]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-hirsute-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
userns: rename is_owner_or_cap to inode_owner_or_capable
[mirror_ubuntu-hirsute-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <asm/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83
84 #include "avc.h"
85 #include "objsec.h"
86 #include "netif.h"
87 #include "netnode.h"
88 #include "netport.h"
89 #include "xfrm.h"
90 #include "netlabel.h"
91 #include "audit.h"
92
93 #define NUM_SEL_MNT_OPTS 5
94
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
109 return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
122 return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129 static struct kmem_cache *sel_inode_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled.
139 *
140 */
141 static int selinux_secmark_enabled(void)
142 {
143 return (atomic_read(&selinux_secmark_refcount) > 0);
144 }
145
146 /*
147 * initialise the security for the init task
148 */
149 static void cred_init_security(void)
150 {
151 struct cred *cred = (struct cred *) current->real_cred;
152 struct task_security_struct *tsec;
153
154 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
155 if (!tsec)
156 panic("SELinux: Failed to initialize initial task.\n");
157
158 tsec->osid = tsec->sid = SECINITSID_KERNEL;
159 cred->security = tsec;
160 }
161
162 /*
163 * get the security ID of a set of credentials
164 */
165 static inline u32 cred_sid(const struct cred *cred)
166 {
167 const struct task_security_struct *tsec;
168
169 tsec = cred->security;
170 return tsec->sid;
171 }
172
173 /*
174 * get the objective security ID of a task
175 */
176 static inline u32 task_sid(const struct task_struct *task)
177 {
178 u32 sid;
179
180 rcu_read_lock();
181 sid = cred_sid(__task_cred(task));
182 rcu_read_unlock();
183 return sid;
184 }
185
186 /*
187 * get the subjective security ID of the current task
188 */
189 static inline u32 current_sid(void)
190 {
191 const struct task_security_struct *tsec = current_security();
192
193 return tsec->sid;
194 }
195
196 /* Allocate and free functions for each kind of security blob. */
197
198 static int inode_alloc_security(struct inode *inode)
199 {
200 struct inode_security_struct *isec;
201 u32 sid = current_sid();
202
203 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
204 if (!isec)
205 return -ENOMEM;
206
207 mutex_init(&isec->lock);
208 INIT_LIST_HEAD(&isec->list);
209 isec->inode = inode;
210 isec->sid = SECINITSID_UNLABELED;
211 isec->sclass = SECCLASS_FILE;
212 isec->task_sid = sid;
213 inode->i_security = isec;
214
215 return 0;
216 }
217
218 static void inode_free_security(struct inode *inode)
219 {
220 struct inode_security_struct *isec = inode->i_security;
221 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222
223 spin_lock(&sbsec->isec_lock);
224 if (!list_empty(&isec->list))
225 list_del_init(&isec->list);
226 spin_unlock(&sbsec->isec_lock);
227
228 inode->i_security = NULL;
229 kmem_cache_free(sel_inode_cache, isec);
230 }
231
232 static int file_alloc_security(struct file *file)
233 {
234 struct file_security_struct *fsec;
235 u32 sid = current_sid();
236
237 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
238 if (!fsec)
239 return -ENOMEM;
240
241 fsec->sid = sid;
242 fsec->fown_sid = sid;
243 file->f_security = fsec;
244
245 return 0;
246 }
247
248 static void file_free_security(struct file *file)
249 {
250 struct file_security_struct *fsec = file->f_security;
251 file->f_security = NULL;
252 kfree(fsec);
253 }
254
255 static int superblock_alloc_security(struct super_block *sb)
256 {
257 struct superblock_security_struct *sbsec;
258
259 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
260 if (!sbsec)
261 return -ENOMEM;
262
263 mutex_init(&sbsec->lock);
264 INIT_LIST_HEAD(&sbsec->isec_head);
265 spin_lock_init(&sbsec->isec_lock);
266 sbsec->sb = sb;
267 sbsec->sid = SECINITSID_UNLABELED;
268 sbsec->def_sid = SECINITSID_FILE;
269 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
270 sb->s_security = sbsec;
271
272 return 0;
273 }
274
275 static void superblock_free_security(struct super_block *sb)
276 {
277 struct superblock_security_struct *sbsec = sb->s_security;
278 sb->s_security = NULL;
279 kfree(sbsec);
280 }
281
282 /* The security server must be initialized before
283 any labeling or access decisions can be provided. */
284 extern int ss_initialized;
285
286 /* The file system's label must be initialized prior to use. */
287
288 static const char *labeling_behaviors[6] = {
289 "uses xattr",
290 "uses transition SIDs",
291 "uses task SIDs",
292 "uses genfs_contexts",
293 "not configured for labeling",
294 "uses mountpoint labeling",
295 };
296
297 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
298
299 static inline int inode_doinit(struct inode *inode)
300 {
301 return inode_doinit_with_dentry(inode, NULL);
302 }
303
304 enum {
305 Opt_error = -1,
306 Opt_context = 1,
307 Opt_fscontext = 2,
308 Opt_defcontext = 3,
309 Opt_rootcontext = 4,
310 Opt_labelsupport = 5,
311 };
312
313 static const match_table_t tokens = {
314 {Opt_context, CONTEXT_STR "%s"},
315 {Opt_fscontext, FSCONTEXT_STR "%s"},
316 {Opt_defcontext, DEFCONTEXT_STR "%s"},
317 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
318 {Opt_labelsupport, LABELSUPP_STR},
319 {Opt_error, NULL},
320 };
321
322 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
323
324 static int may_context_mount_sb_relabel(u32 sid,
325 struct superblock_security_struct *sbsec,
326 const struct cred *cred)
327 {
328 const struct task_security_struct *tsec = cred->security;
329 int rc;
330
331 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
332 FILESYSTEM__RELABELFROM, NULL);
333 if (rc)
334 return rc;
335
336 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
337 FILESYSTEM__RELABELTO, NULL);
338 return rc;
339 }
340
341 static int may_context_mount_inode_relabel(u32 sid,
342 struct superblock_security_struct *sbsec,
343 const struct cred *cred)
344 {
345 const struct task_security_struct *tsec = cred->security;
346 int rc;
347 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELFROM, NULL);
349 if (rc)
350 return rc;
351
352 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
353 FILESYSTEM__ASSOCIATE, NULL);
354 return rc;
355 }
356
357 static int sb_finish_set_opts(struct super_block *sb)
358 {
359 struct superblock_security_struct *sbsec = sb->s_security;
360 struct dentry *root = sb->s_root;
361 struct inode *root_inode = root->d_inode;
362 int rc = 0;
363
364 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
365 /* Make sure that the xattr handler exists and that no
366 error other than -ENODATA is returned by getxattr on
367 the root directory. -ENODATA is ok, as this may be
368 the first boot of the SELinux kernel before we have
369 assigned xattr values to the filesystem. */
370 if (!root_inode->i_op->getxattr) {
371 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
372 "xattr support\n", sb->s_id, sb->s_type->name);
373 rc = -EOPNOTSUPP;
374 goto out;
375 }
376 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
377 if (rc < 0 && rc != -ENODATA) {
378 if (rc == -EOPNOTSUPP)
379 printk(KERN_WARNING "SELinux: (dev %s, type "
380 "%s) has no security xattr handler\n",
381 sb->s_id, sb->s_type->name);
382 else
383 printk(KERN_WARNING "SELinux: (dev %s, type "
384 "%s) getxattr errno %d\n", sb->s_id,
385 sb->s_type->name, -rc);
386 goto out;
387 }
388 }
389
390 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
391
392 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
393 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
394 sb->s_id, sb->s_type->name);
395 else
396 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
397 sb->s_id, sb->s_type->name,
398 labeling_behaviors[sbsec->behavior-1]);
399
400 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
401 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
402 sbsec->behavior == SECURITY_FS_USE_NONE ||
403 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
404 sbsec->flags &= ~SE_SBLABELSUPP;
405
406 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
407 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
408 sbsec->flags |= SE_SBLABELSUPP;
409
410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
412
413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418 next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
430 }
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
434 }
435 spin_unlock(&sbsec->isec_lock);
436 out:
437 return rc;
438 }
439
440 /*
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
444 */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446 struct security_mnt_opts *opts)
447 {
448 int rc = 0, i;
449 struct superblock_security_struct *sbsec = sb->s_security;
450 char *context = NULL;
451 u32 len;
452 char tmp;
453
454 security_init_mnt_opts(opts);
455
456 if (!(sbsec->flags & SE_SBINITIALIZED))
457 return -EINVAL;
458
459 if (!ss_initialized)
460 return -EINVAL;
461
462 tmp = sbsec->flags & SE_MNTMASK;
463 /* count the number of mount options for this sb */
464 for (i = 0; i < 8; i++) {
465 if (tmp & 0x01)
466 opts->num_mnt_opts++;
467 tmp >>= 1;
468 }
469 /* Check if the Label support flag is set */
470 if (sbsec->flags & SE_SBLABELSUPP)
471 opts->num_mnt_opts++;
472
473 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
474 if (!opts->mnt_opts) {
475 rc = -ENOMEM;
476 goto out_free;
477 }
478
479 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
480 if (!opts->mnt_opts_flags) {
481 rc = -ENOMEM;
482 goto out_free;
483 }
484
485 i = 0;
486 if (sbsec->flags & FSCONTEXT_MNT) {
487 rc = security_sid_to_context(sbsec->sid, &context, &len);
488 if (rc)
489 goto out_free;
490 opts->mnt_opts[i] = context;
491 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
492 }
493 if (sbsec->flags & CONTEXT_MNT) {
494 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
495 if (rc)
496 goto out_free;
497 opts->mnt_opts[i] = context;
498 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
499 }
500 if (sbsec->flags & DEFCONTEXT_MNT) {
501 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
502 if (rc)
503 goto out_free;
504 opts->mnt_opts[i] = context;
505 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
506 }
507 if (sbsec->flags & ROOTCONTEXT_MNT) {
508 struct inode *root = sbsec->sb->s_root->d_inode;
509 struct inode_security_struct *isec = root->i_security;
510
511 rc = security_sid_to_context(isec->sid, &context, &len);
512 if (rc)
513 goto out_free;
514 opts->mnt_opts[i] = context;
515 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
516 }
517 if (sbsec->flags & SE_SBLABELSUPP) {
518 opts->mnt_opts[i] = NULL;
519 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
520 }
521
522 BUG_ON(i != opts->num_mnt_opts);
523
524 return 0;
525
526 out_free:
527 security_free_mnt_opts(opts);
528 return rc;
529 }
530
531 static int bad_option(struct superblock_security_struct *sbsec, char flag,
532 u32 old_sid, u32 new_sid)
533 {
534 char mnt_flags = sbsec->flags & SE_MNTMASK;
535
536 /* check if the old mount command had the same options */
537 if (sbsec->flags & SE_SBINITIALIZED)
538 if (!(sbsec->flags & flag) ||
539 (old_sid != new_sid))
540 return 1;
541
542 /* check if we were passed the same options twice,
543 * aka someone passed context=a,context=b
544 */
545 if (!(sbsec->flags & SE_SBINITIALIZED))
546 if (mnt_flags & flag)
547 return 1;
548 return 0;
549 }
550
551 /*
552 * Allow filesystems with binary mount data to explicitly set mount point
553 * labeling information.
554 */
555 static int selinux_set_mnt_opts(struct super_block *sb,
556 struct security_mnt_opts *opts)
557 {
558 const struct cred *cred = current_cred();
559 int rc = 0, i;
560 struct superblock_security_struct *sbsec = sb->s_security;
561 const char *name = sb->s_type->name;
562 struct inode *inode = sbsec->sb->s_root->d_inode;
563 struct inode_security_struct *root_isec = inode->i_security;
564 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
565 u32 defcontext_sid = 0;
566 char **mount_options = opts->mnt_opts;
567 int *flags = opts->mnt_opts_flags;
568 int num_opts = opts->num_mnt_opts;
569
570 mutex_lock(&sbsec->lock);
571
572 if (!ss_initialized) {
573 if (!num_opts) {
574 /* Defer initialization until selinux_complete_init,
575 after the initial policy is loaded and the security
576 server is ready to handle calls. */
577 goto out;
578 }
579 rc = -EINVAL;
580 printk(KERN_WARNING "SELinux: Unable to set superblock options "
581 "before the security server is initialized\n");
582 goto out;
583 }
584
585 /*
586 * Binary mount data FS will come through this function twice. Once
587 * from an explicit call and once from the generic calls from the vfs.
588 * Since the generic VFS calls will not contain any security mount data
589 * we need to skip the double mount verification.
590 *
591 * This does open a hole in which we will not notice if the first
592 * mount using this sb set explict options and a second mount using
593 * this sb does not set any security options. (The first options
594 * will be used for both mounts)
595 */
596 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
597 && (num_opts == 0))
598 goto out;
599
600 /*
601 * parse the mount options, check if they are valid sids.
602 * also check if someone is trying to mount the same sb more
603 * than once with different security options.
604 */
605 for (i = 0; i < num_opts; i++) {
606 u32 sid;
607
608 if (flags[i] == SE_SBLABELSUPP)
609 continue;
610 rc = security_context_to_sid(mount_options[i],
611 strlen(mount_options[i]), &sid);
612 if (rc) {
613 printk(KERN_WARNING "SELinux: security_context_to_sid"
614 "(%s) failed for (dev %s, type %s) errno=%d\n",
615 mount_options[i], sb->s_id, name, rc);
616 goto out;
617 }
618 switch (flags[i]) {
619 case FSCONTEXT_MNT:
620 fscontext_sid = sid;
621
622 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
623 fscontext_sid))
624 goto out_double_mount;
625
626 sbsec->flags |= FSCONTEXT_MNT;
627 break;
628 case CONTEXT_MNT:
629 context_sid = sid;
630
631 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
632 context_sid))
633 goto out_double_mount;
634
635 sbsec->flags |= CONTEXT_MNT;
636 break;
637 case ROOTCONTEXT_MNT:
638 rootcontext_sid = sid;
639
640 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
641 rootcontext_sid))
642 goto out_double_mount;
643
644 sbsec->flags |= ROOTCONTEXT_MNT;
645
646 break;
647 case DEFCONTEXT_MNT:
648 defcontext_sid = sid;
649
650 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
651 defcontext_sid))
652 goto out_double_mount;
653
654 sbsec->flags |= DEFCONTEXT_MNT;
655
656 break;
657 default:
658 rc = -EINVAL;
659 goto out;
660 }
661 }
662
663 if (sbsec->flags & SE_SBINITIALIZED) {
664 /* previously mounted with options, but not on this attempt? */
665 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
666 goto out_double_mount;
667 rc = 0;
668 goto out;
669 }
670
671 if (strcmp(sb->s_type->name, "proc") == 0)
672 sbsec->flags |= SE_SBPROC;
673
674 /* Determine the labeling behavior to use for this filesystem type. */
675 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
676 if (rc) {
677 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
678 __func__, sb->s_type->name, rc);
679 goto out;
680 }
681
682 /* sets the context of the superblock for the fs being mounted. */
683 if (fscontext_sid) {
684 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
685 if (rc)
686 goto out;
687
688 sbsec->sid = fscontext_sid;
689 }
690
691 /*
692 * Switch to using mount point labeling behavior.
693 * sets the label used on all file below the mountpoint, and will set
694 * the superblock context if not already set.
