]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-eoan-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
selinux: quiet the filesystem labeling behavior message
[mirror_ubuntu-eoan-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h> /* for Unix socket types */
71 #include <net/af_unix.h> /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97
98 /* SECMARK reference count */
99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106 unsigned long enforcing;
107 if (!kstrtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
109 return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119 unsigned long enabled;
120 if (!kstrtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
122 return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129 static struct kmem_cache *sel_inode_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
140 *
141 */
142 static int selinux_secmark_enabled(void)
143 {
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146
147 /**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157 static int selinux_peerlbl_enabled(void)
158 {
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171 }
172
173 /*
174 * initialise the security for the init task
175 */
176 static void cred_init_security(void)
177 {
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
180
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 if (!tsec)
183 panic("SELinux: Failed to initialize initial task.\n");
184
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
187 }
188
189 /*
190 * get the security ID of a set of credentials
191 */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198 }
199
200 /*
201 * get the objective security ID of a task
202 */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 u32 sid;
206
207 rcu_read_lock();
208 sid = cred_sid(__task_cred(task));
209 rcu_read_unlock();
210 return sid;
211 }
212
213 /*
214 * get the subjective security ID of the current task
215 */
216 static inline u32 current_sid(void)
217 {
218 const struct task_security_struct *tsec = current_security();
219
220 return tsec->sid;
221 }
222
223 /* Allocate and free functions for each kind of security blob. */
224
225 static int inode_alloc_security(struct inode *inode)
226 {
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
229
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 if (!isec)
232 return -ENOMEM;
233
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
241
242 return 0;
243 }
244
245 static void inode_free_rcu(struct rcu_head *head)
246 {
247 struct inode_security_struct *isec;
248
249 isec = container_of(head, struct inode_security_struct, rcu);
250 kmem_cache_free(sel_inode_cache, isec);
251 }
252
253 static void inode_free_security(struct inode *inode)
254 {
255 struct inode_security_struct *isec = inode->i_security;
256 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
257
258 spin_lock(&sbsec->isec_lock);
259 if (!list_empty(&isec->list))
260 list_del_init(&isec->list);
261 spin_unlock(&sbsec->isec_lock);
262
263 /*
264 * The inode may still be referenced in a path walk and
265 * a call to selinux_inode_permission() can be made
266 * after inode_free_security() is called. Ideally, the VFS
267 * wouldn't do this, but fixing that is a much harder
268 * job. For now, simply free the i_security via RCU, and
269 * leave the current inode->i_security pointer intact.
270 * The inode will be freed after the RCU grace period too.
271 */
272 call_rcu(&isec->rcu, inode_free_rcu);
273 }
274
275 static int file_alloc_security(struct file *file)
276 {
277 struct file_security_struct *fsec;
278 u32 sid = current_sid();
279
280 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
281 if (!fsec)
282 return -ENOMEM;
283
284 fsec->sid = sid;
285 fsec->fown_sid = sid;
286 file->f_security = fsec;
287
288 return 0;
289 }
290
291 static void file_free_security(struct file *file)
292 {
293 struct file_security_struct *fsec = file->f_security;
294 file->f_security = NULL;
295 kfree(fsec);
296 }
297
298 static int superblock_alloc_security(struct super_block *sb)
299 {
300 struct superblock_security_struct *sbsec;
301
302 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
303 if (!sbsec)
304 return -ENOMEM;
305
306 mutex_init(&sbsec->lock);
307 INIT_LIST_HEAD(&sbsec->isec_head);
308 spin_lock_init(&sbsec->isec_lock);
309 sbsec->sb = sb;
310 sbsec->sid = SECINITSID_UNLABELED;
311 sbsec->def_sid = SECINITSID_FILE;
312 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
313 sb->s_security = sbsec;
314
315 return 0;
316 }
317
318 static void superblock_free_security(struct super_block *sb)
319 {
320 struct superblock_security_struct *sbsec = sb->s_security;
321 sb->s_security = NULL;
322 kfree(sbsec);
323 }
324
325 /* The file system's label must be initialized prior to use. */
326
327 static const char *labeling_behaviors[7] = {
328 "uses xattr",
329 "uses transition SIDs",
330 "uses task SIDs",
331 "uses genfs_contexts",
332 "not configured for labeling",
333 "uses mountpoint labeling",
334 "uses native labeling",
335 };
336
337 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
338
339 static inline int inode_doinit(struct inode *inode)
340 {
341 return inode_doinit_with_dentry(inode, NULL);
342 }
343
344 enum {
345 Opt_error = -1,
346 Opt_context = 1,
347 Opt_fscontext = 2,
348 Opt_defcontext = 3,
349 Opt_rootcontext = 4,
350 Opt_labelsupport = 5,
351 Opt_nextmntopt = 6,
352 };
353
354 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
355
356 static const match_table_t tokens = {
357 {Opt_context, CONTEXT_STR "%s"},
358 {Opt_fscontext, FSCONTEXT_STR "%s"},
359 {Opt_defcontext, DEFCONTEXT_STR "%s"},
360 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
361 {Opt_labelsupport, LABELSUPP_STR},
362 {Opt_error, NULL},
363 };
364
365 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
366
367 static int may_context_mount_sb_relabel(u32 sid,
368 struct superblock_security_struct *sbsec,
369 const struct cred *cred)
370 {
371 const struct task_security_struct *tsec = cred->security;
372 int rc;
373
374 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
375 FILESYSTEM__RELABELFROM, NULL);
376 if (rc)
377 return rc;
378
379 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
380 FILESYSTEM__RELABELTO, NULL);
381 return rc;
382 }
383
384 static int may_context_mount_inode_relabel(u32 sid,
385 struct superblock_security_struct *sbsec,
386 const struct cred *cred)
387 {
388 const struct task_security_struct *tsec = cred->security;
389 int rc;
390 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
391 FILESYSTEM__RELABELFROM, NULL);
392 if (rc)
393 return rc;
394
395 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
396 FILESYSTEM__ASSOCIATE, NULL);
397 return rc;
398 }
399
400 static int selinux_is_sblabel_mnt(struct super_block *sb)
401 {
402 struct superblock_security_struct *sbsec = sb->s_security;
403
404 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
405 sbsec->behavior == SECURITY_FS_USE_TRANS ||
406 sbsec->behavior == SECURITY_FS_USE_TASK)
407 return 1;
408
409 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
410 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
411 return 1;
412
413 /*
414 * Special handling for rootfs. Is genfs but supports
415 * setting SELinux context on in-core inodes.
416 */
417 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
418 return 1;
419
420 return 0;
421 }
422
423 static int sb_finish_set_opts(struct super_block *sb)
424 {
425 struct superblock_security_struct *sbsec = sb->s_security;
426 struct dentry *root = sb->s_root;
427 struct inode *root_inode = root->d_inode;
428 int rc = 0;
429
430 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
431 /* Make sure that the xattr handler exists and that no
432 error other than -ENODATA is returned by getxattr on
433 the root directory. -ENODATA is ok, as this may be
434 the first boot of the SELinux kernel before we have
435 assigned xattr values to the filesystem. */
436 if (!root_inode->i_op->getxattr) {
437 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
438 "xattr support\n", sb->s_id, sb->s_type->name);
439 rc = -EOPNOTSUPP;
440 goto out;
441 }
442 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
443 if (rc < 0 && rc != -ENODATA) {
444 if (rc == -EOPNOTSUPP)
445 printk(KERN_WARNING "SELinux: (dev %s, type "
446 "%s) has no security xattr handler\n",
447 sb->s_id, sb->s_type->name);
448 else
449 printk(KERN_WARNING "SELinux: (dev %s, type "
450 "%s) getxattr errno %d\n", sb->s_id,
451 sb->s_type->name, -rc);
452 goto out;
453 }
454 }
455
456 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
457 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
458 sb->s_id, sb->s_type->name);
459
460 sbsec->flags |= SE_SBINITIALIZED;
461 if (selinux_is_sblabel_mnt(sb))
462 sbsec->flags |= SBLABEL_MNT;
463
464 /* Initialize the root inode. */
465 rc = inode_doinit_with_dentry(root_inode, root);
466
467 /* Initialize any other inodes associated with the superblock, e.g.
468 inodes created prior to initial policy load or inodes created
469 during get_sb by a pseudo filesystem that directly
470 populates itself. */
471 spin_lock(&sbsec->isec_lock);
472 next_inode:
473 if (!list_empty(&sbsec->isec_head)) {
474 struct inode_security_struct *isec =
475 list_entry(sbsec->isec_head.next,
476 struct inode_security_struct, list);
477 struct inode *inode = isec->inode;
478 list_del_init(&isec->list);
479 spin_unlock(&sbsec->isec_lock);
480 inode = igrab(inode);
481 if (inode) {
482 if (!IS_PRIVATE(inode))
483 inode_doinit(inode);
484 iput(inode);
485 }
486 spin_lock(&sbsec->isec_lock);
487 goto next_inode;
488 }
489 spin_unlock(&sbsec->isec_lock);
490 out:
491 return rc;
492 }
493
494 /*
495 * This function should allow an FS to ask what it's mount security
496 * options were so it can use those later for submounts, displaying
497 * mount options, or whatever.
498 */
499 static int selinux_get_mnt_opts(const struct super_block *sb,
500 struct security_mnt_opts *opts)
501 {
502 int rc = 0, i;
503 struct superblock_security_struct *sbsec = sb->s_security;
504 char *context = NULL;
505 u32 len;
506 char tmp;
507
508 security_init_mnt_opts(opts);
509
510 if (!(sbsec->flags & SE_SBINITIALIZED))
511 return -EINVAL;
512
513 if (!ss_initialized)
514 return -EINVAL;
515
516 /* make sure we always check enough bits to cover the mask */
517 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
518
519 tmp = sbsec->flags & SE_MNTMASK;
520 /* count the number of mount options for this sb */
521 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
522 if (tmp & 0x01)
523 opts->num_mnt_opts++;
524 tmp >>= 1;
525 }
526 /* Check if the Label support flag is set */
527 if (sbsec->flags & SBLABEL_MNT)
528 opts->num_mnt_opts++;
529
530 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
531 if (!opts->mnt_opts) {
532 rc = -ENOMEM;
533 goto out_free;
534 }
535
536 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
537 if (!opts->mnt_opts_flags) {
538 rc = -ENOMEM;
539 goto out_free;
540 }
541
542 i = 0;
543 if (sbsec->flags & FSCONTEXT_MNT) {
544 rc = security_sid_to_context(sbsec->sid, &context, &len);
545 if (rc)
546 goto out_free;
547 opts->mnt_opts[i] = context;
548 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
549 }
550 if (sbsec->flags & CONTEXT_MNT) {
551 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
552 if (rc)
553 goto out_free;
554 opts->mnt_opts[i] = context;
555 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
556 }
557 if (sbsec->flags & DEFCONTEXT_MNT) {
558 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
559 if (rc)
560 goto out_free;
561 opts->mnt_opts[i] = context;
562 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
563 }
564 if (sbsec->flags & ROOTCONTEXT_MNT) {
565 struct inode *root = sbsec->sb->s_root->d_inode;
566 struct inode_security_struct *isec = root->i_security;
567
568 rc = security_sid_to_context(isec->sid, &context, &len);
569 if (rc)
570 goto out_free;
571 opts->mnt_opts[i] = context;
572 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
573 }
574 if (sbsec->flags & SBLABEL_MNT) {
575 opts->mnt_opts[i] = NULL;
576 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
577 }
578
579 BUG_ON(i != opts->num_mnt_opts);
580
581 return 0;
582
583 out_free:
584 security_free_mnt_opts(opts);
585 return rc;
586 }
587
588 static int bad_option(struct superblock_security_struct *sbsec, char flag,
589 u32 old_sid, u32 new_sid)
590 {
591 char mnt_flags = sbsec->flags & SE_MNTMASK;
592
593 /* check if the old mount command had the same options */
594 if (sbsec->flags & SE_SBINITIALIZED)
595 if (!(sbsec->flags & flag) ||
596 (old_sid != new_sid))
597 return 1;
598
599 /* check if we were passed the same options twice,
600 * aka someone passed context=a,context=b
601 */
602 if (!(sbsec->flags & SE_SBINITIALIZED))
603 if (mnt_flags & flag)
604 return 1;
605 return 0;
606 }
607
608 /*
609 * Allow filesystems with binary mount data to explicitly set mount point
610 * labeling information.
611 */
612 static int selinux_set_mnt_opts(struct super_block *sb,
613 struct security_mnt_opts *opts,
614 unsigned long kern_flags,
615 unsigned long *set_kern_flags)
616 {
617 const struct cred *cred = current_cred();
618 int rc = 0, i;
619 struct superblock_security_struct *sbsec = sb->s_security;
620 const char *name = sb->s_type->name;
621 struct inode *inode = sbsec->sb->s_root->d_inode;
622 struct inode_security_struct *root_isec = inode->i_security;
623 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
624 u32 defcontext_sid = 0;
625 char **mount_options = opts->mnt_opts;
626 int *flags = opts->mnt_opts_flags;
627 int num_opts = opts->num_mnt_opts;
628
629 mutex_lock(&sbsec->lock);
630
631 if (!ss_initialized) {
632 if (!num_opts) {
633 /* Defer initialization until selinux_complete_init,
634 after the initial policy is loaded and the security
635 server is ready to handle calls. */
636 goto out;
637 }
638 rc = -EINVAL;
639 printk(KERN_WARNING "SELinux: Unable to set superblock options "
640 "before the security server is initialized\n");
641 goto out;
642 }
643 if (kern_flags && !set_kern_flags) {
644 /* Specifying internal flags without providing a place to
645 * place the results is not allowed */
646 rc = -EINVAL;
647 goto out;
648 }
649
650 /*
651 * Binary mount data FS will come through this function twice. Once
652 * from an explicit call and once from the generic calls from the vfs.
653 * Since the generic VFS calls will not contain any security mount data
654 * we need to skip the double mount verification.
655 *
656 * This does open a hole in which we will not notice if the first
657 * mount using this sb set explict options and a second mount using
658 * this sb does not set any security options. (The first options
659 * will be used for both mounts)
660 */
661 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
662 && (num_opts == 0))
663 goto out;
664
665 /*
666 * parse the mount options, check if they are valid sids.
667 * also check if someone is trying to mount the same sb more
668 * than once with different security options.
669 */
670 for (i = 0; i < num_opts; i++) {
671 u32 sid;
672
673 if (flags[i] == SBLABEL_MNT)
674 continue;
675 rc = security_context_to_sid(mount_options[i],
676 strlen(mount_options[i]), &sid, GFP_KERNEL);
677 if (rc) {
678 printk(KERN_WARNING "SELinux: security_context_to_sid"
679 "(%s) failed for (dev %s, type %s) errno=%d\n",
680 mount_options[i], sb->s_id, name, rc);
681 goto out;
682 }
683 switch (flags[i]) {
684 case FSCONTEXT_MNT:
685 fscontext_sid = sid;
686
687 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
688 fscontext_sid))
689 goto out_double_mount;
690
691 sbsec->flags |= FSCONTEXT_MNT;
692 break;
693 case CONTEXT_MNT:
694 context_sid = sid;
695
696 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
697 context_sid))
698 goto out_double_mount;
699
700 sbsec->flags |= CONTEXT_MNT;
701 break;
702 case ROOTCONTEXT_MNT:
703 rootcontext_sid = sid;
704
705 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
706 rootcontext_sid))
707 goto out_double_mount;
708
709 sbsec->flags |= ROOTCONTEXT_MNT;
710
711 break;
712 case DEFCONTEXT_MNT:
713 defcontext_sid = sid;
714
715 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
716 defcontext_sid))
717 goto out_double_mount;
718
719 sbsec->flags |= DEFCONTEXT_MNT;
720
721 break;
722 default:
723 rc = -EINVAL;
724 goto out;
725 }
726 }
727
728 if (sbsec->flags & SE_SBINITIALIZED) {
729 /* previously mounted with options, but not on this attempt? */
730 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
731 goto out_double_mount;
732 rc = 0;
733 goto out;
734 }
735
736 if (strcmp(sb->s_type->name, "proc") == 0)
737 sbsec->flags |= SE_SBPROC;
738
739 if (!sbsec->behavior) {
740 /*
741 * Determine the labeling behavior to use for this
742 * filesystem type.
743 */
744 rc = security_fs_use(sb);
745 if (rc) {
746 printk(KERN_WARNING
747 "%s: security_fs_use(%s) returned %d\n",
748 __func__, sb->s_type->name, rc);
749 goto out;
750 }
751 }
752 /* sets the context of the superblock for the fs being mounted. */
753 if (fscontext_sid) {
754 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
755 if (rc)
756 goto out;
757
758 sbsec->sid = fscontext_sid;
759 }
760
761 /*
762 * Switch to using mount point labeling behavior.
763 * sets the label used on all file below the mountpoint, and will set
764 * the superblock context if not already set.
