search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CRED: Inaugurate COW credentials
[linux-2.6/mini2440.git] / security / selinux / hooks.c
blobc71bba78872f2a05db4cf51b85a0e3f04e07bc3b
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
110 return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
123 return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130
131 /*
132 * Minimal support for a secondary security module,
133 * just to allow the use of the capability module.
134 */
135 static struct security_operations *secondary_ops;
136
137 /* Lists of inode and superblock security structures initialized
138 before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
141
142 static struct kmem_cache *sel_inode_cache;
143
144 /**
145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146 *
147 * Description:
148 * This function checks the SECMARK reference counter to see if any SECMARK
149 * targets are currently configured, if the reference counter is greater than
150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
151 * enabled, false (0) if SECMARK is disabled.
152 *
153 */
154 static int selinux_secmark_enabled(void)
155 {
156 return (atomic_read(&selinux_secmark_refcount) > 0);
157 }
158
159 /*
160 * initialise the security for the init task
161 */
162 static void cred_init_security(void)
163 {
164 struct cred *cred = (struct cred *) current->cred;
165 struct task_security_struct *tsec;
166
167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168 if (!tsec)
169 panic("SELinux: Failed to initialize initial task.\n");
170
171 tsec->osid = tsec->sid = SECINITSID_KERNEL;
172 cred->security = tsec;
173 }
174
175 /*
176 * get the security ID of a set of credentials
177 */
178 static inline u32 cred_sid(const struct cred *cred)
179 {
180 const struct task_security_struct *tsec;
181
182 tsec = cred->security;
183 return tsec->sid;
184 }
185
186 /*
187 * get the security ID of a task
188 */
189 static inline u32 task_sid(const struct task_struct *task)
190 {
191 u32 sid;
192
193 rcu_read_lock();
194 sid = cred_sid(__task_cred(task));
195 rcu_read_unlock();
196 return sid;
197 }
198
199 /*
200 * get the security ID of the current task
201 */
202 static inline u32 current_sid(void)
203 {
204 const struct task_security_struct *tsec = current_cred()->security;
205
206 return tsec->sid;
207 }
208
209 /* Allocate and free functions for each kind of security blob. */
210
211 static int inode_alloc_security(struct inode *inode)
212 {
213 struct inode_security_struct *isec;
214 u32 sid = current_sid();
215
216 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
217 if (!isec)
218 return -ENOMEM;
219
220 mutex_init(&isec->lock);
221 INIT_LIST_HEAD(&isec->list);
222 isec->inode = inode;
223 isec->sid = SECINITSID_UNLABELED;
224 isec->sclass = SECCLASS_FILE;
225 isec->task_sid = sid;
226 inode->i_security = isec;
227
228 return 0;
229 }
230
231 static void inode_free_security(struct inode *inode)
232 {
233 struct inode_security_struct *isec = inode->i_security;
234 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235
236 spin_lock(&sbsec->isec_lock);
237 if (!list_empty(&isec->list))
238 list_del_init(&isec->list);
239 spin_unlock(&sbsec->isec_lock);
240
241 inode->i_security = NULL;
242 kmem_cache_free(sel_inode_cache, isec);
243 }
244
245 static int file_alloc_security(struct file *file)
246 {
247 struct file_security_struct *fsec;
248 u32 sid = current_sid();
249
250 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
251 if (!fsec)
252 return -ENOMEM;
253
254 fsec->sid = sid;
255 fsec->fown_sid = sid;
256 file->f_security = fsec;
257
258 return 0;
259 }
260
261 static void file_free_security(struct file *file)
262 {
263 struct file_security_struct *fsec = file->f_security;
264 file->f_security = NULL;
265 kfree(fsec);
266 }
267
268 static int superblock_alloc_security(struct super_block *sb)
269 {
270 struct superblock_security_struct *sbsec;
271
272 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
273 if (!sbsec)
274 return -ENOMEM;
275
276 mutex_init(&sbsec->lock);
277 INIT_LIST_HEAD(&sbsec->list);
278 INIT_LIST_HEAD(&sbsec->isec_head);
279 spin_lock_init(&sbsec->isec_lock);
280 sbsec->sb = sb;
281 sbsec->sid = SECINITSID_UNLABELED;
282 sbsec->def_sid = SECINITSID_FILE;
283 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284 sb->s_security = sbsec;
285
286 return 0;
287 }
288
289 static void superblock_free_security(struct super_block *sb)
290 {
291 struct superblock_security_struct *sbsec = sb->s_security;
292
293 spin_lock(&sb_security_lock);
294 if (!list_empty(&sbsec->list))
295 list_del_init(&sbsec->list);
296 spin_unlock(&sb_security_lock);
297
298 sb->s_security = NULL;
299 kfree(sbsec);
300 }
301
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
303 {
304 struct sk_security_struct *ssec;
305
306 ssec = kzalloc(sizeof(*ssec), priority);
307 if (!ssec)
308 return -ENOMEM;
309
310 ssec->peer_sid = SECINITSID_UNLABELED;
311 ssec->sid = SECINITSID_UNLABELED;
312 sk->sk_security = ssec;
313
314 selinux_netlbl_sk_security_reset(ssec, family);
315
316 return 0;
317 }
318
319 static void sk_free_security(struct sock *sk)
320 {
321 struct sk_security_struct *ssec = sk->sk_security;
322
323 sk->sk_security = NULL;
324 selinux_netlbl_sk_security_free(ssec);
325 kfree(ssec);
326 }
327
328 /* The security server must be initialized before
329 any labeling or access decisions can be provided. */
330 extern int ss_initialized;
331
332 /* The file system's label must be initialized prior to use. */
333
334 static char *labeling_behaviors[6] = {
335 "uses xattr",
336 "uses transition SIDs",
337 "uses task SIDs",
338 "uses genfs_contexts",
339 "not configured for labeling",
340 "uses mountpoint labeling",
341 };
342
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
344
345 static inline int inode_doinit(struct inode *inode)
346 {
347 return inode_doinit_with_dentry(inode, NULL);
348 }
349
350 enum {
351 Opt_error = -1,
352 Opt_context = 1,
353 Opt_fscontext = 2,
354 Opt_defcontext = 3,
355 Opt_rootcontext = 4,
356 };
357
358 static const match_table_t tokens = {
359 {Opt_context, CONTEXT_STR "%s"},
360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363 {Opt_error, NULL},
364 };
365
366 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
367
368 static int may_context_mount_sb_relabel(u32 sid,
369 struct superblock_security_struct *sbsec,
370 const struct cred *cred)
371 {
372 const struct task_security_struct *tsec = cred->security;
373 int rc;
374
375 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376 FILESYSTEM__RELABELFROM, NULL);
377 if (rc)
378 return rc;
379
380 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381 FILESYSTEM__RELABELTO, NULL);
382 return rc;
383 }
384
385 static int may_context_mount_inode_relabel(u32 sid,
386 struct superblock_security_struct *sbsec,
387 const struct cred *cred)
388 {
389 const struct task_security_struct *tsec = cred->security;
390 int rc;
391 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392 FILESYSTEM__RELABELFROM, NULL);
393 if (rc)
394 return rc;
395
396 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__ASSOCIATE, NULL);
398 return rc;
399 }
400
401 static int sb_finish_set_opts(struct super_block *sb)
402 {
403 struct superblock_security_struct *sbsec = sb->s_security;
404 struct dentry *root = sb->s_root;
405 struct inode *root_inode = root->d_inode;
406 int rc = 0;
407
408 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409 /* Make sure that the xattr handler exists and that no
410 error other than -ENODATA is returned by getxattr on
411 the root directory. -ENODATA is ok, as this may be
412 the first boot of the SELinux kernel before we have
413 assigned xattr values to the filesystem. */
414 if (!root_inode->i_op->getxattr) {
415 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416 "xattr support\n", sb->s_id, sb->s_type->name);
417 rc = -EOPNOTSUPP;
418 goto out;
419 }
420 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421 if (rc < 0 && rc != -ENODATA) {
422 if (rc == -EOPNOTSUPP)
423 printk(KERN_WARNING "SELinux: (dev %s, type "
424 "%s) has no security xattr handler\n",
425 sb->s_id, sb->s_type->name);
426 else
427 printk(KERN_WARNING "SELinux: (dev %s, type "
428 "%s) getxattr errno %d\n", sb->s_id,
429 sb->s_type->name, -rc);
430 goto out;
431 }
432 }
433
434 sbsec->initialized = 1;
435
436 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438 sb->s_id, sb->s_type->name);
439 else
440 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441 sb->s_id, sb->s_type->name,
442 labeling_behaviors[sbsec->behavior-1]);
443
444 /* Initialize the root inode. */
445 rc = inode_doinit_with_dentry(root_inode, root);
446
447 /* Initialize any other inodes associated with the superblock, e.g.
448 inodes created prior to initial policy load or inodes created
449 during get_sb by a pseudo filesystem that directly
450 populates itself. */
451 spin_lock(&sbsec->isec_lock);
452 next_inode:
453 if (!list_empty(&sbsec->isec_head)) {
454 struct inode_security_struct *isec =
455 list_entry(sbsec->isec_head.next,
456 struct inode_security_struct, list);
457 struct inode *inode = isec->inode;
458 spin_unlock(&sbsec->isec_lock);
459 inode = igrab(inode);
460 if (inode) {
461 if (!IS_PRIVATE(inode))
462 inode_doinit(inode);
463 iput(inode);
464 }
465 spin_lock(&sbsec->isec_lock);
466 list_del_init(&isec->list);
467 goto next_inode;
468 }
469 spin_unlock(&sbsec->isec_lock);
470 out:
471 return rc;
472 }
473
474 /*
475 * This function should allow an FS to ask what it's mount security
476 * options were so it can use those later for submounts, displaying
477 * mount options, or whatever.
478 */
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480 struct security_mnt_opts *opts)
481 {
482 int rc = 0, i;
483 struct superblock_security_struct *sbsec = sb->s_security;
484 char *context = NULL;
485 u32 len;
486 char tmp;
487
488 security_init_mnt_opts(opts);
489
490 if (!sbsec->initialized)
491 return -EINVAL;
492
493 if (!ss_initialized)
494 return -EINVAL;
495
496 /*
497 * if we ever use sbsec flags for anything other than tracking mount
498 * settings this is going to need a mask
499 */
500 tmp = sbsec->flags;
501 /* count the number of mount options for this sb */
502 for (i = 0; i < 8; i++) {
503 if (tmp & 0x01)
504 opts->num_mnt_opts++;
505 tmp >>= 1;
506 }
507
508 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509 if (!opts->mnt_opts) {
510 rc = -ENOMEM;
511 goto out_free;
512 }
513
514 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515 if (!opts->mnt_opts_flags) {
516 rc = -ENOMEM;
517 goto out_free;
518 }
519
520 i = 0;
521 if (sbsec->flags & FSCONTEXT_MNT) {
522 rc = security_sid_to_context(sbsec->sid, &context, &len);
523 if (rc)
524 goto out_free;
525 opts->mnt_opts[i] = context;
526 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
527 }
528 if (sbsec->flags & CONTEXT_MNT) {
529 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
530 if (rc)
531 goto out_free;
532 opts->mnt_opts[i] = context;
533 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
534 }
535 if (sbsec->flags & DEFCONTEXT_MNT) {
536 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
537 if (rc)
538 goto out_free;
539 opts->mnt_opts[i] = context;
540 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
541 }
542 if (sbsec->flags & ROOTCONTEXT_MNT) {
543 struct inode *root = sbsec->sb->s_root->d_inode;
544 struct inode_security_struct *isec = root->i_security;
545
546 rc = security_sid_to_context(isec->sid, &context, &len);
547 if (rc)
548 goto out_free;
549 opts->mnt_opts[i] = context;
550 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
551 }
552
553 BUG_ON(i != opts->num_mnt_opts);
554
555 return 0;
556
557 out_free:
558 security_free_mnt_opts(opts);
559 return rc;
560 }
561
562 static int bad_option(struct superblock_security_struct *sbsec, char flag,
563 u32 old_sid, u32 new_sid)
564 {
565 /* check if the old mount command had the same options */
566 if (sbsec->initialized)
567 if (!(sbsec->flags & flag) ||
568 (old_sid != new_sid))
569 return 1;
570
571 /* check if we were passed the same options twice,
572 * aka someone passed context=a,context=b
573 */
574 if (!sbsec->initialized)
575 if (sbsec->flags & flag)
576 return 1;
577 return 0;
578 }
579
580 /*
581 * Allow filesystems with binary mount data to explicitly set mount point
582 * labeling information.
583 */
584 static int selinux_set_mnt_opts(struct super_block *sb,
585 struct security_mnt_opts *opts)
586 {
587 const struct cred *cred = current_cred();
588 int rc = 0, i;
589 struct superblock_security_struct *sbsec = sb->s_security;
590 const char *name = sb->s_type->name;
591 struct inode *inode = sbsec->sb->s_root->d_inode;
592 struct inode_security_struct *root_isec = inode->i_security;
593 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594 u32 defcontext_sid = 0;
595 char **mount_options = opts->mnt_opts;
596 int *flags = opts->mnt_opts_flags;
597 int num_opts = opts->num_mnt_opts;
598
599 mutex_lock(&sbsec->lock);
600
601 if (!ss_initialized) {
602 if (!num_opts) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
610 goto out;
611 }
612 rc = -EINVAL;
613 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614 "before the security server is initialized\n");
615 goto out;
616 }
617
618 /*
619 * Binary mount data FS will come through this function twice. Once
620 * from an explicit call and once from the generic calls from the vfs.
621 * Since the generic VFS calls will not contain any security mount data
622 * we need to skip the double mount verification.
623 *
624 * This does open a hole in which we will not notice if the first
625 * mount using this sb set explict options and a second mount using
626 * this sb does not set any security options. (The first options
627 * will be used for both mounts)
628 */
629 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630 && (num_opts == 0))
631 goto out;
632
633 /*
634 * parse the mount options, check if they are valid sids.
635 * also check if someone is trying to mount the same sb more
636 * than once with different security options.
637 */
638 for (i = 0; i < num_opts; i++) {
639 u32 sid;
640 rc = security_context_to_sid(mount_options[i],
641 strlen(mount_options[i]), &sid);
642 if (rc) {
643 printk(KERN_WARNING "SELinux: security_context_to_sid"
644 "(%s) failed for (dev %s, type %s) errno=%d\n",
645 mount_options[i], sb->s_id, name, rc);
646 goto out;
647 }
648 switch (flags[i]) {
649 case FSCONTEXT_MNT:
650 fscontext_sid = sid;
651
652 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
653 fscontext_sid))
654 goto out_double_mount;
655
656 sbsec->flags |= FSCONTEXT_MNT;
657 break;
658 case CONTEXT_MNT:
659 context_sid = sid;
660
661 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
662 context_sid))
663 goto out_double_mount;
664
665 sbsec->flags |= CONTEXT_MNT;
666 break;
667 case ROOTCONTEXT_MNT:
668 rootcontext_sid = sid;
669
670 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
671 rootcontext_sid))
672 goto out_double_mount;
673
674 sbsec->flags |= ROOTCONTEXT_MNT;
675
676 break;
677 case DEFCONTEXT_MNT:
678 defcontext_sid = sid;
679
680 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681 defcontext_sid))
682 goto out_double_mount;
683
684 sbsec->flags |= DEFCONTEXT_MNT;
685
686 break;
687 default:
688 rc = -EINVAL;
689 goto out;
690 }
691 }
692
693 if (sbsec->initialized) {
694 /* previously mounted with options, but not on this attempt? */
695 if (sbsec->flags && !num_opts)
696 goto out_double_mount;
697 rc = 0;
698 goto out;
699 }
700
701 if (strcmp(sb->s_type->name, "proc") == 0)
702 sbsec->proc = 1;
703
704 /* Determine the labeling behavior to use for this filesystem type. */
705 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
706 if (rc) {
707 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708 __func__, sb->s_type->name, rc);
709 goto out;
710 }
711
712 /* sets the context of the superblock for the fs being mounted. */
713 if (fscontext_sid) {
714 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
715 if (rc)
716 goto out;
717
718 sbsec->sid = fscontext_sid;
719 }
720
721 /*
722 * Switch to using mount point labeling behavior.
723 * sets the label used on all file below the mountpoint, and will set
724 * the superblock context if not already set.
