projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'tty-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6
[deliverable/linux.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <asm/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82
83 #include "avc.h"
84 #include "objsec.h"
85 #include "netif.h"
86 #include "netnode.h"
87 #include "netport.h"
88 #include "xfrm.h"
89 #include "netlabel.h"
90 #include "audit.h"
91
92 #define NUM_SEL_MNT_OPTS 5
93
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern struct security_operations *security_ops;
96
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105 unsigned long enforcing;
106 if (!strict_strtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
108 return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118 unsigned long enabled;
119 if (!strict_strtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
121 return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129
130 /**
131 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132 *
133 * Description:
134 * This function checks the SECMARK reference counter to see if any SECMARK
135 * targets are currently configured, if the reference counter is greater than
136 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
137 * enabled, false (0) if SECMARK is disabled.
138 *
139 */
140 static int selinux_secmark_enabled(void)
141 {
142 return (atomic_read(&selinux_secmark_refcount) > 0);
143 }
144
145 /*
146 * initialise the security for the init task
147 */
148 static void cred_init_security(void)
149 {
150 struct cred *cred = (struct cred *) current->real_cred;
151 struct task_security_struct *tsec;
152
153 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
154 if (!tsec)
155 panic("SELinux: Failed to initialize initial task.\n");
156
157 tsec->osid = tsec->sid = SECINITSID_KERNEL;
158 cred->security = tsec;
159 }
160
161 /*
162 * get the security ID of a set of credentials
163 */
164 static inline u32 cred_sid(const struct cred *cred)
165 {
166 const struct task_security_struct *tsec;
167
168 tsec = cred->security;
169 return tsec->sid;
170 }
171
172 /*
173 * get the objective security ID of a task
174 */
175 static inline u32 task_sid(const struct task_struct *task)
176 {
177 u32 sid;
178
179 rcu_read_lock();
180 sid = cred_sid(__task_cred(task));
181 rcu_read_unlock();
182 return sid;
183 }
184
185 /*
186 * get the subjective security ID of the current task
187 */
188 static inline u32 current_sid(void)
189 {
190 const struct task_security_struct *tsec = current_security();
191
192 return tsec->sid;
193 }
194
195 /* Allocate and free functions for each kind of security blob. */
196
197 static int inode_alloc_security(struct inode *inode)
198 {
199 struct inode_security_struct *isec;
200 u32 sid = current_sid();
201
202 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
203 if (!isec)
204 return -ENOMEM;
205
206 mutex_init(&isec->lock);
207 INIT_LIST_HEAD(&isec->list);
208 isec->inode = inode;
209 isec->sid = SECINITSID_UNLABELED;
210 isec->sclass = SECCLASS_FILE;
211 isec->task_sid = sid;
212 inode->i_security = isec;
213
214 return 0;
215 }
216
217 static void inode_free_security(struct inode *inode)
218 {
219 struct inode_security_struct *isec = inode->i_security;
220 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
221
222 spin_lock(&sbsec->isec_lock);
223 if (!list_empty(&isec->list))
224 list_del_init(&isec->list);
225 spin_unlock(&sbsec->isec_lock);
226
227 inode->i_security = NULL;
228 kmem_cache_free(sel_inode_cache, isec);
229 }
230
231 static int file_alloc_security(struct file *file)
232 {
233 struct file_security_struct *fsec;
234 u32 sid = current_sid();
235
236 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
237 if (!fsec)
238 return -ENOMEM;
239
240 fsec->sid = sid;
241 fsec->fown_sid = sid;
242 file->f_security = fsec;
243
244 return 0;
245 }
246
247 static void file_free_security(struct file *file)
248 {
249 struct file_security_struct *fsec = file->f_security;
250 file->f_security = NULL;
251 kfree(fsec);
252 }
253
254 static int superblock_alloc_security(struct super_block *sb)
255 {
256 struct superblock_security_struct *sbsec;
257
258 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
259 if (!sbsec)
260 return -ENOMEM;
261
262 mutex_init(&sbsec->lock);
263 INIT_LIST_HEAD(&sbsec->isec_head);
264 spin_lock_init(&sbsec->isec_lock);
265 sbsec->sb = sb;
266 sbsec->sid = SECINITSID_UNLABELED;
267 sbsec->def_sid = SECINITSID_FILE;
268 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
269 sb->s_security = sbsec;
270
271 return 0;
272 }
273
274 static void superblock_free_security(struct super_block *sb)
275 {
276 struct superblock_security_struct *sbsec = sb->s_security;
277 sb->s_security = NULL;
278 kfree(sbsec);
279 }
280
281 /* The security server must be initialized before
282 any labeling or access decisions can be provided. */
283 extern int ss_initialized;
284
285 /* The file system's label must be initialized prior to use. */
286
287 static const char *labeling_behaviors[6] = {
288 "uses xattr",
289 "uses transition SIDs",
290 "uses task SIDs",
291 "uses genfs_contexts",
292 "not configured for labeling",
293 "uses mountpoint labeling",
294 };
295
296 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
297
298 static inline int inode_doinit(struct inode *inode)
299 {
300 return inode_doinit_with_dentry(inode, NULL);
301 }
302
303 enum {
304 Opt_error = -1,
305 Opt_context = 1,
306 Opt_fscontext = 2,
307 Opt_defcontext = 3,
308 Opt_rootcontext = 4,
309 Opt_labelsupport = 5,
310 };
311
312 static const match_table_t tokens = {
313 {Opt_context, CONTEXT_STR "%s"},
314 {Opt_fscontext, FSCONTEXT_STR "%s"},
315 {Opt_defcontext, DEFCONTEXT_STR "%s"},
316 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
317 {Opt_labelsupport, LABELSUPP_STR},
318 {Opt_error, NULL},
319 };
320
321 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
322
323 static int may_context_mount_sb_relabel(u32 sid,
324 struct superblock_security_struct *sbsec,
325 const struct cred *cred)
326 {
327 const struct task_security_struct *tsec = cred->security;
328 int rc;
329
330 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
331 FILESYSTEM__RELABELFROM, NULL);
332 if (rc)
333 return rc;
334
335 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
336 FILESYSTEM__RELABELTO, NULL);
337 return rc;
338 }
339
340 static int may_context_mount_inode_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 const struct cred *cred)
343 {
344 const struct task_security_struct *tsec = cred->security;
345 int rc;
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
348 if (rc)
349 return rc;
350
351 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__ASSOCIATE, NULL);
353 return rc;
354 }
355
356 static int sb_finish_set_opts(struct super_block *sb)
357 {
358 struct superblock_security_struct *sbsec = sb->s_security;
359 struct dentry *root = sb->s_root;
360 struct inode *root_inode = root->d_inode;
361 int rc = 0;
362
363 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
364 /* Make sure that the xattr handler exists and that no
365 error other than -ENODATA is returned by getxattr on
366 the root directory. -ENODATA is ok, as this may be
367 the first boot of the SELinux kernel before we have
368 assigned xattr values to the filesystem. */
369 if (!root_inode->i_op->getxattr) {
370 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
371 "xattr support\n", sb->s_id, sb->s_type->name);
372 rc = -EOPNOTSUPP;
373 goto out;
374 }
375 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
376 if (rc < 0 && rc != -ENODATA) {
377 if (rc == -EOPNOTSUPP)
378 printk(KERN_WARNING "SELinux: (dev %s, type "
379 "%s) has no security xattr handler\n",
380 sb->s_id, sb->s_type->name);
381 else
382 printk(KERN_WARNING "SELinux: (dev %s, type "
383 "%s) getxattr errno %d\n", sb->s_id,
384 sb->s_type->name, -rc);
385 goto out;
386 }
387 }
388
389 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
390
391 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
392 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
393 sb->s_id, sb->s_type->name);
394 else
395 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
396 sb->s_id, sb->s_type->name,
397 labeling_behaviors[sbsec->behavior-1]);
398
399 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
400 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
401 sbsec->behavior == SECURITY_FS_USE_NONE ||
402 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 sbsec->flags &= ~SE_SBLABELSUPP;
404
405 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
406 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
407 sbsec->flags |= SE_SBLABELSUPP;
408
409 /* Initialize the root inode. */
410 rc = inode_doinit_with_dentry(root_inode, root);
411
412 /* Initialize any other inodes associated with the superblock, e.g.
413 inodes created prior to initial policy load or inodes created
414 during get_sb by a pseudo filesystem that directly
415 populates itself. */
416 spin_lock(&sbsec->isec_lock);
417 next_inode:
418 if (!list_empty(&sbsec->isec_head)) {
419 struct inode_security_struct *isec =
420 list_entry(sbsec->isec_head.next,
421 struct inode_security_struct, list);
422 struct inode *inode = isec->inode;
423 spin_unlock(&sbsec->isec_lock);
424 inode = igrab(inode);
425 if (inode) {
426 if (!IS_PRIVATE(inode))
427 inode_doinit(inode);
428 iput(inode);
429 }
430 spin_lock(&sbsec->isec_lock);
431 list_del_init(&isec->list);
432 goto next_inode;
433 }
434 spin_unlock(&sbsec->isec_lock);
435 out:
436 return rc;
437 }
438
439 /*
440 * This function should allow an FS to ask what it's mount security
441 * options were so it can use those later for submounts, displaying
442 * mount options, or whatever.
443 */
444 static int selinux_get_mnt_opts(const struct super_block *sb,
445 struct security_mnt_opts *opts)
446 {
447 int rc = 0, i;
448 struct superblock_security_struct *sbsec = sb->s_security;
449 char *context = NULL;
450 u32 len;
451 char tmp;
452
453 security_init_mnt_opts(opts);
454
455 if (!(sbsec->flags & SE_SBINITIALIZED))
456 return -EINVAL;
457
458 if (!ss_initialized)
459 return -EINVAL;
460
461 tmp = sbsec->flags & SE_MNTMASK;
462 /* count the number of mount options for this sb */
463 for (i = 0; i < 8; i++) {
464 if (tmp & 0x01)
465 opts->num_mnt_opts++;
466 tmp >>= 1;
467 }
468 /* Check if the Label support flag is set */
469 if (sbsec->flags & SE_SBLABELSUPP)
470 opts->num_mnt_opts++;
471
472 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473 if (!opts->mnt_opts) {
474 rc = -ENOMEM;
475 goto out_free;
476 }
477
478 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479 if (!opts->mnt_opts_flags) {
480 rc = -ENOMEM;
481 goto out_free;
482 }
483
484 i = 0;
485 if (sbsec->flags & FSCONTEXT_MNT) {
486 rc = security_sid_to_context(sbsec->sid, &context, &len);
487 if (rc)
488 goto out_free;
489 opts->mnt_opts[i] = context;
490 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
491 }
492 if (sbsec->flags & CONTEXT_MNT) {
493 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
494 if (rc)
495 goto out_free;
496 opts->mnt_opts[i] = context;
497 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
498 }
499 if (sbsec->flags & DEFCONTEXT_MNT) {
500 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
501 if (rc)
502 goto out_free;
503 opts->mnt_opts[i] = context;
504 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
505 }
506 if (sbsec->flags & ROOTCONTEXT_MNT) {
507 struct inode *root = sbsec->sb->s_root->d_inode;
508 struct inode_security_struct *isec = root->i_security;
509
510 rc = security_sid_to_context(isec->sid, &context, &len);
511 if (rc)
512 goto out_free;
513 opts->mnt_opts[i] = context;
514 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
515 }
516 if (sbsec->flags & SE_SBLABELSUPP) {
517 opts->mnt_opts[i] = NULL;
518 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
519 }
520
521 BUG_ON(i != opts->num_mnt_opts);
522
523 return 0;
524
525 out_free:
526 security_free_mnt_opts(opts);
527 return rc;
528 }
529
530 static int bad_option(struct superblock_security_struct *sbsec, char flag,
531 u32 old_sid, u32 new_sid)
532 {
533 char mnt_flags = sbsec->flags & SE_MNTMASK;
534
535 /* check if the old mount command had the same options */
536 if (sbsec->flags & SE_SBINITIALIZED)
537 if (!(sbsec->flags & flag) ||
538 (old_sid != new_sid))
539 return 1;
540
541 /* check if we were passed the same options twice,
542 * aka someone passed context=a,context=b
543 */
544 if (!(sbsec->flags & SE_SBINITIALIZED))
545 if (mnt_flags & flag)
546 return 1;
547 return 0;
548 }
549
550 /*
551 * Allow filesystems with binary mount data to explicitly set mount point
552 * labeling information.
553 */
554 static int selinux_set_mnt_opts(struct super_block *sb,
555 struct security_mnt_opts *opts)
556 {
557 const struct cred *cred = current_cred();
558 int rc = 0, i;
559 struct superblock_security_struct *sbsec = sb->s_security;
560 const char *name = sb->s_type->name;
561 struct inode *inode = sbsec->sb->s_root->d_inode;
562 struct inode_security_struct *root_isec = inode->i_security;
563 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564 u32 defcontext_sid = 0;
565 char **mount_options = opts->mnt_opts;
566 int *flags = opts->mnt_opts_flags;
567 int num_opts = opts->num_mnt_opts;
568
569 mutex_lock(&sbsec->lock);
570
571 if (!ss_initialized) {
572 if (!num_opts) {
573 /* Defer initialization until selinux_complete_init,
574 after the initial policy is loaded and the security
575 server is ready to handle calls. */
576 goto out;
577 }
578 rc = -EINVAL;
579 printk(KERN_WARNING "SELinux: Unable to set superblock options "
580 "before the security server is initialized\n");
581 goto out;
582 }
583
584 /*
585 * Binary mount data FS will come through this function twice. Once
586 * from an explicit call and once from the generic calls from the vfs.
587 * Since the generic VFS calls will not contain any security mount data
588 * we need to skip the double mount verification.
589 *
590 * This does open a hole in which we will not notice if the first
591 * mount using this sb set explict options and a second mount using
592 * this sb does not set any security options. (The first options
593 * will be used for both mounts)
594 */
595 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596 && (num_opts == 0))
597 goto out;
598
599 /*
600 * parse the mount options, check if they are valid sids.
601 * also check if someone is trying to mount the same sb more
602 * than once with different security options.
603 */
604 for (i = 0; i < num_opts; i++) {
605 u32 sid;
606
607 if (flags[i] == SE_SBLABELSUPP)
608 continue;
609 rc = security_context_to_sid(mount_options[i],
610 strlen(mount_options[i]), &sid);
611 if (rc) {
612 printk(KERN_WARNING "SELinux: security_context_to_sid"
613 "(%s) failed for (dev %s, type %s) errno=%d\n",
614 mount_options[i], sb->s_id, name, rc);
615 goto out;
616 }
617 switch (flags[i]) {
618 case FSCONTEXT_MNT:
619 fscontext_sid = sid;
620
621 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
622 fscontext_sid))
623 goto out_double_mount;
624
625 sbsec->flags |= FSCONTEXT_MNT;
626 break;
627 case CONTEXT_MNT:
628 context_sid = sid;
629
630 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
631 context_sid))
632 goto out_double_mount;
633
634 sbsec->flags |= CONTEXT_MNT;
635 break;
636 case ROOTCONTEXT_MNT:
637 rootcontext_sid = sid;
638
639 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
640 rootcontext_sid))
641 goto out_double_mount;
642
643 sbsec->flags |= ROOTCONTEXT_MNT;
644
645 break;
646 case DEFCONTEXT_MNT:
647 defcontext_sid = sid;
648
649 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
650 defcontext_sid))
651 goto out_double_mount;
652
653 sbsec->flags |= DEFCONTEXT_MNT;
654
655 break;
656 default:
657 rc = -EINVAL;
658 goto out;
659 }
660 }
661
662 if (sbsec->flags & SE_SBINITIALIZED) {
663 /* previously mounted with options, but not on this attempt? */
664 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
665 goto out_double_mount;
666 rc = 0;
667 goto out;
668 }
669
670 if (strcmp(sb->s_type->name, "proc") == 0)
671 sbsec->flags |= SE_SBPROC;
672
673 /* Determine the labeling behavior to use for this filesystem type. */
674 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
675 if (rc) {
676 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
677 __func__, sb->s_type->name, rc);
678 goto out;
679 }
680
681 /* sets the context of the superblock for the fs being mounted. */
682 if (fscontext_sid) {
683 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
684 if (rc)
685 goto out;
686
687 sbsec->sid = fscontext_sid;
688 }
689
690 /*
691 * Switch to using mount point labeling behavior.
692 * sets the label used on all file below the mountpoint, and will set
693 * the superblock context if not already set.