695 */
696 if (context_sid) {
697 if (!fscontext_sid) {
698 rc = may_context_mount_sb_relabel(context_sid, sbsec,
699 cred);
700 if (rc)
701 goto out;
702 sbsec->sid = context_sid;
703 } else {
704 rc = may_context_mount_inode_relabel(context_sid, sbsec,
705 cred);
706 if (rc)
707 goto out;
708 }
709 if (!rootcontext_sid)
710 rootcontext_sid = context_sid;
711
712 sbsec->mntpoint_sid = context_sid;
713 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
714 }
715
716 if (rootcontext_sid) {
717 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
718 cred);
719 if (rc)
720 goto out;
721
722 root_isec->sid = rootcontext_sid;
723 root_isec->initialized = 1;
724 }
725
726 if (defcontext_sid) {
727 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
728 rc = -EINVAL;
729 printk(KERN_WARNING "SELinux: defcontext option is "
730 "invalid for this filesystem type\n");
731 goto out;
732 }
733
734 if (defcontext_sid != sbsec->def_sid) {
735 rc = may_context_mount_inode_relabel(defcontext_sid,
736 sbsec, cred);
737 if (rc)
738 goto out;
739 }
740
741 sbsec->def_sid = defcontext_sid;
742 }
743
744 rc = sb_finish_set_opts(sb);
745 out:
746 mutex_unlock(&sbsec->lock);
747 return rc;
748 out_double_mount:
749 rc = -EINVAL;
750 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
751 "security settings for (dev %s, type %s)\n", sb->s_id, name);
752 goto out;
753 }
754
755 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
756 struct super_block *newsb)
757 {
758 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
759 struct superblock_security_struct *newsbsec = newsb->s_security;
760
761 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
762 int set_context = (oldsbsec->flags & CONTEXT_MNT);
763 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
764
765 /*
766 * if the parent was able to be mounted it clearly had no special lsm
767 * mount options. thus we can safely deal with this superblock later
768 */
769 if (!ss_initialized)
770 return;
771
772 /* how can we clone if the old one wasn't set up?? */
773 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
774
775 /* if fs is reusing a sb, just let its options stand... */
776 if (newsbsec->flags & SE_SBINITIALIZED)
777 return;
778
779 mutex_lock(&newsbsec->lock);
780
781 newsbsec->flags = oldsbsec->flags;
782
783 newsbsec->sid = oldsbsec->sid;
784 newsbsec->def_sid = oldsbsec->def_sid;
785 newsbsec->behavior = oldsbsec->behavior;
786
787 if (set_context) {
788 u32 sid = oldsbsec->mntpoint_sid;
789
790 if (!set_fscontext)
791 newsbsec->sid = sid;
792 if (!set_rootcontext) {
793 struct inode *newinode = newsb->s_root->d_inode;
794 struct inode_security_struct *newisec = newinode->i_security;
795 newisec->sid = sid;
796 }
797 newsbsec->mntpoint_sid = sid;
798 }
799 if (set_rootcontext) {
800 const struct inode *oldinode = oldsb->s_root->d_inode;
801 const struct inode_security_struct *oldisec = oldinode->i_security;
802 struct inode *newinode = newsb->s_root->d_inode;
803 struct inode_security_struct *newisec = newinode->i_security;
804
805 newisec->sid = oldisec->sid;
806 }
807
808 sb_finish_set_opts(newsb);
809 mutex_unlock(&newsbsec->lock);
810 }
811
812 static int selinux_parse_opts_str(char *options,
813 struct security_mnt_opts *opts)
814 {
815 char *p;
816 char *context = NULL, *defcontext = NULL;
817 char *fscontext = NULL, *rootcontext = NULL;
818 int rc, num_mnt_opts = 0;
819
820 opts->num_mnt_opts = 0;
821
822 /* Standard string-based options. */
823 while ((p = strsep(&options, "|")) != NULL) {
824 int token;
825 substring_t args[MAX_OPT_ARGS];
826
827 if (!*p)
828 continue;
829
830 token = match_token(p, tokens, args);
831
832 switch (token) {
833 case Opt_context:
834 if (context || defcontext) {
835 rc = -EINVAL;
836 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
837 goto out_err;
838 }
839 context = match_strdup(&args[0]);
840 if (!context) {
841 rc = -ENOMEM;
842 goto out_err;
843 }
844 break;
845
846 case Opt_fscontext:
847 if (fscontext) {
848 rc = -EINVAL;
849 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
850 goto out_err;
851 }
852 fscontext = match_strdup(&args[0]);
853 if (!fscontext) {
854 rc = -ENOMEM;
855 goto out_err;
856 }
857 break;
858
859 case Opt_rootcontext:
860 if (rootcontext) {
861 rc = -EINVAL;
862 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863 goto out_err;
864 }
865 rootcontext = match_strdup(&args[0]);
866 if (!rootcontext) {
867 rc = -ENOMEM;
868 goto out_err;
869 }
870 break;
871
872 case Opt_defcontext:
873 if (context || defcontext) {
874 rc = -EINVAL;
875 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 goto out_err;
877 }
878 defcontext = match_strdup(&args[0]);
879 if (!defcontext) {
880 rc = -ENOMEM;
881 goto out_err;
882 }
883 break;
884 case Opt_labelsupport:
885 break;
886 default:
887 rc = -EINVAL;
888 printk(KERN_WARNING "SELinux: unknown mount option\n");
889 goto out_err;
890
891 }
892 }
893
894 rc = -ENOMEM;
895 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
896 if (!opts->mnt_opts)
897 goto out_err;
898
899 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
900 if (!opts->mnt_opts_flags) {
901 kfree(opts->mnt_opts);
902 goto out_err;
903 }
904
905 if (fscontext) {
906 opts->mnt_opts[num_mnt_opts] = fscontext;
907 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
908 }
909 if (context) {
910 opts->mnt_opts[num_mnt_opts] = context;
911 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
912 }
913 if (rootcontext) {
914 opts->mnt_opts[num_mnt_opts] = rootcontext;
915 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
916 }
917 if (defcontext) {
918 opts->mnt_opts[num_mnt_opts] = defcontext;
919 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
920 }
921
922 opts->num_mnt_opts = num_mnt_opts;
923 return 0;
924
925 out_err:
926 kfree(context);
927 kfree(defcontext);
928 kfree(fscontext);
929 kfree(rootcontext);
930 return rc;
931 }
932 /*
933 * string mount options parsing and call set the sbsec
934 */
935 static int superblock_doinit(struct super_block *sb, void *data)
936 {
937 int rc = 0;
938 char *options = data;
939 struct security_mnt_opts opts;
940
941 security_init_mnt_opts(&opts);
942
943 if (!data)
944 goto out;
945
946 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
947
948 rc = selinux_parse_opts_str(options, &opts);
949 if (rc)
950 goto out_err;
951
952 out:
953 rc = selinux_set_mnt_opts(sb, &opts);
954
955 out_err:
956 security_free_mnt_opts(&opts);
957 return rc;
958 }
959
960 static void selinux_write_opts(struct seq_file *m,
961 struct security_mnt_opts *opts)
962 {
963 int i;
964 char *prefix;
965
966 for (i = 0; i < opts->num_mnt_opts; i++) {
967 char *has_comma;
968
969 if (opts->mnt_opts[i])
970 has_comma = strchr(opts->mnt_opts[i], ',');
971 else
972 has_comma = NULL;
973
974 switch (opts->mnt_opts_flags[i]) {
975 case CONTEXT_MNT:
976 prefix = CONTEXT_STR;
977 break;
978 case FSCONTEXT_MNT:
979 prefix = FSCONTEXT_STR;
980 break;
981 case ROOTCONTEXT_MNT:
982 prefix = ROOTCONTEXT_STR;
983 break;
984 case DEFCONTEXT_MNT:
985 prefix = DEFCONTEXT_STR;
986 break;
987 case SE_SBLABELSUPP:
988 seq_putc(m, ',');
989 seq_puts(m, LABELSUPP_STR);
990 continue;
991 default:
992 BUG();
993 };
994 /* we need a comma before each option */
995 seq_putc(m, ',');
996 seq_puts(m, prefix);
997 if (has_comma)
998 seq_putc(m, '\"');
999 seq_puts(m, opts->mnt_opts[i]);
1000 if (has_comma)
1001 seq_putc(m, '\"');
1002 }
1003 }
1004
1005 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1006 {
1007 struct security_mnt_opts opts;
1008 int rc;
1009
1010 rc = selinux_get_mnt_opts(sb, &opts);
1011 if (rc) {
1012 /* before policy load we may get EINVAL, don't show anything */
1013 if (rc == -EINVAL)
1014 rc = 0;
1015 return rc;
1016 }
1017
1018 selinux_write_opts(m, &opts);
1019
1020 security_free_mnt_opts(&opts);
1021
1022 return rc;
1023 }
1024
1025 static inline u16 inode_mode_to_security_class(umode_t mode)
1026 {
1027 switch (mode & S_IFMT) {
1028 case S_IFSOCK:
1029 return SECCLASS_SOCK_FILE;
1030 case S_IFLNK:
1031 return SECCLASS_LNK_FILE;
1032 case S_IFREG:
1033 return SECCLASS_FILE;
1034 case S_IFBLK:
1035 return SECCLASS_BLK_FILE;
1036 case S_IFDIR:
1037 return SECCLASS_DIR;
1038 case S_IFCHR:
1039 return SECCLASS_CHR_FILE;
1040 case S_IFIFO:
1041 return SECCLASS_FIFO_FILE;
1042
1043 }
1044
1045 return SECCLASS_FILE;
1046 }
1047
1048 static inline int default_protocol_stream(int protocol)
1049 {
1050 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1051 }
1052
1053 static inline int default_protocol_dgram(int protocol)
1054 {
1055 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1056 }
1057
1058 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1059 {
1060 switch (family) {
1061 case PF_UNIX:
1062 switch (type) {
1063 case SOCK_STREAM:
1064 case SOCK_SEQPACKET:
1065 return SECCLASS_UNIX_STREAM_SOCKET;
1066 case SOCK_DGRAM:
1067 return SECCLASS_UNIX_DGRAM_SOCKET;
1068 }
1069 break;
1070 case PF_INET:
1071 case PF_INET6:
1072 switch (type) {
1073 case SOCK_STREAM:
1074 if (default_protocol_stream(protocol))
1075 return SECCLASS_TCP_SOCKET;
1076 else
1077 return SECCLASS_RAWIP_SOCKET;
1078 case SOCK_DGRAM:
1079 if (default_protocol_dgram(protocol))
1080 return SECCLASS_UDP_SOCKET;
1081 else
1082 return SECCLASS_RAWIP_SOCKET;
1083 case SOCK_DCCP:
1084 return SECCLASS_DCCP_SOCKET;
1085 default:
1086 return SECCLASS_RAWIP_SOCKET;
1087 }
1088 break;
1089 case PF_NETLINK:
1090 switch (protocol) {
1091 case NETLINK_ROUTE:
1092 return SECCLASS_NETLINK_ROUTE_SOCKET;
1093 case NETLINK_FIREWALL:
1094 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1095 case NETLINK_INET_DIAG:
1096 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1097 case NETLINK_NFLOG:
1098 return SECCLASS_NETLINK_NFLOG_SOCKET;
1099 case NETLINK_XFRM:
1100 return SECCLASS_NETLINK_XFRM_SOCKET;
1101 case NETLINK_SELINUX:
1102 return SECCLASS_NETLINK_SELINUX_SOCKET;
1103 case NETLINK_AUDIT:
1104 return SECCLASS_NETLINK_AUDIT_SOCKET;
1105 case NETLINK_IP6_FW:
1106 return SECCLASS_NETLINK_IP6FW_SOCKET;
1107 case NETLINK_DNRTMSG:
1108 return SECCLASS_NETLINK_DNRT_SOCKET;
1109 case NETLINK_KOBJECT_UEVENT:
1110 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1111 default:
1112 return SECCLASS_NETLINK_SOCKET;
1113 }
1114 case PF_PACKET:
1115 return SECCLASS_PACKET_SOCKET;
1116 case PF_KEY:
1117 return SECCLASS_KEY_SOCKET;
1118 case PF_APPLETALK:
1119 return SECCLASS_APPLETALK_SOCKET;
1120 }
1121
1122 return SECCLASS_SOCKET;
1123 }
1124
1125 #ifdef CONFIG_PROC_FS
1126 static int selinux_proc_get_sid(struct dentry *dentry,
1127 u16 tclass,
1128 u32 *sid)
1129 {
1130 int rc;
1131 char *buffer, *path;
1132
1133 buffer = (char *)__get_free_page(GFP_KERNEL);
1134 if (!buffer)
1135 return -ENOMEM;
1136
1137 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1138 if (IS_ERR(path))
1139 rc = PTR_ERR(path);
1140 else {
1141 /* each process gets a /proc/PID/ entry. Strip off the
1142 * PID part to get a valid selinux labeling.
1143 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1144 while (path[1] >= '0' && path[1] <= '9') {
1145 path[1] = '/';
1146 path++;
1147 }
1148 rc = security_genfs_sid("proc", path, tclass, sid);
1149 }
1150 free_page((unsigned long)buffer);
1151 return rc;
1152 }
1153 #else
1154 static int selinux_proc_get_sid(struct dentry *dentry,
1155 u16 tclass,
1156 u32 *sid)
1157 {
1158 return -EINVAL;
1159 }
1160 #endif
1161
1162 /* The inode's security attributes must be initialized before first use. */
1163 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1164 {
1165 struct superblock_security_struct *sbsec = NULL;
1166 struct inode_security_struct *isec = inode->i_security;
1167 u32 sid;
1168 struct dentry *dentry;
1169 #define INITCONTEXTLEN 255
1170 char *context = NULL;
1171 unsigned len = 0;
1172 int rc = 0;
1173
1174 if (isec->initialized)
1175 goto out;
1176
1177 mutex_lock(&isec->lock);
1178 if (isec->initialized)
1179 goto out_unlock;
1180
1181 sbsec = inode->i_sb->s_security;
1182 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1183 /* Defer initialization until selinux_complete_init,
1184 after the initial policy is loaded and the security
1185 server is ready to handle calls. */
1186 spin_lock(&sbsec->isec_lock);
1187 if (list_empty(&isec->list))
1188 list_add(&isec->list, &sbsec->isec_head);
1189 spin_unlock(&sbsec->isec_lock);
1190 goto out_unlock;
1191 }
1192
1193 switch (sbsec->behavior) {
1194 case SECURITY_FS_USE_XATTR:
1195 if (!inode->i_op->getxattr) {
1196 isec->sid = sbsec->def_sid;
1197 break;
1198 }
1199
1200 /* Need a dentry, since the xattr API requires one.
1201 Life would be simpler if we could just pass the inode. */
1202 if (opt_dentry) {
1203 /* Called from d_instantiate or d_splice_alias. */
1204 dentry = dget(opt_dentry);
1205 } else {
1206 /* Called from selinux_complete_init, try to find a dentry. */
1207 dentry = d_find_alias(inode);
1208 }
1209 if (!dentry) {
1210 /*
1211 * this is can be hit on boot when a file is accessed
1212 * before the policy is loaded. When we load policy we
1213 * may find inodes that have no dentry on the
1214 * sbsec->isec_head list. No reason to complain as these
1215 * will get fixed up the next time we go through
1216 * inode_doinit with a dentry, before these inodes could
1217 * be used again by userspace.
1218 */
1219 goto out_unlock;
1220 }
1221
1222 len = INITCONTEXTLEN;
1223 context = kmalloc(len+1, GFP_NOFS);
1224 if (!context) {
1225 rc = -ENOMEM;
1226 dput(dentry);
1227 goto out_unlock;
1228 }
1229 context[len] = '\0';
1230 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1231 context, len);
1232 if (rc == -ERANGE) {
1233 kfree(context);
1234
1235 /* Need a larger buffer. Query for the right size. */
1236 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1237 NULL, 0);
1238 if (rc < 0) {
1239 dput(dentry);
1240 goto out_unlock;
1241 }
1242 len = rc;
1243 context = kmalloc(len+1, GFP_NOFS);
1244 if (!context) {
1245 rc = -ENOMEM;
1246 dput(dentry);
1247 goto out_unlock;
1248 }
1249 context[len] = '\0';
1250 rc = inode->i_op->getxattr(dentry,
1251 XATTR_NAME_SELINUX,
1252 context, len);
1253 }
1254 dput(dentry);
1255 if (rc < 0) {
1256 if (rc != -ENODATA) {
1257 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1258 "%d for dev=%s ino=%ld\n", __func__,
1259 -rc, inode->i_sb->s_id, inode->i_ino);
1260 kfree(context);
1261 goto out_unlock;
1262 }
1263 /* Map ENODATA to the default file SID */
1264 sid = sbsec->def_sid;
1265 rc = 0;
1266 } else {
1267 rc = security_context_to_sid_default(context, rc, &sid,
1268 sbsec->def_sid,
1269 GFP_NOFS);
1270 if (rc) {
1271 char *dev = inode->i_sb->s_id;
1272 unsigned long ino = inode->i_ino;
1273
1274 if (rc == -EINVAL) {
1275 if (printk_ratelimit())
1276 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1277 "context=%s. This indicates you may need to relabel the inode or the "
1278 "filesystem in question.\n", ino, dev, context);
1279 } else {
1280 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1281 "returned %d for dev=%s ino=%ld\n",
1282 __func__, context, -rc, dev, ino);
1283 }
1284 kfree(context);
1285 /* Leave with the unlabeled SID */
1286 rc = 0;
1287 break;
1288 }
1289 }
1290 kfree(context);
1291 isec->sid = sid;
1292 break;
1293 case SECURITY_FS_USE_TASK:
1294 isec->sid = isec->task_sid;
1295 break;
1296 case SECURITY_FS_USE_TRANS:
1297 /* Default to the fs SID. */
1298 isec->sid = sbsec->sid;
1299
1300 /* Try to obtain a transition SID. */
1301 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1302 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1303 isec->sclass, NULL, &sid);
1304 if (rc)
1305 goto out_unlock;
1306 isec->sid = sid;
1307 break;
1308 case SECURITY_FS_USE_MNTPOINT:
1309 isec->sid = sbsec->mntpoint_sid;
1310 break;
1311 default:
1312 /* Default to the fs superblock SID. */
1313 isec->sid = sbsec->sid;
1314
1315 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1316 if (opt_dentry) {
1317 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1318 rc = selinux_proc_get_sid(opt_dentry,
1319 isec->sclass,
1320 &sid);
1321 if (rc)
1322 goto out_unlock;
1323 isec->sid = sid;
1324 }
1325 }
1326 break;
1327 }
1328
1329 isec->initialized = 1;
1330
1331 out_unlock:
1332 mutex_unlock(&isec->lock);
1333 out:
1334 if (isec->sclass == SECCLASS_FILE)
1335 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1336 return rc;
1337 }
1338
1339 /* Convert a Linux signal to an access vector. */
1340 static inline u32 signal_to_av(int sig)
1341 {
1342 u32 perm = 0;
1343
1344 switch (sig) {
1345 case SIGCHLD:
1346 /* Commonly granted from child to parent. */
1347 perm = PROCESS__SIGCHLD;
1348 break;
1349 case SIGKILL:
1350 /* Cannot be caught or ignored */
1351 perm = PROCESS__SIGKILL;
1352 break;
1353 case SIGSTOP:
1354 /* Cannot be caught or ignored */
1355 perm = PROCESS__SIGSTOP;
1356 break;
1357 default:
1358 /* All other signals. */
1359 perm = PROCESS__SIGNAL;
1360 break;
1361 }
1362
1363 return perm;
1364 }
1365
1366 /*
1367 * Check permission between a pair of credentials
1368 * fork check, ptrace check, etc.
1369 */
1370 static int cred_has_perm(const struct cred *actor,
1371 const struct cred *target,
1372 u32 perms)
1373 {
1374 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1375
1376 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1377 }
1378
1379 /*
1380 * Check permission between a pair of tasks, e.g. signal checks,
1381 * fork check, ptrace check, etc.
1382 * tsk1 is the actor and tsk2 is the target
1383 * - this uses the default subjective creds of tsk1
1384 */
1385 static int task_has_perm(const struct task_struct *tsk1,
1386 const struct task_struct *tsk2,
1387 u32 perms)
1388 {
1389 const struct task_security_struct *__tsec1, *__tsec2;
1390 u32 sid1, sid2;
1391
1392 rcu_read_lock();
1393 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1394 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1395 rcu_read_unlock();
1396 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1397 }
1398
1399 /*
1400 * Check permission between current and another task, e.g. signal checks,
1401 * fork check, ptrace check, etc.
1402 * current is the actor and tsk2 is the target
1403 * - this uses current's subjective creds
1404 */
1405 static int current_has_perm(const struct task_struct *tsk,
1406 u32 perms)
1407 {
1408 u32 sid, tsid;
1409
1410 sid = current_sid();
1411 tsid = task_sid(tsk);
1412 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1413 }
1414
1415 #if CAP_LAST_CAP > 63
1416 #error Fix SELinux to handle capabilities > 63.
1417 #endif
1418
1419 /* Check whether a task is allowed to use a capability. */
1420 static int task_has_capability(struct task_struct *tsk,
1421 const struct cred *cred,
1422 int cap, int audit)
1423 {
1424 struct common_audit_data ad;
1425 struct av_decision avd;
1426 u16 sclass;
1427 u32 sid = cred_sid(cred);
1428 u32 av = CAP_TO_MASK(cap);
1429 int rc;
1430
1431 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1432 ad.tsk = tsk;
1433 ad.u.cap = cap;
1434
1435 switch (CAP_TO_INDEX(cap)) {
1436 case 0:
1437 sclass = SECCLASS_CAPABILITY;
1438 break;
1439 case 1:
1440 sclass = SECCLASS_CAPABILITY2;
1441 break;
1442 default:
1443 printk(KERN_ERR
1444 "SELinux: out of range capability %d\n", cap);
1445 BUG();
1446 }
1447
1448 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1449 if (audit == SECURITY_CAP_AUDIT)
1450 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1451 return rc;
1452 }
1453
1454 /* Check whether a task is allowed to use a system operation. */
1455 static int task_has_system(struct task_struct *tsk,
1456 u32 perms)
1457 {
1458 u32 sid = task_sid(tsk);
1459
1460 return avc_has_perm(sid, SECINITSID_KERNEL,
1461 SECCLASS_SYSTEM, perms, NULL);
1462 }
1463
1464 /* Check whether a task has a particular permission to an inode.
1465 The 'adp' parameter is optional and allows other audit
1466 data to be passed (e.g. the dentry). */
1467 static int inode_has_perm(const struct cred *cred,
1468 struct inode *inode,
1469 u32 perms,
1470 struct common_audit_data *adp)
1471 {
1472 struct inode_security_struct *isec;
1473 struct common_audit_data ad;
1474 u32 sid;
1475
1476 validate_creds(cred);
1477
1478 if (unlikely(IS_PRIVATE(inode)))
1479 return 0;
1480
1481 sid = cred_sid(cred);
1482 isec = inode->i_security;
1483
1484 if (!adp) {
1485 adp = &ad;
1486 COMMON_AUDIT_DATA_INIT(&ad, FS);
1487 ad.u.fs.inode = inode;
1488 }
1489
1490 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1491 }
1492
1493 /* Same as inode_has_perm, but pass explicit audit data containing
1494 the dentry to help the auditing code to more easily generate the
1495 pathname if needed. */
1496 static inline int dentry_has_perm(const struct cred *cred,
1497 struct vfsmount *mnt,
1498 struct dentry *dentry,
1499 u32 av)
1500 {
1501 struct inode *inode = dentry->d_inode;
1502 struct common_audit_data ad;
1503
1504 COMMON_AUDIT_DATA_INIT(&ad, FS);
1505 ad.u.fs.path.mnt = mnt;
1506 ad.u.fs.path.dentry = dentry;
1507 return inode_has_perm(cred, inode, av, &ad);
1508 }
1509
1510 /* Check whether a task can use an open file descriptor to
1511 access an inode in a given way. Check access to the
1512 descriptor itself, and then use dentry_has_perm to
1513 check a particular permission to the file.
