projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
selinux: correct locking in selinux_netlbl_socket_connect)
[deliverable/linux.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/security.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97
98 #define SB_TYPE_FMT "%s%s%s"
99 #define SB_SUBTYPE(sb) (sb->s_subtype && sb->s_subtype[0])
100 #define SB_TYPE_ARGS(sb) sb->s_type->name, SB_SUBTYPE(sb) ? "." : "", SB_SUBTYPE(sb) ? sb->s_subtype : ""
101
102 extern struct security_operations *security_ops;
103
104 /* SECMARK reference count */
105 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
106
107 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
108 int selinux_enforcing;
109
110 static int __init enforcing_setup(char *str)
111 {
112 unsigned long enforcing;
113 if (!strict_strtoul(str, 0, &enforcing))
114 selinux_enforcing = enforcing ? 1 : 0;
115 return 1;
116 }
117 __setup("enforcing=", enforcing_setup);
118 #endif
119
120 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
121 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
122
123 static int __init selinux_enabled_setup(char *str)
124 {
125 unsigned long enabled;
126 if (!strict_strtoul(str, 0, &enabled))
127 selinux_enabled = enabled ? 1 : 0;
128 return 1;
129 }
130 __setup("selinux=", selinux_enabled_setup);
131 #else
132 int selinux_enabled = 1;
133 #endif
134
135 static struct kmem_cache *sel_inode_cache;
136
137 /**
138 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
139 *
140 * Description:
141 * This function checks the SECMARK reference counter to see if any SECMARK
142 * targets are currently configured, if the reference counter is greater than
143 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
144 * enabled, false (0) if SECMARK is disabled. If the always_check_network
145 * policy capability is enabled, SECMARK is always considered enabled.
146 *
147 */
148 static int selinux_secmark_enabled(void)
149 {
150 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
151 }
152
153 /**
154 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
155 *
156 * Description:
157 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
158 * (1) if any are enabled or false (0) if neither are enabled. If the
159 * always_check_network policy capability is enabled, peer labeling
160 * is always considered enabled.
161 *
162 */
163 static int selinux_peerlbl_enabled(void)
164 {
165 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
166 }
167
168 /*
169 * initialise the security for the init task
170 */
171 static void cred_init_security(void)
172 {
173 struct cred *cred = (struct cred *) current->real_cred;
174 struct task_security_struct *tsec;
175
176 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
177 if (!tsec)
178 panic("SELinux: Failed to initialize initial task.\n");
179
180 tsec->osid = tsec->sid = SECINITSID_KERNEL;
181 cred->security = tsec;
182 }
183
184 /*
185 * get the security ID of a set of credentials
186 */
187 static inline u32 cred_sid(const struct cred *cred)
188 {
189 const struct task_security_struct *tsec;
190
191 tsec = cred->security;
192 return tsec->sid;
193 }
194
195 /*
196 * get the objective security ID of a task
197 */
198 static inline u32 task_sid(const struct task_struct *task)
199 {
200 u32 sid;
201
202 rcu_read_lock();
203 sid = cred_sid(__task_cred(task));
204 rcu_read_unlock();
205 return sid;
206 }
207
208 /*
209 * get the subjective security ID of the current task
210 */
211 static inline u32 current_sid(void)
212 {
213 const struct task_security_struct *tsec = current_security();
214
215 return tsec->sid;
216 }
217
218 /* Allocate and free functions for each kind of security blob. */
219
220 static int inode_alloc_security(struct inode *inode)
221 {
222 struct inode_security_struct *isec;
223 u32 sid = current_sid();
224
225 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
226 if (!isec)
227 return -ENOMEM;
228
229 mutex_init(&isec->lock);
230 INIT_LIST_HEAD(&isec->list);
231 isec->inode = inode;
232 isec->sid = SECINITSID_UNLABELED;
233 isec->sclass = SECCLASS_FILE;
234 isec->task_sid = sid;
235 inode->i_security = isec;
236
237 return 0;
238 }
239
240 static void inode_free_security(struct inode *inode)
241 {
242 struct inode_security_struct *isec = inode->i_security;
243 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
244
245 spin_lock(&sbsec->isec_lock);
246 if (!list_empty(&isec->list))
247 list_del_init(&isec->list);
248 spin_unlock(&sbsec->isec_lock);
249
250 inode->i_security = NULL;
251 kmem_cache_free(sel_inode_cache, isec);
252 }
253
254 static int file_alloc_security(struct file *file)
255 {
256 struct file_security_struct *fsec;
257 u32 sid = current_sid();
258
259 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
260 if (!fsec)
261 return -ENOMEM;
262
263 fsec->sid = sid;
264 fsec->fown_sid = sid;
265 file->f_security = fsec;
266
267 return 0;
268 }
269
270 static void file_free_security(struct file *file)
271 {
272 struct file_security_struct *fsec = file->f_security;
273 file->f_security = NULL;
274 kfree(fsec);
275 }
276
277 static int superblock_alloc_security(struct super_block *sb)
278 {
279 struct superblock_security_struct *sbsec;
280
281 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
282 if (!sbsec)
283 return -ENOMEM;
284
285 mutex_init(&sbsec->lock);
286 INIT_LIST_HEAD(&sbsec->isec_head);
287 spin_lock_init(&sbsec->isec_lock);
288 sbsec->sb = sb;
289 sbsec->sid = SECINITSID_UNLABELED;
290 sbsec->def_sid = SECINITSID_FILE;
291 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
292 sb->s_security = sbsec;
293
294 return 0;
295 }
296
297 static void superblock_free_security(struct super_block *sb)
298 {
299 struct superblock_security_struct *sbsec = sb->s_security;
300 sb->s_security = NULL;
301 kfree(sbsec);
302 }
303
304 /* The file system's label must be initialized prior to use. */
305
306 static const char *labeling_behaviors[7] = {
307 "uses xattr",
308 "uses transition SIDs",
309 "uses task SIDs",
310 "uses genfs_contexts",
311 "not configured for labeling",
312 "uses mountpoint labeling",
313 "uses native labeling",
314 };
315
316 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
317
318 static inline int inode_doinit(struct inode *inode)
319 {
320 return inode_doinit_with_dentry(inode, NULL);
321 }
322
323 enum {
324 Opt_error = -1,
325 Opt_context = 1,
326 Opt_fscontext = 2,
327 Opt_defcontext = 3,
328 Opt_rootcontext = 4,
329 Opt_labelsupport = 5,
330 Opt_nextmntopt = 6,
331 };
332
333 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
334
335 static const match_table_t tokens = {
336 {Opt_context, CONTEXT_STR "%s"},
337 {Opt_fscontext, FSCONTEXT_STR "%s"},
338 {Opt_defcontext, DEFCONTEXT_STR "%s"},
339 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
340 {Opt_labelsupport, LABELSUPP_STR},
341 {Opt_error, NULL},
342 };
343
344 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
345
346 static int may_context_mount_sb_relabel(u32 sid,
347 struct superblock_security_struct *sbsec,
348 const struct cred *cred)
349 {
350 const struct task_security_struct *tsec = cred->security;
351 int rc;
352
353 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
354 FILESYSTEM__RELABELFROM, NULL);
355 if (rc)
356 return rc;
357
358 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
359 FILESYSTEM__RELABELTO, NULL);
360 return rc;
361 }
362
363 static int may_context_mount_inode_relabel(u32 sid,
364 struct superblock_security_struct *sbsec,
365 const struct cred *cred)
366 {
367 const struct task_security_struct *tsec = cred->security;
368 int rc;
369 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
370 FILESYSTEM__RELABELFROM, NULL);
371 if (rc)
372 return rc;
373
374 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
375 FILESYSTEM__ASSOCIATE, NULL);
376 return rc;
377 }
378
379 static int selinux_is_sblabel_mnt(struct super_block *sb)
380 {
381 struct superblock_security_struct *sbsec = sb->s_security;
382
383 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
384 sbsec->behavior == SECURITY_FS_USE_TRANS ||
385 sbsec->behavior == SECURITY_FS_USE_TASK)
386 return 1;
387
388 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
389 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
390 return 1;
391
392 /*
393 * Special handling for rootfs. Is genfs but supports
394 * setting SELinux context on in-core inodes.
395 */
396 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
397 return 1;
398
399 return 0;
400 }
401
402 static int sb_finish_set_opts(struct super_block *sb)
403 {
404 struct superblock_security_struct *sbsec = sb->s_security;
405 struct dentry *root = sb->s_root;
406 struct inode *root_inode = root->d_inode;
407 int rc = 0;
408
409 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
410 /* Make sure that the xattr handler exists and that no
411 error other than -ENODATA is returned by getxattr on
412 the root directory. -ENODATA is ok, as this may be
413 the first boot of the SELinux kernel before we have
414 assigned xattr values to the filesystem. */
415 if (!root_inode->i_op->getxattr) {
416 printk(KERN_WARNING "SELinux: (dev %s, type "SB_TYPE_FMT") has no "
417 "xattr support\n", sb->s_id, SB_TYPE_ARGS(sb));
418 rc = -EOPNOTSUPP;
419 goto out;
420 }
421 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
422 if (rc < 0 && rc != -ENODATA) {
423 if (rc == -EOPNOTSUPP)
424 printk(KERN_WARNING "SELinux: (dev %s, type "
425 SB_TYPE_FMT") has no security xattr handler\n",
426 sb->s_id, SB_TYPE_ARGS(sb));
427 else
428 printk(KERN_WARNING "SELinux: (dev %s, type "
429 SB_TYPE_FMT") getxattr errno %d\n", sb->s_id,
430 SB_TYPE_ARGS(sb), -rc);
431 goto out;
432 }
433 }
434
435 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
436 printk(KERN_ERR "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), unknown behavior\n",
437 sb->s_id, SB_TYPE_ARGS(sb));
438 else
439 printk(KERN_DEBUG "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), %s\n",
440 sb->s_id, SB_TYPE_ARGS(sb),
441 labeling_behaviors[sbsec->behavior-1]);
442
443 sbsec->flags |= SE_SBINITIALIZED;
444 if (selinux_is_sblabel_mnt(sb))
445 sbsec->flags |= SBLABEL_MNT;
446
447 /* Initialize the root inode. */
448 rc = inode_doinit_with_dentry(root_inode, root);
449
450 /* Initialize any other inodes associated with the superblock, e.g.
451 inodes created prior to initial policy load or inodes created
452 during get_sb by a pseudo filesystem that directly
453 populates itself. */
454 spin_lock(&sbsec->isec_lock);
455 next_inode:
456 if (!list_empty(&sbsec->isec_head)) {
457 struct inode_security_struct *isec =
458 list_entry(sbsec->isec_head.next,
459 struct inode_security_struct, list);
460 struct inode *inode = isec->inode;
461 spin_unlock(&sbsec->isec_lock);
462 inode = igrab(inode);
463 if (inode) {
464 if (!IS_PRIVATE(inode))
465 inode_doinit(inode);
466 iput(inode);
467 }
468 spin_lock(&sbsec->isec_lock);
469 list_del_init(&isec->list);
470 goto next_inode;
471 }
472 spin_unlock(&sbsec->isec_lock);
473 out:
474 return rc;
475 }
476
477 /*
478 * This function should allow an FS to ask what it's mount security
479 * options were so it can use those later for submounts, displaying
480 * mount options, or whatever.
481 */
482 static int selinux_get_mnt_opts(const struct super_block *sb,
483 struct security_mnt_opts *opts)
484 {
485 int rc = 0, i;
486 struct superblock_security_struct *sbsec = sb->s_security;
487 char *context = NULL;
488 u32 len;
489 char tmp;
490
491 security_init_mnt_opts(opts);
492
493 if (!(sbsec->flags & SE_SBINITIALIZED))
494 return -EINVAL;
495
496 if (!ss_initialized)
497 return -EINVAL;
498
499 /* make sure we always check enough bits to cover the mask */
500 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
501
502 tmp = sbsec->flags & SE_MNTMASK;
503 /* count the number of mount options for this sb */
504 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
505 if (tmp & 0x01)
506 opts->num_mnt_opts++;
507 tmp >>= 1;
508 }
509 /* Check if the Label support flag is set */
510 if (sbsec->flags & SBLABEL_MNT)
511 opts->num_mnt_opts++;
512
513 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
514 if (!opts->mnt_opts) {
515 rc = -ENOMEM;
516 goto out_free;
517 }
518
519 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
520 if (!opts->mnt_opts_flags) {
521 rc = -ENOMEM;
522 goto out_free;
523 }
524
525 i = 0;
526 if (sbsec->flags & FSCONTEXT_MNT) {
527 rc = security_sid_to_context(sbsec->sid, &context, &len);
528 if (rc)
529 goto out_free;
530 opts->mnt_opts[i] = context;
531 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
532 }
533 if (sbsec->flags & CONTEXT_MNT) {
534 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
535 if (rc)
536 goto out_free;
537 opts->mnt_opts[i] = context;
538 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
539 }
540 if (sbsec->flags & DEFCONTEXT_MNT) {
541 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
542 if (rc)
543 goto out_free;
544 opts->mnt_opts[i] = context;
545 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
546 }
547 if (sbsec->flags & ROOTCONTEXT_MNT) {
548 struct inode *root = sbsec->sb->s_root->d_inode;
549 struct inode_security_struct *isec = root->i_security;
550
551 rc = security_sid_to_context(isec->sid, &context, &len);
552 if (rc)
553 goto out_free;
554 opts->mnt_opts[i] = context;
555 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
556 }
557 if (sbsec->flags & SBLABEL_MNT) {
558 opts->mnt_opts[i] = NULL;
559 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
560 }
561
562 BUG_ON(i != opts->num_mnt_opts);
563
564 return 0;
565
566 out_free:
567 security_free_mnt_opts(opts);
568 return rc;
569 }
570
571 static int bad_option(struct superblock_security_struct *sbsec, char flag,
572 u32 old_sid, u32 new_sid)
573 {
574 char mnt_flags = sbsec->flags & SE_MNTMASK;
575
576 /* check if the old mount command had the same options */
577 if (sbsec->flags & SE_SBINITIALIZED)
578 if (!(sbsec->flags & flag) ||
579 (old_sid != new_sid))
580 return 1;
581
582 /* check if we were passed the same options twice,
583 * aka someone passed context=a,context=b
584 */
585 if (!(sbsec->flags & SE_SBINITIALIZED))
586 if (mnt_flags & flag)
587 return 1;
588 return 0;
589 }
590
591 /*
592 * Allow filesystems with binary mount data to explicitly set mount point
593 * labeling information.
594 */
595 static int selinux_set_mnt_opts(struct super_block *sb,
596 struct security_mnt_opts *opts,
597 unsigned long kern_flags,
598 unsigned long *set_kern_flags)
599 {
600 const struct cred *cred = current_cred();
601 int rc = 0, i;
602 struct superblock_security_struct *sbsec = sb->s_security;
603 struct inode *inode = sbsec->sb->s_root->d_inode;
604 struct inode_security_struct *root_isec = inode->i_security;
605 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
606 u32 defcontext_sid = 0;
607 char **mount_options = opts->mnt_opts;
608 int *flags = opts->mnt_opts_flags;
609 int num_opts = opts->num_mnt_opts;
610
611 mutex_lock(&sbsec->lock);
612
613 if (!ss_initialized) {
614 if (!num_opts) {
615 /* Defer initialization until selinux_complete_init,
616 after the initial policy is loaded and the security
617 server is ready to handle calls. */
618 goto out;
619 }
620 rc = -EINVAL;
621 printk(KERN_WARNING "SELinux: Unable to set superblock options "
622 "before the security server is initialized\n");
623 goto out;
624 }
625 if (kern_flags && !set_kern_flags) {
626 /* Specifying internal flags without providing a place to
627 * place the results is not allowed */
628 rc = -EINVAL;
629 goto out;
630 }
631
632 /*
633 * Binary mount data FS will come through this function twice. Once
634 * from an explicit call and once from the generic calls from the vfs.
635 * Since the generic VFS calls will not contain any security mount data
636 * we need to skip the double mount verification.
637 *
638 * This does open a hole in which we will not notice if the first
639 * mount using this sb set explict options and a second mount using
640 * this sb does not set any security options. (The first options
641 * will be used for both mounts)
642 */
643 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
644 && (num_opts == 0))
645 goto out;
646
647 /*
648 * parse the mount options, check if they are valid sids.
649 * also check if someone is trying to mount the same sb more
650 * than once with different security options.
651 */
652 for (i = 0; i < num_opts; i++) {
653 u32 sid;
654
655 if (flags[i] == SBLABEL_MNT)
656 continue;
657 rc = security_context_to_sid(mount_options[i],
658 strlen(mount_options[i]), &sid);
659 if (rc) {
660 printk(KERN_WARNING "SELinux: security_context_to_sid"
661 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
662 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
663 goto out;
664 }
665 switch (flags[i]) {
666 case FSCONTEXT_MNT:
667 fscontext_sid = sid;
668
669 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
670 fscontext_sid))
671 goto out_double_mount;
672
673 sbsec->flags |= FSCONTEXT_MNT;
674 break;
675 case CONTEXT_MNT:
676 context_sid = sid;
677
678 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
679 context_sid))
680 goto out_double_mount;
681
682 sbsec->flags |= CONTEXT_MNT;
683 break;
684 case ROOTCONTEXT_MNT:
685 rootcontext_sid = sid;
686
687 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
688 rootcontext_sid))
689 goto out_double_mount;
690
691 sbsec->flags |= ROOTCONTEXT_MNT;
692
693 break;
694 case DEFCONTEXT_MNT:
695 defcontext_sid = sid;
696
697 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
698 defcontext_sid))
699 goto out_double_mount;
700
701 sbsec->flags |= DEFCONTEXT_MNT;
702
703 break;
704 default:
705 rc = -EINVAL;
706 goto out;
707 }
708 }
709
710 if (sbsec->flags & SE_SBINITIALIZED) {
711 /* previously mounted with options, but not on this attempt? */
712 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
713 goto out_double_mount;
714 rc = 0;
715 goto out;
716 }
717
718 if (strcmp(sb->s_type->name, "proc") == 0)
719 sbsec->flags |= SE_SBPROC;
720
721 if (!sbsec->behavior) {
722 /*
723 * Determine the labeling behavior to use for this
724 * filesystem type.
725 */
726 rc = security_fs_use(sb);
727 if (rc) {
728 printk(KERN_WARNING
729 "%s: security_fs_use(%s) returned %d\n",
730 __func__, sb->s_type->name, rc);
731 goto out;
732 }
733 }
734 /* sets the context of the superblock for the fs being mounted. */
735 if (fscontext_sid) {
736 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
737 if (rc)
738 goto out;
739
740 sbsec->sid = fscontext_sid;
741 }
742
743 /*
744 * Switch to using mount point labeling behavior.
745 * sets the label used on all file below the mountpoint, and will set
746 * the superblock context if not already set.
