projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'rpmsg-v4.7' of git://github.com/andersson/remoteproc
[deliverable/linux.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
108 return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
121 return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
140 *
141 */
142 static int selinux_secmark_enabled(void)
143 {
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146
147 /**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157 static int selinux_peerlbl_enabled(void)
158 {
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171 }
172
173 /*
174 * initialise the security for the init task
175 */
176 static void cred_init_security(void)
177 {
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
180
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 if (!tsec)
183 panic("SELinux: Failed to initialize initial task.\n");
184
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
187 }
188
189 /*
190 * get the security ID of a set of credentials
191 */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198 }
199
200 /*
201 * get the objective security ID of a task
202 */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 u32 sid;
206
207 rcu_read_lock();
208 sid = cred_sid(__task_cred(task));
209 rcu_read_unlock();
210 return sid;
211 }
212
213 /*
214 * get the subjective security ID of the current task
215 */
216 static inline u32 current_sid(void)
217 {
218 const struct task_security_struct *tsec = current_security();
219
220 return tsec->sid;
221 }
222
223 /* Allocate and free functions for each kind of security blob. */
224
225 static int inode_alloc_security(struct inode *inode)
226 {
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
229
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 if (!isec)
232 return -ENOMEM;
233
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
241
242 return 0;
243 }
244
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247 /*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254 static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257 {
258 struct inode_security_struct *isec = inode->i_security;
259
260 might_sleep_if(may_sleep);
261
262 if (isec->initialized == LABEL_INVALID) {
263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274 }
275
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278 return inode->i_security;
279 }
280
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return inode->i_security;
289 }
290
291 /*
292 * Get the security label of an inode.
293 */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296 __inode_security_revalidate(inode, NULL, true);
297 return inode->i_security;
298 }
299
300 /*
301 * Get the security label of a dentry's backing inode.
302 */
303 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
304 {
305 struct inode *inode = d_backing_inode(dentry);
306
307 __inode_security_revalidate(inode, dentry, true);
308 return inode->i_security;
309 }
310
311 static void inode_free_rcu(struct rcu_head *head)
312 {
313 struct inode_security_struct *isec;
314
315 isec = container_of(head, struct inode_security_struct, rcu);
316 kmem_cache_free(sel_inode_cache, isec);
317 }
318
319 static void inode_free_security(struct inode *inode)
320 {
321 struct inode_security_struct *isec = inode->i_security;
322 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
323
324 /*
325 * As not all inode security structures are in a list, we check for
326 * empty list outside of the lock to make sure that we won't waste
327 * time taking a lock doing nothing.
328 *
329 * The list_del_init() function can be safely called more than once.
330 * It should not be possible for this function to be called with
331 * concurrent list_add(), but for better safety against future changes
332 * in the code, we use list_empty_careful() here.
333 */
334 if (!list_empty_careful(&isec->list)) {
335 spin_lock(&sbsec->isec_lock);
336 list_del_init(&isec->list);
337 spin_unlock(&sbsec->isec_lock);
338 }
339
340 /*
341 * The inode may still be referenced in a path walk and
342 * a call to selinux_inode_permission() can be made
343 * after inode_free_security() is called. Ideally, the VFS
344 * wouldn't do this, but fixing that is a much harder
345 * job. For now, simply free the i_security via RCU, and
346 * leave the current inode->i_security pointer intact.
347 * The inode will be freed after the RCU grace period too.
348 */
349 call_rcu(&isec->rcu, inode_free_rcu);
350 }
351
352 static int file_alloc_security(struct file *file)
353 {
354 struct file_security_struct *fsec;
355 u32 sid = current_sid();
356
357 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
358 if (!fsec)
359 return -ENOMEM;
360
361 fsec->sid = sid;
362 fsec->fown_sid = sid;
363 file->f_security = fsec;
364
365 return 0;
366 }
367
368 static void file_free_security(struct file *file)
369 {
370 struct file_security_struct *fsec = file->f_security;
371 file->f_security = NULL;
372 kmem_cache_free(file_security_cache, fsec);
373 }
374
375 static int superblock_alloc_security(struct super_block *sb)
376 {
377 struct superblock_security_struct *sbsec;
378
379 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
380 if (!sbsec)
381 return -ENOMEM;
382
383 mutex_init(&sbsec->lock);
384 INIT_LIST_HEAD(&sbsec->isec_head);
385 spin_lock_init(&sbsec->isec_lock);
386 sbsec->sb = sb;
387 sbsec->sid = SECINITSID_UNLABELED;
388 sbsec->def_sid = SECINITSID_FILE;
389 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
390 sb->s_security = sbsec;
391
392 return 0;
393 }
394
395 static void superblock_free_security(struct super_block *sb)
396 {
397 struct superblock_security_struct *sbsec = sb->s_security;
398 sb->s_security = NULL;
399 kfree(sbsec);
400 }
401
402 /* The file system's label must be initialized prior to use. */
403
404 static const char *labeling_behaviors[7] = {
405 "uses xattr",
406 "uses transition SIDs",
407 "uses task SIDs",
408 "uses genfs_contexts",
409 "not configured for labeling",
410 "uses mountpoint labeling",
411 "uses native labeling",
412 };
413
414 static inline int inode_doinit(struct inode *inode)
415 {
416 return inode_doinit_with_dentry(inode, NULL);
417 }
418
419 enum {
420 Opt_error = -1,
421 Opt_context = 1,
422 Opt_fscontext = 2,
423 Opt_defcontext = 3,
424 Opt_rootcontext = 4,
425 Opt_labelsupport = 5,
426 Opt_nextmntopt = 6,
427 };
428
429 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
430
431 static const match_table_t tokens = {
432 {Opt_context, CONTEXT_STR "%s"},
433 {Opt_fscontext, FSCONTEXT_STR "%s"},
434 {Opt_defcontext, DEFCONTEXT_STR "%s"},
435 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
436 {Opt_labelsupport, LABELSUPP_STR},
437 {Opt_error, NULL},
438 };
439
440 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
441
442 static int may_context_mount_sb_relabel(u32 sid,
443 struct superblock_security_struct *sbsec,
444 const struct cred *cred)
445 {
446 const struct task_security_struct *tsec = cred->security;
447 int rc;
448
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
451 if (rc)
452 return rc;
453
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL);
456 return rc;
457 }
458
459 static int may_context_mount_inode_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
461 const struct cred *cred)
462 {
463 const struct task_security_struct *tsec = cred->security;
464 int rc;
465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__RELABELFROM, NULL);
467 if (rc)
468 return rc;
469
470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__ASSOCIATE, NULL);
472 return rc;
473 }
474
475 static int selinux_is_sblabel_mnt(struct super_block *sb)
476 {
477 struct superblock_security_struct *sbsec = sb->s_security;
478
479 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
480 sbsec->behavior == SECURITY_FS_USE_TRANS ||
481 sbsec->behavior == SECURITY_FS_USE_TASK ||
482 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
483 /* Special handling. Genfs but also in-core setxattr handler */
484 !strcmp(sb->s_type->name, "sysfs") ||
485 !strcmp(sb->s_type->name, "pstore") ||
486 !strcmp(sb->s_type->name, "debugfs") ||
487 !strcmp(sb->s_type->name, "rootfs");
488 }
489
490 static int sb_finish_set_opts(struct super_block *sb)
491 {
492 struct superblock_security_struct *sbsec = sb->s_security;
493 struct dentry *root = sb->s_root;
494 struct inode *root_inode = d_backing_inode(root);
495 int rc = 0;
496
497 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
498 /* Make sure that the xattr handler exists and that no
499 error other than -ENODATA is returned by getxattr on
500 the root directory. -ENODATA is ok, as this may be
501 the first boot of the SELinux kernel before we have
502 assigned xattr values to the filesystem. */
503 if (!root_inode->i_op->getxattr) {
504 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
505 "xattr support\n", sb->s_id, sb->s_type->name);
506 rc = -EOPNOTSUPP;
507 goto out;
508 }
509 rc = root_inode->i_op->getxattr(root, root_inode,
510 XATTR_NAME_SELINUX, NULL, 0);
511 if (rc < 0 && rc != -ENODATA) {
512 if (rc == -EOPNOTSUPP)
513 printk(KERN_WARNING "SELinux: (dev %s, type "
514 "%s) has no security xattr handler\n",
515 sb->s_id, sb->s_type->name);
516 else
517 printk(KERN_WARNING "SELinux: (dev %s, type "
518 "%s) getxattr errno %d\n", sb->s_id,
519 sb->s_type->name, -rc);
520 goto out;
521 }
522 }
523
524 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
525 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
526 sb->s_id, sb->s_type->name);
527
528 sbsec->flags |= SE_SBINITIALIZED;
529 if (selinux_is_sblabel_mnt(sb))
530 sbsec->flags |= SBLABEL_MNT;
531
532 /* Initialize the root inode. */
533 rc = inode_doinit_with_dentry(root_inode, root);
534
535 /* Initialize any other inodes associated with the superblock, e.g.
536 inodes created prior to initial policy load or inodes created
537 during get_sb by a pseudo filesystem that directly
538 populates itself. */
539 spin_lock(&sbsec->isec_lock);
540 next_inode:
541 if (!list_empty(&sbsec->isec_head)) {
542 struct inode_security_struct *isec =
543 list_entry(sbsec->isec_head.next,
544 struct inode_security_struct, list);
545 struct inode *inode = isec->inode;
546 list_del_init(&isec->list);
547 spin_unlock(&sbsec->isec_lock);
548 inode = igrab(inode);
549 if (inode) {
550 if (!IS_PRIVATE(inode))
551 inode_doinit(inode);
552 iput(inode);
553 }
554 spin_lock(&sbsec->isec_lock);
555 goto next_inode;
556 }
557 spin_unlock(&sbsec->isec_lock);
558 out:
559 return rc;
560 }
561
562 /*
563 * This function should allow an FS to ask what it's mount security
564 * options were so it can use those later for submounts, displaying
565 * mount options, or whatever.
566 */
567 static int selinux_get_mnt_opts(const struct super_block *sb,
568 struct security_mnt_opts *opts)
569 {
570 int rc = 0, i;
571 struct superblock_security_struct *sbsec = sb->s_security;
572 char *context = NULL;
573 u32 len;
574 char tmp;
575
576 security_init_mnt_opts(opts);
577
578 if (!(sbsec->flags & SE_SBINITIALIZED))
579 return -EINVAL;
580
581 if (!ss_initialized)
582 return -EINVAL;
583
584 /* make sure we always check enough bits to cover the mask */
585 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
586
587 tmp = sbsec->flags & SE_MNTMASK;
588 /* count the number of mount options for this sb */
589 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
590 if (tmp & 0x01)
591 opts->num_mnt_opts++;
592 tmp >>= 1;
593 }
594 /* Check if the Label support flag is set */
595 if (sbsec->flags & SBLABEL_MNT)
596 opts->num_mnt_opts++;
597
598 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
599 if (!opts->mnt_opts) {
600 rc = -ENOMEM;
601 goto out_free;
602 }
603
604 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
605 if (!opts->mnt_opts_flags) {
606 rc = -ENOMEM;
607 goto out_free;
608 }
609
610 i = 0;
611 if (sbsec->flags & FSCONTEXT_MNT) {
612 rc = security_sid_to_context(sbsec->sid, &context, &len);
613 if (rc)
614 goto out_free;
615 opts->mnt_opts[i] = context;
616 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
617 }
618 if (sbsec->flags & CONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
620 if (rc)
621 goto out_free;
622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
624 }
625 if (sbsec->flags & DEFCONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
627 if (rc)
628 goto out_free;
629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
631 }
632 if (sbsec->flags & ROOTCONTEXT_MNT) {
633 struct dentry *root = sbsec->sb->s_root;
634 struct inode_security_struct *isec = backing_inode_security(root);
635
636 rc = security_sid_to_context(isec->sid, &context, &len);
637 if (rc)
638 goto out_free;
639 opts->mnt_opts[i] = context;
640 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
641 }
642 if (sbsec->flags & SBLABEL_MNT) {
643 opts->mnt_opts[i] = NULL;
644 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
645 }
646
647 BUG_ON(i != opts->num_mnt_opts);
648
649 return 0;
650
651 out_free:
652 security_free_mnt_opts(opts);
653 return rc;
654 }
655
656 static int bad_option(struct superblock_security_struct *sbsec, char flag,
657 u32 old_sid, u32 new_sid)
658 {
659 char mnt_flags = sbsec->flags & SE_MNTMASK;
660
661 /* check if the old mount command had the same options */
662 if (sbsec->flags & SE_SBINITIALIZED)
663 if (!(sbsec->flags & flag) ||
664 (old_sid != new_sid))
665 return 1;
666
667 /* check if we were passed the same options twice,
668 * aka someone passed context=a,context=b
669 */
670 if (!(sbsec->flags & SE_SBINITIALIZED))
671 if (mnt_flags & flag)
672 return 1;
673 return 0;
674 }
675
676 /*
677 * Allow filesystems with binary mount data to explicitly set mount point
678 * labeling information.
679 */
680 static int selinux_set_mnt_opts(struct super_block *sb,
681 struct security_mnt_opts *opts,
682 unsigned long kern_flags,
683 unsigned long *set_kern_flags)
684 {
685 const struct cred *cred = current_cred();
686 int rc = 0, i;
687 struct superblock_security_struct *sbsec = sb->s_security;
688 const char *name = sb->s_type->name;
689 struct dentry *root = sbsec->sb->s_root;
690 struct inode_security_struct *root_isec = backing_inode_security(root);
691 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
692 u32 defcontext_sid = 0;
693 char **mount_options = opts->mnt_opts;
694 int *flags = opts->mnt_opts_flags;
695 int num_opts = opts->num_mnt_opts;
696
697 mutex_lock(&sbsec->lock);
698
699 if (!ss_initialized) {
700 if (!num_opts) {
701 /* Defer initialization until selinux_complete_init,
702 after the initial policy is loaded and the security
703 server is ready to handle calls. */
704 goto out;
705 }
706 rc = -EINVAL;
707 printk(KERN_WARNING "SELinux: Unable to set superblock options "
708 "before the security server is initialized\n");
709 goto out;
710 }
711 if (kern_flags && !set_kern_flags) {
712 /* Specifying internal flags without providing a place to
713 * place the results is not allowed */
714 rc = -EINVAL;
715 goto out;
716 }
717
718 /*
719 * Binary mount data FS will come through this function twice. Once
720 * from an explicit call and once from the generic calls from the vfs.
721 * Since the generic VFS calls will not contain any security mount data
722 * we need to skip the double mount verification.
723 *
724 * This does open a hole in which we will not notice if the first
725 * mount using this sb set explict options and a second mount using
726 * this sb does not set any security options. (The first options
727 * will be used for both mounts)
728 */
729 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
730 && (num_opts == 0))
731 goto out;
732
733 /*
734 * parse the mount options, check if they are valid sids.
735 * also check if someone is trying to mount the same sb more
736 * than once with different security options.
737 */
738 for (i = 0; i < num_opts; i++) {
739 u32 sid;
740
741 if (flags[i] == SBLABEL_MNT)
742 continue;
743 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
744 if (rc) {
745 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
746 "(%s) failed for (dev %s, type %s) errno=%d\n",
747 mount_options[i], sb->s_id, name, rc);
748 goto out;
749 }
750 switch (flags[i]) {
751 case FSCONTEXT_MNT:
752 fscontext_sid = sid;
753
754 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
755 fscontext_sid))
756 goto out_double_mount;
757
758 sbsec->flags |= FSCONTEXT_MNT;
759 break;
760 case CONTEXT_MNT:
761 context_sid = sid;
762
763 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
764 context_sid))
765 goto out_double_mount;
766
767 sbsec->flags |= CONTEXT_MNT;
768 break;
769 case ROOTCONTEXT_MNT:
770 rootcontext_sid = sid;
771
772 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
773 rootcontext_sid))
774 goto out_double_mount;
775
776 sbsec->flags |= ROOTCONTEXT_MNT;
777
778 break;
779 case DEFCONTEXT_MNT:
780 defcontext_sid = sid;
781
782 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
783 defcontext_sid))
784 goto out_double_mount;
785
786 sbsec->flags |= DEFCONTEXT_MNT;
787
788 break;
789 default:
790 rc = -EINVAL;
791 goto out;
792 }
793 }
794
795 if (sbsec->flags & SE_SBINITIALIZED) {
796 /* previously mounted with options, but not on this attempt? */
797 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
798 goto out_double_mount;
799 rc = 0;
800 goto out;
801 }
802
803 if (strcmp(sb->s_type->name, "proc") == 0)
804 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
805
806 if (!strcmp(sb->s_type->name, "debugfs") ||
807 !strcmp(sb->s_type->name, "sysfs") ||
808 !strcmp(sb->s_type->name, "pstore"))
809 sbsec->flags |= SE_SBGENFS;
810
811 if (!sbsec->behavior) {
812 /*
813 * Determine the labeling behavior to use for this
814 * filesystem type.
815 */
816 rc = security_fs_use(sb);
817 if (rc) {
818 printk(KERN_WARNING
819 "%s: security_fs_use(%s) returned %d\n",
820 __func__, sb->s_type->name, rc);
821 goto out;
822 }
823 }
824 /* sets the context of the superblock for the fs being mounted. */
825 if (fscontext_sid) {
826 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
827 if (rc)
828 goto out;
829
830 sbsec->sid = fscontext_sid;
831 }
832
833 /*
834 * Switch to using mount point labeling behavior.
835 * sets the label used on all file below the mountpoint, and will set
836 * the superblock context if not already set.
