search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Security: split proc ptrace checking into read vs. attach
[linux-2.6.git] / security / selinux / hooks.c
blob4be156334b22f06a28631cc3952cbd161468f2a0
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/fdtable.h>
43 #include <linux/namei.h>
44 #include <linux/mount.h>
45 #include <linux/ext2_fs.h>
46 #include <linux/proc_fs.h>
47 #include <linux/kd.h>
48 #include <linux/netfilter_ipv4.h>
49 #include <linux/netfilter_ipv6.h>
50 #include <linux/tty.h>
51 #include <net/icmp.h>
52 #include <net/ip.h> /* for local_port_range[] */
53 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
54 #include <net/net_namespace.h>
55 #include <net/netlabel.h>
56 #include <linux/uaccess.h>
57 #include <asm/ioctls.h>
58 #include <asm/atomic.h>
59 #include <linux/bitops.h>
60 #include <linux/interrupt.h>
61 #include <linux/netdevice.h> /* for network interface checks */
62 #include <linux/netlink.h>
63 #include <linux/tcp.h>
64 #include <linux/udp.h>
65 #include <linux/dccp.h>
66 #include <linux/quota.h>
67 #include <linux/un.h> /* for Unix socket types */
68 #include <net/af_unix.h> /* for Unix socket types */
69 #include <linux/parser.h>
70 #include <linux/nfs_mount.h>
71 #include <net/ipv6.h>
72 #include <linux/hugetlb.h>
73 #include <linux/personality.h>
74 #include <linux/sysctl.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
110 return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
123 return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130 /* Original (dummy) security module. */
131 static struct security_operations *original_ops;
132
133 /* Minimal support for a secondary security module,
134 just to allow the use of the dummy or capability modules.
135 The owlsm module can alternatively be used as a secondary
136 module as long as CONFIG_OWLSM_FD is not enabled. */
137 static struct security_operations *secondary_ops;
138
139 /* Lists of inode and superblock security structures initialized
140 before the policy was loaded. */
141 static LIST_HEAD(superblock_security_head);
142 static DEFINE_SPINLOCK(sb_security_lock);
143
144 static struct kmem_cache *sel_inode_cache;
145
146 /**
147 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
148 *
149 * Description:
150 * This function checks the SECMARK reference counter to see if any SECMARK
151 * targets are currently configured, if the reference counter is greater than
152 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
153 * enabled, false (0) if SECMARK is disabled.
154 *
155 */
156 static int selinux_secmark_enabled(void)
157 {
158 return (atomic_read(&selinux_secmark_refcount) > 0);
159 }
160
161 /* Allocate and free functions for each kind of security blob. */
162
163 static int task_alloc_security(struct task_struct *task)
164 {
165 struct task_security_struct *tsec;
166
167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168 if (!tsec)
169 return -ENOMEM;
170
171 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
172 task->security = tsec;
173
174 return 0;
175 }
176
177 static void task_free_security(struct task_struct *task)
178 {
179 struct task_security_struct *tsec = task->security;
180 task->security = NULL;
181 kfree(tsec);
182 }
183
184 static int inode_alloc_security(struct inode *inode)
185 {
186 struct task_security_struct *tsec = current->security;
187 struct inode_security_struct *isec;
188
189 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
190 if (!isec)
191 return -ENOMEM;
192
193 mutex_init(&isec->lock);
194 INIT_LIST_HEAD(&isec->list);
195 isec->inode = inode;
196 isec->sid = SECINITSID_UNLABELED;
197 isec->sclass = SECCLASS_FILE;
198 isec->task_sid = tsec->sid;
199 inode->i_security = isec;
200
201 return 0;
202 }
203
204 static void inode_free_security(struct inode *inode)
205 {
206 struct inode_security_struct *isec = inode->i_security;
207 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
208
209 spin_lock(&sbsec->isec_lock);
210 if (!list_empty(&isec->list))
211 list_del_init(&isec->list);
212 spin_unlock(&sbsec->isec_lock);
213
214 inode->i_security = NULL;
215 kmem_cache_free(sel_inode_cache, isec);
216 }
217
218 static int file_alloc_security(struct file *file)
219 {
220 struct task_security_struct *tsec = current->security;
221 struct file_security_struct *fsec;
222
223 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
224 if (!fsec)
225 return -ENOMEM;
226
227 fsec->sid = tsec->sid;
228 fsec->fown_sid = tsec->sid;
229 file->f_security = fsec;
230
231 return 0;
232 }
233
234 static void file_free_security(struct file *file)
235 {
236 struct file_security_struct *fsec = file->f_security;
237 file->f_security = NULL;
238 kfree(fsec);
239 }
240
241 static int superblock_alloc_security(struct super_block *sb)
242 {
243 struct superblock_security_struct *sbsec;
244
245 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
246 if (!sbsec)
247 return -ENOMEM;
248
249 mutex_init(&sbsec->lock);
250 INIT_LIST_HEAD(&sbsec->list);
251 INIT_LIST_HEAD(&sbsec->isec_head);
252 spin_lock_init(&sbsec->isec_lock);
253 sbsec->sb = sb;
254 sbsec->sid = SECINITSID_UNLABELED;
255 sbsec->def_sid = SECINITSID_FILE;
256 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
257 sb->s_security = sbsec;
258
259 return 0;
260 }
261
262 static void superblock_free_security(struct super_block *sb)
263 {
264 struct superblock_security_struct *sbsec = sb->s_security;
265
266 spin_lock(&sb_security_lock);
267 if (!list_empty(&sbsec->list))
268 list_del_init(&sbsec->list);
269 spin_unlock(&sb_security_lock);
270
271 sb->s_security = NULL;
272 kfree(sbsec);
273 }
274
275 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
276 {
277 struct sk_security_struct *ssec;
278
279 ssec = kzalloc(sizeof(*ssec), priority);
280 if (!ssec)
281 return -ENOMEM;
282
283 ssec->peer_sid = SECINITSID_UNLABELED;
284 ssec->sid = SECINITSID_UNLABELED;
285 sk->sk_security = ssec;
286
287 selinux_netlbl_sk_security_reset(ssec, family);
288
289 return 0;
290 }
291
292 static void sk_free_security(struct sock *sk)
293 {
294 struct sk_security_struct *ssec = sk->sk_security;
295
296 sk->sk_security = NULL;
297 kfree(ssec);
298 }
299
300 /* The security server must be initialized before
301 any labeling or access decisions can be provided. */
302 extern int ss_initialized;
303
304 /* The file system's label must be initialized prior to use. */
305
306 static char *labeling_behaviors[6] = {
307 "uses xattr",
308 "uses transition SIDs",
309 "uses task SIDs",
310 "uses genfs_contexts",
311 "not configured for labeling",
312 "uses mountpoint labeling",
313 };
314
315 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
316
317 static inline int inode_doinit(struct inode *inode)
318 {
319 return inode_doinit_with_dentry(inode, NULL);
320 }
321
322 enum {
323 Opt_error = -1,
324 Opt_context = 1,
325 Opt_fscontext = 2,
326 Opt_defcontext = 3,
327 Opt_rootcontext = 4,
328 };
329
330 static match_table_t tokens = {
331 {Opt_context, CONTEXT_STR "%s"},
332 {Opt_fscontext, FSCONTEXT_STR "%s"},
333 {Opt_defcontext, DEFCONTEXT_STR "%s"},
334 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
335 {Opt_error, NULL},
336 };
337
338 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
339
340 static int may_context_mount_sb_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 struct task_security_struct *tsec)
343 {
344 int rc;
345
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
348 if (rc)
349 return rc;
350
351 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__RELABELTO, NULL);
353 return rc;
354 }
355
356 static int may_context_mount_inode_relabel(u32 sid,
357 struct superblock_security_struct *sbsec,
358 struct task_security_struct *tsec)
359 {
360 int rc;
361 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__RELABELFROM, NULL);
363 if (rc)
364 return rc;
365
366 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
367 FILESYSTEM__ASSOCIATE, NULL);
368 return rc;
369 }
370
371 static int sb_finish_set_opts(struct super_block *sb)
372 {
373 struct superblock_security_struct *sbsec = sb->s_security;
374 struct dentry *root = sb->s_root;
375 struct inode *root_inode = root->d_inode;
376 int rc = 0;
377
378 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
379 /* Make sure that the xattr handler exists and that no
380 error other than -ENODATA is returned by getxattr on
381 the root directory. -ENODATA is ok, as this may be
382 the first boot of the SELinux kernel before we have
383 assigned xattr values to the filesystem. */
384 if (!root_inode->i_op->getxattr) {
385 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
386 "xattr support\n", sb->s_id, sb->s_type->name);
387 rc = -EOPNOTSUPP;
388 goto out;
389 }
390 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
391 if (rc < 0 && rc != -ENODATA) {
392 if (rc == -EOPNOTSUPP)
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) has no security xattr handler\n",
395 sb->s_id, sb->s_type->name);
396 else
397 printk(KERN_WARNING "SELinux: (dev %s, type "
398 "%s) getxattr errno %d\n", sb->s_id,
399 sb->s_type->name, -rc);
400 goto out;
401 }
402 }
403
404 sbsec->initialized = 1;
405
406 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
407 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
408 sb->s_id, sb->s_type->name);
409 else
410 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
411 sb->s_id, sb->s_type->name,
412 labeling_behaviors[sbsec->behavior-1]);
413
414 /* Initialize the root inode. */
415 rc = inode_doinit_with_dentry(root_inode, root);
416
417 /* Initialize any other inodes associated with the superblock, e.g.
418 inodes created prior to initial policy load or inodes created
419 during get_sb by a pseudo filesystem that directly
420 populates itself. */
421 spin_lock(&sbsec->isec_lock);
422 next_inode:
423 if (!list_empty(&sbsec->isec_head)) {
424 struct inode_security_struct *isec =
425 list_entry(sbsec->isec_head.next,
426 struct inode_security_struct, list);
427 struct inode *inode = isec->inode;
428 spin_unlock(&sbsec->isec_lock);
429 inode = igrab(inode);
430 if (inode) {
431 if (!IS_PRIVATE(inode))
432 inode_doinit(inode);
433 iput(inode);
434 }
435 spin_lock(&sbsec->isec_lock);
436 list_del_init(&isec->list);
437 goto next_inode;
438 }
439 spin_unlock(&sbsec->isec_lock);
440 out:
441 return rc;
442 }
443
444 /*
445 * This function should allow an FS to ask what it's mount security
446 * options were so it can use those later for submounts, displaying
447 * mount options, or whatever.
448 */
449 static int selinux_get_mnt_opts(const struct super_block *sb,
450 struct security_mnt_opts *opts)
451 {
452 int rc = 0, i;
453 struct superblock_security_struct *sbsec = sb->s_security;
454 char *context = NULL;
455 u32 len;
456 char tmp;
457
458 security_init_mnt_opts(opts);
459
460 if (!sbsec->initialized)
461 return -EINVAL;
462
463 if (!ss_initialized)
464 return -EINVAL;
465
466 /*
467 * if we ever use sbsec flags for anything other than tracking mount
468 * settings this is going to need a mask
469 */
470 tmp = sbsec->flags;
471 /* count the number of mount options for this sb */
472 for (i = 0; i < 8; i++) {
473 if (tmp & 0x01)
474 opts->num_mnt_opts++;
475 tmp >>= 1;
476 }
477
478 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
479 if (!opts->mnt_opts) {
480 rc = -ENOMEM;
481 goto out_free;
482 }
483
484 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
485 if (!opts->mnt_opts_flags) {
486 rc = -ENOMEM;
487 goto out_free;
488 }
489
490 i = 0;
491 if (sbsec->flags & FSCONTEXT_MNT) {
492 rc = security_sid_to_context(sbsec->sid, &context, &len);
493 if (rc)
494 goto out_free;
495 opts->mnt_opts[i] = context;
496 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
497 }
498 if (sbsec->flags & CONTEXT_MNT) {
499 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
500 if (rc)
501 goto out_free;
502 opts->mnt_opts[i] = context;
503 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
504 }
505 if (sbsec->flags & DEFCONTEXT_MNT) {
506 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
507 if (rc)
508 goto out_free;
509 opts->mnt_opts[i] = context;
510 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
511 }
512 if (sbsec->flags & ROOTCONTEXT_MNT) {
513 struct inode *root = sbsec->sb->s_root->d_inode;
514 struct inode_security_struct *isec = root->i_security;
515
516 rc = security_sid_to_context(isec->sid, &context, &len);
517 if (rc)
518 goto out_free;
519 opts->mnt_opts[i] = context;
520 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
521 }
522
523 BUG_ON(i != opts->num_mnt_opts);
524
525 return 0;
526
527 out_free:
528 security_free_mnt_opts(opts);
529 return rc;
530 }
531
532 static int bad_option(struct superblock_security_struct *sbsec, char flag,
533 u32 old_sid, u32 new_sid)
534 {
535 /* check if the old mount command had the same options */
536 if (sbsec->initialized)
537 if (!(sbsec->flags & flag) ||
538 (old_sid != new_sid))
539 return 1;
540
541 /* check if we were passed the same options twice,
542 * aka someone passed context=a,context=b
543 */
544 if (!sbsec->initialized)
545 if (sbsec->flags & flag)
546 return 1;
547 return 0;
548 }
549
550 /*
551 * Allow filesystems with binary mount data to explicitly set mount point
552 * labeling information.
553 */
554 static int selinux_set_mnt_opts(struct super_block *sb,
555 struct security_mnt_opts *opts)
556 {
557 int rc = 0, i;
558 struct task_security_struct *tsec = current->security;
559 struct superblock_security_struct *sbsec = sb->s_security;
560 const char *name = sb->s_type->name;
561 struct inode *inode = sbsec->sb->s_root->d_inode;
562 struct inode_security_struct *root_isec = inode->i_security;
563 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564 u32 defcontext_sid = 0;
565 char **mount_options = opts->mnt_opts;
566 int *flags = opts->mnt_opts_flags;
567 int num_opts = opts->num_mnt_opts;
568
569 mutex_lock(&sbsec->lock);
570
571 if (!ss_initialized) {
572 if (!num_opts) {
573 /* Defer initialization until selinux_complete_init,
574 after the initial policy is loaded and the security
575 server is ready to handle calls. */
576 spin_lock(&sb_security_lock);
577 if (list_empty(&sbsec->list))
578 list_add(&sbsec->list, &superblock_security_head);
579 spin_unlock(&sb_security_lock);
580 goto out;
581 }
582 rc = -EINVAL;
583 printk(KERN_WARNING "SELinux: Unable to set superblock options "
584 "before the security server is initialized\n");
585 goto out;
586 }
587
588 /*
589 * Binary mount data FS will come through this function twice. Once
590 * from an explicit call and once from the generic calls from the vfs.
591 * Since the generic VFS calls will not contain any security mount data
592 * we need to skip the double mount verification.
593 *
594 * This does open a hole in which we will not notice if the first
595 * mount using this sb set explict options and a second mount using
596 * this sb does not set any security options. (The first options
597 * will be used for both mounts)
598 */
599 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
600 && (num_opts == 0))
601 goto out;
602
603 /*
604 * parse the mount options, check if they are valid sids.
605 * also check if someone is trying to mount the same sb more
606 * than once with different security options.
607 */
608 for (i = 0; i < num_opts; i++) {
609 u32 sid;
610 rc = security_context_to_sid(mount_options[i],
611 strlen(mount_options[i]), &sid);
612 if (rc) {
613 printk(KERN_WARNING "SELinux: security_context_to_sid"
614 "(%s) failed for (dev %s, type %s) errno=%d\n",
615 mount_options[i], sb->s_id, name, rc);
616 goto out;
617 }
618 switch (flags[i]) {
619 case FSCONTEXT_MNT:
620 fscontext_sid = sid;
621
622 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
623 fscontext_sid))
624 goto out_double_mount;
625
626 sbsec->flags |= FSCONTEXT_MNT;
627 break;
628 case CONTEXT_MNT:
629 context_sid = sid;
630
631 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
632 context_sid))
633 goto out_double_mount;
634
635 sbsec->flags |= CONTEXT_MNT;
636 break;
637 case ROOTCONTEXT_MNT:
638 rootcontext_sid = sid;
639
640 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
641 rootcontext_sid))
642 goto out_double_mount;
643
644 sbsec->flags |= ROOTCONTEXT_MNT;
645
646 break;
647 case DEFCONTEXT_MNT:
648 defcontext_sid = sid;
649
650 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
651 defcontext_sid))
652 goto out_double_mount;
653
654 sbsec->flags |= DEFCONTEXT_MNT;
655
656 break;
657 default:
658 rc = -EINVAL;
659 goto out;
660 }
661 }
662
663 if (sbsec->initialized) {
664 /* previously mounted with options, but not on this attempt? */
665 if (sbsec->flags && !num_opts)
666 goto out_double_mount;
667 rc = 0;
668 goto out;
669 }
670
671 if (strcmp(sb->s_type->name, "proc") == 0)
672 sbsec->proc = 1;
673
674 /* Determine the labeling behavior to use for this filesystem type. */
675 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
676 if (rc) {
677 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
678 __func__, sb->s_type->name, rc);
679 goto out;
680 }
681
682 /* sets the context of the superblock for the fs being mounted. */
683 if (fscontext_sid) {
684
685 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
686 if (rc)
687 goto out;
688
689 sbsec->sid = fscontext_sid;
690 }
691
692 /*
693 * Switch to using mount point labeling behavior.
694 * sets the label used on all file below the mountpoint, and will set
695 * the superblock context if not already set.