694 */
695 if (context_sid) {
696 if (!fscontext_sid) {
697 rc = may_context_mount_sb_relabel(context_sid, sbsec,
698 cred);
699 if (rc)
700 goto out;
701 sbsec->sid = context_sid;
702 } else {
703 rc = may_context_mount_inode_relabel(context_sid, sbsec,
704 cred);
705 if (rc)
706 goto out;
707 }
708 if (!rootcontext_sid)
709 rootcontext_sid = context_sid;
710
711 sbsec->mntpoint_sid = context_sid;
712 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
713 }
714
715 if (rootcontext_sid) {
716 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
717 cred);
718 if (rc)
719 goto out;
720
721 root_isec->sid = rootcontext_sid;
722 root_isec->initialized = 1;
723 }
724
725 if (defcontext_sid) {
726 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
727 rc = -EINVAL;
728 printk(KERN_WARNING "SELinux: defcontext option is "
729 "invalid for this filesystem type\n");
730 goto out;
731 }
732
733 if (defcontext_sid != sbsec->def_sid) {
734 rc = may_context_mount_inode_relabel(defcontext_sid,
735 sbsec, cred);
736 if (rc)
737 goto out;
738 }
739
740 sbsec->def_sid = defcontext_sid;
741 }
742
743 rc = sb_finish_set_opts(sb);
744 out:
745 mutex_unlock(&sbsec->lock);
746 return rc;
747 out_double_mount:
748 rc = -EINVAL;
749 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
750 "security settings for (dev %s, type %s)\n", sb->s_id, name);
751 goto out;
752 }
753
754 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
755 struct super_block *newsb)
756 {
757 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
758 struct superblock_security_struct *newsbsec = newsb->s_security;
759
760 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
761 int set_context = (oldsbsec->flags & CONTEXT_MNT);
762 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
763
764 /*
765 * if the parent was able to be mounted it clearly had no special lsm
766 * mount options. thus we can safely deal with this superblock later
767 */
768 if (!ss_initialized)
769 return;
770
771 /* how can we clone if the old one wasn't set up?? */
772 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
773
774 /* if fs is reusing a sb, just let its options stand... */
775 if (newsbsec->flags & SE_SBINITIALIZED)
776 return;
777
778 mutex_lock(&newsbsec->lock);
779
780 newsbsec->flags = oldsbsec->flags;
781
782 newsbsec->sid = oldsbsec->sid;
783 newsbsec->def_sid = oldsbsec->def_sid;
784 newsbsec->behavior = oldsbsec->behavior;
785
786 if (set_context) {
787 u32 sid = oldsbsec->mntpoint_sid;
788
789 if (!set_fscontext)
790 newsbsec->sid = sid;
791 if (!set_rootcontext) {
792 struct inode *newinode = newsb->s_root->d_inode;
793 struct inode_security_struct *newisec = newinode->i_security;
794 newisec->sid = sid;
795 }
796 newsbsec->mntpoint_sid = sid;
797 }
798 if (set_rootcontext) {
799 const struct inode *oldinode = oldsb->s_root->d_inode;
800 const struct inode_security_struct *oldisec = oldinode->i_security;
801 struct inode *newinode = newsb->s_root->d_inode;
802 struct inode_security_struct *newisec = newinode->i_security;
803
804 newisec->sid = oldisec->sid;
805 }
806
807 sb_finish_set_opts(newsb);
808 mutex_unlock(&newsbsec->lock);
809 }
810
811 static int selinux_parse_opts_str(char *options,
812 struct security_mnt_opts *opts)
813 {
814 char *p;
815 char *context = NULL, *defcontext = NULL;
816 char *fscontext = NULL, *rootcontext = NULL;
817 int rc, num_mnt_opts = 0;
818
819 opts->num_mnt_opts = 0;
820
821 /* Standard string-based options. */
822 while ((p = strsep(&options, "|")) != NULL) {
823 int token;
824 substring_t args[MAX_OPT_ARGS];
825
826 if (!*p)
827 continue;
828
829 token = match_token(p, tokens, args);
830
831 switch (token) {
832 case Opt_context:
833 if (context || defcontext) {
834 rc = -EINVAL;
835 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
836 goto out_err;
837 }
838 context = match_strdup(&args[0]);
839 if (!context) {
840 rc = -ENOMEM;
841 goto out_err;
842 }
843 break;
844
845 case Opt_fscontext:
846 if (fscontext) {
847 rc = -EINVAL;
848 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
849 goto out_err;
850 }
851 fscontext = match_strdup(&args[0]);
852 if (!fscontext) {
853 rc = -ENOMEM;
854 goto out_err;
855 }
856 break;
857
858 case Opt_rootcontext:
859 if (rootcontext) {
860 rc = -EINVAL;
861 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
862 goto out_err;
863 }
864 rootcontext = match_strdup(&args[0]);
865 if (!rootcontext) {
866 rc = -ENOMEM;
867 goto out_err;
868 }
869 break;
870
871 case Opt_defcontext:
872 if (context || defcontext) {
873 rc = -EINVAL;
874 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875 goto out_err;
876 }
877 defcontext = match_strdup(&args[0]);
878 if (!defcontext) {
879 rc = -ENOMEM;
880 goto out_err;
881 }
882 break;
883 case Opt_labelsupport:
884 break;
885 default:
886 rc = -EINVAL;
887 printk(KERN_WARNING "SELinux: unknown mount option\n");
888 goto out_err;
889
890 }
891 }
892
893 rc = -ENOMEM;
894 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
895 if (!opts->mnt_opts)
896 goto out_err;
897
898 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
899 if (!opts->mnt_opts_flags) {
900 kfree(opts->mnt_opts);
901 goto out_err;
902 }
903
904 if (fscontext) {
905 opts->mnt_opts[num_mnt_opts] = fscontext;
906 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
907 }
908 if (context) {
909 opts->mnt_opts[num_mnt_opts] = context;
910 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
911 }
912 if (rootcontext) {
913 opts->mnt_opts[num_mnt_opts] = rootcontext;
914 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
915 }
916 if (defcontext) {
917 opts->mnt_opts[num_mnt_opts] = defcontext;
918 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
919 }
920
921 opts->num_mnt_opts = num_mnt_opts;
922 return 0;
923
924 out_err:
925 kfree(context);
926 kfree(defcontext);
927 kfree(fscontext);
928 kfree(rootcontext);
929 return rc;
930 }
931 /*
932 * string mount options parsing and call set the sbsec
933 */
934 static int superblock_doinit(struct super_block *sb, void *data)
935 {
936 int rc = 0;
937 char *options = data;
938 struct security_mnt_opts opts;
939
940 security_init_mnt_opts(&opts);
941
942 if (!data)
943 goto out;
944
945 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
946
947 rc = selinux_parse_opts_str(options, &opts);
948 if (rc)
949 goto out_err;
950
951 out:
952 rc = selinux_set_mnt_opts(sb, &opts);
953
954 out_err:
955 security_free_mnt_opts(&opts);
956 return rc;
957 }
958
959 static void selinux_write_opts(struct seq_file *m,
960 struct security_mnt_opts *opts)
961 {
962 int i;
963 char *prefix;
964
965 for (i = 0; i < opts->num_mnt_opts; i++) {
966 char *has_comma;
967
968 if (opts->mnt_opts[i])
969 has_comma = strchr(opts->mnt_opts[i], ',');
970 else
971 has_comma = NULL;
972
973 switch (opts->mnt_opts_flags[i]) {
974 case CONTEXT_MNT:
975 prefix = CONTEXT_STR;
976 break;
977 case FSCONTEXT_MNT:
978 prefix = FSCONTEXT_STR;
979 break;
980 case ROOTCONTEXT_MNT:
981 prefix = ROOTCONTEXT_STR;
982 break;
983 case DEFCONTEXT_MNT:
984 prefix = DEFCONTEXT_STR;
985 break;
986 case SE_SBLABELSUPP:
987 seq_putc(m, ',');
988 seq_puts(m, LABELSUPP_STR);
989 continue;
990 default:
991 BUG();
992 };
993 /* we need a comma before each option */
994 seq_putc(m, ',');
995 seq_puts(m, prefix);
996 if (has_comma)
997 seq_putc(m, '\"');
998 seq_puts(m, opts->mnt_opts[i]);
999 if (has_comma)
1000 seq_putc(m, '\"');
1001 }
1002 }
1003
1004 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005 {
1006 struct security_mnt_opts opts;
1007 int rc;
1008
1009 rc = selinux_get_mnt_opts(sb, &opts);
1010 if (rc) {
1011 /* before policy load we may get EINVAL, don't show anything */
1012 if (rc == -EINVAL)
1013 rc = 0;
1014 return rc;
1015 }
1016
1017 selinux_write_opts(m, &opts);
1018
1019 security_free_mnt_opts(&opts);
1020
1021 return rc;
1022 }
1023
1024 static inline u16 inode_mode_to_security_class(umode_t mode)
1025 {
1026 switch (mode & S_IFMT) {
1027 case S_IFSOCK:
1028 return SECCLASS_SOCK_FILE;
1029 case S_IFLNK:
1030 return SECCLASS_LNK_FILE;
1031 case S_IFREG:
1032 return SECCLASS_FILE;
1033 case S_IFBLK:
1034 return SECCLASS_BLK_FILE;
1035 case S_IFDIR:
1036 return SECCLASS_DIR;
1037 case S_IFCHR:
1038 return SECCLASS_CHR_FILE;
1039 case S_IFIFO:
1040 return SECCLASS_FIFO_FILE;
1041
1042 }
1043
1044 return SECCLASS_FILE;
1045 }
1046
1047 static inline int default_protocol_stream(int protocol)
1048 {
1049 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050 }
1051
1052 static inline int default_protocol_dgram(int protocol)
1053 {
1054 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055 }
1056
1057 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058 {
1059 switch (family) {
1060 case PF_UNIX:
1061 switch (type) {
1062 case SOCK_STREAM:
1063 case SOCK_SEQPACKET:
1064 return SECCLASS_UNIX_STREAM_SOCKET;
1065 case SOCK_DGRAM:
1066 return SECCLASS_UNIX_DGRAM_SOCKET;
1067 }
1068 break;
1069 case PF_INET:
1070 case PF_INET6:
1071 switch (type) {
1072 case SOCK_STREAM:
1073 if (default_protocol_stream(protocol))
1074 return SECCLASS_TCP_SOCKET;
1075 else
1076 return SECCLASS_RAWIP_SOCKET;
1077 case SOCK_DGRAM:
1078 if (default_protocol_dgram(protocol))
1079 return SECCLASS_UDP_SOCKET;
1080 else
1081 return SECCLASS_RAWIP_SOCKET;
1082 case SOCK_DCCP:
1083 return SECCLASS_DCCP_SOCKET;
1084 default:
1085 return SECCLASS_RAWIP_SOCKET;
1086 }
1087 break;
1088 case PF_NETLINK:
1089 switch (protocol) {
1090 case NETLINK_ROUTE:
1091 return SECCLASS_NETLINK_ROUTE_SOCKET;
1092 case NETLINK_FIREWALL:
1093 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094 case NETLINK_INET_DIAG:
1095 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096 case NETLINK_NFLOG:
1097 return SECCLASS_NETLINK_NFLOG_SOCKET;
1098 case NETLINK_XFRM:
1099 return SECCLASS_NETLINK_XFRM_SOCKET;
1100 case NETLINK_SELINUX:
1101 return SECCLASS_NETLINK_SELINUX_SOCKET;
1102 case NETLINK_AUDIT:
1103 return SECCLASS_NETLINK_AUDIT_SOCKET;
1104 case NETLINK_IP6_FW:
1105 return SECCLASS_NETLINK_IP6FW_SOCKET;
1106 case NETLINK_DNRTMSG:
1107 return SECCLASS_NETLINK_DNRT_SOCKET;
1108 case NETLINK_KOBJECT_UEVENT:
1109 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1110 default:
1111 return SECCLASS_NETLINK_SOCKET;
1112 }
1113 case PF_PACKET:
1114 return SECCLASS_PACKET_SOCKET;
1115 case PF_KEY:
1116 return SECCLASS_KEY_SOCKET;
1117 case PF_APPLETALK:
1118 return SECCLASS_APPLETALK_SOCKET;
1119 }
1120
1121 return SECCLASS_SOCKET;
1122 }
1123
1124 #ifdef CONFIG_PROC_FS
1125 static int selinux_proc_get_sid(struct dentry *dentry,
1126 u16 tclass,
1127 u32 *sid)
1128 {
1129 int rc;
1130 char *buffer, *path;
1131
1132 buffer = (char *)__get_free_page(GFP_KERNEL);
1133 if (!buffer)
1134 return -ENOMEM;
1135
1136 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137 if (IS_ERR(path))
1138 rc = PTR_ERR(path);
1139 else {
1140 /* each process gets a /proc/PID/ entry. Strip off the
1141 * PID part to get a valid selinux labeling.
1142 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143 while (path[1] >= '0' && path[1] <= '9') {
1144 path[1] = '/';
1145 path++;
1146 }
1147 rc = security_genfs_sid("proc", path, tclass, sid);
1148 }
1149 free_page((unsigned long)buffer);
1150 return rc;
1151 }
1152 #else
1153 static int selinux_proc_get_sid(struct dentry *dentry,
1154 u16 tclass,
1155 u32 *sid)
1156 {
1157 return -EINVAL;
1158 }
1159 #endif
1160
1161 /* The inode's security attributes must be initialized before first use. */
1162 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163 {
1164 struct superblock_security_struct *sbsec = NULL;
1165 struct inode_security_struct *isec = inode->i_security;
1166 u32 sid;
1167 struct dentry *dentry;
1168 #define INITCONTEXTLEN 255
1169 char *context = NULL;
1170 unsigned len = 0;
1171 int rc = 0;
1172
1173 if (isec->initialized)
1174 goto out;
1175
1176 mutex_lock(&isec->lock);
1177 if (isec->initialized)
1178 goto out_unlock;
1179
1180 sbsec = inode->i_sb->s_security;
1181 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182 /* Defer initialization until selinux_complete_init,
1183 after the initial policy is loaded and the security
1184 server is ready to handle calls. */
1185 spin_lock(&sbsec->isec_lock);
1186 if (list_empty(&isec->list))
1187 list_add(&isec->list, &sbsec->isec_head);
1188 spin_unlock(&sbsec->isec_lock);
1189 goto out_unlock;
1190 }
1191
1192 switch (sbsec->behavior) {
1193 case SECURITY_FS_USE_XATTR:
1194 if (!inode->i_op->getxattr) {
1195 isec->sid = sbsec->def_sid;
1196 break;
1197 }
1198
1199 /* Need a dentry, since the xattr API requires one.
1200 Life would be simpler if we could just pass the inode. */
1201 if (opt_dentry) {
1202 /* Called from d_instantiate or d_splice_alias. */
1203 dentry = dget(opt_dentry);
1204 } else {
1205 /* Called from selinux_complete_init, try to find a dentry. */
1206 dentry = d_find_alias(inode);
1207 }
1208 if (!dentry) {
1209 /*
1210 * this is can be hit on boot when a file is accessed
1211 * before the policy is loaded. When we load policy we
1212 * may find inodes that have no dentry on the
1213 * sbsec->isec_head list. No reason to complain as these
1214 * will get fixed up the next time we go through
1215 * inode_doinit with a dentry, before these inodes could
1216 * be used again by userspace.
1217 */
1218 goto out_unlock;
1219 }
1220
1221 len = INITCONTEXTLEN;
1222 context = kmalloc(len+1, GFP_NOFS);
1223 if (!context) {
1224 rc = -ENOMEM;
1225 dput(dentry);
1226 goto out_unlock;
1227 }
1228 context[len] = '\0';
1229 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230 context, len);
1231 if (rc == -ERANGE) {
1232 kfree(context);
1233
1234 /* Need a larger buffer. Query for the right size. */
1235 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236 NULL, 0);
1237 if (rc < 0) {
1238 dput(dentry);
1239 goto out_unlock;
1240 }
1241 len = rc;
1242 context = kmalloc(len+1, GFP_NOFS);
1243 if (!context) {
1244 rc = -ENOMEM;
1245 dput(dentry);
1246 goto out_unlock;
1247 }
1248 context[len] = '\0';
1249 rc = inode->i_op->getxattr(dentry,
1250 XATTR_NAME_SELINUX,
1251 context, len);
1252 }
1253 dput(dentry);
1254 if (rc < 0) {
1255 if (rc != -ENODATA) {
1256 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1257 "%d for dev=%s ino=%ld\n", __func__,
1258 -rc, inode->i_sb->s_id, inode->i_ino);
1259 kfree(context);
1260 goto out_unlock;
1261 }
1262 /* Map ENODATA to the default file SID */
1263 sid = sbsec->def_sid;
1264 rc = 0;
1265 } else {
1266 rc = security_context_to_sid_default(context, rc, &sid,
1267 sbsec->def_sid,
1268 GFP_NOFS);
1269 if (rc) {
1270 char *dev = inode->i_sb->s_id;
1271 unsigned long ino = inode->i_ino;
1272
1273 if (rc == -EINVAL) {
1274 if (printk_ratelimit())
1275 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276 "context=%s. This indicates you may need to relabel the inode or the "
1277 "filesystem in question.\n", ino, dev, context);
1278 } else {
1279 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1280 "returned %d for dev=%s ino=%ld\n",
1281 __func__, context, -rc, dev, ino);
1282 }
1283 kfree(context);
1284 /* Leave with the unlabeled SID */
1285 rc = 0;
1286 break;
1287 }
1288 }
1289 kfree(context);
1290 isec->sid = sid;
1291 break;
1292 case SECURITY_FS_USE_TASK:
1293 isec->sid = isec->task_sid;
1294 break;
1295 case SECURITY_FS_USE_TRANS:
1296 /* Default to the fs SID. */
1297 isec->sid = sbsec->sid;
1298
1299 /* Try to obtain a transition SID. */
1300 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302 isec->sclass, NULL, &sid);
1303 if (rc)
1304 goto out_unlock;
1305 isec->sid = sid;
1306 break;
1307 case SECURITY_FS_USE_MNTPOINT:
1308 isec->sid = sbsec->mntpoint_sid;
1309 break;
1310 default:
1311 /* Default to the fs superblock SID. */
1312 isec->sid = sbsec->sid;
1313
1314 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1315 if (opt_dentry) {
1316 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317 rc = selinux_proc_get_sid(opt_dentry,
1318 isec->sclass,
1319 &sid);
1320 if (rc)
1321 goto out_unlock;
1322 isec->sid = sid;
1323 }
1324 }
1325 break;
1326 }
1327
1328 isec->initialized = 1;
1329
1330 out_unlock:
1331 mutex_unlock(&isec->lock);
1332 out:
1333 if (isec->sclass == SECCLASS_FILE)
1334 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1335 return rc;
1336 }
1337
1338 /* Convert a Linux signal to an access vector. */
1339 static inline u32 signal_to_av(int sig)
1340 {
1341 u32 perm = 0;
1342
1343 switch (sig) {
1344 case SIGCHLD:
1345 /* Commonly granted from child to parent. */
1346 perm = PROCESS__SIGCHLD;
1347 break;
1348 case SIGKILL:
1349 /* Cannot be caught or ignored */
1350 perm = PROCESS__SIGKILL;
1351 break;
1352 case SIGSTOP:
1353 /* Cannot be caught or ignored */
1354 perm = PROCESS__SIGSTOP;
1355 break;
1356 default:
1357 /* All other signals. */
1358 perm = PROCESS__SIGNAL;
1359 break;
1360 }
1361
1362 return perm;
1363 }
1364
1365 /*
1366 * Check permission between a pair of credentials
1367 * fork check, ptrace check, etc.
1368 */
1369 static int cred_has_perm(const struct cred *actor,
1370 const struct cred *target,
1371 u32 perms)
1372 {
1373 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374
1375 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376 }
1377
1378 /*
1379 * Check permission between a pair of tasks, e.g. signal checks,
1380 * fork check, ptrace check, etc.
1381 * tsk1 is the actor and tsk2 is the target
1382 * - this uses the default subjective creds of tsk1
1383 */
1384 static int task_has_perm(const struct task_struct *tsk1,
1385 const struct task_struct *tsk2,
1386 u32 perms)
1387 {
1388 const struct task_security_struct *__tsec1, *__tsec2;
1389 u32 sid1, sid2;
1390
1391 rcu_read_lock();
1392 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1393 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1394 rcu_read_unlock();
1395 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1396 }
1397
1398 /*
1399 * Check permission between current and another task, e.g. signal checks,
1400 * fork check, ptrace check, etc.
1401 * current is the actor and tsk2 is the target
1402 * - this uses current's subjective creds
1403 */
1404 static int current_has_perm(const struct task_struct *tsk,
1405 u32 perms)
1406 {
1407 u32 sid, tsid;
1408
1409 sid = current_sid();
1410 tsid = task_sid(tsk);
1411 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1416 #endif
1417
1418 /* Check whether a task is allowed to use a capability. */
1419 static int task_has_capability(struct task_struct *tsk,
1420 const struct cred *cred,
1421 int cap, int audit)
1422 {
1423 struct common_audit_data ad;
1424 struct av_decision avd;
1425 u16 sclass;
1426 u32 sid = cred_sid(cred);
1427 u32 av = CAP_TO_MASK(cap);
1428 int rc;
1429
1430 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1431 ad.tsk = tsk;
1432 ad.u.cap = cap;
1433
1434 switch (CAP_TO_INDEX(cap)) {
1435 case 0:
1436 sclass = SECCLASS_CAPABILITY;
1437 break;
1438 case 1:
1439 sclass = SECCLASS_CAPABILITY2;
1440 break;
1441 default:
1442 printk(KERN_ERR
1443 "SELinux: out of range capability %d\n", cap);
1444 BUG();
1445 }
1446
1447 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1448 if (audit == SECURITY_CAP_AUDIT)
1449 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1450 return rc;
1451 }
1452
1453 /* Check whether a task is allowed to use a system operation. */
1454 static int task_has_system(struct task_struct *tsk,
1455 u32 perms)
1456 {
1457 u32 sid = task_sid(tsk);
1458
1459 return avc_has_perm(sid, SECINITSID_KERNEL,
1460 SECCLASS_SYSTEM, perms, NULL);
1461 }
1462
1463 /* Check whether a task has a particular permission to an inode.
1464 The 'adp' parameter is optional and allows other audit
1465 data to be passed (e.g. the dentry). */
1466 static int inode_has_perm(const struct cred *cred,
1467 struct inode *inode,
1468 u32 perms,
1469 struct common_audit_data *adp)
1470 {
1471 struct inode_security_struct *isec;
1472 struct common_audit_data ad;
1473 u32 sid;
1474
1475 validate_creds(cred);
1476
1477 if (unlikely(IS_PRIVATE(inode)))
1478 return 0;
1479
1480 sid = cred_sid(cred);
1481 isec = inode->i_security;
1482
1483 if (!adp) {
1484 adp = &ad;
1485 COMMON_AUDIT_DATA_INIT(&ad, FS);
1486 ad.u.fs.inode = inode;
1487 }
1488
1489 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1490 }
1491
1492 /* Same as inode_has_perm, but pass explicit audit data containing
1493 the dentry to help the auditing code to more easily generate the
1494 pathname if needed. */
1495 static inline int dentry_has_perm(const struct cred *cred,
1496 struct vfsmount *mnt,
1497 struct dentry *dentry,
1498 u32 av)
1499 {
1500 struct inode *inode = dentry->d_inode;
1501 struct common_audit_data ad;
1502
1503 COMMON_AUDIT_DATA_INIT(&ad, FS);
1504 ad.u.fs.path.mnt = mnt;
1505 ad.u.fs.path.dentry = dentry;
1506 return inode_has_perm(cred, inode, av, &ad);
1507 }
1508
1509 /* Check whether a task can use an open file descriptor to
1510 access an inode in a given way. Check access to the
1511 descriptor itself, and then use dentry_has_perm to
1512 check a particular permission to the file.