837 */
838 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
839 sbsec->behavior = SECURITY_FS_USE_NATIVE;
840 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
841 }
842
843 if (context_sid) {
844 if (!fscontext_sid) {
845 rc = may_context_mount_sb_relabel(context_sid, sbsec,
846 cred);
847 if (rc)
848 goto out;
849 sbsec->sid = context_sid;
850 } else {
851 rc = may_context_mount_inode_relabel(context_sid, sbsec,
852 cred);
853 if (rc)
854 goto out;
855 }
856 if (!rootcontext_sid)
857 rootcontext_sid = context_sid;
858
859 sbsec->mntpoint_sid = context_sid;
860 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
861 }
862
863 if (rootcontext_sid) {
864 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
865 cred);
866 if (rc)
867 goto out;
868
869 root_isec->sid = rootcontext_sid;
870 root_isec->initialized = LABEL_INITIALIZED;
871 }
872
873 if (defcontext_sid) {
874 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
875 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
876 rc = -EINVAL;
877 printk(KERN_WARNING "SELinux: defcontext option is "
878 "invalid for this filesystem type\n");
879 goto out;
880 }
881
882 if (defcontext_sid != sbsec->def_sid) {
883 rc = may_context_mount_inode_relabel(defcontext_sid,
884 sbsec, cred);
885 if (rc)
886 goto out;
887 }
888
889 sbsec->def_sid = defcontext_sid;
890 }
891
892 rc = sb_finish_set_opts(sb);
893 out:
894 mutex_unlock(&sbsec->lock);
895 return rc;
896 out_double_mount:
897 rc = -EINVAL;
898 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
899 "security settings for (dev %s, type %s)\n", sb->s_id, name);
900 goto out;
901 }
902
903 static int selinux_cmp_sb_context(const struct super_block *oldsb,
904 const struct super_block *newsb)
905 {
906 struct superblock_security_struct *old = oldsb->s_security;
907 struct superblock_security_struct *new = newsb->s_security;
908 char oldflags = old->flags & SE_MNTMASK;
909 char newflags = new->flags & SE_MNTMASK;
910
911 if (oldflags != newflags)
912 goto mismatch;
913 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
914 goto mismatch;
915 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
916 goto mismatch;
917 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
918 goto mismatch;
919 if (oldflags & ROOTCONTEXT_MNT) {
920 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
921 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
922 if (oldroot->sid != newroot->sid)
923 goto mismatch;
924 }
925 return 0;
926 mismatch:
927 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
928 "different security settings for (dev %s, "
929 "type %s)\n", newsb->s_id, newsb->s_type->name);
930 return -EBUSY;
931 }
932
933 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
934 struct super_block *newsb)
935 {
936 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
937 struct superblock_security_struct *newsbsec = newsb->s_security;
938
939 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
940 int set_context = (oldsbsec->flags & CONTEXT_MNT);
941 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
942
943 /*
944 * if the parent was able to be mounted it clearly had no special lsm
945 * mount options. thus we can safely deal with this superblock later
946 */
947 if (!ss_initialized)
948 return 0;
949
950 /* how can we clone if the old one wasn't set up?? */
951 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
952
953 /* if fs is reusing a sb, make sure that the contexts match */
954 if (newsbsec->flags & SE_SBINITIALIZED)
955 return selinux_cmp_sb_context(oldsb, newsb);
956
957 mutex_lock(&newsbsec->lock);
958
959 newsbsec->flags = oldsbsec->flags;
960
961 newsbsec->sid = oldsbsec->sid;
962 newsbsec->def_sid = oldsbsec->def_sid;
963 newsbsec->behavior = oldsbsec->behavior;
964
965 if (set_context) {
966 u32 sid = oldsbsec->mntpoint_sid;
967
968 if (!set_fscontext)
969 newsbsec->sid = sid;
970 if (!set_rootcontext) {
971 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
972 newisec->sid = sid;
973 }
974 newsbsec->mntpoint_sid = sid;
975 }
976 if (set_rootcontext) {
977 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
978 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
979
980 newisec->sid = oldisec->sid;
981 }
982
983 sb_finish_set_opts(newsb);
984 mutex_unlock(&newsbsec->lock);
985 return 0;
986 }
987
988 static int selinux_parse_opts_str(char *options,
989 struct security_mnt_opts *opts)
990 {
991 char *p;
992 char *context = NULL, *defcontext = NULL;
993 char *fscontext = NULL, *rootcontext = NULL;
994 int rc, num_mnt_opts = 0;
995
996 opts->num_mnt_opts = 0;
997
998 /* Standard string-based options. */
999 while ((p = strsep(&options, "|")) != NULL) {
1000 int token;
1001 substring_t args[MAX_OPT_ARGS];
1002
1003 if (!*p)
1004 continue;
1005
1006 token = match_token(p, tokens, args);
1007
1008 switch (token) {
1009 case Opt_context:
1010 if (context || defcontext) {
1011 rc = -EINVAL;
1012 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1013 goto out_err;
1014 }
1015 context = match_strdup(&args[0]);
1016 if (!context) {
1017 rc = -ENOMEM;
1018 goto out_err;
1019 }
1020 break;
1021
1022 case Opt_fscontext:
1023 if (fscontext) {
1024 rc = -EINVAL;
1025 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1026 goto out_err;
1027 }
1028 fscontext = match_strdup(&args[0]);
1029 if (!fscontext) {
1030 rc = -ENOMEM;
1031 goto out_err;
1032 }
1033 break;
1034
1035 case Opt_rootcontext:
1036 if (rootcontext) {
1037 rc = -EINVAL;
1038 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1039 goto out_err;
1040 }
1041 rootcontext = match_strdup(&args[0]);
1042 if (!rootcontext) {
1043 rc = -ENOMEM;
1044 goto out_err;
1045 }
1046 break;
1047
1048 case Opt_defcontext:
1049 if (context || defcontext) {
1050 rc = -EINVAL;
1051 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1052 goto out_err;
1053 }
1054 defcontext = match_strdup(&args[0]);
1055 if (!defcontext) {
1056 rc = -ENOMEM;
1057 goto out_err;
1058 }
1059 break;
1060 case Opt_labelsupport:
1061 break;
1062 default:
1063 rc = -EINVAL;
1064 printk(KERN_WARNING "SELinux: unknown mount option\n");
1065 goto out_err;
1066
1067 }
1068 }
1069
1070 rc = -ENOMEM;
1071 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1072 if (!opts->mnt_opts)
1073 goto out_err;
1074
1075 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1076 if (!opts->mnt_opts_flags) {
1077 kfree(opts->mnt_opts);
1078 goto out_err;
1079 }
1080
1081 if (fscontext) {
1082 opts->mnt_opts[num_mnt_opts] = fscontext;
1083 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1084 }
1085 if (context) {
1086 opts->mnt_opts[num_mnt_opts] = context;
1087 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1088 }
1089 if (rootcontext) {
1090 opts->mnt_opts[num_mnt_opts] = rootcontext;
1091 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1092 }
1093 if (defcontext) {
1094 opts->mnt_opts[num_mnt_opts] = defcontext;
1095 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1096 }
1097
1098 opts->num_mnt_opts = num_mnt_opts;
1099 return 0;
1100
1101 out_err:
1102 kfree(context);
1103 kfree(defcontext);
1104 kfree(fscontext);
1105 kfree(rootcontext);
1106 return rc;
1107 }
1108 /*
1109 * string mount options parsing and call set the sbsec
1110 */
1111 static int superblock_doinit(struct super_block *sb, void *data)
1112 {
1113 int rc = 0;
1114 char *options = data;
1115 struct security_mnt_opts opts;
1116
1117 security_init_mnt_opts(&opts);
1118
1119 if (!data)
1120 goto out;
1121
1122 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1123
1124 rc = selinux_parse_opts_str(options, &opts);
1125 if (rc)
1126 goto out_err;
1127
1128 out:
1129 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1130
1131 out_err:
1132 security_free_mnt_opts(&opts);
1133 return rc;
1134 }
1135
1136 static void selinux_write_opts(struct seq_file *m,
1137 struct security_mnt_opts *opts)
1138 {
1139 int i;
1140 char *prefix;
1141
1142 for (i = 0; i < opts->num_mnt_opts; i++) {
1143 char *has_comma;
1144
1145 if (opts->mnt_opts[i])
1146 has_comma = strchr(opts->mnt_opts[i], ',');
1147 else
1148 has_comma = NULL;
1149
1150 switch (opts->mnt_opts_flags[i]) {
1151 case CONTEXT_MNT:
1152 prefix = CONTEXT_STR;
1153 break;
1154 case FSCONTEXT_MNT:
1155 prefix = FSCONTEXT_STR;
1156 break;
1157 case ROOTCONTEXT_MNT:
1158 prefix = ROOTCONTEXT_STR;
1159 break;
1160 case DEFCONTEXT_MNT:
1161 prefix = DEFCONTEXT_STR;
1162 break;
1163 case SBLABEL_MNT:
1164 seq_putc(m, ',');
1165 seq_puts(m, LABELSUPP_STR);
1166 continue;
1167 default:
1168 BUG();
1169 return;
1170 };
1171 /* we need a comma before each option */
1172 seq_putc(m, ',');
1173 seq_puts(m, prefix);
1174 if (has_comma)
1175 seq_putc(m, '\"');
1176 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1177 if (has_comma)
1178 seq_putc(m, '\"');
1179 }
1180 }
1181
1182 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1183 {
1184 struct security_mnt_opts opts;
1185 int rc;
1186
1187 rc = selinux_get_mnt_opts(sb, &opts);
1188 if (rc) {
1189 /* before policy load we may get EINVAL, don't show anything */
1190 if (rc == -EINVAL)
1191 rc = 0;
1192 return rc;
1193 }
1194
1195 selinux_write_opts(m, &opts);
1196
1197 security_free_mnt_opts(&opts);
1198
1199 return rc;
1200 }
1201
1202 static inline u16 inode_mode_to_security_class(umode_t mode)
1203 {
1204 switch (mode & S_IFMT) {
1205 case S_IFSOCK:
1206 return SECCLASS_SOCK_FILE;
1207 case S_IFLNK:
1208 return SECCLASS_LNK_FILE;
1209 case S_IFREG:
1210 return SECCLASS_FILE;
1211 case S_IFBLK:
1212 return SECCLASS_BLK_FILE;
1213 case S_IFDIR:
1214 return SECCLASS_DIR;
1215 case S_IFCHR:
1216 return SECCLASS_CHR_FILE;
1217 case S_IFIFO:
1218 return SECCLASS_FIFO_FILE;
1219
1220 }
1221
1222 return SECCLASS_FILE;
1223 }
1224
1225 static inline int default_protocol_stream(int protocol)
1226 {
1227 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1228 }
1229
1230 static inline int default_protocol_dgram(int protocol)
1231 {
1232 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1233 }
1234
1235 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1236 {
1237 switch (family) {
1238 case PF_UNIX:
1239 switch (type) {
1240 case SOCK_STREAM:
1241 case SOCK_SEQPACKET:
1242 return SECCLASS_UNIX_STREAM_SOCKET;
1243 case SOCK_DGRAM:
1244 return SECCLASS_UNIX_DGRAM_SOCKET;
1245 }
1246 break;
1247 case PF_INET:
1248 case PF_INET6:
1249 switch (type) {
1250 case SOCK_STREAM:
1251 if (default_protocol_stream(protocol))
1252 return SECCLASS_TCP_SOCKET;
1253 else
1254 return SECCLASS_RAWIP_SOCKET;
1255 case SOCK_DGRAM:
1256 if (default_protocol_dgram(protocol))
1257 return SECCLASS_UDP_SOCKET;
1258 else
1259 return SECCLASS_RAWIP_SOCKET;
1260 case SOCK_DCCP:
1261 return SECCLASS_DCCP_SOCKET;
1262 default:
1263 return SECCLASS_RAWIP_SOCKET;
1264 }
1265 break;
1266 case PF_NETLINK:
1267 switch (protocol) {
1268 case NETLINK_ROUTE:
1269 return SECCLASS_NETLINK_ROUTE_SOCKET;
1270 case NETLINK_SOCK_DIAG:
1271 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1272 case NETLINK_NFLOG:
1273 return SECCLASS_NETLINK_NFLOG_SOCKET;
1274 case NETLINK_XFRM:
1275 return SECCLASS_NETLINK_XFRM_SOCKET;
1276 case NETLINK_SELINUX:
1277 return SECCLASS_NETLINK_SELINUX_SOCKET;
1278 case NETLINK_ISCSI:
1279 return SECCLASS_NETLINK_ISCSI_SOCKET;
1280 case NETLINK_AUDIT:
1281 return SECCLASS_NETLINK_AUDIT_SOCKET;
1282 case NETLINK_FIB_LOOKUP:
1283 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1284 case NETLINK_CONNECTOR:
1285 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1286 case NETLINK_NETFILTER:
1287 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1288 case NETLINK_DNRTMSG:
1289 return SECCLASS_NETLINK_DNRT_SOCKET;
1290 case NETLINK_KOBJECT_UEVENT:
1291 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1292 case NETLINK_GENERIC:
1293 return SECCLASS_NETLINK_GENERIC_SOCKET;
1294 case NETLINK_SCSITRANSPORT:
1295 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1296 case NETLINK_RDMA:
1297 return SECCLASS_NETLINK_RDMA_SOCKET;
1298 case NETLINK_CRYPTO:
1299 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1300 default:
1301 return SECCLASS_NETLINK_SOCKET;
1302 }
1303 case PF_PACKET:
1304 return SECCLASS_PACKET_SOCKET;
1305 case PF_KEY:
1306 return SECCLASS_KEY_SOCKET;
1307 case PF_APPLETALK:
1308 return SECCLASS_APPLETALK_SOCKET;
1309 }
1310
1311 return SECCLASS_SOCKET;
1312 }
1313
1314 static int selinux_genfs_get_sid(struct dentry *dentry,
1315 u16 tclass,
1316 u16 flags,
1317 u32 *sid)
1318 {
1319 int rc;
1320 struct super_block *sb = dentry->d_sb;
1321 char *buffer, *path;
1322
1323 buffer = (char *)__get_free_page(GFP_KERNEL);
1324 if (!buffer)
1325 return -ENOMEM;
1326
1327 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1328 if (IS_ERR(path))
1329 rc = PTR_ERR(path);
1330 else {
1331 if (flags & SE_SBPROC) {
1332 /* each process gets a /proc/PID/ entry. Strip off the
1333 * PID part to get a valid selinux labeling.
1334 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1335 while (path[1] >= '0' && path[1] <= '9') {
1336 path[1] = '/';
1337 path++;
1338 }
1339 }
1340 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1341 }
1342 free_page((unsigned long)buffer);
1343 return rc;
1344 }
1345
1346 /* The inode's security attributes must be initialized before first use. */
1347 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1348 {
1349 struct superblock_security_struct *sbsec = NULL;
1350 struct inode_security_struct *isec = inode->i_security;
1351 u32 sid;
1352 struct dentry *dentry;
1353 #define INITCONTEXTLEN 255
1354 char *context = NULL;
1355 unsigned len = 0;
1356 int rc = 0;
1357
1358 if (isec->initialized == LABEL_INITIALIZED)
1359 goto out;
1360
1361 mutex_lock(&isec->lock);
1362 if (isec->initialized == LABEL_INITIALIZED)
1363 goto out_unlock;
1364
1365 sbsec = inode->i_sb->s_security;
1366 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1367 /* Defer initialization until selinux_complete_init,
1368 after the initial policy is loaded and the security
1369 server is ready to handle calls. */
1370 spin_lock(&sbsec->isec_lock);
1371 if (list_empty(&isec->list))
1372 list_add(&isec->list, &sbsec->isec_head);
1373 spin_unlock(&sbsec->isec_lock);
1374 goto out_unlock;
1375 }
1376
1377 switch (sbsec->behavior) {
1378 case SECURITY_FS_USE_NATIVE:
1379 break;
1380 case SECURITY_FS_USE_XATTR:
1381 if (!inode->i_op->getxattr) {
1382 isec->sid = sbsec->def_sid;
1383 break;
1384 }
1385
1386 /* Need a dentry, since the xattr API requires one.
1387 Life would be simpler if we could just pass the inode. */
1388 if (opt_dentry) {
1389 /* Called from d_instantiate or d_splice_alias. */
1390 dentry = dget(opt_dentry);
1391 } else {
1392 /* Called from selinux_complete_init, try to find a dentry. */
1393 dentry = d_find_alias(inode);
1394 }
1395 if (!dentry) {
1396 /*
1397 * this is can be hit on boot when a file is accessed
1398 * before the policy is loaded. When we load policy we
1399 * may find inodes that have no dentry on the
1400 * sbsec->isec_head list. No reason to complain as these
1401 * will get fixed up the next time we go through
1402 * inode_doinit with a dentry, before these inodes could
1403 * be used again by userspace.
1404 */
1405 goto out_unlock;
1406 }
1407
1408 len = INITCONTEXTLEN;
1409 context = kmalloc(len+1, GFP_NOFS);
1410 if (!context) {
1411 rc = -ENOMEM;
1412 dput(dentry);
1413 goto out_unlock;
1414 }
1415 context[len] = '\0';
1416 rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1417 context, len);
1418 if (rc == -ERANGE) {
1419 kfree(context);
1420
1421 /* Need a larger buffer. Query for the right size. */
1422 rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1423 NULL, 0);
1424 if (rc < 0) {
1425 dput(dentry);
1426 goto out_unlock;
1427 }
1428 len = rc;
1429 context = kmalloc(len+1, GFP_NOFS);
1430 if (!context) {
1431 rc = -ENOMEM;
1432 dput(dentry);
1433 goto out_unlock;
1434 }
1435 context[len] = '\0';
1436 rc = inode->i_op->getxattr(dentry, inode,
1437 XATTR_NAME_SELINUX,
1438 context, len);
1439 }
1440 dput(dentry);
1441 if (rc < 0) {
1442 if (rc != -ENODATA) {
1443 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1444 "%d for dev=%s ino=%ld\n", __func__,
1445 -rc, inode->i_sb->s_id, inode->i_ino);
1446 kfree(context);
1447 goto out_unlock;
1448 }
1449 /* Map ENODATA to the default file SID */
1450 sid = sbsec->def_sid;
1451 rc = 0;
1452 } else {
1453 rc = security_context_to_sid_default(context, rc, &sid,
1454 sbsec->def_sid,
1455 GFP_NOFS);
1456 if (rc) {
1457 char *dev = inode->i_sb->s_id;
1458 unsigned long ino = inode->i_ino;
1459
1460 if (rc == -EINVAL) {
1461 if (printk_ratelimit())
1462 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1463 "context=%s. This indicates you may need to relabel the inode or the "
1464 "filesystem in question.\n", ino, dev, context);
1465 } else {
1466 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1467 "returned %d for dev=%s ino=%ld\n",
1468 __func__, context, -rc, dev, ino);
1469 }
1470 kfree(context);
1471 /* Leave with the unlabeled SID */
1472 rc = 0;
1473 break;
1474 }
1475 }
1476 kfree(context);
1477 isec->sid = sid;
1478 break;
1479 case SECURITY_FS_USE_TASK:
1480 isec->sid = isec->task_sid;
1481 break;
1482 case SECURITY_FS_USE_TRANS:
1483 /* Default to the fs SID. */
1484 isec->sid = sbsec->sid;
1485
1486 /* Try to obtain a transition SID. */
1487 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1488 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1489 isec->sclass, NULL, &sid);
1490 if (rc)
1491 goto out_unlock;
1492 isec->sid = sid;
1493 break;
1494 case SECURITY_FS_USE_MNTPOINT:
1495 isec->sid = sbsec->mntpoint_sid;
1496 break;
1497 default:
1498 /* Default to the fs superblock SID. */
1499 isec->sid = sbsec->sid;
1500
1501 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1502 /* We must have a dentry to determine the label on
1503 * procfs inodes */
1504 if (opt_dentry)
1505 /* Called from d_instantiate or
1506 * d_splice_alias. */
1507 dentry = dget(opt_dentry);
1508 else
1509 /* Called from selinux_complete_init, try to
1510 * find a dentry. */
1511 dentry = d_find_alias(inode);
1512 /*
1513 * This can be hit on boot when a file is accessed
1514 * before the policy is loaded. When we load policy we
1515 * may find inodes that have no dentry on the
1516 * sbsec->isec_head list. No reason to complain as
1517 * these will get fixed up the next time we go through
1518 * inode_doinit() with a dentry, before these inodes
1519 * could be used again by userspace.
1520 */
1521 if (!dentry)
1522 goto out_unlock;
1523 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1524 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1525 sbsec->flags, &sid);
1526 dput(dentry);
1527 if (rc)
1528 goto out_unlock;
1529 isec->sid = sid;
1530 }
1531 break;
1532 }
1533
1534 isec->initialized = LABEL_INITIALIZED;
1535
1536 out_unlock:
1537 mutex_unlock(&isec->lock);
1538 out:
1539 if (isec->sclass == SECCLASS_FILE)
1540 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1541 return rc;
1542 }
1543
1544 /* Convert a Linux signal to an access vector. */
1545 static inline u32 signal_to_av(int sig)
1546 {
1547 u32 perm = 0;
1548
1549 switch (sig) {
1550 case SIGCHLD:
1551 /* Commonly granted from child to parent. */
1552 perm = PROCESS__SIGCHLD;
1553 break;
1554 case SIGKILL:
1555 /* Cannot be caught or ignored */
1556 perm = PROCESS__SIGKILL;
1557 break;
1558 case SIGSTOP:
1559 /* Cannot be caught or ignored */
1560 perm = PROCESS__SIGSTOP;
1561 break;
1562 default:
1563 /* All other signals. */
1564 perm = PROCESS__SIGNAL;
1565 break;
1566 }
1567
1568 return perm;
1569 }
1570
1571 /*
1572 * Check permission between a pair of credentials
1573 * fork check, ptrace check, etc.
1574 */
1575 static int cred_has_perm(const struct cred *actor,
1576 const struct cred *target,
1577 u32 perms)
1578 {
1579 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1580
1581 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1582 }
1583
1584 /*
1585 * Check permission between a pair of tasks, e.g. signal checks,
1586 * fork check, ptrace check, etc.
1587 * tsk1 is the actor and tsk2 is the target
1588 * - this uses the default subjective creds of tsk1
1589 */
1590 static int task_has_perm(const struct task_struct *tsk1,
1591 const struct task_struct *tsk2,
1592 u32 perms)
1593 {
1594 const struct task_security_struct *__tsec1, *__tsec2;
1595 u32 sid1, sid2;
1596
1597 rcu_read_lock();
1598 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1599 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1600 rcu_read_unlock();
1601 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1602 }
1603
1604 /*
1605 * Check permission between current and another task, e.g. signal checks,
1606 * fork check, ptrace check, etc.
1607 * current is the actor and tsk2 is the target
1608 * - this uses current's subjective creds
1609 */
1610 static int current_has_perm(const struct task_struct *tsk,
1611 u32 perms)
1612 {
1613 u32 sid, tsid;
1614
1615 sid = current_sid();
1616 tsid = task_sid(tsk);
1617 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1618 }
1619
1620 #if CAP_LAST_CAP > 63
1621 #error Fix SELinux to handle capabilities > 63.
1622 #endif
1623
1624 /* Check whether a task is allowed to use a capability. */
1625 static int cred_has_capability(const struct cred *cred,
1626 int cap, int audit)
1627 {
1628 struct common_audit_data ad;
1629 struct av_decision avd;
1630 u16 sclass;
1631 u32 sid = cred_sid(cred);
1632 u32 av = CAP_TO_MASK(cap);
1633 int rc;
1634
1635 ad.type = LSM_AUDIT_DATA_CAP;
1636 ad.u.cap = cap;
1637
1638 switch (CAP_TO_INDEX(cap)) {
1639 case 0:
1640 sclass = SECCLASS_CAPABILITY;
1641 break;
1642 case 1:
1643 sclass = SECCLASS_CAPABILITY2;
1644 break;
1645 default:
1646 printk(KERN_ERR
1647 "SELinux: out of range capability %d\n", cap);
1648 BUG();
1649 return -EINVAL;
1650 }
1651
1652 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1653 if (audit == SECURITY_CAP_AUDIT) {
1654 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1655 if (rc2)
1656 return rc2;
1657 }
1658 return rc;
1659 }
1660
1661 /* Check whether a task is allowed to use a system operation. */
1662 static int task_has_system(struct task_struct *tsk,
1663 u32 perms)
1664 {
1665 u32 sid = task_sid(tsk);
1666
1667 return avc_has_perm(sid, SECINITSID_KERNEL,
1668 SECCLASS_SYSTEM, perms, NULL);
1669 }
1670
1671 /* Check whether a task has a particular permission to an inode.