725 */
726 if (context_sid) {
727 if (!fscontext_sid) {
728 rc = may_context_mount_sb_relabel(context_sid, sbsec,
729 cred);
730 if (rc)
731 goto out;
732 sbsec->sid = context_sid;
733 } else {
734 rc = may_context_mount_inode_relabel(context_sid, sbsec,
735 cred);
736 if (rc)
737 goto out;
738 }
739 if (!rootcontext_sid)
740 rootcontext_sid = context_sid;
741
742 sbsec->mntpoint_sid = context_sid;
743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744 }
745
746 if (rootcontext_sid) {
747 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
748 cred);
749 if (rc)
750 goto out;
751
752 root_isec->sid = rootcontext_sid;
753 root_isec->initialized = 1;
754 }
755
756 if (defcontext_sid) {
757 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
758 rc = -EINVAL;
759 printk(KERN_WARNING "SELinux: defcontext option is "
760 "invalid for this filesystem type\n");
761 goto out;
762 }
763
764 if (defcontext_sid != sbsec->def_sid) {
765 rc = may_context_mount_inode_relabel(defcontext_sid,
766 sbsec, cred);
767 if (rc)
768 goto out;
769 }
770
771 sbsec->def_sid = defcontext_sid;
772 }
773
774 rc = sb_finish_set_opts(sb);
775 out:
776 mutex_unlock(&sbsec->lock);
777 return rc;
778 out_double_mount:
779 rc = -EINVAL;
780 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
781 "security settings for (dev %s, type %s)\n", sb->s_id, name);
782 goto out;
783 }
784
785 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786 struct super_block *newsb)
787 {
788 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789 struct superblock_security_struct *newsbsec = newsb->s_security;
790
791 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
792 int set_context = (oldsbsec->flags & CONTEXT_MNT);
793 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
794
795 /*
796 * if the parent was able to be mounted it clearly had no special lsm
797 * mount options. thus we can safely put this sb on the list and deal
798 * with it later
799 */
800 if (!ss_initialized) {
801 spin_lock(&sb_security_lock);
802 if (list_empty(&newsbsec->list))
803 list_add(&newsbsec->list, &superblock_security_head);
804 spin_unlock(&sb_security_lock);
805 return;
806 }
807
808 /* how can we clone if the old one wasn't set up?? */
809 BUG_ON(!oldsbsec->initialized);
810
811 /* if fs is reusing a sb, just let its options stand... */
812 if (newsbsec->initialized)
813 return;
814
815 mutex_lock(&newsbsec->lock);
816
817 newsbsec->flags = oldsbsec->flags;
818
819 newsbsec->sid = oldsbsec->sid;
820 newsbsec->def_sid = oldsbsec->def_sid;
821 newsbsec->behavior = oldsbsec->behavior;
822
823 if (set_context) {
824 u32 sid = oldsbsec->mntpoint_sid;
825
826 if (!set_fscontext)
827 newsbsec->sid = sid;
828 if (!set_rootcontext) {
829 struct inode *newinode = newsb->s_root->d_inode;
830 struct inode_security_struct *newisec = newinode->i_security;
831 newisec->sid = sid;
832 }
833 newsbsec->mntpoint_sid = sid;
834 }
835 if (set_rootcontext) {
836 const struct inode *oldinode = oldsb->s_root->d_inode;
837 const struct inode_security_struct *oldisec = oldinode->i_security;
838 struct inode *newinode = newsb->s_root->d_inode;
839 struct inode_security_struct *newisec = newinode->i_security;
840
841 newisec->sid = oldisec->sid;
842 }
843
844 sb_finish_set_opts(newsb);
845 mutex_unlock(&newsbsec->lock);
846 }
847
848 static int selinux_parse_opts_str(char *options,
849 struct security_mnt_opts *opts)
850 {
851 char *p;
852 char *context = NULL, *defcontext = NULL;
853 char *fscontext = NULL, *rootcontext = NULL;
854 int rc, num_mnt_opts = 0;
855
856 opts->num_mnt_opts = 0;
857
858 /* Standard string-based options. */
859 while ((p = strsep(&options, "|")) != NULL) {
860 int token;
861 substring_t args[MAX_OPT_ARGS];
862
863 if (!*p)
864 continue;
865
866 token = match_token(p, tokens, args);
867
868 switch (token) {
869 case Opt_context:
870 if (context || defcontext) {
871 rc = -EINVAL;
872 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
873 goto out_err;
874 }
875 context = match_strdup(&args[0]);
876 if (!context) {
877 rc = -ENOMEM;
878 goto out_err;
879 }
880 break;
881
882 case Opt_fscontext:
883 if (fscontext) {
884 rc = -EINVAL;
885 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886 goto out_err;
887 }
888 fscontext = match_strdup(&args[0]);
889 if (!fscontext) {
890 rc = -ENOMEM;
891 goto out_err;
892 }
893 break;
894
895 case Opt_rootcontext:
896 if (rootcontext) {
897 rc = -EINVAL;
898 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899 goto out_err;
900 }
901 rootcontext = match_strdup(&args[0]);
902 if (!rootcontext) {
903 rc = -ENOMEM;
904 goto out_err;
905 }
906 break;
907
908 case Opt_defcontext:
909 if (context || defcontext) {
910 rc = -EINVAL;
911 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912 goto out_err;
913 }
914 defcontext = match_strdup(&args[0]);
915 if (!defcontext) {
916 rc = -ENOMEM;
917 goto out_err;
918 }
919 break;
920
921 default:
922 rc = -EINVAL;
923 printk(KERN_WARNING "SELinux: unknown mount option\n");
924 goto out_err;
925
926 }
927 }
928
929 rc = -ENOMEM;
930 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
931 if (!opts->mnt_opts)
932 goto out_err;
933
934 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935 if (!opts->mnt_opts_flags) {
936 kfree(opts->mnt_opts);
937 goto out_err;
938 }
939
940 if (fscontext) {
941 opts->mnt_opts[num_mnt_opts] = fscontext;
942 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
943 }
944 if (context) {
945 opts->mnt_opts[num_mnt_opts] = context;
946 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
947 }
948 if (rootcontext) {
949 opts->mnt_opts[num_mnt_opts] = rootcontext;
950 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
951 }
952 if (defcontext) {
953 opts->mnt_opts[num_mnt_opts] = defcontext;
954 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
955 }
956
957 opts->num_mnt_opts = num_mnt_opts;
958 return 0;
959
960 out_err:
961 kfree(context);
962 kfree(defcontext);
963 kfree(fscontext);
964 kfree(rootcontext);
965 return rc;
966 }
967 /*
968 * string mount options parsing and call set the sbsec
969 */
970 static int superblock_doinit(struct super_block *sb, void *data)
971 {
972 int rc = 0;
973 char *options = data;
974 struct security_mnt_opts opts;
975
976 security_init_mnt_opts(&opts);
977
978 if (!data)
979 goto out;
980
981 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
982
983 rc = selinux_parse_opts_str(options, &opts);
984 if (rc)
985 goto out_err;
986
987 out:
988 rc = selinux_set_mnt_opts(sb, &opts);
989
990 out_err:
991 security_free_mnt_opts(&opts);
992 return rc;
993 }
994
995 static void selinux_write_opts(struct seq_file *m,
996 struct security_mnt_opts *opts)
997 {
998 int i;
999 char *prefix;
1000
1001 for (i = 0; i < opts->num_mnt_opts; i++) {
1002 char *has_comma = strchr(opts->mnt_opts[i], ',');
1003
1004 switch (opts->mnt_opts_flags[i]) {
1005 case CONTEXT_MNT:
1006 prefix = CONTEXT_STR;
1007 break;
1008 case FSCONTEXT_MNT:
1009 prefix = FSCONTEXT_STR;
1010 break;
1011 case ROOTCONTEXT_MNT:
1012 prefix = ROOTCONTEXT_STR;
1013 break;
1014 case DEFCONTEXT_MNT:
1015 prefix = DEFCONTEXT_STR;
1016 break;
1017 default:
1018 BUG();
1019 };
1020 /* we need a comma before each option */
1021 seq_putc(m, ',');
1022 seq_puts(m, prefix);
1023 if (has_comma)
1024 seq_putc(m, '\"');
1025 seq_puts(m, opts->mnt_opts[i]);
1026 if (has_comma)
1027 seq_putc(m, '\"');
1028 }
1029 }
1030
1031 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032 {
1033 struct security_mnt_opts opts;
1034 int rc;
1035
1036 rc = selinux_get_mnt_opts(sb, &opts);
1037 if (rc) {
1038 /* before policy load we may get EINVAL, don't show anything */
1039 if (rc == -EINVAL)
1040 rc = 0;
1041 return rc;
1042 }
1043
1044 selinux_write_opts(m, &opts);
1045
1046 security_free_mnt_opts(&opts);
1047
1048 return rc;
1049 }
1050
1051 static inline u16 inode_mode_to_security_class(umode_t mode)
1052 {
1053 switch (mode & S_IFMT) {
1054 case S_IFSOCK:
1055 return SECCLASS_SOCK_FILE;
1056 case S_IFLNK:
1057 return SECCLASS_LNK_FILE;
1058 case S_IFREG:
1059 return SECCLASS_FILE;
1060 case S_IFBLK:
1061 return SECCLASS_BLK_FILE;
1062 case S_IFDIR:
1063 return SECCLASS_DIR;
1064 case S_IFCHR:
1065 return SECCLASS_CHR_FILE;
1066 case S_IFIFO:
1067 return SECCLASS_FIFO_FILE;
1068
1069 }
1070
1071 return SECCLASS_FILE;
1072 }
1073
1074 static inline int default_protocol_stream(int protocol)
1075 {
1076 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077 }
1078
1079 static inline int default_protocol_dgram(int protocol)
1080 {
1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082 }
1083
1084 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085 {
1086 switch (family) {
1087 case PF_UNIX:
1088 switch (type) {
1089 case SOCK_STREAM:
1090 case SOCK_SEQPACKET:
1091 return SECCLASS_UNIX_STREAM_SOCKET;
1092 case SOCK_DGRAM:
1093 return SECCLASS_UNIX_DGRAM_SOCKET;
1094 }
1095 break;
1096 case PF_INET:
1097 case PF_INET6:
1098 switch (type) {
1099 case SOCK_STREAM:
1100 if (default_protocol_stream(protocol))
1101 return SECCLASS_TCP_SOCKET;
1102 else
1103 return SECCLASS_RAWIP_SOCKET;
1104 case SOCK_DGRAM:
1105 if (default_protocol_dgram(protocol))
1106 return SECCLASS_UDP_SOCKET;
1107 else
1108 return SECCLASS_RAWIP_SOCKET;
1109 case SOCK_DCCP:
1110 return SECCLASS_DCCP_SOCKET;
1111 default:
1112 return SECCLASS_RAWIP_SOCKET;
1113 }
1114 break;
1115 case PF_NETLINK:
1116 switch (protocol) {
1117 case NETLINK_ROUTE:
1118 return SECCLASS_NETLINK_ROUTE_SOCKET;
1119 case NETLINK_FIREWALL:
1120 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1121 case NETLINK_INET_DIAG:
1122 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123 case NETLINK_NFLOG:
1124 return SECCLASS_NETLINK_NFLOG_SOCKET;
1125 case NETLINK_XFRM:
1126 return SECCLASS_NETLINK_XFRM_SOCKET;
1127 case NETLINK_SELINUX:
1128 return SECCLASS_NETLINK_SELINUX_SOCKET;
1129 case NETLINK_AUDIT:
1130 return SECCLASS_NETLINK_AUDIT_SOCKET;
1131 case NETLINK_IP6_FW:
1132 return SECCLASS_NETLINK_IP6FW_SOCKET;
1133 case NETLINK_DNRTMSG:
1134 return SECCLASS_NETLINK_DNRT_SOCKET;
1135 case NETLINK_KOBJECT_UEVENT:
1136 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1137 default:
1138 return SECCLASS_NETLINK_SOCKET;
1139 }
1140 case PF_PACKET:
1141 return SECCLASS_PACKET_SOCKET;
1142 case PF_KEY:
1143 return SECCLASS_KEY_SOCKET;
1144 case PF_APPLETALK:
1145 return SECCLASS_APPLETALK_SOCKET;
1146 }
1147
1148 return SECCLASS_SOCKET;
1149 }
1150
1151 #ifdef CONFIG_PROC_FS
1152 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153 u16 tclass,
1154 u32 *sid)
1155 {
1156 int buflen, rc;
1157 char *buffer, *path, *end;
1158
1159 buffer = (char *)__get_free_page(GFP_KERNEL);
1160 if (!buffer)
1161 return -ENOMEM;
1162
1163 buflen = PAGE_SIZE;
1164 end = buffer+buflen;
1165 *--end = '\0';
1166 buflen--;
1167 path = end-1;
1168 *path = '/';
1169 while (de && de != de->parent) {
1170 buflen -= de->namelen + 1;
1171 if (buflen < 0)
1172 break;
1173 end -= de->namelen;
1174 memcpy(end, de->name, de->namelen);
1175 *--end = '/';
1176 path = end;
1177 de = de->parent;
1178 }
1179 rc = security_genfs_sid("proc", path, tclass, sid);
1180 free_page((unsigned long)buffer);
1181 return rc;
1182 }
1183 #else
1184 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185 u16 tclass,
1186 u32 *sid)
1187 {
1188 return -EINVAL;
1189 }
1190 #endif
1191
1192 /* The inode's security attributes must be initialized before first use. */
1193 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194 {
1195 struct superblock_security_struct *sbsec = NULL;
1196 struct inode_security_struct *isec = inode->i_security;
1197 u32 sid;
1198 struct dentry *dentry;
1199 #define INITCONTEXTLEN 255
1200 char *context = NULL;
1201 unsigned len = 0;
1202 int rc = 0;
1203
1204 if (isec->initialized)
1205 goto out;
1206
1207 mutex_lock(&isec->lock);
1208 if (isec->initialized)
1209 goto out_unlock;
1210
1211 sbsec = inode->i_sb->s_security;
1212 if (!sbsec->initialized) {
1213 /* Defer initialization until selinux_complete_init,
1214 after the initial policy is loaded and the security
1215 server is ready to handle calls. */
1216 spin_lock(&sbsec->isec_lock);
1217 if (list_empty(&isec->list))
1218 list_add(&isec->list, &sbsec->isec_head);
1219 spin_unlock(&sbsec->isec_lock);
1220 goto out_unlock;
1221 }
1222
1223 switch (sbsec->behavior) {
1224 case SECURITY_FS_USE_XATTR:
1225 if (!inode->i_op->getxattr) {
1226 isec->sid = sbsec->def_sid;
1227 break;
1228 }
1229
1230 /* Need a dentry, since the xattr API requires one.
1231 Life would be simpler if we could just pass the inode. */
1232 if (opt_dentry) {
1233 /* Called from d_instantiate or d_splice_alias. */
1234 dentry = dget(opt_dentry);
1235 } else {
1236 /* Called from selinux_complete_init, try to find a dentry. */
1237 dentry = d_find_alias(inode);
1238 }
1239 if (!dentry) {
1240 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1241 "ino=%ld\n", __func__, inode->i_sb->s_id,
1242 inode->i_ino);
1243 goto out_unlock;
1244 }
1245
1246 len = INITCONTEXTLEN;
1247 context = kmalloc(len, GFP_NOFS);
1248 if (!context) {
1249 rc = -ENOMEM;
1250 dput(dentry);
1251 goto out_unlock;
1252 }
1253 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1254 context, len);
1255 if (rc == -ERANGE) {
1256 /* Need a larger buffer. Query for the right size. */
1257 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1258 NULL, 0);
1259 if (rc < 0) {
1260 dput(dentry);
1261 goto out_unlock;
1262 }
1263 kfree(context);
1264 len = rc;
1265 context = kmalloc(len, GFP_NOFS);
1266 if (!context) {
1267 rc = -ENOMEM;
1268 dput(dentry);
1269 goto out_unlock;
1270 }
1271 rc = inode->i_op->getxattr(dentry,
1272 XATTR_NAME_SELINUX,
1273 context, len);
1274 }
1275 dput(dentry);
1276 if (rc < 0) {
1277 if (rc != -ENODATA) {
1278 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1279 "%d for dev=%s ino=%ld\n", __func__,
1280 -rc, inode->i_sb->s_id, inode->i_ino);
1281 kfree(context);
1282 goto out_unlock;
1283 }
1284 /* Map ENODATA to the default file SID */
1285 sid = sbsec->def_sid;
1286 rc = 0;
1287 } else {
1288 rc = security_context_to_sid_default(context, rc, &sid,
1289 sbsec->def_sid,
1290 GFP_NOFS);
1291 if (rc) {
1292 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1293 "returned %d for dev=%s ino=%ld\n",
1294 __func__, context, -rc,
1295 inode->i_sb->s_id, inode->i_ino);
1296 kfree(context);
1297 /* Leave with the unlabeled SID */
1298 rc = 0;
1299 break;
1300 }
1301 }
1302 kfree(context);
1303 isec->sid = sid;
1304 break;
1305 case SECURITY_FS_USE_TASK:
1306 isec->sid = isec->task_sid;
1307 break;
1308 case SECURITY_FS_USE_TRANS:
1309 /* Default to the fs SID. */
1310 isec->sid = sbsec->sid;
1311
1312 /* Try to obtain a transition SID. */
1313 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314 rc = security_transition_sid(isec->task_sid,
1315 sbsec->sid,
1316 isec->sclass,
1317 &sid);
1318 if (rc)
1319 goto out_unlock;
1320 isec->sid = sid;
1321 break;
1322 case SECURITY_FS_USE_MNTPOINT:
1323 isec->sid = sbsec->mntpoint_sid;
1324 break;
1325 default:
1326 /* Default to the fs superblock SID. */
1327 isec->sid = sbsec->sid;
1328
1329 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1330 struct proc_inode *proci = PROC_I(inode);
1331 if (proci->pde) {
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 rc = selinux_proc_get_sid(proci->pde,
1334 isec->sclass,
1335 &sid);
1336 if (rc)
1337 goto out_unlock;
1338 isec->sid = sid;
1339 }
1340 }
1341 break;
1342 }
1343
1344 isec->initialized = 1;
1345
1346 out_unlock:
1347 mutex_unlock(&isec->lock);
1348 out:
1349 if (isec->sclass == SECCLASS_FILE)
1350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351 return rc;
1352 }
1353
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1356 {
1357 u32 perm = 0;
1358
1359 switch (sig) {
1360 case SIGCHLD:
1361 /* Commonly granted from child to parent. */
1362 perm = PROCESS__SIGCHLD;
1363 break;
1364 case SIGKILL:
1365 /* Cannot be caught or ignored */
1366 perm = PROCESS__SIGKILL;
1367 break;
1368 case SIGSTOP:
1369 /* Cannot be caught or ignored */
1370 perm = PROCESS__SIGSTOP;
1371 break;
1372 default:
1373 /* All other signals. */
1374 perm = PROCESS__SIGNAL;
1375 break;
1376 }
1377
1378 return perm;
1379 }
1380
1381 /*
1382 * Check permission between a pair of credentials
1383 * fork check, ptrace check, etc.
1384 */
1385 static int cred_has_perm(const struct cred *actor,
1386 const struct cred *target,
1387 u32 perms)
1388 {
1389 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1390
1391 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1392 }
1393
1394 /*
1395 * Check permission between a pair of tasks, e.g. signal checks,
1396 * fork check, ptrace check, etc.
1397 * tsk1 is the actor and tsk2 is the target
1398 */
1399 static int task_has_perm(const struct task_struct *tsk1,
1400 const struct task_struct *tsk2,
1401 u32 perms)
1402 {
1403 const struct task_security_struct *__tsec1, *__tsec2;
1404 u32 sid1, sid2;
1405
1406 rcu_read_lock();
1407 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1408 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1409 rcu_read_unlock();
1410 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1411 }
1412
1413 #if CAP_LAST_CAP > 63
1414 #error Fix SELinux to handle capabilities > 63.
1415 #endif
1416
1417 /* Check whether a task is allowed to use a capability. */
1418 static int task_has_capability(struct task_struct *tsk,
1419 int cap, int audit)
1420 {
1421 struct avc_audit_data ad;
1422 struct av_decision avd;
1423 u16 sclass;
1424 u32 sid = task_sid(tsk);
1425 u32 av = CAP_TO_MASK(cap);
1426 int rc;
1427
1428 AVC_AUDIT_DATA_INIT(&ad, CAP);
1429 ad.tsk = tsk;
1430 ad.u.cap = cap;
1431
1432 switch (CAP_TO_INDEX(cap)) {
1433 case 0:
1434 sclass = SECCLASS_CAPABILITY;
1435 break;
1436 case 1:
1437 sclass = SECCLASS_CAPABILITY2;
1438 break;
1439 default:
1440 printk(KERN_ERR
1441 "SELinux: out of range capability %d\n", cap);
1442 BUG();
1443 }
1444
1445 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1446 if (audit == SECURITY_CAP_AUDIT)
1447 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1448 return rc;
1449 }
1450
1451 /* Check whether a task is allowed to use a system operation. */
1452 static int task_has_system(struct task_struct *tsk,
1453 u32 perms)
1454 {
1455 u32 sid = task_sid(tsk);
1456
1457 return avc_has_perm(sid, SECINITSID_KERNEL,
1458 SECCLASS_SYSTEM, perms, NULL);
1459 }
1460
1461 /* Check whether a task has a particular permission to an inode.
1462 The 'adp' parameter is optional and allows other audit
1463 data to be passed (e.g. the dentry). */
1464 static int inode_has_perm(const struct cred *cred,
1465 struct inode *inode,
1466 u32 perms,
1467 struct avc_audit_data *adp)
1468 {
1469 struct inode_security_struct *isec;
1470 struct avc_audit_data ad;
1471 u32 sid;
1472
1473 if (unlikely(IS_PRIVATE(inode)))
1474 return 0;
1475
1476 sid = cred_sid(cred);
1477 isec = inode->i_security;
1478
1479 if (!adp) {
1480 adp = &ad;
1481 AVC_AUDIT_DATA_INIT(&ad, FS);
1482 ad.u.fs.inode = inode;
1483 }
1484
1485 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1486 }
1487
1488 /* Same as inode_has_perm, but pass explicit audit data containing
1489 the dentry to help the auditing code to more easily generate the
1490 pathname if needed. */
1491 static inline int dentry_has_perm(const struct cred *cred,
1492 struct vfsmount *mnt,
1493 struct dentry *dentry,
1494 u32 av)
1495 {
1496 struct inode *inode = dentry->d_inode;
1497 struct avc_audit_data ad;
1498
1499 AVC_AUDIT_DATA_INIT(&ad, FS);
1500 ad.u.fs.path.mnt = mnt;
1501 ad.u.fs.path.dentry = dentry;
1502 return inode_has_perm(cred, inode, av, &ad);
1503 }
1504
1505 /* Check whether a task can use an open file descriptor to
1506 access an inode in a given way. Check access to the
1507 descriptor itself, and then use dentry_has_perm to
1508 check a particular permission to the file.
