrace_sid = psec->sid;
1653 return rc;
1654 }
1655
1656 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1657 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1658 {
1659 int error;
1660
1661 error = task_has_perm(current, target, PROCESS__GETCAP);
1662 if (error)
1663 return error;
1664
1665 return secondary_ops->capget(target, effective, inheritable, permitted);
1666 }
1667
1668 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1669 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1670 {
1671 int error;
1672
1673 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1674 if (error)
1675 return error;
1676
1677 return task_has_perm(current, target, PROCESS__SETCAP);
1678 }
1679
1680 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1681 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1682 {
1683 secondary_ops->capset_set(target, effective, inheritable, permitted);
1684 }
1685
1686 static int selinux_capable(struct task_struct *tsk, int cap)
1687 {
1688 int rc;
1689
1690 rc = secondary_ops->capable(tsk, cap);
1691 if (rc)
1692 return rc;
1693
1694 return task_has_capability(tsk,cap);
1695 }
1696
1697 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1698 {
1699 int buflen, rc;
1700 char *buffer, *path, *end;
1701
1702 rc = -ENOMEM;
1703 buffer = (char*)__get_free_page(GFP_KERNEL);
1704 if (!buffer)
1705 goto out;
1706
1707 buflen = PAGE_SIZE;
1708 end = buffer+buflen;
1709 *--end = '\0';
1710 buflen--;
1711 path = end-1;
1712 *path = '/';
1713 while (table) {
1714 const char *name = table->procname;
1715 size_t namelen = strlen(name);
1716 buflen -= namelen + 1;
1717 if (buflen < 0)
1718 goto out_free;
1719 end -= namelen;
1720 memcpy(end, name, namelen);
1721 *--end = '/';
1722 path = end;
1723 table = table->parent;
1724 }
1725 buflen -= 4;
1726 if (buflen < 0)
1727 goto out_free;
1728 end -= 4;
1729 memcpy(end, "/sys", 4);
1730 path = end;
1731 rc = security_genfs_sid("proc", path, tclass, sid);
1732 out_free:
1733 free_page((unsigned long)buffer);
1734 out:
1735 return rc;
1736 }
1737
1738 static int selinux_sysctl(ctl_table *table, int op)
1739 {
1740 int error = 0;
1741 u32 av;
1742 struct task_security_struct *tsec;
1743 u32 tsid;
1744 int rc;
1745
1746 rc = secondary_ops->sysctl(table, op);
1747 if (rc)
1748 return rc;
1749
1750 tsec = current->security;
1751
1752 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1753 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1754 if (rc) {
1755 /* Default to the well-defined sysctl SID. */
1756 tsid = SECINITSID_SYSCTL;
1757 }
1758
1759 /* The op values are "defined" in sysctl.c, thereby creating
1760 * a bad coupling between this module and sysctl.c */
1761 if(op == 001) {
1762 error = avc_has_perm(tsec->sid, tsid,
1763 SECCLASS_DIR, DIR__SEARCH, NULL);
1764 } else {
1765 av = 0;
1766 if (op & 004)
1767 av |= FILE__READ;
1768 if (op & 002)
1769 av |= FILE__WRITE;
1770 if (av)
1771 error = avc_has_perm(tsec->sid, tsid,
1772 SECCLASS_FILE, av, NULL);
1773 }
1774
1775 return error;
1776 }
1777
1778 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1779 {
1780 int rc = 0;
1781
1782 if (!sb)
1783 return 0;
1784
1785 switch (cmds) {
1786 case Q_SYNC:
1787 case Q_QUOTAON:
1788 case Q_QUOTAOFF:
1789 case Q_SETINFO:
1790 case Q_SETQUOTA:
1791 rc = superblock_has_perm(current,
1792 sb,
1793 FILESYSTEM__QUOTAMOD, NULL);
1794 break;
1795 case Q_GETFMT:
1796 case Q_GETINFO:
1797 case Q_GETQUOTA:
1798 rc = superblock_has_perm(current,
1799 sb,
1800 FILESYSTEM__QUOTAGET, NULL);
1801 break;
1802 default:
1803 rc = 0; /* let the kernel handle invalid cmds */
1804 break;
1805 }
1806 return rc;
1807 }
1808
1809 static int selinux_quota_on(struct dentry *dentry)
1810 {
1811 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1812 }
1813
1814 static int selinux_syslog(int type)
1815 {
1816 int rc;
1817
1818 rc = secondary_ops->syslog(type);
1819 if (rc)
1820 return rc;
1821
1822 switch (type) {
1823 case 3: /* Read last kernel messages */
1824 case 10: /* Return size of the log buffer */
1825 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1826 break;
1827 case 6: /* Disable logging to console */
1828 case 7: /* Enable logging to console */
1829 case 8: /* Set level of messages printed to console */
1830 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1831 break;
1832 case 0: /* Close log */
1833 case 1: /* Open log */
1834 case 2: /* Read from log */
1835 case 4: /* Read/clear last kernel messages */
1836 case 5: /* Clear ring buffer */
1837 default:
1838 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1839 break;
1840 }
1841 return rc;
1842 }
1843
1844 /*
1845 * Check that a process has enough memory to allocate a new virtual
1846 * mapping. 0 means there is enough memory for the allocation to
1847 * succeed and -ENOMEM implies there is not.
1848 *
1849 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1850 * if the capability is granted, but __vm_enough_memory requires 1 if
1851 * the capability is granted.
1852 *
1853 * Do not audit the selinux permission check, as this is applied to all
1854 * processes that allocate mappings.
1855 */
1856 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1857 {
1858 int rc, cap_sys_admin = 0;
1859 struct task_security_struct *tsec = current->security;
1860
1861 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1862 if (rc == 0)
1863 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1864 SECCLASS_CAPABILITY,
1865 CAP_TO_MASK(CAP_SYS_ADMIN),
1866 0,
1867 NULL);
1868
1869 if (rc == 0)
1870 cap_sys_admin = 1;
1871
1872 return __vm_enough_memory(mm, pages, cap_sys_admin);
1873 }
1874
1875 /* binprm security operations */
1876
1877 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1878 {
1879 struct bprm_security_struct *bsec;
1880
1881 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1882 if (!bsec)
1883 return -ENOMEM;
1884
1885 bsec->bprm = bprm;
1886 bsec->sid = SECINITSID_UNLABELED;
1887 bsec->set = 0;
1888
1889 bprm->security = bsec;
1890 return 0;
1891 }
1892
1893 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1894 {
1895 struct task_security_struct *tsec;
1896 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1897 struct inode_security_struct *isec;
1898 struct bprm_security_struct *bsec;
1899 u32 newsid;
1900 struct avc_audit_data ad;
1901 int rc;
1902
1903 rc = secondary_ops->bprm_set_security(bprm);
1904 if (rc)
1905 return rc;
1906
1907 bsec = bprm->security;
1908
1909 if (bsec->set)
1910 return 0;
1911
1912 tsec = current->security;
1913 isec = inode->i_security;
1914
1915 /* Default to the current task SID. */
1916 bsec->sid = tsec->sid;
1917
1918 /* Reset fs, key, and sock SIDs on execve. */
1919 tsec->create_sid = 0;
1920 tsec->keycreate_sid = 0;
1921 tsec->sockcreate_sid = 0;
1922
1923 if (tsec->exec_sid) {
1924 newsid = tsec->exec_sid;
1925 /* Reset exec SID on execve. */
1926 tsec->exec_sid = 0;
1927 } else {
1928 /* Check for a default transition on this program. */
1929 rc = security_transition_sid(tsec->sid, isec->sid,
1930 SECCLASS_PROCESS, &newsid);
1931 if (rc)
1932 return rc;
1933 }
1934
1935 AVC_AUDIT_DATA_INIT(&ad, FS);
1936 ad.u.fs.path = bprm->file->f_path;
1937
1938 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1939 newsid = tsec->sid;
1940
1941 if (tsec->sid == newsid) {
1942 rc = avc_has_perm(tsec->sid, isec->sid,
1943 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1944 if (rc)
1945 return rc;
1946 } else {
1947 /* Check permissions for the transition. */
1948 rc = avc_has_perm(tsec->sid, newsid,
1949 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1950 if (rc)
1951 return rc;
1952
1953 rc = avc_has_perm(newsid, isec->sid,
1954 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1955 if (rc)
1956 return rc;
1957
1958 /* Clear any possibly unsafe personality bits on exec: */
1959 current->personality &= ~PER_CLEAR_ON_SETID;
1960
1961 /* Set the security field to the new SID. */
1962 bsec->sid = newsid;
1963 }
1964
1965 bsec->set = 1;
1966 return 0;
1967 }
1968
1969 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1970 {
1971 return secondary_ops->bprm_check_security(bprm);
1972 }
1973
1974
1975 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1976 {
1977 struct task_security_struct *tsec = current->security;
1978 int atsecure = 0;
1979
1980 if (tsec->osid != tsec->sid) {
1981 /* Enable secure mode for SIDs transitions unless
1982 the noatsecure permission is granted between
1983 the two SIDs, i.e. ahp returns 0. */
1984 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1985 SECCLASS_PROCESS,
1986 PROCESS__NOATSECURE, NULL);
1987 }
1988
1989 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1990 }
1991
1992 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1993 {
1994 kfree(bprm->security);
1995 bprm->security = NULL;
1996 }
1997
1998 extern struct vfsmount *selinuxfs_mount;
1999 extern struct dentry *selinux_null;
2000
2001 /* Derived from fs/exec.c:flush_old_files. */
2002 static inline void flush_unauthorized_files(struct files_struct * files)
2003 {
2004 struct avc_audit_data ad;
2005 struct file *file, *devnull = NULL;
2006 struct tty_struct *tty;
2007 struct fdtable *fdt;
2008 long j = -1;
2009 int drop_tty = 0;
2010
2011 mutex_lock(&tty_mutex);
2012 tty = get_current_tty();
2013 if (tty) {
2014 file_list_lock();
2015 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2016 if (file) {
2017 /* Revalidate access to controlling tty.
2018 Use inode_has_perm on the tty inode directly rather
2019 than using file_has_perm, as this particular open
2020 file may belong to another process and we are only
2021 interested in the inode-based check here. */
2022 struct inode *inode = file->f_path.dentry->d_inode;
2023 if (inode_has_perm(current, inode,
2024 FILE__READ | FILE__WRITE, NULL)) {
2025 drop_tty = 1;
2026 }
2027 }
2028 file_list_unlock();
2029 }
2030 mutex_unlock(&tty_mutex);
2031 /* Reset controlling tty. */
2032 if (drop_tty)
2033 no_tty();
2034
2035 /* Revalidate access to inherited open files. */
2036
2037 AVC_AUDIT_DATA_INIT(&ad,FS);
2038
2039 spin_lock(&files->file_lock);
2040 for (;;) {
2041 unsigned long set, i;
2042 int fd;
2043
2044 j++;
2045 i = j * __NFDBITS;
2046 fdt = files_fdtable(files);
2047 if (i >= fdt->max_fds)
2048 break;
2049 set = fdt->open_fds->fds_bits[j];
2050 if (!set)
2051 continue;
2052 spin_unlock(&files->file_lock);
2053 for ( ; set ; i++,set >>= 1) {
2054 if (set & 1) {
2055 file = fget(i);
2056 if (!file)
2057 continue;
2058 if (file_has_perm(current,
2059 file,
2060 file_to_av(file))) {
2061 sys_close(i);
2062 fd = get_unused_fd();
2063 if (fd != i) {
2064 if (fd >= 0)
2065 put_unused_fd(fd);
2066 fput(file);
2067 continue;
2068 }
2069 if (devnull) {
2070 get_file(devnull);
2071 } else {
2072 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2073 if (IS_ERR(devnull)) {
2074 devnull = NULL;
2075 put_unused_fd(fd);
2076 fput(file);
2077 continue;
2078 }
2079 }
2080 fd_install(fd, devnull);
2081 }
2082 fput(file);
2083 }
2084 }
2085 spin_lock(&files->file_lock);
2086
2087 }
2088 spin_unlock(&files->file_lock);
2089 }
2090
2091 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2092 {
2093 struct task_security_struct *tsec;
2094 struct bprm_security_struct *bsec;
2095 u32 sid;
2096 int rc;
2097
2098 secondary_ops->bprm_apply_creds(bprm, unsafe);
2099
2100 tsec = current->security;
2101
2102 bsec = bprm->security;
2103 sid = bsec->sid;
2104
2105 tsec->osid = tsec->sid;
2106 bsec->unsafe = 0;
2107 if (tsec->sid != sid) {
2108 /* Check for shared state. If not ok, leave SID
2109 unchanged and kill. */
2110 if (unsafe & LSM_UNSAFE_SHARE) {
2111 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2112 PROCESS__SHARE, NULL);
2113 if (rc) {
2114 bsec->unsafe = 1;
2115 return;
2116 }
2117 }
2118
2119 /* Check for ptracing, and update the task SID if ok.
