]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
[PATCH] slab: remove kmem_cache_t
[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16 * Paul Moore, <paul.moore@hp.com>
17 *
18 * This program is free software; you can redistribute it and/or modify
19 * it under the terms of the GNU General Public License version 2,
20 * as published by the Free Software Foundation.
21 */
22
23 #include <linux/module.h>
24 #include <linux/init.h>
25 #include <linux/kernel.h>
26 #include <linux/ptrace.h>
27 #include <linux/errno.h>
28 #include <linux/sched.h>
29 #include <linux/security.h>
30 #include <linux/xattr.h>
31 #include <linux/capability.h>
32 #include <linux/unistd.h>
33 #include <linux/mm.h>
34 #include <linux/mman.h>
35 #include <linux/slab.h>
36 #include <linux/pagemap.h>
37 #include <linux/swap.h>
38 #include <linux/smp_lock.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for sysctl_local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <asm/uaccess.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h> /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/dccp.h>
62 #include <linux/quota.h>
63 #include <linux/un.h> /* for Unix socket types */
64 #include <net/af_unix.h> /* for Unix socket types */
65 #include <linux/parser.h>
66 #include <linux/nfs_mount.h>
67 #include <net/ipv6.h>
68 #include <linux/hugetlb.h>
69 #include <linux/personality.h>
70 #include <linux/sysctl.h>
71 #include <linux/audit.h>
72 #include <linux/string.h>
73 #include <linux/selinux.h>
74 #include <linux/mutex.h>
75
76 #include "avc.h"
77 #include "objsec.h"
78 #include "netif.h"
79 #include "xfrm.h"
80 #include "selinux_netlabel.h"
81
82 #define XATTR_SELINUX_SUFFIX "selinux"
83 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
84
85 extern unsigned int policydb_loaded_version;
86 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
87 extern int selinux_compat_net;
88
89 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
90 int selinux_enforcing = 0;
91
92 static int __init enforcing_setup(char *str)
93 {
94 selinux_enforcing = simple_strtol(str,NULL,0);
95 return 1;
96 }
97 __setup("enforcing=", enforcing_setup);
98 #endif
99
100 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
101 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
102
103 static int __init selinux_enabled_setup(char *str)
104 {
105 selinux_enabled = simple_strtol(str, NULL, 0);
106 return 1;
107 }
108 __setup("selinux=", selinux_enabled_setup);
109 #else
110 int selinux_enabled = 1;
111 #endif
112
113 /* Original (dummy) security module. */
114 static struct security_operations *original_ops = NULL;
115
116 /* Minimal support for a secondary security module,
117 just to allow the use of the dummy or capability modules.
118 The owlsm module can alternatively be used as a secondary
119 module as long as CONFIG_OWLSM_FD is not enabled. */
120 static struct security_operations *secondary_ops = NULL;
121
122 /* Lists of inode and superblock security structures initialized
123 before the policy was loaded. */
124 static LIST_HEAD(superblock_security_head);
125 static DEFINE_SPINLOCK(sb_security_lock);
126
127 static struct kmem_cache *sel_inode_cache;
128
129 /* Return security context for a given sid or just the context
130 length if the buffer is null or length is 0 */
131 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
132 {
133 char *context;
134 unsigned len;
135 int rc;
136
137 rc = security_sid_to_context(sid, &context, &len);
138 if (rc)
139 return rc;
140
141 if (!buffer || !size)
142 goto getsecurity_exit;
143
144 if (size < len) {
145 len = -ERANGE;
146 goto getsecurity_exit;
147 }
148 memcpy(buffer, context, len);
149
150 getsecurity_exit:
151 kfree(context);
152 return len;
153 }
154
155 /* Allocate and free functions for each kind of security blob. */
156
157 static int task_alloc_security(struct task_struct *task)
158 {
159 struct task_security_struct *tsec;
160
161 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
162 if (!tsec)
163 return -ENOMEM;
164
165 tsec->task = task;
166 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
167 task->security = tsec;
168
169 return 0;
170 }
171
172 static void task_free_security(struct task_struct *task)
173 {
174 struct task_security_struct *tsec = task->security;
175 task->security = NULL;
176 kfree(tsec);
177 }
178
179 static int inode_alloc_security(struct inode *inode)
180 {
181 struct task_security_struct *tsec = current->security;
182 struct inode_security_struct *isec;
183
184 isec = kmem_cache_alloc(sel_inode_cache, GFP_KERNEL);
185 if (!isec)
186 return -ENOMEM;
187
188 memset(isec, 0, sizeof(*isec));
189 mutex_init(&isec->lock);
190 INIT_LIST_HEAD(&isec->list);
191 isec->inode = inode;
192 isec->sid = SECINITSID_UNLABELED;
193 isec->sclass = SECCLASS_FILE;
194 isec->task_sid = tsec->sid;
195 inode->i_security = isec;
196
197 return 0;
198 }
199
200 static void inode_free_security(struct inode *inode)
201 {
202 struct inode_security_struct *isec = inode->i_security;
203 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
204
205 spin_lock(&sbsec->isec_lock);
206 if (!list_empty(&isec->list))
207 list_del_init(&isec->list);
208 spin_unlock(&sbsec->isec_lock);
209
210 inode->i_security = NULL;
211 kmem_cache_free(sel_inode_cache, isec);
212 }
213
214 static int file_alloc_security(struct file *file)
215 {
216 struct task_security_struct *tsec = current->security;
217 struct file_security_struct *fsec;
218
219 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
220 if (!fsec)
221 return -ENOMEM;
222
223 fsec->file = file;
224 fsec->sid = tsec->sid;
225 fsec->fown_sid = tsec->sid;
226 file->f_security = fsec;
227
228 return 0;
229 }
230
231 static void file_free_security(struct file *file)
232 {
233 struct file_security_struct *fsec = file->f_security;
234 file->f_security = NULL;
235 kfree(fsec);
236 }
237
238 static int superblock_alloc_security(struct super_block *sb)
239 {
240 struct superblock_security_struct *sbsec;
241
242 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
243 if (!sbsec)
244 return -ENOMEM;
245
246 mutex_init(&sbsec->lock);
247 INIT_LIST_HEAD(&sbsec->list);
248 INIT_LIST_HEAD(&sbsec->isec_head);
249 spin_lock_init(&sbsec->isec_lock);
250 sbsec->sb = sb;
251 sbsec->sid = SECINITSID_UNLABELED;
252 sbsec->def_sid = SECINITSID_FILE;
253 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
254 sb->s_security = sbsec;
255
256 return 0;
257 }
258
259 static void superblock_free_security(struct super_block *sb)
260 {
261 struct superblock_security_struct *sbsec = sb->s_security;
262
263 spin_lock(&sb_security_lock);
264 if (!list_empty(&sbsec->list))
265 list_del_init(&sbsec->list);
266 spin_unlock(&sb_security_lock);
267
268 sb->s_security = NULL;
269 kfree(sbsec);
270 }
271
272 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
273 {
274 struct sk_security_struct *ssec;
275
276 ssec = kzalloc(sizeof(*ssec), priority);
277 if (!ssec)
278 return -ENOMEM;
279
280 ssec->sk = sk;
281 ssec->peer_sid = SECINITSID_UNLABELED;
282 ssec->sid = SECINITSID_UNLABELED;
283 sk->sk_security = ssec;
284
285 selinux_netlbl_sk_security_init(ssec, family);
286
287 return 0;
288 }
289
290 static void sk_free_security(struct sock *sk)
291 {
292 struct sk_security_struct *ssec = sk->sk_security;
293
294 sk->sk_security = NULL;
295 kfree(ssec);
296 }
297
298 /* The security server must be initialized before
299 any labeling or access decisions can be provided. */
300 extern int ss_initialized;
301
302 /* The file system's label must be initialized prior to use. */
303
304 static char *labeling_behaviors[6] = {
305 "uses xattr",
306 "uses transition SIDs",
307 "uses task SIDs",
308 "uses genfs_contexts",
309 "not configured for labeling",
310 "uses mountpoint labeling",
311 };
312
313 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314
315 static inline int inode_doinit(struct inode *inode)
316 {
317 return inode_doinit_with_dentry(inode, NULL);
318 }
319
320 enum {
321 Opt_context = 1,
322 Opt_fscontext = 2,
323 Opt_defcontext = 4,
324 Opt_rootcontext = 8,
325 };
326
327 static match_table_t tokens = {
328 {Opt_context, "context=%s"},
329 {Opt_fscontext, "fscontext=%s"},
330 {Opt_defcontext, "defcontext=%s"},
331 {Opt_rootcontext, "rootcontext=%s"},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339 {
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355 {
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365 }
366
367 static int try_context_mount(struct super_block *sb, void *data)
368 {
369 char *context = NULL, *defcontext = NULL;
370 char *fscontext = NULL, *rootcontext = NULL;
371 const char *name;
372 u32 sid;
373 int alloc = 0, rc = 0, seen = 0;
374 struct task_security_struct *tsec = current->security;
375 struct superblock_security_struct *sbsec = sb->s_security;
376
377 if (!data)
378 goto out;
379
380 name = sb->s_type->name;
381
382 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
383
384 /* NFS we understand. */
385 if (!strcmp(name, "nfs")) {
386 struct nfs_mount_data *d = data;
387
388 if (d->version < NFS_MOUNT_VERSION)
389 goto out;
390
391 if (d->context[0]) {
392 context = d->context;
393 seen |= Opt_context;
394 }
395 } else
396 goto out;
397
398 } else {
399 /* Standard string-based options. */
400 char *p, *options = data;
401
402 while ((p = strsep(&options, "|")) != NULL) {
403 int token;
404 substring_t args[MAX_OPT_ARGS];
405
406 if (!*p)
407 continue;
408
409 token = match_token(p, tokens, args);
410
411 switch (token) {
412 case Opt_context:
413 if (seen & (Opt_context|Opt_defcontext)) {
414 rc = -EINVAL;
415 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416 goto out_free;
417 }
418 context = match_strdup(&args[0]);
419 if (!context) {
420 rc = -ENOMEM;
421 goto out_free;
422 }
423 if (!alloc)
424 alloc = 1;
425 seen |= Opt_context;
426 break;
427
428 case Opt_fscontext:
429 if (seen & Opt_fscontext) {
430 rc = -EINVAL;
431 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
432 goto out_free;
433 }
434 fscontext = match_strdup(&args[0]);
435 if (!fscontext) {
436 rc = -ENOMEM;
437 goto out_free;
438 }
439 if (!alloc)
440 alloc = 1;
441 seen |= Opt_fscontext;
442 break;
443
444 case Opt_rootcontext:
445 if (seen & Opt_rootcontext) {
446 rc = -EINVAL;
447 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
448 goto out_free;
449 }
450 rootcontext = match_strdup(&args[0]);
451 if (!rootcontext) {
452 rc = -ENOMEM;
453 goto out_free;
454 }
455 if (!alloc)
456 alloc = 1;
457 seen |= Opt_rootcontext;
458 break;
459
460 case Opt_defcontext:
461 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
462 rc = -EINVAL;
463 printk(KERN_WARNING "SELinux: "
464 "defcontext option is invalid "
465 "for this filesystem type\n");
466 goto out_free;
467 }
468 if (seen & (Opt_context|Opt_defcontext)) {
469 rc = -EINVAL;
470 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
471 goto out_free;
472 }
473 defcontext = match_strdup(&args[0]);
474 if (!defcontext) {
475 rc = -ENOMEM;
476 goto out_free;
477 }
478 if (!alloc)
479 alloc = 1;
480 seen |= Opt_defcontext;
481 break;
482
483 default:
484 rc = -EINVAL;
485 printk(KERN_WARNING "SELinux: unknown mount "
486 "option\n");
487 goto out_free;
488
489 }
490 }
491 }
492
493 if (!seen)
494 goto out;
495
496 /* sets the context of the superblock for the fs being mounted. */
497 if (fscontext) {
498 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
499 if (rc) {
500 printk(KERN_WARNING "SELinux: security_context_to_sid"
501 "(%s) failed for (dev %s, type %s) errno=%d\n",
502 fscontext, sb->s_id, name, rc);
503 goto out_free;
504 }
505
506 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
507 if (rc)
508 goto out_free;
509
510 sbsec->sid = sid;
511 }
512
513 /*
514 * Switch to using mount point labeling behavior.
515 * sets the label used on all file below the mountpoint, and will set
516 * the superblock context if not already set.
517 */
518 if (context) {
519 rc = security_context_to_sid(context, strlen(context), &sid);
520 if (rc) {
521 printk(KERN_WARNING "SELinux: security_context_to_sid"
522 "(%s) failed for (dev %s, type %s) errno=%d\n",
523 context, sb->s_id, name, rc);
524 goto out_free;
525 }
526
527 if (!fscontext) {
528 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
529 if (rc)
530 goto out_free;
531 sbsec->sid = sid;
532 } else {
533 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
534 if (rc)
535 goto out_free;
536 }
537 sbsec->mntpoint_sid = sid;
538
539 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
540 }
541
542 if (rootcontext) {
543 struct inode *inode = sb->s_root->d_inode;
544 struct inode_security_struct *isec = inode->i_security;
545 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
546 if (rc) {
547 printk(KERN_WARNING "SELinux: security_context_to_sid"
548 "(%s) failed for (dev %s, type %s) errno=%d\n",
549 rootcontext, sb->s_id, name, rc);
550 goto out_free;
551 }
552
553 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
554 if (rc)
555 goto out_free;
556
557 isec->sid = sid;
558 isec->initialized = 1;
559 }
560
561 if (defcontext) {
562 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
563 if (rc) {
564 printk(KERN_WARNING "SELinux: security_context_to_sid"
565 "(%s) failed for (dev %s, type %s) errno=%d\n",
566 defcontext, sb->s_id, name, rc);
567 goto out_free;
568 }
569
570 if (sid == sbsec->def_sid)
571 goto out_free;
572
573 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
574 if (rc)
575 goto out_free;
576
577 sbsec->def_sid = sid;
578 }
579
580 out_free:
581 if (alloc) {
582 kfree(context);
583 kfree(defcontext);
584 kfree(fscontext);
585 kfree(rootcontext);
586 }
587 out:
588 return rc;
589 }
590
591 static int superblock_doinit(struct super_block *sb, void *data)
592 {
593 struct superblock_security_struct *sbsec = sb->s_security;
594 struct dentry *root = sb->s_root;
595 struct inode *inode = root->d_inode;
596 int rc = 0;
597
598 mutex_lock(&sbsec->lock);
599 if (sbsec->initialized)
600 goto out;
601
602 if (!ss_initialized) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
610 goto out;
611 }
612
613 /* Determine the labeling behavior to use for this filesystem type. */
614 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
615 if (rc) {
616 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
617 __FUNCTION__, sb->s_type->name, rc);
618 goto out;
619 }
620
621 rc = try_context_mount(sb, data);
622 if (rc)
623 goto out;
624
625 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
626 /* Make sure that the xattr handler exists and that no
627 error other than -ENODATA is returned by getxattr on
628 the root directory. -ENODATA is ok, as this may be
629 the first boot of the SELinux kernel before we have
630 assigned xattr values to the filesystem. */
631 if (!inode->i_op->getxattr) {
632 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
633 "xattr support\n", sb->s_id, sb->s_type->name);
634 rc = -EOPNOTSUPP;
635 goto out;
636 }
637 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
638 if (rc < 0 && rc != -ENODATA) {
639 if (rc == -EOPNOTSUPP)
640 printk(KERN_WARNING "SELinux: (dev %s, type "
641 "%s) has no security xattr handler\n",
642 sb->s_id, sb->s_type->name);
643 else
644 printk(KERN_WARNING "SELinux: (dev %s, type "
645 "%s) getxattr errno %d\n", sb->s_id,
646 sb->s_type->name, -rc);
647 goto out;
648 }
649 }
650
651 if (strcmp(sb->s_type->name, "proc") == 0)
652 sbsec->proc = 1;
653
654 sbsec->initialized = 1;
655
656 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
657 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
658 sb->s_id, sb->s_type->name);
659 }
660 else {
661 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
662 sb->s_id, sb->s_type->name,
663 labeling_behaviors[sbsec->behavior-1]);
664 }
665
666 /* Initialize the root inode. */
667 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
668
669 /* Initialize any other inodes associated with the superblock, e.g.