765 */
766 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
767 sbsec->behavior = SECURITY_FS_USE_NATIVE;
768 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
769 }
770
771 if (context_sid) {
772 if (!fscontext_sid) {
773 rc = may_context_mount_sb_relabel(context_sid, sbsec,
774 cred);
775 if (rc)
776 goto out;
777 sbsec->sid = context_sid;
778 } else {
779 rc = may_context_mount_inode_relabel(context_sid, sbsec,
780 cred);
781 if (rc)
782 goto out;
783 }
784 if (!rootcontext_sid)
785 rootcontext_sid = context_sid;
786
787 sbsec->mntpoint_sid = context_sid;
788 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
789 }
790
791 if (rootcontext_sid) {
792 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
793 cred);
794 if (rc)
795 goto out;
796
797 root_isec->sid = rootcontext_sid;
798 root_isec->initialized = 1;
799 }
800
801 if (defcontext_sid) {
802 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
803 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
804 rc = -EINVAL;
805 printk(KERN_WARNING "SELinux: defcontext option is "
806 "invalid for this filesystem type\n");
807 goto out;
808 }
809
810 if (defcontext_sid != sbsec->def_sid) {
811 rc = may_context_mount_inode_relabel(defcontext_sid,
812 sbsec, cred);
813 if (rc)
814 goto out;
815 }
816
817 sbsec->def_sid = defcontext_sid;
818 }
819
820 rc = sb_finish_set_opts(sb);
821 out:
822 mutex_unlock(&sbsec->lock);
823 return rc;
824 out_double_mount:
825 rc = -EINVAL;
826 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
827 "security settings for (dev %s, type %s)\n", sb->s_id, name);
828 goto out;
829 }
830
831 static int selinux_cmp_sb_context(const struct super_block *oldsb,
832 const struct super_block *newsb)
833 {
834 struct superblock_security_struct *old = oldsb->s_security;
835 struct superblock_security_struct *new = newsb->s_security;
836 char oldflags = old->flags & SE_MNTMASK;
837 char newflags = new->flags & SE_MNTMASK;
838
839 if (oldflags != newflags)
840 goto mismatch;
841 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
842 goto mismatch;
843 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
844 goto mismatch;
845 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
846 goto mismatch;
847 if (oldflags & ROOTCONTEXT_MNT) {
848 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
849 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
850 if (oldroot->sid != newroot->sid)
851 goto mismatch;
852 }
853 return 0;
854 mismatch:
855 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
856 "different security settings for (dev %s, "
857 "type %s)\n", newsb->s_id, newsb->s_type->name);
858 return -EBUSY;
859 }
860
861 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
862 struct super_block *newsb)
863 {
864 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
865 struct superblock_security_struct *newsbsec = newsb->s_security;
866
867 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
868 int set_context = (oldsbsec->flags & CONTEXT_MNT);
869 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
870
871 /*
872 * if the parent was able to be mounted it clearly had no special lsm
873 * mount options. thus we can safely deal with this superblock later
874 */
875 if (!ss_initialized)
876 return 0;
877
878 /* how can we clone if the old one wasn't set up?? */
879 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
880
881 /* if fs is reusing a sb, make sure that the contexts match */
882 if (newsbsec->flags & SE_SBINITIALIZED)
883 return selinux_cmp_sb_context(oldsb, newsb);
884
885 mutex_lock(&newsbsec->lock);
886
887 newsbsec->flags = oldsbsec->flags;
888
889 newsbsec->sid = oldsbsec->sid;
890 newsbsec->def_sid = oldsbsec->def_sid;
891 newsbsec->behavior = oldsbsec->behavior;
892
893 if (set_context) {
894 u32 sid = oldsbsec->mntpoint_sid;
895
896 if (!set_fscontext)
897 newsbsec->sid = sid;
898 if (!set_rootcontext) {
899 struct inode *newinode = newsb->s_root->d_inode;
900 struct inode_security_struct *newisec = newinode->i_security;
901 newisec->sid = sid;
902 }
903 newsbsec->mntpoint_sid = sid;
904 }
905 if (set_rootcontext) {
906 const struct inode *oldinode = oldsb->s_root->d_inode;
907 const struct inode_security_struct *oldisec = oldinode->i_security;
908 struct inode *newinode = newsb->s_root->d_inode;
909 struct inode_security_struct *newisec = newinode->i_security;
910
911 newisec->sid = oldisec->sid;
912 }
913
914 sb_finish_set_opts(newsb);
915 mutex_unlock(&newsbsec->lock);
916 return 0;
917 }
918
919 static int selinux_parse_opts_str(char *options,
920 struct security_mnt_opts *opts)
921 {
922 char *p;
923 char *context = NULL, *defcontext = NULL;
924 char *fscontext = NULL, *rootcontext = NULL;
925 int rc, num_mnt_opts = 0;
926
927 opts->num_mnt_opts = 0;
928
929 /* Standard string-based options. */
930 while ((p = strsep(&options, "|")) != NULL) {
931 int token;
932 substring_t args[MAX_OPT_ARGS];
933
934 if (!*p)
935 continue;
936
937 token = match_token(p, tokens, args);
938
939 switch (token) {
940 case Opt_context:
941 if (context || defcontext) {
942 rc = -EINVAL;
943 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
944 goto out_err;
945 }
946 context = match_strdup(&args[0]);
947 if (!context) {
948 rc = -ENOMEM;
949 goto out_err;
950 }
951 break;
952
953 case Opt_fscontext:
954 if (fscontext) {
955 rc = -EINVAL;
956 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
957 goto out_err;
958 }
959 fscontext = match_strdup(&args[0]);
960 if (!fscontext) {
961 rc = -ENOMEM;
962 goto out_err;
963 }
964 break;
965
966 case Opt_rootcontext:
967 if (rootcontext) {
968 rc = -EINVAL;
969 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
970 goto out_err;
971 }
972 rootcontext = match_strdup(&args[0]);
973 if (!rootcontext) {
974 rc = -ENOMEM;
975 goto out_err;
976 }
977 break;
978
979 case Opt_defcontext:
980 if (context || defcontext) {
981 rc = -EINVAL;
982 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
983 goto out_err;
984 }
985 defcontext = match_strdup(&args[0]);
986 if (!defcontext) {
987 rc = -ENOMEM;
988 goto out_err;
989 }
990 break;
991 case Opt_labelsupport:
992 break;
993 default:
994 rc = -EINVAL;
995 printk(KERN_WARNING "SELinux: unknown mount option\n");
996 goto out_err;
997
998 }
999 }
1000
1001 rc = -ENOMEM;
1002 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1003 if (!opts->mnt_opts)
1004 goto out_err;
1005
1006 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1007 if (!opts->mnt_opts_flags) {
1008 kfree(opts->mnt_opts);
1009 goto out_err;
1010 }
1011
1012 if (fscontext) {
1013 opts->mnt_opts[num_mnt_opts] = fscontext;
1014 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1015 }
1016 if (context) {
1017 opts->mnt_opts[num_mnt_opts] = context;
1018 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1019 }
1020 if (rootcontext) {
1021 opts->mnt_opts[num_mnt_opts] = rootcontext;
1022 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1023 }
1024 if (defcontext) {
1025 opts->mnt_opts[num_mnt_opts] = defcontext;
1026 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1027 }
1028
1029 opts->num_mnt_opts = num_mnt_opts;
1030 return 0;
1031
1032 out_err:
1033 kfree(context);
1034 kfree(defcontext);
1035 kfree(fscontext);
1036 kfree(rootcontext);
1037 return rc;
1038 }
1039 /*
1040 * string mount options parsing and call set the sbsec
1041 */
1042 static int superblock_doinit(struct super_block *sb, void *data)
1043 {
1044 int rc = 0;
1045 char *options = data;
1046 struct security_mnt_opts opts;
1047
1048 security_init_mnt_opts(&opts);
1049
1050 if (!data)
1051 goto out;
1052
1053 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1054
1055 rc = selinux_parse_opts_str(options, &opts);
1056 if (rc)
1057 goto out_err;
1058
1059 out:
1060 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1061
1062 out_err:
1063 security_free_mnt_opts(&opts);
1064 return rc;
1065 }
1066
1067 static void selinux_write_opts(struct seq_file *m,
1068 struct security_mnt_opts *opts)
1069 {
1070 int i;
1071 char *prefix;
1072
1073 for (i = 0; i < opts->num_mnt_opts; i++) {
1074 char *has_comma;
1075
1076 if (opts->mnt_opts[i])
1077 has_comma = strchr(opts->mnt_opts[i], ',');
1078 else
1079 has_comma = NULL;
1080
1081 switch (opts->mnt_opts_flags[i]) {
1082 case CONTEXT_MNT:
1083 prefix = CONTEXT_STR;
1084 break;
1085 case FSCONTEXT_MNT:
1086 prefix = FSCONTEXT_STR;
1087 break;
1088 case ROOTCONTEXT_MNT:
1089 prefix = ROOTCONTEXT_STR;
1090 break;
1091 case DEFCONTEXT_MNT:
1092 prefix = DEFCONTEXT_STR;
1093 break;
1094 case SBLABEL_MNT:
1095 seq_putc(m, ',');
1096 seq_puts(m, LABELSUPP_STR);
1097 continue;
1098 default:
1099 BUG();
1100 return;
1101 };
1102 /* we need a comma before each option */
1103 seq_putc(m, ',');
1104 seq_puts(m, prefix);
1105 if (has_comma)
1106 seq_putc(m, '\"');
1107 seq_puts(m, opts->mnt_opts[i]);
1108 if (has_comma)
1109 seq_putc(m, '\"');
1110 }
1111 }
1112
1113 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1114 {
1115 struct security_mnt_opts opts;
1116 int rc;
1117
1118 rc = selinux_get_mnt_opts(sb, &opts);
1119 if (rc) {
1120 /* before policy load we may get EINVAL, don't show anything */
1121 if (rc == -EINVAL)
1122 rc = 0;
1123 return rc;
1124 }
1125
1126 selinux_write_opts(m, &opts);
1127
1128 security_free_mnt_opts(&opts);
1129
1130 return rc;
1131 }
1132
1133 static inline u16 inode_mode_to_security_class(umode_t mode)
1134 {
1135 switch (mode & S_IFMT) {
1136 case S_IFSOCK:
1137 return SECCLASS_SOCK_FILE;
1138 case S_IFLNK:
1139 return SECCLASS_LNK_FILE;
1140 case S_IFREG:
1141 return SECCLASS_FILE;
1142 case S_IFBLK:
1143 return SECCLASS_BLK_FILE;
1144 case S_IFDIR:
1145 return SECCLASS_DIR;
1146 case S_IFCHR:
1147 return SECCLASS_CHR_FILE;
1148 case S_IFIFO:
1149 return SECCLASS_FIFO_FILE;
1150
1151 }
1152
1153 return SECCLASS_FILE;
1154 }
1155
1156 static inline int default_protocol_stream(int protocol)
1157 {
1158 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1159 }
1160
1161 static inline int default_protocol_dgram(int protocol)
1162 {
1163 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1164 }
1165
1166 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1167 {
1168 switch (family) {
1169 case PF_UNIX:
1170 switch (type) {
1171 case SOCK_STREAM:
1172 case SOCK_SEQPACKET:
1173 return SECCLASS_UNIX_STREAM_SOCKET;
1174 case SOCK_DGRAM:
1175 return SECCLASS_UNIX_DGRAM_SOCKET;
1176 }
1177 break;
1178 case PF_INET:
1179 case PF_INET6:
1180 switch (type) {
1181 case SOCK_STREAM:
1182 if (default_protocol_stream(protocol))
1183 return SECCLASS_TCP_SOCKET;
1184 else
1185 return SECCLASS_RAWIP_SOCKET;
1186 case SOCK_DGRAM:
1187 if (default_protocol_dgram(protocol))
1188 return SECCLASS_UDP_SOCKET;
1189 else
1190 return SECCLASS_RAWIP_SOCKET;
1191 case SOCK_DCCP:
1192 return SECCLASS_DCCP_SOCKET;
1193 default:
1194 return SECCLASS_RAWIP_SOCKET;
1195 }
1196 break;
1197 case PF_NETLINK:
1198 switch (protocol) {
1199 case NETLINK_ROUTE:
1200 return SECCLASS_NETLINK_ROUTE_SOCKET;
1201 case NETLINK_FIREWALL:
1202 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1203 case NETLINK_SOCK_DIAG:
1204 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1205 case NETLINK_NFLOG:
1206 return SECCLASS_NETLINK_NFLOG_SOCKET;
1207 case NETLINK_XFRM:
1208 return SECCLASS_NETLINK_XFRM_SOCKET;
1209 case NETLINK_SELINUX:
1210 return SECCLASS_NETLINK_SELINUX_SOCKET;
1211 case NETLINK_AUDIT:
1212 return SECCLASS_NETLINK_AUDIT_SOCKET;
1213 case NETLINK_IP6_FW:
1214 return SECCLASS_NETLINK_IP6FW_SOCKET;
1215 case NETLINK_DNRTMSG:
1216 return SECCLASS_NETLINK_DNRT_SOCKET;
1217 case NETLINK_KOBJECT_UEVENT:
1218 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1219 default:
1220 return SECCLASS_NETLINK_SOCKET;
1221 }
1222 case PF_PACKET:
1223 return SECCLASS_PACKET_SOCKET;
1224 case PF_KEY:
1225 return SECCLASS_KEY_SOCKET;
1226 case PF_APPLETALK:
1227 return SECCLASS_APPLETALK_SOCKET;
1228 }
1229
1230 return SECCLASS_SOCKET;
1231 }
1232
1233 #ifdef CONFIG_PROC_FS
1234 static int selinux_proc_get_sid(struct dentry *dentry,
1235 u16 tclass,
1236 u32 *sid)
1237 {
1238 int rc;
1239 char *buffer, *path;
1240
1241 buffer = (char *)__get_free_page(GFP_KERNEL);
1242 if (!buffer)
1243 return -ENOMEM;
1244
1245 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1246 if (IS_ERR(path))
1247 rc = PTR_ERR(path);
1248 else {
1249 /* each process gets a /proc/PID/ entry. Strip off the
1250 * PID part to get a valid selinux labeling.
1251 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1252 while (path[1] >= '0' && path[1] <= '9') {
1253 path[1] = '/';
1254 path++;
1255 }
1256 rc = security_genfs_sid("proc", path, tclass, sid);
1257 }
1258 free_page((unsigned long)buffer);
1259 return rc;
1260 }
1261 #else
1262 static int selinux_proc_get_sid(struct dentry *dentry,
1263 u16 tclass,
1264 u32 *sid)
1265 {
1266 return -EINVAL;
1267 }
1268 #endif
1269
1270 /* The inode's security attributes must be initialized before first use. */
1271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1272 {
1273 struct superblock_security_struct *sbsec = NULL;
1274 struct inode_security_struct *isec = inode->i_security;
1275 u32 sid;
1276 struct dentry *dentry;
1277 #define INITCONTEXTLEN 255
1278 char *context = NULL;
1279 unsigned len = 0;
1280 int rc = 0;
1281
1282 if (isec->initialized)
1283 goto out;
1284
1285 mutex_lock(&isec->lock);
1286 if (isec->initialized)
1287 goto out_unlock;
1288
1289 sbsec = inode->i_sb->s_security;
1290 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1291 /* Defer initialization until selinux_complete_init,
1292 after the initial policy is loaded and the security
1293 server is ready to handle calls. */
1294 spin_lock(&sbsec->isec_lock);
1295 if (list_empty(&isec->list))
1296 list_add(&isec->list, &sbsec->isec_head);
1297 spin_unlock(&sbsec->isec_lock);
1298 goto out_unlock;
1299 }
1300
1301 switch (sbsec->behavior) {
1302 case SECURITY_FS_USE_NATIVE:
1303 break;
1304 case SECURITY_FS_USE_XATTR:
1305 if (!inode->i_op->getxattr) {
1306 isec->sid = sbsec->def_sid;
1307 break;
1308 }
1309
1310 /* Need a dentry, since the xattr API requires one.
1311 Life would be simpler if we could just pass the inode. */
1312 if (opt_dentry) {
1313 /* Called from d_instantiate or d_splice_alias. */
1314 dentry = dget(opt_dentry);
1315 } else {
1316 /* Called from selinux_complete_init, try to find a dentry. */
1317 dentry = d_find_alias(inode);
1318 }
1319 if (!dentry) {
1320 /*
1321 * this is can be hit on boot when a file is accessed
1322 * before the policy is loaded. When we load policy we
1323 * may find inodes that have no dentry on the
1324 * sbsec->isec_head list. No reason to complain as these
1325 * will get fixed up the next time we go through
1326 * inode_doinit with a dentry, before these inodes could
1327 * be used again by userspace.
1328 */
1329 goto out_unlock;
1330 }
1331
1332 len = INITCONTEXTLEN;
1333 context = kmalloc(len+1, GFP_NOFS);
1334 if (!context) {
1335 rc = -ENOMEM;
1336 dput(dentry);
1337 goto out_unlock;
1338 }
1339 context[len] = '\0';
1340 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1341 context, len);
1342 if (rc == -ERANGE) {
1343 kfree(context);
1344
1345 /* Need a larger buffer. Query for the right size. */
1346 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1347 NULL, 0);
1348 if (rc < 0) {
1349 dput(dentry);
1350 goto out_unlock;
1351 }
1352 len = rc;
1353 context = kmalloc(len+1, GFP_NOFS);
1354 if (!context) {
1355 rc = -ENOMEM;
1356 dput(dentry);
1357 goto out_unlock;
1358 }
1359 context[len] = '\0';
1360 rc = inode->i_op->getxattr(dentry,
1361 XATTR_NAME_SELINUX,
1362 context, len);
1363 }
1364 dput(dentry);
1365 if (rc < 0) {
1366 if (rc != -ENODATA) {
1367 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1368 "%d for dev=%s ino=%ld\n", __func__,
1369 -rc, inode->i_sb->s_id, inode->i_ino);
1370 kfree(context);
1371 goto out_unlock;
1372 }
1373 /* Map ENODATA to the default file SID */
1374 sid = sbsec->def_sid;
1375 rc = 0;
1376 } else {
1377 rc = security_context_to_sid_default(context, rc, &sid,
1378 sbsec->def_sid,
1379 GFP_NOFS);
1380 if (rc) {
1381 char *dev = inode->i_sb->s_id;
1382 unsigned long ino = inode->i_ino;
1383
1384 if (rc == -EINVAL) {
1385 if (printk_ratelimit())
1386 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1387 "context=%s. This indicates you may need to relabel the inode or the "
1388 "filesystem in question.\n", ino, dev, context);
1389 } else {
1390 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1391 "returned %d for dev=%s ino=%ld\n",
1392 __func__, context, -rc, dev, ino);
1393 }
1394 kfree(context);
1395 /* Leave with the unlabeled SID */
1396 rc = 0;
1397 break;
1398 }
1399 }
1400 kfree(context);
1401 isec->sid = sid;
1402 break;
1403 case SECURITY_FS_USE_TASK:
1404 isec->sid = isec->task_sid;
1405 break;
1406 case SECURITY_FS_USE_TRANS:
1407 /* Default to the fs SID. */
1408 isec->sid = sbsec->sid;
1409
1410 /* Try to obtain a transition SID. */
1411 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1412 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1413 isec->sclass, NULL, &sid);
1414 if (rc)
1415 goto out_unlock;
1416 isec->sid = sid;
1417 break;
1418 case SECURITY_FS_USE_MNTPOINT:
1419 isec->sid = sbsec->mntpoint_sid;
1420 break;
1421 default:
1422 /* Default to the fs superblock SID. */
1423 isec->sid = sbsec->sid;
1424
1425 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1426 /* We must have a dentry to determine the label on
1427 * procfs inodes */
1428 if (opt_dentry)
1429 /* Called from d_instantiate or
1430 * d_splice_alias. */
1431 dentry = dget(opt_dentry);
1432 else
1433 /* Called from selinux_complete_init, try to
1434 * find a dentry. */
1435 dentry = d_find_alias(inode);
1436 /*
1437 * This can be hit on boot when a file is accessed
1438 * before the policy is loaded. When we load policy we
1439 * may find inodes that have no dentry on the
1440 * sbsec->isec_head list. No reason to complain as
1441 * these will get fixed up the next time we go through
1442 * inode_doinit() with a dentry, before these inodes
1443 * could be used again by userspace.
1444 */
1445 if (!dentry)
1446 goto out_unlock;
1447 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1448 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1449 dput(dentry);
1450 if (rc)
1451 goto out_unlock;
1452 isec->sid = sid;
1453 }
1454 break;
1455 }
1456
1457 isec->initialized = 1;
1458
1459 out_unlock:
1460 mutex_unlock(&isec->lock);
1461 out:
1462 if (isec->sclass == SECCLASS_FILE)
1463 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1464 return rc;
1465 }
1466
1467 /* Convert a Linux signal to an access vector. */
1468 static inline u32 signal_to_av(int sig)
1469 {
1470 u32 perm = 0;
1471
1472 switch (sig) {
1473 case SIGCHLD:
1474 /* Commonly granted from child to parent. */
1475 perm = PROCESS__SIGCHLD;
1476 break;
1477 case SIGKILL:
1478 /* Cannot be caught or ignored */
1479 perm = PROCESS__SIGKILL;
1480 break;
1481 case SIGSTOP:
1482 /* Cannot be caught or ignored */
1483 perm = PROCESS__SIGSTOP;
1484 break;
1485 default:
1486 /* All other signals. */
1487 perm = PROCESS__SIGNAL;
1488 break;
1489 }
1490
1491 return perm;
1492 }
1493
1494 /*
1495 * Check permission between a pair of credentials
1496 * fork check, ptrace check, etc.
1497 */
1498 static int cred_has_perm(const struct cred *actor,
1499 const struct cred *target,
1500 u32 perms)
1501 {
1502 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1503
1504 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1505 }
1506
1507 /*
1508 * Check permission between a pair of tasks, e.g. signal checks,
1509 * fork check, ptrace check, etc.
1510 * tsk1 is the actor and tsk2 is the target
1511 * - this uses the default subjective creds of tsk1
1512 */
1513 static int task_has_perm(const struct task_struct *tsk1,
1514 const struct task_struct *tsk2,
1515 u32 perms)
1516 {
1517 const struct task_security_struct *__tsec1, *__tsec2;
1518 u32 sid1, sid2;
1519
1520 rcu_read_lock();
1521 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1522 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1523 rcu_read_unlock();
1524 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1525 }
1526
1527 /*
1528 * Check permission between current and another task, e.g. signal checks,
1529 * fork check, ptrace check, etc.
1530 * current is the actor and tsk2 is the target
1531 * - this uses current's subjective creds
1532 */
1533 static int current_has_perm(const struct task_struct *tsk,
1534 u32 perms)
1535 {
1536 u32 sid, tsid;
1537
1538 sid = current_sid();
1539 tsid = task_sid(tsk);
1540 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1541 }
1542
1543 #if CAP_LAST_CAP > 63
1544 #error Fix SELinux to handle capabilities > 63.
1545 #endif
1546
1547 /* Check whether a task is allowed to use a capability. */
1548 static int cred_has_capability(const struct cred *cred,
1549 int cap, int audit)
1550 {
1551 struct common_audit_data ad;
1552 struct av_decision avd;
1553 u16 sclass;
1554 u32 sid = cred_sid(cred);
1555 u32 av = CAP_TO_MASK(cap);
1556 int rc;
1557
1558 ad.type = LSM_AUDIT_DATA_CAP;
1559 ad.u.cap = cap;
1560
1561 switch (CAP_TO_INDEX(cap)) {
1562 case 0:
1563 sclass = SECCLASS_CAPABILITY;
1564 break;
1565 case 1:
1566 sclass = SECCLASS_CAPABILITY2;
1567 break;
1568 default:
1569 printk(KERN_ERR
1570 "SELinux: out of range capability %d\n", cap);
1571 BUG();
1572 return -EINVAL;
1573 }
1574
1575 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1576 if (audit == SECURITY_CAP_AUDIT) {
1577 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1578 if (rc2)
1579 return rc2;
1580 }
1581 return rc;
1582 }
1583
1584 /* Check whether a task is allowed to use a system operation. */
1585 static int task_has_system(struct task_struct *tsk,
1586 u32 perms)
1587 {
1588 u32 sid = task_sid(tsk);
1589
1590 return avc_has_perm(sid, SECINITSID_KERNEL,
1591 SECCLASS_SYSTEM, perms, NULL);
1592 }
1593
1594 /* Check whether a task has a particular permission to an inode.
1595 The 'adp' parameter is optional and allows other audit
1596 data to be passed (e.g. the dentry). */
1597 static int inode_has_perm(const struct cred *cred,
1598 struct inode *inode,
1599 u32 perms,
1600 struct common_audit_data *adp)
1601 {
1602 struct inode_security_struct *isec;
1603 u32 sid;
1604
1605 validate_creds(cred);
1606
1607 if (unlikely(IS_PRIVATE(inode)))
1608 return 0;
1609
1610 sid = cred_sid(cred);
1611 isec = inode->i_security;
1612
1613 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1614 }
1615
1616 /* Same as inode_has_perm, but pass explicit audit data containing
1617 the dentry to help the auditing code to more easily generate the
1618 pathname if needed. */
1619 static inline int dentry_has_perm(const struct cred *cred,
1620 struct dentry *dentry,
1621 u32 av)
1622 {
1623 struct inode *inode = dentry->d_inode;
1624 struct common_audit_data ad;
1625
1626 ad.type = LSM_AUDIT_DATA_DENTRY;
1627 ad.u.dentry = dentry;
1628 return inode_has_perm(cred, inode, av, &ad);
1629 }
1630
1631 /* Same as inode_has_perm, but pass explicit audit data containing
1632 the path to help the auditing code to more easily generate the
1633 pathname if needed. */
1634 static inline int path_has_perm(const struct cred *cred,
1635 struct path *path,
1636 u32 av)
1637 {
1638 struct inode *inode = path->dentry->d_inode;
1639 struct common_audit_data ad;
1640
1641 ad.type = LSM_AUDIT_DATA_PATH;
1642 ad.u.path = *path;
1643 return inode_has_perm(cred, inode, av, &ad);
1644 }
1645
1646 /* Same as path_has_perm, but uses the inode from the file struct. */
1647 static inline int file_path_has_perm(const struct cred *cred,
1648 struct file *file,
1649 u32 av)
1650 {
1651 struct common_audit_data ad;
1652
1653 ad.type = LSM_AUDIT_DATA_PATH;
1654 ad.u.path = file->f_path;
1655 return inode_has_perm(cred, file_inode(file), av, &ad);
1656 }
1657
1658 /* Check whether a task can use an open file descriptor to
1659 access an inode in a given way. Check access to the
1660 descriptor itself, and then use dentry_has_perm to
1661 check a particular permission to the file.