1672 The 'adp' parameter is optional and allows other audit
1673 data to be passed (e.g. the dentry). */
1674 static int inode_has_perm(const struct cred *cred,
1675 struct inode *inode,
1676 u32 perms,
1677 struct common_audit_data *adp)
1678 {
1679 struct inode_security_struct *isec;
1680 u32 sid;
1681
1682 validate_creds(cred);
1683
1684 if (unlikely(IS_PRIVATE(inode)))
1685 return 0;
1686
1687 sid = cred_sid(cred);
1688 isec = inode->i_security;
1689
1690 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1691 }
1692
1693 /* Same as inode_has_perm, but pass explicit audit data containing
1694 the dentry to help the auditing code to more easily generate the
1695 pathname if needed. */
1696 static inline int dentry_has_perm(const struct cred *cred,
1697 struct dentry *dentry,
1698 u32 av)
1699 {
1700 struct inode *inode = d_backing_inode(dentry);
1701 struct common_audit_data ad;
1702
1703 ad.type = LSM_AUDIT_DATA_DENTRY;
1704 ad.u.dentry = dentry;
1705 __inode_security_revalidate(inode, dentry, true);
1706 return inode_has_perm(cred, inode, av, &ad);
1707 }
1708
1709 /* Same as inode_has_perm, but pass explicit audit data containing
1710 the path to help the auditing code to more easily generate the
1711 pathname if needed. */
1712 static inline int path_has_perm(const struct cred *cred,
1713 const struct path *path,
1714 u32 av)
1715 {
1716 struct inode *inode = d_backing_inode(path->dentry);
1717 struct common_audit_data ad;
1718
1719 ad.type = LSM_AUDIT_DATA_PATH;
1720 ad.u.path = *path;
1721 __inode_security_revalidate(inode, path->dentry, true);
1722 return inode_has_perm(cred, inode, av, &ad);
1723 }
1724
1725 /* Same as path_has_perm, but uses the inode from the file struct. */
1726 static inline int file_path_has_perm(const struct cred *cred,
1727 struct file *file,
1728 u32 av)
1729 {
1730 struct common_audit_data ad;
1731
1732 ad.type = LSM_AUDIT_DATA_PATH;
1733 ad.u.path = file->f_path;
1734 return inode_has_perm(cred, file_inode(file), av, &ad);
1735 }
1736
1737 /* Check whether a task can use an open file descriptor to
1738 access an inode in a given way. Check access to the
1739 descriptor itself, and then use dentry_has_perm to
1740 check a particular permission to the file.
1741 Access to the descriptor is implicitly granted if it
1742 has the same SID as the process. If av is zero, then
1743 access to the file is not checked, e.g. for cases
1744 where only the descriptor is affected like seek. */
1745 static int file_has_perm(const struct cred *cred,
1746 struct file *file,
1747 u32 av)
1748 {
1749 struct file_security_struct *fsec = file->f_security;
1750 struct inode *inode = file_inode(file);
1751 struct common_audit_data ad;
1752 u32 sid = cred_sid(cred);
1753 int rc;
1754
1755 ad.type = LSM_AUDIT_DATA_PATH;
1756 ad.u.path = file->f_path;
1757
1758 if (sid != fsec->sid) {
1759 rc = avc_has_perm(sid, fsec->sid,
1760 SECCLASS_FD,
1761 FD__USE,
1762 &ad);
1763 if (rc)
1764 goto out;
1765 }
1766
1767 /* av is zero if only checking access to the descriptor. */
1768 rc = 0;
1769 if (av)
1770 rc = inode_has_perm(cred, inode, av, &ad);
1771
1772 out:
1773 return rc;
1774 }
1775
1776 /*
1777 * Determine the label for an inode that might be unioned.
1778 */
1779 static int selinux_determine_inode_label(struct inode *dir,
1780 const struct qstr *name,
1781 u16 tclass,
1782 u32 *_new_isid)
1783 {
1784 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1785 const struct inode_security_struct *dsec = inode_security(dir);
1786 const struct task_security_struct *tsec = current_security();
1787
1788 if ((sbsec->flags & SE_SBINITIALIZED) &&
1789 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1790 *_new_isid = sbsec->mntpoint_sid;
1791 } else if ((sbsec->flags & SBLABEL_MNT) &&
1792 tsec->create_sid) {
1793 *_new_isid = tsec->create_sid;
1794 } else {
1795 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1796 name, _new_isid);
1797 }
1798
1799 return 0;
1800 }
1801
1802 /* Check whether a task can create a file. */
1803 static int may_create(struct inode *dir,
1804 struct dentry *dentry,
1805 u16 tclass)
1806 {
1807 const struct task_security_struct *tsec = current_security();
1808 struct inode_security_struct *dsec;
1809 struct superblock_security_struct *sbsec;
1810 u32 sid, newsid;
1811 struct common_audit_data ad;
1812 int rc;
1813
1814 dsec = inode_security(dir);
1815 sbsec = dir->i_sb->s_security;
1816
1817 sid = tsec->sid;
1818
1819 ad.type = LSM_AUDIT_DATA_DENTRY;
1820 ad.u.dentry = dentry;
1821
1822 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1823 DIR__ADD_NAME | DIR__SEARCH,
1824 &ad);
1825 if (rc)
1826 return rc;
1827
1828 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1829 &newsid);
1830 if (rc)
1831 return rc;
1832
1833 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1834 if (rc)
1835 return rc;
1836
1837 return avc_has_perm(newsid, sbsec->sid,
1838 SECCLASS_FILESYSTEM,
1839 FILESYSTEM__ASSOCIATE, &ad);
1840 }
1841
1842 /* Check whether a task can create a key. */
1843 static int may_create_key(u32 ksid,
1844 struct task_struct *ctx)
1845 {
1846 u32 sid = task_sid(ctx);
1847
1848 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1849 }
1850
1851 #define MAY_LINK 0
1852 #define MAY_UNLINK 1
1853 #define MAY_RMDIR 2
1854
1855 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1856 static int may_link(struct inode *dir,
1857 struct dentry *dentry,
1858 int kind)
1859
1860 {
1861 struct inode_security_struct *dsec, *isec;
1862 struct common_audit_data ad;
1863 u32 sid = current_sid();
1864 u32 av;
1865 int rc;
1866
1867 dsec = inode_security(dir);
1868 isec = backing_inode_security(dentry);
1869
1870 ad.type = LSM_AUDIT_DATA_DENTRY;
1871 ad.u.dentry = dentry;
1872
1873 av = DIR__SEARCH;
1874 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1875 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1876 if (rc)
1877 return rc;
1878
1879 switch (kind) {
1880 case MAY_LINK:
1881 av = FILE__LINK;
1882 break;
1883 case MAY_UNLINK:
1884 av = FILE__UNLINK;
1885 break;
1886 case MAY_RMDIR:
1887 av = DIR__RMDIR;
1888 break;
1889 default:
1890 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1891 __func__, kind);
1892 return 0;
1893 }
1894
1895 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1896 return rc;
1897 }
1898
1899 static inline int may_rename(struct inode *old_dir,
1900 struct dentry *old_dentry,
1901 struct inode *new_dir,
1902 struct dentry *new_dentry)
1903 {
1904 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1905 struct common_audit_data ad;
1906 u32 sid = current_sid();
1907 u32 av;
1908 int old_is_dir, new_is_dir;
1909 int rc;
1910
1911 old_dsec = inode_security(old_dir);
1912 old_isec = backing_inode_security(old_dentry);
1913 old_is_dir = d_is_dir(old_dentry);
1914 new_dsec = inode_security(new_dir);
1915
1916 ad.type = LSM_AUDIT_DATA_DENTRY;
1917
1918 ad.u.dentry = old_dentry;
1919 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1920 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1921 if (rc)
1922 return rc;
1923 rc = avc_has_perm(sid, old_isec->sid,
1924 old_isec->sclass, FILE__RENAME, &ad);
1925 if (rc)
1926 return rc;
1927 if (old_is_dir && new_dir != old_dir) {
1928 rc = avc_has_perm(sid, old_isec->sid,
1929 old_isec->sclass, DIR__REPARENT, &ad);
1930 if (rc)
1931 return rc;
1932 }
1933
1934 ad.u.dentry = new_dentry;
1935 av = DIR__ADD_NAME | DIR__SEARCH;
1936 if (d_is_positive(new_dentry))
1937 av |= DIR__REMOVE_NAME;
1938 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1939 if (rc)
1940 return rc;
1941 if (d_is_positive(new_dentry)) {
1942 new_isec = backing_inode_security(new_dentry);
1943 new_is_dir = d_is_dir(new_dentry);
1944 rc = avc_has_perm(sid, new_isec->sid,
1945 new_isec->sclass,
1946 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1947 if (rc)
1948 return rc;
1949 }
1950
1951 return 0;
1952 }
1953
1954 /* Check whether a task can perform a filesystem operation. */
1955 static int superblock_has_perm(const struct cred *cred,
1956 struct super_block *sb,
1957 u32 perms,
1958 struct common_audit_data *ad)
1959 {
1960 struct superblock_security_struct *sbsec;
1961 u32 sid = cred_sid(cred);
1962
1963 sbsec = sb->s_security;
1964 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1965 }
1966
1967 /* Convert a Linux mode and permission mask to an access vector. */
1968 static inline u32 file_mask_to_av(int mode, int mask)
1969 {
1970 u32 av = 0;
1971
1972 if (!S_ISDIR(mode)) {
1973 if (mask & MAY_EXEC)
1974 av |= FILE__EXECUTE;
1975 if (mask & MAY_READ)
1976 av |= FILE__READ;
1977
1978 if (mask & MAY_APPEND)
1979 av |= FILE__APPEND;
1980 else if (mask & MAY_WRITE)
1981 av |= FILE__WRITE;
1982
1983 } else {
1984 if (mask & MAY_EXEC)
1985 av |= DIR__SEARCH;
1986 if (mask & MAY_WRITE)
1987 av |= DIR__WRITE;
1988 if (mask & MAY_READ)
1989 av |= DIR__READ;
1990 }
1991
1992 return av;
1993 }
1994
1995 /* Convert a Linux file to an access vector. */
1996 static inline u32 file_to_av(struct file *file)
1997 {
1998 u32 av = 0;
1999
2000 if (file->f_mode & FMODE_READ)
2001 av |= FILE__READ;
2002 if (file->f_mode & FMODE_WRITE) {
2003 if (file->f_flags & O_APPEND)
2004 av |= FILE__APPEND;
2005 else
2006 av |= FILE__WRITE;
2007 }
2008 if (!av) {
2009 /*
2010 * Special file opened with flags 3 for ioctl-only use.
2011 */
2012 av = FILE__IOCTL;
2013 }
2014
2015 return av;
2016 }
2017
2018 /*
2019 * Convert a file to an access vector and include the correct open
2020 * open permission.
2021 */
2022 static inline u32 open_file_to_av(struct file *file)
2023 {
2024 u32 av = file_to_av(file);
2025
2026 if (selinux_policycap_openperm)
2027 av |= FILE__OPEN;
2028
2029 return av;
2030 }
2031
2032 /* Hook functions begin here. */
2033
2034 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2035 {
2036 u32 mysid = current_sid();
2037 u32 mgrsid = task_sid(mgr);
2038
2039 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2040 BINDER__SET_CONTEXT_MGR, NULL);
2041 }
2042
2043 static int selinux_binder_transaction(struct task_struct *from,
2044 struct task_struct *to)
2045 {
2046 u32 mysid = current_sid();
2047 u32 fromsid = task_sid(from);
2048 u32 tosid = task_sid(to);
2049 int rc;
2050
2051 if (mysid != fromsid) {
2052 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2053 BINDER__IMPERSONATE, NULL);
2054 if (rc)
2055 return rc;
2056 }
2057
2058 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2059 NULL);
2060 }
2061
2062 static int selinux_binder_transfer_binder(struct task_struct *from,
2063 struct task_struct *to)
2064 {
2065 u32 fromsid = task_sid(from);
2066 u32 tosid = task_sid(to);
2067
2068 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2069 NULL);
2070 }
2071
2072 static int selinux_binder_transfer_file(struct task_struct *from,
2073 struct task_struct *to,
2074 struct file *file)
2075 {
2076 u32 sid = task_sid(to);
2077 struct file_security_struct *fsec = file->f_security;
2078 struct dentry *dentry = file->f_path.dentry;
2079 struct inode_security_struct *isec = backing_inode_security(dentry);
2080 struct common_audit_data ad;
2081 int rc;
2082
2083 ad.type = LSM_AUDIT_DATA_PATH;
2084 ad.u.path = file->f_path;
2085
2086 if (sid != fsec->sid) {
2087 rc = avc_has_perm(sid, fsec->sid,
2088 SECCLASS_FD,
2089 FD__USE,
2090 &ad);
2091 if (rc)
2092 return rc;
2093 }
2094
2095 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2096 return 0;
2097
2098 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2099 &ad);
2100 }
2101
2102 static int selinux_ptrace_access_check(struct task_struct *child,
2103 unsigned int mode)
2104 {
2105 if (mode & PTRACE_MODE_READ) {
2106 u32 sid = current_sid();
2107 u32 csid = task_sid(child);
2108 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2109 }
2110
2111 return current_has_perm(child, PROCESS__PTRACE);
2112 }
2113
2114 static int selinux_ptrace_traceme(struct task_struct *parent)
2115 {
2116 return task_has_perm(parent, current, PROCESS__PTRACE);
2117 }
2118
2119 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2120 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2121 {
2122 return current_has_perm(target, PROCESS__GETCAP);
2123 }
2124
2125 static int selinux_capset(struct cred *new, const struct cred *old,
2126 const kernel_cap_t *effective,
2127 const kernel_cap_t *inheritable,
2128 const kernel_cap_t *permitted)
2129 {
2130 return cred_has_perm(old, new, PROCESS__SETCAP);
2131 }
2132
2133 /*
2134 * (This comment used to live with the selinux_task_setuid hook,
2135 * which was removed).
2136 *
2137 * Since setuid only affects the current process, and since the SELinux
2138 * controls are not based on the Linux identity attributes, SELinux does not
2139 * need to control this operation. However, SELinux does control the use of
2140 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2141 */
2142
2143 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2144 int cap, int audit)
2145 {
2146 return cred_has_capability(cred, cap, audit);
2147 }
2148
2149 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2150 {
2151 const struct cred *cred = current_cred();
2152 int rc = 0;
2153
2154 if (!sb)
2155 return 0;
2156
2157 switch (cmds) {
2158 case Q_SYNC:
2159 case Q_QUOTAON:
2160 case Q_QUOTAOFF:
2161 case Q_SETINFO:
2162 case Q_SETQUOTA:
2163 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2164 break;
2165 case Q_GETFMT:
2166 case Q_GETINFO:
2167 case Q_GETQUOTA:
2168 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2169 break;
2170 default:
2171 rc = 0; /* let the kernel handle invalid cmds */
2172 break;
2173 }
2174 return rc;
2175 }
2176
2177 static int selinux_quota_on(struct dentry *dentry)
2178 {
2179 const struct cred *cred = current_cred();
2180
2181 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2182 }
2183
2184 static int selinux_syslog(int type)
2185 {
2186 int rc;
2187
2188 switch (type) {
2189 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2190 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2191 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2192 break;
2193 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2194 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2195 /* Set level of messages printed to console */
2196 case SYSLOG_ACTION_CONSOLE_LEVEL:
2197 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2198 break;
2199 case SYSLOG_ACTION_CLOSE: /* Close log */
2200 case SYSLOG_ACTION_OPEN: /* Open log */
2201 case SYSLOG_ACTION_READ: /* Read from log */
2202 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2203 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2204 default:
2205 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2206 break;
2207 }
2208 return rc;
2209 }
2210
2211 /*
2212 * Check that a process has enough memory to allocate a new virtual
2213 * mapping. 0 means there is enough memory for the allocation to
2214 * succeed and -ENOMEM implies there is not.
2215 *
2216 * Do not audit the selinux permission check, as this is applied to all
2217 * processes that allocate mappings.
2218 */
2219 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2220 {
2221 int rc, cap_sys_admin = 0;
2222
2223 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2224 SECURITY_CAP_NOAUDIT);
2225 if (rc == 0)
2226 cap_sys_admin = 1;
2227
2228 return cap_sys_admin;
2229 }
2230
2231 /* binprm security operations */
2232
2233 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2234 const struct task_security_struct *old_tsec,
2235 const struct task_security_struct *new_tsec)
2236 {
2237 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2238 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2239 int rc;
2240
2241 if (!nnp && !nosuid)
2242 return 0; /* neither NNP nor nosuid */
2243
2244 if (new_tsec->sid == old_tsec->sid)
2245 return 0; /* No change in credentials */
2246
2247 /*
2248 * The only transitions we permit under NNP or nosuid
2249 * are transitions to bounded SIDs, i.e. SIDs that are
2250 * guaranteed to only be allowed a subset of the permissions
2251 * of the current SID.
2252 */
2253 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2254 if (rc) {
2255 /*
2256 * On failure, preserve the errno values for NNP vs nosuid.
2257 * NNP: Operation not permitted for caller.
2258 * nosuid: Permission denied to file.
2259 */
2260 if (nnp)
2261 return -EPERM;
2262 else
2263 return -EACCES;
2264 }
2265 return 0;
2266 }
2267
2268 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2269 {
2270 const struct task_security_struct *old_tsec;
2271 struct task_security_struct *new_tsec;
2272 struct inode_security_struct *isec;
2273 struct common_audit_data ad;
2274 struct inode *inode = file_inode(bprm->file);
2275 int rc;
2276
2277 /* SELinux context only depends on initial program or script and not
2278 * the script interpreter */
2279 if (bprm->cred_prepared)
2280 return 0;
2281
2282 old_tsec = current_security();
2283 new_tsec = bprm->cred->security;
2284 isec = inode_security(inode);
2285
2286 /* Default to the current task SID. */
2287 new_tsec->sid = old_tsec->sid;
2288 new_tsec->osid = old_tsec->sid;
2289
2290 /* Reset fs, key, and sock SIDs on execve. */
2291 new_tsec->create_sid = 0;
2292 new_tsec->keycreate_sid = 0;
2293 new_tsec->sockcreate_sid = 0;
2294
2295 if (old_tsec->exec_sid) {
2296 new_tsec->sid = old_tsec->exec_sid;
2297 /* Reset exec SID on execve. */
2298 new_tsec->exec_sid = 0;
2299
2300 /* Fail on NNP or nosuid if not an allowed transition. */
2301 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2302 if (rc)
2303 return rc;
2304 } else {
2305 /* Check for a default transition on this program. */
2306 rc = security_transition_sid(old_tsec->sid, isec->sid,
2307 SECCLASS_PROCESS, NULL,
2308 &new_tsec->sid);
2309 if (rc)
2310 return rc;
2311
2312 /*
2313 * Fallback to old SID on NNP or nosuid if not an allowed
2314 * transition.
2315 */
2316 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2317 if (rc)
2318 new_tsec->sid = old_tsec->sid;
2319 }
2320
2321 ad.type = LSM_AUDIT_DATA_PATH;
2322 ad.u.path = bprm->file->f_path;
2323
2324 if (new_tsec->sid == old_tsec->sid) {
2325 rc = avc_has_perm(old_tsec->sid, isec->sid,
2326 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2327 if (rc)
2328 return rc;
2329 } else {
2330 /* Check permissions for the transition. */
2331 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2332 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2333 if (rc)
2334 return rc;
2335
2336 rc = avc_has_perm(new_tsec->sid, isec->sid,
2337 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2338 if (rc)
2339 return rc;
2340
2341 /* Check for shared state */
2342 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2343 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2344 SECCLASS_PROCESS, PROCESS__SHARE,
2345 NULL);
2346 if (rc)
2347 return -EPERM;
2348 }
2349
2350 /* Make sure that anyone attempting to ptrace over a task that
2351 * changes its SID has the appropriate permit */
2352 if (bprm->unsafe &
2353 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2354 struct task_struct *tracer;
2355 struct task_security_struct *sec;
2356 u32 ptsid = 0;
2357
2358 rcu_read_lock();
2359 tracer = ptrace_parent(current);
2360 if (likely(tracer != NULL)) {
2361 sec = __task_cred(tracer)->security;
2362 ptsid = sec->sid;
2363 }
2364 rcu_read_unlock();
2365
2366 if (ptsid != 0) {
2367 rc = avc_has_perm(ptsid, new_tsec->sid,
2368 SECCLASS_PROCESS,
2369 PROCESS__PTRACE, NULL);
2370 if (rc)
2371 return -EPERM;
2372 }
2373 }
2374
2375 /* Clear any possibly unsafe personality bits on exec: */
2376 bprm->per_clear |= PER_CLEAR_ON_SETID;
2377 }
2378
2379 return 0;
2380 }
2381
2382 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2383 {
2384 const struct task_security_struct *tsec = current_security();
2385 u32 sid, osid;
2386 int atsecure = 0;
2387
2388 sid = tsec->sid;
2389 osid = tsec->osid;
2390
2391 if (osid != sid) {
2392 /* Enable secure mode for SIDs transitions unless
2393 the noatsecure permission is granted between
2394 the two SIDs, i.e. ahp returns 0. */
2395 atsecure = avc_has_perm(osid, sid,
2396 SECCLASS_PROCESS,
2397 PROCESS__NOATSECURE, NULL);
2398 }
2399
2400 return !!atsecure;
2401 }
2402
2403 static int match_file(const void *p, struct file *file, unsigned fd)
2404 {
2405 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2406 }
2407
2408 /* Derived from fs/exec.c:flush_old_files. */
2409 static inline void flush_unauthorized_files(const struct cred *cred,
2410 struct files_struct *files)
2411 {
2412 struct file *file, *devnull = NULL;
2413 struct tty_struct *tty;
2414 int drop_tty = 0;
2415 unsigned n;
2416
2417 tty = get_current_tty();
2418 if (tty) {
2419 spin_lock(&tty->files_lock);
2420 if (!list_empty(&tty->tty_files)) {
2421 struct tty_file_private *file_priv;
2422
2423 /* Revalidate access to controlling tty.