670 inodes created prior to initial policy load or inodes created
671 during get_sb by a pseudo filesystem that directly
672 populates itself. */
673 spin_lock(&sbsec->isec_lock);
674 next_inode:
675 if (!list_empty(&sbsec->isec_head)) {
676 struct inode_security_struct *isec =
677 list_entry(sbsec->isec_head.next,
678 struct inode_security_struct, list);
679 struct inode *inode = isec->inode;
680 spin_unlock(&sbsec->isec_lock);
681 inode = igrab(inode);
682 if (inode) {
683 if (!IS_PRIVATE (inode))
684 inode_doinit(inode);
685 iput(inode);
686 }
687 spin_lock(&sbsec->isec_lock);
688 list_del_init(&isec->list);
689 goto next_inode;
690 }
691 spin_unlock(&sbsec->isec_lock);
692 out:
693 mutex_unlock(&sbsec->lock);
694 return rc;
695 }
696
697 static inline u16 inode_mode_to_security_class(umode_t mode)
698 {
699 switch (mode & S_IFMT) {
700 case S_IFSOCK:
701 return SECCLASS_SOCK_FILE;
702 case S_IFLNK:
703 return SECCLASS_LNK_FILE;
704 case S_IFREG:
705 return SECCLASS_FILE;
706 case S_IFBLK:
707 return SECCLASS_BLK_FILE;
708 case S_IFDIR:
709 return SECCLASS_DIR;
710 case S_IFCHR:
711 return SECCLASS_CHR_FILE;
712 case S_IFIFO:
713 return SECCLASS_FIFO_FILE;
714
715 }
716
717 return SECCLASS_FILE;
718 }
719
720 static inline int default_protocol_stream(int protocol)
721 {
722 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
723 }
724
725 static inline int default_protocol_dgram(int protocol)
726 {
727 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
728 }
729
730 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
731 {
732 switch (family) {
733 case PF_UNIX:
734 switch (type) {
735 case SOCK_STREAM:
736 case SOCK_SEQPACKET:
737 return SECCLASS_UNIX_STREAM_SOCKET;
738 case SOCK_DGRAM:
739 return SECCLASS_UNIX_DGRAM_SOCKET;
740 }
741 break;
742 case PF_INET:
743 case PF_INET6:
744 switch (type) {
745 case SOCK_STREAM:
746 if (default_protocol_stream(protocol))
747 return SECCLASS_TCP_SOCKET;
748 else
749 return SECCLASS_RAWIP_SOCKET;
750 case SOCK_DGRAM:
751 if (default_protocol_dgram(protocol))
752 return SECCLASS_UDP_SOCKET;
753 else
754 return SECCLASS_RAWIP_SOCKET;
755 case SOCK_DCCP:
756 return SECCLASS_DCCP_SOCKET;
757 default:
758 return SECCLASS_RAWIP_SOCKET;
759 }
760 break;
761 case PF_NETLINK:
762 switch (protocol) {
763 case NETLINK_ROUTE:
764 return SECCLASS_NETLINK_ROUTE_SOCKET;
765 case NETLINK_FIREWALL:
766 return SECCLASS_NETLINK_FIREWALL_SOCKET;
767 case NETLINK_INET_DIAG:
768 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
769 case NETLINK_NFLOG:
770 return SECCLASS_NETLINK_NFLOG_SOCKET;
771 case NETLINK_XFRM:
772 return SECCLASS_NETLINK_XFRM_SOCKET;
773 case NETLINK_SELINUX:
774 return SECCLASS_NETLINK_SELINUX_SOCKET;
775 case NETLINK_AUDIT:
776 return SECCLASS_NETLINK_AUDIT_SOCKET;
777 case NETLINK_IP6_FW:
778 return SECCLASS_NETLINK_IP6FW_SOCKET;
779 case NETLINK_DNRTMSG:
780 return SECCLASS_NETLINK_DNRT_SOCKET;
781 case NETLINK_KOBJECT_UEVENT:
782 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
783 default:
784 return SECCLASS_NETLINK_SOCKET;
785 }
786 case PF_PACKET:
787 return SECCLASS_PACKET_SOCKET;
788 case PF_KEY:
789 return SECCLASS_KEY_SOCKET;
790 case PF_APPLETALK:
791 return SECCLASS_APPLETALK_SOCKET;
792 }
793
794 return SECCLASS_SOCKET;
795 }
796
797 #ifdef CONFIG_PROC_FS
798 static int selinux_proc_get_sid(struct proc_dir_entry *de,
799 u16 tclass,
800 u32 *sid)
801 {
802 int buflen, rc;
803 char *buffer, *path, *end;
804
805 buffer = (char*)__get_free_page(GFP_KERNEL);
806 if (!buffer)
807 return -ENOMEM;
808
809 buflen = PAGE_SIZE;
810 end = buffer+buflen;
811 *--end = '\0';
812 buflen--;
813 path = end-1;
814 *path = '/';
815 while (de && de != de->parent) {
816 buflen -= de->namelen + 1;
817 if (buflen < 0)
818 break;
819 end -= de->namelen;
820 memcpy(end, de->name, de->namelen);
821 *--end = '/';
822 path = end;
823 de = de->parent;
824 }
825 rc = security_genfs_sid("proc", path, tclass, sid);
826 free_page((unsigned long)buffer);
827 return rc;
828 }
829 #else
830 static int selinux_proc_get_sid(struct proc_dir_entry *de,
831 u16 tclass,
832 u32 *sid)
833 {
834 return -EINVAL;
835 }
836 #endif
837
838 /* The inode's security attributes must be initialized before first use. */
839 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
840 {
841 struct superblock_security_struct *sbsec = NULL;
842 struct inode_security_struct *isec = inode->i_security;
843 u32 sid;
844 struct dentry *dentry;
845 #define INITCONTEXTLEN 255
846 char *context = NULL;
847 unsigned len = 0;
848 int rc = 0;
849
850 if (isec->initialized)
851 goto out;
852
853 mutex_lock(&isec->lock);
854 if (isec->initialized)
855 goto out_unlock;
856
857 sbsec = inode->i_sb->s_security;
858 if (!sbsec->initialized) {
859 /* Defer initialization until selinux_complete_init,
860 after the initial policy is loaded and the security
861 server is ready to handle calls. */
862 spin_lock(&sbsec->isec_lock);
863 if (list_empty(&isec->list))
864 list_add(&isec->list, &sbsec->isec_head);
865 spin_unlock(&sbsec->isec_lock);
866 goto out_unlock;
867 }
868
869 switch (sbsec->behavior) {
870 case SECURITY_FS_USE_XATTR:
871 if (!inode->i_op->getxattr) {
872 isec->sid = sbsec->def_sid;
873 break;
874 }
875
876 /* Need a dentry, since the xattr API requires one.
877 Life would be simpler if we could just pass the inode. */
878 if (opt_dentry) {
879 /* Called from d_instantiate or d_splice_alias. */
880 dentry = dget(opt_dentry);
881 } else {
882 /* Called from selinux_complete_init, try to find a dentry. */
883 dentry = d_find_alias(inode);
884 }
885 if (!dentry) {
886 printk(KERN_WARNING "%s: no dentry for dev=%s "
887 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
888 inode->i_ino);
889 goto out_unlock;
890 }
891
892 len = INITCONTEXTLEN;
893 context = kmalloc(len, GFP_KERNEL);
894 if (!context) {
895 rc = -ENOMEM;
896 dput(dentry);
897 goto out_unlock;
898 }
899 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
900 context, len);
901 if (rc == -ERANGE) {
902 /* Need a larger buffer. Query for the right size. */
903 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
904 NULL, 0);
905 if (rc < 0) {
906 dput(dentry);
907 goto out_unlock;
908 }
909 kfree(context);
910 len = rc;
911 context = kmalloc(len, GFP_KERNEL);
912 if (!context) {
913 rc = -ENOMEM;
914 dput(dentry);
915 goto out_unlock;
916 }
917 rc = inode->i_op->getxattr(dentry,
918 XATTR_NAME_SELINUX,
919 context, len);
920 }
921 dput(dentry);
922 if (rc < 0) {
923 if (rc != -ENODATA) {
924 printk(KERN_WARNING "%s: getxattr returned "
925 "%d for dev=%s ino=%ld\n", __FUNCTION__,
926 -rc, inode->i_sb->s_id, inode->i_ino);
927 kfree(context);
928 goto out_unlock;
929 }
930 /* Map ENODATA to the default file SID */
931 sid = sbsec->def_sid;
932 rc = 0;
933 } else {
934 rc = security_context_to_sid_default(context, rc, &sid,
935 sbsec->def_sid);
936 if (rc) {
937 printk(KERN_WARNING "%s: context_to_sid(%s) "
938 "returned %d for dev=%s ino=%ld\n",
939 __FUNCTION__, context, -rc,
940 inode->i_sb->s_id, inode->i_ino);
941 kfree(context);
942 /* Leave with the unlabeled SID */
943 rc = 0;
944 break;
945 }
946 }
947 kfree(context);
948 isec->sid = sid;
949 break;
950 case SECURITY_FS_USE_TASK:
951 isec->sid = isec->task_sid;
952 break;
953 case SECURITY_FS_USE_TRANS:
954 /* Default to the fs SID. */
955 isec->sid = sbsec->sid;
956
957 /* Try to obtain a transition SID. */
958 isec->sclass = inode_mode_to_security_class(inode->i_mode);
959 rc = security_transition_sid(isec->task_sid,
960 sbsec->sid,
961 isec->sclass,
962 &sid);
963 if (rc)
964 goto out_unlock;
965 isec->sid = sid;
966 break;
967 case SECURITY_FS_USE_MNTPOINT:
968 isec->sid = sbsec->mntpoint_sid;
969 break;
970 default:
971 /* Default to the fs superblock SID. */
972 isec->sid = sbsec->sid;
973
974 if (sbsec->proc) {
975 struct proc_inode *proci = PROC_I(inode);
976 if (proci->pde) {
977 isec->sclass = inode_mode_to_security_class(inode->i_mode);
978 rc = selinux_proc_get_sid(proci->pde,
979 isec->sclass,
980 &sid);
981 if (rc)
982 goto out_unlock;
983 isec->sid = sid;
984 }
985 }
986 break;
987 }
988
989 isec->initialized = 1;
990
991 out_unlock:
992 mutex_unlock(&isec->lock);
993 out:
994 if (isec->sclass == SECCLASS_FILE)
995 isec->sclass = inode_mode_to_security_class(inode->i_mode);
996 return rc;
997 }
998
999 /* Convert a Linux signal to an access vector. */
1000 static inline u32 signal_to_av(int sig)
1001 {
1002 u32 perm = 0;
1003
1004 switch (sig) {
1005 case SIGCHLD:
1006 /* Commonly granted from child to parent. */
1007 perm = PROCESS__SIGCHLD;
1008 break;
1009 case SIGKILL:
1010 /* Cannot be caught or ignored */
1011 perm = PROCESS__SIGKILL;
1012 break;
1013 case SIGSTOP:
1014 /* Cannot be caught or ignored */
1015 perm = PROCESS__SIGSTOP;
1016 break;
1017 default:
1018 /* All other signals. */
1019 perm = PROCESS__SIGNAL;
1020 break;
1021 }
1022
1023 return perm;
1024 }
1025
1026 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1027 fork check, ptrace check, etc. */
1028 static int task_has_perm(struct task_struct *tsk1,
1029 struct task_struct *tsk2,
1030 u32 perms)
1031 {
1032 struct task_security_struct *tsec1, *tsec2;
1033
1034 tsec1 = tsk1->security;
1035 tsec2 = tsk2->security;
1036 return avc_has_perm(tsec1->sid, tsec2->sid,
1037 SECCLASS_PROCESS, perms, NULL);
1038 }
1039
1040 /* Check whether a task is allowed to use a capability. */
1041 static int task_has_capability(struct task_struct *tsk,
1042 int cap)
1043 {
1044 struct task_security_struct *tsec;
1045 struct avc_audit_data ad;
1046
1047 tsec = tsk->security;
1048
1049 AVC_AUDIT_DATA_INIT(&ad,CAP);
1050 ad.tsk = tsk;
1051 ad.u.cap = cap;
1052
1053 return avc_has_perm(tsec->sid, tsec->sid,
1054 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1055 }
1056
1057 /* Check whether a task is allowed to use a system operation. */
1058 static int task_has_system(struct task_struct *tsk,
1059 u32 perms)
1060 {
1061 struct task_security_struct *tsec;
1062
1063 tsec = tsk->security;
1064
1065 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1066 SECCLASS_SYSTEM, perms, NULL);
1067 }
1068
1069 /* Check whether a task has a particular permission to an inode.
1070 The 'adp' parameter is optional and allows other audit
1071 data to be passed (e.g. the dentry). */
1072 static int inode_has_perm(struct task_struct *tsk,
1073 struct inode *inode,
1074 u32 perms,
1075 struct avc_audit_data *adp)
1076 {
1077 struct task_security_struct *tsec;
1078 struct inode_security_struct *isec;
1079 struct avc_audit_data ad;
1080
1081 tsec = tsk->security;
1082 isec = inode->i_security;
1083
1084 if (!adp) {
1085 adp = &ad;
1086 AVC_AUDIT_DATA_INIT(&ad, FS);
1087 ad.u.fs.inode = inode;
1088 }
1089
1090 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1091 }
1092
1093 /* Same as inode_has_perm, but pass explicit audit data containing
1094 the dentry to help the auditing code to more easily generate the
1095 pathname if needed. */
1096 static inline int dentry_has_perm(struct task_struct *tsk,
1097 struct vfsmount *mnt,
1098 struct dentry *dentry,
1099 u32 av)
1100 {
1101 struct inode *inode = dentry->d_inode;
1102 struct avc_audit_data ad;
1103 AVC_AUDIT_DATA_INIT(&ad,FS);
1104 ad.u.fs.mnt = mnt;
1105 ad.u.fs.dentry = dentry;
1106 return inode_has_perm(tsk, inode, av, &ad);
1107 }
1108
1109 /* Check whether a task can use an open file descriptor to
1110 access an inode in a given way. Check access to the
1111 descriptor itself, and then use dentry_has_perm to
1112 check a particular permission to the file.
