search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
x86: include proper prototypes for rodata_test
[linux-2.6/btrfs-unstable.git] / security / selinux / hooks.c
blob44f16d9041e3896b2444f2fc77f14c5d3181cde1
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141 *
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
147 *
148 */
149 static int selinux_secmark_enabled(void)
150 {
151 return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158 struct task_security_struct *tsec;
159
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161 if (!tsec)
162 return -ENOMEM;
163
164 tsec->task = task;
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
167
168 return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
175 kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
182
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
184 if (!isec)
185 return -ENOMEM;
186
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
189 isec->inode = inode;
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
194
195 return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
207
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
216
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218 if (!fsec)
219 return -ENOMEM;
220
221 fsec->file = file;
222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
224 file->f_security = fsec;
225
226 return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231 struct file_security_struct *fsec = file->f_security;
232 file->f_security = NULL;
233 kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238 struct superblock_security_struct *sbsec;
239
240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241 if (!sbsec)
242 return -ENOMEM;
243
244 mutex_init(&sbsec->lock);
245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252 sb->s_security = sbsec;
253
254 return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259 struct superblock_security_struct *sbsec = sb->s_security;
260
261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
265
266 sb->s_security = NULL;
267 kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272 struct sk_security_struct *ssec;
273
274 ssec = kzalloc(sizeof(*ssec), priority);
275 if (!ssec)
276 return -ENOMEM;
277
278 ssec->sk = sk;
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 ssec->sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
282
283 selinux_netlbl_sk_security_init(ssec, family);
284
285 return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290 struct sk_security_struct *ssec = sk->sk_security;
291
292 sk->sk_security = NULL;
293 kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315 return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319 Opt_error = -1,
320 Opt_context = 1,
321 Opt_fscontext = 2,
322 Opt_defcontext = 3,
323 Opt_rootcontext = 4,
324 };
325
326 static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
330 {Opt_rootcontext, "rootcontext=%s"},
331 {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339 {
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355 {
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365 }
366
367 static int sb_finish_set_opts(struct super_block *sb)
368 {
369 struct superblock_security_struct *sbsec = sb->s_security;
370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
372 int rc = 0;
373
374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
383 rc = -EOPNOTSUPP;
384 goto out;
385 }
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
392 else
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
396 goto out;
397 }
398 }
399
400 sbsec->initialized = 1;
401
402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
405 else
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
409
410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
412
413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418 next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
430 }
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
434 }
435 spin_unlock(&sbsec->isec_lock);
436 out:
437 return rc;
438 }
439
440 /*
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
444 */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446 char ***mount_options, int **mnt_opts_flags,
447 int *num_opts)
448 {
449 int rc = 0, i;
450 struct superblock_security_struct *sbsec = sb->s_security;
451 char *context = NULL;
452 u32 len;
453 char tmp;
454
455 *num_opts = 0;
456 *mount_options = NULL;
457 *mnt_opts_flags = NULL;
458
459 if (!sbsec->initialized)
460 return -EINVAL;
461
462 if (!ss_initialized)
463 return -EINVAL;
464
465 /*
466 * if we ever use sbsec flags for anything other than tracking mount
467 * settings this is going to need a mask
468 */
469 tmp = sbsec->flags;
470 /* count the number of mount options for this sb */
471 for (i = 0; i < 8; i++) {
472 if (tmp & 0x01)
473 (*num_opts)++;
474 tmp >>= 1;
475 }
476
477 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
478 if (!*mount_options) {
479 rc = -ENOMEM;
480 goto out_free;
481 }
482
483 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
484 if (!*mnt_opts_flags) {
485 rc = -ENOMEM;
486 goto out_free;
487 }
488
489 i = 0;
490 if (sbsec->flags & FSCONTEXT_MNT) {
491 rc = security_sid_to_context(sbsec->sid, &context, &len);
492 if (rc)
493 goto out_free;
494 (*mount_options)[i] = context;
495 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
496 }
497 if (sbsec->flags & CONTEXT_MNT) {
498 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
499 if (rc)
500 goto out_free;
501 (*mount_options)[i] = context;
502 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
503 }
504 if (sbsec->flags & DEFCONTEXT_MNT) {
505 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
506 if (rc)
507 goto out_free;
508 (*mount_options)[i] = context;
509 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
510 }
511 if (sbsec->flags & ROOTCONTEXT_MNT) {
512 struct inode *root = sbsec->sb->s_root->d_inode;
513 struct inode_security_struct *isec = root->i_security;
514
515 rc = security_sid_to_context(isec->sid, &context, &len);
516 if (rc)
517 goto out_free;
518 (*mount_options)[i] = context;
519 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
520 }
521
522 BUG_ON(i != *num_opts);
523
524 return 0;
525
526 out_free:
527 /* don't leak context string if security_sid_to_context had an error */
528 if (*mount_options && i)
529 for (; i > 0; i--)
530 kfree((*mount_options)[i-1]);
531 kfree(*mount_options);
532 *mount_options = NULL;
533 kfree(*mnt_opts_flags);
534 *mnt_opts_flags = NULL;
535 *num_opts = 0;
536 return rc;
537 }
538
539 static int bad_option(struct superblock_security_struct *sbsec, char flag,
540 u32 old_sid, u32 new_sid)
541 {
542 /* check if the old mount command had the same options */
543 if (sbsec->initialized)
544 if (!(sbsec->flags & flag) ||
545 (old_sid != new_sid))
546 return 1;
547
548 /* check if we were passed the same options twice,
549 * aka someone passed context=a,context=b
550 */
551 if (!sbsec->initialized)
552 if (sbsec->flags & flag)
553 return 1;
554 return 0;
555 }
556 /*
557 * Allow filesystems with binary mount data to explicitly set mount point
558 * labeling information.
559 */
560 static int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
561 int *flags, int num_opts)
562 {
563 int rc = 0, i;
564 struct task_security_struct *tsec = current->security;
565 struct superblock_security_struct *sbsec = sb->s_security;
566 const char *name = sb->s_type->name;
567 struct inode *inode = sbsec->sb->s_root->d_inode;
568 struct inode_security_struct *root_isec = inode->i_security;
569 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
570 u32 defcontext_sid = 0;
571
572 mutex_lock(&sbsec->lock);
573
574 if (!ss_initialized) {
575 if (!num_opts) {
576 /* Defer initialization until selinux_complete_init,
577 after the initial policy is loaded and the security
578 server is ready to handle calls. */
579 spin_lock(&sb_security_lock);
580 if (list_empty(&sbsec->list))
581 list_add(&sbsec->list, &superblock_security_head);
582 spin_unlock(&sb_security_lock);
583 goto out;
584 }
585 rc = -EINVAL;
586 printk(KERN_WARNING "Unable to set superblock options before "
587 "the security server is initialized\n");
588 goto out;
589 }
590
591 /*
592 * parse the mount options, check if they are valid sids.
593 * also check if someone is trying to mount the same sb more
594 * than once with different security options.
595 */
596 for (i = 0; i < num_opts; i++) {
597 u32 sid;
598 rc = security_context_to_sid(mount_options[i],
599 strlen(mount_options[i]), &sid);
600 if (rc) {
601 printk(KERN_WARNING "SELinux: security_context_to_sid"
602 "(%s) failed for (dev %s, type %s) errno=%d\n",
603 mount_options[i], sb->s_id, name, rc);
604 goto out;
605 }
606 switch (flags[i]) {
607 case FSCONTEXT_MNT:
608 fscontext_sid = sid;
609
610 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
611 fscontext_sid))
612 goto out_double_mount;
613
614 sbsec->flags |= FSCONTEXT_MNT;
615 break;
616 case CONTEXT_MNT:
617 context_sid = sid;
618
619 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
620 context_sid))
621 goto out_double_mount;
622
623 sbsec->flags |= CONTEXT_MNT;
624 break;
625 case ROOTCONTEXT_MNT:
626 rootcontext_sid = sid;
627
628 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
629 rootcontext_sid))
630 goto out_double_mount;
631
632 sbsec->flags |= ROOTCONTEXT_MNT;
633
634 break;
635 case DEFCONTEXT_MNT:
636 defcontext_sid = sid;
637
638 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
639 defcontext_sid))
640 goto out_double_mount;
641
642 sbsec->flags |= DEFCONTEXT_MNT;
643
644 break;
645 default:
646 rc = -EINVAL;
647 goto out;
648 }
649 }
650
651 if (sbsec->initialized) {
652 /* previously mounted with options, but not on this attempt? */
653 if (sbsec->flags && !num_opts)
654 goto out_double_mount;
655 rc = 0;
656 goto out;
657 }
658
659 if (strcmp(sb->s_type->name, "proc") == 0)
660 sbsec->proc = 1;
661
662 /* Determine the labeling behavior to use for this filesystem type. */
663 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
664 if (rc) {
665 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
666 __FUNCTION__, sb->s_type->name, rc);
667 goto out;
668 }
669
670 /* sets the context of the superblock for the fs being mounted. */
671 if (fscontext_sid) {
672
673 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
674 if (rc)
675 goto out;
676
677 sbsec->sid = fscontext_sid;
678 }
679
680 /*
681 * Switch to using mount point labeling behavior.
682 * sets the label used on all file below the mountpoint, and will set
683 * the superblock context if not already set.
684 */
685 if (context_sid) {
686 if (!fscontext_sid) {
687 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
688 if (rc)
689 goto out;
690 sbsec->sid = context_sid;
691 } else {
692 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
693 if (rc)
694 goto out;
695 }
696 if (!rootcontext_sid)
697 rootcontext_sid = context_sid;
698
699 sbsec->mntpoint_sid = context_sid;
700 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
701 }
702
703 if (rootcontext_sid) {
704 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
705 if (rc)
706 goto out;
707
708 root_isec->sid = rootcontext_sid;
709 root_isec->initialized = 1;
710 }
711
712 if (defcontext_sid) {
713 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
714 rc = -EINVAL;
715 printk(KERN_WARNING "SELinux: defcontext option is "
716 "invalid for this filesystem type\n");
717 goto out;
718 }
719
720 if (defcontext_sid != sbsec->def_sid) {
721 rc = may_context_mount_inode_relabel(defcontext_sid,
722 sbsec, tsec);
723 if (rc)
724 goto out;
725 }
726
727 sbsec->def_sid = defcontext_sid;
728 }
729
730 rc = sb_finish_set_opts(sb);
731 out:
732 mutex_unlock(&sbsec->lock);
733 return rc;
734 out_double_mount:
735 rc = -EINVAL;
736 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
737 "security settings for (dev %s, type %s)\n", sb->s_id, name);
738 goto out;
739 }
740
741 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
742 struct super_block *newsb)
743 {
744 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
745 struct superblock_security_struct *newsbsec = newsb->s_security;
746
747 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
748 int set_context = (oldsbsec->flags & CONTEXT_MNT);
749 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
750
751 /* we can't error, we can't save the info, this shouldn't get called
752 * this early in the boot process. */
753 BUG_ON(!ss_initialized);
754
755 /* this might go away sometime down the line if there is a new user
756 * of clone, but for now, nfs better not get here... */
757 BUG_ON(newsbsec->initialized);
758
759 /* how can we clone if the old one wasn't set up?? */
760 BUG_ON(!oldsbsec->initialized);
761
762 mutex_lock(&newsbsec->lock);
763
764 newsbsec->flags = oldsbsec->flags;
765
766 newsbsec->sid = oldsbsec->sid;