1514 Access to the descriptor is implicitly granted if it
1515 has the same SID as the process. If av is zero, then
1516 access to the file is not checked, e.g. for cases
1517 where only the descriptor is affected like seek. */
1518 static int file_has_perm(const struct cred *cred,
1519 struct file *file,
1520 u32 av)
1521 {
1522 struct file_security_struct *fsec = file->f_security;
1523 struct inode *inode = file->f_path.dentry->d_inode;
1524 struct common_audit_data ad;
1525 u32 sid = cred_sid(cred);
1526 int rc;
1527
1528 COMMON_AUDIT_DATA_INIT(&ad, FS);
1529 ad.u.fs.path = file->f_path;
1530
1531 if (sid != fsec->sid) {
1532 rc = avc_has_perm(sid, fsec->sid,
1533 SECCLASS_FD,
1534 FD__USE,
1535 &ad);
1536 if (rc)
1537 goto out;
1538 }
1539
1540 /* av is zero if only checking access to the descriptor. */
1541 rc = 0;
1542 if (av)
1543 rc = inode_has_perm(cred, inode, av, &ad);
1544
1545 out:
1546 return rc;
1547 }
1548
1549 /* Check whether a task can create a file. */
1550 static int may_create(struct inode *dir,
1551 struct dentry *dentry,
1552 u16 tclass)
1553 {
1554 const struct task_security_struct *tsec = current_security();
1555 struct inode_security_struct *dsec;
1556 struct superblock_security_struct *sbsec;
1557 u32 sid, newsid;
1558 struct common_audit_data ad;
1559 int rc;
1560
1561 dsec = dir->i_security;
1562 sbsec = dir->i_sb->s_security;
1563
1564 sid = tsec->sid;
1565 newsid = tsec->create_sid;
1566
1567 COMMON_AUDIT_DATA_INIT(&ad, FS);
1568 ad.u.fs.path.dentry = dentry;
1569
1570 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1571 DIR__ADD_NAME | DIR__SEARCH,
1572 &ad);
1573 if (rc)
1574 return rc;
1575
1576 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1577 rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid);
1578 if (rc)
1579 return rc;
1580 }
1581
1582 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1583 if (rc)
1584 return rc;
1585
1586 return avc_has_perm(newsid, sbsec->sid,
1587 SECCLASS_FILESYSTEM,
1588 FILESYSTEM__ASSOCIATE, &ad);
1589 }
1590
1591 /* Check whether a task can create a key. */
1592 static int may_create_key(u32 ksid,
1593 struct task_struct *ctx)
1594 {
1595 u32 sid = task_sid(ctx);
1596
1597 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1598 }
1599
1600 #define MAY_LINK 0
1601 #define MAY_UNLINK 1
1602 #define MAY_RMDIR 2
1603
1604 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1605 static int may_link(struct inode *dir,
1606 struct dentry *dentry,
1607 int kind)
1608
1609 {
1610 struct inode_security_struct *dsec, *isec;
1611 struct common_audit_data ad;
1612 u32 sid = current_sid();
1613 u32 av;
1614 int rc;
1615
1616 dsec = dir->i_security;
1617 isec = dentry->d_inode->i_security;
1618
1619 COMMON_AUDIT_DATA_INIT(&ad, FS);
1620 ad.u.fs.path.dentry = dentry;
1621
1622 av = DIR__SEARCH;
1623 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1624 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1625 if (rc)
1626 return rc;
1627
1628 switch (kind) {
1629 case MAY_LINK:
1630 av = FILE__LINK;
1631 break;
1632 case MAY_UNLINK:
1633 av = FILE__UNLINK;
1634 break;
1635 case MAY_RMDIR:
1636 av = DIR__RMDIR;
1637 break;
1638 default:
1639 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1640 __func__, kind);
1641 return 0;
1642 }
1643
1644 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1645 return rc;
1646 }
1647
1648 static inline int may_rename(struct inode *old_dir,
1649 struct dentry *old_dentry,
1650 struct inode *new_dir,
1651 struct dentry *new_dentry)
1652 {
1653 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1654 struct common_audit_data ad;
1655 u32 sid = current_sid();
1656 u32 av;
1657 int old_is_dir, new_is_dir;
1658 int rc;
1659
1660 old_dsec = old_dir->i_security;
1661 old_isec = old_dentry->d_inode->i_security;
1662 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1663 new_dsec = new_dir->i_security;
1664
1665 COMMON_AUDIT_DATA_INIT(&ad, FS);
1666
1667 ad.u.fs.path.dentry = old_dentry;
1668 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1669 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1670 if (rc)
1671 return rc;
1672 rc = avc_has_perm(sid, old_isec->sid,
1673 old_isec->sclass, FILE__RENAME, &ad);
1674 if (rc)
1675 return rc;
1676 if (old_is_dir && new_dir != old_dir) {
1677 rc = avc_has_perm(sid, old_isec->sid,
1678 old_isec->sclass, DIR__REPARENT, &ad);
1679 if (rc)
1680 return rc;
1681 }
1682
1683 ad.u.fs.path.dentry = new_dentry;
1684 av = DIR__ADD_NAME | DIR__SEARCH;
1685 if (new_dentry->d_inode)
1686 av |= DIR__REMOVE_NAME;
1687 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1688 if (rc)
1689 return rc;
1690 if (new_dentry->d_inode) {
1691 new_isec = new_dentry->d_inode->i_security;
1692 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1693 rc = avc_has_perm(sid, new_isec->sid,
1694 new_isec->sclass,
1695 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1696 if (rc)
1697 return rc;
1698 }
1699
1700 return 0;
1701 }
1702
1703 /* Check whether a task can perform a filesystem operation. */
1704 static int superblock_has_perm(const struct cred *cred,
1705 struct super_block *sb,
1706 u32 perms,
1707 struct common_audit_data *ad)
1708 {
1709 struct superblock_security_struct *sbsec;
1710 u32 sid = cred_sid(cred);
1711
1712 sbsec = sb->s_security;
1713 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1714 }
1715
1716 /* Convert a Linux mode and permission mask to an access vector. */
1717 static inline u32 file_mask_to_av(int mode, int mask)
1718 {
1719 u32 av = 0;
1720
1721 if ((mode & S_IFMT) != S_IFDIR) {
1722 if (mask & MAY_EXEC)
1723 av |= FILE__EXECUTE;
1724 if (mask & MAY_READ)
1725 av |= FILE__READ;
1726
1727 if (mask & MAY_APPEND)
1728 av |= FILE__APPEND;
1729 else if (mask & MAY_WRITE)
1730 av |= FILE__WRITE;
1731
1732 } else {
1733 if (mask & MAY_EXEC)
1734 av |= DIR__SEARCH;
1735 if (mask & MAY_WRITE)
1736 av |= DIR__WRITE;
1737 if (mask & MAY_READ)
1738 av |= DIR__READ;
1739 }
1740
1741 return av;
1742 }
1743
1744 /* Convert a Linux file to an access vector. */
1745 static inline u32 file_to_av(struct file *file)
1746 {
1747 u32 av = 0;
1748
1749 if (file->f_mode & FMODE_READ)
1750 av |= FILE__READ;
1751 if (file->f_mode & FMODE_WRITE) {
1752 if (file->f_flags & O_APPEND)
1753 av |= FILE__APPEND;
1754 else
1755 av |= FILE__WRITE;
1756 }
1757 if (!av) {
1758 /*
1759 * Special file opened with flags 3 for ioctl-only use.
1760 */
1761 av = FILE__IOCTL;
1762 }
1763
1764 return av;
1765 }
1766
1767 /*
1768 * Convert a file to an access vector and include the correct open
1769 * open permission.
1770 */
1771 static inline u32 open_file_to_av(struct file *file)
1772 {
1773 u32 av = file_to_av(file);
1774
1775 if (selinux_policycap_openperm)
1776 av |= FILE__OPEN;
1777
1778 return av;
1779 }
1780
1781 /* Hook functions begin here. */
1782
1783 static int selinux_ptrace_access_check(struct task_struct *child,
1784 unsigned int mode)
1785 {
1786 int rc;
1787
1788 rc = cap_ptrace_access_check(child, mode);
1789 if (rc)
1790 return rc;
1791
1792 if (mode == PTRACE_MODE_READ) {
1793 u32 sid = current_sid();
1794 u32 csid = task_sid(child);
1795 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1796 }
1797
1798 return current_has_perm(child, PROCESS__PTRACE);
1799 }
1800
1801 static int selinux_ptrace_traceme(struct task_struct *parent)
1802 {
1803 int rc;
1804
1805 rc = cap_ptrace_traceme(parent);
1806 if (rc)
1807 return rc;
1808
1809 return task_has_perm(parent, current, PROCESS__PTRACE);
1810 }
1811
1812 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1813 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1814 {
1815 int error;
1816
1817 error = current_has_perm(target, PROCESS__GETCAP);
1818 if (error)
1819 return error;
1820
1821 return cap_capget(target, effective, inheritable, permitted);
1822 }
1823
1824 static int selinux_capset(struct cred *new, const struct cred *old,
1825 const kernel_cap_t *effective,
1826 const kernel_cap_t *inheritable,
1827 const kernel_cap_t *permitted)
1828 {
1829 int error;
1830
1831 error = cap_capset(new, old,
1832 effective, inheritable, permitted);
1833 if (error)
1834 return error;
1835
1836 return cred_has_perm(old, new, PROCESS__SETCAP);
1837 }
1838
1839 /*
1840 * (This comment used to live with the selinux_task_setuid hook,
1841 * which was removed).
1842 *
1843 * Since setuid only affects the current process, and since the SELinux
1844 * controls are not based on the Linux identity attributes, SELinux does not
1845 * need to control this operation. However, SELinux does control the use of
1846 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1847 */
1848
1849 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1850 struct user_namespace *ns, int cap, int audit)
1851 {
1852 int rc;
1853
1854 rc = cap_capable(tsk, cred, ns, cap, audit);
1855 if (rc)
1856 return rc;
1857
1858 return task_has_capability(tsk, cred, cap, audit);
1859 }
1860
1861 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1862 {
1863 const struct cred *cred = current_cred();
1864 int rc = 0;
1865
1866 if (!sb)
1867 return 0;
1868
1869 switch (cmds) {
1870 case Q_SYNC:
1871 case Q_QUOTAON:
1872 case Q_QUOTAOFF:
1873 case Q_SETINFO:
1874 case Q_SETQUOTA:
1875 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1876 break;
1877 case Q_GETFMT:
1878 case Q_GETINFO:
1879 case Q_GETQUOTA:
1880 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1881 break;
1882 default:
1883 rc = 0; /* let the kernel handle invalid cmds */
1884 break;
1885 }
1886 return rc;
1887 }
1888
1889 static int selinux_quota_on(struct dentry *dentry)
1890 {
1891 const struct cred *cred = current_cred();
1892
1893 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1894 }
1895
1896 static int selinux_syslog(int type)
1897 {
1898 int rc;
1899
1900 switch (type) {
1901 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1902 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1903 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1904 break;
1905 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1906 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1907 /* Set level of messages printed to console */
1908 case SYSLOG_ACTION_CONSOLE_LEVEL:
1909 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1910 break;
1911 case SYSLOG_ACTION_CLOSE: /* Close log */
1912 case SYSLOG_ACTION_OPEN: /* Open log */
1913 case SYSLOG_ACTION_READ: /* Read from log */
1914 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1915 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1916 default:
1917 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1918 break;
1919 }
1920 return rc;
1921 }
1922
1923 /*
1924 * Check that a process has enough memory to allocate a new virtual
1925 * mapping. 0 means there is enough memory for the allocation to
1926 * succeed and -ENOMEM implies there is not.
1927 *
1928 * Do not audit the selinux permission check, as this is applied to all
1929 * processes that allocate mappings.
1930 */
1931 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1932 {
1933 int rc, cap_sys_admin = 0;
1934
1935 rc = selinux_capable(current, current_cred(),
1936 &init_user_ns, CAP_SYS_ADMIN,
1937 SECURITY_CAP_NOAUDIT);
1938 if (rc == 0)
1939 cap_sys_admin = 1;
1940
1941 return __vm_enough_memory(mm, pages, cap_sys_admin);
1942 }
1943
1944 /* binprm security operations */
1945
1946 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1947 {
1948 const struct task_security_struct *old_tsec;
1949 struct task_security_struct *new_tsec;
1950 struct inode_security_struct *isec;
1951 struct common_audit_data ad;
1952 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1953 int rc;
1954
1955 rc = cap_bprm_set_creds(bprm);
1956 if (rc)
1957 return rc;
1958
1959 /* SELinux context only depends on initial program or script and not
1960 * the script interpreter */
1961 if (bprm->cred_prepared)
1962 return 0;
1963
1964 old_tsec = current_security();
1965 new_tsec = bprm->cred->security;
1966 isec = inode->i_security;
1967
1968 /* Default to the current task SID. */
1969 new_tsec->sid = old_tsec->sid;
1970 new_tsec->osid = old_tsec->sid;
1971
1972 /* Reset fs, key, and sock SIDs on execve. */
1973 new_tsec->create_sid = 0;
1974 new_tsec->keycreate_sid = 0;
1975 new_tsec->sockcreate_sid = 0;
1976
1977 if (old_tsec->exec_sid) {
1978 new_tsec->sid = old_tsec->exec_sid;
1979 /* Reset exec SID on execve. */
1980 new_tsec->exec_sid = 0;
1981 } else {
1982 /* Check for a default transition on this program. */
1983 rc = security_transition_sid(old_tsec->sid, isec->sid,
1984 SECCLASS_PROCESS, NULL,
1985 &new_tsec->sid);
1986 if (rc)
1987 return rc;
1988 }
1989
1990 COMMON_AUDIT_DATA_INIT(&ad, FS);
1991 ad.u.fs.path = bprm->file->f_path;
1992
1993 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1994 new_tsec->sid = old_tsec->sid;
1995
1996 if (new_tsec->sid == old_tsec->sid) {
1997 rc = avc_has_perm(old_tsec->sid, isec->sid,
1998 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1999 if (rc)
2000 return rc;
2001 } else {
2002 /* Check permissions for the transition. */
2003 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2004 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2005 if (rc)
2006 return rc;
2007
2008 rc = avc_has_perm(new_tsec->sid, isec->sid,
2009 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2010 if (rc)
2011 return rc;
2012
2013 /* Check for shared state */
2014 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2015 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2016 SECCLASS_PROCESS, PROCESS__SHARE,
2017 NULL);
2018 if (rc)
2019 return -EPERM;
2020 }
2021
2022 /* Make sure that anyone attempting to ptrace over a task that
2023 * changes its SID has the appropriate permit */
2024 if (bprm->unsafe &
2025 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2026 struct task_struct *tracer;
2027 struct task_security_struct *sec;
2028 u32 ptsid = 0;
2029
2030 rcu_read_lock();
2031 tracer = tracehook_tracer_task(current);
2032 if (likely(tracer != NULL)) {
2033 sec = __task_cred(tracer)->security;
2034 ptsid = sec->sid;
2035 }
2036 rcu_read_unlock();
2037
2038 if (ptsid != 0) {
2039 rc = avc_has_perm(ptsid, new_tsec->sid,
2040 SECCLASS_PROCESS,
2041 PROCESS__PTRACE, NULL);
2042 if (rc)
2043 return -EPERM;
2044 }
2045 }
2046
2047 /* Clear any possibly unsafe personality bits on exec: */
2048 bprm->per_clear |= PER_CLEAR_ON_SETID;
2049 }
2050
2051 return 0;
2052 }
2053
2054 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2055 {
2056 const struct task_security_struct *tsec = current_security();
2057 u32 sid, osid;
2058 int atsecure = 0;
2059
2060 sid = tsec->sid;
2061 osid = tsec->osid;
2062
2063 if (osid != sid) {
2064 /* Enable secure mode for SIDs transitions unless
2065 the noatsecure permission is granted between
2066 the two SIDs, i.e. ahp returns 0. */
2067 atsecure = avc_has_perm(osid, sid,
2068 SECCLASS_PROCESS,
2069 PROCESS__NOATSECURE, NULL);
2070 }
2071
2072 return (atsecure || cap_bprm_secureexec(bprm));
2073 }
2074
2075 extern struct vfsmount *selinuxfs_mount;
2076 extern struct dentry *selinux_null;
2077
2078 /* Derived from fs/exec.c:flush_old_files. */
2079 static inline void flush_unauthorized_files(const struct cred *cred,
2080 struct files_struct *files)
2081 {
2082 struct common_audit_data ad;
2083 struct file *file, *devnull = NULL;
2084 struct tty_struct *tty;
2085 struct fdtable *fdt;
2086 long j = -1;
2087 int drop_tty = 0;
2088
2089 tty = get_current_tty();
2090 if (tty) {
2091 spin_lock(&tty_files_lock);
2092 if (!list_empty(&tty->tty_files)) {
2093 struct tty_file_private *file_priv;
2094 struct inode *inode;
2095
2096 /* Revalidate access to controlling tty.
2097 Use inode_has_perm on the tty inode directly rather
2098 than using file_has_perm, as this particular open
2099 file may belong to another process and we are only
2100 interested in the inode-based check here. */
2101 file_priv = list_first_entry(&tty->tty_files,
2102 struct tty_file_private, list);
2103 file = file_priv->file;
2104 inode = file->f_path.dentry->d_inode;
2105 if (inode_has_perm(cred, inode,
2106 FILE__READ | FILE__WRITE, NULL)) {
2107 drop_tty = 1;
2108 }
2109 }
2110 spin_unlock(&tty_files_lock);
2111 tty_kref_put(tty);
2112 }
2113 /* Reset controlling tty. */
2114 if (drop_tty)
2115 no_tty();
2116
2117 /* Revalidate access to inherited open files. */
2118
2119 COMMON_AUDIT_DATA_INIT(&ad, FS);
2120
2121 spin_lock(&files->file_lock);
2122 for (;;) {
2123 unsigned long set, i;
2124 int fd;
2125
2126 j++;
2127 i = j * __NFDBITS;
2128 fdt = files_fdtable(files);
2129 if (i >= fdt->max_fds)
2130 break;
2131 set = fdt->open_fds->fds_bits[j];
2132 if (!set)
2133 continue;
2134 spin_unlock(&files->file_lock);
2135 for ( ; set ; i++, set >>= 1) {
2136 if (set & 1) {
2137 file = fget(i);
2138 if (!file)
2139 continue;
2140 if (file_has_perm(cred,
2141 file,
2142 file_to_av(file))) {
2143 sys_close(i);
2144 fd = get_unused_fd();
2145 if (fd != i) {
2146 if (fd >= 0)
2147 put_unused_fd(fd);
2148 fput(file);
2149 continue;
2150 }
2151 if (devnull) {
2152 get_file(devnull);
2153 } else {
2154 devnull = dentry_open(
2155 dget(selinux_null),
2156 mntget(selinuxfs_mount),
2157 O_RDWR, cred);
2158 if (IS_ERR(devnull)) {
2159 devnull = NULL;
2160 put_unused_fd(fd);
2161 fput(file);
2162 continue;
2163 }
2164 }
2165 fd_install(fd, devnull);
2166 }
2167 fput(file);
2168 }
2169 }
2170 spin_lock(&files->file_lock);
2171
2172 }
2173 spin_unlock(&files->file_lock);
2174 }
2175
2176 /*
2177 * Prepare a process for imminent new credential changes due to exec
2178 */
2179 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2180 {
2181 struct task_security_struct *new_tsec;
2182 struct rlimit *rlim, *initrlim;
2183 int rc, i;
2184
2185 new_tsec = bprm->cred->security;
2186 if (new_tsec->sid == new_tsec->osid)
2187 return;
2188
2189 /* Close files for which the new task SID is not authorized. */
2190 flush_unauthorized_files(bprm->cred, current->files);
2191
2192 /* Always clear parent death signal on SID transitions. */
2193 current->pdeath_signal = 0;
2194
2195 /* Check whether the new SID can inherit resource limits from the old
2196 * SID. If not, reset all soft limits to the lower of the current
2197 * task's hard limit and the init task's soft limit.
2198 *
2199 * Note that the setting of hard limits (even to lower them) can be
2200 * controlled by the setrlimit check. The inclusion of the init task's
2201 * soft limit into the computation is to avoid resetting soft limits
2202 * higher than the default soft limit for cases where the default is
2203 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2204 */
2205 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2206 PROCESS__RLIMITINH, NULL);
2207 if (rc) {
2208 /* protect against do_prlimit() */
2209 task_lock(current);
2210 for (i = 0; i < RLIM_NLIMITS; i++) {
2211 rlim = current->signal->rlim + i;
2212 initrlim = init_task.signal->rlim + i;
2213 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2214 }
2215 task_unlock(current);
2216 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2217 }
2218 }
2219
2220 /*
2221 * Clean up the process immediately after the installation of new credentials
2222 * due to exec
2223 */
2224 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2225 {
2226 const struct task_security_struct *tsec = current_security();
2227 struct itimerval itimer;
2228 u32 osid, sid;
2229 int rc, i;
2230
2231 osid = tsec->osid;
2232 sid = tsec->sid;
2233
2234 if (sid == osid)
2235 return;
2236
2237 /* Check whether the new SID can inherit signal state from the old SID.