2120 Otherwise, leave SID unchanged and kill. */
2121 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2122 rc = avc_has_perm(tsec->ptrace_sid, sid,
2123 SECCLASS_PROCESS, PROCESS__PTRACE,
2124 NULL);
2125 if (rc) {
2126 bsec->unsafe = 1;
2127 return;
2128 }
2129 }
2130 tsec->sid = sid;
2131 }
2132 }
2133
2134 /*
2135 * called after apply_creds without the task lock held
2136 */
2137 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2138 {
2139 struct task_security_struct *tsec;
2140 struct rlimit *rlim, *initrlim;
2141 struct itimerval itimer;
2142 struct bprm_security_struct *bsec;
2143 int rc, i;
2144
2145 tsec = current->security;
2146 bsec = bprm->security;
2147
2148 if (bsec->unsafe) {
2149 force_sig_specific(SIGKILL, current);
2150 return;
2151 }
2152 if (tsec->osid == tsec->sid)
2153 return;
2154
2155 /* Close files for which the new task SID is not authorized. */
2156 flush_unauthorized_files(current->files);
2157
2158 /* Check whether the new SID can inherit signal state
2159 from the old SID. If not, clear itimers to avoid
2160 subsequent signal generation and flush and unblock
2161 signals. This must occur _after_ the task SID has
2162 been updated so that any kill done after the flush
2163 will be checked against the new SID. */
2164 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2165 PROCESS__SIGINH, NULL);
2166 if (rc) {
2167 memset(&itimer, 0, sizeof itimer);
2168 for (i = 0; i < 3; i++)
2169 do_setitimer(i, &itimer, NULL);
2170 flush_signals(current);
2171 spin_lock_irq(&current->sighand->siglock);
2172 flush_signal_handlers(current, 1);
2173 sigemptyset(&current->blocked);
2174 recalc_sigpending();
2175 spin_unlock_irq(&current->sighand->siglock);
2176 }
2177
2178 /* Always clear parent death signal on SID transitions. */
2179 current->pdeath_signal = 0;
2180
2181 /* Check whether the new SID can inherit resource limits
2182 from the old SID. If not, reset all soft limits to
2183 the lower of the current task's hard limit and the init
2184 task's soft limit. Note that the setting of hard limits
2185 (even to lower them) can be controlled by the setrlimit
2186 check. The inclusion of the init task's soft limit into
2187 the computation is to avoid resetting soft limits higher
2188 than the default soft limit for cases where the default
2189 is lower than the hard limit, e.g. RLIMIT_CORE or
2190 RLIMIT_STACK.*/
2191 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2192 PROCESS__RLIMITINH, NULL);
2193 if (rc) {
2194 for (i = 0; i < RLIM_NLIMITS; i++) {
2195 rlim = current->signal->rlim + i;
2196 initrlim = init_task.signal->rlim+i;
2197 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2198 }
2199 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2200 /*
2201 * This will cause RLIMIT_CPU calculations
2202 * to be refigured.
2203 */
2204 current->it_prof_expires = jiffies_to_cputime(1);
2205 }
2206 }
2207
2208 /* Wake up the parent if it is waiting so that it can
2209 recheck wait permission to the new task SID. */
2210 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2211 }
2212
2213 /* superblock security operations */
2214
2215 static int selinux_sb_alloc_security(struct super_block *sb)
2216 {
2217 return superblock_alloc_security(sb);
2218 }
2219
2220 static void selinux_sb_free_security(struct super_block *sb)
2221 {
2222 superblock_free_security(sb);
2223 }
2224
2225 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2226 {
2227 if (plen > olen)
2228 return 0;
2229
2230 return !memcmp(prefix, option, plen);
2231 }
2232
2233 static inline int selinux_option(char *option, int len)
2234 {
2235 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2236 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2237 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2238 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2239 }
2240
2241 static inline void take_option(char **to, char *from, int *first, int len)
2242 {
2243 if (!*first) {
2244 **to = ',';
2245 *to += 1;
2246 } else
2247 *first = 0;
2248 memcpy(*to, from, len);
2249 *to += len;
2250 }
2251
2252 static inline void take_selinux_option(char **to, char *from, int *first,
2253 int len)
2254 {
2255 int current_size = 0;
2256
2257 if (!*first) {
2258 **to = '|';
2259 *to += 1;
2260 }
2261 else
2262 *first = 0;
2263
2264 while (current_size < len) {
2265 if (*from != '"') {
2266 **to = *from;
2267 *to += 1;
2268 }
2269 from += 1;
2270 current_size += 1;
2271 }
2272 }
2273
2274 static int selinux_sb_copy_data(char *orig, char *copy)
2275 {
2276 int fnosec, fsec, rc = 0;
2277 char *in_save, *in_curr, *in_end;
2278 char *sec_curr, *nosec_save, *nosec;
2279 int open_quote = 0;
2280
2281 in_curr = orig;
2282 sec_curr = copy;
2283
2284 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2285 if (!nosec) {
2286 rc = -ENOMEM;
2287 goto out;
2288 }
2289
2290 nosec_save = nosec;
2291 fnosec = fsec = 1;
2292 in_save = in_end = orig;
2293
2294 do {
2295 if (*in_end == '"')
2296 open_quote = !open_quote;
2297 if ((*in_end == ',' && open_quote == 0) ||
2298 *in_end == '\0') {
2299 int len = in_end - in_curr;
2300
2301 if (selinux_option(in_curr, len))
2302 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2303 else
2304 take_option(&nosec, in_curr, &fnosec, len);
2305
2306 in_curr = in_end + 1;
2307 }
2308 } while (*in_end++);
2309
2310 strcpy(in_save, nosec_save);
2311 free_page((unsigned long)nosec_save);
2312 out:
2313 return rc;
2314 }
2315
2316 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2317 {
2318 struct avc_audit_data ad;
2319 int rc;
2320
2321 rc = superblock_doinit(sb, data);
2322 if (rc)
2323 return rc;
2324
2325 AVC_AUDIT_DATA_INIT(&ad,FS);
2326 ad.u.fs.path.dentry = sb->s_root;
2327 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2328 }
2329
2330 static int selinux_sb_statfs(struct dentry *dentry)
2331 {
2332 struct avc_audit_data ad;
2333
2334 AVC_AUDIT_DATA_INIT(&ad,FS);
2335 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2336 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2337 }
2338
2339 static int selinux_mount(char * dev_name,
2340 struct nameidata *nd,
2341 char * type,
2342 unsigned long flags,
2343 void * data)
2344 {
2345 int rc;
2346
2347 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2348 if (rc)
2349 return rc;
2350
2351 if (flags & MS_REMOUNT)
2352 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2353 FILESYSTEM__REMOUNT, NULL);
2354 else
2355 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2356 FILE__MOUNTON);
2357 }
2358
2359 static int selinux_umount(struct vfsmount *mnt, int flags)
2360 {
2361 int rc;
2362
2363 rc = secondary_ops->sb_umount(mnt, flags);
2364 if (rc)
2365 return rc;
2366
2367 return superblock_has_perm(current,mnt->mnt_sb,
2368 FILESYSTEM__UNMOUNT,NULL);
2369 }
2370
2371 /* inode security operations */
2372
2373 static int selinux_inode_alloc_security(struct inode *inode)
2374 {
2375 return inode_alloc_security(inode);
2376 }
2377
2378 static void selinux_inode_free_security(struct inode *inode)
2379 {
2380 inode_free_security(inode);
2381 }
2382
2383 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2384 char **name, void **value,
2385 size_t *len)
2386 {
2387 struct task_security_struct *tsec;
2388 struct inode_security_struct *dsec;
2389 struct superblock_security_struct *sbsec;
2390 u32 newsid, clen;
2391 int rc;
2392 char *namep = NULL, *context;
2393
2394 tsec = current->security;
2395 dsec = dir->i_security;
2396 sbsec = dir->i_sb->s_security;
2397
2398 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2399 newsid = tsec->create_sid;
2400 } else {
2401 rc = security_transition_sid(tsec->sid, dsec->sid,
2402 inode_mode_to_security_class(inode->i_mode),
2403 &newsid);
2404 if (rc) {
2405 printk(KERN_WARNING "%s: "
2406 "security_transition_sid failed, rc=%d (dev=%s "
2407 "ino=%ld)\n",
2408 __FUNCTION__,
2409 -rc, inode->i_sb->s_id, inode->i_ino);
2410 return rc;
2411 }
2412 }
2413
2414 /* Possibly defer initialization to selinux_complete_init. */
2415 if (sbsec->initialized) {
2416 struct inode_security_struct *isec = inode->i_security;
2417 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2418 isec->sid = newsid;
2419 isec->initialized = 1;
2420 }
2421
2422 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2423 return -EOPNOTSUPP;
2424
2425 if (name) {
2426 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2427 if (!namep)
2428 return -ENOMEM;
2429 *name = namep;
2430 }
2431
2432 if (value && len) {
2433 rc = security_sid_to_context(newsid, &context, &clen);
2434 if (rc) {
2435 kfree(namep);
2436 return rc;
2437 }
2438 *value = context;
2439 *len = clen;
2440 }
2441
2442 return 0;
2443 }
2444
2445 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2446 {
2447 return may_create(dir, dentry, SECCLASS_FILE);
2448 }
2449
2450 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2451 {
2452 int rc;
2453
2454 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2455 if (rc)
2456 return rc;
2457 return may_link(dir, old_dentry, MAY_LINK);
2458 }
2459
2460 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2461 {
2462 int rc;
2463
2464 rc = secondary_ops->inode_unlink(dir, dentry);
2465 if (rc)
2466 return rc;
2467 return may_link(dir, dentry, MAY_UNLINK);
2468 }
2469
2470 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2471 {
2472 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2473 }
2474
2475 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2476 {
2477 return may_create(dir, dentry, SECCLASS_DIR);
2478 }
2479
2480 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2481 {
2482 return may_link(dir, dentry, MAY_RMDIR);
2483 }
2484
2485 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2486 {
2487 int rc;
2488
2489 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2490 if (rc)
2491 return rc;
2492
2493 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2494 }
2495
2496 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2497 struct inode *new_inode, struct dentry *new_dentry)
2498 {
2499 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2500 }
2501
2502 static int selinux_inode_readlink(struct dentry *dentry)
2503 {
2504 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2505 }
2506
2507 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2508 {
2509 int rc;
2510
2511 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2512 if (rc)
2513 return rc;
2514 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2515 }
2516
2517 static int selinux_inode_permission(struct inode *inode, int mask,
2518 struct nameidata *nd)
2519 {
2520 int rc;
2521
2522 rc = secondary_ops->inode_permission(inode, mask, nd);
2523 if (rc)
2524 return rc;
2525
2526 if (!mask) {
2527 /* No permission to check. Existence test. */
2528 return 0;
2529 }
2530
2531 return inode_has_perm(current, inode,
2532 file_mask_to_av(inode->i_mode, mask), NULL);
2533 }
2534
2535 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2536 {
2537 int rc;
2538
2539 rc = secondary_ops->inode_setattr(dentry, iattr);
2540 if (rc)
2541 return rc;
2542
2543 if (iattr->ia_valid & ATTR_FORCE)
2544 return 0;
2545
2546 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2547 ATTR_ATIME_SET | ATTR_MTIME_SET))
2548 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2549
2550 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2551 }
2552
2553 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2554 {
2555 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2556 }
2557
2558 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2559 {
2560 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2561 sizeof XATTR_SECURITY_PREFIX - 1)) {
2562 if (!strcmp(name, XATTR_NAME_CAPS)) {
2563 if (!capable(CAP_SETFCAP))
2564 return -EPERM;
2565 } else if (!capable(CAP_SYS_ADMIN)) {
2566 /* A different attribute in the security namespace.
2567 Restrict to administrator. */
2568 return -EPERM;
2569 }
2570 }
2571
2572 /* Not an attribute we recognize, so just check the
2573 ordinary setattr permission. */
2574 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2575 }
2576
2577 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2578 {
2579 struct task_security_struct *tsec = current->security;
2580 struct inode *inode = dentry->d_inode;
2581 struct inode_security_struct *isec = inode->i_security;
2582 struct superblock_security_struct *sbsec;
2583 struct avc_audit_data ad;
2584 u32 newsid;
2585 int rc = 0;
2586
2587 if (strcmp(name, XATTR_NAME_SELINUX))
2588 return selinux_inode_setotherxattr(dentry, name);
2589
2590 sbsec = inode->i_sb->s_security;
2591 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2592 return -EOPNOTSUPP;
2593
2594 if (!is_owner_or_cap(inode))
2595 return -EPERM;
2596
2597 AVC_AUDIT_DATA_INIT(&ad,FS);
2598 ad.u.fs.path.dentry = dentry;
2599
2600 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2601 FILE__RELABELFROM, &ad);
2602 if (rc)
2603 return rc;
2604
2605 rc = security_context_to_sid(value, size, &newsid);
2606 if (rc)
2607 return rc;
2608
2609 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2610 FILE__RELABELTO, &ad);
2611 if (rc)
2612 return rc;
2613
2614 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2615 isec->sclass);
2616 if (rc)
2617 return rc;
2618
2619 return avc_has_perm(newsid,
2620 sbsec->sid,
2621 SECCLASS_FILESYSTEM,
2622 FILESYSTEM__ASSOCIATE,
2623 &ad);
2624 }
2625
2626 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2627 void *value, size_t size, int flags)
2628 {
2629 struct inode *inode = dentry->d_inode;
2630 struct inode_security_struct *isec = inode->i_security;
2631 u32 newsid;
2632 int rc;
2633
2634 if (strcmp(name, XATTR_NAME_SELINUX)) {
2635 /* Not an attribute we recognize, so nothing to do. */
2636 return;
2637 }
2638
2639 rc = security_context_to_sid(value, size, &newsid);
2640 if (rc) {
2641 printk(KERN_WARNING "%s: unable to obtain SID for context "
2642 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2643 return;
2644 }
2645
2646 isec->sid = newsid;
2647 return;
2648 }
2649
2650 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2651 {
2652 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2653 }
2654
2655 static int selinux_inode_listxattr (struct dentry *dentry)
2656 {
2657 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2658 }
2659
2660 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2661 {
2662 if (strcmp(name, XATTR_NAME_SELINUX))
2663 return selinux_inode_setotherxattr(dentry, name);
2664
2665 /* No one is allowed to remove a SELinux security label.
2666 You can change the label, but all data must be labeled. */
2667 return -EACCES;
2668 }
2669
2670 /*
2671 * Copy the in-core inode security context value to the user. If the
2672 * getxattr() prior to this succeeded, check to see if we need to
2673 * canonicalize the value to be finally returned to the user.
2674 *
2675 * Permission check is handled by selinux_inode_getxattr hook.