1509 Access to the descriptor is implicitly granted if it
1510 has the same SID as the process. If av is zero, then
1511 access to the file is not checked, e.g. for cases
1512 where only the descriptor is affected like seek. */
1513 static int file_has_perm(const struct cred *cred,
1514 struct file *file,
1515 u32 av)
1516 {
1517 struct file_security_struct *fsec = file->f_security;
1518 struct inode *inode = file->f_path.dentry->d_inode;
1519 struct avc_audit_data ad;
1520 u32 sid = cred_sid(cred);
1521 int rc;
1522
1523 AVC_AUDIT_DATA_INIT(&ad, FS);
1524 ad.u.fs.path = file->f_path;
1525
1526 if (sid != fsec->sid) {
1527 rc = avc_has_perm(sid, fsec->sid,
1528 SECCLASS_FD,
1529 FD__USE,
1530 &ad);
1531 if (rc)
1532 goto out;
1533 }
1534
1535 /* av is zero if only checking access to the descriptor. */
1536 rc = 0;
1537 if (av)
1538 rc = inode_has_perm(cred, inode, av, &ad);
1539
1540 out:
1541 return rc;
1542 }
1543
1544 /* Check whether a task can create a file. */
1545 static int may_create(struct inode *dir,
1546 struct dentry *dentry,
1547 u16 tclass)
1548 {
1549 const struct cred *cred = current_cred();
1550 const struct task_security_struct *tsec = cred->security;
1551 struct inode_security_struct *dsec;
1552 struct superblock_security_struct *sbsec;
1553 u32 sid, newsid;
1554 struct avc_audit_data ad;
1555 int rc;
1556
1557 dsec = dir->i_security;
1558 sbsec = dir->i_sb->s_security;
1559
1560 sid = tsec->sid;
1561 newsid = tsec->create_sid;
1562
1563 AVC_AUDIT_DATA_INIT(&ad, FS);
1564 ad.u.fs.path.dentry = dentry;
1565
1566 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1567 DIR__ADD_NAME | DIR__SEARCH,
1568 &ad);
1569 if (rc)
1570 return rc;
1571
1572 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1573 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1574 if (rc)
1575 return rc;
1576 }
1577
1578 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1579 if (rc)
1580 return rc;
1581
1582 return avc_has_perm(newsid, sbsec->sid,
1583 SECCLASS_FILESYSTEM,
1584 FILESYSTEM__ASSOCIATE, &ad);
1585 }
1586
1587 /* Check whether a task can create a key. */
1588 static int may_create_key(u32 ksid,
1589 struct task_struct *ctx)
1590 {
1591 u32 sid = task_sid(ctx);
1592
1593 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1594 }
1595
1596 #define MAY_LINK 0
1597 #define MAY_UNLINK 1
1598 #define MAY_RMDIR 2
1599
1600 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1601 static int may_link(struct inode *dir,
1602 struct dentry *dentry,
1603 int kind)
1604
1605 {
1606 struct inode_security_struct *dsec, *isec;
1607 struct avc_audit_data ad;
1608 u32 sid = current_sid();
1609 u32 av;
1610 int rc;
1611
1612 dsec = dir->i_security;
1613 isec = dentry->d_inode->i_security;
1614
1615 AVC_AUDIT_DATA_INIT(&ad, FS);
1616 ad.u.fs.path.dentry = dentry;
1617
1618 av = DIR__SEARCH;
1619 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1620 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1621 if (rc)
1622 return rc;
1623
1624 switch (kind) {
1625 case MAY_LINK:
1626 av = FILE__LINK;
1627 break;
1628 case MAY_UNLINK:
1629 av = FILE__UNLINK;
1630 break;
1631 case MAY_RMDIR:
1632 av = DIR__RMDIR;
1633 break;
1634 default:
1635 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1636 __func__, kind);
1637 return 0;
1638 }
1639
1640 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1641 return rc;
1642 }
1643
1644 static inline int may_rename(struct inode *old_dir,
1645 struct dentry *old_dentry,
1646 struct inode *new_dir,
1647 struct dentry *new_dentry)
1648 {
1649 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1650 struct avc_audit_data ad;
1651 u32 sid = current_sid();
1652 u32 av;
1653 int old_is_dir, new_is_dir;
1654 int rc;
1655
1656 old_dsec = old_dir->i_security;
1657 old_isec = old_dentry->d_inode->i_security;
1658 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1659 new_dsec = new_dir->i_security;
1660
1661 AVC_AUDIT_DATA_INIT(&ad, FS);
1662
1663 ad.u.fs.path.dentry = old_dentry;
1664 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1665 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1666 if (rc)
1667 return rc;
1668 rc = avc_has_perm(sid, old_isec->sid,
1669 old_isec->sclass, FILE__RENAME, &ad);
1670 if (rc)
1671 return rc;
1672 if (old_is_dir && new_dir != old_dir) {
1673 rc = avc_has_perm(sid, old_isec->sid,
1674 old_isec->sclass, DIR__REPARENT, &ad);
1675 if (rc)
1676 return rc;
1677 }
1678
1679 ad.u.fs.path.dentry = new_dentry;
1680 av = DIR__ADD_NAME | DIR__SEARCH;
1681 if (new_dentry->d_inode)
1682 av |= DIR__REMOVE_NAME;
1683 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1684 if (rc)
1685 return rc;
1686 if (new_dentry->d_inode) {
1687 new_isec = new_dentry->d_inode->i_security;
1688 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1689 rc = avc_has_perm(sid, new_isec->sid,
1690 new_isec->sclass,
1691 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1692 if (rc)
1693 return rc;
1694 }
1695
1696 return 0;
1697 }
1698
1699 /* Check whether a task can perform a filesystem operation. */
1700 static int superblock_has_perm(const struct cred *cred,
1701 struct super_block *sb,
1702 u32 perms,
1703 struct avc_audit_data *ad)
1704 {
1705 struct superblock_security_struct *sbsec;
1706 u32 sid = cred_sid(cred);
1707
1708 sbsec = sb->s_security;
1709 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1710 }
1711
1712 /* Convert a Linux mode and permission mask to an access vector. */
1713 static inline u32 file_mask_to_av(int mode, int mask)
1714 {
1715 u32 av = 0;
1716
1717 if ((mode & S_IFMT) != S_IFDIR) {
1718 if (mask & MAY_EXEC)
1719 av |= FILE__EXECUTE;
1720 if (mask & MAY_READ)
1721 av |= FILE__READ;
1722
1723 if (mask & MAY_APPEND)
1724 av |= FILE__APPEND;
1725 else if (mask & MAY_WRITE)
1726 av |= FILE__WRITE;
1727
1728 } else {
1729 if (mask & MAY_EXEC)
1730 av |= DIR__SEARCH;
1731 if (mask & MAY_WRITE)
1732 av |= DIR__WRITE;
1733 if (mask & MAY_READ)
1734 av |= DIR__READ;
1735 }
1736
1737 return av;
1738 }
1739
1740 /* Convert a Linux file to an access vector. */
1741 static inline u32 file_to_av(struct file *file)
1742 {
1743 u32 av = 0;
1744
1745 if (file->f_mode & FMODE_READ)
1746 av |= FILE__READ;
1747 if (file->f_mode & FMODE_WRITE) {
1748 if (file->f_flags & O_APPEND)
1749 av |= FILE__APPEND;
1750 else
1751 av |= FILE__WRITE;
1752 }
1753 if (!av) {
1754 /*
1755 * Special file opened with flags 3 for ioctl-only use.
1756 */
1757 av = FILE__IOCTL;
1758 }
1759
1760 return av;
1761 }
1762
1763 /*
1764 * Convert a file to an access vector and include the correct open
1765 * open permission.
1766 */
1767 static inline u32 open_file_to_av(struct file *file)
1768 {
1769 u32 av = file_to_av(file);
1770
1771 if (selinux_policycap_openperm) {
1772 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1773 /*
1774 * lnk files and socks do not really have an 'open'
1775 */
1776 if (S_ISREG(mode))
1777 av |= FILE__OPEN;
1778 else if (S_ISCHR(mode))
1779 av |= CHR_FILE__OPEN;
1780 else if (S_ISBLK(mode))
1781 av |= BLK_FILE__OPEN;
1782 else if (S_ISFIFO(mode))
1783 av |= FIFO_FILE__OPEN;
1784 else if (S_ISDIR(mode))
1785 av |= DIR__OPEN;
1786 else
1787 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1788 "unknown mode:%o\n", __func__, mode);
1789 }
1790 return av;
1791 }
1792
1793 /* Hook functions begin here. */
1794
1795 static int selinux_ptrace_may_access(struct task_struct *child,
1796 unsigned int mode)
1797 {
1798 int rc;
1799
1800 rc = secondary_ops->ptrace_may_access(child, mode);
1801 if (rc)
1802 return rc;
1803
1804 if (mode == PTRACE_MODE_READ) {
1805 u32 sid = current_sid();
1806 u32 csid = task_sid(child);
1807 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1808 }
1809
1810 return task_has_perm(current, child, PROCESS__PTRACE);
1811 }
1812
1813 static int selinux_ptrace_traceme(struct task_struct *parent)
1814 {
1815 int rc;
1816
1817 rc = secondary_ops->ptrace_traceme(parent);
1818 if (rc)
1819 return rc;
1820
1821 return task_has_perm(parent, current, PROCESS__PTRACE);
1822 }
1823
1824 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1825 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1826 {
1827 int error;
1828
1829 error = task_has_perm(current, target, PROCESS__GETCAP);
1830 if (error)
1831 return error;
1832
1833 return secondary_ops->capget(target, effective, inheritable, permitted);
1834 }
1835
1836 static int selinux_capset(struct cred *new, const struct cred *old,
1837 const kernel_cap_t *effective,
1838 const kernel_cap_t *inheritable,
1839 const kernel_cap_t *permitted)
1840 {
1841 int error;
1842
1843 error = secondary_ops->capset(new, old,
1844 effective, inheritable, permitted);
1845 if (error)
1846 return error;
1847
1848 return cred_has_perm(old, new, PROCESS__SETCAP);
1849 }
1850
1851 static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1852 {
1853 int rc;
1854
1855 rc = secondary_ops->capable(tsk, cap, audit);
1856 if (rc)
1857 return rc;
1858
1859 return task_has_capability(tsk, cap, audit);
1860 }
1861
1862 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1863 {
1864 int buflen, rc;
1865 char *buffer, *path, *end;
1866
1867 rc = -ENOMEM;
1868 buffer = (char *)__get_free_page(GFP_KERNEL);
1869 if (!buffer)
1870 goto out;
1871
1872 buflen = PAGE_SIZE;
1873 end = buffer+buflen;
1874 *--end = '\0';
1875 buflen--;
1876 path = end-1;
1877 *path = '/';
1878 while (table) {
1879 const char *name = table->procname;
1880 size_t namelen = strlen(name);
1881 buflen -= namelen + 1;
1882 if (buflen < 0)
1883 goto out_free;
1884 end -= namelen;
1885 memcpy(end, name, namelen);
1886 *--end = '/';
1887 path = end;
1888 table = table->parent;
1889 }
1890 buflen -= 4;
1891 if (buflen < 0)
1892 goto out_free;
1893 end -= 4;
1894 memcpy(end, "/sys", 4);
1895 path = end;
1896 rc = security_genfs_sid("proc", path, tclass, sid);
1897 out_free:
1898 free_page((unsigned long)buffer);
1899 out:
1900 return rc;
1901 }
1902
1903 static int selinux_sysctl(ctl_table *table, int op)
1904 {
1905 int error = 0;
1906 u32 av;
1907 u32 tsid, sid;
1908 int rc;
1909
1910 rc = secondary_ops->sysctl(table, op);
1911 if (rc)
1912 return rc;
1913
1914 sid = current_sid();
1915
1916 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1917 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1918 if (rc) {
1919 /* Default to the well-defined sysctl SID. */
1920 tsid = SECINITSID_SYSCTL;
1921 }
1922
1923 /* The op values are "defined" in sysctl.c, thereby creating
1924 * a bad coupling between this module and sysctl.c */
1925 if (op == 001) {
1926 error = avc_has_perm(sid, tsid,
1927 SECCLASS_DIR, DIR__SEARCH, NULL);
1928 } else {
1929 av = 0;
1930 if (op & 004)
1931 av |= FILE__READ;
1932 if (op & 002)
1933 av |= FILE__WRITE;
1934 if (av)
1935 error = avc_has_perm(sid, tsid,
1936 SECCLASS_FILE, av, NULL);
1937 }
1938
1939 return error;
1940 }
1941
1942 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1943 {
1944 const struct cred *cred = current_cred();
1945 int rc = 0;
1946
1947 if (!sb)
1948 return 0;
1949
1950 switch (cmds) {
1951 case Q_SYNC:
1952 case Q_QUOTAON:
1953 case Q_QUOTAOFF:
1954 case Q_SETINFO:
1955 case Q_SETQUOTA:
1956 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1957 break;
1958 case Q_GETFMT:
1959 case Q_GETINFO:
1960 case Q_GETQUOTA:
1961 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1962 break;
1963 default:
1964 rc = 0; /* let the kernel handle invalid cmds */
1965 break;
1966 }
1967 return rc;
1968 }
1969
1970 static int selinux_quota_on(struct dentry *dentry)
1971 {
1972 const struct cred *cred = current_cred();
1973
1974 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1975 }
1976
1977 static int selinux_syslog(int type)
1978 {
1979 int rc;
1980
1981 rc = secondary_ops->syslog(type);
1982 if (rc)
1983 return rc;
1984
1985 switch (type) {
1986 case 3: /* Read last kernel messages */
1987 case 10: /* Return size of the log buffer */
1988 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1989 break;
1990 case 6: /* Disable logging to console */
1991 case 7: /* Enable logging to console */
1992 case 8: /* Set level of messages printed to console */
1993 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1994 break;
1995 case 0: /* Close log */
1996 case 1: /* Open log */
1997 case 2: /* Read from log */
1998 case 4: /* Read/clear last kernel messages */
1999 case 5: /* Clear ring buffer */
2000 default:
2001 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2002 break;
2003 }
2004 return rc;
2005 }
2006
2007 /*
2008 * Check that a process has enough memory to allocate a new virtual
2009 * mapping. 0 means there is enough memory for the allocation to
2010 * succeed and -ENOMEM implies there is not.
2011 *
2012 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2013 * if the capability is granted, but __vm_enough_memory requires 1 if
2014 * the capability is granted.
2015 *
2016 * Do not audit the selinux permission check, as this is applied to all
2017 * processes that allocate mappings.
2018 */
2019 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2020 {
2021 int rc, cap_sys_admin = 0;
2022
2023 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
2024 if (rc == 0)
2025 cap_sys_admin = 1;
2026
2027 return __vm_enough_memory(mm, pages, cap_sys_admin);
2028 }
2029
2030 /* binprm security operations */
2031
2032 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
2033 {
2034 struct bprm_security_struct *bsec;
2035
2036 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
2037 if (!bsec)
2038 return -ENOMEM;
2039
2040 bsec->sid = SECINITSID_UNLABELED;
2041 bsec->set = 0;
2042
2043 bprm->security = bsec;
2044 return 0;
2045 }
2046
2047 static int selinux_bprm_set_security(struct linux_binprm *bprm)
2048 {
2049 struct task_security_struct *tsec;
2050 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2051 struct inode_security_struct *isec;
2052 struct bprm_security_struct *bsec;
2053 u32 newsid;
2054 struct avc_audit_data ad;
2055 int rc;
2056
2057 rc = secondary_ops->bprm_set_security(bprm);
2058 if (rc)
2059 return rc;
2060
2061 bsec = bprm->security;
2062
2063 if (bsec->set)
2064 return 0;
2065
2066 tsec = current_security();
2067 isec = inode->i_security;
2068
2069 /* Default to the current task SID. */
2070 bsec->sid = tsec->sid;
2071
2072 /* Reset fs, key, and sock SIDs on execve. */
2073 tsec->create_sid = 0;
2074 tsec->keycreate_sid = 0;
2075 tsec->sockcreate_sid = 0;
2076
2077 if (tsec->exec_sid) {
2078 newsid = tsec->exec_sid;
2079 /* Reset exec SID on execve. */
2080 tsec->exec_sid = 0;
2081 } else {
2082 /* Check for a default transition on this program. */
2083 rc = security_transition_sid(tsec->sid, isec->sid,
2084 SECCLASS_PROCESS, &newsid);
2085 if (rc)
2086 return rc;
2087 }
2088
2089 AVC_AUDIT_DATA_INIT(&ad, FS);
2090 ad.u.fs.path = bprm->file->f_path;
2091
2092 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2093 newsid = tsec->sid;
2094
2095 if (tsec->sid == newsid) {
2096 rc = avc_has_perm(tsec->sid, isec->sid,
2097 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2098 if (rc)
2099 return rc;
2100 } else {
2101 /* Check permissions for the transition. */
2102 rc = avc_has_perm(tsec->sid, newsid,
2103 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2104 if (rc)
2105 return rc;
2106
2107 rc = avc_has_perm(newsid, isec->sid,
2108 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2109 if (rc)
2110 return rc;
2111
2112 /* Clear any possibly unsafe personality bits on exec: */
2113 current->personality &= ~PER_CLEAR_ON_SETID;
2114
2115 /* Set the security field to the new SID. */
2116 bsec->sid = newsid;
2117 }
2118
2119 bsec->set = 1;
2120 return 0;
2121 }
2122
2123 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2124 {
2125 return secondary_ops->bprm_check_security(bprm);
2126 }
2127
2128
2129 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2130 {
2131 const struct cred *cred = current_cred();
2132 const struct task_security_struct *tsec = cred->security;
2133 u32 sid, osid;
2134 int atsecure = 0;
2135
2136 sid = tsec->sid;
2137 osid = tsec->osid;
2138
2139 if (osid != sid) {
2140 /* Enable secure mode for SIDs transitions unless
2141 the noatsecure permission is granted between
2142 the two SIDs, i.e. ahp returns 0. */
2143 atsecure = avc_has_perm(osid, sid,
2144 SECCLASS_PROCESS,
2145 PROCESS__NOATSECURE, NULL);
2146 }
2147
2148 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2149 }
2150
2151 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2152 {
2153 kfree(bprm->security);
2154 bprm->security = NULL;
2155 }
2156
2157 extern struct vfsmount *selinuxfs_mount;
2158 extern struct dentry *selinux_null;
2159
2160 /* Derived from fs/exec.c:flush_old_files. */
2161 static inline void flush_unauthorized_files(const struct cred *cred,
2162 struct files_struct *files)
2163 {
2164 struct avc_audit_data ad;
2165 struct file *file, *devnull = NULL;
2166 struct tty_struct *tty;
2167 struct fdtable *fdt;
2168 long j = -1;
2169 int drop_tty = 0;
2170
2171 tty = get_current_tty();
2172 if (tty) {
2173 file_list_lock();
2174 if (!list_empty(&tty->tty_files)) {
2175 struct inode *inode;
2176
2177 /* Revalidate access to controlling tty.
2178 Use inode_has_perm on the tty inode directly rather
2179 than using file_has_perm, as this particular open
2180 file may belong to another process and we are only
2181 interested in the inode-based check here. */
2182 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2183 inode = file->f_path.dentry->d_inode;
2184 if (inode_has_perm(cred, inode,
2185 FILE__READ | FILE__WRITE, NULL)) {
2186 drop_tty = 1;
2187 }
2188 }
2189 file_list_unlock();
2190 tty_kref_put(tty);
2191 }
2192 /* Reset controlling tty. */
2193 if (drop_tty)
2194 no_tty();
2195
2196 /* Revalidate access to inherited open files. */
2197
2198 AVC_AUDIT_DATA_INIT(&ad, FS);
2199
2200 spin_lock(&files->file_lock);
2201 for (;;) {
2202 unsigned long set, i;
2203 int fd;
2204
2205 j++;
2206 i = j * __NFDBITS;
2207 fdt = files_fdtable(files);
2208 if (i >= fdt->max_fds)
2209 break;
2210 set = fdt->open_fds->fds_bits[j];
2211 if (!set)
2212 continue;
2213 spin_unlock(&files->file_lock);
2214 for ( ; set ; i++, set >>= 1) {
2215 if (set & 1) {
2216 file = fget(i);
2217 if (!file)
2218 continue;
2219 if (file_has_perm(cred,
2220 file,
2221 file_to_av(file))) {
2222 sys_close(i);
2223 fd = get_unused_fd();
2224 if (fd != i) {
2225 if (fd >= 0)
2226 put_unused_fd(fd);
2227 fput(file);
2228 continue;
2229 }
2230 if (devnull) {
2231 get_file(devnull);
2232 } else {
2233 devnull = dentry_open(
2234 dget(selinux_null),
2235 mntget(selinuxfs_mount),
2236 O_RDWR, cred);
2237 if (IS_ERR(devnull)) {
2238 devnull = NULL;
2239 put_unused_fd(fd);
2240 fput(file);
2241 continue;
2242 }
2243 }
2244 fd_install(fd, devnull);
2245 }
2246 fput(file);
2247 }
2248 }
2249 spin_lock(&files->file_lock);
2250
2251 }
2252 spin_unlock(&files->file_lock);
2253 }
2254
2255 static int selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2256 {
2257 struct task_security_struct *tsec;
2258 struct bprm_security_struct *bsec;
2259 struct cred *new;
2260 u32 sid;
2261 int rc;
2262
2263 rc = secondary_ops->bprm_apply_creds(bprm, unsafe);
2264 if (rc < 0)
2265 return rc;
2266
2267 new = prepare_creds();
2268 if (!new)
2269 return -ENOMEM;
2270
2271 tsec = new->security;
2272
2273 bsec = bprm->security;
2274 sid = bsec->sid;
2275
2276 tsec->osid = tsec->sid;
2277 bsec->unsafe = 0;
2278 if (tsec->sid != sid) {
2279 /* Check for shared state. If not ok, leave SID
2280 unchanged and kill. */
2281 if (unsafe & LSM_UNSAFE_SHARE) {
2282 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2283 PROCESS__SHARE, NULL);
2284 if (rc) {
2285 bsec->unsafe = 1;
2286 goto out;
2287 }
2288 }
2289
2290 /* Check for ptracing, and update the task SID if ok.