2424 Use file_path_has_perm on the tty path directly
2425 rather than using file_has_perm, as this particular
2426 open file may belong to another process and we are
2427 only interested in the inode-based check here. */
2428 file_priv = list_first_entry(&tty->tty_files,
2429 struct tty_file_private, list);
2430 file = file_priv->file;
2431 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2432 drop_tty = 1;
2433 }
2434 spin_unlock(&tty->files_lock);
2435 tty_kref_put(tty);
2436 }
2437 /* Reset controlling tty. */
2438 if (drop_tty)
2439 no_tty();
2440
2441 /* Revalidate access to inherited open files. */
2442 n = iterate_fd(files, 0, match_file, cred);
2443 if (!n) /* none found? */
2444 return;
2445
2446 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2447 if (IS_ERR(devnull))
2448 devnull = NULL;
2449 /* replace all the matching ones with this */
2450 do {
2451 replace_fd(n - 1, devnull, 0);
2452 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2453 if (devnull)
2454 fput(devnull);
2455 }
2456
2457 /*
2458 * Prepare a process for imminent new credential changes due to exec
2459 */
2460 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2461 {
2462 struct task_security_struct *new_tsec;
2463 struct rlimit *rlim, *initrlim;
2464 int rc, i;
2465
2466 new_tsec = bprm->cred->security;
2467 if (new_tsec->sid == new_tsec->osid)
2468 return;
2469
2470 /* Close files for which the new task SID is not authorized. */
2471 flush_unauthorized_files(bprm->cred, current->files);
2472
2473 /* Always clear parent death signal on SID transitions. */
2474 current->pdeath_signal = 0;
2475
2476 /* Check whether the new SID can inherit resource limits from the old
2477 * SID. If not, reset all soft limits to the lower of the current
2478 * task's hard limit and the init task's soft limit.
2479 *
2480 * Note that the setting of hard limits (even to lower them) can be
2481 * controlled by the setrlimit check. The inclusion of the init task's
2482 * soft limit into the computation is to avoid resetting soft limits
2483 * higher than the default soft limit for cases where the default is
2484 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2485 */
2486 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2487 PROCESS__RLIMITINH, NULL);
2488 if (rc) {
2489 /* protect against do_prlimit() */
2490 task_lock(current);
2491 for (i = 0; i < RLIM_NLIMITS; i++) {
2492 rlim = current->signal->rlim + i;
2493 initrlim = init_task.signal->rlim + i;
2494 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2495 }
2496 task_unlock(current);
2497 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2498 }
2499 }
2500
2501 /*
2502 * Clean up the process immediately after the installation of new credentials
2503 * due to exec
2504 */
2505 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2506 {
2507 const struct task_security_struct *tsec = current_security();
2508 struct itimerval itimer;
2509 u32 osid, sid;
2510 int rc, i;
2511
2512 osid = tsec->osid;
2513 sid = tsec->sid;
2514
2515 if (sid == osid)
2516 return;
2517
2518 /* Check whether the new SID can inherit signal state from the old SID.
2519 * If not, clear itimers to avoid subsequent signal generation and
2520 * flush and unblock signals.
2521 *
2522 * This must occur _after_ the task SID has been updated so that any
2523 * kill done after the flush will be checked against the new SID.
2524 */
2525 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2526 if (rc) {
2527 memset(&itimer, 0, sizeof itimer);
2528 for (i = 0; i < 3; i++)
2529 do_setitimer(i, &itimer, NULL);
2530 spin_lock_irq(&current->sighand->siglock);
2531 if (!fatal_signal_pending(current)) {
2532 flush_sigqueue(&current->pending);
2533 flush_sigqueue(&current->signal->shared_pending);
2534 flush_signal_handlers(current, 1);
2535 sigemptyset(&current->blocked);
2536 recalc_sigpending();
2537 }
2538 spin_unlock_irq(&current->sighand->siglock);
2539 }
2540
2541 /* Wake up the parent if it is waiting so that it can recheck
2542 * wait permission to the new task SID. */
2543 read_lock(&tasklist_lock);
2544 __wake_up_parent(current, current->real_parent);
2545 read_unlock(&tasklist_lock);
2546 }
2547
2548 /* superblock security operations */
2549
2550 static int selinux_sb_alloc_security(struct super_block *sb)
2551 {
2552 return superblock_alloc_security(sb);
2553 }
2554
2555 static void selinux_sb_free_security(struct super_block *sb)
2556 {
2557 superblock_free_security(sb);
2558 }
2559
2560 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2561 {
2562 if (plen > olen)
2563 return 0;
2564
2565 return !memcmp(prefix, option, plen);
2566 }
2567
2568 static inline int selinux_option(char *option, int len)
2569 {
2570 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2571 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2572 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2573 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2574 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2575 }
2576
2577 static inline void take_option(char **to, char *from, int *first, int len)
2578 {
2579 if (!*first) {
2580 **to = ',';
2581 *to += 1;
2582 } else
2583 *first = 0;
2584 memcpy(*to, from, len);
2585 *to += len;
2586 }
2587
2588 static inline void take_selinux_option(char **to, char *from, int *first,
2589 int len)
2590 {
2591 int current_size = 0;
2592
2593 if (!*first) {
2594 **to = '|';
2595 *to += 1;
2596 } else
2597 *first = 0;
2598
2599 while (current_size < len) {
2600 if (*from != '"') {
2601 **to = *from;
2602 *to += 1;
2603 }
2604 from += 1;
2605 current_size += 1;
2606 }
2607 }
2608
2609 static int selinux_sb_copy_data(char *orig, char *copy)
2610 {
2611 int fnosec, fsec, rc = 0;
2612 char *in_save, *in_curr, *in_end;
2613 char *sec_curr, *nosec_save, *nosec;
2614 int open_quote = 0;
2615
2616 in_curr = orig;
2617 sec_curr = copy;
2618
2619 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2620 if (!nosec) {
2621 rc = -ENOMEM;
2622 goto out;
2623 }
2624
2625 nosec_save = nosec;
2626 fnosec = fsec = 1;
2627 in_save = in_end = orig;
2628
2629 do {
2630 if (*in_end == '"')
2631 open_quote = !open_quote;
2632 if ((*in_end == ',' && open_quote == 0) ||
2633 *in_end == '\0') {
2634 int len = in_end - in_curr;
2635
2636 if (selinux_option(in_curr, len))
2637 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2638 else
2639 take_option(&nosec, in_curr, &fnosec, len);
2640
2641 in_curr = in_end + 1;
2642 }
2643 } while (*in_end++);
2644
2645 strcpy(in_save, nosec_save);
2646 free_page((unsigned long)nosec_save);
2647 out:
2648 return rc;
2649 }
2650
2651 static int selinux_sb_remount(struct super_block *sb, void *data)
2652 {
2653 int rc, i, *flags;
2654 struct security_mnt_opts opts;
2655 char *secdata, **mount_options;
2656 struct superblock_security_struct *sbsec = sb->s_security;
2657
2658 if (!(sbsec->flags & SE_SBINITIALIZED))
2659 return 0;
2660
2661 if (!data)
2662 return 0;
2663
2664 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2665 return 0;
2666
2667 security_init_mnt_opts(&opts);
2668 secdata = alloc_secdata();
2669 if (!secdata)
2670 return -ENOMEM;
2671 rc = selinux_sb_copy_data(data, secdata);
2672 if (rc)
2673 goto out_free_secdata;
2674
2675 rc = selinux_parse_opts_str(secdata, &opts);
2676 if (rc)
2677 goto out_free_secdata;
2678
2679 mount_options = opts.mnt_opts;
2680 flags = opts.mnt_opts_flags;
2681
2682 for (i = 0; i < opts.num_mnt_opts; i++) {
2683 u32 sid;
2684
2685 if (flags[i] == SBLABEL_MNT)
2686 continue;
2687 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2688 if (rc) {
2689 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2690 "(%s) failed for (dev %s, type %s) errno=%d\n",
2691 mount_options[i], sb->s_id, sb->s_type->name, rc);
2692 goto out_free_opts;
2693 }
2694 rc = -EINVAL;
2695 switch (flags[i]) {
2696 case FSCONTEXT_MNT:
2697 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2698 goto out_bad_option;
2699 break;
2700 case CONTEXT_MNT:
2701 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2702 goto out_bad_option;
2703 break;
2704 case ROOTCONTEXT_MNT: {
2705 struct inode_security_struct *root_isec;
2706 root_isec = backing_inode_security(sb->s_root);
2707
2708 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2709 goto out_bad_option;
2710 break;
2711 }
2712 case DEFCONTEXT_MNT:
2713 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2714 goto out_bad_option;
2715 break;
2716 default:
2717 goto out_free_opts;
2718 }
2719 }
2720
2721 rc = 0;
2722 out_free_opts:
2723 security_free_mnt_opts(&opts);
2724 out_free_secdata:
2725 free_secdata(secdata);
2726 return rc;
2727 out_bad_option:
2728 printk(KERN_WARNING "SELinux: unable to change security options "
2729 "during remount (dev %s, type=%s)\n", sb->s_id,
2730 sb->s_type->name);
2731 goto out_free_opts;
2732 }
2733
2734 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2735 {
2736 const struct cred *cred = current_cred();
2737 struct common_audit_data ad;
2738 int rc;
2739
2740 rc = superblock_doinit(sb, data);
2741 if (rc)
2742 return rc;
2743
2744 /* Allow all mounts performed by the kernel */
2745 if (flags & MS_KERNMOUNT)
2746 return 0;
2747
2748 ad.type = LSM_AUDIT_DATA_DENTRY;
2749 ad.u.dentry = sb->s_root;
2750 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2751 }
2752
2753 static int selinux_sb_statfs(struct dentry *dentry)
2754 {
2755 const struct cred *cred = current_cred();
2756 struct common_audit_data ad;
2757
2758 ad.type = LSM_AUDIT_DATA_DENTRY;
2759 ad.u.dentry = dentry->d_sb->s_root;
2760 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2761 }
2762
2763 static int selinux_mount(const char *dev_name,
2764 const struct path *path,
2765 const char *type,
2766 unsigned long flags,
2767 void *data)
2768 {
2769 const struct cred *cred = current_cred();
2770
2771 if (flags & MS_REMOUNT)
2772 return superblock_has_perm(cred, path->dentry->d_sb,
2773 FILESYSTEM__REMOUNT, NULL);
2774 else
2775 return path_has_perm(cred, path, FILE__MOUNTON);
2776 }
2777
2778 static int selinux_umount(struct vfsmount *mnt, int flags)
2779 {
2780 const struct cred *cred = current_cred();
2781
2782 return superblock_has_perm(cred, mnt->mnt_sb,
2783 FILESYSTEM__UNMOUNT, NULL);
2784 }
2785
2786 /* inode security operations */
2787
2788 static int selinux_inode_alloc_security(struct inode *inode)
2789 {
2790 return inode_alloc_security(inode);
2791 }
2792
2793 static void selinux_inode_free_security(struct inode *inode)
2794 {
2795 inode_free_security(inode);
2796 }
2797
2798 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2799 struct qstr *name, void **ctx,
2800 u32 *ctxlen)
2801 {
2802 u32 newsid;
2803 int rc;
2804
2805 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2806 inode_mode_to_security_class(mode),
2807 &newsid);
2808 if (rc)
2809 return rc;
2810
2811 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2812 }
2813
2814 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2815 const struct qstr *qstr,
2816 const char **name,
2817 void **value, size_t *len)
2818 {
2819 const struct task_security_struct *tsec = current_security();
2820 struct superblock_security_struct *sbsec;
2821 u32 sid, newsid, clen;
2822 int rc;
2823 char *context;
2824
2825 sbsec = dir->i_sb->s_security;
2826
2827 sid = tsec->sid;
2828 newsid = tsec->create_sid;
2829
2830 rc = selinux_determine_inode_label(
2831 dir, qstr,
2832 inode_mode_to_security_class(inode->i_mode),
2833 &newsid);
2834 if (rc)
2835 return rc;
2836
2837 /* Possibly defer initialization to selinux_complete_init. */
2838 if (sbsec->flags & SE_SBINITIALIZED) {
2839 struct inode_security_struct *isec = inode->i_security;
2840 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2841 isec->sid = newsid;
2842 isec->initialized = LABEL_INITIALIZED;
2843 }
2844
2845 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2846 return -EOPNOTSUPP;
2847
2848 if (name)
2849 *name = XATTR_SELINUX_SUFFIX;
2850
2851 if (value && len) {
2852 rc = security_sid_to_context_force(newsid, &context, &clen);
2853 if (rc)
2854 return rc;
2855 *value = context;
2856 *len = clen;
2857 }
2858
2859 return 0;
2860 }
2861
2862 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2863 {
2864 return may_create(dir, dentry, SECCLASS_FILE);
2865 }
2866
2867 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2868 {
2869 return may_link(dir, old_dentry, MAY_LINK);
2870 }
2871
2872 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2873 {
2874 return may_link(dir, dentry, MAY_UNLINK);
2875 }
2876
2877 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2878 {
2879 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2880 }
2881
2882 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2883 {
2884 return may_create(dir, dentry, SECCLASS_DIR);
2885 }
2886
2887 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2888 {
2889 return may_link(dir, dentry, MAY_RMDIR);
2890 }
2891
2892 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2893 {
2894 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2895 }
2896
2897 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2898 struct inode *new_inode, struct dentry *new_dentry)
2899 {
2900 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2901 }
2902
2903 static int selinux_inode_readlink(struct dentry *dentry)
2904 {
2905 const struct cred *cred = current_cred();
2906
2907 return dentry_has_perm(cred, dentry, FILE__READ);
2908 }
2909
2910 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2911 bool rcu)
2912 {
2913 const struct cred *cred = current_cred();
2914 struct common_audit_data ad;
2915 struct inode_security_struct *isec;
2916 u32 sid;
2917
2918 validate_creds(cred);
2919
2920 ad.type = LSM_AUDIT_DATA_DENTRY;
2921 ad.u.dentry = dentry;
2922 sid = cred_sid(cred);
2923 isec = inode_security_rcu(inode, rcu);
2924 if (IS_ERR(isec))
2925 return PTR_ERR(isec);
2926
2927 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2928 rcu ? MAY_NOT_BLOCK : 0);
2929 }
2930
2931 static noinline int audit_inode_permission(struct inode *inode,
2932 u32 perms, u32 audited, u32 denied,
2933 int result,
2934 unsigned flags)
2935 {
2936 struct common_audit_data ad;
2937 struct inode_security_struct *isec = inode->i_security;
2938 int rc;
2939
2940 ad.type = LSM_AUDIT_DATA_INODE;
2941 ad.u.inode = inode;
2942
2943 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2944 audited, denied, result, &ad, flags);
2945 if (rc)
2946 return rc;
2947 return 0;
2948 }
2949
2950 static int selinux_inode_permission(struct inode *inode, int mask)
2951 {
2952 const struct cred *cred = current_cred();
2953 u32 perms;
2954 bool from_access;
2955 unsigned flags = mask & MAY_NOT_BLOCK;
2956 struct inode_security_struct *isec;
2957 u32 sid;
2958 struct av_decision avd;
2959 int rc, rc2;
2960 u32 audited, denied;
2961
2962 from_access = mask & MAY_ACCESS;
2963 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2964
2965 /* No permission to check. Existence test. */
2966 if (!mask)
2967 return 0;
2968
2969 validate_creds(cred);
2970
2971 if (unlikely(IS_PRIVATE(inode)))
2972 return 0;
2973
2974 perms = file_mask_to_av(inode->i_mode, mask);
2975
2976 sid = cred_sid(cred);
2977 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2978 if (IS_ERR(isec))
2979 return PTR_ERR(isec);
2980
2981 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2982 audited = avc_audit_required(perms, &avd, rc,
2983 from_access ? FILE__AUDIT_ACCESS : 0,
2984 &denied);
2985 if (likely(!audited))
2986 return rc;
2987
2988 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2989 if (rc2)
2990 return rc2;
2991 return rc;
2992 }
2993
2994 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2995 {
2996 const struct cred *cred = current_cred();
2997 unsigned int ia_valid = iattr->ia_valid;
2998 __u32 av = FILE__WRITE;
2999
3000 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3001 if (ia_valid & ATTR_FORCE) {
3002 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3003 ATTR_FORCE);
3004 if (!ia_valid)
3005 return 0;
3006 }
3007
3008 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3009 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3010 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3011
3012 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3013 && !(ia_valid & ATTR_FILE))
3014 av |= FILE__OPEN;
3015
3016 return dentry_has_perm(cred, dentry, av);
3017 }
3018
3019 static int selinux_inode_getattr(const struct path *path)
3020 {
3021 return path_has_perm(current_cred(), path, FILE__GETATTR);
3022 }
3023
3024 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3025 {
3026 const struct cred *cred = current_cred();
3027
3028 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3029 sizeof XATTR_SECURITY_PREFIX - 1)) {
3030 if (!strcmp(name, XATTR_NAME_CAPS)) {
3031 if (!capable(CAP_SETFCAP))
3032 return -EPERM;
3033 } else if (!capable(CAP_SYS_ADMIN)) {
3034 /* A different attribute in the security namespace.
3035 Restrict to administrator. */
3036 return -EPERM;
3037 }
3038 }
3039
3040 /* Not an attribute we recognize, so just check the
3041 ordinary setattr permission. */
3042 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3043 }
3044
3045 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3046 const void *value, size_t size, int flags)
3047 {
3048 struct inode *inode = d_backing_inode(dentry);
3049 struct inode_security_struct *isec = backing_inode_security(dentry);
3050 struct superblock_security_struct *sbsec;
3051 struct common_audit_data ad;
3052 u32 newsid, sid = current_sid();
3053 int rc = 0;
3054
3055 if (strcmp(name, XATTR_NAME_SELINUX))
3056 return selinux_inode_setotherxattr(dentry, name);
3057
3058 sbsec = inode->i_sb->s_security;
3059 if (!(sbsec->flags & SBLABEL_MNT))
3060 return -EOPNOTSUPP;
3061
3062 if (!inode_owner_or_capable(inode))
3063 return -EPERM;
3064
3065 ad.type = LSM_AUDIT_DATA_DENTRY;
3066 ad.u.dentry = dentry;
3067
3068 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3069 FILE__RELABELFROM, &ad);
3070 if (rc)
3071 return rc;
3072
3073 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3074 if (rc == -EINVAL) {
3075 if (!capable(CAP_MAC_ADMIN)) {
3076 struct audit_buffer *ab;
3077 size_t audit_size;
3078 const char *str;
3079
3080 /* We strip a nul only if it is at the end, otherwise the
3081 * context contains a nul and we should audit that */
3082 if (value) {
3083 str = value;
3084 if (str[size - 1] == '\0')
3085 audit_size = size - 1;
3086 else
3087 audit_size = size;
3088 } else {
3089 str = "";
3090 audit_size = 0;
3091 }
3092 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3093 audit_log_format(ab, "op=setxattr invalid_context=");
3094 audit_log_n_untrustedstring(ab, value, audit_size);
3095 audit_log_end(ab);
3096
3097 return rc;
3098 }
3099 rc = security_context_to_sid_force(value, size, &newsid);
3100 }
3101 if (rc)
3102 return rc;
3103
3104 rc = avc_has_perm(sid, newsid, isec->sclass,
3105 FILE__RELABELTO, &ad);
3106 if (rc)
3107 return rc;
3108
3109 rc = security_validate_transition(isec->sid, newsid, sid,
3110 isec->sclass);
3111 if (rc)
3112 return rc;
3113
3114 return avc_has_perm(newsid,
3115 sbsec->sid,
3116 SECCLASS_FILESYSTEM,
3117 FILESYSTEM__ASSOCIATE,
3118 &ad);
3119 }
3120
3121 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3122 const void *value, size_t size,
3123 int flags)
3124 {
3125 struct inode *inode = d_backing_inode(dentry);
3126 struct inode_security_struct *isec = backing_inode_security(dentry);
3127 u32 newsid;
3128 int rc;
3129
3130 if (strcmp(name, XATTR_NAME_SELINUX)) {
3131 /* Not an attribute we recognize, so nothing to do. */
3132 return;
3133 }
3134
3135 rc = security_context_to_sid_force(value, size, &newsid);
3136 if (rc) {
3137 printk(KERN_ERR "SELinux: unable to map context to SID"
3138 "for (%s, %lu), rc=%d\n",
3139 inode->i_sb->s_id, inode->i_ino, -rc);
3140 return;
3141 }
3142
3143 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3144 isec->sid = newsid;
3145 isec->initialized = LABEL_INITIALIZED;
3146
3147 return;
3148 }
3149
3150 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3151 {
3152 const struct cred *cred = current_cred();
3153
3154 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3155 }
3156
3157 static int selinux_inode_listxattr(struct dentry *dentry)
3158 {
3159 const struct cred *cred = current_cred();
3160
3161 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3162 }
3163
3164 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3165 {
3166 if (strcmp(name, XATTR_NAME_SELINUX))
3167 return selinux_inode_setotherxattr(dentry, name);
3168
3169 /* No one is allowed to remove a SELinux security label.
3170 You can change the label, but all data must be labeled. */
3171 return -EACCES;
3172 }
3173
3174 /*
3175 * Copy the inode security context value to the user.
3176 *
3177 * Permission check is handled by selinux_inode_getxattr hook.