696 */
697 if (context_sid) {
698 if (!fscontext_sid) {
699 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
700 if (rc)
701 goto out;
702 sbsec->sid = context_sid;
703 } else {
704 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
705 if (rc)
706 goto out;
707 }
708 if (!rootcontext_sid)
709 rootcontext_sid = context_sid;
710
711 sbsec->mntpoint_sid = context_sid;
712 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
713 }
714
715 if (rootcontext_sid) {
716 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
717 if (rc)
718 goto out;
719
720 root_isec->sid = rootcontext_sid;
721 root_isec->initialized = 1;
722 }
723
724 if (defcontext_sid) {
725 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
726 rc = -EINVAL;
727 printk(KERN_WARNING "SELinux: defcontext option is "
728 "invalid for this filesystem type\n");
729 goto out;
730 }
731
732 if (defcontext_sid != sbsec->def_sid) {
733 rc = may_context_mount_inode_relabel(defcontext_sid,
734 sbsec, tsec);
735 if (rc)
736 goto out;
737 }
738
739 sbsec->def_sid = defcontext_sid;
740 }
741
742 rc = sb_finish_set_opts(sb);
743 out:
744 mutex_unlock(&sbsec->lock);
745 return rc;
746 out_double_mount:
747 rc = -EINVAL;
748 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
749 "security settings for (dev %s, type %s)\n", sb->s_id, name);
750 goto out;
751 }
752
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754 struct super_block *newsb)
755 {
756 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757 struct superblock_security_struct *newsbsec = newsb->s_security;
758
759 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
760 int set_context = (oldsbsec->flags & CONTEXT_MNT);
761 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
762
763 /*
764 * if the parent was able to be mounted it clearly had no special lsm
765 * mount options. thus we can safely put this sb on the list and deal
766 * with it later
767 */
768 if (!ss_initialized) {
769 spin_lock(&sb_security_lock);
770 if (list_empty(&newsbsec->list))
771 list_add(&newsbsec->list, &superblock_security_head);
772 spin_unlock(&sb_security_lock);
773 return;
774 }
775
776 /* how can we clone if the old one wasn't set up?? */
777 BUG_ON(!oldsbsec->initialized);
778
779 /* if fs is reusing a sb, just let its options stand... */
780 if (newsbsec->initialized)
781 return;
782
783 mutex_lock(&newsbsec->lock);
784
785 newsbsec->flags = oldsbsec->flags;
786
787 newsbsec->sid = oldsbsec->sid;
788 newsbsec->def_sid = oldsbsec->def_sid;
789 newsbsec->behavior = oldsbsec->behavior;
790
791 if (set_context) {
792 u32 sid = oldsbsec->mntpoint_sid;
793
794 if (!set_fscontext)
795 newsbsec->sid = sid;
796 if (!set_rootcontext) {
797 struct inode *newinode = newsb->s_root->d_inode;
798 struct inode_security_struct *newisec = newinode->i_security;
799 newisec->sid = sid;
800 }
801 newsbsec->mntpoint_sid = sid;
802 }
803 if (set_rootcontext) {
804 const struct inode *oldinode = oldsb->s_root->d_inode;
805 const struct inode_security_struct *oldisec = oldinode->i_security;
806 struct inode *newinode = newsb->s_root->d_inode;
807 struct inode_security_struct *newisec = newinode->i_security;
808
809 newisec->sid = oldisec->sid;
810 }
811
812 sb_finish_set_opts(newsb);
813 mutex_unlock(&newsbsec->lock);
814 }
815
816 static int selinux_parse_opts_str(char *options,
817 struct security_mnt_opts *opts)
818 {
819 char *p;
820 char *context = NULL, *defcontext = NULL;
821 char *fscontext = NULL, *rootcontext = NULL;
822 int rc, num_mnt_opts = 0;
823
824 opts->num_mnt_opts = 0;
825
826 /* Standard string-based options. */
827 while ((p = strsep(&options, "|")) != NULL) {
828 int token;
829 substring_t args[MAX_OPT_ARGS];
830
831 if (!*p)
832 continue;
833
834 token = match_token(p, tokens, args);
835
836 switch (token) {
837 case Opt_context:
838 if (context || defcontext) {
839 rc = -EINVAL;
840 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841 goto out_err;
842 }
843 context = match_strdup(&args[0]);
844 if (!context) {
845 rc = -ENOMEM;
846 goto out_err;
847 }
848 break;
849
850 case Opt_fscontext:
851 if (fscontext) {
852 rc = -EINVAL;
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854 goto out_err;
855 }
856 fscontext = match_strdup(&args[0]);
857 if (!fscontext) {
858 rc = -ENOMEM;
859 goto out_err;
860 }
861 break;
862
863 case Opt_rootcontext:
864 if (rootcontext) {
865 rc = -EINVAL;
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 goto out_err;
868 }
869 rootcontext = match_strdup(&args[0]);
870 if (!rootcontext) {
871 rc = -ENOMEM;
872 goto out_err;
873 }
874 break;
875
876 case Opt_defcontext:
877 if (context || defcontext) {
878 rc = -EINVAL;
879 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
880 goto out_err;
881 }
882 defcontext = match_strdup(&args[0]);
883 if (!defcontext) {
884 rc = -ENOMEM;
885 goto out_err;
886 }
887 break;
888
889 default:
890 rc = -EINVAL;
891 printk(KERN_WARNING "SELinux: unknown mount option\n");
892 goto out_err;
893
894 }
895 }
896
897 rc = -ENOMEM;
898 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
899 if (!opts->mnt_opts)
900 goto out_err;
901
902 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
903 if (!opts->mnt_opts_flags) {
904 kfree(opts->mnt_opts);
905 goto out_err;
906 }
907
908 if (fscontext) {
909 opts->mnt_opts[num_mnt_opts] = fscontext;
910 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
911 }
912 if (context) {
913 opts->mnt_opts[num_mnt_opts] = context;
914 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
915 }
916 if (rootcontext) {
917 opts->mnt_opts[num_mnt_opts] = rootcontext;
918 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
919 }
920 if (defcontext) {
921 opts->mnt_opts[num_mnt_opts] = defcontext;
922 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
923 }
924
925 opts->num_mnt_opts = num_mnt_opts;
926 return 0;
927
928 out_err:
929 kfree(context);
930 kfree(defcontext);
931 kfree(fscontext);
932 kfree(rootcontext);
933 return rc;
934 }
935 /*
936 * string mount options parsing and call set the sbsec
937 */
938 static int superblock_doinit(struct super_block *sb, void *data)
939 {
940 int rc = 0;
941 char *options = data;
942 struct security_mnt_opts opts;
943
944 security_init_mnt_opts(&opts);
945
946 if (!data)
947 goto out;
948
949 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
950
951 rc = selinux_parse_opts_str(options, &opts);
952 if (rc)
953 goto out_err;
954
955 out:
956 rc = selinux_set_mnt_opts(sb, &opts);
957
958 out_err:
959 security_free_mnt_opts(&opts);
960 return rc;
961 }
962
963 static inline u16 inode_mode_to_security_class(umode_t mode)
964 {
965 switch (mode & S_IFMT) {
966 case S_IFSOCK:
967 return SECCLASS_SOCK_FILE;
968 case S_IFLNK:
969 return SECCLASS_LNK_FILE;
970 case S_IFREG:
971 return SECCLASS_FILE;
972 case S_IFBLK:
973 return SECCLASS_BLK_FILE;
974 case S_IFDIR:
975 return SECCLASS_DIR;
976 case S_IFCHR:
977 return SECCLASS_CHR_FILE;
978 case S_IFIFO:
979 return SECCLASS_FIFO_FILE;
980
981 }
982
983 return SECCLASS_FILE;
984 }
985
986 static inline int default_protocol_stream(int protocol)
987 {
988 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
989 }
990
991 static inline int default_protocol_dgram(int protocol)
992 {
993 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
994 }
995
996 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
997 {
998 switch (family) {
999 case PF_UNIX:
1000 switch (type) {
1001 case SOCK_STREAM:
1002 case SOCK_SEQPACKET:
1003 return SECCLASS_UNIX_STREAM_SOCKET;
1004 case SOCK_DGRAM:
1005 return SECCLASS_UNIX_DGRAM_SOCKET;
1006 }
1007 break;
1008 case PF_INET:
1009 case PF_INET6:
1010 switch (type) {
1011 case SOCK_STREAM:
1012 if (default_protocol_stream(protocol))
1013 return SECCLASS_TCP_SOCKET;
1014 else
1015 return SECCLASS_RAWIP_SOCKET;
1016 case SOCK_DGRAM:
1017 if (default_protocol_dgram(protocol))
1018 return SECCLASS_UDP_SOCKET;
1019 else
1020 return SECCLASS_RAWIP_SOCKET;
1021 case SOCK_DCCP:
1022 return SECCLASS_DCCP_SOCKET;
1023 default:
1024 return SECCLASS_RAWIP_SOCKET;
1025 }
1026 break;
1027 case PF_NETLINK:
1028 switch (protocol) {
1029 case NETLINK_ROUTE:
1030 return SECCLASS_NETLINK_ROUTE_SOCKET;
1031 case NETLINK_FIREWALL:
1032 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1033 case NETLINK_INET_DIAG:
1034 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1035 case NETLINK_NFLOG:
1036 return SECCLASS_NETLINK_NFLOG_SOCKET;
1037 case NETLINK_XFRM:
1038 return SECCLASS_NETLINK_XFRM_SOCKET;
1039 case NETLINK_SELINUX:
1040 return SECCLASS_NETLINK_SELINUX_SOCKET;
1041 case NETLINK_AUDIT:
1042 return SECCLASS_NETLINK_AUDIT_SOCKET;
1043 case NETLINK_IP6_FW:
1044 return SECCLASS_NETLINK_IP6FW_SOCKET;
1045 case NETLINK_DNRTMSG:
1046 return SECCLASS_NETLINK_DNRT_SOCKET;
1047 case NETLINK_KOBJECT_UEVENT:
1048 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1049 default:
1050 return SECCLASS_NETLINK_SOCKET;
1051 }
1052 case PF_PACKET:
1053 return SECCLASS_PACKET_SOCKET;
1054 case PF_KEY:
1055 return SECCLASS_KEY_SOCKET;
1056 case PF_APPLETALK:
1057 return SECCLASS_APPLETALK_SOCKET;
1058 }
1059
1060 return SECCLASS_SOCKET;
1061 }
1062
1063 #ifdef CONFIG_PROC_FS
1064 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1065 u16 tclass,
1066 u32 *sid)
1067 {
1068 int buflen, rc;
1069 char *buffer, *path, *end;
1070
1071 buffer = (char *)__get_free_page(GFP_KERNEL);
1072 if (!buffer)
1073 return -ENOMEM;
1074
1075 buflen = PAGE_SIZE;
1076 end = buffer+buflen;
1077 *--end = '\0';
1078 buflen--;
1079 path = end-1;
1080 *path = '/';
1081 while (de && de != de->parent) {
1082 buflen -= de->namelen + 1;
1083 if (buflen < 0)
1084 break;
1085 end -= de->namelen;
1086 memcpy(end, de->name, de->namelen);
1087 *--end = '/';
1088 path = end;
1089 de = de->parent;
1090 }
1091 rc = security_genfs_sid("proc", path, tclass, sid);
1092 free_page((unsigned long)buffer);
1093 return rc;
1094 }
1095 #else
1096 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1097 u16 tclass,
1098 u32 *sid)
1099 {
1100 return -EINVAL;
1101 }
1102 #endif
1103
1104 /* The inode's security attributes must be initialized before first use. */
1105 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1106 {
1107 struct superblock_security_struct *sbsec = NULL;
1108 struct inode_security_struct *isec = inode->i_security;
1109 u32 sid;
1110 struct dentry *dentry;
1111 #define INITCONTEXTLEN 255
1112 char *context = NULL;
1113 unsigned len = 0;
1114 int rc = 0;
1115
1116 if (isec->initialized)
1117 goto out;
1118
1119 mutex_lock(&isec->lock);
1120 if (isec->initialized)
1121 goto out_unlock;
1122
1123 sbsec = inode->i_sb->s_security;
1124 if (!sbsec->initialized) {
1125 /* Defer initialization until selinux_complete_init,
1126 after the initial policy is loaded and the security
1127 server is ready to handle calls. */
1128 spin_lock(&sbsec->isec_lock);
1129 if (list_empty(&isec->list))
1130 list_add(&isec->list, &sbsec->isec_head);
1131 spin_unlock(&sbsec->isec_lock);
1132 goto out_unlock;
1133 }
1134
1135 switch (sbsec->behavior) {
1136 case SECURITY_FS_USE_XATTR:
1137 if (!inode->i_op->getxattr) {
1138 isec->sid = sbsec->def_sid;
1139 break;
1140 }
1141
1142 /* Need a dentry, since the xattr API requires one.
1143 Life would be simpler if we could just pass the inode. */
1144 if (opt_dentry) {
1145 /* Called from d_instantiate or d_splice_alias. */
1146 dentry = dget(opt_dentry);
1147 } else {
1148 /* Called from selinux_complete_init, try to find a dentry. */
1149 dentry = d_find_alias(inode);
1150 }
1151 if (!dentry) {
1152 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1153 "ino=%ld\n", __func__, inode->i_sb->s_id,
1154 inode->i_ino);
1155 goto out_unlock;
1156 }
1157
1158 len = INITCONTEXTLEN;
1159 context = kmalloc(len, GFP_NOFS);
1160 if (!context) {
1161 rc = -ENOMEM;
1162 dput(dentry);
1163 goto out_unlock;
1164 }
1165 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1166 context, len);
1167 if (rc == -ERANGE) {
1168 /* Need a larger buffer. Query for the right size. */
1169 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1170 NULL, 0);
1171 if (rc < 0) {
1172 dput(dentry);
1173 goto out_unlock;
1174 }
1175 kfree(context);
1176 len = rc;
1177 context = kmalloc(len, GFP_NOFS);
1178 if (!context) {
1179 rc = -ENOMEM;
1180 dput(dentry);
1181 goto out_unlock;
1182 }
1183 rc = inode->i_op->getxattr(dentry,
1184 XATTR_NAME_SELINUX,
1185 context, len);
1186 }
1187 dput(dentry);
1188 if (rc < 0) {
1189 if (rc != -ENODATA) {
1190 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1191 "%d for dev=%s ino=%ld\n", __func__,
1192 -rc, inode->i_sb->s_id, inode->i_ino);
1193 kfree(context);
1194 goto out_unlock;
1195 }
1196 /* Map ENODATA to the default file SID */
1197 sid = sbsec->def_sid;
1198 rc = 0;
1199 } else {
1200 rc = security_context_to_sid_default(context, rc, &sid,
1201 sbsec->def_sid,
1202 GFP_NOFS);
1203 if (rc) {
1204 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1205 "returned %d for dev=%s ino=%ld\n",
1206 __func__, context, -rc,
1207 inode->i_sb->s_id, inode->i_ino);
1208 kfree(context);
1209 /* Leave with the unlabeled SID */
1210 rc = 0;
1211 break;
1212 }
1213 }
1214 kfree(context);
1215 isec->sid = sid;
1216 break;
1217 case SECURITY_FS_USE_TASK:
1218 isec->sid = isec->task_sid;
1219 break;
1220 case SECURITY_FS_USE_TRANS:
1221 /* Default to the fs SID. */
1222 isec->sid = sbsec->sid;
1223
1224 /* Try to obtain a transition SID. */
1225 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1226 rc = security_transition_sid(isec->task_sid,
1227 sbsec->sid,
1228 isec->sclass,
1229 &sid);
1230 if (rc)
1231 goto out_unlock;
1232 isec->sid = sid;
1233 break;
1234 case SECURITY_FS_USE_MNTPOINT:
1235 isec->sid = sbsec->mntpoint_sid;
1236 break;
1237 default:
1238 /* Default to the fs superblock SID. */
1239 isec->sid = sbsec->sid;
1240
1241 if (sbsec->proc) {
1242 struct proc_inode *proci = PROC_I(inode);
1243 if (proci->pde) {
1244 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1245 rc = selinux_proc_get_sid(proci->pde,
1246 isec->sclass,
1247 &sid);
1248 if (rc)
1249 goto out_unlock;
1250 isec->sid = sid;
1251 }
1252 }
1253 break;
1254 }
1255
1256 isec->initialized = 1;
1257
1258 out_unlock:
1259 mutex_unlock(&isec->lock);
1260 out:
1261 if (isec->sclass == SECCLASS_FILE)
1262 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1263 return rc;
1264 }
1265
1266 /* Convert a Linux signal to an access vector. */
1267 static inline u32 signal_to_av(int sig)
1268 {
1269 u32 perm = 0;
1270
1271 switch (sig) {
1272 case SIGCHLD:
1273 /* Commonly granted from child to parent. */
1274 perm = PROCESS__SIGCHLD;
1275 break;
1276 case SIGKILL:
1277 /* Cannot be caught or ignored */
1278 perm = PROCESS__SIGKILL;
1279 break;
1280 case SIGSTOP:
1281 /* Cannot be caught or ignored */
1282 perm = PROCESS__SIGSTOP;
1283 break;
1284 default:
1285 /* All other signals. */
1286 perm = PROCESS__SIGNAL;
1287 break;
1288 }
1289
1290 return perm;
1291 }
1292
1293 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1294 fork check, ptrace check, etc. */
1295 static int task_has_perm(struct task_struct *tsk1,
1296 struct task_struct *tsk2,
1297 u32 perms)
1298 {
1299 struct task_security_struct *tsec1, *tsec2;
1300
1301 tsec1 = tsk1->security;
1302 tsec2 = tsk2->security;
1303 return avc_has_perm(tsec1->sid, tsec2->sid,
1304 SECCLASS_PROCESS, perms, NULL);
1305 }
1306
1307 #if CAP_LAST_CAP > 63
1308 #error Fix SELinux to handle capabilities > 63.
1309 #endif
1310
1311 /* Check whether a task is allowed to use a capability. */
1312 static int task_has_capability(struct task_struct *tsk,
1313 int cap)
1314 {
1315 struct task_security_struct *tsec;
1316 struct avc_audit_data ad;
1317 u16 sclass;
1318 u32 av = CAP_TO_MASK(cap);
1319
1320 tsec = tsk->security;
1321
1322 AVC_AUDIT_DATA_INIT(&ad, CAP);
1323 ad.tsk = tsk;
1324 ad.u.cap = cap;
1325
1326 switch (CAP_TO_INDEX(cap)) {
1327 case 0:
1328 sclass = SECCLASS_CAPABILITY;
1329 break;
1330 case 1:
1331 sclass = SECCLASS_CAPABILITY2;
1332 break;
1333 default:
1334 printk(KERN_ERR
1335 "SELinux: out of range capability %d\n", cap);
1336 BUG();
1337 }
1338 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1339 }
1340
1341 /* Check whether a task is allowed to use a system operation. */
1342 static int task_has_system(struct task_struct *tsk,
1343 u32 perms)
1344 {
1345 struct task_security_struct *tsec;
1346
1347 tsec = tsk->security;
1348
1349 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1350 SECCLASS_SYSTEM, perms, NULL);
1351 }
1352
1353 /* Check whether a task has a particular permission to an inode.
1354 The 'adp' parameter is optional and allows other audit
1355 data to be passed (e.g. the dentry). */
1356 static int inode_has_perm(struct task_struct *tsk,
1357 struct inode *inode,
1358 u32 perms,
1359 struct avc_audit_data *adp)
1360 {
1361 struct task_security_struct *tsec;
1362 struct inode_security_struct *isec;
1363 struct avc_audit_data ad;
1364
1365 if (unlikely(IS_PRIVATE(inode)))
1366 return 0;
1367
1368 tsec = tsk->security;
1369 isec = inode->i_security;
1370
1371 if (!adp) {
1372 adp = &ad;
1373 AVC_AUDIT_DATA_INIT(&ad, FS);
1374 ad.u.fs.inode = inode;
1375 }
1376
1377 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1378 }
1379
1380 /* Same as inode_has_perm, but pass explicit audit data containing
1381 the dentry to help the auditing code to more easily generate the
1382 pathname if needed. */
1383 static inline int dentry_has_perm(struct task_struct *tsk,
1384 struct vfsmount *mnt,
1385 struct dentry *dentry,
1386 u32 av)
1387 {
1388 struct inode *inode = dentry->d_inode;
1389 struct avc_audit_data ad;
1390 AVC_AUDIT_DATA_INIT(&ad, FS);
1391 ad.u.fs.path.mnt = mnt;
1392 ad.u.fs.path.dentry = dentry;
1393 return inode_has_perm(tsk, inode, av, &ad);
1394 }
1395
1396 /* Check whether a task can use an open file descriptor to
1397 access an inode in a given way. Check access to the
1398 descriptor itself, and then use dentry_has_perm to
1399 check a particular permission to the file.