2291 Otherwise, leave SID unchanged and kill. */
2292 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2293 struct task_struct *tracer;
2294 struct task_security_struct *sec;
2295 u32 ptsid = 0;
2296
2297 rcu_read_lock();
2298 tracer = tracehook_tracer_task(current);
2299 if (likely(tracer != NULL)) {
2300 sec = __task_cred(tracer)->security;
2301 ptsid = sec->sid;
2302 }
2303 rcu_read_unlock();
2304
2305 if (ptsid != 0) {
2306 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2307 PROCESS__PTRACE, NULL);
2308 if (rc) {
2309 bsec->unsafe = 1;
2310 goto out;
2311 }
2312 }
2313 }
2314 tsec->sid = sid;
2315 }
2316
2317 out:
2318 commit_creds(new);
2319 return 0;
2320 }
2321
2322 /*
2323 * called after apply_creds without the task lock held
2324 */
2325 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2326 {
2327 const struct cred *cred = current_cred();
2328 struct task_security_struct *tsec;
2329 struct rlimit *rlim, *initrlim;
2330 struct itimerval itimer;
2331 struct bprm_security_struct *bsec;
2332 struct sighand_struct *psig;
2333 int rc, i;
2334 unsigned long flags;
2335
2336 tsec = current_security();
2337 bsec = bprm->security;
2338
2339 if (bsec->unsafe) {
2340 force_sig_specific(SIGKILL, current);
2341 return;
2342 }
2343 if (tsec->osid == tsec->sid)
2344 return;
2345
2346 /* Close files for which the new task SID is not authorized. */
2347 flush_unauthorized_files(cred, current->files);
2348
2349 /* Check whether the new SID can inherit signal state
2350 from the old SID. If not, clear itimers to avoid
2351 subsequent signal generation and flush and unblock
2352 signals. This must occur _after_ the task SID has
2353 been updated so that any kill done after the flush
2354 will be checked against the new SID. */
2355 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2356 PROCESS__SIGINH, NULL);
2357 if (rc) {
2358 memset(&itimer, 0, sizeof itimer);
2359 for (i = 0; i < 3; i++)
2360 do_setitimer(i, &itimer, NULL);
2361 flush_signals(current);
2362 spin_lock_irq(&current->sighand->siglock);
2363 flush_signal_handlers(current, 1);
2364 sigemptyset(&current->blocked);
2365 recalc_sigpending();
2366 spin_unlock_irq(&current->sighand->siglock);
2367 }
2368
2369 /* Always clear parent death signal on SID transitions. */
2370 current->pdeath_signal = 0;
2371
2372 /* Check whether the new SID can inherit resource limits
2373 from the old SID. If not, reset all soft limits to
2374 the lower of the current task's hard limit and the init
2375 task's soft limit. Note that the setting of hard limits
2376 (even to lower them) can be controlled by the setrlimit
2377 check. The inclusion of the init task's soft limit into
2378 the computation is to avoid resetting soft limits higher
2379 than the default soft limit for cases where the default
2380 is lower than the hard limit, e.g. RLIMIT_CORE or
2381 RLIMIT_STACK.*/
2382 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2383 PROCESS__RLIMITINH, NULL);
2384 if (rc) {
2385 for (i = 0; i < RLIM_NLIMITS; i++) {
2386 rlim = current->signal->rlim + i;
2387 initrlim = init_task.signal->rlim+i;
2388 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2389 }
2390 update_rlimit_cpu(rlim->rlim_cur);
2391 }
2392
2393 /* Wake up the parent if it is waiting so that it can
2394 recheck wait permission to the new task SID. */
2395 read_lock_irq(&tasklist_lock);
2396 psig = current->parent->sighand;
2397 spin_lock_irqsave(&psig->siglock, flags);
2398 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2399 spin_unlock_irqrestore(&psig->siglock, flags);
2400 read_unlock_irq(&tasklist_lock);
2401 }
2402
2403 /* superblock security operations */
2404
2405 static int selinux_sb_alloc_security(struct super_block *sb)
2406 {
2407 return superblock_alloc_security(sb);
2408 }
2409
2410 static void selinux_sb_free_security(struct super_block *sb)
2411 {
2412 superblock_free_security(sb);
2413 }
2414
2415 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2416 {
2417 if (plen > olen)
2418 return 0;
2419
2420 return !memcmp(prefix, option, plen);
2421 }
2422
2423 static inline int selinux_option(char *option, int len)
2424 {
2425 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2426 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2427 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2428 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2429 }
2430
2431 static inline void take_option(char **to, char *from, int *first, int len)
2432 {
2433 if (!*first) {
2434 **to = ',';
2435 *to += 1;
2436 } else
2437 *first = 0;
2438 memcpy(*to, from, len);
2439 *to += len;
2440 }
2441
2442 static inline void take_selinux_option(char **to, char *from, int *first,
2443 int len)
2444 {
2445 int current_size = 0;
2446
2447 if (!*first) {
2448 **to = '|';
2449 *to += 1;
2450 } else
2451 *first = 0;
2452
2453 while (current_size < len) {
2454 if (*from != '"') {
2455 **to = *from;
2456 *to += 1;
2457 }
2458 from += 1;
2459 current_size += 1;
2460 }
2461 }
2462
2463 static int selinux_sb_copy_data(char *orig, char *copy)
2464 {
2465 int fnosec, fsec, rc = 0;
2466 char *in_save, *in_curr, *in_end;
2467 char *sec_curr, *nosec_save, *nosec;
2468 int open_quote = 0;
2469
2470 in_curr = orig;
2471 sec_curr = copy;
2472
2473 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2474 if (!nosec) {
2475 rc = -ENOMEM;
2476 goto out;
2477 }
2478
2479 nosec_save = nosec;
2480 fnosec = fsec = 1;
2481 in_save = in_end = orig;
2482
2483 do {
2484 if (*in_end == '"')
2485 open_quote = !open_quote;
2486 if ((*in_end == ',' && open_quote == 0) ||
2487 *in_end == '\0') {
2488 int len = in_end - in_curr;
2489
2490 if (selinux_option(in_curr, len))
2491 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2492 else
2493 take_option(&nosec, in_curr, &fnosec, len);
2494
2495 in_curr = in_end + 1;
2496 }
2497 } while (*in_end++);
2498
2499 strcpy(in_save, nosec_save);
2500 free_page((unsigned long)nosec_save);
2501 out:
2502 return rc;
2503 }
2504
2505 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2506 {
2507 const struct cred *cred = current_cred();
2508 struct avc_audit_data ad;
2509 int rc;
2510
2511 rc = superblock_doinit(sb, data);
2512 if (rc)
2513 return rc;
2514
2515 AVC_AUDIT_DATA_INIT(&ad, FS);
2516 ad.u.fs.path.dentry = sb->s_root;
2517 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2518 }
2519
2520 static int selinux_sb_statfs(struct dentry *dentry)
2521 {
2522 const struct cred *cred = current_cred();
2523 struct avc_audit_data ad;
2524
2525 AVC_AUDIT_DATA_INIT(&ad, FS);
2526 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2527 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2528 }
2529
2530 static int selinux_mount(char *dev_name,
2531 struct path *path,
2532 char *type,
2533 unsigned long flags,
2534 void *data)
2535 {
2536 const struct cred *cred = current_cred();
2537 int rc;
2538
2539 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2540 if (rc)
2541 return rc;
2542
2543 if (flags & MS_REMOUNT)
2544 return superblock_has_perm(cred, path->mnt->mnt_sb,
2545 FILESYSTEM__REMOUNT, NULL);
2546 else
2547 return dentry_has_perm(cred, path->mnt, path->dentry,
2548 FILE__MOUNTON);
2549 }
2550
2551 static int selinux_umount(struct vfsmount *mnt, int flags)
2552 {
2553 const struct cred *cred = current_cred();
2554 int rc;
2555
2556 rc = secondary_ops->sb_umount(mnt, flags);
2557 if (rc)
2558 return rc;
2559
2560 return superblock_has_perm(cred, mnt->mnt_sb,
2561 FILESYSTEM__UNMOUNT, NULL);
2562 }
2563
2564 /* inode security operations */
2565
2566 static int selinux_inode_alloc_security(struct inode *inode)
2567 {
2568 return inode_alloc_security(inode);
2569 }
2570
2571 static void selinux_inode_free_security(struct inode *inode)
2572 {
2573 inode_free_security(inode);
2574 }
2575
2576 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2577 char **name, void **value,
2578 size_t *len)
2579 {
2580 const struct cred *cred = current_cred();
2581 const struct task_security_struct *tsec = cred->security;
2582 struct inode_security_struct *dsec;
2583 struct superblock_security_struct *sbsec;
2584 u32 sid, newsid, clen;
2585 int rc;
2586 char *namep = NULL, *context;
2587
2588 dsec = dir->i_security;
2589 sbsec = dir->i_sb->s_security;
2590
2591 sid = tsec->sid;
2592 newsid = tsec->create_sid;
2593
2594 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2595 rc = security_transition_sid(sid, dsec->sid,
2596 inode_mode_to_security_class(inode->i_mode),
2597 &newsid);
2598 if (rc) {
2599 printk(KERN_WARNING "%s: "
2600 "security_transition_sid failed, rc=%d (dev=%s "
2601 "ino=%ld)\n",
2602 __func__,
2603 -rc, inode->i_sb->s_id, inode->i_ino);
2604 return rc;
2605 }
2606 }
2607
2608 /* Possibly defer initialization to selinux_complete_init. */
2609 if (sbsec->initialized) {
2610 struct inode_security_struct *isec = inode->i_security;
2611 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2612 isec->sid = newsid;
2613 isec->initialized = 1;
2614 }
2615
2616 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2617 return -EOPNOTSUPP;
2618
2619 if (name) {
2620 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2621 if (!namep)
2622 return -ENOMEM;
2623 *name = namep;
2624 }
2625
2626 if (value && len) {
2627 rc = security_sid_to_context_force(newsid, &context, &clen);
2628 if (rc) {
2629 kfree(namep);
2630 return rc;
2631 }
2632 *value = context;
2633 *len = clen;
2634 }
2635
2636 return 0;
2637 }
2638
2639 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2640 {
2641 return may_create(dir, dentry, SECCLASS_FILE);
2642 }
2643
2644 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2645 {
2646 int rc;
2647
2648 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2649 if (rc)
2650 return rc;
2651 return may_link(dir, old_dentry, MAY_LINK);
2652 }
2653
2654 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2655 {
2656 int rc;
2657
2658 rc = secondary_ops->inode_unlink(dir, dentry);
2659 if (rc)
2660 return rc;
2661 return may_link(dir, dentry, MAY_UNLINK);
2662 }
2663
2664 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2665 {
2666 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2667 }
2668
2669 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2670 {
2671 return may_create(dir, dentry, SECCLASS_DIR);
2672 }
2673
2674 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2675 {
2676 return may_link(dir, dentry, MAY_RMDIR);
2677 }
2678
2679 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2680 {
2681 int rc;
2682
2683 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2684 if (rc)
2685 return rc;
2686
2687 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2688 }
2689
2690 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2691 struct inode *new_inode, struct dentry *new_dentry)
2692 {
2693 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2694 }
2695
2696 static int selinux_inode_readlink(struct dentry *dentry)
2697 {
2698 const struct cred *cred = current_cred();
2699
2700 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2701 }
2702
2703 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2704 {
2705 const struct cred *cred = current_cred();
2706 int rc;
2707
2708 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2709 if (rc)
2710 return rc;
2711 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2712 }
2713
2714 static int selinux_inode_permission(struct inode *inode, int mask)
2715 {
2716 const struct cred *cred = current_cred();
2717 int rc;
2718
2719 rc = secondary_ops->inode_permission(inode, mask);
2720 if (rc)
2721 return rc;
2722
2723 if (!mask) {
2724 /* No permission to check. Existence test. */
2725 return 0;
2726 }
2727
2728 return inode_has_perm(cred, inode,
2729 file_mask_to_av(inode->i_mode, mask), NULL);
2730 }
2731
2732 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2733 {
2734 const struct cred *cred = current_cred();
2735 int rc;
2736
2737 rc = secondary_ops->inode_setattr(dentry, iattr);
2738 if (rc)
2739 return rc;
2740
2741 if (iattr->ia_valid & ATTR_FORCE)
2742 return 0;
2743
2744 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2745 ATTR_ATIME_SET | ATTR_MTIME_SET))
2746 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2747
2748 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2749 }
2750
2751 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2752 {
2753 const struct cred *cred = current_cred();
2754
2755 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2756 }
2757
2758 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2759 {
2760 const struct cred *cred = current_cred();
2761
2762 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2763 sizeof XATTR_SECURITY_PREFIX - 1)) {
2764 if (!strcmp(name, XATTR_NAME_CAPS)) {
2765 if (!capable(CAP_SETFCAP))
2766 return -EPERM;
2767 } else if (!capable(CAP_SYS_ADMIN)) {
2768 /* A different attribute in the security namespace.
2769 Restrict to administrator. */
2770 return -EPERM;
2771 }
2772 }
2773
2774 /* Not an attribute we recognize, so just check the
2775 ordinary setattr permission. */
2776 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2777 }
2778
2779 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2780 const void *value, size_t size, int flags)
2781 {
2782 struct inode *inode = dentry->d_inode;
2783 struct inode_security_struct *isec = inode->i_security;
2784 struct superblock_security_struct *sbsec;
2785 struct avc_audit_data ad;
2786 u32 newsid, sid = current_sid();
2787 int rc = 0;
2788
2789 if (strcmp(name, XATTR_NAME_SELINUX))
2790 return selinux_inode_setotherxattr(dentry, name);
2791
2792 sbsec = inode->i_sb->s_security;
2793 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2794 return -EOPNOTSUPP;
2795
2796 if (!is_owner_or_cap(inode))
2797 return -EPERM;
2798
2799 AVC_AUDIT_DATA_INIT(&ad, FS);
2800 ad.u.fs.path.dentry = dentry;
2801
2802 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2803 FILE__RELABELFROM, &ad);
2804 if (rc)
2805 return rc;
2806
2807 rc = security_context_to_sid(value, size, &newsid);
2808 if (rc == -EINVAL) {
2809 if (!capable(CAP_MAC_ADMIN))
2810 return rc;
2811 rc = security_context_to_sid_force(value, size, &newsid);
2812 }
2813 if (rc)
2814 return rc;
2815
2816 rc = avc_has_perm(sid, newsid, isec->sclass,
2817 FILE__RELABELTO, &ad);
2818 if (rc)
2819 return rc;
2820
2821 rc = security_validate_transition(isec->sid, newsid, sid,
2822 isec->sclass);
2823 if (rc)
2824 return rc;
2825
2826 return avc_has_perm(newsid,
2827 sbsec->sid,
2828 SECCLASS_FILESYSTEM,
2829 FILESYSTEM__ASSOCIATE,
2830 &ad);
2831 }
2832
2833 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2834 const void *value, size_t size,
2835 int flags)
2836 {
2837 struct inode *inode = dentry->d_inode;
2838 struct inode_security_struct *isec = inode->i_security;
2839 u32 newsid;
2840 int rc;
2841
2842 if (strcmp(name, XATTR_NAME_SELINUX)) {
2843 /* Not an attribute we recognize, so nothing to do. */
2844 return;
2845 }
2846
2847 rc = security_context_to_sid_force(value, size, &newsid);
2848 if (rc) {
2849 printk(KERN_ERR "SELinux: unable to map context to SID"
2850 "for (%s, %lu), rc=%d\n",
2851 inode->i_sb->s_id, inode->i_ino, -rc);
2852 return;
2853 }
2854
2855 isec->sid = newsid;
2856 return;
2857 }
2858
2859 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2860 {
2861 const struct cred *cred = current_cred();
2862
2863 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2864 }
2865
2866 static int selinux_inode_listxattr(struct dentry *dentry)
2867 {
2868 const struct cred *cred = current_cred();
2869
2870 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2871 }
2872
2873 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2874 {
2875 if (strcmp(name, XATTR_NAME_SELINUX))
2876 return selinux_inode_setotherxattr(dentry, name);
2877
2878 /* No one is allowed to remove a SELinux security label.
2879 You can change the label, but all data must be labeled. */
2880 return -EACCES;
2881 }
2882
2883 /*
2884 * Copy the inode security context value to the user.
2885 *
2886 * Permission check is handled by selinux_inode_getxattr hook.
2887 */
2888 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2889 {
2890 u32 size;
2891 int error;
2892 char *context = NULL;
2893 struct inode_security_struct *isec = inode->i_security;
2894
2895 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2896 return -EOPNOTSUPP;
2897
2898 /*
2899 * If the caller has CAP_MAC_ADMIN, then get the raw context
2900 * value even if it is not defined by current policy; otherwise,
2901 * use the in-core value under current policy.
2902 * Use the non-auditing forms of the permission checks since
2903 * getxattr may be called by unprivileged processes commonly
2904 * and lack of permission just means that we fall back to the
2905 * in-core context value, not a denial.
2906 */
2907 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2908 if (!error)
2909 error = security_sid_to_context_force(isec->sid, &context,
2910 &size);
2911 else
2912 error = security_sid_to_context(isec->sid, &context, &size);
2913 if (error)
2914 return error;
2915 error = size;
2916 if (alloc) {
2917 *buffer = context;
2918 goto out_nofree;
2919 }
2920 kfree(context);
2921 out_nofree:
2922 return error;
2923 }
2924
2925 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2926 const void *value, size_t size, int flags)
2927 {
2928 struct inode_security_struct *isec = inode->i_security;
2929 u32 newsid;
2930 int rc;
2931
2932 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2933 return -EOPNOTSUPP;
2934
2935 if (!value || !size)
2936 return -EACCES;
2937
2938 rc = security_context_to_sid((void *)value, size, &newsid);
2939 if (rc)
2940 return rc;
2941
2942 isec->sid = newsid;
2943 return 0;
2944 }
2945
2946 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2947 {
2948 const int len = sizeof(XATTR_NAME_SELINUX);
2949 if (buffer && len <= buffer_size)
2950 memcpy(buffer, XATTR_NAME_SELINUX, len);
2951 return len;
2952 }
2953
2954 static int selinux_inode_need_killpriv(struct dentry *dentry)
2955 {
2956 return secondary_ops->inode_need_killpriv(dentry);
2957 }
2958
2959 static int selinux_inode_killpriv(struct dentry *dentry)
2960 {
2961 return secondary_ops->inode_killpriv(dentry);
2962 }
2963
2964 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2965 {
2966 struct inode_security_struct *isec = inode->i_security;
2967 *secid = isec->sid;
2968 }
2969
2970 /* file security operations */
2971
2972 static int selinux_revalidate_file_permission(struct file *file, int mask)
2973 {
2974 const struct cred *cred = current_cred();
2975 int rc;
2976 struct inode *inode = file->f_path.dentry->d_inode;
2977
2978 if (!mask) {
2979 /* No permission to check. Existence test. */
2980 return 0;
2981 }
2982
2983 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2984 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2985 mask |= MAY_APPEND;
2986
2987 rc = file_has_perm(cred, file,
2988 file_mask_to_av(inode->i_mode, mask));
2989 if (rc)
2990 return rc;
2991
2992 return selinux_netlbl_inode_permission(inode, mask);
2993 }
2994
2995 static int selinux_file_permission(struct file *file, int mask)
2996 {
2997 struct inode *inode = file->f_path.dentry->d_inode;
2998 struct file_security_struct *fsec = file->f_security;
2999 struct inode_security_struct *isec = inode->i_security;
3000 u32 sid = current_sid();
3001
3002 if (!mask) {
3003 /* No permission to check. Existence test. */
3004 return 0;
3005 }
3006
3007 if (sid == fsec->sid && fsec->isid == isec->sid
3008 && fsec->pseqno == avc_policy_seqno())
3009 return selinux_netlbl_inode_permission(inode, mask);
3010
3011 return selinux_revalidate_file_permission(file, mask);
3012 }
3013
3014 static int selinux_file_alloc_security(struct file *file)
3015 {
3016 return file_alloc_security(file);
3017 }
3018
3019 static void selinux_file_free_security(struct file *file)
3020 {
3021 file_free_security(file);
3022 }
3023
3024 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3025 unsigned long arg)
3026 {
3027 const struct cred *cred = current_cred();
3028 u32 av = 0;
3029
3030 if (_IOC_DIR(cmd) & _IOC_WRITE)
3031 av |= FILE__WRITE;
3032 if (_IOC_DIR(cmd) & _IOC_READ)
3033 av |= FILE__READ;
3034 if (!av)
3035 av = FILE__IOCTL;
3036
3037 return file_has_perm(cred, file, av);
3038 }
3039
3040 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3041 {
3042 const struct cred *cred = current_cred();
3043 int rc = 0;
3044
3045 #ifndef CONFIG_PPC32
3046 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3047 /*
3048 * We are making executable an anonymous mapping or a
3049 * private file mapping that will also be writable.
3050 * This has an additional check.