3178 */
3179 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3180 {
3181 u32 size;
3182 int error;
3183 char *context = NULL;
3184 struct inode_security_struct *isec = inode_security(inode);
3185
3186 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3187 return -EOPNOTSUPP;
3188
3189 /*
3190 * If the caller has CAP_MAC_ADMIN, then get the raw context
3191 * value even if it is not defined by current policy; otherwise,
3192 * use the in-core value under current policy.
3193 * Use the non-auditing forms of the permission checks since
3194 * getxattr may be called by unprivileged processes commonly
3195 * and lack of permission just means that we fall back to the
3196 * in-core context value, not a denial.
3197 */
3198 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3199 SECURITY_CAP_NOAUDIT);
3200 if (!error)
3201 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3202 SECURITY_CAP_NOAUDIT);
3203 if (!error)
3204 error = security_sid_to_context_force(isec->sid, &context,
3205 &size);
3206 else
3207 error = security_sid_to_context(isec->sid, &context, &size);
3208 if (error)
3209 return error;
3210 error = size;
3211 if (alloc) {
3212 *buffer = context;
3213 goto out_nofree;
3214 }
3215 kfree(context);
3216 out_nofree:
3217 return error;
3218 }
3219
3220 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3221 const void *value, size_t size, int flags)
3222 {
3223 struct inode_security_struct *isec = inode_security(inode);
3224 u32 newsid;
3225 int rc;
3226
3227 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3228 return -EOPNOTSUPP;
3229
3230 if (!value || !size)
3231 return -EACCES;
3232
3233 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3234 if (rc)
3235 return rc;
3236
3237 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3238 isec->sid = newsid;
3239 isec->initialized = LABEL_INITIALIZED;
3240 return 0;
3241 }
3242
3243 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3244 {
3245 const int len = sizeof(XATTR_NAME_SELINUX);
3246 if (buffer && len <= buffer_size)
3247 memcpy(buffer, XATTR_NAME_SELINUX, len);
3248 return len;
3249 }
3250
3251 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3252 {
3253 struct inode_security_struct *isec = inode_security_novalidate(inode);
3254 *secid = isec->sid;
3255 }
3256
3257 /* file security operations */
3258
3259 static int selinux_revalidate_file_permission(struct file *file, int mask)
3260 {
3261 const struct cred *cred = current_cred();
3262 struct inode *inode = file_inode(file);
3263
3264 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3265 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3266 mask |= MAY_APPEND;
3267
3268 return file_has_perm(cred, file,
3269 file_mask_to_av(inode->i_mode, mask));
3270 }
3271
3272 static int selinux_file_permission(struct file *file, int mask)
3273 {
3274 struct inode *inode = file_inode(file);
3275 struct file_security_struct *fsec = file->f_security;
3276 struct inode_security_struct *isec;
3277 u32 sid = current_sid();
3278
3279 if (!mask)
3280 /* No permission to check. Existence test. */
3281 return 0;
3282
3283 isec = inode_security(inode);
3284 if (sid == fsec->sid && fsec->isid == isec->sid &&
3285 fsec->pseqno == avc_policy_seqno())
3286 /* No change since file_open check. */
3287 return 0;
3288
3289 return selinux_revalidate_file_permission(file, mask);
3290 }
3291
3292 static int selinux_file_alloc_security(struct file *file)
3293 {
3294 return file_alloc_security(file);
3295 }
3296
3297 static void selinux_file_free_security(struct file *file)
3298 {
3299 file_free_security(file);
3300 }
3301
3302 /*
3303 * Check whether a task has the ioctl permission and cmd
3304 * operation to an inode.
3305 */
3306 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3307 u32 requested, u16 cmd)
3308 {
3309 struct common_audit_data ad;
3310 struct file_security_struct *fsec = file->f_security;
3311 struct inode *inode = file_inode(file);
3312 struct inode_security_struct *isec = inode_security(inode);
3313 struct lsm_ioctlop_audit ioctl;
3314 u32 ssid = cred_sid(cred);
3315 int rc;
3316 u8 driver = cmd >> 8;
3317 u8 xperm = cmd & 0xff;
3318
3319 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3320 ad.u.op = &ioctl;
3321 ad.u.op->cmd = cmd;
3322 ad.u.op->path = file->f_path;
3323
3324 if (ssid != fsec->sid) {
3325 rc = avc_has_perm(ssid, fsec->sid,
3326 SECCLASS_FD,
3327 FD__USE,
3328 &ad);
3329 if (rc)
3330 goto out;
3331 }
3332
3333 if (unlikely(IS_PRIVATE(inode)))
3334 return 0;
3335
3336 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3337 requested, driver, xperm, &ad);
3338 out:
3339 return rc;
3340 }
3341
3342 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3343 unsigned long arg)
3344 {
3345 const struct cred *cred = current_cred();
3346 int error = 0;
3347
3348 switch (cmd) {
3349 case FIONREAD:
3350 /* fall through */
3351 case FIBMAP:
3352 /* fall through */
3353 case FIGETBSZ:
3354 /* fall through */
3355 case FS_IOC_GETFLAGS:
3356 /* fall through */
3357 case FS_IOC_GETVERSION:
3358 error = file_has_perm(cred, file, FILE__GETATTR);
3359 break;
3360
3361 case FS_IOC_SETFLAGS:
3362 /* fall through */
3363 case FS_IOC_SETVERSION:
3364 error = file_has_perm(cred, file, FILE__SETATTR);
3365 break;
3366
3367 /* sys_ioctl() checks */
3368 case FIONBIO:
3369 /* fall through */
3370 case FIOASYNC:
3371 error = file_has_perm(cred, file, 0);
3372 break;
3373
3374 case KDSKBENT:
3375 case KDSKBSENT:
3376 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3377 SECURITY_CAP_AUDIT);
3378 break;
3379
3380 /* default case assumes that the command will go
3381 * to the file's ioctl() function.
3382 */
3383 default:
3384 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3385 }
3386 return error;
3387 }
3388
3389 static int default_noexec;
3390
3391 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3392 {
3393 const struct cred *cred = current_cred();
3394 int rc = 0;
3395
3396 if (default_noexec &&
3397 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3398 (!shared && (prot & PROT_WRITE)))) {
3399 /*
3400 * We are making executable an anonymous mapping or a
3401 * private file mapping that will also be writable.
3402 * This has an additional check.
3403 */
3404 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3405 if (rc)
3406 goto error;
3407 }
3408
3409 if (file) {
3410 /* read access is always possible with a mapping */
3411 u32 av = FILE__READ;
3412
3413 /* write access only matters if the mapping is shared */
3414 if (shared && (prot & PROT_WRITE))
3415 av |= FILE__WRITE;
3416
3417 if (prot & PROT_EXEC)
3418 av |= FILE__EXECUTE;
3419
3420 return file_has_perm(cred, file, av);
3421 }
3422
3423 error:
3424 return rc;
3425 }
3426
3427 static int selinux_mmap_addr(unsigned long addr)
3428 {
3429 int rc = 0;
3430
3431 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3432 u32 sid = current_sid();
3433 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3434 MEMPROTECT__MMAP_ZERO, NULL);
3435 }
3436
3437 return rc;
3438 }
3439
3440 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3441 unsigned long prot, unsigned long flags)
3442 {
3443 if (selinux_checkreqprot)
3444 prot = reqprot;
3445
3446 return file_map_prot_check(file, prot,
3447 (flags & MAP_TYPE) == MAP_SHARED);
3448 }
3449
3450 static int selinux_file_mprotect(struct vm_area_struct *vma,
3451 unsigned long reqprot,
3452 unsigned long prot)
3453 {
3454 const struct cred *cred = current_cred();
3455
3456 if (selinux_checkreqprot)
3457 prot = reqprot;
3458
3459 if (default_noexec &&
3460 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3461 int rc = 0;
3462 if (vma->vm_start >= vma->vm_mm->start_brk &&
3463 vma->vm_end <= vma->vm_mm->brk) {
3464 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3465 } else if (!vma->vm_file &&
3466 vma->vm_start <= vma->vm_mm->start_stack &&
3467 vma->vm_end >= vma->vm_mm->start_stack) {
3468 rc = current_has_perm(current, PROCESS__EXECSTACK);
3469 } else if (vma->vm_file && vma->anon_vma) {
3470 /*
3471 * We are making executable a file mapping that has
3472 * had some COW done. Since pages might have been
3473 * written, check ability to execute the possibly
3474 * modified content. This typically should only
3475 * occur for text relocations.
3476 */
3477 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3478 }
3479 if (rc)
3480 return rc;
3481 }
3482
3483 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3484 }
3485
3486 static int selinux_file_lock(struct file *file, unsigned int cmd)
3487 {
3488 const struct cred *cred = current_cred();
3489
3490 return file_has_perm(cred, file, FILE__LOCK);
3491 }
3492
3493 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3494 unsigned long arg)
3495 {
3496 const struct cred *cred = current_cred();
3497 int err = 0;
3498
3499 switch (cmd) {
3500 case F_SETFL:
3501 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3502 err = file_has_perm(cred, file, FILE__WRITE);
3503 break;
3504 }
3505 /* fall through */
3506 case F_SETOWN:
3507 case F_SETSIG:
3508 case F_GETFL:
3509 case F_GETOWN:
3510 case F_GETSIG:
3511 case F_GETOWNER_UIDS:
3512 /* Just check FD__USE permission */
3513 err = file_has_perm(cred, file, 0);
3514 break;
3515 case F_GETLK:
3516 case F_SETLK:
3517 case F_SETLKW:
3518 case F_OFD_GETLK:
3519 case F_OFD_SETLK:
3520 case F_OFD_SETLKW:
3521 #if BITS_PER_LONG == 32
3522 case F_GETLK64:
3523 case F_SETLK64:
3524 case F_SETLKW64:
3525 #endif
3526 err = file_has_perm(cred, file, FILE__LOCK);
3527 break;
3528 }
3529
3530 return err;
3531 }
3532
3533 static void selinux_file_set_fowner(struct file *file)
3534 {
3535 struct file_security_struct *fsec;
3536
3537 fsec = file->f_security;
3538 fsec->fown_sid = current_sid();
3539 }
3540
3541 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3542 struct fown_struct *fown, int signum)
3543 {
3544 struct file *file;
3545 u32 sid = task_sid(tsk);
3546 u32 perm;
3547 struct file_security_struct *fsec;
3548
3549 /* struct fown_struct is never outside the context of a struct file */
3550 file = container_of(fown, struct file, f_owner);
3551
3552 fsec = file->f_security;
3553
3554 if (!signum)
3555 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3556 else
3557 perm = signal_to_av(signum);
3558
3559 return avc_has_perm(fsec->fown_sid, sid,
3560 SECCLASS_PROCESS, perm, NULL);
3561 }
3562
3563 static int selinux_file_receive(struct file *file)
3564 {
3565 const struct cred *cred = current_cred();
3566
3567 return file_has_perm(cred, file, file_to_av(file));
3568 }
3569
3570 static int selinux_file_open(struct file *file, const struct cred *cred)
3571 {
3572 struct file_security_struct *fsec;
3573 struct inode_security_struct *isec;
3574
3575 fsec = file->f_security;
3576 isec = inode_security(file_inode(file));
3577 /*
3578 * Save inode label and policy sequence number
3579 * at open-time so that selinux_file_permission
3580 * can determine whether revalidation is necessary.
3581 * Task label is already saved in the file security
3582 * struct as its SID.
3583 */
3584 fsec->isid = isec->sid;
3585 fsec->pseqno = avc_policy_seqno();
3586 /*
3587 * Since the inode label or policy seqno may have changed
3588 * between the selinux_inode_permission check and the saving
3589 * of state above, recheck that access is still permitted.
3590 * Otherwise, access might never be revalidated against the
3591 * new inode label or new policy.
3592 * This check is not redundant - do not remove.
3593 */
3594 return file_path_has_perm(cred, file, open_file_to_av(file));
3595 }
3596
3597 /* task security operations */
3598
3599 static int selinux_task_create(unsigned long clone_flags)
3600 {
3601 return current_has_perm(current, PROCESS__FORK);
3602 }
3603
3604 /*
3605 * allocate the SELinux part of blank credentials
3606 */
3607 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3608 {
3609 struct task_security_struct *tsec;
3610
3611 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3612 if (!tsec)
3613 return -ENOMEM;
3614
3615 cred->security = tsec;
3616 return 0;
3617 }
3618
3619 /*
3620 * detach and free the LSM part of a set of credentials
3621 */
3622 static void selinux_cred_free(struct cred *cred)
3623 {
3624 struct task_security_struct *tsec = cred->security;
3625
3626 /*
3627 * cred->security == NULL if security_cred_alloc_blank() or
3628 * security_prepare_creds() returned an error.
3629 */
3630 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3631 cred->security = (void *) 0x7UL;
3632 kfree(tsec);
3633 }
3634
3635 /*
3636 * prepare a new set of credentials for modification
3637 */
3638 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3639 gfp_t gfp)
3640 {
3641 const struct task_security_struct *old_tsec;
3642 struct task_security_struct *tsec;
3643
3644 old_tsec = old->security;
3645
3646 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3647 if (!tsec)
3648 return -ENOMEM;
3649
3650 new->security = tsec;
3651 return 0;
3652 }
3653
3654 /*
3655 * transfer the SELinux data to a blank set of creds
3656 */
3657 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3658 {
3659 const struct task_security_struct *old_tsec = old->security;
3660 struct task_security_struct *tsec = new->security;
3661
3662 *tsec = *old_tsec;
3663 }
3664
3665 /*
3666 * set the security data for a kernel service
3667 * - all the creation contexts are set to unlabelled
3668 */
3669 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3670 {
3671 struct task_security_struct *tsec = new->security;
3672 u32 sid = current_sid();
3673 int ret;
3674
3675 ret = avc_has_perm(sid, secid,
3676 SECCLASS_KERNEL_SERVICE,
3677 KERNEL_SERVICE__USE_AS_OVERRIDE,
3678 NULL);
3679 if (ret == 0) {
3680 tsec->sid = secid;
3681 tsec->create_sid = 0;
3682 tsec->keycreate_sid = 0;
3683 tsec->sockcreate_sid = 0;
3684 }
3685 return ret;
3686 }
3687
3688 /*
3689 * set the file creation context in a security record to the same as the
3690 * objective context of the specified inode
3691 */
3692 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3693 {
3694 struct inode_security_struct *isec = inode_security(inode);
3695 struct task_security_struct *tsec = new->security;
3696 u32 sid = current_sid();
3697 int ret;
3698
3699 ret = avc_has_perm(sid, isec->sid,
3700 SECCLASS_KERNEL_SERVICE,
3701 KERNEL_SERVICE__CREATE_FILES_AS,
3702 NULL);
3703
3704 if (ret == 0)
3705 tsec->create_sid = isec->sid;
3706 return ret;
3707 }
3708
3709 static int selinux_kernel_module_request(char *kmod_name)
3710 {
3711 u32 sid;
3712 struct common_audit_data ad;
3713
3714 sid = task_sid(current);
3715
3716 ad.type = LSM_AUDIT_DATA_KMOD;
3717 ad.u.kmod_name = kmod_name;
3718
3719 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3720 SYSTEM__MODULE_REQUEST, &ad);
3721 }
3722
3723 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3724 {
3725 return current_has_perm(p, PROCESS__SETPGID);
3726 }
3727
3728 static int selinux_task_getpgid(struct task_struct *p)
3729 {
3730 return current_has_perm(p, PROCESS__GETPGID);
3731 }
3732
3733 static int selinux_task_getsid(struct task_struct *p)
3734 {
3735 return current_has_perm(p, PROCESS__GETSESSION);
3736 }
3737
3738 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3739 {
3740 *secid = task_sid(p);
3741 }
3742
3743 static int selinux_task_setnice(struct task_struct *p, int nice)
3744 {
3745 return current_has_perm(p, PROCESS__SETSCHED);
3746 }
3747
3748 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3749 {
3750 return current_has_perm(p, PROCESS__SETSCHED);
3751 }
3752
3753 static int selinux_task_getioprio(struct task_struct *p)
3754 {
3755 return current_has_perm(p, PROCESS__GETSCHED);
3756 }
3757
3758 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3759 struct rlimit *new_rlim)
3760 {
3761 struct rlimit *old_rlim = p->signal->rlim + resource;
3762
3763 /* Control the ability to change the hard limit (whether
3764 lowering or raising it), so that the hard limit can
3765 later be used as a safe reset point for the soft limit
3766 upon context transitions. See selinux_bprm_committing_creds. */
3767 if (old_rlim->rlim_max != new_rlim->rlim_max)
3768 return current_has_perm(p, PROCESS__SETRLIMIT);
3769
3770 return 0;
3771 }
3772
3773 static int selinux_task_setscheduler(struct task_struct *p)
3774 {
3775 return current_has_perm(p, PROCESS__SETSCHED);
3776 }
3777
3778 static int selinux_task_getscheduler(struct task_struct *p)
3779 {
3780 return current_has_perm(p, PROCESS__GETSCHED);
3781 }
3782
3783 static int selinux_task_movememory(struct task_struct *p)
3784 {
3785 return current_has_perm(p, PROCESS__SETSCHED);
3786 }
3787
3788 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3789 int sig, u32 secid)
3790 {
3791 u32 perm;
3792 int rc;
3793
3794 if (!sig)
3795 perm = PROCESS__SIGNULL; /* null signal; existence test */
3796 else
3797 perm = signal_to_av(sig);
3798 if (secid)
3799 rc = avc_has_perm(secid, task_sid(p),
3800 SECCLASS_PROCESS, perm, NULL);
3801 else
3802 rc = current_has_perm(p, perm);
3803 return rc;
3804 }
3805
3806 static int selinux_task_wait(struct task_struct *p)
3807 {
3808 return task_has_perm(p, current, PROCESS__SIGCHLD);
3809 }
3810
3811 static void selinux_task_to_inode(struct task_struct *p,
3812 struct inode *inode)
3813 {
3814 struct inode_security_struct *isec = inode->i_security;
3815 u32 sid = task_sid(p);
3816
3817 isec->sid = sid;
3818 isec->initialized = LABEL_INITIALIZED;
3819 }
3820
3821 /* Returns error only if unable to parse addresses */
3822 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3823 struct common_audit_data *ad, u8 *proto)
3824 {
3825 int offset, ihlen, ret = -EINVAL;
3826 struct iphdr _iph, *ih;
3827
3828 offset = skb_network_offset(skb);
3829 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3830 if (ih == NULL)
3831 goto out;
3832
3833 ihlen = ih->ihl * 4;
3834 if (ihlen < sizeof(_iph))
3835 goto out;
3836
3837 ad->u.net->v4info.saddr = ih->saddr;
3838 ad->u.net->v4info.daddr = ih->daddr;
3839 ret = 0;
3840
3841 if (proto)
3842 *proto = ih->protocol;
3843
3844 switch (ih->protocol) {
3845 case IPPROTO_TCP: {
3846 struct tcphdr _tcph, *th;
3847
3848 if (ntohs(ih->frag_off) & IP_OFFSET)
3849 break;
3850
3851 offset += ihlen;
3852 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3853 if (th == NULL)
3854 break;
3855
3856 ad->u.net->sport = th->source;
3857 ad->u.net->dport = th->dest;
3858 break;
3859 }
3860
3861 case IPPROTO_UDP: {
3862 struct udphdr _udph, *uh;
3863
3864 if (ntohs(ih->frag_off) & IP_OFFSET)
3865 break;
3866
3867 offset += ihlen;
3868 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3869 if (uh == NULL)
3870 break;
3871
3872 ad->u.net->sport = uh->source;
3873 ad->u.net->dport = uh->dest;
3874 break;
3875 }
3876
3877 case IPPROTO_DCCP: {
3878 struct dccp_hdr _dccph, *dh;
3879
3880 if (ntohs(ih->frag_off) & IP_OFFSET)
3881 break;
3882
3883 offset += ihlen;
3884 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3885 if (dh == NULL)
3886 break;
3887
3888 ad->u.net->sport = dh->dccph_sport;
3889 ad->u.net->dport = dh->dccph_dport;
3890 break;
3891 }
3892
3893 default:
3894 break;
3895 }
3896 out:
3897 return ret;
3898 }
3899
3900 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3901
3902 /* Returns error only if unable to parse addresses */
3903 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3904 struct common_audit_data *ad, u8 *proto)
3905 {
3906 u8 nexthdr;
3907 int ret = -EINVAL, offset;
3908 struct ipv6hdr _ipv6h, *ip6;
3909 __be16 frag_off;
3910
3911 offset = skb_network_offset(skb);
3912 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3913 if (ip6 == NULL)
3914 goto out;
3915
3916 ad->u.net->v6info.saddr = ip6->saddr;
3917 ad->u.net->v6info.daddr = ip6->daddr;
3918 ret = 0;
3919
3920 nexthdr = ip6->nexthdr;
3921 offset += sizeof(_ipv6h);
3922 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3923 if (offset < 0)
3924 goto out;
3925
3926 if (proto)
3927 *proto = nexthdr;
3928
3929 switch (nexthdr) {
3930 case IPPROTO_TCP: {
3931 struct tcphdr _tcph, *th;
3932
3933 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3934 if (th == NULL)
3935 break;
3936
3937 ad->u.net->sport = th->source;
3938 ad->u.net->dport = th->dest;
3939 break;
3940 }
3941
3942 case IPPROTO_UDP: {
3943 struct udphdr _udph, *uh;
3944
3945 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3946 if (uh == NULL)
3947 break;
3948
3949 ad->u.net->sport = uh->source;
3950 ad->u.net->dport = uh->dest;
3951 break;
3952 }
3953
3954 case IPPROTO_DCCP: {
3955 struct dccp_hdr _dccph, *dh;
3956
3957 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3958 if (dh == NULL)
3959 break;
3960
3961 ad->u.net->sport = dh->dccph_sport;
3962 ad->u.net->dport = dh->dccph_dport;
3963 break;
3964 }
3965
3966 /* includes fragments */
3967 default:
3968 break;
3969 }
3970 out:
3971 return ret;
3972 }
3973
3974 #endif /* IPV6 */
3975
3976 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3977 char **_addrp, int src, u8 *proto)
3978 {
3979 char *addrp;
3980 int ret;
3981
3982 switch (ad->u.net->family) {
3983 case PF_INET:
3984 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3985 if (ret)
3986 goto parse_error;
3987 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3988 &ad->u.net->v4info.daddr);
3989 goto okay;
3990
3991 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3992 case PF_INET6:
3993 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3994 if (ret)
3995 goto parse_error;
3996 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3997 &ad->u.net->v6info.daddr);
3998 goto okay;
3999 #endif /* IPV6 */
4000 default:
4001 addrp = NULL;
4002 goto okay;
4003 }
4004
4005 parse_error:
4006 printk(KERN_WARNING
4007 "SELinux: failure in selinux_parse_skb(),"
4008 " unable to parse packet\n");
4009 return ret;
4010
4011 okay:
4012 if (_addrp)
4013 *_addrp = addrp;
4014 return 0;
4015 }
4016
4017 /**
4018 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4019 * @skb: the packet
4020 * @family: protocol family
4021 * @sid: the packet's peer label SID
4022 *
4023 * Description:
4024 * Check the various different forms of network peer labeling and determine
4025 * the peer label/SID for the packet; most of the magic actually occurs in
4026 * the security server function security_net_peersid_cmp(). The function
4027 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4028 * or -EACCES if @sid is invalid due to inconsistencies with the different
4029 * peer labels.