1513 Access to the descriptor is implicitly granted if it
1514 has the same SID as the process. If av is zero, then
1515 access to the file is not checked, e.g. for cases
1516 where only the descriptor is affected like seek. */
1517 static int file_has_perm(const struct cred *cred,
1518 struct file *file,
1519 u32 av)
1520 {
1521 struct file_security_struct *fsec = file->f_security;
1522 struct inode *inode = file->f_path.dentry->d_inode;
1523 struct common_audit_data ad;
1524 u32 sid = cred_sid(cred);
1525 int rc;
1526
1527 COMMON_AUDIT_DATA_INIT(&ad, FS);
1528 ad.u.fs.path = file->f_path;
1529
1530 if (sid != fsec->sid) {
1531 rc = avc_has_perm(sid, fsec->sid,
1532 SECCLASS_FD,
1533 FD__USE,
1534 &ad);
1535 if (rc)
1536 goto out;
1537 }
1538
1539 /* av is zero if only checking access to the descriptor. */
1540 rc = 0;
1541 if (av)
1542 rc = inode_has_perm(cred, inode, av, &ad);
1543
1544 out:
1545 return rc;
1546 }
1547
1548 /* Check whether a task can create a file. */
1549 static int may_create(struct inode *dir,
1550 struct dentry *dentry,
1551 u16 tclass)
1552 {
1553 const struct task_security_struct *tsec = current_security();
1554 struct inode_security_struct *dsec;
1555 struct superblock_security_struct *sbsec;
1556 u32 sid, newsid;
1557 struct common_audit_data ad;
1558 int rc;
1559
1560 dsec = dir->i_security;
1561 sbsec = dir->i_sb->s_security;
1562
1563 sid = tsec->sid;
1564 newsid = tsec->create_sid;
1565
1566 COMMON_AUDIT_DATA_INIT(&ad, FS);
1567 ad.u.fs.path.dentry = dentry;
1568
1569 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1570 DIR__ADD_NAME | DIR__SEARCH,
1571 &ad);
1572 if (rc)
1573 return rc;
1574
1575 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1576 rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid);
1577 if (rc)
1578 return rc;
1579 }
1580
1581 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1582 if (rc)
1583 return rc;
1584
1585 return avc_has_perm(newsid, sbsec->sid,
1586 SECCLASS_FILESYSTEM,
1587 FILESYSTEM__ASSOCIATE, &ad);
1588 }
1589
1590 /* Check whether a task can create a key. */
1591 static int may_create_key(u32 ksid,
1592 struct task_struct *ctx)
1593 {
1594 u32 sid = task_sid(ctx);
1595
1596 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1597 }
1598
1599 #define MAY_LINK 0
1600 #define MAY_UNLINK 1
1601 #define MAY_RMDIR 2
1602
1603 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1604 static int may_link(struct inode *dir,
1605 struct dentry *dentry,
1606 int kind)
1607
1608 {
1609 struct inode_security_struct *dsec, *isec;
1610 struct common_audit_data ad;
1611 u32 sid = current_sid();
1612 u32 av;
1613 int rc;
1614
1615 dsec = dir->i_security;
1616 isec = dentry->d_inode->i_security;
1617
1618 COMMON_AUDIT_DATA_INIT(&ad, FS);
1619 ad.u.fs.path.dentry = dentry;
1620
1621 av = DIR__SEARCH;
1622 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1623 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1624 if (rc)
1625 return rc;
1626
1627 switch (kind) {
1628 case MAY_LINK:
1629 av = FILE__LINK;
1630 break;
1631 case MAY_UNLINK:
1632 av = FILE__UNLINK;
1633 break;
1634 case MAY_RMDIR:
1635 av = DIR__RMDIR;
1636 break;
1637 default:
1638 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1639 __func__, kind);
1640 return 0;
1641 }
1642
1643 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1644 return rc;
1645 }
1646
1647 static inline int may_rename(struct inode *old_dir,
1648 struct dentry *old_dentry,
1649 struct inode *new_dir,
1650 struct dentry *new_dentry)
1651 {
1652 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1653 struct common_audit_data ad;
1654 u32 sid = current_sid();
1655 u32 av;
1656 int old_is_dir, new_is_dir;
1657 int rc;
1658
1659 old_dsec = old_dir->i_security;
1660 old_isec = old_dentry->d_inode->i_security;
1661 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1662 new_dsec = new_dir->i_security;
1663
1664 COMMON_AUDIT_DATA_INIT(&ad, FS);
1665
1666 ad.u.fs.path.dentry = old_dentry;
1667 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1668 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1669 if (rc)
1670 return rc;
1671 rc = avc_has_perm(sid, old_isec->sid,
1672 old_isec->sclass, FILE__RENAME, &ad);
1673 if (rc)
1674 return rc;
1675 if (old_is_dir && new_dir != old_dir) {
1676 rc = avc_has_perm(sid, old_isec->sid,
1677 old_isec->sclass, DIR__REPARENT, &ad);
1678 if (rc)
1679 return rc;
1680 }
1681
1682 ad.u.fs.path.dentry = new_dentry;
1683 av = DIR__ADD_NAME | DIR__SEARCH;
1684 if (new_dentry->d_inode)
1685 av |= DIR__REMOVE_NAME;
1686 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1687 if (rc)
1688 return rc;
1689 if (new_dentry->d_inode) {
1690 new_isec = new_dentry->d_inode->i_security;
1691 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1692 rc = avc_has_perm(sid, new_isec->sid,
1693 new_isec->sclass,
1694 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1695 if (rc)
1696 return rc;
1697 }
1698
1699 return 0;
1700 }
1701
1702 /* Check whether a task can perform a filesystem operation. */
1703 static int superblock_has_perm(const struct cred *cred,
1704 struct super_block *sb,
1705 u32 perms,
1706 struct common_audit_data *ad)
1707 {
1708 struct superblock_security_struct *sbsec;
1709 u32 sid = cred_sid(cred);
1710
1711 sbsec = sb->s_security;
1712 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1713 }
1714
1715 /* Convert a Linux mode and permission mask to an access vector. */
1716 static inline u32 file_mask_to_av(int mode, int mask)
1717 {
1718 u32 av = 0;
1719
1720 if ((mode & S_IFMT) != S_IFDIR) {
1721 if (mask & MAY_EXEC)
1722 av |= FILE__EXECUTE;
1723 if (mask & MAY_READ)
1724 av |= FILE__READ;
1725
1726 if (mask & MAY_APPEND)
1727 av |= FILE__APPEND;
1728 else if (mask & MAY_WRITE)
1729 av |= FILE__WRITE;
1730
1731 } else {
1732 if (mask & MAY_EXEC)
1733 av |= DIR__SEARCH;
1734 if (mask & MAY_WRITE)
1735 av |= DIR__WRITE;
1736 if (mask & MAY_READ)
1737 av |= DIR__READ;
1738 }
1739
1740 return av;
1741 }
1742
1743 /* Convert a Linux file to an access vector. */
1744 static inline u32 file_to_av(struct file *file)
1745 {
1746 u32 av = 0;
1747
1748 if (file->f_mode & FMODE_READ)
1749 av |= FILE__READ;
1750 if (file->f_mode & FMODE_WRITE) {
1751 if (file->f_flags & O_APPEND)
1752 av |= FILE__APPEND;
1753 else
1754 av |= FILE__WRITE;
1755 }
1756 if (!av) {
1757 /*
1758 * Special file opened with flags 3 for ioctl-only use.
1759 */
1760 av = FILE__IOCTL;
1761 }
1762
1763 return av;
1764 }
1765
1766 /*
1767 * Convert a file to an access vector and include the correct open
1768 * open permission.
1769 */
1770 static inline u32 open_file_to_av(struct file *file)
1771 {
1772 u32 av = file_to_av(file);
1773
1774 if (selinux_policycap_openperm)
1775 av |= FILE__OPEN;
1776
1777 return av;
1778 }
1779
1780 /* Hook functions begin here. */
1781
1782 static int selinux_ptrace_access_check(struct task_struct *child,
1783 unsigned int mode)
1784 {
1785 int rc;
1786
1787 rc = cap_ptrace_access_check(child, mode);
1788 if (rc)
1789 return rc;
1790
1791 if (mode == PTRACE_MODE_READ) {
1792 u32 sid = current_sid();
1793 u32 csid = task_sid(child);
1794 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1795 }
1796
1797 return current_has_perm(child, PROCESS__PTRACE);
1798 }
1799
1800 static int selinux_ptrace_traceme(struct task_struct *parent)
1801 {
1802 int rc;
1803
1804 rc = cap_ptrace_traceme(parent);
1805 if (rc)
1806 return rc;
1807
1808 return task_has_perm(parent, current, PROCESS__PTRACE);
1809 }
1810
1811 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1812 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1813 {
1814 int error;
1815
1816 error = current_has_perm(target, PROCESS__GETCAP);
1817 if (error)
1818 return error;
1819
1820 return cap_capget(target, effective, inheritable, permitted);
1821 }
1822
1823 static int selinux_capset(struct cred *new, const struct cred *old,
1824 const kernel_cap_t *effective,
1825 const kernel_cap_t *inheritable,
1826 const kernel_cap_t *permitted)
1827 {
1828 int error;
1829
1830 error = cap_capset(new, old,
1831 effective, inheritable, permitted);
1832 if (error)
1833 return error;
1834
1835 return cred_has_perm(old, new, PROCESS__SETCAP);
1836 }
1837
1838 /*
1839 * (This comment used to live with the selinux_task_setuid hook,
1840 * which was removed).
1841 *
1842 * Since setuid only affects the current process, and since the SELinux
1843 * controls are not based on the Linux identity attributes, SELinux does not
1844 * need to control this operation. However, SELinux does control the use of
1845 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1846 */
1847
1848 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1849 int cap, int audit)
1850 {
1851 int rc;
1852
1853 rc = cap_capable(tsk, cred, cap, audit);
1854 if (rc)
1855 return rc;
1856
1857 return task_has_capability(tsk, cred, cap, audit);
1858 }
1859
1860 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1861 {
1862 const struct cred *cred = current_cred();
1863 int rc = 0;
1864
1865 if (!sb)
1866 return 0;
1867
1868 switch (cmds) {
1869 case Q_SYNC:
1870 case Q_QUOTAON:
1871 case Q_QUOTAOFF:
1872 case Q_SETINFO:
1873 case Q_SETQUOTA:
1874 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1875 break;
1876 case Q_GETFMT:
1877 case Q_GETINFO:
1878 case Q_GETQUOTA:
1879 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1880 break;
1881 default:
1882 rc = 0; /* let the kernel handle invalid cmds */
1883 break;
1884 }
1885 return rc;
1886 }
1887
1888 static int selinux_quota_on(struct dentry *dentry)
1889 {
1890 const struct cred *cred = current_cred();
1891
1892 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1893 }
1894
1895 static int selinux_syslog(int type)
1896 {
1897 int rc;
1898
1899 switch (type) {
1900 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1901 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1902 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1903 break;
1904 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1905 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1906 /* Set level of messages printed to console */
1907 case SYSLOG_ACTION_CONSOLE_LEVEL:
1908 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1909 break;
1910 case SYSLOG_ACTION_CLOSE: /* Close log */
1911 case SYSLOG_ACTION_OPEN: /* Open log */
1912 case SYSLOG_ACTION_READ: /* Read from log */
1913 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1914 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1915 default:
1916 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1917 break;
1918 }
1919 return rc;
1920 }
1921
1922 /*
1923 * Check that a process has enough memory to allocate a new virtual
1924 * mapping. 0 means there is enough memory for the allocation to
1925 * succeed and -ENOMEM implies there is not.
1926 *
1927 * Do not audit the selinux permission check, as this is applied to all
1928 * processes that allocate mappings.
1929 */
1930 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1931 {
1932 int rc, cap_sys_admin = 0;
1933
1934 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
1935 SECURITY_CAP_NOAUDIT);
1936 if (rc == 0)
1937 cap_sys_admin = 1;
1938
1939 return __vm_enough_memory(mm, pages, cap_sys_admin);
1940 }
1941
1942 /* binprm security operations */
1943
1944 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1945 {
1946 const struct task_security_struct *old_tsec;
1947 struct task_security_struct *new_tsec;
1948 struct inode_security_struct *isec;
1949 struct common_audit_data ad;
1950 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1951 int rc;
1952
1953 rc = cap_bprm_set_creds(bprm);
1954 if (rc)
1955 return rc;
1956
1957 /* SELinux context only depends on initial program or script and not
1958 * the script interpreter */
1959 if (bprm->cred_prepared)
1960 return 0;
1961
1962 old_tsec = current_security();
1963 new_tsec = bprm->cred->security;
1964 isec = inode->i_security;
1965
1966 /* Default to the current task SID. */
1967 new_tsec->sid = old_tsec->sid;
1968 new_tsec->osid = old_tsec->sid;
1969
1970 /* Reset fs, key, and sock SIDs on execve. */
1971 new_tsec->create_sid = 0;
1972 new_tsec->keycreate_sid = 0;
1973 new_tsec->sockcreate_sid = 0;
1974
1975 if (old_tsec->exec_sid) {
1976 new_tsec->sid = old_tsec->exec_sid;
1977 /* Reset exec SID on execve. */
1978 new_tsec->exec_sid = 0;
1979 } else {
1980 /* Check for a default transition on this program. */
1981 rc = security_transition_sid(old_tsec->sid, isec->sid,
1982 SECCLASS_PROCESS, NULL,
1983 &new_tsec->sid);
1984 if (rc)
1985 return rc;
1986 }
1987
1988 COMMON_AUDIT_DATA_INIT(&ad, FS);
1989 ad.u.fs.path = bprm->file->f_path;
1990
1991 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1992 new_tsec->sid = old_tsec->sid;
1993
1994 if (new_tsec->sid == old_tsec->sid) {
1995 rc = avc_has_perm(old_tsec->sid, isec->sid,
1996 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1997 if (rc)
1998 return rc;
1999 } else {
2000 /* Check permissions for the transition. */
2001 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2002 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2003 if (rc)
2004 return rc;
2005
2006 rc = avc_has_perm(new_tsec->sid, isec->sid,
2007 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2008 if (rc)
2009 return rc;
2010
2011 /* Check for shared state */
2012 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2013 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2014 SECCLASS_PROCESS, PROCESS__SHARE,
2015 NULL);
2016 if (rc)
2017 return -EPERM;
2018 }
2019
2020 /* Make sure that anyone attempting to ptrace over a task that
2021 * changes its SID has the appropriate permit */
2022 if (bprm->unsafe &
2023 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2024 struct task_struct *tracer;
2025 struct task_security_struct *sec;
2026 u32 ptsid = 0;
2027
2028 rcu_read_lock();
2029 tracer = tracehook_tracer_task(current);
2030 if (likely(tracer != NULL)) {
2031 sec = __task_cred(tracer)->security;
2032 ptsid = sec->sid;
2033 }
2034 rcu_read_unlock();
2035
2036 if (ptsid != 0) {
2037 rc = avc_has_perm(ptsid, new_tsec->sid,
2038 SECCLASS_PROCESS,
2039 PROCESS__PTRACE, NULL);
2040 if (rc)
2041 return -EPERM;
2042 }
2043 }
2044
2045 /* Clear any possibly unsafe personality bits on exec: */
2046 bprm->per_clear |= PER_CLEAR_ON_SETID;
2047 }
2048
2049 return 0;
2050 }
2051
2052 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2053 {
2054 const struct task_security_struct *tsec = current_security();
2055 u32 sid, osid;
2056 int atsecure = 0;
2057
2058 sid = tsec->sid;
2059 osid = tsec->osid;
2060
2061 if (osid != sid) {
2062 /* Enable secure mode for SIDs transitions unless
2063 the noatsecure permission is granted between
2064 the two SIDs, i.e. ahp returns 0. */
2065 atsecure = avc_has_perm(osid, sid,
2066 SECCLASS_PROCESS,
2067 PROCESS__NOATSECURE, NULL);
2068 }
2069
2070 return (atsecure || cap_bprm_secureexec(bprm));
2071 }
2072
2073 extern struct vfsmount *selinuxfs_mount;
2074 extern struct dentry *selinux_null;
2075
2076 /* Derived from fs/exec.c:flush_old_files. */
2077 static inline void flush_unauthorized_files(const struct cred *cred,
2078 struct files_struct *files)
2079 {
2080 struct common_audit_data ad;
2081 struct file *file, *devnull = NULL;
2082 struct tty_struct *tty;
2083 struct fdtable *fdt;
2084 long j = -1;
2085 int drop_tty = 0;
2086
2087 tty = get_current_tty();
2088 if (tty) {
2089 spin_lock(&tty_files_lock);
2090 if (!list_empty(&tty->tty_files)) {
2091 struct tty_file_private *file_priv;
2092 struct inode *inode;
2093
2094 /* Revalidate access to controlling tty.
2095 Use inode_has_perm on the tty inode directly rather
2096 than using file_has_perm, as this particular open
2097 file may belong to another process and we are only
2098 interested in the inode-based check here. */
2099 file_priv = list_first_entry(&tty->tty_files,
2100 struct tty_file_private, list);
2101 file = file_priv->file;
2102 inode = file->f_path.dentry->d_inode;
2103 if (inode_has_perm(cred, inode,
2104 FILE__READ | FILE__WRITE, NULL)) {
2105 drop_tty = 1;
2106 }
2107 }
2108 spin_unlock(&tty_files_lock);
2109 tty_kref_put(tty);
2110 }
2111 /* Reset controlling tty. */
2112 if (drop_tty)
2113 no_tty();
2114
2115 /* Revalidate access to inherited open files. */
2116
2117 COMMON_AUDIT_DATA_INIT(&ad, FS);
2118
2119 spin_lock(&files->file_lock);
2120 for (;;) {
2121 unsigned long set, i;
2122 int fd;
2123
2124 j++;
2125 i = j * __NFDBITS;
2126 fdt = files_fdtable(files);
2127 if (i >= fdt->max_fds)
2128 break;
2129 set = fdt->open_fds->fds_bits[j];
2130 if (!set)
2131 continue;
2132 spin_unlock(&files->file_lock);
2133 for ( ; set ; i++, set >>= 1) {
2134 if (set & 1) {
2135 file = fget(i);
2136 if (!file)
2137 continue;
2138 if (file_has_perm(cred,
2139 file,
2140 file_to_av(file))) {
2141 sys_close(i);
2142 fd = get_unused_fd();
2143 if (fd != i) {
2144 if (fd >= 0)
2145 put_unused_fd(fd);
2146 fput(file);
2147 continue;
2148 }
2149 if (devnull) {
2150 get_file(devnull);
2151 } else {
2152 devnull = dentry_open(
2153 dget(selinux_null),
2154 mntget(selinuxfs_mount),
2155 O_RDWR, cred);
2156 if (IS_ERR(devnull)) {
2157 devnull = NULL;
2158 put_unused_fd(fd);
2159 fput(file);
2160 continue;
2161 }
2162 }
2163 fd_install(fd, devnull);
2164 }
2165 fput(file);
2166 }
2167 }
2168 spin_lock(&files->file_lock);
2169
2170 }
2171 spin_unlock(&files->file_lock);
2172 }
2173
2174 /*
2175 * Prepare a process for imminent new credential changes due to exec
2176 */
2177 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2178 {
2179 struct task_security_struct *new_tsec;
2180 struct rlimit *rlim, *initrlim;
2181 int rc, i;
2182
2183 new_tsec = bprm->cred->security;
2184 if (new_tsec->sid == new_tsec->osid)
2185 return;
2186
2187 /* Close files for which the new task SID is not authorized. */
2188 flush_unauthorized_files(bprm->cred, current->files);
2189
2190 /* Always clear parent death signal on SID transitions. */
2191 current->pdeath_signal = 0;
2192
2193 /* Check whether the new SID can inherit resource limits from the old
2194 * SID. If not, reset all soft limits to the lower of the current
2195 * task's hard limit and the init task's soft limit.