2238 * If not, clear itimers to avoid subsequent signal generation and
2239 * flush and unblock signals.
2240 *
2241 * This must occur _after_ the task SID has been updated so that any
2242 * kill done after the flush will be checked against the new SID.
2243 */
2244 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2245 if (rc) {
2246 memset(&itimer, 0, sizeof itimer);
2247 for (i = 0; i < 3; i++)
2248 do_setitimer(i, &itimer, NULL);
2249 spin_lock_irq(&current->sighand->siglock);
2250 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2251 __flush_signals(current);
2252 flush_signal_handlers(current, 1);
2253 sigemptyset(&current->blocked);
2254 }
2255 spin_unlock_irq(&current->sighand->siglock);
2256 }
2257
2258 /* Wake up the parent if it is waiting so that it can recheck
2259 * wait permission to the new task SID. */
2260 read_lock(&tasklist_lock);
2261 __wake_up_parent(current, current->real_parent);
2262 read_unlock(&tasklist_lock);
2263 }
2264
2265 /* superblock security operations */
2266
2267 static int selinux_sb_alloc_security(struct super_block *sb)
2268 {
2269 return superblock_alloc_security(sb);
2270 }
2271
2272 static void selinux_sb_free_security(struct super_block *sb)
2273 {
2274 superblock_free_security(sb);
2275 }
2276
2277 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2278 {
2279 if (plen > olen)
2280 return 0;
2281
2282 return !memcmp(prefix, option, plen);
2283 }
2284
2285 static inline int selinux_option(char *option, int len)
2286 {
2287 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2288 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2289 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2290 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2291 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2292 }
2293
2294 static inline void take_option(char **to, char *from, int *first, int len)
2295 {
2296 if (!*first) {
2297 **to = ',';
2298 *to += 1;
2299 } else
2300 *first = 0;
2301 memcpy(*to, from, len);
2302 *to += len;
2303 }
2304
2305 static inline void take_selinux_option(char **to, char *from, int *first,
2306 int len)
2307 {
2308 int current_size = 0;
2309
2310 if (!*first) {
2311 **to = '|';
2312 *to += 1;
2313 } else
2314 *first = 0;
2315
2316 while (current_size < len) {
2317 if (*from != '"') {
2318 **to = *from;
2319 *to += 1;
2320 }
2321 from += 1;
2322 current_size += 1;
2323 }
2324 }
2325
2326 static int selinux_sb_copy_data(char *orig, char *copy)
2327 {
2328 int fnosec, fsec, rc = 0;
2329 char *in_save, *in_curr, *in_end;
2330 char *sec_curr, *nosec_save, *nosec;
2331 int open_quote = 0;
2332
2333 in_curr = orig;
2334 sec_curr = copy;
2335
2336 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2337 if (!nosec) {
2338 rc = -ENOMEM;
2339 goto out;
2340 }
2341
2342 nosec_save = nosec;
2343 fnosec = fsec = 1;
2344 in_save = in_end = orig;
2345
2346 do {
2347 if (*in_end == '"')
2348 open_quote = !open_quote;
2349 if ((*in_end == ',' && open_quote == 0) ||
2350 *in_end == '\0') {
2351 int len = in_end - in_curr;
2352
2353 if (selinux_option(in_curr, len))
2354 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2355 else
2356 take_option(&nosec, in_curr, &fnosec, len);
2357
2358 in_curr = in_end + 1;
2359 }
2360 } while (*in_end++);
2361
2362 strcpy(in_save, nosec_save);
2363 free_page((unsigned long)nosec_save);
2364 out:
2365 return rc;
2366 }
2367
2368 static int selinux_sb_remount(struct super_block *sb, void *data)
2369 {
2370 int rc, i, *flags;
2371 struct security_mnt_opts opts;
2372 char *secdata, **mount_options;
2373 struct superblock_security_struct *sbsec = sb->s_security;
2374
2375 if (!(sbsec->flags & SE_SBINITIALIZED))
2376 return 0;
2377
2378 if (!data)
2379 return 0;
2380
2381 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2382 return 0;
2383
2384 security_init_mnt_opts(&opts);
2385 secdata = alloc_secdata();
2386 if (!secdata)
2387 return -ENOMEM;
2388 rc = selinux_sb_copy_data(data, secdata);
2389 if (rc)
2390 goto out_free_secdata;
2391
2392 rc = selinux_parse_opts_str(secdata, &opts);
2393 if (rc)
2394 goto out_free_secdata;
2395
2396 mount_options = opts.mnt_opts;
2397 flags = opts.mnt_opts_flags;
2398
2399 for (i = 0; i < opts.num_mnt_opts; i++) {
2400 u32 sid;
2401 size_t len;
2402
2403 if (flags[i] == SE_SBLABELSUPP)
2404 continue;
2405 len = strlen(mount_options[i]);
2406 rc = security_context_to_sid(mount_options[i], len, &sid);
2407 if (rc) {
2408 printk(KERN_WARNING "SELinux: security_context_to_sid"
2409 "(%s) failed for (dev %s, type %s) errno=%d\n",
2410 mount_options[i], sb->s_id, sb->s_type->name, rc);
2411 goto out_free_opts;
2412 }
2413 rc = -EINVAL;
2414 switch (flags[i]) {
2415 case FSCONTEXT_MNT:
2416 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2417 goto out_bad_option;
2418 break;
2419 case CONTEXT_MNT:
2420 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2421 goto out_bad_option;
2422 break;
2423 case ROOTCONTEXT_MNT: {
2424 struct inode_security_struct *root_isec;
2425 root_isec = sb->s_root->d_inode->i_security;
2426
2427 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2428 goto out_bad_option;
2429 break;
2430 }
2431 case DEFCONTEXT_MNT:
2432 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2433 goto out_bad_option;
2434 break;
2435 default:
2436 goto out_free_opts;
2437 }
2438 }
2439
2440 rc = 0;
2441 out_free_opts:
2442 security_free_mnt_opts(&opts);
2443 out_free_secdata:
2444 free_secdata(secdata);
2445 return rc;
2446 out_bad_option:
2447 printk(KERN_WARNING "SELinux: unable to change security options "
2448 "during remount (dev %s, type=%s)\n", sb->s_id,
2449 sb->s_type->name);
2450 goto out_free_opts;
2451 }
2452
2453 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2454 {
2455 const struct cred *cred = current_cred();
2456 struct common_audit_data ad;
2457 int rc;
2458
2459 rc = superblock_doinit(sb, data);
2460 if (rc)
2461 return rc;
2462
2463 /* Allow all mounts performed by the kernel */
2464 if (flags & MS_KERNMOUNT)
2465 return 0;
2466
2467 COMMON_AUDIT_DATA_INIT(&ad, FS);
2468 ad.u.fs.path.dentry = sb->s_root;
2469 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2470 }
2471
2472 static int selinux_sb_statfs(struct dentry *dentry)
2473 {
2474 const struct cred *cred = current_cred();
2475 struct common_audit_data ad;
2476
2477 COMMON_AUDIT_DATA_INIT(&ad, FS);
2478 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2479 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2480 }
2481
2482 static int selinux_mount(char *dev_name,
2483 struct path *path,
2484 char *type,
2485 unsigned long flags,
2486 void *data)
2487 {
2488 const struct cred *cred = current_cred();
2489
2490 if (flags & MS_REMOUNT)
2491 return superblock_has_perm(cred, path->mnt->mnt_sb,
2492 FILESYSTEM__REMOUNT, NULL);
2493 else
2494 return dentry_has_perm(cred, path->mnt, path->dentry,
2495 FILE__MOUNTON);
2496 }
2497
2498 static int selinux_umount(struct vfsmount *mnt, int flags)
2499 {
2500 const struct cred *cred = current_cred();
2501
2502 return superblock_has_perm(cred, mnt->mnt_sb,
2503 FILESYSTEM__UNMOUNT, NULL);
2504 }
2505
2506 /* inode security operations */
2507
2508 static int selinux_inode_alloc_security(struct inode *inode)
2509 {
2510 return inode_alloc_security(inode);
2511 }
2512
2513 static void selinux_inode_free_security(struct inode *inode)
2514 {
2515 inode_free_security(inode);
2516 }
2517
2518 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2519 const struct qstr *qstr, char **name,
2520 void **value, size_t *len)
2521 {
2522 const struct task_security_struct *tsec = current_security();
2523 struct inode_security_struct *dsec;
2524 struct superblock_security_struct *sbsec;
2525 u32 sid, newsid, clen;
2526 int rc;
2527 char *namep = NULL, *context;
2528
2529 dsec = dir->i_security;
2530 sbsec = dir->i_sb->s_security;
2531
2532 sid = tsec->sid;
2533 newsid = tsec->create_sid;
2534
2535 if ((sbsec->flags & SE_SBINITIALIZED) &&
2536 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2537 newsid = sbsec->mntpoint_sid;
2538 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2539 rc = security_transition_sid(sid, dsec->sid,
2540 inode_mode_to_security_class(inode->i_mode),
2541 qstr, &newsid);
2542 if (rc) {
2543 printk(KERN_WARNING "%s: "
2544 "security_transition_sid failed, rc=%d (dev=%s "
2545 "ino=%ld)\n",
2546 __func__,
2547 -rc, inode->i_sb->s_id, inode->i_ino);
2548 return rc;
2549 }
2550 }
2551
2552 /* Possibly defer initialization to selinux_complete_init. */
2553 if (sbsec->flags & SE_SBINITIALIZED) {
2554 struct inode_security_struct *isec = inode->i_security;
2555 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2556 isec->sid = newsid;
2557 isec->initialized = 1;
2558 }
2559
2560 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2561 return -EOPNOTSUPP;
2562
2563 if (name) {
2564 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2565 if (!namep)
2566 return -ENOMEM;
2567 *name = namep;
2568 }
2569
2570 if (value && len) {
2571 rc = security_sid_to_context_force(newsid, &context, &clen);
2572 if (rc) {
2573 kfree(namep);
2574 return rc;
2575 }
2576 *value = context;
2577 *len = clen;
2578 }
2579
2580 return 0;
2581 }
2582
2583 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2584 {
2585 return may_create(dir, dentry, SECCLASS_FILE);
2586 }
2587
2588 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2589 {
2590 return may_link(dir, old_dentry, MAY_LINK);
2591 }
2592
2593 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2594 {
2595 return may_link(dir, dentry, MAY_UNLINK);
2596 }
2597
2598 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2599 {
2600 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2601 }
2602
2603 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2604 {
2605 return may_create(dir, dentry, SECCLASS_DIR);
2606 }
2607
2608 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2609 {
2610 return may_link(dir, dentry, MAY_RMDIR);
2611 }
2612
2613 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2614 {
2615 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2616 }
2617
2618 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2619 struct inode *new_inode, struct dentry *new_dentry)
2620 {
2621 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2622 }
2623
2624 static int selinux_inode_readlink(struct dentry *dentry)
2625 {
2626 const struct cred *cred = current_cred();
2627
2628 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2629 }
2630
2631 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2632 {
2633 const struct cred *cred = current_cred();
2634
2635 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2636 }
2637
2638 static int selinux_inode_permission(struct inode *inode, int mask)
2639 {
2640 const struct cred *cred = current_cred();
2641 struct common_audit_data ad;
2642 u32 perms;
2643 bool from_access;
2644
2645 from_access = mask & MAY_ACCESS;
2646 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2647
2648 /* No permission to check. Existence test. */
2649 if (!mask)
2650 return 0;
2651
2652 COMMON_AUDIT_DATA_INIT(&ad, FS);
2653 ad.u.fs.inode = inode;
2654
2655 if (from_access)
2656 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2657
2658 perms = file_mask_to_av(inode->i_mode, mask);
2659
2660 return inode_has_perm(cred, inode, perms, &ad);
2661 }
2662
2663 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2664 {
2665 const struct cred *cred = current_cred();
2666 unsigned int ia_valid = iattr->ia_valid;
2667
2668 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2669 if (ia_valid & ATTR_FORCE) {
2670 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2671 ATTR_FORCE);
2672 if (!ia_valid)
2673 return 0;
2674 }
2675
2676 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2677 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2678 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2679
2680 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2681 }
2682
2683 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2684 {
2685 const struct cred *cred = current_cred();
2686
2687 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2688 }
2689
2690 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2691 {
2692 const struct cred *cred = current_cred();
2693
2694 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2695 sizeof XATTR_SECURITY_PREFIX - 1)) {
2696 if (!strcmp(name, XATTR_NAME_CAPS)) {
2697 if (!capable(CAP_SETFCAP))
2698 return -EPERM;
2699 } else if (!capable(CAP_SYS_ADMIN)) {
2700 /* A different attribute in the security namespace.
2701 Restrict to administrator. */
2702 return -EPERM;
2703 }
2704 }
2705
2706 /* Not an attribute we recognize, so just check the
2707 ordinary setattr permission. */
2708 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2709 }
2710
2711 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2712 const void *value, size_t size, int flags)
2713 {
2714 struct inode *inode = dentry->d_inode;
2715 struct inode_security_struct *isec = inode->i_security;
2716 struct superblock_security_struct *sbsec;
2717 struct common_audit_data ad;
2718 u32 newsid, sid = current_sid();
2719 int rc = 0;
2720
2721 if (strcmp(name, XATTR_NAME_SELINUX))
2722 return selinux_inode_setotherxattr(dentry, name);
2723
2724 sbsec = inode->i_sb->s_security;
2725 if (!(sbsec->flags & SE_SBLABELSUPP))
2726 return -EOPNOTSUPP;
2727
2728 if (!inode_owner_or_capable(inode))
2729 return -EPERM;
2730
2731 COMMON_AUDIT_DATA_INIT(&ad, FS);
2732 ad.u.fs.path.dentry = dentry;
2733
2734 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2735 FILE__RELABELFROM, &ad);
2736 if (rc)
2737 return rc;
2738
2739 rc = security_context_to_sid(value, size, &newsid);
2740 if (rc == -EINVAL) {
2741 if (!capable(CAP_MAC_ADMIN))
2742 return rc;
2743 rc = security_context_to_sid_force(value, size, &newsid);
2744 }
2745 if (rc)
2746 return rc;
2747
2748 rc = avc_has_perm(sid, newsid, isec->sclass,
2749 FILE__RELABELTO, &ad);
2750 if (rc)
2751 return rc;
2752
2753 rc = security_validate_transition(isec->sid, newsid, sid,
2754 isec->sclass);
2755 if (rc)
2756 return rc;
2757
2758 return avc_has_perm(newsid,
2759 sbsec->sid,
2760 SECCLASS_FILESYSTEM,
2761 FILESYSTEM__ASSOCIATE,
2762 &ad);
2763 }
2764
2765 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2766 const void *value, size_t size,
2767 int flags)
2768 {
2769 struct inode *inode = dentry->d_inode;
2770 struct inode_security_struct *isec = inode->i_security;
2771 u32 newsid;
2772 int rc;
2773
2774 if (strcmp(name, XATTR_NAME_SELINUX)) {
2775 /* Not an attribute we recognize, so nothing to do. */
2776 return;
2777 }
2778
2779 rc = security_context_to_sid_force(value, size, &newsid);
2780 if (rc) {
2781 printk(KERN_ERR "SELinux: unable to map context to SID"
2782 "for (%s, %lu), rc=%d\n",
2783 inode->i_sb->s_id, inode->i_ino, -rc);
2784 return;
2785 }
2786
2787 isec->sid = newsid;
2788 return;
2789 }
2790
2791 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2792 {
2793 const struct cred *cred = current_cred();
2794
2795 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2796 }
2797
2798 static int selinux_inode_listxattr(struct dentry *dentry)
2799 {
2800 const struct cred *cred = current_cred();
2801
2802 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2803 }
2804
2805 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2806 {
2807 if (strcmp(name, XATTR_NAME_SELINUX))
2808 return selinux_inode_setotherxattr(dentry, name);
2809
2810 /* No one is allowed to remove a SELinux security label.
2811 You can change the label, but all data must be labeled. */
2812 return -EACCES;
2813 }
2814
2815 /*
2816 * Copy the inode security context value to the user.
2817 *
2818 * Permission check is handled by selinux_inode_getxattr hook.
2819 */
2820 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2821 {
2822 u32 size;
2823 int error;
2824 char *context = NULL;
2825 struct inode_security_struct *isec = inode->i_security;
2826
2827 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2828 return -EOPNOTSUPP;
2829
2830 /*
2831 * If the caller has CAP_MAC_ADMIN, then get the raw context
2832 * value even if it is not defined by current policy; otherwise,
2833 * use the in-core value under current policy.
2834 * Use the non-auditing forms of the permission checks since
2835 * getxattr may be called by unprivileged processes commonly
2836 * and lack of permission just means that we fall back to the
2837 * in-core context value, not a denial.
2838 */
2839 error = selinux_capable(current, current_cred(),
2840 &init_user_ns, CAP_MAC_ADMIN,
2841 SECURITY_CAP_NOAUDIT);
2842 if (!error)
2843 error = security_sid_to_context_force(isec->sid, &context,
2844 &size);
2845 else
2846 error = security_sid_to_context(isec->sid, &context, &size);
2847 if (error)
2848 return error;
2849 error = size;
2850 if (alloc) {
2851 *buffer = context;
2852 goto out_nofree;
2853 }
2854 kfree(context);
2855 out_nofree:
2856 return error;
2857 }
2858
2859 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2860 const void *value, size_t size, int flags)
2861 {
2862 struct inode_security_struct *isec = inode->i_security;
2863 u32 newsid;
2864 int rc;
2865
2866 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2867 return -EOPNOTSUPP;
2868
2869 if (!value || !size)
2870 return -EACCES;
2871
2872 rc = security_context_to_sid((void *)value, size, &newsid);
2873 if (rc)
2874 return rc;
2875
2876 isec->sid = newsid;
2877 isec->initialized = 1;
2878 return 0;
2879 }
2880
2881 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2882 {
2883 const int len = sizeof(XATTR_NAME_SELINUX);
2884 if (buffer && len <= buffer_size)
2885 memcpy(buffer, XATTR_NAME_SELINUX, len);
2886 return len;
2887 }
2888
2889 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2890 {
2891 struct inode_security_struct *isec = inode->i_security;
2892 *secid = isec->sid;
2893 }
2894
2895 /* file security operations */
2896
2897 static int selinux_revalidate_file_permission(struct file *file, int mask)
2898 {
2899 const struct cred *cred = current_cred();
2900 struct inode *inode = file->f_path.dentry->d_inode;
2901
2902 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2903 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2904 mask |= MAY_APPEND;
2905
2906 return file_has_perm(cred, file,
2907 file_mask_to_av(inode->i_mode, mask));
2908 }
2909
2910 static int selinux_file_permission(struct file *file, int mask)
2911 {
2912 struct inode *inode = file->f_path.dentry->d_inode;
2913 struct file_security_struct *fsec = file->f_security;
2914 struct inode_security_struct *isec = inode->i_security;
2915 u32 sid = current_sid();
2916
2917 if (!mask)
2918 /* No permission to check. Existence test. */
2919 return 0;
2920
2921 if (sid == fsec->sid && fsec->isid == isec->sid &&
2922 fsec->pseqno == avc_policy_seqno())
2923 /* No change since dentry_open check. */
2924 return 0;
2925
2926 return selinux_revalidate_file_permission(file, mask);
2927 }
2928
2929 static int selinux_file_alloc_security(struct file *file)
2930 {
2931 return file_alloc_security(file);
2932 }
2933
2934 static void selinux_file_free_security(struct file *file)
2935 {
2936 file_free_security(file);
2937 }
2938
2939 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2940 unsigned long arg)
2941 {
2942 const struct cred *cred = current_cred();
2943 int error = 0;
2944
2945 switch (cmd) {
2946 case FIONREAD:
2947 /* fall through */
2948 case FIBMAP:
2949 /* fall through */
2950 case FIGETBSZ:
2951 /* fall through */
2952 case EXT2_IOC_GETFLAGS:
2953 /* fall through */
2954 case EXT2_IOC_GETVERSION:
2955 error = file_has_perm(cred, file, FILE__GETATTR);
2956 break;
2957
2958 case EXT2_IOC_SETFLAGS:
2959 /* fall through */
2960 case EXT2_IOC_SETVERSION:
2961 error = file_has_perm(cred, file, FILE__SETATTR);
2962 break;
2963
2964 /* sys_ioctl() checks */
2965 case FIONBIO:
2966 /* fall through */
2967 case FIOASYNC:
2968 error = file_has_perm(cred, file, 0);
2969 break;
2970
2971 case KDSKBENT:
2972 case KDSKBSENT:
2973 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2974 SECURITY_CAP_AUDIT);
2975 break;
2976
2977 /* default case assumes that the command will go
2978 * to the file's ioctl() function.