1662 Access to the descriptor is implicitly granted if it
1663 has the same SID as the process. If av is zero, then
1664 access to the file is not checked, e.g. for cases
1665 where only the descriptor is affected like seek. */
1666 static int file_has_perm(const struct cred *cred,
1667 struct file *file,
1668 u32 av)
1669 {
1670 struct file_security_struct *fsec = file->f_security;
1671 struct inode *inode = file_inode(file);
1672 struct common_audit_data ad;
1673 u32 sid = cred_sid(cred);
1674 int rc;
1675
1676 ad.type = LSM_AUDIT_DATA_PATH;
1677 ad.u.path = file->f_path;
1678
1679 if (sid != fsec->sid) {
1680 rc = avc_has_perm(sid, fsec->sid,
1681 SECCLASS_FD,
1682 FD__USE,
1683 &ad);
1684 if (rc)
1685 goto out;
1686 }
1687
1688 /* av is zero if only checking access to the descriptor. */
1689 rc = 0;
1690 if (av)
1691 rc = inode_has_perm(cred, inode, av, &ad);
1692
1693 out:
1694 return rc;
1695 }
1696
1697 /* Check whether a task can create a file. */
1698 static int may_create(struct inode *dir,
1699 struct dentry *dentry,
1700 u16 tclass)
1701 {
1702 const struct task_security_struct *tsec = current_security();
1703 struct inode_security_struct *dsec;
1704 struct superblock_security_struct *sbsec;
1705 u32 sid, newsid;
1706 struct common_audit_data ad;
1707 int rc;
1708
1709 dsec = dir->i_security;
1710 sbsec = dir->i_sb->s_security;
1711
1712 sid = tsec->sid;
1713 newsid = tsec->create_sid;
1714
1715 ad.type = LSM_AUDIT_DATA_DENTRY;
1716 ad.u.dentry = dentry;
1717
1718 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1719 DIR__ADD_NAME | DIR__SEARCH,
1720 &ad);
1721 if (rc)
1722 return rc;
1723
1724 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1725 rc = security_transition_sid(sid, dsec->sid, tclass,
1726 &dentry->d_name, &newsid);
1727 if (rc)
1728 return rc;
1729 }
1730
1731 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1732 if (rc)
1733 return rc;
1734
1735 return avc_has_perm(newsid, sbsec->sid,
1736 SECCLASS_FILESYSTEM,
1737 FILESYSTEM__ASSOCIATE, &ad);
1738 }
1739
1740 /* Check whether a task can create a key. */
1741 static int may_create_key(u32 ksid,
1742 struct task_struct *ctx)
1743 {
1744 u32 sid = task_sid(ctx);
1745
1746 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1747 }
1748
1749 #define MAY_LINK 0
1750 #define MAY_UNLINK 1
1751 #define MAY_RMDIR 2
1752
1753 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1754 static int may_link(struct inode *dir,
1755 struct dentry *dentry,
1756 int kind)
1757
1758 {
1759 struct inode_security_struct *dsec, *isec;
1760 struct common_audit_data ad;
1761 u32 sid = current_sid();
1762 u32 av;
1763 int rc;
1764
1765 dsec = dir->i_security;
1766 isec = dentry->d_inode->i_security;
1767
1768 ad.type = LSM_AUDIT_DATA_DENTRY;
1769 ad.u.dentry = dentry;
1770
1771 av = DIR__SEARCH;
1772 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1773 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1774 if (rc)
1775 return rc;
1776
1777 switch (kind) {
1778 case MAY_LINK:
1779 av = FILE__LINK;
1780 break;
1781 case MAY_UNLINK:
1782 av = FILE__UNLINK;
1783 break;
1784 case MAY_RMDIR:
1785 av = DIR__RMDIR;
1786 break;
1787 default:
1788 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1789 __func__, kind);
1790 return 0;
1791 }
1792
1793 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1794 return rc;
1795 }
1796
1797 static inline int may_rename(struct inode *old_dir,
1798 struct dentry *old_dentry,
1799 struct inode *new_dir,
1800 struct dentry *new_dentry)
1801 {
1802 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1803 struct common_audit_data ad;
1804 u32 sid = current_sid();
1805 u32 av;
1806 int old_is_dir, new_is_dir;
1807 int rc;
1808
1809 old_dsec = old_dir->i_security;
1810 old_isec = old_dentry->d_inode->i_security;
1811 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1812 new_dsec = new_dir->i_security;
1813
1814 ad.type = LSM_AUDIT_DATA_DENTRY;
1815
1816 ad.u.dentry = old_dentry;
1817 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1818 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1819 if (rc)
1820 return rc;
1821 rc = avc_has_perm(sid, old_isec->sid,
1822 old_isec->sclass, FILE__RENAME, &ad);
1823 if (rc)
1824 return rc;
1825 if (old_is_dir && new_dir != old_dir) {
1826 rc = avc_has_perm(sid, old_isec->sid,
1827 old_isec->sclass, DIR__REPARENT, &ad);
1828 if (rc)
1829 return rc;
1830 }
1831
1832 ad.u.dentry = new_dentry;
1833 av = DIR__ADD_NAME | DIR__SEARCH;
1834 if (new_dentry->d_inode)
1835 av |= DIR__REMOVE_NAME;
1836 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1837 if (rc)
1838 return rc;
1839 if (new_dentry->d_inode) {
1840 new_isec = new_dentry->d_inode->i_security;
1841 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1842 rc = avc_has_perm(sid, new_isec->sid,
1843 new_isec->sclass,
1844 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1845 if (rc)
1846 return rc;
1847 }
1848
1849 return 0;
1850 }
1851
1852 /* Check whether a task can perform a filesystem operation. */
1853 static int superblock_has_perm(const struct cred *cred,
1854 struct super_block *sb,
1855 u32 perms,
1856 struct common_audit_data *ad)
1857 {
1858 struct superblock_security_struct *sbsec;
1859 u32 sid = cred_sid(cred);
1860
1861 sbsec = sb->s_security;
1862 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1863 }
1864
1865 /* Convert a Linux mode and permission mask to an access vector. */
1866 static inline u32 file_mask_to_av(int mode, int mask)
1867 {
1868 u32 av = 0;
1869
1870 if (!S_ISDIR(mode)) {
1871 if (mask & MAY_EXEC)
1872 av |= FILE__EXECUTE;
1873 if (mask & MAY_READ)
1874 av |= FILE__READ;
1875
1876 if (mask & MAY_APPEND)
1877 av |= FILE__APPEND;
1878 else if (mask & MAY_WRITE)
1879 av |= FILE__WRITE;
1880
1881 } else {
1882 if (mask & MAY_EXEC)
1883 av |= DIR__SEARCH;
1884 if (mask & MAY_WRITE)
1885 av |= DIR__WRITE;
1886 if (mask & MAY_READ)
1887 av |= DIR__READ;
1888 }
1889
1890 return av;
1891 }
1892
1893 /* Convert a Linux file to an access vector. */
1894 static inline u32 file_to_av(struct file *file)
1895 {
1896 u32 av = 0;
1897
1898 if (file->f_mode & FMODE_READ)
1899 av |= FILE__READ;
1900 if (file->f_mode & FMODE_WRITE) {
1901 if (file->f_flags & O_APPEND)
1902 av |= FILE__APPEND;
1903 else
1904 av |= FILE__WRITE;
1905 }
1906 if (!av) {
1907 /*
1908 * Special file opened with flags 3 for ioctl-only use.
1909 */
1910 av = FILE__IOCTL;
1911 }
1912
1913 return av;
1914 }
1915
1916 /*
1917 * Convert a file to an access vector and include the correct open
1918 * open permission.
1919 */
1920 static inline u32 open_file_to_av(struct file *file)
1921 {
1922 u32 av = file_to_av(file);
1923
1924 if (selinux_policycap_openperm)
1925 av |= FILE__OPEN;
1926
1927 return av;
1928 }
1929
1930 /* Hook functions begin here. */
1931
1932 static int selinux_ptrace_access_check(struct task_struct *child,
1933 unsigned int mode)
1934 {
1935 int rc;
1936
1937 rc = cap_ptrace_access_check(child, mode);
1938 if (rc)
1939 return rc;
1940
1941 if (mode & PTRACE_MODE_READ) {
1942 u32 sid = current_sid();
1943 u32 csid = task_sid(child);
1944 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1945 }
1946
1947 return current_has_perm(child, PROCESS__PTRACE);
1948 }
1949
1950 static int selinux_ptrace_traceme(struct task_struct *parent)
1951 {
1952 int rc;
1953
1954 rc = cap_ptrace_traceme(parent);
1955 if (rc)
1956 return rc;
1957
1958 return task_has_perm(parent, current, PROCESS__PTRACE);
1959 }
1960
1961 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1962 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1963 {
1964 int error;
1965
1966 error = current_has_perm(target, PROCESS__GETCAP);
1967 if (error)
1968 return error;
1969
1970 return cap_capget(target, effective, inheritable, permitted);
1971 }
1972
1973 static int selinux_capset(struct cred *new, const struct cred *old,
1974 const kernel_cap_t *effective,
1975 const kernel_cap_t *inheritable,
1976 const kernel_cap_t *permitted)
1977 {
1978 int error;
1979
1980 error = cap_capset(new, old,
1981 effective, inheritable, permitted);
1982 if (error)
1983 return error;
1984
1985 return cred_has_perm(old, new, PROCESS__SETCAP);
1986 }
1987
1988 /*
1989 * (This comment used to live with the selinux_task_setuid hook,
1990 * which was removed).
1991 *
1992 * Since setuid only affects the current process, and since the SELinux
1993 * controls are not based on the Linux identity attributes, SELinux does not
1994 * need to control this operation. However, SELinux does control the use of
1995 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1996 */
1997
1998 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1999 int cap, int audit)
2000 {
2001 int rc;
2002
2003 rc = cap_capable(cred, ns, cap, audit);
2004 if (rc)
2005 return rc;
2006
2007 return cred_has_capability(cred, cap, audit);
2008 }
2009
2010 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2011 {
2012 const struct cred *cred = current_cred();
2013 int rc = 0;
2014
2015 if (!sb)
2016 return 0;
2017
2018 switch (cmds) {
2019 case Q_SYNC:
2020 case Q_QUOTAON:
2021 case Q_QUOTAOFF:
2022 case Q_SETINFO:
2023 case Q_SETQUOTA:
2024 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2025 break;
2026 case Q_GETFMT:
2027 case Q_GETINFO:
2028 case Q_GETQUOTA:
2029 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2030 break;
2031 default:
2032 rc = 0; /* let the kernel handle invalid cmds */
2033 break;
2034 }
2035 return rc;
2036 }
2037
2038 static int selinux_quota_on(struct dentry *dentry)
2039 {
2040 const struct cred *cred = current_cred();
2041
2042 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2043 }
2044
2045 static int selinux_syslog(int type)
2046 {
2047 int rc;
2048
2049 switch (type) {
2050 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2051 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2052 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2053 break;
2054 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2055 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2056 /* Set level of messages printed to console */
2057 case SYSLOG_ACTION_CONSOLE_LEVEL:
2058 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2059 break;
2060 case SYSLOG_ACTION_CLOSE: /* Close log */
2061 case SYSLOG_ACTION_OPEN: /* Open log */
2062 case SYSLOG_ACTION_READ: /* Read from log */
2063 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2064 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2065 default:
2066 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2067 break;
2068 }
2069 return rc;
2070 }
2071
2072 /*
2073 * Check that a process has enough memory to allocate a new virtual
2074 * mapping. 0 means there is enough memory for the allocation to
2075 * succeed and -ENOMEM implies there is not.
2076 *
2077 * Do not audit the selinux permission check, as this is applied to all
2078 * processes that allocate mappings.
2079 */
2080 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2081 {
2082 int rc, cap_sys_admin = 0;
2083
2084 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2085 SECURITY_CAP_NOAUDIT);
2086 if (rc == 0)
2087 cap_sys_admin = 1;
2088
2089 return __vm_enough_memory(mm, pages, cap_sys_admin);
2090 }
2091
2092 /* binprm security operations */
2093
2094 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2095 const struct task_security_struct *old_tsec,
2096 const struct task_security_struct *new_tsec)
2097 {
2098 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2099 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2100 int rc;
2101
2102 if (!nnp && !nosuid)
2103 return 0; /* neither NNP nor nosuid */
2104
2105 if (new_tsec->sid == old_tsec->sid)
2106 return 0; /* No change in credentials */
2107
2108 /*
2109 * The only transitions we permit under NNP or nosuid
2110 * are transitions to bounded SIDs, i.e. SIDs that are
2111 * guaranteed to only be allowed a subset of the permissions
2112 * of the current SID.
2113 */
2114 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2115 if (rc) {
2116 /*
2117 * On failure, preserve the errno values for NNP vs nosuid.
2118 * NNP: Operation not permitted for caller.
2119 * nosuid: Permission denied to file.
2120 */
2121 if (nnp)
2122 return -EPERM;
2123 else
2124 return -EACCES;
2125 }
2126 return 0;
2127 }
2128
2129 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2130 {
2131 const struct task_security_struct *old_tsec;
2132 struct task_security_struct *new_tsec;
2133 struct inode_security_struct *isec;
2134 struct common_audit_data ad;
2135 struct inode *inode = file_inode(bprm->file);
2136 int rc;
2137
2138 rc = cap_bprm_set_creds(bprm);
2139 if (rc)
2140 return rc;
2141
2142 /* SELinux context only depends on initial program or script and not
2143 * the script interpreter */
2144 if (bprm->cred_prepared)
2145 return 0;
2146
2147 old_tsec = current_security();
2148 new_tsec = bprm->cred->security;
2149 isec = inode->i_security;
2150
2151 /* Default to the current task SID. */
2152 new_tsec->sid = old_tsec->sid;
2153 new_tsec->osid = old_tsec->sid;
2154
2155 /* Reset fs, key, and sock SIDs on execve. */
2156 new_tsec->create_sid = 0;
2157 new_tsec->keycreate_sid = 0;
2158 new_tsec->sockcreate_sid = 0;
2159
2160 if (old_tsec->exec_sid) {
2161 new_tsec->sid = old_tsec->exec_sid;
2162 /* Reset exec SID on execve. */
2163 new_tsec->exec_sid = 0;
2164
2165 /* Fail on NNP or nosuid if not an allowed transition. */
2166 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2167 if (rc)
2168 return rc;
2169 } else {
2170 /* Check for a default transition on this program. */
2171 rc = security_transition_sid(old_tsec->sid, isec->sid,
2172 SECCLASS_PROCESS, NULL,
2173 &new_tsec->sid);
2174 if (rc)
2175 return rc;
2176
2177 /*
2178 * Fallback to old SID on NNP or nosuid if not an allowed
2179 * transition.
2180 */
2181 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2182 if (rc)
2183 new_tsec->sid = old_tsec->sid;
2184 }
2185
2186 ad.type = LSM_AUDIT_DATA_PATH;
2187 ad.u.path = bprm->file->f_path;
2188
2189 if (new_tsec->sid == old_tsec->sid) {
2190 rc = avc_has_perm(old_tsec->sid, isec->sid,
2191 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2192 if (rc)
2193 return rc;
2194 } else {
2195 /* Check permissions for the transition. */
2196 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2197 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2198 if (rc)
2199 return rc;
2200
2201 rc = avc_has_perm(new_tsec->sid, isec->sid,
2202 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2203 if (rc)
2204 return rc;
2205
2206 /* Check for shared state */
2207 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2208 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2209 SECCLASS_PROCESS, PROCESS__SHARE,
2210 NULL);
2211 if (rc)
2212 return -EPERM;
2213 }
2214
2215 /* Make sure that anyone attempting to ptrace over a task that
2216 * changes its SID has the appropriate permit */
2217 if (bprm->unsafe &
2218 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2219 struct task_struct *tracer;
2220 struct task_security_struct *sec;
2221 u32 ptsid = 0;
2222
2223 rcu_read_lock();
2224 tracer = ptrace_parent(current);
2225 if (likely(tracer != NULL)) {
2226 sec = __task_cred(tracer)->security;
2227 ptsid = sec->sid;
2228 }
2229 rcu_read_unlock();
2230
2231 if (ptsid != 0) {
2232 rc = avc_has_perm(ptsid, new_tsec->sid,
2233 SECCLASS_PROCESS,
2234 PROCESS__PTRACE, NULL);
2235 if (rc)
2236 return -EPERM;
2237 }
2238 }
2239
2240 /* Clear any possibly unsafe personality bits on exec: */
2241 bprm->per_clear |= PER_CLEAR_ON_SETID;
2242 }
2243
2244 return 0;
2245 }
2246
2247 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2248 {
2249 const struct task_security_struct *tsec = current_security();
2250 u32 sid, osid;
2251 int atsecure = 0;
2252
2253 sid = tsec->sid;
2254 osid = tsec->osid;
2255
2256 if (osid != sid) {
2257 /* Enable secure mode for SIDs transitions unless
2258 the noatsecure permission is granted between
2259 the two SIDs, i.e. ahp returns 0. */
2260 atsecure = avc_has_perm(osid, sid,
2261 SECCLASS_PROCESS,
2262 PROCESS__NOATSECURE, NULL);
2263 }
2264
2265 return (atsecure || cap_bprm_secureexec(bprm));
2266 }
2267
2268 static int match_file(const void *p, struct file *file, unsigned fd)
2269 {
2270 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2271 }
2272
2273 /* Derived from fs/exec.c:flush_old_files. */
2274 static inline void flush_unauthorized_files(const struct cred *cred,
2275 struct files_struct *files)
2276 {
2277 struct file *file, *devnull = NULL;
2278 struct tty_struct *tty;
2279 int drop_tty = 0;
2280 unsigned n;
2281
2282 tty = get_current_tty();
2283 if (tty) {
2284 spin_lock(&tty_files_lock);
2285 if (!list_empty(&tty->tty_files)) {
2286 struct tty_file_private *file_priv;
2287
2288 /* Revalidate access to controlling tty.
2289 Use file_path_has_perm on the tty path directly
2290 rather than using file_has_perm, as this particular
2291 open file may belong to another process and we are
2292 only interested in the inode-based check here. */
2293 file_priv = list_first_entry(&tty->tty_files,
2294 struct tty_file_private, list);
2295 file = file_priv->file;
2296 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2297 drop_tty = 1;
2298 }
2299 spin_unlock(&tty_files_lock);
2300 tty_kref_put(tty);
2301 }
2302 /* Reset controlling tty. */
2303 if (drop_tty)
2304 no_tty();
2305
2306 /* Revalidate access to inherited open files. */
2307 n = iterate_fd(files, 0, match_file, cred);
2308 if (!n) /* none found? */
2309 return;
2310
2311 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2312 if (IS_ERR(devnull))
2313 devnull = NULL;
2314 /* replace all the matching ones with this */
2315 do {
2316 replace_fd(n - 1, devnull, 0);
2317 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2318 if (devnull)
2319 fput(devnull);
2320 }
2321
2322 /*
2323 * Prepare a process for imminent new credential changes due to exec
2324 */
2325 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2326 {
2327 struct task_security_struct *new_tsec;
2328 struct rlimit *rlim, *initrlim;
2329 int rc, i;
2330
2331 new_tsec = bprm->cred->security;
2332 if (new_tsec->sid == new_tsec->osid)
2333 return;
2334
2335 /* Close files for which the new task SID is not authorized. */
2336 flush_unauthorized_files(bprm->cred, current->files);
2337
2338 /* Always clear parent death signal on SID transitions. */
2339 current->pdeath_signal = 0;
2340
2341 /* Check whether the new SID can inherit resource limits from the old
2342 * SID. If not, reset all soft limits to the lower of the current
2343 * task's hard limit and the init task's soft limit.
2344 *
2345 * Note that the setting of hard limits (even to lower them) can be
2346 * controlled by the setrlimit check. The inclusion of the init task's
2347 * soft limit into the computation is to avoid resetting soft limits
2348 * higher than the default soft limit for cases where the default is
2349 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2350 */
2351 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2352 PROCESS__RLIMITINH, NULL);
2353 if (rc) {
2354 /* protect against do_prlimit() */
2355 task_lock(current);
2356 for (i = 0; i < RLIM_NLIMITS; i++) {
2357 rlim = current->signal->rlim + i;
2358 initrlim = init_task.signal->rlim + i;
2359 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2360 }
2361 task_unlock(current);
2362 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2363 }
2364 }
2365
2366 /*
2367 * Clean up the process immediately after the installation of new credentials
2368 * due to exec
2369 */
2370 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2371 {
2372 const struct task_security_struct *tsec = current_security();
2373 struct itimerval itimer;
2374 u32 osid, sid;
2375 int rc, i;
2376
2377 osid = tsec->osid;
2378 sid = tsec->sid;
2379
2380 if (sid == osid)
2381 return;
2382
2383 /* Check whether the new SID can inherit signal state from the old SID.
2384 * If not, clear itimers to avoid subsequent signal generation and
2385 * flush and unblock signals.
2386 *
2387 * This must occur _after_ the task SID has been updated so that any
2388 * kill done after the flush will be checked against the new SID.