1400 Access to the descriptor is implicitly granted if it
1401 has the same SID as the process. If av is zero, then
1402 access to the file is not checked, e.g. for cases
1403 where only the descriptor is affected like seek. */
1404 static int file_has_perm(struct task_struct *tsk,
1405 struct file *file,
1406 u32 av)
1407 {
1408 struct task_security_struct *tsec = tsk->security;
1409 struct file_security_struct *fsec = file->f_security;
1410 struct inode *inode = file->f_path.dentry->d_inode;
1411 struct avc_audit_data ad;
1412 int rc;
1413
1414 AVC_AUDIT_DATA_INIT(&ad, FS);
1415 ad.u.fs.path = file->f_path;
1416
1417 if (tsec->sid != fsec->sid) {
1418 rc = avc_has_perm(tsec->sid, fsec->sid,
1419 SECCLASS_FD,
1420 FD__USE,
1421 &ad);
1422 if (rc)
1423 return rc;
1424 }
1425
1426 /* av is zero if only checking access to the descriptor. */
1427 if (av)
1428 return inode_has_perm(tsk, inode, av, &ad);
1429
1430 return 0;
1431 }
1432
1433 /* Check whether a task can create a file. */
1434 static int may_create(struct inode *dir,
1435 struct dentry *dentry,
1436 u16 tclass)
1437 {
1438 struct task_security_struct *tsec;
1439 struct inode_security_struct *dsec;
1440 struct superblock_security_struct *sbsec;
1441 u32 newsid;
1442 struct avc_audit_data ad;
1443 int rc;
1444
1445 tsec = current->security;
1446 dsec = dir->i_security;
1447 sbsec = dir->i_sb->s_security;
1448
1449 AVC_AUDIT_DATA_INIT(&ad, FS);
1450 ad.u.fs.path.dentry = dentry;
1451
1452 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1453 DIR__ADD_NAME | DIR__SEARCH,
1454 &ad);
1455 if (rc)
1456 return rc;
1457
1458 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1459 newsid = tsec->create_sid;
1460 } else {
1461 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1462 &newsid);
1463 if (rc)
1464 return rc;
1465 }
1466
1467 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1468 if (rc)
1469 return rc;
1470
1471 return avc_has_perm(newsid, sbsec->sid,
1472 SECCLASS_FILESYSTEM,
1473 FILESYSTEM__ASSOCIATE, &ad);
1474 }
1475
1476 /* Check whether a task can create a key. */
1477 static int may_create_key(u32 ksid,
1478 struct task_struct *ctx)
1479 {
1480 struct task_security_struct *tsec;
1481
1482 tsec = ctx->security;
1483
1484 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1485 }
1486
1487 #define MAY_LINK 0
1488 #define MAY_UNLINK 1
1489 #define MAY_RMDIR 2
1490
1491 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1492 static int may_link(struct inode *dir,
1493 struct dentry *dentry,
1494 int kind)
1495
1496 {
1497 struct task_security_struct *tsec;
1498 struct inode_security_struct *dsec, *isec;
1499 struct avc_audit_data ad;
1500 u32 av;
1501 int rc;
1502
1503 tsec = current->security;
1504 dsec = dir->i_security;
1505 isec = dentry->d_inode->i_security;
1506
1507 AVC_AUDIT_DATA_INIT(&ad, FS);
1508 ad.u.fs.path.dentry = dentry;
1509
1510 av = DIR__SEARCH;
1511 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1512 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1513 if (rc)
1514 return rc;
1515
1516 switch (kind) {
1517 case MAY_LINK:
1518 av = FILE__LINK;
1519 break;
1520 case MAY_UNLINK:
1521 av = FILE__UNLINK;
1522 break;
1523 case MAY_RMDIR:
1524 av = DIR__RMDIR;
1525 break;
1526 default:
1527 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1528 __func__, kind);
1529 return 0;
1530 }
1531
1532 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1533 return rc;
1534 }
1535
1536 static inline int may_rename(struct inode *old_dir,
1537 struct dentry *old_dentry,
1538 struct inode *new_dir,
1539 struct dentry *new_dentry)
1540 {
1541 struct task_security_struct *tsec;
1542 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1543 struct avc_audit_data ad;
1544 u32 av;
1545 int old_is_dir, new_is_dir;
1546 int rc;
1547
1548 tsec = current->security;
1549 old_dsec = old_dir->i_security;
1550 old_isec = old_dentry->d_inode->i_security;
1551 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1552 new_dsec = new_dir->i_security;
1553
1554 AVC_AUDIT_DATA_INIT(&ad, FS);
1555
1556 ad.u.fs.path.dentry = old_dentry;
1557 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1558 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1559 if (rc)
1560 return rc;
1561 rc = avc_has_perm(tsec->sid, old_isec->sid,
1562 old_isec->sclass, FILE__RENAME, &ad);
1563 if (rc)
1564 return rc;
1565 if (old_is_dir && new_dir != old_dir) {
1566 rc = avc_has_perm(tsec->sid, old_isec->sid,
1567 old_isec->sclass, DIR__REPARENT, &ad);
1568 if (rc)
1569 return rc;
1570 }
1571
1572 ad.u.fs.path.dentry = new_dentry;
1573 av = DIR__ADD_NAME | DIR__SEARCH;
1574 if (new_dentry->d_inode)
1575 av |= DIR__REMOVE_NAME;
1576 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1577 if (rc)
1578 return rc;
1579 if (new_dentry->d_inode) {
1580 new_isec = new_dentry->d_inode->i_security;
1581 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1582 rc = avc_has_perm(tsec->sid, new_isec->sid,
1583 new_isec->sclass,
1584 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1585 if (rc)
1586 return rc;
1587 }
1588
1589 return 0;
1590 }
1591
1592 /* Check whether a task can perform a filesystem operation. */
1593 static int superblock_has_perm(struct task_struct *tsk,
1594 struct super_block *sb,
1595 u32 perms,
1596 struct avc_audit_data *ad)
1597 {
1598 struct task_security_struct *tsec;
1599 struct superblock_security_struct *sbsec;
1600
1601 tsec = tsk->security;
1602 sbsec = sb->s_security;
1603 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1604 perms, ad);
1605 }
1606
1607 /* Convert a Linux mode and permission mask to an access vector. */
1608 static inline u32 file_mask_to_av(int mode, int mask)
1609 {
1610 u32 av = 0;
1611
1612 if ((mode & S_IFMT) != S_IFDIR) {
1613 if (mask & MAY_EXEC)
1614 av |= FILE__EXECUTE;
1615 if (mask & MAY_READ)
1616 av |= FILE__READ;
1617
1618 if (mask & MAY_APPEND)
1619 av |= FILE__APPEND;
1620 else if (mask & MAY_WRITE)
1621 av |= FILE__WRITE;
1622
1623 } else {
1624 if (mask & MAY_EXEC)
1625 av |= DIR__SEARCH;
1626 if (mask & MAY_WRITE)
1627 av |= DIR__WRITE;
1628 if (mask & MAY_READ)
1629 av |= DIR__READ;
1630 }
1631
1632 return av;
1633 }
1634
1635 /*
1636 * Convert a file mask to an access vector and include the correct open
1637 * open permission.
1638 */
1639 static inline u32 open_file_mask_to_av(int mode, int mask)
1640 {
1641 u32 av = file_mask_to_av(mode, mask);
1642
1643 if (selinux_policycap_openperm) {
1644 /*
1645 * lnk files and socks do not really have an 'open'
1646 */
1647 if (S_ISREG(mode))
1648 av |= FILE__OPEN;
1649 else if (S_ISCHR(mode))
1650 av |= CHR_FILE__OPEN;
1651 else if (S_ISBLK(mode))
1652 av |= BLK_FILE__OPEN;
1653 else if (S_ISFIFO(mode))
1654 av |= FIFO_FILE__OPEN;
1655 else if (S_ISDIR(mode))
1656 av |= DIR__OPEN;
1657 else
1658 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1659 "unknown mode:%x\n", __func__, mode);
1660 }
1661 return av;
1662 }
1663
1664 /* Convert a Linux file to an access vector. */
1665 static inline u32 file_to_av(struct file *file)
1666 {
1667 u32 av = 0;
1668
1669 if (file->f_mode & FMODE_READ)
1670 av |= FILE__READ;
1671 if (file->f_mode & FMODE_WRITE) {
1672 if (file->f_flags & O_APPEND)
1673 av |= FILE__APPEND;
1674 else
1675 av |= FILE__WRITE;
1676 }
1677 if (!av) {
1678 /*
1679 * Special file opened with flags 3 for ioctl-only use.
1680 */
1681 av = FILE__IOCTL;
1682 }
1683
1684 return av;
1685 }
1686
1687 /* Hook functions begin here. */
1688
1689 static int selinux_ptrace(struct task_struct *parent,
1690 struct task_struct *child,
1691 unsigned int mode)
1692 {
1693 int rc;
1694
1695 rc = secondary_ops->ptrace(parent, child, mode);
1696 if (rc)
1697 return rc;
1698
1699 if (mode == PTRACE_MODE_READ) {
1700 struct task_security_struct *tsec = parent->security;
1701 struct task_security_struct *csec = child->security;
1702 return avc_has_perm(tsec->sid, csec->sid,
1703 SECCLASS_FILE, FILE__READ, NULL);
1704 }
1705
1706 return task_has_perm(parent, child, PROCESS__PTRACE);
1707 }
1708
1709 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1710 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1711 {
1712 int error;
1713
1714 error = task_has_perm(current, target, PROCESS__GETCAP);
1715 if (error)
1716 return error;
1717
1718 return secondary_ops->capget(target, effective, inheritable, permitted);
1719 }
1720
1721 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1722 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1723 {
1724 int error;
1725
1726 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1727 if (error)
1728 return error;
1729
1730 return task_has_perm(current, target, PROCESS__SETCAP);
1731 }
1732
1733 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1734 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1735 {
1736 secondary_ops->capset_set(target, effective, inheritable, permitted);
1737 }
1738
1739 static int selinux_capable(struct task_struct *tsk, int cap)
1740 {
1741 int rc;
1742
1743 rc = secondary_ops->capable(tsk, cap);
1744 if (rc)
1745 return rc;
1746
1747 return task_has_capability(tsk, cap);
1748 }
1749
1750 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1751 {
1752 int buflen, rc;
1753 char *buffer, *path, *end;
1754
1755 rc = -ENOMEM;
1756 buffer = (char *)__get_free_page(GFP_KERNEL);
1757 if (!buffer)
1758 goto out;
1759
1760 buflen = PAGE_SIZE;
1761 end = buffer+buflen;
1762 *--end = '\0';
1763 buflen--;
1764 path = end-1;
1765 *path = '/';
1766 while (table) {
1767 const char *name = table->procname;
1768 size_t namelen = strlen(name);
1769 buflen -= namelen + 1;
1770 if (buflen < 0)
1771 goto out_free;
1772 end -= namelen;
1773 memcpy(end, name, namelen);
1774 *--end = '/';
1775 path = end;
1776 table = table->parent;
1777 }
1778 buflen -= 4;
1779 if (buflen < 0)
1780 goto out_free;
1781 end -= 4;
1782 memcpy(end, "/sys", 4);
1783 path = end;
1784 rc = security_genfs_sid("proc", path, tclass, sid);
1785 out_free:
1786 free_page((unsigned long)buffer);
1787 out:
1788 return rc;
1789 }
1790
1791 static int selinux_sysctl(ctl_table *table, int op)
1792 {
1793 int error = 0;
1794 u32 av;
1795 struct task_security_struct *tsec;
1796 u32 tsid;
1797 int rc;
1798
1799 rc = secondary_ops->sysctl(table, op);
1800 if (rc)
1801 return rc;
1802
1803 tsec = current->security;
1804
1805 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1806 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1807 if (rc) {
1808 /* Default to the well-defined sysctl SID. */
1809 tsid = SECINITSID_SYSCTL;
1810 }
1811
1812 /* The op values are "defined" in sysctl.c, thereby creating
1813 * a bad coupling between this module and sysctl.c */
1814 if (op == 001) {
1815 error = avc_has_perm(tsec->sid, tsid,
1816 SECCLASS_DIR, DIR__SEARCH, NULL);
1817 } else {
1818 av = 0;
1819 if (op & 004)
1820 av |= FILE__READ;
1821 if (op & 002)
1822 av |= FILE__WRITE;
1823 if (av)
1824 error = avc_has_perm(tsec->sid, tsid,
1825 SECCLASS_FILE, av, NULL);
1826 }
1827
1828 return error;
1829 }
1830
1831 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1832 {
1833 int rc = 0;
1834
1835 if (!sb)
1836 return 0;
1837
1838 switch (cmds) {
1839 case Q_SYNC:
1840 case Q_QUOTAON:
1841 case Q_QUOTAOFF:
1842 case Q_SETINFO:
1843 case Q_SETQUOTA:
1844 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1845 NULL);
1846 break;
1847 case Q_GETFMT:
1848 case Q_GETINFO:
1849 case Q_GETQUOTA:
1850 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1851 NULL);
1852 break;
1853 default:
1854 rc = 0; /* let the kernel handle invalid cmds */
1855 break;
1856 }
1857 return rc;
1858 }
1859
1860 static int selinux_quota_on(struct dentry *dentry)
1861 {
1862 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1863 }
1864
1865 static int selinux_syslog(int type)
1866 {
1867 int rc;
1868
1869 rc = secondary_ops->syslog(type);
1870 if (rc)
1871 return rc;
1872
1873 switch (type) {
1874 case 3: /* Read last kernel messages */
1875 case 10: /* Return size of the log buffer */
1876 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1877 break;
1878 case 6: /* Disable logging to console */
1879 case 7: /* Enable logging to console */
1880 case 8: /* Set level of messages printed to console */
1881 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1882 break;
1883 case 0: /* Close log */
1884 case 1: /* Open log */
1885 case 2: /* Read from log */
1886 case 4: /* Read/clear last kernel messages */
1887 case 5: /* Clear ring buffer */
1888 default:
1889 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1890 break;
1891 }
1892 return rc;
1893 }
1894
1895 /*
1896 * Check that a process has enough memory to allocate a new virtual
1897 * mapping. 0 means there is enough memory for the allocation to
1898 * succeed and -ENOMEM implies there is not.
1899 *
1900 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1901 * if the capability is granted, but __vm_enough_memory requires 1 if
1902 * the capability is granted.
1903 *
1904 * Do not audit the selinux permission check, as this is applied to all
1905 * processes that allocate mappings.
1906 */
1907 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1908 {
1909 int rc, cap_sys_admin = 0;
1910 struct task_security_struct *tsec = current->security;
1911
1912 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1913 if (rc == 0)
1914 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1915 SECCLASS_CAPABILITY,
1916 CAP_TO_MASK(CAP_SYS_ADMIN),
1917 0,
1918 NULL);
1919
1920 if (rc == 0)
1921 cap_sys_admin = 1;
1922
1923 return __vm_enough_memory(mm, pages, cap_sys_admin);
1924 }
1925
1926 /**
1927 * task_tracer_task - return the task that is tracing the given task
1928 * @task: task to consider
1929 *
1930 * Returns NULL if noone is tracing @task, or the &struct task_struct
1931 * pointer to its tracer.
1932 *
1933 * Must be called under rcu_read_lock().
1934 */
1935 static struct task_struct *task_tracer_task(struct task_struct *task)
1936 {
1937 if (task->ptrace & PT_PTRACED)
1938 return rcu_dereference(task->parent);
1939 return NULL;
1940 }
1941
1942 /* binprm security operations */
1943
1944 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1945 {
1946 struct bprm_security_struct *bsec;
1947
1948 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1949 if (!bsec)
1950 return -ENOMEM;
1951
1952 bsec->sid = SECINITSID_UNLABELED;
1953 bsec->set = 0;
1954
1955 bprm->security = bsec;
1956 return 0;
1957 }
1958
1959 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1960 {
1961 struct task_security_struct *tsec;
1962 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1963 struct inode_security_struct *isec;
1964 struct bprm_security_struct *bsec;
1965 u32 newsid;
1966 struct avc_audit_data ad;
1967 int rc;
1968
1969 rc = secondary_ops->bprm_set_security(bprm);
1970 if (rc)
1971 return rc;
1972
1973 bsec = bprm->security;
1974
1975 if (bsec->set)
1976 return 0;
1977
1978 tsec = current->security;
1979 isec = inode->i_security;
1980
1981 /* Default to the current task SID. */
1982 bsec->sid = tsec->sid;
1983
1984 /* Reset fs, key, and sock SIDs on execve. */
1985 tsec->create_sid = 0;
1986 tsec->keycreate_sid = 0;
1987 tsec->sockcreate_sid = 0;
1988
1989 if (tsec->exec_sid) {
1990 newsid = tsec->exec_sid;
1991 /* Reset exec SID on execve. */
1992 tsec->exec_sid = 0;
1993 } else {
1994 /* Check for a default transition on this program. */
1995 rc = security_transition_sid(tsec->sid, isec->sid,
1996 SECCLASS_PROCESS, &newsid);
1997 if (rc)
1998 return rc;
1999 }
2000
2001 AVC_AUDIT_DATA_INIT(&ad, FS);
2002 ad.u.fs.path = bprm->file->f_path;
2003
2004 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2005 newsid = tsec->sid;
2006
2007 if (tsec->sid == newsid) {
2008 rc = avc_has_perm(tsec->sid, isec->sid,
2009 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2010 if (rc)
2011 return rc;
2012 } else {
2013 /* Check permissions for the transition. */
2014 rc = avc_has_perm(tsec->sid, newsid,
2015 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2016 if (rc)
2017 return rc;
2018
2019 rc = avc_has_perm(newsid, isec->sid,
2020 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2021 if (rc)
2022 return rc;
2023
2024 /* Clear any possibly unsafe personality bits on exec: */
2025 current->personality &= ~PER_CLEAR_ON_SETID;
2026
2027 /* Set the security field to the new SID. */
2028 bsec->sid = newsid;
2029 }
2030
2031 bsec->set = 1;
2032 return 0;
2033 }
2034
2035 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2036 {
2037 return secondary_ops->bprm_check_security(bprm);
2038 }
2039
2040
2041 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2042 {
2043 struct task_security_struct *tsec = current->security;
2044 int atsecure = 0;
2045
2046 if (tsec->osid != tsec->sid) {
2047 /* Enable secure mode for SIDs transitions unless
2048 the noatsecure permission is granted between
2049 the two SIDs, i.e. ahp returns 0. */
2050 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2051 SECCLASS_PROCESS,
2052 PROCESS__NOATSECURE, NULL);
2053 }
2054
2055 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2056 }
2057
2058 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2059 {
2060 kfree(bprm->security);
2061 bprm->security = NULL;
2062 }
2063
2064 extern struct vfsmount *selinuxfs_mount;
2065 extern struct dentry *selinux_null;
2066
2067 /* Derived from fs/exec.c:flush_old_files. */
2068 static inline void flush_unauthorized_files(struct files_struct *files)
2069 {
2070 struct avc_audit_data ad;
2071 struct file *file, *devnull = NULL;
2072 struct tty_struct *tty;
2073 struct fdtable *fdt;
2074 long j = -1;
2075 int drop_tty = 0;
2076
2077 mutex_lock(&tty_mutex);
2078 tty = get_current_tty();
2079 if (tty) {
2080 file_list_lock();
2081 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2082 if (file) {
2083 /* Revalidate access to controlling tty.
2084 Use inode_has_perm on the tty inode directly rather
2085 than using file_has_perm, as this particular open
2086 file may belong to another process and we are only
2087 interested in the inode-based check here. */
2088 struct inode *inode = file->f_path.dentry->d_inode;
2089 if (inode_has_perm(current, inode,
2090 FILE__READ | FILE__WRITE, NULL)) {
2091 drop_tty = 1;
2092 }
2093 }
2094 file_list_unlock();
2095 }
2096 mutex_unlock(&tty_mutex);
2097 /* Reset controlling tty. */
2098 if (drop_tty)
2099 no_tty();
2100
2101 /* Revalidate access to inherited open files. */
2102
2103 AVC_AUDIT_DATA_INIT(&ad, FS);
2104
2105 spin_lock(&files->file_lock);
2106 for (;;) {
2107 unsigned long set, i;
2108 int fd;
2109
2110 j++;
2111 i = j * __NFDBITS;
2112 fdt = files_fdtable(files);
2113 if (i >= fdt->max_fds)
2114 break;
2115 set = fdt->open_fds->fds_bits[j];
2116 if (!set)
2117 continue;
2118 spin_unlock(&files->file_lock);
2119 for ( ; set ; i++, set >>= 1) {
2120 if (set & 1) {
2121 file = fget(i);
2122 if (!file)
2123 continue;
2124 if (file_has_perm(current,
2125 file,
2126 file_to_av(file))) {
2127 sys_close(i);
2128 fd = get_unused_fd();
2129 if (fd != i) {
2130 if (fd >= 0)
2131 put_unused_fd(fd);
2132 fput(file);
2133 continue;
2134 }
2135 if (devnull) {
2136 get_file(devnull);
2137 } else {
2138 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2139 if (IS_ERR(devnull)) {
2140 devnull = NULL;
2141 put_unused_fd(fd);
2142 fput(file);
2143 continue;
2144 }
2145 }
2146 fd_install(fd, devnull);
2147 }
2148 fput(file);
2149 }
2150 }
2151 spin_lock(&files->file_lock);
2152
2153 }
2154 spin_unlock(&files->file_lock);
2155 }
2156
2157 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2158 {
2159 struct task_security_struct *tsec;
2160 struct bprm_security_struct *bsec;
2161 u32 sid;
2162 int rc;
2163
2164 secondary_ops->bprm_apply_creds(bprm, unsafe);
2165
2166 tsec = current->security;
2167
2168 bsec = bprm->security;
2169 sid = bsec->sid;
2170
2171 tsec->osid = tsec->sid;
2172 bsec->unsafe = 0;
2173 if (tsec->sid != sid) {
2174 /* Check for shared state. If not ok, leave SID
2175 unchanged and kill. */
2176 if (unsafe & LSM_UNSAFE_SHARE) {
2177 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2178 PROCESS__SHARE, NULL);
2179 if (rc) {
2180 bsec->unsafe = 1;
2181 return;
2182 }
2183 }
2184
2185 /* Check for ptracing, and update the task SID if ok.