747 */
748 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
749 sbsec->behavior = SECURITY_FS_USE_NATIVE;
750 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
751 }
752
753 if (context_sid) {
754 if (!fscontext_sid) {
755 rc = may_context_mount_sb_relabel(context_sid, sbsec,
756 cred);
757 if (rc)
758 goto out;
759 sbsec->sid = context_sid;
760 } else {
761 rc = may_context_mount_inode_relabel(context_sid, sbsec,
762 cred);
763 if (rc)
764 goto out;
765 }
766 if (!rootcontext_sid)
767 rootcontext_sid = context_sid;
768
769 sbsec->mntpoint_sid = context_sid;
770 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
771 }
772
773 if (rootcontext_sid) {
774 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
775 cred);
776 if (rc)
777 goto out;
778
779 root_isec->sid = rootcontext_sid;
780 root_isec->initialized = 1;
781 }
782
783 if (defcontext_sid) {
784 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
785 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
786 rc = -EINVAL;
787 printk(KERN_WARNING "SELinux: defcontext option is "
788 "invalid for this filesystem type\n");
789 goto out;
790 }
791
792 if (defcontext_sid != sbsec->def_sid) {
793 rc = may_context_mount_inode_relabel(defcontext_sid,
794 sbsec, cred);
795 if (rc)
796 goto out;
797 }
798
799 sbsec->def_sid = defcontext_sid;
800 }
801
802 rc = sb_finish_set_opts(sb);
803 out:
804 mutex_unlock(&sbsec->lock);
805 return rc;
806 out_double_mount:
807 rc = -EINVAL;
808 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
809 "security settings for (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
810 SB_TYPE_ARGS(sb));
811 goto out;
812 }
813
814 static int selinux_cmp_sb_context(const struct super_block *oldsb,
815 const struct super_block *newsb)
816 {
817 struct superblock_security_struct *old = oldsb->s_security;
818 struct superblock_security_struct *new = newsb->s_security;
819 char oldflags = old->flags & SE_MNTMASK;
820 char newflags = new->flags & SE_MNTMASK;
821
822 if (oldflags != newflags)
823 goto mismatch;
824 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
825 goto mismatch;
826 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
827 goto mismatch;
828 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
829 goto mismatch;
830 if (oldflags & ROOTCONTEXT_MNT) {
831 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
832 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
833 if (oldroot->sid != newroot->sid)
834 goto mismatch;
835 }
836 return 0;
837 mismatch:
838 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
839 "different security settings for (dev %s, "
840 "type %s)\n", newsb->s_id, newsb->s_type->name);
841 return -EBUSY;
842 }
843
844 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
845 struct super_block *newsb)
846 {
847 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
848 struct superblock_security_struct *newsbsec = newsb->s_security;
849
850 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
851 int set_context = (oldsbsec->flags & CONTEXT_MNT);
852 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
853
854 /*
855 * if the parent was able to be mounted it clearly had no special lsm
856 * mount options. thus we can safely deal with this superblock later
857 */
858 if (!ss_initialized)
859 return 0;
860
861 /* how can we clone if the old one wasn't set up?? */
862 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
863
864 /* if fs is reusing a sb, make sure that the contexts match */
865 if (newsbsec->flags & SE_SBINITIALIZED)
866 return selinux_cmp_sb_context(oldsb, newsb);
867
868 mutex_lock(&newsbsec->lock);
869
870 newsbsec->flags = oldsbsec->flags;
871
872 newsbsec->sid = oldsbsec->sid;
873 newsbsec->def_sid = oldsbsec->def_sid;
874 newsbsec->behavior = oldsbsec->behavior;
875
876 if (set_context) {
877 u32 sid = oldsbsec->mntpoint_sid;
878
879 if (!set_fscontext)
880 newsbsec->sid = sid;
881 if (!set_rootcontext) {
882 struct inode *newinode = newsb->s_root->d_inode;
883 struct inode_security_struct *newisec = newinode->i_security;
884 newisec->sid = sid;
885 }
886 newsbsec->mntpoint_sid = sid;
887 }
888 if (set_rootcontext) {
889 const struct inode *oldinode = oldsb->s_root->d_inode;
890 const struct inode_security_struct *oldisec = oldinode->i_security;
891 struct inode *newinode = newsb->s_root->d_inode;
892 struct inode_security_struct *newisec = newinode->i_security;
893
894 newisec->sid = oldisec->sid;
895 }
896
897 sb_finish_set_opts(newsb);
898 mutex_unlock(&newsbsec->lock);
899 return 0;
900 }
901
902 static int selinux_parse_opts_str(char *options,
903 struct security_mnt_opts *opts)
904 {
905 char *p;
906 char *context = NULL, *defcontext = NULL;
907 char *fscontext = NULL, *rootcontext = NULL;
908 int rc, num_mnt_opts = 0;
909
910 opts->num_mnt_opts = 0;
911
912 /* Standard string-based options. */
913 while ((p = strsep(&options, "|")) != NULL) {
914 int token;
915 substring_t args[MAX_OPT_ARGS];
916
917 if (!*p)
918 continue;
919
920 token = match_token(p, tokens, args);
921
922 switch (token) {
923 case Opt_context:
924 if (context || defcontext) {
925 rc = -EINVAL;
926 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
927 goto out_err;
928 }
929 context = match_strdup(&args[0]);
930 if (!context) {
931 rc = -ENOMEM;
932 goto out_err;
933 }
934 break;
935
936 case Opt_fscontext:
937 if (fscontext) {
938 rc = -EINVAL;
939 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
940 goto out_err;
941 }
942 fscontext = match_strdup(&args[0]);
943 if (!fscontext) {
944 rc = -ENOMEM;
945 goto out_err;
946 }
947 break;
948
949 case Opt_rootcontext:
950 if (rootcontext) {
951 rc = -EINVAL;
952 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
953 goto out_err;
954 }
955 rootcontext = match_strdup(&args[0]);
956 if (!rootcontext) {
957 rc = -ENOMEM;
958 goto out_err;
959 }
960 break;
961
962 case Opt_defcontext:
963 if (context || defcontext) {
964 rc = -EINVAL;
965 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
966 goto out_err;
967 }
968 defcontext = match_strdup(&args[0]);
969 if (!defcontext) {
970 rc = -ENOMEM;
971 goto out_err;
972 }
973 break;
974 case Opt_labelsupport:
975 break;
976 default:
977 rc = -EINVAL;
978 printk(KERN_WARNING "SELinux: unknown mount option\n");
979 goto out_err;
980
981 }
982 }
983
984 rc = -ENOMEM;
985 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
986 if (!opts->mnt_opts)
987 goto out_err;
988
989 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
990 if (!opts->mnt_opts_flags) {
991 kfree(opts->mnt_opts);
992 goto out_err;
993 }
994
995 if (fscontext) {
996 opts->mnt_opts[num_mnt_opts] = fscontext;
997 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
998 }
999 if (context) {
1000 opts->mnt_opts[num_mnt_opts] = context;
1001 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1002 }
1003 if (rootcontext) {
1004 opts->mnt_opts[num_mnt_opts] = rootcontext;
1005 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1006 }
1007 if (defcontext) {
1008 opts->mnt_opts[num_mnt_opts] = defcontext;
1009 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1010 }
1011
1012 opts->num_mnt_opts = num_mnt_opts;
1013 return 0;
1014
1015 out_err:
1016 kfree(context);
1017 kfree(defcontext);
1018 kfree(fscontext);
1019 kfree(rootcontext);
1020 return rc;
1021 }
1022 /*
1023 * string mount options parsing and call set the sbsec
1024 */
1025 static int superblock_doinit(struct super_block *sb, void *data)
1026 {
1027 int rc = 0;
1028 char *options = data;
1029 struct security_mnt_opts opts;
1030
1031 security_init_mnt_opts(&opts);
1032
1033 if (!data)
1034 goto out;
1035
1036 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1037
1038 rc = selinux_parse_opts_str(options, &opts);
1039 if (rc)
1040 goto out_err;
1041
1042 out:
1043 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1044
1045 out_err:
1046 security_free_mnt_opts(&opts);
1047 return rc;
1048 }
1049
1050 static void selinux_write_opts(struct seq_file *m,
1051 struct security_mnt_opts *opts)
1052 {
1053 int i;
1054 char *prefix;
1055
1056 for (i = 0; i < opts->num_mnt_opts; i++) {
1057 char *has_comma;
1058
1059 if (opts->mnt_opts[i])
1060 has_comma = strchr(opts->mnt_opts[i], ',');
1061 else
1062 has_comma = NULL;
1063
1064 switch (opts->mnt_opts_flags[i]) {
1065 case CONTEXT_MNT:
1066 prefix = CONTEXT_STR;
1067 break;
1068 case FSCONTEXT_MNT:
1069 prefix = FSCONTEXT_STR;
1070 break;
1071 case ROOTCONTEXT_MNT:
1072 prefix = ROOTCONTEXT_STR;
1073 break;
1074 case DEFCONTEXT_MNT:
1075 prefix = DEFCONTEXT_STR;
1076 break;
1077 case SBLABEL_MNT:
1078 seq_putc(m, ',');
1079 seq_puts(m, LABELSUPP_STR);
1080 continue;
1081 default:
1082 BUG();
1083 return;
1084 };
1085 /* we need a comma before each option */
1086 seq_putc(m, ',');
1087 seq_puts(m, prefix);
1088 if (has_comma)
1089 seq_putc(m, '\"');
1090 seq_puts(m, opts->mnt_opts[i]);
1091 if (has_comma)
1092 seq_putc(m, '\"');
1093 }
1094 }
1095
1096 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1097 {
1098 struct security_mnt_opts opts;
1099 int rc;
1100
1101 rc = selinux_get_mnt_opts(sb, &opts);
1102 if (rc) {
1103 /* before policy load we may get EINVAL, don't show anything */
1104 if (rc == -EINVAL)
1105 rc = 0;
1106 return rc;
1107 }
1108
1109 selinux_write_opts(m, &opts);
1110
1111 security_free_mnt_opts(&opts);
1112
1113 return rc;
1114 }
1115
1116 static inline u16 inode_mode_to_security_class(umode_t mode)
1117 {
1118 switch (mode & S_IFMT) {
1119 case S_IFSOCK:
1120 return SECCLASS_SOCK_FILE;
1121 case S_IFLNK:
1122 return SECCLASS_LNK_FILE;
1123 case S_IFREG:
1124 return SECCLASS_FILE;
1125 case S_IFBLK:
1126 return SECCLASS_BLK_FILE;
1127 case S_IFDIR:
1128 return SECCLASS_DIR;
1129 case S_IFCHR:
1130 return SECCLASS_CHR_FILE;
1131 case S_IFIFO:
1132 return SECCLASS_FIFO_FILE;
1133
1134 }
1135
1136 return SECCLASS_FILE;
1137 }
1138
1139 static inline int default_protocol_stream(int protocol)
1140 {
1141 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1142 }
1143
1144 static inline int default_protocol_dgram(int protocol)
1145 {
1146 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1147 }
1148
1149 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1150 {
1151 switch (family) {
1152 case PF_UNIX:
1153 switch (type) {
1154 case SOCK_STREAM:
1155 case SOCK_SEQPACKET:
1156 return SECCLASS_UNIX_STREAM_SOCKET;
1157 case SOCK_DGRAM:
1158 return SECCLASS_UNIX_DGRAM_SOCKET;
1159 }
1160 break;
1161 case PF_INET:
1162 case PF_INET6:
1163 switch (type) {
1164 case SOCK_STREAM:
1165 if (default_protocol_stream(protocol))
1166 return SECCLASS_TCP_SOCKET;
1167 else
1168 return SECCLASS_RAWIP_SOCKET;
1169 case SOCK_DGRAM:
1170 if (default_protocol_dgram(protocol))
1171 return SECCLASS_UDP_SOCKET;
1172 else
1173 return SECCLASS_RAWIP_SOCKET;
1174 case SOCK_DCCP:
1175 return SECCLASS_DCCP_SOCKET;
1176 default:
1177 return SECCLASS_RAWIP_SOCKET;
1178 }
1179 break;
1180 case PF_NETLINK:
1181 switch (protocol) {
1182 case NETLINK_ROUTE:
1183 return SECCLASS_NETLINK_ROUTE_SOCKET;
1184 case NETLINK_FIREWALL:
1185 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1186 case NETLINK_SOCK_DIAG:
1187 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1188 case NETLINK_NFLOG:
1189 return SECCLASS_NETLINK_NFLOG_SOCKET;
1190 case NETLINK_XFRM:
1191 return SECCLASS_NETLINK_XFRM_SOCKET;
1192 case NETLINK_SELINUX:
1193 return SECCLASS_NETLINK_SELINUX_SOCKET;
1194 case NETLINK_AUDIT:
1195 return SECCLASS_NETLINK_AUDIT_SOCKET;
1196 case NETLINK_IP6_FW:
1197 return SECCLASS_NETLINK_IP6FW_SOCKET;
1198 case NETLINK_DNRTMSG:
1199 return SECCLASS_NETLINK_DNRT_SOCKET;
1200 case NETLINK_KOBJECT_UEVENT:
1201 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1202 default:
1203 return SECCLASS_NETLINK_SOCKET;
1204 }
1205 case PF_PACKET:
1206 return SECCLASS_PACKET_SOCKET;
1207 case PF_KEY:
1208 return SECCLASS_KEY_SOCKET;
1209 case PF_APPLETALK:
1210 return SECCLASS_APPLETALK_SOCKET;
1211 }
1212
1213 return SECCLASS_SOCKET;
1214 }
1215
1216 #ifdef CONFIG_PROC_FS
1217 static int selinux_proc_get_sid(struct dentry *dentry,
1218 u16 tclass,
1219 u32 *sid)
1220 {
1221 int rc;
1222 char *buffer, *path;
1223
1224 buffer = (char *)__get_free_page(GFP_KERNEL);
1225 if (!buffer)
1226 return -ENOMEM;
1227
1228 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1229 if (IS_ERR(path))
1230 rc = PTR_ERR(path);
1231 else {
1232 /* each process gets a /proc/PID/ entry. Strip off the
1233 * PID part to get a valid selinux labeling.
1234 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1235 while (path[1] >= '0' && path[1] <= '9') {
1236 path[1] = '/';
1237 path++;
1238 }
1239 rc = security_genfs_sid("proc", path, tclass, sid);
1240 }
1241 free_page((unsigned long)buffer);
1242 return rc;
1243 }
1244 #else
1245 static int selinux_proc_get_sid(struct dentry *dentry,
1246 u16 tclass,
1247 u32 *sid)
1248 {
1249 return -EINVAL;
1250 }
1251 #endif
1252
1253 /* The inode's security attributes must be initialized before first use. */
1254 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1255 {
1256 struct superblock_security_struct *sbsec = NULL;
1257 struct inode_security_struct *isec = inode->i_security;
1258 u32 sid;
1259 struct dentry *dentry;
1260 #define INITCONTEXTLEN 255
1261 char *context = NULL;
1262 unsigned len = 0;
1263 int rc = 0;
1264
1265 if (isec->initialized)
1266 goto out;
1267
1268 mutex_lock(&isec->lock);
1269 if (isec->initialized)
1270 goto out_unlock;
1271
1272 sbsec = inode->i_sb->s_security;
1273 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1274 /* Defer initialization until selinux_complete_init,
1275 after the initial policy is loaded and the security
1276 server is ready to handle calls. */
1277 spin_lock(&sbsec->isec_lock);
1278 if (list_empty(&isec->list))
1279 list_add(&isec->list, &sbsec->isec_head);
1280 spin_unlock(&sbsec->isec_lock);
1281 goto out_unlock;
1282 }
1283
1284 switch (sbsec->behavior) {
1285 case SECURITY_FS_USE_NATIVE:
1286 break;
1287 case SECURITY_FS_USE_XATTR:
1288 if (!inode->i_op->getxattr) {
1289 isec->sid = sbsec->def_sid;
1290 break;
1291 }
1292
1293 /* Need a dentry, since the xattr API requires one.
1294 Life would be simpler if we could just pass the inode. */
1295 if (opt_dentry) {
1296 /* Called from d_instantiate or d_splice_alias. */
1297 dentry = dget(opt_dentry);
1298 } else {
1299 /* Called from selinux_complete_init, try to find a dentry. */
1300 dentry = d_find_alias(inode);
1301 }
1302 if (!dentry) {
1303 /*
1304 * this is can be hit on boot when a file is accessed
1305 * before the policy is loaded. When we load policy we
1306 * may find inodes that have no dentry on the
1307 * sbsec->isec_head list. No reason to complain as these
1308 * will get fixed up the next time we go through
1309 * inode_doinit with a dentry, before these inodes could
1310 * be used again by userspace.
1311 */
1312 goto out_unlock;
1313 }
1314
1315 len = INITCONTEXTLEN;
1316 context = kmalloc(len+1, GFP_NOFS);
1317 if (!context) {
1318 rc = -ENOMEM;
1319 dput(dentry);
1320 goto out_unlock;
1321 }
1322 context[len] = '\0';
1323 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1324 context, len);
1325 if (rc == -ERANGE) {
1326 kfree(context);
1327
1328 /* Need a larger buffer. Query for the right size. */
1329 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1330 NULL, 0);
1331 if (rc < 0) {
1332 dput(dentry);
1333 goto out_unlock;
1334 }
1335 len = rc;
1336 context = kmalloc(len+1, GFP_NOFS);
1337 if (!context) {
1338 rc = -ENOMEM;
1339 dput(dentry);
1340 goto out_unlock;
1341 }
1342 context[len] = '\0';
1343 rc = inode->i_op->getxattr(dentry,
1344 XATTR_NAME_SELINUX,
1345 context, len);
1346 }
1347 dput(dentry);
1348 if (rc < 0) {
1349 if (rc != -ENODATA) {
1350 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1351 "%d for dev=%s ino=%ld\n", __func__,
1352 -rc, inode->i_sb->s_id, inode->i_ino);
1353 kfree(context);
1354 goto out_unlock;
1355 }
1356 /* Map ENODATA to the default file SID */
1357 sid = sbsec->def_sid;
1358 rc = 0;
1359 } else {
1360 rc = security_context_to_sid_default(context, rc, &sid,
1361 sbsec->def_sid,
1362 GFP_NOFS);
1363 if (rc) {
1364 char *dev = inode->i_sb->s_id;
1365 unsigned long ino = inode->i_ino;
1366
1367 if (rc == -EINVAL) {
1368 if (printk_ratelimit())
1369 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1370 "context=%s. This indicates you may need to relabel the inode or the "
1371 "filesystem in question.\n", ino, dev, context);
1372 } else {
1373 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1374 "returned %d for dev=%s ino=%ld\n",
1375 __func__, context, -rc, dev, ino);
1376 }
1377 kfree(context);
1378 /* Leave with the unlabeled SID */
1379 rc = 0;
1380 break;
1381 }
1382 }
1383 kfree(context);
1384 isec->sid = sid;
1385 break;
1386 case SECURITY_FS_USE_TASK:
1387 isec->sid = isec->task_sid;
1388 break;
1389 case SECURITY_FS_USE_TRANS:
1390 /* Default to the fs SID. */
1391 isec->sid = sbsec->sid;
1392
1393 /* Try to obtain a transition SID. */
1394 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1395 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1396 isec->sclass, NULL, &sid);
1397 if (rc)
1398 goto out_unlock;
1399 isec->sid = sid;
1400 break;
1401 case SECURITY_FS_USE_MNTPOINT:
1402 isec->sid = sbsec->mntpoint_sid;
1403 break;
1404 default:
1405 /* Default to the fs superblock SID. */
1406 isec->sid = sbsec->sid;
1407
1408 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1409 if (opt_dentry) {
1410 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1411 rc = selinux_proc_get_sid(opt_dentry,
1412 isec->sclass,
1413 &sid);
1414 if (rc)
1415 goto out_unlock;
1416 isec->sid = sid;
1417 }
1418 }
1419 break;
1420 }
1421
1422 isec->initialized = 1;
1423
1424 out_unlock:
1425 mutex_unlock(&isec->lock);
1426 out:
1427 if (isec->sclass == SECCLASS_FILE)
1428 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1429 return rc;
1430 }
1431
1432 /* Convert a Linux signal to an access vector. */
1433 static inline u32 signal_to_av(int sig)
1434 {
1435 u32 perm = 0;
1436
1437 switch (sig) {
1438 case SIGCHLD:
1439 /* Commonly granted from child to parent. */
1440 perm = PROCESS__SIGCHLD;
1441 break;
1442 case SIGKILL:
1443 /* Cannot be caught or ignored */
1444 perm = PROCESS__SIGKILL;
1445 break;
1446 case SIGSTOP:
1447 /* Cannot be caught or ignored */
1448 perm = PROCESS__SIGSTOP;
1449 break;
1450 default:
1451 /* All other signals. */
1452 perm = PROCESS__SIGNAL;
1453 break;
1454 }
1455
1456 return perm;
1457 }
1458
1459 /*
1460 * Check permission between a pair of credentials
1461 * fork check, ptrace check, etc.
1462 */
1463 static int cred_has_perm(const struct cred *actor,
1464 const struct cred *target,
1465 u32 perms)
1466 {
1467 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1468
1469 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1470 }
1471
1472 /*
1473 * Check permission between a pair of tasks, e.g. signal checks,
1474 * fork check, ptrace check, etc.
1475 * tsk1 is the actor and tsk2 is the target
1476 * - this uses the default subjective creds of tsk1
1477 */
1478 static int task_has_perm(const struct task_struct *tsk1,
1479 const struct task_struct *tsk2,
1480 u32 perms)
1481 {
1482 const struct task_security_struct *__tsec1, *__tsec2;
1483 u32 sid1, sid2;
1484
1485 rcu_read_lock();
1486 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1487 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1488 rcu_read_unlock();
1489 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1490 }
1491
1492 /*
1493 * Check permission between current and another task, e.g. signal checks,
1494 * fork check, ptrace check, etc.
1495 * current is the actor and tsk2 is the target
1496 * - this uses current's subjective creds
1497 */
1498 static int current_has_perm(const struct task_struct *tsk,
1499 u32 perms)
1500 {
1501 u32 sid, tsid;
1502
1503 sid = current_sid();
1504 tsid = task_sid(tsk);
1505 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1506 }
1507
1508 #if CAP_LAST_CAP > 63
1509 #error Fix SELinux to handle capabilities > 63.
1510 #endif
1511
1512 /* Check whether a task is allowed to use a capability. */
1513 static int cred_has_capability(const struct cred *cred,
1514 int cap, int audit)
1515 {
1516 struct common_audit_data ad;
1517 struct av_decision avd;
1518 u16 sclass;
1519 u32 sid = cred_sid(cred);
1520 u32 av = CAP_TO_MASK(cap);
1521 int rc;
1522
1523 ad.type = LSM_AUDIT_DATA_CAP;
1524 ad.u.cap = cap;
1525
1526 switch (CAP_TO_INDEX(cap)) {
1527 case 0:
1528 sclass = SECCLASS_CAPABILITY;
1529 break;
1530 case 1:
1531 sclass = SECCLASS_CAPABILITY2;
1532 break;
1533 default:
1534 printk(KERN_ERR
1535 "SELinux: out of range capability %d\n", cap);
1536 BUG();
1537 return -EINVAL;
1538 }
1539
1540 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1541 if (audit == SECURITY_CAP_AUDIT) {
1542 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1543 if (rc2)
1544 return rc2;
1545 }
1546 return rc;
1547 }
1548
1549 /* Check whether a task is allowed to use a system operation. */
1550 static int task_has_system(struct task_struct *tsk,
1551 u32 perms)
1552 {
1553 u32 sid = task_sid(tsk);
1554
1555 return avc_has_perm(sid, SECINITSID_KERNEL,
1556 SECCLASS_SYSTEM, perms, NULL);
1557 }
1558
1559 /* Check whether a task has a particular permission to an inode.