3051 */
3052 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3053 if (rc)
3054 goto error;
3055 }
3056 #endif
3057
3058 if (file) {
3059 /* read access is always possible with a mapping */
3060 u32 av = FILE__READ;
3061
3062 /* write access only matters if the mapping is shared */
3063 if (shared && (prot & PROT_WRITE))
3064 av |= FILE__WRITE;
3065
3066 if (prot & PROT_EXEC)
3067 av |= FILE__EXECUTE;
3068
3069 return file_has_perm(cred, file, av);
3070 }
3071
3072 error:
3073 return rc;
3074 }
3075
3076 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3077 unsigned long prot, unsigned long flags,
3078 unsigned long addr, unsigned long addr_only)
3079 {
3080 int rc = 0;
3081 u32 sid = current_sid();
3082
3083 if (addr < mmap_min_addr)
3084 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3085 MEMPROTECT__MMAP_ZERO, NULL);
3086 if (rc || addr_only)
3087 return rc;
3088
3089 if (selinux_checkreqprot)
3090 prot = reqprot;
3091
3092 return file_map_prot_check(file, prot,
3093 (flags & MAP_TYPE) == MAP_SHARED);
3094 }
3095
3096 static int selinux_file_mprotect(struct vm_area_struct *vma,
3097 unsigned long reqprot,
3098 unsigned long prot)
3099 {
3100 const struct cred *cred = current_cred();
3101 int rc;
3102
3103 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3104 if (rc)
3105 return rc;
3106
3107 if (selinux_checkreqprot)
3108 prot = reqprot;
3109
3110 #ifndef CONFIG_PPC32
3111 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3112 rc = 0;
3113 if (vma->vm_start >= vma->vm_mm->start_brk &&
3114 vma->vm_end <= vma->vm_mm->brk) {
3115 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3116 } else if (!vma->vm_file &&
3117 vma->vm_start <= vma->vm_mm->start_stack &&
3118 vma->vm_end >= vma->vm_mm->start_stack) {
3119 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3120 } else if (vma->vm_file && vma->anon_vma) {
3121 /*
3122 * We are making executable a file mapping that has
3123 * had some COW done. Since pages might have been
3124 * written, check ability to execute the possibly
3125 * modified content. This typically should only
3126 * occur for text relocations.
3127 */
3128 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3129 }
3130 if (rc)
3131 return rc;
3132 }
3133 #endif
3134
3135 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3136 }
3137
3138 static int selinux_file_lock(struct file *file, unsigned int cmd)
3139 {
3140 const struct cred *cred = current_cred();
3141
3142 return file_has_perm(cred, file, FILE__LOCK);
3143 }
3144
3145 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3146 unsigned long arg)
3147 {
3148 const struct cred *cred = current_cred();
3149 int err = 0;
3150
3151 switch (cmd) {
3152 case F_SETFL:
3153 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3154 err = -EINVAL;
3155 break;
3156 }
3157
3158 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3159 err = file_has_perm(cred, file, FILE__WRITE);
3160 break;
3161 }
3162 /* fall through */
3163 case F_SETOWN:
3164 case F_SETSIG:
3165 case F_GETFL:
3166 case F_GETOWN:
3167 case F_GETSIG:
3168 /* Just check FD__USE permission */
3169 err = file_has_perm(cred, file, 0);
3170 break;
3171 case F_GETLK:
3172 case F_SETLK:
3173 case F_SETLKW:
3174 #if BITS_PER_LONG == 32
3175 case F_GETLK64:
3176 case F_SETLK64:
3177 case F_SETLKW64:
3178 #endif
3179 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3180 err = -EINVAL;
3181 break;
3182 }
3183 err = file_has_perm(cred, file, FILE__LOCK);
3184 break;
3185 }
3186
3187 return err;
3188 }
3189
3190 static int selinux_file_set_fowner(struct file *file)
3191 {
3192 struct file_security_struct *fsec;
3193
3194 fsec = file->f_security;
3195 fsec->fown_sid = current_sid();
3196
3197 return 0;
3198 }
3199
3200 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3201 struct fown_struct *fown, int signum)
3202 {
3203 struct file *file;
3204 u32 sid = current_sid();
3205 u32 perm;
3206 struct file_security_struct *fsec;
3207
3208 /* struct fown_struct is never outside the context of a struct file */
3209 file = container_of(fown, struct file, f_owner);
3210
3211 fsec = file->f_security;
3212
3213 if (!signum)
3214 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3215 else
3216 perm = signal_to_av(signum);
3217
3218 return avc_has_perm(fsec->fown_sid, sid,
3219 SECCLASS_PROCESS, perm, NULL);
3220 }
3221
3222 static int selinux_file_receive(struct file *file)
3223 {
3224 const struct cred *cred = current_cred();
3225
3226 return file_has_perm(cred, file, file_to_av(file));
3227 }
3228
3229 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3230 {
3231 struct file_security_struct *fsec;
3232 struct inode *inode;
3233 struct inode_security_struct *isec;
3234
3235 inode = file->f_path.dentry->d_inode;
3236 fsec = file->f_security;
3237 isec = inode->i_security;
3238 /*
3239 * Save inode label and policy sequence number
3240 * at open-time so that selinux_file_permission
3241 * can determine whether revalidation is necessary.
3242 * Task label is already saved in the file security
3243 * struct as its SID.
3244 */
3245 fsec->isid = isec->sid;
3246 fsec->pseqno = avc_policy_seqno();
3247 /*
3248 * Since the inode label or policy seqno may have changed
3249 * between the selinux_inode_permission check and the saving
3250 * of state above, recheck that access is still permitted.
3251 * Otherwise, access might never be revalidated against the
3252 * new inode label or new policy.
3253 * This check is not redundant - do not remove.
3254 */
3255 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3256 }
3257
3258 /* task security operations */
3259
3260 static int selinux_task_create(unsigned long clone_flags)
3261 {
3262 int rc;
3263
3264 rc = secondary_ops->task_create(clone_flags);
3265 if (rc)
3266 return rc;
3267
3268 return task_has_perm(current, current, PROCESS__FORK);
3269 }
3270
3271 /*
3272 * detach and free the LSM part of a set of credentials
3273 */
3274 static void selinux_cred_free(struct cred *cred)
3275 {
3276 struct task_security_struct *tsec = cred->security;
3277 cred->security = NULL;
3278 kfree(tsec);
3279 }
3280
3281 /*
3282 * prepare a new set of credentials for modification
3283 */
3284 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3285 gfp_t gfp)
3286 {
3287 const struct task_security_struct *old_tsec;
3288 struct task_security_struct *tsec;
3289
3290 old_tsec = old->security;
3291
3292 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3293 if (!tsec)
3294 return -ENOMEM;
3295
3296 new->security = tsec;
3297 return 0;
3298 }
3299
3300 /*
3301 * commit new credentials
3302 */
3303 static void selinux_cred_commit(struct cred *new, const struct cred *old)
3304 {
3305 secondary_ops->cred_commit(new, old);
3306 }
3307
3308 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3309 {
3310 /* Since setuid only affects the current process, and
3311 since the SELinux controls are not based on the Linux
3312 identity attributes, SELinux does not need to control
3313 this operation. However, SELinux does control the use
3314 of the CAP_SETUID and CAP_SETGID capabilities using the
3315 capable hook. */
3316 return 0;
3317 }
3318
3319 static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3320 int flags)
3321 {
3322 return secondary_ops->task_fix_setuid(new, old, flags);
3323 }
3324
3325 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3326 {
3327 /* See the comment for setuid above. */
3328 return 0;
3329 }
3330
3331 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3332 {
3333 return task_has_perm(current, p, PROCESS__SETPGID);
3334 }
3335
3336 static int selinux_task_getpgid(struct task_struct *p)
3337 {
3338 return task_has_perm(current, p, PROCESS__GETPGID);
3339 }
3340
3341 static int selinux_task_getsid(struct task_struct *p)
3342 {
3343 return task_has_perm(current, p, PROCESS__GETSESSION);
3344 }
3345
3346 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3347 {
3348 *secid = task_sid(p);
3349 }
3350
3351 static int selinux_task_setgroups(struct group_info *group_info)
3352 {
3353 /* See the comment for setuid above. */
3354 return 0;
3355 }
3356
3357 static int selinux_task_setnice(struct task_struct *p, int nice)
3358 {
3359 int rc;
3360
3361 rc = secondary_ops->task_setnice(p, nice);
3362 if (rc)
3363 return rc;
3364
3365 return task_has_perm(current, p, PROCESS__SETSCHED);
3366 }
3367
3368 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3369 {
3370 int rc;
3371
3372 rc = secondary_ops->task_setioprio(p, ioprio);
3373 if (rc)
3374 return rc;
3375
3376 return task_has_perm(current, p, PROCESS__SETSCHED);
3377 }
3378
3379 static int selinux_task_getioprio(struct task_struct *p)
3380 {
3381 return task_has_perm(current, p, PROCESS__GETSCHED);
3382 }
3383
3384 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3385 {
3386 struct rlimit *old_rlim = current->signal->rlim + resource;
3387 int rc;
3388
3389 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3390 if (rc)
3391 return rc;
3392
3393 /* Control the ability to change the hard limit (whether
3394 lowering or raising it), so that the hard limit can
3395 later be used as a safe reset point for the soft limit
3396 upon context transitions. See selinux_bprm_committing_creds. */
3397 if (old_rlim->rlim_max != new_rlim->rlim_max)
3398 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3399
3400 return 0;
3401 }
3402
3403 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3404 {
3405 int rc;
3406
3407 rc = secondary_ops->task_setscheduler(p, policy, lp);
3408 if (rc)
3409 return rc;
3410
3411 return task_has_perm(current, p, PROCESS__SETSCHED);
3412 }
3413
3414 static int selinux_task_getscheduler(struct task_struct *p)
3415 {
3416 return task_has_perm(current, p, PROCESS__GETSCHED);
3417 }
3418
3419 static int selinux_task_movememory(struct task_struct *p)
3420 {
3421 return task_has_perm(current, p, PROCESS__SETSCHED);
3422 }
3423
3424 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3425 int sig, u32 secid)
3426 {
3427 u32 perm;
3428 int rc;
3429
3430 rc = secondary_ops->task_kill(p, info, sig, secid);
3431 if (rc)
3432 return rc;
3433
3434 if (!sig)
3435 perm = PROCESS__SIGNULL; /* null signal; existence test */
3436 else
3437 perm = signal_to_av(sig);
3438 if (secid)
3439 rc = avc_has_perm(secid, task_sid(p),
3440 SECCLASS_PROCESS, perm, NULL);
3441 else
3442 rc = task_has_perm(current, p, perm);
3443 return rc;
3444 }
3445
3446 static int selinux_task_prctl(int option,
3447 unsigned long arg2,
3448 unsigned long arg3,
3449 unsigned long arg4,
3450 unsigned long arg5)
3451 {
3452 /* The current prctl operations do not appear to require
3453 any SELinux controls since they merely observe or modify
3454 the state of the current process. */
3455 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3456 }
3457
3458 static int selinux_task_wait(struct task_struct *p)
3459 {
3460 return task_has_perm(p, current, PROCESS__SIGCHLD);
3461 }
3462
3463 static void selinux_task_to_inode(struct task_struct *p,
3464 struct inode *inode)
3465 {
3466 struct inode_security_struct *isec = inode->i_security;
3467 u32 sid = task_sid(p);
3468
3469 isec->sid = sid;
3470 isec->initialized = 1;
3471 }
3472
3473 /* Returns error only if unable to parse addresses */
3474 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3475 struct avc_audit_data *ad, u8 *proto)
3476 {
3477 int offset, ihlen, ret = -EINVAL;
3478 struct iphdr _iph, *ih;
3479
3480 offset = skb_network_offset(skb);
3481 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3482 if (ih == NULL)
3483 goto out;
3484
3485 ihlen = ih->ihl * 4;
3486 if (ihlen < sizeof(_iph))
3487 goto out;
3488
3489 ad->u.net.v4info.saddr = ih->saddr;
3490 ad->u.net.v4info.daddr = ih->daddr;
3491 ret = 0;
3492
3493 if (proto)
3494 *proto = ih->protocol;
3495
3496 switch (ih->protocol) {
3497 case IPPROTO_TCP: {
3498 struct tcphdr _tcph, *th;
3499
3500 if (ntohs(ih->frag_off) & IP_OFFSET)
3501 break;
3502
3503 offset += ihlen;
3504 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3505 if (th == NULL)
3506 break;
3507
3508 ad->u.net.sport = th->source;
3509 ad->u.net.dport = th->dest;
3510 break;
3511 }
3512
3513 case IPPROTO_UDP: {
3514 struct udphdr _udph, *uh;
3515
3516 if (ntohs(ih->frag_off) & IP_OFFSET)
3517 break;
3518
3519 offset += ihlen;
3520 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3521 if (uh == NULL)
3522 break;
3523
3524 ad->u.net.sport = uh->source;
3525 ad->u.net.dport = uh->dest;
3526 break;
3527 }
3528
3529 case IPPROTO_DCCP: {
3530 struct dccp_hdr _dccph, *dh;
3531
3532 if (ntohs(ih->frag_off) & IP_OFFSET)
3533 break;
3534
3535 offset += ihlen;
3536 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3537 if (dh == NULL)
3538 break;
3539
3540 ad->u.net.sport = dh->dccph_sport;
3541 ad->u.net.dport = dh->dccph_dport;
3542 break;
3543 }
3544
3545 default:
3546 break;
3547 }
3548 out:
3549 return ret;
3550 }
3551
3552 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3553
3554 /* Returns error only if unable to parse addresses */
3555 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3556 struct avc_audit_data *ad, u8 *proto)
3557 {
3558 u8 nexthdr;
3559 int ret = -EINVAL, offset;
3560 struct ipv6hdr _ipv6h, *ip6;
3561
3562 offset = skb_network_offset(skb);
3563 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3564 if (ip6 == NULL)
3565 goto out;
3566
3567 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3568 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3569 ret = 0;
3570
3571 nexthdr = ip6->nexthdr;
3572 offset += sizeof(_ipv6h);
3573 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3574 if (offset < 0)
3575 goto out;
3576
3577 if (proto)
3578 *proto = nexthdr;
3579
3580 switch (nexthdr) {
3581 case IPPROTO_TCP: {
3582 struct tcphdr _tcph, *th;
3583
3584 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3585 if (th == NULL)
3586 break;
3587
3588 ad->u.net.sport = th->source;
3589 ad->u.net.dport = th->dest;
3590 break;
3591 }
3592
3593 case IPPROTO_UDP: {
3594 struct udphdr _udph, *uh;
3595
3596 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3597 if (uh == NULL)
3598 break;
3599
3600 ad->u.net.sport = uh->source;
3601 ad->u.net.dport = uh->dest;
3602 break;
3603 }
3604
3605 case IPPROTO_DCCP: {
3606 struct dccp_hdr _dccph, *dh;
3607
3608 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3609 if (dh == NULL)
3610 break;
3611
3612 ad->u.net.sport = dh->dccph_sport;
3613 ad->u.net.dport = dh->dccph_dport;
3614 break;
3615 }
3616
3617 /* includes fragments */
3618 default:
3619 break;
3620 }
3621 out:
3622 return ret;
3623 }
3624
3625 #endif /* IPV6 */
3626
3627 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3628 char **_addrp, int src, u8 *proto)
3629 {
3630 char *addrp;
3631 int ret;
3632
3633 switch (ad->u.net.family) {
3634 case PF_INET:
3635 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3636 if (ret)
3637 goto parse_error;
3638 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3639 &ad->u.net.v4info.daddr);
3640 goto okay;
3641
3642 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3643 case PF_INET6:
3644 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3645 if (ret)
3646 goto parse_error;
3647 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3648 &ad->u.net.v6info.daddr);
3649 goto okay;
3650 #endif /* IPV6 */
3651 default:
3652 addrp = NULL;
3653 goto okay;
3654 }
3655
3656 parse_error:
3657 printk(KERN_WARNING
3658 "SELinux: failure in selinux_parse_skb(),"
3659 " unable to parse packet\n");
3660 return ret;
3661
3662 okay:
3663 if (_addrp)
3664 *_addrp = addrp;
3665 return 0;
3666 }
3667
3668 /**
3669 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3670 * @skb: the packet
3671 * @family: protocol family
3672 * @sid: the packet's peer label SID
3673 *
3674 * Description:
3675 * Check the various different forms of network peer labeling and determine
3676 * the peer label/SID for the packet; most of the magic actually occurs in
3677 * the security server function security_net_peersid_cmp(). The function
3678 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3679 * or -EACCES if @sid is invalid due to inconsistencies with the different
3680 * peer labels.
3681 *
3682 */
3683 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3684 {
3685 int err;
3686 u32 xfrm_sid;
3687 u32 nlbl_sid;
3688 u32 nlbl_type;
3689
3690 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3691 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3692
3693 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3694 if (unlikely(err)) {
3695 printk(KERN_WARNING
3696 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3697 " unable to determine packet's peer label\n");
3698 return -EACCES;
3699 }
3700
3701 return 0;
3702 }
3703
3704 /* socket security operations */
3705 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3706 u32 perms)
3707 {
3708 struct inode_security_struct *isec;
3709 struct avc_audit_data ad;
3710 u32 sid;
3711 int err = 0;
3712
3713 isec = SOCK_INODE(sock)->i_security;
3714
3715 if (isec->sid == SECINITSID_KERNEL)
3716 goto out;
3717 sid = task_sid(task);
3718
3719 AVC_AUDIT_DATA_INIT(&ad, NET);
3720 ad.u.net.sk = sock->sk;
3721 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3722
3723 out:
3724 return err;
3725 }
3726
3727 static int selinux_socket_create(int family, int type,
3728 int protocol, int kern)
3729 {
3730 const struct cred *cred = current_cred();
3731 const struct task_security_struct *tsec = cred->security;
3732 u32 sid, newsid;
3733 u16 secclass;
3734 int err = 0;
3735
3736 if (kern)
3737 goto out;
3738
3739 sid = tsec->sid;
3740 newsid = tsec->sockcreate_sid ?: sid;
3741
3742 secclass = socket_type_to_security_class(family, type, protocol);
3743 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3744
3745 out:
3746 return err;
3747 }
3748
3749 static int selinux_socket_post_create(struct socket *sock, int family,
3750 int type, int protocol, int kern)
3751 {
3752 const struct cred *cred = current_cred();
3753 const struct task_security_struct *tsec = cred->security;
3754 struct inode_security_struct *isec;
3755 struct sk_security_struct *sksec;
3756 u32 sid, newsid;
3757 int err = 0;
3758
3759 sid = tsec->sid;
3760 newsid = tsec->sockcreate_sid;
3761
3762 isec = SOCK_INODE(sock)->i_security;
3763
3764 if (kern)
3765 isec->sid = SECINITSID_KERNEL;
3766 else if (newsid)
3767 isec->sid = newsid;
3768 else
3769 isec->sid = sid;
3770
3771 isec->sclass = socket_type_to_security_class(family, type, protocol);
3772 isec->initialized = 1;
3773
3774 if (sock->sk) {
3775 sksec = sock->sk->sk_security;
3776 sksec->sid = isec->sid;
3777 sksec->sclass = isec->sclass;
3778 err = selinux_netlbl_socket_post_create(sock);
3779 }
3780
3781 return err;
3782 }
3783
3784 /* Range of port numbers used to automatically bind.
3785 Need to determine whether we should perform a name_bind
3786 permission check between the socket and the port number. */
3787
3788 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3789 {
3790 u16 family;
3791 int err;
3792
3793 err = socket_has_perm(current, sock, SOCKET__BIND);
3794 if (err)
3795 goto out;
3796
3797 /*
3798 * If PF_INET or PF_INET6, check name_bind permission for the port.
3799 * Multiple address binding for SCTP is not supported yet: we just
3800 * check the first address now.