2676 */
2677 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2678 {
2679 u32 size;
2680 int error;
2681 char *context = NULL;
2682 struct inode_security_struct *isec = inode->i_security;
2683
2684 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2685 return -EOPNOTSUPP;
2686
2687 error = security_sid_to_context(isec->sid, &context, &size);
2688 if (error)
2689 return error;
2690 error = size;
2691 if (alloc) {
2692 *buffer = context;
2693 goto out_nofree;
2694 }
2695 kfree(context);
2696 out_nofree:
2697 return error;
2698 }
2699
2700 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2701 const void *value, size_t size, int flags)
2702 {
2703 struct inode_security_struct *isec = inode->i_security;
2704 u32 newsid;
2705 int rc;
2706
2707 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2708 return -EOPNOTSUPP;
2709
2710 if (!value || !size)
2711 return -EACCES;
2712
2713 rc = security_context_to_sid((void*)value, size, &newsid);
2714 if (rc)
2715 return rc;
2716
2717 isec->sid = newsid;
2718 return 0;
2719 }
2720
2721 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2722 {
2723 const int len = sizeof(XATTR_NAME_SELINUX);
2724 if (buffer && len <= buffer_size)
2725 memcpy(buffer, XATTR_NAME_SELINUX, len);
2726 return len;
2727 }
2728
2729 static int selinux_inode_need_killpriv(struct dentry *dentry)
2730 {
2731 return secondary_ops->inode_need_killpriv(dentry);
2732 }
2733
2734 static int selinux_inode_killpriv(struct dentry *dentry)
2735 {
2736 return secondary_ops->inode_killpriv(dentry);
2737 }
2738
2739 /* file security operations */
2740
2741 static int selinux_revalidate_file_permission(struct file *file, int mask)
2742 {
2743 int rc;
2744 struct inode *inode = file->f_path.dentry->d_inode;
2745
2746 if (!mask) {
2747 /* No permission to check. Existence test. */
2748 return 0;
2749 }
2750
2751 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2752 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2753 mask |= MAY_APPEND;
2754
2755 rc = file_has_perm(current, file,
2756 file_mask_to_av(inode->i_mode, mask));
2757 if (rc)
2758 return rc;
2759
2760 return selinux_netlbl_inode_permission(inode, mask);
2761 }
2762
2763 static int selinux_file_permission(struct file *file, int mask)
2764 {
2765 struct inode *inode = file->f_path.dentry->d_inode;
2766 struct task_security_struct *tsec = current->security;
2767 struct file_security_struct *fsec = file->f_security;
2768 struct inode_security_struct *isec = inode->i_security;
2769
2770 if (!mask) {
2771 /* No permission to check. Existence test. */
2772 return 0;
2773 }
2774
2775 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2776 && fsec->pseqno == avc_policy_seqno())
2777 return selinux_netlbl_inode_permission(inode, mask);
2778
2779 return selinux_revalidate_file_permission(file, mask);
2780 }
2781
2782 static int selinux_file_alloc_security(struct file *file)
2783 {
2784 return file_alloc_security(file);
2785 }
2786
2787 static void selinux_file_free_security(struct file *file)
2788 {
2789 file_free_security(file);
2790 }
2791
2792 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2793 unsigned long arg)
2794 {
2795 int error = 0;
2796
2797 switch (cmd) {
2798 case FIONREAD:
2799 /* fall through */
2800 case FIBMAP:
2801 /* fall through */
2802 case FIGETBSZ:
2803 /* fall through */
2804 case EXT2_IOC_GETFLAGS:
2805 /* fall through */
2806 case EXT2_IOC_GETVERSION:
2807 error = file_has_perm(current, file, FILE__GETATTR);
2808 break;
2809
2810 case EXT2_IOC_SETFLAGS:
2811 /* fall through */
2812 case EXT2_IOC_SETVERSION:
2813 error = file_has_perm(current, file, FILE__SETATTR);
2814 break;
2815
2816 /* sys_ioctl() checks */
2817 case FIONBIO:
2818 /* fall through */
2819 case FIOASYNC:
2820 error = file_has_perm(current, file, 0);
2821 break;
2822
2823 case KDSKBENT:
2824 case KDSKBSENT:
2825 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2826 break;
2827
2828 /* default case assumes that the command will go
2829 * to the file's ioctl() function.
2830 */
2831 default:
2832 error = file_has_perm(current, file, FILE__IOCTL);
2833
2834 }
2835 return error;
2836 }
2837
2838 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2839 {
2840 #ifndef CONFIG_PPC32
2841 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2842 /*
2843 * We are making executable an anonymous mapping or a
2844 * private file mapping that will also be writable.
2845 * This has an additional check.
2846 */
2847 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2848 if (rc)
2849 return rc;
2850 }
2851 #endif
2852
2853 if (file) {
2854 /* read access is always possible with a mapping */
2855 u32 av = FILE__READ;
2856
2857 /* write access only matters if the mapping is shared */
2858 if (shared && (prot & PROT_WRITE))
2859 av |= FILE__WRITE;
2860
2861 if (prot & PROT_EXEC)
2862 av |= FILE__EXECUTE;
2863
2864 return file_has_perm(current, file, av);
2865 }
2866 return 0;
2867 }
2868
2869 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2870 unsigned long prot, unsigned long flags,
2871 unsigned long addr, unsigned long addr_only)
2872 {
2873 int rc = 0;
2874 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2875
2876 if (addr < mmap_min_addr)
2877 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2878 MEMPROTECT__MMAP_ZERO, NULL);
2879 if (rc || addr_only)
2880 return rc;
2881
2882 if (selinux_checkreqprot)
2883 prot = reqprot;
2884
2885 return file_map_prot_check(file, prot,
2886 (flags & MAP_TYPE) == MAP_SHARED);
2887 }
2888
2889 static int selinux_file_mprotect(struct vm_area_struct *vma,
2890 unsigned long reqprot,
2891 unsigned long prot)
2892 {
2893 int rc;
2894
2895 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2896 if (rc)
2897 return rc;
2898
2899 if (selinux_checkreqprot)
2900 prot = reqprot;
2901
2902 #ifndef CONFIG_PPC32
2903 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2904 rc = 0;
2905 if (vma->vm_start >= vma->vm_mm->start_brk &&
2906 vma->vm_end <= vma->vm_mm->brk) {
2907 rc = task_has_perm(current, current,
2908 PROCESS__EXECHEAP);
2909 } else if (!vma->vm_file &&
2910 vma->vm_start <= vma->vm_mm->start_stack &&
2911 vma->vm_end >= vma->vm_mm->start_stack) {
2912 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2913 } else if (vma->vm_file && vma->anon_vma) {
2914 /*
2915 * We are making executable a file mapping that has
2916 * had some COW done. Since pages might have been
2917 * written, check ability to execute the possibly
2918 * modified content. This typically should only
2919 * occur for text relocations.
2920 */
2921 rc = file_has_perm(current, vma->vm_file,
2922 FILE__EXECMOD);
2923 }
2924 if (rc)
2925 return rc;
2926 }
2927 #endif
2928
2929 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2930 }
2931
2932 static int selinux_file_lock(struct file *file, unsigned int cmd)
2933 {
2934 return file_has_perm(current, file, FILE__LOCK);
2935 }
2936
2937 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2938 unsigned long arg)
2939 {
2940 int err = 0;
2941
2942 switch (cmd) {
2943 case F_SETFL:
2944 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2945 err = -EINVAL;
2946 break;
2947 }
2948
2949 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2950 err = file_has_perm(current, file,FILE__WRITE);
2951 break;
2952 }
2953 /* fall through */
2954 case F_SETOWN:
2955 case F_SETSIG:
2956 case F_GETFL:
2957 case F_GETOWN:
2958 case F_GETSIG:
2959 /* Just check FD__USE permission */
2960 err = file_has_perm(current, file, 0);
2961 break;
2962 case F_GETLK:
2963 case F_SETLK:
2964 case F_SETLKW:
2965 #if BITS_PER_LONG == 32
2966 case F_GETLK64:
2967 case F_SETLK64:
2968 case F_SETLKW64:
2969 #endif
2970 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2971 err = -EINVAL;
2972 break;
2973 }
2974 err = file_has_perm(current, file, FILE__LOCK);
2975 break;
2976 }
2977
2978 return err;
2979 }
2980
2981 static int selinux_file_set_fowner(struct file *file)
2982 {
2983 struct task_security_struct *tsec;
2984 struct file_security_struct *fsec;
2985
2986 tsec = current->security;
2987 fsec = file->f_security;
2988 fsec->fown_sid = tsec->sid;
2989
2990 return 0;
2991 }
2992
2993 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2994 struct fown_struct *fown, int signum)
2995 {
2996 struct file *file;
2997 u32 perm;
2998 struct task_security_struct *tsec;
2999 struct file_security_struct *fsec;
3000
3001 /* struct fown_struct is never outside the context of a struct file */
3002 file = container_of(fown, struct file, f_owner);
3003
3004 tsec = tsk->security;
3005 fsec = file->f_security;
3006
3007 if (!signum)
3008 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3009 else
3010 perm = signal_to_av(signum);
3011
3012 return avc_has_perm(fsec->fown_sid, tsec->sid,
3013 SECCLASS_PROCESS, perm, NULL);
3014 }
3015
3016 static int selinux_file_receive(struct file *file)
3017 {
3018 return file_has_perm(current, file, file_to_av(file));
3019 }
3020
3021 static int selinux_dentry_open(struct file *file)
3022 {
3023 struct file_security_struct *fsec;
3024 struct inode *inode;
3025 struct inode_security_struct *isec;
3026 inode = file->f_path.dentry->d_inode;
3027 fsec = file->f_security;
3028 isec = inode->i_security;
3029 /*
3030 * Save inode label and policy sequence number
3031 * at open-time so that selinux_file_permission
3032 * can determine whether revalidation is necessary.
3033 * Task label is already saved in the file security
3034 * struct as its SID.
3035 */
3036 fsec->isid = isec->sid;
3037 fsec->pseqno = avc_policy_seqno();
3038 /*
3039 * Since the inode label or policy seqno may have changed
3040 * between the selinux_inode_permission check and the saving
3041 * of state above, recheck that access is still permitted.
3042 * Otherwise, access might never be revalidated against the
3043 * new inode label or new policy.
3044 * This check is not redundant - do not remove.
3045 */
3046 return inode_has_perm(current, inode, file_to_av(file), NULL);
3047 }
3048
3049 /* task security operations */
3050
3051 static int selinux_task_create(unsigned long clone_flags)
3052 {
3053 int rc;
3054
3055 rc = secondary_ops->task_create(clone_flags);
3056 if (rc)
3057 return rc;
3058
3059 return task_has_perm(current, current, PROCESS__FORK);
3060 }
3061
3062 static int selinux_task_alloc_security(struct task_struct *tsk)
3063 {
3064 struct task_security_struct *tsec1, *tsec2;
3065 int rc;
3066
3067 tsec1 = current->security;
3068
3069 rc = task_alloc_security(tsk);
3070 if (rc)
3071 return rc;
3072 tsec2 = tsk->security;
3073
3074 tsec2->osid = tsec1->osid;
3075 tsec2->sid = tsec1->sid;
3076
3077 /* Retain the exec, fs, key, and sock SIDs across fork */
3078 tsec2->exec_sid = tsec1->exec_sid;
3079 tsec2->create_sid = tsec1->create_sid;
3080 tsec2->keycreate_sid = tsec1->keycreate_sid;
3081 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3082
3083 /* Retain ptracer SID across fork, if any.