2979 */
2980 default:
2981 error = file_has_perm(cred, file, FILE__IOCTL);
2982 }
2983 return error;
2984 }
2985
2986 static int default_noexec;
2987
2988 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2989 {
2990 const struct cred *cred = current_cred();
2991 int rc = 0;
2992
2993 if (default_noexec &&
2994 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2995 /*
2996 * We are making executable an anonymous mapping or a
2997 * private file mapping that will also be writable.
2998 * This has an additional check.
2999 */
3000 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3001 if (rc)
3002 goto error;
3003 }
3004
3005 if (file) {
3006 /* read access is always possible with a mapping */
3007 u32 av = FILE__READ;
3008
3009 /* write access only matters if the mapping is shared */
3010 if (shared && (prot & PROT_WRITE))
3011 av |= FILE__WRITE;
3012
3013 if (prot & PROT_EXEC)
3014 av |= FILE__EXECUTE;
3015
3016 return file_has_perm(cred, file, av);
3017 }
3018
3019 error:
3020 return rc;
3021 }
3022
3023 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3024 unsigned long prot, unsigned long flags,
3025 unsigned long addr, unsigned long addr_only)
3026 {
3027 int rc = 0;
3028 u32 sid = current_sid();
3029
3030 /*
3031 * notice that we are intentionally putting the SELinux check before
3032 * the secondary cap_file_mmap check. This is such a likely attempt
3033 * at bad behaviour/exploit that we always want to get the AVC, even
3034 * if DAC would have also denied the operation.
3035 */
3036 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3037 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3038 MEMPROTECT__MMAP_ZERO, NULL);
3039 if (rc)
3040 return rc;
3041 }
3042
3043 /* do DAC check on address space usage */
3044 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3045 if (rc || addr_only)
3046 return rc;
3047
3048 if (selinux_checkreqprot)
3049 prot = reqprot;
3050
3051 return file_map_prot_check(file, prot,
3052 (flags & MAP_TYPE) == MAP_SHARED);
3053 }
3054
3055 static int selinux_file_mprotect(struct vm_area_struct *vma,
3056 unsigned long reqprot,
3057 unsigned long prot)
3058 {
3059 const struct cred *cred = current_cred();
3060
3061 if (selinux_checkreqprot)
3062 prot = reqprot;
3063
3064 if (default_noexec &&
3065 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3066 int rc = 0;
3067 if (vma->vm_start >= vma->vm_mm->start_brk &&
3068 vma->vm_end <= vma->vm_mm->brk) {
3069 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3070 } else if (!vma->vm_file &&
3071 vma->vm_start <= vma->vm_mm->start_stack &&
3072 vma->vm_end >= vma->vm_mm->start_stack) {
3073 rc = current_has_perm(current, PROCESS__EXECSTACK);
3074 } else if (vma->vm_file && vma->anon_vma) {
3075 /*
3076 * We are making executable a file mapping that has
3077 * had some COW done. Since pages might have been
3078 * written, check ability to execute the possibly
3079 * modified content. This typically should only
3080 * occur for text relocations.
3081 */
3082 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3083 }
3084 if (rc)
3085 return rc;
3086 }
3087
3088 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3089 }
3090
3091 static int selinux_file_lock(struct file *file, unsigned int cmd)
3092 {
3093 const struct cred *cred = current_cred();
3094
3095 return file_has_perm(cred, file, FILE__LOCK);
3096 }
3097
3098 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3099 unsigned long arg)
3100 {
3101 const struct cred *cred = current_cred();
3102 int err = 0;
3103
3104 switch (cmd) {
3105 case F_SETFL:
3106 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3107 err = -EINVAL;
3108 break;
3109 }
3110
3111 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3112 err = file_has_perm(cred, file, FILE__WRITE);
3113 break;
3114 }
3115 /* fall through */
3116 case F_SETOWN:
3117 case F_SETSIG:
3118 case F_GETFL:
3119 case F_GETOWN:
3120 case F_GETSIG:
3121 /* Just check FD__USE permission */
3122 err = file_has_perm(cred, file, 0);
3123 break;
3124 case F_GETLK:
3125 case F_SETLK:
3126 case F_SETLKW:
3127 #if BITS_PER_LONG == 32
3128 case F_GETLK64:
3129 case F_SETLK64:
3130 case F_SETLKW64:
3131 #endif
3132 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3133 err = -EINVAL;
3134 break;
3135 }
3136 err = file_has_perm(cred, file, FILE__LOCK);
3137 break;
3138 }
3139
3140 return err;
3141 }
3142
3143 static int selinux_file_set_fowner(struct file *file)
3144 {
3145 struct file_security_struct *fsec;
3146
3147 fsec = file->f_security;
3148 fsec->fown_sid = current_sid();
3149
3150 return 0;
3151 }
3152
3153 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3154 struct fown_struct *fown, int signum)
3155 {
3156 struct file *file;
3157 u32 sid = task_sid(tsk);
3158 u32 perm;
3159 struct file_security_struct *fsec;
3160
3161 /* struct fown_struct is never outside the context of a struct file */
3162 file = container_of(fown, struct file, f_owner);
3163
3164 fsec = file->f_security;
3165
3166 if (!signum)
3167 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3168 else
3169 perm = signal_to_av(signum);
3170
3171 return avc_has_perm(fsec->fown_sid, sid,
3172 SECCLASS_PROCESS, perm, NULL);
3173 }
3174
3175 static int selinux_file_receive(struct file *file)
3176 {
3177 const struct cred *cred = current_cred();
3178
3179 return file_has_perm(cred, file, file_to_av(file));
3180 }
3181
3182 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3183 {
3184 struct file_security_struct *fsec;
3185 struct inode *inode;
3186 struct inode_security_struct *isec;
3187
3188 inode = file->f_path.dentry->d_inode;
3189 fsec = file->f_security;
3190 isec = inode->i_security;
3191 /*
3192 * Save inode label and policy sequence number
3193 * at open-time so that selinux_file_permission
3194 * can determine whether revalidation is necessary.
3195 * Task label is already saved in the file security
3196 * struct as its SID.
3197 */
3198 fsec->isid = isec->sid;
3199 fsec->pseqno = avc_policy_seqno();
3200 /*
3201 * Since the inode label or policy seqno may have changed
3202 * between the selinux_inode_permission check and the saving
3203 * of state above, recheck that access is still permitted.
3204 * Otherwise, access might never be revalidated against the
3205 * new inode label or new policy.
3206 * This check is not redundant - do not remove.
3207 */
3208 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3209 }
3210
3211 /* task security operations */
3212
3213 static int selinux_task_create(unsigned long clone_flags)
3214 {
3215 return current_has_perm(current, PROCESS__FORK);
3216 }
3217
3218 /*
3219 * allocate the SELinux part of blank credentials
3220 */
3221 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3222 {
3223 struct task_security_struct *tsec;
3224
3225 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3226 if (!tsec)
3227 return -ENOMEM;
3228
3229 cred->security = tsec;
3230 return 0;
3231 }
3232
3233 /*
3234 * detach and free the LSM part of a set of credentials
3235 */
3236 static void selinux_cred_free(struct cred *cred)
3237 {
3238 struct task_security_struct *tsec = cred->security;
3239
3240 /*
3241 * cred->security == NULL if security_cred_alloc_blank() or
3242 * security_prepare_creds() returned an error.
3243 */
3244 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3245 cred->security = (void *) 0x7UL;
3246 kfree(tsec);
3247 }
3248
3249 /*
3250 * prepare a new set of credentials for modification
3251 */
3252 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3253 gfp_t gfp)
3254 {
3255 const struct task_security_struct *old_tsec;
3256 struct task_security_struct *tsec;
3257
3258 old_tsec = old->security;
3259
3260 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3261 if (!tsec)
3262 return -ENOMEM;
3263
3264 new->security = tsec;
3265 return 0;
3266 }
3267
3268 /*
3269 * transfer the SELinux data to a blank set of creds
3270 */
3271 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3272 {
3273 const struct task_security_struct *old_tsec = old->security;
3274 struct task_security_struct *tsec = new->security;
3275
3276 *tsec = *old_tsec;
3277 }
3278
3279 /*
3280 * set the security data for a kernel service
3281 * - all the creation contexts are set to unlabelled
3282 */
3283 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3284 {
3285 struct task_security_struct *tsec = new->security;
3286 u32 sid = current_sid();
3287 int ret;
3288
3289 ret = avc_has_perm(sid, secid,
3290 SECCLASS_KERNEL_SERVICE,
3291 KERNEL_SERVICE__USE_AS_OVERRIDE,
3292 NULL);
3293 if (ret == 0) {
3294 tsec->sid = secid;
3295 tsec->create_sid = 0;
3296 tsec->keycreate_sid = 0;
3297 tsec->sockcreate_sid = 0;
3298 }
3299 return ret;
3300 }
3301
3302 /*
3303 * set the file creation context in a security record to the same as the
3304 * objective context of the specified inode
3305 */
3306 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3307 {
3308 struct inode_security_struct *isec = inode->i_security;
3309 struct task_security_struct *tsec = new->security;
3310 u32 sid = current_sid();
3311 int ret;
3312
3313 ret = avc_has_perm(sid, isec->sid,
3314 SECCLASS_KERNEL_SERVICE,
3315 KERNEL_SERVICE__CREATE_FILES_AS,
3316 NULL);
3317
3318 if (ret == 0)
3319 tsec->create_sid = isec->sid;
3320 return ret;
3321 }
3322
3323 static int selinux_kernel_module_request(char *kmod_name)
3324 {
3325 u32 sid;
3326 struct common_audit_data ad;
3327
3328 sid = task_sid(current);
3329
3330 COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3331 ad.u.kmod_name = kmod_name;
3332
3333 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3334 SYSTEM__MODULE_REQUEST, &ad);
3335 }
3336
3337 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3338 {
3339 return current_has_perm(p, PROCESS__SETPGID);
3340 }
3341
3342 static int selinux_task_getpgid(struct task_struct *p)
3343 {
3344 return current_has_perm(p, PROCESS__GETPGID);
3345 }
3346
3347 static int selinux_task_getsid(struct task_struct *p)
3348 {
3349 return current_has_perm(p, PROCESS__GETSESSION);
3350 }
3351
3352 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3353 {
3354 *secid = task_sid(p);
3355 }
3356
3357 static int selinux_task_setnice(struct task_struct *p, int nice)
3358 {
3359 int rc;
3360
3361 rc = cap_task_setnice(p, nice);
3362 if (rc)
3363 return rc;
3364
3365 return current_has_perm(p, PROCESS__SETSCHED);
3366 }
3367
3368 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3369 {
3370 int rc;
3371
3372 rc = cap_task_setioprio(p, ioprio);
3373 if (rc)
3374 return rc;
3375
3376 return current_has_perm(p, PROCESS__SETSCHED);
3377 }
3378
3379 static int selinux_task_getioprio(struct task_struct *p)
3380 {
3381 return current_has_perm(p, PROCESS__GETSCHED);
3382 }
3383
3384 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3385 struct rlimit *new_rlim)
3386 {
3387 struct rlimit *old_rlim = p->signal->rlim + resource;
3388
3389 /* Control the ability to change the hard limit (whether
3390 lowering or raising it), so that the hard limit can
3391 later be used as a safe reset point for the soft limit
3392 upon context transitions. See selinux_bprm_committing_creds. */
3393 if (old_rlim->rlim_max != new_rlim->rlim_max)
3394 return current_has_perm(p, PROCESS__SETRLIMIT);
3395
3396 return 0;
3397 }
3398
3399 static int selinux_task_setscheduler(struct task_struct *p)
3400 {
3401 int rc;
3402
3403 rc = cap_task_setscheduler(p);
3404 if (rc)
3405 return rc;
3406
3407 return current_has_perm(p, PROCESS__SETSCHED);
3408 }
3409
3410 static int selinux_task_getscheduler(struct task_struct *p)
3411 {
3412 return current_has_perm(p, PROCESS__GETSCHED);
3413 }
3414
3415 static int selinux_task_movememory(struct task_struct *p)
3416 {
3417 return current_has_perm(p, PROCESS__SETSCHED);
3418 }
3419
3420 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3421 int sig, u32 secid)
3422 {
3423 u32 perm;
3424 int rc;
3425
3426 if (!sig)
3427 perm = PROCESS__SIGNULL; /* null signal; existence test */
3428 else
3429 perm = signal_to_av(sig);
3430 if (secid)
3431 rc = avc_has_perm(secid, task_sid(p),
3432 SECCLASS_PROCESS, perm, NULL);
3433 else
3434 rc = current_has_perm(p, perm);
3435 return rc;
3436 }
3437
3438 static int selinux_task_wait(struct task_struct *p)
3439 {
3440 return task_has_perm(p, current, PROCESS__SIGCHLD);
3441 }
3442
3443 static void selinux_task_to_inode(struct task_struct *p,
3444 struct inode *inode)
3445 {
3446 struct inode_security_struct *isec = inode->i_security;
3447 u32 sid = task_sid(p);
3448
3449 isec->sid = sid;
3450 isec->initialized = 1;
3451 }
3452
3453 /* Returns error only if unable to parse addresses */
3454 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3455 struct common_audit_data *ad, u8 *proto)
3456 {
3457 int offset, ihlen, ret = -EINVAL;
3458 struct iphdr _iph, *ih;
3459
3460 offset = skb_network_offset(skb);
3461 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3462 if (ih == NULL)
3463 goto out;
3464
3465 ihlen = ih->ihl * 4;
3466 if (ihlen < sizeof(_iph))
3467 goto out;
3468
3469 ad->u.net.v4info.saddr = ih->saddr;
3470 ad->u.net.v4info.daddr = ih->daddr;
3471 ret = 0;
3472
3473 if (proto)
3474 *proto = ih->protocol;
3475
3476 switch (ih->protocol) {
3477 case IPPROTO_TCP: {
3478 struct tcphdr _tcph, *th;
3479
3480 if (ntohs(ih->frag_off) & IP_OFFSET)
3481 break;
3482
3483 offset += ihlen;
3484 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3485 if (th == NULL)
3486 break;
3487
3488 ad->u.net.sport = th->source;
3489 ad->u.net.dport = th->dest;
3490 break;
3491 }
3492
3493 case IPPROTO_UDP: {
3494 struct udphdr _udph, *uh;
3495
3496 if (ntohs(ih->frag_off) & IP_OFFSET)
3497 break;
3498
3499 offset += ihlen;
3500 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3501 if (uh == NULL)
3502 break;
3503
3504 ad->u.net.sport = uh->source;
3505 ad->u.net.dport = uh->dest;
3506 break;
3507 }
3508
3509 case IPPROTO_DCCP: {
3510 struct dccp_hdr _dccph, *dh;
3511
3512 if (ntohs(ih->frag_off) & IP_OFFSET)
3513 break;
3514
3515 offset += ihlen;
3516 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3517 if (dh == NULL)
3518 break;
3519
3520 ad->u.net.sport = dh->dccph_sport;
3521 ad->u.net.dport = dh->dccph_dport;
3522 break;
3523 }
3524
3525 default:
3526 break;
3527 }
3528 out:
3529 return ret;
3530 }
3531
3532 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3533
3534 /* Returns error only if unable to parse addresses */
3535 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3536 struct common_audit_data *ad, u8 *proto)
3537 {
3538 u8 nexthdr;
3539 int ret = -EINVAL, offset;
3540 struct ipv6hdr _ipv6h, *ip6;
3541
3542 offset = skb_network_offset(skb);
3543 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3544 if (ip6 == NULL)
3545 goto out;
3546
3547 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3548 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3549 ret = 0;
3550
3551 nexthdr = ip6->nexthdr;
3552 offset += sizeof(_ipv6h);
3553 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3554 if (offset < 0)
3555 goto out;
3556
3557 if (proto)
3558 *proto = nexthdr;
3559
3560 switch (nexthdr) {
3561 case IPPROTO_TCP: {
3562 struct tcphdr _tcph, *th;
3563
3564 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3565 if (th == NULL)
3566 break;
3567
3568 ad->u.net.sport = th->source;
3569 ad->u.net.dport = th->dest;
3570 break;
3571 }
3572
3573 case IPPROTO_UDP: {
3574 struct udphdr _udph, *uh;
3575
3576 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3577 if (uh == NULL)
3578 break;
3579
3580 ad->u.net.sport = uh->source;
3581 ad->u.net.dport = uh->dest;
3582 break;
3583 }
3584
3585 case IPPROTO_DCCP: {
3586 struct dccp_hdr _dccph, *dh;
3587
3588 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3589 if (dh == NULL)
3590 break;
3591
3592 ad->u.net.sport = dh->dccph_sport;
3593 ad->u.net.dport = dh->dccph_dport;
3594 break;
3595 }
3596
3597 /* includes fragments */
3598 default:
3599 break;
3600 }
3601 out:
3602 return ret;
3603 }
3604
3605 #endif /* IPV6 */
3606
3607 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3608 char **_addrp, int src, u8 *proto)
3609 {
3610 char *addrp;
3611 int ret;
3612
3613 switch (ad->u.net.family) {
3614 case PF_INET:
3615 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3616 if (ret)
3617 goto parse_error;
3618 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3619 &ad->u.net.v4info.daddr);
3620 goto okay;
3621
3622 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3623 case PF_INET6:
3624 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3625 if (ret)
3626 goto parse_error;
3627 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3628 &ad->u.net.v6info.daddr);
3629 goto okay;
3630 #endif /* IPV6 */
3631 default:
3632 addrp = NULL;
3633 goto okay;
3634 }
3635
3636 parse_error:
3637 printk(KERN_WARNING
3638 "SELinux: failure in selinux_parse_skb(),"
3639 " unable to parse packet\n");
3640 return ret;
3641
3642 okay:
3643 if (_addrp)
3644 *_addrp = addrp;
3645 return 0;
3646 }
3647
3648 /**
3649 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3650 * @skb: the packet
3651 * @family: protocol family
3652 * @sid: the packet's peer label SID
3653 *
3654 * Description:
3655 * Check the various different forms of network peer labeling and determine
3656 * the peer label/SID for the packet; most of the magic actually occurs in
3657 * the security server function security_net_peersid_cmp(). The function
3658 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3659 * or -EACCES if @sid is invalid due to inconsistencies with the different
3660 * peer labels.
3661 *
3662 */
3663 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3664 {
3665 int err;
3666 u32 xfrm_sid;
3667 u32 nlbl_sid;
3668 u32 nlbl_type;
3669
3670 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3671 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3672
3673 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3674 if (unlikely(err)) {
3675 printk(KERN_WARNING
3676 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3677 " unable to determine packet's peer label\n");
3678 return -EACCES;
3679 }
3680
3681 return 0;
3682 }
3683
3684 /* socket security operations */
3685
3686 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3687 u16 secclass, u32 *socksid)
3688 {
3689 if (tsec->sockcreate_sid > SECSID_NULL) {
3690 *socksid = tsec->sockcreate_sid;
3691 return 0;
3692 }
3693
3694 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3695 socksid);
3696 }
3697
3698 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3699 {
3700 struct sk_security_struct *sksec = sk->sk_security;
3701 struct common_audit_data ad;
3702 u32 tsid = task_sid(task);
3703
3704 if (sksec->sid == SECINITSID_KERNEL)
3705 return 0;
3706
3707 COMMON_AUDIT_DATA_INIT(&ad, NET);
3708 ad.u.net.sk = sk;
3709
3710 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3711 }
3712
3713 static int selinux_socket_create(int family, int type,
3714 int protocol, int kern)
3715 {
3716 const struct task_security_struct *tsec = current_security();
3717 u32 newsid;
3718 u16 secclass;
3719 int rc;
3720
3721 if (kern)
3722 return 0;
3723
3724 secclass = socket_type_to_security_class(family, type, protocol);
3725 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3726 if (rc)
3727 return rc;
3728
3729 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3730 }
3731
3732 static int selinux_socket_post_create(struct socket *sock, int family,
3733 int type, int protocol, int kern)
3734 {
3735 const struct task_security_struct *tsec = current_security();
3736 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3737 struct sk_security_struct *sksec;
3738 int err = 0;
3739
3740 isec->sclass = socket_type_to_security_class(family, type, protocol);
3741
3742 if (kern)
3743 isec->sid = SECINITSID_KERNEL;
3744 else {
3745 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3746 if (err)
3747 return err;
3748 }
3749
3750 isec->initialized = 1;
3751
3752 if (sock->sk) {
3753 sksec = sock->sk->sk_security;
3754 sksec->sid = isec->sid;
3755 sksec->sclass = isec->sclass;
3756 err = selinux_netlbl_socket_post_create(sock->sk, family);
3757 }
3758
3759 return err;
3760 }
3761
3762 /* Range of port numbers used to automatically bind.