767 newsbsec->def_sid = oldsbsec->def_sid;
768 newsbsec->behavior = oldsbsec->behavior;
769
770 if (set_context) {
771 u32 sid = oldsbsec->mntpoint_sid;
772
773 if (!set_fscontext)
774 newsbsec->sid = sid;
775 if (!set_rootcontext) {
776 struct inode *newinode = newsb->s_root->d_inode;
777 struct inode_security_struct *newisec = newinode->i_security;
778 newisec->sid = sid;
779 }
780 newsbsec->mntpoint_sid = sid;
781 }
782 if (set_rootcontext) {
783 const struct inode *oldinode = oldsb->s_root->d_inode;
784 const struct inode_security_struct *oldisec = oldinode->i_security;
785 struct inode *newinode = newsb->s_root->d_inode;
786 struct inode_security_struct *newisec = newinode->i_security;
787
788 newisec->sid = oldisec->sid;
789 }
790
791 sb_finish_set_opts(newsb);
792 mutex_unlock(&newsbsec->lock);
793 }
794
795 /*
796 * string mount options parsing and call set the sbsec
797 */
798 static int superblock_doinit(struct super_block *sb, void *data)
799 {
800 char *context = NULL, *defcontext = NULL;
801 char *fscontext = NULL, *rootcontext = NULL;
802 int rc = 0;
803 char *p, *options = data;
804 /* selinux only know about a fixed number of mount options */
805 char *mnt_opts[NUM_SEL_MNT_OPTS];
806 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
807
808 if (!data)
809 goto out;
810
811 /* with the nfs patch this will become a goto out; */
812 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
813 const char *name = sb->s_type->name;
814 /* NFS we understand. */
815 if (!strcmp(name, "nfs")) {
816 struct nfs_mount_data *d = data;
817
818 if (d->version != NFS_MOUNT_VERSION)
819 goto out;
820
821 if (d->context[0]) {
822 context = kstrdup(d->context, GFP_KERNEL);
823 if (!context) {
824 rc = -ENOMEM;
825 goto out;
826 }
827 }
828 goto build_flags;
829 } else
830 goto out;
831 }
832
833 /* Standard string-based options. */
834 while ((p = strsep(&options, "|")) != NULL) {
835 int token;
836 substring_t args[MAX_OPT_ARGS];
837
838 if (!*p)
839 continue;
840
841 token = match_token(p, tokens, args);
842
843 switch (token) {
844 case Opt_context:
845 if (context || defcontext) {
846 rc = -EINVAL;
847 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
848 goto out_err;
849 }
850 context = match_strdup(&args[0]);
851 if (!context) {
852 rc = -ENOMEM;
853 goto out_err;
854 }
855 break;
856
857 case Opt_fscontext:
858 if (fscontext) {
859 rc = -EINVAL;
860 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
861 goto out_err;
862 }
863 fscontext = match_strdup(&args[0]);
864 if (!fscontext) {
865 rc = -ENOMEM;
866 goto out_err;
867 }
868 break;
869
870 case Opt_rootcontext:
871 if (rootcontext) {
872 rc = -EINVAL;
873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874 goto out_err;
875 }
876 rootcontext = match_strdup(&args[0]);
877 if (!rootcontext) {
878 rc = -ENOMEM;
879 goto out_err;
880 }
881 break;
882
883 case Opt_defcontext:
884 if (context || defcontext) {
885 rc = -EINVAL;
886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
887 goto out_err;
888 }
889 defcontext = match_strdup(&args[0]);
890 if (!defcontext) {
891 rc = -ENOMEM;
892 goto out_err;
893 }
894 break;
895
896 default:
897 rc = -EINVAL;
898 printk(KERN_WARNING "SELinux: unknown mount option\n");
899 goto out_err;
900
901 }
902 }
903
904 build_flags:
905 if (fscontext) {
906 mnt_opts[num_mnt_opts] = fscontext;
907 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
908 }
909 if (context) {
910 mnt_opts[num_mnt_opts] = context;
911 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
912 }
913 if (rootcontext) {
914 mnt_opts[num_mnt_opts] = rootcontext;
915 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
916 }
917 if (defcontext) {
918 mnt_opts[num_mnt_opts] = defcontext;
919 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
920 }
921
922 out:
923 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
924 out_err:
925 kfree(context);
926 kfree(defcontext);
927 kfree(fscontext);
928 kfree(rootcontext);
929 return rc;
930 }
931
932 static inline u16 inode_mode_to_security_class(umode_t mode)
933 {
934 switch (mode & S_IFMT) {
935 case S_IFSOCK:
936 return SECCLASS_SOCK_FILE;
937 case S_IFLNK:
938 return SECCLASS_LNK_FILE;
939 case S_IFREG:
940 return SECCLASS_FILE;
941 case S_IFBLK:
942 return SECCLASS_BLK_FILE;
943 case S_IFDIR:
944 return SECCLASS_DIR;
945 case S_IFCHR:
946 return SECCLASS_CHR_FILE;
947 case S_IFIFO:
948 return SECCLASS_FIFO_FILE;
949
950 }
951
952 return SECCLASS_FILE;
953 }
954
955 static inline int default_protocol_stream(int protocol)
956 {
957 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
958 }
959
960 static inline int default_protocol_dgram(int protocol)
961 {
962 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
963 }
964
965 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
966 {
967 switch (family) {
968 case PF_UNIX:
969 switch (type) {
970 case SOCK_STREAM:
971 case SOCK_SEQPACKET:
972 return SECCLASS_UNIX_STREAM_SOCKET;
973 case SOCK_DGRAM:
974 return SECCLASS_UNIX_DGRAM_SOCKET;
975 }
976 break;
977 case PF_INET:
978 case PF_INET6:
979 switch (type) {
980 case SOCK_STREAM:
981 if (default_protocol_stream(protocol))
982 return SECCLASS_TCP_SOCKET;
983 else
984 return SECCLASS_RAWIP_SOCKET;
985 case SOCK_DGRAM:
986 if (default_protocol_dgram(protocol))
987 return SECCLASS_UDP_SOCKET;
988 else
989 return SECCLASS_RAWIP_SOCKET;
990 case SOCK_DCCP:
991 return SECCLASS_DCCP_SOCKET;
992 default:
993 return SECCLASS_RAWIP_SOCKET;
994 }
995 break;
996 case PF_NETLINK:
997 switch (protocol) {
998 case NETLINK_ROUTE:
999 return SECCLASS_NETLINK_ROUTE_SOCKET;
1000 case NETLINK_FIREWALL:
1001 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1002 case NETLINK_INET_DIAG:
1003 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1004 case NETLINK_NFLOG:
1005 return SECCLASS_NETLINK_NFLOG_SOCKET;
1006 case NETLINK_XFRM:
1007 return SECCLASS_NETLINK_XFRM_SOCKET;
1008 case NETLINK_SELINUX:
1009 return SECCLASS_NETLINK_SELINUX_SOCKET;
1010 case NETLINK_AUDIT:
1011 return SECCLASS_NETLINK_AUDIT_SOCKET;
1012 case NETLINK_IP6_FW:
1013 return SECCLASS_NETLINK_IP6FW_SOCKET;
1014 case NETLINK_DNRTMSG:
1015 return SECCLASS_NETLINK_DNRT_SOCKET;
1016 case NETLINK_KOBJECT_UEVENT:
1017 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1018 default:
1019 return SECCLASS_NETLINK_SOCKET;
1020 }
1021 case PF_PACKET:
1022 return SECCLASS_PACKET_SOCKET;
1023 case PF_KEY:
1024 return SECCLASS_KEY_SOCKET;
1025 case PF_APPLETALK:
1026 return SECCLASS_APPLETALK_SOCKET;
1027 }
1028
1029 return SECCLASS_SOCKET;
1030 }
1031
1032 #ifdef CONFIG_PROC_FS
1033 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1034 u16 tclass,
1035 u32 *sid)
1036 {
1037 int buflen, rc;
1038 char *buffer, *path, *end;
1039
1040 buffer = (char*)__get_free_page(GFP_KERNEL);
1041 if (!buffer)
1042 return -ENOMEM;
1043
1044 buflen = PAGE_SIZE;
1045 end = buffer+buflen;
1046 *--end = '\0';
1047 buflen--;
1048 path = end-1;
1049 *path = '/';
1050 while (de && de != de->parent) {
1051 buflen -= de->namelen + 1;
1052 if (buflen < 0)
1053 break;
1054 end -= de->namelen;
1055 memcpy(end, de->name, de->namelen);
1056 *--end = '/';
1057 path = end;
1058 de = de->parent;
1059 }
1060 rc = security_genfs_sid("proc", path, tclass, sid);
1061 free_page((unsigned long)buffer);
1062 return rc;
1063 }
1064 #else
1065 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1066 u16 tclass,
1067 u32 *sid)
1068 {
1069 return -EINVAL;
1070 }
1071 #endif
1072
1073 /* The inode's security attributes must be initialized before first use. */
1074 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1075 {
1076 struct superblock_security_struct *sbsec = NULL;
1077 struct inode_security_struct *isec = inode->i_security;
1078 u32 sid;
1079 struct dentry *dentry;
1080 #define INITCONTEXTLEN 255
1081 char *context = NULL;
1082 unsigned len = 0;
1083 int rc = 0;
1084
1085 if (isec->initialized)
1086 goto out;
1087
1088 mutex_lock(&isec->lock);
1089 if (isec->initialized)
1090 goto out_unlock;
1091
1092 sbsec = inode->i_sb->s_security;
1093 if (!sbsec->initialized) {
1094 /* Defer initialization until selinux_complete_init,
1095 after the initial policy is loaded and the security
1096 server is ready to handle calls. */
1097 spin_lock(&sbsec->isec_lock);
1098 if (list_empty(&isec->list))
1099 list_add(&isec->list, &sbsec->isec_head);
1100 spin_unlock(&sbsec->isec_lock);
1101 goto out_unlock;
1102 }
1103
1104 switch (sbsec->behavior) {
1105 case SECURITY_FS_USE_XATTR:
1106 if (!inode->i_op->getxattr) {
1107 isec->sid = sbsec->def_sid;
1108 break;
1109 }
1110
1111 /* Need a dentry, since the xattr API requires one.
1112 Life would be simpler if we could just pass the inode. */
1113 if (opt_dentry) {
1114 /* Called from d_instantiate or d_splice_alias. */
1115 dentry = dget(opt_dentry);
1116 } else {
1117 /* Called from selinux_complete_init, try to find a dentry. */
1118 dentry = d_find_alias(inode);
1119 }
1120 if (!dentry) {
1121 printk(KERN_WARNING "%s: no dentry for dev=%s "
1122 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1123 inode->i_ino);
1124 goto out_unlock;
1125 }
1126
1127 len = INITCONTEXTLEN;
1128 context = kmalloc(len, GFP_KERNEL);
1129 if (!context) {
1130 rc = -ENOMEM;
1131 dput(dentry);
1132 goto out_unlock;
1133 }
1134 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1135 context, len);
1136 if (rc == -ERANGE) {
1137 /* Need a larger buffer. Query for the right size. */
1138 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1139 NULL, 0);
1140 if (rc < 0) {
1141 dput(dentry);
1142 goto out_unlock;
1143 }
1144 kfree(context);
1145 len = rc;
1146 context = kmalloc(len, GFP_KERNEL);
1147 if (!context) {
1148 rc = -ENOMEM;
1149 dput(dentry);
1150 goto out_unlock;
1151 }
1152 rc = inode->i_op->getxattr(dentry,
1153 XATTR_NAME_SELINUX,
1154 context, len);
1155 }
1156 dput(dentry);
1157 if (rc < 0) {
1158 if (rc != -ENODATA) {
1159 printk(KERN_WARNING "%s: getxattr returned "
1160 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1161 -rc, inode->i_sb->s_id, inode->i_ino);
1162 kfree(context);
1163 goto out_unlock;
1164 }
1165 /* Map ENODATA to the default file SID */
1166 sid = sbsec->def_sid;
1167 rc = 0;
1168 } else {
1169 rc = security_context_to_sid_default(context, rc, &sid,
1170 sbsec->def_sid);
1171 if (rc) {
1172 printk(KERN_WARNING "%s: context_to_sid(%s) "
1173 "returned %d for dev=%s ino=%ld\n",
1174 __FUNCTION__, context, -rc,
1175 inode->i_sb->s_id, inode->i_ino);
1176 kfree(context);
1177 /* Leave with the unlabeled SID */
1178 rc = 0;
1179 break;
1180 }
1181 }
1182 kfree(context);
1183 isec->sid = sid;
1184 break;
1185 case SECURITY_FS_USE_TASK:
1186 isec->sid = isec->task_sid;
1187 break;
1188 case SECURITY_FS_USE_TRANS:
1189 /* Default to the fs SID. */
1190 isec->sid = sbsec->sid;
1191
1192 /* Try to obtain a transition SID. */
1193 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1194 rc = security_transition_sid(isec->task_sid,
1195 sbsec->sid,
1196 isec->sclass,
1197 &sid);
1198 if (rc)
1199 goto out_unlock;
1200 isec->sid = sid;
1201 break;
1202 case SECURITY_FS_USE_MNTPOINT:
1203 isec->sid = sbsec->mntpoint_sid;
1204 break;
1205 default:
1206 /* Default to the fs superblock SID. */
1207 isec->sid = sbsec->sid;
1208
1209 if (sbsec->proc) {
1210 struct proc_inode *proci = PROC_I(inode);
1211 if (proci->pde) {
1212 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1213 rc = selinux_proc_get_sid(proci->pde,
1214 isec->sclass,
1215 &sid);
1216 if (rc)
1217 goto out_unlock;
1218 isec->sid = sid;
1219 }
1220 }
1221 break;
1222 }
1223
1224 isec->initialized = 1;
1225
1226 out_unlock:
1227 mutex_unlock(&isec->lock);
1228 out:
1229 if (isec->sclass == SECCLASS_FILE)
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1231 return rc;
1232 }
1233
1234 /* Convert a Linux signal to an access vector. */
1235 static inline u32 signal_to_av(int sig)
1236 {
1237 u32 perm = 0;
1238
1239 switch (sig) {
1240 case SIGCHLD:
1241 /* Commonly granted from child to parent. */
1242 perm = PROCESS__SIGCHLD;
1243 break;
1244 case SIGKILL:
1245 /* Cannot be caught or ignored */
1246 perm = PROCESS__SIGKILL;
1247 break;
1248 case SIGSTOP:
1249 /* Cannot be caught or ignored */
1250 perm = PROCESS__SIGSTOP;
1251 break;
1252 default:
1253 /* All other signals. */
1254 perm = PROCESS__SIGNAL;
1255 break;
1256 }
1257
1258 return perm;
1259 }
1260
1261 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1262 fork check, ptrace check, etc. */
1263 static int task_has_perm(struct task_struct *tsk1,
1264 struct task_struct *tsk2,
1265 u32 perms)
1266 {
1267 struct task_security_struct *tsec1, *tsec2;
1268
1269 tsec1 = tsk1->security;
1270 tsec2 = tsk2->security;
1271 return avc_has_perm(tsec1->sid, tsec2->sid,
1272 SECCLASS_PROCESS, perms, NULL);
1273 }
1274
1275 #if CAP_LAST_CAP > 63
1276 #error Fix SELinux to handle capabilities > 63.