1560 The 'adp' parameter is optional and allows other audit
1561 data to be passed (e.g. the dentry). */
1562 static int inode_has_perm(const struct cred *cred,
1563 struct inode *inode,
1564 u32 perms,
1565 struct common_audit_data *adp,
1566 unsigned flags)
1567 {
1568 struct inode_security_struct *isec;
1569 u32 sid;
1570
1571 validate_creds(cred);
1572
1573 if (unlikely(IS_PRIVATE(inode)))
1574 return 0;
1575
1576 sid = cred_sid(cred);
1577 isec = inode->i_security;
1578
1579 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1580 }
1581
1582 /* Same as inode_has_perm, but pass explicit audit data containing
1583 the dentry to help the auditing code to more easily generate the
1584 pathname if needed. */
1585 static inline int dentry_has_perm(const struct cred *cred,
1586 struct dentry *dentry,
1587 u32 av)
1588 {
1589 struct inode *inode = dentry->d_inode;
1590 struct common_audit_data ad;
1591
1592 ad.type = LSM_AUDIT_DATA_DENTRY;
1593 ad.u.dentry = dentry;
1594 return inode_has_perm(cred, inode, av, &ad, 0);
1595 }
1596
1597 /* Same as inode_has_perm, but pass explicit audit data containing
1598 the path to help the auditing code to more easily generate the
1599 pathname if needed. */
1600 static inline int path_has_perm(const struct cred *cred,
1601 struct path *path,
1602 u32 av)
1603 {
1604 struct inode *inode = path->dentry->d_inode;
1605 struct common_audit_data ad;
1606
1607 ad.type = LSM_AUDIT_DATA_PATH;
1608 ad.u.path = *path;
1609 return inode_has_perm(cred, inode, av, &ad, 0);
1610 }
1611
1612 /* Same as path_has_perm, but uses the inode from the file struct. */
1613 static inline int file_path_has_perm(const struct cred *cred,
1614 struct file *file,
1615 u32 av)
1616 {
1617 struct common_audit_data ad;
1618
1619 ad.type = LSM_AUDIT_DATA_PATH;
1620 ad.u.path = file->f_path;
1621 return inode_has_perm(cred, file_inode(file), av, &ad, 0);
1622 }
1623
1624 /* Check whether a task can use an open file descriptor to
1625 access an inode in a given way. Check access to the
1626 descriptor itself, and then use dentry_has_perm to
1627 check a particular permission to the file.
1628 Access to the descriptor is implicitly granted if it
1629 has the same SID as the process. If av is zero, then
1630 access to the file is not checked, e.g. for cases
1631 where only the descriptor is affected like seek. */
1632 static int file_has_perm(const struct cred *cred,
1633 struct file *file,
1634 u32 av)
1635 {
1636 struct file_security_struct *fsec = file->f_security;
1637 struct inode *inode = file_inode(file);
1638 struct common_audit_data ad;
1639 u32 sid = cred_sid(cred);
1640 int rc;
1641
1642 ad.type = LSM_AUDIT_DATA_PATH;
1643 ad.u.path = file->f_path;
1644
1645 if (sid != fsec->sid) {
1646 rc = avc_has_perm(sid, fsec->sid,
1647 SECCLASS_FD,
1648 FD__USE,
1649 &ad);
1650 if (rc)
1651 goto out;
1652 }
1653
1654 /* av is zero if only checking access to the descriptor. */
1655 rc = 0;
1656 if (av)
1657 rc = inode_has_perm(cred, inode, av, &ad, 0);
1658
1659 out:
1660 return rc;
1661 }
1662
1663 /* Check whether a task can create a file. */
1664 static int may_create(struct inode *dir,
1665 struct dentry *dentry,
1666 u16 tclass)
1667 {
1668 const struct task_security_struct *tsec = current_security();
1669 struct inode_security_struct *dsec;
1670 struct superblock_security_struct *sbsec;
1671 u32 sid, newsid;
1672 struct common_audit_data ad;
1673 int rc;
1674
1675 dsec = dir->i_security;
1676 sbsec = dir->i_sb->s_security;
1677
1678 sid = tsec->sid;
1679 newsid = tsec->create_sid;
1680
1681 ad.type = LSM_AUDIT_DATA_DENTRY;
1682 ad.u.dentry = dentry;
1683
1684 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1685 DIR__ADD_NAME | DIR__SEARCH,
1686 &ad);
1687 if (rc)
1688 return rc;
1689
1690 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1691 rc = security_transition_sid(sid, dsec->sid, tclass,
1692 &dentry->d_name, &newsid);
1693 if (rc)
1694 return rc;
1695 }
1696
1697 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1698 if (rc)
1699 return rc;
1700
1701 return avc_has_perm(newsid, sbsec->sid,
1702 SECCLASS_FILESYSTEM,
1703 FILESYSTEM__ASSOCIATE, &ad);
1704 }
1705
1706 /* Check whether a task can create a key. */
1707 static int may_create_key(u32 ksid,
1708 struct task_struct *ctx)
1709 {
1710 u32 sid = task_sid(ctx);
1711
1712 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1713 }
1714
1715 #define MAY_LINK 0
1716 #define MAY_UNLINK 1
1717 #define MAY_RMDIR 2
1718
1719 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1720 static int may_link(struct inode *dir,
1721 struct dentry *dentry,
1722 int kind)
1723
1724 {
1725 struct inode_security_struct *dsec, *isec;
1726 struct common_audit_data ad;
1727 u32 sid = current_sid();
1728 u32 av;
1729 int rc;
1730
1731 dsec = dir->i_security;
1732 isec = dentry->d_inode->i_security;
1733
1734 ad.type = LSM_AUDIT_DATA_DENTRY;
1735 ad.u.dentry = dentry;
1736
1737 av = DIR__SEARCH;
1738 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1739 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1740 if (rc)
1741 return rc;
1742
1743 switch (kind) {
1744 case MAY_LINK:
1745 av = FILE__LINK;
1746 break;
1747 case MAY_UNLINK:
1748 av = FILE__UNLINK;
1749 break;
1750 case MAY_RMDIR:
1751 av = DIR__RMDIR;
1752 break;
1753 default:
1754 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1755 __func__, kind);
1756 return 0;
1757 }
1758
1759 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1760 return rc;
1761 }
1762
1763 static inline int may_rename(struct inode *old_dir,
1764 struct dentry *old_dentry,
1765 struct inode *new_dir,
1766 struct dentry *new_dentry)
1767 {
1768 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1769 struct common_audit_data ad;
1770 u32 sid = current_sid();
1771 u32 av;
1772 int old_is_dir, new_is_dir;
1773 int rc;
1774
1775 old_dsec = old_dir->i_security;
1776 old_isec = old_dentry->d_inode->i_security;
1777 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1778 new_dsec = new_dir->i_security;
1779
1780 ad.type = LSM_AUDIT_DATA_DENTRY;
1781
1782 ad.u.dentry = old_dentry;
1783 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1784 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1785 if (rc)
1786 return rc;
1787 rc = avc_has_perm(sid, old_isec->sid,
1788 old_isec->sclass, FILE__RENAME, &ad);
1789 if (rc)
1790 return rc;
1791 if (old_is_dir && new_dir != old_dir) {
1792 rc = avc_has_perm(sid, old_isec->sid,
1793 old_isec->sclass, DIR__REPARENT, &ad);
1794 if (rc)
1795 return rc;
1796 }
1797
1798 ad.u.dentry = new_dentry;
1799 av = DIR__ADD_NAME | DIR__SEARCH;
1800 if (new_dentry->d_inode)
1801 av |= DIR__REMOVE_NAME;
1802 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1803 if (rc)
1804 return rc;
1805 if (new_dentry->d_inode) {
1806 new_isec = new_dentry->d_inode->i_security;
1807 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1808 rc = avc_has_perm(sid, new_isec->sid,
1809 new_isec->sclass,
1810 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1811 if (rc)
1812 return rc;
1813 }
1814
1815 return 0;
1816 }
1817
1818 /* Check whether a task can perform a filesystem operation. */
1819 static int superblock_has_perm(const struct cred *cred,
1820 struct super_block *sb,
1821 u32 perms,
1822 struct common_audit_data *ad)
1823 {
1824 struct superblock_security_struct *sbsec;
1825 u32 sid = cred_sid(cred);
1826
1827 sbsec = sb->s_security;
1828 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1829 }
1830
1831 /* Convert a Linux mode and permission mask to an access vector. */
1832 static inline u32 file_mask_to_av(int mode, int mask)
1833 {
1834 u32 av = 0;
1835
1836 if (!S_ISDIR(mode)) {
1837 if (mask & MAY_EXEC)
1838 av |= FILE__EXECUTE;
1839 if (mask & MAY_READ)
1840 av |= FILE__READ;
1841
1842 if (mask & MAY_APPEND)
1843 av |= FILE__APPEND;
1844 else if (mask & MAY_WRITE)
1845 av |= FILE__WRITE;
1846
1847 } else {
1848 if (mask & MAY_EXEC)
1849 av |= DIR__SEARCH;
1850 if (mask & MAY_WRITE)
1851 av |= DIR__WRITE;
1852 if (mask & MAY_READ)
1853 av |= DIR__READ;
1854 }
1855
1856 return av;
1857 }
1858
1859 /* Convert a Linux file to an access vector. */
1860 static inline u32 file_to_av(struct file *file)
1861 {
1862 u32 av = 0;
1863
1864 if (file->f_mode & FMODE_READ)
1865 av |= FILE__READ;
1866 if (file->f_mode & FMODE_WRITE) {
1867 if (file->f_flags & O_APPEND)
1868 av |= FILE__APPEND;
1869 else
1870 av |= FILE__WRITE;
1871 }
1872 if (!av) {
1873 /*
1874 * Special file opened with flags 3 for ioctl-only use.
1875 */
1876 av = FILE__IOCTL;
1877 }
1878
1879 return av;
1880 }
1881
1882 /*
1883 * Convert a file to an access vector and include the correct open
1884 * open permission.
1885 */
1886 static inline u32 open_file_to_av(struct file *file)
1887 {
1888 u32 av = file_to_av(file);
1889
1890 if (selinux_policycap_openperm)
1891 av |= FILE__OPEN;
1892
1893 return av;
1894 }
1895
1896 /* Hook functions begin here. */
1897
1898 static int selinux_ptrace_access_check(struct task_struct *child,
1899 unsigned int mode)
1900 {
1901 int rc;
1902
1903 rc = cap_ptrace_access_check(child, mode);
1904 if (rc)
1905 return rc;
1906
1907 if (mode & PTRACE_MODE_READ) {
1908 u32 sid = current_sid();
1909 u32 csid = task_sid(child);
1910 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1911 }
1912
1913 return current_has_perm(child, PROCESS__PTRACE);
1914 }
1915
1916 static int selinux_ptrace_traceme(struct task_struct *parent)
1917 {
1918 int rc;
1919
1920 rc = cap_ptrace_traceme(parent);
1921 if (rc)
1922 return rc;
1923
1924 return task_has_perm(parent, current, PROCESS__PTRACE);
1925 }
1926
1927 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1928 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1929 {
1930 int error;
1931
1932 error = current_has_perm(target, PROCESS__GETCAP);
1933 if (error)
1934 return error;
1935
1936 return cap_capget(target, effective, inheritable, permitted);
1937 }
1938
1939 static int selinux_capset(struct cred *new, const struct cred *old,
1940 const kernel_cap_t *effective,
1941 const kernel_cap_t *inheritable,
1942 const kernel_cap_t *permitted)
1943 {
1944 int error;
1945
1946 error = cap_capset(new, old,
1947 effective, inheritable, permitted);
1948 if (error)
1949 return error;
1950
1951 return cred_has_perm(old, new, PROCESS__SETCAP);
1952 }
1953
1954 /*
1955 * (This comment used to live with the selinux_task_setuid hook,
1956 * which was removed).
1957 *
1958 * Since setuid only affects the current process, and since the SELinux
1959 * controls are not based on the Linux identity attributes, SELinux does not
1960 * need to control this operation. However, SELinux does control the use of
1961 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1962 */
1963
1964 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1965 int cap, int audit)
1966 {
1967 int rc;
1968
1969 rc = cap_capable(cred, ns, cap, audit);
1970 if (rc)
1971 return rc;
1972
1973 return cred_has_capability(cred, cap, audit);
1974 }
1975
1976 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1977 {
1978 const struct cred *cred = current_cred();
1979 int rc = 0;
1980
1981 if (!sb)
1982 return 0;
1983
1984 switch (cmds) {
1985 case Q_SYNC:
1986 case Q_QUOTAON:
1987 case Q_QUOTAOFF:
1988 case Q_SETINFO:
1989 case Q_SETQUOTA:
1990 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1991 break;
1992 case Q_GETFMT:
1993 case Q_GETINFO:
1994 case Q_GETQUOTA:
1995 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1996 break;
1997 default:
1998 rc = 0; /* let the kernel handle invalid cmds */
1999 break;
2000 }
2001 return rc;
2002 }
2003
2004 static int selinux_quota_on(struct dentry *dentry)
2005 {
2006 const struct cred *cred = current_cred();
2007
2008 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2009 }
2010
2011 static int selinux_syslog(int type)
2012 {
2013 int rc;
2014
2015 switch (type) {
2016 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2017 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2018 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2019 break;
2020 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2021 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2022 /* Set level of messages printed to console */
2023 case SYSLOG_ACTION_CONSOLE_LEVEL:
2024 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2025 break;
2026 case SYSLOG_ACTION_CLOSE: /* Close log */
2027 case SYSLOG_ACTION_OPEN: /* Open log */
2028 case SYSLOG_ACTION_READ: /* Read from log */
2029 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2030 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2031 default:
2032 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2033 break;
2034 }
2035 return rc;
2036 }
2037
2038 /*
2039 * Check that a process has enough memory to allocate a new virtual
2040 * mapping. 0 means there is enough memory for the allocation to
2041 * succeed and -ENOMEM implies there is not.
2042 *
2043 * Do not audit the selinux permission check, as this is applied to all
2044 * processes that allocate mappings.
2045 */
2046 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2047 {
2048 int rc, cap_sys_admin = 0;
2049
2050 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2051 SECURITY_CAP_NOAUDIT);
2052 if (rc == 0)
2053 cap_sys_admin = 1;
2054
2055 return __vm_enough_memory(mm, pages, cap_sys_admin);
2056 }
2057
2058 /* binprm security operations */
2059
2060 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2061 {
2062 const struct task_security_struct *old_tsec;
2063 struct task_security_struct *new_tsec;
2064 struct inode_security_struct *isec;
2065 struct common_audit_data ad;
2066 struct inode *inode = file_inode(bprm->file);
2067 int rc;
2068
2069 rc = cap_bprm_set_creds(bprm);
2070 if (rc)
2071 return rc;
2072
2073 /* SELinux context only depends on initial program or script and not
2074 * the script interpreter */
2075 if (bprm->cred_prepared)
2076 return 0;
2077
2078 old_tsec = current_security();
2079 new_tsec = bprm->cred->security;
2080 isec = inode->i_security;
2081
2082 /* Default to the current task SID. */
2083 new_tsec->sid = old_tsec->sid;
2084 new_tsec->osid = old_tsec->sid;
2085
2086 /* Reset fs, key, and sock SIDs on execve. */
2087 new_tsec->create_sid = 0;
2088 new_tsec->keycreate_sid = 0;
2089 new_tsec->sockcreate_sid = 0;
2090
2091 if (old_tsec->exec_sid) {
2092 new_tsec->sid = old_tsec->exec_sid;
2093 /* Reset exec SID on execve. */
2094 new_tsec->exec_sid = 0;
2095
2096 /*
2097 * Minimize confusion: if no_new_privs and a transition is
2098 * explicitly requested, then fail the exec.
2099 */
2100 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2101 return -EPERM;
2102 } else {
2103 /* Check for a default transition on this program. */
2104 rc = security_transition_sid(old_tsec->sid, isec->sid,
2105 SECCLASS_PROCESS, NULL,
2106 &new_tsec->sid);
2107 if (rc)
2108 return rc;
2109 }
2110
2111 ad.type = LSM_AUDIT_DATA_PATH;
2112 ad.u.path = bprm->file->f_path;
2113
2114 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2115 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2116 new_tsec->sid = old_tsec->sid;
2117
2118 if (new_tsec->sid == old_tsec->sid) {
2119 rc = avc_has_perm(old_tsec->sid, isec->sid,
2120 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2121 if (rc)
2122 return rc;
2123 } else {
2124 /* Check permissions for the transition. */
2125 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2126 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2127 if (rc)
2128 return rc;
2129
2130 rc = avc_has_perm(new_tsec->sid, isec->sid,
2131 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2132 if (rc)
2133 return rc;
2134
2135 /* Check for shared state */
2136 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2137 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2138 SECCLASS_PROCESS, PROCESS__SHARE,
2139 NULL);
2140 if (rc)
2141 return -EPERM;
2142 }
2143
2144 /* Make sure that anyone attempting to ptrace over a task that
2145 * changes its SID has the appropriate permit */
2146 if (bprm->unsafe &
2147 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2148 struct task_struct *tracer;
2149 struct task_security_struct *sec;
2150 u32 ptsid = 0;
2151
2152 rcu_read_lock();
2153 tracer = ptrace_parent(current);
2154 if (likely(tracer != NULL)) {
2155 sec = __task_cred(tracer)->security;
2156 ptsid = sec->sid;
2157 }
2158 rcu_read_unlock();
2159
2160 if (ptsid != 0) {
2161 rc = avc_has_perm(ptsid, new_tsec->sid,
2162 SECCLASS_PROCESS,
2163 PROCESS__PTRACE, NULL);
2164 if (rc)
2165 return -EPERM;
2166 }
2167 }
2168
2169 /* Clear any possibly unsafe personality bits on exec: */
2170 bprm->per_clear |= PER_CLEAR_ON_SETID;
2171 }
2172
2173 return 0;
2174 }
2175
2176 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2177 {
2178 const struct task_security_struct *tsec = current_security();
2179 u32 sid, osid;
2180 int atsecure = 0;
2181
2182 sid = tsec->sid;
2183 osid = tsec->osid;
2184
2185 if (osid != sid) {
2186 /* Enable secure mode for SIDs transitions unless
2187 the noatsecure permission is granted between
2188 the two SIDs, i.e. ahp returns 0. */
2189 atsecure = avc_has_perm(osid, sid,
2190 SECCLASS_PROCESS,
2191 PROCESS__NOATSECURE, NULL);
2192 }
2193
2194 return (atsecure || cap_bprm_secureexec(bprm));
2195 }
2196
2197 static int match_file(const void *p, struct file *file, unsigned fd)
2198 {
2199 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2200 }
2201
2202 /* Derived from fs/exec.c:flush_old_files. */
2203 static inline void flush_unauthorized_files(const struct cred *cred,
2204 struct files_struct *files)
2205 {
2206 struct file *file, *devnull = NULL;
2207 struct tty_struct *tty;
2208 int drop_tty = 0;
2209 unsigned n;
2210
2211 tty = get_current_tty();
2212 if (tty) {
2213 spin_lock(&tty_files_lock);
2214 if (!list_empty(&tty->tty_files)) {
2215 struct tty_file_private *file_priv;
2216
2217 /* Revalidate access to controlling tty.
2218 Use file_path_has_perm on the tty path directly
2219 rather than using file_has_perm, as this particular
2220 open file may belong to another process and we are
2221 only interested in the inode-based check here. */
2222 file_priv = list_first_entry(&tty->tty_files,
2223 struct tty_file_private, list);
2224 file = file_priv->file;
2225 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2226 drop_tty = 1;
2227 }
2228 spin_unlock(&tty_files_lock);
2229 tty_kref_put(tty);
2230 }
2231 /* Reset controlling tty. */
2232 if (drop_tty)
2233 no_tty();
2234
2235 /* Revalidate access to inherited open files. */
2236 n = iterate_fd(files, 0, match_file, cred);
2237 if (!n) /* none found? */
2238 return;
2239
2240 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2241 if (IS_ERR(devnull))
2242 devnull = NULL;
2243 /* replace all the matching ones with this */
2244 do {
2245 replace_fd(n - 1, devnull, 0);
2246 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2247 if (devnull)
2248 fput(devnull);
2249 }
2250
2251 /*
2252 * Prepare a process for imminent new credential changes due to exec
2253 */
2254 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2255 {
2256 struct task_security_struct *new_tsec;
2257 struct rlimit *rlim, *initrlim;
2258 int rc, i;
2259
2260 new_tsec = bprm->cred->security;
2261 if (new_tsec->sid == new_tsec->osid)
2262 return;
2263
2264 /* Close files for which the new task SID is not authorized. */
2265 flush_unauthorized_files(bprm->cred, current->files);
2266
2267 /* Always clear parent death signal on SID transitions. */
2268 current->pdeath_signal = 0;
2269
2270 /* Check whether the new SID can inherit resource limits from the old
2271 * SID. If not, reset all soft limits to the lower of the current
2272 * task's hard limit and the init task's soft limit.
2273 *
2274 * Note that the setting of hard limits (even to lower them) can be
2275 * controlled by the setrlimit check. The inclusion of the init task's
2276 * soft limit into the computation is to avoid resetting soft limits
2277 * higher than the default soft limit for cases where the default is
2278 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2279 */
2280 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2281 PROCESS__RLIMITINH, NULL);
2282 if (rc) {
2283 /* protect against do_prlimit() */
2284 task_lock(current);
2285 for (i = 0; i < RLIM_NLIMITS; i++) {
2286 rlim = current->signal->rlim + i;
2287 initrlim = init_task.signal->rlim + i;
2288 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2289 }
2290 task_unlock(current);
2291 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2292 }
2293 }
2294
2295 /*
2296 * Clean up the process immediately after the installation of new credentials
2297 * due to exec
2298 */
2299 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2300 {
2301 const struct task_security_struct *tsec = current_security();
2302 struct itimerval itimer;
2303 u32 osid, sid;
2304 int rc, i;
2305
2306 osid = tsec->osid;
2307 sid = tsec->sid;
2308
2309 if (sid == osid)
2310 return;
2311
2312 /* Check whether the new SID can inherit signal state from the old SID.