2196 *
2197 * Note that the setting of hard limits (even to lower them) can be
2198 * controlled by the setrlimit check. The inclusion of the init task's
2199 * soft limit into the computation is to avoid resetting soft limits
2200 * higher than the default soft limit for cases where the default is
2201 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2202 */
2203 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2204 PROCESS__RLIMITINH, NULL);
2205 if (rc) {
2206 /* protect against do_prlimit() */
2207 task_lock(current);
2208 for (i = 0; i < RLIM_NLIMITS; i++) {
2209 rlim = current->signal->rlim + i;
2210 initrlim = init_task.signal->rlim + i;
2211 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2212 }
2213 task_unlock(current);
2214 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2215 }
2216 }
2217
2218 /*
2219 * Clean up the process immediately after the installation of new credentials
2220 * due to exec
2221 */
2222 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2223 {
2224 const struct task_security_struct *tsec = current_security();
2225 struct itimerval itimer;
2226 u32 osid, sid;
2227 int rc, i;
2228
2229 osid = tsec->osid;
2230 sid = tsec->sid;
2231
2232 if (sid == osid)
2233 return;
2234
2235 /* Check whether the new SID can inherit signal state from the old SID.
2236 * If not, clear itimers to avoid subsequent signal generation and
2237 * flush and unblock signals.
2238 *
2239 * This must occur _after_ the task SID has been updated so that any
2240 * kill done after the flush will be checked against the new SID.
2241 */
2242 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2243 if (rc) {
2244 memset(&itimer, 0, sizeof itimer);
2245 for (i = 0; i < 3; i++)
2246 do_setitimer(i, &itimer, NULL);
2247 spin_lock_irq(&current->sighand->siglock);
2248 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2249 __flush_signals(current);
2250 flush_signal_handlers(current, 1);
2251 sigemptyset(&current->blocked);
2252 }
2253 spin_unlock_irq(&current->sighand->siglock);
2254 }
2255
2256 /* Wake up the parent if it is waiting so that it can recheck
2257 * wait permission to the new task SID. */
2258 read_lock(&tasklist_lock);
2259 __wake_up_parent(current, current->real_parent);
2260 read_unlock(&tasklist_lock);
2261 }
2262
2263 /* superblock security operations */
2264
2265 static int selinux_sb_alloc_security(struct super_block *sb)
2266 {
2267 return superblock_alloc_security(sb);
2268 }
2269
2270 static void selinux_sb_free_security(struct super_block *sb)
2271 {
2272 superblock_free_security(sb);
2273 }
2274
2275 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2276 {
2277 if (plen > olen)
2278 return 0;
2279
2280 return !memcmp(prefix, option, plen);
2281 }
2282
2283 static inline int selinux_option(char *option, int len)
2284 {
2285 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2286 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2287 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2288 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2289 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2290 }
2291
2292 static inline void take_option(char **to, char *from, int *first, int len)
2293 {
2294 if (!*first) {
2295 **to = ',';
2296 *to += 1;
2297 } else
2298 *first = 0;
2299 memcpy(*to, from, len);
2300 *to += len;
2301 }
2302
2303 static inline void take_selinux_option(char **to, char *from, int *first,
2304 int len)
2305 {
2306 int current_size = 0;
2307
2308 if (!*first) {
2309 **to = '|';
2310 *to += 1;
2311 } else
2312 *first = 0;
2313
2314 while (current_size < len) {
2315 if (*from != '"') {
2316 **to = *from;
2317 *to += 1;
2318 }
2319 from += 1;
2320 current_size += 1;
2321 }
2322 }
2323
2324 static int selinux_sb_copy_data(char *orig, char *copy)
2325 {
2326 int fnosec, fsec, rc = 0;
2327 char *in_save, *in_curr, *in_end;
2328 char *sec_curr, *nosec_save, *nosec;
2329 int open_quote = 0;
2330
2331 in_curr = orig;
2332 sec_curr = copy;
2333
2334 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2335 if (!nosec) {
2336 rc = -ENOMEM;
2337 goto out;
2338 }
2339
2340 nosec_save = nosec;
2341 fnosec = fsec = 1;
2342 in_save = in_end = orig;
2343
2344 do {
2345 if (*in_end == '"')
2346 open_quote = !open_quote;
2347 if ((*in_end == ',' && open_quote == 0) ||
2348 *in_end == '\0') {
2349 int len = in_end - in_curr;
2350
2351 if (selinux_option(in_curr, len))
2352 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2353 else
2354 take_option(&nosec, in_curr, &fnosec, len);
2355
2356 in_curr = in_end + 1;
2357 }
2358 } while (*in_end++);
2359
2360 strcpy(in_save, nosec_save);
2361 free_page((unsigned long)nosec_save);
2362 out:
2363 return rc;
2364 }
2365
2366 static int selinux_sb_remount(struct super_block *sb, void *data)
2367 {
2368 int rc, i, *flags;
2369 struct security_mnt_opts opts;
2370 char *secdata, **mount_options;
2371 struct superblock_security_struct *sbsec = sb->s_security;
2372
2373 if (!(sbsec->flags & SE_SBINITIALIZED))
2374 return 0;
2375
2376 if (!data)
2377 return 0;
2378
2379 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2380 return 0;
2381
2382 security_init_mnt_opts(&opts);
2383 secdata = alloc_secdata();
2384 if (!secdata)
2385 return -ENOMEM;
2386 rc = selinux_sb_copy_data(data, secdata);
2387 if (rc)
2388 goto out_free_secdata;
2389
2390 rc = selinux_parse_opts_str(secdata, &opts);
2391 if (rc)
2392 goto out_free_secdata;
2393
2394 mount_options = opts.mnt_opts;
2395 flags = opts.mnt_opts_flags;
2396
2397 for (i = 0; i < opts.num_mnt_opts; i++) {
2398 u32 sid;
2399 size_t len;
2400
2401 if (flags[i] == SE_SBLABELSUPP)
2402 continue;
2403 len = strlen(mount_options[i]);
2404 rc = security_context_to_sid(mount_options[i], len, &sid);
2405 if (rc) {
2406 printk(KERN_WARNING "SELinux: security_context_to_sid"
2407 "(%s) failed for (dev %s, type %s) errno=%d\n",
2408 mount_options[i], sb->s_id, sb->s_type->name, rc);
2409 goto out_free_opts;
2410 }
2411 rc = -EINVAL;
2412 switch (flags[i]) {
2413 case FSCONTEXT_MNT:
2414 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2415 goto out_bad_option;
2416 break;
2417 case CONTEXT_MNT:
2418 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2419 goto out_bad_option;
2420 break;
2421 case ROOTCONTEXT_MNT: {
2422 struct inode_security_struct *root_isec;
2423 root_isec = sb->s_root->d_inode->i_security;
2424
2425 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2426 goto out_bad_option;
2427 break;
2428 }
2429 case DEFCONTEXT_MNT:
2430 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2431 goto out_bad_option;
2432 break;
2433 default:
2434 goto out_free_opts;
2435 }
2436 }
2437
2438 rc = 0;
2439 out_free_opts:
2440 security_free_mnt_opts(&opts);
2441 out_free_secdata:
2442 free_secdata(secdata);
2443 return rc;
2444 out_bad_option:
2445 printk(KERN_WARNING "SELinux: unable to change security options "
2446 "during remount (dev %s, type=%s)\n", sb->s_id,
2447 sb->s_type->name);
2448 goto out_free_opts;
2449 }
2450
2451 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2452 {
2453 const struct cred *cred = current_cred();
2454 struct common_audit_data ad;
2455 int rc;
2456
2457 rc = superblock_doinit(sb, data);
2458 if (rc)
2459 return rc;
2460
2461 /* Allow all mounts performed by the kernel */
2462 if (flags & MS_KERNMOUNT)
2463 return 0;
2464
2465 COMMON_AUDIT_DATA_INIT(&ad, FS);
2466 ad.u.fs.path.dentry = sb->s_root;
2467 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2468 }
2469
2470 static int selinux_sb_statfs(struct dentry *dentry)
2471 {
2472 const struct cred *cred = current_cred();
2473 struct common_audit_data ad;
2474
2475 COMMON_AUDIT_DATA_INIT(&ad, FS);
2476 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2477 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2478 }
2479
2480 static int selinux_mount(char *dev_name,
2481 struct path *path,
2482 char *type,
2483 unsigned long flags,
2484 void *data)
2485 {
2486 const struct cred *cred = current_cred();
2487
2488 if (flags & MS_REMOUNT)
2489 return superblock_has_perm(cred, path->mnt->mnt_sb,
2490 FILESYSTEM__REMOUNT, NULL);
2491 else
2492 return dentry_has_perm(cred, path->mnt, path->dentry,
2493 FILE__MOUNTON);
2494 }
2495
2496 static int selinux_umount(struct vfsmount *mnt, int flags)
2497 {
2498 const struct cred *cred = current_cred();
2499
2500 return superblock_has_perm(cred, mnt->mnt_sb,
2501 FILESYSTEM__UNMOUNT, NULL);
2502 }
2503
2504 /* inode security operations */
2505
2506 static int selinux_inode_alloc_security(struct inode *inode)
2507 {
2508 return inode_alloc_security(inode);
2509 }
2510
2511 static void selinux_inode_free_security(struct inode *inode)
2512 {
2513 inode_free_security(inode);
2514 }
2515
2516 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2517 const struct qstr *qstr, char **name,
2518 void **value, size_t *len)
2519 {
2520 const struct task_security_struct *tsec = current_security();
2521 struct inode_security_struct *dsec;
2522 struct superblock_security_struct *sbsec;
2523 u32 sid, newsid, clen;
2524 int rc;
2525 char *namep = NULL, *context;
2526
2527 dsec = dir->i_security;
2528 sbsec = dir->i_sb->s_security;
2529
2530 sid = tsec->sid;
2531 newsid = tsec->create_sid;
2532
2533 if ((sbsec->flags & SE_SBINITIALIZED) &&
2534 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2535 newsid = sbsec->mntpoint_sid;
2536 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2537 rc = security_transition_sid(sid, dsec->sid,
2538 inode_mode_to_security_class(inode->i_mode),
2539 qstr, &newsid);
2540 if (rc) {
2541 printk(KERN_WARNING "%s: "
2542 "security_transition_sid failed, rc=%d (dev=%s "
2543 "ino=%ld)\n",
2544 __func__,
2545 -rc, inode->i_sb->s_id, inode->i_ino);
2546 return rc;
2547 }
2548 }
2549
2550 /* Possibly defer initialization to selinux_complete_init. */
2551 if (sbsec->flags & SE_SBINITIALIZED) {
2552 struct inode_security_struct *isec = inode->i_security;
2553 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2554 isec->sid = newsid;
2555 isec->initialized = 1;
2556 }
2557
2558 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2559 return -EOPNOTSUPP;
2560
2561 if (name) {
2562 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2563 if (!namep)
2564 return -ENOMEM;
2565 *name = namep;
2566 }
2567
2568 if (value && len) {
2569 rc = security_sid_to_context_force(newsid, &context, &clen);
2570 if (rc) {
2571 kfree(namep);
2572 return rc;
2573 }
2574 *value = context;
2575 *len = clen;
2576 }
2577
2578 return 0;
2579 }
2580
2581 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2582 {
2583 return may_create(dir, dentry, SECCLASS_FILE);
2584 }
2585
2586 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2587 {
2588 return may_link(dir, old_dentry, MAY_LINK);
2589 }
2590
2591 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2592 {
2593 return may_link(dir, dentry, MAY_UNLINK);
2594 }
2595
2596 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2597 {
2598 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2599 }
2600
2601 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2602 {
2603 return may_create(dir, dentry, SECCLASS_DIR);
2604 }
2605
2606 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2607 {
2608 return may_link(dir, dentry, MAY_RMDIR);
2609 }
2610
2611 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2612 {
2613 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2614 }
2615
2616 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2617 struct inode *new_inode, struct dentry *new_dentry)
2618 {
2619 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2620 }
2621
2622 static int selinux_inode_readlink(struct dentry *dentry)
2623 {
2624 const struct cred *cred = current_cred();
2625
2626 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2627 }
2628
2629 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2630 {
2631 const struct cred *cred = current_cred();
2632
2633 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2634 }
2635
2636 static int selinux_inode_permission(struct inode *inode, int mask)
2637 {
2638 const struct cred *cred = current_cred();
2639 struct common_audit_data ad;
2640 u32 perms;
2641 bool from_access;
2642
2643 from_access = mask & MAY_ACCESS;
2644 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2645
2646 /* No permission to check. Existence test. */
2647 if (!mask)
2648 return 0;
2649
2650 COMMON_AUDIT_DATA_INIT(&ad, FS);
2651 ad.u.fs.inode = inode;
2652
2653 if (from_access)
2654 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2655
2656 perms = file_mask_to_av(inode->i_mode, mask);
2657
2658 return inode_has_perm(cred, inode, perms, &ad);
2659 }
2660
2661 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2662 {
2663 const struct cred *cred = current_cred();
2664 unsigned int ia_valid = iattr->ia_valid;
2665
2666 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2667 if (ia_valid & ATTR_FORCE) {
2668 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2669 ATTR_FORCE);
2670 if (!ia_valid)
2671 return 0;
2672 }
2673
2674 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2675 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2676 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2677
2678 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2679 }
2680
2681 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2682 {
2683 const struct cred *cred = current_cred();
2684
2685 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2686 }
2687
2688 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2689 {
2690 const struct cred *cred = current_cred();
2691
2692 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2693 sizeof XATTR_SECURITY_PREFIX - 1)) {
2694 if (!strcmp(name, XATTR_NAME_CAPS)) {
2695 if (!capable(CAP_SETFCAP))
2696 return -EPERM;
2697 } else if (!capable(CAP_SYS_ADMIN)) {
2698 /* A different attribute in the security namespace.
2699 Restrict to administrator. */
2700 return -EPERM;
2701 }
2702 }
2703
2704 /* Not an attribute we recognize, so just check the
2705 ordinary setattr permission. */
2706 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2707 }
2708
2709 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2710 const void *value, size_t size, int flags)
2711 {
2712 struct inode *inode = dentry->d_inode;
2713 struct inode_security_struct *isec = inode->i_security;
2714 struct superblock_security_struct *sbsec;
2715 struct common_audit_data ad;
2716 u32 newsid, sid = current_sid();
2717 int rc = 0;
2718
2719 if (strcmp(name, XATTR_NAME_SELINUX))
2720 return selinux_inode_setotherxattr(dentry, name);
2721
2722 sbsec = inode->i_sb->s_security;
2723 if (!(sbsec->flags & SE_SBLABELSUPP))
2724 return -EOPNOTSUPP;
2725
2726 if (!is_owner_or_cap(inode))
2727 return -EPERM;
2728
2729 COMMON_AUDIT_DATA_INIT(&ad, FS);
2730 ad.u.fs.path.dentry = dentry;
2731
2732 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2733 FILE__RELABELFROM, &ad);
2734 if (rc)
2735 return rc;
2736
2737 rc = security_context_to_sid(value, size, &newsid);
2738 if (rc == -EINVAL) {
2739 if (!capable(CAP_MAC_ADMIN))
2740 return rc;
2741 rc = security_context_to_sid_force(value, size, &newsid);
2742 }
2743 if (rc)
2744 return rc;
2745
2746 rc = avc_has_perm(sid, newsid, isec->sclass,
2747 FILE__RELABELTO, &ad);
2748 if (rc)
2749 return rc;
2750
2751 rc = security_validate_transition(isec->sid, newsid, sid,
2752 isec->sclass);
2753 if (rc)
2754 return rc;
2755
2756 return avc_has_perm(newsid,
2757 sbsec->sid,
2758 SECCLASS_FILESYSTEM,
2759 FILESYSTEM__ASSOCIATE,
2760 &ad);
2761 }
2762
2763 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2764 const void *value, size_t size,
2765 int flags)
2766 {
2767 struct inode *inode = dentry->d_inode;
2768 struct inode_security_struct *isec = inode->i_security;
2769 u32 newsid;
2770 int rc;
2771
2772 if (strcmp(name, XATTR_NAME_SELINUX)) {
2773 /* Not an attribute we recognize, so nothing to do. */
2774 return;
2775 }
2776
2777 rc = security_context_to_sid_force(value, size, &newsid);
2778 if (rc) {
2779 printk(KERN_ERR "SELinux: unable to map context to SID"
2780 "for (%s, %lu), rc=%d\n",
2781 inode->i_sb->s_id, inode->i_ino, -rc);
2782 return;
2783 }
2784
2785 isec->sid = newsid;
2786 return;
2787 }
2788
2789 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2790 {
2791 const struct cred *cred = current_cred();
2792
2793 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2794 }
2795
2796 static int selinux_inode_listxattr(struct dentry *dentry)
2797 {
2798 const struct cred *cred = current_cred();
2799
2800 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2801 }
2802
2803 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2804 {
2805 if (strcmp(name, XATTR_NAME_SELINUX))
2806 return selinux_inode_setotherxattr(dentry, name);
2807
2808 /* No one is allowed to remove a SELinux security label.
2809 You can change the label, but all data must be labeled. */
2810 return -EACCES;
2811 }
2812
2813 /*
2814 * Copy the inode security context value to the user.
2815 *
2816 * Permission check is handled by selinux_inode_getxattr hook.
2817 */
2818 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2819 {
2820 u32 size;
2821 int error;
2822 char *context = NULL;
2823 struct inode_security_struct *isec = inode->i_security;
2824
2825 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2826 return -EOPNOTSUPP;
2827
2828 /*
2829 * If the caller has CAP_MAC_ADMIN, then get the raw context
2830 * value even if it is not defined by current policy; otherwise,
2831 * use the in-core value under current policy.
2832 * Use the non-auditing forms of the permission checks since
2833 * getxattr may be called by unprivileged processes commonly
2834 * and lack of permission just means that we fall back to the
2835 * in-core context value, not a denial.
2836 */
2837 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2838 SECURITY_CAP_NOAUDIT);
2839 if (!error)
2840 error = security_sid_to_context_force(isec->sid, &context,
2841 &size);
2842 else
2843 error = security_sid_to_context(isec->sid, &context, &size);
2844 if (error)
2845 return error;
2846 error = size;
2847 if (alloc) {
2848 *buffer = context;
2849 goto out_nofree;
2850 }
2851 kfree(context);
2852 out_nofree:
2853 return error;
2854 }
2855
2856 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2857 const void *value, size_t size, int flags)
2858 {
2859 struct inode_security_struct *isec = inode->i_security;
2860 u32 newsid;
2861 int rc;
2862
2863 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2864 return -EOPNOTSUPP;
2865
2866 if (!value || !size)
2867 return -EACCES;
2868
2869 rc = security_context_to_sid((void *)value, size, &newsid);
2870 if (rc)
2871 return rc;
2872
2873 isec->sid = newsid;
2874 isec->initialized = 1;
2875 return 0;
2876 }
2877
2878 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2879 {
2880 const int len = sizeof(XATTR_NAME_SELINUX);
2881 if (buffer && len <= buffer_size)
2882 memcpy(buffer, XATTR_NAME_SELINUX, len);
2883 return len;
2884 }
2885
2886 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2887 {
2888 struct inode_security_struct *isec = inode->i_security;
2889 *secid = isec->sid;
2890 }
2891
2892 /* file security operations */
2893
2894 static int selinux_revalidate_file_permission(struct file *file, int mask)
2895 {
2896 const struct cred *cred = current_cred();
2897 struct inode *inode = file->f_path.dentry->d_inode;
2898
2899 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2900 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2901 mask |= MAY_APPEND;
2902
2903 return file_has_perm(cred, file,
2904 file_mask_to_av(inode->i_mode, mask));
2905 }
2906
2907 static int selinux_file_permission(struct file *file, int mask)
2908 {
2909 struct inode *inode = file->f_path.dentry->d_inode;
2910 struct file_security_struct *fsec = file->f_security;
2911 struct inode_security_struct *isec = inode->i_security;
2912 u32 sid = current_sid();
2913
2914 if (!mask)
2915 /* No permission to check. Existence test. */
2916 return 0;
2917
2918 if (sid == fsec->sid && fsec->isid == isec->sid &&
2919 fsec->pseqno == avc_policy_seqno())
2920 /* No change since dentry_open check. */
2921 return 0;
2922
2923 return selinux_revalidate_file_permission(file, mask);
2924 }
2925
2926 static int selinux_file_alloc_security(struct file *file)
2927 {
2928 return file_alloc_security(file);
2929 }
2930
2931 static void selinux_file_free_security(struct file *file)
2932 {
2933 file_free_security(file);
2934 }
2935
2936 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2937 unsigned long arg)
2938 {
2939 const struct cred *cred = current_cred();
2940 int error = 0;
2941
2942 switch (cmd) {
2943 case FIONREAD:
2944 /* fall through */
2945 case FIBMAP:
2946 /* fall through */
2947 case FIGETBSZ:
2948 /* fall through */
2949 case EXT2_IOC_GETFLAGS:
2950 /* fall through */
2951 case EXT2_IOC_GETVERSION:
2952 error = file_has_perm(cred, file, FILE__GETATTR);
2953 break;
2954
2955 case EXT2_IOC_SETFLAGS:
2956 /* fall through */
2957 case EXT2_IOC_SETVERSION:
2958 error = file_has_perm(cred, file, FILE__SETATTR);
2959 break;
2960
2961 /* sys_ioctl() checks */
2962 case FIONBIO:
2963 /* fall through */
2964 case FIOASYNC:
2965 error = file_has_perm(cred, file, 0);
2966 break;
2967
2968 case KDSKBENT:
2969 case KDSKBSENT:
2970 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2971 SECURITY_CAP_AUDIT);
2972 break;
2973
2974 /* default case assumes that the command will go
2975 * to the file's ioctl() function.