1277 #endif
1278
1279 /* Check whether a task is allowed to use a capability. */
1280 static int task_has_capability(struct task_struct *tsk,
1281 int cap)
1282 {
1283 struct task_security_struct *tsec;
1284 struct avc_audit_data ad;
1285 u16 sclass;
1286 u32 av = CAP_TO_MASK(cap);
1287
1288 tsec = tsk->security;
1289
1290 AVC_AUDIT_DATA_INIT(&ad,CAP);
1291 ad.tsk = tsk;
1292 ad.u.cap = cap;
1293
1294 switch (CAP_TO_INDEX(cap)) {
1295 case 0:
1296 sclass = SECCLASS_CAPABILITY;
1297 break;
1298 case 1:
1299 sclass = SECCLASS_CAPABILITY2;
1300 break;
1301 default:
1302 printk(KERN_ERR
1303 "SELinux: out of range capability %d\n", cap);
1304 BUG();
1305 }
1306 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1307 }
1308
1309 /* Check whether a task is allowed to use a system operation. */
1310 static int task_has_system(struct task_struct *tsk,
1311 u32 perms)
1312 {
1313 struct task_security_struct *tsec;
1314
1315 tsec = tsk->security;
1316
1317 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1318 SECCLASS_SYSTEM, perms, NULL);
1319 }
1320
1321 /* Check whether a task has a particular permission to an inode.
1322 The 'adp' parameter is optional and allows other audit
1323 data to be passed (e.g. the dentry). */
1324 static int inode_has_perm(struct task_struct *tsk,
1325 struct inode *inode,
1326 u32 perms,
1327 struct avc_audit_data *adp)
1328 {
1329 struct task_security_struct *tsec;
1330 struct inode_security_struct *isec;
1331 struct avc_audit_data ad;
1332
1333 if (unlikely (IS_PRIVATE (inode)))
1334 return 0;
1335
1336 tsec = tsk->security;
1337 isec = inode->i_security;
1338
1339 if (!adp) {
1340 adp = &ad;
1341 AVC_AUDIT_DATA_INIT(&ad, FS);
1342 ad.u.fs.inode = inode;
1343 }
1344
1345 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1346 }
1347
1348 /* Same as inode_has_perm, but pass explicit audit data containing
1349 the dentry to help the auditing code to more easily generate the
1350 pathname if needed. */
1351 static inline int dentry_has_perm(struct task_struct *tsk,
1352 struct vfsmount *mnt,
1353 struct dentry *dentry,
1354 u32 av)
1355 {
1356 struct inode *inode = dentry->d_inode;
1357 struct avc_audit_data ad;
1358 AVC_AUDIT_DATA_INIT(&ad,FS);
1359 ad.u.fs.mnt = mnt;
1360 ad.u.fs.dentry = dentry;
1361 return inode_has_perm(tsk, inode, av, &ad);
1362 }
1363
1364 /* Check whether a task can use an open file descriptor to
1365 access an inode in a given way. Check access to the
1366 descriptor itself, and then use dentry_has_perm to
1367 check a particular permission to the file.
1368 Access to the descriptor is implicitly granted if it
1369 has the same SID as the process. If av is zero, then
1370 access to the file is not checked, e.g. for cases
1371 where only the descriptor is affected like seek. */
1372 static int file_has_perm(struct task_struct *tsk,
1373 struct file *file,
1374 u32 av)
1375 {
1376 struct task_security_struct *tsec = tsk->security;
1377 struct file_security_struct *fsec = file->f_security;
1378 struct vfsmount *mnt = file->f_path.mnt;
1379 struct dentry *dentry = file->f_path.dentry;
1380 struct inode *inode = dentry->d_inode;
1381 struct avc_audit_data ad;
1382 int rc;
1383
1384 AVC_AUDIT_DATA_INIT(&ad, FS);
1385 ad.u.fs.mnt = mnt;
1386 ad.u.fs.dentry = dentry;
1387
1388 if (tsec->sid != fsec->sid) {
1389 rc = avc_has_perm(tsec->sid, fsec->sid,
1390 SECCLASS_FD,
1391 FD__USE,
1392 &ad);
1393 if (rc)
1394 return rc;
1395 }
1396
1397 /* av is zero if only checking access to the descriptor. */
1398 if (av)
1399 return inode_has_perm(tsk, inode, av, &ad);
1400
1401 return 0;
1402 }
1403
1404 /* Check whether a task can create a file. */
1405 static int may_create(struct inode *dir,
1406 struct dentry *dentry,
1407 u16 tclass)
1408 {
1409 struct task_security_struct *tsec;
1410 struct inode_security_struct *dsec;
1411 struct superblock_security_struct *sbsec;
1412 u32 newsid;
1413 struct avc_audit_data ad;
1414 int rc;
1415
1416 tsec = current->security;
1417 dsec = dir->i_security;
1418 sbsec = dir->i_sb->s_security;
1419
1420 AVC_AUDIT_DATA_INIT(&ad, FS);
1421 ad.u.fs.dentry = dentry;
1422
1423 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1424 DIR__ADD_NAME | DIR__SEARCH,
1425 &ad);
1426 if (rc)
1427 return rc;
1428
1429 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1430 newsid = tsec->create_sid;
1431 } else {
1432 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1433 &newsid);
1434 if (rc)
1435 return rc;
1436 }
1437
1438 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1439 if (rc)
1440 return rc;
1441
1442 return avc_has_perm(newsid, sbsec->sid,
1443 SECCLASS_FILESYSTEM,
1444 FILESYSTEM__ASSOCIATE, &ad);
1445 }
1446
1447 /* Check whether a task can create a key. */
1448 static int may_create_key(u32 ksid,
1449 struct task_struct *ctx)
1450 {
1451 struct task_security_struct *tsec;
1452
1453 tsec = ctx->security;
1454
1455 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1456 }
1457
1458 #define MAY_LINK 0
1459 #define MAY_UNLINK 1
1460 #define MAY_RMDIR 2
1461
1462 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1463 static int may_link(struct inode *dir,
1464 struct dentry *dentry,
1465 int kind)
1466
1467 {
1468 struct task_security_struct *tsec;
1469 struct inode_security_struct *dsec, *isec;
1470 struct avc_audit_data ad;
1471 u32 av;
1472 int rc;
1473
1474 tsec = current->security;
1475 dsec = dir->i_security;
1476 isec = dentry->d_inode->i_security;
1477
1478 AVC_AUDIT_DATA_INIT(&ad, FS);
1479 ad.u.fs.dentry = dentry;
1480
1481 av = DIR__SEARCH;
1482 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1483 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1484 if (rc)
1485 return rc;
1486
1487 switch (kind) {
1488 case MAY_LINK:
1489 av = FILE__LINK;
1490 break;
1491 case MAY_UNLINK:
1492 av = FILE__UNLINK;
1493 break;
1494 case MAY_RMDIR:
1495 av = DIR__RMDIR;
1496 break;
1497 default:
1498 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1499 return 0;
1500 }
1501
1502 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1503 return rc;
1504 }
1505
1506 static inline int may_rename(struct inode *old_dir,
1507 struct dentry *old_dentry,
1508 struct inode *new_dir,
1509 struct dentry *new_dentry)
1510 {
1511 struct task_security_struct *tsec;
1512 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1513 struct avc_audit_data ad;
1514 u32 av;
1515 int old_is_dir, new_is_dir;
1516 int rc;
1517
1518 tsec = current->security;
1519 old_dsec = old_dir->i_security;
1520 old_isec = old_dentry->d_inode->i_security;
1521 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1522 new_dsec = new_dir->i_security;
1523
1524 AVC_AUDIT_DATA_INIT(&ad, FS);
1525
1526 ad.u.fs.dentry = old_dentry;
1527 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1528 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1529 if (rc)
1530 return rc;
1531 rc = avc_has_perm(tsec->sid, old_isec->sid,
1532 old_isec->sclass, FILE__RENAME, &ad);
1533 if (rc)
1534 return rc;
1535 if (old_is_dir && new_dir != old_dir) {
1536 rc = avc_has_perm(tsec->sid, old_isec->sid,
1537 old_isec->sclass, DIR__REPARENT, &ad);
1538 if (rc)
1539 return rc;
1540 }
1541
1542 ad.u.fs.dentry = new_dentry;
1543 av = DIR__ADD_NAME | DIR__SEARCH;
1544 if (new_dentry->d_inode)
1545 av |= DIR__REMOVE_NAME;
1546 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1547 if (rc)
1548 return rc;
1549 if (new_dentry->d_inode) {
1550 new_isec = new_dentry->d_inode->i_security;
1551 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1552 rc = avc_has_perm(tsec->sid, new_isec->sid,
1553 new_isec->sclass,
1554 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1555 if (rc)
1556 return rc;
1557 }
1558
1559 return 0;
1560 }
1561
1562 /* Check whether a task can perform a filesystem operation. */
1563 static int superblock_has_perm(struct task_struct *tsk,
1564 struct super_block *sb,
1565 u32 perms,
1566 struct avc_audit_data *ad)
1567 {
1568 struct task_security_struct *tsec;
1569 struct superblock_security_struct *sbsec;
1570
1571 tsec = tsk->security;
1572 sbsec = sb->s_security;
1573 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1574 perms, ad);
1575 }
1576
1577 /* Convert a Linux mode and permission mask to an access vector. */
1578 static inline u32 file_mask_to_av(int mode, int mask)
1579 {
1580 u32 av = 0;
1581
1582 if ((mode & S_IFMT) != S_IFDIR) {
1583 if (mask & MAY_EXEC)
1584 av |= FILE__EXECUTE;
1585 if (mask & MAY_READ)
1586 av |= FILE__READ;
1587
1588 if (mask & MAY_APPEND)
1589 av |= FILE__APPEND;
1590 else if (mask & MAY_WRITE)
1591 av |= FILE__WRITE;
1592
1593 } else {
1594 if (mask & MAY_EXEC)
1595 av |= DIR__SEARCH;
1596 if (mask & MAY_WRITE)
1597 av |= DIR__WRITE;
1598 if (mask & MAY_READ)
1599 av |= DIR__READ;
1600 }
1601
1602 return av;
1603 }
1604
1605 /* Convert a Linux file to an access vector. */
1606 static inline u32 file_to_av(struct file *file)
1607 {
1608 u32 av = 0;
1609
1610 if (file->f_mode & FMODE_READ)
1611 av |= FILE__READ;
1612 if (file->f_mode & FMODE_WRITE) {
1613 if (file->f_flags & O_APPEND)
1614 av |= FILE__APPEND;
1615 else
1616 av |= FILE__WRITE;
1617 }
1618
1619 return av;
1620 }
1621
1622 /* Hook functions begin here. */
1623
1624 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1625 {
1626 struct task_security_struct *psec = parent->security;
1627 struct task_security_struct *csec = child->security;
1628 int rc;
1629
1630 rc = secondary_ops->ptrace(parent,child);
1631 if (rc)
1632 return rc;
1633
1634 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1635 /* Save the SID of the tracing process for later use in apply_creds. */
1636 if (!(child->ptrace & PT_PTRACED) && !rc)
1637 csec->ptrace_sid = psec->sid;
1638 return rc;
1639 }
1640
1641 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1642 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1643 {
1644 int error;
1645
1646 error = task_has_perm(current, target, PROCESS__GETCAP);
1647 if (error)
1648 return error;
1649
1650 return secondary_ops->capget(target, effective, inheritable, permitted);
1651 }
1652
1653 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1654 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1655 {
1656 int error;
1657
1658 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1659 if (error)
1660 return error;
1661
1662 return task_has_perm(current, target, PROCESS__SETCAP);
1663 }
1664
1665 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1666 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1667 {
1668 secondary_ops->capset_set(target, effective, inheritable, permitted);
1669 }
1670
1671 static int selinux_capable(struct task_struct *tsk, int cap)
1672 {
1673 int rc;
1674
1675 rc = secondary_ops->capable(tsk, cap);
1676 if (rc)
1677 return rc;
1678
1679 return task_has_capability(tsk,cap);
1680 }
1681
1682 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1683 {
1684 int buflen, rc;
1685 char *buffer, *path, *end;
1686
1687 rc = -ENOMEM;
1688 buffer = (char*)__get_free_page(GFP_KERNEL);
1689 if (!buffer)
1690 goto out;
1691
1692 buflen = PAGE_SIZE;
1693 end = buffer+buflen;
1694 *--end = '\0';
1695 buflen--;
1696 path = end-1;
1697 *path = '/';
1698 while (table) {
1699 const char *name = table->procname;
1700 size_t namelen = strlen(name);
1701 buflen -= namelen + 1;
1702 if (buflen < 0)
1703 goto out_free;
1704 end -= namelen;
1705 memcpy(end, name, namelen);
1706 *--end = '/';
1707 path = end;
1708 table = table->parent;
1709 }
1710 buflen -= 4;
1711 if (buflen < 0)
1712 goto out_free;
1713 end -= 4;
1714 memcpy(end, "/sys", 4);
1715 path = end;
1716 rc = security_genfs_sid("proc", path, tclass, sid);
1717 out_free:
1718 free_page((unsigned long)buffer);
1719 out:
1720 return rc;
1721 }
1722
1723 static int selinux_sysctl(ctl_table *table, int op)
1724 {
1725 int error = 0;
1726 u32 av;
1727 struct task_security_struct *tsec;
1728 u32 tsid;
1729 int rc;
1730
1731 rc = secondary_ops->sysctl(table, op);
1732 if (rc)
1733 return rc;
1734
1735 tsec = current->security;
1736
1737 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1738 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1739 if (rc) {
1740 /* Default to the well-defined sysctl SID. */
1741 tsid = SECINITSID_SYSCTL;
1742 }
1743
1744 /* The op values are "defined" in sysctl.c, thereby creating
1745 * a bad coupling between this module and sysctl.c */
1746 if(op == 001) {
1747 error = avc_has_perm(tsec->sid, tsid,
1748 SECCLASS_DIR, DIR__SEARCH, NULL);
1749 } else {
1750 av = 0;
1751 if (op & 004)
1752 av |= FILE__READ;
1753 if (op & 002)
1754 av |= FILE__WRITE;
1755 if (av)
1756 error = avc_has_perm(tsec->sid, tsid,
1757 SECCLASS_FILE, av, NULL);
1758 }
1759
1760 return error;
1761 }
1762
1763 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1764 {
1765 int rc = 0;
1766
1767 if (!sb)
1768 return 0;
1769
1770 switch (cmds) {
1771 case Q_SYNC:
1772 case Q_QUOTAON:
1773 case Q_QUOTAOFF:
1774 case Q_SETINFO:
1775 case Q_SETQUOTA:
1776 rc = superblock_has_perm(current,
1777 sb,
1778 FILESYSTEM__QUOTAMOD, NULL);
1779 break;
1780 case Q_GETFMT:
1781 case Q_GETINFO:
1782 case Q_GETQUOTA:
1783 rc = superblock_has_perm(current,
1784 sb,
1785 FILESYSTEM__QUOTAGET, NULL);
1786 break;
1787 default:
1788 rc = 0; /* let the kernel handle invalid cmds */
1789 break;
1790 }
1791 return rc;
1792 }
1793
1794 static int selinux_quota_on(struct dentry *dentry)
1795 {
1796 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1797 }
1798
1799 static int selinux_syslog(int type)
1800 {
1801 int rc;
1802
1803 rc = secondary_ops->syslog(type);
1804 if (rc)
1805 return rc;
1806
1807 switch (type) {
1808 case 3: /* Read last kernel messages */
1809 case 10: /* Return size of the log buffer */
1810 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1811 break;
1812 case 6: /* Disable logging to console */
1813 case 7: /* Enable logging to console */
1814 case 8: /* Set level of messages printed to console */
1815 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1816 break;
1817 case 0: /* Close log */
1818 case 1: /* Open log */
1819 case 2: /* Read from log */
1820 case 4: /* Read/clear last kernel messages */
1821 case 5: /* Clear ring buffer */
1822 default:
1823 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1824 break;
1825 }
1826 return rc;
1827 }
1828
1829 /*
1830 * Check that a process has enough memory to allocate a new virtual
1831 * mapping. 0 means there is enough memory for the allocation to
1832 * succeed and -ENOMEM implies there is not.