3084 This will be reset by the ptrace hook upon any
3085 subsequent ptrace_attach operations. */
3086 tsec2->ptrace_sid = tsec1->ptrace_sid;
3087
3088 return 0;
3089 }
3090
3091 static void selinux_task_free_security(struct task_struct *tsk)
3092 {
3093 task_free_security(tsk);
3094 }
3095
3096 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3097 {
3098 /* Since setuid only affects the current process, and
3099 since the SELinux controls are not based on the Linux
3100 identity attributes, SELinux does not need to control
3101 this operation. However, SELinux does control the use
3102 of the CAP_SETUID and CAP_SETGID capabilities using the
3103 capable hook. */
3104 return 0;
3105 }
3106
3107 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3108 {
3109 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3110 }
3111
3112 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3113 {
3114 /* See the comment for setuid above. */
3115 return 0;
3116 }
3117
3118 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3119 {
3120 return task_has_perm(current, p, PROCESS__SETPGID);
3121 }
3122
3123 static int selinux_task_getpgid(struct task_struct *p)
3124 {
3125 return task_has_perm(current, p, PROCESS__GETPGID);
3126 }
3127
3128 static int selinux_task_getsid(struct task_struct *p)
3129 {
3130 return task_has_perm(current, p, PROCESS__GETSESSION);
3131 }
3132
3133 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3134 {
3135 selinux_get_task_sid(p, secid);
3136 }
3137
3138 static int selinux_task_setgroups(struct group_info *group_info)
3139 {
3140 /* See the comment for setuid above. */
3141 return 0;
3142 }
3143
3144 static int selinux_task_setnice(struct task_struct *p, int nice)
3145 {
3146 int rc;
3147
3148 rc = secondary_ops->task_setnice(p, nice);
3149 if (rc)
3150 return rc;
3151
3152 return task_has_perm(current,p, PROCESS__SETSCHED);
3153 }
3154
3155 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3156 {
3157 int rc;
3158
3159 rc = secondary_ops->task_setioprio(p, ioprio);
3160 if (rc)
3161 return rc;
3162
3163 return task_has_perm(current, p, PROCESS__SETSCHED);
3164 }
3165
3166 static int selinux_task_getioprio(struct task_struct *p)
3167 {
3168 return task_has_perm(current, p, PROCESS__GETSCHED);
3169 }
3170
3171 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3172 {
3173 struct rlimit *old_rlim = current->signal->rlim + resource;
3174 int rc;
3175
3176 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3177 if (rc)
3178 return rc;
3179
3180 /* Control the ability to change the hard limit (whether
3181 lowering or raising it), so that the hard limit can
3182 later be used as a safe reset point for the soft limit
3183 upon context transitions. See selinux_bprm_apply_creds. */
3184 if (old_rlim->rlim_max != new_rlim->rlim_max)
3185 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3186
3187 return 0;
3188 }
3189
3190 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3191 {
3192 int rc;
3193
3194 rc = secondary_ops->task_setscheduler(p, policy, lp);
3195 if (rc)
3196 return rc;
3197
3198 return task_has_perm(current, p, PROCESS__SETSCHED);
3199 }
3200
3201 static int selinux_task_getscheduler(struct task_struct *p)
3202 {
3203 return task_has_perm(current, p, PROCESS__GETSCHED);
3204 }
3205
3206 static int selinux_task_movememory(struct task_struct *p)
3207 {
3208 return task_has_perm(current, p, PROCESS__SETSCHED);
3209 }
3210
3211 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3212 int sig, u32 secid)
3213 {
3214 u32 perm;
3215 int rc;
3216 struct task_security_struct *tsec;
3217
3218 rc = secondary_ops->task_kill(p, info, sig, secid);
3219 if (rc)
3220 return rc;
3221
3222 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3223 return 0;
3224
3225 if (!sig)
3226 perm = PROCESS__SIGNULL; /* null signal; existence test */
3227 else
3228 perm = signal_to_av(sig);
3229 tsec = p->security;
3230 if (secid)
3231 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3232 else
3233 rc = task_has_perm(current, p, perm);
3234 return rc;
3235 }
3236
3237 static int selinux_task_prctl(int option,
3238 unsigned long arg2,
3239 unsigned long arg3,
3240 unsigned long arg4,
3241 unsigned long arg5)
3242 {
3243 /* The current prctl operations do not appear to require
3244 any SELinux controls since they merely observe or modify
3245 the state of the current process. */
3246 return 0;
3247 }
3248
3249 static int selinux_task_wait(struct task_struct *p)
3250 {
3251 return task_has_perm(p, current, PROCESS__SIGCHLD);
3252 }
3253
3254 static void selinux_task_reparent_to_init(struct task_struct *p)
3255 {
3256 struct task_security_struct *tsec;
3257
3258 secondary_ops->task_reparent_to_init(p);
3259
3260 tsec = p->security;
3261 tsec->osid = tsec->sid;
3262 tsec->sid = SECINITSID_KERNEL;
3263 return;
3264 }
3265
3266 static void selinux_task_to_inode(struct task_struct *p,
3267 struct inode *inode)
3268 {
3269 struct task_security_struct *tsec = p->security;
3270 struct inode_security_struct *isec = inode->i_security;
3271
3272 isec->sid = tsec->sid;
3273 isec->initialized = 1;
3274 return;
3275 }
3276
3277 /* Returns error only if unable to parse addresses */
3278 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3279 struct avc_audit_data *ad, u8 *proto)
3280 {
3281 int offset, ihlen, ret = -EINVAL;
3282 struct iphdr _iph, *ih;
3283
3284 offset = skb_network_offset(skb);
3285 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3286 if (ih == NULL)
3287 goto out;
3288
3289 ihlen = ih->ihl * 4;
3290 if (ihlen < sizeof(_iph))
3291 goto out;
3292
3293 ad->u.net.v4info.saddr = ih->saddr;
3294 ad->u.net.v4info.daddr = ih->daddr;
3295 ret = 0;
3296
3297 if (proto)
3298 *proto = ih->protocol;
3299
3300 switch (ih->protocol) {
3301 case IPPROTO_TCP: {
3302 struct tcphdr _tcph, *th;
3303
3304 if (ntohs(ih->frag_off) & IP_OFFSET)
3305 break;
3306
3307 offset += ihlen;
3308 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3309 if (th == NULL)
3310 break;
3311
3312 ad->u.net.sport = th->source;
3313 ad->u.net.dport = th->dest;
3314 break;
3315 }
3316
3317 case IPPROTO_UDP: {
3318 struct udphdr _udph, *uh;
3319
3320 if (ntohs(ih->frag_off) & IP_OFFSET)
3321 break;
3322
3323 offset += ihlen;
3324 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3325 if (uh == NULL)
3326 break;
3327
3328 ad->u.net.sport = uh->source;
3329 ad->u.net.dport = uh->dest;
3330 break;
3331 }
3332
3333 case IPPROTO_DCCP: {
3334 struct dccp_hdr _dccph, *dh;
3335
3336 if (ntohs(ih->frag_off) & IP_OFFSET)
3337 break;
3338
3339 offset += ihlen;
3340 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3341 if (dh == NULL)
3342 break;
3343
3344 ad->u.net.sport = dh->dccph_sport;
3345 ad->u.net.dport = dh->dccph_dport;
3346 break;
3347 }
3348
3349 default:
3350 break;
3351 }
3352 out:
3353 return ret;
3354 }
3355
3356 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3357
3358 /* Returns error only if unable to parse addresses */
3359 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3360 struct avc_audit_data *ad, u8 *proto)
3361 {
3362 u8 nexthdr;
3363 int ret = -EINVAL, offset;
3364 struct ipv6hdr _ipv6h, *ip6;
3365
3366 offset = skb_network_offset(skb);
3367 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3368 if (ip6 == NULL)
3369 goto out;
3370
3371 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3372 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3373 ret = 0;
3374
3375 nexthdr = ip6->nexthdr;
3376 offset += sizeof(_ipv6h);
3377 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3378 if (offset < 0)
3379 goto out;
3380
3381 if (proto)
3382 *proto = nexthdr;
3383
3384 switch (nexthdr) {
3385 case IPPROTO_TCP: {
3386 struct tcphdr _tcph, *th;
3387
3388 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3389 if (th == NULL)
3390 break;
3391
3392 ad->u.net.sport = th->source;
3393 ad->u.net.dport = th->dest;
3394 break;
3395 }
3396
3397 case IPPROTO_UDP: {
3398 struct udphdr _udph, *uh;
3399
3400 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3401 if (uh == NULL)
3402 break;
3403
3404 ad->u.net.sport = uh->source;
3405 ad->u.net.dport = uh->dest;
3406 break;
3407 }
3408
3409 case IPPROTO_DCCP: {
3410 struct dccp_hdr _dccph, *dh;
3411
3412 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3413 if (dh == NULL)
3414 break;
3415
3416 ad->u.net.sport = dh->dccph_sport;
3417 ad->u.net.dport = dh->dccph_dport;
3418 break;
3419 }
3420
3421 /* includes fragments */
3422 default:
3423 break;
3424 }
3425 out:
3426 return ret;
3427 }
3428
3429 #endif /* IPV6 */
3430
3431 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3432 char **addrp, int src, u8 *proto)
3433 {
3434 int ret = 0;
3435
3436 switch (ad->u.net.family) {
3437 case PF_INET:
3438 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3439 if (ret || !addrp)
3440 break;
3441 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3442 &ad->u.net.v4info.daddr);
3443 break;
3444
3445 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3446 case PF_INET6:
3447 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3448 if (ret || !addrp)
3449 break;
3450 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3451 &ad->u.net.v6info.daddr);
3452 break;
3453 #endif /* IPV6 */
3454 default:
3455 break;
3456 }
3457
3458 if (unlikely(ret))
3459 printk(KERN_WARNING
3460 "SELinux: failure in selinux_parse_skb(),"
3461 " unable to parse packet\n");
3462
3463 return ret;
3464 }
3465
3466 /**
3467 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3468 * @skb: the packet
3469 * @family: protocol family
3470 * @sid: the packet's peer label SID
3471 *
3472 * Description:
3473 * Check the various different forms of network peer labeling and determine
3474 * the peer label/SID for the packet; most of the magic actually occurs in
3475 * the security server function security_net_peersid_cmp(). The function
3476 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3477 * or -EACCES if @sid is invalid due to inconsistencies with the different
3478 * peer labels.
3479 *
3480 */
3481 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3482 {
3483 int err;
3484 u32 xfrm_sid;
3485 u32 nlbl_sid;
3486 u32 nlbl_type;
3487
3488 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3489 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3490
3491 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3492 if (unlikely(err)) {
3493 printk(KERN_WARNING
3494 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3495 " unable to determine packet's peer label\n");
3496 return -EACCES;
3497 }
3498
3499 return 0;
3500 }
3501
3502 /* socket security operations */
3503 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3504 u32 perms)
3505 {
3506 struct inode_security_struct *isec;
3507 struct task_security_struct *tsec;
3508 struct avc_audit_data ad;
3509 int err = 0;
3510
3511 tsec = task->security;
3512 isec = SOCK_INODE(sock)->i_security;
3513
3514 if (isec->sid == SECINITSID_KERNEL)
3515 goto out;
3516
3517 AVC_AUDIT_DATA_INIT(&ad,NET);
3518 ad.u.net.sk = sock->sk;
3519 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3520
3521 out:
3522 return err;
3523 }
3524
3525 static int selinux_socket_create(int family, int type,
3526 int protocol, int kern)
3527 {
3528 int err = 0;
3529 struct task_security_struct *tsec;
3530 u32 newsid;
3531
3532 if (kern)
3533 goto out;
3534
3535 tsec = current->security;
3536 newsid = tsec->sockcreate_sid ? : tsec->sid;
3537 err = avc_has_perm(tsec->sid, newsid,
3538 socket_type_to_security_class(family, type,
3539 protocol), SOCKET__CREATE, NULL);
3540
3541 out:
3542 return err;
3543 }
3544
3545 static int selinux_socket_post_create(struct socket *sock, int family,
3546 int type, int protocol, int kern)
3547 {
3548 int err = 0;
3549 struct inode_security_struct *isec;
3550 struct task_security_struct *tsec;
3551 struct sk_security_struct *sksec;
3552 u32 newsid;
3553
3554 isec = SOCK_INODE(sock)->i_security;
3555
3556 tsec = current->security;
3557 newsid = tsec->sockcreate_sid ? : tsec->sid;
3558 isec->sclass = socket_type_to_security_class(family, type, protocol);
3559 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3560 isec->initialized = 1;
3561
3562 if (sock->sk) {
3563 sksec = sock->sk->sk_security;
3564 sksec->sid = isec->sid;
3565 sksec->sclass = isec->sclass;
3566 err = selinux_netlbl_socket_post_create(sock);
3567 }
3568
3569 return err;
3570 }
3571
3572 /* Range of port numbers used to automatically bind.
3573 Need to determine whether we should perform a name_bind
3574 permission check between the socket and the port number. */
3575
3576 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3577 {
3578 u16 family;
3579 int err;
3580
3581 err = socket_has_perm(current, sock, SOCKET__BIND);
3582 if (err)
3583 goto out;
3584
3585 /*
3586 * If PF_INET or PF_INET6, check name_bind permission for the port.
3587 * Multiple address binding for SCTP is not supported yet: we just
3588 * check the first address now.
3589 */
3590 family = sock->sk->sk_family;
3591 if (family == PF_INET || family == PF_INET6) {
3592 char *addrp;
3593 struct inode_security_struct *isec;
3594 struct task_security_struct *tsec;
3595 struct avc_audit_data ad;
3596 struct sockaddr_in *addr4 = NULL;
3597 struct sockaddr_in6 *addr6 = NULL;
3598 unsigned short snum;
3599 struct sock *sk = sock->sk;
3600 u32 sid, node_perm, addrlen;
3601
3602 tsec = current->security;
3603 isec = SOCK_INODE(sock)->i_security;
3604
3605 if (family == PF_INET) {
3606 addr4 = (struct sockaddr_in *)address;
3607 snum = ntohs(addr4->sin_port);
3608 addrlen = sizeof(addr4->sin_addr.s_addr);
3609 addrp = (char *)&addr4->sin_addr.s_addr;
3610 } else {
3611 addr6 = (struct sockaddr_in6 *)address;
3612 snum = ntohs(addr6->sin6_port);
3613 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3614 addrp = (char *)&addr6->sin6_addr.s6_addr;
3615 }
3616
3617 if (snum) {
3618 int low, high;
3619
3620 inet_get_local_port_range(&low, &high);
3621
3622 if (snum < max(PROT_SOCK, low) || snum > high) {
3623 err = security_port_sid(sk->sk_family,
3624 sk->sk_type,
3625 sk->sk_protocol, snum,
3626 &sid);
3627 if (err)
3628 goto out;
3629 AVC_AUDIT_DATA_INIT(&ad,NET);
3630 ad.u.net.sport = htons(snum);
3631 ad.u.net.family = family;
3632 err = avc_has_perm(isec->sid, sid,
3633 isec->sclass,
3634 SOCKET__NAME_BIND, &ad);
3635 if (err)
3636 goto out;
3637 }
3638 }
3639
3640 switch(isec->sclass) {
3641 case SECCLASS_TCP_SOCKET:
3642 node_perm = TCP_SOCKET__NODE_BIND;
3643 break;
3644
3645 case SECCLASS_UDP_SOCKET:
3646 node_perm = UDP_SOCKET__NODE_BIND;
3647 break;
3648
3649 case SECCLASS_DCCP_SOCKET:
3650 node_perm = DCCP_SOCKET__NODE_BIND;
3651 break;
3652
3653 default:
3654 node_perm = RAWIP_SOCKET__NODE_BIND;
3655 break;
3656 }
3657
3658 err = sel_netnode_sid(addrp, family, &sid);
3659 if (err)
3660 goto out;
3661
3662 AVC_AUDIT_DATA_INIT(&ad,NET);
3663 ad.u.net.sport = htons(snum);
3664 ad.u.net.family = family;
3665
3666 if (family == PF_INET)
3667 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3668 else
3669 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3670
3671 err = avc_has_perm(isec->sid, sid,
3672 isec->sclass, node_perm, &ad);
3673 if (err)
3674 goto out;
3675 }
3676 out:
3677 return err;
3678 }
3679
3680 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3681 {
3682 struct inode_security_struct *isec;
3683 int err;
3684
3685 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3686 if (err)
3687 return err;
3688
3689 /*
3690 * If a TCP or DCCP socket, check name_connect permission for the port.