4030 *
4031 */
4032 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4033 {
4034 int err;
4035 u32 xfrm_sid;
4036 u32 nlbl_sid;
4037 u32 nlbl_type;
4038
4039 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4040 if (unlikely(err))
4041 return -EACCES;
4042 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4043 if (unlikely(err))
4044 return -EACCES;
4045
4046 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4047 if (unlikely(err)) {
4048 printk(KERN_WARNING
4049 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4050 " unable to determine packet's peer label\n");
4051 return -EACCES;
4052 }
4053
4054 return 0;
4055 }
4056
4057 /**
4058 * selinux_conn_sid - Determine the child socket label for a connection
4059 * @sk_sid: the parent socket's SID
4060 * @skb_sid: the packet's SID
4061 * @conn_sid: the resulting connection SID
4062 *
4063 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4064 * combined with the MLS information from @skb_sid in order to create
4065 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4066 * of @sk_sid. Returns zero on success, negative values on failure.
4067 *
4068 */
4069 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4070 {
4071 int err = 0;
4072
4073 if (skb_sid != SECSID_NULL)
4074 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4075 else
4076 *conn_sid = sk_sid;
4077
4078 return err;
4079 }
4080
4081 /* socket security operations */
4082
4083 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4084 u16 secclass, u32 *socksid)
4085 {
4086 if (tsec->sockcreate_sid > SECSID_NULL) {
4087 *socksid = tsec->sockcreate_sid;
4088 return 0;
4089 }
4090
4091 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4092 socksid);
4093 }
4094
4095 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4096 {
4097 struct sk_security_struct *sksec = sk->sk_security;
4098 struct common_audit_data ad;
4099 struct lsm_network_audit net = {0,};
4100 u32 tsid = task_sid(task);
4101
4102 if (sksec->sid == SECINITSID_KERNEL)
4103 return 0;
4104
4105 ad.type = LSM_AUDIT_DATA_NET;
4106 ad.u.net = &net;
4107 ad.u.net->sk = sk;
4108
4109 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4110 }
4111
4112 static int selinux_socket_create(int family, int type,
4113 int protocol, int kern)
4114 {
4115 const struct task_security_struct *tsec = current_security();
4116 u32 newsid;
4117 u16 secclass;
4118 int rc;
4119
4120 if (kern)
4121 return 0;
4122
4123 secclass = socket_type_to_security_class(family, type, protocol);
4124 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4125 if (rc)
4126 return rc;
4127
4128 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4129 }
4130
4131 static int selinux_socket_post_create(struct socket *sock, int family,
4132 int type, int protocol, int kern)
4133 {
4134 const struct task_security_struct *tsec = current_security();
4135 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4136 struct sk_security_struct *sksec;
4137 int err = 0;
4138
4139 isec->sclass = socket_type_to_security_class(family, type, protocol);
4140
4141 if (kern)
4142 isec->sid = SECINITSID_KERNEL;
4143 else {
4144 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4145 if (err)
4146 return err;
4147 }
4148
4149 isec->initialized = LABEL_INITIALIZED;
4150
4151 if (sock->sk) {
4152 sksec = sock->sk->sk_security;
4153 sksec->sid = isec->sid;
4154 sksec->sclass = isec->sclass;
4155 err = selinux_netlbl_socket_post_create(sock->sk, family);
4156 }
4157
4158 return err;
4159 }
4160
4161 /* Range of port numbers used to automatically bind.
4162 Need to determine whether we should perform a name_bind
4163 permission check between the socket and the port number. */
4164
4165 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4166 {
4167 struct sock *sk = sock->sk;
4168 u16 family;
4169 int err;
4170
4171 err = sock_has_perm(current, sk, SOCKET__BIND);
4172 if (err)
4173 goto out;
4174
4175 /*
4176 * If PF_INET or PF_INET6, check name_bind permission for the port.
4177 * Multiple address binding for SCTP is not supported yet: we just
4178 * check the first address now.
4179 */
4180 family = sk->sk_family;
4181 if (family == PF_INET || family == PF_INET6) {
4182 char *addrp;
4183 struct sk_security_struct *sksec = sk->sk_security;
4184 struct common_audit_data ad;
4185 struct lsm_network_audit net = {0,};
4186 struct sockaddr_in *addr4 = NULL;
4187 struct sockaddr_in6 *addr6 = NULL;
4188 unsigned short snum;
4189 u32 sid, node_perm;
4190
4191 if (family == PF_INET) {
4192 addr4 = (struct sockaddr_in *)address;
4193 snum = ntohs(addr4->sin_port);
4194 addrp = (char *)&addr4->sin_addr.s_addr;
4195 } else {
4196 addr6 = (struct sockaddr_in6 *)address;
4197 snum = ntohs(addr6->sin6_port);
4198 addrp = (char *)&addr6->sin6_addr.s6_addr;
4199 }
4200
4201 if (snum) {
4202 int low, high;
4203
4204 inet_get_local_port_range(sock_net(sk), &low, &high);
4205
4206 if (snum < max(PROT_SOCK, low) || snum > high) {
4207 err = sel_netport_sid(sk->sk_protocol,
4208 snum, &sid);
4209 if (err)
4210 goto out;
4211 ad.type = LSM_AUDIT_DATA_NET;
4212 ad.u.net = &net;
4213 ad.u.net->sport = htons(snum);
4214 ad.u.net->family = family;
4215 err = avc_has_perm(sksec->sid, sid,
4216 sksec->sclass,
4217 SOCKET__NAME_BIND, &ad);
4218 if (err)
4219 goto out;
4220 }
4221 }
4222
4223 switch (sksec->sclass) {
4224 case SECCLASS_TCP_SOCKET:
4225 node_perm = TCP_SOCKET__NODE_BIND;
4226 break;
4227
4228 case SECCLASS_UDP_SOCKET:
4229 node_perm = UDP_SOCKET__NODE_BIND;
4230 break;
4231
4232 case SECCLASS_DCCP_SOCKET:
4233 node_perm = DCCP_SOCKET__NODE_BIND;
4234 break;
4235
4236 default:
4237 node_perm = RAWIP_SOCKET__NODE_BIND;
4238 break;
4239 }
4240
4241 err = sel_netnode_sid(addrp, family, &sid);
4242 if (err)
4243 goto out;
4244
4245 ad.type = LSM_AUDIT_DATA_NET;
4246 ad.u.net = &net;
4247 ad.u.net->sport = htons(snum);
4248 ad.u.net->family = family;
4249
4250 if (family == PF_INET)
4251 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4252 else
4253 ad.u.net->v6info.saddr = addr6->sin6_addr;
4254
4255 err = avc_has_perm(sksec->sid, sid,
4256 sksec->sclass, node_perm, &ad);
4257 if (err)
4258 goto out;
4259 }
4260 out:
4261 return err;
4262 }
4263
4264 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4265 {
4266 struct sock *sk = sock->sk;
4267 struct sk_security_struct *sksec = sk->sk_security;
4268 int err;
4269
4270 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4271 if (err)
4272 return err;
4273
4274 /*
4275 * If a TCP or DCCP socket, check name_connect permission for the port.
4276 */
4277 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4278 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4279 struct common_audit_data ad;
4280 struct lsm_network_audit net = {0,};
4281 struct sockaddr_in *addr4 = NULL;
4282 struct sockaddr_in6 *addr6 = NULL;
4283 unsigned short snum;
4284 u32 sid, perm;
4285
4286 if (sk->sk_family == PF_INET) {
4287 addr4 = (struct sockaddr_in *)address;
4288 if (addrlen < sizeof(struct sockaddr_in))
4289 return -EINVAL;
4290 snum = ntohs(addr4->sin_port);
4291 } else {
4292 addr6 = (struct sockaddr_in6 *)address;
4293 if (addrlen < SIN6_LEN_RFC2133)
4294 return -EINVAL;
4295 snum = ntohs(addr6->sin6_port);
4296 }
4297
4298 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4299 if (err)
4300 goto out;
4301
4302 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4303 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4304
4305 ad.type = LSM_AUDIT_DATA_NET;
4306 ad.u.net = &net;
4307 ad.u.net->dport = htons(snum);
4308 ad.u.net->family = sk->sk_family;
4309 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4310 if (err)
4311 goto out;
4312 }
4313
4314 err = selinux_netlbl_socket_connect(sk, address);
4315
4316 out:
4317 return err;
4318 }
4319
4320 static int selinux_socket_listen(struct socket *sock, int backlog)
4321 {
4322 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4323 }
4324
4325 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4326 {
4327 int err;
4328 struct inode_security_struct *isec;
4329 struct inode_security_struct *newisec;
4330
4331 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4332 if (err)
4333 return err;
4334
4335 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4336
4337 isec = inode_security_novalidate(SOCK_INODE(sock));
4338 newisec->sclass = isec->sclass;
4339 newisec->sid = isec->sid;
4340 newisec->initialized = LABEL_INITIALIZED;
4341
4342 return 0;
4343 }
4344
4345 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4346 int size)
4347 {
4348 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4349 }
4350
4351 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4352 int size, int flags)
4353 {
4354 return sock_has_perm(current, sock->sk, SOCKET__READ);
4355 }
4356
4357 static int selinux_socket_getsockname(struct socket *sock)
4358 {
4359 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4360 }
4361
4362 static int selinux_socket_getpeername(struct socket *sock)
4363 {
4364 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4365 }
4366
4367 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4368 {
4369 int err;
4370
4371 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4372 if (err)
4373 return err;
4374
4375 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4376 }
4377
4378 static int selinux_socket_getsockopt(struct socket *sock, int level,
4379 int optname)
4380 {
4381 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4382 }
4383
4384 static int selinux_socket_shutdown(struct socket *sock, int how)
4385 {
4386 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4387 }
4388
4389 static int selinux_socket_unix_stream_connect(struct sock *sock,
4390 struct sock *other,
4391 struct sock *newsk)
4392 {
4393 struct sk_security_struct *sksec_sock = sock->sk_security;
4394 struct sk_security_struct *sksec_other = other->sk_security;
4395 struct sk_security_struct *sksec_new = newsk->sk_security;
4396 struct common_audit_data ad;
4397 struct lsm_network_audit net = {0,};
4398 int err;
4399
4400 ad.type = LSM_AUDIT_DATA_NET;
4401 ad.u.net = &net;
4402 ad.u.net->sk = other;
4403
4404 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4405 sksec_other->sclass,
4406 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4407 if (err)
4408 return err;
4409
4410 /* server child socket */
4411 sksec_new->peer_sid = sksec_sock->sid;
4412 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4413 &sksec_new->sid);
4414 if (err)
4415 return err;
4416
4417 /* connecting socket */
4418 sksec_sock->peer_sid = sksec_new->sid;
4419
4420 return 0;
4421 }
4422
4423 static int selinux_socket_unix_may_send(struct socket *sock,
4424 struct socket *other)
4425 {
4426 struct sk_security_struct *ssec = sock->sk->sk_security;
4427 struct sk_security_struct *osec = other->sk->sk_security;
4428 struct common_audit_data ad;
4429 struct lsm_network_audit net = {0,};
4430
4431 ad.type = LSM_AUDIT_DATA_NET;
4432 ad.u.net = &net;
4433 ad.u.net->sk = other->sk;
4434
4435 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4436 &ad);
4437 }
4438
4439 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4440 char *addrp, u16 family, u32 peer_sid,
4441 struct common_audit_data *ad)
4442 {
4443 int err;
4444 u32 if_sid;
4445 u32 node_sid;
4446
4447 err = sel_netif_sid(ns, ifindex, &if_sid);
4448 if (err)
4449 return err;
4450 err = avc_has_perm(peer_sid, if_sid,
4451 SECCLASS_NETIF, NETIF__INGRESS, ad);
4452 if (err)
4453 return err;
4454
4455 err = sel_netnode_sid(addrp, family, &node_sid);
4456 if (err)
4457 return err;
4458 return avc_has_perm(peer_sid, node_sid,
4459 SECCLASS_NODE, NODE__RECVFROM, ad);
4460 }
4461
4462 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4463 u16 family)
4464 {
4465 int err = 0;
4466 struct sk_security_struct *sksec = sk->sk_security;
4467 u32 sk_sid = sksec->sid;
4468 struct common_audit_data ad;
4469 struct lsm_network_audit net = {0,};
4470 char *addrp;
4471
4472 ad.type = LSM_AUDIT_DATA_NET;
4473 ad.u.net = &net;
4474 ad.u.net->netif = skb->skb_iif;
4475 ad.u.net->family = family;
4476 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4477 if (err)
4478 return err;
4479
4480 if (selinux_secmark_enabled()) {
4481 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4482 PACKET__RECV, &ad);
4483 if (err)
4484 return err;
4485 }
4486
4487 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4488 if (err)
4489 return err;
4490 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4491
4492 return err;
4493 }
4494
4495 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4496 {
4497 int err;
4498 struct sk_security_struct *sksec = sk->sk_security;
4499 u16 family = sk->sk_family;
4500 u32 sk_sid = sksec->sid;
4501 struct common_audit_data ad;
4502 struct lsm_network_audit net = {0,};
4503 char *addrp;
4504 u8 secmark_active;
4505 u8 peerlbl_active;
4506
4507 if (family != PF_INET && family != PF_INET6)
4508 return 0;
4509
4510 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4511 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4512 family = PF_INET;
4513
4514 /* If any sort of compatibility mode is enabled then handoff processing
4515 * to the selinux_sock_rcv_skb_compat() function to deal with the
4516 * special handling. We do this in an attempt to keep this function
4517 * as fast and as clean as possible. */
4518 if (!selinux_policycap_netpeer)
4519 return selinux_sock_rcv_skb_compat(sk, skb, family);
4520
4521 secmark_active = selinux_secmark_enabled();
4522 peerlbl_active = selinux_peerlbl_enabled();
4523 if (!secmark_active && !peerlbl_active)
4524 return 0;
4525
4526 ad.type = LSM_AUDIT_DATA_NET;
4527 ad.u.net = &net;
4528 ad.u.net->netif = skb->skb_iif;
4529 ad.u.net->family = family;
4530 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4531 if (err)
4532 return err;
4533
4534 if (peerlbl_active) {
4535 u32 peer_sid;
4536
4537 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4538 if (err)
4539 return err;
4540 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4541 addrp, family, peer_sid, &ad);
4542 if (err) {
4543 selinux_netlbl_err(skb, err, 0);
4544 return err;
4545 }
4546 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4547 PEER__RECV, &ad);
4548 if (err) {
4549 selinux_netlbl_err(skb, err, 0);
4550 return err;
4551 }
4552 }
4553
4554 if (secmark_active) {
4555 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4556 PACKET__RECV, &ad);
4557 if (err)
4558 return err;
4559 }
4560
4561 return err;
4562 }
4563
4564 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4565 int __user *optlen, unsigned len)
4566 {
4567 int err = 0;
4568 char *scontext;
4569 u32 scontext_len;
4570 struct sk_security_struct *sksec = sock->sk->sk_security;
4571 u32 peer_sid = SECSID_NULL;
4572
4573 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4574 sksec->sclass == SECCLASS_TCP_SOCKET)
4575 peer_sid = sksec->peer_sid;
4576 if (peer_sid == SECSID_NULL)
4577 return -ENOPROTOOPT;
4578
4579 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4580 if (err)
4581 return err;
4582
4583 if (scontext_len > len) {
4584 err = -ERANGE;
4585 goto out_len;
4586 }
4587
4588 if (copy_to_user(optval, scontext, scontext_len))
4589 err = -EFAULT;
4590
4591 out_len:
4592 if (put_user(scontext_len, optlen))
4593 err = -EFAULT;
4594 kfree(scontext);
4595 return err;
4596 }
4597
4598 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4599 {
4600 u32 peer_secid = SECSID_NULL;
4601 u16 family;
4602
4603 if (skb && skb->protocol == htons(ETH_P_IP))
4604 family = PF_INET;
4605 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4606 family = PF_INET6;
4607 else if (sock)
4608 family = sock->sk->sk_family;
4609 else
4610 goto out;
4611
4612 if (sock && family == PF_UNIX)
4613 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4614 else if (skb)
4615 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4616
4617 out:
4618 *secid = peer_secid;
4619 if (peer_secid == SECSID_NULL)
4620 return -EINVAL;
4621 return 0;
4622 }
4623
4624 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4625 {
4626 struct sk_security_struct *sksec;
4627
4628 sksec = kzalloc(sizeof(*sksec), priority);
4629 if (!sksec)
4630 return -ENOMEM;
4631
4632 sksec->peer_sid = SECINITSID_UNLABELED;
4633 sksec->sid = SECINITSID_UNLABELED;
4634 sksec->sclass = SECCLASS_SOCKET;
4635 selinux_netlbl_sk_security_reset(sksec);
4636 sk->sk_security = sksec;
4637
4638 return 0;
4639 }
4640
4641 static void selinux_sk_free_security(struct sock *sk)
4642 {
4643 struct sk_security_struct *sksec = sk->sk_security;
4644
4645 sk->sk_security = NULL;
4646 selinux_netlbl_sk_security_free(sksec);
4647 kfree(sksec);
4648 }
4649
4650 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4651 {
4652 struct sk_security_struct *sksec = sk->sk_security;
4653 struct sk_security_struct *newsksec = newsk->sk_security;
4654
4655 newsksec->sid = sksec->sid;
4656 newsksec->peer_sid = sksec->peer_sid;
4657 newsksec->sclass = sksec->sclass;
4658
4659 selinux_netlbl_sk_security_reset(newsksec);
4660 }
4661
4662 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4663 {
4664 if (!sk)
4665 *secid = SECINITSID_ANY_SOCKET;
4666 else {
4667 struct sk_security_struct *sksec = sk->sk_security;
4668
4669 *secid = sksec->sid;
4670 }
4671 }
4672
4673 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4674 {
4675 struct inode_security_struct *isec =
4676 inode_security_novalidate(SOCK_INODE(parent));
4677 struct sk_security_struct *sksec = sk->sk_security;
4678
4679 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4680 sk->sk_family == PF_UNIX)
4681 isec->sid = sksec->sid;
4682 sksec->sclass = isec->sclass;
4683 }
4684
4685 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4686 struct request_sock *req)
4687 {
4688 struct sk_security_struct *sksec = sk->sk_security;
4689 int err;
4690 u16 family = req->rsk_ops->family;
4691 u32 connsid;
4692 u32 peersid;
4693
4694 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4695 if (err)
4696 return err;
4697 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4698 if (err)
4699 return err;
4700 req->secid = connsid;
4701 req->peer_secid = peersid;
4702
4703 return selinux_netlbl_inet_conn_request(req, family);
4704 }
4705
4706 static void selinux_inet_csk_clone(struct sock *newsk,
4707 const struct request_sock *req)
4708 {
4709 struct sk_security_struct *newsksec = newsk->sk_security;
4710
4711 newsksec->sid = req->secid;
4712 newsksec->peer_sid = req->peer_secid;
4713 /* NOTE: Ideally, we should also get the isec->sid for the
4714 new socket in sync, but we don't have the isec available yet.