1113 Access to the descriptor is implicitly granted if it
1114 has the same SID as the process. If av is zero, then
1115 access to the file is not checked, e.g. for cases
1116 where only the descriptor is affected like seek. */
1117 static int file_has_perm(struct task_struct *tsk,
1118 struct file *file,
1119 u32 av)
1120 {
1121 struct task_security_struct *tsec = tsk->security;
1122 struct file_security_struct *fsec = file->f_security;
1123 struct vfsmount *mnt = file->f_vfsmnt;
1124 struct dentry *dentry = file->f_dentry;
1125 struct inode *inode = dentry->d_inode;
1126 struct avc_audit_data ad;
1127 int rc;
1128
1129 AVC_AUDIT_DATA_INIT(&ad, FS);
1130 ad.u.fs.mnt = mnt;
1131 ad.u.fs.dentry = dentry;
1132
1133 if (tsec->sid != fsec->sid) {
1134 rc = avc_has_perm(tsec->sid, fsec->sid,
1135 SECCLASS_FD,
1136 FD__USE,
1137 &ad);
1138 if (rc)
1139 return rc;
1140 }
1141
1142 /* av is zero if only checking access to the descriptor. */
1143 if (av)
1144 return inode_has_perm(tsk, inode, av, &ad);
1145
1146 return 0;
1147 }
1148
1149 /* Check whether a task can create a file. */
1150 static int may_create(struct inode *dir,
1151 struct dentry *dentry,
1152 u16 tclass)
1153 {
1154 struct task_security_struct *tsec;
1155 struct inode_security_struct *dsec;
1156 struct superblock_security_struct *sbsec;
1157 u32 newsid;
1158 struct avc_audit_data ad;
1159 int rc;
1160
1161 tsec = current->security;
1162 dsec = dir->i_security;
1163 sbsec = dir->i_sb->s_security;
1164
1165 AVC_AUDIT_DATA_INIT(&ad, FS);
1166 ad.u.fs.dentry = dentry;
1167
1168 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1169 DIR__ADD_NAME | DIR__SEARCH,
1170 &ad);
1171 if (rc)
1172 return rc;
1173
1174 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1175 newsid = tsec->create_sid;
1176 } else {
1177 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1178 &newsid);
1179 if (rc)
1180 return rc;
1181 }
1182
1183 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1184 if (rc)
1185 return rc;
1186
1187 return avc_has_perm(newsid, sbsec->sid,
1188 SECCLASS_FILESYSTEM,
1189 FILESYSTEM__ASSOCIATE, &ad);
1190 }
1191
1192 /* Check whether a task can create a key. */
1193 static int may_create_key(u32 ksid,
1194 struct task_struct *ctx)
1195 {
1196 struct task_security_struct *tsec;
1197
1198 tsec = ctx->security;
1199
1200 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1201 }
1202
1203 #define MAY_LINK 0
1204 #define MAY_UNLINK 1
1205 #define MAY_RMDIR 2
1206
1207 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1208 static int may_link(struct inode *dir,
1209 struct dentry *dentry,
1210 int kind)
1211
1212 {
1213 struct task_security_struct *tsec;
1214 struct inode_security_struct *dsec, *isec;
1215 struct avc_audit_data ad;
1216 u32 av;
1217 int rc;
1218
1219 tsec = current->security;
1220 dsec = dir->i_security;
1221 isec = dentry->d_inode->i_security;
1222
1223 AVC_AUDIT_DATA_INIT(&ad, FS);
1224 ad.u.fs.dentry = dentry;
1225
1226 av = DIR__SEARCH;
1227 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1228 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1229 if (rc)
1230 return rc;
1231
1232 switch (kind) {
1233 case MAY_LINK:
1234 av = FILE__LINK;
1235 break;
1236 case MAY_UNLINK:
1237 av = FILE__UNLINK;
1238 break;
1239 case MAY_RMDIR:
1240 av = DIR__RMDIR;
1241 break;
1242 default:
1243 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1244 return 0;
1245 }
1246
1247 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1248 return rc;
1249 }
1250
1251 static inline int may_rename(struct inode *old_dir,
1252 struct dentry *old_dentry,
1253 struct inode *new_dir,
1254 struct dentry *new_dentry)
1255 {
1256 struct task_security_struct *tsec;
1257 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1258 struct avc_audit_data ad;
1259 u32 av;
1260 int old_is_dir, new_is_dir;
1261 int rc;
1262
1263 tsec = current->security;
1264 old_dsec = old_dir->i_security;
1265 old_isec = old_dentry->d_inode->i_security;
1266 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1267 new_dsec = new_dir->i_security;
1268
1269 AVC_AUDIT_DATA_INIT(&ad, FS);
1270
1271 ad.u.fs.dentry = old_dentry;
1272 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1273 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1274 if (rc)
1275 return rc;
1276 rc = avc_has_perm(tsec->sid, old_isec->sid,
1277 old_isec->sclass, FILE__RENAME, &ad);
1278 if (rc)
1279 return rc;
1280 if (old_is_dir && new_dir != old_dir) {
1281 rc = avc_has_perm(tsec->sid, old_isec->sid,
1282 old_isec->sclass, DIR__REPARENT, &ad);
1283 if (rc)
1284 return rc;
1285 }
1286
1287 ad.u.fs.dentry = new_dentry;
1288 av = DIR__ADD_NAME | DIR__SEARCH;
1289 if (new_dentry->d_inode)
1290 av |= DIR__REMOVE_NAME;
1291 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1292 if (rc)
1293 return rc;
1294 if (new_dentry->d_inode) {
1295 new_isec = new_dentry->d_inode->i_security;
1296 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1297 rc = avc_has_perm(tsec->sid, new_isec->sid,
1298 new_isec->sclass,
1299 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1300 if (rc)
1301 return rc;
1302 }
1303
1304 return 0;
1305 }
1306
1307 /* Check whether a task can perform a filesystem operation. */
1308 static int superblock_has_perm(struct task_struct *tsk,
1309 struct super_block *sb,
1310 u32 perms,
1311 struct avc_audit_data *ad)
1312 {
1313 struct task_security_struct *tsec;
1314 struct superblock_security_struct *sbsec;
1315
1316 tsec = tsk->security;
1317 sbsec = sb->s_security;
1318 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1319 perms, ad);
1320 }
1321
1322 /* Convert a Linux mode and permission mask to an access vector. */
1323 static inline u32 file_mask_to_av(int mode, int mask)
1324 {
1325 u32 av = 0;
1326
1327 if ((mode & S_IFMT) != S_IFDIR) {
1328 if (mask & MAY_EXEC)
1329 av |= FILE__EXECUTE;
1330 if (mask & MAY_READ)
1331 av |= FILE__READ;
1332
1333 if (mask & MAY_APPEND)
1334 av |= FILE__APPEND;
1335 else if (mask & MAY_WRITE)
1336 av |= FILE__WRITE;
1337
1338 } else {
1339 if (mask & MAY_EXEC)
1340 av |= DIR__SEARCH;
1341 if (mask & MAY_WRITE)
1342 av |= DIR__WRITE;
1343 if (mask & MAY_READ)
1344 av |= DIR__READ;
1345 }
1346
1347 return av;
1348 }
1349
1350 /* Convert a Linux file to an access vector. */
1351 static inline u32 file_to_av(struct file *file)
1352 {
1353 u32 av = 0;
1354
1355 if (file->f_mode & FMODE_READ)
1356 av |= FILE__READ;
1357 if (file->f_mode & FMODE_WRITE) {
1358 if (file->f_flags & O_APPEND)
1359 av |= FILE__APPEND;
1360 else
1361 av |= FILE__WRITE;
1362 }
1363
1364 return av;
1365 }
1366
1367 /* Hook functions begin here. */
1368
1369 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1370 {
1371 struct task_security_struct *psec = parent->security;
1372 struct task_security_struct *csec = child->security;
1373 int rc;
1374
1375 rc = secondary_ops->ptrace(parent,child);
1376 if (rc)
1377 return rc;
1378
1379 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1380 /* Save the SID of the tracing process for later use in apply_creds. */
1381 if (!(child->ptrace & PT_PTRACED) && !rc)
1382 csec->ptrace_sid = psec->sid;
1383 return rc;
1384 }
1385
1386 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1387 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1388 {
1389 int error;
1390
1391 error = task_has_perm(current, target, PROCESS__GETCAP);
1392 if (error)
1393 return error;
1394
1395 return secondary_ops->capget(target, effective, inheritable, permitted);
1396 }
1397
1398 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1399 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1400 {
1401 int error;
1402
1403 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1404 if (error)
1405 return error;
1406
1407 return task_has_perm(current, target, PROCESS__SETCAP);
1408 }
1409
1410 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1411 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1412 {
1413 secondary_ops->capset_set(target, effective, inheritable, permitted);
1414 }
1415
1416 static int selinux_capable(struct task_struct *tsk, int cap)
1417 {
1418 int rc;
1419
1420 rc = secondary_ops->capable(tsk, cap);
1421 if (rc)
1422 return rc;
1423
1424 return task_has_capability(tsk,cap);
1425 }
1426
1427 static int selinux_sysctl(ctl_table *table, int op)
1428 {
1429 int error = 0;
1430 u32 av;
1431 struct task_security_struct *tsec;
1432 u32 tsid;
1433 int rc;
1434
1435 rc = secondary_ops->sysctl(table, op);
1436 if (rc)
1437 return rc;
1438
1439 tsec = current->security;
1440
1441 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1442 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1443 if (rc) {
1444 /* Default to the well-defined sysctl SID. */
1445 tsid = SECINITSID_SYSCTL;
1446 }
1447
1448 /* The op values are "defined" in sysctl.c, thereby creating
1449 * a bad coupling between this module and sysctl.c */
1450 if(op == 001) {
1451 error = avc_has_perm(tsec->sid, tsid,
1452 SECCLASS_DIR, DIR__SEARCH, NULL);
1453 } else {
1454 av = 0;
1455 if (op & 004)
1456 av |= FILE__READ;
1457 if (op & 002)
1458 av |= FILE__WRITE;
1459 if (av)
1460 error = avc_has_perm(tsec->sid, tsid,
1461 SECCLASS_FILE, av, NULL);
1462 }
1463
1464 return error;
1465 }
1466
1467 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1468 {
1469 int rc = 0;
1470
1471 if (!sb)
1472 return 0;
1473
1474 switch (cmds) {
1475 case Q_SYNC:
1476 case Q_QUOTAON:
1477 case Q_QUOTAOFF:
1478 case Q_SETINFO:
1479 case Q_SETQUOTA:
1480 rc = superblock_has_perm(current,
1481 sb,
1482 FILESYSTEM__QUOTAMOD, NULL);
1483 break;
1484 case Q_GETFMT:
1485 case Q_GETINFO:
1486 case Q_GETQUOTA:
1487 rc = superblock_has_perm(current,
1488 sb,
1489 FILESYSTEM__QUOTAGET, NULL);
1490 break;
1491 default:
1492 rc = 0; /* let the kernel handle invalid cmds */
1493 break;
1494 }
1495 return rc;
1496 }
1497
1498 static int selinux_quota_on(struct dentry *dentry)
1499 {
1500 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1501 }
1502
1503 static int selinux_syslog(int type)
1504 {
1505 int rc;
1506
1507 rc = secondary_ops->syslog(type);
1508 if (rc)
1509 return rc;
1510
1511 switch (type) {
1512 case 3: /* Read last kernel messages */
1513 case 10: /* Return size of the log buffer */
1514 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1515 break;
1516 case 6: /* Disable logging to console */
1517 case 7: /* Enable logging to console */
1518 case 8: /* Set level of messages printed to console */
1519 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1520 break;
1521 case 0: /* Close log */
1522 case 1: /* Open log */
1523 case 2: /* Read from log */
1524 case 4: /* Read/clear last kernel messages */
1525 case 5: /* Clear ring buffer */
1526 default:
1527 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1528 break;
1529 }
1530 return rc;
1531 }
1532
1533 /*
1534 * Check that a process has enough memory to allocate a new virtual
1535 * mapping. 0 means there is enough memory for the allocation to
1536 * succeed and -ENOMEM implies there is not.
1537 *
1538 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1539 * if the capability is granted, but __vm_enough_memory requires 1 if
1540 * the capability is granted.
1541 *
1542 * Do not audit the selinux permission check, as this is applied to all
1543 * processes that allocate mappings.
1544 */
1545 static int selinux_vm_enough_memory(long pages)
1546 {
1547 int rc, cap_sys_admin = 0;
1548 struct task_security_struct *tsec = current->security;
1549
1550 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1551 if (rc == 0)
1552 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1553 SECCLASS_CAPABILITY,
1554 CAP_TO_MASK(CAP_SYS_ADMIN),
1555 NULL);
1556
1557 if (rc == 0)
1558 cap_sys_admin = 1;
1559
1560 return __vm_enough_memory(pages, cap_sys_admin);
1561 }
1562
1563 /* binprm security operations */
1564
1565 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1566 {
1567 struct bprm_security_struct *bsec;
1568
1569 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1570 if (!bsec)
1571 return -ENOMEM;
1572
1573 bsec->bprm = bprm;
1574 bsec->sid = SECINITSID_UNLABELED;
1575 bsec->set = 0;
1576
1577 bprm->security = bsec;
1578 return 0;
1579 }
1580
1581 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1582 {
1583 struct task_security_struct *tsec;
1584 struct inode *inode = bprm->file->f_dentry->d_inode;
1585 struct inode_security_struct *isec;
1586 struct bprm_security_struct *bsec;
1587 u32 newsid;
1588 struct avc_audit_data ad;
1589 int rc;
1590
1591 rc = secondary_ops->bprm_set_security(bprm);
1592 if (rc)
1593 return rc;
1594
1595 bsec = bprm->security;
1596
1597 if (bsec->set)
1598 return 0;
1599
1600 tsec = current->security;
1601 isec = inode->i_security;
1602
1603 /* Default to the current task SID. */
1604 bsec->sid = tsec->sid;
1605
1606 /* Reset fs, key, and sock SIDs on execve. */
1607 tsec->create_sid = 0;
1608 tsec->keycreate_sid = 0;
1609 tsec->sockcreate_sid = 0;
1610
1611 if (tsec->exec_sid) {
1612 newsid = tsec->exec_sid;
1613 /* Reset exec SID on execve. */
1614 tsec->exec_sid = 0;
1615 } else {
1616 /* Check for a default transition on this program. */
1617 rc = security_transition_sid(tsec->sid, isec->sid,
1618 SECCLASS_PROCESS, &newsid);
1619 if (rc)
1620 return rc;
1621 }
1622
1623 AVC_AUDIT_DATA_INIT(&ad, FS);
1624 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1625 ad.u.fs.dentry = bprm->file->f_dentry;
1626
1627 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1628 newsid = tsec->sid;
1629
1630 if (tsec->sid == newsid) {
1631 rc = avc_has_perm(tsec->sid, isec->sid,
1632 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1633 if (rc)
1634 return rc;
1635 } else {
1636 /* Check permissions for the transition. */
1637 rc = avc_has_perm(tsec->sid, newsid,
1638 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1639 if (rc)
1640 return rc;
1641
1642 rc = avc_has_perm(newsid, isec->sid,
1643 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1644 if (rc)
1645 return rc;
1646
1647 /* Clear any possibly unsafe personality bits on exec: */
1648 current->personality &= ~PER_CLEAR_ON_SETID;
1649
1650 /* Set the security field to the new SID. */
1651 bsec->sid = newsid;
1652 }
1653
1654 bsec->set = 1;
1655 return 0;
1656 }
1657
1658 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1659 {
1660 return secondary_ops->bprm_check_security(bprm);
1661 }
1662
1663
1664 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1665 {
1666 struct task_security_struct *tsec = current->security;
1667 int atsecure = 0;
1668
1669 if (tsec->osid != tsec->sid) {
1670 /* Enable secure mode for SIDs transitions unless
1671 the noatsecure permission is granted between
1672 the two SIDs, i.e. ahp returns 0. */
1673 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1674 SECCLASS_PROCESS,
1675 PROCESS__NOATSECURE, NULL);
1676 }
1677
1678 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1679 }
1680
1681 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1682 {
1683 kfree(bprm->security);
1684 bprm->security = NULL;
1685 }
1686
1687 extern struct vfsmount *selinuxfs_mount;
1688 extern struct dentry *selinux_null;
1689
1690 /* Derived from fs/exec.c:flush_old_files. */
1691 static inline void flush_unauthorized_files(struct files_struct * files)
1692 {
1693 struct avc_audit_data ad;
1694 struct file *file, *devnull = NULL;
1695 struct tty_struct *tty;
1696 struct fdtable *fdt;
1697 long j = -1;
1698
1699 mutex_lock(&tty_mutex);
1700 tty = current->signal->tty;
1701 if (tty) {
1702 file_list_lock();
1703 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1704 if (file) {
1705 /* Revalidate access to controlling tty.
1706 Use inode_has_perm on the tty inode directly rather
1707 than using file_has_perm, as this particular open
1708 file may belong to another process and we are only
1709 interested in the inode-based check here. */
1710 struct inode *inode = file->f_dentry->d_inode;
1711 if (inode_has_perm(current, inode,
1712 FILE__READ | FILE__WRITE, NULL)) {
1713 /* Reset controlling tty. */
1714 current->signal->tty = NULL;
1715 current->signal->tty_old_pgrp = 0;
1716 }
1717 }
1718 file_list_unlock();
1719 }
1720 mutex_unlock(&tty_mutex);
1721
1722 /* Revalidate access to inherited open files. */
1723
1724 AVC_AUDIT_DATA_INIT(&ad,FS);
1725
1726 spin_lock(&files->file_lock);
1727 for (;;) {
1728 unsigned long set, i;
1729 int fd;
1730
1731 j++;
1732 i = j * __NFDBITS;
1733 fdt = files_fdtable(files);
1734 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1735 break;
1736 set = fdt->open_fds->fds_bits[j];
1737 if (!set)
1738 continue;
1739 spin_unlock(&files->file_lock);
1740 for ( ; set ; i++,set >>= 1) {
1741 if (set & 1) {
1742 file = fget(i);
1743 if (!file)
1744 continue;
1745 if (file_has_perm(current,
1746 file,
1747 file_to_av(file))) {
1748 sys_close(i);
1749 fd = get_unused_fd();
1750 if (fd != i) {
1751 if (fd >= 0)
1752 put_unused_fd(fd);
1753 fput(file);
1754 continue;
1755 }
1756 if (devnull) {
1757 get_file(devnull);
1758 } else {
1759 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1760 if (IS_ERR(devnull)) {
1761 devnull = NULL;
1762 put_unused_fd(fd);
1763 fput(file);
1764 continue;
1765 }
1766 }
1767 fd_install(fd, devnull);
1768 }
1769 fput(file);
1770 }
1771 }
1772 spin_lock(&files->file_lock);
1773
1774 }
1775 spin_unlock(&files->file_lock);
1776 }
1777
1778 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1779 {
1780 struct task_security_struct *tsec;
1781 struct bprm_security_struct *bsec;
1782 u32 sid;
1783 int rc;
1784
1785 secondary_ops->bprm_apply_creds(bprm, unsafe);
1786
1787 tsec = current->security;
1788
1789 bsec = bprm->security;
1790 sid = bsec->sid;
1791
1792 tsec->osid = tsec->sid;
1793 bsec->unsafe = 0;
1794 if (tsec->sid != sid) {
1795 /* Check for shared state. If not ok, leave SID
1796 unchanged and kill. */
1797 if (unsafe & LSM_UNSAFE_SHARE) {
1798 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1799 PROCESS__SHARE, NULL);
1800 if (rc) {
1801 bsec->unsafe = 1;
1802 return;
1803 }
1804 }
1805
1806 /* Check for ptracing, and update the task SID if ok.
1807 Otherwise, leave SID unchanged and kill. */
1808 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1809 rc = avc_has_perm(tsec->ptrace_sid, sid,
1810 SECCLASS_PROCESS, PROCESS__PTRACE,
1811 NULL);
1812 if (rc) {
1813 bsec->unsafe = 1;
1814 return;
1815 }
1816 }
1817 tsec->sid = sid;
1818 }
1819 }
1820
1821 /*
1822 * called after apply_creds without the task lock held
1823 */
1824 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1825 {
1826 struct task_security_struct *tsec;
1827 struct rlimit *rlim, *initrlim;
1828 struct itimerval itimer;
1829 struct bprm_security_struct *bsec;
1830 int rc, i;
1831
1832 tsec = current->security;
1833 bsec = bprm->security;
1834
1835 if (bsec->unsafe) {
1836 force_sig_specific(SIGKILL, current);
1837 return;
1838 }
1839 if (tsec->osid == tsec->sid)
1840 return;
1841
1842 /* Close files for which the new task SID is not authorized. */
1843 flush_unauthorized_files(current->files);
1844
1845 /* Check whether the new SID can inherit signal state
1846 from the old SID. If not, clear itimers to avoid
1847 subsequent signal generation and flush and unblock
1848 signals. This must occur _after_ the task SID has
1849 been updated so that any kill done after the flush
1850 will be checked against the new SID. */
1851 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1852 PROCESS__SIGINH, NULL);
1853 if (rc) {
1854 memset(&itimer, 0, sizeof itimer);
1855 for (i = 0; i < 3; i++)
1856 do_setitimer(i, &itimer, NULL);
1857 flush_signals(current);
1858 spin_lock_irq(&current->sighand->siglock);
1859 flush_signal_handlers(current, 1);
1860 sigemptyset(&current->blocked);
1861 recalc_sigpending();
1862 spin_unlock_irq(&current->sighand->siglock);
1863 }
1864
1865 /* Check whether the new SID can inherit resource limits
1866 from the old SID. If not, reset all soft limits to
1867 the lower of the current task's hard limit and the init
1868 task's soft limit. Note that the setting of hard limits
1869 (even to lower them) can be controlled by the setrlimit
1870 check. The inclusion of the init task's soft limit into
1871 the computation is to avoid resetting soft limits higher
1872 than the default soft limit for cases where the default
1873 is lower than the hard limit, e.g. RLIMIT_CORE or
1874 RLIMIT_STACK.*/
1875 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1876 PROCESS__RLIMITINH, NULL);
1877 if (rc) {
1878 for (i = 0; i < RLIM_NLIMITS; i++) {
1879 rlim = current->signal->rlim + i;
1880 initrlim = init_task.signal->rlim+i;
1881 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1882 }
1883 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1884 /*
1885 * This will cause RLIMIT_CPU calculations
1886 * to be refigured.