2976 */
2977 default:
2978 error = file_has_perm(cred, file, FILE__IOCTL);
2979 }
2980 return error;
2981 }
2982
2983 static int default_noexec;
2984
2985 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2986 {
2987 const struct cred *cred = current_cred();
2988 int rc = 0;
2989
2990 if (default_noexec &&
2991 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2992 /*
2993 * We are making executable an anonymous mapping or a
2994 * private file mapping that will also be writable.
2995 * This has an additional check.
2996 */
2997 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
2998 if (rc)
2999 goto error;
3000 }
3001
3002 if (file) {
3003 /* read access is always possible with a mapping */
3004 u32 av = FILE__READ;
3005
3006 /* write access only matters if the mapping is shared */
3007 if (shared && (prot & PROT_WRITE))
3008 av |= FILE__WRITE;
3009
3010 if (prot & PROT_EXEC)
3011 av |= FILE__EXECUTE;
3012
3013 return file_has_perm(cred, file, av);
3014 }
3015
3016 error:
3017 return rc;
3018 }
3019
3020 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3021 unsigned long prot, unsigned long flags,
3022 unsigned long addr, unsigned long addr_only)
3023 {
3024 int rc = 0;
3025 u32 sid = current_sid();
3026
3027 /*
3028 * notice that we are intentionally putting the SELinux check before
3029 * the secondary cap_file_mmap check. This is such a likely attempt
3030 * at bad behaviour/exploit that we always want to get the AVC, even
3031 * if DAC would have also denied the operation.
3032 */
3033 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3034 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3035 MEMPROTECT__MMAP_ZERO, NULL);
3036 if (rc)
3037 return rc;
3038 }
3039
3040 /* do DAC check on address space usage */
3041 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3042 if (rc || addr_only)
3043 return rc;
3044
3045 if (selinux_checkreqprot)
3046 prot = reqprot;
3047
3048 return file_map_prot_check(file, prot,
3049 (flags & MAP_TYPE) == MAP_SHARED);
3050 }
3051
3052 static int selinux_file_mprotect(struct vm_area_struct *vma,
3053 unsigned long reqprot,
3054 unsigned long prot)
3055 {
3056 const struct cred *cred = current_cred();
3057
3058 if (selinux_checkreqprot)
3059 prot = reqprot;
3060
3061 if (default_noexec &&
3062 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3063 int rc = 0;
3064 if (vma->vm_start >= vma->vm_mm->start_brk &&
3065 vma->vm_end <= vma->vm_mm->brk) {
3066 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3067 } else if (!vma->vm_file &&
3068 vma->vm_start <= vma->vm_mm->start_stack &&
3069 vma->vm_end >= vma->vm_mm->start_stack) {
3070 rc = current_has_perm(current, PROCESS__EXECSTACK);
3071 } else if (vma->vm_file && vma->anon_vma) {
3072 /*
3073 * We are making executable a file mapping that has
3074 * had some COW done. Since pages might have been
3075 * written, check ability to execute the possibly
3076 * modified content. This typically should only
3077 * occur for text relocations.
3078 */
3079 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3080 }
3081 if (rc)
3082 return rc;
3083 }
3084
3085 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3086 }
3087
3088 static int selinux_file_lock(struct file *file, unsigned int cmd)
3089 {
3090 const struct cred *cred = current_cred();
3091
3092 return file_has_perm(cred, file, FILE__LOCK);
3093 }
3094
3095 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3096 unsigned long arg)
3097 {
3098 const struct cred *cred = current_cred();
3099 int err = 0;
3100
3101 switch (cmd) {
3102 case F_SETFL:
3103 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3104 err = -EINVAL;
3105 break;
3106 }
3107
3108 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3109 err = file_has_perm(cred, file, FILE__WRITE);
3110 break;
3111 }
3112 /* fall through */
3113 case F_SETOWN:
3114 case F_SETSIG:
3115 case F_GETFL:
3116 case F_GETOWN:
3117 case F_GETSIG:
3118 /* Just check FD__USE permission */
3119 err = file_has_perm(cred, file, 0);
3120 break;
3121 case F_GETLK:
3122 case F_SETLK:
3123 case F_SETLKW:
3124 #if BITS_PER_LONG == 32
3125 case F_GETLK64:
3126 case F_SETLK64:
3127 case F_SETLKW64:
3128 #endif
3129 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3130 err = -EINVAL;
3131 break;
3132 }
3133 err = file_has_perm(cred, file, FILE__LOCK);
3134 break;
3135 }
3136
3137 return err;
3138 }
3139
3140 static int selinux_file_set_fowner(struct file *file)
3141 {
3142 struct file_security_struct *fsec;
3143
3144 fsec = file->f_security;
3145 fsec->fown_sid = current_sid();
3146
3147 return 0;
3148 }
3149
3150 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3151 struct fown_struct *fown, int signum)
3152 {
3153 struct file *file;
3154 u32 sid = task_sid(tsk);
3155 u32 perm;
3156 struct file_security_struct *fsec;
3157
3158 /* struct fown_struct is never outside the context of a struct file */
3159 file = container_of(fown, struct file, f_owner);
3160
3161 fsec = file->f_security;
3162
3163 if (!signum)
3164 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3165 else
3166 perm = signal_to_av(signum);
3167
3168 return avc_has_perm(fsec->fown_sid, sid,
3169 SECCLASS_PROCESS, perm, NULL);
3170 }
3171
3172 static int selinux_file_receive(struct file *file)
3173 {
3174 const struct cred *cred = current_cred();
3175
3176 return file_has_perm(cred, file, file_to_av(file));
3177 }
3178
3179 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3180 {
3181 struct file_security_struct *fsec;
3182 struct inode *inode;
3183 struct inode_security_struct *isec;
3184
3185 inode = file->f_path.dentry->d_inode;
3186 fsec = file->f_security;
3187 isec = inode->i_security;
3188 /*
3189 * Save inode label and policy sequence number
3190 * at open-time so that selinux_file_permission
3191 * can determine whether revalidation is necessary.
3192 * Task label is already saved in the file security
3193 * struct as its SID.
3194 */
3195 fsec->isid = isec->sid;
3196 fsec->pseqno = avc_policy_seqno();
3197 /*
3198 * Since the inode label or policy seqno may have changed
3199 * between the selinux_inode_permission check and the saving
3200 * of state above, recheck that access is still permitted.
3201 * Otherwise, access might never be revalidated against the
3202 * new inode label or new policy.
3203 * This check is not redundant - do not remove.
3204 */
3205 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3206 }
3207
3208 /* task security operations */
3209
3210 static int selinux_task_create(unsigned long clone_flags)
3211 {
3212 return current_has_perm(current, PROCESS__FORK);
3213 }
3214
3215 /*
3216 * allocate the SELinux part of blank credentials
3217 */
3218 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3219 {
3220 struct task_security_struct *tsec;
3221
3222 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3223 if (!tsec)
3224 return -ENOMEM;
3225
3226 cred->security = tsec;
3227 return 0;
3228 }
3229
3230 /*
3231 * detach and free the LSM part of a set of credentials
3232 */
3233 static void selinux_cred_free(struct cred *cred)
3234 {
3235 struct task_security_struct *tsec = cred->security;
3236
3237 /*
3238 * cred->security == NULL if security_cred_alloc_blank() or
3239 * security_prepare_creds() returned an error.
3240 */
3241 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3242 cred->security = (void *) 0x7UL;
3243 kfree(tsec);
3244 }
3245
3246 /*
3247 * prepare a new set of credentials for modification
3248 */
3249 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3250 gfp_t gfp)
3251 {
3252 const struct task_security_struct *old_tsec;
3253 struct task_security_struct *tsec;
3254
3255 old_tsec = old->security;
3256
3257 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3258 if (!tsec)
3259 return -ENOMEM;
3260
3261 new->security = tsec;
3262 return 0;
3263 }
3264
3265 /*
3266 * transfer the SELinux data to a blank set of creds
3267 */
3268 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3269 {
3270 const struct task_security_struct *old_tsec = old->security;
3271 struct task_security_struct *tsec = new->security;
3272
3273 *tsec = *old_tsec;
3274 }
3275
3276 /*
3277 * set the security data for a kernel service
3278 * - all the creation contexts are set to unlabelled
3279 */
3280 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3281 {
3282 struct task_security_struct *tsec = new->security;
3283 u32 sid = current_sid();
3284 int ret;
3285
3286 ret = avc_has_perm(sid, secid,
3287 SECCLASS_KERNEL_SERVICE,
3288 KERNEL_SERVICE__USE_AS_OVERRIDE,
3289 NULL);
3290 if (ret == 0) {
3291 tsec->sid = secid;
3292 tsec->create_sid = 0;
3293 tsec->keycreate_sid = 0;
3294 tsec->sockcreate_sid = 0;
3295 }
3296 return ret;
3297 }
3298
3299 /*
3300 * set the file creation context in a security record to the same as the
3301 * objective context of the specified inode
3302 */
3303 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3304 {
3305 struct inode_security_struct *isec = inode->i_security;
3306 struct task_security_struct *tsec = new->security;
3307 u32 sid = current_sid();
3308 int ret;
3309
3310 ret = avc_has_perm(sid, isec->sid,
3311 SECCLASS_KERNEL_SERVICE,
3312 KERNEL_SERVICE__CREATE_FILES_AS,
3313 NULL);
3314
3315 if (ret == 0)
3316 tsec->create_sid = isec->sid;
3317 return ret;
3318 }
3319
3320 static int selinux_kernel_module_request(char *kmod_name)
3321 {
3322 u32 sid;
3323 struct common_audit_data ad;
3324
3325 sid = task_sid(current);
3326
3327 COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3328 ad.u.kmod_name = kmod_name;
3329
3330 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3331 SYSTEM__MODULE_REQUEST, &ad);
3332 }
3333
3334 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3335 {
3336 return current_has_perm(p, PROCESS__SETPGID);
3337 }
3338
3339 static int selinux_task_getpgid(struct task_struct *p)
3340 {
3341 return current_has_perm(p, PROCESS__GETPGID);
3342 }
3343
3344 static int selinux_task_getsid(struct task_struct *p)
3345 {
3346 return current_has_perm(p, PROCESS__GETSESSION);
3347 }
3348
3349 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3350 {
3351 *secid = task_sid(p);
3352 }
3353
3354 static int selinux_task_setnice(struct task_struct *p, int nice)
3355 {
3356 int rc;
3357
3358 rc = cap_task_setnice(p, nice);
3359 if (rc)
3360 return rc;
3361
3362 return current_has_perm(p, PROCESS__SETSCHED);
3363 }
3364
3365 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3366 {
3367 int rc;
3368
3369 rc = cap_task_setioprio(p, ioprio);
3370 if (rc)
3371 return rc;
3372
3373 return current_has_perm(p, PROCESS__SETSCHED);
3374 }
3375
3376 static int selinux_task_getioprio(struct task_struct *p)
3377 {
3378 return current_has_perm(p, PROCESS__GETSCHED);
3379 }
3380
3381 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3382 struct rlimit *new_rlim)
3383 {
3384 struct rlimit *old_rlim = p->signal->rlim + resource;
3385
3386 /* Control the ability to change the hard limit (whether
3387 lowering or raising it), so that the hard limit can
3388 later be used as a safe reset point for the soft limit
3389 upon context transitions. See selinux_bprm_committing_creds. */
3390 if (old_rlim->rlim_max != new_rlim->rlim_max)
3391 return current_has_perm(p, PROCESS__SETRLIMIT);
3392
3393 return 0;
3394 }
3395
3396 static int selinux_task_setscheduler(struct task_struct *p)
3397 {
3398 int rc;
3399
3400 rc = cap_task_setscheduler(p);
3401 if (rc)
3402 return rc;
3403
3404 return current_has_perm(p, PROCESS__SETSCHED);
3405 }
3406
3407 static int selinux_task_getscheduler(struct task_struct *p)
3408 {
3409 return current_has_perm(p, PROCESS__GETSCHED);
3410 }
3411
3412 static int selinux_task_movememory(struct task_struct *p)
3413 {
3414 return current_has_perm(p, PROCESS__SETSCHED);
3415 }
3416
3417 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3418 int sig, u32 secid)
3419 {
3420 u32 perm;
3421 int rc;
3422
3423 if (!sig)
3424 perm = PROCESS__SIGNULL; /* null signal; existence test */
3425 else
3426 perm = signal_to_av(sig);
3427 if (secid)
3428 rc = avc_has_perm(secid, task_sid(p),
3429 SECCLASS_PROCESS, perm, NULL);
3430 else
3431 rc = current_has_perm(p, perm);
3432 return rc;
3433 }
3434
3435 static int selinux_task_wait(struct task_struct *p)
3436 {
3437 return task_has_perm(p, current, PROCESS__SIGCHLD);
3438 }
3439
3440 static void selinux_task_to_inode(struct task_struct *p,
3441 struct inode *inode)
3442 {
3443 struct inode_security_struct *isec = inode->i_security;
3444 u32 sid = task_sid(p);
3445
3446 isec->sid = sid;
3447 isec->initialized = 1;
3448 }
3449
3450 /* Returns error only if unable to parse addresses */
3451 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3452 struct common_audit_data *ad, u8 *proto)
3453 {
3454 int offset, ihlen, ret = -EINVAL;
3455 struct iphdr _iph, *ih;
3456
3457 offset = skb_network_offset(skb);
3458 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3459 if (ih == NULL)
3460 goto out;
3461
3462 ihlen = ih->ihl * 4;
3463 if (ihlen < sizeof(_iph))
3464 goto out;
3465
3466 ad->u.net.v4info.saddr = ih->saddr;
3467 ad->u.net.v4info.daddr = ih->daddr;
3468 ret = 0;
3469
3470 if (proto)
3471 *proto = ih->protocol;
3472
3473 switch (ih->protocol) {
3474 case IPPROTO_TCP: {
3475 struct tcphdr _tcph, *th;
3476
3477 if (ntohs(ih->frag_off) & IP_OFFSET)
3478 break;
3479
3480 offset += ihlen;
3481 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3482 if (th == NULL)
3483 break;
3484
3485 ad->u.net.sport = th->source;
3486 ad->u.net.dport = th->dest;
3487 break;
3488 }
3489
3490 case IPPROTO_UDP: {
3491 struct udphdr _udph, *uh;
3492
3493 if (ntohs(ih->frag_off) & IP_OFFSET)
3494 break;
3495
3496 offset += ihlen;
3497 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3498 if (uh == NULL)
3499 break;
3500
3501 ad->u.net.sport = uh->source;
3502 ad->u.net.dport = uh->dest;
3503 break;
3504 }
3505
3506 case IPPROTO_DCCP: {
3507 struct dccp_hdr _dccph, *dh;
3508
3509 if (ntohs(ih->frag_off) & IP_OFFSET)
3510 break;
3511
3512 offset += ihlen;
3513 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3514 if (dh == NULL)
3515 break;
3516
3517 ad->u.net.sport = dh->dccph_sport;
3518 ad->u.net.dport = dh->dccph_dport;
3519 break;
3520 }
3521
3522 default:
3523 break;
3524 }
3525 out:
3526 return ret;
3527 }
3528
3529 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3530
3531 /* Returns error only if unable to parse addresses */
3532 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3533 struct common_audit_data *ad, u8 *proto)
3534 {
3535 u8 nexthdr;
3536 int ret = -EINVAL, offset;
3537 struct ipv6hdr _ipv6h, *ip6;
3538
3539 offset = skb_network_offset(skb);
3540 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3541 if (ip6 == NULL)
3542 goto out;
3543
3544 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3545 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3546 ret = 0;
3547
3548 nexthdr = ip6->nexthdr;
3549 offset += sizeof(_ipv6h);
3550 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3551 if (offset < 0)
3552 goto out;
3553
3554 if (proto)
3555 *proto = nexthdr;
3556
3557 switch (nexthdr) {
3558 case IPPROTO_TCP: {
3559 struct tcphdr _tcph, *th;
3560
3561 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3562 if (th == NULL)
3563 break;
3564
3565 ad->u.net.sport = th->source;
3566 ad->u.net.dport = th->dest;
3567 break;
3568 }
3569
3570 case IPPROTO_UDP: {
3571 struct udphdr _udph, *uh;
3572
3573 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3574 if (uh == NULL)
3575 break;
3576
3577 ad->u.net.sport = uh->source;
3578 ad->u.net.dport = uh->dest;
3579 break;
3580 }
3581
3582 case IPPROTO_DCCP: {
3583 struct dccp_hdr _dccph, *dh;
3584
3585 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3586 if (dh == NULL)
3587 break;
3588
3589 ad->u.net.sport = dh->dccph_sport;
3590 ad->u.net.dport = dh->dccph_dport;
3591 break;
3592 }
3593
3594 /* includes fragments */
3595 default:
3596 break;
3597 }
3598 out:
3599 return ret;
3600 }
3601
3602 #endif /* IPV6 */
3603
3604 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3605 char **_addrp, int src, u8 *proto)
3606 {
3607 char *addrp;
3608 int ret;
3609
3610 switch (ad->u.net.family) {
3611 case PF_INET:
3612 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3613 if (ret)
3614 goto parse_error;
3615 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3616 &ad->u.net.v4info.daddr);
3617 goto okay;
3618
3619 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3620 case PF_INET6:
3621 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3622 if (ret)
3623 goto parse_error;
3624 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3625 &ad->u.net.v6info.daddr);
3626 goto okay;
3627 #endif /* IPV6 */
3628 default:
3629 addrp = NULL;
3630 goto okay;
3631 }
3632
3633 parse_error:
3634 printk(KERN_WARNING
3635 "SELinux: failure in selinux_parse_skb(),"
3636 " unable to parse packet\n");
3637 return ret;
3638
3639 okay:
3640 if (_addrp)
3641 *_addrp = addrp;
3642 return 0;
3643 }
3644
3645 /**
3646 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3647 * @skb: the packet
3648 * @family: protocol family
3649 * @sid: the packet's peer label SID
3650 *
3651 * Description:
3652 * Check the various different forms of network peer labeling and determine
3653 * the peer label/SID for the packet; most of the magic actually occurs in
3654 * the security server function security_net_peersid_cmp(). The function
3655 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3656 * or -EACCES if @sid is invalid due to inconsistencies with the different
3657 * peer labels.