3801 */
3802 family = sock->sk->sk_family;
3803 if (family == PF_INET || family == PF_INET6) {
3804 char *addrp;
3805 struct inode_security_struct *isec;
3806 struct avc_audit_data ad;
3807 struct sockaddr_in *addr4 = NULL;
3808 struct sockaddr_in6 *addr6 = NULL;
3809 unsigned short snum;
3810 struct sock *sk = sock->sk;
3811 u32 sid, node_perm;
3812
3813 isec = SOCK_INODE(sock)->i_security;
3814
3815 if (family == PF_INET) {
3816 addr4 = (struct sockaddr_in *)address;
3817 snum = ntohs(addr4->sin_port);
3818 addrp = (char *)&addr4->sin_addr.s_addr;
3819 } else {
3820 addr6 = (struct sockaddr_in6 *)address;
3821 snum = ntohs(addr6->sin6_port);
3822 addrp = (char *)&addr6->sin6_addr.s6_addr;
3823 }
3824
3825 if (snum) {
3826 int low, high;
3827
3828 inet_get_local_port_range(&low, &high);
3829
3830 if (snum < max(PROT_SOCK, low) || snum > high) {
3831 err = sel_netport_sid(sk->sk_protocol,
3832 snum, &sid);
3833 if (err)
3834 goto out;
3835 AVC_AUDIT_DATA_INIT(&ad, NET);
3836 ad.u.net.sport = htons(snum);
3837 ad.u.net.family = family;
3838 err = avc_has_perm(isec->sid, sid,
3839 isec->sclass,
3840 SOCKET__NAME_BIND, &ad);
3841 if (err)
3842 goto out;
3843 }
3844 }
3845
3846 switch (isec->sclass) {
3847 case SECCLASS_TCP_SOCKET:
3848 node_perm = TCP_SOCKET__NODE_BIND;
3849 break;
3850
3851 case SECCLASS_UDP_SOCKET:
3852 node_perm = UDP_SOCKET__NODE_BIND;
3853 break;
3854
3855 case SECCLASS_DCCP_SOCKET:
3856 node_perm = DCCP_SOCKET__NODE_BIND;
3857 break;
3858
3859 default:
3860 node_perm = RAWIP_SOCKET__NODE_BIND;
3861 break;
3862 }
3863
3864 err = sel_netnode_sid(addrp, family, &sid);
3865 if (err)
3866 goto out;
3867
3868 AVC_AUDIT_DATA_INIT(&ad, NET);
3869 ad.u.net.sport = htons(snum);
3870 ad.u.net.family = family;
3871
3872 if (family == PF_INET)
3873 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3874 else
3875 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3876
3877 err = avc_has_perm(isec->sid, sid,
3878 isec->sclass, node_perm, &ad);
3879 if (err)
3880 goto out;
3881 }
3882 out:
3883 return err;
3884 }
3885
3886 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3887 {
3888 struct sock *sk = sock->sk;
3889 struct inode_security_struct *isec;
3890 int err;
3891
3892 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3893 if (err)
3894 return err;
3895
3896 /*
3897 * If a TCP or DCCP socket, check name_connect permission for the port.
3898 */
3899 isec = SOCK_INODE(sock)->i_security;
3900 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3901 isec->sclass == SECCLASS_DCCP_SOCKET) {
3902 struct avc_audit_data ad;
3903 struct sockaddr_in *addr4 = NULL;
3904 struct sockaddr_in6 *addr6 = NULL;
3905 unsigned short snum;
3906 u32 sid, perm;
3907
3908 if (sk->sk_family == PF_INET) {
3909 addr4 = (struct sockaddr_in *)address;
3910 if (addrlen < sizeof(struct sockaddr_in))
3911 return -EINVAL;
3912 snum = ntohs(addr4->sin_port);
3913 } else {
3914 addr6 = (struct sockaddr_in6 *)address;
3915 if (addrlen < SIN6_LEN_RFC2133)
3916 return -EINVAL;
3917 snum = ntohs(addr6->sin6_port);
3918 }
3919
3920 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3921 if (err)
3922 goto out;
3923
3924 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3925 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3926
3927 AVC_AUDIT_DATA_INIT(&ad, NET);
3928 ad.u.net.dport = htons(snum);
3929 ad.u.net.family = sk->sk_family;
3930 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3931 if (err)
3932 goto out;
3933 }
3934
3935 err = selinux_netlbl_socket_connect(sk, address);
3936
3937 out:
3938 return err;
3939 }
3940
3941 static int selinux_socket_listen(struct socket *sock, int backlog)
3942 {
3943 return socket_has_perm(current, sock, SOCKET__LISTEN);
3944 }
3945
3946 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3947 {
3948 int err;
3949 struct inode_security_struct *isec;
3950 struct inode_security_struct *newisec;
3951
3952 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3953 if (err)
3954 return err;
3955
3956 newisec = SOCK_INODE(newsock)->i_security;
3957
3958 isec = SOCK_INODE(sock)->i_security;
3959 newisec->sclass = isec->sclass;
3960 newisec->sid = isec->sid;
3961 newisec->initialized = 1;
3962
3963 return 0;
3964 }
3965
3966 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3967 int size)
3968 {
3969 int rc;
3970
3971 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3972 if (rc)
3973 return rc;
3974
3975 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3976 }
3977
3978 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3979 int size, int flags)
3980 {
3981 return socket_has_perm(current, sock, SOCKET__READ);
3982 }
3983
3984 static int selinux_socket_getsockname(struct socket *sock)
3985 {
3986 return socket_has_perm(current, sock, SOCKET__GETATTR);
3987 }
3988
3989 static int selinux_socket_getpeername(struct socket *sock)
3990 {
3991 return socket_has_perm(current, sock, SOCKET__GETATTR);
3992 }
3993
3994 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3995 {
3996 int err;
3997
3998 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3999 if (err)
4000 return err;
4001
4002 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4003 }
4004
4005 static int selinux_socket_getsockopt(struct socket *sock, int level,
4006 int optname)
4007 {
4008 return socket_has_perm(current, sock, SOCKET__GETOPT);
4009 }
4010
4011 static int selinux_socket_shutdown(struct socket *sock, int how)
4012 {
4013 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4014 }
4015
4016 static int selinux_socket_unix_stream_connect(struct socket *sock,
4017 struct socket *other,
4018 struct sock *newsk)
4019 {
4020 struct sk_security_struct *ssec;
4021 struct inode_security_struct *isec;
4022 struct inode_security_struct *other_isec;
4023 struct avc_audit_data ad;
4024 int err;
4025
4026 err = secondary_ops->unix_stream_connect(sock, other, newsk);
4027 if (err)
4028 return err;
4029
4030 isec = SOCK_INODE(sock)->i_security;
4031 other_isec = SOCK_INODE(other)->i_security;
4032
4033 AVC_AUDIT_DATA_INIT(&ad, NET);
4034 ad.u.net.sk = other->sk;
4035
4036 err = avc_has_perm(isec->sid, other_isec->sid,
4037 isec->sclass,
4038 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4039 if (err)
4040 return err;
4041
4042 /* connecting socket */
4043 ssec = sock->sk->sk_security;
4044 ssec->peer_sid = other_isec->sid;
4045
4046 /* server child socket */
4047 ssec = newsk->sk_security;
4048 ssec->peer_sid = isec->sid;
4049 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4050
4051 return err;
4052 }
4053
4054 static int selinux_socket_unix_may_send(struct socket *sock,
4055 struct socket *other)
4056 {
4057 struct inode_security_struct *isec;
4058 struct inode_security_struct *other_isec;
4059 struct avc_audit_data ad;
4060 int err;
4061
4062 isec = SOCK_INODE(sock)->i_security;
4063 other_isec = SOCK_INODE(other)->i_security;
4064
4065 AVC_AUDIT_DATA_INIT(&ad, NET);
4066 ad.u.net.sk = other->sk;
4067
4068 err = avc_has_perm(isec->sid, other_isec->sid,
4069 isec->sclass, SOCKET__SENDTO, &ad);
4070 if (err)
4071 return err;
4072
4073 return 0;
4074 }
4075
4076 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4077 u32 peer_sid,
4078 struct avc_audit_data *ad)
4079 {
4080 int err;
4081 u32 if_sid;
4082 u32 node_sid;
4083
4084 err = sel_netif_sid(ifindex, &if_sid);
4085 if (err)
4086 return err;
4087 err = avc_has_perm(peer_sid, if_sid,
4088 SECCLASS_NETIF, NETIF__INGRESS, ad);
4089 if (err)
4090 return err;
4091
4092 err = sel_netnode_sid(addrp, family, &node_sid);
4093 if (err)
4094 return err;
4095 return avc_has_perm(peer_sid, node_sid,
4096 SECCLASS_NODE, NODE__RECVFROM, ad);
4097 }
4098
4099 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4100 struct sk_buff *skb,
4101 struct avc_audit_data *ad,
4102 u16 family,
4103 char *addrp)
4104 {
4105 int err;
4106 struct sk_security_struct *sksec = sk->sk_security;
4107 u16 sk_class;
4108 u32 netif_perm, node_perm, recv_perm;
4109 u32 port_sid, node_sid, if_sid, sk_sid;
4110
4111 sk_sid = sksec->sid;
4112 sk_class = sksec->sclass;
4113
4114 switch (sk_class) {
4115 case SECCLASS_UDP_SOCKET:
4116 netif_perm = NETIF__UDP_RECV;
4117 node_perm = NODE__UDP_RECV;
4118 recv_perm = UDP_SOCKET__RECV_MSG;
4119 break;
4120 case SECCLASS_TCP_SOCKET:
4121 netif_perm = NETIF__TCP_RECV;
4122 node_perm = NODE__TCP_RECV;
4123 recv_perm = TCP_SOCKET__RECV_MSG;
4124 break;
4125 case SECCLASS_DCCP_SOCKET:
4126 netif_perm = NETIF__DCCP_RECV;
4127 node_perm = NODE__DCCP_RECV;
4128 recv_perm = DCCP_SOCKET__RECV_MSG;
4129 break;
4130 default:
4131 netif_perm = NETIF__RAWIP_RECV;
4132 node_perm = NODE__RAWIP_RECV;
4133 recv_perm = 0;
4134 break;
4135 }
4136
4137 err = sel_netif_sid(skb->iif, &if_sid);
4138 if (err)
4139 return err;
4140 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4141 if (err)
4142 return err;
4143
4144 err = sel_netnode_sid(addrp, family, &node_sid);
4145 if (err)
4146 return err;
4147 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4148 if (err)
4149 return err;
4150
4151 if (!recv_perm)
4152 return 0;
4153 err = sel_netport_sid(sk->sk_protocol,
4154 ntohs(ad->u.net.sport), &port_sid);
4155 if (unlikely(err)) {
4156 printk(KERN_WARNING
4157 "SELinux: failure in"
4158 " selinux_sock_rcv_skb_iptables_compat(),"
4159 " network port label not found\n");
4160 return err;
4161 }
4162 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4163 }
4164
4165 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4166 u16 family)
4167 {
4168 int err;
4169 struct sk_security_struct *sksec = sk->sk_security;
4170 u32 peer_sid;
4171 u32 sk_sid = sksec->sid;
4172 struct avc_audit_data ad;
4173 char *addrp;
4174
4175 AVC_AUDIT_DATA_INIT(&ad, NET);
4176 ad.u.net.netif = skb->iif;
4177 ad.u.net.family = family;
4178 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4179 if (err)
4180 return err;
4181
4182 if (selinux_compat_net)
4183 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4184 family, addrp);
4185 else
4186 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4187 PACKET__RECV, &ad);
4188 if (err)
4189 return err;
4190
4191 if (selinux_policycap_netpeer) {
4192 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4193 if (err)
4194 return err;
4195 err = avc_has_perm(sk_sid, peer_sid,
4196 SECCLASS_PEER, PEER__RECV, &ad);
4197 if (err)
4198 selinux_netlbl_err(skb, err, 0);
4199 } else {
4200 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4201 if (err)
4202 return err;
4203 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4204 }
4205
4206 return err;
4207 }
4208
4209 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4210 {
4211 int err;
4212 struct sk_security_struct *sksec = sk->sk_security;
4213 u16 family = sk->sk_family;
4214 u32 sk_sid = sksec->sid;
4215 struct avc_audit_data ad;
4216 char *addrp;
4217 u8 secmark_active;
4218 u8 peerlbl_active;
4219
4220 if (family != PF_INET && family != PF_INET6)
4221 return 0;
4222
4223 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4224 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4225 family = PF_INET;
4226
4227 /* If any sort of compatibility mode is enabled then handoff processing
4228 * to the selinux_sock_rcv_skb_compat() function to deal with the
4229 * special handling. We do this in an attempt to keep this function
4230 * as fast and as clean as possible. */
4231 if (selinux_compat_net || !selinux_policycap_netpeer)
4232 return selinux_sock_rcv_skb_compat(sk, skb, family);
4233
4234 secmark_active = selinux_secmark_enabled();
4235 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4236 if (!secmark_active && !peerlbl_active)
4237 return 0;
4238
4239 AVC_AUDIT_DATA_INIT(&ad, NET);
4240 ad.u.net.netif = skb->iif;
4241 ad.u.net.family = family;
4242 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4243 if (err)
4244 return err;
4245
4246 if (peerlbl_active) {
4247 u32 peer_sid;
4248
4249 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4250 if (err)
4251 return err;
4252 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4253 peer_sid, &ad);
4254 if (err) {
4255 selinux_netlbl_err(skb, err, 0);
4256 return err;
4257 }
4258 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4259 PEER__RECV, &ad);
4260 if (err)
4261 selinux_netlbl_err(skb, err, 0);
4262 }
4263
4264 if (secmark_active) {
4265 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4266 PACKET__RECV, &ad);
4267 if (err)
4268 return err;
4269 }
4270
4271 return err;
4272 }
4273
4274 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4275 int __user *optlen, unsigned len)
4276 {
4277 int err = 0;
4278 char *scontext;
4279 u32 scontext_len;
4280 struct sk_security_struct *ssec;
4281 struct inode_security_struct *isec;
4282 u32 peer_sid = SECSID_NULL;
4283
4284 isec = SOCK_INODE(sock)->i_security;
4285
4286 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4287 isec->sclass == SECCLASS_TCP_SOCKET) {
4288 ssec = sock->sk->sk_security;
4289 peer_sid = ssec->peer_sid;
4290 }
4291 if (peer_sid == SECSID_NULL) {
4292 err = -ENOPROTOOPT;
4293 goto out;
4294 }
4295
4296 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4297
4298 if (err)
4299 goto out;
4300
4301 if (scontext_len > len) {
4302 err = -ERANGE;
4303 goto out_len;
4304 }
4305
4306 if (copy_to_user(optval, scontext, scontext_len))
4307 err = -EFAULT;
4308
4309 out_len:
4310 if (put_user(scontext_len, optlen))
4311 err = -EFAULT;
4312
4313 kfree(scontext);
4314 out:
4315 return err;
4316 }
4317
4318 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4319 {
4320 u32 peer_secid = SECSID_NULL;
4321 u16 family;
4322
4323 if (skb && skb->protocol == htons(ETH_P_IP))
4324 family = PF_INET;
4325 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4326 family = PF_INET6;
4327 else if (sock)
4328 family = sock->sk->sk_family;
4329 else
4330 goto out;
4331
4332 if (sock && family == PF_UNIX)
4333 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4334 else if (skb)
4335 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4336
4337 out:
4338 *secid = peer_secid;
4339 if (peer_secid == SECSID_NULL)
4340 return -EINVAL;
4341 return 0;
4342 }
4343
4344 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4345 {
4346 return sk_alloc_security(sk, family, priority);
4347 }
4348
4349 static void selinux_sk_free_security(struct sock *sk)
4350 {
4351 sk_free_security(sk);
4352 }
4353
4354 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4355 {
4356 struct sk_security_struct *ssec = sk->sk_security;
4357 struct sk_security_struct *newssec = newsk->sk_security;
4358
4359 newssec->sid = ssec->sid;
4360 newssec->peer_sid = ssec->peer_sid;
4361 newssec->sclass = ssec->sclass;
4362
4363 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4364 }
4365
4366 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4367 {
4368 if (!sk)
4369 *secid = SECINITSID_ANY_SOCKET;
4370 else {
4371 struct sk_security_struct *sksec = sk->sk_security;
4372
4373 *secid = sksec->sid;
4374 }
4375 }
4376
4377 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4378 {
4379 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4380 struct sk_security_struct *sksec = sk->sk_security;
4381
4382 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4383 sk->sk_family == PF_UNIX)
4384 isec->sid = sksec->sid;
4385 sksec->sclass = isec->sclass;
4386 }
4387
4388 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4389 struct request_sock *req)
4390 {
4391 struct sk_security_struct *sksec = sk->sk_security;
4392 int err;
4393 u16 family = sk->sk_family;
4394 u32 newsid;
4395 u32 peersid;
4396
4397 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4398 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4399 family = PF_INET;
4400
4401 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4402 if (err)
4403 return err;
4404 if (peersid == SECSID_NULL) {
4405 req->secid = sksec->sid;
4406 req->peer_secid = SECSID_NULL;
4407 return 0;
4408 }
4409
4410 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4411 if (err)
4412 return err;
4413
4414 req->secid = newsid;
4415 req->peer_secid = peersid;
4416 return 0;
4417 }
4418
4419 static void selinux_inet_csk_clone(struct sock *newsk,
4420 const struct request_sock *req)
4421 {
4422 struct sk_security_struct *newsksec = newsk->sk_security;
4423
4424 newsksec->sid = req->secid;
4425 newsksec->peer_sid = req->peer_secid;
4426 /* NOTE: Ideally, we should also get the isec->sid for the
4427 new socket in sync, but we don't have the isec available yet.