2186 Otherwise, leave SID unchanged and kill. */
2187 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2188 struct task_struct *tracer;
2189 struct task_security_struct *sec;
2190 u32 ptsid = 0;
2191
2192 rcu_read_lock();
2193 tracer = task_tracer_task(current);
2194 if (likely(tracer != NULL)) {
2195 sec = tracer->security;
2196 ptsid = sec->sid;
2197 }
2198 rcu_read_unlock();
2199
2200 if (ptsid != 0) {
2201 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2202 PROCESS__PTRACE, NULL);
2203 if (rc) {
2204 bsec->unsafe = 1;
2205 return;
2206 }
2207 }
2208 }
2209 tsec->sid = sid;
2210 }
2211 }
2212
2213 /*
2214 * called after apply_creds without the task lock held
2215 */
2216 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2217 {
2218 struct task_security_struct *tsec;
2219 struct rlimit *rlim, *initrlim;
2220 struct itimerval itimer;
2221 struct bprm_security_struct *bsec;
2222 int rc, i;
2223
2224 tsec = current->security;
2225 bsec = bprm->security;
2226
2227 if (bsec->unsafe) {
2228 force_sig_specific(SIGKILL, current);
2229 return;
2230 }
2231 if (tsec->osid == tsec->sid)
2232 return;
2233
2234 /* Close files for which the new task SID is not authorized. */
2235 flush_unauthorized_files(current->files);
2236
2237 /* Check whether the new SID can inherit signal state
2238 from the old SID. If not, clear itimers to avoid
2239 subsequent signal generation and flush and unblock
2240 signals. This must occur _after_ the task SID has
2241 been updated so that any kill done after the flush
2242 will be checked against the new SID. */
2243 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2244 PROCESS__SIGINH, NULL);
2245 if (rc) {
2246 memset(&itimer, 0, sizeof itimer);
2247 for (i = 0; i < 3; i++)
2248 do_setitimer(i, &itimer, NULL);
2249 flush_signals(current);
2250 spin_lock_irq(&current->sighand->siglock);
2251 flush_signal_handlers(current, 1);
2252 sigemptyset(&current->blocked);
2253 recalc_sigpending();
2254 spin_unlock_irq(&current->sighand->siglock);
2255 }
2256
2257 /* Always clear parent death signal on SID transitions. */
2258 current->pdeath_signal = 0;
2259
2260 /* Check whether the new SID can inherit resource limits
2261 from the old SID. If not, reset all soft limits to
2262 the lower of the current task's hard limit and the init
2263 task's soft limit. Note that the setting of hard limits
2264 (even to lower them) can be controlled by the setrlimit
2265 check. The inclusion of the init task's soft limit into
2266 the computation is to avoid resetting soft limits higher
2267 than the default soft limit for cases where the default
2268 is lower than the hard limit, e.g. RLIMIT_CORE or
2269 RLIMIT_STACK.*/
2270 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2271 PROCESS__RLIMITINH, NULL);
2272 if (rc) {
2273 for (i = 0; i < RLIM_NLIMITS; i++) {
2274 rlim = current->signal->rlim + i;
2275 initrlim = init_task.signal->rlim+i;
2276 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2277 }
2278 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2279 /*
2280 * This will cause RLIMIT_CPU calculations
2281 * to be refigured.
2282 */
2283 current->it_prof_expires = jiffies_to_cputime(1);
2284 }
2285 }
2286
2287 /* Wake up the parent if it is waiting so that it can
2288 recheck wait permission to the new task SID. */
2289 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2290 }
2291
2292 /* superblock security operations */
2293
2294 static int selinux_sb_alloc_security(struct super_block *sb)
2295 {
2296 return superblock_alloc_security(sb);
2297 }
2298
2299 static void selinux_sb_free_security(struct super_block *sb)
2300 {
2301 superblock_free_security(sb);
2302 }
2303
2304 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2305 {
2306 if (plen > olen)
2307 return 0;
2308
2309 return !memcmp(prefix, option, plen);
2310 }
2311
2312 static inline int selinux_option(char *option, int len)
2313 {
2314 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2315 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2316 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2317 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2318 }
2319
2320 static inline void take_option(char **to, char *from, int *first, int len)
2321 {
2322 if (!*first) {
2323 **to = ',';
2324 *to += 1;
2325 } else
2326 *first = 0;
2327 memcpy(*to, from, len);
2328 *to += len;
2329 }
2330
2331 static inline void take_selinux_option(char **to, char *from, int *first,
2332 int len)
2333 {
2334 int current_size = 0;
2335
2336 if (!*first) {
2337 **to = '|';
2338 *to += 1;
2339 } else
2340 *first = 0;
2341
2342 while (current_size < len) {
2343 if (*from != '"') {
2344 **to = *from;
2345 *to += 1;
2346 }
2347 from += 1;
2348 current_size += 1;
2349 }
2350 }
2351
2352 static int selinux_sb_copy_data(char *orig, char *copy)
2353 {
2354 int fnosec, fsec, rc = 0;
2355 char *in_save, *in_curr, *in_end;
2356 char *sec_curr, *nosec_save, *nosec;
2357 int open_quote = 0;
2358
2359 in_curr = orig;
2360 sec_curr = copy;
2361
2362 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2363 if (!nosec) {
2364 rc = -ENOMEM;
2365 goto out;
2366 }
2367
2368 nosec_save = nosec;
2369 fnosec = fsec = 1;
2370 in_save = in_end = orig;
2371
2372 do {
2373 if (*in_end == '"')
2374 open_quote = !open_quote;
2375 if ((*in_end == ',' && open_quote == 0) ||
2376 *in_end == '\0') {
2377 int len = in_end - in_curr;
2378
2379 if (selinux_option(in_curr, len))
2380 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2381 else
2382 take_option(&nosec, in_curr, &fnosec, len);
2383
2384 in_curr = in_end + 1;
2385 }
2386 } while (*in_end++);
2387
2388 strcpy(in_save, nosec_save);
2389 free_page((unsigned long)nosec_save);
2390 out:
2391 return rc;
2392 }
2393
2394 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2395 {
2396 struct avc_audit_data ad;
2397 int rc;
2398
2399 rc = superblock_doinit(sb, data);
2400 if (rc)
2401 return rc;
2402
2403 AVC_AUDIT_DATA_INIT(&ad, FS);
2404 ad.u.fs.path.dentry = sb->s_root;
2405 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2406 }
2407
2408 static int selinux_sb_statfs(struct dentry *dentry)
2409 {
2410 struct avc_audit_data ad;
2411
2412 AVC_AUDIT_DATA_INIT(&ad, FS);
2413 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2414 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2415 }
2416
2417 static int selinux_mount(char *dev_name,
2418 struct path *path,
2419 char *type,
2420 unsigned long flags,
2421 void *data)
2422 {
2423 int rc;
2424
2425 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2426 if (rc)
2427 return rc;
2428
2429 if (flags & MS_REMOUNT)
2430 return superblock_has_perm(current, path->mnt->mnt_sb,
2431 FILESYSTEM__REMOUNT, NULL);
2432 else
2433 return dentry_has_perm(current, path->mnt, path->dentry,
2434 FILE__MOUNTON);
2435 }
2436
2437 static int selinux_umount(struct vfsmount *mnt, int flags)
2438 {
2439 int rc;
2440
2441 rc = secondary_ops->sb_umount(mnt, flags);
2442 if (rc)
2443 return rc;
2444
2445 return superblock_has_perm(current, mnt->mnt_sb,
2446 FILESYSTEM__UNMOUNT, NULL);
2447 }
2448
2449 /* inode security operations */
2450
2451 static int selinux_inode_alloc_security(struct inode *inode)
2452 {
2453 return inode_alloc_security(inode);
2454 }
2455
2456 static void selinux_inode_free_security(struct inode *inode)
2457 {
2458 inode_free_security(inode);
2459 }
2460
2461 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2462 char **name, void **value,
2463 size_t *len)
2464 {
2465 struct task_security_struct *tsec;
2466 struct inode_security_struct *dsec;
2467 struct superblock_security_struct *sbsec;
2468 u32 newsid, clen;
2469 int rc;
2470 char *namep = NULL, *context;
2471
2472 tsec = current->security;
2473 dsec = dir->i_security;
2474 sbsec = dir->i_sb->s_security;
2475
2476 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2477 newsid = tsec->create_sid;
2478 } else {
2479 rc = security_transition_sid(tsec->sid, dsec->sid,
2480 inode_mode_to_security_class(inode->i_mode),
2481 &newsid);
2482 if (rc) {
2483 printk(KERN_WARNING "%s: "
2484 "security_transition_sid failed, rc=%d (dev=%s "
2485 "ino=%ld)\n",
2486 __func__,
2487 -rc, inode->i_sb->s_id, inode->i_ino);
2488 return rc;
2489 }
2490 }
2491
2492 /* Possibly defer initialization to selinux_complete_init. */
2493 if (sbsec->initialized) {
2494 struct inode_security_struct *isec = inode->i_security;
2495 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2496 isec->sid = newsid;
2497 isec->initialized = 1;
2498 }
2499
2500 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2501 return -EOPNOTSUPP;
2502
2503 if (name) {
2504 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2505 if (!namep)
2506 return -ENOMEM;
2507 *name = namep;
2508 }
2509
2510 if (value && len) {
2511 rc = security_sid_to_context_force(newsid, &context, &clen);
2512 if (rc) {
2513 kfree(namep);
2514 return rc;
2515 }
2516 *value = context;
2517 *len = clen;
2518 }
2519
2520 return 0;
2521 }
2522
2523 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2524 {
2525 return may_create(dir, dentry, SECCLASS_FILE);
2526 }
2527
2528 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2529 {
2530 int rc;
2531
2532 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2533 if (rc)
2534 return rc;
2535 return may_link(dir, old_dentry, MAY_LINK);
2536 }
2537
2538 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2539 {
2540 int rc;
2541
2542 rc = secondary_ops->inode_unlink(dir, dentry);
2543 if (rc)
2544 return rc;
2545 return may_link(dir, dentry, MAY_UNLINK);
2546 }
2547
2548 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2549 {
2550 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2551 }
2552
2553 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2554 {
2555 return may_create(dir, dentry, SECCLASS_DIR);
2556 }
2557
2558 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2559 {
2560 return may_link(dir, dentry, MAY_RMDIR);
2561 }
2562
2563 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2564 {
2565 int rc;
2566
2567 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2568 if (rc)
2569 return rc;
2570
2571 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2572 }
2573
2574 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2575 struct inode *new_inode, struct dentry *new_dentry)
2576 {
2577 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2578 }
2579
2580 static int selinux_inode_readlink(struct dentry *dentry)
2581 {
2582 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2583 }
2584
2585 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2586 {
2587 int rc;
2588
2589 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2590 if (rc)
2591 return rc;
2592 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2593 }
2594
2595 static int selinux_inode_permission(struct inode *inode, int mask,
2596 struct nameidata *nd)
2597 {
2598 int rc;
2599
2600 rc = secondary_ops->inode_permission(inode, mask, nd);
2601 if (rc)
2602 return rc;
2603
2604 if (!mask) {
2605 /* No permission to check. Existence test. */
2606 return 0;
2607 }
2608
2609 return inode_has_perm(current, inode,
2610 open_file_mask_to_av(inode->i_mode, mask), NULL);
2611 }
2612
2613 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2614 {
2615 int rc;
2616
2617 rc = secondary_ops->inode_setattr(dentry, iattr);
2618 if (rc)
2619 return rc;
2620
2621 if (iattr->ia_valid & ATTR_FORCE)
2622 return 0;
2623
2624 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2625 ATTR_ATIME_SET | ATTR_MTIME_SET))
2626 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2627
2628 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2629 }
2630
2631 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2632 {
2633 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2634 }
2635
2636 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2637 {
2638 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2639 sizeof XATTR_SECURITY_PREFIX - 1)) {
2640 if (!strcmp(name, XATTR_NAME_CAPS)) {
2641 if (!capable(CAP_SETFCAP))
2642 return -EPERM;
2643 } else if (!capable(CAP_SYS_ADMIN)) {
2644 /* A different attribute in the security namespace.
2645 Restrict to administrator. */
2646 return -EPERM;
2647 }
2648 }
2649
2650 /* Not an attribute we recognize, so just check the
2651 ordinary setattr permission. */
2652 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2653 }
2654
2655 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2656 const void *value, size_t size, int flags)
2657 {
2658 struct task_security_struct *tsec = current->security;
2659 struct inode *inode = dentry->d_inode;
2660 struct inode_security_struct *isec = inode->i_security;
2661 struct superblock_security_struct *sbsec;
2662 struct avc_audit_data ad;
2663 u32 newsid;
2664 int rc = 0;
2665
2666 if (strcmp(name, XATTR_NAME_SELINUX))
2667 return selinux_inode_setotherxattr(dentry, name);
2668
2669 sbsec = inode->i_sb->s_security;
2670 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2671 return -EOPNOTSUPP;
2672
2673 if (!is_owner_or_cap(inode))
2674 return -EPERM;
2675
2676 AVC_AUDIT_DATA_INIT(&ad, FS);
2677 ad.u.fs.path.dentry = dentry;
2678
2679 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2680 FILE__RELABELFROM, &ad);
2681 if (rc)
2682 return rc;
2683
2684 rc = security_context_to_sid(value, size, &newsid);
2685 if (rc == -EINVAL) {
2686 if (!capable(CAP_MAC_ADMIN))
2687 return rc;
2688 rc = security_context_to_sid_force(value, size, &newsid);
2689 }
2690 if (rc)
2691 return rc;
2692
2693 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2694 FILE__RELABELTO, &ad);
2695 if (rc)
2696 return rc;
2697
2698 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2699 isec->sclass);
2700 if (rc)
2701 return rc;
2702
2703 return avc_has_perm(newsid,
2704 sbsec->sid,
2705 SECCLASS_FILESYSTEM,
2706 FILESYSTEM__ASSOCIATE,
2707 &ad);
2708 }
2709
2710 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2711 const void *value, size_t size,
2712 int flags)
2713 {
2714 struct inode *inode = dentry->d_inode;
2715 struct inode_security_struct *isec = inode->i_security;
2716 u32 newsid;
2717 int rc;
2718
2719 if (strcmp(name, XATTR_NAME_SELINUX)) {
2720 /* Not an attribute we recognize, so nothing to do. */
2721 return;
2722 }
2723
2724 rc = security_context_to_sid_force(value, size, &newsid);
2725 if (rc) {
2726 printk(KERN_ERR "SELinux: unable to map context to SID"
2727 "for (%s, %lu), rc=%d\n",
2728 inode->i_sb->s_id, inode->i_ino, -rc);
2729 return;
2730 }
2731
2732 isec->sid = newsid;
2733 return;
2734 }
2735
2736 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2737 {
2738 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2739 }
2740
2741 static int selinux_inode_listxattr(struct dentry *dentry)
2742 {
2743 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2744 }
2745
2746 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2747 {
2748 if (strcmp(name, XATTR_NAME_SELINUX))
2749 return selinux_inode_setotherxattr(dentry, name);
2750
2751 /* No one is allowed to remove a SELinux security label.
2752 You can change the label, but all data must be labeled. */
2753 return -EACCES;
2754 }
2755
2756 /*
2757 * Copy the in-core inode security context value to the user. If the
2758 * getxattr() prior to this succeeded, check to see if we need to
2759 * canonicalize the value to be finally returned to the user.
2760 *
2761 * Permission check is handled by selinux_inode_getxattr hook.
2762 */
2763 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2764 {
2765 u32 size;
2766 int error;
2767 char *context = NULL;
2768 struct inode_security_struct *isec = inode->i_security;
2769
2770 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2771 return -EOPNOTSUPP;
2772
2773 error = security_sid_to_context(isec->sid, &context, &size);
2774 if (error)
2775 return error;
2776 error = size;
2777 if (alloc) {
2778 *buffer = context;
2779 goto out_nofree;
2780 }
2781 kfree(context);
2782 out_nofree:
2783 return error;
2784 }
2785
2786 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2787 const void *value, size_t size, int flags)
2788 {
2789 struct inode_security_struct *isec = inode->i_security;
2790 u32 newsid;
2791 int rc;
2792
2793 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2794 return -EOPNOTSUPP;
2795
2796 if (!value || !size)
2797 return -EACCES;
2798
2799 rc = security_context_to_sid((void *)value, size, &newsid);
2800 if (rc)
2801 return rc;
2802
2803 isec->sid = newsid;
2804 return 0;
2805 }
2806
2807 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2808 {
2809 const int len = sizeof(XATTR_NAME_SELINUX);
2810 if (buffer && len <= buffer_size)
2811 memcpy(buffer, XATTR_NAME_SELINUX, len);
2812 return len;
2813 }
2814
2815 static int selinux_inode_need_killpriv(struct dentry *dentry)
2816 {
2817 return secondary_ops->inode_need_killpriv(dentry);
2818 }
2819
2820 static int selinux_inode_killpriv(struct dentry *dentry)
2821 {
2822 return secondary_ops->inode_killpriv(dentry);
2823 }
2824
2825 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2826 {
2827 struct inode_security_struct *isec = inode->i_security;
2828 *secid = isec->sid;
2829 }
2830
2831 /* file security operations */
2832
2833 static int selinux_revalidate_file_permission(struct file *file, int mask)
2834 {
2835 int rc;
2836 struct inode *inode = file->f_path.dentry->d_inode;
2837
2838 if (!mask) {
2839 /* No permission to check. Existence test. */
2840 return 0;
2841 }
2842
2843 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2844 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2845 mask |= MAY_APPEND;
2846
2847 rc = file_has_perm(current, file,
2848 file_mask_to_av(inode->i_mode, mask));
2849 if (rc)
2850 return rc;
2851
2852 return selinux_netlbl_inode_permission(inode, mask);
2853 }
2854
2855 static int selinux_file_permission(struct file *file, int mask)
2856 {
2857 struct inode *inode = file->f_path.dentry->d_inode;
2858 struct task_security_struct *tsec = current->security;
2859 struct file_security_struct *fsec = file->f_security;
2860 struct inode_security_struct *isec = inode->i_security;
2861
2862 if (!mask) {
2863 /* No permission to check. Existence test. */
2864 return 0;
2865 }
2866
2867 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2868 && fsec->pseqno == avc_policy_seqno())
2869 return selinux_netlbl_inode_permission(inode, mask);
2870
2871 return selinux_revalidate_file_permission(file, mask);
2872 }
2873
2874 static int selinux_file_alloc_security(struct file *file)
2875 {
2876 return file_alloc_security(file);
2877 }
2878
2879 static void selinux_file_free_security(struct file *file)
2880 {
2881 file_free_security(file);
2882 }
2883
2884 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2885 unsigned long arg)
2886 {
2887 int error = 0;
2888
2889 switch (cmd) {
2890 case FIONREAD:
2891 /* fall through */
2892 case FIBMAP:
2893 /* fall through */
2894 case FIGETBSZ:
2895 /* fall through */
2896 case EXT2_IOC_GETFLAGS:
2897 /* fall through */
2898 case EXT2_IOC_GETVERSION:
2899 error = file_has_perm(current, file, FILE__GETATTR);
2900 break;
2901
2902 case EXT2_IOC_SETFLAGS:
2903 /* fall through */
2904 case EXT2_IOC_SETVERSION:
2905 error = file_has_perm(current, file, FILE__SETATTR);
2906 break;
2907
2908 /* sys_ioctl() checks */
2909 case FIONBIO:
2910 /* fall through */
2911 case FIOASYNC:
2912 error = file_has_perm(current, file, 0);
2913 break;
2914
2915 case KDSKBENT:
2916 case KDSKBSENT:
2917 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2918 break;
2919
2920 /* default case assumes that the command will go
2921 * to the file's ioctl() function.
2922 */
2923 default:
2924 error = file_has_perm(current, file, FILE__IOCTL);
2925 }
2926 return error;
2927 }
2928
2929 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2930 {
2931 #ifndef CONFIG_PPC32
2932 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2933 /*
2934 * We are making executable an anonymous mapping or a
2935 * private file mapping that will also be writable.
2936 * This has an additional check.