1833 *
1834 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1835 * if the capability is granted, but __vm_enough_memory requires 1 if
1836 * the capability is granted.
1837 *
1838 * Do not audit the selinux permission check, as this is applied to all
1839 * processes that allocate mappings.
1840 */
1841 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1842 {
1843 int rc, cap_sys_admin = 0;
1844 struct task_security_struct *tsec = current->security;
1845
1846 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1847 if (rc == 0)
1848 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1849 SECCLASS_CAPABILITY,
1850 CAP_TO_MASK(CAP_SYS_ADMIN),
1851 0,
1852 NULL);
1853
1854 if (rc == 0)
1855 cap_sys_admin = 1;
1856
1857 return __vm_enough_memory(mm, pages, cap_sys_admin);
1858 }
1859
1860 /* binprm security operations */
1861
1862 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1863 {
1864 struct bprm_security_struct *bsec;
1865
1866 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1867 if (!bsec)
1868 return -ENOMEM;
1869
1870 bsec->bprm = bprm;
1871 bsec->sid = SECINITSID_UNLABELED;
1872 bsec->set = 0;
1873
1874 bprm->security = bsec;
1875 return 0;
1876 }
1877
1878 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1879 {
1880 struct task_security_struct *tsec;
1881 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1882 struct inode_security_struct *isec;
1883 struct bprm_security_struct *bsec;
1884 u32 newsid;
1885 struct avc_audit_data ad;
1886 int rc;
1887
1888 rc = secondary_ops->bprm_set_security(bprm);
1889 if (rc)
1890 return rc;
1891
1892 bsec = bprm->security;
1893
1894 if (bsec->set)
1895 return 0;
1896
1897 tsec = current->security;
1898 isec = inode->i_security;
1899
1900 /* Default to the current task SID. */
1901 bsec->sid = tsec->sid;
1902
1903 /* Reset fs, key, and sock SIDs on execve. */
1904 tsec->create_sid = 0;
1905 tsec->keycreate_sid = 0;
1906 tsec->sockcreate_sid = 0;
1907
1908 if (tsec->exec_sid) {
1909 newsid = tsec->exec_sid;
1910 /* Reset exec SID on execve. */
1911 tsec->exec_sid = 0;
1912 } else {
1913 /* Check for a default transition on this program. */
1914 rc = security_transition_sid(tsec->sid, isec->sid,
1915 SECCLASS_PROCESS, &newsid);
1916 if (rc)
1917 return rc;
1918 }
1919
1920 AVC_AUDIT_DATA_INIT(&ad, FS);
1921 ad.u.fs.mnt = bprm->file->f_path.mnt;
1922 ad.u.fs.dentry = bprm->file->f_path.dentry;
1923
1924 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1925 newsid = tsec->sid;
1926
1927 if (tsec->sid == newsid) {
1928 rc = avc_has_perm(tsec->sid, isec->sid,
1929 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1930 if (rc)
1931 return rc;
1932 } else {
1933 /* Check permissions for the transition. */
1934 rc = avc_has_perm(tsec->sid, newsid,
1935 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1936 if (rc)
1937 return rc;
1938
1939 rc = avc_has_perm(newsid, isec->sid,
1940 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1941 if (rc)
1942 return rc;
1943
1944 /* Clear any possibly unsafe personality bits on exec: */
1945 current->personality &= ~PER_CLEAR_ON_SETID;
1946
1947 /* Set the security field to the new SID. */
1948 bsec->sid = newsid;
1949 }
1950
1951 bsec->set = 1;
1952 return 0;
1953 }
1954
1955 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1956 {
1957 return secondary_ops->bprm_check_security(bprm);
1958 }
1959
1960
1961 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1962 {
1963 struct task_security_struct *tsec = current->security;
1964 int atsecure = 0;
1965
1966 if (tsec->osid != tsec->sid) {
1967 /* Enable secure mode for SIDs transitions unless
1968 the noatsecure permission is granted between
1969 the two SIDs, i.e. ahp returns 0. */
1970 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1971 SECCLASS_PROCESS,
1972 PROCESS__NOATSECURE, NULL);
1973 }
1974
1975 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1976 }
1977
1978 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1979 {
1980 kfree(bprm->security);
1981 bprm->security = NULL;
1982 }
1983
1984 extern struct vfsmount *selinuxfs_mount;
1985 extern struct dentry *selinux_null;
1986
1987 /* Derived from fs/exec.c:flush_old_files. */
1988 static inline void flush_unauthorized_files(struct files_struct * files)
1989 {
1990 struct avc_audit_data ad;
1991 struct file *file, *devnull = NULL;
1992 struct tty_struct *tty;
1993 struct fdtable *fdt;
1994 long j = -1;
1995 int drop_tty = 0;
1996
1997 mutex_lock(&tty_mutex);
1998 tty = get_current_tty();
1999 if (tty) {
2000 file_list_lock();
2001 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2002 if (file) {
2003 /* Revalidate access to controlling tty.
2004 Use inode_has_perm on the tty inode directly rather
2005 than using file_has_perm, as this particular open
2006 file may belong to another process and we are only
2007 interested in the inode-based check here. */
2008 struct inode *inode = file->f_path.dentry->d_inode;
2009 if (inode_has_perm(current, inode,
2010 FILE__READ | FILE__WRITE, NULL)) {
2011 drop_tty = 1;
2012 }
2013 }
2014 file_list_unlock();
2015 }
2016 mutex_unlock(&tty_mutex);
2017 /* Reset controlling tty. */
2018 if (drop_tty)
2019 no_tty();
2020
2021 /* Revalidate access to inherited open files. */
2022
2023 AVC_AUDIT_DATA_INIT(&ad,FS);
2024
2025 spin_lock(&files->file_lock);
2026 for (;;) {
2027 unsigned long set, i;
2028 int fd;
2029
2030 j++;
2031 i = j * __NFDBITS;
2032 fdt = files_fdtable(files);
2033 if (i >= fdt->max_fds)
2034 break;
2035 set = fdt->open_fds->fds_bits[j];
2036 if (!set)
2037 continue;
2038 spin_unlock(&files->file_lock);
2039 for ( ; set ; i++,set >>= 1) {
2040 if (set & 1) {
2041 file = fget(i);
2042 if (!file)
2043 continue;
2044 if (file_has_perm(current,
2045 file,
2046 file_to_av(file))) {
2047 sys_close(i);
2048 fd = get_unused_fd();
2049 if (fd != i) {
2050 if (fd >= 0)
2051 put_unused_fd(fd);
2052 fput(file);
2053 continue;
2054 }
2055 if (devnull) {
2056 get_file(devnull);
2057 } else {
2058 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2059 if (IS_ERR(devnull)) {
2060 devnull = NULL;
2061 put_unused_fd(fd);
2062 fput(file);
2063 continue;
2064 }
2065 }
2066 fd_install(fd, devnull);
2067 }
2068 fput(file);
2069 }
2070 }
2071 spin_lock(&files->file_lock);
2072
2073 }
2074 spin_unlock(&files->file_lock);
2075 }
2076
2077 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2078 {
2079 struct task_security_struct *tsec;
2080 struct bprm_security_struct *bsec;
2081 u32 sid;
2082 int rc;
2083
2084 secondary_ops->bprm_apply_creds(bprm, unsafe);
2085
2086 tsec = current->security;
2087
2088 bsec = bprm->security;
2089 sid = bsec->sid;
2090
2091 tsec->osid = tsec->sid;
2092 bsec->unsafe = 0;
2093 if (tsec->sid != sid) {
2094 /* Check for shared state. If not ok, leave SID
2095 unchanged and kill. */
2096 if (unsafe & LSM_UNSAFE_SHARE) {
2097 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2098 PROCESS__SHARE, NULL);
2099 if (rc) {
2100 bsec->unsafe = 1;
2101 return;
2102 }
2103 }
2104
2105 /* Check for ptracing, and update the task SID if ok.
2106 Otherwise, leave SID unchanged and kill. */
2107 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2108 rc = avc_has_perm(tsec->ptrace_sid, sid,
2109 SECCLASS_PROCESS, PROCESS__PTRACE,
2110 NULL);
2111 if (rc) {
2112 bsec->unsafe = 1;
2113 return;
2114 }
2115 }
2116 tsec->sid = sid;
2117 }
2118 }
2119
2120 /*
2121 * called after apply_creds without the task lock held
2122 */
2123 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2124 {
2125 struct task_security_struct *tsec;
2126 struct rlimit *rlim, *initrlim;
2127 struct itimerval itimer;
2128 struct bprm_security_struct *bsec;
2129 int rc, i;
2130
2131 tsec = current->security;
2132 bsec = bprm->security;
2133
2134 if (bsec->unsafe) {
2135 force_sig_specific(SIGKILL, current);
2136 return;
2137 }
2138 if (tsec->osid == tsec->sid)
2139 return;
2140
2141 /* Close files for which the new task SID is not authorized. */
2142 flush_unauthorized_files(current->files);
2143
2144 /* Check whether the new SID can inherit signal state
2145 from the old SID. If not, clear itimers to avoid
2146 subsequent signal generation and flush and unblock
2147 signals. This must occur _after_ the task SID has
2148 been updated so that any kill done after the flush
2149 will be checked against the new SID. */
2150 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2151 PROCESS__SIGINH, NULL);
2152 if (rc) {
2153 memset(&itimer, 0, sizeof itimer);
2154 for (i = 0; i < 3; i++)
2155 do_setitimer(i, &itimer, NULL);
2156 flush_signals(current);
2157 spin_lock_irq(&current->sighand->siglock);
2158 flush_signal_handlers(current, 1);
2159 sigemptyset(&current->blocked);
2160 recalc_sigpending();
2161 spin_unlock_irq(&current->sighand->siglock);
2162 }
2163
2164 /* Always clear parent death signal on SID transitions. */
2165 current->pdeath_signal = 0;
2166
2167 /* Check whether the new SID can inherit resource limits
2168 from the old SID. If not, reset all soft limits to
2169 the lower of the current task's hard limit and the init
2170 task's soft limit. Note that the setting of hard limits
2171 (even to lower them) can be controlled by the setrlimit
2172 check. The inclusion of the init task's soft limit into
2173 the computation is to avoid resetting soft limits higher
2174 than the default soft limit for cases where the default
2175 is lower than the hard limit, e.g. RLIMIT_CORE or
2176 RLIMIT_STACK.*/
2177 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2178 PROCESS__RLIMITINH, NULL);
2179 if (rc) {
2180 for (i = 0; i < RLIM_NLIMITS; i++) {
2181 rlim = current->signal->rlim + i;
2182 initrlim = init_task.signal->rlim+i;
2183 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2184 }
2185 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2186 /*
2187 * This will cause RLIMIT_CPU calculations
2188 * to be refigured.