4428 So we will wait until sock_graft to do it, by which
4429 time it will have been created and available. */
4430
4431 /* We don't need to take any sort of lock here as we are the only
4432 * thread with access to newsksec */
4433 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4434 }
4435
4436 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4437 {
4438 u16 family = sk->sk_family;
4439 struct sk_security_struct *sksec = sk->sk_security;
4440
4441 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4442 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4443 family = PF_INET;
4444
4445 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4446
4447 selinux_netlbl_inet_conn_established(sk, family);
4448 }
4449
4450 static void selinux_req_classify_flow(const struct request_sock *req,
4451 struct flowi *fl)
4452 {
4453 fl->secid = req->secid;
4454 }
4455
4456 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4457 {
4458 int err = 0;
4459 u32 perm;
4460 struct nlmsghdr *nlh;
4461 struct socket *sock = sk->sk_socket;
4462 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4463
4464 if (skb->len < NLMSG_SPACE(0)) {
4465 err = -EINVAL;
4466 goto out;
4467 }
4468 nlh = nlmsg_hdr(skb);
4469
4470 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4471 if (err) {
4472 if (err == -EINVAL) {
4473 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4474 "SELinux: unrecognized netlink message"
4475 " type=%hu for sclass=%hu\n",
4476 nlh->nlmsg_type, isec->sclass);
4477 if (!selinux_enforcing || security_get_allow_unknown())
4478 err = 0;
4479 }
4480
4481 /* Ignore */
4482 if (err == -ENOENT)
4483 err = 0;
4484 goto out;
4485 }
4486
4487 err = socket_has_perm(current, sock, perm);
4488 out:
4489 return err;
4490 }
4491
4492 #ifdef CONFIG_NETFILTER
4493
4494 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4495 u16 family)
4496 {
4497 int err;
4498 char *addrp;
4499 u32 peer_sid;
4500 struct avc_audit_data ad;
4501 u8 secmark_active;
4502 u8 netlbl_active;
4503 u8 peerlbl_active;
4504
4505 if (!selinux_policycap_netpeer)
4506 return NF_ACCEPT;
4507
4508 secmark_active = selinux_secmark_enabled();
4509 netlbl_active = netlbl_enabled();
4510 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4511 if (!secmark_active && !peerlbl_active)
4512 return NF_ACCEPT;
4513
4514 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4515 return NF_DROP;
4516
4517 AVC_AUDIT_DATA_INIT(&ad, NET);
4518 ad.u.net.netif = ifindex;
4519 ad.u.net.family = family;
4520 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4521 return NF_DROP;
4522
4523 if (peerlbl_active) {
4524 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4525 peer_sid, &ad);
4526 if (err) {
4527 selinux_netlbl_err(skb, err, 1);
4528 return NF_DROP;
4529 }
4530 }
4531
4532 if (secmark_active)
4533 if (avc_has_perm(peer_sid, skb->secmark,
4534 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4535 return NF_DROP;
4536
4537 if (netlbl_active)
4538 /* we do this in the FORWARD path and not the POST_ROUTING
4539 * path because we want to make sure we apply the necessary
4540 * labeling before IPsec is applied so we can leverage AH
4541 * protection */
4542 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4543 return NF_DROP;
4544
4545 return NF_ACCEPT;
4546 }
4547
4548 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4549 struct sk_buff *skb,
4550 const struct net_device *in,
4551 const struct net_device *out,
4552 int (*okfn)(struct sk_buff *))
4553 {
4554 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4555 }
4556
4557 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4558 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4559 struct sk_buff *skb,
4560 const struct net_device *in,
4561 const struct net_device *out,
4562 int (*okfn)(struct sk_buff *))
4563 {
4564 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4565 }
4566 #endif /* IPV6 */
4567
4568 static unsigned int selinux_ip_output(struct sk_buff *skb,
4569 u16 family)
4570 {
4571 u32 sid;
4572
4573 if (!netlbl_enabled())
4574 return NF_ACCEPT;
4575
4576 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4577 * because we want to make sure we apply the necessary labeling
4578 * before IPsec is applied so we can leverage AH protection */
4579 if (skb->sk) {
4580 struct sk_security_struct *sksec = skb->sk->sk_security;
4581 sid = sksec->sid;
4582 } else
4583 sid = SECINITSID_KERNEL;
4584 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4585 return NF_DROP;
4586
4587 return NF_ACCEPT;
4588 }
4589
4590 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4591 struct sk_buff *skb,
4592 const struct net_device *in,
4593 const struct net_device *out,
4594 int (*okfn)(struct sk_buff *))
4595 {
4596 return selinux_ip_output(skb, PF_INET);
4597 }
4598
4599 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4600 int ifindex,
4601 struct avc_audit_data *ad,
4602 u16 family, char *addrp)
4603 {
4604 int err;
4605 struct sk_security_struct *sksec = sk->sk_security;
4606 u16 sk_class;
4607 u32 netif_perm, node_perm, send_perm;
4608 u32 port_sid, node_sid, if_sid, sk_sid;
4609
4610 sk_sid = sksec->sid;
4611 sk_class = sksec->sclass;
4612
4613 switch (sk_class) {
4614 case SECCLASS_UDP_SOCKET:
4615 netif_perm = NETIF__UDP_SEND;
4616 node_perm = NODE__UDP_SEND;
4617 send_perm = UDP_SOCKET__SEND_MSG;
4618 break;
4619 case SECCLASS_TCP_SOCKET:
4620 netif_perm = NETIF__TCP_SEND;
4621 node_perm = NODE__TCP_SEND;
4622 send_perm = TCP_SOCKET__SEND_MSG;
4623 break;
4624 case SECCLASS_DCCP_SOCKET:
4625 netif_perm = NETIF__DCCP_SEND;
4626 node_perm = NODE__DCCP_SEND;
4627 send_perm = DCCP_SOCKET__SEND_MSG;
4628 break;
4629 default:
4630 netif_perm = NETIF__RAWIP_SEND;
4631 node_perm = NODE__RAWIP_SEND;
4632 send_perm = 0;
4633 break;
4634 }
4635
4636 err = sel_netif_sid(ifindex, &if_sid);
4637 if (err)
4638 return err;
4639 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4640 return err;
4641
4642 err = sel_netnode_sid(addrp, family, &node_sid);
4643 if (err)
4644 return err;
4645 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4646 if (err)
4647 return err;
4648
4649 if (send_perm != 0)
4650 return 0;
4651
4652 err = sel_netport_sid(sk->sk_protocol,
4653 ntohs(ad->u.net.dport), &port_sid);
4654 if (unlikely(err)) {
4655 printk(KERN_WARNING
4656 "SELinux: failure in"
4657 " selinux_ip_postroute_iptables_compat(),"
4658 " network port label not found\n");
4659 return err;
4660 }
4661 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4662 }
4663
4664 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4665 int ifindex,
4666 u16 family)
4667 {
4668 struct sock *sk = skb->sk;
4669 struct sk_security_struct *sksec;
4670 struct avc_audit_data ad;
4671 char *addrp;
4672 u8 proto;
4673
4674 if (sk == NULL)
4675 return NF_ACCEPT;
4676 sksec = sk->sk_security;
4677
4678 AVC_AUDIT_DATA_INIT(&ad, NET);
4679 ad.u.net.netif = ifindex;
4680 ad.u.net.family = family;
4681 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4682 return NF_DROP;
4683
4684 if (selinux_compat_net) {
4685 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4686 &ad, family, addrp))
4687 return NF_DROP;
4688 } else {
4689 if (avc_has_perm(sksec->sid, skb->secmark,
4690 SECCLASS_PACKET, PACKET__SEND, &ad))
4691 return NF_DROP;
4692 }
4693
4694 if (selinux_policycap_netpeer)
4695 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4696 return NF_DROP;
4697
4698 return NF_ACCEPT;
4699 }
4700
4701 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4702 u16 family)
4703 {
4704 u32 secmark_perm;
4705 u32 peer_sid;
4706 struct sock *sk;
4707 struct avc_audit_data ad;
4708 char *addrp;
4709 u8 secmark_active;
4710 u8 peerlbl_active;
4711
4712 /* If any sort of compatibility mode is enabled then handoff processing
4713 * to the selinux_ip_postroute_compat() function to deal with the
4714 * special handling. We do this in an attempt to keep this function
4715 * as fast and as clean as possible. */
4716 if (selinux_compat_net || !selinux_policycap_netpeer)
4717 return selinux_ip_postroute_compat(skb, ifindex, family);
4718
4719 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4720 * packet transformation so allow the packet to pass without any checks
4721 * since we'll have another chance to perform access control checks
4722 * when the packet is on it's final way out.
4723 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4724 * is NULL, in this case go ahead and apply access control. */
4725 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4726 return NF_ACCEPT;
4727
4728 secmark_active = selinux_secmark_enabled();
4729 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4730 if (!secmark_active && !peerlbl_active)
4731 return NF_ACCEPT;
4732
4733 /* if the packet is being forwarded then get the peer label from the
4734 * packet itself; otherwise check to see if it is from a local
4735 * application or the kernel, if from an application get the peer label
4736 * from the sending socket, otherwise use the kernel's sid */
4737 sk = skb->sk;
4738 if (sk == NULL) {
4739 switch (family) {
4740 case PF_INET:
4741 if (IPCB(skb)->flags & IPSKB_FORWARDED)
4742 secmark_perm = PACKET__FORWARD_OUT;
4743 else
4744 secmark_perm = PACKET__SEND;
4745 break;
4746 case PF_INET6:
4747 if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4748 secmark_perm = PACKET__FORWARD_OUT;
4749 else
4750 secmark_perm = PACKET__SEND;
4751 break;
4752 default:
4753 return NF_DROP;
4754 }
4755 if (secmark_perm == PACKET__FORWARD_OUT) {
4756 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4757 return NF_DROP;
4758 } else
4759 peer_sid = SECINITSID_KERNEL;
4760 } else {
4761 struct sk_security_struct *sksec = sk->sk_security;
4762 peer_sid = sksec->sid;
4763 secmark_perm = PACKET__SEND;
4764 }
4765
4766 AVC_AUDIT_DATA_INIT(&ad, NET);
4767 ad.u.net.netif = ifindex;
4768 ad.u.net.family = family;
4769 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4770 return NF_DROP;
4771
4772 if (secmark_active)
4773 if (avc_has_perm(peer_sid, skb->secmark,
4774 SECCLASS_PACKET, secmark_perm, &ad))
4775 return NF_DROP;
4776
4777 if (peerlbl_active) {
4778 u32 if_sid;
4779 u32 node_sid;
4780
4781 if (sel_netif_sid(ifindex, &if_sid))
4782 return NF_DROP;
4783 if (avc_has_perm(peer_sid, if_sid,
4784 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4785 return NF_DROP;
4786
4787 if (sel_netnode_sid(addrp, family, &node_sid))
4788 return NF_DROP;
4789 if (avc_has_perm(peer_sid, node_sid,
4790 SECCLASS_NODE, NODE__SENDTO, &ad))
4791 return NF_DROP;
4792 }
4793
4794 return NF_ACCEPT;
4795 }
4796
4797 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4798 struct sk_buff *skb,
4799 const struct net_device *in,
4800 const struct net_device *out,
4801 int (*okfn)(struct sk_buff *))
4802 {
4803 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4804 }
4805
4806 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4807 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4808 struct sk_buff *skb,
4809 const struct net_device *in,
4810 const struct net_device *out,
4811 int (*okfn)(struct sk_buff *))
4812 {
4813 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4814 }
4815 #endif /* IPV6 */
4816
4817 #endif /* CONFIG_NETFILTER */
4818
4819 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4820 {
4821 int err;
4822
4823 err = secondary_ops->netlink_send(sk, skb);
4824 if (err)
4825 return err;
4826
4827 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4828 err = selinux_nlmsg_perm(sk, skb);
4829
4830 return err;
4831 }
4832
4833 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4834 {
4835 int err;
4836 struct avc_audit_data ad;
4837
4838 err = secondary_ops->netlink_recv(skb, capability);
4839 if (err)
4840 return err;
4841
4842 AVC_AUDIT_DATA_INIT(&ad, CAP);
4843 ad.u.cap = capability;
4844
4845 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4846 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4847 }
4848
4849 static int ipc_alloc_security(struct task_struct *task,
4850 struct kern_ipc_perm *perm,
4851 u16 sclass)
4852 {
4853 struct ipc_security_struct *isec;
4854 u32 sid;
4855
4856 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4857 if (!isec)
4858 return -ENOMEM;
4859
4860 sid = task_sid(task);
4861 isec->sclass = sclass;
4862 isec->sid = sid;
4863 perm->security = isec;
4864
4865 return 0;
4866 }
4867
4868 static void ipc_free_security(struct kern_ipc_perm *perm)
4869 {
4870 struct ipc_security_struct *isec = perm->security;
4871 perm->security = NULL;
4872 kfree(isec);
4873 }
4874
4875 static int msg_msg_alloc_security(struct msg_msg *msg)
4876 {
4877 struct msg_security_struct *msec;
4878
4879 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4880 if (!msec)
4881 return -ENOMEM;
4882
4883 msec->sid = SECINITSID_UNLABELED;
4884 msg->security = msec;
4885
4886 return 0;
4887 }
4888
4889 static void msg_msg_free_security(struct msg_msg *msg)
4890 {
4891 struct msg_security_struct *msec = msg->security;
4892
4893 msg->security = NULL;
4894 kfree(msec);
4895 }
4896
4897 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4898 u32 perms)
4899 {
4900 struct ipc_security_struct *isec;
4901 struct avc_audit_data ad;
4902 u32 sid = current_sid();
4903
4904 isec = ipc_perms->security;
4905
4906 AVC_AUDIT_DATA_INIT(&ad, IPC);
4907 ad.u.ipc_id = ipc_perms->key;
4908
4909 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4910 }
4911
4912 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4913 {
4914 return msg_msg_alloc_security(msg);
4915 }
4916
4917 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4918 {
4919 msg_msg_free_security(msg);
4920 }
4921
4922 /* message queue security operations */
4923 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4924 {
4925 struct ipc_security_struct *isec;
4926 struct avc_audit_data ad;
4927 u32 sid = current_sid();
4928 int rc;
4929
4930 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4931 if (rc)
4932 return rc;
4933
4934 isec = msq->q_perm.security;
4935
4936 AVC_AUDIT_DATA_INIT(&ad, IPC);
4937 ad.u.ipc_id = msq->q_perm.key;
4938
4939 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4940 MSGQ__CREATE, &ad);
4941 if (rc) {
4942 ipc_free_security(&msq->q_perm);
4943 return rc;
4944 }
4945 return 0;
4946 }
4947
4948 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4949 {
4950 ipc_free_security(&msq->q_perm);
4951 }
4952
4953 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4954 {
4955 struct ipc_security_struct *isec;
4956 struct avc_audit_data ad;
4957 u32 sid = current_sid();
4958
4959 isec = msq->q_perm.security;
4960
4961 AVC_AUDIT_DATA_INIT(&ad, IPC);
4962 ad.u.ipc_id = msq->q_perm.key;
4963
4964 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4965 MSGQ__ASSOCIATE, &ad);
4966 }
4967
4968 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4969 {
4970 int err;
4971 int perms;
4972
4973 switch (cmd) {
4974 case IPC_INFO:
4975 case MSG_INFO:
4976 /* No specific object, just general system-wide information. */
4977 return task_has_system(current, SYSTEM__IPC_INFO);
4978 case IPC_STAT:
4979 case MSG_STAT:
4980 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4981 break;
4982 case IPC_SET:
4983 perms = MSGQ__SETATTR;
4984 break;
4985 case IPC_RMID:
4986 perms = MSGQ__DESTROY;
4987 break;
4988 default:
4989 return 0;
4990 }
4991
4992 err = ipc_has_perm(&msq->q_perm, perms);
4993 return err;
4994 }
4995
4996 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4997 {
4998 struct ipc_security_struct *isec;
4999 struct msg_security_struct *msec;
5000 struct avc_audit_data ad;
5001 u32 sid = current_sid();
5002 int rc;
5003
5004 isec = msq->q_perm.security;
5005 msec = msg->security;
5006
5007 /*
5008 * First time through, need to assign label to the message
5009 */
5010 if (msec->sid == SECINITSID_UNLABELED) {
5011 /*
5012 * Compute new sid based on current process and
5013 * message queue this message will be stored in
5014 */
5015 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5016 &msec->sid);
5017 if (rc)
5018 return rc;
5019 }
5020
5021 AVC_AUDIT_DATA_INIT(&ad, IPC);
5022 ad.u.ipc_id = msq->q_perm.key;
5023
5024 /* Can this process write to the queue? */
5025 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5026 MSGQ__WRITE, &ad);
5027 if (!rc)
5028 /* Can this process send the message */
5029 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5030 MSG__SEND, &ad);
5031 if (!rc)
5032 /* Can the message be put in the queue? */
5033 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5034 MSGQ__ENQUEUE, &ad);
5035
5036 return rc;
5037 }
5038
5039 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5040 struct task_struct *target,
5041 long type, int mode)
5042 {
5043 struct ipc_security_struct *isec;
5044 struct msg_security_struct *msec;
5045 struct avc_audit_data ad;
5046 u32 sid = task_sid(target);
5047 int rc;
5048
5049 isec = msq->q_perm.security;
5050 msec = msg->security;
5051
5052 AVC_AUDIT_DATA_INIT(&ad, IPC);
5053 ad.u.ipc_id = msq->q_perm.key;
5054
5055 rc = avc_has_perm(sid, isec->sid,
5056 SECCLASS_MSGQ, MSGQ__READ, &ad);
5057 if (!rc)
5058 rc = avc_has_perm(sid, msec->sid,
5059 SECCLASS_MSG, MSG__RECEIVE, &ad);
5060 return rc;
5061 }
5062
5063 /* Shared Memory security operations */
5064 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5065 {
5066 struct ipc_security_struct *isec;
5067 struct avc_audit_data ad;
5068 u32 sid = current_sid();
5069 int rc;
5070
5071 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5072 if (rc)
5073 return rc;
5074
5075 isec = shp->shm_perm.security;
5076
5077 AVC_AUDIT_DATA_INIT(&ad, IPC);
5078 ad.u.ipc_id = shp->shm_perm.key;
5079
5080 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5081 SHM__CREATE, &ad);
5082 if (rc) {
5083 ipc_free_security(&shp->shm_perm);
5084 return rc;
5085 }
5086 return 0;
5087 }
5088
5089 static void selinux_shm_free_security(struct shmid_kernel *shp)
5090 {
5091 ipc_free_security(&shp->shm_perm);
5092 }
5093
5094 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5095 {
5096 struct ipc_security_struct *isec;
5097 struct avc_audit_data ad;
5098 u32 sid = current_sid();
5099
5100 isec = shp->shm_perm.security;
5101
5102 AVC_AUDIT_DATA_INIT(&ad, IPC);
5103 ad.u.ipc_id = shp->shm_perm.key;
5104
5105 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5106 SHM__ASSOCIATE, &ad);
5107 }
5108
5109 /* Note, at this point, shp is locked down */
5110 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5111 {
5112 int perms;
5113 int err;
5114
5115 switch (cmd) {
5116 case IPC_INFO:
5117 case SHM_INFO:
5118 /* No specific object, just general system-wide information. */
5119 return task_has_system(current, SYSTEM__IPC_INFO);
5120 case IPC_STAT:
5121 case SHM_STAT:
5122 perms = SHM__GETATTR | SHM__ASSOCIATE;
5123 break;
5124 case IPC_SET:
5125 perms = SHM__SETATTR;
5126 break;
5127 case SHM_LOCK:
5128 case SHM_UNLOCK:
5129 perms = SHM__LOCK;
5130 break;
5131 case IPC_RMID:
5132 perms = SHM__DESTROY;
5133 break;
5134 default:
5135 return 0;
5136 }
5137
5138 err = ipc_has_perm(&shp->shm_perm, perms);
5139 return err;
5140 }
5141
5142 static int selinux_shm_shmat(struct shmid_kernel *shp,
5143 char __user *shmaddr, int shmflg)
5144 {
5145 u32 perms;
5146 int rc;
5147
5148 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5149 if (rc)
5150 return rc;
5151
5152 if (shmflg & SHM_RDONLY)
5153 perms = SHM__READ;
5154 else
5155 perms = SHM__READ | SHM__WRITE;
5156
5157 return ipc_has_perm(&shp->shm_perm, perms);
5158 }
5159
5160 /* Semaphore security operations */
5161 static int selinux_sem_alloc_security(struct sem_array *sma)
5162 {
5163 struct ipc_security_struct *isec;
5164 struct avc_audit_data ad;
5165 u32 sid = current_sid();
5166 int rc;
5167
5168 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5169 if (rc)
5170 return rc;
5171
5172 isec = sma->sem_perm.security;
5173
5174 AVC_AUDIT_DATA_INIT(&ad, IPC);
5175 ad.u.ipc_id = sma->sem_perm.key;
5176
5177 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5178 SEM__CREATE, &ad);
5179 if (rc) {
5180 ipc_free_security(&sma->sem_perm);
5181 return rc;
5182 }
5183 return 0;
5184 }
5185
5186 static void selinux_sem_free_security(struct sem_array *sma)
5187 {
5188 ipc_free_security(&sma->sem_perm);
5189 }
5190
5191 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5192 {
5193 struct ipc_security_struct *isec;
5194 struct avc_audit_data ad;
5195 u32 sid = current_sid();
5196
5197 isec = sma->sem_perm.security;
5198
5199 AVC_AUDIT_DATA_INIT(&ad, IPC);
5200 ad.u.ipc_id = sma->sem_perm.key;
5201
5202 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5203 SEM__ASSOCIATE, &ad);
5204 }
5205
5206 /* Note, at this point, sma is locked down */
5207 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5208 {
5209 int err;
5210 u32 perms;
5211
5212 switch (cmd) {
5213 case IPC_INFO:
5214 case SEM_INFO:
5215 /* No specific object, just general system-wide information. */
5216 return task_has_system(current, SYSTEM__IPC_INFO);
5217 case GETPID:
5218 case GETNCNT:
5219 case GETZCNT:
5220 perms = SEM__GETATTR;
5221 break;
5222 case GETVAL:
5223 case GETALL:
5224 perms = SEM__READ;
5225 break;
5226 case SETVAL:
5227 case SETALL:
5228 perms = SEM__WRITE;
5229 break;
5230 case IPC_RMID:
5231 perms = SEM__DESTROY;
5232 break;
5233 case IPC_SET:
5234 perms = SEM__SETATTR;
5235 break;
5236 case IPC_STAT:
5237 case SEM_STAT:
5238 perms = SEM__GETATTR | SEM__ASSOCIATE;
5239 break;
5240 default:
5241 return 0;
5242 }
5243
5244 err = ipc_has_perm(&sma->sem_perm, perms);
5245 return err;
5246 }
5247
5248 static int selinux_sem_semop(struct sem_array *sma,
5249 struct sembuf *sops, unsigned nsops, int alter)
5250 {
5251 u32 perms;
5252
5253 if (alter)
5254 perms = SEM__READ | SEM__WRITE;
5255 else
5256 perms = SEM__READ;
5257
5258 return ipc_has_perm(&sma->sem_perm, perms);
5259 }
5260
5261 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5262 {
5263 u32 av = 0;
5264
5265 av = 0;
5266 if (flag & S_IRUGO)
5267 av |= IPC__UNIX_READ;
5268 if (flag & S_IWUGO)
5269 av |= IPC__UNIX_WRITE;
5270
5271 if (av == 0)
5272 return 0;
5273
5274 return ipc_has_perm(ipcp, av);
5275 }
5276
5277 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5278 {
5279 struct ipc_security_struct *isec = ipcp->security;
5280 *secid = isec->sid;
5281 }
5282
5283 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5284 {
5285 if (inode)
5286 inode_doinit_with_dentry(inode, dentry);
5287 }
5288
5289 static int selinux_getprocattr(struct task_struct *p,
5290 char *name, char **value)
5291 {
5292 const struct task_security_struct *__tsec;
5293 u32 sid;
5294 int error;
5295 unsigned len;
5296
5297 if (current != p) {
5298 error = task_has_perm(current, p, PROCESS__GETATTR);
5299 if (error)
5300 return error;
5301 }
5302
5303 rcu_read_lock();
5304 __tsec = __task_cred(p)->security;
5305
5306 if (!strcmp(name, "current"))
5307 sid = __tsec->sid;
5308 else if (!strcmp(name, "prev"))
5309 sid = __tsec->osid;
5310 else if (!strcmp(name, "exec"))
5311 sid = __tsec->exec_sid;
5312 else if (!strcmp(name, "fscreate"))
5313 sid = __tsec->create_sid;
5314 else if (!strcmp(name, "keycreate"))
5315 sid = __tsec->keycreate_sid;
5316 else if (!strcmp(name, "sockcreate"))
5317 sid = __tsec->sockcreate_sid;
5318 else
5319 goto invalid;
5320 rcu_read_unlock();
5321
5322 if (!sid)
5323 return 0;
5324
5325 error = security_sid_to_context(sid, value, &len);
5326 if (error)
5327 return error;
5328 return len;
5329
5330 invalid:
5331 rcu_read_unlock();
5332 return -EINVAL;
5333 }
5334
5335 static int selinux_setprocattr(struct task_struct *p,
5336 char *name, void *value, size_t size)
5337 {
5338 struct task_security_struct *tsec;
5339 struct task_struct *tracer;
5340 struct cred *new;
5341 u32 sid = 0, ptsid;
5342 int error;
5343 char *str = value;
5344
5345 if (current != p) {
5346 /* SELinux only allows a process to change its own
5347 security attributes. */
5348 return -EACCES;
5349 }
5350
5351 /*
5352 * Basic control over ability to set these attributes at all.