2937 */
2938 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2939 if (rc)
2940 return rc;
2941 }
2942 #endif
2943
2944 if (file) {
2945 /* read access is always possible with a mapping */
2946 u32 av = FILE__READ;
2947
2948 /* write access only matters if the mapping is shared */
2949 if (shared && (prot & PROT_WRITE))
2950 av |= FILE__WRITE;
2951
2952 if (prot & PROT_EXEC)
2953 av |= FILE__EXECUTE;
2954
2955 return file_has_perm(current, file, av);
2956 }
2957 return 0;
2958 }
2959
2960 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2961 unsigned long prot, unsigned long flags,
2962 unsigned long addr, unsigned long addr_only)
2963 {
2964 int rc = 0;
2965 u32 sid = ((struct task_security_struct *)(current->security))->sid;
2966
2967 if (addr < mmap_min_addr)
2968 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2969 MEMPROTECT__MMAP_ZERO, NULL);
2970 if (rc || addr_only)
2971 return rc;
2972
2973 if (selinux_checkreqprot)
2974 prot = reqprot;
2975
2976 return file_map_prot_check(file, prot,
2977 (flags & MAP_TYPE) == MAP_SHARED);
2978 }
2979
2980 static int selinux_file_mprotect(struct vm_area_struct *vma,
2981 unsigned long reqprot,
2982 unsigned long prot)
2983 {
2984 int rc;
2985
2986 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2987 if (rc)
2988 return rc;
2989
2990 if (selinux_checkreqprot)
2991 prot = reqprot;
2992
2993 #ifndef CONFIG_PPC32
2994 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2995 rc = 0;
2996 if (vma->vm_start >= vma->vm_mm->start_brk &&
2997 vma->vm_end <= vma->vm_mm->brk) {
2998 rc = task_has_perm(current, current,
2999 PROCESS__EXECHEAP);
3000 } else if (!vma->vm_file &&
3001 vma->vm_start <= vma->vm_mm->start_stack &&
3002 vma->vm_end >= vma->vm_mm->start_stack) {
3003 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3004 } else if (vma->vm_file && vma->anon_vma) {
3005 /*
3006 * We are making executable a file mapping that has
3007 * had some COW done. Since pages might have been
3008 * written, check ability to execute the possibly
3009 * modified content. This typically should only
3010 * occur for text relocations.
3011 */
3012 rc = file_has_perm(current, vma->vm_file,
3013 FILE__EXECMOD);
3014 }
3015 if (rc)
3016 return rc;
3017 }
3018 #endif
3019
3020 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3021 }
3022
3023 static int selinux_file_lock(struct file *file, unsigned int cmd)
3024 {
3025 return file_has_perm(current, file, FILE__LOCK);
3026 }
3027
3028 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3029 unsigned long arg)
3030 {
3031 int err = 0;
3032
3033 switch (cmd) {
3034 case F_SETFL:
3035 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3036 err = -EINVAL;
3037 break;
3038 }
3039
3040 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3041 err = file_has_perm(current, file, FILE__WRITE);
3042 break;
3043 }
3044 /* fall through */
3045 case F_SETOWN:
3046 case F_SETSIG:
3047 case F_GETFL:
3048 case F_GETOWN:
3049 case F_GETSIG:
3050 /* Just check FD__USE permission */
3051 err = file_has_perm(current, file, 0);
3052 break;
3053 case F_GETLK:
3054 case F_SETLK:
3055 case F_SETLKW:
3056 #if BITS_PER_LONG == 32
3057 case F_GETLK64:
3058 case F_SETLK64:
3059 case F_SETLKW64:
3060 #endif
3061 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3062 err = -EINVAL;
3063 break;
3064 }
3065 err = file_has_perm(current, file, FILE__LOCK);
3066 break;
3067 }
3068
3069 return err;
3070 }
3071
3072 static int selinux_file_set_fowner(struct file *file)
3073 {
3074 struct task_security_struct *tsec;
3075 struct file_security_struct *fsec;
3076
3077 tsec = current->security;
3078 fsec = file->f_security;
3079 fsec->fown_sid = tsec->sid;
3080
3081 return 0;
3082 }
3083
3084 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3085 struct fown_struct *fown, int signum)
3086 {
3087 struct file *file;
3088 u32 perm;
3089 struct task_security_struct *tsec;
3090 struct file_security_struct *fsec;
3091
3092 /* struct fown_struct is never outside the context of a struct file */
3093 file = container_of(fown, struct file, f_owner);
3094
3095 tsec = tsk->security;
3096 fsec = file->f_security;
3097
3098 if (!signum)
3099 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3100 else
3101 perm = signal_to_av(signum);
3102
3103 return avc_has_perm(fsec->fown_sid, tsec->sid,
3104 SECCLASS_PROCESS, perm, NULL);
3105 }
3106
3107 static int selinux_file_receive(struct file *file)
3108 {
3109 return file_has_perm(current, file, file_to_av(file));
3110 }
3111
3112 static int selinux_dentry_open(struct file *file)
3113 {
3114 struct file_security_struct *fsec;
3115 struct inode *inode;
3116 struct inode_security_struct *isec;
3117 inode = file->f_path.dentry->d_inode;
3118 fsec = file->f_security;
3119 isec = inode->i_security;
3120 /*
3121 * Save inode label and policy sequence number
3122 * at open-time so that selinux_file_permission
3123 * can determine whether revalidation is necessary.
3124 * Task label is already saved in the file security
3125 * struct as its SID.
3126 */
3127 fsec->isid = isec->sid;
3128 fsec->pseqno = avc_policy_seqno();
3129 /*
3130 * Since the inode label or policy seqno may have changed
3131 * between the selinux_inode_permission check and the saving
3132 * of state above, recheck that access is still permitted.
3133 * Otherwise, access might never be revalidated against the
3134 * new inode label or new policy.
3135 * This check is not redundant - do not remove.
3136 */
3137 return inode_has_perm(current, inode, file_to_av(file), NULL);
3138 }
3139
3140 /* task security operations */
3141
3142 static int selinux_task_create(unsigned long clone_flags)
3143 {
3144 int rc;
3145
3146 rc = secondary_ops->task_create(clone_flags);
3147 if (rc)
3148 return rc;
3149
3150 return task_has_perm(current, current, PROCESS__FORK);
3151 }
3152
3153 static int selinux_task_alloc_security(struct task_struct *tsk)
3154 {
3155 struct task_security_struct *tsec1, *tsec2;
3156 int rc;
3157
3158 tsec1 = current->security;
3159
3160 rc = task_alloc_security(tsk);
3161 if (rc)
3162 return rc;
3163 tsec2 = tsk->security;
3164
3165 tsec2->osid = tsec1->osid;
3166 tsec2->sid = tsec1->sid;
3167
3168 /* Retain the exec, fs, key, and sock SIDs across fork */
3169 tsec2->exec_sid = tsec1->exec_sid;
3170 tsec2->create_sid = tsec1->create_sid;
3171 tsec2->keycreate_sid = tsec1->keycreate_sid;
3172 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3173
3174 return 0;
3175 }
3176
3177 static void selinux_task_free_security(struct task_struct *tsk)
3178 {
3179 task_free_security(tsk);
3180 }
3181
3182 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3183 {
3184 /* Since setuid only affects the current process, and
3185 since the SELinux controls are not based on the Linux
3186 identity attributes, SELinux does not need to control
3187 this operation. However, SELinux does control the use
3188 of the CAP_SETUID and CAP_SETGID capabilities using the
3189 capable hook. */
3190 return 0;
3191 }
3192
3193 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3194 {
3195 return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3196 }
3197
3198 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3199 {
3200 /* See the comment for setuid above. */
3201 return 0;
3202 }
3203
3204 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3205 {
3206 return task_has_perm(current, p, PROCESS__SETPGID);
3207 }
3208
3209 static int selinux_task_getpgid(struct task_struct *p)
3210 {
3211 return task_has_perm(current, p, PROCESS__GETPGID);
3212 }
3213
3214 static int selinux_task_getsid(struct task_struct *p)
3215 {
3216 return task_has_perm(current, p, PROCESS__GETSESSION);
3217 }
3218
3219 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3220 {
3221 struct task_security_struct *tsec = p->security;
3222 *secid = tsec->sid;
3223 }
3224
3225 static int selinux_task_setgroups(struct group_info *group_info)
3226 {
3227 /* See the comment for setuid above. */
3228 return 0;
3229 }
3230
3231 static int selinux_task_setnice(struct task_struct *p, int nice)
3232 {
3233 int rc;
3234
3235 rc = secondary_ops->task_setnice(p, nice);
3236 if (rc)
3237 return rc;
3238
3239 return task_has_perm(current, p, PROCESS__SETSCHED);
3240 }
3241
3242 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3243 {
3244 int rc;
3245
3246 rc = secondary_ops->task_setioprio(p, ioprio);
3247 if (rc)
3248 return rc;
3249
3250 return task_has_perm(current, p, PROCESS__SETSCHED);
3251 }
3252
3253 static int selinux_task_getioprio(struct task_struct *p)
3254 {
3255 return task_has_perm(current, p, PROCESS__GETSCHED);
3256 }
3257
3258 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3259 {
3260 struct rlimit *old_rlim = current->signal->rlim + resource;
3261 int rc;
3262
3263 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3264 if (rc)
3265 return rc;
3266
3267 /* Control the ability to change the hard limit (whether
3268 lowering or raising it), so that the hard limit can
3269 later be used as a safe reset point for the soft limit
3270 upon context transitions. See selinux_bprm_apply_creds. */
3271 if (old_rlim->rlim_max != new_rlim->rlim_max)
3272 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3273
3274 return 0;
3275 }
3276
3277 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3278 {
3279 int rc;
3280
3281 rc = secondary_ops->task_setscheduler(p, policy, lp);
3282 if (rc)
3283 return rc;
3284
3285 return task_has_perm(current, p, PROCESS__SETSCHED);
3286 }
3287
3288 static int selinux_task_getscheduler(struct task_struct *p)
3289 {
3290 return task_has_perm(current, p, PROCESS__GETSCHED);
3291 }
3292
3293 static int selinux_task_movememory(struct task_struct *p)
3294 {
3295 return task_has_perm(current, p, PROCESS__SETSCHED);
3296 }
3297
3298 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3299 int sig, u32 secid)
3300 {
3301 u32 perm;
3302 int rc;
3303 struct task_security_struct *tsec;
3304
3305 rc = secondary_ops->task_kill(p, info, sig, secid);
3306 if (rc)
3307 return rc;
3308
3309 if (!sig)
3310 perm = PROCESS__SIGNULL; /* null signal; existence test */
3311 else
3312 perm = signal_to_av(sig);
3313 tsec = p->security;
3314 if (secid)
3315 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3316 else
3317 rc = task_has_perm(current, p, perm);
3318 return rc;
3319 }
3320
3321 static int selinux_task_prctl(int option,
3322 unsigned long arg2,
3323 unsigned long arg3,
3324 unsigned long arg4,
3325 unsigned long arg5,
3326 long *rc_p)
3327 {
3328 /* The current prctl operations do not appear to require
3329 any SELinux controls since they merely observe or modify
3330 the state of the current process. */
3331 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3332 }
3333
3334 static int selinux_task_wait(struct task_struct *p)
3335 {
3336 return task_has_perm(p, current, PROCESS__SIGCHLD);
3337 }
3338
3339 static void selinux_task_reparent_to_init(struct task_struct *p)
3340 {
3341 struct task_security_struct *tsec;
3342
3343 secondary_ops->task_reparent_to_init(p);
3344
3345 tsec = p->security;
3346 tsec->osid = tsec->sid;
3347 tsec->sid = SECINITSID_KERNEL;
3348 return;
3349 }
3350
3351 static void selinux_task_to_inode(struct task_struct *p,
3352 struct inode *inode)
3353 {
3354 struct task_security_struct *tsec = p->security;
3355 struct inode_security_struct *isec = inode->i_security;
3356
3357 isec->sid = tsec->sid;
3358 isec->initialized = 1;
3359 return;
3360 }
3361
3362 /* Returns error only if unable to parse addresses */
3363 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3364 struct avc_audit_data *ad, u8 *proto)
3365 {
3366 int offset, ihlen, ret = -EINVAL;
3367 struct iphdr _iph, *ih;
3368
3369 offset = skb_network_offset(skb);
3370 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3371 if (ih == NULL)
3372 goto out;
3373
3374 ihlen = ih->ihl * 4;
3375 if (ihlen < sizeof(_iph))
3376 goto out;
3377
3378 ad->u.net.v4info.saddr = ih->saddr;
3379 ad->u.net.v4info.daddr = ih->daddr;
3380 ret = 0;
3381
3382 if (proto)
3383 *proto = ih->protocol;
3384
3385 switch (ih->protocol) {
3386 case IPPROTO_TCP: {
3387 struct tcphdr _tcph, *th;
3388
3389 if (ntohs(ih->frag_off) & IP_OFFSET)
3390 break;
3391
3392 offset += ihlen;
3393 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3394 if (th == NULL)
3395 break;
3396
3397 ad->u.net.sport = th->source;
3398 ad->u.net.dport = th->dest;
3399 break;
3400 }
3401
3402 case IPPROTO_UDP: {
3403 struct udphdr _udph, *uh;
3404
3405 if (ntohs(ih->frag_off) & IP_OFFSET)
3406 break;
3407
3408 offset += ihlen;
3409 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3410 if (uh == NULL)
3411 break;
3412
3413 ad->u.net.sport = uh->source;
3414 ad->u.net.dport = uh->dest;
3415 break;
3416 }
3417
3418 case IPPROTO_DCCP: {
3419 struct dccp_hdr _dccph, *dh;
3420
3421 if (ntohs(ih->frag_off) & IP_OFFSET)
3422 break;
3423
3424 offset += ihlen;
3425 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3426 if (dh == NULL)
3427 break;
3428
3429 ad->u.net.sport = dh->dccph_sport;
3430 ad->u.net.dport = dh->dccph_dport;
3431 break;
3432 }
3433
3434 default:
3435 break;
3436 }
3437 out:
3438 return ret;
3439 }
3440
3441 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3442
3443 /* Returns error only if unable to parse addresses */
3444 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3445 struct avc_audit_data *ad, u8 *proto)
3446 {
3447 u8 nexthdr;
3448 int ret = -EINVAL, offset;
3449 struct ipv6hdr _ipv6h, *ip6;
3450
3451 offset = skb_network_offset(skb);
3452 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3453 if (ip6 == NULL)
3454 goto out;
3455
3456 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3457 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3458 ret = 0;
3459
3460 nexthdr = ip6->nexthdr;
3461 offset += sizeof(_ipv6h);
3462 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3463 if (offset < 0)
3464 goto out;
3465
3466 if (proto)
3467 *proto = nexthdr;
3468
3469 switch (nexthdr) {
3470 case IPPROTO_TCP: {
3471 struct tcphdr _tcph, *th;
3472
3473 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3474 if (th == NULL)
3475 break;
3476
3477 ad->u.net.sport = th->source;
3478 ad->u.net.dport = th->dest;
3479 break;
3480 }
3481
3482 case IPPROTO_UDP: {
3483 struct udphdr _udph, *uh;
3484
3485 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3486 if (uh == NULL)
3487 break;
3488
3489 ad->u.net.sport = uh->source;
3490 ad->u.net.dport = uh->dest;
3491 break;
3492 }
3493
3494 case IPPROTO_DCCP: {
3495 struct dccp_hdr _dccph, *dh;
3496
3497 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3498 if (dh == NULL)
3499 break;
3500
3501 ad->u.net.sport = dh->dccph_sport;
3502 ad->u.net.dport = dh->dccph_dport;
3503 break;
3504 }
3505
3506 /* includes fragments */
3507 default:
3508 break;
3509 }
3510 out:
3511 return ret;
3512 }
3513
3514 #endif /* IPV6 */
3515
3516 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3517 char **addrp, int src, u8 *proto)
3518 {
3519 int ret = 0;
3520
3521 switch (ad->u.net.family) {
3522 case PF_INET:
3523 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3524 if (ret || !addrp)
3525 break;
3526 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3527 &ad->u.net.v4info.daddr);
3528 break;
3529
3530 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3531 case PF_INET6:
3532 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3533 if (ret || !addrp)
3534 break;
3535 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3536 &ad->u.net.v6info.daddr);
3537 break;
3538 #endif /* IPV6 */
3539 default:
3540 break;
3541 }
3542
3543 if (unlikely(ret))
3544 printk(KERN_WARNING
3545 "SELinux: failure in selinux_parse_skb(),"
3546 " unable to parse packet\n");
3547
3548 return ret;
3549 }
3550
3551 /**
3552 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3553 * @skb: the packet
3554 * @family: protocol family
3555 * @sid: the packet's peer label SID
3556 *
3557 * Description:
3558 * Check the various different forms of network peer labeling and determine
3559 * the peer label/SID for the packet; most of the magic actually occurs in
3560 * the security server function security_net_peersid_cmp(). The function
3561 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3562 * or -EACCES if @sid is invalid due to inconsistencies with the different
3563 * peer labels.
3564 *
3565 */
3566 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3567 {
3568 int err;
3569 u32 xfrm_sid;
3570 u32 nlbl_sid;
3571 u32 nlbl_type;
3572
3573 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3574 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3575
3576 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3577 if (unlikely(err)) {
3578 printk(KERN_WARNING
3579 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3580 " unable to determine packet's peer label\n");
3581 return -EACCES;
3582 }
3583
3584 return 0;
3585 }
3586
3587 /* socket security operations */
3588 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3589 u32 perms)
3590 {
3591 struct inode_security_struct *isec;
3592 struct task_security_struct *tsec;
3593 struct avc_audit_data ad;
3594 int err = 0;
3595
3596 tsec = task->security;
3597 isec = SOCK_INODE(sock)->i_security;
3598
3599 if (isec->sid == SECINITSID_KERNEL)
3600 goto out;
3601
3602 AVC_AUDIT_DATA_INIT(&ad, NET);
3603 ad.u.net.sk = sock->sk;
3604 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3605
3606 out:
3607 return err;
3608 }
3609
3610 static int selinux_socket_create(int family, int type,
3611 int protocol, int kern)
3612 {
3613 int err = 0;
3614 struct task_security_struct *tsec;
3615 u32 newsid;
3616
3617 if (kern)
3618 goto out;
3619
3620 tsec = current->security;
3621 newsid = tsec->sockcreate_sid ? : tsec->sid;
3622 err = avc_has_perm(tsec->sid, newsid,
3623 socket_type_to_security_class(family, type,
3624 protocol), SOCKET__CREATE, NULL);
3625
3626 out:
3627 return err;
3628 }
3629
3630 static int selinux_socket_post_create(struct socket *sock, int family,
3631 int type, int protocol, int kern)
3632 {
3633 int err = 0;
3634 struct inode_security_struct *isec;
3635 struct task_security_struct *tsec;
3636 struct sk_security_struct *sksec;
3637 u32 newsid;
3638
3639 isec = SOCK_INODE(sock)->i_security;
3640
3641 tsec = current->security;
3642 newsid = tsec->sockcreate_sid ? : tsec->sid;
3643 isec->sclass = socket_type_to_security_class(family, type, protocol);
3644 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3645 isec->initialized = 1;
3646
3647 if (sock->sk) {
3648 sksec = sock->sk->sk_security;
3649 sksec->sid = isec->sid;
3650 sksec->sclass = isec->sclass;
3651 err = selinux_netlbl_socket_post_create(sock);
3652 }
3653
3654 return err;
3655 }
3656
3657 /* Range of port numbers used to automatically bind.
3658 Need to determine whether we should perform a name_bind
3659 permission check between the socket and the port number. */
3660
3661 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3662 {
3663 u16 family;
3664 int err;
3665
3666 err = socket_has_perm(current, sock, SOCKET__BIND);
3667 if (err)
3668 goto out;
3669
3670 /*
3671 * If PF_INET or PF_INET6, check name_bind permission for the port.
3672 * Multiple address binding for SCTP is not supported yet: we just
3673 * check the first address now.