2189 */
2190 current->it_prof_expires = jiffies_to_cputime(1);
2191 }
2192 }
2193
2194 /* Wake up the parent if it is waiting so that it can
2195 recheck wait permission to the new task SID. */
2196 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2197 }
2198
2199 /* superblock security operations */
2200
2201 static int selinux_sb_alloc_security(struct super_block *sb)
2202 {
2203 return superblock_alloc_security(sb);
2204 }
2205
2206 static void selinux_sb_free_security(struct super_block *sb)
2207 {
2208 superblock_free_security(sb);
2209 }
2210
2211 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2212 {
2213 if (plen > olen)
2214 return 0;
2215
2216 return !memcmp(prefix, option, plen);
2217 }
2218
2219 static inline int selinux_option(char *option, int len)
2220 {
2221 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2222 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2223 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2224 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2225 }
2226
2227 static inline void take_option(char **to, char *from, int *first, int len)
2228 {
2229 if (!*first) {
2230 **to = ',';
2231 *to += 1;
2232 } else
2233 *first = 0;
2234 memcpy(*to, from, len);
2235 *to += len;
2236 }
2237
2238 static inline void take_selinux_option(char **to, char *from, int *first,
2239 int len)
2240 {
2241 int current_size = 0;
2242
2243 if (!*first) {
2244 **to = '|';
2245 *to += 1;
2246 }
2247 else
2248 *first = 0;
2249
2250 while (current_size < len) {
2251 if (*from != '"') {
2252 **to = *from;
2253 *to += 1;
2254 }
2255 from += 1;
2256 current_size += 1;
2257 }
2258 }
2259
2260 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2261 {
2262 int fnosec, fsec, rc = 0;
2263 char *in_save, *in_curr, *in_end;
2264 char *sec_curr, *nosec_save, *nosec;
2265 int open_quote = 0;
2266
2267 in_curr = orig;
2268 sec_curr = copy;
2269
2270 /* Binary mount data: just copy */
2271 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2272 copy_page(sec_curr, in_curr);
2273 goto out;
2274 }
2275
2276 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2277 if (!nosec) {
2278 rc = -ENOMEM;
2279 goto out;
2280 }
2281
2282 nosec_save = nosec;
2283 fnosec = fsec = 1;
2284 in_save = in_end = orig;
2285
2286 do {
2287 if (*in_end == '"')
2288 open_quote = !open_quote;
2289 if ((*in_end == ',' && open_quote == 0) ||
2290 *in_end == '\0') {
2291 int len = in_end - in_curr;
2292
2293 if (selinux_option(in_curr, len))
2294 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2295 else
2296 take_option(&nosec, in_curr, &fnosec, len);
2297
2298 in_curr = in_end + 1;
2299 }
2300 } while (*in_end++);
2301
2302 strcpy(in_save, nosec_save);
2303 free_page((unsigned long)nosec_save);
2304 out:
2305 return rc;
2306 }
2307
2308 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2309 {
2310 struct avc_audit_data ad;
2311 int rc;
2312
2313 rc = superblock_doinit(sb, data);
2314 if (rc)
2315 return rc;
2316
2317 AVC_AUDIT_DATA_INIT(&ad,FS);
2318 ad.u.fs.dentry = sb->s_root;
2319 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2320 }
2321
2322 static int selinux_sb_statfs(struct dentry *dentry)
2323 {
2324 struct avc_audit_data ad;
2325
2326 AVC_AUDIT_DATA_INIT(&ad,FS);
2327 ad.u.fs.dentry = dentry->d_sb->s_root;
2328 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2329 }
2330
2331 static int selinux_mount(char * dev_name,
2332 struct nameidata *nd,
2333 char * type,
2334 unsigned long flags,
2335 void * data)
2336 {
2337 int rc;
2338
2339 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2340 if (rc)
2341 return rc;
2342
2343 if (flags & MS_REMOUNT)
2344 return superblock_has_perm(current, nd->mnt->mnt_sb,
2345 FILESYSTEM__REMOUNT, NULL);
2346 else
2347 return dentry_has_perm(current, nd->mnt, nd->dentry,
2348 FILE__MOUNTON);
2349 }
2350
2351 static int selinux_umount(struct vfsmount *mnt, int flags)
2352 {
2353 int rc;
2354
2355 rc = secondary_ops->sb_umount(mnt, flags);
2356 if (rc)
2357 return rc;
2358
2359 return superblock_has_perm(current,mnt->mnt_sb,
2360 FILESYSTEM__UNMOUNT,NULL);
2361 }
2362
2363 /* inode security operations */
2364
2365 static int selinux_inode_alloc_security(struct inode *inode)
2366 {
2367 return inode_alloc_security(inode);
2368 }
2369
2370 static void selinux_inode_free_security(struct inode *inode)
2371 {
2372 inode_free_security(inode);
2373 }
2374
2375 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2376 char **name, void **value,
2377 size_t *len)
2378 {
2379 struct task_security_struct *tsec;
2380 struct inode_security_struct *dsec;
2381 struct superblock_security_struct *sbsec;
2382 u32 newsid, clen;
2383 int rc;
2384 char *namep = NULL, *context;
2385
2386 tsec = current->security;
2387 dsec = dir->i_security;
2388 sbsec = dir->i_sb->s_security;
2389
2390 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2391 newsid = tsec->create_sid;
2392 } else {
2393 rc = security_transition_sid(tsec->sid, dsec->sid,
2394 inode_mode_to_security_class(inode->i_mode),
2395 &newsid);
2396 if (rc) {
2397 printk(KERN_WARNING "%s: "
2398 "security_transition_sid failed, rc=%d (dev=%s "
2399 "ino=%ld)\n",
2400 __FUNCTION__,
2401 -rc, inode->i_sb->s_id, inode->i_ino);
2402 return rc;
2403 }
2404 }
2405
2406 /* Possibly defer initialization to selinux_complete_init. */
2407 if (sbsec->initialized) {
2408 struct inode_security_struct *isec = inode->i_security;
2409 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2410 isec->sid = newsid;
2411 isec->initialized = 1;
2412 }
2413
2414 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2415 return -EOPNOTSUPP;
2416
2417 if (name) {
2418 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2419 if (!namep)
2420 return -ENOMEM;
2421 *name = namep;
2422 }
2423
2424 if (value && len) {
2425 rc = security_sid_to_context(newsid, &context, &clen);
2426 if (rc) {
2427 kfree(namep);
2428 return rc;
2429 }
2430 *value = context;
2431 *len = clen;
2432 }
2433
2434 return 0;
2435 }
2436
2437 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2438 {
2439 return may_create(dir, dentry, SECCLASS_FILE);
2440 }
2441
2442 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2443 {
2444 int rc;
2445
2446 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2447 if (rc)
2448 return rc;
2449 return may_link(dir, old_dentry, MAY_LINK);
2450 }
2451
2452 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2453 {
2454 int rc;
2455
2456 rc = secondary_ops->inode_unlink(dir, dentry);
2457 if (rc)
2458 return rc;
2459 return may_link(dir, dentry, MAY_UNLINK);
2460 }
2461
2462 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2463 {
2464 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2465 }
2466
2467 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2468 {
2469 return may_create(dir, dentry, SECCLASS_DIR);
2470 }
2471
2472 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2473 {
2474 return may_link(dir, dentry, MAY_RMDIR);
2475 }
2476
2477 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2478 {
2479 int rc;
2480
2481 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2482 if (rc)
2483 return rc;
2484
2485 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2486 }
2487
2488 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2489 struct inode *new_inode, struct dentry *new_dentry)
2490 {
2491 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2492 }
2493
2494 static int selinux_inode_readlink(struct dentry *dentry)
2495 {
2496 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2497 }
2498
2499 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2500 {
2501 int rc;
2502
2503 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2504 if (rc)
2505 return rc;
2506 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2507 }
2508
2509 static int selinux_inode_permission(struct inode *inode, int mask,
2510 struct nameidata *nd)
2511 {
2512 int rc;
2513
2514 rc = secondary_ops->inode_permission(inode, mask, nd);
2515 if (rc)
2516 return rc;
2517
2518 if (!mask) {
2519 /* No permission to check. Existence test. */
2520 return 0;
2521 }
2522
2523 return inode_has_perm(current, inode,
2524 file_mask_to_av(inode->i_mode, mask), NULL);
2525 }
2526
2527 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2528 {
2529 int rc;
2530
2531 rc = secondary_ops->inode_setattr(dentry, iattr);
2532 if (rc)
2533 return rc;
2534
2535 if (iattr->ia_valid & ATTR_FORCE)
2536 return 0;
2537
2538 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2539 ATTR_ATIME_SET | ATTR_MTIME_SET))
2540 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2541
2542 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2543 }
2544
2545 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2546 {
2547 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2548 }
2549
2550 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2551 {
2552 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2553 sizeof XATTR_SECURITY_PREFIX - 1)) {
2554 if (!strcmp(name, XATTR_NAME_CAPS)) {
2555 if (!capable(CAP_SETFCAP))
2556 return -EPERM;
2557 } else if (!capable(CAP_SYS_ADMIN)) {
2558 /* A different attribute in the security namespace.
2559 Restrict to administrator. */
2560 return -EPERM;
2561 }
2562 }
2563
2564 /* Not an attribute we recognize, so just check the
2565 ordinary setattr permission. */
2566 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2567 }
2568
2569 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2570 {
2571 struct task_security_struct *tsec = current->security;
2572 struct inode *inode = dentry->d_inode;
2573 struct inode_security_struct *isec = inode->i_security;
2574 struct superblock_security_struct *sbsec;
2575 struct avc_audit_data ad;
2576 u32 newsid;
2577 int rc = 0;
2578
2579 if (strcmp(name, XATTR_NAME_SELINUX))
2580 return selinux_inode_setotherxattr(dentry, name);
2581
2582 sbsec = inode->i_sb->s_security;
2583 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2584 return -EOPNOTSUPP;
2585
2586 if (!is_owner_or_cap(inode))
2587 return -EPERM;
2588
2589 AVC_AUDIT_DATA_INIT(&ad,FS);
2590 ad.u.fs.dentry = dentry;
2591
2592 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2593 FILE__RELABELFROM, &ad);
2594 if (rc)
2595 return rc;
2596
2597 rc = security_context_to_sid(value, size, &newsid);
2598 if (rc)
2599 return rc;
2600
2601 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2602 FILE__RELABELTO, &ad);
2603 if (rc)
2604 return rc;
2605
2606 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2607 isec->sclass);
2608 if (rc)
2609 return rc;
2610
2611 return avc_has_perm(newsid,
2612 sbsec->sid,
2613 SECCLASS_FILESYSTEM,
2614 FILESYSTEM__ASSOCIATE,
2615 &ad);
2616 }
2617
2618 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2619 void *value, size_t size, int flags)
2620 {
2621 struct inode *inode = dentry->d_inode;
2622 struct inode_security_struct *isec = inode->i_security;
2623 u32 newsid;
2624 int rc;
2625
2626 if (strcmp(name, XATTR_NAME_SELINUX)) {
2627 /* Not an attribute we recognize, so nothing to do. */
2628 return;
2629 }
2630
2631 rc = security_context_to_sid(value, size, &newsid);
2632 if (rc) {
2633 printk(KERN_WARNING "%s: unable to obtain SID for context "
2634 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2635 return;
2636 }
2637
2638 isec->sid = newsid;
2639 return;
2640 }
2641
2642 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2643 {
2644 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2645 }
2646
2647 static int selinux_inode_listxattr (struct dentry *dentry)
2648 {
2649 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2650 }
2651
2652 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2653 {
2654 if (strcmp(name, XATTR_NAME_SELINUX))
2655 return selinux_inode_setotherxattr(dentry, name);
2656
2657 /* No one is allowed to remove a SELinux security label.
2658 You can change the label, but all data must be labeled. */
2659 return -EACCES;
2660 }
2661
2662 /*
2663 * Copy the in-core inode security context value to the user. If the
2664 * getxattr() prior to this succeeded, check to see if we need to
2665 * canonicalize the value to be finally returned to the user.
2666 *
2667 * Permission check is handled by selinux_inode_getxattr hook.