2313 * If not, clear itimers to avoid subsequent signal generation and
2314 * flush and unblock signals.
2315 *
2316 * This must occur _after_ the task SID has been updated so that any
2317 * kill done after the flush will be checked against the new SID.
2318 */
2319 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2320 if (rc) {
2321 memset(&itimer, 0, sizeof itimer);
2322 for (i = 0; i < 3; i++)
2323 do_setitimer(i, &itimer, NULL);
2324 spin_lock_irq(&current->sighand->siglock);
2325 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2326 __flush_signals(current);
2327 flush_signal_handlers(current, 1);
2328 sigemptyset(&current->blocked);
2329 }
2330 spin_unlock_irq(&current->sighand->siglock);
2331 }
2332
2333 /* Wake up the parent if it is waiting so that it can recheck
2334 * wait permission to the new task SID. */
2335 read_lock(&tasklist_lock);
2336 __wake_up_parent(current, current->real_parent);
2337 read_unlock(&tasklist_lock);
2338 }
2339
2340 /* superblock security operations */
2341
2342 static int selinux_sb_alloc_security(struct super_block *sb)
2343 {
2344 return superblock_alloc_security(sb);
2345 }
2346
2347 static void selinux_sb_free_security(struct super_block *sb)
2348 {
2349 superblock_free_security(sb);
2350 }
2351
2352 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2353 {
2354 if (plen > olen)
2355 return 0;
2356
2357 return !memcmp(prefix, option, plen);
2358 }
2359
2360 static inline int selinux_option(char *option, int len)
2361 {
2362 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2363 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2364 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2365 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2366 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2367 }
2368
2369 static inline void take_option(char **to, char *from, int *first, int len)
2370 {
2371 if (!*first) {
2372 **to = ',';
2373 *to += 1;
2374 } else
2375 *first = 0;
2376 memcpy(*to, from, len);
2377 *to += len;
2378 }
2379
2380 static inline void take_selinux_option(char **to, char *from, int *first,
2381 int len)
2382 {
2383 int current_size = 0;
2384
2385 if (!*first) {
2386 **to = '|';
2387 *to += 1;
2388 } else
2389 *first = 0;
2390
2391 while (current_size < len) {
2392 if (*from != '"') {
2393 **to = *from;
2394 *to += 1;
2395 }
2396 from += 1;
2397 current_size += 1;
2398 }
2399 }
2400
2401 static int selinux_sb_copy_data(char *orig, char *copy)
2402 {
2403 int fnosec, fsec, rc = 0;
2404 char *in_save, *in_curr, *in_end;
2405 char *sec_curr, *nosec_save, *nosec;
2406 int open_quote = 0;
2407
2408 in_curr = orig;
2409 sec_curr = copy;
2410
2411 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2412 if (!nosec) {
2413 rc = -ENOMEM;
2414 goto out;
2415 }
2416
2417 nosec_save = nosec;
2418 fnosec = fsec = 1;
2419 in_save = in_end = orig;
2420
2421 do {
2422 if (*in_end == '"')
2423 open_quote = !open_quote;
2424 if ((*in_end == ',' && open_quote == 0) ||
2425 *in_end == '\0') {
2426 int len = in_end - in_curr;
2427
2428 if (selinux_option(in_curr, len))
2429 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2430 else
2431 take_option(&nosec, in_curr, &fnosec, len);
2432
2433 in_curr = in_end + 1;
2434 }
2435 } while (*in_end++);
2436
2437 strcpy(in_save, nosec_save);
2438 free_page((unsigned long)nosec_save);
2439 out:
2440 return rc;
2441 }
2442
2443 static int selinux_sb_remount(struct super_block *sb, void *data)
2444 {
2445 int rc, i, *flags;
2446 struct security_mnt_opts opts;
2447 char *secdata, **mount_options;
2448 struct superblock_security_struct *sbsec = sb->s_security;
2449
2450 if (!(sbsec->flags & SE_SBINITIALIZED))
2451 return 0;
2452
2453 if (!data)
2454 return 0;
2455
2456 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2457 return 0;
2458
2459 security_init_mnt_opts(&opts);
2460 secdata = alloc_secdata();
2461 if (!secdata)
2462 return -ENOMEM;
2463 rc = selinux_sb_copy_data(data, secdata);
2464 if (rc)
2465 goto out_free_secdata;
2466
2467 rc = selinux_parse_opts_str(secdata, &opts);
2468 if (rc)
2469 goto out_free_secdata;
2470
2471 mount_options = opts.mnt_opts;
2472 flags = opts.mnt_opts_flags;
2473
2474 for (i = 0; i < opts.num_mnt_opts; i++) {
2475 u32 sid;
2476 size_t len;
2477
2478 if (flags[i] == SBLABEL_MNT)
2479 continue;
2480 len = strlen(mount_options[i]);
2481 rc = security_context_to_sid(mount_options[i], len, &sid);
2482 if (rc) {
2483 printk(KERN_WARNING "SELinux: security_context_to_sid"
2484 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
2485 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
2486 goto out_free_opts;
2487 }
2488 rc = -EINVAL;
2489 switch (flags[i]) {
2490 case FSCONTEXT_MNT:
2491 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2492 goto out_bad_option;
2493 break;
2494 case CONTEXT_MNT:
2495 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2496 goto out_bad_option;
2497 break;
2498 case ROOTCONTEXT_MNT: {
2499 struct inode_security_struct *root_isec;
2500 root_isec = sb->s_root->d_inode->i_security;
2501
2502 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2503 goto out_bad_option;
2504 break;
2505 }
2506 case DEFCONTEXT_MNT:
2507 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2508 goto out_bad_option;
2509 break;
2510 default:
2511 goto out_free_opts;
2512 }
2513 }
2514
2515 rc = 0;
2516 out_free_opts:
2517 security_free_mnt_opts(&opts);
2518 out_free_secdata:
2519 free_secdata(secdata);
2520 return rc;
2521 out_bad_option:
2522 printk(KERN_WARNING "SELinux: unable to change security options "
2523 "during remount (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
2524 SB_TYPE_ARGS(sb));
2525 goto out_free_opts;
2526 }
2527
2528 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2529 {
2530 const struct cred *cred = current_cred();
2531 struct common_audit_data ad;
2532 int rc;
2533
2534 rc = superblock_doinit(sb, data);
2535 if (rc)
2536 return rc;
2537
2538 /* Allow all mounts performed by the kernel */
2539 if (flags & MS_KERNMOUNT)
2540 return 0;
2541
2542 ad.type = LSM_AUDIT_DATA_DENTRY;
2543 ad.u.dentry = sb->s_root;
2544 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2545 }
2546
2547 static int selinux_sb_statfs(struct dentry *dentry)
2548 {
2549 const struct cred *cred = current_cred();
2550 struct common_audit_data ad;
2551
2552 ad.type = LSM_AUDIT_DATA_DENTRY;
2553 ad.u.dentry = dentry->d_sb->s_root;
2554 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2555 }
2556
2557 static int selinux_mount(const char *dev_name,
2558 struct path *path,
2559 const char *type,
2560 unsigned long flags,
2561 void *data)
2562 {
2563 const struct cred *cred = current_cred();
2564
2565 if (flags & MS_REMOUNT)
2566 return superblock_has_perm(cred, path->dentry->d_sb,
2567 FILESYSTEM__REMOUNT, NULL);
2568 else
2569 return path_has_perm(cred, path, FILE__MOUNTON);
2570 }
2571
2572 static int selinux_umount(struct vfsmount *mnt, int flags)
2573 {
2574 const struct cred *cred = current_cred();
2575
2576 return superblock_has_perm(cred, mnt->mnt_sb,
2577 FILESYSTEM__UNMOUNT, NULL);
2578 }
2579
2580 /* inode security operations */
2581
2582 static int selinux_inode_alloc_security(struct inode *inode)
2583 {
2584 return inode_alloc_security(inode);
2585 }
2586
2587 static void selinux_inode_free_security(struct inode *inode)
2588 {
2589 inode_free_security(inode);
2590 }
2591
2592 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2593 struct qstr *name, void **ctx,
2594 u32 *ctxlen)
2595 {
2596 const struct cred *cred = current_cred();
2597 struct task_security_struct *tsec;
2598 struct inode_security_struct *dsec;
2599 struct superblock_security_struct *sbsec;
2600 struct inode *dir = dentry->d_parent->d_inode;
2601 u32 newsid;
2602 int rc;
2603
2604 tsec = cred->security;
2605 dsec = dir->i_security;
2606 sbsec = dir->i_sb->s_security;
2607
2608 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2609 newsid = tsec->create_sid;
2610 } else {
2611 rc = security_transition_sid(tsec->sid, dsec->sid,
2612 inode_mode_to_security_class(mode),
2613 name,
2614 &newsid);
2615 if (rc) {
2616 printk(KERN_WARNING
2617 "%s: security_transition_sid failed, rc=%d\n",
2618 __func__, -rc);
2619 return rc;
2620 }
2621 }
2622
2623 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2624 }
2625
2626 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2627 const struct qstr *qstr, char **name,
2628 void **value, size_t *len)
2629 {
2630 const struct task_security_struct *tsec = current_security();
2631 struct inode_security_struct *dsec;
2632 struct superblock_security_struct *sbsec;
2633 u32 sid, newsid, clen;
2634 int rc;
2635 char *namep = NULL, *context;
2636
2637 dsec = dir->i_security;
2638 sbsec = dir->i_sb->s_security;
2639
2640 sid = tsec->sid;
2641 newsid = tsec->create_sid;
2642
2643 if ((sbsec->flags & SE_SBINITIALIZED) &&
2644 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2645 newsid = sbsec->mntpoint_sid;
2646 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2647 rc = security_transition_sid(sid, dsec->sid,
2648 inode_mode_to_security_class(inode->i_mode),
2649 qstr, &newsid);
2650 if (rc) {
2651 printk(KERN_WARNING "%s: "
2652 "security_transition_sid failed, rc=%d (dev=%s "
2653 "ino=%ld)\n",
2654 __func__,
2655 -rc, inode->i_sb->s_id, inode->i_ino);
2656 return rc;
2657 }
2658 }
2659
2660 /* Possibly defer initialization to selinux_complete_init. */
2661 if (sbsec->flags & SE_SBINITIALIZED) {
2662 struct inode_security_struct *isec = inode->i_security;
2663 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2664 isec->sid = newsid;
2665 isec->initialized = 1;
2666 }
2667
2668 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2669 return -EOPNOTSUPP;
2670
2671 if (name) {
2672 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2673 if (!namep)
2674 return -ENOMEM;
2675 *name = namep;
2676 }
2677
2678 if (value && len) {
2679 rc = security_sid_to_context_force(newsid, &context, &clen);
2680 if (rc) {
2681 kfree(namep);
2682 return rc;
2683 }
2684 *value = context;
2685 *len = clen;
2686 }
2687
2688 return 0;
2689 }
2690
2691 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2692 {
2693 return may_create(dir, dentry, SECCLASS_FILE);
2694 }
2695
2696 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2697 {
2698 return may_link(dir, old_dentry, MAY_LINK);
2699 }
2700
2701 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2702 {
2703 return may_link(dir, dentry, MAY_UNLINK);
2704 }
2705
2706 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2707 {
2708 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2709 }
2710
2711 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2712 {
2713 return may_create(dir, dentry, SECCLASS_DIR);
2714 }
2715
2716 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2717 {
2718 return may_link(dir, dentry, MAY_RMDIR);
2719 }
2720
2721 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2722 {
2723 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2724 }
2725
2726 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2727 struct inode *new_inode, struct dentry *new_dentry)
2728 {
2729 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2730 }
2731
2732 static int selinux_inode_readlink(struct dentry *dentry)
2733 {
2734 const struct cred *cred = current_cred();
2735
2736 return dentry_has_perm(cred, dentry, FILE__READ);
2737 }
2738
2739 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2740 {
2741 const struct cred *cred = current_cred();
2742
2743 return dentry_has_perm(cred, dentry, FILE__READ);
2744 }
2745
2746 static noinline int audit_inode_permission(struct inode *inode,
2747 u32 perms, u32 audited, u32 denied,
2748 unsigned flags)
2749 {
2750 struct common_audit_data ad;
2751 struct inode_security_struct *isec = inode->i_security;
2752 int rc;
2753
2754 ad.type = LSM_AUDIT_DATA_INODE;
2755 ad.u.inode = inode;
2756
2757 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2758 audited, denied, &ad, flags);
2759 if (rc)
2760 return rc;
2761 return 0;
2762 }
2763
2764 static int selinux_inode_permission(struct inode *inode, int mask)
2765 {
2766 const struct cred *cred = current_cred();
2767 u32 perms;
2768 bool from_access;
2769 unsigned flags = mask & MAY_NOT_BLOCK;
2770 struct inode_security_struct *isec;
2771 u32 sid;
2772 struct av_decision avd;
2773 int rc, rc2;
2774 u32 audited, denied;
2775
2776 from_access = mask & MAY_ACCESS;
2777 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2778
2779 /* No permission to check. Existence test. */
2780 if (!mask)
2781 return 0;
2782
2783 validate_creds(cred);
2784
2785 if (unlikely(IS_PRIVATE(inode)))
2786 return 0;
2787
2788 perms = file_mask_to_av(inode->i_mode, mask);
2789
2790 sid = cred_sid(cred);
2791 isec = inode->i_security;
2792
2793 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2794 audited = avc_audit_required(perms, &avd, rc,
2795 from_access ? FILE__AUDIT_ACCESS : 0,
2796 &denied);
2797 if (likely(!audited))
2798 return rc;
2799
2800 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2801 if (rc2)
2802 return rc2;
2803 return rc;
2804 }
2805
2806 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2807 {
2808 const struct cred *cred = current_cred();
2809 unsigned int ia_valid = iattr->ia_valid;
2810 __u32 av = FILE__WRITE;
2811
2812 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2813 if (ia_valid & ATTR_FORCE) {
2814 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2815 ATTR_FORCE);
2816 if (!ia_valid)
2817 return 0;
2818 }
2819
2820 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2821 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2822 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2823
2824 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2825 av |= FILE__OPEN;
2826
2827 return dentry_has_perm(cred, dentry, av);
2828 }
2829
2830 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2831 {
2832 const struct cred *cred = current_cred();
2833 struct path path;
2834
2835 path.dentry = dentry;
2836 path.mnt = mnt;
2837
2838 return path_has_perm(cred, &path, FILE__GETATTR);
2839 }
2840
2841 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2842 {
2843 const struct cred *cred = current_cred();
2844
2845 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2846 sizeof XATTR_SECURITY_PREFIX - 1)) {
2847 if (!strcmp(name, XATTR_NAME_CAPS)) {
2848 if (!capable(CAP_SETFCAP))
2849 return -EPERM;
2850 } else if (!capable(CAP_SYS_ADMIN)) {
2851 /* A different attribute in the security namespace.
2852 Restrict to administrator. */
2853 return -EPERM;
2854 }
2855 }
2856
2857 /* Not an attribute we recognize, so just check the
2858 ordinary setattr permission. */
2859 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2860 }
2861
2862 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2863 const void *value, size_t size, int flags)
2864 {
2865 struct inode *inode = dentry->d_inode;
2866 struct inode_security_struct *isec = inode->i_security;
2867 struct superblock_security_struct *sbsec;
2868 struct common_audit_data ad;
2869 u32 newsid, sid = current_sid();
2870 int rc = 0;
2871
2872 if (strcmp(name, XATTR_NAME_SELINUX))
2873 return selinux_inode_setotherxattr(dentry, name);
2874
2875 sbsec = inode->i_sb->s_security;
2876 if (!(sbsec->flags & SBLABEL_MNT))
2877 return -EOPNOTSUPP;
2878
2879 if (!inode_owner_or_capable(inode))
2880 return -EPERM;
2881
2882 ad.type = LSM_AUDIT_DATA_DENTRY;
2883 ad.u.dentry = dentry;
2884
2885 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2886 FILE__RELABELFROM, &ad);
2887 if (rc)
2888 return rc;
2889
2890 rc = security_context_to_sid(value, size, &newsid);
2891 if (rc == -EINVAL) {
2892 if (!capable(CAP_MAC_ADMIN)) {
2893 struct audit_buffer *ab;
2894 size_t audit_size;
2895 const char *str;
2896
2897 /* We strip a nul only if it is at the end, otherwise the
2898 * context contains a nul and we should audit that */
2899 if (value) {
2900 str = value;
2901 if (str[size - 1] == '\0')
2902 audit_size = size - 1;
2903 else
2904 audit_size = size;
2905 } else {
2906 str = "";
2907 audit_size = 0;
2908 }
2909 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2910 audit_log_format(ab, "op=setxattr invalid_context=");
2911 audit_log_n_untrustedstring(ab, value, audit_size);
2912 audit_log_end(ab);
2913
2914 return rc;
2915 }
2916 rc = security_context_to_sid_force(value, size, &newsid);
2917 }
2918 if (rc)
2919 return rc;
2920
2921 rc = avc_has_perm(sid, newsid, isec->sclass,
2922 FILE__RELABELTO, &ad);
2923 if (rc)
2924 return rc;
2925
2926 rc = security_validate_transition(isec->sid, newsid, sid,
2927 isec->sclass);
2928 if (rc)
2929 return rc;
2930
2931 return avc_has_perm(newsid,
2932 sbsec->sid,
2933 SECCLASS_FILESYSTEM,
2934 FILESYSTEM__ASSOCIATE,
2935 &ad);
2936 }
2937
2938 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2939 const void *value, size_t size,
2940 int flags)
2941 {
2942 struct inode *inode = dentry->d_inode;
2943 struct inode_security_struct *isec = inode->i_security;
2944 u32 newsid;
2945 int rc;
2946
2947 if (strcmp(name, XATTR_NAME_SELINUX)) {
2948 /* Not an attribute we recognize, so nothing to do. */
2949 return;
2950 }
2951
2952 rc = security_context_to_sid_force(value, size, &newsid);
2953 if (rc) {
2954 printk(KERN_ERR "SELinux: unable to map context to SID"
2955 "for (%s, %lu), rc=%d\n",
2956 inode->i_sb->s_id, inode->i_ino, -rc);
2957 return;
2958 }
2959
2960 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2961 isec->sid = newsid;
2962 isec->initialized = 1;
2963
2964 return;
2965 }
2966
2967 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2968 {
2969 const struct cred *cred = current_cred();
2970
2971 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2972 }
2973
2974 static int selinux_inode_listxattr(struct dentry *dentry)
2975 {
2976 const struct cred *cred = current_cred();
2977
2978 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2979 }
2980
2981 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2982 {
2983 if (strcmp(name, XATTR_NAME_SELINUX))
2984 return selinux_inode_setotherxattr(dentry, name);
2985
2986 /* No one is allowed to remove a SELinux security label.
2987 You can change the label, but all data must be labeled. */
2988 return -EACCES;
2989 }
2990
2991 /*
2992 * Copy the inode security context value to the user.
2993 *
2994 * Permission check is handled by selinux_inode_getxattr hook.
2995 */
2996 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2997 {
2998 u32 size;
2999 int error;
3000 char *context = NULL;
3001 struct inode_security_struct *isec = inode->i_security;
3002
3003 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3004 return -EOPNOTSUPP;
3005
3006 /*
3007 * If the caller has CAP_MAC_ADMIN, then get the raw context
3008 * value even if it is not defined by current policy; otherwise,
3009 * use the in-core value under current policy.
3010 * Use the non-auditing forms of the permission checks since
3011 * getxattr may be called by unprivileged processes commonly
3012 * and lack of permission just means that we fall back to the
3013 * in-core context value, not a denial.