3691 */
3692 isec = SOCK_INODE(sock)->i_security;
3693 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3694 isec->sclass == SECCLASS_DCCP_SOCKET) {
3695 struct sock *sk = sock->sk;
3696 struct avc_audit_data ad;
3697 struct sockaddr_in *addr4 = NULL;
3698 struct sockaddr_in6 *addr6 = NULL;
3699 unsigned short snum;
3700 u32 sid, perm;
3701
3702 if (sk->sk_family == PF_INET) {
3703 addr4 = (struct sockaddr_in *)address;
3704 if (addrlen < sizeof(struct sockaddr_in))
3705 return -EINVAL;
3706 snum = ntohs(addr4->sin_port);
3707 } else {
3708 addr6 = (struct sockaddr_in6 *)address;
3709 if (addrlen < SIN6_LEN_RFC2133)
3710 return -EINVAL;
3711 snum = ntohs(addr6->sin6_port);
3712 }
3713
3714 err = security_port_sid(sk->sk_family, sk->sk_type,
3715 sk->sk_protocol, snum, &sid);
3716 if (err)
3717 goto out;
3718
3719 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3720 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3721
3722 AVC_AUDIT_DATA_INIT(&ad,NET);
3723 ad.u.net.dport = htons(snum);
3724 ad.u.net.family = sk->sk_family;
3725 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3726 if (err)
3727 goto out;
3728 }
3729
3730 out:
3731 return err;
3732 }
3733
3734 static int selinux_socket_listen(struct socket *sock, int backlog)
3735 {
3736 return socket_has_perm(current, sock, SOCKET__LISTEN);
3737 }
3738
3739 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3740 {
3741 int err;
3742 struct inode_security_struct *isec;
3743 struct inode_security_struct *newisec;
3744
3745 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3746 if (err)
3747 return err;
3748
3749 newisec = SOCK_INODE(newsock)->i_security;
3750
3751 isec = SOCK_INODE(sock)->i_security;
3752 newisec->sclass = isec->sclass;
3753 newisec->sid = isec->sid;
3754 newisec->initialized = 1;
3755
3756 return 0;
3757 }
3758
3759 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3760 int size)
3761 {
3762 int rc;
3763
3764 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3765 if (rc)
3766 return rc;
3767
3768 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3769 }
3770
3771 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3772 int size, int flags)
3773 {
3774 return socket_has_perm(current, sock, SOCKET__READ);
3775 }
3776
3777 static int selinux_socket_getsockname(struct socket *sock)
3778 {
3779 return socket_has_perm(current, sock, SOCKET__GETATTR);
3780 }
3781
3782 static int selinux_socket_getpeername(struct socket *sock)
3783 {
3784 return socket_has_perm(current, sock, SOCKET__GETATTR);
3785 }
3786
3787 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3788 {
3789 int err;
3790
3791 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3792 if (err)
3793 return err;
3794
3795 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3796 }
3797
3798 static int selinux_socket_getsockopt(struct socket *sock, int level,
3799 int optname)
3800 {
3801 return socket_has_perm(current, sock, SOCKET__GETOPT);
3802 }
3803
3804 static int selinux_socket_shutdown(struct socket *sock, int how)
3805 {
3806 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3807 }
3808
3809 static int selinux_socket_unix_stream_connect(struct socket *sock,
3810 struct socket *other,
3811 struct sock *newsk)
3812 {
3813 struct sk_security_struct *ssec;
3814 struct inode_security_struct *isec;
3815 struct inode_security_struct *other_isec;
3816 struct avc_audit_data ad;
3817 int err;
3818
3819 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3820 if (err)
3821 return err;
3822
3823 isec = SOCK_INODE(sock)->i_security;
3824 other_isec = SOCK_INODE(other)->i_security;
3825
3826 AVC_AUDIT_DATA_INIT(&ad,NET);
3827 ad.u.net.sk = other->sk;
3828
3829 err = avc_has_perm(isec->sid, other_isec->sid,
3830 isec->sclass,
3831 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3832 if (err)
3833 return err;
3834
3835 /* connecting socket */
3836 ssec = sock->sk->sk_security;
3837 ssec->peer_sid = other_isec->sid;
3838
3839 /* server child socket */
3840 ssec = newsk->sk_security;
3841 ssec->peer_sid = isec->sid;
3842 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3843
3844 return err;
3845 }
3846
3847 static int selinux_socket_unix_may_send(struct socket *sock,
3848 struct socket *other)
3849 {
3850 struct inode_security_struct *isec;
3851 struct inode_security_struct *other_isec;
3852 struct avc_audit_data ad;
3853 int err;
3854
3855 isec = SOCK_INODE(sock)->i_security;
3856 other_isec = SOCK_INODE(other)->i_security;
3857
3858 AVC_AUDIT_DATA_INIT(&ad,NET);
3859 ad.u.net.sk = other->sk;
3860
3861 err = avc_has_perm(isec->sid, other_isec->sid,
3862 isec->sclass, SOCKET__SENDTO, &ad);
3863 if (err)
3864 return err;
3865
3866 return 0;
3867 }
3868
3869 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3870 u32 peer_sid,
3871 struct avc_audit_data *ad)
3872 {
3873 int err;
3874 u32 if_sid;
3875 u32 node_sid;
3876
3877 err = sel_netif_sid(ifindex, &if_sid);
3878 if (err)
3879 return err;
3880 err = avc_has_perm(peer_sid, if_sid,
3881 SECCLASS_NETIF, NETIF__INGRESS, ad);
3882 if (err)
3883 return err;
3884
3885 err = sel_netnode_sid(addrp, family, &node_sid);
3886 if (err)
3887 return err;
3888 return avc_has_perm(peer_sid, node_sid,
3889 SECCLASS_NODE, NODE__RECVFROM, ad);
3890 }
3891
3892 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3893 struct sk_buff *skb,
3894 struct avc_audit_data *ad,
3895 u16 family,
3896 char *addrp)
3897 {
3898 int err;
3899 struct sk_security_struct *sksec = sk->sk_security;
3900 u16 sk_class;
3901 u32 netif_perm, node_perm, recv_perm;
3902 u32 port_sid, node_sid, if_sid, sk_sid;
3903
3904 sk_sid = sksec->sid;
3905 sk_class = sksec->sclass;
3906
3907 switch (sk_class) {
3908 case SECCLASS_UDP_SOCKET:
3909 netif_perm = NETIF__UDP_RECV;
3910 node_perm = NODE__UDP_RECV;
3911 recv_perm = UDP_SOCKET__RECV_MSG;
3912 break;
3913 case SECCLASS_TCP_SOCKET:
3914 netif_perm = NETIF__TCP_RECV;
3915 node_perm = NODE__TCP_RECV;
3916 recv_perm = TCP_SOCKET__RECV_MSG;
3917 break;
3918 case SECCLASS_DCCP_SOCKET:
3919 netif_perm = NETIF__DCCP_RECV;
3920 node_perm = NODE__DCCP_RECV;
3921 recv_perm = DCCP_SOCKET__RECV_MSG;
3922 break;
3923 default:
3924 netif_perm = NETIF__RAWIP_RECV;
3925 node_perm = NODE__RAWIP_RECV;
3926 recv_perm = 0;
3927 break;
3928 }
3929
3930 err = sel_netif_sid(skb->iif, &if_sid);
3931 if (err)
3932 return err;
3933 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3934 if (err)
3935 return err;
3936
3937 err = sel_netnode_sid(addrp, family, &node_sid);
3938 if (err)
3939 return err;
3940 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3941 if (err)
3942 return err;
3943
3944 if (!recv_perm)
3945 return 0;
3946 err = security_port_sid(sk->sk_family, sk->sk_type,
3947 sk->sk_protocol, ntohs(ad->u.net.sport),
3948 &port_sid);
3949 if (unlikely(err)) {
3950 printk(KERN_WARNING
3951 "SELinux: failure in"
3952 " selinux_sock_rcv_skb_iptables_compat(),"
3953 " network port label not found\n");
3954 return err;
3955 }
3956 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3957 }
3958
3959 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3960 struct avc_audit_data *ad,
3961 u16 family, char *addrp)
3962 {
3963 int err;
3964 struct sk_security_struct *sksec = sk->sk_security;
3965 u32 peer_sid;
3966 u32 sk_sid = sksec->sid;
3967
3968 if (selinux_compat_net)
3969 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3970 family, addrp);
3971 else
3972 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3973 PACKET__RECV, ad);
3974 if (err)
3975 return err;
3976
3977 if (selinux_policycap_netpeer) {
3978 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3979 if (err)
3980 return err;
3981 err = avc_has_perm(sk_sid, peer_sid,
3982 SECCLASS_PEER, PEER__RECV, ad);
3983 } else {
3984 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3985 if (err)
3986 return err;
3987 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3988 }
3989
3990 return err;
3991 }
3992
3993 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3994 {
3995 int err;
3996 struct sk_security_struct *sksec = sk->sk_security;
3997 u16 family = sk->sk_family;
3998 u32 sk_sid = sksec->sid;
3999 struct avc_audit_data ad;
4000 char *addrp;
4001
4002 if (family != PF_INET && family != PF_INET6)
4003 return 0;
4004
4005 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4006 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4007 family = PF_INET;
4008
4009 AVC_AUDIT_DATA_INIT(&ad, NET);
4010 ad.u.net.netif = skb->iif;
4011 ad.u.net.family = family;
4012 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4013 if (err)
4014 return err;
4015
4016 /* If any sort of compatibility mode is enabled then handoff processing
4017 * to the selinux_sock_rcv_skb_compat() function to deal with the
4018 * special handling. We do this in an attempt to keep this function
4019 * as fast and as clean as possible. */
4020 if (selinux_compat_net || !selinux_policycap_netpeer)
4021 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4022 family, addrp);
4023
4024 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4025 u32 peer_sid;
4026
4027 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4028 if (err)
4029 return err;
4030 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4031 peer_sid, &ad);
4032 if (err)
4033 return err;
4034 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4035 PEER__RECV, &ad);
4036 }
4037
4038 if (selinux_secmark_enabled()) {
4039 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4040 PACKET__RECV, &ad);
4041 if (err)
4042 return err;
4043 }
4044
4045 return err;
4046 }
4047
4048 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4049 int __user *optlen, unsigned len)
4050 {
4051 int err = 0;
4052 char *scontext;
4053 u32 scontext_len;
4054 struct sk_security_struct *ssec;
4055 struct inode_security_struct *isec;
4056 u32 peer_sid = SECSID_NULL;
4057
4058 isec = SOCK_INODE(sock)->i_security;
4059
4060 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4061 isec->sclass == SECCLASS_TCP_SOCKET) {
4062 ssec = sock->sk->sk_security;
4063 peer_sid = ssec->peer_sid;
4064 }
4065 if (peer_sid == SECSID_NULL) {
4066 err = -ENOPROTOOPT;
4067 goto out;
4068 }
4069
4070 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4071
4072 if (err)
4073 goto out;
4074
4075 if (scontext_len > len) {
4076 err = -ERANGE;
4077 goto out_len;
4078 }
4079
4080 if (copy_to_user(optval, scontext, scontext_len))
4081 err = -EFAULT;
4082
4083 out_len:
4084 if (put_user(scontext_len, optlen))
4085 err = -EFAULT;
4086
4087 kfree(scontext);
4088 out:
4089 return err;
4090 }
4091
4092 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4093 {
4094 u32 peer_secid = SECSID_NULL;
4095 u16 family;
4096
4097 if (sock)
4098 family = sock->sk->sk_family;
4099 else if (skb && skb->sk)
4100 family = skb->sk->sk_family;
4101 else
4102 goto out;
4103
4104 if (sock && family == PF_UNIX)
4105 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4106 else if (skb)
4107 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4108
4109 out:
4110 *secid = peer_secid;
4111 if (peer_secid == SECSID_NULL)
4112 return -EINVAL;
4113 return 0;
4114 }
4115
4116 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4117 {
4118 return sk_alloc_security(sk, family, priority);
4119 }
4120
4121 static void selinux_sk_free_security(struct sock *sk)
4122 {
4123 sk_free_security(sk);
4124 }
4125
4126 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4127 {
4128 struct sk_security_struct *ssec = sk->sk_security;
4129 struct sk_security_struct *newssec = newsk->sk_security;
4130
4131 newssec->sid = ssec->sid;
4132 newssec->peer_sid = ssec->peer_sid;
4133 newssec->sclass = ssec->sclass;
4134
4135 selinux_netlbl_sk_security_clone(ssec, newssec);
4136 }
4137
4138 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4139 {
4140 if (!sk)
4141 *secid = SECINITSID_ANY_SOCKET;
4142 else {
4143 struct sk_security_struct *sksec = sk->sk_security;
4144
4145 *secid = sksec->sid;
4146 }
4147 }
4148
4149 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4150 {
4151 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4152 struct sk_security_struct *sksec = sk->sk_security;
4153
4154 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4155 sk->sk_family == PF_UNIX)
4156 isec->sid = sksec->sid;
4157 sksec->sclass = isec->sclass;
4158
4159 selinux_netlbl_sock_graft(sk, parent);
4160 }
4161
4162 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4163 struct request_sock *req)
4164 {
4165 struct sk_security_struct *sksec = sk->sk_security;
4166 int err;
4167 u32 newsid;
4168 u32 peersid;
4169
4170 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4171 if (err)
4172 return err;
4173 if (peersid == SECSID_NULL) {
4174 req->secid = sksec->sid;
4175 req->peer_secid = SECSID_NULL;
4176 return 0;
4177 }
4178
4179 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4180 if (err)
4181 return err;
4182
4183 req->secid = newsid;
4184 req->peer_secid = peersid;
4185 return 0;
4186 }
4187
4188 static void selinux_inet_csk_clone(struct sock *newsk,
4189 const struct request_sock *req)
4190 {
4191 struct sk_security_struct *newsksec = newsk->sk_security;
4192
4193 newsksec->sid = req->secid;
4194 newsksec->peer_sid = req->peer_secid;
4195 /* NOTE: Ideally, we should also get the isec->sid for the
4196 new socket in sync, but we don't have the isec available yet.