1887 */
1888 current->it_prof_expires = jiffies_to_cputime(1);
1889 }
1890 }
1891
1892 /* Wake up the parent if it is waiting so that it can
1893 recheck wait permission to the new task SID. */
1894 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1895 }
1896
1897 /* superblock security operations */
1898
1899 static int selinux_sb_alloc_security(struct super_block *sb)
1900 {
1901 return superblock_alloc_security(sb);
1902 }
1903
1904 static void selinux_sb_free_security(struct super_block *sb)
1905 {
1906 superblock_free_security(sb);
1907 }
1908
1909 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1910 {
1911 if (plen > olen)
1912 return 0;
1913
1914 return !memcmp(prefix, option, plen);
1915 }
1916
1917 static inline int selinux_option(char *option, int len)
1918 {
1919 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1920 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1921 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1922 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1923 }
1924
1925 static inline void take_option(char **to, char *from, int *first, int len)
1926 {
1927 if (!*first) {
1928 **to = ',';
1929 *to += 1;
1930 } else
1931 *first = 0;
1932 memcpy(*to, from, len);
1933 *to += len;
1934 }
1935
1936 static inline void take_selinux_option(char **to, char *from, int *first,
1937 int len)
1938 {
1939 int current_size = 0;
1940
1941 if (!*first) {
1942 **to = '|';
1943 *to += 1;
1944 }
1945 else
1946 *first = 0;
1947
1948 while (current_size < len) {
1949 if (*from != '"') {
1950 **to = *from;
1951 *to += 1;
1952 }
1953 from += 1;
1954 current_size += 1;
1955 }
1956 }
1957
1958 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1959 {
1960 int fnosec, fsec, rc = 0;
1961 char *in_save, *in_curr, *in_end;
1962 char *sec_curr, *nosec_save, *nosec;
1963 int open_quote = 0;
1964
1965 in_curr = orig;
1966 sec_curr = copy;
1967
1968 /* Binary mount data: just copy */
1969 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1970 copy_page(sec_curr, in_curr);
1971 goto out;
1972 }
1973
1974 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1975 if (!nosec) {
1976 rc = -ENOMEM;
1977 goto out;
1978 }
1979
1980 nosec_save = nosec;
1981 fnosec = fsec = 1;
1982 in_save = in_end = orig;
1983
1984 do {
1985 if (*in_end == '"')
1986 open_quote = !open_quote;
1987 if ((*in_end == ',' && open_quote == 0) ||
1988 *in_end == '\0') {
1989 int len = in_end - in_curr;
1990
1991 if (selinux_option(in_curr, len))
1992 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1993 else
1994 take_option(&nosec, in_curr, &fnosec, len);
1995
1996 in_curr = in_end + 1;
1997 }
1998 } while (*in_end++);
1999
2000 strcpy(in_save, nosec_save);
2001 free_page((unsigned long)nosec_save);
2002 out:
2003 return rc;
2004 }
2005
2006 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2007 {
2008 struct avc_audit_data ad;
2009 int rc;
2010
2011 rc = superblock_doinit(sb, data);
2012 if (rc)
2013 return rc;
2014
2015 AVC_AUDIT_DATA_INIT(&ad,FS);
2016 ad.u.fs.dentry = sb->s_root;
2017 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2018 }
2019
2020 static int selinux_sb_statfs(struct dentry *dentry)
2021 {
2022 struct avc_audit_data ad;
2023
2024 AVC_AUDIT_DATA_INIT(&ad,FS);
2025 ad.u.fs.dentry = dentry->d_sb->s_root;
2026 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2027 }
2028
2029 static int selinux_mount(char * dev_name,
2030 struct nameidata *nd,
2031 char * type,
2032 unsigned long flags,
2033 void * data)
2034 {
2035 int rc;
2036
2037 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2038 if (rc)
2039 return rc;
2040
2041 if (flags & MS_REMOUNT)
2042 return superblock_has_perm(current, nd->mnt->mnt_sb,
2043 FILESYSTEM__REMOUNT, NULL);
2044 else
2045 return dentry_has_perm(current, nd->mnt, nd->dentry,
2046 FILE__MOUNTON);
2047 }
2048
2049 static int selinux_umount(struct vfsmount *mnt, int flags)
2050 {
2051 int rc;
2052
2053 rc = secondary_ops->sb_umount(mnt, flags);
2054 if (rc)
2055 return rc;
2056
2057 return superblock_has_perm(current,mnt->mnt_sb,
2058 FILESYSTEM__UNMOUNT,NULL);
2059 }
2060
2061 /* inode security operations */
2062
2063 static int selinux_inode_alloc_security(struct inode *inode)
2064 {
2065 return inode_alloc_security(inode);
2066 }
2067
2068 static void selinux_inode_free_security(struct inode *inode)
2069 {
2070 inode_free_security(inode);
2071 }
2072
2073 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2074 char **name, void **value,
2075 size_t *len)
2076 {
2077 struct task_security_struct *tsec;
2078 struct inode_security_struct *dsec;
2079 struct superblock_security_struct *sbsec;
2080 u32 newsid, clen;
2081 int rc;
2082 char *namep = NULL, *context;
2083
2084 tsec = current->security;
2085 dsec = dir->i_security;
2086 sbsec = dir->i_sb->s_security;
2087
2088 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2089 newsid = tsec->create_sid;
2090 } else {
2091 rc = security_transition_sid(tsec->sid, dsec->sid,
2092 inode_mode_to_security_class(inode->i_mode),
2093 &newsid);
2094 if (rc) {
2095 printk(KERN_WARNING "%s: "
2096 "security_transition_sid failed, rc=%d (dev=%s "
2097 "ino=%ld)\n",
2098 __FUNCTION__,
2099 -rc, inode->i_sb->s_id, inode->i_ino);
2100 return rc;
2101 }
2102 }
2103
2104 /* Possibly defer initialization to selinux_complete_init. */
2105 if (sbsec->initialized) {
2106 struct inode_security_struct *isec = inode->i_security;
2107 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2108 isec->sid = newsid;
2109 isec->initialized = 1;
2110 }
2111
2112 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2113 return -EOPNOTSUPP;
2114
2115 if (name) {
2116 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2117 if (!namep)
2118 return -ENOMEM;
2119 *name = namep;
2120 }
2121
2122 if (value && len) {
2123 rc = security_sid_to_context(newsid, &context, &clen);
2124 if (rc) {
2125 kfree(namep);
2126 return rc;
2127 }
2128 *value = context;
2129 *len = clen;
2130 }
2131
2132 return 0;
2133 }
2134
2135 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2136 {
2137 return may_create(dir, dentry, SECCLASS_FILE);
2138 }
2139
2140 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2141 {
2142 int rc;
2143
2144 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2145 if (rc)
2146 return rc;
2147 return may_link(dir, old_dentry, MAY_LINK);
2148 }
2149
2150 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2151 {
2152 int rc;
2153
2154 rc = secondary_ops->inode_unlink(dir, dentry);
2155 if (rc)
2156 return rc;
2157 return may_link(dir, dentry, MAY_UNLINK);
2158 }
2159
2160 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2161 {
2162 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2163 }
2164
2165 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2166 {
2167 return may_create(dir, dentry, SECCLASS_DIR);
2168 }
2169
2170 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2171 {
2172 return may_link(dir, dentry, MAY_RMDIR);
2173 }
2174
2175 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2176 {
2177 int rc;
2178
2179 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2180 if (rc)
2181 return rc;
2182
2183 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2184 }
2185
2186 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2187 struct inode *new_inode, struct dentry *new_dentry)
2188 {
2189 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2190 }
2191
2192 static int selinux_inode_readlink(struct dentry *dentry)
2193 {
2194 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2195 }
2196
2197 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2198 {
2199 int rc;
2200
2201 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2202 if (rc)
2203 return rc;
2204 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2205 }
2206
2207 static int selinux_inode_permission(struct inode *inode, int mask,
2208 struct nameidata *nd)
2209 {
2210 int rc;
2211
2212 rc = secondary_ops->inode_permission(inode, mask, nd);
2213 if (rc)
2214 return rc;
2215
2216 if (!mask) {
2217 /* No permission to check. Existence test. */
2218 return 0;
2219 }
2220
2221 return inode_has_perm(current, inode,
2222 file_mask_to_av(inode->i_mode, mask), NULL);
2223 }
2224
2225 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2226 {
2227 int rc;
2228
2229 rc = secondary_ops->inode_setattr(dentry, iattr);
2230 if (rc)
2231 return rc;
2232
2233 if (iattr->ia_valid & ATTR_FORCE)
2234 return 0;
2235
2236 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2237 ATTR_ATIME_SET | ATTR_MTIME_SET))
2238 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2239
2240 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2241 }
2242
2243 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2244 {
2245 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2246 }
2247
2248 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2249 {
2250 struct task_security_struct *tsec = current->security;
2251 struct inode *inode = dentry->d_inode;
2252 struct inode_security_struct *isec = inode->i_security;
2253 struct superblock_security_struct *sbsec;
2254 struct avc_audit_data ad;
2255 u32 newsid;
2256 int rc = 0;
2257
2258 if (strcmp(name, XATTR_NAME_SELINUX)) {
2259 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2260 sizeof XATTR_SECURITY_PREFIX - 1) &&
2261 !capable(CAP_SYS_ADMIN)) {
2262 /* A different attribute in the security namespace.
2263 Restrict to administrator. */
2264 return -EPERM;
2265 }
2266
2267 /* Not an attribute we recognize, so just check the
2268 ordinary setattr permission. */
2269 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2270 }
2271
2272 sbsec = inode->i_sb->s_security;
2273 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2274 return -EOPNOTSUPP;
2275
2276 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2277 return -EPERM;
2278
2279 AVC_AUDIT_DATA_INIT(&ad,FS);
2280 ad.u.fs.dentry = dentry;
2281
2282 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2283 FILE__RELABELFROM, &ad);
2284 if (rc)
2285 return rc;
2286
2287 rc = security_context_to_sid(value, size, &newsid);
2288 if (rc)
2289 return rc;
2290
2291 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2292 FILE__RELABELTO, &ad);
2293 if (rc)
2294 return rc;
2295
2296 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2297 isec->sclass);
2298 if (rc)
2299 return rc;
2300
2301 return avc_has_perm(newsid,
2302 sbsec->sid,
2303 SECCLASS_FILESYSTEM,
2304 FILESYSTEM__ASSOCIATE,
2305 &ad);
2306 }
2307
2308 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2309 void *value, size_t size, int flags)
2310 {
2311 struct inode *inode = dentry->d_inode;
2312 struct inode_security_struct *isec = inode->i_security;
2313 u32 newsid;
2314 int rc;
2315
2316 if (strcmp(name, XATTR_NAME_SELINUX)) {
2317 /* Not an attribute we recognize, so nothing to do. */
2318 return;
2319 }
2320
2321 rc = security_context_to_sid(value, size, &newsid);
2322 if (rc) {
2323 printk(KERN_WARNING "%s: unable to obtain SID for context "
2324 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2325 return;
2326 }
2327
2328 isec->sid = newsid;
2329 return;
2330 }
2331
2332 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2333 {
2334 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2335 }
2336
2337 static int selinux_inode_listxattr (struct dentry *dentry)
2338 {
2339 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2340 }
2341
2342 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2343 {
2344 if (strcmp(name, XATTR_NAME_SELINUX)) {
2345 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2346 sizeof XATTR_SECURITY_PREFIX - 1) &&
2347 !capable(CAP_SYS_ADMIN)) {
2348 /* A different attribute in the security namespace.
2349 Restrict to administrator. */
2350 return -EPERM;
2351 }
2352
2353 /* Not an attribute we recognize, so just check the
2354 ordinary setattr permission. Might want a separate
2355 permission for removexattr. */
2356 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2357 }
2358
2359 /* No one is allowed to remove a SELinux security label.
2360 You can change the label, but all data must be labeled. */
2361 return -EACCES;
2362 }
2363
2364 static const char *selinux_inode_xattr_getsuffix(void)
2365 {
2366 return XATTR_SELINUX_SUFFIX;
2367 }
2368
2369 /*
2370 * Copy the in-core inode security context value to the user. If the
2371 * getxattr() prior to this succeeded, check to see if we need to
2372 * canonicalize the value to be finally returned to the user.
2373 *
2374 * Permission check is handled by selinux_inode_getxattr hook.
2375 */
2376 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2377 {
2378 struct inode_security_struct *isec = inode->i_security;
2379
2380 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2381 return -EOPNOTSUPP;
2382
2383 return selinux_getsecurity(isec->sid, buffer, size);
2384 }
2385
2386 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2387 const void *value, size_t size, int flags)
2388 {
2389 struct inode_security_struct *isec = inode->i_security;
2390 u32 newsid;
2391 int rc;
2392
2393 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2394 return -EOPNOTSUPP;
2395
2396 if (!value || !size)
2397 return -EACCES;
2398
2399 rc = security_context_to_sid((void*)value, size, &newsid);
2400 if (rc)
2401 return rc;
2402
2403 isec->sid = newsid;
2404 return 0;
2405 }
2406
2407 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2408 {
2409 const int len = sizeof(XATTR_NAME_SELINUX);
2410 if (buffer && len <= buffer_size)
2411 memcpy(buffer, XATTR_NAME_SELINUX, len);
2412 return len;
2413 }
2414
2415 /* file security operations */
2416
2417 static int selinux_file_permission(struct file *file, int mask)
2418 {
2419 int rc;
2420 struct inode *inode = file->f_dentry->d_inode;
2421
2422 if (!mask) {
2423 /* No permission to check. Existence test. */
2424 return 0;
2425 }
2426
2427 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2428 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2429 mask |= MAY_APPEND;
2430
2431 rc = file_has_perm(current, file,
2432 file_mask_to_av(inode->i_mode, mask));
2433 if (rc)
2434 return rc;
2435
2436 return selinux_netlbl_inode_permission(inode, mask);
2437 }
2438
2439 static int selinux_file_alloc_security(struct file *file)
2440 {
2441 return file_alloc_security(file);
2442 }
2443
2444 static void selinux_file_free_security(struct file *file)
2445 {
2446 file_free_security(file);
2447 }
2448
2449 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2450 unsigned long arg)
2451 {
2452 int error = 0;
2453
2454 switch (cmd) {
2455 case FIONREAD:
2456 /* fall through */
2457 case FIBMAP:
2458 /* fall through */
2459 case FIGETBSZ:
2460 /* fall through */
2461 case EXT2_IOC_GETFLAGS:
2462 /* fall through */
2463 case EXT2_IOC_GETVERSION:
2464 error = file_has_perm(current, file, FILE__GETATTR);
2465 break;
2466
2467 case EXT2_IOC_SETFLAGS:
2468 /* fall through */
2469 case EXT2_IOC_SETVERSION:
2470 error = file_has_perm(current, file, FILE__SETATTR);
2471 break;
2472
2473 /* sys_ioctl() checks */
2474 case FIONBIO:
2475 /* fall through */
2476 case FIOASYNC:
2477 error = file_has_perm(current, file, 0);
2478 break;
2479
2480 case KDSKBENT:
2481 case KDSKBSENT:
2482 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2483 break;
2484
2485 /* default case assumes that the command will go
2486 * to the file's ioctl() function.
2487 */
2488 default:
2489 error = file_has_perm(current, file, FILE__IOCTL);
2490
2491 }
2492 return error;
2493 }
2494
2495 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2496 {
2497 #ifndef CONFIG_PPC32
2498 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2499 /*
2500 * We are making executable an anonymous mapping or a
2501 * private file mapping that will also be writable.
2502 * This has an additional check.
2503 */
2504 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2505 if (rc)
2506 return rc;
2507 }
2508 #endif
2509
2510 if (file) {
2511 /* read access is always possible with a mapping */
2512 u32 av = FILE__READ;
2513
2514 /* write access only matters if the mapping is shared */
2515 if (shared && (prot & PROT_WRITE))
2516 av |= FILE__WRITE;
2517
2518 if (prot & PROT_EXEC)
2519 av |= FILE__EXECUTE;
2520
2521 return file_has_perm(current, file, av);
2522 }
2523 return 0;
2524 }
2525
2526 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2527 unsigned long prot, unsigned long flags)
2528 {
2529 int rc;
2530
2531 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2532 if (rc)
2533 return rc;
2534
2535 if (selinux_checkreqprot)
2536 prot = reqprot;
2537
2538 return file_map_prot_check(file, prot,
2539 (flags & MAP_TYPE) == MAP_SHARED);
2540 }
2541
2542 static int selinux_file_mprotect(struct vm_area_struct *vma,
2543 unsigned long reqprot,
2544 unsigned long prot)
2545 {
2546 int rc;
2547
2548 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2549 if (rc)
2550 return rc;
2551
2552 if (selinux_checkreqprot)
2553 prot = reqprot;
2554
2555 #ifndef CONFIG_PPC32
2556 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2557 rc = 0;
2558 if (vma->vm_start >= vma->vm_mm->start_brk &&
2559 vma->vm_end <= vma->vm_mm->brk) {
2560 rc = task_has_perm(current, current,
2561 PROCESS__EXECHEAP);
2562 } else if (!vma->vm_file &&
2563 vma->vm_start <= vma->vm_mm->start_stack &&
2564 vma->vm_end >= vma->vm_mm->start_stack) {
2565 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2566 } else if (vma->vm_file && vma->anon_vma) {
2567 /*
2568 * We are making executable a file mapping that has
2569 * had some COW done. Since pages might have been
2570 * written, check ability to execute the possibly
2571 * modified content. This typically should only
2572 * occur for text relocations.