3014 */
3015 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3016 SECURITY_CAP_NOAUDIT);
3017 if (!error)
3018 error = security_sid_to_context_force(isec->sid, &context,
3019 &size);
3020 else
3021 error = security_sid_to_context(isec->sid, &context, &size);
3022 if (error)
3023 return error;
3024 error = size;
3025 if (alloc) {
3026 *buffer = context;
3027 goto out_nofree;
3028 }
3029 kfree(context);
3030 out_nofree:
3031 return error;
3032 }
3033
3034 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3035 const void *value, size_t size, int flags)
3036 {
3037 struct inode_security_struct *isec = inode->i_security;
3038 u32 newsid;
3039 int rc;
3040
3041 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3042 return -EOPNOTSUPP;
3043
3044 if (!value || !size)
3045 return -EACCES;
3046
3047 rc = security_context_to_sid((void *)value, size, &newsid);
3048 if (rc)
3049 return rc;
3050
3051 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3052 isec->sid = newsid;
3053 isec->initialized = 1;
3054 return 0;
3055 }
3056
3057 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3058 {
3059 const int len = sizeof(XATTR_NAME_SELINUX);
3060 if (buffer && len <= buffer_size)
3061 memcpy(buffer, XATTR_NAME_SELINUX, len);
3062 return len;
3063 }
3064
3065 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3066 {
3067 struct inode_security_struct *isec = inode->i_security;
3068 *secid = isec->sid;
3069 }
3070
3071 /* file security operations */
3072
3073 static int selinux_revalidate_file_permission(struct file *file, int mask)
3074 {
3075 const struct cred *cred = current_cred();
3076 struct inode *inode = file_inode(file);
3077
3078 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3079 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3080 mask |= MAY_APPEND;
3081
3082 return file_has_perm(cred, file,
3083 file_mask_to_av(inode->i_mode, mask));
3084 }
3085
3086 static int selinux_file_permission(struct file *file, int mask)
3087 {
3088 struct inode *inode = file_inode(file);
3089 struct file_security_struct *fsec = file->f_security;
3090 struct inode_security_struct *isec = inode->i_security;
3091 u32 sid = current_sid();
3092
3093 if (!mask)
3094 /* No permission to check. Existence test. */
3095 return 0;
3096
3097 if (sid == fsec->sid && fsec->isid == isec->sid &&
3098 fsec->pseqno == avc_policy_seqno())
3099 /* No change since file_open check. */
3100 return 0;
3101
3102 return selinux_revalidate_file_permission(file, mask);
3103 }
3104
3105 static int selinux_file_alloc_security(struct file *file)
3106 {
3107 return file_alloc_security(file);
3108 }
3109
3110 static void selinux_file_free_security(struct file *file)
3111 {
3112 file_free_security(file);
3113 }
3114
3115 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3116 unsigned long arg)
3117 {
3118 const struct cred *cred = current_cred();
3119 int error = 0;
3120
3121 switch (cmd) {
3122 case FIONREAD:
3123 /* fall through */
3124 case FIBMAP:
3125 /* fall through */
3126 case FIGETBSZ:
3127 /* fall through */
3128 case FS_IOC_GETFLAGS:
3129 /* fall through */
3130 case FS_IOC_GETVERSION:
3131 error = file_has_perm(cred, file, FILE__GETATTR);
3132 break;
3133
3134 case FS_IOC_SETFLAGS:
3135 /* fall through */
3136 case FS_IOC_SETVERSION:
3137 error = file_has_perm(cred, file, FILE__SETATTR);
3138 break;
3139
3140 /* sys_ioctl() checks */
3141 case FIONBIO:
3142 /* fall through */
3143 case FIOASYNC:
3144 error = file_has_perm(cred, file, 0);
3145 break;
3146
3147 case KDSKBENT:
3148 case KDSKBSENT:
3149 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3150 SECURITY_CAP_AUDIT);
3151 break;
3152
3153 /* default case assumes that the command will go
3154 * to the file's ioctl() function.
3155 */
3156 default:
3157 error = file_has_perm(cred, file, FILE__IOCTL);
3158 }
3159 return error;
3160 }
3161
3162 static int default_noexec;
3163
3164 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3165 {
3166 const struct cred *cred = current_cred();
3167 int rc = 0;
3168
3169 if (default_noexec &&
3170 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3171 /*
3172 * We are making executable an anonymous mapping or a
3173 * private file mapping that will also be writable.
3174 * This has an additional check.
3175 */
3176 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3177 if (rc)
3178 goto error;
3179 }
3180
3181 if (file) {
3182 /* read access is always possible with a mapping */
3183 u32 av = FILE__READ;
3184
3185 /* write access only matters if the mapping is shared */
3186 if (shared && (prot & PROT_WRITE))
3187 av |= FILE__WRITE;
3188
3189 if (prot & PROT_EXEC)
3190 av |= FILE__EXECUTE;
3191
3192 return file_has_perm(cred, file, av);
3193 }
3194
3195 error:
3196 return rc;
3197 }
3198
3199 static int selinux_mmap_addr(unsigned long addr)
3200 {
3201 int rc = 0;
3202 u32 sid = current_sid();
3203
3204 /*
3205 * notice that we are intentionally putting the SELinux check before
3206 * the secondary cap_file_mmap check. This is such a likely attempt
3207 * at bad behaviour/exploit that we always want to get the AVC, even
3208 * if DAC would have also denied the operation.
3209 */
3210 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3211 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3212 MEMPROTECT__MMAP_ZERO, NULL);
3213 if (rc)
3214 return rc;
3215 }
3216
3217 /* do DAC check on address space usage */
3218 return cap_mmap_addr(addr);
3219 }
3220
3221 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3222 unsigned long prot, unsigned long flags)
3223 {
3224 if (selinux_checkreqprot)
3225 prot = reqprot;
3226
3227 return file_map_prot_check(file, prot,
3228 (flags & MAP_TYPE) == MAP_SHARED);
3229 }
3230
3231 static int selinux_file_mprotect(struct vm_area_struct *vma,
3232 unsigned long reqprot,
3233 unsigned long prot)
3234 {
3235 const struct cred *cred = current_cred();
3236
3237 if (selinux_checkreqprot)
3238 prot = reqprot;
3239
3240 if (default_noexec &&
3241 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3242 int rc = 0;
3243 if (vma->vm_start >= vma->vm_mm->start_brk &&
3244 vma->vm_end <= vma->vm_mm->brk) {
3245 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3246 } else if (!vma->vm_file &&
3247 vma->vm_start <= vma->vm_mm->start_stack &&
3248 vma->vm_end >= vma->vm_mm->start_stack) {
3249 rc = current_has_perm(current, PROCESS__EXECSTACK);
3250 } else if (vma->vm_file && vma->anon_vma) {
3251 /*
3252 * We are making executable a file mapping that has
3253 * had some COW done. Since pages might have been
3254 * written, check ability to execute the possibly
3255 * modified content. This typically should only
3256 * occur for text relocations.
3257 */
3258 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3259 }
3260 if (rc)
3261 return rc;
3262 }
3263
3264 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3265 }
3266
3267 static int selinux_file_lock(struct file *file, unsigned int cmd)
3268 {
3269 const struct cred *cred = current_cred();
3270
3271 return file_has_perm(cred, file, FILE__LOCK);
3272 }
3273
3274 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3275 unsigned long arg)
3276 {
3277 const struct cred *cred = current_cred();
3278 int err = 0;
3279
3280 switch (cmd) {
3281 case F_SETFL:
3282 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3283 err = file_has_perm(cred, file, FILE__WRITE);
3284 break;
3285 }
3286 /* fall through */
3287 case F_SETOWN:
3288 case F_SETSIG:
3289 case F_GETFL:
3290 case F_GETOWN:
3291 case F_GETSIG:
3292 case F_GETOWNER_UIDS:
3293 /* Just check FD__USE permission */
3294 err = file_has_perm(cred, file, 0);
3295 break;
3296 case F_GETLK:
3297 case F_SETLK:
3298 case F_SETLKW:
3299 #if BITS_PER_LONG == 32
3300 case F_GETLK64:
3301 case F_SETLK64:
3302 case F_SETLKW64:
3303 #endif
3304 err = file_has_perm(cred, file, FILE__LOCK);
3305 break;
3306 }
3307
3308 return err;
3309 }
3310
3311 static int selinux_file_set_fowner(struct file *file)
3312 {
3313 struct file_security_struct *fsec;
3314
3315 fsec = file->f_security;
3316 fsec->fown_sid = current_sid();
3317
3318 return 0;
3319 }
3320
3321 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3322 struct fown_struct *fown, int signum)
3323 {
3324 struct file *file;
3325 u32 sid = task_sid(tsk);
3326 u32 perm;
3327 struct file_security_struct *fsec;
3328
3329 /* struct fown_struct is never outside the context of a struct file */
3330 file = container_of(fown, struct file, f_owner);
3331
3332 fsec = file->f_security;
3333
3334 if (!signum)
3335 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3336 else
3337 perm = signal_to_av(signum);
3338
3339 return avc_has_perm(fsec->fown_sid, sid,
3340 SECCLASS_PROCESS, perm, NULL);
3341 }
3342
3343 static int selinux_file_receive(struct file *file)
3344 {
3345 const struct cred *cred = current_cred();
3346
3347 return file_has_perm(cred, file, file_to_av(file));
3348 }
3349
3350 static int selinux_file_open(struct file *file, const struct cred *cred)
3351 {
3352 struct file_security_struct *fsec;
3353 struct inode_security_struct *isec;
3354
3355 fsec = file->f_security;
3356 isec = file_inode(file)->i_security;
3357 /*
3358 * Save inode label and policy sequence number
3359 * at open-time so that selinux_file_permission
3360 * can determine whether revalidation is necessary.
3361 * Task label is already saved in the file security
3362 * struct as its SID.
3363 */
3364 fsec->isid = isec->sid;
3365 fsec->pseqno = avc_policy_seqno();
3366 /*
3367 * Since the inode label or policy seqno may have changed
3368 * between the selinux_inode_permission check and the saving
3369 * of state above, recheck that access is still permitted.
3370 * Otherwise, access might never be revalidated against the
3371 * new inode label or new policy.
3372 * This check is not redundant - do not remove.
3373 */
3374 return file_path_has_perm(cred, file, open_file_to_av(file));
3375 }
3376
3377 /* task security operations */
3378
3379 static int selinux_task_create(unsigned long clone_flags)
3380 {
3381 return current_has_perm(current, PROCESS__FORK);
3382 }
3383
3384 /*
3385 * allocate the SELinux part of blank credentials
3386 */
3387 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3388 {
3389 struct task_security_struct *tsec;
3390
3391 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3392 if (!tsec)
3393 return -ENOMEM;
3394
3395 cred->security = tsec;
3396 return 0;
3397 }
3398
3399 /*
3400 * detach and free the LSM part of a set of credentials
3401 */
3402 static void selinux_cred_free(struct cred *cred)
3403 {
3404 struct task_security_struct *tsec = cred->security;
3405
3406 /*
3407 * cred->security == NULL if security_cred_alloc_blank() or
3408 * security_prepare_creds() returned an error.
3409 */
3410 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3411 cred->security = (void *) 0x7UL;
3412 kfree(tsec);
3413 }
3414
3415 /*
3416 * prepare a new set of credentials for modification
3417 */
3418 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3419 gfp_t gfp)
3420 {
3421 const struct task_security_struct *old_tsec;
3422 struct task_security_struct *tsec;
3423
3424 old_tsec = old->security;
3425
3426 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3427 if (!tsec)
3428 return -ENOMEM;
3429
3430 new->security = tsec;
3431 return 0;
3432 }
3433
3434 /*
3435 * transfer the SELinux data to a blank set of creds
3436 */
3437 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3438 {
3439 const struct task_security_struct *old_tsec = old->security;
3440 struct task_security_struct *tsec = new->security;
3441
3442 *tsec = *old_tsec;
3443 }
3444
3445 /*
3446 * set the security data for a kernel service
3447 * - all the creation contexts are set to unlabelled
3448 */
3449 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3450 {
3451 struct task_security_struct *tsec = new->security;
3452 u32 sid = current_sid();
3453 int ret;
3454
3455 ret = avc_has_perm(sid, secid,
3456 SECCLASS_KERNEL_SERVICE,
3457 KERNEL_SERVICE__USE_AS_OVERRIDE,
3458 NULL);
3459 if (ret == 0) {
3460 tsec->sid = secid;
3461 tsec->create_sid = 0;
3462 tsec->keycreate_sid = 0;
3463 tsec->sockcreate_sid = 0;
3464 }
3465 return ret;
3466 }
3467
3468 /*
3469 * set the file creation context in a security record to the same as the
3470 * objective context of the specified inode
3471 */
3472 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3473 {
3474 struct inode_security_struct *isec = inode->i_security;
3475 struct task_security_struct *tsec = new->security;
3476 u32 sid = current_sid();
3477 int ret;
3478
3479 ret = avc_has_perm(sid, isec->sid,
3480 SECCLASS_KERNEL_SERVICE,
3481 KERNEL_SERVICE__CREATE_FILES_AS,
3482 NULL);
3483
3484 if (ret == 0)
3485 tsec->create_sid = isec->sid;
3486 return ret;
3487 }
3488
3489 static int selinux_kernel_module_request(char *kmod_name)
3490 {
3491 u32 sid;
3492 struct common_audit_data ad;
3493
3494 sid = task_sid(current);
3495
3496 ad.type = LSM_AUDIT_DATA_KMOD;
3497 ad.u.kmod_name = kmod_name;
3498
3499 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3500 SYSTEM__MODULE_REQUEST, &ad);
3501 }
3502
3503 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3504 {
3505 return current_has_perm(p, PROCESS__SETPGID);
3506 }
3507
3508 static int selinux_task_getpgid(struct task_struct *p)
3509 {
3510 return current_has_perm(p, PROCESS__GETPGID);
3511 }
3512
3513 static int selinux_task_getsid(struct task_struct *p)
3514 {
3515 return current_has_perm(p, PROCESS__GETSESSION);
3516 }
3517
3518 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3519 {
3520 *secid = task_sid(p);
3521 }
3522
3523 static int selinux_task_setnice(struct task_struct *p, int nice)
3524 {
3525 int rc;
3526
3527 rc = cap_task_setnice(p, nice);
3528 if (rc)
3529 return rc;
3530
3531 return current_has_perm(p, PROCESS__SETSCHED);
3532 }
3533
3534 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3535 {
3536 int rc;
3537
3538 rc = cap_task_setioprio(p, ioprio);
3539 if (rc)
3540 return rc;
3541
3542 return current_has_perm(p, PROCESS__SETSCHED);
3543 }
3544
3545 static int selinux_task_getioprio(struct task_struct *p)
3546 {
3547 return current_has_perm(p, PROCESS__GETSCHED);
3548 }
3549
3550 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3551 struct rlimit *new_rlim)
3552 {
3553 struct rlimit *old_rlim = p->signal->rlim + resource;
3554
3555 /* Control the ability to change the hard limit (whether
3556 lowering or raising it), so that the hard limit can
3557 later be used as a safe reset point for the soft limit
3558 upon context transitions. See selinux_bprm_committing_creds. */
3559 if (old_rlim->rlim_max != new_rlim->rlim_max)
3560 return current_has_perm(p, PROCESS__SETRLIMIT);
3561
3562 return 0;
3563 }
3564
3565 static int selinux_task_setscheduler(struct task_struct *p)
3566 {
3567 int rc;
3568
3569 rc = cap_task_setscheduler(p);
3570 if (rc)
3571 return rc;
3572
3573 return current_has_perm(p, PROCESS__SETSCHED);
3574 }
3575
3576 static int selinux_task_getscheduler(struct task_struct *p)
3577 {
3578 return current_has_perm(p, PROCESS__GETSCHED);
3579 }
3580
3581 static int selinux_task_movememory(struct task_struct *p)
3582 {
3583 return current_has_perm(p, PROCESS__SETSCHED);
3584 }
3585
3586 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3587 int sig, u32 secid)
3588 {
3589 u32 perm;
3590 int rc;
3591
3592 if (!sig)
3593 perm = PROCESS__SIGNULL; /* null signal; existence test */
3594 else
3595 perm = signal_to_av(sig);
3596 if (secid)
3597 rc = avc_has_perm(secid, task_sid(p),
3598 SECCLASS_PROCESS, perm, NULL);
3599 else
3600 rc = current_has_perm(p, perm);
3601 return rc;
3602 }
3603
3604 static int selinux_task_wait(struct task_struct *p)
3605 {
3606 return task_has_perm(p, current, PROCESS__SIGCHLD);
3607 }
3608
3609 static void selinux_task_to_inode(struct task_struct *p,
3610 struct inode *inode)
3611 {
3612 struct inode_security_struct *isec = inode->i_security;
3613 u32 sid = task_sid(p);
3614
3615 isec->sid = sid;
3616 isec->initialized = 1;
3617 }
3618
3619 /* Returns error only if unable to parse addresses */
3620 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3621 struct common_audit_data *ad, u8 *proto)
3622 {
3623 int offset, ihlen, ret = -EINVAL;
3624 struct iphdr _iph, *ih;
3625
3626 offset = skb_network_offset(skb);
3627 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3628 if (ih == NULL)
3629 goto out;
3630
3631 ihlen = ih->ihl * 4;
3632 if (ihlen < sizeof(_iph))
3633 goto out;
3634
3635 ad->u.net->v4info.saddr = ih->saddr;
3636 ad->u.net->v4info.daddr = ih->daddr;
3637 ret = 0;
3638
3639 if (proto)
3640 *proto = ih->protocol;
3641
3642 switch (ih->protocol) {
3643 case IPPROTO_TCP: {
3644 struct tcphdr _tcph, *th;
3645
3646 if (ntohs(ih->frag_off) & IP_OFFSET)
3647 break;
3648
3649 offset += ihlen;
3650 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3651 if (th == NULL)
3652 break;
3653
3654 ad->u.net->sport = th->source;
3655 ad->u.net->dport = th->dest;
3656 break;
3657 }
3658
3659 case IPPROTO_UDP: {
3660 struct udphdr _udph, *uh;
3661
3662 if (ntohs(ih->frag_off) & IP_OFFSET)
3663 break;
3664
3665 offset += ihlen;
3666 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3667 if (uh == NULL)
3668 break;
3669
3670 ad->u.net->sport = uh->source;
3671 ad->u.net->dport = uh->dest;
3672 break;
3673 }
3674
3675 case IPPROTO_DCCP: {
3676 struct dccp_hdr _dccph, *dh;
3677
3678 if (ntohs(ih->frag_off) & IP_OFFSET)
3679 break;
3680
3681 offset += ihlen;
3682 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3683 if (dh == NULL)
3684 break;
3685
3686 ad->u.net->sport = dh->dccph_sport;
3687 ad->u.net->dport = dh->dccph_dport;
3688 break;
3689 }
3690
3691 default:
3692 break;
3693 }
3694 out:
3695 return ret;
3696 }
3697
3698 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3699
3700 /* Returns error only if unable to parse addresses */
3701 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3702 struct common_audit_data *ad, u8 *proto)
3703 {
3704 u8 nexthdr;
3705 int ret = -EINVAL, offset;
3706 struct ipv6hdr _ipv6h, *ip6;
3707 __be16 frag_off;
3708
3709 offset = skb_network_offset(skb);
3710 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3711 if (ip6 == NULL)
3712 goto out;
3713
3714 ad->u.net->v6info.saddr = ip6->saddr;
3715 ad->u.net->v6info.daddr = ip6->daddr;
3716 ret = 0;
3717
3718 nexthdr = ip6->nexthdr;
3719 offset += sizeof(_ipv6h);
3720 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3721 if (offset < 0)
3722 goto out;
3723
3724 if (proto)
3725 *proto = nexthdr;
3726
3727 switch (nexthdr) {
3728 case IPPROTO_TCP: {
3729 struct tcphdr _tcph, *th;
3730
3731 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3732 if (th == NULL)
3733 break;
3734
3735 ad->u.net->sport = th->source;
3736 ad->u.net->dport = th->dest;
3737 break;
3738 }
3739
3740 case IPPROTO_UDP: {
3741 struct udphdr _udph, *uh;
3742
3743 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3744 if (uh == NULL)
3745 break;
3746
3747 ad->u.net->sport = uh->source;
3748 ad->u.net->dport = uh->dest;
3749 break;
3750 }
3751
3752 case IPPROTO_DCCP: {
3753 struct dccp_hdr _dccph, *dh;
3754
3755 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3756 if (dh == NULL)
3757 break;
3758
3759 ad->u.net->sport = dh->dccph_sport;
3760 ad->u.net->dport = dh->dccph_dport;
3761 break;
3762 }
3763
3764 /* includes fragments */
3765 default:
3766 break;
3767 }
3768 out:
3769 return ret;
3770 }
3771
3772 #endif /* IPV6 */
3773
3774 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3775 char **_addrp, int src, u8 *proto)
3776 {
3777 char *addrp;
3778 int ret;
3779
3780 switch (ad->u.net->family) {
3781 case PF_INET:
3782 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3783 if (ret)
3784 goto parse_error;
3785 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3786 &ad->u.net->v4info.daddr);
3787 goto okay;
3788
3789 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3790 case PF_INET6:
3791 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3792 if (ret)
3793 goto parse_error;
3794 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3795 &ad->u.net->v6info.daddr);
3796 goto okay;
3797 #endif /* IPV6 */
3798 default:
3799 addrp = NULL;
3800 goto okay;
3801 }
3802
3803 parse_error:
3804 printk(KERN_WARNING
3805 "SELinux: failure in selinux_parse_skb(),"
3806 " unable to parse packet\n");
3807 return ret;
3808
3809 okay:
3810 if (_addrp)
3811 *_addrp = addrp;
3812 return 0;
3813 }
3814
3815 /**
3816 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3817 * @skb: the packet
3818 * @family: protocol family
3819 * @sid: the packet's peer label SID
3820 *
3821 * Description:
3822 * Check the various different forms of network peer labeling and determine
3823 * the peer label/SID for the packet; most of the magic actually occurs in
3824 * the security server function security_net_peersid_cmp(). The function
3825 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3826 * or -EACCES if @sid is invalid due to inconsistencies with the different
3827 * peer labels.