3658 *
3659 */
3660 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3661 {
3662 int err;
3663 u32 xfrm_sid;
3664 u32 nlbl_sid;
3665 u32 nlbl_type;
3666
3667 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3668 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3669
3670 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3671 if (unlikely(err)) {
3672 printk(KERN_WARNING
3673 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3674 " unable to determine packet's peer label\n");
3675 return -EACCES;
3676 }
3677
3678 return 0;
3679 }
3680
3681 /* socket security operations */
3682
3683 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3684 u16 secclass, u32 *socksid)
3685 {
3686 if (tsec->sockcreate_sid > SECSID_NULL) {
3687 *socksid = tsec->sockcreate_sid;
3688 return 0;
3689 }
3690
3691 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3692 socksid);
3693 }
3694
3695 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3696 {
3697 struct sk_security_struct *sksec = sk->sk_security;
3698 struct common_audit_data ad;
3699 u32 tsid = task_sid(task);
3700
3701 if (sksec->sid == SECINITSID_KERNEL)
3702 return 0;
3703
3704 COMMON_AUDIT_DATA_INIT(&ad, NET);
3705 ad.u.net.sk = sk;
3706
3707 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3708 }
3709
3710 static int selinux_socket_create(int family, int type,
3711 int protocol, int kern)
3712 {
3713 const struct task_security_struct *tsec = current_security();
3714 u32 newsid;
3715 u16 secclass;
3716 int rc;
3717
3718 if (kern)
3719 return 0;
3720
3721 secclass = socket_type_to_security_class(family, type, protocol);
3722 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3723 if (rc)
3724 return rc;
3725
3726 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3727 }
3728
3729 static int selinux_socket_post_create(struct socket *sock, int family,
3730 int type, int protocol, int kern)
3731 {
3732 const struct task_security_struct *tsec = current_security();
3733 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3734 struct sk_security_struct *sksec;
3735 int err = 0;
3736
3737 isec->sclass = socket_type_to_security_class(family, type, protocol);
3738
3739 if (kern)
3740 isec->sid = SECINITSID_KERNEL;
3741 else {
3742 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3743 if (err)
3744 return err;
3745 }
3746
3747 isec->initialized = 1;
3748
3749 if (sock->sk) {
3750 sksec = sock->sk->sk_security;
3751 sksec->sid = isec->sid;
3752 sksec->sclass = isec->sclass;
3753 err = selinux_netlbl_socket_post_create(sock->sk, family);
3754 }
3755
3756 return err;
3757 }
3758
3759 /* Range of port numbers used to automatically bind.
3760 Need to determine whether we should perform a name_bind
3761 permission check between the socket and the port number. */
3762
3763 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3764 {
3765 struct sock *sk = sock->sk;
3766 u16 family;
3767 int err;
3768
3769 err = sock_has_perm(current, sk, SOCKET__BIND);
3770 if (err)
3771 goto out;
3772
3773 /*
3774 * If PF_INET or PF_INET6, check name_bind permission for the port.
3775 * Multiple address binding for SCTP is not supported yet: we just
3776 * check the first address now.
3777 */
3778 family = sk->sk_family;
3779 if (family == PF_INET || family == PF_INET6) {
3780 char *addrp;
3781 struct sk_security_struct *sksec = sk->sk_security;
3782 struct common_audit_data ad;
3783 struct sockaddr_in *addr4 = NULL;
3784 struct sockaddr_in6 *addr6 = NULL;
3785 unsigned short snum;
3786 u32 sid, node_perm;
3787
3788 if (family == PF_INET) {
3789 addr4 = (struct sockaddr_in *)address;
3790 snum = ntohs(addr4->sin_port);
3791 addrp = (char *)&addr4->sin_addr.s_addr;
3792 } else {
3793 addr6 = (struct sockaddr_in6 *)address;
3794 snum = ntohs(addr6->sin6_port);
3795 addrp = (char *)&addr6->sin6_addr.s6_addr;
3796 }
3797
3798 if (snum) {
3799 int low, high;
3800
3801 inet_get_local_port_range(&low, &high);
3802
3803 if (snum < max(PROT_SOCK, low) || snum > high) {
3804 err = sel_netport_sid(sk->sk_protocol,
3805 snum, &sid);
3806 if (err)
3807 goto out;
3808 COMMON_AUDIT_DATA_INIT(&ad, NET);
3809 ad.u.net.sport = htons(snum);
3810 ad.u.net.family = family;
3811 err = avc_has_perm(sksec->sid, sid,
3812 sksec->sclass,
3813 SOCKET__NAME_BIND, &ad);
3814 if (err)
3815 goto out;
3816 }
3817 }
3818
3819 switch (sksec->sclass) {
3820 case SECCLASS_TCP_SOCKET:
3821 node_perm = TCP_SOCKET__NODE_BIND;
3822 break;
3823
3824 case SECCLASS_UDP_SOCKET:
3825 node_perm = UDP_SOCKET__NODE_BIND;
3826 break;
3827
3828 case SECCLASS_DCCP_SOCKET:
3829 node_perm = DCCP_SOCKET__NODE_BIND;
3830 break;
3831
3832 default:
3833 node_perm = RAWIP_SOCKET__NODE_BIND;
3834 break;
3835 }
3836
3837 err = sel_netnode_sid(addrp, family, &sid);
3838 if (err)
3839 goto out;
3840
3841 COMMON_AUDIT_DATA_INIT(&ad, NET);
3842 ad.u.net.sport = htons(snum);
3843 ad.u.net.family = family;
3844
3845 if (family == PF_INET)
3846 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3847 else
3848 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3849
3850 err = avc_has_perm(sksec->sid, sid,
3851 sksec->sclass, node_perm, &ad);
3852 if (err)
3853 goto out;
3854 }
3855 out:
3856 return err;
3857 }
3858
3859 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3860 {
3861 struct sock *sk = sock->sk;
3862 struct sk_security_struct *sksec = sk->sk_security;
3863 int err;
3864
3865 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3866 if (err)
3867 return err;
3868
3869 /*
3870 * If a TCP or DCCP socket, check name_connect permission for the port.
3871 */
3872 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3873 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3874 struct common_audit_data ad;
3875 struct sockaddr_in *addr4 = NULL;
3876 struct sockaddr_in6 *addr6 = NULL;
3877 unsigned short snum;
3878 u32 sid, perm;
3879
3880 if (sk->sk_family == PF_INET) {
3881 addr4 = (struct sockaddr_in *)address;
3882 if (addrlen < sizeof(struct sockaddr_in))
3883 return -EINVAL;
3884 snum = ntohs(addr4->sin_port);
3885 } else {
3886 addr6 = (struct sockaddr_in6 *)address;
3887 if (addrlen < SIN6_LEN_RFC2133)
3888 return -EINVAL;
3889 snum = ntohs(addr6->sin6_port);
3890 }
3891
3892 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3893 if (err)
3894 goto out;
3895
3896 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3897 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3898
3899 COMMON_AUDIT_DATA_INIT(&ad, NET);
3900 ad.u.net.dport = htons(snum);
3901 ad.u.net.family = sk->sk_family;
3902 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3903 if (err)
3904 goto out;
3905 }
3906
3907 err = selinux_netlbl_socket_connect(sk, address);
3908
3909 out:
3910 return err;
3911 }
3912
3913 static int selinux_socket_listen(struct socket *sock, int backlog)
3914 {
3915 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3916 }
3917
3918 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3919 {
3920 int err;
3921 struct inode_security_struct *isec;
3922 struct inode_security_struct *newisec;
3923
3924 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3925 if (err)
3926 return err;
3927
3928 newisec = SOCK_INODE(newsock)->i_security;
3929
3930 isec = SOCK_INODE(sock)->i_security;
3931 newisec->sclass = isec->sclass;
3932 newisec->sid = isec->sid;
3933 newisec->initialized = 1;
3934
3935 return 0;
3936 }
3937
3938 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3939 int size)
3940 {
3941 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3942 }
3943
3944 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3945 int size, int flags)
3946 {
3947 return sock_has_perm(current, sock->sk, SOCKET__READ);
3948 }
3949
3950 static int selinux_socket_getsockname(struct socket *sock)
3951 {
3952 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3953 }
3954
3955 static int selinux_socket_getpeername(struct socket *sock)
3956 {
3957 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3958 }
3959
3960 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3961 {
3962 int err;
3963
3964 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3965 if (err)
3966 return err;
3967
3968 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3969 }
3970
3971 static int selinux_socket_getsockopt(struct socket *sock, int level,
3972 int optname)
3973 {
3974 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3975 }
3976
3977 static int selinux_socket_shutdown(struct socket *sock, int how)
3978 {
3979 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3980 }
3981
3982 static int selinux_socket_unix_stream_connect(struct sock *sock,
3983 struct sock *other,
3984 struct sock *newsk)
3985 {
3986 struct sk_security_struct *sksec_sock = sock->sk_security;
3987 struct sk_security_struct *sksec_other = other->sk_security;
3988 struct sk_security_struct *sksec_new = newsk->sk_security;
3989 struct common_audit_data ad;
3990 int err;
3991
3992 COMMON_AUDIT_DATA_INIT(&ad, NET);
3993 ad.u.net.sk = other;
3994
3995 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
3996 sksec_other->sclass,
3997 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3998 if (err)
3999 return err;
4000
4001 /* server child socket */
4002 sksec_new->peer_sid = sksec_sock->sid;
4003 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4004 &sksec_new->sid);
4005 if (err)
4006 return err;
4007
4008 /* connecting socket */
4009 sksec_sock->peer_sid = sksec_new->sid;
4010
4011 return 0;
4012 }
4013
4014 static int selinux_socket_unix_may_send(struct socket *sock,
4015 struct socket *other)
4016 {
4017 struct sk_security_struct *ssec = sock->sk->sk_security;
4018 struct sk_security_struct *osec = other->sk->sk_security;
4019 struct common_audit_data ad;
4020
4021 COMMON_AUDIT_DATA_INIT(&ad, NET);
4022 ad.u.net.sk = other->sk;
4023
4024 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4025 &ad);
4026 }
4027
4028 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4029 u32 peer_sid,
4030 struct common_audit_data *ad)
4031 {
4032 int err;
4033 u32 if_sid;
4034 u32 node_sid;
4035
4036 err = sel_netif_sid(ifindex, &if_sid);
4037 if (err)
4038 return err;
4039 err = avc_has_perm(peer_sid, if_sid,
4040 SECCLASS_NETIF, NETIF__INGRESS, ad);
4041 if (err)
4042 return err;
4043
4044 err = sel_netnode_sid(addrp, family, &node_sid);
4045 if (err)
4046 return err;
4047 return avc_has_perm(peer_sid, node_sid,
4048 SECCLASS_NODE, NODE__RECVFROM, ad);
4049 }
4050
4051 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4052 u16 family)
4053 {
4054 int err = 0;
4055 struct sk_security_struct *sksec = sk->sk_security;
4056 u32 sk_sid = sksec->sid;
4057 struct common_audit_data ad;
4058 char *addrp;
4059
4060 COMMON_AUDIT_DATA_INIT(&ad, NET);
4061 ad.u.net.netif = skb->skb_iif;
4062 ad.u.net.family = family;
4063 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4064 if (err)
4065 return err;
4066
4067 if (selinux_secmark_enabled()) {
4068 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4069 PACKET__RECV, &ad);
4070 if (err)
4071 return err;
4072 }
4073
4074 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4075 if (err)
4076 return err;
4077 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4078
4079 return err;
4080 }
4081
4082 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4083 {
4084 int err;
4085 struct sk_security_struct *sksec = sk->sk_security;
4086 u16 family = sk->sk_family;
4087 u32 sk_sid = sksec->sid;
4088 struct common_audit_data ad;
4089 char *addrp;
4090 u8 secmark_active;
4091 u8 peerlbl_active;
4092
4093 if (family != PF_INET && family != PF_INET6)
4094 return 0;
4095
4096 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4097 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4098 family = PF_INET;
4099
4100 /* If any sort of compatibility mode is enabled then handoff processing
4101 * to the selinux_sock_rcv_skb_compat() function to deal with the
4102 * special handling. We do this in an attempt to keep this function
4103 * as fast and as clean as possible. */
4104 if (!selinux_policycap_netpeer)
4105 return selinux_sock_rcv_skb_compat(sk, skb, family);
4106
4107 secmark_active = selinux_secmark_enabled();
4108 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4109 if (!secmark_active && !peerlbl_active)
4110 return 0;
4111
4112 COMMON_AUDIT_DATA_INIT(&ad, NET);
4113 ad.u.net.netif = skb->skb_iif;
4114 ad.u.net.family = family;
4115 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4116 if (err)
4117 return err;
4118
4119 if (peerlbl_active) {
4120 u32 peer_sid;
4121
4122 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4123 if (err)
4124 return err;
4125 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4126 peer_sid, &ad);
4127 if (err) {
4128 selinux_netlbl_err(skb, err, 0);
4129 return err;
4130 }
4131 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4132 PEER__RECV, &ad);
4133 if (err)
4134 selinux_netlbl_err(skb, err, 0);
4135 }
4136
4137 if (secmark_active) {
4138 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4139 PACKET__RECV, &ad);
4140 if (err)
4141 return err;
4142 }
4143
4144 return err;
4145 }
4146
4147 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4148 int __user *optlen, unsigned len)
4149 {
4150 int err = 0;
4151 char *scontext;
4152 u32 scontext_len;
4153 struct sk_security_struct *sksec = sock->sk->sk_security;
4154 u32 peer_sid = SECSID_NULL;
4155
4156 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4157 sksec->sclass == SECCLASS_TCP_SOCKET)
4158 peer_sid = sksec->peer_sid;
4159 if (peer_sid == SECSID_NULL)
4160 return -ENOPROTOOPT;
4161
4162 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4163 if (err)
4164 return err;
4165
4166 if (scontext_len > len) {
4167 err = -ERANGE;
4168 goto out_len;
4169 }
4170
4171 if (copy_to_user(optval, scontext, scontext_len))
4172 err = -EFAULT;
4173
4174 out_len:
4175 if (put_user(scontext_len, optlen))
4176 err = -EFAULT;
4177 kfree(scontext);
4178 return err;
4179 }
4180
4181 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4182 {
4183 u32 peer_secid = SECSID_NULL;
4184 u16 family;
4185
4186 if (skb && skb->protocol == htons(ETH_P_IP))
4187 family = PF_INET;
4188 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4189 family = PF_INET6;
4190 else if (sock)
4191 family = sock->sk->sk_family;
4192 else
4193 goto out;
4194
4195 if (sock && family == PF_UNIX)
4196 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4197 else if (skb)
4198 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4199
4200 out:
4201 *secid = peer_secid;
4202 if (peer_secid == SECSID_NULL)
4203 return -EINVAL;
4204 return 0;
4205 }
4206
4207 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4208 {
4209 struct sk_security_struct *sksec;
4210
4211 sksec = kzalloc(sizeof(*sksec), priority);
4212 if (!sksec)
4213 return -ENOMEM;
4214
4215 sksec->peer_sid = SECINITSID_UNLABELED;
4216 sksec->sid = SECINITSID_UNLABELED;
4217 selinux_netlbl_sk_security_reset(sksec);
4218 sk->sk_security = sksec;
4219
4220 return 0;
4221 }
4222
4223 static void selinux_sk_free_security(struct sock *sk)
4224 {
4225 struct sk_security_struct *sksec = sk->sk_security;
4226
4227 sk->sk_security = NULL;
4228 selinux_netlbl_sk_security_free(sksec);
4229 kfree(sksec);
4230 }
4231
4232 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4233 {
4234 struct sk_security_struct *sksec = sk->sk_security;
4235 struct sk_security_struct *newsksec = newsk->sk_security;
4236
4237 newsksec->sid = sksec->sid;
4238 newsksec->peer_sid = sksec->peer_sid;
4239 newsksec->sclass = sksec->sclass;
4240
4241 selinux_netlbl_sk_security_reset(newsksec);
4242 }
4243
4244 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4245 {
4246 if (!sk)
4247 *secid = SECINITSID_ANY_SOCKET;
4248 else {
4249 struct sk_security_struct *sksec = sk->sk_security;
4250
4251 *secid = sksec->sid;
4252 }
4253 }
4254
4255 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4256 {
4257 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4258 struct sk_security_struct *sksec = sk->sk_security;
4259
4260 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4261 sk->sk_family == PF_UNIX)
4262 isec->sid = sksec->sid;
4263 sksec->sclass = isec->sclass;
4264 }
4265
4266 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4267 struct request_sock *req)
4268 {
4269 struct sk_security_struct *sksec = sk->sk_security;
4270 int err;
4271 u16 family = sk->sk_family;
4272 u32 newsid;
4273 u32 peersid;
4274
4275 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4276 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4277 family = PF_INET;
4278
4279 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4280 if (err)
4281 return err;
4282 if (peersid == SECSID_NULL) {
4283 req->secid = sksec->sid;
4284 req->peer_secid = SECSID_NULL;
4285 } else {
4286 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4287 if (err)
4288 return err;
4289 req->secid = newsid;
4290 req->peer_secid = peersid;
4291 }
4292
4293 return selinux_netlbl_inet_conn_request(req, family);
4294 }
4295
4296 static void selinux_inet_csk_clone(struct sock *newsk,
4297 const struct request_sock *req)
4298 {
4299 struct sk_security_struct *newsksec = newsk->sk_security;
4300
4301 newsksec->sid = req->secid;
4302 newsksec->peer_sid = req->peer_secid;
4303 /* NOTE: Ideally, we should also get the isec->sid for the
4304 new socket in sync, but we don't have the isec available yet.