3763 Need to determine whether we should perform a name_bind
3764 permission check between the socket and the port number. */
3765
3766 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3767 {
3768 struct sock *sk = sock->sk;
3769 u16 family;
3770 int err;
3771
3772 err = sock_has_perm(current, sk, SOCKET__BIND);
3773 if (err)
3774 goto out;
3775
3776 /*
3777 * If PF_INET or PF_INET6, check name_bind permission for the port.
3778 * Multiple address binding for SCTP is not supported yet: we just
3779 * check the first address now.
3780 */
3781 family = sk->sk_family;
3782 if (family == PF_INET || family == PF_INET6) {
3783 char *addrp;
3784 struct sk_security_struct *sksec = sk->sk_security;
3785 struct common_audit_data ad;
3786 struct sockaddr_in *addr4 = NULL;
3787 struct sockaddr_in6 *addr6 = NULL;
3788 unsigned short snum;
3789 u32 sid, node_perm;
3790
3791 if (family == PF_INET) {
3792 addr4 = (struct sockaddr_in *)address;
3793 snum = ntohs(addr4->sin_port);
3794 addrp = (char *)&addr4->sin_addr.s_addr;
3795 } else {
3796 addr6 = (struct sockaddr_in6 *)address;
3797 snum = ntohs(addr6->sin6_port);
3798 addrp = (char *)&addr6->sin6_addr.s6_addr;
3799 }
3800
3801 if (snum) {
3802 int low, high;
3803
3804 inet_get_local_port_range(&low, &high);
3805
3806 if (snum < max(PROT_SOCK, low) || snum > high) {
3807 err = sel_netport_sid(sk->sk_protocol,
3808 snum, &sid);
3809 if (err)
3810 goto out;
3811 COMMON_AUDIT_DATA_INIT(&ad, NET);
3812 ad.u.net.sport = htons(snum);
3813 ad.u.net.family = family;
3814 err = avc_has_perm(sksec->sid, sid,
3815 sksec->sclass,
3816 SOCKET__NAME_BIND, &ad);
3817 if (err)
3818 goto out;
3819 }
3820 }
3821
3822 switch (sksec->sclass) {
3823 case SECCLASS_TCP_SOCKET:
3824 node_perm = TCP_SOCKET__NODE_BIND;
3825 break;
3826
3827 case SECCLASS_UDP_SOCKET:
3828 node_perm = UDP_SOCKET__NODE_BIND;
3829 break;
3830
3831 case SECCLASS_DCCP_SOCKET:
3832 node_perm = DCCP_SOCKET__NODE_BIND;
3833 break;
3834
3835 default:
3836 node_perm = RAWIP_SOCKET__NODE_BIND;
3837 break;
3838 }
3839
3840 err = sel_netnode_sid(addrp, family, &sid);
3841 if (err)
3842 goto out;
3843
3844 COMMON_AUDIT_DATA_INIT(&ad, NET);
3845 ad.u.net.sport = htons(snum);
3846 ad.u.net.family = family;
3847
3848 if (family == PF_INET)
3849 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3850 else
3851 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3852
3853 err = avc_has_perm(sksec->sid, sid,
3854 sksec->sclass, node_perm, &ad);
3855 if (err)
3856 goto out;
3857 }
3858 out:
3859 return err;
3860 }
3861
3862 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3863 {
3864 struct sock *sk = sock->sk;
3865 struct sk_security_struct *sksec = sk->sk_security;
3866 int err;
3867
3868 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3869 if (err)
3870 return err;
3871
3872 /*
3873 * If a TCP or DCCP socket, check name_connect permission for the port.
3874 */
3875 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3876 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3877 struct common_audit_data ad;
3878 struct sockaddr_in *addr4 = NULL;
3879 struct sockaddr_in6 *addr6 = NULL;
3880 unsigned short snum;
3881 u32 sid, perm;
3882
3883 if (sk->sk_family == PF_INET) {
3884 addr4 = (struct sockaddr_in *)address;
3885 if (addrlen < sizeof(struct sockaddr_in))
3886 return -EINVAL;
3887 snum = ntohs(addr4->sin_port);
3888 } else {
3889 addr6 = (struct sockaddr_in6 *)address;
3890 if (addrlen < SIN6_LEN_RFC2133)
3891 return -EINVAL;
3892 snum = ntohs(addr6->sin6_port);
3893 }
3894
3895 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3896 if (err)
3897 goto out;
3898
3899 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3900 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3901
3902 COMMON_AUDIT_DATA_INIT(&ad, NET);
3903 ad.u.net.dport = htons(snum);
3904 ad.u.net.family = sk->sk_family;
3905 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3906 if (err)
3907 goto out;
3908 }
3909
3910 err = selinux_netlbl_socket_connect(sk, address);
3911
3912 out:
3913 return err;
3914 }
3915
3916 static int selinux_socket_listen(struct socket *sock, int backlog)
3917 {
3918 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3919 }
3920
3921 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3922 {
3923 int err;
3924 struct inode_security_struct *isec;
3925 struct inode_security_struct *newisec;
3926
3927 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3928 if (err)
3929 return err;
3930
3931 newisec = SOCK_INODE(newsock)->i_security;
3932
3933 isec = SOCK_INODE(sock)->i_security;
3934 newisec->sclass = isec->sclass;
3935 newisec->sid = isec->sid;
3936 newisec->initialized = 1;
3937
3938 return 0;
3939 }
3940
3941 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3942 int size)
3943 {
3944 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3945 }
3946
3947 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3948 int size, int flags)
3949 {
3950 return sock_has_perm(current, sock->sk, SOCKET__READ);
3951 }
3952
3953 static int selinux_socket_getsockname(struct socket *sock)
3954 {
3955 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3956 }
3957
3958 static int selinux_socket_getpeername(struct socket *sock)
3959 {
3960 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3961 }
3962
3963 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3964 {
3965 int err;
3966
3967 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3968 if (err)
3969 return err;
3970
3971 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3972 }
3973
3974 static int selinux_socket_getsockopt(struct socket *sock, int level,
3975 int optname)
3976 {
3977 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3978 }
3979
3980 static int selinux_socket_shutdown(struct socket *sock, int how)
3981 {
3982 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3983 }
3984
3985 static int selinux_socket_unix_stream_connect(struct sock *sock,
3986 struct sock *other,
3987 struct sock *newsk)
3988 {
3989 struct sk_security_struct *sksec_sock = sock->sk_security;
3990 struct sk_security_struct *sksec_other = other->sk_security;
3991 struct sk_security_struct *sksec_new = newsk->sk_security;
3992 struct common_audit_data ad;
3993 int err;
3994
3995 COMMON_AUDIT_DATA_INIT(&ad, NET);
3996 ad.u.net.sk = other;
3997
3998 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
3999 sksec_other->sclass,
4000 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4001 if (err)
4002 return err;
4003
4004 /* server child socket */
4005 sksec_new->peer_sid = sksec_sock->sid;
4006 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4007 &sksec_new->sid);
4008 if (err)
4009 return err;
4010
4011 /* connecting socket */
4012 sksec_sock->peer_sid = sksec_new->sid;
4013
4014 return 0;
4015 }
4016
4017 static int selinux_socket_unix_may_send(struct socket *sock,
4018 struct socket *other)
4019 {
4020 struct sk_security_struct *ssec = sock->sk->sk_security;
4021 struct sk_security_struct *osec = other->sk->sk_security;
4022 struct common_audit_data ad;
4023
4024 COMMON_AUDIT_DATA_INIT(&ad, NET);
4025 ad.u.net.sk = other->sk;
4026
4027 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4028 &ad);
4029 }
4030
4031 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4032 u32 peer_sid,
4033 struct common_audit_data *ad)
4034 {
4035 int err;
4036 u32 if_sid;
4037 u32 node_sid;
4038
4039 err = sel_netif_sid(ifindex, &if_sid);
4040 if (err)
4041 return err;
4042 err = avc_has_perm(peer_sid, if_sid,
4043 SECCLASS_NETIF, NETIF__INGRESS, ad);
4044 if (err)
4045 return err;
4046
4047 err = sel_netnode_sid(addrp, family, &node_sid);
4048 if (err)
4049 return err;
4050 return avc_has_perm(peer_sid, node_sid,
4051 SECCLASS_NODE, NODE__RECVFROM, ad);
4052 }
4053
4054 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4055 u16 family)
4056 {
4057 int err = 0;
4058 struct sk_security_struct *sksec = sk->sk_security;
4059 u32 sk_sid = sksec->sid;
4060 struct common_audit_data ad;
4061 char *addrp;
4062
4063 COMMON_AUDIT_DATA_INIT(&ad, NET);
4064 ad.u.net.netif = skb->skb_iif;
4065 ad.u.net.family = family;
4066 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4067 if (err)
4068 return err;
4069
4070 if (selinux_secmark_enabled()) {
4071 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4072 PACKET__RECV, &ad);
4073 if (err)
4074 return err;
4075 }
4076
4077 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4078 if (err)
4079 return err;
4080 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4081
4082 return err;
4083 }
4084
4085 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4086 {
4087 int err;
4088 struct sk_security_struct *sksec = sk->sk_security;
4089 u16 family = sk->sk_family;
4090 u32 sk_sid = sksec->sid;
4091 struct common_audit_data ad;
4092 char *addrp;
4093 u8 secmark_active;
4094 u8 peerlbl_active;
4095
4096 if (family != PF_INET && family != PF_INET6)
4097 return 0;
4098
4099 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4100 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4101 family = PF_INET;
4102
4103 /* If any sort of compatibility mode is enabled then handoff processing
4104 * to the selinux_sock_rcv_skb_compat() function to deal with the
4105 * special handling. We do this in an attempt to keep this function
4106 * as fast and as clean as possible. */
4107 if (!selinux_policycap_netpeer)
4108 return selinux_sock_rcv_skb_compat(sk, skb, family);
4109
4110 secmark_active = selinux_secmark_enabled();
4111 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4112 if (!secmark_active && !peerlbl_active)
4113 return 0;
4114
4115 COMMON_AUDIT_DATA_INIT(&ad, NET);
4116 ad.u.net.netif = skb->skb_iif;
4117 ad.u.net.family = family;
4118 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4119 if (err)
4120 return err;
4121
4122 if (peerlbl_active) {
4123 u32 peer_sid;
4124
4125 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4126 if (err)
4127 return err;
4128 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4129 peer_sid, &ad);
4130 if (err) {
4131 selinux_netlbl_err(skb, err, 0);
4132 return err;
4133 }
4134 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4135 PEER__RECV, &ad);
4136 if (err)
4137 selinux_netlbl_err(skb, err, 0);
4138 }
4139
4140 if (secmark_active) {
4141 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4142 PACKET__RECV, &ad);
4143 if (err)
4144 return err;
4145 }
4146
4147 return err;
4148 }
4149
4150 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4151 int __user *optlen, unsigned len)
4152 {
4153 int err = 0;
4154 char *scontext;
4155 u32 scontext_len;
4156 struct sk_security_struct *sksec = sock->sk->sk_security;
4157 u32 peer_sid = SECSID_NULL;
4158
4159 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4160 sksec->sclass == SECCLASS_TCP_SOCKET)
4161 peer_sid = sksec->peer_sid;
4162 if (peer_sid == SECSID_NULL)
4163 return -ENOPROTOOPT;
4164
4165 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4166 if (err)
4167 return err;
4168
4169 if (scontext_len > len) {
4170 err = -ERANGE;
4171 goto out_len;
4172 }
4173
4174 if (copy_to_user(optval, scontext, scontext_len))
4175 err = -EFAULT;
4176
4177 out_len:
4178 if (put_user(scontext_len, optlen))
4179 err = -EFAULT;
4180 kfree(scontext);
4181 return err;
4182 }
4183
4184 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4185 {
4186 u32 peer_secid = SECSID_NULL;
4187 u16 family;
4188
4189 if (skb && skb->protocol == htons(ETH_P_IP))
4190 family = PF_INET;
4191 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4192 family = PF_INET6;
4193 else if (sock)
4194 family = sock->sk->sk_family;
4195 else
4196 goto out;
4197
4198 if (sock && family == PF_UNIX)
4199 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4200 else if (skb)
4201 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4202
4203 out:
4204 *secid = peer_secid;
4205 if (peer_secid == SECSID_NULL)
4206 return -EINVAL;
4207 return 0;
4208 }
4209
4210 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4211 {
4212 struct sk_security_struct *sksec;
4213
4214 sksec = kzalloc(sizeof(*sksec), priority);
4215 if (!sksec)
4216 return -ENOMEM;
4217
4218 sksec->peer_sid = SECINITSID_UNLABELED;
4219 sksec->sid = SECINITSID_UNLABELED;
4220 selinux_netlbl_sk_security_reset(sksec);
4221 sk->sk_security = sksec;
4222
4223 return 0;
4224 }
4225
4226 static void selinux_sk_free_security(struct sock *sk)
4227 {
4228 struct sk_security_struct *sksec = sk->sk_security;
4229
4230 sk->sk_security = NULL;
4231 selinux_netlbl_sk_security_free(sksec);
4232 kfree(sksec);
4233 }
4234
4235 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4236 {
4237 struct sk_security_struct *sksec = sk->sk_security;
4238 struct sk_security_struct *newsksec = newsk->sk_security;
4239
4240 newsksec->sid = sksec->sid;
4241 newsksec->peer_sid = sksec->peer_sid;
4242 newsksec->sclass = sksec->sclass;
4243
4244 selinux_netlbl_sk_security_reset(newsksec);
4245 }
4246
4247 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4248 {
4249 if (!sk)
4250 *secid = SECINITSID_ANY_SOCKET;
4251 else {
4252 struct sk_security_struct *sksec = sk->sk_security;
4253
4254 *secid = sksec->sid;
4255 }
4256 }
4257
4258 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4259 {
4260 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4261 struct sk_security_struct *sksec = sk->sk_security;
4262
4263 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4264 sk->sk_family == PF_UNIX)
4265 isec->sid = sksec->sid;
4266 sksec->sclass = isec->sclass;
4267 }
4268
4269 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4270 struct request_sock *req)
4271 {
4272 struct sk_security_struct *sksec = sk->sk_security;
4273 int err;
4274 u16 family = sk->sk_family;
4275 u32 newsid;
4276 u32 peersid;
4277
4278 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4279 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4280 family = PF_INET;
4281
4282 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4283 if (err)
4284 return err;
4285 if (peersid == SECSID_NULL) {
4286 req->secid = sksec->sid;
4287 req->peer_secid = SECSID_NULL;
4288 } else {
4289 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4290 if (err)
4291 return err;
4292 req->secid = newsid;
4293 req->peer_secid = peersid;
4294 }
4295
4296 return selinux_netlbl_inet_conn_request(req, family);
4297 }
4298
4299 static void selinux_inet_csk_clone(struct sock *newsk,
4300 const struct request_sock *req)
4301 {
4302 struct sk_security_struct *newsksec = newsk->sk_security;
4303
4304 newsksec->sid = req->secid;
4305 newsksec->peer_sid = req->peer_secid;
4306 /* NOTE: Ideally, we should also get the isec->sid for the
4307 new socket in sync, but we don't have the isec available yet.