3674 */
3675 family = sock->sk->sk_family;
3676 if (family == PF_INET || family == PF_INET6) {
3677 char *addrp;
3678 struct inode_security_struct *isec;
3679 struct task_security_struct *tsec;
3680 struct avc_audit_data ad;
3681 struct sockaddr_in *addr4 = NULL;
3682 struct sockaddr_in6 *addr6 = NULL;
3683 unsigned short snum;
3684 struct sock *sk = sock->sk;
3685 u32 sid, node_perm, addrlen;
3686
3687 tsec = current->security;
3688 isec = SOCK_INODE(sock)->i_security;
3689
3690 if (family == PF_INET) {
3691 addr4 = (struct sockaddr_in *)address;
3692 snum = ntohs(addr4->sin_port);
3693 addrlen = sizeof(addr4->sin_addr.s_addr);
3694 addrp = (char *)&addr4->sin_addr.s_addr;
3695 } else {
3696 addr6 = (struct sockaddr_in6 *)address;
3697 snum = ntohs(addr6->sin6_port);
3698 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3699 addrp = (char *)&addr6->sin6_addr.s6_addr;
3700 }
3701
3702 if (snum) {
3703 int low, high;
3704
3705 inet_get_local_port_range(&low, &high);
3706
3707 if (snum < max(PROT_SOCK, low) || snum > high) {
3708 err = sel_netport_sid(sk->sk_protocol,
3709 snum, &sid);
3710 if (err)
3711 goto out;
3712 AVC_AUDIT_DATA_INIT(&ad, NET);
3713 ad.u.net.sport = htons(snum);
3714 ad.u.net.family = family;
3715 err = avc_has_perm(isec->sid, sid,
3716 isec->sclass,
3717 SOCKET__NAME_BIND, &ad);
3718 if (err)
3719 goto out;
3720 }
3721 }
3722
3723 switch (isec->sclass) {
3724 case SECCLASS_TCP_SOCKET:
3725 node_perm = TCP_SOCKET__NODE_BIND;
3726 break;
3727
3728 case SECCLASS_UDP_SOCKET:
3729 node_perm = UDP_SOCKET__NODE_BIND;
3730 break;
3731
3732 case SECCLASS_DCCP_SOCKET:
3733 node_perm = DCCP_SOCKET__NODE_BIND;
3734 break;
3735
3736 default:
3737 node_perm = RAWIP_SOCKET__NODE_BIND;
3738 break;
3739 }
3740
3741 err = sel_netnode_sid(addrp, family, &sid);
3742 if (err)
3743 goto out;
3744
3745 AVC_AUDIT_DATA_INIT(&ad, NET);
3746 ad.u.net.sport = htons(snum);
3747 ad.u.net.family = family;
3748
3749 if (family == PF_INET)
3750 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3751 else
3752 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3753
3754 err = avc_has_perm(isec->sid, sid,
3755 isec->sclass, node_perm, &ad);
3756 if (err)
3757 goto out;
3758 }
3759 out:
3760 return err;
3761 }
3762
3763 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3764 {
3765 struct inode_security_struct *isec;
3766 int err;
3767
3768 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3769 if (err)
3770 return err;
3771
3772 /*
3773 * If a TCP or DCCP socket, check name_connect permission for the port.
3774 */
3775 isec = SOCK_INODE(sock)->i_security;
3776 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3777 isec->sclass == SECCLASS_DCCP_SOCKET) {
3778 struct sock *sk = sock->sk;
3779 struct avc_audit_data ad;
3780 struct sockaddr_in *addr4 = NULL;
3781 struct sockaddr_in6 *addr6 = NULL;
3782 unsigned short snum;
3783 u32 sid, perm;
3784
3785 if (sk->sk_family == PF_INET) {
3786 addr4 = (struct sockaddr_in *)address;
3787 if (addrlen < sizeof(struct sockaddr_in))
3788 return -EINVAL;
3789 snum = ntohs(addr4->sin_port);
3790 } else {
3791 addr6 = (struct sockaddr_in6 *)address;
3792 if (addrlen < SIN6_LEN_RFC2133)
3793 return -EINVAL;
3794 snum = ntohs(addr6->sin6_port);
3795 }
3796
3797 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3798 if (err)
3799 goto out;
3800
3801 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3802 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3803
3804 AVC_AUDIT_DATA_INIT(&ad, NET);
3805 ad.u.net.dport = htons(snum);
3806 ad.u.net.family = sk->sk_family;
3807 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3808 if (err)
3809 goto out;
3810 }
3811
3812 out:
3813 return err;
3814 }
3815
3816 static int selinux_socket_listen(struct socket *sock, int backlog)
3817 {
3818 return socket_has_perm(current, sock, SOCKET__LISTEN);
3819 }
3820
3821 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3822 {
3823 int err;
3824 struct inode_security_struct *isec;
3825 struct inode_security_struct *newisec;
3826
3827 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3828 if (err)
3829 return err;
3830
3831 newisec = SOCK_INODE(newsock)->i_security;
3832
3833 isec = SOCK_INODE(sock)->i_security;
3834 newisec->sclass = isec->sclass;
3835 newisec->sid = isec->sid;
3836 newisec->initialized = 1;
3837
3838 return 0;
3839 }
3840
3841 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3842 int size)
3843 {
3844 int rc;
3845
3846 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3847 if (rc)
3848 return rc;
3849
3850 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3851 }
3852
3853 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3854 int size, int flags)
3855 {
3856 return socket_has_perm(current, sock, SOCKET__READ);
3857 }
3858
3859 static int selinux_socket_getsockname(struct socket *sock)
3860 {
3861 return socket_has_perm(current, sock, SOCKET__GETATTR);
3862 }
3863
3864 static int selinux_socket_getpeername(struct socket *sock)
3865 {
3866 return socket_has_perm(current, sock, SOCKET__GETATTR);
3867 }
3868
3869 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3870 {
3871 int err;
3872
3873 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3874 if (err)
3875 return err;
3876
3877 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3878 }
3879
3880 static int selinux_socket_getsockopt(struct socket *sock, int level,
3881 int optname)
3882 {
3883 return socket_has_perm(current, sock, SOCKET__GETOPT);
3884 }
3885
3886 static int selinux_socket_shutdown(struct socket *sock, int how)
3887 {
3888 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3889 }
3890
3891 static int selinux_socket_unix_stream_connect(struct socket *sock,
3892 struct socket *other,
3893 struct sock *newsk)
3894 {
3895 struct sk_security_struct *ssec;
3896 struct inode_security_struct *isec;
3897 struct inode_security_struct *other_isec;
3898 struct avc_audit_data ad;
3899 int err;
3900
3901 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3902 if (err)
3903 return err;
3904
3905 isec = SOCK_INODE(sock)->i_security;
3906 other_isec = SOCK_INODE(other)->i_security;
3907
3908 AVC_AUDIT_DATA_INIT(&ad, NET);
3909 ad.u.net.sk = other->sk;
3910
3911 err = avc_has_perm(isec->sid, other_isec->sid,
3912 isec->sclass,
3913 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3914 if (err)
3915 return err;
3916
3917 /* connecting socket */
3918 ssec = sock->sk->sk_security;
3919 ssec->peer_sid = other_isec->sid;
3920
3921 /* server child socket */
3922 ssec = newsk->sk_security;
3923 ssec->peer_sid = isec->sid;
3924 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3925
3926 return err;
3927 }
3928
3929 static int selinux_socket_unix_may_send(struct socket *sock,
3930 struct socket *other)
3931 {
3932 struct inode_security_struct *isec;
3933 struct inode_security_struct *other_isec;
3934 struct avc_audit_data ad;
3935 int err;
3936
3937 isec = SOCK_INODE(sock)->i_security;
3938 other_isec = SOCK_INODE(other)->i_security;
3939
3940 AVC_AUDIT_DATA_INIT(&ad, NET);
3941 ad.u.net.sk = other->sk;
3942
3943 err = avc_has_perm(isec->sid, other_isec->sid,
3944 isec->sclass, SOCKET__SENDTO, &ad);
3945 if (err)
3946 return err;
3947
3948 return 0;
3949 }
3950
3951 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3952 u32 peer_sid,
3953 struct avc_audit_data *ad)
3954 {
3955 int err;
3956 u32 if_sid;
3957 u32 node_sid;
3958
3959 err = sel_netif_sid(ifindex, &if_sid);
3960 if (err)
3961 return err;
3962 err = avc_has_perm(peer_sid, if_sid,
3963 SECCLASS_NETIF, NETIF__INGRESS, ad);
3964 if (err)
3965 return err;
3966
3967 err = sel_netnode_sid(addrp, family, &node_sid);
3968 if (err)
3969 return err;
3970 return avc_has_perm(peer_sid, node_sid,
3971 SECCLASS_NODE, NODE__RECVFROM, ad);
3972 }
3973
3974 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3975 struct sk_buff *skb,
3976 struct avc_audit_data *ad,
3977 u16 family,
3978 char *addrp)
3979 {
3980 int err;
3981 struct sk_security_struct *sksec = sk->sk_security;
3982 u16 sk_class;
3983 u32 netif_perm, node_perm, recv_perm;
3984 u32 port_sid, node_sid, if_sid, sk_sid;
3985
3986 sk_sid = sksec->sid;
3987 sk_class = sksec->sclass;
3988
3989 switch (sk_class) {
3990 case SECCLASS_UDP_SOCKET:
3991 netif_perm = NETIF__UDP_RECV;
3992 node_perm = NODE__UDP_RECV;
3993 recv_perm = UDP_SOCKET__RECV_MSG;
3994 break;
3995 case SECCLASS_TCP_SOCKET:
3996 netif_perm = NETIF__TCP_RECV;
3997 node_perm = NODE__TCP_RECV;
3998 recv_perm = TCP_SOCKET__RECV_MSG;
3999 break;
4000 case SECCLASS_DCCP_SOCKET:
4001 netif_perm = NETIF__DCCP_RECV;
4002 node_perm = NODE__DCCP_RECV;
4003 recv_perm = DCCP_SOCKET__RECV_MSG;
4004 break;
4005 default:
4006 netif_perm = NETIF__RAWIP_RECV;
4007 node_perm = NODE__RAWIP_RECV;
4008 recv_perm = 0;
4009 break;
4010 }
4011
4012 err = sel_netif_sid(skb->iif, &if_sid);
4013 if (err)
4014 return err;
4015 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4016 if (err)
4017 return err;
4018
4019 err = sel_netnode_sid(addrp, family, &node_sid);
4020 if (err)
4021 return err;
4022 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4023 if (err)
4024 return err;
4025
4026 if (!recv_perm)
4027 return 0;
4028 err = sel_netport_sid(sk->sk_protocol,
4029 ntohs(ad->u.net.sport), &port_sid);
4030 if (unlikely(err)) {
4031 printk(KERN_WARNING
4032 "SELinux: failure in"
4033 " selinux_sock_rcv_skb_iptables_compat(),"
4034 " network port label not found\n");
4035 return err;
4036 }
4037 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4038 }
4039
4040 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4041 struct avc_audit_data *ad,
4042 u16 family, char *addrp)
4043 {
4044 int err;
4045 struct sk_security_struct *sksec = sk->sk_security;
4046 u32 peer_sid;
4047 u32 sk_sid = sksec->sid;
4048
4049 if (selinux_compat_net)
4050 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4051 family, addrp);
4052 else
4053 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4054 PACKET__RECV, ad);
4055 if (err)
4056 return err;
4057
4058 if (selinux_policycap_netpeer) {
4059 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4060 if (err)
4061 return err;
4062 err = avc_has_perm(sk_sid, peer_sid,
4063 SECCLASS_PEER, PEER__RECV, ad);
4064 } else {
4065 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4066 if (err)
4067 return err;
4068 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4069 }
4070
4071 return err;
4072 }
4073
4074 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4075 {
4076 int err;
4077 struct sk_security_struct *sksec = sk->sk_security;
4078 u16 family = sk->sk_family;
4079 u32 sk_sid = sksec->sid;
4080 struct avc_audit_data ad;
4081 char *addrp;
4082
4083 if (family != PF_INET && family != PF_INET6)
4084 return 0;
4085
4086 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4087 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4088 family = PF_INET;
4089
4090 AVC_AUDIT_DATA_INIT(&ad, NET);
4091 ad.u.net.netif = skb->iif;
4092 ad.u.net.family = family;
4093 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4094 if (err)
4095 return err;
4096
4097 /* If any sort of compatibility mode is enabled then handoff processing
4098 * to the selinux_sock_rcv_skb_compat() function to deal with the
4099 * special handling. We do this in an attempt to keep this function
4100 * as fast and as clean as possible. */
4101 if (selinux_compat_net || !selinux_policycap_netpeer)
4102 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4103 family, addrp);
4104
4105 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4106 u32 peer_sid;
4107
4108 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4109 if (err)
4110 return err;
4111 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4112 peer_sid, &ad);
4113 if (err)
4114 return err;
4115 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4116 PEER__RECV, &ad);
4117 }
4118
4119 if (selinux_secmark_enabled()) {
4120 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4121 PACKET__RECV, &ad);
4122 if (err)
4123 return err;
4124 }
4125
4126 return err;
4127 }
4128
4129 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4130 int __user *optlen, unsigned len)
4131 {
4132 int err = 0;
4133 char *scontext;
4134 u32 scontext_len;
4135 struct sk_security_struct *ssec;
4136 struct inode_security_struct *isec;
4137 u32 peer_sid = SECSID_NULL;
4138
4139 isec = SOCK_INODE(sock)->i_security;
4140
4141 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4142 isec->sclass == SECCLASS_TCP_SOCKET) {
4143 ssec = sock->sk->sk_security;
4144 peer_sid = ssec->peer_sid;
4145 }
4146 if (peer_sid == SECSID_NULL) {
4147 err = -ENOPROTOOPT;
4148 goto out;
4149 }
4150
4151 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4152
4153 if (err)
4154 goto out;
4155
4156 if (scontext_len > len) {
4157 err = -ERANGE;
4158 goto out_len;
4159 }
4160
4161 if (copy_to_user(optval, scontext, scontext_len))
4162 err = -EFAULT;
4163
4164 out_len:
4165 if (put_user(scontext_len, optlen))
4166 err = -EFAULT;
4167
4168 kfree(scontext);
4169 out:
4170 return err;
4171 }
4172
4173 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4174 {
4175 u32 peer_secid = SECSID_NULL;
4176 u16 family;
4177
4178 if (sock)
4179 family = sock->sk->sk_family;
4180 else if (skb && skb->sk)
4181 family = skb->sk->sk_family;
4182 else
4183 goto out;
4184
4185 if (sock && family == PF_UNIX)
4186 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4187 else if (skb)
4188 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4189
4190 out:
4191 *secid = peer_secid;
4192 if (peer_secid == SECSID_NULL)
4193 return -EINVAL;
4194 return 0;
4195 }
4196
4197 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4198 {
4199 return sk_alloc_security(sk, family, priority);
4200 }
4201
4202 static void selinux_sk_free_security(struct sock *sk)
4203 {
4204 sk_free_security(sk);
4205 }
4206
4207 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4208 {
4209 struct sk_security_struct *ssec = sk->sk_security;
4210 struct sk_security_struct *newssec = newsk->sk_security;
4211
4212 newssec->sid = ssec->sid;
4213 newssec->peer_sid = ssec->peer_sid;
4214 newssec->sclass = ssec->sclass;
4215
4216 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4217 }
4218
4219 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4220 {
4221 if (!sk)
4222 *secid = SECINITSID_ANY_SOCKET;
4223 else {
4224 struct sk_security_struct *sksec = sk->sk_security;
4225
4226 *secid = sksec->sid;
4227 }
4228 }
4229
4230 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4231 {
4232 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4233 struct sk_security_struct *sksec = sk->sk_security;
4234
4235 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4236 sk->sk_family == PF_UNIX)
4237 isec->sid = sksec->sid;
4238 sksec->sclass = isec->sclass;
4239
4240 selinux_netlbl_sock_graft(sk, parent);
4241 }
4242
4243 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4244 struct request_sock *req)
4245 {
4246 struct sk_security_struct *sksec = sk->sk_security;
4247 int err;
4248 u32 newsid;
4249 u32 peersid;
4250
4251 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4252 if (err)
4253 return err;
4254 if (peersid == SECSID_NULL) {
4255 req->secid = sksec->sid;
4256 req->peer_secid = SECSID_NULL;
4257 return 0;
4258 }
4259
4260 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4261 if (err)
4262 return err;
4263
4264 req->secid = newsid;
4265 req->peer_secid = peersid;
4266 return 0;
4267 }
4268
4269 static void selinux_inet_csk_clone(struct sock *newsk,
4270 const struct request_sock *req)
4271 {
4272 struct sk_security_struct *newsksec = newsk->sk_security;
4273
4274 newsksec->sid = req->secid;
4275 newsksec->peer_sid = req->peer_secid;
4276 /* NOTE: Ideally, we should also get the isec->sid for the
4277 new socket in sync, but we don't have the isec available yet.
4278 So we will wait until sock_graft to do it, by which
4279 time it will have been created and available. */
4280
4281 /* We don't need to take any sort of lock here as we are the only
4282 * thread with access to newsksec */
4283 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4284 }
4285
4286 static void selinux_inet_conn_established(struct sock *sk,
4287 struct sk_buff *skb)
4288 {
4289 struct sk_security_struct *sksec = sk->sk_security;
4290
4291 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4292 }
4293
4294 static void selinux_req_classify_flow(const struct request_sock *req,
4295 struct flowi *fl)
4296 {
4297 fl->secid = req->secid;
4298 }
4299
4300 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4301 {
4302 int err = 0;
4303 u32 perm;
4304 struct nlmsghdr *nlh;
4305 struct socket *sock = sk->sk_socket;
4306 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4307
4308 if (skb->len < NLMSG_SPACE(0)) {
4309 err = -EINVAL;
4310 goto out;
4311 }
4312 nlh = nlmsg_hdr(skb);
4313
4314 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4315 if (err) {
4316 if (err == -EINVAL) {
4317 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4318 "SELinux: unrecognized netlink message"
4319 " type=%hu for sclass=%hu\n",
4320 nlh->nlmsg_type, isec->sclass);
4321 if (!selinux_enforcing)
4322 err = 0;
4323 }
4324
4325 /* Ignore */
4326 if (err == -ENOENT)
4327 err = 0;
4328 goto out;
4329 }
4330
4331 err = socket_has_perm(current, sock, perm);
4332 out:
4333 return err;
4334 }
4335
4336 #ifdef CONFIG_NETFILTER
4337
4338 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4339 u16 family)
4340 {
4341 char *addrp;
4342 u32 peer_sid;
4343 struct avc_audit_data ad;
4344 u8 secmark_active;
4345 u8 peerlbl_active;
4346
4347 if (!selinux_policycap_netpeer)
4348 return NF_ACCEPT;
4349
4350 secmark_active = selinux_secmark_enabled();
4351 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4352 if (!secmark_active && !peerlbl_active)
4353 return NF_ACCEPT;
4354
4355 AVC_AUDIT_DATA_INIT(&ad, NET);
4356 ad.u.net.netif = ifindex;
4357 ad.u.net.family = family;
4358 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4359 return NF_DROP;
4360
4361 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4362 return NF_DROP;
4363
4364 if (peerlbl_active)
4365 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4366 peer_sid, &ad) != 0)
4367 return NF_DROP;
4368
4369 if (secmark_active)
4370 if (avc_has_perm(peer_sid, skb->secmark,
4371 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4372 return NF_DROP;
4373
4374 return NF_ACCEPT;
4375 }
4376
4377 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4378 struct sk_buff *skb,
4379 const struct net_device *in,
4380 const struct net_device *out,
4381 int (*okfn)(struct sk_buff *))
4382 {
4383 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4384 }
4385
4386 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4387 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4388 struct sk_buff *skb,
4389 const struct net_device *in,
4390 const struct net_device *out,
4391 int (*okfn)(struct sk_buff *))
4392 {
4393 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4394 }
4395 #endif /* IPV6 */
4396
4397 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4398 int ifindex,
4399 struct avc_audit_data *ad,
4400 u16 family, char *addrp)
4401 {
4402 int err;
4403 struct sk_security_struct *sksec = sk->sk_security;
4404 u16 sk_class;
4405 u32 netif_perm, node_perm, send_perm;
4406 u32 port_sid, node_sid, if_sid, sk_sid;
4407
4408 sk_sid = sksec->sid;
4409 sk_class = sksec->sclass;
4410
4411 switch (sk_class) {
4412 case SECCLASS_UDP_SOCKET:
4413 netif_perm = NETIF__UDP_SEND;
4414 node_perm = NODE__UDP_SEND;
4415 send_perm = UDP_SOCKET__SEND_MSG;
4416 break;
4417 case SECCLASS_TCP_SOCKET:
4418 netif_perm = NETIF__TCP_SEND;
4419 node_perm = NODE__TCP_SEND;
4420 send_perm = TCP_SOCKET__SEND_MSG;
4421 break;
4422 case SECCLASS_DCCP_SOCKET:
4423 netif_perm = NETIF__DCCP_SEND;
4424 node_perm = NODE__DCCP_SEND;
4425 send_perm = DCCP_SOCKET__SEND_MSG;
4426 break;
4427 default:
4428 netif_perm = NETIF__RAWIP_SEND;
4429 node_perm = NODE__RAWIP_SEND;
4430 send_perm = 0;
4431 break;
4432 }
4433
4434 err = sel_netif_sid(ifindex, &if_sid);
4435 if (err)
4436 return err;
4437 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4438 return err;
4439
4440 err = sel_netnode_sid(addrp, family, &node_sid);
4441 if (err)
4442 return err;
4443 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4444 if (err)
4445 return err;
4446
4447 if (send_perm != 0)
4448 return 0;
4449
4450 err = sel_netport_sid(sk->sk_protocol,
4451 ntohs(ad->u.net.dport), &port_sid);
4452 if (unlikely(err)) {
4453 printk(KERN_WARNING
4454 "SELinux: failure in"
4455 " selinux_ip_postroute_iptables_compat(),"
4456 " network port label not found\n");
4457 return err;
4458 }
4459 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4460 }
4461
4462 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4463 int ifindex,
4464 struct avc_audit_data *ad,
4465 u16 family,
4466 char *addrp,
4467 u8 proto)
4468 {
4469 struct sock *sk = skb->sk;
4470 struct sk_security_struct *sksec;
4471
4472 if (sk == NULL)
4473 return NF_ACCEPT;
4474 sksec = sk->sk_security;
4475
4476 if (selinux_compat_net) {
4477 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4478 ad, family, addrp))
4479 return NF_DROP;
4480 } else {
4481 if (avc_has_perm(sksec->sid, skb->secmark,
4482 SECCLASS_PACKET, PACKET__SEND, ad))
4483 return NF_DROP;
4484 }
4485
4486 if (selinux_policycap_netpeer)
4487 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4488 return NF_DROP;
4489
4490 return NF_ACCEPT;
4491 }
4492
4493 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4494 u16 family)
4495 {
4496 u32 secmark_perm;
4497 u32 peer_sid;
4498 struct sock *sk;
4499 struct avc_audit_data ad;
4500 char *addrp;
4501 u8 proto;
4502 u8 secmark_active;
4503 u8 peerlbl_active;
4504
4505 AVC_AUDIT_DATA_INIT(&ad, NET);
4506 ad.u.net.netif = ifindex;
4507 ad.u.net.family = family;
4508 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4509 return NF_DROP;
4510
4511 /* If any sort of compatibility mode is enabled then handoff processing
4512 * to the selinux_ip_postroute_compat() function to deal with the
4513 * special handling. We do this in an attempt to keep this function
4514 * as fast and as clean as possible. */
4515 if (selinux_compat_net || !selinux_policycap_netpeer)
4516 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4517 family, addrp, proto);
4518
4519 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4520 * packet transformation so allow the packet to pass without any checks
4521 * since we'll have another chance to perform access control checks
4522 * when the packet is on it's final way out.