4305 So we will wait until sock_graft to do it, by which
4306 time it will have been created and available. */
4307
4308 /* We don't need to take any sort of lock here as we are the only
4309 * thread with access to newsksec */
4310 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4311 }
4312
4313 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4314 {
4315 u16 family = sk->sk_family;
4316 struct sk_security_struct *sksec = sk->sk_security;
4317
4318 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4319 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4320 family = PF_INET;
4321
4322 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4323 }
4324
4325 static int selinux_secmark_relabel_packet(u32 sid)
4326 {
4327 const struct task_security_struct *__tsec;
4328 u32 tsid;
4329
4330 __tsec = current_security();
4331 tsid = __tsec->sid;
4332
4333 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4334 }
4335
4336 static void selinux_secmark_refcount_inc(void)
4337 {
4338 atomic_inc(&selinux_secmark_refcount);
4339 }
4340
4341 static void selinux_secmark_refcount_dec(void)
4342 {
4343 atomic_dec(&selinux_secmark_refcount);
4344 }
4345
4346 static void selinux_req_classify_flow(const struct request_sock *req,
4347 struct flowi *fl)
4348 {
4349 fl->secid = req->secid;
4350 }
4351
4352 static int selinux_tun_dev_create(void)
4353 {
4354 u32 sid = current_sid();
4355
4356 /* we aren't taking into account the "sockcreate" SID since the socket
4357 * that is being created here is not a socket in the traditional sense,
4358 * instead it is a private sock, accessible only to the kernel, and
4359 * representing a wide range of network traffic spanning multiple
4360 * connections unlike traditional sockets - check the TUN driver to
4361 * get a better understanding of why this socket is special */
4362
4363 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4364 NULL);
4365 }
4366
4367 static void selinux_tun_dev_post_create(struct sock *sk)
4368 {
4369 struct sk_security_struct *sksec = sk->sk_security;
4370
4371 /* we don't currently perform any NetLabel based labeling here and it
4372 * isn't clear that we would want to do so anyway; while we could apply
4373 * labeling without the support of the TUN user the resulting labeled
4374 * traffic from the other end of the connection would almost certainly
4375 * cause confusion to the TUN user that had no idea network labeling
4376 * protocols were being used */
4377
4378 /* see the comments in selinux_tun_dev_create() about why we don't use
4379 * the sockcreate SID here */
4380
4381 sksec->sid = current_sid();
4382 sksec->sclass = SECCLASS_TUN_SOCKET;
4383 }
4384
4385 static int selinux_tun_dev_attach(struct sock *sk)
4386 {
4387 struct sk_security_struct *sksec = sk->sk_security;
4388 u32 sid = current_sid();
4389 int err;
4390
4391 err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4392 TUN_SOCKET__RELABELFROM, NULL);
4393 if (err)
4394 return err;
4395 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4396 TUN_SOCKET__RELABELTO, NULL);
4397 if (err)
4398 return err;
4399
4400 sksec->sid = sid;
4401
4402 return 0;
4403 }
4404
4405 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4406 {
4407 int err = 0;
4408 u32 perm;
4409 struct nlmsghdr *nlh;
4410 struct sk_security_struct *sksec = sk->sk_security;
4411
4412 if (skb->len < NLMSG_SPACE(0)) {
4413 err = -EINVAL;
4414 goto out;
4415 }
4416 nlh = nlmsg_hdr(skb);
4417
4418 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4419 if (err) {
4420 if (err == -EINVAL) {
4421 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4422 "SELinux: unrecognized netlink message"
4423 " type=%hu for sclass=%hu\n",
4424 nlh->nlmsg_type, sksec->sclass);
4425 if (!selinux_enforcing || security_get_allow_unknown())
4426 err = 0;
4427 }
4428
4429 /* Ignore */
4430 if (err == -ENOENT)
4431 err = 0;
4432 goto out;
4433 }
4434
4435 err = sock_has_perm(current, sk, perm);
4436 out:
4437 return err;
4438 }
4439
4440 #ifdef CONFIG_NETFILTER
4441
4442 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4443 u16 family)
4444 {
4445 int err;
4446 char *addrp;
4447 u32 peer_sid;
4448 struct common_audit_data ad;
4449 u8 secmark_active;
4450 u8 netlbl_active;
4451 u8 peerlbl_active;
4452
4453 if (!selinux_policycap_netpeer)
4454 return NF_ACCEPT;
4455
4456 secmark_active = selinux_secmark_enabled();
4457 netlbl_active = netlbl_enabled();
4458 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4459 if (!secmark_active && !peerlbl_active)
4460 return NF_ACCEPT;
4461
4462 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4463 return NF_DROP;
4464
4465 COMMON_AUDIT_DATA_INIT(&ad, NET);
4466 ad.u.net.netif = ifindex;
4467 ad.u.net.family = family;
4468 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4469 return NF_DROP;
4470
4471 if (peerlbl_active) {
4472 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4473 peer_sid, &ad);
4474 if (err) {
4475 selinux_netlbl_err(skb, err, 1);
4476 return NF_DROP;
4477 }
4478 }
4479
4480 if (secmark_active)
4481 if (avc_has_perm(peer_sid, skb->secmark,
4482 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4483 return NF_DROP;
4484
4485 if (netlbl_active)
4486 /* we do this in the FORWARD path and not the POST_ROUTING
4487 * path because we want to make sure we apply the necessary
4488 * labeling before IPsec is applied so we can leverage AH
4489 * protection */
4490 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4491 return NF_DROP;
4492
4493 return NF_ACCEPT;
4494 }
4495
4496 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4497 struct sk_buff *skb,
4498 const struct net_device *in,
4499 const struct net_device *out,
4500 int (*okfn)(struct sk_buff *))
4501 {
4502 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4503 }
4504
4505 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4506 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4507 struct sk_buff *skb,
4508 const struct net_device *in,
4509 const struct net_device *out,
4510 int (*okfn)(struct sk_buff *))
4511 {
4512 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4513 }
4514 #endif /* IPV6 */
4515
4516 static unsigned int selinux_ip_output(struct sk_buff *skb,
4517 u16 family)
4518 {
4519 u32 sid;
4520
4521 if (!netlbl_enabled())
4522 return NF_ACCEPT;
4523
4524 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4525 * because we want to make sure we apply the necessary labeling
4526 * before IPsec is applied so we can leverage AH protection */
4527 if (skb->sk) {
4528 struct sk_security_struct *sksec = skb->sk->sk_security;
4529 sid = sksec->sid;
4530 } else
4531 sid = SECINITSID_KERNEL;
4532 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4533 return NF_DROP;
4534
4535 return NF_ACCEPT;
4536 }
4537
4538 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4539 struct sk_buff *skb,
4540 const struct net_device *in,
4541 const struct net_device *out,
4542 int (*okfn)(struct sk_buff *))
4543 {
4544 return selinux_ip_output(skb, PF_INET);
4545 }
4546
4547 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4548 int ifindex,
4549 u16 family)
4550 {
4551 struct sock *sk = skb->sk;
4552 struct sk_security_struct *sksec;
4553 struct common_audit_data ad;
4554 char *addrp;
4555 u8 proto;
4556
4557 if (sk == NULL)
4558 return NF_ACCEPT;
4559 sksec = sk->sk_security;
4560
4561 COMMON_AUDIT_DATA_INIT(&ad, NET);
4562 ad.u.net.netif = ifindex;
4563 ad.u.net.family = family;
4564 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4565 return NF_DROP;
4566
4567 if (selinux_secmark_enabled())
4568 if (avc_has_perm(sksec->sid, skb->secmark,
4569 SECCLASS_PACKET, PACKET__SEND, &ad))
4570 return NF_DROP_ERR(-ECONNREFUSED);
4571
4572 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4573 return NF_DROP_ERR(-ECONNREFUSED);
4574
4575 return NF_ACCEPT;
4576 }
4577
4578 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4579 u16 family)
4580 {
4581 u32 secmark_perm;
4582 u32 peer_sid;
4583 struct sock *sk;
4584 struct common_audit_data ad;
4585 char *addrp;
4586 u8 secmark_active;
4587 u8 peerlbl_active;
4588
4589 /* If any sort of compatibility mode is enabled then handoff processing
4590 * to the selinux_ip_postroute_compat() function to deal with the
4591 * special handling. We do this in an attempt to keep this function
4592 * as fast and as clean as possible. */
4593 if (!selinux_policycap_netpeer)
4594 return selinux_ip_postroute_compat(skb, ifindex, family);
4595 #ifdef CONFIG_XFRM
4596 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4597 * packet transformation so allow the packet to pass without any checks
4598 * since we'll have another chance to perform access control checks
4599 * when the packet is on it's final way out.
4600 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4601 * is NULL, in this case go ahead and apply access control. */
4602 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4603 return NF_ACCEPT;
4604 #endif
4605 secmark_active = selinux_secmark_enabled();
4606 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4607 if (!secmark_active && !peerlbl_active)
4608 return NF_ACCEPT;
4609
4610 /* if the packet is being forwarded then get the peer label from the
4611 * packet itself; otherwise check to see if it is from a local
4612 * application or the kernel, if from an application get the peer label
4613 * from the sending socket, otherwise use the kernel's sid */
4614 sk = skb->sk;
4615 if (sk == NULL) {
4616 if (skb->skb_iif) {
4617 secmark_perm = PACKET__FORWARD_OUT;
4618 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4619 return NF_DROP;
4620 } else {
4621 secmark_perm = PACKET__SEND;
4622 peer_sid = SECINITSID_KERNEL;
4623 }
4624 } else {
4625 struct sk_security_struct *sksec = sk->sk_security;
4626 peer_sid = sksec->sid;
4627 secmark_perm = PACKET__SEND;
4628 }
4629
4630 COMMON_AUDIT_DATA_INIT(&ad, NET);
4631 ad.u.net.netif = ifindex;
4632 ad.u.net.family = family;
4633 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4634 return NF_DROP;
4635
4636 if (secmark_active)
4637 if (avc_has_perm(peer_sid, skb->secmark,
4638 SECCLASS_PACKET, secmark_perm, &ad))
4639 return NF_DROP_ERR(-ECONNREFUSED);
4640
4641 if (peerlbl_active) {
4642 u32 if_sid;
4643 u32 node_sid;
4644
4645 if (sel_netif_sid(ifindex, &if_sid))
4646 return NF_DROP;
4647 if (avc_has_perm(peer_sid, if_sid,
4648 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4649 return NF_DROP_ERR(-ECONNREFUSED);
4650
4651 if (sel_netnode_sid(addrp, family, &node_sid))
4652 return NF_DROP;
4653 if (avc_has_perm(peer_sid, node_sid,
4654 SECCLASS_NODE, NODE__SENDTO, &ad))
4655 return NF_DROP_ERR(-ECONNREFUSED);
4656 }
4657
4658 return NF_ACCEPT;
4659 }
4660
4661 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4662 struct sk_buff *skb,
4663 const struct net_device *in,
4664 const struct net_device *out,
4665 int (*okfn)(struct sk_buff *))
4666 {
4667 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4668 }
4669
4670 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4671 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4672 struct sk_buff *skb,
4673 const struct net_device *in,
4674 const struct net_device *out,
4675 int (*okfn)(struct sk_buff *))
4676 {
4677 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4678 }
4679 #endif /* IPV6 */
4680
4681 #endif /* CONFIG_NETFILTER */
4682
4683 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4684 {
4685 int err;
4686
4687 err = cap_netlink_send(sk, skb);
4688 if (err)
4689 return err;
4690
4691 return selinux_nlmsg_perm(sk, skb);
4692 }
4693
4694 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4695 {
4696 int err;
4697 struct common_audit_data ad;
4698
4699 err = cap_netlink_recv(skb, capability);
4700 if (err)
4701 return err;
4702
4703 COMMON_AUDIT_DATA_INIT(&ad, CAP);
4704 ad.u.cap = capability;
4705
4706 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4707 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4708 }
4709
4710 static int ipc_alloc_security(struct task_struct *task,
4711 struct kern_ipc_perm *perm,
4712 u16 sclass)
4713 {
4714 struct ipc_security_struct *isec;
4715 u32 sid;
4716
4717 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4718 if (!isec)
4719 return -ENOMEM;
4720
4721 sid = task_sid(task);
4722 isec->sclass = sclass;
4723 isec->sid = sid;
4724 perm->security = isec;
4725
4726 return 0;
4727 }
4728
4729 static void ipc_free_security(struct kern_ipc_perm *perm)
4730 {
4731 struct ipc_security_struct *isec = perm->security;
4732 perm->security = NULL;
4733 kfree(isec);
4734 }
4735
4736 static int msg_msg_alloc_security(struct msg_msg *msg)
4737 {
4738 struct msg_security_struct *msec;
4739
4740 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4741 if (!msec)
4742 return -ENOMEM;
4743
4744 msec->sid = SECINITSID_UNLABELED;
4745 msg->security = msec;
4746
4747 return 0;
4748 }
4749
4750 static void msg_msg_free_security(struct msg_msg *msg)
4751 {
4752 struct msg_security_struct *msec = msg->security;
4753
4754 msg->security = NULL;
4755 kfree(msec);
4756 }
4757
4758 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4759 u32 perms)
4760 {
4761 struct ipc_security_struct *isec;
4762 struct common_audit_data ad;
4763 u32 sid = current_sid();
4764
4765 isec = ipc_perms->security;
4766
4767 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4768 ad.u.ipc_id = ipc_perms->key;
4769
4770 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4771 }
4772
4773 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4774 {
4775 return msg_msg_alloc_security(msg);
4776 }
4777
4778 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4779 {
4780 msg_msg_free_security(msg);
4781 }
4782
4783 /* message queue security operations */
4784 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4785 {
4786 struct ipc_security_struct *isec;
4787 struct common_audit_data ad;
4788 u32 sid = current_sid();
4789 int rc;
4790
4791 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4792 if (rc)
4793 return rc;
4794
4795 isec = msq->q_perm.security;
4796
4797 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4798 ad.u.ipc_id = msq->q_perm.key;
4799
4800 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4801 MSGQ__CREATE, &ad);
4802 if (rc) {
4803 ipc_free_security(&msq->q_perm);
4804 return rc;
4805 }
4806 return 0;
4807 }
4808
4809 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4810 {
4811 ipc_free_security(&msq->q_perm);
4812 }
4813
4814 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4815 {
4816 struct ipc_security_struct *isec;
4817 struct common_audit_data ad;
4818 u32 sid = current_sid();
4819
4820 isec = msq->q_perm.security;
4821
4822 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4823 ad.u.ipc_id = msq->q_perm.key;
4824
4825 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4826 MSGQ__ASSOCIATE, &ad);
4827 }
4828
4829 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4830 {
4831 int err;
4832 int perms;
4833
4834 switch (cmd) {
4835 case IPC_INFO:
4836 case MSG_INFO:
4837 /* No specific object, just general system-wide information. */
4838 return task_has_system(current, SYSTEM__IPC_INFO);
4839 case IPC_STAT:
4840 case MSG_STAT:
4841 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4842 break;
4843 case IPC_SET:
4844 perms = MSGQ__SETATTR;
4845 break;
4846 case IPC_RMID:
4847 perms = MSGQ__DESTROY;
4848 break;
4849 default:
4850 return 0;
4851 }
4852
4853 err = ipc_has_perm(&msq->q_perm, perms);
4854 return err;
4855 }
4856
4857 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4858 {
4859 struct ipc_security_struct *isec;
4860 struct msg_security_struct *msec;
4861 struct common_audit_data ad;
4862 u32 sid = current_sid();
4863 int rc;
4864
4865 isec = msq->q_perm.security;
4866 msec = msg->security;
4867
4868 /*
4869 * First time through, need to assign label to the message
4870 */
4871 if (msec->sid == SECINITSID_UNLABELED) {
4872 /*
4873 * Compute new sid based on current process and
4874 * message queue this message will be stored in
4875 */
4876 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4877 NULL, &msec->sid);
4878 if (rc)
4879 return rc;
4880 }
4881
4882 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4883 ad.u.ipc_id = msq->q_perm.key;
4884
4885 /* Can this process write to the queue? */
4886 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4887 MSGQ__WRITE, &ad);
4888 if (!rc)
4889 /* Can this process send the message */
4890 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4891 MSG__SEND, &ad);
4892 if (!rc)
4893 /* Can the message be put in the queue? */
4894 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4895 MSGQ__ENQUEUE, &ad);
4896
4897 return rc;
4898 }
4899
4900 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4901 struct task_struct *target,
4902 long type, int mode)
4903 {
4904 struct ipc_security_struct *isec;
4905 struct msg_security_struct *msec;
4906 struct common_audit_data ad;
4907 u32 sid = task_sid(target);
4908 int rc;
4909
4910 isec = msq->q_perm.security;
4911 msec = msg->security;
4912
4913 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4914 ad.u.ipc_id = msq->q_perm.key;
4915
4916 rc = avc_has_perm(sid, isec->sid,
4917 SECCLASS_MSGQ, MSGQ__READ, &ad);
4918 if (!rc)
4919 rc = avc_has_perm(sid, msec->sid,
4920 SECCLASS_MSG, MSG__RECEIVE, &ad);
4921 return rc;
4922 }
4923
4924 /* Shared Memory security operations */
4925 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4926 {
4927 struct ipc_security_struct *isec;
4928 struct common_audit_data ad;
4929 u32 sid = current_sid();
4930 int rc;
4931
4932 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4933 if (rc)
4934 return rc;
4935
4936 isec = shp->shm_perm.security;
4937
4938 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4939 ad.u.ipc_id = shp->shm_perm.key;
4940
4941 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4942 SHM__CREATE, &ad);
4943 if (rc) {
4944 ipc_free_security(&shp->shm_perm);
4945 return rc;
4946 }
4947 return 0;
4948 }
4949
4950 static void selinux_shm_free_security(struct shmid_kernel *shp)
4951 {
4952 ipc_free_security(&shp->shm_perm);
4953 }
4954
4955 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4956 {
4957 struct ipc_security_struct *isec;
4958 struct common_audit_data ad;
4959 u32 sid = current_sid();
4960
4961 isec = shp->shm_perm.security;
4962
4963 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4964 ad.u.ipc_id = shp->shm_perm.key;
4965
4966 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4967 SHM__ASSOCIATE, &ad);
4968 }
4969
4970 /* Note, at this point, shp is locked down */
4971 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4972 {
4973 int perms;
4974 int err;
4975
4976 switch (cmd) {
4977 case IPC_INFO:
4978 case SHM_INFO:
4979 /* No specific object, just general system-wide information. */
4980 return task_has_system(current, SYSTEM__IPC_INFO);
4981 case IPC_STAT:
4982 case SHM_STAT:
4983 perms = SHM__GETATTR | SHM__ASSOCIATE;
4984 break;
4985 case IPC_SET:
4986 perms = SHM__SETATTR;
4987 break;
4988 case SHM_LOCK:
4989 case SHM_UNLOCK:
4990 perms = SHM__LOCK;
4991 break;
4992 case IPC_RMID:
4993 perms = SHM__DESTROY;
4994 break;
4995 default:
4996 return 0;
4997 }
4998
4999 err = ipc_has_perm(&shp->shm_perm, perms);
5000 return err;
5001 }
5002
5003 static int selinux_shm_shmat(struct shmid_kernel *shp,
5004 char __user *shmaddr, int shmflg)
5005 {
5006 u32 perms;
5007
5008 if (shmflg & SHM_RDONLY)
5009 perms = SHM__READ;
5010 else
5011 perms = SHM__READ | SHM__WRITE;
5012
5013 return ipc_has_perm(&shp->shm_perm, perms);
5014 }
5015
5016 /* Semaphore security operations */
5017 static int selinux_sem_alloc_security(struct sem_array *sma)
5018 {
5019 struct ipc_security_struct *isec;
5020 struct common_audit_data ad;
5021 u32 sid = current_sid();
5022 int rc;
5023
5024 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5025 if (rc)
5026 return rc;
5027
5028 isec = sma->sem_perm.security;
5029
5030 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5031 ad.u.ipc_id = sma->sem_perm.key;
5032
5033 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5034 SEM__CREATE, &ad);
5035 if (rc) {
5036 ipc_free_security(&sma->sem_perm);
5037 return rc;
5038 }
5039 return 0;
5040 }
5041
5042 static void selinux_sem_free_security(struct sem_array *sma)
5043 {
5044 ipc_free_security(&sma->sem_perm);
5045 }
5046
5047 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5048 {
5049 struct ipc_security_struct *isec;
5050 struct common_audit_data ad;
5051 u32 sid = current_sid();
5052
5053 isec = sma->sem_perm.security;
5054
5055 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5056 ad.u.ipc_id = sma->sem_perm.key;
5057
5058 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5059 SEM__ASSOCIATE, &ad);
5060 }
5061
5062 /* Note, at this point, sma is locked down */
5063 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5064 {
5065 int err;
5066 u32 perms;
5067
5068 switch (cmd) {
5069 case IPC_INFO:
5070 case SEM_INFO:
5071 /* No specific object, just general system-wide information. */
5072 return task_has_system(current, SYSTEM__IPC_INFO);
5073 case GETPID:
5074 case GETNCNT:
5075 case GETZCNT:
5076 perms = SEM__GETATTR;
5077 break;
5078 case GETVAL:
5079 case GETALL:
5080 perms = SEM__READ;
5081 break;
5082 case SETVAL:
5083 case SETALL:
5084 perms = SEM__WRITE;
5085 break;
5086 case IPC_RMID:
5087 perms = SEM__DESTROY;
5088 break;
5089 case IPC_SET:
5090 perms = SEM__SETATTR;
5091 break;
5092 case IPC_STAT:
5093 case SEM_STAT:
5094 perms = SEM__GETATTR | SEM__ASSOCIATE;
5095 break;
5096 default:
5097 return 0;
5098 }
5099
5100 err = ipc_has_perm(&sma->sem_perm, perms);
5101 return err;
5102 }
5103
5104 static int selinux_sem_semop(struct sem_array *sma,
5105 struct sembuf *sops, unsigned nsops, int alter)
5106 {
5107 u32 perms;
5108
5109 if (alter)
5110 perms = SEM__READ | SEM__WRITE;
5111 else
5112 perms = SEM__READ;
5113
5114 return ipc_has_perm(&sma->sem_perm, perms);
5115 }
5116
5117 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5118 {
5119 u32 av = 0;
5120
5121 av = 0;
5122 if (flag & S_IRUGO)
5123 av |= IPC__UNIX_READ;
5124 if (flag & S_IWUGO)
5125 av |= IPC__UNIX_WRITE;
5126
5127 if (av == 0)
5128 return 0;
5129
5130 return ipc_has_perm(ipcp, av);
5131 }
5132
5133 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5134 {
5135 struct ipc_security_struct *isec = ipcp->security;
5136 *secid = isec->sid;
5137 }
5138
5139 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5140 {
5141 if (inode)
5142 inode_doinit_with_dentry(inode, dentry);
5143 }
5144
5145 static int selinux_getprocattr(struct task_struct *p,
5146 char *name, char **value)
5147 {
5148 const struct task_security_struct *__tsec;
5149 u32 sid;
5150 int error;
5151 unsigned len;
5152
5153 if (current != p) {
5154 error = current_has_perm(p, PROCESS__GETATTR);
5155 if (error)
5156 return error;
5157 }
5158
5159 rcu_read_lock();
5160 __tsec = __task_cred(p)->security;
5161
5162 if (!strcmp(name, "current"))
5163 sid = __tsec->sid;
5164 else if (!strcmp(name, "prev"))
5165 sid = __tsec->osid;
5166 else if (!strcmp(name, "exec"))
5167 sid = __tsec->exec_sid;
5168 else if (!strcmp(name, "fscreate"))
5169 sid = __tsec->create_sid;
5170 else if (!strcmp(name, "keycreate"))
5171 sid = __tsec->keycreate_sid;
5172 else if (!strcmp(name, "sockcreate"))
5173 sid = __tsec->sockcreate_sid;
5174 else
5175 goto invalid;
5176 rcu_read_unlock();
5177
5178 if (!sid)
5179 return 0;
5180
5181 error = security_sid_to_context(sid, value, &len);
5182 if (error)
5183 return error;
5184 return len;
5185
5186 invalid:
5187 rcu_read_unlock();
5188 return -EINVAL;
5189 }
5190
5191 static int selinux_setprocattr(struct task_struct *p,
5192 char *name, void *value, size_t size)
5193 {
5194 struct task_security_struct *tsec;
5195 struct task_struct *tracer;
5196 struct cred *new;
5197 u32 sid = 0, ptsid;
5198 int error;
5199 char *str = value;
5200
5201 if (current != p) {
5202 /* SELinux only allows a process to change its own
5203 security attributes. */
5204 return -EACCES;
5205 }
5206
5207 /*
5208 * Basic control over ability to set these attributes at all.