2573 */
2574 rc = file_has_perm(current, vma->vm_file,
2575 FILE__EXECMOD);
2576 }
2577 if (rc)
2578 return rc;
2579 }
2580 #endif
2581
2582 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2583 }
2584
2585 static int selinux_file_lock(struct file *file, unsigned int cmd)
2586 {
2587 return file_has_perm(current, file, FILE__LOCK);
2588 }
2589
2590 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2591 unsigned long arg)
2592 {
2593 int err = 0;
2594
2595 switch (cmd) {
2596 case F_SETFL:
2597 if (!file->f_dentry || !file->f_dentry->d_inode) {
2598 err = -EINVAL;
2599 break;
2600 }
2601
2602 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2603 err = file_has_perm(current, file,FILE__WRITE);
2604 break;
2605 }
2606 /* fall through */
2607 case F_SETOWN:
2608 case F_SETSIG:
2609 case F_GETFL:
2610 case F_GETOWN:
2611 case F_GETSIG:
2612 /* Just check FD__USE permission */
2613 err = file_has_perm(current, file, 0);
2614 break;
2615 case F_GETLK:
2616 case F_SETLK:
2617 case F_SETLKW:
2618 #if BITS_PER_LONG == 32
2619 case F_GETLK64:
2620 case F_SETLK64:
2621 case F_SETLKW64:
2622 #endif
2623 if (!file->f_dentry || !file->f_dentry->d_inode) {
2624 err = -EINVAL;
2625 break;
2626 }
2627 err = file_has_perm(current, file, FILE__LOCK);
2628 break;
2629 }
2630
2631 return err;
2632 }
2633
2634 static int selinux_file_set_fowner(struct file *file)
2635 {
2636 struct task_security_struct *tsec;
2637 struct file_security_struct *fsec;
2638
2639 tsec = current->security;
2640 fsec = file->f_security;
2641 fsec->fown_sid = tsec->sid;
2642
2643 return 0;
2644 }
2645
2646 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2647 struct fown_struct *fown, int signum)
2648 {
2649 struct file *file;
2650 u32 perm;
2651 struct task_security_struct *tsec;
2652 struct file_security_struct *fsec;
2653
2654 /* struct fown_struct is never outside the context of a struct file */
2655 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2656
2657 tsec = tsk->security;
2658 fsec = file->f_security;
2659
2660 if (!signum)
2661 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2662 else
2663 perm = signal_to_av(signum);
2664
2665 return avc_has_perm(fsec->fown_sid, tsec->sid,
2666 SECCLASS_PROCESS, perm, NULL);
2667 }
2668
2669 static int selinux_file_receive(struct file *file)
2670 {
2671 return file_has_perm(current, file, file_to_av(file));
2672 }
2673
2674 /* task security operations */
2675
2676 static int selinux_task_create(unsigned long clone_flags)
2677 {
2678 int rc;
2679
2680 rc = secondary_ops->task_create(clone_flags);
2681 if (rc)
2682 return rc;
2683
2684 return task_has_perm(current, current, PROCESS__FORK);
2685 }
2686
2687 static int selinux_task_alloc_security(struct task_struct *tsk)
2688 {
2689 struct task_security_struct *tsec1, *tsec2;
2690 int rc;
2691
2692 tsec1 = current->security;
2693
2694 rc = task_alloc_security(tsk);
2695 if (rc)
2696 return rc;
2697 tsec2 = tsk->security;
2698
2699 tsec2->osid = tsec1->osid;
2700 tsec2->sid = tsec1->sid;
2701
2702 /* Retain the exec, fs, key, and sock SIDs across fork */
2703 tsec2->exec_sid = tsec1->exec_sid;
2704 tsec2->create_sid = tsec1->create_sid;
2705 tsec2->keycreate_sid = tsec1->keycreate_sid;
2706 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2707
2708 /* Retain ptracer SID across fork, if any.
2709 This will be reset by the ptrace hook upon any
2710 subsequent ptrace_attach operations. */
2711 tsec2->ptrace_sid = tsec1->ptrace_sid;
2712
2713 return 0;
2714 }
2715
2716 static void selinux_task_free_security(struct task_struct *tsk)
2717 {
2718 task_free_security(tsk);
2719 }
2720
2721 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2722 {
2723 /* Since setuid only affects the current process, and
2724 since the SELinux controls are not based on the Linux
2725 identity attributes, SELinux does not need to control
2726 this operation. However, SELinux does control the use
2727 of the CAP_SETUID and CAP_SETGID capabilities using the
2728 capable hook. */
2729 return 0;
2730 }
2731
2732 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2733 {
2734 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2735 }
2736
2737 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2738 {
2739 /* See the comment for setuid above. */
2740 return 0;
2741 }
2742
2743 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2744 {
2745 return task_has_perm(current, p, PROCESS__SETPGID);
2746 }
2747
2748 static int selinux_task_getpgid(struct task_struct *p)
2749 {
2750 return task_has_perm(current, p, PROCESS__GETPGID);
2751 }
2752
2753 static int selinux_task_getsid(struct task_struct *p)
2754 {
2755 return task_has_perm(current, p, PROCESS__GETSESSION);
2756 }
2757
2758 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2759 {
2760 selinux_get_task_sid(p, secid);
2761 }
2762
2763 static int selinux_task_setgroups(struct group_info *group_info)
2764 {
2765 /* See the comment for setuid above. */
2766 return 0;
2767 }
2768
2769 static int selinux_task_setnice(struct task_struct *p, int nice)
2770 {
2771 int rc;
2772
2773 rc = secondary_ops->task_setnice(p, nice);
2774 if (rc)
2775 return rc;
2776
2777 return task_has_perm(current,p, PROCESS__SETSCHED);
2778 }
2779
2780 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2781 {
2782 return task_has_perm(current, p, PROCESS__SETSCHED);
2783 }
2784
2785 static int selinux_task_getioprio(struct task_struct *p)
2786 {
2787 return task_has_perm(current, p, PROCESS__GETSCHED);
2788 }
2789
2790 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2791 {
2792 struct rlimit *old_rlim = current->signal->rlim + resource;
2793 int rc;
2794
2795 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2796 if (rc)
2797 return rc;
2798
2799 /* Control the ability to change the hard limit (whether
2800 lowering or raising it), so that the hard limit can
2801 later be used as a safe reset point for the soft limit
2802 upon context transitions. See selinux_bprm_apply_creds. */
2803 if (old_rlim->rlim_max != new_rlim->rlim_max)
2804 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2805
2806 return 0;
2807 }
2808
2809 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2810 {
2811 return task_has_perm(current, p, PROCESS__SETSCHED);
2812 }
2813
2814 static int selinux_task_getscheduler(struct task_struct *p)
2815 {
2816 return task_has_perm(current, p, PROCESS__GETSCHED);
2817 }
2818
2819 static int selinux_task_movememory(struct task_struct *p)
2820 {
2821 return task_has_perm(current, p, PROCESS__SETSCHED);
2822 }
2823
2824 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2825 int sig, u32 secid)
2826 {
2827 u32 perm;
2828 int rc;
2829 struct task_security_struct *tsec;
2830
2831 rc = secondary_ops->task_kill(p, info, sig, secid);
2832 if (rc)
2833 return rc;
2834
2835 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2836 return 0;
2837
2838 if (!sig)
2839 perm = PROCESS__SIGNULL; /* null signal; existence test */
2840 else
2841 perm = signal_to_av(sig);
2842 tsec = p->security;
2843 if (secid)
2844 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2845 else
2846 rc = task_has_perm(current, p, perm);
2847 return rc;
2848 }
2849
2850 static int selinux_task_prctl(int option,
2851 unsigned long arg2,
2852 unsigned long arg3,
2853 unsigned long arg4,
2854 unsigned long arg5)
2855 {
2856 /* The current prctl operations do not appear to require
2857 any SELinux controls since they merely observe or modify
2858 the state of the current process. */
2859 return 0;
2860 }
2861
2862 static int selinux_task_wait(struct task_struct *p)
2863 {
2864 u32 perm;
2865
2866 perm = signal_to_av(p->exit_signal);
2867
2868 return task_has_perm(p, current, perm);
2869 }
2870
2871 static void selinux_task_reparent_to_init(struct task_struct *p)
2872 {
2873 struct task_security_struct *tsec;
2874
2875 secondary_ops->task_reparent_to_init(p);
2876
2877 tsec = p->security;
2878 tsec->osid = tsec->sid;
2879 tsec->sid = SECINITSID_KERNEL;
2880 return;
2881 }
2882
2883 static void selinux_task_to_inode(struct task_struct *p,
2884 struct inode *inode)
2885 {
2886 struct task_security_struct *tsec = p->security;
2887 struct inode_security_struct *isec = inode->i_security;
2888
2889 isec->sid = tsec->sid;
2890 isec->initialized = 1;
2891 return;
2892 }
2893
2894 /* Returns error only if unable to parse addresses */
2895 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
2896 struct avc_audit_data *ad, u8 *proto)
2897 {
2898 int offset, ihlen, ret = -EINVAL;
2899 struct iphdr _iph, *ih;
2900
2901 offset = skb->nh.raw - skb->data;
2902 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2903 if (ih == NULL)
2904 goto out;
2905
2906 ihlen = ih->ihl * 4;
2907 if (ihlen < sizeof(_iph))
2908 goto out;
2909
2910 ad->u.net.v4info.saddr = ih->saddr;
2911 ad->u.net.v4info.daddr = ih->daddr;
2912 ret = 0;
2913
2914 if (proto)
2915 *proto = ih->protocol;
2916
2917 switch (ih->protocol) {
2918 case IPPROTO_TCP: {
2919 struct tcphdr _tcph, *th;
2920
2921 if (ntohs(ih->frag_off) & IP_OFFSET)
2922 break;
2923
2924 offset += ihlen;
2925 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2926 if (th == NULL)
2927 break;
2928
2929 ad->u.net.sport = th->source;
2930 ad->u.net.dport = th->dest;
2931 break;
2932 }
2933
2934 case IPPROTO_UDP: {
2935 struct udphdr _udph, *uh;
2936
2937 if (ntohs(ih->frag_off) & IP_OFFSET)
2938 break;
2939
2940 offset += ihlen;
2941 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2942 if (uh == NULL)
2943 break;
2944
2945 ad->u.net.sport = uh->source;
2946 ad->u.net.dport = uh->dest;
2947 break;
2948 }
2949
2950 case IPPROTO_DCCP: {
2951 struct dccp_hdr _dccph, *dh;
2952
2953 if (ntohs(ih->frag_off) & IP_OFFSET)
2954 break;
2955
2956 offset += ihlen;
2957 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
2958 if (dh == NULL)
2959 break;
2960
2961 ad->u.net.sport = dh->dccph_sport;
2962 ad->u.net.dport = dh->dccph_dport;
2963 break;
2964 }
2965
2966 default:
2967 break;
2968 }
2969 out:
2970 return ret;
2971 }
2972
2973 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2974
2975 /* Returns error only if unable to parse addresses */
2976 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
2977 struct avc_audit_data *ad, u8 *proto)
2978 {
2979 u8 nexthdr;
2980 int ret = -EINVAL, offset;
2981 struct ipv6hdr _ipv6h, *ip6;
2982
2983 offset = skb->nh.raw - skb->data;
2984 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2985 if (ip6 == NULL)
2986 goto out;
2987
2988 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2989 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2990 ret = 0;
2991
2992 nexthdr = ip6->nexthdr;
2993 offset += sizeof(_ipv6h);
2994 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2995 if (offset < 0)
2996 goto out;
2997
2998 if (proto)
2999 *proto = nexthdr;
3000
3001 switch (nexthdr) {
3002 case IPPROTO_TCP: {
3003 struct tcphdr _tcph, *th;
3004
3005 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3006 if (th == NULL)
3007 break;
3008
3009 ad->u.net.sport = th->source;
3010 ad->u.net.dport = th->dest;
3011 break;
3012 }
3013
3014 case IPPROTO_UDP: {
3015 struct udphdr _udph, *uh;
3016
3017 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3018 if (uh == NULL)
3019 break;
3020
3021 ad->u.net.sport = uh->source;
3022 ad->u.net.dport = uh->dest;
3023 break;
3024 }
3025
3026 case IPPROTO_DCCP: {
3027 struct dccp_hdr _dccph, *dh;
3028
3029 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3030 if (dh == NULL)
3031 break;
3032
3033 ad->u.net.sport = dh->dccph_sport;
3034 ad->u.net.dport = dh->dccph_dport;
3035 break;
3036 }
3037
3038 /* includes fragments */
3039 default:
3040 break;
3041 }
3042 out:
3043 return ret;
3044 }
3045
3046 #endif /* IPV6 */
3047
3048 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3049 char **addrp, int *len, int src, u8 *proto)
3050 {
3051 int ret = 0;
3052
3053 switch (ad->u.net.family) {
3054 case PF_INET:
3055 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3056 if (ret || !addrp)
3057 break;
3058 *len = 4;
3059 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3060 &ad->u.net.v4info.daddr);
3061 break;
3062
3063 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3064 case PF_INET6:
3065 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3066 if (ret || !addrp)
3067 break;
3068 *len = 16;
3069 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3070 &ad->u.net.v6info.daddr);
3071 break;
3072 #endif /* IPV6 */
3073 default:
3074 break;
3075 }
3076
3077 return ret;
3078 }
3079
3080 /* socket security operations */
3081 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3082 u32 perms)
3083 {
3084 struct inode_security_struct *isec;
3085 struct task_security_struct *tsec;
3086 struct avc_audit_data ad;
3087 int err = 0;
3088
3089 tsec = task->security;
3090 isec = SOCK_INODE(sock)->i_security;
3091
3092 if (isec->sid == SECINITSID_KERNEL)
3093 goto out;
3094
3095 AVC_AUDIT_DATA_INIT(&ad,NET);
3096 ad.u.net.sk = sock->sk;
3097 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3098
3099 out:
3100 return err;
3101 }
3102
3103 static int selinux_socket_create(int family, int type,
3104 int protocol, int kern)
3105 {
3106 int err = 0;
3107 struct task_security_struct *tsec;
3108 u32 newsid;
3109
3110 if (kern)
3111 goto out;
3112
3113 tsec = current->security;
3114 newsid = tsec->sockcreate_sid ? : tsec->sid;
3115 err = avc_has_perm(tsec->sid, newsid,
3116 socket_type_to_security_class(family, type,
3117 protocol), SOCKET__CREATE, NULL);
3118
3119 out:
3120 return err;
3121 }
3122
3123 static int selinux_socket_post_create(struct socket *sock, int family,
3124 int type, int protocol, int kern)
3125 {
3126 int err = 0;
3127 struct inode_security_struct *isec;
3128 struct task_security_struct *tsec;
3129 struct sk_security_struct *sksec;
3130 u32 newsid;
3131
3132 isec = SOCK_INODE(sock)->i_security;
3133
3134 tsec = current->security;
3135 newsid = tsec->sockcreate_sid ? : tsec->sid;
3136 isec->sclass = socket_type_to_security_class(family, type, protocol);
3137 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3138 isec->initialized = 1;
3139
3140 if (sock->sk) {
3141 sksec = sock->sk->sk_security;
3142 sksec->sid = isec->sid;
3143 err = selinux_netlbl_socket_post_create(sock);
3144 }
3145
3146 return err;
3147 }
3148
3149 /* Range of port numbers used to automatically bind.
3150 Need to determine whether we should perform a name_bind
3151 permission check between the socket and the port number. */
3152 #define ip_local_port_range_0 sysctl_local_port_range[0]
3153 #define ip_local_port_range_1 sysctl_local_port_range[1]
3154
3155 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3156 {
3157 u16 family;
3158 int err;
3159
3160 err = socket_has_perm(current, sock, SOCKET__BIND);
3161 if (err)
3162 goto out;
3163
3164 /*
3165 * If PF_INET or PF_INET6, check name_bind permission for the port.
3166 * Multiple address binding for SCTP is not supported yet: we just
3167 * check the first address now.
3168 */
3169 family = sock->sk->sk_family;
3170 if (family == PF_INET || family == PF_INET6) {
3171 char *addrp;
3172 struct inode_security_struct *isec;
3173 struct task_security_struct *tsec;
3174 struct avc_audit_data ad;
3175 struct sockaddr_in *addr4 = NULL;
3176 struct sockaddr_in6 *addr6 = NULL;
3177 unsigned short snum;
3178 struct sock *sk = sock->sk;
3179 u32 sid, node_perm, addrlen;
3180
3181 tsec = current->security;
3182 isec = SOCK_INODE(sock)->i_security;
3183
3184 if (family == PF_INET) {
3185 addr4 = (struct sockaddr_in *)address;
3186 snum = ntohs(addr4->sin_port);
3187 addrlen = sizeof(addr4->sin_addr.s_addr);
3188 addrp = (char *)&addr4->sin_addr.s_addr;
3189 } else {
3190 addr6 = (struct sockaddr_in6 *)address;
3191 snum = ntohs(addr6->sin6_port);
3192 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3193 addrp = (char *)&addr6->sin6_addr.s6_addr;
3194 }
3195
3196 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3197 snum > ip_local_port_range_1)) {
3198 err = security_port_sid(sk->sk_family, sk->sk_type,
3199 sk->sk_protocol, snum, &sid);
3200 if (err)
3201 goto out;
3202 AVC_AUDIT_DATA_INIT(&ad,NET);
3203 ad.u.net.sport = htons(snum);
3204 ad.u.net.family = family;
3205 err = avc_has_perm(isec->sid, sid,
3206 isec->sclass,
3207 SOCKET__NAME_BIND, &ad);
3208 if (err)
3209 goto out;
3210 }
3211
3212 switch(isec->sclass) {
3213 case SECCLASS_TCP_SOCKET:
3214 node_perm = TCP_SOCKET__NODE_BIND;
3215 break;
3216
3217 case SECCLASS_UDP_SOCKET:
3218 node_perm = UDP_SOCKET__NODE_BIND;
3219 break;
3220
3221 case SECCLASS_DCCP_SOCKET:
3222 node_perm = DCCP_SOCKET__NODE_BIND;
3223 break;
3224
3225 default:
3226 node_perm = RAWIP_SOCKET__NODE_BIND;
3227 break;
3228 }
3229
3230 err = security_node_sid(family, addrp, addrlen, &sid);
3231 if (err)
3232 goto out;
3233
3234 AVC_AUDIT_DATA_INIT(&ad,NET);
3235 ad.u.net.sport = htons(snum);
3236 ad.u.net.family = family;
3237
3238 if (family == PF_INET)
3239 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3240 else
3241 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3242
3243 err = avc_has_perm(isec->sid, sid,
3244 isec->sclass, node_perm, &ad);
3245 if (err)
3246 goto out;
3247 }
3248 out:
3249 return err;
3250 }
3251
3252 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3253 {
3254 struct inode_security_struct *isec;
3255 int err;
3256
3257 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3258 if (err)
3259 return err;
3260
3261 /*
3262 * If a TCP or DCCP socket, check name_connect permission for the port.