4197 So we will wait until sock_graft to do it, by which
4198 time it will have been created and available. */
4199
4200 /* We don't need to take any sort of lock here as we are the only
4201 * thread with access to newsksec */
4202 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4203 }
4204
4205 static void selinux_inet_conn_established(struct sock *sk,
4206 struct sk_buff *skb)
4207 {
4208 struct sk_security_struct *sksec = sk->sk_security;
4209
4210 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4211 }
4212
4213 static void selinux_req_classify_flow(const struct request_sock *req,
4214 struct flowi *fl)
4215 {
4216 fl->secid = req->secid;
4217 }
4218
4219 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4220 {
4221 int err = 0;
4222 u32 perm;
4223 struct nlmsghdr *nlh;
4224 struct socket *sock = sk->sk_socket;
4225 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4226
4227 if (skb->len < NLMSG_SPACE(0)) {
4228 err = -EINVAL;
4229 goto out;
4230 }
4231 nlh = nlmsg_hdr(skb);
4232
4233 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4234 if (err) {
4235 if (err == -EINVAL) {
4236 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4237 "SELinux: unrecognized netlink message"
4238 " type=%hu for sclass=%hu\n",
4239 nlh->nlmsg_type, isec->sclass);
4240 if (!selinux_enforcing)
4241 err = 0;
4242 }
4243
4244 /* Ignore */
4245 if (err == -ENOENT)
4246 err = 0;
4247 goto out;
4248 }
4249
4250 err = socket_has_perm(current, sock, perm);
4251 out:
4252 return err;
4253 }
4254
4255 #ifdef CONFIG_NETFILTER
4256
4257 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4258 u16 family)
4259 {
4260 char *addrp;
4261 u32 peer_sid;
4262 struct avc_audit_data ad;
4263 u8 secmark_active;
4264 u8 peerlbl_active;
4265
4266 if (!selinux_policycap_netpeer)
4267 return NF_ACCEPT;
4268
4269 secmark_active = selinux_secmark_enabled();
4270 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4271 if (!secmark_active && !peerlbl_active)
4272 return NF_ACCEPT;
4273
4274 AVC_AUDIT_DATA_INIT(&ad, NET);
4275 ad.u.net.netif = ifindex;
4276 ad.u.net.family = family;
4277 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4278 return NF_DROP;
4279
4280 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4281 return NF_DROP;
4282
4283 if (peerlbl_active)
4284 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4285 peer_sid, &ad) != 0)
4286 return NF_DROP;
4287
4288 if (secmark_active)
4289 if (avc_has_perm(peer_sid, skb->secmark,
4290 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4291 return NF_DROP;
4292
4293 return NF_ACCEPT;
4294 }
4295
4296 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4297 struct sk_buff *skb,
4298 const struct net_device *in,
4299 const struct net_device *out,
4300 int (*okfn)(struct sk_buff *))
4301 {
4302 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4303 }
4304
4305 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4306 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4307 struct sk_buff *skb,
4308 const struct net_device *in,
4309 const struct net_device *out,
4310 int (*okfn)(struct sk_buff *))
4311 {
4312 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4313 }
4314 #endif /* IPV6 */
4315
4316 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4317 int ifindex,
4318 struct avc_audit_data *ad,
4319 u16 family, char *addrp)
4320 {
4321 int err;
4322 struct sk_security_struct *sksec = sk->sk_security;
4323 u16 sk_class;
4324 u32 netif_perm, node_perm, send_perm;
4325 u32 port_sid, node_sid, if_sid, sk_sid;
4326
4327 sk_sid = sksec->sid;
4328 sk_class = sksec->sclass;
4329
4330 switch (sk_class) {
4331 case SECCLASS_UDP_SOCKET:
4332 netif_perm = NETIF__UDP_SEND;
4333 node_perm = NODE__UDP_SEND;
4334 send_perm = UDP_SOCKET__SEND_MSG;
4335 break;
4336 case SECCLASS_TCP_SOCKET:
4337 netif_perm = NETIF__TCP_SEND;
4338 node_perm = NODE__TCP_SEND;
4339 send_perm = TCP_SOCKET__SEND_MSG;
4340 break;
4341 case SECCLASS_DCCP_SOCKET:
4342 netif_perm = NETIF__DCCP_SEND;
4343 node_perm = NODE__DCCP_SEND;
4344 send_perm = DCCP_SOCKET__SEND_MSG;
4345 break;
4346 default:
4347 netif_perm = NETIF__RAWIP_SEND;
4348 node_perm = NODE__RAWIP_SEND;
4349 send_perm = 0;
4350 break;
4351 }
4352
4353 err = sel_netif_sid(ifindex, &if_sid);
4354 if (err)
4355 return err;
4356 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4357 return err;
4358
4359 err = sel_netnode_sid(addrp, family, &node_sid);
4360 if (err)
4361 return err;
4362 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4363 if (err)
4364 return err;
4365
4366 if (send_perm != 0)
4367 return 0;
4368
4369 err = security_port_sid(sk->sk_family, sk->sk_type,
4370 sk->sk_protocol, ntohs(ad->u.net.dport),
4371 &port_sid);
4372 if (unlikely(err)) {
4373 printk(KERN_WARNING
4374 "SELinux: failure in"
4375 " selinux_ip_postroute_iptables_compat(),"
4376 " network port label not found\n");
4377 return err;
4378 }
4379 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4380 }
4381
4382 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4383 int ifindex,
4384 struct avc_audit_data *ad,
4385 u16 family,
4386 char *addrp,
4387 u8 proto)
4388 {
4389 struct sock *sk = skb->sk;
4390 struct sk_security_struct *sksec;
4391
4392 if (sk == NULL)
4393 return NF_ACCEPT;
4394 sksec = sk->sk_security;
4395
4396 if (selinux_compat_net) {
4397 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4398 ad, family, addrp))
4399 return NF_DROP;
4400 } else {
4401 if (avc_has_perm(sksec->sid, skb->secmark,
4402 SECCLASS_PACKET, PACKET__SEND, ad))
4403 return NF_DROP;
4404 }
4405
4406 if (selinux_policycap_netpeer)
4407 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4408 return NF_DROP;
4409
4410 return NF_ACCEPT;
4411 }
4412
4413 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4414 u16 family)
4415 {
4416 u32 secmark_perm;
4417 u32 peer_sid;
4418 struct sock *sk;
4419 struct avc_audit_data ad;
4420 char *addrp;
4421 u8 proto;
4422 u8 secmark_active;
4423 u8 peerlbl_active;
4424
4425 AVC_AUDIT_DATA_INIT(&ad, NET);
4426 ad.u.net.netif = ifindex;
4427 ad.u.net.family = family;
4428 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4429 return NF_DROP;
4430
4431 /* If any sort of compatibility mode is enabled then handoff processing
4432 * to the selinux_ip_postroute_compat() function to deal with the
4433 * special handling. We do this in an attempt to keep this function
4434 * as fast and as clean as possible. */
4435 if (selinux_compat_net || !selinux_policycap_netpeer)
4436 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4437 family, addrp, proto);
4438
4439 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4440 * packet transformation so allow the packet to pass without any checks
4441 * since we'll have another chance to perform access control checks
4442 * when the packet is on it's final way out.
4443 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4444 * is NULL, in this case go ahead and apply access control. */
4445 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4446 return NF_ACCEPT;
4447
4448 secmark_active = selinux_secmark_enabled();
4449 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4450 if (!secmark_active && !peerlbl_active)
4451 return NF_ACCEPT;
4452
4453 /* if the packet is locally generated (skb->sk != NULL) then use the
4454 * socket's label as the peer label, otherwise the packet is being
4455 * forwarded through this system and we need to fetch the peer label
4456 * directly from the packet */
4457 sk = skb->sk;
4458 if (sk) {
4459 struct sk_security_struct *sksec = sk->sk_security;
4460 peer_sid = sksec->sid;
4461 secmark_perm = PACKET__SEND;
4462 } else {
4463 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4464 return NF_DROP;
4465 secmark_perm = PACKET__FORWARD_OUT;
4466 }
4467
4468 if (secmark_active)
4469 if (avc_has_perm(peer_sid, skb->secmark,
4470 SECCLASS_PACKET, secmark_perm, &ad))
4471 return NF_DROP;
4472
4473 if (peerlbl_active) {
4474 u32 if_sid;
4475 u32 node_sid;
4476
4477 if (sel_netif_sid(ifindex, &if_sid))
4478 return NF_DROP;
4479 if (avc_has_perm(peer_sid, if_sid,
4480 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4481 return NF_DROP;
4482
4483 if (sel_netnode_sid(addrp, family, &node_sid))
4484 return NF_DROP;
4485 if (avc_has_perm(peer_sid, node_sid,
4486 SECCLASS_NODE, NODE__SENDTO, &ad))
4487 return NF_DROP;
4488 }
4489
4490 return NF_ACCEPT;
4491 }
4492
4493 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4494 struct sk_buff *skb,
4495 const struct net_device *in,
4496 const struct net_device *out,
4497 int (*okfn)(struct sk_buff *))
4498 {
4499 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4500 }
4501
4502 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4503 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4504 struct sk_buff *skb,
4505 const struct net_device *in,
4506 const struct net_device *out,
4507 int (*okfn)(struct sk_buff *))
4508 {
4509 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4510 }
4511 #endif /* IPV6 */
4512
4513 #endif /* CONFIG_NETFILTER */
4514
4515 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4516 {
4517 int err;
4518
4519 err = secondary_ops->netlink_send(sk, skb);
4520 if (err)
4521 return err;
4522
4523 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4524 err = selinux_nlmsg_perm(sk, skb);
4525
4526 return err;
4527 }
4528
4529 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4530 {
4531 int err;
4532 struct avc_audit_data ad;
4533
4534 err = secondary_ops->netlink_recv(skb, capability);
4535 if (err)
4536 return err;
4537
4538 AVC_AUDIT_DATA_INIT(&ad, CAP);
4539 ad.u.cap = capability;
4540
4541 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4542 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4543 }
4544
4545 static int ipc_alloc_security(struct task_struct *task,
4546 struct kern_ipc_perm *perm,
4547 u16 sclass)
4548 {
4549 struct task_security_struct *tsec = task->security;
4550 struct ipc_security_struct *isec;
4551
4552 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4553 if (!isec)
4554 return -ENOMEM;
4555
4556 isec->sclass = sclass;
4557 isec->ipc_perm = perm;
4558 isec->sid = tsec->sid;
4559 perm->security = isec;
4560
4561 return 0;
4562 }
4563
4564 static void ipc_free_security(struct kern_ipc_perm *perm)
4565 {
4566 struct ipc_security_struct *isec = perm->security;
4567 perm->security = NULL;
4568 kfree(isec);
4569 }
4570
4571 static int msg_msg_alloc_security(struct msg_msg *msg)
4572 {
4573 struct msg_security_struct *msec;
4574
4575 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4576 if (!msec)
4577 return -ENOMEM;
4578
4579 msec->msg = msg;
4580 msec->sid = SECINITSID_UNLABELED;
4581 msg->security = msec;
4582
4583 return 0;
4584 }
4585
4586 static void msg_msg_free_security(struct msg_msg *msg)
4587 {
4588 struct msg_security_struct *msec = msg->security;
4589
4590 msg->security = NULL;
4591 kfree(msec);
4592 }
4593
4594 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4595 u32 perms)
4596 {
4597 struct task_security_struct *tsec;
4598 struct ipc_security_struct *isec;
4599 struct avc_audit_data ad;
4600
4601 tsec = current->security;
4602 isec = ipc_perms->security;
4603
4604 AVC_AUDIT_DATA_INIT(&ad, IPC);
4605 ad.u.ipc_id = ipc_perms->key;
4606
4607 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4608 }
4609
4610 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4611 {
4612 return msg_msg_alloc_security(msg);
4613 }
4614
4615 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4616 {
4617 msg_msg_free_security(msg);
4618 }
4619
4620 /* message queue security operations */
4621 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4622 {
4623 struct task_security_struct *tsec;
4624 struct ipc_security_struct *isec;
4625 struct avc_audit_data ad;
4626 int rc;
4627
4628 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4629 if (rc)
4630 return rc;
4631
4632 tsec = current->security;
4633 isec = msq->q_perm.security;
4634
4635 AVC_AUDIT_DATA_INIT(&ad, IPC);
4636 ad.u.ipc_id = msq->q_perm.key;
4637
4638 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4639 MSGQ__CREATE, &ad);
4640 if (rc) {
4641 ipc_free_security(&msq->q_perm);
4642 return rc;
4643 }
4644 return 0;
4645 }
4646
4647 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4648 {
4649 ipc_free_security(&msq->q_perm);
4650 }
4651
4652 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4653 {
4654 struct task_security_struct *tsec;