4523 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4524 * is NULL, in this case go ahead and apply access control. */
4525 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4526 return NF_ACCEPT;
4527
4528 secmark_active = selinux_secmark_enabled();
4529 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4530 if (!secmark_active && !peerlbl_active)
4531 return NF_ACCEPT;
4532
4533 /* if the packet is locally generated (skb->sk != NULL) then use the
4534 * socket's label as the peer label, otherwise the packet is being
4535 * forwarded through this system and we need to fetch the peer label
4536 * directly from the packet */
4537 sk = skb->sk;
4538 if (sk) {
4539 struct sk_security_struct *sksec = sk->sk_security;
4540 peer_sid = sksec->sid;
4541 secmark_perm = PACKET__SEND;
4542 } else {
4543 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4544 return NF_DROP;
4545 secmark_perm = PACKET__FORWARD_OUT;
4546 }
4547
4548 if (secmark_active)
4549 if (avc_has_perm(peer_sid, skb->secmark,
4550 SECCLASS_PACKET, secmark_perm, &ad))
4551 return NF_DROP;
4552
4553 if (peerlbl_active) {
4554 u32 if_sid;
4555 u32 node_sid;
4556
4557 if (sel_netif_sid(ifindex, &if_sid))
4558 return NF_DROP;
4559 if (avc_has_perm(peer_sid, if_sid,
4560 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4561 return NF_DROP;
4562
4563 if (sel_netnode_sid(addrp, family, &node_sid))
4564 return NF_DROP;
4565 if (avc_has_perm(peer_sid, node_sid,
4566 SECCLASS_NODE, NODE__SENDTO, &ad))
4567 return NF_DROP;
4568 }
4569
4570 return NF_ACCEPT;
4571 }
4572
4573 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4574 struct sk_buff *skb,
4575 const struct net_device *in,
4576 const struct net_device *out,
4577 int (*okfn)(struct sk_buff *))
4578 {
4579 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4580 }
4581
4582 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4583 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4584 struct sk_buff *skb,
4585 const struct net_device *in,
4586 const struct net_device *out,
4587 int (*okfn)(struct sk_buff *))
4588 {
4589 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4590 }
4591 #endif /* IPV6 */
4592
4593 #endif /* CONFIG_NETFILTER */
4594
4595 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4596 {
4597 int err;
4598
4599 err = secondary_ops->netlink_send(sk, skb);
4600 if (err)
4601 return err;
4602
4603 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4604 err = selinux_nlmsg_perm(sk, skb);
4605
4606 return err;
4607 }
4608
4609 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4610 {
4611 int err;
4612 struct avc_audit_data ad;
4613
4614 err = secondary_ops->netlink_recv(skb, capability);
4615 if (err)
4616 return err;
4617
4618 AVC_AUDIT_DATA_INIT(&ad, CAP);
4619 ad.u.cap = capability;
4620
4621 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4622 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4623 }
4624
4625 static int ipc_alloc_security(struct task_struct *task,
4626 struct kern_ipc_perm *perm,
4627 u16 sclass)
4628 {
4629 struct task_security_struct *tsec = task->security;
4630 struct ipc_security_struct *isec;
4631
4632 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4633 if (!isec)
4634 return -ENOMEM;
4635
4636 isec->sclass = sclass;
4637 isec->sid = tsec->sid;
4638 perm->security = isec;
4639
4640 return 0;
4641 }
4642
4643 static void ipc_free_security(struct kern_ipc_perm *perm)
4644 {
4645 struct ipc_security_struct *isec = perm->security;
4646 perm->security = NULL;
4647 kfree(isec);
4648 }
4649
4650 static int msg_msg_alloc_security(struct msg_msg *msg)
4651 {
4652 struct msg_security_struct *msec;
4653
4654 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4655 if (!msec)
4656 return -ENOMEM;
4657
4658 msec->sid = SECINITSID_UNLABELED;
4659 msg->security = msec;
4660
4661 return 0;
4662 }
4663
4664 static void msg_msg_free_security(struct msg_msg *msg)
4665 {
4666 struct msg_security_struct *msec = msg->security;
4667
4668 msg->security = NULL;
4669 kfree(msec);
4670 }
4671
4672 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4673 u32 perms)
4674 {
4675 struct task_security_struct *tsec;
4676 struct ipc_security_struct *isec;
4677 struct avc_audit_data ad;
4678
4679 tsec = current->security;
4680 isec = ipc_perms->security;
4681
4682 AVC_AUDIT_DATA_INIT(&ad, IPC);
4683 ad.u.ipc_id = ipc_perms->key;
4684
4685 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4686 }
4687
4688 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4689 {
4690 return msg_msg_alloc_security(msg);
4691 }
4692
4693 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4694 {
4695 msg_msg_free_security(msg);
4696 }
4697
4698 /* message queue security operations */
4699 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4700 {
4701 struct task_security_struct *tsec;
4702 struct ipc_security_struct *isec;
4703 struct avc_audit_data ad;
4704 int rc;
4705
4706 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4707 if (rc)
4708 return rc;
4709
4710 tsec = current->security;
4711 isec = msq->q_perm.security;
4712
4713 AVC_AUDIT_DATA_INIT(&ad, IPC);
4714 ad.u.ipc_id = msq->q_perm.key;
4715
4716 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4717 MSGQ__CREATE, &ad);
4718 if (rc) {
4719 ipc_free_security(&msq->q_perm);
4720 return rc;
4721 }
4722 return 0;
4723 }
4724
4725 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4726 {
4727 ipc_free_security(&msq->q_perm);
4728 }
4729
4730 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4731 {
4732 struct task_security_struct *tsec;
4733 struct ipc_security_struct *isec;
4734 struct avc_audit_data ad;
4735
4736 tsec = current->security;
4737 isec = msq->q_perm.security;
4738
4739 AVC_AUDIT_DATA_INIT(&ad, IPC);
4740 ad.u.ipc_id = msq->q_perm.key;
4741
4742 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4743 MSGQ__ASSOCIATE, &ad);
4744 }
4745
4746 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4747 {
4748 int err;
4749 int perms;
4750
4751 switch (cmd) {
4752 case IPC_INFO:
4753 case MSG_INFO:
4754 /* No specific object, just general system-wide information. */
4755 return task_has_system(current, SYSTEM__IPC_INFO);
4756 case IPC_STAT:
4757 case MSG_STAT:
4758 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4759 break;
4760 case IPC_SET:
4761 perms = MSGQ__SETATTR;
4762 break;
4763 case IPC_RMID:
4764 perms = MSGQ__DESTROY;
4765 break;
4766 default:
4767 return 0;
4768 }
4769
4770 err = ipc_has_perm(&msq->q_perm, perms);
4771 return err;
4772 }
4773
4774 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4775 {
4776 struct task_security_struct *tsec;
4777 struct ipc_security_struct *isec;
4778 struct msg_security_struct *msec;
4779 struct avc_audit_data ad;
4780 int rc;
4781
4782 tsec = current->security;
4783 isec = msq->q_perm.security;
4784 msec = msg->security;
4785
4786 /*
4787 * First time through, need to assign label to the message
4788 */
4789 if (msec->sid == SECINITSID_UNLABELED) {
4790 /*
4791 * Compute new sid based on current process and
4792 * message queue this message will be stored in
4793 */
4794 rc = security_transition_sid(tsec->sid,
4795 isec->sid,
4796 SECCLASS_MSG,
4797 &msec->sid);
4798 if (rc)
4799 return rc;
4800 }
4801
4802 AVC_AUDIT_DATA_INIT(&ad, IPC);
4803 ad.u.ipc_id = msq->q_perm.key;
4804
4805 /* Can this process write to the queue? */
4806 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4807 MSGQ__WRITE, &ad);
4808 if (!rc)
4809 /* Can this process send the message */
4810 rc = avc_has_perm(tsec->sid, msec->sid,
4811 SECCLASS_MSG, MSG__SEND, &ad);
4812 if (!rc)
4813 /* Can the message be put in the queue? */
4814 rc = avc_has_perm(msec->sid, isec->sid,
4815 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4816
4817 return rc;
4818 }
4819
4820 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4821 struct task_struct *target,
4822 long type, int mode)
4823 {
4824 struct task_security_struct *tsec;
4825 struct ipc_security_struct *isec;
4826 struct msg_security_struct *msec;
4827 struct avc_audit_data ad;
4828 int rc;
4829
4830 tsec = target->security;
4831 isec = msq->q_perm.security;
4832 msec = msg->security;
4833
4834 AVC_AUDIT_DATA_INIT(&ad, IPC);
4835 ad.u.ipc_id = msq->q_perm.key;
4836
4837 rc = avc_has_perm(tsec->sid, isec->sid,
4838 SECCLASS_MSGQ, MSGQ__READ, &ad);
4839 if (!rc)
4840 rc = avc_has_perm(tsec->sid, msec->sid,
4841 SECCLASS_MSG, MSG__RECEIVE, &ad);
4842 return rc;
4843 }
4844
4845 /* Shared Memory security operations */
4846 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4847 {
4848 struct task_security_struct *tsec;
4849 struct ipc_security_struct *isec;
4850 struct avc_audit_data ad;
4851 int rc;
4852
4853 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4854 if (rc)
4855 return rc;
4856
4857 tsec = current->security;
4858 isec = shp->shm_perm.security;
4859
4860 AVC_AUDIT_DATA_INIT(&ad, IPC);
4861 ad.u.ipc_id = shp->shm_perm.key;
4862
4863 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4864 SHM__CREATE, &ad);
4865 if (rc) {
4866 ipc_free_security(&shp->shm_perm);
4867 return rc;
4868 }
4869 return 0;
4870 }
4871
4872 static void selinux_shm_free_security(struct shmid_kernel *shp)
4873 {
4874 ipc_free_security(&shp->shm_perm);
4875 }
4876
4877 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4878 {
4879 struct task_security_struct *tsec;
4880 struct ipc_security_struct *isec;
4881 struct avc_audit_data ad;
4882
4883 tsec = current->security;
4884 isec = shp->shm_perm.security;
4885
4886 AVC_AUDIT_DATA_INIT(&ad, IPC);
4887 ad.u.ipc_id = shp->shm_perm.key;
4888
4889 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4890 SHM__ASSOCIATE, &ad);
4891 }
4892
4893 /* Note, at this point, shp is locked down */
4894 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4895 {
4896 int perms;
4897 int err;
4898
4899 switch (cmd) {
4900 case IPC_INFO:
4901 case SHM_INFO:
4902 /* No specific object, just general system-wide information. */
4903 return task_has_system(current, SYSTEM__IPC_INFO);
4904 case IPC_STAT:
4905 case SHM_STAT:
4906 perms = SHM__GETATTR | SHM__ASSOCIATE;
4907 break;
4908 case IPC_SET:
4909 perms = SHM__SETATTR;
4910 break;
4911 case SHM_LOCK:
4912 case SHM_UNLOCK:
4913 perms = SHM__LOCK;
4914 break;
4915 case IPC_RMID:
4916 perms = SHM__DESTROY;
4917 break;
4918 default:
4919 return 0;
4920 }
4921
4922 err = ipc_has_perm(&shp->shm_perm, perms);
4923 return err;
4924 }
4925
4926 static int selinux_shm_shmat(struct shmid_kernel *shp,
4927 char __user *shmaddr, int shmflg)
4928 {
4929 u32 perms;
4930 int rc;
4931
4932 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4933 if (rc)
4934 return rc;
4935
4936 if (shmflg & SHM_RDONLY)
4937 perms = SHM__READ;
4938 else
4939 perms = SHM__READ | SHM__WRITE;
4940
4941 return ipc_has_perm(&shp->shm_perm, perms);
4942 }
4943
4944 /* Semaphore security operations */
4945 static int selinux_sem_alloc_security(struct sem_array *sma)
4946 {
4947 struct task_security_struct *tsec;
4948 struct ipc_security_struct *isec;
4949 struct avc_audit_data ad;
4950 int rc;
4951
4952 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4953 if (rc)
4954 return rc;
4955
4956 tsec = current->security;
4957 isec = sma->sem_perm.security;
4958
4959 AVC_AUDIT_DATA_INIT(&ad, IPC);
4960 ad.u.ipc_id = sma->sem_perm.key;
4961
4962 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4963 SEM__CREATE, &ad);
4964 if (rc) {
4965 ipc_free_security(&sma->sem_perm);
4966 return rc;
4967 }
4968 return 0;
4969 }
4970
4971 static void selinux_sem_free_security(struct sem_array *sma)
4972 {
4973 ipc_free_security(&sma->sem_perm);
4974 }
4975
4976 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4977 {
4978 struct task_security_struct *tsec;
4979 struct ipc_security_struct *isec;
4980 struct avc_audit_data ad;
4981
4982 tsec = current->security;
4983 isec = sma->sem_perm.security;
4984
4985 AVC_AUDIT_DATA_INIT(&ad, IPC);
4986 ad.u.ipc_id = sma->sem_perm.key;
4987
4988 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4989 SEM__ASSOCIATE, &ad);
4990 }
4991
4992 /* Note, at this point, sma is locked down */
4993 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4994 {
4995 int err;
4996 u32 perms;
4997
4998 switch (cmd) {
4999 case IPC_INFO:
5000 case SEM_INFO:
5001 /* No specific object, just general system-wide information. */
5002 return task_has_system(current, SYSTEM__IPC_INFO);
5003 case GETPID:
5004 case GETNCNT:
5005 case GETZCNT:
5006 perms = SEM__GETATTR;
5007 break;
5008 case GETVAL:
5009 case GETALL:
5010 perms = SEM__READ;
5011 break;
5012 case SETVAL:
5013 case SETALL:
5014 perms = SEM__WRITE;
5015 break;
5016 case IPC_RMID:
5017 perms = SEM__DESTROY;
5018 break;
5019 case IPC_SET:
5020 perms = SEM__SETATTR;
5021 break;
5022 case IPC_STAT:
5023 case SEM_STAT:
5024 perms = SEM__GETATTR | SEM__ASSOCIATE;
5025 break;
5026 default:
5027 return 0;
5028 }
5029
5030 err = ipc_has_perm(&sma->sem_perm, perms);
5031 return err;
5032 }
5033
5034 static int selinux_sem_semop(struct sem_array *sma,
5035 struct sembuf *sops, unsigned nsops, int alter)
5036 {
5037 u32 perms;
5038
5039 if (alter)
5040 perms = SEM__READ | SEM__WRITE;
5041 else
5042 perms = SEM__READ;
5043
5044 return ipc_has_perm(&sma->sem_perm, perms);
5045 }
5046
5047 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5048 {
5049 u32 av = 0;
5050
5051 av = 0;
5052 if (flag & S_IRUGO)
5053 av |= IPC__UNIX_READ;
5054 if (flag & S_IWUGO)
5055 av |= IPC__UNIX_WRITE;
5056
5057 if (av == 0)
5058 return 0;
5059
5060 return ipc_has_perm(ipcp, av);
5061 }
5062
5063 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5064 {
5065 struct ipc_security_struct *isec = ipcp->security;
5066 *secid = isec->sid;
5067 }
5068
5069 /* module stacking operations */
5070 static int selinux_register_security(const char *name, struct security_operations *ops)
5071 {
5072 if (secondary_ops != original_ops) {
5073 printk(KERN_ERR "%s: There is already a secondary security "
5074 "module registered.\n", __func__);
5075 return -EINVAL;
5076 }
5077
5078 secondary_ops = ops;
5079
5080 printk(KERN_INFO "%s: Registering secondary module %s\n",
5081 __func__,
5082 name);
5083
5084 return 0;
5085 }
5086
5087 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5088 {
5089 if (inode)
5090 inode_doinit_with_dentry(inode, dentry);
5091 }
5092
5093 static int selinux_getprocattr(struct task_struct *p,
5094 char *name, char **value)
5095 {
5096 struct task_security_struct *tsec;
5097 u32 sid;
5098 int error;
5099 unsigned len;
5100
5101 if (current != p) {
5102 error = task_has_perm(current, p, PROCESS__GETATTR);
5103 if (error)
5104 return error;
5105 }
5106
5107 tsec = p->security;
5108
5109 if (!strcmp(name, "current"))
5110 sid = tsec->sid;
5111 else if (!strcmp(name, "prev"))
5112 sid = tsec->osid;
5113 else if (!strcmp(name, "exec"))
5114 sid = tsec->exec_sid;
5115 else if (!strcmp(name, "fscreate"))
5116 sid = tsec->create_sid;
5117 else if (!strcmp(name, "keycreate"))
5118 sid = tsec->keycreate_sid;
5119 else if (!strcmp(name, "sockcreate"))
5120 sid = tsec->sockcreate_sid;
5121 else
5122 return -EINVAL;
5123
5124 if (!sid)
5125 return 0;
5126
5127 error = security_sid_to_context(sid, value, &len);
5128 if (error)
5129 return error;
5130 return len;
5131 }
5132
5133 static int selinux_setprocattr(struct task_struct *p,
5134 char *name, void *value, size_t size)
5135 {
5136 struct task_security_struct *tsec;
5137 struct task_struct *tracer;
5138 u32 sid = 0;
5139 int error;
5140 char *str = value;
5141
5142 if (current != p) {
5143 /* SELinux only allows a process to change its own
5144 security attributes. */
5145 return -EACCES;
5146 }
5147
5148 /*
5149 * Basic control over ability to set these attributes at all.