3263 */
3264 isec = SOCK_INODE(sock)->i_security;
3265 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3266 isec->sclass == SECCLASS_DCCP_SOCKET) {
3267 struct sock *sk = sock->sk;
3268 struct avc_audit_data ad;
3269 struct sockaddr_in *addr4 = NULL;
3270 struct sockaddr_in6 *addr6 = NULL;
3271 unsigned short snum;
3272 u32 sid, perm;
3273
3274 if (sk->sk_family == PF_INET) {
3275 addr4 = (struct sockaddr_in *)address;
3276 if (addrlen < sizeof(struct sockaddr_in))
3277 return -EINVAL;
3278 snum = ntohs(addr4->sin_port);
3279 } else {
3280 addr6 = (struct sockaddr_in6 *)address;
3281 if (addrlen < SIN6_LEN_RFC2133)
3282 return -EINVAL;
3283 snum = ntohs(addr6->sin6_port);
3284 }
3285
3286 err = security_port_sid(sk->sk_family, sk->sk_type,
3287 sk->sk_protocol, snum, &sid);
3288 if (err)
3289 goto out;
3290
3291 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3292 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3293
3294 AVC_AUDIT_DATA_INIT(&ad,NET);
3295 ad.u.net.dport = htons(snum);
3296 ad.u.net.family = sk->sk_family;
3297 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3298 if (err)
3299 goto out;
3300 }
3301
3302 out:
3303 return err;
3304 }
3305
3306 static int selinux_socket_listen(struct socket *sock, int backlog)
3307 {
3308 return socket_has_perm(current, sock, SOCKET__LISTEN);
3309 }
3310
3311 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3312 {
3313 int err;
3314 struct inode_security_struct *isec;
3315 struct inode_security_struct *newisec;
3316
3317 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3318 if (err)
3319 return err;
3320
3321 newisec = SOCK_INODE(newsock)->i_security;
3322
3323 isec = SOCK_INODE(sock)->i_security;
3324 newisec->sclass = isec->sclass;
3325 newisec->sid = isec->sid;
3326 newisec->initialized = 1;
3327
3328 return 0;
3329 }
3330
3331 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3332 int size)
3333 {
3334 int rc;
3335
3336 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3337 if (rc)
3338 return rc;
3339
3340 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3341 }
3342
3343 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3344 int size, int flags)
3345 {
3346 return socket_has_perm(current, sock, SOCKET__READ);
3347 }
3348
3349 static int selinux_socket_getsockname(struct socket *sock)
3350 {
3351 return socket_has_perm(current, sock, SOCKET__GETATTR);
3352 }
3353
3354 static int selinux_socket_getpeername(struct socket *sock)
3355 {
3356 return socket_has_perm(current, sock, SOCKET__GETATTR);
3357 }
3358
3359 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3360 {
3361 int err;
3362
3363 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3364 if (err)
3365 return err;
3366
3367 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3368 }
3369
3370 static int selinux_socket_getsockopt(struct socket *sock, int level,
3371 int optname)
3372 {
3373 return socket_has_perm(current, sock, SOCKET__GETOPT);
3374 }
3375
3376 static int selinux_socket_shutdown(struct socket *sock, int how)
3377 {
3378 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3379 }
3380
3381 static int selinux_socket_unix_stream_connect(struct socket *sock,
3382 struct socket *other,
3383 struct sock *newsk)
3384 {
3385 struct sk_security_struct *ssec;
3386 struct inode_security_struct *isec;
3387 struct inode_security_struct *other_isec;
3388 struct avc_audit_data ad;
3389 int err;
3390
3391 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3392 if (err)
3393 return err;
3394
3395 isec = SOCK_INODE(sock)->i_security;
3396 other_isec = SOCK_INODE(other)->i_security;
3397
3398 AVC_AUDIT_DATA_INIT(&ad,NET);
3399 ad.u.net.sk = other->sk;
3400
3401 err = avc_has_perm(isec->sid, other_isec->sid,
3402 isec->sclass,
3403 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3404 if (err)
3405 return err;
3406
3407 /* connecting socket */
3408 ssec = sock->sk->sk_security;
3409 ssec->peer_sid = other_isec->sid;
3410
3411 /* server child socket */
3412 ssec = newsk->sk_security;
3413 ssec->peer_sid = isec->sid;
3414 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3415
3416 return err;
3417 }
3418
3419 static int selinux_socket_unix_may_send(struct socket *sock,
3420 struct socket *other)
3421 {
3422 struct inode_security_struct *isec;
3423 struct inode_security_struct *other_isec;
3424 struct avc_audit_data ad;
3425 int err;
3426
3427 isec = SOCK_INODE(sock)->i_security;
3428 other_isec = SOCK_INODE(other)->i_security;
3429
3430 AVC_AUDIT_DATA_INIT(&ad,NET);
3431 ad.u.net.sk = other->sk;
3432
3433 err = avc_has_perm(isec->sid, other_isec->sid,
3434 isec->sclass, SOCKET__SENDTO, &ad);
3435 if (err)
3436 return err;
3437
3438 return 0;
3439 }
3440
3441 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3442 struct avc_audit_data *ad, u16 family, char *addrp, int len)
3443 {
3444 int err = 0;
3445 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3446 struct socket *sock;
3447 u16 sock_class = 0;
3448 u32 sock_sid = 0;
3449
3450 read_lock_bh(&sk->sk_callback_lock);
3451 sock = sk->sk_socket;
3452 if (sock) {
3453 struct inode *inode;
3454 inode = SOCK_INODE(sock);
3455 if (inode) {
3456 struct inode_security_struct *isec;
3457 isec = inode->i_security;
3458 sock_sid = isec->sid;
3459 sock_class = isec->sclass;
3460 }
3461 }
3462 read_unlock_bh(&sk->sk_callback_lock);
3463 if (!sock_sid)
3464 goto out;
3465
3466 if (!skb->dev)
3467 goto out;
3468
3469 err = sel_netif_sids(skb->dev, &if_sid, NULL);
3470 if (err)
3471 goto out;
3472
3473 switch (sock_class) {
3474 case SECCLASS_UDP_SOCKET:
3475 netif_perm = NETIF__UDP_RECV;
3476 node_perm = NODE__UDP_RECV;
3477 recv_perm = UDP_SOCKET__RECV_MSG;
3478 break;
3479
3480 case SECCLASS_TCP_SOCKET:
3481 netif_perm = NETIF__TCP_RECV;
3482 node_perm = NODE__TCP_RECV;
3483 recv_perm = TCP_SOCKET__RECV_MSG;
3484 break;
3485
3486 case SECCLASS_DCCP_SOCKET:
3487 netif_perm = NETIF__DCCP_RECV;
3488 node_perm = NODE__DCCP_RECV;
3489 recv_perm = DCCP_SOCKET__RECV_MSG;
3490 break;
3491
3492 default:
3493 netif_perm = NETIF__RAWIP_RECV;
3494 node_perm = NODE__RAWIP_RECV;
3495 break;
3496 }
3497
3498 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3499 if (err)
3500 goto out;
3501
3502 err = security_node_sid(family, addrp, len, &node_sid);
3503 if (err)
3504 goto out;
3505
3506 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3507 if (err)
3508 goto out;
3509
3510 if (recv_perm) {
3511 u32 port_sid;
3512
3513 err = security_port_sid(sk->sk_family, sk->sk_type,
3514 sk->sk_protocol, ntohs(ad->u.net.sport),
3515 &port_sid);
3516 if (err)
3517 goto out;
3518
3519 err = avc_has_perm(sock_sid, port_sid,
3520 sock_class, recv_perm, ad);
3521 }
3522
3523 out:
3524 return err;
3525 }
3526
3527 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3528 {
3529 u16 family;
3530 char *addrp;
3531 int len, err = 0;
3532 struct avc_audit_data ad;
3533 struct sk_security_struct *sksec = sk->sk_security;
3534
3535 family = sk->sk_family;
3536 if (family != PF_INET && family != PF_INET6)
3537 goto out;
3538
3539 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3540 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3541 family = PF_INET;
3542
3543 AVC_AUDIT_DATA_INIT(&ad, NET);
3544 ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3545 ad.u.net.family = family;
3546
3547 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
3548 if (err)
3549 goto out;
3550
3551 if (selinux_compat_net)
3552 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
3553 addrp, len);
3554 else
3555 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3556 PACKET__RECV, &ad);
3557 if (err)
3558 goto out;
3559
3560 err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
3561 if (err)
3562 goto out;
3563
3564 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
3565 out:
3566 return err;
3567 }
3568
3569 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3570 int __user *optlen, unsigned len)
3571 {
3572 int err = 0;
3573 char *scontext;
3574 u32 scontext_len;
3575 struct sk_security_struct *ssec;
3576 struct inode_security_struct *isec;
3577 u32 peer_sid = SECSID_NULL;
3578
3579 isec = SOCK_INODE(sock)->i_security;
3580
3581 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
3582 isec->sclass == SECCLASS_TCP_SOCKET) {
3583 ssec = sock->sk->sk_security;
3584 peer_sid = ssec->peer_sid;
3585 }
3586 if (peer_sid == SECSID_NULL) {
3587 err = -ENOPROTOOPT;
3588 goto out;
3589 }
3590
3591 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3592
3593 if (err)
3594 goto out;
3595
3596 if (scontext_len > len) {
3597 err = -ERANGE;
3598 goto out_len;
3599 }
3600
3601 if (copy_to_user(optval, scontext, scontext_len))
3602 err = -EFAULT;
3603
3604 out_len:
3605 if (put_user(scontext_len, optlen))
3606 err = -EFAULT;
3607
3608 kfree(scontext);
3609 out:
3610 return err;
3611 }
3612
3613 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3614 {
3615 u32 peer_secid = SECSID_NULL;
3616 int err = 0;
3617
3618 if (sock && sock->sk->sk_family == PF_UNIX)
3619 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3620 else if (skb)
3621 security_skb_extlbl_sid(skb,
3622 SECINITSID_UNLABELED,
3623 &peer_secid);
3624
3625 if (peer_secid == SECSID_NULL)
3626 err = -EINVAL;
3627 *secid = peer_secid;
3628
3629 return err;
3630 }
3631
3632 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3633 {
3634 return sk_alloc_security(sk, family, priority);
3635 }
3636
3637 static void selinux_sk_free_security(struct sock *sk)
3638 {
3639 sk_free_security(sk);
3640 }
3641
3642 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3643 {
3644 struct sk_security_struct *ssec = sk->sk_security;
3645 struct sk_security_struct *newssec = newsk->sk_security;
3646
3647 newssec->sid = ssec->sid;
3648 newssec->peer_sid = ssec->peer_sid;
3649
3650 selinux_netlbl_sk_security_clone(ssec, newssec);
3651 }
3652
3653 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
3654 {
3655 if (!sk)
3656 *secid = SECINITSID_ANY_SOCKET;
3657 else {
3658 struct sk_security_struct *sksec = sk->sk_security;
3659
3660 *secid = sksec->sid;
3661 }
3662 }
3663
3664 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
3665 {
3666 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
3667 struct sk_security_struct *sksec = sk->sk_security;
3668
3669 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
3670 sk->sk_family == PF_UNIX)
3671 isec->sid = sksec->sid;
3672
3673 selinux_netlbl_sock_graft(sk, parent);
3674 }
3675
3676 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3677 struct request_sock *req)
3678 {
3679 struct sk_security_struct *sksec = sk->sk_security;
3680 int err;
3681 u32 newsid;
3682 u32 peersid;
3683
3684 security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
3685 if (peersid == SECSID_NULL) {
3686 req->secid = sksec->sid;
3687 req->peer_secid = SECSID_NULL;
3688 return 0;
3689 }
3690
3691 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
3692 if (err)
3693 return err;
3694
3695 req->secid = newsid;
3696 req->peer_secid = peersid;
3697 return 0;
3698 }
3699
3700 static void selinux_inet_csk_clone(struct sock *newsk,
3701 const struct request_sock *req)
3702 {
3703 struct sk_security_struct *newsksec = newsk->sk_security;
3704
3705 newsksec->sid = req->secid;
3706 newsksec->peer_sid = req->peer_secid;
3707 /* NOTE: Ideally, we should also get the isec->sid for the
3708 new socket in sync, but we don't have the isec available yet.