2389 */
2390 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2391 if (rc) {
2392 memset(&itimer, 0, sizeof itimer);
2393 for (i = 0; i < 3; i++)
2394 do_setitimer(i, &itimer, NULL);
2395 spin_lock_irq(&current->sighand->siglock);
2396 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2397 __flush_signals(current);
2398 flush_signal_handlers(current, 1);
2399 sigemptyset(&current->blocked);
2400 }
2401 spin_unlock_irq(&current->sighand->siglock);
2402 }
2403
2404 /* Wake up the parent if it is waiting so that it can recheck
2405 * wait permission to the new task SID. */
2406 read_lock(&tasklist_lock);
2407 __wake_up_parent(current, current->real_parent);
2408 read_unlock(&tasklist_lock);
2409 }
2410
2411 /* superblock security operations */
2412
2413 static int selinux_sb_alloc_security(struct super_block *sb)
2414 {
2415 return superblock_alloc_security(sb);
2416 }
2417
2418 static void selinux_sb_free_security(struct super_block *sb)
2419 {
2420 superblock_free_security(sb);
2421 }
2422
2423 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2424 {
2425 if (plen > olen)
2426 return 0;
2427
2428 return !memcmp(prefix, option, plen);
2429 }
2430
2431 static inline int selinux_option(char *option, int len)
2432 {
2433 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2434 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2435 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2436 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2437 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2438 }
2439
2440 static inline void take_option(char **to, char *from, int *first, int len)
2441 {
2442 if (!*first) {
2443 **to = ',';
2444 *to += 1;
2445 } else
2446 *first = 0;
2447 memcpy(*to, from, len);
2448 *to += len;
2449 }
2450
2451 static inline void take_selinux_option(char **to, char *from, int *first,
2452 int len)
2453 {
2454 int current_size = 0;
2455
2456 if (!*first) {
2457 **to = '|';
2458 *to += 1;
2459 } else
2460 *first = 0;
2461
2462 while (current_size < len) {
2463 if (*from != '"') {
2464 **to = *from;
2465 *to += 1;
2466 }
2467 from += 1;
2468 current_size += 1;
2469 }
2470 }
2471
2472 static int selinux_sb_copy_data(char *orig, char *copy)
2473 {
2474 int fnosec, fsec, rc = 0;
2475 char *in_save, *in_curr, *in_end;
2476 char *sec_curr, *nosec_save, *nosec;
2477 int open_quote = 0;
2478
2479 in_curr = orig;
2480 sec_curr = copy;
2481
2482 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2483 if (!nosec) {
2484 rc = -ENOMEM;
2485 goto out;
2486 }
2487
2488 nosec_save = nosec;
2489 fnosec = fsec = 1;
2490 in_save = in_end = orig;
2491
2492 do {
2493 if (*in_end == '"')
2494 open_quote = !open_quote;
2495 if ((*in_end == ',' && open_quote == 0) ||
2496 *in_end == '\0') {
2497 int len = in_end - in_curr;
2498
2499 if (selinux_option(in_curr, len))
2500 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2501 else
2502 take_option(&nosec, in_curr, &fnosec, len);
2503
2504 in_curr = in_end + 1;
2505 }
2506 } while (*in_end++);
2507
2508 strcpy(in_save, nosec_save);
2509 free_page((unsigned long)nosec_save);
2510 out:
2511 return rc;
2512 }
2513
2514 static int selinux_sb_remount(struct super_block *sb, void *data)
2515 {
2516 int rc, i, *flags;
2517 struct security_mnt_opts opts;
2518 char *secdata, **mount_options;
2519 struct superblock_security_struct *sbsec = sb->s_security;
2520
2521 if (!(sbsec->flags & SE_SBINITIALIZED))
2522 return 0;
2523
2524 if (!data)
2525 return 0;
2526
2527 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2528 return 0;
2529
2530 security_init_mnt_opts(&opts);
2531 secdata = alloc_secdata();
2532 if (!secdata)
2533 return -ENOMEM;
2534 rc = selinux_sb_copy_data(data, secdata);
2535 if (rc)
2536 goto out_free_secdata;
2537
2538 rc = selinux_parse_opts_str(secdata, &opts);
2539 if (rc)
2540 goto out_free_secdata;
2541
2542 mount_options = opts.mnt_opts;
2543 flags = opts.mnt_opts_flags;
2544
2545 for (i = 0; i < opts.num_mnt_opts; i++) {
2546 u32 sid;
2547 size_t len;
2548
2549 if (flags[i] == SBLABEL_MNT)
2550 continue;
2551 len = strlen(mount_options[i]);
2552 rc = security_context_to_sid(mount_options[i], len, &sid,
2553 GFP_KERNEL);
2554 if (rc) {
2555 printk(KERN_WARNING "SELinux: security_context_to_sid"
2556 "(%s) failed for (dev %s, type %s) errno=%d\n",
2557 mount_options[i], sb->s_id, sb->s_type->name, rc);
2558 goto out_free_opts;
2559 }
2560 rc = -EINVAL;
2561 switch (flags[i]) {
2562 case FSCONTEXT_MNT:
2563 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2564 goto out_bad_option;
2565 break;
2566 case CONTEXT_MNT:
2567 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2568 goto out_bad_option;
2569 break;
2570 case ROOTCONTEXT_MNT: {
2571 struct inode_security_struct *root_isec;
2572 root_isec = sb->s_root->d_inode->i_security;
2573
2574 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2575 goto out_bad_option;
2576 break;
2577 }
2578 case DEFCONTEXT_MNT:
2579 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2580 goto out_bad_option;
2581 break;
2582 default:
2583 goto out_free_opts;
2584 }
2585 }
2586
2587 rc = 0;
2588 out_free_opts:
2589 security_free_mnt_opts(&opts);
2590 out_free_secdata:
2591 free_secdata(secdata);
2592 return rc;
2593 out_bad_option:
2594 printk(KERN_WARNING "SELinux: unable to change security options "
2595 "during remount (dev %s, type=%s)\n", sb->s_id,
2596 sb->s_type->name);
2597 goto out_free_opts;
2598 }
2599
2600 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2601 {
2602 const struct cred *cred = current_cred();
2603 struct common_audit_data ad;
2604 int rc;
2605
2606 rc = superblock_doinit(sb, data);
2607 if (rc)
2608 return rc;
2609
2610 /* Allow all mounts performed by the kernel */
2611 if (flags & MS_KERNMOUNT)
2612 return 0;
2613
2614 ad.type = LSM_AUDIT_DATA_DENTRY;
2615 ad.u.dentry = sb->s_root;
2616 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2617 }
2618
2619 static int selinux_sb_statfs(struct dentry *dentry)
2620 {
2621 const struct cred *cred = current_cred();
2622 struct common_audit_data ad;
2623
2624 ad.type = LSM_AUDIT_DATA_DENTRY;
2625 ad.u.dentry = dentry->d_sb->s_root;
2626 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2627 }
2628
2629 static int selinux_mount(const char *dev_name,
2630 struct path *path,
2631 const char *type,
2632 unsigned long flags,
2633 void *data)
2634 {
2635 const struct cred *cred = current_cred();
2636
2637 if (flags & MS_REMOUNT)
2638 return superblock_has_perm(cred, path->dentry->d_sb,
2639 FILESYSTEM__REMOUNT, NULL);
2640 else
2641 return path_has_perm(cred, path, FILE__MOUNTON);
2642 }
2643
2644 static int selinux_umount(struct vfsmount *mnt, int flags)
2645 {
2646 const struct cred *cred = current_cred();
2647
2648 return superblock_has_perm(cred, mnt->mnt_sb,
2649 FILESYSTEM__UNMOUNT, NULL);
2650 }
2651
2652 /* inode security operations */
2653
2654 static int selinux_inode_alloc_security(struct inode *inode)
2655 {
2656 return inode_alloc_security(inode);
2657 }
2658
2659 static void selinux_inode_free_security(struct inode *inode)
2660 {
2661 inode_free_security(inode);
2662 }
2663
2664 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2665 struct qstr *name, void **ctx,
2666 u32 *ctxlen)
2667 {
2668 const struct cred *cred = current_cred();
2669 struct task_security_struct *tsec;
2670 struct inode_security_struct *dsec;
2671 struct superblock_security_struct *sbsec;
2672 struct inode *dir = dentry->d_parent->d_inode;
2673 u32 newsid;
2674 int rc;
2675
2676 tsec = cred->security;
2677 dsec = dir->i_security;
2678 sbsec = dir->i_sb->s_security;
2679
2680 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2681 newsid = tsec->create_sid;
2682 } else {
2683 rc = security_transition_sid(tsec->sid, dsec->sid,
2684 inode_mode_to_security_class(mode),
2685 name,
2686 &newsid);
2687 if (rc) {
2688 printk(KERN_WARNING
2689 "%s: security_transition_sid failed, rc=%d\n",
2690 __func__, -rc);
2691 return rc;
2692 }
2693 }
2694
2695 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2696 }
2697
2698 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2699 const struct qstr *qstr,
2700 const char **name,
2701 void **value, size_t *len)
2702 {
2703 const struct task_security_struct *tsec = current_security();
2704 struct inode_security_struct *dsec;
2705 struct superblock_security_struct *sbsec;
2706 u32 sid, newsid, clen;
2707 int rc;
2708 char *context;
2709
2710 dsec = dir->i_security;
2711 sbsec = dir->i_sb->s_security;
2712
2713 sid = tsec->sid;
2714 newsid = tsec->create_sid;
2715
2716 if ((sbsec->flags & SE_SBINITIALIZED) &&
2717 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2718 newsid = sbsec->mntpoint_sid;
2719 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2720 rc = security_transition_sid(sid, dsec->sid,
2721 inode_mode_to_security_class(inode->i_mode),
2722 qstr, &newsid);
2723 if (rc) {
2724 printk(KERN_WARNING "%s: "
2725 "security_transition_sid failed, rc=%d (dev=%s "
2726 "ino=%ld)\n",
2727 __func__,
2728 -rc, inode->i_sb->s_id, inode->i_ino);
2729 return rc;
2730 }
2731 }
2732
2733 /* Possibly defer initialization to selinux_complete_init. */
2734 if (sbsec->flags & SE_SBINITIALIZED) {
2735 struct inode_security_struct *isec = inode->i_security;
2736 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2737 isec->sid = newsid;
2738 isec->initialized = 1;
2739 }
2740
2741 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2742 return -EOPNOTSUPP;
2743
2744 if (name)
2745 *name = XATTR_SELINUX_SUFFIX;
2746
2747 if (value && len) {
2748 rc = security_sid_to_context_force(newsid, &context, &clen);
2749 if (rc)
2750 return rc;
2751 *value = context;
2752 *len = clen;
2753 }
2754
2755 return 0;
2756 }
2757
2758 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2759 {
2760 return may_create(dir, dentry, SECCLASS_FILE);
2761 }
2762
2763 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2764 {
2765 return may_link(dir, old_dentry, MAY_LINK);
2766 }
2767
2768 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2769 {
2770 return may_link(dir, dentry, MAY_UNLINK);
2771 }
2772
2773 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2774 {
2775 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2776 }
2777
2778 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2779 {
2780 return may_create(dir, dentry, SECCLASS_DIR);
2781 }
2782
2783 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2784 {
2785 return may_link(dir, dentry, MAY_RMDIR);
2786 }
2787
2788 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2789 {
2790 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2791 }
2792
2793 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2794 struct inode *new_inode, struct dentry *new_dentry)
2795 {
2796 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2797 }
2798
2799 static int selinux_inode_readlink(struct dentry *dentry)
2800 {
2801 const struct cred *cred = current_cred();
2802
2803 return dentry_has_perm(cred, dentry, FILE__READ);
2804 }
2805
2806 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2807 {
2808 const struct cred *cred = current_cred();
2809
2810 return dentry_has_perm(cred, dentry, FILE__READ);
2811 }
2812
2813 static noinline int audit_inode_permission(struct inode *inode,
2814 u32 perms, u32 audited, u32 denied,
2815 int result,
2816 unsigned flags)
2817 {
2818 struct common_audit_data ad;
2819 struct inode_security_struct *isec = inode->i_security;
2820 int rc;
2821
2822 ad.type = LSM_AUDIT_DATA_INODE;
2823 ad.u.inode = inode;
2824
2825 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2826 audited, denied, result, &ad, flags);
2827 if (rc)
2828 return rc;
2829 return 0;
2830 }
2831
2832 static int selinux_inode_permission(struct inode *inode, int mask)
2833 {
2834 const struct cred *cred = current_cred();
2835 u32 perms;
2836 bool from_access;
2837 unsigned flags = mask & MAY_NOT_BLOCK;
2838 struct inode_security_struct *isec;
2839 u32 sid;
2840 struct av_decision avd;
2841 int rc, rc2;
2842 u32 audited, denied;
2843
2844 from_access = mask & MAY_ACCESS;
2845 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2846
2847 /* No permission to check. Existence test. */
2848 if (!mask)
2849 return 0;
2850
2851 validate_creds(cred);
2852
2853 if (unlikely(IS_PRIVATE(inode)))
2854 return 0;
2855
2856 perms = file_mask_to_av(inode->i_mode, mask);
2857
2858 sid = cred_sid(cred);
2859 isec = inode->i_security;
2860
2861 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2862 audited = avc_audit_required(perms, &avd, rc,
2863 from_access ? FILE__AUDIT_ACCESS : 0,
2864 &denied);
2865 if (likely(!audited))
2866 return rc;
2867
2868 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2869 if (rc2)
2870 return rc2;
2871 return rc;
2872 }
2873
2874 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2875 {
2876 const struct cred *cred = current_cred();
2877 unsigned int ia_valid = iattr->ia_valid;
2878 __u32 av = FILE__WRITE;
2879
2880 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2881 if (ia_valid & ATTR_FORCE) {
2882 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2883 ATTR_FORCE);
2884 if (!ia_valid)
2885 return 0;
2886 }
2887
2888 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2889 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2890 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2891
2892 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2893 av |= FILE__OPEN;
2894
2895 return dentry_has_perm(cred, dentry, av);
2896 }
2897
2898 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2899 {
2900 const struct cred *cred = current_cred();
2901 struct path path;
2902
2903 path.dentry = dentry;
2904 path.mnt = mnt;
2905
2906 return path_has_perm(cred, &path, FILE__GETATTR);
2907 }
2908
2909 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2910 {
2911 const struct cred *cred = current_cred();
2912
2913 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2914 sizeof XATTR_SECURITY_PREFIX - 1)) {
2915 if (!strcmp(name, XATTR_NAME_CAPS)) {
2916 if (!capable(CAP_SETFCAP))
2917 return -EPERM;
2918 } else if (!capable(CAP_SYS_ADMIN)) {
2919 /* A different attribute in the security namespace.
2920 Restrict to administrator. */
2921 return -EPERM;
2922 }
2923 }
2924
2925 /* Not an attribute we recognize, so just check the
2926 ordinary setattr permission. */
2927 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2928 }
2929
2930 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2931 const void *value, size_t size, int flags)
2932 {
2933 struct inode *inode = dentry->d_inode;
2934 struct inode_security_struct *isec = inode->i_security;
2935 struct superblock_security_struct *sbsec;
2936 struct common_audit_data ad;
2937 u32 newsid, sid = current_sid();
2938 int rc = 0;
2939
2940 if (strcmp(name, XATTR_NAME_SELINUX))
2941 return selinux_inode_setotherxattr(dentry, name);
2942
2943 sbsec = inode->i_sb->s_security;
2944 if (!(sbsec->flags & SBLABEL_MNT))
2945 return -EOPNOTSUPP;
2946
2947 if (!inode_owner_or_capable(inode))
2948 return -EPERM;
2949
2950 ad.type = LSM_AUDIT_DATA_DENTRY;
2951 ad.u.dentry = dentry;
2952
2953 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2954 FILE__RELABELFROM, &ad);
2955 if (rc)
2956 return rc;
2957
2958 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
2959 if (rc == -EINVAL) {
2960 if (!capable(CAP_MAC_ADMIN)) {
2961 struct audit_buffer *ab;
2962 size_t audit_size;
2963 const char *str;
2964
2965 /* We strip a nul only if it is at the end, otherwise the
2966 * context contains a nul and we should audit that */
2967 if (value) {
2968 str = value;
2969 if (str[size - 1] == '\0')
2970 audit_size = size - 1;
2971 else
2972 audit_size = size;
2973 } else {
2974 str = "";
2975 audit_size = 0;
2976 }
2977 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2978 audit_log_format(ab, "op=setxattr invalid_context=");
2979 audit_log_n_untrustedstring(ab, value, audit_size);
2980 audit_log_end(ab);
2981
2982 return rc;
2983 }
2984 rc = security_context_to_sid_force(value, size, &newsid);
2985 }
2986 if (rc)
2987 return rc;
2988
2989 rc = avc_has_perm(sid, newsid, isec->sclass,
2990 FILE__RELABELTO, &ad);
2991 if (rc)
2992 return rc;
2993
2994 rc = security_validate_transition(isec->sid, newsid, sid,
2995 isec->sclass);
2996 if (rc)
2997 return rc;
2998
2999 return avc_has_perm(newsid,
3000 sbsec->sid,
3001 SECCLASS_FILESYSTEM,
3002 FILESYSTEM__ASSOCIATE,
3003 &ad);
3004 }
3005
3006 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3007 const void *value, size_t size,
3008 int flags)
3009 {
3010 struct inode *inode = dentry->d_inode;
3011 struct inode_security_struct *isec = inode->i_security;
3012 u32 newsid;
3013 int rc;
3014
3015 if (strcmp(name, XATTR_NAME_SELINUX)) {
3016 /* Not an attribute we recognize, so nothing to do. */
3017 return;
3018 }
3019
3020 rc = security_context_to_sid_force(value, size, &newsid);
3021 if (rc) {
3022 printk(KERN_ERR "SELinux: unable to map context to SID"
3023 "for (%s, %lu), rc=%d\n",
3024 inode->i_sb->s_id, inode->i_ino, -rc);
3025 return;
3026 }
3027
3028 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3029 isec->sid = newsid;
3030 isec->initialized = 1;
3031
3032 return;
3033 }
3034
3035 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3036 {
3037 const struct cred *cred = current_cred();
3038
3039 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3040 }
3041
3042 static int selinux_inode_listxattr(struct dentry *dentry)
3043 {
3044 const struct cred *cred = current_cred();
3045
3046 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3047 }
3048
3049 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3050 {
3051 if (strcmp(name, XATTR_NAME_SELINUX))
3052 return selinux_inode_setotherxattr(dentry, name);
3053
3054 /* No one is allowed to remove a SELinux security label.
3055 You can change the label, but all data must be labeled. */
3056 return -EACCES;
3057 }
3058
3059 /*
3060 * Copy the inode security context value to the user.
3061 *
3062 * Permission check is handled by selinux_inode_getxattr hook.
3063 */
3064 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3065 {
3066 u32 size;
3067 int error;
3068 char *context = NULL;
3069 struct inode_security_struct *isec = inode->i_security;
3070
3071 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3072 return -EOPNOTSUPP;
3073
3074 /*
3075 * If the caller has CAP_MAC_ADMIN, then get the raw context
3076 * value even if it is not defined by current policy; otherwise,
3077 * use the in-core value under current policy.
3078 * Use the non-auditing forms of the permission checks since
3079 * getxattr may be called by unprivileged processes commonly
3080 * and lack of permission just means that we fall back to the
3081 * in-core context value, not a denial.
3082 */
3083 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3084 SECURITY_CAP_NOAUDIT);
3085 if (!error)
3086 error = security_sid_to_context_force(isec->sid, &context,
3087 &size);
3088 else
3089 error = security_sid_to_context(isec->sid, &context, &size);
3090 if (error)
3091 return error;
3092 error = size;
3093 if (alloc) {
3094 *buffer = context;
3095 goto out_nofree;
3096 }
3097 kfree(context);
3098 out_nofree:
3099 return error;
3100 }
3101
3102 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3103 const void *value, size_t size, int flags)
3104 {
3105 struct inode_security_struct *isec = inode->i_security;
3106 u32 newsid;
3107 int rc;
3108
3109 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3110 return -EOPNOTSUPP;
3111
3112 if (!value || !size)
3113 return -EACCES;
3114
3115 rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3116 if (rc)
3117 return rc;
3118
3119 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3120 isec->sid = newsid;
3121 isec->initialized = 1;
3122 return 0;
3123 }
3124
3125 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3126 {
3127 const int len = sizeof(XATTR_NAME_SELINUX);
3128 if (buffer && len <= buffer_size)
3129 memcpy(buffer, XATTR_NAME_SELINUX, len);
3130 return len;
3131 }
3132
3133 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3134 {
3135 struct inode_security_struct *isec = inode->i_security;
3136 *secid = isec->sid;
3137 }
3138
3139 /* file security operations */
3140
3141 static int selinux_revalidate_file_permission(struct file *file, int mask)
3142 {
3143 const struct cred *cred = current_cred();
3144 struct inode *inode = file_inode(file);
3145
3146 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3147 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3148 mask |= MAY_APPEND;
3149
3150 return file_has_perm(cred, file,
3151 file_mask_to_av(inode->i_mode, mask));
3152 }
3153
3154 static int selinux_file_permission(struct file *file, int mask)
3155 {
3156 struct inode *inode = file_inode(file);
3157 struct file_security_struct *fsec = file->f_security;
3158 struct inode_security_struct *isec = inode->i_security;
3159 u32 sid = current_sid();
3160
3161 if (!mask)
3162 /* No permission to check. Existence test. */
3163 return 0;
3164
3165 if (sid == fsec->sid && fsec->isid == isec->sid &&
3166 fsec->pseqno == avc_policy_seqno())
3167 /* No change since file_open check. */
3168 return 0;
3169
3170 return selinux_revalidate_file_permission(file, mask);
3171 }
3172
3173 static int selinux_file_alloc_security(struct file *file)
3174 {
3175 return file_alloc_security(file);
3176 }
3177
3178 static void selinux_file_free_security(struct file *file)
3179 {
3180 file_free_security(file);
3181 }
3182
3183 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3184 unsigned long arg)
3185 {
3186 const struct cred *cred = current_cred();
3187 int error = 0;
3188
3189 switch (cmd) {
3190 case FIONREAD:
3191 /* fall through */
3192 case FIBMAP:
3193 /* fall through */
3194 case FIGETBSZ:
3195 /* fall through */
3196 case FS_IOC_GETFLAGS:
3197 /* fall through */
3198 case FS_IOC_GETVERSION:
3199 error = file_has_perm(cred, file, FILE__GETATTR);
3200 break;
3201
3202 case FS_IOC_SETFLAGS:
3203 /* fall through */
3204 case FS_IOC_SETVERSION:
3205 error = file_has_perm(cred, file, FILE__SETATTR);
3206 break;
3207
3208 /* sys_ioctl() checks */
3209 case FIONBIO:
3210 /* fall through */
3211 case FIOASYNC:
3212 error = file_has_perm(cred, file, 0);
3213 break;
3214
3215 case KDSKBENT:
3216 case KDSKBSENT:
3217 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3218 SECURITY_CAP_AUDIT);
3219 break;
3220
3221 /* default case assumes that the command will go
3222 * to the file's ioctl() function.