2668 */
2669 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2670 {
2671 u32 size;
2672 int error;
2673 char *context = NULL;
2674 struct inode_security_struct *isec = inode->i_security;
2675
2676 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2677 return -EOPNOTSUPP;
2678
2679 error = security_sid_to_context(isec->sid, &context, &size);
2680 if (error)
2681 return error;
2682 error = size;
2683 if (alloc) {
2684 *buffer = context;
2685 goto out_nofree;
2686 }
2687 kfree(context);
2688 out_nofree:
2689 return error;
2690 }
2691
2692 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2693 const void *value, size_t size, int flags)
2694 {
2695 struct inode_security_struct *isec = inode->i_security;
2696 u32 newsid;
2697 int rc;
2698
2699 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2700 return -EOPNOTSUPP;
2701
2702 if (!value || !size)
2703 return -EACCES;
2704
2705 rc = security_context_to_sid((void*)value, size, &newsid);
2706 if (rc)
2707 return rc;
2708
2709 isec->sid = newsid;
2710 return 0;
2711 }
2712
2713 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2714 {
2715 const int len = sizeof(XATTR_NAME_SELINUX);
2716 if (buffer && len <= buffer_size)
2717 memcpy(buffer, XATTR_NAME_SELINUX, len);
2718 return len;
2719 }
2720
2721 static int selinux_inode_need_killpriv(struct dentry *dentry)
2722 {
2723 return secondary_ops->inode_need_killpriv(dentry);
2724 }
2725
2726 static int selinux_inode_killpriv(struct dentry *dentry)
2727 {
2728 return secondary_ops->inode_killpriv(dentry);
2729 }
2730
2731 /* file security operations */
2732
2733 static int selinux_revalidate_file_permission(struct file *file, int mask)
2734 {
2735 int rc;
2736 struct inode *inode = file->f_path.dentry->d_inode;
2737
2738 if (!mask) {
2739 /* No permission to check. Existence test. */
2740 return 0;
2741 }
2742
2743 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2744 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2745 mask |= MAY_APPEND;
2746
2747 rc = file_has_perm(current, file,
2748 file_mask_to_av(inode->i_mode, mask));
2749 if (rc)
2750 return rc;
2751
2752 return selinux_netlbl_inode_permission(inode, mask);
2753 }
2754
2755 static int selinux_file_permission(struct file *file, int mask)
2756 {
2757 struct inode *inode = file->f_path.dentry->d_inode;
2758 struct task_security_struct *tsec = current->security;
2759 struct file_security_struct *fsec = file->f_security;
2760 struct inode_security_struct *isec = inode->i_security;
2761
2762 if (!mask) {
2763 /* No permission to check. Existence test. */
2764 return 0;
2765 }
2766
2767 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2768 && fsec->pseqno == avc_policy_seqno())
2769 return selinux_netlbl_inode_permission(inode, mask);
2770
2771 return selinux_revalidate_file_permission(file, mask);
2772 }
2773
2774 static int selinux_file_alloc_security(struct file *file)
2775 {
2776 return file_alloc_security(file);
2777 }
2778
2779 static void selinux_file_free_security(struct file *file)
2780 {
2781 file_free_security(file);
2782 }
2783
2784 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2785 unsigned long arg)
2786 {
2787 int error = 0;
2788
2789 switch (cmd) {
2790 case FIONREAD:
2791 /* fall through */
2792 case FIBMAP:
2793 /* fall through */
2794 case FIGETBSZ:
2795 /* fall through */
2796 case EXT2_IOC_GETFLAGS:
2797 /* fall through */
2798 case EXT2_IOC_GETVERSION:
2799 error = file_has_perm(current, file, FILE__GETATTR);
2800 break;
2801
2802 case EXT2_IOC_SETFLAGS:
2803 /* fall through */
2804 case EXT2_IOC_SETVERSION:
2805 error = file_has_perm(current, file, FILE__SETATTR);
2806 break;
2807
2808 /* sys_ioctl() checks */
2809 case FIONBIO:
2810 /* fall through */
2811 case FIOASYNC:
2812 error = file_has_perm(current, file, 0);
2813 break;
2814
2815 case KDSKBENT:
2816 case KDSKBSENT:
2817 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2818 break;
2819
2820 /* default case assumes that the command will go
2821 * to the file's ioctl() function.
2822 */
2823 default:
2824 error = file_has_perm(current, file, FILE__IOCTL);
2825
2826 }
2827 return error;
2828 }
2829
2830 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2831 {
2832 #ifndef CONFIG_PPC32
2833 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2834 /*
2835 * We are making executable an anonymous mapping or a
2836 * private file mapping that will also be writable.
2837 * This has an additional check.
2838 */
2839 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2840 if (rc)
2841 return rc;
2842 }
2843 #endif
2844
2845 if (file) {
2846 /* read access is always possible with a mapping */
2847 u32 av = FILE__READ;
2848
2849 /* write access only matters if the mapping is shared */
2850 if (shared && (prot & PROT_WRITE))
2851 av |= FILE__WRITE;
2852
2853 if (prot & PROT_EXEC)
2854 av |= FILE__EXECUTE;
2855
2856 return file_has_perm(current, file, av);
2857 }
2858 return 0;
2859 }
2860
2861 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2862 unsigned long prot, unsigned long flags,
2863 unsigned long addr, unsigned long addr_only)
2864 {
2865 int rc = 0;
2866 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2867
2868 if (addr < mmap_min_addr)
2869 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2870 MEMPROTECT__MMAP_ZERO, NULL);
2871 if (rc || addr_only)
2872 return rc;
2873
2874 if (selinux_checkreqprot)
2875 prot = reqprot;
2876
2877 return file_map_prot_check(file, prot,
2878 (flags & MAP_TYPE) == MAP_SHARED);
2879 }
2880
2881 static int selinux_file_mprotect(struct vm_area_struct *vma,
2882 unsigned long reqprot,
2883 unsigned long prot)
2884 {
2885 int rc;
2886
2887 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2888 if (rc)
2889 return rc;
2890
2891 if (selinux_checkreqprot)
2892 prot = reqprot;
2893
2894 #ifndef CONFIG_PPC32
2895 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2896 rc = 0;
2897 if (vma->vm_start >= vma->vm_mm->start_brk &&
2898 vma->vm_end <= vma->vm_mm->brk) {
2899 rc = task_has_perm(current, current,
2900 PROCESS__EXECHEAP);
2901 } else if (!vma->vm_file &&
2902 vma->vm_start <= vma->vm_mm->start_stack &&
2903 vma->vm_end >= vma->vm_mm->start_stack) {
2904 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2905 } else if (vma->vm_file && vma->anon_vma) {
2906 /*
2907 * We are making executable a file mapping that has
2908 * had some COW done. Since pages might have been
2909 * written, check ability to execute the possibly
2910 * modified content. This typically should only
2911 * occur for text relocations.
2912 */
2913 rc = file_has_perm(current, vma->vm_file,
2914 FILE__EXECMOD);
2915 }
2916 if (rc)
2917 return rc;
2918 }
2919 #endif
2920
2921 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2922 }
2923
2924 static int selinux_file_lock(struct file *file, unsigned int cmd)
2925 {
2926 return file_has_perm(current, file, FILE__LOCK);
2927 }
2928
2929 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2930 unsigned long arg)
2931 {
2932 int err = 0;
2933
2934 switch (cmd) {
2935 case F_SETFL:
2936 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2937 err = -EINVAL;
2938 break;
2939 }
2940
2941 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2942 err = file_has_perm(current, file,FILE__WRITE);
2943 break;
2944 }
2945 /* fall through */
2946 case F_SETOWN:
2947 case F_SETSIG:
2948 case F_GETFL:
2949 case F_GETOWN:
2950 case F_GETSIG:
2951 /* Just check FD__USE permission */
2952 err = file_has_perm(current, file, 0);
2953 break;
2954 case F_GETLK:
2955 case F_SETLK:
2956 case F_SETLKW:
2957 #if BITS_PER_LONG == 32
2958 case F_GETLK64:
2959 case F_SETLK64:
2960 case F_SETLKW64:
2961 #endif
2962 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2963 err = -EINVAL;
2964 break;
2965 }
2966 err = file_has_perm(current, file, FILE__LOCK);
2967 break;
2968 }
2969
2970 return err;
2971 }
2972
2973 static int selinux_file_set_fowner(struct file *file)
2974 {
2975 struct task_security_struct *tsec;
2976 struct file_security_struct *fsec;
2977
2978 tsec = current->security;
2979 fsec = file->f_security;
2980 fsec->fown_sid = tsec->sid;
2981
2982 return 0;
2983 }
2984
2985 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2986 struct fown_struct *fown, int signum)
2987 {
2988 struct file *file;
2989 u32 perm;
2990 struct task_security_struct *tsec;
2991 struct file_security_struct *fsec;
2992
2993 /* struct fown_struct is never outside the context of a struct file */
2994 file = container_of(fown, struct file, f_owner);
2995
2996 tsec = tsk->security;
2997 fsec = file->f_security;
2998
2999 if (!signum)
3000 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3001 else
3002 perm = signal_to_av(signum);
3003
3004 return avc_has_perm(fsec->fown_sid, tsec->sid,
3005 SECCLASS_PROCESS, perm, NULL);
3006 }
3007
3008 static int selinux_file_receive(struct file *file)
3009 {
3010 return file_has_perm(current, file, file_to_av(file));
3011 }
3012
3013 static int selinux_dentry_open(struct file *file)
3014 {
3015 struct file_security_struct *fsec;
3016 struct inode *inode;
3017 struct inode_security_struct *isec;
3018 inode = file->f_path.dentry->d_inode;
3019 fsec = file->f_security;
3020 isec = inode->i_security;
3021 /*
3022 * Save inode label and policy sequence number
3023 * at open-time so that selinux_file_permission
3024 * can determine whether revalidation is necessary.
3025 * Task label is already saved in the file security
3026 * struct as its SID.
3027 */
3028 fsec->isid = isec->sid;
3029 fsec->pseqno = avc_policy_seqno();
3030 /*
3031 * Since the inode label or policy seqno may have changed
3032 * between the selinux_inode_permission check and the saving
3033 * of state above, recheck that access is still permitted.
3034 * Otherwise, access might never be revalidated against the
3035 * new inode label or new policy.
3036 * This check is not redundant - do not remove.
3037 */
3038 return inode_has_perm(current, inode, file_to_av(file), NULL);
3039 }
3040
3041 /* task security operations */
3042
3043 static int selinux_task_create(unsigned long clone_flags)
3044 {
3045 int rc;
3046
3047 rc = secondary_ops->task_create(clone_flags);
3048 if (rc)
3049 return rc;
3050
3051 return task_has_perm(current, current, PROCESS__FORK);
3052 }
3053
3054 static int selinux_task_alloc_security(struct task_struct *tsk)
3055 {
3056 struct task_security_struct *tsec1, *tsec2;
3057 int rc;
3058
3059 tsec1 = current->security;
3060
3061 rc = task_alloc_security(tsk);
3062 if (rc)
3063 return rc;
3064 tsec2 = tsk->security;
3065
3066 tsec2->osid = tsec1->osid;
3067 tsec2->sid = tsec1->sid;
3068
3069 /* Retain the exec, fs, key, and sock SIDs across fork */
3070 tsec2->exec_sid = tsec1->exec_sid;
3071 tsec2->create_sid = tsec1->create_sid;
3072 tsec2->keycreate_sid = tsec1->keycreate_sid;
3073 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3074
3075 /* Retain ptracer SID across fork, if any.