3709 So we will wait until sock_graft to do it, by which
3710 time it will have been created and available. */
3711
3712 /* We don't need to take any sort of lock here as we are the only
3713 * thread with access to newsksec */
3714 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
3715 }
3716
3717 static void selinux_inet_conn_established(struct sock *sk,
3718 struct sk_buff *skb)
3719 {
3720 struct sk_security_struct *sksec = sk->sk_security;
3721
3722 security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
3723 }
3724
3725 static void selinux_req_classify_flow(const struct request_sock *req,
3726 struct flowi *fl)
3727 {
3728 fl->secid = req->secid;
3729 }
3730
3731 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3732 {
3733 int err = 0;
3734 u32 perm;
3735 struct nlmsghdr *nlh;
3736 struct socket *sock = sk->sk_socket;
3737 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3738
3739 if (skb->len < NLMSG_SPACE(0)) {
3740 err = -EINVAL;
3741 goto out;
3742 }
3743 nlh = (struct nlmsghdr *)skb->data;
3744
3745 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3746 if (err) {
3747 if (err == -EINVAL) {
3748 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3749 "SELinux: unrecognized netlink message"
3750 " type=%hu for sclass=%hu\n",
3751 nlh->nlmsg_type, isec->sclass);
3752 if (!selinux_enforcing)
3753 err = 0;
3754 }
3755
3756 /* Ignore */
3757 if (err == -ENOENT)
3758 err = 0;
3759 goto out;
3760 }
3761
3762 err = socket_has_perm(current, sock, perm);
3763 out:
3764 return err;
3765 }
3766
3767 #ifdef CONFIG_NETFILTER
3768
3769 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3770 struct avc_audit_data *ad,
3771 u16 family, char *addrp, int len)
3772 {
3773 int err = 0;
3774 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3775 struct socket *sock;
3776 struct inode *inode;
3777 struct inode_security_struct *isec;
3778
3779 sock = sk->sk_socket;
3780 if (!sock)
3781 goto out;
3782
3783 inode = SOCK_INODE(sock);
3784 if (!inode)
3785 goto out;
3786
3787 isec = inode->i_security;
3788
3789 err = sel_netif_sids(dev, &if_sid, NULL);
3790 if (err)
3791 goto out;
3792
3793 switch (isec->sclass) {
3794 case SECCLASS_UDP_SOCKET:
3795 netif_perm = NETIF__UDP_SEND;
3796 node_perm = NODE__UDP_SEND;
3797 send_perm = UDP_SOCKET__SEND_MSG;
3798 break;
3799
3800 case SECCLASS_TCP_SOCKET:
3801 netif_perm = NETIF__TCP_SEND;
3802 node_perm = NODE__TCP_SEND;
3803 send_perm = TCP_SOCKET__SEND_MSG;
3804 break;
3805
3806 case SECCLASS_DCCP_SOCKET:
3807 netif_perm = NETIF__DCCP_SEND;
3808 node_perm = NODE__DCCP_SEND;
3809 send_perm = DCCP_SOCKET__SEND_MSG;
3810 break;
3811
3812 default:
3813 netif_perm = NETIF__RAWIP_SEND;
3814 node_perm = NODE__RAWIP_SEND;
3815 break;
3816 }
3817
3818 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3819 if (err)
3820 goto out;
3821
3822 err = security_node_sid(family, addrp, len, &node_sid);
3823 if (err)
3824 goto out;
3825
3826 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3827 if (err)
3828 goto out;
3829
3830 if (send_perm) {
3831 u32 port_sid;
3832
3833 err = security_port_sid(sk->sk_family,
3834 sk->sk_type,
3835 sk->sk_protocol,
3836 ntohs(ad->u.net.dport),
3837 &port_sid);
3838 if (err)
3839 goto out;
3840
3841 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3842 send_perm, ad);
3843 }
3844 out:
3845 return err;
3846 }
3847
3848 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3849 struct sk_buff **pskb,
3850 const struct net_device *in,
3851 const struct net_device *out,
3852 int (*okfn)(struct sk_buff *),
3853 u16 family)
3854 {
3855 char *addrp;
3856 int len, err = 0;
3857 struct sock *sk;
3858 struct sk_buff *skb = *pskb;
3859 struct avc_audit_data ad;
3860 struct net_device *dev = (struct net_device *)out;
3861 struct sk_security_struct *sksec;
3862 u8 proto;
3863
3864 sk = skb->sk;
3865 if (!sk)
3866 goto out;
3867
3868 sksec = sk->sk_security;
3869
3870 AVC_AUDIT_DATA_INIT(&ad, NET);
3871 ad.u.net.netif = dev->name;
3872 ad.u.net.family = family;
3873
3874 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
3875 if (err)
3876 goto out;
3877
3878 if (selinux_compat_net)
3879 err = selinux_ip_postroute_last_compat(sk, dev, &ad,
3880 family, addrp, len);
3881 else
3882 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3883 PACKET__SEND, &ad);
3884
3885 if (err)
3886 goto out;
3887
3888 err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
3889 out:
3890 return err ? NF_DROP : NF_ACCEPT;
3891 }
3892
3893 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3894 struct sk_buff **pskb,
3895 const struct net_device *in,
3896 const struct net_device *out,
3897 int (*okfn)(struct sk_buff *))
3898 {
3899 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3900 }
3901
3902 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3903
3904 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3905 struct sk_buff **pskb,
3906 const struct net_device *in,
3907 const struct net_device *out,
3908 int (*okfn)(struct sk_buff *))
3909 {
3910 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3911 }
3912
3913 #endif /* IPV6 */
3914
3915 #endif /* CONFIG_NETFILTER */
3916
3917 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3918 {
3919 int err;
3920
3921 err = secondary_ops->netlink_send(sk, skb);
3922 if (err)
3923 return err;
3924
3925 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3926 err = selinux_nlmsg_perm(sk, skb);
3927
3928 return err;
3929 }
3930
3931 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3932 {
3933 int err;
3934 struct avc_audit_data ad;
3935
3936 err = secondary_ops->netlink_recv(skb, capability);
3937 if (err)
3938 return err;
3939
3940 AVC_AUDIT_DATA_INIT(&ad, CAP);
3941 ad.u.cap = capability;
3942
3943 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3944 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3945 }
3946
3947 static int ipc_alloc_security(struct task_struct *task,
3948 struct kern_ipc_perm *perm,
3949 u16 sclass)
3950 {
3951 struct task_security_struct *tsec = task->security;
3952 struct ipc_security_struct *isec;
3953
3954 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3955 if (!isec)
3956 return -ENOMEM;
3957
3958 isec->sclass = sclass;
3959 isec->ipc_perm = perm;
3960 isec->sid = tsec->sid;
3961 perm->security = isec;
3962
3963 return 0;
3964 }
3965
3966 static void ipc_free_security(struct kern_ipc_perm *perm)
3967 {
3968 struct ipc_security_struct *isec = perm->security;
3969 perm->security = NULL;
3970 kfree(isec);
3971 }
3972
3973 static int msg_msg_alloc_security(struct msg_msg *msg)
3974 {
3975 struct msg_security_struct *msec;
3976
3977 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3978 if (!msec)
3979 return -ENOMEM;
3980
3981 msec->msg = msg;
3982 msec->sid = SECINITSID_UNLABELED;
3983 msg->security = msec;
3984
3985 return 0;
3986 }
3987
3988 static void msg_msg_free_security(struct msg_msg *msg)
3989 {
3990 struct msg_security_struct *msec = msg->security;
3991
3992 msg->security = NULL;
3993 kfree(msec);
3994 }
3995
3996 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3997 u32 perms)
3998 {
3999 struct task_security_struct *tsec;
4000 struct ipc_security_struct *isec;
4001 struct avc_audit_data ad;
4002
4003 tsec = current->security;
4004 isec = ipc_perms->security;
4005
4006 AVC_AUDIT_DATA_INIT(&ad, IPC);
4007 ad.u.ipc_id = ipc_perms->key;
4008
4009 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4010 }
4011
4012 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4013 {
4014 return msg_msg_alloc_security(msg);
4015 }
4016
4017 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4018 {
4019 msg_msg_free_security(msg);
4020 }
4021
4022 /* message queue security operations */
4023 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4024 {
4025 struct task_security_struct *tsec;
4026 struct ipc_security_struct *isec;
4027 struct avc_audit_data ad;
4028 int rc;
4029
4030 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4031 if (rc)
4032 return rc;
4033
4034 tsec = current->security;
4035 isec = msq->q_perm.security;
4036
4037 AVC_AUDIT_DATA_INIT(&ad, IPC);
4038 ad.u.ipc_id = msq->q_perm.key;
4039
4040 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4041 MSGQ__CREATE, &ad);
4042 if (rc) {
4043 ipc_free_security(&msq->q_perm);
4044 return rc;
4045 }
4046 return 0;
4047 }
4048
4049 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4050 {
4051 ipc_free_security(&msq->q_perm);
4052 }
4053
4054 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4055 {
4056 struct task_security_struct *tsec;
4057 struct ipc_security_struct *isec;
4058 struct avc_audit_data ad;
4059
4060 tsec = current->security;
4061 isec = msq->q_perm.security;
4062
4063 AVC_AUDIT_DATA_INIT(&ad, IPC);
4064 ad.u.ipc_id = msq->q_perm.key;
4065
4066 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4067 MSGQ__ASSOCIATE, &ad);
4068 }
4069
4070 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4071 {
4072 int err;
4073 int perms;
4074
4075 switch(cmd) {
4076 case IPC_INFO:
4077 case MSG_INFO:
4078 /* No specific object, just general system-wide information. */
4079 return task_has_system(current, SYSTEM__IPC_INFO);
4080 case IPC_STAT:
4081 case MSG_STAT:
4082 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4083 break;
4084 case IPC_SET:
4085 perms = MSGQ__SETATTR;
4086 break;
4087 case IPC_RMID:
4088 perms = MSGQ__DESTROY;
4089 break;
4090 default:
4091 return 0;
4092 }
4093
4094 err = ipc_has_perm(&msq->q_perm, perms);
4095 return err;
4096 }
4097
4098 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4099 {
4100 struct task_security_struct *tsec;
4101 struct ipc_security_struct *isec;
4102 struct msg_security_struct *msec;
4103 struct avc_audit_data ad;
4104 int rc;
4105
4106 tsec = current->security;
4107 isec = msq->q_perm.security;
4108 msec = msg->security;
4109
4110 /*
4111 * First time through, need to assign label to the message
4112 */
4113 if (msec->sid == SECINITSID_UNLABELED) {
4114 /*
4115 * Compute new sid based on current process and
4116 * message queue this message will be stored in
4117 */
4118 rc = security_transition_sid(tsec->sid,
4119 isec->sid,
4120 SECCLASS_MSG,
4121 &msec->sid);
4122 if (rc)
4123 return rc;
4124 }
4125
4126 AVC_AUDIT_DATA_INIT(&ad, IPC);
4127 ad.u.ipc_id = msq->q_perm.key;
4128
4129 /* Can this process write to the queue? */
4130 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4131 MSGQ__WRITE, &ad);
4132 if (!rc)
4133 /* Can this process send the message */
4134 rc = avc_has_perm(tsec->sid, msec->sid,
4135 SECCLASS_MSG, MSG__SEND, &ad);
4136 if (!rc)
4137 /* Can the message be put in the queue? */
4138 rc = avc_has_perm(msec->sid, isec->sid,
4139 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4140
4141 return rc;
4142 }
4143
4144 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4145 struct task_struct *target,
4146 long type, int mode)
4147 {
4148 struct task_security_struct *tsec;
4149 struct ipc_security_struct *isec;
4150 struct msg_security_struct *msec;
4151 struct avc_audit_data ad;
4152 int rc;
4153
4154 tsec = target->security;
4155 isec = msq->q_perm.security;
4156 msec = msg->security;
4157
4158 AVC_AUDIT_DATA_INIT(&ad, IPC);
4159 ad.u.ipc_id = msq->q_perm.key;
4160
4161 rc = avc_has_perm(tsec->sid, isec->sid,
4162 SECCLASS_MSGQ, MSGQ__READ, &ad);
4163 if (!rc)
4164 rc = avc_has_perm(tsec->sid, msec->sid,
4165 SECCLASS_MSG, MSG__RECEIVE, &ad);
4166 return rc;
4167 }
4168
4169 /* Shared Memory security operations */
4170 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4171 {
4172 struct task_security_struct *tsec;
4173 struct ipc_security_struct *isec;
4174 struct avc_audit_data ad;
4175 int rc;
4176
4177 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4178 if (rc)
4179 return rc;
4180
4181 tsec = current->security;
4182 isec = shp->shm_perm.security;
4183
4184 AVC_AUDIT_DATA_INIT(&ad, IPC);
4185 ad.u.ipc_id = shp->shm_perm.key;
4186
4187 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4188 SHM__CREATE, &ad);
4189 if (rc) {
4190 ipc_free_security(&shp->shm_perm);
4191 return rc;
4192 }
4193 return 0;
4194 }
4195
4196 static void selinux_shm_free_security(struct shmid_kernel *shp)
4197 {
4198 ipc_free_security(&shp->shm_perm);
4199 }
4200
4201 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4202 {
4203 struct task_security_struct *tsec;
4204 struct ipc_security_struct *isec;
4205 struct avc_audit_data ad;
4206
4207 tsec = current->security;
4208 isec = shp->shm_perm.security;
4209
4210 AVC_AUDIT_DATA_INIT(&ad, IPC);
4211 ad.u.ipc_id = shp->shm_perm.key;
4212
4213 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4214 SHM__ASSOCIATE, &ad);
4215 }
4216
4217 /* Note, at this point, shp is locked down */
4218 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4219 {
4220 int perms;
4221 int err;
4222
4223 switch(cmd) {
4224 case IPC_INFO:
4225 case SHM_INFO:
4226 /* No specific object, just general system-wide information. */
4227 return task_has_system(current, SYSTEM__IPC_INFO);
4228 case IPC_STAT:
4229 case SHM_STAT:
4230 perms = SHM__GETATTR | SHM__ASSOCIATE;
4231 break;
4232 case IPC_SET:
4233 perms = SHM__SETATTR;
4234 break;
4235 case SHM_LOCK:
4236 case SHM_UNLOCK:
4237 perms = SHM__LOCK;
4238 break;
4239 case IPC_RMID:
4240 perms = SHM__DESTROY;
4241 break;
4242 default:
4243 return 0;
4244 }
4245
4246 err = ipc_has_perm(&shp->shm_perm, perms);
4247 return err;
4248 }
4249
4250 static int selinux_shm_shmat(struct shmid_kernel *shp,
4251 char __user *shmaddr, int shmflg)
4252 {
4253 u32 perms;
4254 int rc;
4255
4256 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4257 if (rc)
4258 return rc;
4259
4260 if (shmflg & SHM_RDONLY)
4261 perms = SHM__READ;
4262 else
4263 perms = SHM__READ | SHM__WRITE;
4264
4265 return ipc_has_perm(&shp->shm_perm, perms);
4266 }
4267
4268 /* Semaphore security operations */
4269 static int selinux_sem_alloc_security(struct sem_array *sma)
4270 {
4271 struct task_security_struct *tsec;
4272 struct ipc_security_struct *isec;
4273 struct avc_audit_data ad;
4274 int rc;
4275
4276 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4277 if (rc)
4278 return rc;
4279
4280 tsec = current->security;
4281 isec = sma->sem_perm.security;
4282
4283 AVC_AUDIT_DATA_INIT(&ad, IPC);
4284 ad.u.ipc_id = sma->sem_perm.key;
4285
4286 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4287 SEM__CREATE, &ad);
4288 if (rc) {
4289 ipc_free_security(&sma->sem_perm);
4290 return rc;
4291 }
4292 return 0;
4293 }
4294
4295 static void selinux_sem_free_security(struct sem_array *sma)
4296 {
4297 ipc_free_security(&sma->sem_perm);
4298 }
4299
4300 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4301 {
4302 struct task_security_struct *tsec;
4303 struct ipc_security_struct *isec;
4304 struct avc_audit_data ad;
4305
4306 tsec = current->security;
4307 isec = sma->sem_perm.security;
4308
4309 AVC_AUDIT_DATA_INIT(&ad, IPC);
4310 ad.u.ipc_id = sma->sem_perm.key;
4311
4312 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4313 SEM__ASSOCIATE, &ad);
4314 }
4315
4316 /* Note, at this point, sma is locked down */
4317 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4318 {
4319 int err;
4320 u32 perms;
4321
4322 switch(cmd) {
4323 case IPC_INFO:
4324 case SEM_INFO:
4325 /* No specific object, just general system-wide information. */
4326 return task_has_system(current, SYSTEM__IPC_INFO);
4327 case GETPID:
4328 case GETNCNT:
4329 case GETZCNT:
4330 perms = SEM__GETATTR;
4331 break;
4332 case GETVAL:
4333 case GETALL:
4334 perms = SEM__READ;
4335 break;
4336 case SETVAL:
4337 case SETALL:
4338 perms = SEM__WRITE;
4339 break;
4340 case IPC_RMID:
4341 perms = SEM__DESTROY;
4342 break;
4343 case IPC_SET:
4344 perms = SEM__SETATTR;
4345 break;
4346 case IPC_STAT:
4347 case SEM_STAT:
4348 perms = SEM__GETATTR | SEM__ASSOCIATE;
4349 break;
4350 default:
4351 return 0;
4352 }
4353
4354 err = ipc_has_perm(&sma->sem_perm, perms);
4355 return err;
4356 }
4357
4358 static int selinux_sem_semop(struct sem_array *sma,
4359 struct sembuf *sops, unsigned nsops, int alter)
4360 {
4361 u32 perms;
4362
4363 if (alter)
4364 perms = SEM__READ | SEM__WRITE;
4365 else
4366 perms = SEM__READ;
4367
4368 return ipc_has_perm(&sma->sem_perm, perms);
4369 }
4370
4371 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4372 {
4373 u32 av = 0;
4374
4375 av = 0;
4376 if (flag & S_IRUGO)
4377 av |= IPC__UNIX_READ;
4378 if (flag & S_IWUGO)
4379 av |= IPC__UNIX_WRITE;
4380
4381 if (av == 0)
4382 return 0;
4383
4384 return ipc_has_perm(ipcp, av);
4385 }
4386
4387 /* module stacking operations */
4388 static int selinux_register_security (const char *name, struct security_operations *ops)
4389 {
4390 if (secondary_ops != original_ops) {
4391 printk(KERN_INFO "%s: There is already a secondary security "
4392 "module registered.\n", __FUNCTION__);
4393 return -EINVAL;
4394 }
4395
4396 secondary_ops = ops;
4397
4398 printk(KERN_INFO "%s: Registering secondary module %s\n",
4399 __FUNCTION__,
4400 name);
4401
4402 return 0;
4403 }
4404
4405 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4406 {
4407 if (ops != secondary_ops) {
4408 printk (KERN_INFO "%s: trying to unregister a security module "
4409 "that is not registered.\n", __FUNCTION__);
4410 return -EINVAL;
4411 }
4412
4413 secondary_ops = original_ops;
4414
4415 return 0;
4416 }
4417
4418 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4419 {
4420 if (inode)
4421 inode_doinit_with_dentry(inode, dentry);
4422 }
4423
4424 static int selinux_getprocattr(struct task_struct *p,
4425 char *name, void *value, size_t size)
4426 {
4427 struct task_security_struct *tsec;
4428 u32 sid;
4429 int error;
4430
4431 if (current != p) {
4432 error = task_has_perm(current, p, PROCESS__GETATTR);
4433 if (error)
4434 return error;
4435 }
4436
4437 tsec = p->security;
4438
4439 if (!strcmp(name, "current"))
4440 sid = tsec->sid;
4441 else if (!strcmp(name, "prev"))
4442 sid = tsec->osid;
4443 else if (!strcmp(name, "exec"))
4444 sid = tsec->exec_sid;
4445 else if (!strcmp(name, "fscreate"))
4446 sid = tsec->create_sid;
4447 else if (!strcmp(name, "keycreate"))
4448 sid = tsec->keycreate_sid;
4449 else if (!strcmp(name, "sockcreate"))
4450 sid = tsec->sockcreate_sid;
4451 else
4452 return -EINVAL;
4453
4454 if (!sid)
4455 return 0;
4456
4457 return selinux_getsecurity(sid, value, size);
4458 }
4459
4460 static int selinux_setprocattr(struct task_struct *p,
4461 char *name, void *value, size_t size)
4462 {
4463 struct task_security_struct *tsec;
4464 u32 sid = 0;
4465 int error;
4466 char *str = value;
4467
4468 if (current != p) {
4469 /* SELinux only allows a process to change its own
4470 security attributes. */
4471 return -EACCES;
4472 }
4473
4474 /*
4475 * Basic control over ability to set these attributes at all.
4476 * current == p, but we'll pass them separately in case the
4477 * above restriction is ever removed.