4715 So we will wait until sock_graft to do it, by which
4716 time it will have been created and available. */
4717
4718 /* We don't need to take any sort of lock here as we are the only
4719 * thread with access to newsksec */
4720 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4721 }
4722
4723 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4724 {
4725 u16 family = sk->sk_family;
4726 struct sk_security_struct *sksec = sk->sk_security;
4727
4728 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4729 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4730 family = PF_INET;
4731
4732 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4733 }
4734
4735 static int selinux_secmark_relabel_packet(u32 sid)
4736 {
4737 const struct task_security_struct *__tsec;
4738 u32 tsid;
4739
4740 __tsec = current_security();
4741 tsid = __tsec->sid;
4742
4743 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4744 }
4745
4746 static void selinux_secmark_refcount_inc(void)
4747 {
4748 atomic_inc(&selinux_secmark_refcount);
4749 }
4750
4751 static void selinux_secmark_refcount_dec(void)
4752 {
4753 atomic_dec(&selinux_secmark_refcount);
4754 }
4755
4756 static void selinux_req_classify_flow(const struct request_sock *req,
4757 struct flowi *fl)
4758 {
4759 fl->flowi_secid = req->secid;
4760 }
4761
4762 static int selinux_tun_dev_alloc_security(void **security)
4763 {
4764 struct tun_security_struct *tunsec;
4765
4766 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4767 if (!tunsec)
4768 return -ENOMEM;
4769 tunsec->sid = current_sid();
4770
4771 *security = tunsec;
4772 return 0;
4773 }
4774
4775 static void selinux_tun_dev_free_security(void *security)
4776 {
4777 kfree(security);
4778 }
4779
4780 static int selinux_tun_dev_create(void)
4781 {
4782 u32 sid = current_sid();
4783
4784 /* we aren't taking into account the "sockcreate" SID since the socket
4785 * that is being created here is not a socket in the traditional sense,
4786 * instead it is a private sock, accessible only to the kernel, and
4787 * representing a wide range of network traffic spanning multiple
4788 * connections unlike traditional sockets - check the TUN driver to
4789 * get a better understanding of why this socket is special */
4790
4791 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4792 NULL);
4793 }
4794
4795 static int selinux_tun_dev_attach_queue(void *security)
4796 {
4797 struct tun_security_struct *tunsec = security;
4798
4799 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4800 TUN_SOCKET__ATTACH_QUEUE, NULL);
4801 }
4802
4803 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4804 {
4805 struct tun_security_struct *tunsec = security;
4806 struct sk_security_struct *sksec = sk->sk_security;
4807
4808 /* we don't currently perform any NetLabel based labeling here and it
4809 * isn't clear that we would want to do so anyway; while we could apply
4810 * labeling without the support of the TUN user the resulting labeled
4811 * traffic from the other end of the connection would almost certainly
4812 * cause confusion to the TUN user that had no idea network labeling
4813 * protocols were being used */
4814
4815 sksec->sid = tunsec->sid;
4816 sksec->sclass = SECCLASS_TUN_SOCKET;
4817
4818 return 0;
4819 }
4820
4821 static int selinux_tun_dev_open(void *security)
4822 {
4823 struct tun_security_struct *tunsec = security;
4824 u32 sid = current_sid();
4825 int err;
4826
4827 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4828 TUN_SOCKET__RELABELFROM, NULL);
4829 if (err)
4830 return err;
4831 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4832 TUN_SOCKET__RELABELTO, NULL);
4833 if (err)
4834 return err;
4835 tunsec->sid = sid;
4836
4837 return 0;
4838 }
4839
4840 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4841 {
4842 int err = 0;
4843 u32 perm;
4844 struct nlmsghdr *nlh;
4845 struct sk_security_struct *sksec = sk->sk_security;
4846
4847 if (skb->len < NLMSG_HDRLEN) {
4848 err = -EINVAL;
4849 goto out;
4850 }
4851 nlh = nlmsg_hdr(skb);
4852
4853 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4854 if (err) {
4855 if (err == -EINVAL) {
4856 pr_warn_ratelimited("SELinux: unrecognized netlink"
4857 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
4858 " pig=%d comm=%s\n",
4859 sk->sk_protocol, nlh->nlmsg_type,
4860 secclass_map[sksec->sclass - 1].name,
4861 task_pid_nr(current), current->comm);
4862 if (!selinux_enforcing || security_get_allow_unknown())
4863 err = 0;
4864 }
4865
4866 /* Ignore */
4867 if (err == -ENOENT)
4868 err = 0;
4869 goto out;
4870 }
4871
4872 err = sock_has_perm(current, sk, perm);
4873 out:
4874 return err;
4875 }
4876
4877 #ifdef CONFIG_NETFILTER
4878
4879 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4880 const struct net_device *indev,
4881 u16 family)
4882 {
4883 int err;
4884 char *addrp;
4885 u32 peer_sid;
4886 struct common_audit_data ad;
4887 struct lsm_network_audit net = {0,};
4888 u8 secmark_active;
4889 u8 netlbl_active;
4890 u8 peerlbl_active;
4891
4892 if (!selinux_policycap_netpeer)
4893 return NF_ACCEPT;
4894
4895 secmark_active = selinux_secmark_enabled();
4896 netlbl_active = netlbl_enabled();
4897 peerlbl_active = selinux_peerlbl_enabled();
4898 if (!secmark_active && !peerlbl_active)
4899 return NF_ACCEPT;
4900
4901 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4902 return NF_DROP;
4903
4904 ad.type = LSM_AUDIT_DATA_NET;
4905 ad.u.net = &net;
4906 ad.u.net->netif = indev->ifindex;
4907 ad.u.net->family = family;
4908 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4909 return NF_DROP;
4910
4911 if (peerlbl_active) {
4912 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4913 addrp, family, peer_sid, &ad);
4914 if (err) {
4915 selinux_netlbl_err(skb, err, 1);
4916 return NF_DROP;
4917 }
4918 }
4919
4920 if (secmark_active)
4921 if (avc_has_perm(peer_sid, skb->secmark,
4922 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4923 return NF_DROP;
4924
4925 if (netlbl_active)
4926 /* we do this in the FORWARD path and not the POST_ROUTING
4927 * path because we want to make sure we apply the necessary
4928 * labeling before IPsec is applied so we can leverage AH
4929 * protection */
4930 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4931 return NF_DROP;
4932
4933 return NF_ACCEPT;
4934 }
4935
4936 static unsigned int selinux_ipv4_forward(void *priv,
4937 struct sk_buff *skb,
4938 const struct nf_hook_state *state)
4939 {
4940 return selinux_ip_forward(skb, state->in, PF_INET);
4941 }
4942
4943 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4944 static unsigned int selinux_ipv6_forward(void *priv,
4945 struct sk_buff *skb,
4946 const struct nf_hook_state *state)
4947 {
4948 return selinux_ip_forward(skb, state->in, PF_INET6);
4949 }
4950 #endif /* IPV6 */
4951
4952 static unsigned int selinux_ip_output(struct sk_buff *skb,
4953 u16 family)
4954 {
4955 struct sock *sk;
4956 u32 sid;
4957
4958 if (!netlbl_enabled())
4959 return NF_ACCEPT;
4960
4961 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4962 * because we want to make sure we apply the necessary labeling
4963 * before IPsec is applied so we can leverage AH protection */
4964 sk = skb->sk;
4965 if (sk) {
4966 struct sk_security_struct *sksec;
4967
4968 if (sk_listener(sk))
4969 /* if the socket is the listening state then this
4970 * packet is a SYN-ACK packet which means it needs to
4971 * be labeled based on the connection/request_sock and
4972 * not the parent socket. unfortunately, we can't
4973 * lookup the request_sock yet as it isn't queued on
4974 * the parent socket until after the SYN-ACK is sent.
4975 * the "solution" is to simply pass the packet as-is
4976 * as any IP option based labeling should be copied
4977 * from the initial connection request (in the IP
4978 * layer). it is far from ideal, but until we get a
4979 * security label in the packet itself this is the
4980 * best we can do. */
4981 return NF_ACCEPT;
4982
4983 /* standard practice, label using the parent socket */
4984 sksec = sk->sk_security;
4985 sid = sksec->sid;
4986 } else
4987 sid = SECINITSID_KERNEL;
4988 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4989 return NF_DROP;
4990
4991 return NF_ACCEPT;
4992 }
4993
4994 static unsigned int selinux_ipv4_output(void *priv,
4995 struct sk_buff *skb,
4996 const struct nf_hook_state *state)
4997 {
4998 return selinux_ip_output(skb, PF_INET);
4999 }
5000
5001 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5002 int ifindex,
5003 u16 family)
5004 {
5005 struct sock *sk = skb_to_full_sk(skb);
5006 struct sk_security_struct *sksec;
5007 struct common_audit_data ad;
5008 struct lsm_network_audit net = {0,};
5009 char *addrp;
5010 u8 proto;
5011
5012 if (sk == NULL)
5013 return NF_ACCEPT;
5014 sksec = sk->sk_security;
5015
5016 ad.type = LSM_AUDIT_DATA_NET;
5017 ad.u.net = &net;
5018 ad.u.net->netif = ifindex;
5019 ad.u.net->family = family;
5020 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5021 return NF_DROP;
5022
5023 if (selinux_secmark_enabled())
5024 if (avc_has_perm(sksec->sid, skb->secmark,
5025 SECCLASS_PACKET, PACKET__SEND, &ad))
5026 return NF_DROP_ERR(-ECONNREFUSED);
5027
5028 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5029 return NF_DROP_ERR(-ECONNREFUSED);
5030
5031 return NF_ACCEPT;
5032 }
5033
5034 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5035 const struct net_device *outdev,
5036 u16 family)
5037 {
5038 u32 secmark_perm;
5039 u32 peer_sid;
5040 int ifindex = outdev->ifindex;
5041 struct sock *sk;
5042 struct common_audit_data ad;
5043 struct lsm_network_audit net = {0,};
5044 char *addrp;
5045 u8 secmark_active;
5046 u8 peerlbl_active;
5047
5048 /* If any sort of compatibility mode is enabled then handoff processing
5049 * to the selinux_ip_postroute_compat() function to deal with the
5050 * special handling. We do this in an attempt to keep this function
5051 * as fast and as clean as possible. */
5052 if (!selinux_policycap_netpeer)
5053 return selinux_ip_postroute_compat(skb, ifindex, family);
5054
5055 secmark_active = selinux_secmark_enabled();
5056 peerlbl_active = selinux_peerlbl_enabled();
5057 if (!secmark_active && !peerlbl_active)
5058 return NF_ACCEPT;
5059
5060 sk = skb_to_full_sk(skb);
5061
5062 #ifdef CONFIG_XFRM
5063 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5064 * packet transformation so allow the packet to pass without any checks
5065 * since we'll have another chance to perform access control checks
5066 * when the packet is on it's final way out.
5067 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5068 * is NULL, in this case go ahead and apply access control.
5069 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5070 * TCP listening state we cannot wait until the XFRM processing
5071 * is done as we will miss out on the SA label if we do;
5072 * unfortunately, this means more work, but it is only once per
5073 * connection. */
5074 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5075 !(sk && sk_listener(sk)))
5076 return NF_ACCEPT;
5077 #endif
5078
5079 if (sk == NULL) {
5080 /* Without an associated socket the packet is either coming
5081 * from the kernel or it is being forwarded; check the packet
5082 * to determine which and if the packet is being forwarded
5083 * query the packet directly to determine the security label. */
5084 if (skb->skb_iif) {
5085 secmark_perm = PACKET__FORWARD_OUT;
5086 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5087 return NF_DROP;
5088 } else {
5089 secmark_perm = PACKET__SEND;
5090 peer_sid = SECINITSID_KERNEL;
5091 }
5092 } else if (sk_listener(sk)) {
5093 /* Locally generated packet but the associated socket is in the
5094 * listening state which means this is a SYN-ACK packet. In
5095 * this particular case the correct security label is assigned
5096 * to the connection/request_sock but unfortunately we can't
5097 * query the request_sock as it isn't queued on the parent
5098 * socket until after the SYN-ACK packet is sent; the only
5099 * viable choice is to regenerate the label like we do in
5100 * selinux_inet_conn_request(). See also selinux_ip_output()
5101 * for similar problems. */
5102 u32 skb_sid;
5103 struct sk_security_struct *sksec;
5104
5105 sksec = sk->sk_security;
5106 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5107 return NF_DROP;
5108 /* At this point, if the returned skb peerlbl is SECSID_NULL
5109 * and the packet has been through at least one XFRM
5110 * transformation then we must be dealing with the "final"
5111 * form of labeled IPsec packet; since we've already applied
5112 * all of our access controls on this packet we can safely
5113 * pass the packet. */
5114 if (skb_sid == SECSID_NULL) {
5115 switch (family) {
5116 case PF_INET:
5117 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5118 return NF_ACCEPT;
5119 break;
5120 case PF_INET6:
5121 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5122 return NF_ACCEPT;
5123 break;
5124 default:
5125 return NF_DROP_ERR(-ECONNREFUSED);
5126 }
5127 }
5128 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5129 return NF_DROP;
5130 secmark_perm = PACKET__SEND;
5131 } else {
5132 /* Locally generated packet, fetch the security label from the
5133 * associated socket. */
5134 struct sk_security_struct *sksec = sk->sk_security;
5135 peer_sid = sksec->sid;
5136 secmark_perm = PACKET__SEND;
5137 }
5138
5139 ad.type = LSM_AUDIT_DATA_NET;
5140 ad.u.net = &net;
5141 ad.u.net->netif = ifindex;
5142 ad.u.net->family = family;
5143 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5144 return NF_DROP;
5145
5146 if (secmark_active)
5147 if (avc_has_perm(peer_sid, skb->secmark,
5148 SECCLASS_PACKET, secmark_perm, &ad))
5149 return NF_DROP_ERR(-ECONNREFUSED);
5150
5151 if (peerlbl_active) {
5152 u32 if_sid;
5153 u32 node_sid;
5154
5155 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5156 return NF_DROP;
5157 if (avc_has_perm(peer_sid, if_sid,
5158 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5159 return NF_DROP_ERR(-ECONNREFUSED);
5160
5161 if (sel_netnode_sid(addrp, family, &node_sid))
5162 return NF_DROP;
5163 if (avc_has_perm(peer_sid, node_sid,
5164 SECCLASS_NODE, NODE__SENDTO, &ad))
5165 return NF_DROP_ERR(-ECONNREFUSED);
5166 }
5167
5168 return NF_ACCEPT;
5169 }
5170
5171 static unsigned int selinux_ipv4_postroute(void *priv,
5172 struct sk_buff *skb,
5173 const struct nf_hook_state *state)
5174 {
5175 return selinux_ip_postroute(skb, state->out, PF_INET);
5176 }
5177
5178 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5179 static unsigned int selinux_ipv6_postroute(void *priv,
5180 struct sk_buff *skb,
5181 const struct nf_hook_state *state)
5182 {
5183 return selinux_ip_postroute(skb, state->out, PF_INET6);
5184 }
5185 #endif /* IPV6 */
5186
5187 #endif /* CONFIG_NETFILTER */
5188
5189 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5190 {
5191 return selinux_nlmsg_perm(sk, skb);
5192 }
5193
5194 static int ipc_alloc_security(struct task_struct *task,
5195 struct kern_ipc_perm *perm,
5196 u16 sclass)
5197 {
5198 struct ipc_security_struct *isec;
5199 u32 sid;
5200
5201 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5202 if (!isec)
5203 return -ENOMEM;
5204
5205 sid = task_sid(task);
5206 isec->sclass = sclass;
5207 isec->sid = sid;
5208 perm->security = isec;
5209
5210 return 0;
5211 }
5212
5213 static void ipc_free_security(struct kern_ipc_perm *perm)
5214 {
5215 struct ipc_security_struct *isec = perm->security;
5216 perm->security = NULL;
5217 kfree(isec);
5218 }
5219
5220 static int msg_msg_alloc_security(struct msg_msg *msg)
5221 {
5222 struct msg_security_struct *msec;
5223
5224 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5225 if (!msec)
5226 return -ENOMEM;
5227
5228 msec->sid = SECINITSID_UNLABELED;
5229 msg->security = msec;
5230
5231 return 0;
5232 }
5233
5234 static void msg_msg_free_security(struct msg_msg *msg)
5235 {
5236 struct msg_security_struct *msec = msg->security;
5237
5238 msg->security = NULL;
5239 kfree(msec);
5240 }
5241
5242 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5243 u32 perms)
5244 {
5245 struct ipc_security_struct *isec;
5246 struct common_audit_data ad;
5247 u32 sid = current_sid();
5248
5249 isec = ipc_perms->security;
5250
5251 ad.type = LSM_AUDIT_DATA_IPC;
5252 ad.u.ipc_id = ipc_perms->key;
5253
5254 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5255 }
5256
5257 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5258 {
5259 return msg_msg_alloc_security(msg);
5260 }
5261
5262 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5263 {
5264 msg_msg_free_security(msg);
5265 }
5266
5267 /* message queue security operations */
5268 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5269 {
5270 struct ipc_security_struct *isec;
5271 struct common_audit_data ad;
5272 u32 sid = current_sid();
5273 int rc;
5274
5275 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5276 if (rc)
5277 return rc;
5278
5279 isec = msq->q_perm.security;
5280
5281 ad.type = LSM_AUDIT_DATA_IPC;
5282 ad.u.ipc_id = msq->q_perm.key;
5283
5284 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5285 MSGQ__CREATE, &ad);
5286 if (rc) {
5287 ipc_free_security(&msq->q_perm);
5288 return rc;
5289 }
5290 return 0;
5291 }
5292
5293 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5294 {
5295 ipc_free_security(&msq->q_perm);
5296 }
5297
5298 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5299 {
5300 struct ipc_security_struct *isec;
5301 struct common_audit_data ad;
5302 u32 sid = current_sid();
5303
5304 isec = msq->q_perm.security;
5305
5306 ad.type = LSM_AUDIT_DATA_IPC;
5307 ad.u.ipc_id = msq->q_perm.key;
5308
5309 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5310 MSGQ__ASSOCIATE, &ad);
5311 }
5312
5313 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5314 {
5315 int err;
5316 int perms;
5317
5318 switch (cmd) {
5319 case IPC_INFO:
5320 case MSG_INFO:
5321 /* No specific object, just general system-wide information. */
5322 return task_has_system(current, SYSTEM__IPC_INFO);
5323 case IPC_STAT:
5324 case MSG_STAT:
5325 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5326 break;
5327 case IPC_SET:
5328 perms = MSGQ__SETATTR;
5329 break;
5330 case IPC_RMID:
5331 perms = MSGQ__DESTROY;
5332 break;
5333 default:
5334 return 0;
5335 }
5336
5337 err = ipc_has_perm(&msq->q_perm, perms);
5338 return err;
5339 }
5340
5341 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5342 {
5343 struct ipc_security_struct *isec;
5344 struct msg_security_struct *msec;
5345 struct common_audit_data ad;
5346 u32 sid = current_sid();
5347 int rc;
5348
5349 isec = msq->q_perm.security;
5350 msec = msg->security;
5351
5352 /*
5353 * First time through, need to assign label to the message
5354 */
5355 if (msec->sid == SECINITSID_UNLABELED) {
5356 /*
5357 * Compute new sid based on current process and
5358 * message queue this message will be stored in
5359 */
5360 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5361 NULL, &msec->sid);
5362 if (rc)
5363 return rc;
5364 }
5365
5366 ad.type = LSM_AUDIT_DATA_IPC;
5367 ad.u.ipc_id = msq->q_perm.key;
5368
5369 /* Can this process write to the queue? */
5370 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5371 MSGQ__WRITE, &ad);
5372 if (!rc)
5373 /* Can this process send the message */
5374 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5375 MSG__SEND, &ad);
5376 if (!rc)
5377 /* Can the message be put in the queue? */
5378 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5379 MSGQ__ENQUEUE, &ad);
5380
5381 return rc;
5382 }
5383
5384 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5385 struct task_struct *target,
5386 long type, int mode)
5387 {
5388 struct ipc_security_struct *isec;
5389 struct msg_security_struct *msec;
5390 struct common_audit_data ad;
5391 u32 sid = task_sid(target);
5392 int rc;
5393
5394 isec = msq->q_perm.security;
5395 msec = msg->security;
5396
5397 ad.type = LSM_AUDIT_DATA_IPC;
5398 ad.u.ipc_id = msq->q_perm.key;
5399
5400 rc = avc_has_perm(sid, isec->sid,
5401 SECCLASS_MSGQ, MSGQ__READ, &ad);
5402 if (!rc)
5403 rc = avc_has_perm(sid, msec->sid,
5404 SECCLASS_MSG, MSG__RECEIVE, &ad);
5405 return rc;
5406 }
5407
5408 /* Shared Memory security operations */
5409 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5410 {
5411 struct ipc_security_struct *isec;
5412 struct common_audit_data ad;
5413 u32 sid = current_sid();
5414 int rc;
5415
5416 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5417 if (rc)
5418 return rc;
5419
5420 isec = shp->shm_perm.security;
5421
5422 ad.type = LSM_AUDIT_DATA_IPC;
5423 ad.u.ipc_id = shp->shm_perm.key;
5424
5425 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5426 SHM__CREATE, &ad);
5427 if (rc) {
5428 ipc_free_security(&shp->shm_perm);
5429 return rc;
5430 }
5431 return 0;
5432 }
5433
5434 static void selinux_shm_free_security(struct shmid_kernel *shp)
5435 {
5436 ipc_free_security(&shp->shm_perm);
5437 }
5438
5439 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5440 {
5441 struct ipc_security_struct *isec;
5442 struct common_audit_data ad;
5443 u32 sid = current_sid();
5444
5445 isec = shp->shm_perm.security;
5446
5447 ad.type = LSM_AUDIT_DATA_IPC;
5448 ad.u.ipc_id = shp->shm_perm.key;
5449
5450 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5451 SHM__ASSOCIATE, &ad);
5452 }
5453
5454 /* Note, at this point, shp is locked down */
5455 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5456 {
5457 int perms;
5458 int err;
5459
5460 switch (cmd) {
5461 case IPC_INFO:
5462 case SHM_INFO:
5463 /* No specific object, just general system-wide information. */
5464 return task_has_system(current, SYSTEM__IPC_INFO);
5465 case IPC_STAT:
5466 case SHM_STAT:
5467 perms = SHM__GETATTR | SHM__ASSOCIATE;
5468 break;
5469 case IPC_SET:
5470 perms = SHM__SETATTR;
5471 break;
5472 case SHM_LOCK:
5473 case SHM_UNLOCK:
5474 perms = SHM__LOCK;
5475 break;
5476 case IPC_RMID:
5477 perms = SHM__DESTROY;
5478 break;
5479 default:
5480 return 0;
5481 }
5482
5483 err = ipc_has_perm(&shp->shm_perm, perms);
5484 return err;
5485 }
5486
5487 static int selinux_shm_shmat(struct shmid_kernel *shp,
5488 char __user *shmaddr, int shmflg)
5489 {
5490 u32 perms;
5491
5492 if (shmflg & SHM_RDONLY)
5493 perms = SHM__READ;
5494 else
5495 perms = SHM__READ | SHM__WRITE;
5496
5497 return ipc_has_perm(&shp->shm_perm, perms);
5498 }
5499
5500 /* Semaphore security operations */
5501 static int selinux_sem_alloc_security(struct sem_array *sma)
5502 {
5503 struct ipc_security_struct *isec;
5504 struct common_audit_data ad;
5505 u32 sid = current_sid();
5506 int rc;
5507
5508 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5509 if (rc)
5510 return rc;
5511
5512 isec = sma->sem_perm.security;
5513
5514 ad.type = LSM_AUDIT_DATA_IPC;
5515 ad.u.ipc_id = sma->sem_perm.key;
5516
5517 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5518 SEM__CREATE, &ad);
5519 if (rc) {
5520 ipc_free_security(&sma->sem_perm);
5521 return rc;
5522 }
5523 return 0;
5524 }
5525
5526 static void selinux_sem_free_security(struct sem_array *sma)
5527 {
5528 ipc_free_security(&sma->sem_perm);
5529 }
5530
5531 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5532 {
5533 struct ipc_security_struct *isec;
5534 struct common_audit_data ad;
5535 u32 sid = current_sid();
5536
5537 isec = sma->sem_perm.security;
5538
5539 ad.type = LSM_AUDIT_DATA_IPC;
5540 ad.u.ipc_id = sma->sem_perm.key;
5541
5542 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5543 SEM__ASSOCIATE, &ad);
5544 }
5545
5546 /* Note, at this point, sma is locked down */
5547 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5548 {
5549 int err;
5550 u32 perms;
5551
5552 switch (cmd) {
5553 case IPC_INFO:
5554 case SEM_INFO:
5555 /* No specific object, just general system-wide information. */
5556 return task_has_system(current, SYSTEM__IPC_INFO);
5557 case GETPID:
5558 case GETNCNT:
5559 case GETZCNT:
5560 perms = SEM__GETATTR;
5561 break;
5562 case GETVAL:
5563 case GETALL:
5564 perms = SEM__READ;
5565 break;
5566 case SETVAL:
5567 case SETALL:
5568 perms = SEM__WRITE;
5569 break;
5570 case IPC_RMID:
5571 perms = SEM__DESTROY;
5572 break;
5573 case IPC_SET:
5574 perms = SEM__SETATTR;
5575 break;
5576 case IPC_STAT:
5577 case SEM_STAT:
5578 perms = SEM__GETATTR | SEM__ASSOCIATE;
5579 break;
5580 default:
5581 return 0;
5582 }
5583
5584 err = ipc_has_perm(&sma->sem_perm, perms);
5585 return err;
5586 }
5587
5588 static int selinux_sem_semop(struct sem_array *sma,
5589 struct sembuf *sops, unsigned nsops, int alter)
5590 {
5591 u32 perms;
5592
5593 if (alter)
5594 perms = SEM__READ | SEM__WRITE;
5595 else
5596 perms = SEM__READ;
5597
5598 return ipc_has_perm(&sma->sem_perm, perms);
5599 }
5600
5601 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5602 {
5603 u32 av = 0;
5604
5605 av = 0;
5606 if (flag & S_IRUGO)
5607 av |= IPC__UNIX_READ;
5608 if (flag & S_IWUGO)
5609 av |= IPC__UNIX_WRITE;
5610
5611 if (av == 0)
5612 return 0;
5613
5614 return ipc_has_perm(ipcp, av);
5615 }
5616
5617 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5618 {
5619 struct ipc_security_struct *isec = ipcp->security;
5620 *secid = isec->sid;
5621 }
5622
5623 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5624 {
5625 if (inode)
5626 inode_doinit_with_dentry(inode, dentry);
5627 }
5628
5629 static int selinux_getprocattr(struct task_struct *p,
5630 char *name, char **value)
5631 {
5632 const struct task_security_struct *__tsec;
5633 u32 sid;
5634 int error;
5635 unsigned len;
5636
5637 if (current != p) {
5638 error = current_has_perm(p, PROCESS__GETATTR);
5639 if (error)
5640 return error;
5641 }
5642
5643 rcu_read_lock();
5644 __tsec = __task_cred(p)->security;
5645
5646 if (!strcmp(name, "current"))
5647 sid = __tsec->sid;
5648 else if (!strcmp(name, "prev"))
5649 sid = __tsec->osid;
5650 else if (!strcmp(name, "exec"))
5651 sid = __tsec->exec_sid;
5652 else if (!strcmp(name, "fscreate"))
5653 sid = __tsec->create_sid;
5654 else if (!strcmp(name, "keycreate"))
5655 sid = __tsec->keycreate_sid;
5656 else if (!strcmp(name, "sockcreate"))
5657 sid = __tsec->sockcreate_sid;
5658 else
5659 goto invalid;
5660 rcu_read_unlock();
5661
5662 if (!sid)
5663 return 0;
5664
5665 error = security_sid_to_context(sid, value, &len);
5666 if (error)
5667 return error;
5668 return len;
5669
5670 invalid:
5671 rcu_read_unlock();
5672 return -EINVAL;
5673 }
5674
5675 static int selinux_setprocattr(struct task_struct *p,
5676 char *name, void *value, size_t size)
5677 {
5678 struct task_security_struct *tsec;
5679 struct task_struct *tracer;
5680 struct cred *new;
5681 u32 sid = 0, ptsid;
5682 int error;
5683 char *str = value;
5684
5685 if (current != p) {
5686 /* SELinux only allows a process to change its own
5687 security attributes. */
5688 return -EACCES;
5689 }
5690
5691 /*
5692 * Basic control over ability to set these attributes at all.
5693 * current == p, but we'll pass them separately in case the
5694 * above restriction is ever removed.
5695 */
5696 if (!strcmp(name, "exec"))
5697 error = current_has_perm(p, PROCESS__SETEXEC);
5698 else if (!strcmp(name, "fscreate"))
5699 error = current_has_perm(p, PROCESS__SETFSCREATE);
5700 else if (!strcmp(name, "keycreate"))
5701 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5702 else if (!strcmp(name, "sockcreate"))
5703 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5704 else if (!strcmp(name, "current"))
5705 error = current_has_perm(p, PROCESS__SETCURRENT);
5706 else
5707 error = -EINVAL;
5708 if (error)
5709 return error;
5710
5711 /* Obtain a SID for the context, if one was specified. */
5712 if (size && str[1] && str[1] != '\n') {
5713 if (str[size-1] == '\n') {
5714 str[size-1] = 0;
5715 size--;
5716 }
5717 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5718 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5719 if (!capable(CAP_MAC_ADMIN)) {
5720 struct audit_buffer *ab;
5721 size_t audit_size;
5722
5723 /* We strip a nul only if it is at the end, otherwise the
5724 * context contains a nul and we should audit that */
5725 if (str[size - 1] == '\0')
5726 audit_size = size - 1;
5727 else
5728 audit_size = size;
5729 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5730 audit_log_format(ab, "op=fscreate invalid_context=");
5731 audit_log_n_untrustedstring(ab, value, audit_size);
5732 audit_log_end(ab);
5733
5734 return error;
5735 }
5736 error = security_context_to_sid_force(value, size,
5737 &sid);
5738 }
5739 if (error)
5740 return error;
5741 }
5742
5743 new = prepare_creds();
5744 if (!new)
5745 return -ENOMEM;
5746
5747 /* Permission checking based on the specified context is
5748 performed during the actual operation (execve,
5749 open/mkdir/...), when we know the full context of the
5750 operation. See selinux_bprm_set_creds for the execve
5751 checks and may_create for the file creation checks. The
5752 operation will then fail if the context is not permitted. */
5753 tsec = new->security;
5754 if (!strcmp(name, "exec")) {
5755 tsec->exec_sid = sid;
5756 } else if (!strcmp(name, "fscreate")) {
5757 tsec->create_sid = sid;
5758 } else if (!strcmp(name, "keycreate")) {
5759 error = may_create_key(sid, p);
5760 if (error)
5761 goto abort_change;
5762 tsec->keycreate_sid = sid;
5763 } else if (!strcmp(name, "sockcreate")) {
5764 tsec->sockcreate_sid = sid;
5765 } else if (!strcmp(name, "current")) {
5766 error = -EINVAL;
5767 if (sid == 0)
5768 goto abort_change;
5769
5770 /* Only allow single threaded processes to change context */
5771 error = -EPERM;
5772 if (!current_is_single_threaded()) {
5773 error = security_bounded_transition(tsec->sid, sid);
5774 if (error)
5775 goto abort_change;
5776 }
5777
5778 /* Check permissions for the transition. */
5779 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5780 PROCESS__DYNTRANSITION, NULL);
5781 if (error)
5782 goto abort_change;
5783
5784 /* Check for ptracing, and update the task SID if ok.
5785 Otherwise, leave SID unchanged and fail. */
5786 ptsid = 0;
5787 rcu_read_lock();
5788 tracer = ptrace_parent(p);
5789 if (tracer)
5790 ptsid = task_sid(tracer);
5791 rcu_read_unlock();
5792
5793 if (tracer) {
5794 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5795 PROCESS__PTRACE, NULL);
5796 if (error)
5797 goto abort_change;
5798 }
5799
5800 tsec->sid = sid;
5801 } else {
5802 error = -EINVAL;
5803 goto abort_change;
5804 }
5805
5806 commit_creds(new);
5807 return size;
5808
5809 abort_change:
5810 abort_creds(new);
5811 return error;
5812 }
5813
5814 static int selinux_ismaclabel(const char *name)
5815 {
5816 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5817 }
5818
5819 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5820 {
5821 return security_sid_to_context(secid, secdata, seclen);
5822 }
5823
5824 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5825 {
5826 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5827 }
5828
5829 static void selinux_release_secctx(char *secdata, u32 seclen)
5830 {
5831 kfree(secdata);
5832 }
5833
5834 static void selinux_inode_invalidate_secctx(struct inode *inode)
5835 {
5836 struct inode_security_struct *isec = inode->i_security;
5837
5838 mutex_lock(&isec->lock);
5839 isec->initialized = LABEL_INVALID;
5840 mutex_unlock(&isec->lock);
5841 }
5842
5843 /*
5844 * called with inode->i_mutex locked
5845 */
5846 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5847 {
5848 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5849 }
5850
5851 /*
5852 * called with inode->i_mutex locked
5853 */
5854 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5855 {
5856 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5857 }
5858
5859 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5860 {
5861 int len = 0;
5862 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5863 ctx, true);
5864 if (len < 0)
5865 return len;
5866 *ctxlen = len;
5867 return 0;
5868 }
5869 #ifdef CONFIG_KEYS
5870
5871 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5872 unsigned long flags)
5873 {
5874 const struct task_security_struct *tsec;
5875 struct key_security_struct *ksec;
5876
5877 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5878 if (!ksec)
5879 return -ENOMEM;
5880
5881 tsec = cred->security;
5882 if (tsec->keycreate_sid)
5883 ksec->sid = tsec->keycreate_sid;
5884 else
5885 ksec->sid = tsec->sid;
5886
5887 k->security = ksec;
5888 return 0;
5889 }
5890
5891 static void selinux_key_free(struct key *k)
5892 {
5893 struct key_security_struct *ksec = k->security;
5894
5895 k->security = NULL;
5896 kfree(ksec);
5897 }
5898
5899 static int selinux_key_permission(key_ref_t key_ref,
5900 const struct cred *cred,
5901 unsigned perm)
5902 {
5903 struct key *key;
5904 struct key_security_struct *ksec;
5905 u32 sid;
5906
5907 /* if no specific permissions are requested, we skip the
5908 permission check. No serious, additional covert channels
5909 appear to be created. */
5910 if (perm == 0)
5911 return 0;
5912
5913 sid = cred_sid(cred);
5914
5915 key = key_ref_to_ptr(key_ref);
5916 ksec = key->security;
5917
5918 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5919 }
5920
5921 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5922 {
5923 struct key_security_struct *ksec = key->security;
5924 char *context = NULL;
5925 unsigned len;
5926 int rc;
5927
5928 rc = security_sid_to_context(ksec->sid, &context, &len);
5929 if (!rc)
5930 rc = len;
5931 *_buffer = context;
5932 return rc;
5933 }
5934
5935 #endif
5936
5937 static struct security_hook_list selinux_hooks[] = {
5938 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
5939 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
5940 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
5941 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
5942
5943 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
5944 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
5945 LSM_HOOK_INIT(capget, selinux_capget),
5946 LSM_HOOK_INIT(capset, selinux_capset),
5947 LSM_HOOK_INIT(capable, selinux_capable),
5948 LSM_HOOK_INIT(quotactl, selinux_quotactl),
5949 LSM_HOOK_INIT(quota_on, selinux_quota_on),
5950 LSM_HOOK_INIT(syslog, selinux_syslog),
5951 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
5952
5953 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
5954
5955 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
5956 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
5957 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
5958 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
5959
5960 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
5961 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
5962 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
5963 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
5964 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
5965 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
5966 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
5967 LSM_HOOK_INIT(sb_mount, selinux_mount),
5968 LSM_HOOK_INIT(sb_umount, selinux_umount),
5969 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
5970 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
5971 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
5972
5973 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
5974
5975 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
5976 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
5977 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
5978 LSM_HOOK_INIT(inode_create, selinux_inode_create),
5979 LSM_HOOK_INIT(inode_link, selinux_inode_link),
5980 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
5981 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
5982 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
5983 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
5984 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
5985 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
5986 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
5987 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
5988 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
5989 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
5990 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
5991 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
5992 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
5993 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
5994 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
5995 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
5996 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
5997 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
5998 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
5999 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6000
6001 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6002 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6003 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6004 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6005 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6006 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6007 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6008 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6009 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6010 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6011 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6012 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6013
6014 LSM_HOOK_INIT(file_open, selinux_file_open),
6015
6016 LSM_HOOK_INIT(task_create, selinux_task_create),
6017 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6018 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6019 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6020 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6021 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6022 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6023 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6024 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6025 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6026 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6027 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6028 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6029 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6030 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6031 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6032 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6033 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6034 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6035 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6036 LSM_HOOK_INIT(task_wait, selinux_task_wait),
6037 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6038
6039 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6040 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6041
6042 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6043 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6044
6045 LSM_HOOK_INIT(msg_queue_alloc_security,
6046 selinux_msg_queue_alloc_security),
6047 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6048 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6049 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6050 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6051 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6052
6053 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6054 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6055 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6056 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6057 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6058
6059 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6060 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6061 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6062 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6063 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6064
6065 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6066
6067 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6068 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6069
6070 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6071 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6072 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6073 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6074 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6075 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6076 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6077 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6078
6079 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6080 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6081
6082 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6083 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6084 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6085 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6086 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6087 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6088 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6089 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6090 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6091 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6092 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6093 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6094 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6095 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6096 LSM_HOOK_INIT(socket_getpeersec_stream,
6097 selinux_socket_getpeersec_stream),
6098 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6099 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6100 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6101 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6102 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6103 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6104 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6105 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6106 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6107 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6108 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6109 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6110 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6111 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6112 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6113 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6114 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6115 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6116 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6117
6118 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6119 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6120 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6121 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6122 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6123 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6124 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6125 selinux_xfrm_state_alloc_acquire),
6126 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6127 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6128 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6129 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6130 selinux_xfrm_state_pol_flow_match),
6131 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6132 #endif
6133
6134 #ifdef CONFIG_KEYS
6135 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6136 LSM_HOOK_INIT(key_free, selinux_key_free),
6137 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6138 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6139 #endif
6140
6141 #ifdef CONFIG_AUDIT
6142 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6143 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6144 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6145 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6146 #endif
6147 };
6148
6149 static __init int selinux_init(void)
6150 {
6151 if (!security_module_enable("selinux")) {
6152 selinux_enabled = 0;
6153 return 0;
6154 }
6155
6156 if (!selinux_enabled) {
6157 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6158 return 0;
6159 }
6160
6161 printk(KERN_INFO "SELinux: Initializing.\n");
6162
6163 /* Set the security state for the initial task. */
6164 cred_init_security();
6165
6166 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6167
6168 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6169 sizeof(struct inode_security_struct),
6170 0, SLAB_PANIC, NULL);
6171 file_security_cache = kmem_cache_create("selinux_file_security",
6172 sizeof(struct file_security_struct),
6173 0, SLAB_PANIC, NULL);
6174 avc_init();
6175
6176 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6177
6178 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6179 panic("SELinux: Unable to register AVC netcache callback\n");
6180
6181 if (selinux_enforcing)
6182 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6183 else
6184 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6185
6186 return 0;
6187 }
6188
6189 static void delayed_superblock_init(struct super_block *sb, void *unused)
6190 {
6191 superblock_doinit(sb, NULL);
6192 }
6193
6194 void selinux_complete_init(void)
6195 {
6196 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6197
6198 /* Set up any superblocks initialized prior to the policy load. */
6199 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6200 iterate_supers(delayed_superblock_init, NULL);
6201 }
6202
6203 /* SELinux requires early initialization in order to label
6204 all processes and objects when they are created. */
6205 security_initcall(selinux_init);
6206
6207 #if defined(CONFIG_NETFILTER)
6208
6209 static struct nf_hook_ops selinux_nf_ops[] = {
6210 {
6211 .hook = selinux_ipv4_postroute,
6212 .pf = NFPROTO_IPV4,
6213 .hooknum = NF_INET_POST_ROUTING,
6214 .priority = NF_IP_PRI_SELINUX_LAST,
6215 },
6216 {
6217 .hook = selinux_ipv4_forward,
6218 .pf = NFPROTO_IPV4,
6219 .hooknum = NF_INET_FORWARD,
6220 .priority = NF_IP_PRI_SELINUX_FIRST,
6221 },
6222 {
6223 .hook = selinux_ipv4_output,
6224 .pf = NFPROTO_IPV4,
6225 .hooknum = NF_INET_LOCAL_OUT,
6226 .priority = NF_IP_PRI_SELINUX_FIRST,
6227 },
6228 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6229 {
6230 .hook = selinux_ipv6_postroute,
6231 .pf = NFPROTO_IPV6,
6232 .hooknum = NF_INET_POST_ROUTING,
6233 .priority = NF_IP6_PRI_SELINUX_LAST,
6234 },
6235 {
6236 .hook = selinux_ipv6_forward,
6237 .pf = NFPROTO_IPV6,
6238 .hooknum = NF_INET_FORWARD,
6239 .priority = NF_IP6_PRI_SELINUX_FIRST,
6240 },
6241 #endif /* IPV6 */
6242 };
6243
6244 static int __init selinux_nf_ip_init(void)
6245 {
6246 int err;
6247
6248 if (!selinux_enabled)
6249 return 0;
6250
6251 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6252
6253 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6254 if (err)
6255 panic("SELinux: nf_register_hooks: error %d\n", err);
6256
6257 return 0;
6258 }
6259
6260 __initcall(selinux_nf_ip_init);
6261
6262 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6263 static void selinux_nf_ip_exit(void)
6264 {
6265 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6266
6267 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6268 }
6269 #endif
6270
6271 #else /* CONFIG_NETFILTER */
6272
6273 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6274 #define selinux_nf_ip_exit()
6275 #endif
6276
6277 #endif /* CONFIG_NETFILTER */
6278
6279 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6280 static int selinux_disabled;
6281
6282 int selinux_disable(void)
6283 {
6284 if (ss_initialized) {
6285 /* Not permitted after initial policy load. */
6286 return -EINVAL;
6287 }
6288
6289 if (selinux_disabled) {
6290 /* Only do this once. */
6291 return -EINVAL;
6292 }
6293
6294 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6295
6296 selinux_disabled = 1;
6297 selinux_enabled = 0;
6298
6299 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6300
6301 /* Try to destroy the avc node cache */
6302 avc_disable();
6303
6304 /* Unregister netfilter hooks. */
6305 selinux_nf_ip_exit();
6306
6307 /* Unregister selinuxfs. */
6308 exit_sel_fs();
6309
6310 return 0;
6311 }
6312 #endif
Linux kernel - Deliverables
This page took 0.471225 seconds and 6 git commands to generate.