4655 struct ipc_security_struct *isec;
4656 struct avc_audit_data ad;
4657
4658 tsec = current->security;
4659 isec = msq->q_perm.security;
4660
4661 AVC_AUDIT_DATA_INIT(&ad, IPC);
4662 ad.u.ipc_id = msq->q_perm.key;
4663
4664 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4665 MSGQ__ASSOCIATE, &ad);
4666 }
4667
4668 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4669 {
4670 int err;
4671 int perms;
4672
4673 switch(cmd) {
4674 case IPC_INFO:
4675 case MSG_INFO:
4676 /* No specific object, just general system-wide information. */
4677 return task_has_system(current, SYSTEM__IPC_INFO);
4678 case IPC_STAT:
4679 case MSG_STAT:
4680 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4681 break;
4682 case IPC_SET:
4683 perms = MSGQ__SETATTR;
4684 break;
4685 case IPC_RMID:
4686 perms = MSGQ__DESTROY;
4687 break;
4688 default:
4689 return 0;
4690 }
4691
4692 err = ipc_has_perm(&msq->q_perm, perms);
4693 return err;
4694 }
4695
4696 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4697 {
4698 struct task_security_struct *tsec;
4699 struct ipc_security_struct *isec;
4700 struct msg_security_struct *msec;
4701 struct avc_audit_data ad;
4702 int rc;
4703
4704 tsec = current->security;
4705 isec = msq->q_perm.security;
4706 msec = msg->security;
4707
4708 /*
4709 * First time through, need to assign label to the message
4710 */
4711 if (msec->sid == SECINITSID_UNLABELED) {
4712 /*
4713 * Compute new sid based on current process and
4714 * message queue this message will be stored in
4715 */
4716 rc = security_transition_sid(tsec->sid,
4717 isec->sid,
4718 SECCLASS_MSG,
4719 &msec->sid);
4720 if (rc)
4721 return rc;
4722 }
4723
4724 AVC_AUDIT_DATA_INIT(&ad, IPC);
4725 ad.u.ipc_id = msq->q_perm.key;
4726
4727 /* Can this process write to the queue? */
4728 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4729 MSGQ__WRITE, &ad);
4730 if (!rc)
4731 /* Can this process send the message */
4732 rc = avc_has_perm(tsec->sid, msec->sid,
4733 SECCLASS_MSG, MSG__SEND, &ad);
4734 if (!rc)
4735 /* Can the message be put in the queue? */
4736 rc = avc_has_perm(msec->sid, isec->sid,
4737 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4738
4739 return rc;
4740 }
4741
4742 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4743 struct task_struct *target,
4744 long type, int mode)
4745 {
4746 struct task_security_struct *tsec;
4747 struct ipc_security_struct *isec;
4748 struct msg_security_struct *msec;
4749 struct avc_audit_data ad;
4750 int rc;
4751
4752 tsec = target->security;
4753 isec = msq->q_perm.security;
4754 msec = msg->security;
4755
4756 AVC_AUDIT_DATA_INIT(&ad, IPC);
4757 ad.u.ipc_id = msq->q_perm.key;
4758
4759 rc = avc_has_perm(tsec->sid, isec->sid,
4760 SECCLASS_MSGQ, MSGQ__READ, &ad);
4761 if (!rc)
4762 rc = avc_has_perm(tsec->sid, msec->sid,
4763 SECCLASS_MSG, MSG__RECEIVE, &ad);
4764 return rc;
4765 }
4766
4767 /* Shared Memory security operations */
4768 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4769 {
4770 struct task_security_struct *tsec;
4771 struct ipc_security_struct *isec;
4772 struct avc_audit_data ad;
4773 int rc;
4774
4775 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4776 if (rc)
4777 return rc;
4778
4779 tsec = current->security;
4780 isec = shp->shm_perm.security;
4781
4782 AVC_AUDIT_DATA_INIT(&ad, IPC);
4783 ad.u.ipc_id = shp->shm_perm.key;
4784
4785 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4786 SHM__CREATE, &ad);
4787 if (rc) {
4788 ipc_free_security(&shp->shm_perm);
4789 return rc;
4790 }
4791 return 0;
4792 }
4793
4794 static void selinux_shm_free_security(struct shmid_kernel *shp)
4795 {
4796 ipc_free_security(&shp->shm_perm);
4797 }
4798
4799 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4800 {
4801 struct task_security_struct *tsec;
4802 struct ipc_security_struct *isec;
4803 struct avc_audit_data ad;
4804
4805 tsec = current->security;
4806 isec = shp->shm_perm.security;
4807
4808 AVC_AUDIT_DATA_INIT(&ad, IPC);
4809 ad.u.ipc_id = shp->shm_perm.key;
4810
4811 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4812 SHM__ASSOCIATE, &ad);
4813 }
4814
4815 /* Note, at this point, shp is locked down */
4816 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4817 {
4818 int perms;
4819 int err;
4820
4821 switch(cmd) {
4822 case IPC_INFO:
4823 case SHM_INFO:
4824 /* No specific object, just general system-wide information. */
4825 return task_has_system(current, SYSTEM__IPC_INFO);
4826 case IPC_STAT:
4827 case SHM_STAT:
4828 perms = SHM__GETATTR | SHM__ASSOCIATE;
4829 break;
4830 case IPC_SET:
4831 perms = SHM__SETATTR;
4832 break;
4833 case SHM_LOCK:
4834 case SHM_UNLOCK:
4835 perms = SHM__LOCK;
4836 break;
4837 case IPC_RMID:
4838 perms = SHM__DESTROY;
4839 break;
4840 default:
4841 return 0;
4842 }
4843
4844 err = ipc_has_perm(&shp->shm_perm, perms);
4845 return err;
4846 }
4847
4848 static int selinux_shm_shmat(struct shmid_kernel *shp,
4849 char __user *shmaddr, int shmflg)
4850 {
4851 u32 perms;
4852 int rc;
4853
4854 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4855 if (rc)
4856 return rc;
4857
4858 if (shmflg & SHM_RDONLY)
4859 perms = SHM__READ;
4860 else
4861 perms = SHM__READ | SHM__WRITE;
4862
4863 return ipc_has_perm(&shp->shm_perm, perms);
4864 }
4865
4866 /* Semaphore security operations */
4867 static int selinux_sem_alloc_security(struct sem_array *sma)
4868 {
4869 struct task_security_struct *tsec;
4870 struct ipc_security_struct *isec;
4871 struct avc_audit_data ad;
4872 int rc;
4873
4874 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4875 if (rc)
4876 return rc;
4877
4878 tsec = current->security;
4879 isec = sma->sem_perm.security;
4880
4881 AVC_AUDIT_DATA_INIT(&ad, IPC);
4882 ad.u.ipc_id = sma->sem_perm.key;
4883
4884 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4885 SEM__CREATE, &ad);
4886 if (rc) {
4887 ipc_free_security(&sma->sem_perm);
4888 return rc;
4889 }
4890 return 0;
4891 }
4892
4893 static void selinux_sem_free_security(struct sem_array *sma)
4894 {
4895 ipc_free_security(&sma->sem_perm);
4896 }
4897
4898 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4899 {
4900 struct task_security_struct *tsec;
4901 struct ipc_security_struct *isec;
4902 struct avc_audit_data ad;
4903
4904 tsec = current->security;
4905 isec = sma->sem_perm.security;
4906
4907 AVC_AUDIT_DATA_INIT(&ad, IPC);
4908 ad.u.ipc_id = sma->sem_perm.key;
4909
4910 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4911 SEM__ASSOCIATE, &ad);
4912 }
4913
4914 /* Note, at this point, sma is locked down */
4915 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4916 {
4917 int err;
4918 u32 perms;
4919
4920 switch(cmd) {
4921 case IPC_INFO:
4922 case SEM_INFO:
4923 /* No specific object, just general system-wide information. */
4924 return task_has_system(current, SYSTEM__IPC_INFO);
4925 case GETPID:
4926 case GETNCNT:
4927 case GETZCNT:
4928 perms = SEM__GETATTR;
4929 break;
4930 case GETVAL:
4931 case GETALL:
4932 perms = SEM__READ;
4933 break;
4934 case SETVAL:
4935 case SETALL:
4936 perms = SEM__WRITE;
4937 break;
4938 case IPC_RMID:
4939 perms = SEM__DESTROY;
4940 break;
4941 case IPC_SET:
4942 perms = SEM__SETATTR;
4943 break;
4944 case IPC_STAT:
4945 case SEM_STAT:
4946 perms = SEM__GETATTR | SEM__ASSOCIATE;
4947 break;
4948 default:
4949 return 0;
4950 }
4951
4952 err = ipc_has_perm(&sma->sem_perm, perms);
4953 return err;
4954 }
4955
4956 static int selinux_sem_semop(struct sem_array *sma,
4957 struct sembuf *sops, unsigned nsops, int alter)
4958 {
4959 u32 perms;
4960
4961 if (alter)
4962 perms = SEM__READ | SEM__WRITE;
4963 else
4964 perms = SEM__READ;
4965
4966 return ipc_has_perm(&sma->sem_perm, perms);
4967 }
4968
4969 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4970 {
4971 u32 av = 0;
4972
4973 av = 0;
4974 if (flag & S_IRUGO)
4975 av |= IPC__UNIX_READ;
4976 if (flag & S_IWUGO)
4977 av |= IPC__UNIX_WRITE;
4978
4979 if (av == 0)
4980 return 0;
4981
4982 return ipc_has_perm(ipcp, av);
4983 }
4984
4985 /* module stacking operations */
4986 static int selinux_register_security (const char *name, struct security_operations *ops)
4987 {
4988 if (secondary_ops != original_ops) {
4989 printk(KERN_ERR "%s: There is already a secondary security "
4990 "module registered.\n", __FUNCTION__);
4991 return -EINVAL;
4992 }
4993
4994 secondary_ops = ops;
4995
4996 printk(KERN_INFO "%s: Registering secondary module %s\n",
4997 __FUNCTION__,
4998 name);
4999
5000 return 0;
5001 }
5002
5003 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5004 {
5005 if (inode)
5006 inode_doinit_with_dentry(inode, dentry);
5007 }
5008
5009 static int selinux_getprocattr(struct task_struct *p,
5010 char *name, char **value)
5011 {
5012 struct task_security_struct *tsec;
5013 u32 sid;
5014 int error;
5015 unsigned len;
5016
5017 if (current != p) {
5018 error = task_has_perm(current, p, PROCESS__GETATTR);
5019 if (error)
5020 return error;
5021 }
5022
5023 tsec = p->security;
5024
5025 if (!strcmp(name, "current"))
5026 sid = tsec->sid;
5027 else if (!strcmp(name, "prev"))
5028 sid = tsec->osid;
5029 else if (!strcmp(name, "exec"))
5030 sid = tsec->exec_sid;
5031 else if (!strcmp(name, "fscreate"))
5032 sid = tsec->create_sid;
5033 else if (!strcmp(name, "keycreate"))
5034 sid = tsec->keycreate_sid;
5035 else if (!strcmp(name, "sockcreate"))
5036 sid = tsec->sockcreate_sid;
5037 else
5038 return -EINVAL;
5039
5040 if (!sid)
5041 return 0;
5042
5043 error = security_sid_to_context(sid, value, &len);
5044 if (error)
5045 return error;
5046 return len;
5047 }
5048
5049 static int selinux_setprocattr(struct task_struct *p,
5050 char *name, void *value, size_t size)
5051 {
5052 struct task_security_struct *tsec;
5053 u32 sid = 0;
5054 int error;
5055 char *str = value;
5056
5057 if (current != p) {
5058 /* SELinux only allows a process to change its own
5059 security attributes. */
5060 return -EACCES;
5061 }
5062
5063 /*
5064 * Basic control over ability to set these attributes at all.
5065 * current == p, but we'll pass them separately in case the
5066 * above restriction is ever removed.
5067 */
5068 if (!strcmp(name, "exec"))
5069 error = task_has_perm(current, p, PROCESS__SETEXEC);
5070 else if (!strcmp(name, "fscreate"))
5071 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5072 else if (!strcmp(name, "keycreate"))
5073 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5074 else if (!strcmp(name, "sockcreate"))
5075 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5076 else if (!strcmp(name, "current"))
5077 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5078 else
5079 error = -EINVAL;
5080 if (error)
5081 return error;
5082
5083 /* Obtain a SID for the context, if one was specified. */
5084 if (size && str[1] && str[1] != '\n') {
5085 if (str[size-1] == '\n') {
5086 str[size-1] = 0;
5087 size--;
5088 }
5089 error = security_context_to_sid(value, size, &sid);
5090 if (error)
5091 return error;
5092 }
5093
5094 /* Permission checking based on the specified context is
5095 performed during the actual operation (execve,
5096 open/mkdir/...), when we know the full context of the
5097 operation. See selinux_bprm_set_security for the execve
5098 checks and may_create for the file creation checks. The
5099 operation will then fail if the context is not permitted. */
5100 tsec = p->security;
5101 if (!strcmp(name, "exec"))
5102 tsec->exec_sid = sid;
5103 else if (!strcmp(name, "fscreate"))
5104 tsec->create_sid = sid;
5105 else if (!strcmp(name, "keycreate")) {
5106 error = may_create_key(sid, p);
5107 if (error)
5108 return error;
5109 tsec->keycreate_sid = sid;
5110 } else if (!strcmp(name, "sockcreate"))
5111 tsec->sockcreate_sid = sid;
5112 else if (!strcmp(name, "current")) {
5113 struct av_decision avd;
5114
5115 if (sid == 0)
5116 return -EINVAL;
5117
5118 /* Only allow single threaded processes to change context */
5119 if (atomic_read(&p->mm->mm_users) != 1) {
5120 struct task_struct *g, *t;
5121 struct mm_struct *mm = p->mm;
5122 read_lock(&tasklist_lock);
5123 do_each_thread(g, t)
5124 if (t->mm == mm && t != p) {
5125 read_unlock(&tasklist_lock);
5126 return -EPERM;
5127 }
5128 while_each_thread(g, t);
5129 read_unlock(&tasklist_lock);
5130 }
5131
5132 /* Check permissions for the transition. */
5133 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5134 PROCESS__DYNTRANSITION, NULL);
5135 if (error)
5136 return error;
5137
5138 /* Check for ptracing, and update the task SID if ok.