3828 *
3829 */
3830 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3831 {
3832 int err;
3833 u32 xfrm_sid;
3834 u32 nlbl_sid;
3835 u32 nlbl_type;
3836
3837 err = selinux_skb_xfrm_sid(skb, &xfrm_sid);
3838 if (unlikely(err))
3839 return -EACCES;
3840 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3841 if (unlikely(err))
3842 return -EACCES;
3843
3844 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3845 if (unlikely(err)) {
3846 printk(KERN_WARNING
3847 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3848 " unable to determine packet's peer label\n");
3849 return -EACCES;
3850 }
3851
3852 return 0;
3853 }
3854
3855 /* socket security operations */
3856
3857 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3858 u16 secclass, u32 *socksid)
3859 {
3860 if (tsec->sockcreate_sid > SECSID_NULL) {
3861 *socksid = tsec->sockcreate_sid;
3862 return 0;
3863 }
3864
3865 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3866 socksid);
3867 }
3868
3869 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3870 {
3871 struct sk_security_struct *sksec = sk->sk_security;
3872 struct common_audit_data ad;
3873 struct lsm_network_audit net = {0,};
3874 u32 tsid = task_sid(task);
3875
3876 if (sksec->sid == SECINITSID_KERNEL)
3877 return 0;
3878
3879 ad.type = LSM_AUDIT_DATA_NET;
3880 ad.u.net = &net;
3881 ad.u.net->sk = sk;
3882
3883 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3884 }
3885
3886 static int selinux_socket_create(int family, int type,
3887 int protocol, int kern)
3888 {
3889 const struct task_security_struct *tsec = current_security();
3890 u32 newsid;
3891 u16 secclass;
3892 int rc;
3893
3894 if (kern)
3895 return 0;
3896
3897 secclass = socket_type_to_security_class(family, type, protocol);
3898 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3899 if (rc)
3900 return rc;
3901
3902 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3903 }
3904
3905 static int selinux_socket_post_create(struct socket *sock, int family,
3906 int type, int protocol, int kern)
3907 {
3908 const struct task_security_struct *tsec = current_security();
3909 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3910 struct sk_security_struct *sksec;
3911 int err = 0;
3912
3913 isec->sclass = socket_type_to_security_class(family, type, protocol);
3914
3915 if (kern)
3916 isec->sid = SECINITSID_KERNEL;
3917 else {
3918 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3919 if (err)
3920 return err;
3921 }
3922
3923 isec->initialized = 1;
3924
3925 if (sock->sk) {
3926 sksec = sock->sk->sk_security;
3927 sksec->sid = isec->sid;
3928 sksec->sclass = isec->sclass;
3929 err = selinux_netlbl_socket_post_create(sock->sk, family);
3930 }
3931
3932 return err;
3933 }
3934
3935 /* Range of port numbers used to automatically bind.
3936 Need to determine whether we should perform a name_bind
3937 permission check between the socket and the port number. */
3938
3939 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3940 {
3941 struct sock *sk = sock->sk;
3942 u16 family;
3943 int err;
3944
3945 err = sock_has_perm(current, sk, SOCKET__BIND);
3946 if (err)
3947 goto out;
3948
3949 /*
3950 * If PF_INET or PF_INET6, check name_bind permission for the port.
3951 * Multiple address binding for SCTP is not supported yet: we just
3952 * check the first address now.
3953 */
3954 family = sk->sk_family;
3955 if (family == PF_INET || family == PF_INET6) {
3956 char *addrp;
3957 struct sk_security_struct *sksec = sk->sk_security;
3958 struct common_audit_data ad;
3959 struct lsm_network_audit net = {0,};
3960 struct sockaddr_in *addr4 = NULL;
3961 struct sockaddr_in6 *addr6 = NULL;
3962 unsigned short snum;
3963 u32 sid, node_perm;
3964
3965 if (family == PF_INET) {
3966 addr4 = (struct sockaddr_in *)address;
3967 snum = ntohs(addr4->sin_port);
3968 addrp = (char *)&addr4->sin_addr.s_addr;
3969 } else {
3970 addr6 = (struct sockaddr_in6 *)address;
3971 snum = ntohs(addr6->sin6_port);
3972 addrp = (char *)&addr6->sin6_addr.s6_addr;
3973 }
3974
3975 if (snum) {
3976 int low, high;
3977
3978 inet_get_local_port_range(&low, &high);
3979
3980 if (snum < max(PROT_SOCK, low) || snum > high) {
3981 err = sel_netport_sid(sk->sk_protocol,
3982 snum, &sid);
3983 if (err)
3984 goto out;
3985 ad.type = LSM_AUDIT_DATA_NET;
3986 ad.u.net = &net;
3987 ad.u.net->sport = htons(snum);
3988 ad.u.net->family = family;
3989 err = avc_has_perm(sksec->sid, sid,
3990 sksec->sclass,
3991 SOCKET__NAME_BIND, &ad);
3992 if (err)
3993 goto out;
3994 }
3995 }
3996
3997 switch (sksec->sclass) {
3998 case SECCLASS_TCP_SOCKET:
3999 node_perm = TCP_SOCKET__NODE_BIND;
4000 break;
4001
4002 case SECCLASS_UDP_SOCKET:
4003 node_perm = UDP_SOCKET__NODE_BIND;
4004 break;
4005
4006 case SECCLASS_DCCP_SOCKET:
4007 node_perm = DCCP_SOCKET__NODE_BIND;
4008 break;
4009
4010 default:
4011 node_perm = RAWIP_SOCKET__NODE_BIND;
4012 break;
4013 }
4014
4015 err = sel_netnode_sid(addrp, family, &sid);
4016 if (err)
4017 goto out;
4018
4019 ad.type = LSM_AUDIT_DATA_NET;
4020 ad.u.net = &net;
4021 ad.u.net->sport = htons(snum);
4022 ad.u.net->family = family;
4023
4024 if (family == PF_INET)
4025 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4026 else
4027 ad.u.net->v6info.saddr = addr6->sin6_addr;
4028
4029 err = avc_has_perm(sksec->sid, sid,
4030 sksec->sclass, node_perm, &ad);
4031 if (err)
4032 goto out;
4033 }
4034 out:
4035 return err;
4036 }
4037
4038 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4039 {
4040 struct sock *sk = sock->sk;
4041 struct sk_security_struct *sksec = sk->sk_security;
4042 int err;
4043
4044 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4045 if (err)
4046 return err;
4047
4048 /*
4049 * If a TCP or DCCP socket, check name_connect permission for the port.
4050 */
4051 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4052 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4053 struct common_audit_data ad;
4054 struct lsm_network_audit net = {0,};
4055 struct sockaddr_in *addr4 = NULL;
4056 struct sockaddr_in6 *addr6 = NULL;
4057 unsigned short snum;
4058 u32 sid, perm;
4059
4060 if (sk->sk_family == PF_INET) {
4061 addr4 = (struct sockaddr_in *)address;
4062 if (addrlen < sizeof(struct sockaddr_in))
4063 return -EINVAL;
4064 snum = ntohs(addr4->sin_port);
4065 } else {
4066 addr6 = (struct sockaddr_in6 *)address;
4067 if (addrlen < SIN6_LEN_RFC2133)
4068 return -EINVAL;
4069 snum = ntohs(addr6->sin6_port);
4070 }
4071
4072 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4073 if (err)
4074 goto out;
4075
4076 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4077 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4078
4079 ad.type = LSM_AUDIT_DATA_NET;
4080 ad.u.net = &net;
4081 ad.u.net->dport = htons(snum);
4082 ad.u.net->family = sk->sk_family;
4083 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4084 if (err)
4085 goto out;
4086 }
4087
4088 err = selinux_netlbl_socket_connect(sk, address);
4089
4090 out:
4091 return err;
4092 }
4093
4094 static int selinux_socket_listen(struct socket *sock, int backlog)
4095 {
4096 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4097 }
4098
4099 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4100 {
4101 int err;
4102 struct inode_security_struct *isec;
4103 struct inode_security_struct *newisec;
4104
4105 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4106 if (err)
4107 return err;
4108
4109 newisec = SOCK_INODE(newsock)->i_security;
4110
4111 isec = SOCK_INODE(sock)->i_security;
4112 newisec->sclass = isec->sclass;
4113 newisec->sid = isec->sid;
4114 newisec->initialized = 1;
4115
4116 return 0;
4117 }
4118
4119 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4120 int size)
4121 {
4122 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4123 }
4124
4125 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4126 int size, int flags)
4127 {
4128 return sock_has_perm(current, sock->sk, SOCKET__READ);
4129 }
4130
4131 static int selinux_socket_getsockname(struct socket *sock)
4132 {
4133 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4134 }
4135
4136 static int selinux_socket_getpeername(struct socket *sock)
4137 {
4138 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4139 }
4140
4141 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4142 {
4143 int err;
4144
4145 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4146 if (err)
4147 return err;
4148
4149 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4150 }
4151
4152 static int selinux_socket_getsockopt(struct socket *sock, int level,
4153 int optname)
4154 {
4155 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4156 }
4157
4158 static int selinux_socket_shutdown(struct socket *sock, int how)
4159 {
4160 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4161 }
4162
4163 static int selinux_socket_unix_stream_connect(struct sock *sock,
4164 struct sock *other,
4165 struct sock *newsk)
4166 {
4167 struct sk_security_struct *sksec_sock = sock->sk_security;
4168 struct sk_security_struct *sksec_other = other->sk_security;
4169 struct sk_security_struct *sksec_new = newsk->sk_security;
4170 struct common_audit_data ad;
4171 struct lsm_network_audit net = {0,};
4172 int err;
4173
4174 ad.type = LSM_AUDIT_DATA_NET;
4175 ad.u.net = &net;
4176 ad.u.net->sk = other;
4177
4178 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4179 sksec_other->sclass,
4180 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4181 if (err)
4182 return err;
4183
4184 /* server child socket */
4185 sksec_new->peer_sid = sksec_sock->sid;
4186 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4187 &sksec_new->sid);
4188 if (err)
4189 return err;
4190
4191 /* connecting socket */
4192 sksec_sock->peer_sid = sksec_new->sid;
4193
4194 return 0;
4195 }
4196
4197 static int selinux_socket_unix_may_send(struct socket *sock,
4198 struct socket *other)
4199 {
4200 struct sk_security_struct *ssec = sock->sk->sk_security;
4201 struct sk_security_struct *osec = other->sk->sk_security;
4202 struct common_audit_data ad;
4203 struct lsm_network_audit net = {0,};
4204
4205 ad.type = LSM_AUDIT_DATA_NET;
4206 ad.u.net = &net;
4207 ad.u.net->sk = other->sk;
4208
4209 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4210 &ad);
4211 }
4212
4213 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4214 u32 peer_sid,
4215 struct common_audit_data *ad)
4216 {
4217 int err;
4218 u32 if_sid;
4219 u32 node_sid;
4220
4221 err = sel_netif_sid(ifindex, &if_sid);
4222 if (err)
4223 return err;
4224 err = avc_has_perm(peer_sid, if_sid,
4225 SECCLASS_NETIF, NETIF__INGRESS, ad);
4226 if (err)
4227 return err;
4228
4229 err = sel_netnode_sid(addrp, family, &node_sid);
4230 if (err)
4231 return err;
4232 return avc_has_perm(peer_sid, node_sid,
4233 SECCLASS_NODE, NODE__RECVFROM, ad);
4234 }
4235
4236 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4237 u16 family)
4238 {
4239 int err = 0;
4240 struct sk_security_struct *sksec = sk->sk_security;
4241 u32 sk_sid = sksec->sid;
4242 struct common_audit_data ad;
4243 struct lsm_network_audit net = {0,};
4244 char *addrp;
4245
4246 ad.type = LSM_AUDIT_DATA_NET;
4247 ad.u.net = &net;
4248 ad.u.net->netif = skb->skb_iif;
4249 ad.u.net->family = family;
4250 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4251 if (err)
4252 return err;
4253
4254 if (selinux_secmark_enabled()) {
4255 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4256 PACKET__RECV, &ad);
4257 if (err)
4258 return err;
4259 }
4260
4261 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4262 if (err)
4263 return err;
4264 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4265
4266 return err;
4267 }
4268
4269 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4270 {
4271 int err;
4272 struct sk_security_struct *sksec = sk->sk_security;
4273 u16 family = sk->sk_family;
4274 u32 sk_sid = sksec->sid;
4275 struct common_audit_data ad;
4276 struct lsm_network_audit net = {0,};
4277 char *addrp;
4278 u8 secmark_active;
4279 u8 peerlbl_active;
4280
4281 if (family != PF_INET && family != PF_INET6)
4282 return 0;
4283
4284 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4285 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4286 family = PF_INET;
4287
4288 /* If any sort of compatibility mode is enabled then handoff processing
4289 * to the selinux_sock_rcv_skb_compat() function to deal with the
4290 * special handling. We do this in an attempt to keep this function
4291 * as fast and as clean as possible. */
4292 if (!selinux_policycap_netpeer)
4293 return selinux_sock_rcv_skb_compat(sk, skb, family);
4294
4295 secmark_active = selinux_secmark_enabled();
4296 peerlbl_active = selinux_peerlbl_enabled();
4297 if (!secmark_active && !peerlbl_active)
4298 return 0;
4299
4300 ad.type = LSM_AUDIT_DATA_NET;
4301 ad.u.net = &net;
4302 ad.u.net->netif = skb->skb_iif;
4303 ad.u.net->family = family;
4304 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4305 if (err)
4306 return err;
4307
4308 if (peerlbl_active) {
4309 u32 peer_sid;
4310
4311 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4312 if (err)
4313 return err;
4314 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4315 peer_sid, &ad);
4316 if (err) {
4317 selinux_netlbl_err(skb, err, 0);
4318 return err;
4319 }
4320 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4321 PEER__RECV, &ad);
4322 if (err)
4323 selinux_netlbl_err(skb, err, 0);
4324 }
4325
4326 if (secmark_active) {
4327 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4328 PACKET__RECV, &ad);
4329 if (err)
4330 return err;
4331 }
4332
4333 return err;
4334 }
4335
4336 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4337 int __user *optlen, unsigned len)
4338 {
4339 int err = 0;
4340 char *scontext;
4341 u32 scontext_len;
4342 struct sk_security_struct *sksec = sock->sk->sk_security;
4343 u32 peer_sid = SECSID_NULL;
4344
4345 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4346 sksec->sclass == SECCLASS_TCP_SOCKET)
4347 peer_sid = sksec->peer_sid;
4348 if (peer_sid == SECSID_NULL)
4349 return -ENOPROTOOPT;
4350
4351 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4352 if (err)
4353 return err;
4354
4355 if (scontext_len > len) {
4356 err = -ERANGE;
4357 goto out_len;
4358 }
4359
4360 if (copy_to_user(optval, scontext, scontext_len))
4361 err = -EFAULT;
4362
4363 out_len:
4364 if (put_user(scontext_len, optlen))
4365 err = -EFAULT;
4366 kfree(scontext);
4367 return err;
4368 }
4369
4370 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4371 {
4372 u32 peer_secid = SECSID_NULL;
4373 u16 family;
4374
4375 if (skb && skb->protocol == htons(ETH_P_IP))
4376 family = PF_INET;
4377 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4378 family = PF_INET6;
4379 else if (sock)
4380 family = sock->sk->sk_family;
4381 else
4382 goto out;
4383
4384 if (sock && family == PF_UNIX)
4385 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4386 else if (skb)
4387 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4388
4389 out:
4390 *secid = peer_secid;
4391 if (peer_secid == SECSID_NULL)
4392 return -EINVAL;
4393 return 0;
4394 }
4395
4396 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4397 {
4398 struct sk_security_struct *sksec;
4399
4400 sksec = kzalloc(sizeof(*sksec), priority);
4401 if (!sksec)
4402 return -ENOMEM;
4403
4404 sksec->peer_sid = SECINITSID_UNLABELED;
4405 sksec->sid = SECINITSID_UNLABELED;
4406 selinux_netlbl_sk_security_reset(sksec);
4407 sk->sk_security = sksec;
4408
4409 return 0;
4410 }
4411
4412 static void selinux_sk_free_security(struct sock *sk)
4413 {
4414 struct sk_security_struct *sksec = sk->sk_security;
4415
4416 sk->sk_security = NULL;
4417 selinux_netlbl_sk_security_free(sksec);
4418 kfree(sksec);
4419 }
4420
4421 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4422 {
4423 struct sk_security_struct *sksec = sk->sk_security;
4424 struct sk_security_struct *newsksec = newsk->sk_security;
4425
4426 newsksec->sid = sksec->sid;
4427 newsksec->peer_sid = sksec->peer_sid;
4428 newsksec->sclass = sksec->sclass;
4429
4430 selinux_netlbl_sk_security_reset(newsksec);
4431 }
4432
4433 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4434 {
4435 if (!sk)
4436 *secid = SECINITSID_ANY_SOCKET;
4437 else {
4438 struct sk_security_struct *sksec = sk->sk_security;
4439
4440 *secid = sksec->sid;
4441 }
4442 }
4443
4444 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4445 {
4446 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4447 struct sk_security_struct *sksec = sk->sk_security;
4448
4449 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4450 sk->sk_family == PF_UNIX)
4451 isec->sid = sksec->sid;
4452 sksec->sclass = isec->sclass;
4453 }
4454
4455 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4456 struct request_sock *req)
4457 {
4458 struct sk_security_struct *sksec = sk->sk_security;
4459 int err;
4460 u16 family = sk->sk_family;
4461 u32 newsid;
4462 u32 peersid;
4463
4464 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4465 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4466 family = PF_INET;
4467
4468 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4469 if (err)
4470 return err;
4471 if (peersid == SECSID_NULL) {
4472 req->secid = sksec->sid;
4473 req->peer_secid = SECSID_NULL;
4474 } else {
4475 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4476 if (err)
4477 return err;
4478 req->secid = newsid;
4479 req->peer_secid = peersid;
4480 }
4481
4482 return selinux_netlbl_inet_conn_request(req, family);
4483 }
4484
4485 static void selinux_inet_csk_clone(struct sock *newsk,
4486 const struct request_sock *req)
4487 {
4488 struct sk_security_struct *newsksec = newsk->sk_security;
4489
4490 newsksec->sid = req->secid;
4491 newsksec->peer_sid = req->peer_secid;
4492 /* NOTE: Ideally, we should also get the isec->sid for the
4493 new socket in sync, but we don't have the isec available yet.