3076 This will be reset by the ptrace hook upon any
3077 subsequent ptrace_attach operations. */
3078 tsec2->ptrace_sid = tsec1->ptrace_sid;
3079
3080 return 0;
3081 }
3082
3083 static void selinux_task_free_security(struct task_struct *tsk)
3084 {
3085 task_free_security(tsk);
3086 }
3087
3088 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3089 {
3090 /* Since setuid only affects the current process, and
3091 since the SELinux controls are not based on the Linux
3092 identity attributes, SELinux does not need to control
3093 this operation. However, SELinux does control the use
3094 of the CAP_SETUID and CAP_SETGID capabilities using the
3095 capable hook. */
3096 return 0;
3097 }
3098
3099 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3100 {
3101 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3102 }
3103
3104 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3105 {
3106 /* See the comment for setuid above. */
3107 return 0;
3108 }
3109
3110 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3111 {
3112 return task_has_perm(current, p, PROCESS__SETPGID);
3113 }
3114
3115 static int selinux_task_getpgid(struct task_struct *p)
3116 {
3117 return task_has_perm(current, p, PROCESS__GETPGID);
3118 }
3119
3120 static int selinux_task_getsid(struct task_struct *p)
3121 {
3122 return task_has_perm(current, p, PROCESS__GETSESSION);
3123 }
3124
3125 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3126 {
3127 selinux_get_task_sid(p, secid);
3128 }
3129
3130 static int selinux_task_setgroups(struct group_info *group_info)
3131 {
3132 /* See the comment for setuid above. */
3133 return 0;
3134 }
3135
3136 static int selinux_task_setnice(struct task_struct *p, int nice)
3137 {
3138 int rc;
3139
3140 rc = secondary_ops->task_setnice(p, nice);
3141 if (rc)
3142 return rc;
3143
3144 return task_has_perm(current,p, PROCESS__SETSCHED);
3145 }
3146
3147 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3148 {
3149 int rc;
3150
3151 rc = secondary_ops->task_setioprio(p, ioprio);
3152 if (rc)
3153 return rc;
3154
3155 return task_has_perm(current, p, PROCESS__SETSCHED);
3156 }
3157
3158 static int selinux_task_getioprio(struct task_struct *p)
3159 {
3160 return task_has_perm(current, p, PROCESS__GETSCHED);
3161 }
3162
3163 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3164 {
3165 struct rlimit *old_rlim = current->signal->rlim + resource;
3166 int rc;
3167
3168 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3169 if (rc)
3170 return rc;
3171
3172 /* Control the ability to change the hard limit (whether
3173 lowering or raising it), so that the hard limit can
3174 later be used as a safe reset point for the soft limit
3175 upon context transitions. See selinux_bprm_apply_creds. */
3176 if (old_rlim->rlim_max != new_rlim->rlim_max)
3177 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3178
3179 return 0;
3180 }
3181
3182 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3183 {
3184 int rc;
3185
3186 rc = secondary_ops->task_setscheduler(p, policy, lp);
3187 if (rc)
3188 return rc;
3189
3190 return task_has_perm(current, p, PROCESS__SETSCHED);
3191 }
3192
3193 static int selinux_task_getscheduler(struct task_struct *p)
3194 {
3195 return task_has_perm(current, p, PROCESS__GETSCHED);
3196 }
3197
3198 static int selinux_task_movememory(struct task_struct *p)
3199 {
3200 return task_has_perm(current, p, PROCESS__SETSCHED);
3201 }
3202
3203 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3204 int sig, u32 secid)
3205 {
3206 u32 perm;
3207 int rc;
3208 struct task_security_struct *tsec;
3209
3210 rc = secondary_ops->task_kill(p, info, sig, secid);
3211 if (rc)
3212 return rc;
3213
3214 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3215 return 0;
3216
3217 if (!sig)
3218 perm = PROCESS__SIGNULL; /* null signal; existence test */
3219 else
3220 perm = signal_to_av(sig);
3221 tsec = p->security;
3222 if (secid)
3223 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3224 else
3225 rc = task_has_perm(current, p, perm);
3226 return rc;
3227 }
3228
3229 static int selinux_task_prctl(int option,
3230 unsigned long arg2,
3231 unsigned long arg3,
3232 unsigned long arg4,
3233 unsigned long arg5)
3234 {
3235 /* The current prctl operations do not appear to require
3236 any SELinux controls since they merely observe or modify
3237 the state of the current process. */
3238 return 0;
3239 }
3240
3241 static int selinux_task_wait(struct task_struct *p)
3242 {
3243 return task_has_perm(p, current, PROCESS__SIGCHLD);
3244 }
3245
3246 static void selinux_task_reparent_to_init(struct task_struct *p)
3247 {
3248 struct task_security_struct *tsec;
3249
3250 secondary_ops->task_reparent_to_init(p);
3251
3252 tsec = p->security;
3253 tsec->osid = tsec->sid;
3254 tsec->sid = SECINITSID_KERNEL;
3255 return;
3256 }
3257
3258 static void selinux_task_to_inode(struct task_struct *p,
3259 struct inode *inode)
3260 {
3261 struct task_security_struct *tsec = p->security;
3262 struct inode_security_struct *isec = inode->i_security;
3263
3264 isec->sid = tsec->sid;
3265 isec->initialized = 1;
3266 return;
3267 }
3268
3269 /* Returns error only if unable to parse addresses */
3270 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3271 struct avc_audit_data *ad, u8 *proto)
3272 {
3273 int offset, ihlen, ret = -EINVAL;
3274 struct iphdr _iph, *ih;
3275
3276 offset = skb_network_offset(skb);
3277 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3278 if (ih == NULL)
3279 goto out;
3280
3281 ihlen = ih->ihl * 4;
3282 if (ihlen < sizeof(_iph))
3283 goto out;
3284
3285 ad->u.net.v4info.saddr = ih->saddr;
3286 ad->u.net.v4info.daddr = ih->daddr;
3287 ret = 0;
3288
3289 if (proto)
3290 *proto = ih->protocol;
3291
3292 switch (ih->protocol) {
3293 case IPPROTO_TCP: {
3294 struct tcphdr _tcph, *th;
3295
3296 if (ntohs(ih->frag_off) & IP_OFFSET)
3297 break;
3298
3299 offset += ihlen;
3300 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3301 if (th == NULL)
3302 break;
3303
3304 ad->u.net.sport = th->source;
3305 ad->u.net.dport = th->dest;
3306 break;
3307 }
3308
3309 case IPPROTO_UDP: {
3310 struct udphdr _udph, *uh;
3311
3312 if (ntohs(ih->frag_off) & IP_OFFSET)
3313 break;
3314
3315 offset += ihlen;
3316 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3317 if (uh == NULL)
3318 break;
3319
3320 ad->u.net.sport = uh->source;
3321 ad->u.net.dport = uh->dest;
3322 break;
3323 }
3324
3325 case IPPROTO_DCCP: {
3326 struct dccp_hdr _dccph, *dh;
3327
3328 if (ntohs(ih->frag_off) & IP_OFFSET)
3329 break;
3330
3331 offset += ihlen;
3332 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3333 if (dh == NULL)
3334 break;
3335
3336 ad->u.net.sport = dh->dccph_sport;
3337 ad->u.net.dport = dh->dccph_dport;
3338 break;
3339 }
3340
3341 default:
3342 break;
3343 }
3344 out:
3345 return ret;
3346 }
3347
3348 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3349
3350 /* Returns error only if unable to parse addresses */
3351 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3352 struct avc_audit_data *ad, u8 *proto)
3353 {
3354 u8 nexthdr;
3355 int ret = -EINVAL, offset;
3356 struct ipv6hdr _ipv6h, *ip6;
3357
3358 offset = skb_network_offset(skb);
3359 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3360 if (ip6 == NULL)
3361 goto out;
3362
3363 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3364 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3365 ret = 0;
3366
3367 nexthdr = ip6->nexthdr;
3368 offset += sizeof(_ipv6h);
3369 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3370 if (offset < 0)
3371 goto out;
3372
3373 if (proto)
3374 *proto = nexthdr;
3375
3376 switch (nexthdr) {
3377 case IPPROTO_TCP: {
3378 struct tcphdr _tcph, *th;
3379
3380 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3381 if (th == NULL)
3382 break;
3383
3384 ad->u.net.sport = th->source;
3385 ad->u.net.dport = th->dest;
3386 break;
3387 }
3388
3389 case IPPROTO_UDP: {
3390 struct udphdr _udph, *uh;
3391
3392 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3393 if (uh == NULL)
3394 break;
3395
3396 ad->u.net.sport = uh->source;
3397 ad->u.net.dport = uh->dest;
3398 break;
3399 }
3400
3401 case IPPROTO_DCCP: {
3402 struct dccp_hdr _dccph, *dh;
3403
3404 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3405 if (dh == NULL)
3406 break;
3407
3408 ad->u.net.sport = dh->dccph_sport;
3409 ad->u.net.dport = dh->dccph_dport;
3410 break;
3411 }
3412
3413 /* includes fragments */
3414 default:
3415 break;
3416 }
3417 out:
3418 return ret;
3419 }
3420
3421 #endif /* IPV6 */
3422
3423 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3424 char **addrp, int src, u8 *proto)
3425 {
3426 int ret = 0;
3427
3428 switch (ad->u.net.family) {
3429 case PF_INET:
3430 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3431 if (ret || !addrp)
3432 break;
3433 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3434 &ad->u.net.v4info.daddr);
3435 break;
3436
3437 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3438 case PF_INET6:
3439 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3440 if (ret || !addrp)
3441 break;
3442 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3443 &ad->u.net.v6info.daddr);
3444 break;
3445 #endif /* IPV6 */
3446 default:
3447 break;
3448 }
3449
3450 if (unlikely(ret))
3451 printk(KERN_WARNING
3452 "SELinux: failure in selinux_parse_skb(),"
3453 " unable to parse packet\n");
3454
3455 return ret;
3456 }
3457
3458 /**
3459 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3460 * @skb: the packet
3461 * @family: protocol family
3462 * @sid: the packet's peer label SID
3463 *
3464 * Description:
3465 * Check the various different forms of network peer labeling and determine
3466 * the peer label/SID for the packet; most of the magic actually occurs in
3467 * the security server function security_net_peersid_cmp(). The function
3468 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3469 * or -EACCES if @sid is invalid due to inconsistencies with the different
3470 * peer labels.
3471 *
3472 */
3473 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3474 {
3475 int err;
3476 u32 xfrm_sid;
3477 u32 nlbl_sid;
3478 u32 nlbl_type;
3479
3480 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3481 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3482
3483 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3484 if (unlikely(err)) {
3485 printk(KERN_WARNING
3486 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3487 " unable to determine packet's peer label\n");
3488 return -EACCES;
3489 }
3490
3491 return 0;
3492 }
3493
3494 /* socket security operations */
3495 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3496 u32 perms)
3497 {
3498 struct inode_security_struct *isec;
3499 struct task_security_struct *tsec;
3500 struct avc_audit_data ad;
3501 int err = 0;
3502
3503 tsec = task->security;
3504 isec = SOCK_INODE(sock)->i_security;
3505
3506 if (isec->sid == SECINITSID_KERNEL)
3507 goto out;
3508
3509 AVC_AUDIT_DATA_INIT(&ad,NET);
3510 ad.u.net.sk = sock->sk;
3511 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3512
3513 out:
3514 return err;
3515 }
3516
3517 static int selinux_socket_create(int family, int type,
3518 int protocol, int kern)
3519 {
3520 int err = 0;
3521 struct task_security_struct *tsec;
3522 u32 newsid;
3523
3524 if (kern)
3525 goto out;
3526
3527 tsec = current->security;
3528 newsid = tsec->sockcreate_sid ? : tsec->sid;
3529 err = avc_has_perm(tsec->sid, newsid,
3530 socket_type_to_security_class(family, type,
3531 protocol), SOCKET__CREATE, NULL);
3532
3533 out:
3534 return err;
3535 }
3536
3537 static int selinux_socket_post_create(struct socket *sock, int family,
3538 int type, int protocol, int kern)
3539 {
3540 int err = 0;
3541 struct inode_security_struct *isec;
3542 struct task_security_struct *tsec;
3543 struct sk_security_struct *sksec;
3544 u32 newsid;
3545
3546 isec = SOCK_INODE(sock)->i_security;
3547
3548 tsec = current->security;
3549 newsid = tsec->sockcreate_sid ? : tsec->sid;
3550 isec->sclass = socket_type_to_security_class(family, type, protocol);
3551 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3552 isec->initialized = 1;
3553
3554 if (sock->sk) {
3555 sksec = sock->sk->sk_security;
3556 sksec->sid = isec->sid;
3557 sksec->sclass = isec->sclass;
3558 err = selinux_netlbl_socket_post_create(sock);
3559 }
3560
3561 return err;
3562 }
3563
3564 /* Range of port numbers used to automatically bind.
3565 Need to determine whether we should perform a name_bind
3566 permission check between the socket and the port number. */
3567
3568 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3569 {
3570 u16 family;
3571 int err;
3572
3573 err = socket_has_perm(current, sock, SOCKET__BIND);
3574 if (err)
3575 goto out;
3576
3577 /*
3578 * If PF_INET or PF_INET6, check name_bind permission for the port.
3579 * Multiple address binding for SCTP is not supported yet: we just
3580 * check the first address now.
3581 */
3582 family = sock->sk->sk_family;
3583 if (family == PF_INET || family == PF_INET6) {
3584 char *addrp;
3585 struct inode_security_struct *isec;
3586 struct task_security_struct *tsec;
3587 struct avc_audit_data ad;
3588 struct sockaddr_in *addr4 = NULL;
3589 struct sockaddr_in6 *addr6 = NULL;
3590 unsigned short snum;
3591 struct sock *sk = sock->sk;
3592 u32 sid, node_perm, addrlen;
3593
3594 tsec = current->security;
3595 isec = SOCK_INODE(sock)->i_security;
3596
3597 if (family == PF_INET) {
3598 addr4 = (struct sockaddr_in *)address;
3599 snum = ntohs(addr4->sin_port);
3600 addrlen = sizeof(addr4->sin_addr.s_addr);
3601 addrp = (char *)&addr4->sin_addr.s_addr;
3602 } else {
3603 addr6 = (struct sockaddr_in6 *)address;
3604 snum = ntohs(addr6->sin6_port);
3605 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3606 addrp = (char *)&addr6->sin6_addr.s6_addr;
3607 }
3608
3609 if (snum) {
3610 int low, high;
3611
3612 inet_get_local_port_range(&low, &high);
3613
3614 if (snum < max(PROT_SOCK, low) || snum > high) {
3615 err = security_port_sid(sk->sk_family,
3616 sk->sk_type,
3617 sk->sk_protocol, snum,
3618 &sid);
3619 if (err)
3620 goto out;
3621 AVC_AUDIT_DATA_INIT(&ad,NET);
3622 ad.u.net.sport = htons(snum);
3623 ad.u.net.family = family;
3624 err = avc_has_perm(isec->sid, sid,
3625 isec->sclass,
3626 SOCKET__NAME_BIND, &ad);
3627 if (err)
3628 goto out;
3629 }
3630 }
3631
3632 switch(isec->sclass) {
3633 case SECCLASS_TCP_SOCKET:
3634 node_perm = TCP_SOCKET__NODE_BIND;
3635 break;
3636
3637 case SECCLASS_UDP_SOCKET:
3638 node_perm = UDP_SOCKET__NODE_BIND;
3639 break;
3640
3641 case SECCLASS_DCCP_SOCKET:
3642 node_perm = DCCP_SOCKET__NODE_BIND;
3643 break;
3644
3645 default:
3646 node_perm = RAWIP_SOCKET__NODE_BIND;
3647 break;
3648 }
3649
3650 err = sel_netnode_sid(addrp, family, &sid);
3651 if (err)
3652 goto out;
3653
3654 AVC_AUDIT_DATA_INIT(&ad,NET);
3655 ad.u.net.sport = htons(snum);
3656 ad.u.net.family = family;
3657
3658 if (family == PF_INET)
3659 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3660 else
3661 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3662
3663 err = avc_has_perm(isec->sid, sid,
3664 isec->sclass, node_perm, &ad);
3665 if (err)
3666 goto out;
3667 }
3668 out:
3669 return err;
3670 }
3671
3672 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3673 {
3674 struct inode_security_struct *isec;
3675 int err;
3676
3677 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3678 if (err)
3679 return err;
3680
3681 /*
3682 * If a TCP or DCCP socket, check name_connect permission for the port.