4478 */
4479 if (!strcmp(name, "exec"))
4480 error = task_has_perm(current, p, PROCESS__SETEXEC);
4481 else if (!strcmp(name, "fscreate"))
4482 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4483 else if (!strcmp(name, "keycreate"))
4484 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4485 else if (!strcmp(name, "sockcreate"))
4486 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4487 else if (!strcmp(name, "current"))
4488 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4489 else
4490 error = -EINVAL;
4491 if (error)
4492 return error;
4493
4494 /* Obtain a SID for the context, if one was specified. */
4495 if (size && str[1] && str[1] != '\n') {
4496 if (str[size-1] == '\n') {
4497 str[size-1] = 0;
4498 size--;
4499 }
4500 error = security_context_to_sid(value, size, &sid);
4501 if (error)
4502 return error;
4503 }
4504
4505 /* Permission checking based on the specified context is
4506 performed during the actual operation (execve,
4507 open/mkdir/...), when we know the full context of the
4508 operation. See selinux_bprm_set_security for the execve
4509 checks and may_create for the file creation checks. The
4510 operation will then fail if the context is not permitted. */
4511 tsec = p->security;
4512 if (!strcmp(name, "exec"))
4513 tsec->exec_sid = sid;
4514 else if (!strcmp(name, "fscreate"))
4515 tsec->create_sid = sid;
4516 else if (!strcmp(name, "keycreate")) {
4517 error = may_create_key(sid, p);
4518 if (error)
4519 return error;
4520 tsec->keycreate_sid = sid;
4521 } else if (!strcmp(name, "sockcreate"))
4522 tsec->sockcreate_sid = sid;
4523 else if (!strcmp(name, "current")) {
4524 struct av_decision avd;
4525
4526 if (sid == 0)
4527 return -EINVAL;
4528
4529 /* Only allow single threaded processes to change context */
4530 if (atomic_read(&p->mm->mm_users) != 1) {
4531 struct task_struct *g, *t;
4532 struct mm_struct *mm = p->mm;
4533 read_lock(&tasklist_lock);
4534 do_each_thread(g, t)
4535 if (t->mm == mm && t != p) {
4536 read_unlock(&tasklist_lock);
4537 return -EPERM;
4538 }
4539 while_each_thread(g, t);
4540 read_unlock(&tasklist_lock);
4541 }
4542
4543 /* Check permissions for the transition. */
4544 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4545 PROCESS__DYNTRANSITION, NULL);
4546 if (error)
4547 return error;
4548
4549 /* Check for ptracing, and update the task SID if ok.
4550 Otherwise, leave SID unchanged and fail. */
4551 task_lock(p);
4552 if (p->ptrace & PT_PTRACED) {
4553 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4554 SECCLASS_PROCESS,
4555 PROCESS__PTRACE, &avd);
4556 if (!error)
4557 tsec->sid = sid;
4558 task_unlock(p);
4559 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4560 PROCESS__PTRACE, &avd, error, NULL);
4561 if (error)
4562 return error;
4563 } else {
4564 tsec->sid = sid;
4565 task_unlock(p);
4566 }
4567 }
4568 else
4569 return -EINVAL;
4570
4571 return size;
4572 }
4573
4574 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4575 {
4576 return security_sid_to_context(secid, secdata, seclen);
4577 }
4578
4579 static void selinux_release_secctx(char *secdata, u32 seclen)
4580 {
4581 if (secdata)
4582 kfree(secdata);
4583 }
4584
4585 #ifdef CONFIG_KEYS
4586
4587 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4588 unsigned long flags)
4589 {
4590 struct task_security_struct *tsec = tsk->security;
4591 struct key_security_struct *ksec;
4592
4593 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4594 if (!ksec)
4595 return -ENOMEM;
4596
4597 ksec->obj = k;
4598 if (tsec->keycreate_sid)
4599 ksec->sid = tsec->keycreate_sid;
4600 else
4601 ksec->sid = tsec->sid;
4602 k->security = ksec;
4603
4604 return 0;
4605 }
4606
4607 static void selinux_key_free(struct key *k)
4608 {
4609 struct key_security_struct *ksec = k->security;
4610
4611 k->security = NULL;
4612 kfree(ksec);
4613 }
4614
4615 static int selinux_key_permission(key_ref_t key_ref,
4616 struct task_struct *ctx,
4617 key_perm_t perm)
4618 {
4619 struct key *key;
4620 struct task_security_struct *tsec;
4621 struct key_security_struct *ksec;
4622
4623 key = key_ref_to_ptr(key_ref);
4624
4625 tsec = ctx->security;
4626 ksec = key->security;
4627
4628 /* if no specific permissions are requested, we skip the
4629 permission check. No serious, additional covert channels
4630 appear to be created. */
4631 if (perm == 0)
4632 return 0;
4633
4634 return avc_has_perm(tsec->sid, ksec->sid,
4635 SECCLASS_KEY, perm, NULL);
4636 }
4637
4638 #endif
4639
4640 static struct security_operations selinux_ops = {
4641 .ptrace = selinux_ptrace,
4642 .capget = selinux_capget,
4643 .capset_check = selinux_capset_check,
4644 .capset_set = selinux_capset_set,
4645 .sysctl = selinux_sysctl,
4646 .capable = selinux_capable,
4647 .quotactl = selinux_quotactl,
4648 .quota_on = selinux_quota_on,
4649 .syslog = selinux_syslog,
4650 .vm_enough_memory = selinux_vm_enough_memory,
4651
4652 .netlink_send = selinux_netlink_send,
4653 .netlink_recv = selinux_netlink_recv,
4654
4655 .bprm_alloc_security = selinux_bprm_alloc_security,
4656 .bprm_free_security = selinux_bprm_free_security,
4657 .bprm_apply_creds = selinux_bprm_apply_creds,
4658 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4659 .bprm_set_security = selinux_bprm_set_security,
4660 .bprm_check_security = selinux_bprm_check_security,
4661 .bprm_secureexec = selinux_bprm_secureexec,
4662
4663 .sb_alloc_security = selinux_sb_alloc_security,
4664 .sb_free_security = selinux_sb_free_security,
4665 .sb_copy_data = selinux_sb_copy_data,
4666 .sb_kern_mount = selinux_sb_kern_mount,
4667 .sb_statfs = selinux_sb_statfs,
4668 .sb_mount = selinux_mount,
4669 .sb_umount = selinux_umount,
4670
4671 .inode_alloc_security = selinux_inode_alloc_security,
4672 .inode_free_security = selinux_inode_free_security,
4673 .inode_init_security = selinux_inode_init_security,
4674 .inode_create = selinux_inode_create,
4675 .inode_link = selinux_inode_link,
4676 .inode_unlink = selinux_inode_unlink,
4677 .inode_symlink = selinux_inode_symlink,
4678 .inode_mkdir = selinux_inode_mkdir,
4679 .inode_rmdir = selinux_inode_rmdir,
4680 .inode_mknod = selinux_inode_mknod,
4681 .inode_rename = selinux_inode_rename,
4682 .inode_readlink = selinux_inode_readlink,
4683 .inode_follow_link = selinux_inode_follow_link,
4684 .inode_permission = selinux_inode_permission,
4685 .inode_setattr = selinux_inode_setattr,
4686 .inode_getattr = selinux_inode_getattr,
4687 .inode_setxattr = selinux_inode_setxattr,
4688 .inode_post_setxattr = selinux_inode_post_setxattr,
4689 .inode_getxattr = selinux_inode_getxattr,
4690 .inode_listxattr = selinux_inode_listxattr,
4691 .inode_removexattr = selinux_inode_removexattr,
4692 .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix,
4693 .inode_getsecurity = selinux_inode_getsecurity,
4694 .inode_setsecurity = selinux_inode_setsecurity,
4695 .inode_listsecurity = selinux_inode_listsecurity,
4696
4697 .file_permission = selinux_file_permission,
4698 .file_alloc_security = selinux_file_alloc_security,
4699 .file_free_security = selinux_file_free_security,
4700 .file_ioctl = selinux_file_ioctl,
4701 .file_mmap = selinux_file_mmap,
4702 .file_mprotect = selinux_file_mprotect,
4703 .file_lock = selinux_file_lock,
4704 .file_fcntl = selinux_file_fcntl,
4705 .file_set_fowner = selinux_file_set_fowner,
4706 .file_send_sigiotask = selinux_file_send_sigiotask,
4707 .file_receive = selinux_file_receive,
4708
4709 .task_create = selinux_task_create,
4710 .task_alloc_security = selinux_task_alloc_security,
4711 .task_free_security = selinux_task_free_security,
4712 .task_setuid = selinux_task_setuid,
4713 .task_post_setuid = selinux_task_post_setuid,
4714 .task_setgid = selinux_task_setgid,
4715 .task_setpgid = selinux_task_setpgid,
4716 .task_getpgid = selinux_task_getpgid,
4717 .task_getsid = selinux_task_getsid,
4718 .task_getsecid = selinux_task_getsecid,
4719 .task_setgroups = selinux_task_setgroups,
4720 .task_setnice = selinux_task_setnice,
4721 .task_setioprio = selinux_task_setioprio,
4722 .task_getioprio = selinux_task_getioprio,
4723 .task_setrlimit = selinux_task_setrlimit,
4724 .task_setscheduler = selinux_task_setscheduler,
4725 .task_getscheduler = selinux_task_getscheduler,
4726 .task_movememory = selinux_task_movememory,
4727 .task_kill = selinux_task_kill,
4728 .task_wait = selinux_task_wait,
4729 .task_prctl = selinux_task_prctl,
4730 .task_reparent_to_init = selinux_task_reparent_to_init,
4731 .task_to_inode = selinux_task_to_inode,
4732
4733 .ipc_permission = selinux_ipc_permission,
4734
4735 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4736 .msg_msg_free_security = selinux_msg_msg_free_security,
4737
4738 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4739 .msg_queue_free_security = selinux_msg_queue_free_security,
4740 .msg_queue_associate = selinux_msg_queue_associate,
4741 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4742 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4743 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4744
4745 .shm_alloc_security = selinux_shm_alloc_security,
4746 .shm_free_security = selinux_shm_free_security,
4747 .shm_associate = selinux_shm_associate,
4748 .shm_shmctl = selinux_shm_shmctl,
4749 .shm_shmat = selinux_shm_shmat,
4750
4751 .sem_alloc_security = selinux_sem_alloc_security,
4752 .sem_free_security = selinux_sem_free_security,
4753 .sem_associate = selinux_sem_associate,
4754 .sem_semctl = selinux_sem_semctl,
4755 .sem_semop = selinux_sem_semop,
4756
4757 .register_security = selinux_register_security,
4758 .unregister_security = selinux_unregister_security,
4759
4760 .d_instantiate = selinux_d_instantiate,
4761
4762 .getprocattr = selinux_getprocattr,
4763 .setprocattr = selinux_setprocattr,
4764
4765 .secid_to_secctx = selinux_secid_to_secctx,
4766 .release_secctx = selinux_release_secctx,
4767
4768 .unix_stream_connect = selinux_socket_unix_stream_connect,
4769 .unix_may_send = selinux_socket_unix_may_send,
4770
4771 .socket_create = selinux_socket_create,
4772 .socket_post_create = selinux_socket_post_create,
4773 .socket_bind = selinux_socket_bind,
4774 .socket_connect = selinux_socket_connect,
4775 .socket_listen = selinux_socket_listen,
4776 .socket_accept = selinux_socket_accept,
4777 .socket_sendmsg = selinux_socket_sendmsg,
4778 .socket_recvmsg = selinux_socket_recvmsg,
4779 .socket_getsockname = selinux_socket_getsockname,
4780 .socket_getpeername = selinux_socket_getpeername,
4781 .socket_getsockopt = selinux_socket_getsockopt,
4782 .socket_setsockopt = selinux_socket_setsockopt,
4783 .socket_shutdown = selinux_socket_shutdown,
4784 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4785 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
4786 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
4787 .sk_alloc_security = selinux_sk_alloc_security,
4788 .sk_free_security = selinux_sk_free_security,
4789 .sk_clone_security = selinux_sk_clone_security,
4790 .sk_getsecid = selinux_sk_getsecid,
4791 .sock_graft = selinux_sock_graft,
4792 .inet_conn_request = selinux_inet_conn_request,
4793 .inet_csk_clone = selinux_inet_csk_clone,
4794 .inet_conn_established = selinux_inet_conn_established,
4795 .req_classify_flow = selinux_req_classify_flow,
4796
4797 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4798 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4799 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4800 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4801 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
4802 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4803 .xfrm_state_free_security = selinux_xfrm_state_free,
4804 .xfrm_state_delete_security = selinux_xfrm_state_delete,
4805 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
4806 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
4807 .xfrm_decode_session = selinux_xfrm_decode_session,
4808 #endif
4809
4810 #ifdef CONFIG_KEYS
4811 .key_alloc = selinux_key_alloc,
4812 .key_free = selinux_key_free,
4813 .key_permission = selinux_key_permission,
4814 #endif
4815 };
4816
4817 static __init int selinux_init(void)
4818 {
4819 struct task_security_struct *tsec;
4820
4821 if (!selinux_enabled) {
4822 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4823 return 0;
4824 }
4825
4826 printk(KERN_INFO "SELinux: Initializing.\n");
4827
4828 /* Set the security state for the initial task. */
4829 if (task_alloc_security(current))
4830 panic("SELinux: Failed to initialize initial task.\n");
4831 tsec = current->security;
4832 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4833
4834 sel_inode_cache = kmem_cache_create("selinux_inode_security",
4835 sizeof(struct inode_security_struct),
4836 0, SLAB_PANIC, NULL, NULL);
4837 avc_init();
4838
4839 original_ops = secondary_ops = security_ops;
4840 if (!secondary_ops)
4841 panic ("SELinux: No initial security operations\n");
4842 if (register_security (&selinux_ops))
4843 panic("SELinux: Unable to register with kernel.\n");
4844
4845 if (selinux_enforcing) {
4846 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4847 } else {
4848 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4849 }
4850
4851 #ifdef CONFIG_KEYS
4852 /* Add security information to initial keyrings */
4853 selinux_key_alloc(&root_user_keyring, current,
4854 KEY_ALLOC_NOT_IN_QUOTA);
4855 selinux_key_alloc(&root_session_keyring, current,
4856 KEY_ALLOC_NOT_IN_QUOTA);
4857 #endif
4858
4859 return 0;
4860 }
4861
4862 void selinux_complete_init(void)
4863 {
4864 printk(KERN_INFO "SELinux: Completing initialization.\n");
4865
4866 /* Set up any superblocks initialized prior to the policy load. */
4867 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4868 spin_lock(&sb_lock);
4869 spin_lock(&sb_security_lock);
4870 next_sb:
4871 if (!list_empty(&superblock_security_head)) {
4872 struct superblock_security_struct *sbsec =
4873 list_entry(superblock_security_head.next,
4874 struct superblock_security_struct,
4875 list);
4876 struct super_block *sb = sbsec->sb;
4877 sb->s_count++;
4878 spin_unlock(&sb_security_lock);
4879 spin_unlock(&sb_lock);
4880 down_read(&sb->s_umount);
4881 if (sb->s_root)
4882 superblock_doinit(sb, NULL);
4883 drop_super(sb);
4884 spin_lock(&sb_lock);
4885 spin_lock(&sb_security_lock);
4886 list_del_init(&sbsec->list);
4887 goto next_sb;
4888 }
4889 spin_unlock(&sb_security_lock);
4890 spin_unlock(&sb_lock);
4891 }
4892
4893 /* SELinux requires early initialization in order to label
4894 all processes and objects when they are created. */
4895 security_initcall(selinux_init);
4896
4897 #if defined(CONFIG_NETFILTER)
4898
4899 static struct nf_hook_ops selinux_ipv4_op = {
4900 .hook = selinux_ipv4_postroute_last,
4901 .owner = THIS_MODULE,
4902 .pf = PF_INET,
4903 .hooknum = NF_IP_POST_ROUTING,
4904 .priority = NF_IP_PRI_SELINUX_LAST,
4905 };
4906
4907 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4908
4909 static struct nf_hook_ops selinux_ipv6_op = {
4910 .hook = selinux_ipv6_postroute_last,
4911 .owner = THIS_MODULE,
4912 .pf = PF_INET6,
4913 .hooknum = NF_IP6_POST_ROUTING,
4914 .priority = NF_IP6_PRI_SELINUX_LAST,
4915 };
4916
4917 #endif /* IPV6 */
4918
4919 static int __init selinux_nf_ip_init(void)
4920 {
4921 int err = 0;
4922
4923 if (!selinux_enabled)
4924 goto out;
4925
4926 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4927
4928 err = nf_register_hook(&selinux_ipv4_op);
4929 if (err)
4930 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4931
4932 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4933
4934 err = nf_register_hook(&selinux_ipv6_op);
4935 if (err)
4936 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4937
4938 #endif /* IPV6 */
4939
4940 out:
4941 return err;
4942 }
4943
4944 __initcall(selinux_nf_ip_init);
4945
4946 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4947 static void selinux_nf_ip_exit(void)
4948 {
4949 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4950
4951 nf_unregister_hook(&selinux_ipv4_op);
4952 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4953 nf_unregister_hook(&selinux_ipv6_op);
4954 #endif /* IPV6 */
4955 }
4956 #endif
4957
4958 #else /* CONFIG_NETFILTER */
4959
4960 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4961 #define selinux_nf_ip_exit()
4962 #endif
4963
4964 #endif /* CONFIG_NETFILTER */
4965
4966 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4967 int selinux_disable(void)
4968 {
4969 extern void exit_sel_fs(void);
4970 static int selinux_disabled = 0;
4971
4972 if (ss_initialized) {
4973 /* Not permitted after initial policy load. */
4974 return -EINVAL;
4975 }
4976
4977 if (selinux_disabled) {
4978 /* Only do this once. */
4979 return -EINVAL;
4980 }
4981
4982 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4983
4984 selinux_disabled = 1;
4985 selinux_enabled = 0;
4986
4987 /* Reset security_ops to the secondary module, dummy or capability. */
4988 security_ops = secondary_ops;
4989
4990 /* Unregister netfilter hooks. */
4991 selinux_nf_ip_exit();
4992
4993 /* Unregister selinuxfs. */
4994 exit_sel_fs();
4995
4996 return 0;
4997 }
4998 #endif
4999
5000
ubuntu-bionic-kernel mirror