4494 So we will wait until sock_graft to do it, by which
4495 time it will have been created and available. */
4496
4497 /* We don't need to take any sort of lock here as we are the only
4498 * thread with access to newsksec */
4499 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4500 }
4501
4502 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4503 {
4504 u16 family = sk->sk_family;
4505 struct sk_security_struct *sksec = sk->sk_security;
4506
4507 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4508 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4509 family = PF_INET;
4510
4511 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4512 }
4513
4514 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4515 {
4516 skb_set_owner_w(skb, sk);
4517 }
4518
4519 static int selinux_secmark_relabel_packet(u32 sid)
4520 {
4521 const struct task_security_struct *__tsec;
4522 u32 tsid;
4523
4524 __tsec = current_security();
4525 tsid = __tsec->sid;
4526
4527 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4528 }
4529
4530 static void selinux_secmark_refcount_inc(void)
4531 {
4532 atomic_inc(&selinux_secmark_refcount);
4533 }
4534
4535 static void selinux_secmark_refcount_dec(void)
4536 {
4537 atomic_dec(&selinux_secmark_refcount);
4538 }
4539
4540 static void selinux_req_classify_flow(const struct request_sock *req,
4541 struct flowi *fl)
4542 {
4543 fl->flowi_secid = req->secid;
4544 }
4545
4546 static int selinux_tun_dev_alloc_security(void **security)
4547 {
4548 struct tun_security_struct *tunsec;
4549
4550 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4551 if (!tunsec)
4552 return -ENOMEM;
4553 tunsec->sid = current_sid();
4554
4555 *security = tunsec;
4556 return 0;
4557 }
4558
4559 static void selinux_tun_dev_free_security(void *security)
4560 {
4561 kfree(security);
4562 }
4563
4564 static int selinux_tun_dev_create(void)
4565 {
4566 u32 sid = current_sid();
4567
4568 /* we aren't taking into account the "sockcreate" SID since the socket
4569 * that is being created here is not a socket in the traditional sense,
4570 * instead it is a private sock, accessible only to the kernel, and
4571 * representing a wide range of network traffic spanning multiple
4572 * connections unlike traditional sockets - check the TUN driver to
4573 * get a better understanding of why this socket is special */
4574
4575 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4576 NULL);
4577 }
4578
4579 static int selinux_tun_dev_attach_queue(void *security)
4580 {
4581 struct tun_security_struct *tunsec = security;
4582
4583 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4584 TUN_SOCKET__ATTACH_QUEUE, NULL);
4585 }
4586
4587 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4588 {
4589 struct tun_security_struct *tunsec = security;
4590 struct sk_security_struct *sksec = sk->sk_security;
4591
4592 /* we don't currently perform any NetLabel based labeling here and it
4593 * isn't clear that we would want to do so anyway; while we could apply
4594 * labeling without the support of the TUN user the resulting labeled
4595 * traffic from the other end of the connection would almost certainly
4596 * cause confusion to the TUN user that had no idea network labeling
4597 * protocols were being used */
4598
4599 sksec->sid = tunsec->sid;
4600 sksec->sclass = SECCLASS_TUN_SOCKET;
4601
4602 return 0;
4603 }
4604
4605 static int selinux_tun_dev_open(void *security)
4606 {
4607 struct tun_security_struct *tunsec = security;
4608 u32 sid = current_sid();
4609 int err;
4610
4611 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4612 TUN_SOCKET__RELABELFROM, NULL);
4613 if (err)
4614 return err;
4615 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4616 TUN_SOCKET__RELABELTO, NULL);
4617 if (err)
4618 return err;
4619 tunsec->sid = sid;
4620
4621 return 0;
4622 }
4623
4624 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4625 {
4626 int err = 0;
4627 u32 perm;
4628 struct nlmsghdr *nlh;
4629 struct sk_security_struct *sksec = sk->sk_security;
4630
4631 if (skb->len < NLMSG_HDRLEN) {
4632 err = -EINVAL;
4633 goto out;
4634 }
4635 nlh = nlmsg_hdr(skb);
4636
4637 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4638 if (err) {
4639 if (err == -EINVAL) {
4640 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4641 "SELinux: unrecognized netlink message"
4642 " type=%hu for sclass=%hu\n",
4643 nlh->nlmsg_type, sksec->sclass);
4644 if (!selinux_enforcing || security_get_allow_unknown())
4645 err = 0;
4646 }
4647
4648 /* Ignore */
4649 if (err == -ENOENT)
4650 err = 0;
4651 goto out;
4652 }
4653
4654 err = sock_has_perm(current, sk, perm);
4655 out:
4656 return err;
4657 }
4658
4659 #ifdef CONFIG_NETFILTER
4660
4661 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4662 u16 family)
4663 {
4664 int err;
4665 char *addrp;
4666 u32 peer_sid;
4667 struct common_audit_data ad;
4668 struct lsm_network_audit net = {0,};
4669 u8 secmark_active;
4670 u8 netlbl_active;
4671 u8 peerlbl_active;
4672
4673 if (!selinux_policycap_netpeer)
4674 return NF_ACCEPT;
4675
4676 secmark_active = selinux_secmark_enabled();
4677 netlbl_active = netlbl_enabled();
4678 peerlbl_active = selinux_peerlbl_enabled();
4679 if (!secmark_active && !peerlbl_active)
4680 return NF_ACCEPT;
4681
4682 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4683 return NF_DROP;
4684
4685 ad.type = LSM_AUDIT_DATA_NET;
4686 ad.u.net = &net;
4687 ad.u.net->netif = ifindex;
4688 ad.u.net->family = family;
4689 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4690 return NF_DROP;
4691
4692 if (peerlbl_active) {
4693 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4694 peer_sid, &ad);
4695 if (err) {
4696 selinux_netlbl_err(skb, err, 1);
4697 return NF_DROP;
4698 }
4699 }
4700
4701 if (secmark_active)
4702 if (avc_has_perm(peer_sid, skb->secmark,
4703 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4704 return NF_DROP;
4705
4706 if (netlbl_active)
4707 /* we do this in the FORWARD path and not the POST_ROUTING
4708 * path because we want to make sure we apply the necessary
4709 * labeling before IPsec is applied so we can leverage AH
4710 * protection */
4711 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4712 return NF_DROP;
4713
4714 return NF_ACCEPT;
4715 }
4716
4717 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4718 struct sk_buff *skb,
4719 const struct net_device *in,
4720 const struct net_device *out,
4721 int (*okfn)(struct sk_buff *))
4722 {
4723 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4724 }
4725
4726 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4727 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4728 struct sk_buff *skb,
4729 const struct net_device *in,
4730 const struct net_device *out,
4731 int (*okfn)(struct sk_buff *))
4732 {
4733 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4734 }
4735 #endif /* IPV6 */
4736
4737 static unsigned int selinux_ip_output(struct sk_buff *skb,
4738 u16 family)
4739 {
4740 u32 sid;
4741
4742 if (!netlbl_enabled())
4743 return NF_ACCEPT;
4744
4745 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4746 * because we want to make sure we apply the necessary labeling
4747 * before IPsec is applied so we can leverage AH protection */
4748 if (skb->sk) {
4749 struct sk_security_struct *sksec = skb->sk->sk_security;
4750 sid = sksec->sid;
4751 } else
4752 sid = SECINITSID_KERNEL;
4753 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4754 return NF_DROP;
4755
4756 return NF_ACCEPT;
4757 }
4758
4759 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4760 struct sk_buff *skb,
4761 const struct net_device *in,
4762 const struct net_device *out,
4763 int (*okfn)(struct sk_buff *))
4764 {
4765 return selinux_ip_output(skb, PF_INET);
4766 }
4767
4768 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4769 int ifindex,
4770 u16 family)
4771 {
4772 struct sock *sk = skb->sk;
4773 struct sk_security_struct *sksec;
4774 struct common_audit_data ad;
4775 struct lsm_network_audit net = {0,};
4776 char *addrp;
4777 u8 proto;
4778
4779 if (sk == NULL)
4780 return NF_ACCEPT;
4781 sksec = sk->sk_security;
4782
4783 ad.type = LSM_AUDIT_DATA_NET;
4784 ad.u.net = &net;
4785 ad.u.net->netif = ifindex;
4786 ad.u.net->family = family;
4787 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4788 return NF_DROP;
4789
4790 if (selinux_secmark_enabled())
4791 if (avc_has_perm(sksec->sid, skb->secmark,
4792 SECCLASS_PACKET, PACKET__SEND, &ad))
4793 return NF_DROP_ERR(-ECONNREFUSED);
4794
4795 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4796 return NF_DROP_ERR(-ECONNREFUSED);
4797
4798 return NF_ACCEPT;
4799 }
4800
4801 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4802 u16 family)
4803 {
4804 u32 secmark_perm;
4805 u32 peer_sid;
4806 struct sock *sk;
4807 struct common_audit_data ad;
4808 struct lsm_network_audit net = {0,};
4809 char *addrp;
4810 u8 secmark_active;
4811 u8 peerlbl_active;
4812
4813 /* If any sort of compatibility mode is enabled then handoff processing
4814 * to the selinux_ip_postroute_compat() function to deal with the
4815 * special handling. We do this in an attempt to keep this function
4816 * as fast and as clean as possible. */
4817 if (!selinux_policycap_netpeer)
4818 return selinux_ip_postroute_compat(skb, ifindex, family);
4819 #ifdef CONFIG_XFRM
4820 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4821 * packet transformation so allow the packet to pass without any checks
4822 * since we'll have another chance to perform access control checks
4823 * when the packet is on it's final way out.
4824 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4825 * is NULL, in this case go ahead and apply access control. */
4826 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4827 return NF_ACCEPT;
4828 #endif
4829 secmark_active = selinux_secmark_enabled();
4830 peerlbl_active = selinux_peerlbl_enabled();
4831 if (!secmark_active && !peerlbl_active)
4832 return NF_ACCEPT;
4833
4834 /* if the packet is being forwarded then get the peer label from the
4835 * packet itself; otherwise check to see if it is from a local
4836 * application or the kernel, if from an application get the peer label
4837 * from the sending socket, otherwise use the kernel's sid */
4838 sk = skb->sk;
4839 if (sk == NULL) {
4840 if (skb->skb_iif) {
4841 secmark_perm = PACKET__FORWARD_OUT;
4842 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4843 return NF_DROP;
4844 } else {
4845 secmark_perm = PACKET__SEND;
4846 peer_sid = SECINITSID_KERNEL;
4847 }
4848 } else {
4849 struct sk_security_struct *sksec = sk->sk_security;
4850 peer_sid = sksec->sid;
4851 secmark_perm = PACKET__SEND;
4852 }
4853
4854 ad.type = LSM_AUDIT_DATA_NET;
4855 ad.u.net = &net;
4856 ad.u.net->netif = ifindex;
4857 ad.u.net->family = family;
4858 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4859 return NF_DROP;
4860
4861 if (secmark_active)
4862 if (avc_has_perm(peer_sid, skb->secmark,
4863 SECCLASS_PACKET, secmark_perm, &ad))
4864 return NF_DROP_ERR(-ECONNREFUSED);
4865
4866 if (peerlbl_active) {
4867 u32 if_sid;
4868 u32 node_sid;
4869
4870 if (sel_netif_sid(ifindex, &if_sid))
4871 return NF_DROP;
4872 if (avc_has_perm(peer_sid, if_sid,
4873 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4874 return NF_DROP_ERR(-ECONNREFUSED);
4875
4876 if (sel_netnode_sid(addrp, family, &node_sid))
4877 return NF_DROP;
4878 if (avc_has_perm(peer_sid, node_sid,
4879 SECCLASS_NODE, NODE__SENDTO, &ad))
4880 return NF_DROP_ERR(-ECONNREFUSED);
4881 }
4882
4883 return NF_ACCEPT;
4884 }
4885
4886 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4887 struct sk_buff *skb,
4888 const struct net_device *in,
4889 const struct net_device *out,
4890 int (*okfn)(struct sk_buff *))
4891 {
4892 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4893 }
4894
4895 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4896 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4897 struct sk_buff *skb,
4898 const struct net_device *in,
4899 const struct net_device *out,
4900 int (*okfn)(struct sk_buff *))
4901 {
4902 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4903 }
4904 #endif /* IPV6 */
4905
4906 #endif /* CONFIG_NETFILTER */
4907
4908 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4909 {
4910 int err;
4911
4912 err = cap_netlink_send(sk, skb);
4913 if (err)
4914 return err;
4915
4916 return selinux_nlmsg_perm(sk, skb);
4917 }
4918
4919 static int ipc_alloc_security(struct task_struct *task,
4920 struct kern_ipc_perm *perm,
4921 u16 sclass)
4922 {
4923 struct ipc_security_struct *isec;
4924 u32 sid;
4925
4926 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4927 if (!isec)
4928 return -ENOMEM;
4929
4930 sid = task_sid(task);
4931 isec->sclass = sclass;
4932 isec->sid = sid;
4933 perm->security = isec;
4934
4935 return 0;
4936 }
4937
4938 static void ipc_free_security(struct kern_ipc_perm *perm)
4939 {
4940 struct ipc_security_struct *isec = perm->security;
4941 perm->security = NULL;
4942 kfree(isec);
4943 }
4944
4945 static int msg_msg_alloc_security(struct msg_msg *msg)
4946 {
4947 struct msg_security_struct *msec;
4948
4949 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4950 if (!msec)
4951 return -ENOMEM;
4952
4953 msec->sid = SECINITSID_UNLABELED;
4954 msg->security = msec;
4955
4956 return 0;
4957 }
4958
4959 static void msg_msg_free_security(struct msg_msg *msg)
4960 {
4961 struct msg_security_struct *msec = msg->security;
4962
4963 msg->security = NULL;
4964 kfree(msec);
4965 }
4966
4967 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4968 u32 perms)
4969 {
4970 struct ipc_security_struct *isec;
4971 struct common_audit_data ad;
4972 u32 sid = current_sid();
4973
4974 isec = ipc_perms->security;
4975
4976 ad.type = LSM_AUDIT_DATA_IPC;
4977 ad.u.ipc_id = ipc_perms->key;
4978
4979 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4980 }
4981
4982 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4983 {
4984 return msg_msg_alloc_security(msg);
4985 }
4986
4987 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4988 {
4989 msg_msg_free_security(msg);
4990 }
4991
4992 /* message queue security operations */
4993 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4994 {
4995 struct ipc_security_struct *isec;
4996 struct common_audit_data ad;
4997 u32 sid = current_sid();
4998 int rc;
4999
5000 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5001 if (rc)
5002 return rc;
5003
5004 isec = msq->q_perm.security;
5005
5006 ad.type = LSM_AUDIT_DATA_IPC;
5007 ad.u.ipc_id = msq->q_perm.key;
5008
5009 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5010 MSGQ__CREATE, &ad);
5011 if (rc) {
5012 ipc_free_security(&msq->q_perm);
5013 return rc;
5014 }
5015 return 0;
5016 }
5017
5018 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5019 {
5020 ipc_free_security(&msq->q_perm);
5021 }
5022
5023 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5024 {
5025 struct ipc_security_struct *isec;
5026 struct common_audit_data ad;
5027 u32 sid = current_sid();
5028
5029 isec = msq->q_perm.security;
5030
5031 ad.type = LSM_AUDIT_DATA_IPC;
5032 ad.u.ipc_id = msq->q_perm.key;
5033
5034 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5035 MSGQ__ASSOCIATE, &ad);
5036 }
5037
5038 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5039 {
5040 int err;
5041 int perms;
5042
5043 switch (cmd) {
5044 case IPC_INFO:
5045 case MSG_INFO:
5046 /* No specific object, just general system-wide information. */
5047 return task_has_system(current, SYSTEM__IPC_INFO);
5048 case IPC_STAT:
5049 case MSG_STAT:
5050 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5051 break;
5052 case IPC_SET:
5053 perms = MSGQ__SETATTR;
5054 break;
5055 case IPC_RMID:
5056 perms = MSGQ__DESTROY;
5057 break;
5058 default:
5059 return 0;
5060 }
5061
5062 err = ipc_has_perm(&msq->q_perm, perms);
5063 return err;
5064 }
5065
5066 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5067 {
5068 struct ipc_security_struct *isec;
5069 struct msg_security_struct *msec;
5070 struct common_audit_data ad;
5071 u32 sid = current_sid();
5072 int rc;
5073
5074 isec = msq->q_perm.security;
5075 msec = msg->security;
5076
5077 /*
5078 * First time through, need to assign label to the message
5079 */
5080 if (msec->sid == SECINITSID_UNLABELED) {
5081 /*
5082 * Compute new sid based on current process and
5083 * message queue this message will be stored in
5084 */
5085 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5086 NULL, &msec->sid);
5087 if (rc)
5088 return rc;
5089 }
5090
5091 ad.type = LSM_AUDIT_DATA_IPC;
5092 ad.u.ipc_id = msq->q_perm.key;
5093
5094 /* Can this process write to the queue? */
5095 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5096 MSGQ__WRITE, &ad);
5097 if (!rc)
5098 /* Can this process send the message */
5099 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5100 MSG__SEND, &ad);
5101 if (!rc)
5102 /* Can the message be put in the queue? */
5103 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5104 MSGQ__ENQUEUE, &ad);
5105
5106 return rc;
5107 }
5108
5109 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5110 struct task_struct *target,
5111 long type, int mode)
5112 {
5113 struct ipc_security_struct *isec;
5114 struct msg_security_struct *msec;
5115 struct common_audit_data ad;
5116 u32 sid = task_sid(target);
5117 int rc;
5118
5119 isec = msq->q_perm.security;
5120 msec = msg->security;
5121
5122 ad.type = LSM_AUDIT_DATA_IPC;
5123 ad.u.ipc_id = msq->q_perm.key;
5124
5125 rc = avc_has_perm(sid, isec->sid,
5126 SECCLASS_MSGQ, MSGQ__READ, &ad);
5127 if (!rc)
5128 rc = avc_has_perm(sid, msec->sid,
5129 SECCLASS_MSG, MSG__RECEIVE, &ad);
5130 return rc;
5131 }
5132
5133 /* Shared Memory security operations */
5134 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5135 {
5136 struct ipc_security_struct *isec;
5137 struct common_audit_data ad;
5138 u32 sid = current_sid();
5139 int rc;
5140
5141 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5142 if (rc)
5143 return rc;
5144
5145 isec = shp->shm_perm.security;
5146
5147 ad.type = LSM_AUDIT_DATA_IPC;
5148 ad.u.ipc_id = shp->shm_perm.key;
5149
5150 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5151 SHM__CREATE, &ad);
5152 if (rc) {
5153 ipc_free_security(&shp->shm_perm);
5154 return rc;
5155 }
5156 return 0;
5157 }
5158
5159 static void selinux_shm_free_security(struct shmid_kernel *shp)
5160 {
5161 ipc_free_security(&shp->shm_perm);
5162 }
5163
5164 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5165 {
5166 struct ipc_security_struct *isec;
5167 struct common_audit_data ad;
5168 u32 sid = current_sid();
5169
5170 isec = shp->shm_perm.security;
5171
5172 ad.type = LSM_AUDIT_DATA_IPC;
5173 ad.u.ipc_id = shp->shm_perm.key;
5174
5175 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5176 SHM__ASSOCIATE, &ad);
5177 }
5178
5179 /* Note, at this point, shp is locked down */
5180 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5181 {
5182 int perms;
5183 int err;
5184
5185 switch (cmd) {
5186 case IPC_INFO:
5187 case SHM_INFO:
5188 /* No specific object, just general system-wide information. */
5189 return task_has_system(current, SYSTEM__IPC_INFO);
5190 case IPC_STAT:
5191 case SHM_STAT:
5192 perms = SHM__GETATTR | SHM__ASSOCIATE;
5193 break;
5194 case IPC_SET:
5195 perms = SHM__SETATTR;
5196 break;
5197 case SHM_LOCK:
5198 case SHM_UNLOCK:
5199 perms = SHM__LOCK;
5200 break;
5201 case IPC_RMID:
5202 perms = SHM__DESTROY;
5203 break;
5204 default:
5205 return 0;
5206 }
5207
5208 err = ipc_has_perm(&shp->shm_perm, perms);
5209 return err;
5210 }
5211
5212 static int selinux_shm_shmat(struct shmid_kernel *shp,
5213 char __user *shmaddr, int shmflg)
5214 {
5215 u32 perms;
5216
5217 if (shmflg & SHM_RDONLY)
5218 perms = SHM__READ;
5219 else
5220 perms = SHM__READ | SHM__WRITE;
5221
5222 return ipc_has_perm(&shp->shm_perm, perms);
5223 }
5224
5225 /* Semaphore security operations */
5226 static int selinux_sem_alloc_security(struct sem_array *sma)
5227 {
5228 struct ipc_security_struct *isec;
5229 struct common_audit_data ad;
5230 u32 sid = current_sid();
5231 int rc;
5232
5233 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5234 if (rc)
5235 return rc;
5236
5237 isec = sma->sem_perm.security;
5238
5239 ad.type = LSM_AUDIT_DATA_IPC;
5240 ad.u.ipc_id = sma->sem_perm.key;
5241
5242 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5243 SEM__CREATE, &ad);
5244 if (rc) {
5245 ipc_free_security(&sma->sem_perm);
5246 return rc;
5247 }
5248 return 0;
5249 }
5250
5251 static void selinux_sem_free_security(struct sem_array *sma)
5252 {
5253 ipc_free_security(&sma->sem_perm);
5254 }
5255
5256 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5257 {
5258 struct ipc_security_struct *isec;
5259 struct common_audit_data ad;
5260 u32 sid = current_sid();
5261
5262 isec = sma->sem_perm.security;
5263
5264 ad.type = LSM_AUDIT_DATA_IPC;
5265 ad.u.ipc_id = sma->sem_perm.key;
5266
5267 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5268 SEM__ASSOCIATE, &ad);
5269 }
5270
5271 /* Note, at this point, sma is locked down */
5272 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5273 {
5274 int err;
5275 u32 perms;
5276
5277 switch (cmd) {
5278 case IPC_INFO:
5279 case SEM_INFO:
5280 /* No specific object, just general system-wide information. */
5281 return task_has_system(current, SYSTEM__IPC_INFO);
5282 case GETPID:
5283 case GETNCNT:
5284 case GETZCNT:
5285 perms = SEM__GETATTR;
5286 break;
5287 case GETVAL:
5288 case GETALL:
5289 perms = SEM__READ;
5290 break;
5291 case SETVAL:
5292 case SETALL:
5293 perms = SEM__WRITE;
5294 break;
5295 case IPC_RMID:
5296 perms = SEM__DESTROY;
5297 break;
5298 case IPC_SET:
5299 perms = SEM__SETATTR;
5300 break;
5301 case IPC_STAT:
5302 case SEM_STAT:
5303 perms = SEM__GETATTR | SEM__ASSOCIATE;
5304 break;
5305 default:
5306 return 0;
5307 }
5308
5309 err = ipc_has_perm(&sma->sem_perm, perms);
5310 return err;
5311 }
5312
5313 static int selinux_sem_semop(struct sem_array *sma,
5314 struct sembuf *sops, unsigned nsops, int alter)
5315 {
5316 u32 perms;
5317
5318 if (alter)
5319 perms = SEM__READ | SEM__WRITE;
5320 else
5321 perms = SEM__READ;
5322
5323 return ipc_has_perm(&sma->sem_perm, perms);
5324 }
5325
5326 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5327 {
5328 u32 av = 0;
5329
5330 av = 0;
5331 if (flag & S_IRUGO)
5332 av |= IPC__UNIX_READ;
5333 if (flag & S_IWUGO)
5334 av |= IPC__UNIX_WRITE;
5335
5336 if (av == 0)
5337 return 0;
5338
5339 return ipc_has_perm(ipcp, av);
5340 }
5341
5342 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5343 {
5344 struct ipc_security_struct *isec = ipcp->security;
5345 *secid = isec->sid;
5346 }
5347
5348 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5349 {
5350 if (inode)
5351 inode_doinit_with_dentry(inode, dentry);
5352 }
5353
5354 static int selinux_getprocattr(struct task_struct *p,
5355 char *name, char **value)
5356 {
5357 const struct task_security_struct *__tsec;
5358 u32 sid;
5359 int error;
5360 unsigned len;
5361
5362 if (current != p) {
5363 error = current_has_perm(p, PROCESS__GETATTR);
5364 if (error)
5365 return error;
5366 }
5367
5368 rcu_read_lock();
5369 __tsec = __task_cred(p)->security;
5370
5371 if (!strcmp(name, "current"))
5372 sid = __tsec->sid;
5373 else if (!strcmp(name, "prev"))
5374 sid = __tsec->osid;
5375 else if (!strcmp(name, "exec"))
5376 sid = __tsec->exec_sid;
5377 else if (!strcmp(name, "fscreate"))
5378 sid = __tsec->create_sid;
5379 else if (!strcmp(name, "keycreate"))
5380 sid = __tsec->keycreate_sid;
5381 else if (!strcmp(name, "sockcreate"))
5382 sid = __tsec->sockcreate_sid;
5383 else
5384 goto invalid;
5385 rcu_read_unlock();
5386
5387 if (!sid)
5388 return 0;
5389
5390 error = security_sid_to_context(sid, value, &len);
5391 if (error)
5392 return error;
5393 return len;
5394
5395 invalid:
5396 rcu_read_unlock();
5397 return -EINVAL;
5398 }
5399
5400 static int selinux_setprocattr(struct task_struct *p,
5401 char *name, void *value, size_t size)
5402 {
5403 struct task_security_struct *tsec;
5404 struct task_struct *tracer;
5405 struct cred *new;
5406 u32 sid = 0, ptsid;
5407 int error;
5408 char *str = value;
5409
5410 if (current != p) {
5411 /* SELinux only allows a process to change its own
5412 security attributes. */
5413 return -EACCES;
5414 }
5415
5416 /*
5417 * Basic control over ability to set these attributes at all.