3223 */
3224 default:
3225 error = file_has_perm(cred, file, FILE__IOCTL);
3226 }
3227 return error;
3228 }
3229
3230 static int default_noexec;
3231
3232 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3233 {
3234 const struct cred *cred = current_cred();
3235 int rc = 0;
3236
3237 if (default_noexec &&
3238 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3239 /*
3240 * We are making executable an anonymous mapping or a
3241 * private file mapping that will also be writable.
3242 * This has an additional check.
3243 */
3244 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3245 if (rc)
3246 goto error;
3247 }
3248
3249 if (file) {
3250 /* read access is always possible with a mapping */
3251 u32 av = FILE__READ;
3252
3253 /* write access only matters if the mapping is shared */
3254 if (shared && (prot & PROT_WRITE))
3255 av |= FILE__WRITE;
3256
3257 if (prot & PROT_EXEC)
3258 av |= FILE__EXECUTE;
3259
3260 return file_has_perm(cred, file, av);
3261 }
3262
3263 error:
3264 return rc;
3265 }
3266
3267 static int selinux_mmap_addr(unsigned long addr)
3268 {
3269 int rc;
3270
3271 /* do DAC check on address space usage */
3272 rc = cap_mmap_addr(addr);
3273 if (rc)
3274 return rc;
3275
3276 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3277 u32 sid = current_sid();
3278 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3279 MEMPROTECT__MMAP_ZERO, NULL);
3280 }
3281
3282 return rc;
3283 }
3284
3285 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3286 unsigned long prot, unsigned long flags)
3287 {
3288 if (selinux_checkreqprot)
3289 prot = reqprot;
3290
3291 return file_map_prot_check(file, prot,
3292 (flags & MAP_TYPE) == MAP_SHARED);
3293 }
3294
3295 static int selinux_file_mprotect(struct vm_area_struct *vma,
3296 unsigned long reqprot,
3297 unsigned long prot)
3298 {
3299 const struct cred *cred = current_cred();
3300
3301 if (selinux_checkreqprot)
3302 prot = reqprot;
3303
3304 if (default_noexec &&
3305 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3306 int rc = 0;
3307 if (vma->vm_start >= vma->vm_mm->start_brk &&
3308 vma->vm_end <= vma->vm_mm->brk) {
3309 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3310 } else if (!vma->vm_file &&
3311 vma->vm_start <= vma->vm_mm->start_stack &&
3312 vma->vm_end >= vma->vm_mm->start_stack) {
3313 rc = current_has_perm(current, PROCESS__EXECSTACK);
3314 } else if (vma->vm_file && vma->anon_vma) {
3315 /*
3316 * We are making executable a file mapping that has
3317 * had some COW done. Since pages might have been
3318 * written, check ability to execute the possibly
3319 * modified content. This typically should only
3320 * occur for text relocations.
3321 */
3322 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3323 }
3324 if (rc)
3325 return rc;
3326 }
3327
3328 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3329 }
3330
3331 static int selinux_file_lock(struct file *file, unsigned int cmd)
3332 {
3333 const struct cred *cred = current_cred();
3334
3335 return file_has_perm(cred, file, FILE__LOCK);
3336 }
3337
3338 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3339 unsigned long arg)
3340 {
3341 const struct cred *cred = current_cred();
3342 int err = 0;
3343
3344 switch (cmd) {
3345 case F_SETFL:
3346 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3347 err = file_has_perm(cred, file, FILE__WRITE);
3348 break;
3349 }
3350 /* fall through */
3351 case F_SETOWN:
3352 case F_SETSIG:
3353 case F_GETFL:
3354 case F_GETOWN:
3355 case F_GETSIG:
3356 case F_GETOWNER_UIDS:
3357 /* Just check FD__USE permission */
3358 err = file_has_perm(cred, file, 0);
3359 break;
3360 case F_GETLK:
3361 case F_SETLK:
3362 case F_SETLKW:
3363 case F_OFD_GETLK:
3364 case F_OFD_SETLK:
3365 case F_OFD_SETLKW:
3366 #if BITS_PER_LONG == 32
3367 case F_GETLK64:
3368 case F_SETLK64:
3369 case F_SETLKW64:
3370 #endif
3371 err = file_has_perm(cred, file, FILE__LOCK);
3372 break;
3373 }
3374
3375 return err;
3376 }
3377
3378 static void selinux_file_set_fowner(struct file *file)
3379 {
3380 struct file_security_struct *fsec;
3381
3382 fsec = file->f_security;
3383 fsec->fown_sid = current_sid();
3384 }
3385
3386 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3387 struct fown_struct *fown, int signum)
3388 {
3389 struct file *file;
3390 u32 sid = task_sid(tsk);
3391 u32 perm;
3392 struct file_security_struct *fsec;
3393
3394 /* struct fown_struct is never outside the context of a struct file */
3395 file = container_of(fown, struct file, f_owner);
3396
3397 fsec = file->f_security;
3398
3399 if (!signum)
3400 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3401 else
3402 perm = signal_to_av(signum);
3403
3404 return avc_has_perm(fsec->fown_sid, sid,
3405 SECCLASS_PROCESS, perm, NULL);
3406 }
3407
3408 static int selinux_file_receive(struct file *file)
3409 {
3410 const struct cred *cred = current_cred();
3411
3412 return file_has_perm(cred, file, file_to_av(file));
3413 }
3414
3415 static int selinux_file_open(struct file *file, const struct cred *cred)
3416 {
3417 struct file_security_struct *fsec;
3418 struct inode_security_struct *isec;
3419
3420 fsec = file->f_security;
3421 isec = file_inode(file)->i_security;
3422 /*
3423 * Save inode label and policy sequence number
3424 * at open-time so that selinux_file_permission
3425 * can determine whether revalidation is necessary.
3426 * Task label is already saved in the file security
3427 * struct as its SID.
3428 */
3429 fsec->isid = isec->sid;
3430 fsec->pseqno = avc_policy_seqno();
3431 /*
3432 * Since the inode label or policy seqno may have changed
3433 * between the selinux_inode_permission check and the saving
3434 * of state above, recheck that access is still permitted.
3435 * Otherwise, access might never be revalidated against the
3436 * new inode label or new policy.
3437 * This check is not redundant - do not remove.
3438 */
3439 return file_path_has_perm(cred, file, open_file_to_av(file));
3440 }
3441
3442 /* task security operations */
3443
3444 static int selinux_task_create(unsigned long clone_flags)
3445 {
3446 return current_has_perm(current, PROCESS__FORK);
3447 }
3448
3449 /*
3450 * allocate the SELinux part of blank credentials
3451 */
3452 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3453 {
3454 struct task_security_struct *tsec;
3455
3456 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3457 if (!tsec)
3458 return -ENOMEM;
3459
3460 cred->security = tsec;
3461 return 0;
3462 }
3463
3464 /*
3465 * detach and free the LSM part of a set of credentials
3466 */
3467 static void selinux_cred_free(struct cred *cred)
3468 {
3469 struct task_security_struct *tsec = cred->security;
3470
3471 /*
3472 * cred->security == NULL if security_cred_alloc_blank() or
3473 * security_prepare_creds() returned an error.
3474 */
3475 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3476 cred->security = (void *) 0x7UL;
3477 kfree(tsec);
3478 }
3479
3480 /*
3481 * prepare a new set of credentials for modification
3482 */
3483 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3484 gfp_t gfp)
3485 {
3486 const struct task_security_struct *old_tsec;
3487 struct task_security_struct *tsec;
3488
3489 old_tsec = old->security;
3490
3491 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3492 if (!tsec)
3493 return -ENOMEM;
3494
3495 new->security = tsec;
3496 return 0;
3497 }
3498
3499 /*
3500 * transfer the SELinux data to a blank set of creds
3501 */
3502 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3503 {
3504 const struct task_security_struct *old_tsec = old->security;
3505 struct task_security_struct *tsec = new->security;
3506
3507 *tsec = *old_tsec;
3508 }
3509
3510 /*
3511 * set the security data for a kernel service
3512 * - all the creation contexts are set to unlabelled
3513 */
3514 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3515 {
3516 struct task_security_struct *tsec = new->security;
3517 u32 sid = current_sid();
3518 int ret;
3519
3520 ret = avc_has_perm(sid, secid,
3521 SECCLASS_KERNEL_SERVICE,
3522 KERNEL_SERVICE__USE_AS_OVERRIDE,
3523 NULL);
3524 if (ret == 0) {
3525 tsec->sid = secid;
3526 tsec->create_sid = 0;
3527 tsec->keycreate_sid = 0;
3528 tsec->sockcreate_sid = 0;
3529 }
3530 return ret;
3531 }
3532
3533 /*
3534 * set the file creation context in a security record to the same as the
3535 * objective context of the specified inode
3536 */
3537 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3538 {
3539 struct inode_security_struct *isec = inode->i_security;
3540 struct task_security_struct *tsec = new->security;
3541 u32 sid = current_sid();
3542 int ret;
3543
3544 ret = avc_has_perm(sid, isec->sid,
3545 SECCLASS_KERNEL_SERVICE,
3546 KERNEL_SERVICE__CREATE_FILES_AS,
3547 NULL);
3548
3549 if (ret == 0)
3550 tsec->create_sid = isec->sid;
3551 return ret;
3552 }
3553
3554 static int selinux_kernel_module_request(char *kmod_name)
3555 {
3556 u32 sid;
3557 struct common_audit_data ad;
3558
3559 sid = task_sid(current);
3560
3561 ad.type = LSM_AUDIT_DATA_KMOD;
3562 ad.u.kmod_name = kmod_name;
3563
3564 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3565 SYSTEM__MODULE_REQUEST, &ad);
3566 }
3567
3568 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3569 {
3570 return current_has_perm(p, PROCESS__SETPGID);
3571 }
3572
3573 static int selinux_task_getpgid(struct task_struct *p)
3574 {
3575 return current_has_perm(p, PROCESS__GETPGID);
3576 }
3577
3578 static int selinux_task_getsid(struct task_struct *p)
3579 {
3580 return current_has_perm(p, PROCESS__GETSESSION);
3581 }
3582
3583 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3584 {
3585 *secid = task_sid(p);
3586 }
3587
3588 static int selinux_task_setnice(struct task_struct *p, int nice)
3589 {
3590 int rc;
3591
3592 rc = cap_task_setnice(p, nice);
3593 if (rc)
3594 return rc;
3595
3596 return current_has_perm(p, PROCESS__SETSCHED);
3597 }
3598
3599 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3600 {
3601 int rc;
3602
3603 rc = cap_task_setioprio(p, ioprio);
3604 if (rc)
3605 return rc;
3606
3607 return current_has_perm(p, PROCESS__SETSCHED);
3608 }
3609
3610 static int selinux_task_getioprio(struct task_struct *p)
3611 {
3612 return current_has_perm(p, PROCESS__GETSCHED);
3613 }
3614
3615 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3616 struct rlimit *new_rlim)
3617 {
3618 struct rlimit *old_rlim = p->signal->rlim + resource;
3619
3620 /* Control the ability to change the hard limit (whether
3621 lowering or raising it), so that the hard limit can
3622 later be used as a safe reset point for the soft limit
3623 upon context transitions. See selinux_bprm_committing_creds. */
3624 if (old_rlim->rlim_max != new_rlim->rlim_max)
3625 return current_has_perm(p, PROCESS__SETRLIMIT);
3626
3627 return 0;
3628 }
3629
3630 static int selinux_task_setscheduler(struct task_struct *p)
3631 {
3632 int rc;
3633
3634 rc = cap_task_setscheduler(p);
3635 if (rc)
3636 return rc;
3637
3638 return current_has_perm(p, PROCESS__SETSCHED);
3639 }
3640
3641 static int selinux_task_getscheduler(struct task_struct *p)
3642 {
3643 return current_has_perm(p, PROCESS__GETSCHED);
3644 }
3645
3646 static int selinux_task_movememory(struct task_struct *p)
3647 {
3648 return current_has_perm(p, PROCESS__SETSCHED);
3649 }
3650
3651 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3652 int sig, u32 secid)
3653 {
3654 u32 perm;
3655 int rc;
3656
3657 if (!sig)
3658 perm = PROCESS__SIGNULL; /* null signal; existence test */
3659 else
3660 perm = signal_to_av(sig);
3661 if (secid)
3662 rc = avc_has_perm(secid, task_sid(p),
3663 SECCLASS_PROCESS, perm, NULL);
3664 else
3665 rc = current_has_perm(p, perm);
3666 return rc;
3667 }
3668
3669 static int selinux_task_wait(struct task_struct *p)
3670 {
3671 return task_has_perm(p, current, PROCESS__SIGCHLD);
3672 }
3673
3674 static void selinux_task_to_inode(struct task_struct *p,
3675 struct inode *inode)
3676 {
3677 struct inode_security_struct *isec = inode->i_security;
3678 u32 sid = task_sid(p);
3679
3680 isec->sid = sid;
3681 isec->initialized = 1;
3682 }
3683
3684 /* Returns error only if unable to parse addresses */
3685 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3686 struct common_audit_data *ad, u8 *proto)
3687 {
3688 int offset, ihlen, ret = -EINVAL;
3689 struct iphdr _iph, *ih;
3690
3691 offset = skb_network_offset(skb);
3692 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3693 if (ih == NULL)
3694 goto out;
3695
3696 ihlen = ih->ihl * 4;
3697 if (ihlen < sizeof(_iph))
3698 goto out;
3699
3700 ad->u.net->v4info.saddr = ih->saddr;
3701 ad->u.net->v4info.daddr = ih->daddr;
3702 ret = 0;
3703
3704 if (proto)
3705 *proto = ih->protocol;
3706
3707 switch (ih->protocol) {
3708 case IPPROTO_TCP: {
3709 struct tcphdr _tcph, *th;
3710
3711 if (ntohs(ih->frag_off) & IP_OFFSET)
3712 break;
3713
3714 offset += ihlen;
3715 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3716 if (th == NULL)
3717 break;
3718
3719 ad->u.net->sport = th->source;
3720 ad->u.net->dport = th->dest;
3721 break;
3722 }
3723
3724 case IPPROTO_UDP: {
3725 struct udphdr _udph, *uh;
3726
3727 if (ntohs(ih->frag_off) & IP_OFFSET)
3728 break;
3729
3730 offset += ihlen;
3731 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3732 if (uh == NULL)
3733 break;
3734
3735 ad->u.net->sport = uh->source;
3736 ad->u.net->dport = uh->dest;
3737 break;
3738 }
3739
3740 case IPPROTO_DCCP: {
3741 struct dccp_hdr _dccph, *dh;
3742
3743 if (ntohs(ih->frag_off) & IP_OFFSET)
3744 break;
3745
3746 offset += ihlen;
3747 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3748 if (dh == NULL)
3749 break;
3750
3751 ad->u.net->sport = dh->dccph_sport;
3752 ad->u.net->dport = dh->dccph_dport;
3753 break;
3754 }
3755
3756 default:
3757 break;
3758 }
3759 out:
3760 return ret;
3761 }
3762
3763 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3764
3765 /* Returns error only if unable to parse addresses */
3766 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3767 struct common_audit_data *ad, u8 *proto)
3768 {
3769 u8 nexthdr;
3770 int ret = -EINVAL, offset;
3771 struct ipv6hdr _ipv6h, *ip6;
3772 __be16 frag_off;
3773
3774 offset = skb_network_offset(skb);
3775 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3776 if (ip6 == NULL)
3777 goto out;
3778
3779 ad->u.net->v6info.saddr = ip6->saddr;
3780 ad->u.net->v6info.daddr = ip6->daddr;
3781 ret = 0;
3782
3783 nexthdr = ip6->nexthdr;
3784 offset += sizeof(_ipv6h);
3785 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3786 if (offset < 0)
3787 goto out;
3788
3789 if (proto)
3790 *proto = nexthdr;
3791
3792 switch (nexthdr) {
3793 case IPPROTO_TCP: {
3794 struct tcphdr _tcph, *th;
3795
3796 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3797 if (th == NULL)
3798 break;
3799
3800 ad->u.net->sport = th->source;
3801 ad->u.net->dport = th->dest;
3802 break;
3803 }
3804
3805 case IPPROTO_UDP: {
3806 struct udphdr _udph, *uh;
3807
3808 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3809 if (uh == NULL)
3810 break;
3811
3812 ad->u.net->sport = uh->source;
3813 ad->u.net->dport = uh->dest;
3814 break;
3815 }
3816
3817 case IPPROTO_DCCP: {
3818 struct dccp_hdr _dccph, *dh;
3819
3820 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3821 if (dh == NULL)
3822 break;
3823
3824 ad->u.net->sport = dh->dccph_sport;
3825 ad->u.net->dport = dh->dccph_dport;
3826 break;
3827 }
3828
3829 /* includes fragments */
3830 default:
3831 break;
3832 }
3833 out:
3834 return ret;
3835 }
3836
3837 #endif /* IPV6 */
3838
3839 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3840 char **_addrp, int src, u8 *proto)
3841 {
3842 char *addrp;
3843 int ret;
3844
3845 switch (ad->u.net->family) {
3846 case PF_INET:
3847 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3848 if (ret)
3849 goto parse_error;
3850 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3851 &ad->u.net->v4info.daddr);
3852 goto okay;
3853
3854 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3855 case PF_INET6:
3856 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3857 if (ret)
3858 goto parse_error;
3859 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3860 &ad->u.net->v6info.daddr);
3861 goto okay;
3862 #endif /* IPV6 */
3863 default:
3864 addrp = NULL;
3865 goto okay;
3866 }
3867
3868 parse_error:
3869 printk(KERN_WARNING
3870 "SELinux: failure in selinux_parse_skb(),"
3871 " unable to parse packet\n");
3872 return ret;
3873
3874 okay:
3875 if (_addrp)
3876 *_addrp = addrp;
3877 return 0;
3878 }
3879
3880 /**
3881 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3882 * @skb: the packet
3883 * @family: protocol family
3884 * @sid: the packet's peer label SID
3885 *
3886 * Description:
3887 * Check the various different forms of network peer labeling and determine
3888 * the peer label/SID for the packet; most of the magic actually occurs in
3889 * the security server function security_net_peersid_cmp(). The function
3890 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3891 * or -EACCES if @sid is invalid due to inconsistencies with the different
3892 * peer labels.
3893 *
3894 */
3895 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3896 {
3897 int err;
3898 u32 xfrm_sid;
3899 u32 nlbl_sid;
3900 u32 nlbl_type;
3901
3902 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3903 if (unlikely(err))
3904 return -EACCES;
3905 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3906 if (unlikely(err))
3907 return -EACCES;
3908
3909 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3910 if (unlikely(err)) {
3911 printk(KERN_WARNING
3912 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3913 " unable to determine packet's peer label\n");
3914 return -EACCES;
3915 }
3916
3917 return 0;
3918 }
3919
3920 /**
3921 * selinux_conn_sid - Determine the child socket label for a connection
3922 * @sk_sid: the parent socket's SID
3923 * @skb_sid: the packet's SID
3924 * @conn_sid: the resulting connection SID
3925 *
3926 * If @skb_sid is valid then the user:role:type information from @sk_sid is
3927 * combined with the MLS information from @skb_sid in order to create
3928 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
3929 * of @sk_sid. Returns zero on success, negative values on failure.
3930 *
3931 */
3932 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3933 {
3934 int err = 0;
3935
3936 if (skb_sid != SECSID_NULL)
3937 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3938 else
3939 *conn_sid = sk_sid;
3940
3941 return err;
3942 }
3943
3944 /* socket security operations */
3945
3946 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3947 u16 secclass, u32 *socksid)
3948 {
3949 if (tsec->sockcreate_sid > SECSID_NULL) {
3950 *socksid = tsec->sockcreate_sid;
3951 return 0;
3952 }
3953
3954 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3955 socksid);
3956 }
3957
3958 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3959 {
3960 struct sk_security_struct *sksec = sk->sk_security;
3961 struct common_audit_data ad;
3962 struct lsm_network_audit net = {0,};
3963 u32 tsid = task_sid(task);
3964
3965 if (sksec->sid == SECINITSID_KERNEL)
3966 return 0;
3967
3968 ad.type = LSM_AUDIT_DATA_NET;
3969 ad.u.net = &net;
3970 ad.u.net->sk = sk;
3971
3972 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3973 }
3974
3975 static int selinux_socket_create(int family, int type,
3976 int protocol, int kern)
3977 {
3978 const struct task_security_struct *tsec = current_security();
3979 u32 newsid;
3980 u16 secclass;
3981 int rc;
3982
3983 if (kern)
3984 return 0;
3985
3986 secclass = socket_type_to_security_class(family, type, protocol);
3987 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3988 if (rc)
3989 return rc;
3990
3991 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3992 }
3993
3994 static int selinux_socket_post_create(struct socket *sock, int family,
3995 int type, int protocol, int kern)
3996 {
3997 const struct task_security_struct *tsec = current_security();
3998 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3999 struct sk_security_struct *sksec;
4000 int err = 0;
4001
4002 isec->sclass = socket_type_to_security_class(family, type, protocol);
4003
4004 if (kern)
4005 isec->sid = SECINITSID_KERNEL;
4006 else {
4007 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4008 if (err)
4009 return err;
4010 }
4011
4012 isec->initialized = 1;
4013
4014 if (sock->sk) {
4015 sksec = sock->sk->sk_security;
4016 sksec->sid = isec->sid;
4017 sksec->sclass = isec->sclass;
4018 err = selinux_netlbl_socket_post_create(sock->sk, family);
4019 }
4020
4021 return err;
4022 }
4023
4024 /* Range of port numbers used to automatically bind.