5150 * current == p, but we'll pass them separately in case the
5151 * above restriction is ever removed.
5152 */
5153 if (!strcmp(name, "exec"))
5154 error = task_has_perm(current, p, PROCESS__SETEXEC);
5155 else if (!strcmp(name, "fscreate"))
5156 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5157 else if (!strcmp(name, "keycreate"))
5158 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5159 else if (!strcmp(name, "sockcreate"))
5160 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5161 else if (!strcmp(name, "current"))
5162 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5163 else
5164 error = -EINVAL;
5165 if (error)
5166 return error;
5167
5168 /* Obtain a SID for the context, if one was specified. */
5169 if (size && str[1] && str[1] != '\n') {
5170 if (str[size-1] == '\n') {
5171 str[size-1] = 0;
5172 size--;
5173 }
5174 error = security_context_to_sid(value, size, &sid);
5175 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5176 if (!capable(CAP_MAC_ADMIN))
5177 return error;
5178 error = security_context_to_sid_force(value, size,
5179 &sid);
5180 }
5181 if (error)
5182 return error;
5183 }
5184
5185 /* Permission checking based on the specified context is
5186 performed during the actual operation (execve,
5187 open/mkdir/...), when we know the full context of the
5188 operation. See selinux_bprm_set_security for the execve
5189 checks and may_create for the file creation checks. The
5190 operation will then fail if the context is not permitted. */
5191 tsec = p->security;
5192 if (!strcmp(name, "exec"))
5193 tsec->exec_sid = sid;
5194 else if (!strcmp(name, "fscreate"))
5195 tsec->create_sid = sid;
5196 else if (!strcmp(name, "keycreate")) {
5197 error = may_create_key(sid, p);
5198 if (error)
5199 return error;
5200 tsec->keycreate_sid = sid;
5201 } else if (!strcmp(name, "sockcreate"))
5202 tsec->sockcreate_sid = sid;
5203 else if (!strcmp(name, "current")) {
5204 struct av_decision avd;
5205
5206 if (sid == 0)
5207 return -EINVAL;
5208
5209 /* Only allow single threaded processes to change context */
5210 if (atomic_read(&p->mm->mm_users) != 1) {
5211 struct task_struct *g, *t;
5212 struct mm_struct *mm = p->mm;
5213 read_lock(&tasklist_lock);
5214 do_each_thread(g, t)
5215 if (t->mm == mm && t != p) {
5216 read_unlock(&tasklist_lock);
5217 return -EPERM;
5218 }
5219 while_each_thread(g, t);
5220 read_unlock(&tasklist_lock);
5221 }
5222
5223 /* Check permissions for the transition. */
5224 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5225 PROCESS__DYNTRANSITION, NULL);
5226 if (error)
5227 return error;
5228
5229 /* Check for ptracing, and update the task SID if ok.
5230 Otherwise, leave SID unchanged and fail. */
5231 task_lock(p);
5232 rcu_read_lock();
5233 tracer = task_tracer_task(p);
5234 if (tracer != NULL) {
5235 struct task_security_struct *ptsec = tracer->security;
5236 u32 ptsid = ptsec->sid;
5237 rcu_read_unlock();
5238 error = avc_has_perm_noaudit(ptsid, sid,
5239 SECCLASS_PROCESS,
5240 PROCESS__PTRACE, 0, &avd);
5241 if (!error)
5242 tsec->sid = sid;
5243 task_unlock(p);
5244 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5245 PROCESS__PTRACE, &avd, error, NULL);
5246 if (error)
5247 return error;
5248 } else {
5249 rcu_read_unlock();
5250 tsec->sid = sid;
5251 task_unlock(p);
5252 }
5253 } else
5254 return -EINVAL;
5255
5256 return size;
5257 }
5258
5259 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5260 {
5261 return security_sid_to_context(secid, secdata, seclen);
5262 }
5263
5264 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5265 {
5266 return security_context_to_sid(secdata, seclen, secid);
5267 }
5268
5269 static void selinux_release_secctx(char *secdata, u32 seclen)
5270 {
5271 kfree(secdata);
5272 }
5273
5274 #ifdef CONFIG_KEYS
5275
5276 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5277 unsigned long flags)
5278 {
5279 struct task_security_struct *tsec = tsk->security;
5280 struct key_security_struct *ksec;
5281
5282 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5283 if (!ksec)
5284 return -ENOMEM;
5285
5286 if (tsec->keycreate_sid)
5287 ksec->sid = tsec->keycreate_sid;
5288 else
5289 ksec->sid = tsec->sid;
5290 k->security = ksec;
5291
5292 return 0;
5293 }
5294
5295 static void selinux_key_free(struct key *k)
5296 {
5297 struct key_security_struct *ksec = k->security;
5298
5299 k->security = NULL;
5300 kfree(ksec);
5301 }
5302
5303 static int selinux_key_permission(key_ref_t key_ref,
5304 struct task_struct *ctx,
5305 key_perm_t perm)
5306 {
5307 struct key *key;
5308 struct task_security_struct *tsec;
5309 struct key_security_struct *ksec;
5310
5311 key = key_ref_to_ptr(key_ref);
5312
5313 tsec = ctx->security;
5314 ksec = key->security;
5315
5316 /* if no specific permissions are requested, we skip the
5317 permission check. No serious, additional covert channels
5318 appear to be created. */
5319 if (perm == 0)
5320 return 0;
5321
5322 return avc_has_perm(tsec->sid, ksec->sid,
5323 SECCLASS_KEY, perm, NULL);
5324 }
5325
5326 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5327 {
5328 struct key_security_struct *ksec = key->security;
5329 char *context = NULL;
5330 unsigned len;
5331 int rc;
5332
5333 rc = security_sid_to_context(ksec->sid, &context, &len);
5334 if (!rc)
5335 rc = len;
5336 *_buffer = context;
5337 return rc;
5338 }
5339
5340 #endif
5341
5342 static struct security_operations selinux_ops = {
5343 .name = "selinux",
5344
5345 .ptrace = selinux_ptrace,
5346 .capget = selinux_capget,
5347 .capset_check = selinux_capset_check,
5348 .capset_set = selinux_capset_set,
5349 .sysctl = selinux_sysctl,
5350 .capable = selinux_capable,
5351 .quotactl = selinux_quotactl,
5352 .quota_on = selinux_quota_on,
5353 .syslog = selinux_syslog,
5354 .vm_enough_memory = selinux_vm_enough_memory,
5355
5356 .netlink_send = selinux_netlink_send,
5357 .netlink_recv = selinux_netlink_recv,
5358
5359 .bprm_alloc_security = selinux_bprm_alloc_security,
5360 .bprm_free_security = selinux_bprm_free_security,
5361 .bprm_apply_creds = selinux_bprm_apply_creds,
5362 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5363 .bprm_set_security = selinux_bprm_set_security,
5364 .bprm_check_security = selinux_bprm_check_security,
5365 .bprm_secureexec = selinux_bprm_secureexec,
5366
5367 .sb_alloc_security = selinux_sb_alloc_security,
5368 .sb_free_security = selinux_sb_free_security,
5369 .sb_copy_data = selinux_sb_copy_data,
5370 .sb_kern_mount = selinux_sb_kern_mount,
5371 .sb_statfs = selinux_sb_statfs,
5372 .sb_mount = selinux_mount,
5373 .sb_umount = selinux_umount,
5374 .sb_get_mnt_opts = selinux_get_mnt_opts,
5375 .sb_set_mnt_opts = selinux_set_mnt_opts,
5376 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5377 .sb_parse_opts_str = selinux_parse_opts_str,
5378
5379
5380 .inode_alloc_security = selinux_inode_alloc_security,
5381 .inode_free_security = selinux_inode_free_security,
5382 .inode_init_security = selinux_inode_init_security,
5383 .inode_create = selinux_inode_create,
5384 .inode_link = selinux_inode_link,
5385 .inode_unlink = selinux_inode_unlink,
5386 .inode_symlink = selinux_inode_symlink,
5387 .inode_mkdir = selinux_inode_mkdir,
5388 .inode_rmdir = selinux_inode_rmdir,
5389 .inode_mknod = selinux_inode_mknod,
5390 .inode_rename = selinux_inode_rename,
5391 .inode_readlink = selinux_inode_readlink,
5392 .inode_follow_link = selinux_inode_follow_link,
5393 .inode_permission = selinux_inode_permission,
5394 .inode_setattr = selinux_inode_setattr,
5395 .inode_getattr = selinux_inode_getattr,
5396 .inode_setxattr = selinux_inode_setxattr,
5397 .inode_post_setxattr = selinux_inode_post_setxattr,
5398 .inode_getxattr = selinux_inode_getxattr,
5399 .inode_listxattr = selinux_inode_listxattr,
5400 .inode_removexattr = selinux_inode_removexattr,
5401 .inode_getsecurity = selinux_inode_getsecurity,
5402 .inode_setsecurity = selinux_inode_setsecurity,
5403 .inode_listsecurity = selinux_inode_listsecurity,
5404 .inode_need_killpriv = selinux_inode_need_killpriv,
5405 .inode_killpriv = selinux_inode_killpriv,
5406 .inode_getsecid = selinux_inode_getsecid,
5407
5408 .file_permission = selinux_file_permission,
5409 .file_alloc_security = selinux_file_alloc_security,
5410 .file_free_security = selinux_file_free_security,
5411 .file_ioctl = selinux_file_ioctl,
5412 .file_mmap = selinux_file_mmap,
5413 .file_mprotect = selinux_file_mprotect,
5414 .file_lock = selinux_file_lock,
5415 .file_fcntl = selinux_file_fcntl,
5416 .file_set_fowner = selinux_file_set_fowner,
5417 .file_send_sigiotask = selinux_file_send_sigiotask,
5418 .file_receive = selinux_file_receive,
5419
5420 .dentry_open = selinux_dentry_open,
5421
5422 .task_create = selinux_task_create,
5423 .task_alloc_security = selinux_task_alloc_security,
5424 .task_free_security = selinux_task_free_security,
5425 .task_setuid = selinux_task_setuid,
5426 .task_post_setuid = selinux_task_post_setuid,
5427 .task_setgid = selinux_task_setgid,
5428 .task_setpgid = selinux_task_setpgid,
5429 .task_getpgid = selinux_task_getpgid,
5430 .task_getsid = selinux_task_getsid,
5431 .task_getsecid = selinux_task_getsecid,
5432 .task_setgroups = selinux_task_setgroups,
5433 .task_setnice = selinux_task_setnice,
5434 .task_setioprio = selinux_task_setioprio,
5435 .task_getioprio = selinux_task_getioprio,
5436 .task_setrlimit = selinux_task_setrlimit,
5437 .task_setscheduler = selinux_task_setscheduler,
5438 .task_getscheduler = selinux_task_getscheduler,
5439 .task_movememory = selinux_task_movememory,
5440 .task_kill = selinux_task_kill,
5441 .task_wait = selinux_task_wait,
5442 .task_prctl = selinux_task_prctl,
5443 .task_reparent_to_init = selinux_task_reparent_to_init,
5444 .task_to_inode = selinux_task_to_inode,
5445
5446 .ipc_permission = selinux_ipc_permission,
5447 .ipc_getsecid = selinux_ipc_getsecid,
5448
5449 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5450 .msg_msg_free_security = selinux_msg_msg_free_security,
5451
5452 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5453 .msg_queue_free_security = selinux_msg_queue_free_security,
5454 .msg_queue_associate = selinux_msg_queue_associate,
5455 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5456 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5457 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5458
5459 .shm_alloc_security = selinux_shm_alloc_security,
5460 .shm_free_security = selinux_shm_free_security,
5461 .shm_associate = selinux_shm_associate,
5462 .shm_shmctl = selinux_shm_shmctl,
5463 .shm_shmat = selinux_shm_shmat,
5464
5465 .sem_alloc_security = selinux_sem_alloc_security,
5466 .sem_free_security = selinux_sem_free_security,
5467 .sem_associate = selinux_sem_associate,
5468 .sem_semctl = selinux_sem_semctl,
5469 .sem_semop = selinux_sem_semop,
5470
5471 .register_security = selinux_register_security,
5472
5473 .d_instantiate = selinux_d_instantiate,
5474
5475 .getprocattr = selinux_getprocattr,
5476 .setprocattr = selinux_setprocattr,
5477
5478 .secid_to_secctx = selinux_secid_to_secctx,
5479 .secctx_to_secid = selinux_secctx_to_secid,
5480 .release_secctx = selinux_release_secctx,
5481
5482 .unix_stream_connect = selinux_socket_unix_stream_connect,
5483 .unix_may_send = selinux_socket_unix_may_send,
5484
5485 .socket_create = selinux_socket_create,
5486 .socket_post_create = selinux_socket_post_create,
5487 .socket_bind = selinux_socket_bind,
5488 .socket_connect = selinux_socket_connect,
5489 .socket_listen = selinux_socket_listen,
5490 .socket_accept = selinux_socket_accept,
5491 .socket_sendmsg = selinux_socket_sendmsg,
5492 .socket_recvmsg = selinux_socket_recvmsg,
5493 .socket_getsockname = selinux_socket_getsockname,
5494 .socket_getpeername = selinux_socket_getpeername,
5495 .socket_getsockopt = selinux_socket_getsockopt,
5496 .socket_setsockopt = selinux_socket_setsockopt,
5497 .socket_shutdown = selinux_socket_shutdown,
5498 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5499 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5500 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5501 .sk_alloc_security = selinux_sk_alloc_security,
5502 .sk_free_security = selinux_sk_free_security,
5503 .sk_clone_security = selinux_sk_clone_security,
5504 .sk_getsecid = selinux_sk_getsecid,
5505 .sock_graft = selinux_sock_graft,
5506 .inet_conn_request = selinux_inet_conn_request,
5507 .inet_csk_clone = selinux_inet_csk_clone,
5508 .inet_conn_established = selinux_inet_conn_established,
5509 .req_classify_flow = selinux_req_classify_flow,
5510
5511 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5512 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5513 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5514 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5515 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5516 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5517 .xfrm_state_free_security = selinux_xfrm_state_free,
5518 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5519 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5520 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5521 .xfrm_decode_session = selinux_xfrm_decode_session,
5522 #endif
5523
5524 #ifdef CONFIG_KEYS
5525 .key_alloc = selinux_key_alloc,
5526 .key_free = selinux_key_free,
5527 .key_permission = selinux_key_permission,
5528 .key_getsecurity = selinux_key_getsecurity,
5529 #endif
5530
5531 #ifdef CONFIG_AUDIT
5532 .audit_rule_init = selinux_audit_rule_init,
5533 .audit_rule_known = selinux_audit_rule_known,
5534 .audit_rule_match = selinux_audit_rule_match,
5535 .audit_rule_free = selinux_audit_rule_free,
5536 #endif
5537 };
5538
5539 static __init int selinux_init(void)
5540 {
5541 struct task_security_struct *tsec;
5542
5543 if (!security_module_enable(&selinux_ops)) {
5544 selinux_enabled = 0;
5545 return 0;
5546 }
5547
5548 if (!selinux_enabled) {
5549 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5550 return 0;
5551 }
5552
5553 printk(KERN_INFO "SELinux: Initializing.\n");
5554
5555 /* Set the security state for the initial task. */
5556 if (task_alloc_security(current))
5557 panic("SELinux: Failed to initialize initial task.\n");
5558 tsec = current->security;
5559 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5560
5561 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5562 sizeof(struct inode_security_struct),
5563 0, SLAB_PANIC, NULL);
5564 avc_init();
5565
5566 original_ops = secondary_ops = security_ops;
5567 if (!secondary_ops)
5568 panic("SELinux: No initial security operations\n");
5569 if (register_security(&selinux_ops))
5570 panic("SELinux: Unable to register with kernel.\n");
5571
5572 if (selinux_enforcing)
5573 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5574 else
5575 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5576
5577 return 0;
5578 }
5579
5580 void selinux_complete_init(void)
5581 {
5582 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5583
5584 /* Set up any superblocks initialized prior to the policy load. */
5585 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5586 spin_lock(&sb_lock);
5587 spin_lock(&sb_security_lock);
5588 next_sb:
5589 if (!list_empty(&superblock_security_head)) {
5590 struct superblock_security_struct *sbsec =
5591 list_entry(superblock_security_head.next,
5592 struct superblock_security_struct,
5593 list);
5594 struct super_block *sb = sbsec->sb;
5595 sb->s_count++;
5596 spin_unlock(&sb_security_lock);
5597 spin_unlock(&sb_lock);
5598 down_read(&sb->s_umount);
5599 if (sb->s_root)
5600 superblock_doinit(sb, NULL);
5601 drop_super(sb);
5602 spin_lock(&sb_lock);
5603 spin_lock(&sb_security_lock);
5604 list_del_init(&sbsec->list);
5605 goto next_sb;
5606 }
5607 spin_unlock(&sb_security_lock);
5608 spin_unlock(&sb_lock);
5609 }
5610
5611 /* SELinux requires early initialization in order to label
5612 all processes and objects when they are created. */
5613 security_initcall(selinux_init);
5614
5615 #if defined(CONFIG_NETFILTER)
5616
5617 static struct nf_hook_ops selinux_ipv4_ops[] = {
5618 {
5619 .hook = selinux_ipv4_postroute,
5620 .owner = THIS_MODULE,
5621 .pf = PF_INET,
5622 .hooknum = NF_INET_POST_ROUTING,
5623 .priority = NF_IP_PRI_SELINUX_LAST,
5624 },
5625 {
5626 .hook = selinux_ipv4_forward,
5627 .owner = THIS_MODULE,
5628 .pf = PF_INET,
5629 .hooknum = NF_INET_FORWARD,
5630 .priority = NF_IP_PRI_SELINUX_FIRST,
5631 }
5632 };
5633
5634 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5635
5636 static struct nf_hook_ops selinux_ipv6_ops[] = {
5637 {
5638 .hook = selinux_ipv6_postroute,
5639 .owner = THIS_MODULE,
5640 .pf = PF_INET6,
5641 .hooknum = NF_INET_POST_ROUTING,
5642 .priority = NF_IP6_PRI_SELINUX_LAST,
5643 },
5644 {
5645 .hook = selinux_ipv6_forward,
5646 .owner = THIS_MODULE,
5647 .pf = PF_INET6,
5648 .hooknum = NF_INET_FORWARD,
5649 .priority = NF_IP6_PRI_SELINUX_FIRST,
5650 }
5651 };
5652
5653 #endif /* IPV6 */
5654
5655 static int __init selinux_nf_ip_init(void)
5656 {
5657 int err = 0;
5658 u32 iter;
5659
5660 if (!selinux_enabled)
5661 goto out;
5662
5663 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5664
5665 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5666 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5667 if (err)
5668 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5669 err);
5670 }
5671
5672 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5673 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5674 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5675 if (err)
5676 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5677 err);
5678 }
5679 #endif /* IPV6 */
5680
5681 out:
5682 return err;
5683 }
5684
5685 __initcall(selinux_nf_ip_init);
5686
5687 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5688 static void selinux_nf_ip_exit(void)
5689 {
5690 u32 iter;
5691
5692 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5693
5694 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5695 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5696 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5697 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5698 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5699 #endif /* IPV6 */
5700 }
5701 #endif
5702
5703 #else /* CONFIG_NETFILTER */
5704
5705 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5706 #define selinux_nf_ip_exit()
5707 #endif
5708
5709 #endif /* CONFIG_NETFILTER */
5710
5711 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5712 static int selinux_disabled;
5713
5714 int selinux_disable(void)
5715 {
5716 extern void exit_sel_fs(void);
5717
5718 if (ss_initialized) {
5719 /* Not permitted after initial policy load. */
5720 return -EINVAL;
5721 }
5722
5723 if (selinux_disabled) {
5724 /* Only do this once. */
5725 return -EINVAL;
5726 }
5727
5728 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5729
5730 selinux_disabled = 1;
5731 selinux_enabled = 0;
5732
5733 /* Reset security_ops to the secondary module, dummy or capability. */
5734 security_ops = secondary_ops;
5735
5736 /* Unregister netfilter hooks. */
5737 selinux_nf_ip_exit();
5738
5739 /* Unregister selinuxfs. */
5740 exit_sel_fs();
5741
5742 return 0;
5743 }
5744 #endif
Linus' kernel tree