4308 So we will wait until sock_graft to do it, by which
4309 time it will have been created and available. */
4310
4311 /* We don't need to take any sort of lock here as we are the only
4312 * thread with access to newsksec */
4313 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4314 }
4315
4316 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4317 {
4318 u16 family = sk->sk_family;
4319 struct sk_security_struct *sksec = sk->sk_security;
4320
4321 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4322 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4323 family = PF_INET;
4324
4325 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4326 }
4327
4328 static int selinux_secmark_relabel_packet(u32 sid)
4329 {
4330 const struct task_security_struct *__tsec;
4331 u32 tsid;
4332
4333 __tsec = current_security();
4334 tsid = __tsec->sid;
4335
4336 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4337 }
4338
4339 static void selinux_secmark_refcount_inc(void)
4340 {
4341 atomic_inc(&selinux_secmark_refcount);
4342 }
4343
4344 static void selinux_secmark_refcount_dec(void)
4345 {
4346 atomic_dec(&selinux_secmark_refcount);
4347 }
4348
4349 static void selinux_req_classify_flow(const struct request_sock *req,
4350 struct flowi *fl)
4351 {
4352 fl->flowi_secid = req->secid;
4353 }
4354
4355 static int selinux_tun_dev_create(void)
4356 {
4357 u32 sid = current_sid();
4358
4359 /* we aren't taking into account the "sockcreate" SID since the socket
4360 * that is being created here is not a socket in the traditional sense,
4361 * instead it is a private sock, accessible only to the kernel, and
4362 * representing a wide range of network traffic spanning multiple
4363 * connections unlike traditional sockets - check the TUN driver to
4364 * get a better understanding of why this socket is special */
4365
4366 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4367 NULL);
4368 }
4369
4370 static void selinux_tun_dev_post_create(struct sock *sk)
4371 {
4372 struct sk_security_struct *sksec = sk->sk_security;
4373
4374 /* we don't currently perform any NetLabel based labeling here and it
4375 * isn't clear that we would want to do so anyway; while we could apply
4376 * labeling without the support of the TUN user the resulting labeled
4377 * traffic from the other end of the connection would almost certainly
4378 * cause confusion to the TUN user that had no idea network labeling
4379 * protocols were being used */
4380
4381 /* see the comments in selinux_tun_dev_create() about why we don't use
4382 * the sockcreate SID here */
4383
4384 sksec->sid = current_sid();
4385 sksec->sclass = SECCLASS_TUN_SOCKET;
4386 }
4387
4388 static int selinux_tun_dev_attach(struct sock *sk)
4389 {
4390 struct sk_security_struct *sksec = sk->sk_security;
4391 u32 sid = current_sid();
4392 int err;
4393
4394 err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4395 TUN_SOCKET__RELABELFROM, NULL);
4396 if (err)
4397 return err;
4398 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4399 TUN_SOCKET__RELABELTO, NULL);
4400 if (err)
4401 return err;
4402
4403 sksec->sid = sid;
4404
4405 return 0;
4406 }
4407
4408 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4409 {
4410 int err = 0;
4411 u32 perm;
4412 struct nlmsghdr *nlh;
4413 struct sk_security_struct *sksec = sk->sk_security;
4414
4415 if (skb->len < NLMSG_SPACE(0)) {
4416 err = -EINVAL;
4417 goto out;
4418 }
4419 nlh = nlmsg_hdr(skb);
4420
4421 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4422 if (err) {
4423 if (err == -EINVAL) {
4424 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4425 "SELinux: unrecognized netlink message"
4426 " type=%hu for sclass=%hu\n",
4427 nlh->nlmsg_type, sksec->sclass);
4428 if (!selinux_enforcing || security_get_allow_unknown())
4429 err = 0;
4430 }
4431
4432 /* Ignore */
4433 if (err == -ENOENT)
4434 err = 0;
4435 goto out;
4436 }
4437
4438 err = sock_has_perm(current, sk, perm);
4439 out:
4440 return err;
4441 }
4442
4443 #ifdef CONFIG_NETFILTER
4444
4445 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4446 u16 family)
4447 {
4448 int err;
4449 char *addrp;
4450 u32 peer_sid;
4451 struct common_audit_data ad;
4452 u8 secmark_active;
4453 u8 netlbl_active;
4454 u8 peerlbl_active;
4455
4456 if (!selinux_policycap_netpeer)
4457 return NF_ACCEPT;
4458
4459 secmark_active = selinux_secmark_enabled();
4460 netlbl_active = netlbl_enabled();
4461 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4462 if (!secmark_active && !peerlbl_active)
4463 return NF_ACCEPT;
4464
4465 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4466 return NF_DROP;
4467
4468 COMMON_AUDIT_DATA_INIT(&ad, NET);
4469 ad.u.net.netif = ifindex;
4470 ad.u.net.family = family;
4471 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4472 return NF_DROP;
4473
4474 if (peerlbl_active) {
4475 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4476 peer_sid, &ad);
4477 if (err) {
4478 selinux_netlbl_err(skb, err, 1);
4479 return NF_DROP;
4480 }
4481 }
4482
4483 if (secmark_active)
4484 if (avc_has_perm(peer_sid, skb->secmark,
4485 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4486 return NF_DROP;
4487
4488 if (netlbl_active)
4489 /* we do this in the FORWARD path and not the POST_ROUTING
4490 * path because we want to make sure we apply the necessary
4491 * labeling before IPsec is applied so we can leverage AH
4492 * protection */
4493 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4494 return NF_DROP;
4495
4496 return NF_ACCEPT;
4497 }
4498
4499 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4500 struct sk_buff *skb,
4501 const struct net_device *in,
4502 const struct net_device *out,
4503 int (*okfn)(struct sk_buff *))
4504 {
4505 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4506 }
4507
4508 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4509 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4510 struct sk_buff *skb,
4511 const struct net_device *in,
4512 const struct net_device *out,
4513 int (*okfn)(struct sk_buff *))
4514 {
4515 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4516 }
4517 #endif /* IPV6 */
4518
4519 static unsigned int selinux_ip_output(struct sk_buff *skb,
4520 u16 family)
4521 {
4522 u32 sid;
4523
4524 if (!netlbl_enabled())
4525 return NF_ACCEPT;
4526
4527 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4528 * because we want to make sure we apply the necessary labeling
4529 * before IPsec is applied so we can leverage AH protection */
4530 if (skb->sk) {
4531 struct sk_security_struct *sksec = skb->sk->sk_security;
4532 sid = sksec->sid;
4533 } else
4534 sid = SECINITSID_KERNEL;
4535 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4536 return NF_DROP;
4537
4538 return NF_ACCEPT;
4539 }
4540
4541 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4542 struct sk_buff *skb,
4543 const struct net_device *in,
4544 const struct net_device *out,
4545 int (*okfn)(struct sk_buff *))
4546 {
4547 return selinux_ip_output(skb, PF_INET);
4548 }
4549
4550 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4551 int ifindex,
4552 u16 family)
4553 {
4554 struct sock *sk = skb->sk;
4555 struct sk_security_struct *sksec;
4556 struct common_audit_data ad;
4557 char *addrp;
4558 u8 proto;
4559
4560 if (sk == NULL)
4561 return NF_ACCEPT;
4562 sksec = sk->sk_security;
4563
4564 COMMON_AUDIT_DATA_INIT(&ad, NET);
4565 ad.u.net.netif = ifindex;
4566 ad.u.net.family = family;
4567 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4568 return NF_DROP;
4569
4570 if (selinux_secmark_enabled())
4571 if (avc_has_perm(sksec->sid, skb->secmark,
4572 SECCLASS_PACKET, PACKET__SEND, &ad))
4573 return NF_DROP_ERR(-ECONNREFUSED);
4574
4575 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4576 return NF_DROP_ERR(-ECONNREFUSED);
4577
4578 return NF_ACCEPT;
4579 }
4580
4581 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4582 u16 family)
4583 {
4584 u32 secmark_perm;
4585 u32 peer_sid;
4586 struct sock *sk;
4587 struct common_audit_data ad;
4588 char *addrp;
4589 u8 secmark_active;
4590 u8 peerlbl_active;
4591
4592 /* If any sort of compatibility mode is enabled then handoff processing
4593 * to the selinux_ip_postroute_compat() function to deal with the
4594 * special handling. We do this in an attempt to keep this function
4595 * as fast and as clean as possible. */
4596 if (!selinux_policycap_netpeer)
4597 return selinux_ip_postroute_compat(skb, ifindex, family);
4598 #ifdef CONFIG_XFRM
4599 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4600 * packet transformation so allow the packet to pass without any checks
4601 * since we'll have another chance to perform access control checks
4602 * when the packet is on it's final way out.
4603 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4604 * is NULL, in this case go ahead and apply access control. */
4605 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4606 return NF_ACCEPT;
4607 #endif
4608 secmark_active = selinux_secmark_enabled();
4609 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4610 if (!secmark_active && !peerlbl_active)
4611 return NF_ACCEPT;
4612
4613 /* if the packet is being forwarded then get the peer label from the
4614 * packet itself; otherwise check to see if it is from a local
4615 * application or the kernel, if from an application get the peer label
4616 * from the sending socket, otherwise use the kernel's sid */
4617 sk = skb->sk;
4618 if (sk == NULL) {
4619 if (skb->skb_iif) {
4620 secmark_perm = PACKET__FORWARD_OUT;
4621 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4622 return NF_DROP;
4623 } else {
4624 secmark_perm = PACKET__SEND;
4625 peer_sid = SECINITSID_KERNEL;
4626 }
4627 } else {
4628 struct sk_security_struct *sksec = sk->sk_security;
4629 peer_sid = sksec->sid;
4630 secmark_perm = PACKET__SEND;
4631 }
4632
4633 COMMON_AUDIT_DATA_INIT(&ad, NET);
4634 ad.u.net.netif = ifindex;
4635 ad.u.net.family = family;
4636 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4637 return NF_DROP;
4638
4639 if (secmark_active)
4640 if (avc_has_perm(peer_sid, skb->secmark,
4641 SECCLASS_PACKET, secmark_perm, &ad))
4642 return NF_DROP_ERR(-ECONNREFUSED);
4643
4644 if (peerlbl_active) {
4645 u32 if_sid;
4646 u32 node_sid;
4647
4648 if (sel_netif_sid(ifindex, &if_sid))
4649 return NF_DROP;
4650 if (avc_has_perm(peer_sid, if_sid,
4651 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4652 return NF_DROP_ERR(-ECONNREFUSED);
4653
4654 if (sel_netnode_sid(addrp, family, &node_sid))
4655 return NF_DROP;
4656 if (avc_has_perm(peer_sid, node_sid,
4657 SECCLASS_NODE, NODE__SENDTO, &ad))
4658 return NF_DROP_ERR(-ECONNREFUSED);
4659 }
4660
4661 return NF_ACCEPT;
4662 }
4663
4664 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4665 struct sk_buff *skb,
4666 const struct net_device *in,
4667 const struct net_device *out,
4668 int (*okfn)(struct sk_buff *))
4669 {
4670 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4671 }
4672
4673 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4674 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4675 struct sk_buff *skb,
4676 const struct net_device *in,
4677 const struct net_device *out,
4678 int (*okfn)(struct sk_buff *))
4679 {
4680 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4681 }
4682 #endif /* IPV6 */
4683
4684 #endif /* CONFIG_NETFILTER */
4685
4686 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4687 {
4688 int err;
4689
4690 err = cap_netlink_send(sk, skb);
4691 if (err)
4692 return err;
4693
4694 return selinux_nlmsg_perm(sk, skb);
4695 }
4696
4697 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4698 {
4699 int err;
4700 struct common_audit_data ad;
4701 u32 sid;
4702
4703 err = cap_netlink_recv(skb, capability);
4704 if (err)
4705 return err;
4706
4707 COMMON_AUDIT_DATA_INIT(&ad, CAP);
4708 ad.u.cap = capability;
4709
4710 security_task_getsecid(current, &sid);
4711 return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4712 CAP_TO_MASK(capability), &ad);
4713 }
4714
4715 static int ipc_alloc_security(struct task_struct *task,
4716 struct kern_ipc_perm *perm,
4717 u16 sclass)
4718 {
4719 struct ipc_security_struct *isec;
4720 u32 sid;
4721
4722 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4723 if (!isec)
4724 return -ENOMEM;
4725
4726 sid = task_sid(task);
4727 isec->sclass = sclass;
4728 isec->sid = sid;
4729 perm->security = isec;
4730
4731 return 0;
4732 }
4733
4734 static void ipc_free_security(struct kern_ipc_perm *perm)
4735 {
4736 struct ipc_security_struct *isec = perm->security;
4737 perm->security = NULL;
4738 kfree(isec);
4739 }
4740
4741 static int msg_msg_alloc_security(struct msg_msg *msg)
4742 {
4743 struct msg_security_struct *msec;
4744
4745 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4746 if (!msec)
4747 return -ENOMEM;
4748
4749 msec->sid = SECINITSID_UNLABELED;
4750 msg->security = msec;
4751
4752 return 0;
4753 }
4754
4755 static void msg_msg_free_security(struct msg_msg *msg)
4756 {
4757 struct msg_security_struct *msec = msg->security;
4758
4759 msg->security = NULL;
4760 kfree(msec);
4761 }
4762
4763 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4764 u32 perms)
4765 {
4766 struct ipc_security_struct *isec;
4767 struct common_audit_data ad;
4768 u32 sid = current_sid();
4769
4770 isec = ipc_perms->security;
4771
4772 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4773 ad.u.ipc_id = ipc_perms->key;
4774
4775 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4776 }
4777
4778 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4779 {
4780 return msg_msg_alloc_security(msg);
4781 }
4782
4783 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4784 {
4785 msg_msg_free_security(msg);
4786 }
4787
4788 /* message queue security operations */
4789 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4790 {
4791 struct ipc_security_struct *isec;
4792 struct common_audit_data ad;
4793 u32 sid = current_sid();
4794 int rc;
4795
4796 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4797 if (rc)
4798 return rc;
4799
4800 isec = msq->q_perm.security;
4801
4802 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4803 ad.u.ipc_id = msq->q_perm.key;
4804
4805 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4806 MSGQ__CREATE, &ad);
4807 if (rc) {
4808 ipc_free_security(&msq->q_perm);
4809 return rc;
4810 }
4811 return 0;
4812 }
4813
4814 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4815 {
4816 ipc_free_security(&msq->q_perm);
4817 }
4818
4819 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4820 {
4821 struct ipc_security_struct *isec;
4822 struct common_audit_data ad;
4823 u32 sid = current_sid();
4824
4825 isec = msq->q_perm.security;
4826
4827 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4828 ad.u.ipc_id = msq->q_perm.key;
4829
4830 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4831 MSGQ__ASSOCIATE, &ad);
4832 }
4833
4834 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4835 {
4836 int err;
4837 int perms;
4838
4839 switch (cmd) {
4840 case IPC_INFO:
4841 case MSG_INFO:
4842 /* No specific object, just general system-wide information. */
4843 return task_has_system(current, SYSTEM__IPC_INFO);
4844 case IPC_STAT:
4845 case MSG_STAT:
4846 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4847 break;
4848 case IPC_SET:
4849 perms = MSGQ__SETATTR;
4850 break;
4851 case IPC_RMID:
4852 perms = MSGQ__DESTROY;
4853 break;
4854 default:
4855 return 0;
4856 }
4857
4858 err = ipc_has_perm(&msq->q_perm, perms);
4859 return err;
4860 }
4861
4862 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4863 {
4864 struct ipc_security_struct *isec;
4865 struct msg_security_struct *msec;
4866 struct common_audit_data ad;
4867 u32 sid = current_sid();
4868 int rc;
4869
4870 isec = msq->q_perm.security;
4871 msec = msg->security;
4872
4873 /*
4874 * First time through, need to assign label to the message
4875 */
4876 if (msec->sid == SECINITSID_UNLABELED) {
4877 /*
4878 * Compute new sid based on current process and
4879 * message queue this message will be stored in
4880 */
4881 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4882 NULL, &msec->sid);
4883 if (rc)
4884 return rc;
4885 }
4886
4887 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4888 ad.u.ipc_id = msq->q_perm.key;
4889
4890 /* Can this process write to the queue? */
4891 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4892 MSGQ__WRITE, &ad);
4893 if (!rc)
4894 /* Can this process send the message */
4895 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4896 MSG__SEND, &ad);
4897 if (!rc)
4898 /* Can the message be put in the queue? */
4899 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4900 MSGQ__ENQUEUE, &ad);
4901
4902 return rc;
4903 }
4904
4905 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4906 struct task_struct *target,
4907 long type, int mode)
4908 {
4909 struct ipc_security_struct *isec;
4910 struct msg_security_struct *msec;
4911 struct common_audit_data ad;
4912 u32 sid = task_sid(target);
4913 int rc;
4914
4915 isec = msq->q_perm.security;
4916 msec = msg->security;
4917
4918 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4919 ad.u.ipc_id = msq->q_perm.key;
4920
4921 rc = avc_has_perm(sid, isec->sid,
4922 SECCLASS_MSGQ, MSGQ__READ, &ad);
4923 if (!rc)
4924 rc = avc_has_perm(sid, msec->sid,
4925 SECCLASS_MSG, MSG__RECEIVE, &ad);
4926 return rc;
4927 }
4928
4929 /* Shared Memory security operations */
4930 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4931 {
4932 struct ipc_security_struct *isec;
4933 struct common_audit_data ad;
4934 u32 sid = current_sid();
4935 int rc;
4936
4937 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4938 if (rc)
4939 return rc;
4940
4941 isec = shp->shm_perm.security;
4942
4943 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4944 ad.u.ipc_id = shp->shm_perm.key;
4945
4946 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4947 SHM__CREATE, &ad);
4948 if (rc) {
4949 ipc_free_security(&shp->shm_perm);
4950 return rc;
4951 }
4952 return 0;
4953 }
4954
4955 static void selinux_shm_free_security(struct shmid_kernel *shp)
4956 {
4957 ipc_free_security(&shp->shm_perm);
4958 }
4959
4960 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4961 {
4962 struct ipc_security_struct *isec;
4963 struct common_audit_data ad;
4964 u32 sid = current_sid();
4965
4966 isec = shp->shm_perm.security;
4967
4968 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4969 ad.u.ipc_id = shp->shm_perm.key;
4970
4971 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4972 SHM__ASSOCIATE, &ad);
4973 }
4974
4975 /* Note, at this point, shp is locked down */
4976 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4977 {
4978 int perms;
4979 int err;
4980
4981 switch (cmd) {
4982 case IPC_INFO:
4983 case SHM_INFO:
4984 /* No specific object, just general system-wide information. */
4985 return task_has_system(current, SYSTEM__IPC_INFO);
4986 case IPC_STAT:
4987 case SHM_STAT:
4988 perms = SHM__GETATTR | SHM__ASSOCIATE;
4989 break;
4990 case IPC_SET:
4991 perms = SHM__SETATTR;
4992 break;
4993 case SHM_LOCK:
4994 case SHM_UNLOCK:
4995 perms = SHM__LOCK;
4996 break;
4997 case IPC_RMID:
4998 perms = SHM__DESTROY;
4999 break;
5000 default:
5001 return 0;
5002 }
5003
5004 err = ipc_has_perm(&shp->shm_perm, perms);
5005 return err;
5006 }
5007
5008 static int selinux_shm_shmat(struct shmid_kernel *shp,
5009 char __user *shmaddr, int shmflg)
5010 {
5011 u32 perms;
5012
5013 if (shmflg & SHM_RDONLY)
5014 perms = SHM__READ;
5015 else
5016 perms = SHM__READ | SHM__WRITE;
5017
5018 return ipc_has_perm(&shp->shm_perm, perms);
5019 }
5020
5021 /* Semaphore security operations */
5022 static int selinux_sem_alloc_security(struct sem_array *sma)
5023 {
5024 struct ipc_security_struct *isec;
5025 struct common_audit_data ad;
5026 u32 sid = current_sid();
5027 int rc;
5028
5029 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5030 if (rc)
5031 return rc;
5032
5033 isec = sma->sem_perm.security;
5034
5035 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5036 ad.u.ipc_id = sma->sem_perm.key;
5037
5038 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5039 SEM__CREATE, &ad);
5040 if (rc) {
5041 ipc_free_security(&sma->sem_perm);
5042 return rc;
5043 }
5044 return 0;
5045 }
5046
5047 static void selinux_sem_free_security(struct sem_array *sma)
5048 {
5049 ipc_free_security(&sma->sem_perm);
5050 }
5051
5052 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5053 {
5054 struct ipc_security_struct *isec;
5055 struct common_audit_data ad;
5056 u32 sid = current_sid();
5057
5058 isec = sma->sem_perm.security;
5059
5060 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5061 ad.u.ipc_id = sma->sem_perm.key;
5062
5063 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5064 SEM__ASSOCIATE, &ad);
5065 }
5066
5067 /* Note, at this point, sma is locked down */
5068 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5069 {
5070 int err;
5071 u32 perms;
5072
5073 switch (cmd) {
5074 case IPC_INFO:
5075 case SEM_INFO:
5076 /* No specific object, just general system-wide information. */
5077 return task_has_system(current, SYSTEM__IPC_INFO);
5078 case GETPID:
5079 case GETNCNT:
5080 case GETZCNT:
5081 perms = SEM__GETATTR;
5082 break;
5083 case GETVAL:
5084 case GETALL:
5085 perms = SEM__READ;
5086 break;
5087 case SETVAL:
5088 case SETALL:
5089 perms = SEM__WRITE;
5090 break;
5091 case IPC_RMID:
5092 perms = SEM__DESTROY;
5093 break;
5094 case IPC_SET:
5095 perms = SEM__SETATTR;
5096 break;
5097 case IPC_STAT:
5098 case SEM_STAT:
5099 perms = SEM__GETATTR | SEM__ASSOCIATE;
5100 break;
5101 default:
5102 return 0;
5103 }
5104
5105 err = ipc_has_perm(&sma->sem_perm, perms);
5106 return err;
5107 }
5108
5109 static int selinux_sem_semop(struct sem_array *sma,
5110 struct sembuf *sops, unsigned nsops, int alter)
5111 {
5112 u32 perms;
5113
5114 if (alter)
5115 perms = SEM__READ | SEM__WRITE;
5116 else
5117 perms = SEM__READ;
5118
5119 return ipc_has_perm(&sma->sem_perm, perms);
5120 }
5121
5122 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5123 {
5124 u32 av = 0;
5125
5126 av = 0;
5127 if (flag & S_IRUGO)
5128 av |= IPC__UNIX_READ;
5129 if (flag & S_IWUGO)
5130 av |= IPC__UNIX_WRITE;
5131
5132 if (av == 0)
5133 return 0;
5134
5135 return ipc_has_perm(ipcp, av);
5136 }
5137
5138 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5139 {
5140 struct ipc_security_struct *isec = ipcp->security;
5141 *secid = isec->sid;
5142 }
5143
5144 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5145 {
5146 if (inode)
5147 inode_doinit_with_dentry(inode, dentry);
5148 }
5149
5150 static int selinux_getprocattr(struct task_struct *p,
5151 char *name, char **value)
5152 {
5153 const struct task_security_struct *__tsec;
5154 u32 sid;
5155 int error;
5156 unsigned len;
5157
5158 if (current != p) {
5159 error = current_has_perm(p, PROCESS__GETATTR);
5160 if (error)
5161 return error;
5162 }
5163
5164 rcu_read_lock();
5165 __tsec = __task_cred(p)->security;
5166
5167 if (!strcmp(name, "current"))
5168 sid = __tsec->sid;
5169 else if (!strcmp(name, "prev"))
5170 sid = __tsec->osid;
5171 else if (!strcmp(name, "exec"))
5172 sid = __tsec->exec_sid;
5173 else if (!strcmp(name, "fscreate"))
5174 sid = __tsec->create_sid;
5175 else if (!strcmp(name, "keycreate"))
5176 sid = __tsec->keycreate_sid;
5177 else if (!strcmp(name, "sockcreate"))
5178 sid = __tsec->sockcreate_sid;
5179 else
5180 goto invalid;
5181 rcu_read_unlock();
5182
5183 if (!sid)
5184 return 0;
5185
5186 error = security_sid_to_context(sid, value, &len);
5187 if (error)
5188 return error;
5189 return len;
5190
5191 invalid:
5192 rcu_read_unlock();
5193 return -EINVAL;
5194 }
5195
5196 static int selinux_setprocattr(struct task_struct *p,
5197 char *name, void *value, size_t size)
5198 {
5199 struct task_security_struct *tsec;
5200 struct task_struct *tracer;
5201 struct cred *new;
5202 u32 sid = 0, ptsid;
5203 int error;
5204 char *str = value;
5205
5206 if (current != p) {
5207 /* SELinux only allows a process to change its own
5208 security attributes. */
5209 return -EACCES;
5210 }
5211
5212 /*
5213 * Basic control over ability to set these attributes at all.