5418 * current == p, but we'll pass them separately in case the
5419 * above restriction is ever removed.
5420 */
5421 if (!strcmp(name, "exec"))
5422 error = current_has_perm(p, PROCESS__SETEXEC);
5423 else if (!strcmp(name, "fscreate"))
5424 error = current_has_perm(p, PROCESS__SETFSCREATE);
5425 else if (!strcmp(name, "keycreate"))
5426 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5427 else if (!strcmp(name, "sockcreate"))
5428 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5429 else if (!strcmp(name, "current"))
5430 error = current_has_perm(p, PROCESS__SETCURRENT);
5431 else
5432 error = -EINVAL;
5433 if (error)
5434 return error;
5435
5436 /* Obtain a SID for the context, if one was specified. */
5437 if (size && str[1] && str[1] != '\n') {
5438 if (str[size-1] == '\n') {
5439 str[size-1] = 0;
5440 size--;
5441 }
5442 error = security_context_to_sid(value, size, &sid);
5443 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5444 if (!capable(CAP_MAC_ADMIN)) {
5445 struct audit_buffer *ab;
5446 size_t audit_size;
5447
5448 /* We strip a nul only if it is at the end, otherwise the
5449 * context contains a nul and we should audit that */
5450 if (str[size - 1] == '\0')
5451 audit_size = size - 1;
5452 else
5453 audit_size = size;
5454 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5455 audit_log_format(ab, "op=fscreate invalid_context=");
5456 audit_log_n_untrustedstring(ab, value, audit_size);
5457 audit_log_end(ab);
5458
5459 return error;
5460 }
5461 error = security_context_to_sid_force(value, size,
5462 &sid);
5463 }
5464 if (error)
5465 return error;
5466 }
5467
5468 new = prepare_creds();
5469 if (!new)
5470 return -ENOMEM;
5471
5472 /* Permission checking based on the specified context is
5473 performed during the actual operation (execve,
5474 open/mkdir/...), when we know the full context of the
5475 operation. See selinux_bprm_set_creds for the execve
5476 checks and may_create for the file creation checks. The
5477 operation will then fail if the context is not permitted. */
5478 tsec = new->security;
5479 if (!strcmp(name, "exec")) {
5480 tsec->exec_sid = sid;
5481 } else if (!strcmp(name, "fscreate")) {
5482 tsec->create_sid = sid;
5483 } else if (!strcmp(name, "keycreate")) {
5484 error = may_create_key(sid, p);
5485 if (error)
5486 goto abort_change;
5487 tsec->keycreate_sid = sid;
5488 } else if (!strcmp(name, "sockcreate")) {
5489 tsec->sockcreate_sid = sid;
5490 } else if (!strcmp(name, "current")) {
5491 error = -EINVAL;
5492 if (sid == 0)
5493 goto abort_change;
5494
5495 /* Only allow single threaded processes to change context */
5496 error = -EPERM;
5497 if (!current_is_single_threaded()) {
5498 error = security_bounded_transition(tsec->sid, sid);
5499 if (error)
5500 goto abort_change;
5501 }
5502
5503 /* Check permissions for the transition. */
5504 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5505 PROCESS__DYNTRANSITION, NULL);
5506 if (error)
5507 goto abort_change;
5508
5509 /* Check for ptracing, and update the task SID if ok.
5510 Otherwise, leave SID unchanged and fail. */
5511 ptsid = 0;
5512 task_lock(p);
5513 tracer = ptrace_parent(p);
5514 if (tracer)
5515 ptsid = task_sid(tracer);
5516 task_unlock(p);
5517
5518 if (tracer) {
5519 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5520 PROCESS__PTRACE, NULL);
5521 if (error)
5522 goto abort_change;
5523 }
5524
5525 tsec->sid = sid;
5526 } else {
5527 error = -EINVAL;
5528 goto abort_change;
5529 }
5530
5531 commit_creds(new);
5532 return size;
5533
5534 abort_change:
5535 abort_creds(new);
5536 return error;
5537 }
5538
5539 static int selinux_ismaclabel(const char *name)
5540 {
5541 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5542 }
5543
5544 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5545 {
5546 return security_sid_to_context(secid, secdata, seclen);
5547 }
5548
5549 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5550 {
5551 return security_context_to_sid(secdata, seclen, secid);
5552 }
5553
5554 static void selinux_release_secctx(char *secdata, u32 seclen)
5555 {
5556 kfree(secdata);
5557 }
5558
5559 /*
5560 * called with inode->i_mutex locked
5561 */
5562 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5563 {
5564 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5565 }
5566
5567 /*
5568 * called with inode->i_mutex locked
5569 */
5570 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5571 {
5572 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5573 }
5574
5575 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5576 {
5577 int len = 0;
5578 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5579 ctx, true);
5580 if (len < 0)
5581 return len;
5582 *ctxlen = len;
5583 return 0;
5584 }
5585 #ifdef CONFIG_KEYS
5586
5587 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5588 unsigned long flags)
5589 {
5590 const struct task_security_struct *tsec;
5591 struct key_security_struct *ksec;
5592
5593 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5594 if (!ksec)
5595 return -ENOMEM;
5596
5597 tsec = cred->security;
5598 if (tsec->keycreate_sid)
5599 ksec->sid = tsec->keycreate_sid;
5600 else
5601 ksec->sid = tsec->sid;
5602
5603 k->security = ksec;
5604 return 0;
5605 }
5606
5607 static void selinux_key_free(struct key *k)
5608 {
5609 struct key_security_struct *ksec = k->security;
5610
5611 k->security = NULL;
5612 kfree(ksec);
5613 }
5614
5615 static int selinux_key_permission(key_ref_t key_ref,
5616 const struct cred *cred,
5617 key_perm_t perm)
5618 {
5619 struct key *key;
5620 struct key_security_struct *ksec;
5621 u32 sid;
5622
5623 /* if no specific permissions are requested, we skip the
5624 permission check. No serious, additional covert channels
5625 appear to be created. */
5626 if (perm == 0)
5627 return 0;
5628
5629 sid = cred_sid(cred);
5630
5631 key = key_ref_to_ptr(key_ref);
5632 ksec = key->security;
5633
5634 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5635 }
5636
5637 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5638 {
5639 struct key_security_struct *ksec = key->security;
5640 char *context = NULL;
5641 unsigned len;
5642 int rc;
5643
5644 rc = security_sid_to_context(ksec->sid, &context, &len);
5645 if (!rc)
5646 rc = len;
5647 *_buffer = context;
5648 return rc;
5649 }
5650
5651 #endif
5652
5653 static struct security_operations selinux_ops = {
5654 .name = "selinux",
5655
5656 .ptrace_access_check = selinux_ptrace_access_check,
5657 .ptrace_traceme = selinux_ptrace_traceme,
5658 .capget = selinux_capget,
5659 .capset = selinux_capset,
5660 .capable = selinux_capable,
5661 .quotactl = selinux_quotactl,
5662 .quota_on = selinux_quota_on,
5663 .syslog = selinux_syslog,
5664 .vm_enough_memory = selinux_vm_enough_memory,
5665
5666 .netlink_send = selinux_netlink_send,
5667
5668 .bprm_set_creds = selinux_bprm_set_creds,
5669 .bprm_committing_creds = selinux_bprm_committing_creds,
5670 .bprm_committed_creds = selinux_bprm_committed_creds,
5671 .bprm_secureexec = selinux_bprm_secureexec,
5672
5673 .sb_alloc_security = selinux_sb_alloc_security,
5674 .sb_free_security = selinux_sb_free_security,
5675 .sb_copy_data = selinux_sb_copy_data,
5676 .sb_remount = selinux_sb_remount,
5677 .sb_kern_mount = selinux_sb_kern_mount,
5678 .sb_show_options = selinux_sb_show_options,
5679 .sb_statfs = selinux_sb_statfs,
5680 .sb_mount = selinux_mount,
5681 .sb_umount = selinux_umount,
5682 .sb_set_mnt_opts = selinux_set_mnt_opts,
5683 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5684 .sb_parse_opts_str = selinux_parse_opts_str,
5685
5686 .dentry_init_security = selinux_dentry_init_security,
5687
5688 .inode_alloc_security = selinux_inode_alloc_security,
5689 .inode_free_security = selinux_inode_free_security,
5690 .inode_init_security = selinux_inode_init_security,
5691 .inode_create = selinux_inode_create,
5692 .inode_link = selinux_inode_link,
5693 .inode_unlink = selinux_inode_unlink,
5694 .inode_symlink = selinux_inode_symlink,
5695 .inode_mkdir = selinux_inode_mkdir,
5696 .inode_rmdir = selinux_inode_rmdir,
5697 .inode_mknod = selinux_inode_mknod,
5698 .inode_rename = selinux_inode_rename,
5699 .inode_readlink = selinux_inode_readlink,
5700 .inode_follow_link = selinux_inode_follow_link,
5701 .inode_permission = selinux_inode_permission,
5702 .inode_setattr = selinux_inode_setattr,
5703 .inode_getattr = selinux_inode_getattr,
5704 .inode_setxattr = selinux_inode_setxattr,
5705 .inode_post_setxattr = selinux_inode_post_setxattr,
5706 .inode_getxattr = selinux_inode_getxattr,
5707 .inode_listxattr = selinux_inode_listxattr,
5708 .inode_removexattr = selinux_inode_removexattr,
5709 .inode_getsecurity = selinux_inode_getsecurity,
5710 .inode_setsecurity = selinux_inode_setsecurity,
5711 .inode_listsecurity = selinux_inode_listsecurity,
5712 .inode_getsecid = selinux_inode_getsecid,
5713
5714 .file_permission = selinux_file_permission,
5715 .file_alloc_security = selinux_file_alloc_security,
5716 .file_free_security = selinux_file_free_security,
5717 .file_ioctl = selinux_file_ioctl,
5718 .mmap_file = selinux_mmap_file,
5719 .mmap_addr = selinux_mmap_addr,
5720 .file_mprotect = selinux_file_mprotect,
5721 .file_lock = selinux_file_lock,
5722 .file_fcntl = selinux_file_fcntl,
5723 .file_set_fowner = selinux_file_set_fowner,
5724 .file_send_sigiotask = selinux_file_send_sigiotask,
5725 .file_receive = selinux_file_receive,
5726
5727 .file_open = selinux_file_open,
5728
5729 .task_create = selinux_task_create,
5730 .cred_alloc_blank = selinux_cred_alloc_blank,
5731 .cred_free = selinux_cred_free,
5732 .cred_prepare = selinux_cred_prepare,
5733 .cred_transfer = selinux_cred_transfer,
5734 .kernel_act_as = selinux_kernel_act_as,
5735 .kernel_create_files_as = selinux_kernel_create_files_as,
5736 .kernel_module_request = selinux_kernel_module_request,
5737 .task_setpgid = selinux_task_setpgid,
5738 .task_getpgid = selinux_task_getpgid,
5739 .task_getsid = selinux_task_getsid,
5740 .task_getsecid = selinux_task_getsecid,
5741 .task_setnice = selinux_task_setnice,
5742 .task_setioprio = selinux_task_setioprio,
5743 .task_getioprio = selinux_task_getioprio,
5744 .task_setrlimit = selinux_task_setrlimit,
5745 .task_setscheduler = selinux_task_setscheduler,
5746 .task_getscheduler = selinux_task_getscheduler,
5747 .task_movememory = selinux_task_movememory,
5748 .task_kill = selinux_task_kill,
5749 .task_wait = selinux_task_wait,
5750 .task_to_inode = selinux_task_to_inode,
5751
5752 .ipc_permission = selinux_ipc_permission,
5753 .ipc_getsecid = selinux_ipc_getsecid,
5754
5755 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5756 .msg_msg_free_security = selinux_msg_msg_free_security,
5757
5758 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5759 .msg_queue_free_security = selinux_msg_queue_free_security,
5760 .msg_queue_associate = selinux_msg_queue_associate,
5761 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5762 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5763 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5764
5765 .shm_alloc_security = selinux_shm_alloc_security,
5766 .shm_free_security = selinux_shm_free_security,
5767 .shm_associate = selinux_shm_associate,
5768 .shm_shmctl = selinux_shm_shmctl,
5769 .shm_shmat = selinux_shm_shmat,
5770
5771 .sem_alloc_security = selinux_sem_alloc_security,
5772 .sem_free_security = selinux_sem_free_security,
5773 .sem_associate = selinux_sem_associate,
5774 .sem_semctl = selinux_sem_semctl,
5775 .sem_semop = selinux_sem_semop,
5776
5777 .d_instantiate = selinux_d_instantiate,
5778
5779 .getprocattr = selinux_getprocattr,
5780 .setprocattr = selinux_setprocattr,
5781
5782 .ismaclabel = selinux_ismaclabel,
5783 .secid_to_secctx = selinux_secid_to_secctx,
5784 .secctx_to_secid = selinux_secctx_to_secid,
5785 .release_secctx = selinux_release_secctx,
5786 .inode_notifysecctx = selinux_inode_notifysecctx,
5787 .inode_setsecctx = selinux_inode_setsecctx,
5788 .inode_getsecctx = selinux_inode_getsecctx,
5789
5790 .unix_stream_connect = selinux_socket_unix_stream_connect,
5791 .unix_may_send = selinux_socket_unix_may_send,
5792
5793 .socket_create = selinux_socket_create,
5794 .socket_post_create = selinux_socket_post_create,
5795 .socket_bind = selinux_socket_bind,
5796 .socket_connect = selinux_socket_connect,
5797 .socket_listen = selinux_socket_listen,
5798 .socket_accept = selinux_socket_accept,
5799 .socket_sendmsg = selinux_socket_sendmsg,
5800 .socket_recvmsg = selinux_socket_recvmsg,
5801 .socket_getsockname = selinux_socket_getsockname,
5802 .socket_getpeername = selinux_socket_getpeername,
5803 .socket_getsockopt = selinux_socket_getsockopt,
5804 .socket_setsockopt = selinux_socket_setsockopt,
5805 .socket_shutdown = selinux_socket_shutdown,
5806 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5807 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5808 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5809 .sk_alloc_security = selinux_sk_alloc_security,
5810 .sk_free_security = selinux_sk_free_security,
5811 .sk_clone_security = selinux_sk_clone_security,
5812 .sk_getsecid = selinux_sk_getsecid,
5813 .sock_graft = selinux_sock_graft,
5814 .inet_conn_request = selinux_inet_conn_request,
5815 .inet_csk_clone = selinux_inet_csk_clone,
5816 .inet_conn_established = selinux_inet_conn_established,
5817 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5818 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5819 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5820 .req_classify_flow = selinux_req_classify_flow,
5821 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5822 .tun_dev_free_security = selinux_tun_dev_free_security,
5823 .tun_dev_create = selinux_tun_dev_create,
5824 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5825 .tun_dev_attach = selinux_tun_dev_attach,
5826 .tun_dev_open = selinux_tun_dev_open,
5827 .skb_owned_by = selinux_skb_owned_by,
5828
5829 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5830 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5831 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5832 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5833 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5834 .xfrm_state_alloc = selinux_xfrm_state_alloc,
5835 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5836 .xfrm_state_free_security = selinux_xfrm_state_free,
5837 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5838 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5839 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5840 .xfrm_decode_session = selinux_xfrm_decode_session,
5841 #endif
5842
5843 #ifdef CONFIG_KEYS
5844 .key_alloc = selinux_key_alloc,
5845 .key_free = selinux_key_free,
5846 .key_permission = selinux_key_permission,
5847 .key_getsecurity = selinux_key_getsecurity,
5848 #endif
5849
5850 #ifdef CONFIG_AUDIT
5851 .audit_rule_init = selinux_audit_rule_init,
5852 .audit_rule_known = selinux_audit_rule_known,
5853 .audit_rule_match = selinux_audit_rule_match,
5854 .audit_rule_free = selinux_audit_rule_free,
5855 #endif
5856 };
5857
5858 static __init int selinux_init(void)
5859 {
5860 if (!security_module_enable(&selinux_ops)) {
5861 selinux_enabled = 0;
5862 return 0;
5863 }
5864
5865 if (!selinux_enabled) {
5866 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5867 return 0;
5868 }
5869
5870 printk(KERN_INFO "SELinux: Initializing.\n");
5871
5872 /* Set the security state for the initial task. */
5873 cred_init_security();
5874
5875 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5876
5877 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5878 sizeof(struct inode_security_struct),
5879 0, SLAB_PANIC, NULL);
5880 avc_init();
5881
5882 if (register_security(&selinux_ops))
5883 panic("SELinux: Unable to register with kernel.\n");
5884
5885 if (selinux_enforcing)
5886 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5887 else
5888 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5889
5890 return 0;
5891 }
5892
5893 static void delayed_superblock_init(struct super_block *sb, void *unused)
5894 {
5895 superblock_doinit(sb, NULL);
5896 }
5897
5898 void selinux_complete_init(void)
5899 {
5900 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5901
5902 /* Set up any superblocks initialized prior to the policy load. */
5903 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5904 iterate_supers(delayed_superblock_init, NULL);
5905 }
5906
5907 /* SELinux requires early initialization in order to label
5908 all processes and objects when they are created. */
5909 security_initcall(selinux_init);
5910
5911 #if defined(CONFIG_NETFILTER)
5912
5913 static struct nf_hook_ops selinux_ipv4_ops[] = {
5914 {
5915 .hook = selinux_ipv4_postroute,
5916 .owner = THIS_MODULE,
5917 .pf = NFPROTO_IPV4,
5918 .hooknum = NF_INET_POST_ROUTING,
5919 .priority = NF_IP_PRI_SELINUX_LAST,
5920 },
5921 {
5922 .hook = selinux_ipv4_forward,
5923 .owner = THIS_MODULE,
5924 .pf = NFPROTO_IPV4,
5925 .hooknum = NF_INET_FORWARD,
5926 .priority = NF_IP_PRI_SELINUX_FIRST,
5927 },
5928 {
5929 .hook = selinux_ipv4_output,
5930 .owner = THIS_MODULE,
5931 .pf = NFPROTO_IPV4,
5932 .hooknum = NF_INET_LOCAL_OUT,
5933 .priority = NF_IP_PRI_SELINUX_FIRST,
5934 }
5935 };
5936
5937 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5938
5939 static struct nf_hook_ops selinux_ipv6_ops[] = {
5940 {
5941 .hook = selinux_ipv6_postroute,
5942 .owner = THIS_MODULE,
5943 .pf = NFPROTO_IPV6,
5944 .hooknum = NF_INET_POST_ROUTING,
5945 .priority = NF_IP6_PRI_SELINUX_LAST,
5946 },
5947 {
5948 .hook = selinux_ipv6_forward,
5949 .owner = THIS_MODULE,
5950 .pf = NFPROTO_IPV6,
5951 .hooknum = NF_INET_FORWARD,
5952 .priority = NF_IP6_PRI_SELINUX_FIRST,
5953 }
5954 };
5955
5956 #endif /* IPV6 */
5957
5958 static int __init selinux_nf_ip_init(void)
5959 {
5960 int err = 0;
5961
5962 if (!selinux_enabled)
5963 goto out;
5964
5965 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5966
5967 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5968 if (err)
5969 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5970
5971 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5972 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5973 if (err)
5974 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5975 #endif /* IPV6 */
5976
5977 out:
5978 return err;
5979 }
5980
5981 __initcall(selinux_nf_ip_init);
5982
5983 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5984 static void selinux_nf_ip_exit(void)
5985 {
5986 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5987
5988 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5989 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5990 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5991 #endif /* IPV6 */
5992 }
5993 #endif
5994
5995 #else /* CONFIG_NETFILTER */
5996
5997 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5998 #define selinux_nf_ip_exit()
5999 #endif
6000
6001 #endif /* CONFIG_NETFILTER */
6002
6003 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6004 static int selinux_disabled;
6005
6006 int selinux_disable(void)
6007 {
6008 if (ss_initialized) {
6009 /* Not permitted after initial policy load. */
6010 return -EINVAL;
6011 }
6012
6013 if (selinux_disabled) {
6014 /* Only do this once. */
6015 return -EINVAL;
6016 }
6017
6018 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6019
6020 selinux_disabled = 1;
6021 selinux_enabled = 0;
6022
6023 reset_security_ops();
6024
6025 /* Try to destroy the avc node cache */
6026 avc_disable();
6027
6028 /* Unregister netfilter hooks. */
6029 selinux_nf_ip_exit();
6030
6031 /* Unregister selinuxfs. */
6032 exit_sel_fs();
6033
6034 return 0;
6035 }
6036 #endif
Linux kernel - Deliverables
This page took 0.155184 seconds and 5 git commands to generate.