5209 * current == p, but we'll pass them separately in case the
5210 * above restriction is ever removed.
5211 */
5212 if (!strcmp(name, "exec"))
5213 error = current_has_perm(p, PROCESS__SETEXEC);
5214 else if (!strcmp(name, "fscreate"))
5215 error = current_has_perm(p, PROCESS__SETFSCREATE);
5216 else if (!strcmp(name, "keycreate"))
5217 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5218 else if (!strcmp(name, "sockcreate"))
5219 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5220 else if (!strcmp(name, "current"))
5221 error = current_has_perm(p, PROCESS__SETCURRENT);
5222 else
5223 error = -EINVAL;
5224 if (error)
5225 return error;
5226
5227 /* Obtain a SID for the context, if one was specified. */
5228 if (size && str[1] && str[1] != '\n') {
5229 if (str[size-1] == '\n') {
5230 str[size-1] = 0;
5231 size--;
5232 }
5233 error = security_context_to_sid(value, size, &sid);
5234 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5235 if (!capable(CAP_MAC_ADMIN))
5236 return error;
5237 error = security_context_to_sid_force(value, size,
5238 &sid);
5239 }
5240 if (error)
5241 return error;
5242 }
5243
5244 new = prepare_creds();
5245 if (!new)
5246 return -ENOMEM;
5247
5248 /* Permission checking based on the specified context is
5249 performed during the actual operation (execve,
5250 open/mkdir/...), when we know the full context of the
5251 operation. See selinux_bprm_set_creds for the execve
5252 checks and may_create for the file creation checks. The
5253 operation will then fail if the context is not permitted. */
5254 tsec = new->security;
5255 if (!strcmp(name, "exec")) {
5256 tsec->exec_sid = sid;
5257 } else if (!strcmp(name, "fscreate")) {
5258 tsec->create_sid = sid;
5259 } else if (!strcmp(name, "keycreate")) {
5260 error = may_create_key(sid, p);
5261 if (error)
5262 goto abort_change;
5263 tsec->keycreate_sid = sid;
5264 } else if (!strcmp(name, "sockcreate")) {
5265 tsec->sockcreate_sid = sid;
5266 } else if (!strcmp(name, "current")) {
5267 error = -EINVAL;
5268 if (sid == 0)
5269 goto abort_change;
5270
5271 /* Only allow single threaded processes to change context */
5272 error = -EPERM;
5273 if (!current_is_single_threaded()) {
5274 error = security_bounded_transition(tsec->sid, sid);
5275 if (error)
5276 goto abort_change;
5277 }
5278
5279 /* Check permissions for the transition. */
5280 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5281 PROCESS__DYNTRANSITION, NULL);
5282 if (error)
5283 goto abort_change;
5284
5285 /* Check for ptracing, and update the task SID if ok.
5286 Otherwise, leave SID unchanged and fail. */
5287 ptsid = 0;
5288 task_lock(p);
5289 tracer = tracehook_tracer_task(p);
5290 if (tracer)
5291 ptsid = task_sid(tracer);
5292 task_unlock(p);
5293
5294 if (tracer) {
5295 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5296 PROCESS__PTRACE, NULL);
5297 if (error)
5298 goto abort_change;
5299 }
5300
5301 tsec->sid = sid;
5302 } else {
5303 error = -EINVAL;
5304 goto abort_change;
5305 }
5306
5307 commit_creds(new);
5308 return size;
5309
5310 abort_change:
5311 abort_creds(new);
5312 return error;
5313 }
5314
5315 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5316 {
5317 return security_sid_to_context(secid, secdata, seclen);
5318 }
5319
5320 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5321 {
5322 return security_context_to_sid(secdata, seclen, secid);
5323 }
5324
5325 static void selinux_release_secctx(char *secdata, u32 seclen)
5326 {
5327 kfree(secdata);
5328 }
5329
5330 /*
5331 * called with inode->i_mutex locked
5332 */
5333 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5334 {
5335 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5336 }
5337
5338 /*
5339 * called with inode->i_mutex locked
5340 */
5341 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5342 {
5343 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5344 }
5345
5346 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5347 {
5348 int len = 0;
5349 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5350 ctx, true);
5351 if (len < 0)
5352 return len;
5353 *ctxlen = len;
5354 return 0;
5355 }
5356 #ifdef CONFIG_KEYS
5357
5358 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5359 unsigned long flags)
5360 {
5361 const struct task_security_struct *tsec;
5362 struct key_security_struct *ksec;
5363
5364 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5365 if (!ksec)
5366 return -ENOMEM;
5367
5368 tsec = cred->security;
5369 if (tsec->keycreate_sid)
5370 ksec->sid = tsec->keycreate_sid;
5371 else
5372 ksec->sid = tsec->sid;
5373
5374 k->security = ksec;
5375 return 0;
5376 }
5377
5378 static void selinux_key_free(struct key *k)
5379 {
5380 struct key_security_struct *ksec = k->security;
5381
5382 k->security = NULL;
5383 kfree(ksec);
5384 }
5385
5386 static int selinux_key_permission(key_ref_t key_ref,
5387 const struct cred *cred,
5388 key_perm_t perm)
5389 {
5390 struct key *key;
5391 struct key_security_struct *ksec;
5392 u32 sid;
5393
5394 /* if no specific permissions are requested, we skip the
5395 permission check. No serious, additional covert channels
5396 appear to be created. */
5397 if (perm == 0)
5398 return 0;
5399
5400 sid = cred_sid(cred);
5401
5402 key = key_ref_to_ptr(key_ref);
5403 ksec = key->security;
5404
5405 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5406 }
5407
5408 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5409 {
5410 struct key_security_struct *ksec = key->security;
5411 char *context = NULL;
5412 unsigned len;
5413 int rc;
5414
5415 rc = security_sid_to_context(ksec->sid, &context, &len);
5416 if (!rc)
5417 rc = len;
5418 *_buffer = context;
5419 return rc;
5420 }
5421
5422 #endif
5423
5424 static struct security_operations selinux_ops = {
5425 .name = "selinux",
5426
5427 .ptrace_access_check = selinux_ptrace_access_check,
5428 .ptrace_traceme = selinux_ptrace_traceme,
5429 .capget = selinux_capget,
5430 .capset = selinux_capset,
5431 .capable = selinux_capable,
5432 .quotactl = selinux_quotactl,
5433 .quota_on = selinux_quota_on,
5434 .syslog = selinux_syslog,
5435 .vm_enough_memory = selinux_vm_enough_memory,
5436
5437 .netlink_send = selinux_netlink_send,
5438 .netlink_recv = selinux_netlink_recv,
5439
5440 .bprm_set_creds = selinux_bprm_set_creds,
5441 .bprm_committing_creds = selinux_bprm_committing_creds,
5442 .bprm_committed_creds = selinux_bprm_committed_creds,
5443 .bprm_secureexec = selinux_bprm_secureexec,
5444
5445 .sb_alloc_security = selinux_sb_alloc_security,
5446 .sb_free_security = selinux_sb_free_security,
5447 .sb_copy_data = selinux_sb_copy_data,
5448 .sb_remount = selinux_sb_remount,
5449 .sb_kern_mount = selinux_sb_kern_mount,
5450 .sb_show_options = selinux_sb_show_options,
5451 .sb_statfs = selinux_sb_statfs,
5452 .sb_mount = selinux_mount,
5453 .sb_umount = selinux_umount,
5454 .sb_set_mnt_opts = selinux_set_mnt_opts,
5455 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5456 .sb_parse_opts_str = selinux_parse_opts_str,
5457
5458
5459 .inode_alloc_security = selinux_inode_alloc_security,
5460 .inode_free_security = selinux_inode_free_security,
5461 .inode_init_security = selinux_inode_init_security,
5462 .inode_create = selinux_inode_create,
5463 .inode_link = selinux_inode_link,
5464 .inode_unlink = selinux_inode_unlink,
5465 .inode_symlink = selinux_inode_symlink,
5466 .inode_mkdir = selinux_inode_mkdir,
5467 .inode_rmdir = selinux_inode_rmdir,
5468 .inode_mknod = selinux_inode_mknod,
5469 .inode_rename = selinux_inode_rename,
5470 .inode_readlink = selinux_inode_readlink,
5471 .inode_follow_link = selinux_inode_follow_link,
5472 .inode_permission = selinux_inode_permission,
5473 .inode_setattr = selinux_inode_setattr,
5474 .inode_getattr = selinux_inode_getattr,
5475 .inode_setxattr = selinux_inode_setxattr,
5476 .inode_post_setxattr = selinux_inode_post_setxattr,
5477 .inode_getxattr = selinux_inode_getxattr,
5478 .inode_listxattr = selinux_inode_listxattr,
5479 .inode_removexattr = selinux_inode_removexattr,
5480 .inode_getsecurity = selinux_inode_getsecurity,
5481 .inode_setsecurity = selinux_inode_setsecurity,
5482 .inode_listsecurity = selinux_inode_listsecurity,
5483 .inode_getsecid = selinux_inode_getsecid,
5484
5485 .file_permission = selinux_file_permission,
5486 .file_alloc_security = selinux_file_alloc_security,
5487 .file_free_security = selinux_file_free_security,
5488 .file_ioctl = selinux_file_ioctl,
5489 .file_mmap = selinux_file_mmap,
5490 .file_mprotect = selinux_file_mprotect,
5491 .file_lock = selinux_file_lock,
5492 .file_fcntl = selinux_file_fcntl,
5493 .file_set_fowner = selinux_file_set_fowner,
5494 .file_send_sigiotask = selinux_file_send_sigiotask,
5495 .file_receive = selinux_file_receive,
5496
5497 .dentry_open = selinux_dentry_open,
5498
5499 .task_create = selinux_task_create,
5500 .cred_alloc_blank = selinux_cred_alloc_blank,
5501 .cred_free = selinux_cred_free,
5502 .cred_prepare = selinux_cred_prepare,
5503 .cred_transfer = selinux_cred_transfer,
5504 .kernel_act_as = selinux_kernel_act_as,
5505 .kernel_create_files_as = selinux_kernel_create_files_as,
5506 .kernel_module_request = selinux_kernel_module_request,
5507 .task_setpgid = selinux_task_setpgid,
5508 .task_getpgid = selinux_task_getpgid,
5509 .task_getsid = selinux_task_getsid,
5510 .task_getsecid = selinux_task_getsecid,
5511 .task_setnice = selinux_task_setnice,
5512 .task_setioprio = selinux_task_setioprio,
5513 .task_getioprio = selinux_task_getioprio,
5514 .task_setrlimit = selinux_task_setrlimit,
5515 .task_setscheduler = selinux_task_setscheduler,
5516 .task_getscheduler = selinux_task_getscheduler,
5517 .task_movememory = selinux_task_movememory,
5518 .task_kill = selinux_task_kill,
5519 .task_wait = selinux_task_wait,
5520 .task_to_inode = selinux_task_to_inode,
5521
5522 .ipc_permission = selinux_ipc_permission,
5523 .ipc_getsecid = selinux_ipc_getsecid,
5524
5525 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5526 .msg_msg_free_security = selinux_msg_msg_free_security,
5527
5528 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5529 .msg_queue_free_security = selinux_msg_queue_free_security,
5530 .msg_queue_associate = selinux_msg_queue_associate,
5531 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5532 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5533 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5534
5535 .shm_alloc_security = selinux_shm_alloc_security,
5536 .shm_free_security = selinux_shm_free_security,
5537 .shm_associate = selinux_shm_associate,
5538 .shm_shmctl = selinux_shm_shmctl,
5539 .shm_shmat = selinux_shm_shmat,
5540
5541 .sem_alloc_security = selinux_sem_alloc_security,
5542 .sem_free_security = selinux_sem_free_security,
5543 .sem_associate = selinux_sem_associate,
5544 .sem_semctl = selinux_sem_semctl,
5545 .sem_semop = selinux_sem_semop,
5546
5547 .d_instantiate = selinux_d_instantiate,
5548
5549 .getprocattr = selinux_getprocattr,
5550 .setprocattr = selinux_setprocattr,
5551
5552 .secid_to_secctx = selinux_secid_to_secctx,
5553 .secctx_to_secid = selinux_secctx_to_secid,
5554 .release_secctx = selinux_release_secctx,
5555 .inode_notifysecctx = selinux_inode_notifysecctx,
5556 .inode_setsecctx = selinux_inode_setsecctx,
5557 .inode_getsecctx = selinux_inode_getsecctx,
5558
5559 .unix_stream_connect = selinux_socket_unix_stream_connect,
5560 .unix_may_send = selinux_socket_unix_may_send,
5561
5562 .socket_create = selinux_socket_create,
5563 .socket_post_create = selinux_socket_post_create,
5564 .socket_bind = selinux_socket_bind,
5565 .socket_connect = selinux_socket_connect,
5566 .socket_listen = selinux_socket_listen,
5567 .socket_accept = selinux_socket_accept,
5568 .socket_sendmsg = selinux_socket_sendmsg,
5569 .socket_recvmsg = selinux_socket_recvmsg,
5570 .socket_getsockname = selinux_socket_getsockname,
5571 .socket_getpeername = selinux_socket_getpeername,
5572 .socket_getsockopt = selinux_socket_getsockopt,
5573 .socket_setsockopt = selinux_socket_setsockopt,
5574 .socket_shutdown = selinux_socket_shutdown,
5575 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5576 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5577 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5578 .sk_alloc_security = selinux_sk_alloc_security,
5579 .sk_free_security = selinux_sk_free_security,
5580 .sk_clone_security = selinux_sk_clone_security,
5581 .sk_getsecid = selinux_sk_getsecid,
5582 .sock_graft = selinux_sock_graft,
5583 .inet_conn_request = selinux_inet_conn_request,
5584 .inet_csk_clone = selinux_inet_csk_clone,
5585 .inet_conn_established = selinux_inet_conn_established,
5586 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5587 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5588 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5589 .req_classify_flow = selinux_req_classify_flow,
5590 .tun_dev_create = selinux_tun_dev_create,
5591 .tun_dev_post_create = selinux_tun_dev_post_create,
5592 .tun_dev_attach = selinux_tun_dev_attach,
5593
5594 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5595 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5596 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5597 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5598 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5599 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5600 .xfrm_state_free_security = selinux_xfrm_state_free,
5601 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5602 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5603 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5604 .xfrm_decode_session = selinux_xfrm_decode_session,
5605 #endif
5606
5607 #ifdef CONFIG_KEYS
5608 .key_alloc = selinux_key_alloc,
5609 .key_free = selinux_key_free,
5610 .key_permission = selinux_key_permission,
5611 .key_getsecurity = selinux_key_getsecurity,
5612 #endif
5613
5614 #ifdef CONFIG_AUDIT
5615 .audit_rule_init = selinux_audit_rule_init,
5616 .audit_rule_known = selinux_audit_rule_known,
5617 .audit_rule_match = selinux_audit_rule_match,
5618 .audit_rule_free = selinux_audit_rule_free,
5619 #endif
5620 };
5621
5622 static __init int selinux_init(void)
5623 {
5624 if (!security_module_enable(&selinux_ops)) {
5625 selinux_enabled = 0;
5626 return 0;
5627 }
5628
5629 if (!selinux_enabled) {
5630 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5631 return 0;
5632 }
5633
5634 printk(KERN_INFO "SELinux: Initializing.\n");
5635
5636 /* Set the security state for the initial task. */
5637 cred_init_security();
5638
5639 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5640
5641 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5642 sizeof(struct inode_security_struct),
5643 0, SLAB_PANIC, NULL);
5644 avc_init();
5645
5646 if (register_security(&selinux_ops))
5647 panic("SELinux: Unable to register with kernel.\n");
5648
5649 if (selinux_enforcing)
5650 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5651 else
5652 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5653
5654 return 0;
5655 }
5656
5657 static void delayed_superblock_init(struct super_block *sb, void *unused)
5658 {
5659 superblock_doinit(sb, NULL);
5660 }
5661
5662 void selinux_complete_init(void)
5663 {
5664 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5665
5666 /* Set up any superblocks initialized prior to the policy load. */
5667 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5668 iterate_supers(delayed_superblock_init, NULL);
5669 }
5670
5671 /* SELinux requires early initialization in order to label
5672 all processes and objects when they are created. */
5673 security_initcall(selinux_init);
5674
5675 #if defined(CONFIG_NETFILTER)
5676
5677 static struct nf_hook_ops selinux_ipv4_ops[] = {
5678 {
5679 .hook = selinux_ipv4_postroute,
5680 .owner = THIS_MODULE,
5681 .pf = PF_INET,
5682 .hooknum = NF_INET_POST_ROUTING,
5683 .priority = NF_IP_PRI_SELINUX_LAST,
5684 },
5685 {
5686 .hook = selinux_ipv4_forward,
5687 .owner = THIS_MODULE,
5688 .pf = PF_INET,
5689 .hooknum = NF_INET_FORWARD,
5690 .priority = NF_IP_PRI_SELINUX_FIRST,
5691 },
5692 {
5693 .hook = selinux_ipv4_output,
5694 .owner = THIS_MODULE,
5695 .pf = PF_INET,
5696 .hooknum = NF_INET_LOCAL_OUT,
5697 .priority = NF_IP_PRI_SELINUX_FIRST,
5698 }
5699 };
5700
5701 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5702
5703 static struct nf_hook_ops selinux_ipv6_ops[] = {
5704 {
5705 .hook = selinux_ipv6_postroute,
5706 .owner = THIS_MODULE,
5707 .pf = PF_INET6,
5708 .hooknum = NF_INET_POST_ROUTING,
5709 .priority = NF_IP6_PRI_SELINUX_LAST,
5710 },
5711 {
5712 .hook = selinux_ipv6_forward,
5713 .owner = THIS_MODULE,
5714 .pf = PF_INET6,
5715 .hooknum = NF_INET_FORWARD,
5716 .priority = NF_IP6_PRI_SELINUX_FIRST,
5717 }
5718 };
5719
5720 #endif /* IPV6 */
5721
5722 static int __init selinux_nf_ip_init(void)
5723 {
5724 int err = 0;
5725
5726 if (!selinux_enabled)
5727 goto out;
5728
5729 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5730
5731 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5732 if (err)
5733 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5734
5735 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5736 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5737 if (err)
5738 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5739 #endif /* IPV6 */
5740
5741 out:
5742 return err;
5743 }
5744
5745 __initcall(selinux_nf_ip_init);
5746
5747 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5748 static void selinux_nf_ip_exit(void)
5749 {
5750 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5751
5752 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5753 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5754 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5755 #endif /* IPV6 */
5756 }
5757 #endif
5758
5759 #else /* CONFIG_NETFILTER */
5760
5761 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5762 #define selinux_nf_ip_exit()
5763 #endif
5764
5765 #endif /* CONFIG_NETFILTER */
5766
5767 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5768 static int selinux_disabled;
5769
5770 int selinux_disable(void)
5771 {
5772 extern void exit_sel_fs(void);
5773
5774 if (ss_initialized) {
5775 /* Not permitted after initial policy load. */
5776 return -EINVAL;
5777 }
5778
5779 if (selinux_disabled) {
5780 /* Only do this once. */
5781 return -EINVAL;
5782 }
5783
5784 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5785
5786 selinux_disabled = 1;
5787 selinux_enabled = 0;
5788
5789 reset_security_ops();
5790
5791 /* Try to destroy the avc node cache */
5792 avc_disable();
5793
5794 /* Unregister netfilter hooks. */
5795 selinux_nf_ip_exit();
5796
5797 /* Unregister selinuxfs. */
5798 exit_sel_fs();
5799
5800 return 0;
5801 }
5802 #endif
Linux kernel - Deliverables
This page took 0.152383 seconds and 6 git commands to generate.