4025 Need to determine whether we should perform a name_bind
4026 permission check between the socket and the port number. */
4027
4028 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4029 {
4030 struct sock *sk = sock->sk;
4031 u16 family;
4032 int err;
4033
4034 err = sock_has_perm(current, sk, SOCKET__BIND);
4035 if (err)
4036 goto out;
4037
4038 /*
4039 * If PF_INET or PF_INET6, check name_bind permission for the port.
4040 * Multiple address binding for SCTP is not supported yet: we just
4041 * check the first address now.
4042 */
4043 family = sk->sk_family;
4044 if (family == PF_INET || family == PF_INET6) {
4045 char *addrp;
4046 struct sk_security_struct *sksec = sk->sk_security;
4047 struct common_audit_data ad;
4048 struct lsm_network_audit net = {0,};
4049 struct sockaddr_in *addr4 = NULL;
4050 struct sockaddr_in6 *addr6 = NULL;
4051 unsigned short snum;
4052 u32 sid, node_perm;
4053
4054 if (family == PF_INET) {
4055 addr4 = (struct sockaddr_in *)address;
4056 snum = ntohs(addr4->sin_port);
4057 addrp = (char *)&addr4->sin_addr.s_addr;
4058 } else {
4059 addr6 = (struct sockaddr_in6 *)address;
4060 snum = ntohs(addr6->sin6_port);
4061 addrp = (char *)&addr6->sin6_addr.s6_addr;
4062 }
4063
4064 if (snum) {
4065 int low, high;
4066
4067 inet_get_local_port_range(sock_net(sk), &low, &high);
4068
4069 if (snum < max(PROT_SOCK, low) || snum > high) {
4070 err = sel_netport_sid(sk->sk_protocol,
4071 snum, &sid);
4072 if (err)
4073 goto out;
4074 ad.type = LSM_AUDIT_DATA_NET;
4075 ad.u.net = &net;
4076 ad.u.net->sport = htons(snum);
4077 ad.u.net->family = family;
4078 err = avc_has_perm(sksec->sid, sid,
4079 sksec->sclass,
4080 SOCKET__NAME_BIND, &ad);
4081 if (err)
4082 goto out;
4083 }
4084 }
4085
4086 switch (sksec->sclass) {
4087 case SECCLASS_TCP_SOCKET:
4088 node_perm = TCP_SOCKET__NODE_BIND;
4089 break;
4090
4091 case SECCLASS_UDP_SOCKET:
4092 node_perm = UDP_SOCKET__NODE_BIND;
4093 break;
4094
4095 case SECCLASS_DCCP_SOCKET:
4096 node_perm = DCCP_SOCKET__NODE_BIND;
4097 break;
4098
4099 default:
4100 node_perm = RAWIP_SOCKET__NODE_BIND;
4101 break;
4102 }
4103
4104 err = sel_netnode_sid(addrp, family, &sid);
4105 if (err)
4106 goto out;
4107
4108 ad.type = LSM_AUDIT_DATA_NET;
4109 ad.u.net = &net;
4110 ad.u.net->sport = htons(snum);
4111 ad.u.net->family = family;
4112
4113 if (family == PF_INET)
4114 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4115 else
4116 ad.u.net->v6info.saddr = addr6->sin6_addr;
4117
4118 err = avc_has_perm(sksec->sid, sid,
4119 sksec->sclass, node_perm, &ad);
4120 if (err)
4121 goto out;
4122 }
4123 out:
4124 return err;
4125 }
4126
4127 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4128 {
4129 struct sock *sk = sock->sk;
4130 struct sk_security_struct *sksec = sk->sk_security;
4131 int err;
4132
4133 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4134 if (err)
4135 return err;
4136
4137 /*
4138 * If a TCP or DCCP socket, check name_connect permission for the port.
4139 */
4140 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4141 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4142 struct common_audit_data ad;
4143 struct lsm_network_audit net = {0,};
4144 struct sockaddr_in *addr4 = NULL;
4145 struct sockaddr_in6 *addr6 = NULL;
4146 unsigned short snum;
4147 u32 sid, perm;
4148
4149 if (sk->sk_family == PF_INET) {
4150 addr4 = (struct sockaddr_in *)address;
4151 if (addrlen < sizeof(struct sockaddr_in))
4152 return -EINVAL;
4153 snum = ntohs(addr4->sin_port);
4154 } else {
4155 addr6 = (struct sockaddr_in6 *)address;
4156 if (addrlen < SIN6_LEN_RFC2133)
4157 return -EINVAL;
4158 snum = ntohs(addr6->sin6_port);
4159 }
4160
4161 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4162 if (err)
4163 goto out;
4164
4165 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4166 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4167
4168 ad.type = LSM_AUDIT_DATA_NET;
4169 ad.u.net = &net;
4170 ad.u.net->dport = htons(snum);
4171 ad.u.net->family = sk->sk_family;
4172 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4173 if (err)
4174 goto out;
4175 }
4176
4177 err = selinux_netlbl_socket_connect(sk, address);
4178
4179 out:
4180 return err;
4181 }
4182
4183 static int selinux_socket_listen(struct socket *sock, int backlog)
4184 {
4185 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4186 }
4187
4188 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4189 {
4190 int err;
4191 struct inode_security_struct *isec;
4192 struct inode_security_struct *newisec;
4193
4194 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4195 if (err)
4196 return err;
4197
4198 newisec = SOCK_INODE(newsock)->i_security;
4199
4200 isec = SOCK_INODE(sock)->i_security;
4201 newisec->sclass = isec->sclass;
4202 newisec->sid = isec->sid;
4203 newisec->initialized = 1;
4204
4205 return 0;
4206 }
4207
4208 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4209 int size)
4210 {
4211 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4212 }
4213
4214 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4215 int size, int flags)
4216 {
4217 return sock_has_perm(current, sock->sk, SOCKET__READ);
4218 }
4219
4220 static int selinux_socket_getsockname(struct socket *sock)
4221 {
4222 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4223 }
4224
4225 static int selinux_socket_getpeername(struct socket *sock)
4226 {
4227 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4228 }
4229
4230 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4231 {
4232 int err;
4233
4234 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4235 if (err)
4236 return err;
4237
4238 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4239 }
4240
4241 static int selinux_socket_getsockopt(struct socket *sock, int level,
4242 int optname)
4243 {
4244 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4245 }
4246
4247 static int selinux_socket_shutdown(struct socket *sock, int how)
4248 {
4249 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4250 }
4251
4252 static int selinux_socket_unix_stream_connect(struct sock *sock,
4253 struct sock *other,
4254 struct sock *newsk)
4255 {
4256 struct sk_security_struct *sksec_sock = sock->sk_security;
4257 struct sk_security_struct *sksec_other = other->sk_security;
4258 struct sk_security_struct *sksec_new = newsk->sk_security;
4259 struct common_audit_data ad;
4260 struct lsm_network_audit net = {0,};
4261 int err;
4262
4263 ad.type = LSM_AUDIT_DATA_NET;
4264 ad.u.net = &net;
4265 ad.u.net->sk = other;
4266
4267 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4268 sksec_other->sclass,
4269 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4270 if (err)
4271 return err;
4272
4273 /* server child socket */
4274 sksec_new->peer_sid = sksec_sock->sid;
4275 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4276 &sksec_new->sid);
4277 if (err)
4278 return err;
4279
4280 /* connecting socket */
4281 sksec_sock->peer_sid = sksec_new->sid;
4282
4283 return 0;
4284 }
4285
4286 static int selinux_socket_unix_may_send(struct socket *sock,
4287 struct socket *other)
4288 {
4289 struct sk_security_struct *ssec = sock->sk->sk_security;
4290 struct sk_security_struct *osec = other->sk->sk_security;
4291 struct common_audit_data ad;
4292 struct lsm_network_audit net = {0,};
4293
4294 ad.type = LSM_AUDIT_DATA_NET;
4295 ad.u.net = &net;
4296 ad.u.net->sk = other->sk;
4297
4298 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4299 &ad);
4300 }
4301
4302 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4303 char *addrp, u16 family, u32 peer_sid,
4304 struct common_audit_data *ad)
4305 {
4306 int err;
4307 u32 if_sid;
4308 u32 node_sid;
4309
4310 err = sel_netif_sid(ns, ifindex, &if_sid);
4311 if (err)
4312 return err;
4313 err = avc_has_perm(peer_sid, if_sid,
4314 SECCLASS_NETIF, NETIF__INGRESS, ad);
4315 if (err)
4316 return err;
4317
4318 err = sel_netnode_sid(addrp, family, &node_sid);
4319 if (err)
4320 return err;
4321 return avc_has_perm(peer_sid, node_sid,
4322 SECCLASS_NODE, NODE__RECVFROM, ad);
4323 }
4324
4325 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4326 u16 family)
4327 {
4328 int err = 0;
4329 struct sk_security_struct *sksec = sk->sk_security;
4330 u32 sk_sid = sksec->sid;
4331 struct common_audit_data ad;
4332 struct lsm_network_audit net = {0,};
4333 char *addrp;
4334
4335 ad.type = LSM_AUDIT_DATA_NET;
4336 ad.u.net = &net;
4337 ad.u.net->netif = skb->skb_iif;
4338 ad.u.net->family = family;
4339 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4340 if (err)
4341 return err;
4342
4343 if (selinux_secmark_enabled()) {
4344 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4345 PACKET__RECV, &ad);
4346 if (err)
4347 return err;
4348 }
4349
4350 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4351 if (err)
4352 return err;
4353 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4354
4355 return err;
4356 }
4357
4358 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4359 {
4360 int err;
4361 struct sk_security_struct *sksec = sk->sk_security;
4362 u16 family = sk->sk_family;
4363 u32 sk_sid = sksec->sid;
4364 struct common_audit_data ad;
4365 struct lsm_network_audit net = {0,};
4366 char *addrp;
4367 u8 secmark_active;
4368 u8 peerlbl_active;
4369
4370 if (family != PF_INET && family != PF_INET6)
4371 return 0;
4372
4373 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4374 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4375 family = PF_INET;
4376
4377 /* If any sort of compatibility mode is enabled then handoff processing
4378 * to the selinux_sock_rcv_skb_compat() function to deal with the
4379 * special handling. We do this in an attempt to keep this function
4380 * as fast and as clean as possible. */
4381 if (!selinux_policycap_netpeer)
4382 return selinux_sock_rcv_skb_compat(sk, skb, family);
4383
4384 secmark_active = selinux_secmark_enabled();
4385 peerlbl_active = selinux_peerlbl_enabled();
4386 if (!secmark_active && !peerlbl_active)
4387 return 0;
4388
4389 ad.type = LSM_AUDIT_DATA_NET;
4390 ad.u.net = &net;
4391 ad.u.net->netif = skb->skb_iif;
4392 ad.u.net->family = family;
4393 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4394 if (err)
4395 return err;
4396
4397 if (peerlbl_active) {
4398 u32 peer_sid;
4399
4400 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4401 if (err)
4402 return err;
4403 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4404 addrp, family, peer_sid, &ad);
4405 if (err) {
4406 selinux_netlbl_err(skb, err, 0);
4407 return err;
4408 }
4409 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4410 PEER__RECV, &ad);
4411 if (err) {
4412 selinux_netlbl_err(skb, err, 0);
4413 return err;
4414 }
4415 }
4416
4417 if (secmark_active) {
4418 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4419 PACKET__RECV, &ad);
4420 if (err)
4421 return err;
4422 }
4423
4424 return err;
4425 }
4426
4427 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4428 int __user *optlen, unsigned len)
4429 {
4430 int err = 0;
4431 char *scontext;
4432 u32 scontext_len;
4433 struct sk_security_struct *sksec = sock->sk->sk_security;
4434 u32 peer_sid = SECSID_NULL;
4435
4436 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4437 sksec->sclass == SECCLASS_TCP_SOCKET)
4438 peer_sid = sksec->peer_sid;
4439 if (peer_sid == SECSID_NULL)
4440 return -ENOPROTOOPT;
4441
4442 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4443 if (err)
4444 return err;
4445
4446 if (scontext_len > len) {
4447 err = -ERANGE;
4448 goto out_len;
4449 }
4450
4451 if (copy_to_user(optval, scontext, scontext_len))
4452 err = -EFAULT;
4453
4454 out_len:
4455 if (put_user(scontext_len, optlen))
4456 err = -EFAULT;
4457 kfree(scontext);
4458 return err;
4459 }
4460
4461 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4462 {
4463 u32 peer_secid = SECSID_NULL;
4464 u16 family;
4465
4466 if (skb && skb->protocol == htons(ETH_P_IP))
4467 family = PF_INET;
4468 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4469 family = PF_INET6;
4470 else if (sock)
4471 family = sock->sk->sk_family;
4472 else
4473 goto out;
4474
4475 if (sock && family == PF_UNIX)
4476 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4477 else if (skb)
4478 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4479
4480 out:
4481 *secid = peer_secid;
4482 if (peer_secid == SECSID_NULL)
4483 return -EINVAL;
4484 return 0;
4485 }
4486
4487 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4488 {
4489 struct sk_security_struct *sksec;
4490
4491 sksec = kzalloc(sizeof(*sksec), priority);
4492 if (!sksec)
4493 return -ENOMEM;
4494
4495 sksec->peer_sid = SECINITSID_UNLABELED;
4496 sksec->sid = SECINITSID_UNLABELED;
4497 selinux_netlbl_sk_security_reset(sksec);
4498 sk->sk_security = sksec;
4499
4500 return 0;
4501 }
4502
4503 static void selinux_sk_free_security(struct sock *sk)
4504 {
4505 struct sk_security_struct *sksec = sk->sk_security;
4506
4507 sk->sk_security = NULL;
4508 selinux_netlbl_sk_security_free(sksec);
4509 kfree(sksec);
4510 }
4511
4512 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4513 {
4514 struct sk_security_struct *sksec = sk->sk_security;
4515 struct sk_security_struct *newsksec = newsk->sk_security;
4516
4517 newsksec->sid = sksec->sid;
4518 newsksec->peer_sid = sksec->peer_sid;
4519 newsksec->sclass = sksec->sclass;
4520
4521 selinux_netlbl_sk_security_reset(newsksec);
4522 }
4523
4524 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4525 {
4526 if (!sk)
4527 *secid = SECINITSID_ANY_SOCKET;
4528 else {
4529 struct sk_security_struct *sksec = sk->sk_security;
4530
4531 *secid = sksec->sid;
4532 }
4533 }
4534
4535 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4536 {
4537 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4538 struct sk_security_struct *sksec = sk->sk_security;
4539
4540 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4541 sk->sk_family == PF_UNIX)
4542 isec->sid = sksec->sid;
4543 sksec->sclass = isec->sclass;
4544 }
4545
4546 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4547 struct request_sock *req)
4548 {
4549 struct sk_security_struct *sksec = sk->sk_security;
4550 int err;
4551 u16 family = req->rsk_ops->family;
4552 u32 connsid;
4553 u32 peersid;
4554
4555 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4556 if (err)
4557 return err;
4558 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4559 if (err)
4560 return err;
4561 req->secid = connsid;
4562 req->peer_secid = peersid;
4563
4564 return selinux_netlbl_inet_conn_request(req, family);
4565 }
4566
4567 static void selinux_inet_csk_clone(struct sock *newsk,
4568 const struct request_sock *req)
4569 {
4570 struct sk_security_struct *newsksec = newsk->sk_security;
4571
4572 newsksec->sid = req->secid;
4573 newsksec->peer_sid = req->peer_secid;
4574 /* NOTE: Ideally, we should also get the isec->sid for the
4575 new socket in sync, but we don't have the isec available yet.
4576 So we will wait until sock_graft to do it, by which
4577 time it will have been created and available. */
4578
4579 /* We don't need to take any sort of lock here as we are the only
4580 * thread with access to newsksec */
4581 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4582 }
4583
4584 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4585 {
4586 u16 family = sk->sk_family;
4587 struct sk_security_struct *sksec = sk->sk_security;
4588
4589 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4590 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4591 family = PF_INET;
4592
4593 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4594 }
4595
4596 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4597 {
4598 skb_set_owner_w(skb, sk);
4599 }
4600
4601 static int selinux_secmark_relabel_packet(u32 sid)
4602 {
4603 const struct task_security_struct *__tsec;
4604 u32 tsid;
4605
4606 __tsec = current_security();
4607 tsid = __tsec->sid;
4608
4609 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4610 }
4611
4612 static void selinux_secmark_refcount_inc(void)
4613 {
4614 atomic_inc(&selinux_secmark_refcount);
4615 }
4616
4617 static void selinux_secmark_refcount_dec(void)
4618 {
4619 atomic_dec(&selinux_secmark_refcount);
4620 }
4621
4622 static void selinux_req_classify_flow(const struct request_sock *req,
4623 struct flowi *fl)
4624 {
4625 fl->flowi_secid = req->secid;
4626 }
4627
4628 static int selinux_tun_dev_alloc_security(void **security)
4629 {
4630 struct tun_security_struct *tunsec;
4631
4632 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4633 if (!tunsec)
4634 return -ENOMEM;
4635 tunsec->sid = current_sid();
4636
4637 *security = tunsec;
4638 return 0;
4639 }
4640
4641 static void selinux_tun_dev_free_security(void *security)
4642 {
4643 kfree(security);
4644 }
4645
4646 static int selinux_tun_dev_create(void)
4647 {
4648 u32 sid = current_sid();
4649
4650 /* we aren't taking into account the "sockcreate" SID since the socket
4651 * that is being created here is not a socket in the traditional sense,
4652 * instead it is a private sock, accessible only to the kernel, and
4653 * representing a wide range of network traffic spanning multiple
4654 * connections unlike traditional sockets - check the TUN driver to
4655 * get a better understanding of why this socket is special */
4656
4657 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4658 NULL);
4659 }
4660
4661 static int selinux_tun_dev_attach_queue(void *security)
4662 {
4663 struct tun_security_struct *tunsec = security;
4664
4665 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4666 TUN_SOCKET__ATTACH_QUEUE, NULL);
4667 }
4668
4669 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4670 {
4671 struct tun_security_struct *tunsec = security;
4672 struct sk_security_struct *sksec = sk->sk_security;
4673
4674 /* we don't currently perform any NetLabel based labeling here and it
4675 * isn't clear that we would want to do so anyway; while we could apply
4676 * labeling without the support of the TUN user the resulting labeled
4677 * traffic from the other end of the connection would almost certainly
4678 * cause confusion to the TUN user that had no idea network labeling
4679 * protocols were being used */
4680
4681 sksec->sid = tunsec->sid;
4682 sksec->sclass = SECCLASS_TUN_SOCKET;
4683
4684 return 0;
4685 }
4686
4687 static int selinux_tun_dev_open(void *security)
4688 {
4689 struct tun_security_struct *tunsec = security;
4690 u32 sid = current_sid();
4691 int err;
4692
4693 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4694 TUN_SOCKET__RELABELFROM, NULL);
4695 if (err)
4696 return err;
4697 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4698 TUN_SOCKET__RELABELTO, NULL);
4699 if (err)
4700 return err;
4701 tunsec->sid = sid;
4702
4703 return 0;
4704 }
4705
4706 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4707 {
4708 int err = 0;
4709 u32 perm;
4710 struct nlmsghdr *nlh;
4711 struct sk_security_struct *sksec = sk->sk_security;
4712
4713 if (skb->len < NLMSG_HDRLEN) {
4714 err = -EINVAL;
4715 goto out;
4716 }
4717 nlh = nlmsg_hdr(skb);
4718
4719 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4720 if (err) {
4721 if (err == -EINVAL) {
4722 printk(KERN_WARNING
4723 "SELinux: unrecognized netlink message:"
4724 " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
4725 sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
4726 if (!selinux_enforcing || security_get_allow_unknown())
4727 err = 0;
4728 }
4729
4730 /* Ignore */
4731 if (err == -ENOENT)
4732 err = 0;
4733 goto out;
4734 }
4735
4736 err = sock_has_perm(current, sk, perm);
4737 out:
4738 return err;
4739 }
4740
4741 #ifdef CONFIG_NETFILTER
4742
4743 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4744 const struct net_device *indev,
4745 u16 family)
4746 {
4747 int err;
4748 char *addrp;
4749 u32 peer_sid;
4750 struct common_audit_data ad;
4751 struct lsm_network_audit net = {0,};
4752 u8 secmark_active;
4753 u8 netlbl_active;
4754 u8 peerlbl_active;
4755
4756 if (!selinux_policycap_netpeer)
4757 return NF_ACCEPT;
4758
4759 secmark_active = selinux_secmark_enabled();
4760 netlbl_active = netlbl_enabled();
4761 peerlbl_active = selinux_peerlbl_enabled();
4762 if (!secmark_active && !peerlbl_active)
4763 return NF_ACCEPT;
4764
4765 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4766 return NF_DROP;
4767
4768 ad.type = LSM_AUDIT_DATA_NET;
4769 ad.u.net = &net;
4770 ad.u.net->netif = indev->ifindex;
4771 ad.u.net->family = family;
4772 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4773 return NF_DROP;
4774
4775 if (peerlbl_active) {
4776 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4777 addrp, family, peer_sid, &ad);
4778 if (err) {
4779 selinux_netlbl_err(skb, err, 1);
4780 return NF_DROP;
4781 }
4782 }
4783
4784 if (secmark_active)
4785 if (avc_has_perm(peer_sid, skb->secmark,
4786 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4787 return NF_DROP;
4788
4789 if (netlbl_active)
4790 /* we do this in the FORWARD path and not the POST_ROUTING
4791 * path because we want to make sure we apply the necessary
4792 * labeling before IPsec is applied so we can leverage AH
4793 * protection */
4794 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4795 return NF_DROP;
4796
4797 return NF_ACCEPT;
4798 }
4799
4800 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4801 struct sk_buff *skb,
4802 const struct net_device *in,
4803 const struct net_device *out,
4804 int (*okfn)(struct sk_buff *))
4805 {
4806 return selinux_ip_forward(skb, in, PF_INET);
4807 }
4808
4809 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4810 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4811 struct sk_buff *skb,
4812 const struct net_device *in,
4813 const struct net_device *out,
4814 int (*okfn)(struct sk_buff *))
4815 {
4816 return selinux_ip_forward(skb, in, PF_INET6);
4817 }
4818 #endif /* IPV6 */
4819
4820 static unsigned int selinux_ip_output(struct sk_buff *skb,
4821 u16 family)
4822 {
4823 struct sock *sk;
4824 u32 sid;
4825
4826 if (!netlbl_enabled())
4827 return NF_ACCEPT;
4828
4829 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4830 * because we want to make sure we apply the necessary labeling
4831 * before IPsec is applied so we can leverage AH protection */
4832 sk = skb->sk;
4833 if (sk) {
4834 struct sk_security_struct *sksec;
4835
4836 if (sk->sk_state == TCP_LISTEN)
4837 /* if the socket is the listening state then this
4838 * packet is a SYN-ACK packet which means it needs to
4839 * be labeled based on the connection/request_sock and
4840 * not the parent socket. unfortunately, we can't
4841 * lookup the request_sock yet as it isn't queued on
4842 * the parent socket until after the SYN-ACK is sent.