5214 * current == p, but we'll pass them separately in case the
5215 * above restriction is ever removed.
5216 */
5217 if (!strcmp(name, "exec"))
5218 error = current_has_perm(p, PROCESS__SETEXEC);
5219 else if (!strcmp(name, "fscreate"))
5220 error = current_has_perm(p, PROCESS__SETFSCREATE);
5221 else if (!strcmp(name, "keycreate"))
5222 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5223 else if (!strcmp(name, "sockcreate"))
5224 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5225 else if (!strcmp(name, "current"))
5226 error = current_has_perm(p, PROCESS__SETCURRENT);
5227 else
5228 error = -EINVAL;
5229 if (error)
5230 return error;
5231
5232 /* Obtain a SID for the context, if one was specified. */
5233 if (size && str[1] && str[1] != '\n') {
5234 if (str[size-1] == '\n') {
5235 str[size-1] = 0;
5236 size--;
5237 }
5238 error = security_context_to_sid(value, size, &sid);
5239 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5240 if (!capable(CAP_MAC_ADMIN))
5241 return error;
5242 error = security_context_to_sid_force(value, size,
5243 &sid);
5244 }
5245 if (error)
5246 return error;
5247 }
5248
5249 new = prepare_creds();
5250 if (!new)
5251 return -ENOMEM;
5252
5253 /* Permission checking based on the specified context is
5254 performed during the actual operation (execve,
5255 open/mkdir/...), when we know the full context of the
5256 operation. See selinux_bprm_set_creds for the execve
5257 checks and may_create for the file creation checks. The
5258 operation will then fail if the context is not permitted. */
5259 tsec = new->security;
5260 if (!strcmp(name, "exec")) {
5261 tsec->exec_sid = sid;
5262 } else if (!strcmp(name, "fscreate")) {
5263 tsec->create_sid = sid;
5264 } else if (!strcmp(name, "keycreate")) {
5265 error = may_create_key(sid, p);
5266 if (error)
5267 goto abort_change;
5268 tsec->keycreate_sid = sid;
5269 } else if (!strcmp(name, "sockcreate")) {
5270 tsec->sockcreate_sid = sid;
5271 } else if (!strcmp(name, "current")) {
5272 error = -EINVAL;
5273 if (sid == 0)
5274 goto abort_change;
5275
5276 /* Only allow single threaded processes to change context */
5277 error = -EPERM;
5278 if (!current_is_single_threaded()) {
5279 error = security_bounded_transition(tsec->sid, sid);
5280 if (error)
5281 goto abort_change;
5282 }
5283
5284 /* Check permissions for the transition. */
5285 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5286 PROCESS__DYNTRANSITION, NULL);
5287 if (error)
5288 goto abort_change;
5289
5290 /* Check for ptracing, and update the task SID if ok.
5291 Otherwise, leave SID unchanged and fail. */
5292 ptsid = 0;
5293 task_lock(p);
5294 tracer = tracehook_tracer_task(p);
5295 if (tracer)
5296 ptsid = task_sid(tracer);
5297 task_unlock(p);
5298
5299 if (tracer) {
5300 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5301 PROCESS__PTRACE, NULL);
5302 if (error)
5303 goto abort_change;
5304 }
5305
5306 tsec->sid = sid;
5307 } else {
5308 error = -EINVAL;
5309 goto abort_change;
5310 }
5311
5312 commit_creds(new);
5313 return size;
5314
5315 abort_change:
5316 abort_creds(new);
5317 return error;
5318 }
5319
5320 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5321 {
5322 return security_sid_to_context(secid, secdata, seclen);
5323 }
5324
5325 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5326 {
5327 return security_context_to_sid(secdata, seclen, secid);
5328 }
5329
5330 static void selinux_release_secctx(char *secdata, u32 seclen)
5331 {
5332 kfree(secdata);
5333 }
5334
5335 /*
5336 * called with inode->i_mutex locked
5337 */
5338 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5339 {
5340 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5341 }
5342
5343 /*
5344 * called with inode->i_mutex locked
5345 */
5346 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5347 {
5348 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5349 }
5350
5351 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5352 {
5353 int len = 0;
5354 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5355 ctx, true);
5356 if (len < 0)
5357 return len;
5358 *ctxlen = len;
5359 return 0;
5360 }
5361 #ifdef CONFIG_KEYS
5362
5363 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5364 unsigned long flags)
5365 {
5366 const struct task_security_struct *tsec;
5367 struct key_security_struct *ksec;
5368
5369 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5370 if (!ksec)
5371 return -ENOMEM;
5372
5373 tsec = cred->security;
5374 if (tsec->keycreate_sid)
5375 ksec->sid = tsec->keycreate_sid;
5376 else
5377 ksec->sid = tsec->sid;
5378
5379 k->security = ksec;
5380 return 0;
5381 }
5382
5383 static void selinux_key_free(struct key *k)
5384 {
5385 struct key_security_struct *ksec = k->security;
5386
5387 k->security = NULL;
5388 kfree(ksec);
5389 }
5390
5391 static int selinux_key_permission(key_ref_t key_ref,
5392 const struct cred *cred,
5393 key_perm_t perm)
5394 {
5395 struct key *key;
5396 struct key_security_struct *ksec;
5397 u32 sid;
5398
5399 /* if no specific permissions are requested, we skip the
5400 permission check. No serious, additional covert channels
5401 appear to be created. */
5402 if (perm == 0)
5403 return 0;
5404
5405 sid = cred_sid(cred);
5406
5407 key = key_ref_to_ptr(key_ref);
5408 ksec = key->security;
5409
5410 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5411 }
5412
5413 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5414 {
5415 struct key_security_struct *ksec = key->security;
5416 char *context = NULL;
5417 unsigned len;
5418 int rc;
5419
5420 rc = security_sid_to_context(ksec->sid, &context, &len);
5421 if (!rc)
5422 rc = len;
5423 *_buffer = context;
5424 return rc;
5425 }
5426
5427 #endif
5428
5429 static struct security_operations selinux_ops = {
5430 .name = "selinux",
5431
5432 .ptrace_access_check = selinux_ptrace_access_check,
5433 .ptrace_traceme = selinux_ptrace_traceme,
5434 .capget = selinux_capget,
5435 .capset = selinux_capset,
5436 .capable = selinux_capable,
5437 .quotactl = selinux_quotactl,
5438 .quota_on = selinux_quota_on,
5439 .syslog = selinux_syslog,
5440 .vm_enough_memory = selinux_vm_enough_memory,
5441
5442 .netlink_send = selinux_netlink_send,
5443 .netlink_recv = selinux_netlink_recv,
5444
5445 .bprm_set_creds = selinux_bprm_set_creds,
5446 .bprm_committing_creds = selinux_bprm_committing_creds,
5447 .bprm_committed_creds = selinux_bprm_committed_creds,
5448 .bprm_secureexec = selinux_bprm_secureexec,
5449
5450 .sb_alloc_security = selinux_sb_alloc_security,
5451 .sb_free_security = selinux_sb_free_security,
5452 .sb_copy_data = selinux_sb_copy_data,
5453 .sb_remount = selinux_sb_remount,
5454 .sb_kern_mount = selinux_sb_kern_mount,
5455 .sb_show_options = selinux_sb_show_options,
5456 .sb_statfs = selinux_sb_statfs,
5457 .sb_mount = selinux_mount,
5458 .sb_umount = selinux_umount,
5459 .sb_set_mnt_opts = selinux_set_mnt_opts,
5460 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5461 .sb_parse_opts_str = selinux_parse_opts_str,
5462
5463
5464 .inode_alloc_security = selinux_inode_alloc_security,
5465 .inode_free_security = selinux_inode_free_security,
5466 .inode_init_security = selinux_inode_init_security,
5467 .inode_create = selinux_inode_create,
5468 .inode_link = selinux_inode_link,
5469 .inode_unlink = selinux_inode_unlink,
5470 .inode_symlink = selinux_inode_symlink,
5471 .inode_mkdir = selinux_inode_mkdir,
5472 .inode_rmdir = selinux_inode_rmdir,
5473 .inode_mknod = selinux_inode_mknod,
5474 .inode_rename = selinux_inode_rename,
5475 .inode_readlink = selinux_inode_readlink,
5476 .inode_follow_link = selinux_inode_follow_link,
5477 .inode_permission = selinux_inode_permission,
5478 .inode_setattr = selinux_inode_setattr,
5479 .inode_getattr = selinux_inode_getattr,
5480 .inode_setxattr = selinux_inode_setxattr,
5481 .inode_post_setxattr = selinux_inode_post_setxattr,
5482 .inode_getxattr = selinux_inode_getxattr,
5483 .inode_listxattr = selinux_inode_listxattr,
5484 .inode_removexattr = selinux_inode_removexattr,
5485 .inode_getsecurity = selinux_inode_getsecurity,
5486 .inode_setsecurity = selinux_inode_setsecurity,
5487 .inode_listsecurity = selinux_inode_listsecurity,
5488 .inode_getsecid = selinux_inode_getsecid,
5489
5490 .file_permission = selinux_file_permission,
5491 .file_alloc_security = selinux_file_alloc_security,
5492 .file_free_security = selinux_file_free_security,
5493 .file_ioctl = selinux_file_ioctl,
5494 .file_mmap = selinux_file_mmap,
5495 .file_mprotect = selinux_file_mprotect,
5496 .file_lock = selinux_file_lock,
5497 .file_fcntl = selinux_file_fcntl,
5498 .file_set_fowner = selinux_file_set_fowner,
5499 .file_send_sigiotask = selinux_file_send_sigiotask,
5500 .file_receive = selinux_file_receive,
5501
5502 .dentry_open = selinux_dentry_open,
5503
5504 .task_create = selinux_task_create,
5505 .cred_alloc_blank = selinux_cred_alloc_blank,
5506 .cred_free = selinux_cred_free,
5507 .cred_prepare = selinux_cred_prepare,
5508 .cred_transfer = selinux_cred_transfer,
5509 .kernel_act_as = selinux_kernel_act_as,
5510 .kernel_create_files_as = selinux_kernel_create_files_as,
5511 .kernel_module_request = selinux_kernel_module_request,
5512 .task_setpgid = selinux_task_setpgid,
5513 .task_getpgid = selinux_task_getpgid,
5514 .task_getsid = selinux_task_getsid,
5515 .task_getsecid = selinux_task_getsecid,
5516 .task_setnice = selinux_task_setnice,
5517 .task_setioprio = selinux_task_setioprio,
5518 .task_getioprio = selinux_task_getioprio,
5519 .task_setrlimit = selinux_task_setrlimit,
5520 .task_setscheduler = selinux_task_setscheduler,
5521 .task_getscheduler = selinux_task_getscheduler,
5522 .task_movememory = selinux_task_movememory,
5523 .task_kill = selinux_task_kill,
5524 .task_wait = selinux_task_wait,
5525 .task_to_inode = selinux_task_to_inode,
5526
5527 .ipc_permission = selinux_ipc_permission,
5528 .ipc_getsecid = selinux_ipc_getsecid,
5529
5530 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5531 .msg_msg_free_security = selinux_msg_msg_free_security,
5532
5533 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5534 .msg_queue_free_security = selinux_msg_queue_free_security,
5535 .msg_queue_associate = selinux_msg_queue_associate,
5536 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5537 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5538 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5539
5540 .shm_alloc_security = selinux_shm_alloc_security,
5541 .shm_free_security = selinux_shm_free_security,
5542 .shm_associate = selinux_shm_associate,
5543 .shm_shmctl = selinux_shm_shmctl,
5544 .shm_shmat = selinux_shm_shmat,
5545
5546 .sem_alloc_security = selinux_sem_alloc_security,
5547 .sem_free_security = selinux_sem_free_security,
5548 .sem_associate = selinux_sem_associate,
5549 .sem_semctl = selinux_sem_semctl,
5550 .sem_semop = selinux_sem_semop,
5551
5552 .d_instantiate = selinux_d_instantiate,
5553
5554 .getprocattr = selinux_getprocattr,
5555 .setprocattr = selinux_setprocattr,
5556
5557 .secid_to_secctx = selinux_secid_to_secctx,
5558 .secctx_to_secid = selinux_secctx_to_secid,
5559 .release_secctx = selinux_release_secctx,
5560 .inode_notifysecctx = selinux_inode_notifysecctx,
5561 .inode_setsecctx = selinux_inode_setsecctx,
5562 .inode_getsecctx = selinux_inode_getsecctx,
5563
5564 .unix_stream_connect = selinux_socket_unix_stream_connect,
5565 .unix_may_send = selinux_socket_unix_may_send,
5566
5567 .socket_create = selinux_socket_create,
5568 .socket_post_create = selinux_socket_post_create,
5569 .socket_bind = selinux_socket_bind,
5570 .socket_connect = selinux_socket_connect,
5571 .socket_listen = selinux_socket_listen,
5572 .socket_accept = selinux_socket_accept,
5573 .socket_sendmsg = selinux_socket_sendmsg,
5574 .socket_recvmsg = selinux_socket_recvmsg,
5575 .socket_getsockname = selinux_socket_getsockname,
5576 .socket_getpeername = selinux_socket_getpeername,
5577 .socket_getsockopt = selinux_socket_getsockopt,
5578 .socket_setsockopt = selinux_socket_setsockopt,
5579 .socket_shutdown = selinux_socket_shutdown,
5580 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5581 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5582 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5583 .sk_alloc_security = selinux_sk_alloc_security,
5584 .sk_free_security = selinux_sk_free_security,
5585 .sk_clone_security = selinux_sk_clone_security,
5586 .sk_getsecid = selinux_sk_getsecid,
5587 .sock_graft = selinux_sock_graft,
5588 .inet_conn_request = selinux_inet_conn_request,
5589 .inet_csk_clone = selinux_inet_csk_clone,
5590 .inet_conn_established = selinux_inet_conn_established,
5591 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5592 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5593 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5594 .req_classify_flow = selinux_req_classify_flow,
5595 .tun_dev_create = selinux_tun_dev_create,
5596 .tun_dev_post_create = selinux_tun_dev_post_create,
5597 .tun_dev_attach = selinux_tun_dev_attach,
5598
5599 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5600 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5601 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5602 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5603 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5604 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5605 .xfrm_state_free_security = selinux_xfrm_state_free,
5606 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5607 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5608 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5609 .xfrm_decode_session = selinux_xfrm_decode_session,
5610 #endif
5611
5612 #ifdef CONFIG_KEYS
5613 .key_alloc = selinux_key_alloc,
5614 .key_free = selinux_key_free,
5615 .key_permission = selinux_key_permission,
5616 .key_getsecurity = selinux_key_getsecurity,
5617 #endif
5618
5619 #ifdef CONFIG_AUDIT
5620 .audit_rule_init = selinux_audit_rule_init,
5621 .audit_rule_known = selinux_audit_rule_known,
5622 .audit_rule_match = selinux_audit_rule_match,
5623 .audit_rule_free = selinux_audit_rule_free,
5624 #endif
5625 };
5626
5627 static __init int selinux_init(void)
5628 {
5629 if (!security_module_enable(&selinux_ops)) {
5630 selinux_enabled = 0;
5631 return 0;
5632 }
5633
5634 if (!selinux_enabled) {
5635 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5636 return 0;
5637 }
5638
5639 printk(KERN_INFO "SELinux: Initializing.\n");
5640
5641 /* Set the security state for the initial task. */
5642 cred_init_security();
5643
5644 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5645
5646 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5647 sizeof(struct inode_security_struct),
5648 0, SLAB_PANIC, NULL);
5649 avc_init();
5650
5651 if (register_security(&selinux_ops))
5652 panic("SELinux: Unable to register with kernel.\n");
5653
5654 if (selinux_enforcing)
5655 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5656 else
5657 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5658
5659 return 0;
5660 }
5661
5662 static void delayed_superblock_init(struct super_block *sb, void *unused)
5663 {
5664 superblock_doinit(sb, NULL);
5665 }
5666
5667 void selinux_complete_init(void)
5668 {
5669 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5670
5671 /* Set up any superblocks initialized prior to the policy load. */
5672 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5673 iterate_supers(delayed_superblock_init, NULL);
5674 }
5675
5676 /* SELinux requires early initialization in order to label
5677 all processes and objects when they are created. */
5678 security_initcall(selinux_init);
5679
5680 #if defined(CONFIG_NETFILTER)
5681
5682 static struct nf_hook_ops selinux_ipv4_ops[] = {
5683 {
5684 .hook = selinux_ipv4_postroute,
5685 .owner = THIS_MODULE,
5686 .pf = PF_INET,
5687 .hooknum = NF_INET_POST_ROUTING,
5688 .priority = NF_IP_PRI_SELINUX_LAST,
5689 },
5690 {
5691 .hook = selinux_ipv4_forward,
5692 .owner = THIS_MODULE,
5693 .pf = PF_INET,
5694 .hooknum = NF_INET_FORWARD,
5695 .priority = NF_IP_PRI_SELINUX_FIRST,
5696 },
5697 {
5698 .hook = selinux_ipv4_output,
5699 .owner = THIS_MODULE,
5700 .pf = PF_INET,
5701 .hooknum = NF_INET_LOCAL_OUT,
5702 .priority = NF_IP_PRI_SELINUX_FIRST,
5703 }
5704 };
5705
5706 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5707
5708 static struct nf_hook_ops selinux_ipv6_ops[] = {
5709 {
5710 .hook = selinux_ipv6_postroute,
5711 .owner = THIS_MODULE,
5712 .pf = PF_INET6,
5713 .hooknum = NF_INET_POST_ROUTING,
5714 .priority = NF_IP6_PRI_SELINUX_LAST,
5715 },
5716 {
5717 .hook = selinux_ipv6_forward,
5718 .owner = THIS_MODULE,
5719 .pf = PF_INET6,
5720 .hooknum = NF_INET_FORWARD,
5721 .priority = NF_IP6_PRI_SELINUX_FIRST,
5722 }
5723 };
5724
5725 #endif /* IPV6 */
5726
5727 static int __init selinux_nf_ip_init(void)
5728 {
5729 int err = 0;
5730
5731 if (!selinux_enabled)
5732 goto out;
5733
5734 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5735
5736 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5737 if (err)
5738 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5739
5740 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5741 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5742 if (err)
5743 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5744 #endif /* IPV6 */
5745
5746 out:
5747 return err;
5748 }
5749
5750 __initcall(selinux_nf_ip_init);
5751
5752 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5753 static void selinux_nf_ip_exit(void)
5754 {
5755 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5756
5757 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5758 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5759 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5760 #endif /* IPV6 */
5761 }
5762 #endif
5763
5764 #else /* CONFIG_NETFILTER */
5765
5766 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5767 #define selinux_nf_ip_exit()
5768 #endif
5769
5770 #endif /* CONFIG_NETFILTER */
5771
5772 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5773 static int selinux_disabled;
5774
5775 int selinux_disable(void)
5776 {
5777 extern void exit_sel_fs(void);
5778
5779 if (ss_initialized) {
5780 /* Not permitted after initial policy load. */
5781 return -EINVAL;
5782 }
5783
5784 if (selinux_disabled) {
5785 /* Only do this once. */
5786 return -EINVAL;
5787 }
5788
5789 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5790
5791 selinux_disabled = 1;
5792 selinux_enabled = 0;
5793
5794 reset_security_ops();
5795
5796 /* Try to destroy the avc node cache */
5797 avc_disable();
5798
5799 /* Unregister netfilter hooks. */
5800 selinux_nf_ip_exit();
5801
5802 /* Unregister selinuxfs. */
5803 exit_sel_fs();
5804
5805 return 0;
5806 }
5807 #endif
Ubuntu Hirsute Linux kernel mirror