5139 Otherwise, leave SID unchanged and fail. */
5140 task_lock(p);
5141 if (p->ptrace & PT_PTRACED) {
5142 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5143 SECCLASS_PROCESS,
5144 PROCESS__PTRACE, 0, &avd);
5145 if (!error)
5146 tsec->sid = sid;
5147 task_unlock(p);
5148 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5149 PROCESS__PTRACE, &avd, error, NULL);
5150 if (error)
5151 return error;
5152 } else {
5153 tsec->sid = sid;
5154 task_unlock(p);
5155 }
5156 }
5157 else
5158 return -EINVAL;
5159
5160 return size;
5161 }
5162
5163 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5164 {
5165 return security_sid_to_context(secid, secdata, seclen);
5166 }
5167
5168 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5169 {
5170 return security_context_to_sid(secdata, seclen, secid);
5171 }
5172
5173 static void selinux_release_secctx(char *secdata, u32 seclen)
5174 {
5175 kfree(secdata);
5176 }
5177
5178 #ifdef CONFIG_KEYS
5179
5180 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5181 unsigned long flags)
5182 {
5183 struct task_security_struct *tsec = tsk->security;
5184 struct key_security_struct *ksec;
5185
5186 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5187 if (!ksec)
5188 return -ENOMEM;
5189
5190 ksec->obj = k;
5191 if (tsec->keycreate_sid)
5192 ksec->sid = tsec->keycreate_sid;
5193 else
5194 ksec->sid = tsec->sid;
5195 k->security = ksec;
5196
5197 return 0;
5198 }
5199
5200 static void selinux_key_free(struct key *k)
5201 {
5202 struct key_security_struct *ksec = k->security;
5203
5204 k->security = NULL;
5205 kfree(ksec);
5206 }
5207
5208 static int selinux_key_permission(key_ref_t key_ref,
5209 struct task_struct *ctx,
5210 key_perm_t perm)
5211 {
5212 struct key *key;
5213 struct task_security_struct *tsec;
5214 struct key_security_struct *ksec;
5215
5216 key = key_ref_to_ptr(key_ref);
5217
5218 tsec = ctx->security;
5219 ksec = key->security;
5220
5221 /* if no specific permissions are requested, we skip the
5222 permission check. No serious, additional covert channels
5223 appear to be created. */
5224 if (perm == 0)
5225 return 0;
5226
5227 return avc_has_perm(tsec->sid, ksec->sid,
5228 SECCLASS_KEY, perm, NULL);
5229 }
5230
5231 #endif
5232
5233 static struct security_operations selinux_ops = {
5234 .ptrace = selinux_ptrace,
5235 .capget = selinux_capget,
5236 .capset_check = selinux_capset_check,
5237 .capset_set = selinux_capset_set,
5238 .sysctl = selinux_sysctl,
5239 .capable = selinux_capable,
5240 .quotactl = selinux_quotactl,
5241 .quota_on = selinux_quota_on,
5242 .syslog = selinux_syslog,
5243 .vm_enough_memory = selinux_vm_enough_memory,
5244
5245 .netlink_send = selinux_netlink_send,
5246 .netlink_recv = selinux_netlink_recv,
5247
5248 .bprm_alloc_security = selinux_bprm_alloc_security,
5249 .bprm_free_security = selinux_bprm_free_security,
5250 .bprm_apply_creds = selinux_bprm_apply_creds,
5251 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5252 .bprm_set_security = selinux_bprm_set_security,
5253 .bprm_check_security = selinux_bprm_check_security,
5254 .bprm_secureexec = selinux_bprm_secureexec,
5255
5256 .sb_alloc_security = selinux_sb_alloc_security,
5257 .sb_free_security = selinux_sb_free_security,
5258 .sb_copy_data = selinux_sb_copy_data,
5259 .sb_kern_mount = selinux_sb_kern_mount,
5260 .sb_statfs = selinux_sb_statfs,
5261 .sb_mount = selinux_mount,
5262 .sb_umount = selinux_umount,
5263 .sb_get_mnt_opts = selinux_get_mnt_opts,
5264 .sb_set_mnt_opts = selinux_set_mnt_opts,
5265 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5266 .sb_parse_opts_str = selinux_parse_opts_str,
5267
5268
5269 .inode_alloc_security = selinux_inode_alloc_security,
5270 .inode_free_security = selinux_inode_free_security,
5271 .inode_init_security = selinux_inode_init_security,
5272 .inode_create = selinux_inode_create,
5273 .inode_link = selinux_inode_link,
5274 .inode_unlink = selinux_inode_unlink,
5275 .inode_symlink = selinux_inode_symlink,
5276 .inode_mkdir = selinux_inode_mkdir,
5277 .inode_rmdir = selinux_inode_rmdir,
5278 .inode_mknod = selinux_inode_mknod,
5279 .inode_rename = selinux_inode_rename,
5280 .inode_readlink = selinux_inode_readlink,
5281 .inode_follow_link = selinux_inode_follow_link,
5282 .inode_permission = selinux_inode_permission,
5283 .inode_setattr = selinux_inode_setattr,
5284 .inode_getattr = selinux_inode_getattr,
5285 .inode_setxattr = selinux_inode_setxattr,
5286 .inode_post_setxattr = selinux_inode_post_setxattr,
5287 .inode_getxattr = selinux_inode_getxattr,
5288 .inode_listxattr = selinux_inode_listxattr,
5289 .inode_removexattr = selinux_inode_removexattr,
5290 .inode_getsecurity = selinux_inode_getsecurity,
5291 .inode_setsecurity = selinux_inode_setsecurity,
5292 .inode_listsecurity = selinux_inode_listsecurity,
5293 .inode_need_killpriv = selinux_inode_need_killpriv,
5294 .inode_killpriv = selinux_inode_killpriv,
5295
5296 .file_permission = selinux_file_permission,
5297 .file_alloc_security = selinux_file_alloc_security,
5298 .file_free_security = selinux_file_free_security,
5299 .file_ioctl = selinux_file_ioctl,
5300 .file_mmap = selinux_file_mmap,
5301 .file_mprotect = selinux_file_mprotect,
5302 .file_lock = selinux_file_lock,
5303 .file_fcntl = selinux_file_fcntl,
5304 .file_set_fowner = selinux_file_set_fowner,
5305 .file_send_sigiotask = selinux_file_send_sigiotask,
5306 .file_receive = selinux_file_receive,
5307
5308 .dentry_open = selinux_dentry_open,
5309
5310 .task_create = selinux_task_create,
5311 .task_alloc_security = selinux_task_alloc_security,
5312 .task_free_security = selinux_task_free_security,
5313 .task_setuid = selinux_task_setuid,
5314 .task_post_setuid = selinux_task_post_setuid,
5315 .task_setgid = selinux_task_setgid,
5316 .task_setpgid = selinux_task_setpgid,
5317 .task_getpgid = selinux_task_getpgid,
5318 .task_getsid = selinux_task_getsid,
5319 .task_getsecid = selinux_task_getsecid,
5320 .task_setgroups = selinux_task_setgroups,
5321 .task_setnice = selinux_task_setnice,
5322 .task_setioprio = selinux_task_setioprio,
5323 .task_getioprio = selinux_task_getioprio,
5324 .task_setrlimit = selinux_task_setrlimit,
5325 .task_setscheduler = selinux_task_setscheduler,
5326 .task_getscheduler = selinux_task_getscheduler,
5327 .task_movememory = selinux_task_movememory,
5328 .task_kill = selinux_task_kill,
5329 .task_wait = selinux_task_wait,
5330 .task_prctl = selinux_task_prctl,
5331 .task_reparent_to_init = selinux_task_reparent_to_init,
5332 .task_to_inode = selinux_task_to_inode,
5333
5334 .ipc_permission = selinux_ipc_permission,
5335
5336 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5337 .msg_msg_free_security = selinux_msg_msg_free_security,
5338
5339 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5340 .msg_queue_free_security = selinux_msg_queue_free_security,
5341 .msg_queue_associate = selinux_msg_queue_associate,
5342 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5343 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5344 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5345
5346 .shm_alloc_security = selinux_shm_alloc_security,
5347 .shm_free_security = selinux_shm_free_security,
5348 .shm_associate = selinux_shm_associate,
5349 .shm_shmctl = selinux_shm_shmctl,
5350 .shm_shmat = selinux_shm_shmat,
5351
5352 .sem_alloc_security = selinux_sem_alloc_security,
5353 .sem_free_security = selinux_sem_free_security,
5354 .sem_associate = selinux_sem_associate,
5355 .sem_semctl = selinux_sem_semctl,
5356 .sem_semop = selinux_sem_semop,
5357
5358 .register_security = selinux_register_security,
5359
5360 .d_instantiate = selinux_d_instantiate,
5361
5362 .getprocattr = selinux_getprocattr,
5363 .setprocattr = selinux_setprocattr,
5364
5365 .secid_to_secctx = selinux_secid_to_secctx,
5366 .secctx_to_secid = selinux_secctx_to_secid,
5367 .release_secctx = selinux_release_secctx,
5368
5369 .unix_stream_connect = selinux_socket_unix_stream_connect,
5370 .unix_may_send = selinux_socket_unix_may_send,
5371
5372 .socket_create = selinux_socket_create,
5373 .socket_post_create = selinux_socket_post_create,
5374 .socket_bind = selinux_socket_bind,
5375 .socket_connect = selinux_socket_connect,
5376 .socket_listen = selinux_socket_listen,
5377 .socket_accept = selinux_socket_accept,
5378 .socket_sendmsg = selinux_socket_sendmsg,
5379 .socket_recvmsg = selinux_socket_recvmsg,
5380 .socket_getsockname = selinux_socket_getsockname,
5381 .socket_getpeername = selinux_socket_getpeername,
5382 .socket_getsockopt = selinux_socket_getsockopt,
5383 .socket_setsockopt = selinux_socket_setsockopt,
5384 .socket_shutdown = selinux_socket_shutdown,
5385 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5386 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5387 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5388 .sk_alloc_security = selinux_sk_alloc_security,
5389 .sk_free_security = selinux_sk_free_security,
5390 .sk_clone_security = selinux_sk_clone_security,
5391 .sk_getsecid = selinux_sk_getsecid,
5392 .sock_graft = selinux_sock_graft,
5393 .inet_conn_request = selinux_inet_conn_request,
5394 .inet_csk_clone = selinux_inet_csk_clone,
5395 .inet_conn_established = selinux_inet_conn_established,
5396 .req_classify_flow = selinux_req_classify_flow,
5397
5398 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5399 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5400 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5401 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5402 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5403 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5404 .xfrm_state_free_security = selinux_xfrm_state_free,
5405 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5406 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5407 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5408 .xfrm_decode_session = selinux_xfrm_decode_session,
5409 #endif
5410
5411 #ifdef CONFIG_KEYS
5412 .key_alloc = selinux_key_alloc,
5413 .key_free = selinux_key_free,
5414 .key_permission = selinux_key_permission,
5415 #endif
5416 };
5417
5418 static __init int selinux_init(void)
5419 {
5420 struct task_security_struct *tsec;
5421
5422 if (!selinux_enabled) {
5423 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5424 return 0;
5425 }
5426
5427 printk(KERN_INFO "SELinux: Initializing.\n");
5428
5429 /* Set the security state for the initial task. */
5430 if (task_alloc_security(current))
5431 panic("SELinux: Failed to initialize initial task.\n");
5432 tsec = current->security;
5433 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5434
5435 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5436 sizeof(struct inode_security_struct),
5437 0, SLAB_PANIC, NULL);
5438 avc_init();
5439
5440 original_ops = secondary_ops = security_ops;
5441 if (!secondary_ops)
5442 panic ("SELinux: No initial security operations\n");
5443 if (register_security (&selinux_ops))
5444 panic("SELinux: Unable to register with kernel.\n");
5445
5446 if (selinux_enforcing) {
5447 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5448 } else {
5449 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5450 }
5451
5452 #ifdef CONFIG_KEYS
5453 /* Add security information to initial keyrings */
5454 selinux_key_alloc(&root_user_keyring, current,
5455 KEY_ALLOC_NOT_IN_QUOTA);
5456 selinux_key_alloc(&root_session_keyring, current,
5457 KEY_ALLOC_NOT_IN_QUOTA);
5458 #endif
5459
5460 return 0;
5461 }
5462
5463 void selinux_complete_init(void)
5464 {
5465 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5466
5467 /* Set up any superblocks initialized prior to the policy load. */
5468 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5469 spin_lock(&sb_lock);
5470 spin_lock(&sb_security_lock);
5471 next_sb:
5472 if (!list_empty(&superblock_security_head)) {
5473 struct superblock_security_struct *sbsec =
5474 list_entry(superblock_security_head.next,
5475 struct superblock_security_struct,
5476 list);
5477 struct super_block *sb = sbsec->sb;
5478 sb->s_count++;
5479 spin_unlock(&sb_security_lock);
5480 spin_unlock(&sb_lock);
5481 down_read(&sb->s_umount);
5482 if (sb->s_root)
5483 superblock_doinit(sb, NULL);
5484 drop_super(sb);
5485 spin_lock(&sb_lock);
5486 spin_lock(&sb_security_lock);
5487 list_del_init(&sbsec->list);
5488 goto next_sb;
5489 }
5490 spin_unlock(&sb_security_lock);
5491 spin_unlock(&sb_lock);
5492 }
5493
5494 /* SELinux requires early initialization in order to label
5495 all processes and objects when they are created. */
5496 security_initcall(selinux_init);
5497
5498 #if defined(CONFIG_NETFILTER)
5499
5500 static struct nf_hook_ops selinux_ipv4_ops[] = {
5501 {
5502 .hook = selinux_ipv4_postroute,
5503 .owner = THIS_MODULE,
5504 .pf = PF_INET,
5505 .hooknum = NF_INET_POST_ROUTING,
5506 .priority = NF_IP_PRI_SELINUX_LAST,
5507 },
5508 {
5509 .hook = selinux_ipv4_forward,
5510 .owner = THIS_MODULE,
5511 .pf = PF_INET,
5512 .hooknum = NF_INET_FORWARD,
5513 .priority = NF_IP_PRI_SELINUX_FIRST,
5514 }
5515 };
5516
5517 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5518
5519 static struct nf_hook_ops selinux_ipv6_ops[] = {
5520 {
5521 .hook = selinux_ipv6_postroute,
5522 .owner = THIS_MODULE,
5523 .pf = PF_INET6,
5524 .hooknum = NF_INET_POST_ROUTING,
5525 .priority = NF_IP6_PRI_SELINUX_LAST,
5526 },
5527 {
5528 .hook = selinux_ipv6_forward,
5529 .owner = THIS_MODULE,
5530 .pf = PF_INET6,
5531 .hooknum = NF_INET_FORWARD,
5532 .priority = NF_IP6_PRI_SELINUX_FIRST,
5533 }
5534 };
5535
5536 #endif /* IPV6 */
5537
5538 static int __init selinux_nf_ip_init(void)
5539 {
5540 int err = 0;
5541 u32 iter;
5542
5543 if (!selinux_enabled)
5544 goto out;
5545
5546 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5547
5548 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5549 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5550 if (err)
5551 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5552 err);
5553 }
5554
5555 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5556 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5557 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5558 if (err)
5559 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5560 err);
5561 }
5562 #endif /* IPV6 */
5563
5564 out:
5565 return err;
5566 }
5567
5568 __initcall(selinux_nf_ip_init);
5569
5570 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5571 static void selinux_nf_ip_exit(void)
5572 {
5573 u32 iter;
5574
5575 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5576
5577 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5578 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5579 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5580 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5581 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5582 #endif /* IPV6 */
5583 }
5584 #endif
5585
5586 #else /* CONFIG_NETFILTER */
5587
5588 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5589 #define selinux_nf_ip_exit()
5590 #endif
5591
5592 #endif /* CONFIG_NETFILTER */
5593
5594 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5595 int selinux_disable(void)
5596 {
5597 extern void exit_sel_fs(void);
5598 static int selinux_disabled = 0;
5599
5600 if (ss_initialized) {
5601 /* Not permitted after initial policy load. */
5602 return -EINVAL;
5603 }
5604
5605 if (selinux_disabled) {
5606 /* Only do this once. */
5607 return -EINVAL;
5608 }
5609
5610 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5611
5612 selinux_disabled = 1;
5613 selinux_enabled = 0;
5614
5615 /* Reset security_ops to the secondary module, dummy or capability. */
5616 security_ops = secondary_ops;
5617
5618 /* Unregister netfilter hooks. */
5619 selinux_nf_ip_exit();
5620
5621 /* Unregister selinuxfs. */
5622 exit_sel_fs();
5623
5624 return 0;
5625 }
5626 #endif
5627
5628
Linux kernel - Deliverables
This page took 0.210292 seconds and 6 git commands to generate.