4843 * the "solution" is to simply pass the packet as-is
4844 * as any IP option based labeling should be copied
4845 * from the initial connection request (in the IP
4846 * layer). it is far from ideal, but until we get a
4847 * security label in the packet itself this is the
4848 * best we can do. */
4849 return NF_ACCEPT;
4850
4851 /* standard practice, label using the parent socket */
4852 sksec = sk->sk_security;
4853 sid = sksec->sid;
4854 } else
4855 sid = SECINITSID_KERNEL;
4856 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4857 return NF_DROP;
4858
4859 return NF_ACCEPT;
4860 }
4861
4862 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4863 struct sk_buff *skb,
4864 const struct net_device *in,
4865 const struct net_device *out,
4866 int (*okfn)(struct sk_buff *))
4867 {
4868 return selinux_ip_output(skb, PF_INET);
4869 }
4870
4871 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4872 int ifindex,
4873 u16 family)
4874 {
4875 struct sock *sk = skb->sk;
4876 struct sk_security_struct *sksec;
4877 struct common_audit_data ad;
4878 struct lsm_network_audit net = {0,};
4879 char *addrp;
4880 u8 proto;
4881
4882 if (sk == NULL)
4883 return NF_ACCEPT;
4884 sksec = sk->sk_security;
4885
4886 ad.type = LSM_AUDIT_DATA_NET;
4887 ad.u.net = &net;
4888 ad.u.net->netif = ifindex;
4889 ad.u.net->family = family;
4890 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4891 return NF_DROP;
4892
4893 if (selinux_secmark_enabled())
4894 if (avc_has_perm(sksec->sid, skb->secmark,
4895 SECCLASS_PACKET, PACKET__SEND, &ad))
4896 return NF_DROP_ERR(-ECONNREFUSED);
4897
4898 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4899 return NF_DROP_ERR(-ECONNREFUSED);
4900
4901 return NF_ACCEPT;
4902 }
4903
4904 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4905 const struct net_device *outdev,
4906 u16 family)
4907 {
4908 u32 secmark_perm;
4909 u32 peer_sid;
4910 int ifindex = outdev->ifindex;
4911 struct sock *sk;
4912 struct common_audit_data ad;
4913 struct lsm_network_audit net = {0,};
4914 char *addrp;
4915 u8 secmark_active;
4916 u8 peerlbl_active;
4917
4918 /* If any sort of compatibility mode is enabled then handoff processing
4919 * to the selinux_ip_postroute_compat() function to deal with the
4920 * special handling. We do this in an attempt to keep this function
4921 * as fast and as clean as possible. */
4922 if (!selinux_policycap_netpeer)
4923 return selinux_ip_postroute_compat(skb, ifindex, family);
4924
4925 secmark_active = selinux_secmark_enabled();
4926 peerlbl_active = selinux_peerlbl_enabled();
4927 if (!secmark_active && !peerlbl_active)
4928 return NF_ACCEPT;
4929
4930 sk = skb->sk;
4931
4932 #ifdef CONFIG_XFRM
4933 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4934 * packet transformation so allow the packet to pass without any checks
4935 * since we'll have another chance to perform access control checks
4936 * when the packet is on it's final way out.
4937 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4938 * is NULL, in this case go ahead and apply access control.
4939 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4940 * TCP listening state we cannot wait until the XFRM processing
4941 * is done as we will miss out on the SA label if we do;
4942 * unfortunately, this means more work, but it is only once per
4943 * connection. */
4944 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4945 !(sk != NULL && sk->sk_state == TCP_LISTEN))
4946 return NF_ACCEPT;
4947 #endif
4948
4949 if (sk == NULL) {
4950 /* Without an associated socket the packet is either coming
4951 * from the kernel or it is being forwarded; check the packet
4952 * to determine which and if the packet is being forwarded
4953 * query the packet directly to determine the security label. */
4954 if (skb->skb_iif) {
4955 secmark_perm = PACKET__FORWARD_OUT;
4956 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4957 return NF_DROP;
4958 } else {
4959 secmark_perm = PACKET__SEND;
4960 peer_sid = SECINITSID_KERNEL;
4961 }
4962 } else if (sk->sk_state == TCP_LISTEN) {
4963 /* Locally generated packet but the associated socket is in the
4964 * listening state which means this is a SYN-ACK packet. In
4965 * this particular case the correct security label is assigned
4966 * to the connection/request_sock but unfortunately we can't
4967 * query the request_sock as it isn't queued on the parent
4968 * socket until after the SYN-ACK packet is sent; the only
4969 * viable choice is to regenerate the label like we do in
4970 * selinux_inet_conn_request(). See also selinux_ip_output()
4971 * for similar problems. */
4972 u32 skb_sid;
4973 struct sk_security_struct *sksec = sk->sk_security;
4974 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4975 return NF_DROP;
4976 /* At this point, if the returned skb peerlbl is SECSID_NULL
4977 * and the packet has been through at least one XFRM
4978 * transformation then we must be dealing with the "final"
4979 * form of labeled IPsec packet; since we've already applied
4980 * all of our access controls on this packet we can safely
4981 * pass the packet. */
4982 if (skb_sid == SECSID_NULL) {
4983 switch (family) {
4984 case PF_INET:
4985 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4986 return NF_ACCEPT;
4987 break;
4988 case PF_INET6:
4989 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4990 return NF_ACCEPT;
4991 break;
4992 default:
4993 return NF_DROP_ERR(-ECONNREFUSED);
4994 }
4995 }
4996 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4997 return NF_DROP;
4998 secmark_perm = PACKET__SEND;
4999 } else {
5000 /* Locally generated packet, fetch the security label from the
5001 * associated socket. */
5002 struct sk_security_struct *sksec = sk->sk_security;
5003 peer_sid = sksec->sid;
5004 secmark_perm = PACKET__SEND;
5005 }
5006
5007 ad.type = LSM_AUDIT_DATA_NET;
5008 ad.u.net = &net;
5009 ad.u.net->netif = ifindex;
5010 ad.u.net->family = family;
5011 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5012 return NF_DROP;
5013
5014 if (secmark_active)
5015 if (avc_has_perm(peer_sid, skb->secmark,
5016 SECCLASS_PACKET, secmark_perm, &ad))
5017 return NF_DROP_ERR(-ECONNREFUSED);
5018
5019 if (peerlbl_active) {
5020 u32 if_sid;
5021 u32 node_sid;
5022
5023 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5024 return NF_DROP;
5025 if (avc_has_perm(peer_sid, if_sid,
5026 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5027 return NF_DROP_ERR(-ECONNREFUSED);
5028
5029 if (sel_netnode_sid(addrp, family, &node_sid))
5030 return NF_DROP;
5031 if (avc_has_perm(peer_sid, node_sid,
5032 SECCLASS_NODE, NODE__SENDTO, &ad))
5033 return NF_DROP_ERR(-ECONNREFUSED);
5034 }
5035
5036 return NF_ACCEPT;
5037 }
5038
5039 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5040 struct sk_buff *skb,
5041 const struct net_device *in,
5042 const struct net_device *out,
5043 int (*okfn)(struct sk_buff *))
5044 {
5045 return selinux_ip_postroute(skb, out, PF_INET);
5046 }
5047
5048 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5049 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5050 struct sk_buff *skb,
5051 const struct net_device *in,
5052 const struct net_device *out,
5053 int (*okfn)(struct sk_buff *))
5054 {
5055 return selinux_ip_postroute(skb, out, PF_INET6);
5056 }
5057 #endif /* IPV6 */
5058
5059 #endif /* CONFIG_NETFILTER */
5060
5061 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5062 {
5063 int err;
5064
5065 err = cap_netlink_send(sk, skb);
5066 if (err)
5067 return err;
5068
5069 return selinux_nlmsg_perm(sk, skb);
5070 }
5071
5072 static int ipc_alloc_security(struct task_struct *task,
5073 struct kern_ipc_perm *perm,
5074 u16 sclass)
5075 {
5076 struct ipc_security_struct *isec;
5077 u32 sid;
5078
5079 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5080 if (!isec)
5081 return -ENOMEM;
5082
5083 sid = task_sid(task);
5084 isec->sclass = sclass;
5085 isec->sid = sid;
5086 perm->security = isec;
5087
5088 return 0;
5089 }
5090
5091 static void ipc_free_security(struct kern_ipc_perm *perm)
5092 {
5093 struct ipc_security_struct *isec = perm->security;
5094 perm->security = NULL;
5095 kfree(isec);
5096 }
5097
5098 static int msg_msg_alloc_security(struct msg_msg *msg)
5099 {
5100 struct msg_security_struct *msec;
5101
5102 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5103 if (!msec)
5104 return -ENOMEM;
5105
5106 msec->sid = SECINITSID_UNLABELED;
5107 msg->security = msec;
5108
5109 return 0;
5110 }
5111
5112 static void msg_msg_free_security(struct msg_msg *msg)
5113 {
5114 struct msg_security_struct *msec = msg->security;
5115
5116 msg->security = NULL;
5117 kfree(msec);
5118 }
5119
5120 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5121 u32 perms)
5122 {
5123 struct ipc_security_struct *isec;
5124 struct common_audit_data ad;
5125 u32 sid = current_sid();
5126
5127 isec = ipc_perms->security;
5128
5129 ad.type = LSM_AUDIT_DATA_IPC;
5130 ad.u.ipc_id = ipc_perms->key;
5131
5132 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5133 }
5134
5135 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5136 {
5137 return msg_msg_alloc_security(msg);
5138 }
5139
5140 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5141 {
5142 msg_msg_free_security(msg);
5143 }
5144
5145 /* message queue security operations */
5146 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5147 {
5148 struct ipc_security_struct *isec;
5149 struct common_audit_data ad;
5150 u32 sid = current_sid();
5151 int rc;
5152
5153 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5154 if (rc)
5155 return rc;
5156
5157 isec = msq->q_perm.security;
5158
5159 ad.type = LSM_AUDIT_DATA_IPC;
5160 ad.u.ipc_id = msq->q_perm.key;
5161
5162 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5163 MSGQ__CREATE, &ad);
5164 if (rc) {
5165 ipc_free_security(&msq->q_perm);
5166 return rc;
5167 }
5168 return 0;
5169 }
5170
5171 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5172 {
5173 ipc_free_security(&msq->q_perm);
5174 }
5175
5176 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5177 {
5178 struct ipc_security_struct *isec;
5179 struct common_audit_data ad;
5180 u32 sid = current_sid();
5181
5182 isec = msq->q_perm.security;
5183
5184 ad.type = LSM_AUDIT_DATA_IPC;
5185 ad.u.ipc_id = msq->q_perm.key;
5186
5187 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5188 MSGQ__ASSOCIATE, &ad);
5189 }
5190
5191 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5192 {
5193 int err;
5194 int perms;
5195
5196 switch (cmd) {
5197 case IPC_INFO:
5198 case MSG_INFO:
5199 /* No specific object, just general system-wide information. */
5200 return task_has_system(current, SYSTEM__IPC_INFO);
5201 case IPC_STAT:
5202 case MSG_STAT:
5203 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5204 break;
5205 case IPC_SET:
5206 perms = MSGQ__SETATTR;
5207 break;
5208 case IPC_RMID:
5209 perms = MSGQ__DESTROY;
5210 break;
5211 default:
5212 return 0;
5213 }
5214
5215 err = ipc_has_perm(&msq->q_perm, perms);
5216 return err;
5217 }
5218
5219 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5220 {
5221 struct ipc_security_struct *isec;
5222 struct msg_security_struct *msec;
5223 struct common_audit_data ad;
5224 u32 sid = current_sid();
5225 int rc;
5226
5227 isec = msq->q_perm.security;
5228 msec = msg->security;
5229
5230 /*
5231 * First time through, need to assign label to the message
5232 */
5233 if (msec->sid == SECINITSID_UNLABELED) {
5234 /*
5235 * Compute new sid based on current process and
5236 * message queue this message will be stored in
5237 */
5238 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5239 NULL, &msec->sid);
5240 if (rc)
5241 return rc;
5242 }
5243
5244 ad.type = LSM_AUDIT_DATA_IPC;
5245 ad.u.ipc_id = msq->q_perm.key;
5246
5247 /* Can this process write to the queue? */
5248 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5249 MSGQ__WRITE, &ad);
5250 if (!rc)
5251 /* Can this process send the message */
5252 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5253 MSG__SEND, &ad);
5254 if (!rc)
5255 /* Can the message be put in the queue? */
5256 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5257 MSGQ__ENQUEUE, &ad);
5258
5259 return rc;
5260 }
5261
5262 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5263 struct task_struct *target,
5264 long type, int mode)
5265 {
5266 struct ipc_security_struct *isec;
5267 struct msg_security_struct *msec;
5268 struct common_audit_data ad;
5269 u32 sid = task_sid(target);
5270 int rc;
5271
5272 isec = msq->q_perm.security;
5273 msec = msg->security;
5274
5275 ad.type = LSM_AUDIT_DATA_IPC;
5276 ad.u.ipc_id = msq->q_perm.key;
5277
5278 rc = avc_has_perm(sid, isec->sid,
5279 SECCLASS_MSGQ, MSGQ__READ, &ad);
5280 if (!rc)
5281 rc = avc_has_perm(sid, msec->sid,
5282 SECCLASS_MSG, MSG__RECEIVE, &ad);
5283 return rc;
5284 }
5285
5286 /* Shared Memory security operations */
5287 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5288 {
5289 struct ipc_security_struct *isec;
5290 struct common_audit_data ad;
5291 u32 sid = current_sid();
5292 int rc;
5293
5294 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5295 if (rc)
5296 return rc;
5297
5298 isec = shp->shm_perm.security;
5299
5300 ad.type = LSM_AUDIT_DATA_IPC;
5301 ad.u.ipc_id = shp->shm_perm.key;
5302
5303 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5304 SHM__CREATE, &ad);
5305 if (rc) {
5306 ipc_free_security(&shp->shm_perm);
5307 return rc;
5308 }
5309 return 0;
5310 }
5311
5312 static void selinux_shm_free_security(struct shmid_kernel *shp)
5313 {
5314 ipc_free_security(&shp->shm_perm);
5315 }
5316
5317 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5318 {
5319 struct ipc_security_struct *isec;
5320 struct common_audit_data ad;
5321 u32 sid = current_sid();
5322
5323 isec = shp->shm_perm.security;
5324
5325 ad.type = LSM_AUDIT_DATA_IPC;
5326 ad.u.ipc_id = shp->shm_perm.key;
5327
5328 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5329 SHM__ASSOCIATE, &ad);
5330 }
5331
5332 /* Note, at this point, shp is locked down */
5333 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5334 {
5335 int perms;
5336 int err;
5337
5338 switch (cmd) {
5339 case IPC_INFO:
5340 case SHM_INFO:
5341 /* No specific object, just general system-wide information. */
5342 return task_has_system(current, SYSTEM__IPC_INFO);
5343 case IPC_STAT:
5344 case SHM_STAT:
5345 perms = SHM__GETATTR | SHM__ASSOCIATE;
5346 break;
5347 case IPC_SET:
5348 perms = SHM__SETATTR;
5349 break;
5350 case SHM_LOCK:
5351 case SHM_UNLOCK:
5352 perms = SHM__LOCK;
5353 break;
5354 case IPC_RMID:
5355 perms = SHM__DESTROY;
5356 break;
5357 default:
5358 return 0;
5359 }
5360
5361 err = ipc_has_perm(&shp->shm_perm, perms);
5362 return err;
5363 }
5364
5365 static int selinux_shm_shmat(struct shmid_kernel *shp,
5366 char __user *shmaddr, int shmflg)
5367 {
5368 u32 perms;
5369
5370 if (shmflg & SHM_RDONLY)
5371 perms = SHM__READ;
5372 else
5373 perms = SHM__READ | SHM__WRITE;
5374
5375 return ipc_has_perm(&shp->shm_perm, perms);
5376 }
5377
5378 /* Semaphore security operations */
5379 static int selinux_sem_alloc_security(struct sem_array *sma)
5380 {
5381 struct ipc_security_struct *isec;
5382 struct common_audit_data ad;
5383 u32 sid = current_sid();
5384 int rc;
5385
5386 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5387 if (rc)
5388 return rc;
5389
5390 isec = sma->sem_perm.security;
5391
5392 ad.type = LSM_AUDIT_DATA_IPC;
5393 ad.u.ipc_id = sma->sem_perm.key;
5394
5395 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5396 SEM__CREATE, &ad);
5397 if (rc) {
5398 ipc_free_security(&sma->sem_perm);
5399 return rc;
5400 }
5401 return 0;
5402 }
5403
5404 static void selinux_sem_free_security(struct sem_array *sma)
5405 {
5406 ipc_free_security(&sma->sem_perm);
5407 }
5408
5409 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5410 {
5411 struct ipc_security_struct *isec;
5412 struct common_audit_data ad;
5413 u32 sid = current_sid();
5414
5415 isec = sma->sem_perm.security;
5416
5417 ad.type = LSM_AUDIT_DATA_IPC;
5418 ad.u.ipc_id = sma->sem_perm.key;
5419
5420 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5421 SEM__ASSOCIATE, &ad);
5422 }
5423
5424 /* Note, at this point, sma is locked down */
5425 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5426 {
5427 int err;
5428 u32 perms;
5429
5430 switch (cmd) {
5431 case IPC_INFO:
5432 case SEM_INFO:
5433 /* No specific object, just general system-wide information. */
5434 return task_has_system(current, SYSTEM__IPC_INFO);
5435 case GETPID:
5436 case GETNCNT:
5437 case GETZCNT:
5438 perms = SEM__GETATTR;
5439 break;
5440 case GETVAL:
5441 case GETALL:
5442 perms = SEM__READ;
5443 break;
5444 case SETVAL:
5445 case SETALL:
5446 perms = SEM__WRITE;
5447 break;
5448 case IPC_RMID:
5449 perms = SEM__DESTROY;
5450 break;
5451 case IPC_SET:
5452 perms = SEM__SETATTR;
5453 break;
5454 case IPC_STAT:
5455 case SEM_STAT:
5456 perms = SEM__GETATTR | SEM__ASSOCIATE;
5457 break;
5458 default:
5459 return 0;
5460 }
5461
5462 err = ipc_has_perm(&sma->sem_perm, perms);
5463 return err;
5464 }
5465
5466 static int selinux_sem_semop(struct sem_array *sma,
5467 struct sembuf *sops, unsigned nsops, int alter)
5468 {
5469 u32 perms;
5470
5471 if (alter)
5472 perms = SEM__READ | SEM__WRITE;
5473 else
5474 perms = SEM__READ;
5475
5476 return ipc_has_perm(&sma->sem_perm, perms);
5477 }
5478
5479 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5480 {
5481 u32 av = 0;
5482
5483 av = 0;
5484 if (flag & S_IRUGO)
5485 av |= IPC__UNIX_READ;
5486 if (flag & S_IWUGO)
5487 av |= IPC__UNIX_WRITE;
5488
5489 if (av == 0)
5490 return 0;
5491
5492 return ipc_has_perm(ipcp, av);
5493 }
5494
5495 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5496 {
5497 struct ipc_security_struct *isec = ipcp->security;
5498 *secid = isec->sid;
5499 }
5500
5501 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5502 {
5503 if (inode)
5504 inode_doinit_with_dentry(inode, dentry);
5505 }
5506
5507 static int selinux_getprocattr(struct task_struct *p,
5508 char *name, char **value)
5509 {
5510 const struct task_security_struct *__tsec;
5511 u32 sid;
5512 int error;
5513 unsigned len;
5514
5515 if (current != p) {
5516 error = current_has_perm(p, PROCESS__GETATTR);
5517 if (error)
5518 return error;
5519 }
5520
5521 rcu_read_lock();
5522 __tsec = __task_cred(p)->security;
5523
5524 if (!strcmp(name, "current"))
5525 sid = __tsec->sid;
5526 else if (!strcmp(name, "prev"))
5527 sid = __tsec->osid;
5528 else if (!strcmp(name, "exec"))
5529 sid = __tsec->exec_sid;
5530 else if (!strcmp(name, "fscreate"))
5531 sid = __tsec->create_sid;
5532 else if (!strcmp(name, "keycreate"))
5533 sid = __tsec->keycreate_sid;
5534 else if (!strcmp(name, "sockcreate"))
5535 sid = __tsec->sockcreate_sid;
5536 else
5537 goto invalid;
5538 rcu_read_unlock();
5539
5540 if (!sid)
5541 return 0;
5542
5543 error = security_sid_to_context(sid, value, &len);
5544 if (error)
5545 return error;
5546 return len;
5547
5548 invalid:
5549 rcu_read_unlock();
5550 return -EINVAL;
5551 }
5552
5553 static int selinux_setprocattr(struct task_struct *p,
5554 char *name, void *value, size_t size)
5555 {
5556 struct task_security_struct *tsec;
5557 struct task_struct *tracer;
5558 struct cred *new;
5559 u32 sid = 0, ptsid;
5560 int error;
5561 char *str = value;
5562
5563 if (current != p) {
5564 /* SELinux only allows a process to change its own
5565 security attributes. */
5566 return -EACCES;
5567 }
5568
5569 /*
5570 * Basic control over ability to set these attributes at all.