5353 * current == p, but we'll pass them separately in case the
5354 * above restriction is ever removed.
5355 */
5356 if (!strcmp(name, "exec"))
5357 error = task_has_perm(current, p, PROCESS__SETEXEC);
5358 else if (!strcmp(name, "fscreate"))
5359 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5360 else if (!strcmp(name, "keycreate"))
5361 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5362 else if (!strcmp(name, "sockcreate"))
5363 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5364 else if (!strcmp(name, "current"))
5365 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5366 else
5367 error = -EINVAL;
5368 if (error)
5369 return error;
5370
5371 /* Obtain a SID for the context, if one was specified. */
5372 if (size && str[1] && str[1] != '\n') {
5373 if (str[size-1] == '\n') {
5374 str[size-1] = 0;
5375 size--;
5376 }
5377 error = security_context_to_sid(value, size, &sid);
5378 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5379 if (!capable(CAP_MAC_ADMIN))
5380 return error;
5381 error = security_context_to_sid_force(value, size,
5382 &sid);
5383 }
5384 if (error)
5385 return error;
5386 }
5387
5388 new = prepare_creds();
5389 if (!new)
5390 return -ENOMEM;
5391
5392 /* Permission checking based on the specified context is
5393 performed during the actual operation (execve,
5394 open/mkdir/...), when we know the full context of the
5395 operation. See selinux_bprm_set_creds for the execve
5396 checks and may_create for the file creation checks. The
5397 operation will then fail if the context is not permitted. */
5398 tsec = new->security;
5399 if (!strcmp(name, "exec")) {
5400 tsec->exec_sid = sid;
5401 } else if (!strcmp(name, "fscreate")) {
5402 tsec->create_sid = sid;
5403 } else if (!strcmp(name, "keycreate")) {
5404 error = may_create_key(sid, p);
5405 if (error)
5406 goto abort_change;
5407 tsec->keycreate_sid = sid;
5408 } else if (!strcmp(name, "sockcreate")) {
5409 tsec->sockcreate_sid = sid;
5410 } else if (!strcmp(name, "current")) {
5411 error = -EINVAL;
5412 if (sid == 0)
5413 goto abort_change;
5414
5415 /* Only allow single threaded processes to change context */
5416 error = -EPERM;
5417 if (!is_single_threaded(p)) {
5418 error = security_bounded_transition(tsec->sid, sid);
5419 if (error)
5420 goto abort_change;
5421 }
5422
5423 /* Check permissions for the transition. */
5424 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5425 PROCESS__DYNTRANSITION, NULL);
5426 if (error)
5427 goto abort_change;
5428
5429 /* Check for ptracing, and update the task SID if ok.
5430 Otherwise, leave SID unchanged and fail. */
5431 ptsid = 0;
5432 task_lock(p);
5433 tracer = tracehook_tracer_task(p);
5434 if (tracer)
5435 ptsid = task_sid(tracer);
5436 task_unlock(p);
5437
5438 if (tracer) {
5439 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5440 PROCESS__PTRACE, NULL);
5441 if (error)
5442 goto abort_change;
5443 }
5444
5445 tsec->sid = sid;
5446 } else {
5447 error = -EINVAL;
5448 goto abort_change;
5449 }
5450
5451 commit_creds(new);
5452 return size;
5453
5454 abort_change:
5455 abort_creds(new);
5456 return error;
5457 }
5458
5459 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5460 {
5461 return security_sid_to_context(secid, secdata, seclen);
5462 }
5463
5464 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5465 {
5466 return security_context_to_sid(secdata, seclen, secid);
5467 }
5468
5469 static void selinux_release_secctx(char *secdata, u32 seclen)
5470 {
5471 kfree(secdata);
5472 }
5473
5474 #ifdef CONFIG_KEYS
5475
5476 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5477 unsigned long flags)
5478 {
5479 const struct task_security_struct *tsec;
5480 struct key_security_struct *ksec;
5481
5482 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5483 if (!ksec)
5484 return -ENOMEM;
5485
5486 tsec = cred->security;
5487 if (tsec->keycreate_sid)
5488 ksec->sid = tsec->keycreate_sid;
5489 else
5490 ksec->sid = tsec->sid;
5491
5492 k->security = ksec;
5493 return 0;
5494 }
5495
5496 static void selinux_key_free(struct key *k)
5497 {
5498 struct key_security_struct *ksec = k->security;
5499
5500 k->security = NULL;
5501 kfree(ksec);
5502 }
5503
5504 static int selinux_key_permission(key_ref_t key_ref,
5505 const struct cred *cred,
5506 key_perm_t perm)
5507 {
5508 struct key *key;
5509 struct key_security_struct *ksec;
5510 u32 sid;
5511
5512 /* if no specific permissions are requested, we skip the
5513 permission check. No serious, additional covert channels
5514 appear to be created. */
5515 if (perm == 0)
5516 return 0;
5517
5518 sid = cred_sid(cred);
5519
5520 key = key_ref_to_ptr(key_ref);
5521 ksec = key->security;
5522
5523 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5524 }
5525
5526 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5527 {
5528 struct key_security_struct *ksec = key->security;
5529 char *context = NULL;
5530 unsigned len;
5531 int rc;
5532
5533 rc = security_sid_to_context(ksec->sid, &context, &len);
5534 if (!rc)
5535 rc = len;
5536 *_buffer = context;
5537 return rc;
5538 }
5539
5540 #endif
5541
5542 static struct security_operations selinux_ops = {
5543 .name = "selinux",
5544
5545 .ptrace_may_access = selinux_ptrace_may_access,
5546 .ptrace_traceme = selinux_ptrace_traceme,
5547 .capget = selinux_capget,
5548 .capset = selinux_capset,
5549 .sysctl = selinux_sysctl,
5550 .capable = selinux_capable,
5551 .quotactl = selinux_quotactl,
5552 .quota_on = selinux_quota_on,
5553 .syslog = selinux_syslog,
5554 .vm_enough_memory = selinux_vm_enough_memory,
5555
5556 .netlink_send = selinux_netlink_send,
5557 .netlink_recv = selinux_netlink_recv,
5558
5559 .bprm_alloc_security = selinux_bprm_alloc_security,
5560 .bprm_free_security = selinux_bprm_free_security,
5561 .bprm_apply_creds = selinux_bprm_apply_creds,
5562 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5563 .bprm_set_security = selinux_bprm_set_security,
5564 .bprm_check_security = selinux_bprm_check_security,
5565 .bprm_secureexec = selinux_bprm_secureexec,
5566
5567 .sb_alloc_security = selinux_sb_alloc_security,
5568 .sb_free_security = selinux_sb_free_security,
5569 .sb_copy_data = selinux_sb_copy_data,
5570 .sb_kern_mount = selinux_sb_kern_mount,
5571 .sb_show_options = selinux_sb_show_options,
5572 .sb_statfs = selinux_sb_statfs,
5573 .sb_mount = selinux_mount,
5574 .sb_umount = selinux_umount,
5575 .sb_set_mnt_opts = selinux_set_mnt_opts,
5576 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5577 .sb_parse_opts_str = selinux_parse_opts_str,
5578
5579
5580 .inode_alloc_security = selinux_inode_alloc_security,
5581 .inode_free_security = selinux_inode_free_security,
5582 .inode_init_security = selinux_inode_init_security,
5583 .inode_create = selinux_inode_create,
5584 .inode_link = selinux_inode_link,
5585 .inode_unlink = selinux_inode_unlink,
5586 .inode_symlink = selinux_inode_symlink,
5587 .inode_mkdir = selinux_inode_mkdir,
5588 .inode_rmdir = selinux_inode_rmdir,
5589 .inode_mknod = selinux_inode_mknod,
5590 .inode_rename = selinux_inode_rename,
5591 .inode_readlink = selinux_inode_readlink,
5592 .inode_follow_link = selinux_inode_follow_link,
5593 .inode_permission = selinux_inode_permission,
5594 .inode_setattr = selinux_inode_setattr,
5595 .inode_getattr = selinux_inode_getattr,
5596 .inode_setxattr = selinux_inode_setxattr,
5597 .inode_post_setxattr = selinux_inode_post_setxattr,
5598 .inode_getxattr = selinux_inode_getxattr,
5599 .inode_listxattr = selinux_inode_listxattr,
5600 .inode_removexattr = selinux_inode_removexattr,
5601 .inode_getsecurity = selinux_inode_getsecurity,
5602 .inode_setsecurity = selinux_inode_setsecurity,
5603 .inode_listsecurity = selinux_inode_listsecurity,
5604 .inode_need_killpriv = selinux_inode_need_killpriv,
5605 .inode_killpriv = selinux_inode_killpriv,
5606 .inode_getsecid = selinux_inode_getsecid,
5607
5608 .file_permission = selinux_file_permission,
5609 .file_alloc_security = selinux_file_alloc_security,
5610 .file_free_security = selinux_file_free_security,
5611 .file_ioctl = selinux_file_ioctl,
5612 .file_mmap = selinux_file_mmap,
5613 .file_mprotect = selinux_file_mprotect,
5614 .file_lock = selinux_file_lock,
5615 .file_fcntl = selinux_file_fcntl,
5616 .file_set_fowner = selinux_file_set_fowner,
5617 .file_send_sigiotask = selinux_file_send_sigiotask,
5618 .file_receive = selinux_file_receive,
5619
5620 .dentry_open = selinux_dentry_open,
5621
5622 .task_create = selinux_task_create,
5623 .cred_free = selinux_cred_free,
5624 .cred_prepare = selinux_cred_prepare,
5625 .cred_commit = selinux_cred_commit,
5626 .task_setuid = selinux_task_setuid,
5627 .task_fix_setuid = selinux_task_fix_setuid,
5628 .task_setgid = selinux_task_setgid,
5629 .task_setpgid = selinux_task_setpgid,
5630 .task_getpgid = selinux_task_getpgid,
5631 .task_getsid = selinux_task_getsid,
5632 .task_getsecid = selinux_task_getsecid,
5633 .task_setgroups = selinux_task_setgroups,
5634 .task_setnice = selinux_task_setnice,
5635 .task_setioprio = selinux_task_setioprio,
5636 .task_getioprio = selinux_task_getioprio,
5637 .task_setrlimit = selinux_task_setrlimit,
5638 .task_setscheduler = selinux_task_setscheduler,
5639 .task_getscheduler = selinux_task_getscheduler,
5640 .task_movememory = selinux_task_movememory,
5641 .task_kill = selinux_task_kill,
5642 .task_wait = selinux_task_wait,
5643 .task_prctl = selinux_task_prctl,
5644 .task_to_inode = selinux_task_to_inode,
5645
5646 .ipc_permission = selinux_ipc_permission,
5647 .ipc_getsecid = selinux_ipc_getsecid,
5648
5649 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5650 .msg_msg_free_security = selinux_msg_msg_free_security,
5651
5652 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5653 .msg_queue_free_security = selinux_msg_queue_free_security,
5654 .msg_queue_associate = selinux_msg_queue_associate,
5655 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5656 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5657 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5658
5659 .shm_alloc_security = selinux_shm_alloc_security,
5660 .shm_free_security = selinux_shm_free_security,
5661 .shm_associate = selinux_shm_associate,
5662 .shm_shmctl = selinux_shm_shmctl,
5663 .shm_shmat = selinux_shm_shmat,
5664
5665 .sem_alloc_security = selinux_sem_alloc_security,
5666 .sem_free_security = selinux_sem_free_security,
5667 .sem_associate = selinux_sem_associate,
5668 .sem_semctl = selinux_sem_semctl,
5669 .sem_semop = selinux_sem_semop,
5670
5671 .d_instantiate = selinux_d_instantiate,
5672
5673 .getprocattr = selinux_getprocattr,
5674 .setprocattr = selinux_setprocattr,
5675
5676 .secid_to_secctx = selinux_secid_to_secctx,
5677 .secctx_to_secid = selinux_secctx_to_secid,
5678 .release_secctx = selinux_release_secctx,
5679
5680 .unix_stream_connect = selinux_socket_unix_stream_connect,
5681 .unix_may_send = selinux_socket_unix_may_send,
5682
5683 .socket_create = selinux_socket_create,
5684 .socket_post_create = selinux_socket_post_create,
5685 .socket_bind = selinux_socket_bind,
5686 .socket_connect = selinux_socket_connect,
5687 .socket_listen = selinux_socket_listen,
5688 .socket_accept = selinux_socket_accept,
5689 .socket_sendmsg = selinux_socket_sendmsg,
5690 .socket_recvmsg = selinux_socket_recvmsg,
5691 .socket_getsockname = selinux_socket_getsockname,
5692 .socket_getpeername = selinux_socket_getpeername,
5693 .socket_getsockopt = selinux_socket_getsockopt,
5694 .socket_setsockopt = selinux_socket_setsockopt,
5695 .socket_shutdown = selinux_socket_shutdown,
5696 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5697 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5698 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5699 .sk_alloc_security = selinux_sk_alloc_security,
5700 .sk_free_security = selinux_sk_free_security,
5701 .sk_clone_security = selinux_sk_clone_security,
5702 .sk_getsecid = selinux_sk_getsecid,
5703 .sock_graft = selinux_sock_graft,
5704 .inet_conn_request = selinux_inet_conn_request,
5705 .inet_csk_clone = selinux_inet_csk_clone,
5706 .inet_conn_established = selinux_inet_conn_established,
5707 .req_classify_flow = selinux_req_classify_flow,
5708
5709 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5710 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5711 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5712 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5713 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5714 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5715 .xfrm_state_free_security = selinux_xfrm_state_free,
5716 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5717 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5718 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5719 .xfrm_decode_session = selinux_xfrm_decode_session,
5720 #endif
5721
5722 #ifdef CONFIG_KEYS
5723 .key_alloc = selinux_key_alloc,
5724 .key_free = selinux_key_free,
5725 .key_permission = selinux_key_permission,
5726 .key_getsecurity = selinux_key_getsecurity,
5727 #endif
5728
5729 #ifdef CONFIG_AUDIT
5730 .audit_rule_init = selinux_audit_rule_init,
5731 .audit_rule_known = selinux_audit_rule_known,
5732 .audit_rule_match = selinux_audit_rule_match,
5733 .audit_rule_free = selinux_audit_rule_free,
5734 #endif
5735 };
5736
5737 static __init int selinux_init(void)
5738 {
5739 if (!security_module_enable(&selinux_ops)) {
5740 selinux_enabled = 0;
5741 return 0;
5742 }
5743
5744 if (!selinux_enabled) {
5745 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5746 return 0;
5747 }
5748
5749 printk(KERN_INFO "SELinux: Initializing.\n");
5750
5751 /* Set the security state for the initial task. */
5752 cred_init_security();
5753
5754 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5755 sizeof(struct inode_security_struct),
5756 0, SLAB_PANIC, NULL);
5757 avc_init();
5758
5759 secondary_ops = security_ops;
5760 if (!secondary_ops)
5761 panic("SELinux: No initial security operations\n");
5762 if (register_security(&selinux_ops))
5763 panic("SELinux: Unable to register with kernel.\n");
5764
5765 if (selinux_enforcing)
5766 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5767 else
5768 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5769
5770 return 0;
5771 }
5772
5773 void selinux_complete_init(void)
5774 {
5775 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5776
5777 /* Set up any superblocks initialized prior to the policy load. */
5778 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5779 spin_lock(&sb_lock);
5780 spin_lock(&sb_security_lock);
5781 next_sb:
5782 if (!list_empty(&superblock_security_head)) {
5783 struct superblock_security_struct *sbsec =
5784 list_entry(superblock_security_head.next,
5785 struct superblock_security_struct,
5786 list);
5787 struct super_block *sb = sbsec->sb;
5788 sb->s_count++;
5789 spin_unlock(&sb_security_lock);
5790 spin_unlock(&sb_lock);
5791 down_read(&sb->s_umount);
5792 if (sb->s_root)
5793 superblock_doinit(sb, NULL);
5794 drop_super(sb);
5795 spin_lock(&sb_lock);
5796 spin_lock(&sb_security_lock);
5797 list_del_init(&sbsec->list);
5798 goto next_sb;
5799 }
5800 spin_unlock(&sb_security_lock);
5801 spin_unlock(&sb_lock);
5802 }
5803
5804 /* SELinux requires early initialization in order to label
5805 all processes and objects when they are created. */
5806 security_initcall(selinux_init);
5807
5808 #if defined(CONFIG_NETFILTER)
5809
5810 static struct nf_hook_ops selinux_ipv4_ops[] = {
5811 {
5812 .hook = selinux_ipv4_postroute,
5813 .owner = THIS_MODULE,
5814 .pf = PF_INET,
5815 .hooknum = NF_INET_POST_ROUTING,
5816 .priority = NF_IP_PRI_SELINUX_LAST,
5817 },
5818 {
5819 .hook = selinux_ipv4_forward,
5820 .owner = THIS_MODULE,
5821 .pf = PF_INET,
5822 .hooknum = NF_INET_FORWARD,
5823 .priority = NF_IP_PRI_SELINUX_FIRST,
5824 },
5825 {
5826 .hook = selinux_ipv4_output,
5827 .owner = THIS_MODULE,
5828 .pf = PF_INET,
5829 .hooknum = NF_INET_LOCAL_OUT,
5830 .priority = NF_IP_PRI_SELINUX_FIRST,
5831 }
5832 };
5833
5834 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5835
5836 static struct nf_hook_ops selinux_ipv6_ops[] = {
5837 {
5838 .hook = selinux_ipv6_postroute,
5839 .owner = THIS_MODULE,
5840 .pf = PF_INET6,
5841 .hooknum = NF_INET_POST_ROUTING,
5842 .priority = NF_IP6_PRI_SELINUX_LAST,
5843 },
5844 {
5845 .hook = selinux_ipv6_forward,
5846 .owner = THIS_MODULE,
5847 .pf = PF_INET6,
5848 .hooknum = NF_INET_FORWARD,
5849 .priority = NF_IP6_PRI_SELINUX_FIRST,
5850 }
5851 };
5852
5853 #endif /* IPV6 */
5854
5855 static int __init selinux_nf_ip_init(void)
5856 {
5857 int err = 0;
5858
5859 if (!selinux_enabled)
5860 goto out;
5861
5862 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5863
5864 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5865 if (err)
5866 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5867
5868 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5869 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5870 if (err)
5871 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5872 #endif /* IPV6 */
5873
5874 out:
5875 return err;
5876 }
5877
5878 __initcall(selinux_nf_ip_init);
5879
5880 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5881 static void selinux_nf_ip_exit(void)
5882 {
5883 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5884
5885 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5886 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5887 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5888 #endif /* IPV6 */
5889 }
5890 #endif
5891
5892 #else /* CONFIG_NETFILTER */
5893
5894 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5895 #define selinux_nf_ip_exit()
5896 #endif
5897
5898 #endif /* CONFIG_NETFILTER */
5899
5900 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5901 static int selinux_disabled;
5902
5903 int selinux_disable(void)
5904 {
5905 extern void exit_sel_fs(void);
5906
5907 if (ss_initialized) {
5908 /* Not permitted after initial policy load. */
5909 return -EINVAL;
5910 }
5911
5912 if (selinux_disabled) {
5913 /* Only do this once. */
5914 return -EINVAL;
5915 }
5916
5917 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5918
5919 selinux_disabled = 1;
5920 selinux_enabled = 0;
5921
5922 /* Reset security_ops to the secondary module, dummy or capability. */
5923 security_ops = secondary_ops;
5924
5925 /* Unregister netfilter hooks. */
5926 selinux_nf_ip_exit();
5927
5928 /* Unregister selinuxfs. */
5929 exit_sel_fs();
5930
5931 return 0;
5932 }
5933 #endif
Support for the Chinese Samsung S3C2440 based development boards