5571 * current == p, but we'll pass them separately in case the
5572 * above restriction is ever removed.
5573 */
5574 if (!strcmp(name, "exec"))
5575 error = current_has_perm(p, PROCESS__SETEXEC);
5576 else if (!strcmp(name, "fscreate"))
5577 error = current_has_perm(p, PROCESS__SETFSCREATE);
5578 else if (!strcmp(name, "keycreate"))
5579 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5580 else if (!strcmp(name, "sockcreate"))
5581 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5582 else if (!strcmp(name, "current"))
5583 error = current_has_perm(p, PROCESS__SETCURRENT);
5584 else
5585 error = -EINVAL;
5586 if (error)
5587 return error;
5588
5589 /* Obtain a SID for the context, if one was specified. */
5590 if (size && str[1] && str[1] != '\n') {
5591 if (str[size-1] == '\n') {
5592 str[size-1] = 0;
5593 size--;
5594 }
5595 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5596 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5597 if (!capable(CAP_MAC_ADMIN)) {
5598 struct audit_buffer *ab;
5599 size_t audit_size;
5600
5601 /* We strip a nul only if it is at the end, otherwise the
5602 * context contains a nul and we should audit that */
5603 if (str[size - 1] == '\0')
5604 audit_size = size - 1;
5605 else
5606 audit_size = size;
5607 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5608 audit_log_format(ab, "op=fscreate invalid_context=");
5609 audit_log_n_untrustedstring(ab, value, audit_size);
5610 audit_log_end(ab);
5611
5612 return error;
5613 }
5614 error = security_context_to_sid_force(value, size,
5615 &sid);
5616 }
5617 if (error)
5618 return error;
5619 }
5620
5621 new = prepare_creds();
5622 if (!new)
5623 return -ENOMEM;
5624
5625 /* Permission checking based on the specified context is
5626 performed during the actual operation (execve,
5627 open/mkdir/...), when we know the full context of the
5628 operation. See selinux_bprm_set_creds for the execve
5629 checks and may_create for the file creation checks. The
5630 operation will then fail if the context is not permitted. */
5631 tsec = new->security;
5632 if (!strcmp(name, "exec")) {
5633 tsec->exec_sid = sid;
5634 } else if (!strcmp(name, "fscreate")) {
5635 tsec->create_sid = sid;
5636 } else if (!strcmp(name, "keycreate")) {
5637 error = may_create_key(sid, p);
5638 if (error)
5639 goto abort_change;
5640 tsec->keycreate_sid = sid;
5641 } else if (!strcmp(name, "sockcreate")) {
5642 tsec->sockcreate_sid = sid;
5643 } else if (!strcmp(name, "current")) {
5644 error = -EINVAL;
5645 if (sid == 0)
5646 goto abort_change;
5647
5648 /* Only allow single threaded processes to change context */
5649 error = -EPERM;
5650 if (!current_is_single_threaded()) {
5651 error = security_bounded_transition(tsec->sid, sid);
5652 if (error)
5653 goto abort_change;
5654 }
5655
5656 /* Check permissions for the transition. */
5657 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5658 PROCESS__DYNTRANSITION, NULL);
5659 if (error)
5660 goto abort_change;
5661
5662 /* Check for ptracing, and update the task SID if ok.
5663 Otherwise, leave SID unchanged and fail. */
5664 ptsid = 0;
5665 rcu_read_lock();
5666 tracer = ptrace_parent(p);
5667 if (tracer)
5668 ptsid = task_sid(tracer);
5669 rcu_read_unlock();
5670
5671 if (tracer) {
5672 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5673 PROCESS__PTRACE, NULL);
5674 if (error)
5675 goto abort_change;
5676 }
5677
5678 tsec->sid = sid;
5679 } else {
5680 error = -EINVAL;
5681 goto abort_change;
5682 }
5683
5684 commit_creds(new);
5685 return size;
5686
5687 abort_change:
5688 abort_creds(new);
5689 return error;
5690 }
5691
5692 static int selinux_ismaclabel(const char *name)
5693 {
5694 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5695 }
5696
5697 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5698 {
5699 return security_sid_to_context(secid, secdata, seclen);
5700 }
5701
5702 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5703 {
5704 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5705 }
5706
5707 static void selinux_release_secctx(char *secdata, u32 seclen)
5708 {
5709 kfree(secdata);
5710 }
5711
5712 /*
5713 * called with inode->i_mutex locked
5714 */
5715 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5716 {
5717 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5718 }
5719
5720 /*
5721 * called with inode->i_mutex locked
5722 */
5723 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5724 {
5725 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5726 }
5727
5728 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5729 {
5730 int len = 0;
5731 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5732 ctx, true);
5733 if (len < 0)
5734 return len;
5735 *ctxlen = len;
5736 return 0;
5737 }
5738 #ifdef CONFIG_KEYS
5739
5740 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5741 unsigned long flags)
5742 {
5743 const struct task_security_struct *tsec;
5744 struct key_security_struct *ksec;
5745
5746 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5747 if (!ksec)
5748 return -ENOMEM;
5749
5750 tsec = cred->security;
5751 if (tsec->keycreate_sid)
5752 ksec->sid = tsec->keycreate_sid;
5753 else
5754 ksec->sid = tsec->sid;
5755
5756 k->security = ksec;
5757 return 0;
5758 }
5759
5760 static void selinux_key_free(struct key *k)
5761 {
5762 struct key_security_struct *ksec = k->security;
5763
5764 k->security = NULL;
5765 kfree(ksec);
5766 }
5767
5768 static int selinux_key_permission(key_ref_t key_ref,
5769 const struct cred *cred,
5770 unsigned perm)
5771 {
5772 struct key *key;
5773 struct key_security_struct *ksec;
5774 u32 sid;
5775
5776 /* if no specific permissions are requested, we skip the
5777 permission check. No serious, additional covert channels
5778 appear to be created. */
5779 if (perm == 0)
5780 return 0;
5781
5782 sid = cred_sid(cred);
5783
5784 key = key_ref_to_ptr(key_ref);
5785 ksec = key->security;
5786
5787 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5788 }
5789
5790 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5791 {
5792 struct key_security_struct *ksec = key->security;
5793 char *context = NULL;
5794 unsigned len;
5795 int rc;
5796
5797 rc = security_sid_to_context(ksec->sid, &context, &len);
5798 if (!rc)
5799 rc = len;
5800 *_buffer = context;
5801 return rc;
5802 }
5803
5804 #endif
5805
5806 static struct security_operations selinux_ops = {
5807 .name = "selinux",
5808
5809 .ptrace_access_check = selinux_ptrace_access_check,
5810 .ptrace_traceme = selinux_ptrace_traceme,
5811 .capget = selinux_capget,
5812 .capset = selinux_capset,
5813 .capable = selinux_capable,
5814 .quotactl = selinux_quotactl,
5815 .quota_on = selinux_quota_on,
5816 .syslog = selinux_syslog,
5817 .vm_enough_memory = selinux_vm_enough_memory,
5818
5819 .netlink_send = selinux_netlink_send,
5820
5821 .bprm_set_creds = selinux_bprm_set_creds,
5822 .bprm_committing_creds = selinux_bprm_committing_creds,
5823 .bprm_committed_creds = selinux_bprm_committed_creds,
5824 .bprm_secureexec = selinux_bprm_secureexec,
5825
5826 .sb_alloc_security = selinux_sb_alloc_security,
5827 .sb_free_security = selinux_sb_free_security,
5828 .sb_copy_data = selinux_sb_copy_data,
5829 .sb_remount = selinux_sb_remount,
5830 .sb_kern_mount = selinux_sb_kern_mount,
5831 .sb_show_options = selinux_sb_show_options,
5832 .sb_statfs = selinux_sb_statfs,
5833 .sb_mount = selinux_mount,
5834 .sb_umount = selinux_umount,
5835 .sb_set_mnt_opts = selinux_set_mnt_opts,
5836 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5837 .sb_parse_opts_str = selinux_parse_opts_str,
5838
5839 .dentry_init_security = selinux_dentry_init_security,
5840
5841 .inode_alloc_security = selinux_inode_alloc_security,
5842 .inode_free_security = selinux_inode_free_security,
5843 .inode_init_security = selinux_inode_init_security,
5844 .inode_create = selinux_inode_create,
5845 .inode_link = selinux_inode_link,
5846 .inode_unlink = selinux_inode_unlink,
5847 .inode_symlink = selinux_inode_symlink,
5848 .inode_mkdir = selinux_inode_mkdir,
5849 .inode_rmdir = selinux_inode_rmdir,
5850 .inode_mknod = selinux_inode_mknod,
5851 .inode_rename = selinux_inode_rename,
5852 .inode_readlink = selinux_inode_readlink,
5853 .inode_follow_link = selinux_inode_follow_link,
5854 .inode_permission = selinux_inode_permission,
5855 .inode_setattr = selinux_inode_setattr,
5856 .inode_getattr = selinux_inode_getattr,
5857 .inode_setxattr = selinux_inode_setxattr,
5858 .inode_post_setxattr = selinux_inode_post_setxattr,
5859 .inode_getxattr = selinux_inode_getxattr,
5860 .inode_listxattr = selinux_inode_listxattr,
5861 .inode_removexattr = selinux_inode_removexattr,
5862 .inode_getsecurity = selinux_inode_getsecurity,
5863 .inode_setsecurity = selinux_inode_setsecurity,
5864 .inode_listsecurity = selinux_inode_listsecurity,
5865 .inode_getsecid = selinux_inode_getsecid,
5866
5867 .file_permission = selinux_file_permission,
5868 .file_alloc_security = selinux_file_alloc_security,
5869 .file_free_security = selinux_file_free_security,
5870 .file_ioctl = selinux_file_ioctl,
5871 .mmap_file = selinux_mmap_file,
5872 .mmap_addr = selinux_mmap_addr,
5873 .file_mprotect = selinux_file_mprotect,
5874 .file_lock = selinux_file_lock,
5875 .file_fcntl = selinux_file_fcntl,
5876 .file_set_fowner = selinux_file_set_fowner,
5877 .file_send_sigiotask = selinux_file_send_sigiotask,
5878 .file_receive = selinux_file_receive,
5879
5880 .file_open = selinux_file_open,
5881
5882 .task_create = selinux_task_create,
5883 .cred_alloc_blank = selinux_cred_alloc_blank,
5884 .cred_free = selinux_cred_free,
5885 .cred_prepare = selinux_cred_prepare,
5886 .cred_transfer = selinux_cred_transfer,
5887 .kernel_act_as = selinux_kernel_act_as,
5888 .kernel_create_files_as = selinux_kernel_create_files_as,
5889 .kernel_module_request = selinux_kernel_module_request,
5890 .task_setpgid = selinux_task_setpgid,
5891 .task_getpgid = selinux_task_getpgid,
5892 .task_getsid = selinux_task_getsid,
5893 .task_getsecid = selinux_task_getsecid,
5894 .task_setnice = selinux_task_setnice,
5895 .task_setioprio = selinux_task_setioprio,
5896 .task_getioprio = selinux_task_getioprio,
5897 .task_setrlimit = selinux_task_setrlimit,
5898 .task_setscheduler = selinux_task_setscheduler,
5899 .task_getscheduler = selinux_task_getscheduler,
5900 .task_movememory = selinux_task_movememory,
5901 .task_kill = selinux_task_kill,
5902 .task_wait = selinux_task_wait,
5903 .task_to_inode = selinux_task_to_inode,
5904
5905 .ipc_permission = selinux_ipc_permission,
5906 .ipc_getsecid = selinux_ipc_getsecid,
5907
5908 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5909 .msg_msg_free_security = selinux_msg_msg_free_security,
5910
5911 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5912 .msg_queue_free_security = selinux_msg_queue_free_security,
5913 .msg_queue_associate = selinux_msg_queue_associate,
5914 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5915 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5916 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5917
5918 .shm_alloc_security = selinux_shm_alloc_security,
5919 .shm_free_security = selinux_shm_free_security,
5920 .shm_associate = selinux_shm_associate,
5921 .shm_shmctl = selinux_shm_shmctl,
5922 .shm_shmat = selinux_shm_shmat,
5923
5924 .sem_alloc_security = selinux_sem_alloc_security,
5925 .sem_free_security = selinux_sem_free_security,
5926 .sem_associate = selinux_sem_associate,
5927 .sem_semctl = selinux_sem_semctl,
5928 .sem_semop = selinux_sem_semop,
5929
5930 .d_instantiate = selinux_d_instantiate,
5931
5932 .getprocattr = selinux_getprocattr,
5933 .setprocattr = selinux_setprocattr,
5934
5935 .ismaclabel = selinux_ismaclabel,
5936 .secid_to_secctx = selinux_secid_to_secctx,
5937 .secctx_to_secid = selinux_secctx_to_secid,
5938 .release_secctx = selinux_release_secctx,
5939 .inode_notifysecctx = selinux_inode_notifysecctx,
5940 .inode_setsecctx = selinux_inode_setsecctx,
5941 .inode_getsecctx = selinux_inode_getsecctx,
5942
5943 .unix_stream_connect = selinux_socket_unix_stream_connect,
5944 .unix_may_send = selinux_socket_unix_may_send,
5945
5946 .socket_create = selinux_socket_create,
5947 .socket_post_create = selinux_socket_post_create,
5948 .socket_bind = selinux_socket_bind,
5949 .socket_connect = selinux_socket_connect,
5950 .socket_listen = selinux_socket_listen,
5951 .socket_accept = selinux_socket_accept,
5952 .socket_sendmsg = selinux_socket_sendmsg,
5953 .socket_recvmsg = selinux_socket_recvmsg,
5954 .socket_getsockname = selinux_socket_getsockname,
5955 .socket_getpeername = selinux_socket_getpeername,
5956 .socket_getsockopt = selinux_socket_getsockopt,
5957 .socket_setsockopt = selinux_socket_setsockopt,
5958 .socket_shutdown = selinux_socket_shutdown,
5959 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5960 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5961 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5962 .sk_alloc_security = selinux_sk_alloc_security,
5963 .sk_free_security = selinux_sk_free_security,
5964 .sk_clone_security = selinux_sk_clone_security,
5965 .sk_getsecid = selinux_sk_getsecid,
5966 .sock_graft = selinux_sock_graft,
5967 .inet_conn_request = selinux_inet_conn_request,
5968 .inet_csk_clone = selinux_inet_csk_clone,
5969 .inet_conn_established = selinux_inet_conn_established,
5970 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5971 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5972 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5973 .req_classify_flow = selinux_req_classify_flow,
5974 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5975 .tun_dev_free_security = selinux_tun_dev_free_security,
5976 .tun_dev_create = selinux_tun_dev_create,
5977 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5978 .tun_dev_attach = selinux_tun_dev_attach,
5979 .tun_dev_open = selinux_tun_dev_open,
5980 .skb_owned_by = selinux_skb_owned_by,
5981
5982 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5983 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5984 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5985 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5986 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5987 .xfrm_state_alloc = selinux_xfrm_state_alloc,
5988 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5989 .xfrm_state_free_security = selinux_xfrm_state_free,
5990 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5991 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5992 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5993 .xfrm_decode_session = selinux_xfrm_decode_session,
5994 #endif
5995
5996 #ifdef CONFIG_KEYS
5997 .key_alloc = selinux_key_alloc,
5998 .key_free = selinux_key_free,
5999 .key_permission = selinux_key_permission,
6000 .key_getsecurity = selinux_key_getsecurity,
6001 #endif
6002
6003 #ifdef CONFIG_AUDIT
6004 .audit_rule_init = selinux_audit_rule_init,
6005 .audit_rule_known = selinux_audit_rule_known,
6006 .audit_rule_match = selinux_audit_rule_match,
6007 .audit_rule_free = selinux_audit_rule_free,
6008 #endif
6009 };
6010
6011 static __init int selinux_init(void)
6012 {
6013 if (!security_module_enable(&selinux_ops)) {
6014 selinux_enabled = 0;
6015 return 0;
6016 }
6017
6018 if (!selinux_enabled) {
6019 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6020 return 0;
6021 }
6022
6023 printk(KERN_INFO "SELinux: Initializing.\n");
6024
6025 /* Set the security state for the initial task. */
6026 cred_init_security();
6027
6028 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6029
6030 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6031 sizeof(struct inode_security_struct),
6032 0, SLAB_PANIC, NULL);
6033 avc_init();
6034
6035 if (register_security(&selinux_ops))
6036 panic("SELinux: Unable to register with kernel.\n");
6037
6038 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6039 panic("SELinux: Unable to register AVC netcache callback\n");
6040
6041 if (selinux_enforcing)
6042 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6043 else
6044 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6045
6046 return 0;
6047 }
6048
6049 static void delayed_superblock_init(struct super_block *sb, void *unused)
6050 {
6051 superblock_doinit(sb, NULL);
6052 }
6053
6054 void selinux_complete_init(void)
6055 {
6056 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6057
6058 /* Set up any superblocks initialized prior to the policy load. */
6059 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6060 iterate_supers(delayed_superblock_init, NULL);
6061 }
6062
6063 /* SELinux requires early initialization in order to label
6064 all processes and objects when they are created. */
6065 security_initcall(selinux_init);
6066
6067 #if defined(CONFIG_NETFILTER)
6068
6069 static struct nf_hook_ops selinux_nf_ops[] = {
6070 {
6071 .hook = selinux_ipv4_postroute,
6072 .owner = THIS_MODULE,
6073 .pf = NFPROTO_IPV4,
6074 .hooknum = NF_INET_POST_ROUTING,
6075 .priority = NF_IP_PRI_SELINUX_LAST,
6076 },
6077 {
6078 .hook = selinux_ipv4_forward,
6079 .owner = THIS_MODULE,
6080 .pf = NFPROTO_IPV4,
6081 .hooknum = NF_INET_FORWARD,
6082 .priority = NF_IP_PRI_SELINUX_FIRST,
6083 },
6084 {
6085 .hook = selinux_ipv4_output,
6086 .owner = THIS_MODULE,
6087 .pf = NFPROTO_IPV4,
6088 .hooknum = NF_INET_LOCAL_OUT,
6089 .priority = NF_IP_PRI_SELINUX_FIRST,
6090 },
6091 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6092 {
6093 .hook = selinux_ipv6_postroute,
6094 .owner = THIS_MODULE,
6095 .pf = NFPROTO_IPV6,
6096 .hooknum = NF_INET_POST_ROUTING,
6097 .priority = NF_IP6_PRI_SELINUX_LAST,
6098 },
6099 {
6100 .hook = selinux_ipv6_forward,
6101 .owner = THIS_MODULE,
6102 .pf = NFPROTO_IPV6,
6103 .hooknum = NF_INET_FORWARD,
6104 .priority = NF_IP6_PRI_SELINUX_FIRST,
6105 },
6106 #endif /* IPV6 */
6107 };
6108
6109 static int __init selinux_nf_ip_init(void)
6110 {
6111 int err;
6112
6113 if (!selinux_enabled)
6114 return 0;
6115
6116 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6117
6118 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6119 if (err)
6120 panic("SELinux: nf_register_hooks: error %d\n", err);
6121
6122 return 0;
6123 }
6124
6125 __initcall(selinux_nf_ip_init);
6126
6127 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6128 static void selinux_nf_ip_exit(void)
6129 {
6130 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6131
6132 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6133 }
6134 #endif
6135
6136 #else /* CONFIG_NETFILTER */
6137
6138 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6139 #define selinux_nf_ip_exit()
6140 #endif
6141
6142 #endif /* CONFIG_NETFILTER */
6143
6144 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6145 static int selinux_disabled;
6146
6147 int selinux_disable(void)
6148 {
6149 if (ss_initialized) {
6150 /* Not permitted after initial policy load. */
6151 return -EINVAL;
6152 }
6153
6154 if (selinux_disabled) {
6155 /* Only do this once. */
6156 return -EINVAL;
6157 }
6158
6159 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6160
6161 selinux_disabled = 1;
6162 selinux_enabled = 0;
6163
6164 reset_security_ops();
6165
6166 /* Try to destroy the avc node cache */
6167 avc_disable();
6168
6169 /* Unregister netfilter hooks. */
6170 selinux_nf_ip_exit();
6171
6172 /* Unregister selinuxfs. */
6173 exit_sel_fs();
6174
6175 return 0;
6176 }
6177 #endif
Ubuntu Eoan Linux kernel mirror