3683 */
3684 isec = SOCK_INODE(sock)->i_security;
3685 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3686 isec->sclass == SECCLASS_DCCP_SOCKET) {
3687 struct sock *sk = sock->sk;
3688 struct avc_audit_data ad;
3689 struct sockaddr_in *addr4 = NULL;
3690 struct sockaddr_in6 *addr6 = NULL;
3691 unsigned short snum;
3692 u32 sid, perm;
3693
3694 if (sk->sk_family == PF_INET) {
3695 addr4 = (struct sockaddr_in *)address;
3696 if (addrlen < sizeof(struct sockaddr_in))
3697 return -EINVAL;
3698 snum = ntohs(addr4->sin_port);
3699 } else {
3700 addr6 = (struct sockaddr_in6 *)address;
3701 if (addrlen < SIN6_LEN_RFC2133)
3702 return -EINVAL;
3703 snum = ntohs(addr6->sin6_port);
3704 }
3705
3706 err = security_port_sid(sk->sk_family, sk->sk_type,
3707 sk->sk_protocol, snum, &sid);
3708 if (err)
3709 goto out;
3710
3711 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3712 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3713
3714 AVC_AUDIT_DATA_INIT(&ad,NET);
3715 ad.u.net.dport = htons(snum);
3716 ad.u.net.family = sk->sk_family;
3717 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3718 if (err)
3719 goto out;
3720 }
3721
3722 out:
3723 return err;
3724 }
3725
3726 static int selinux_socket_listen(struct socket *sock, int backlog)
3727 {
3728 return socket_has_perm(current, sock, SOCKET__LISTEN);
3729 }
3730
3731 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3732 {
3733 int err;
3734 struct inode_security_struct *isec;
3735 struct inode_security_struct *newisec;
3736
3737 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3738 if (err)
3739 return err;
3740
3741 newisec = SOCK_INODE(newsock)->i_security;
3742
3743 isec = SOCK_INODE(sock)->i_security;
3744 newisec->sclass = isec->sclass;
3745 newisec->sid = isec->sid;
3746 newisec->initialized = 1;
3747
3748 return 0;
3749 }
3750
3751 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3752 int size)
3753 {
3754 int rc;
3755
3756 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3757 if (rc)
3758 return rc;
3759
3760 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3761 }
3762
3763 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3764 int size, int flags)
3765 {
3766 return socket_has_perm(current, sock, SOCKET__READ);
3767 }
3768
3769 static int selinux_socket_getsockname(struct socket *sock)
3770 {
3771 return socket_has_perm(current, sock, SOCKET__GETATTR);
3772 }
3773
3774 static int selinux_socket_getpeername(struct socket *sock)
3775 {
3776 return socket_has_perm(current, sock, SOCKET__GETATTR);
3777 }
3778
3779 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3780 {
3781 int err;
3782
3783 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3784 if (err)
3785 return err;
3786
3787 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3788 }
3789
3790 static int selinux_socket_getsockopt(struct socket *sock, int level,
3791 int optname)
3792 {
3793 return socket_has_perm(current, sock, SOCKET__GETOPT);
3794 }
3795
3796 static int selinux_socket_shutdown(struct socket *sock, int how)
3797 {
3798 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3799 }
3800
3801 static int selinux_socket_unix_stream_connect(struct socket *sock,
3802 struct socket *other,
3803 struct sock *newsk)
3804 {
3805 struct sk_security_struct *ssec;
3806 struct inode_security_struct *isec;
3807 struct inode_security_struct *other_isec;
3808 struct avc_audit_data ad;
3809 int err;
3810
3811 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3812 if (err)
3813 return err;
3814
3815 isec = SOCK_INODE(sock)->i_security;
3816 other_isec = SOCK_INODE(other)->i_security;
3817
3818 AVC_AUDIT_DATA_INIT(&ad,NET);
3819 ad.u.net.sk = other->sk;
3820
3821 err = avc_has_perm(isec->sid, other_isec->sid,
3822 isec->sclass,
3823 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3824 if (err)
3825 return err;
3826
3827 /* connecting socket */
3828 ssec = sock->sk->sk_security;
3829 ssec->peer_sid = other_isec->sid;
3830
3831 /* server child socket */
3832 ssec = newsk->sk_security;
3833 ssec->peer_sid = isec->sid;
3834 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3835
3836 return err;
3837 }
3838
3839 static int selinux_socket_unix_may_send(struct socket *sock,
3840 struct socket *other)
3841 {
3842 struct inode_security_struct *isec;
3843 struct inode_security_struct *other_isec;
3844 struct avc_audit_data ad;
3845 int err;
3846
3847 isec = SOCK_INODE(sock)->i_security;
3848 other_isec = SOCK_INODE(other)->i_security;
3849
3850 AVC_AUDIT_DATA_INIT(&ad,NET);
3851 ad.u.net.sk = other->sk;
3852
3853 err = avc_has_perm(isec->sid, other_isec->sid,
3854 isec->sclass, SOCKET__SENDTO, &ad);
3855 if (err)
3856 return err;
3857
3858 return 0;
3859 }
3860
3861 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3862 u32 peer_sid,
3863 struct avc_audit_data *ad)
3864 {
3865 int err;
3866 u32 if_sid;
3867 u32 node_sid;
3868
3869 err = sel_netif_sid(ifindex, &if_sid);
3870 if (err)
3871 return err;
3872 err = avc_has_perm(peer_sid, if_sid,
3873 SECCLASS_NETIF, NETIF__INGRESS, ad);
3874 if (err)
3875 return err;
3876
3877 err = sel_netnode_sid(addrp, family, &node_sid);
3878 if (err)
3879 return err;
3880 return avc_has_perm(peer_sid, node_sid,
3881 SECCLASS_NODE, NODE__RECVFROM, ad);
3882 }
3883
3884 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3885 struct sk_buff *skb,
3886 struct avc_audit_data *ad,
3887 u16 family,
3888 char *addrp)
3889 {
3890 int err;
3891 struct sk_security_struct *sksec = sk->sk_security;
3892 u16 sk_class;
3893 u32 netif_perm, node_perm, recv_perm;
3894 u32 port_sid, node_sid, if_sid, sk_sid;
3895
3896 sk_sid = sksec->sid;
3897 sk_class = sksec->sclass;
3898
3899 switch (sk_class) {
3900 case SECCLASS_UDP_SOCKET:
3901 netif_perm = NETIF__UDP_RECV;
3902 node_perm = NODE__UDP_RECV;
3903 recv_perm = UDP_SOCKET__RECV_MSG;
3904 break;
3905 case SECCLASS_TCP_SOCKET:
3906 netif_perm = NETIF__TCP_RECV;
3907 node_perm = NODE__TCP_RECV;
3908 recv_perm = TCP_SOCKET__RECV_MSG;
3909 break;
3910 case SECCLASS_DCCP_SOCKET:
3911 netif_perm = NETIF__DCCP_RECV;
3912 node_perm = NODE__DCCP_RECV;
3913 recv_perm = DCCP_SOCKET__RECV_MSG;
3914 break;
3915 default:
3916 netif_perm = NETIF__RAWIP_RECV;
3917 node_perm = NODE__RAWIP_RECV;
3918 recv_perm = 0;
3919 break;
3920 }
3921
3922 err = sel_netif_sid(skb->iif, &if_sid);
3923 if (err)
3924 return err;
3925 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3926 if (err)
3927 return err;
3928
3929 err = sel_netnode_sid(addrp, family, &node_sid);
3930 if (err)
3931 return err;
3932 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3933 if (err)
3934 return err;
3935
3936 if (!recv_perm)
3937 return 0;
3938 err = security_port_sid(sk->sk_family, sk->sk_type,
3939 sk->sk_protocol, ntohs(ad->u.net.sport),
3940 &port_sid);
3941 if (unlikely(err)) {
3942 printk(KERN_WARNING
3943 "SELinux: failure in"
3944 " selinux_sock_rcv_skb_iptables_compat(),"
3945 " network port label not found\n");
3946 return err;
3947 }
3948 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3949 }
3950
3951 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3952 struct avc_audit_data *ad,
3953 u16 family, char *addrp)
3954 {
3955 int err;
3956 struct sk_security_struct *sksec = sk->sk_security;
3957 u32 peer_sid;
3958 u32 sk_sid = sksec->sid;
3959
3960 if (selinux_compat_net)
3961 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3962 family, addrp);
3963 else
3964 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3965 PACKET__RECV, ad);
3966 if (err)
3967 return err;
3968
3969 if (selinux_policycap_netpeer) {
3970 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3971 if (err)
3972 return err;
3973 err = avc_has_perm(sk_sid, peer_sid,
3974 SECCLASS_PEER, PEER__RECV, ad);
3975 } else {
3976 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3977 if (err)
3978 return err;
3979 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3980 }
3981
3982 return err;
3983 }
3984
3985 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3986 {
3987 int err;
3988 struct sk_security_struct *sksec = sk->sk_security;
3989 u16 family = sk->sk_family;
3990 u32 sk_sid = sksec->sid;
3991 struct avc_audit_data ad;
3992 char *addrp;
3993
3994 if (family != PF_INET && family != PF_INET6)
3995 return 0;
3996
3997 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3998 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3999 family = PF_INET;
4000
4001 AVC_AUDIT_DATA_INIT(&ad, NET);
4002 ad.u.net.netif = skb->iif;
4003 ad.u.net.family = family;
4004 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4005 if (err)
4006 return err;
4007
4008 /* If any sort of compatibility mode is enabled then handoff processing
4009 * to the selinux_sock_rcv_skb_compat() function to deal with the
4010 * special handling. We do this in an attempt to keep this function
4011 * as fast and as clean as possible. */
4012 if (selinux_compat_net || !selinux_policycap_netpeer)
4013 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4014 family, addrp);
4015
4016 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4017 u32 peer_sid;
4018
4019 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4020 if (err)
4021 return err;
4022 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4023 peer_sid, &ad);
4024 if (err)
4025 return err;
4026 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4027 PEER__RECV, &ad);
4028 }
4029
4030 if (selinux_secmark_enabled()) {
4031 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4032 PACKET__RECV, &ad);
4033 if (err)
4034 return err;
4035 }
4036
4037 return err;
4038 }
4039
4040 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4041 int __user *optlen, unsigned len)
4042 {
4043 int err = 0;
4044 char *scontext;
4045 u32 scontext_len;
4046 struct sk_security_struct *ssec;
4047 struct inode_security_struct *isec;
4048 u32 peer_sid = SECSID_NULL;
4049
4050 isec = SOCK_INODE(sock)->i_security;
4051
4052 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4053 isec->sclass == SECCLASS_TCP_SOCKET) {
4054 ssec = sock->sk->sk_security;
4055 peer_sid = ssec->peer_sid;
4056 }
4057 if (peer_sid == SECSID_NULL) {
4058 err = -ENOPROTOOPT;
4059 goto out;
4060 }
4061
4062 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4063
4064 if (err)
4065 goto out;
4066
4067 if (scontext_len > len) {
4068 err = -ERANGE;
4069 goto out_len;
4070 }
4071
4072 if (copy_to_user(optval, scontext, scontext_len))
4073 err = -EFAULT;
4074
4075 out_len:
4076 if (put_user(scontext_len, optlen))
4077 err = -EFAULT;
4078
4079 kfree(scontext);
4080 out:
4081 return err;
4082 }
4083
4084 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4085 {
4086 u32 peer_secid = SECSID_NULL;
4087 u16 family;
4088
4089 if (sock)
4090 family = sock->sk->sk_family;
4091 else if (skb && skb->sk)
4092 family = skb->sk->sk_family;
4093 else
4094 goto out;
4095
4096 if (sock && family == PF_UNIX)
4097 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4098 else if (skb)
4099 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4100
4101 out:
4102 *secid = peer_secid;
4103 if (peer_secid == SECSID_NULL)
4104 return -EINVAL;
4105 return 0;
4106 }
4107
4108 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4109 {
4110 return sk_alloc_security(sk, family, priority);
4111 }
4112
4113 static void selinux_sk_free_security(struct sock *sk)
4114 {
4115 sk_free_security(sk);
4116 }
4117
4118 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4119 {
4120 struct sk_security_struct *ssec = sk->sk_security;
4121 struct sk_security_struct *newssec = newsk->sk_security;
4122
4123 newssec->sid = ssec->sid;
4124 newssec->peer_sid = ssec->peer_sid;
4125 newssec->sclass = ssec->sclass;
4126
4127 selinux_netlbl_sk_security_clone(ssec, newssec);
4128 }
4129
4130 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4131 {
4132 if (!sk)
4133 *secid = SECINITSID_ANY_SOCKET;
4134 else {
4135 struct sk_security_struct *sksec = sk->sk_security;
4136
4137 *secid = sksec->sid;
4138 }
4139 }
4140
4141 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4142 {
4143 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4144 struct sk_security_struct *sksec = sk->sk_security;
4145
4146 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4147 sk->sk_family == PF_UNIX)
4148 isec->sid = sksec->sid;
4149 sksec->sclass = isec->sclass;
4150
4151 selinux_netlbl_sock_graft(sk, parent);
4152 }
4153
4154 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4155 struct request_sock *req)
4156 {
4157 struct sk_security_struct *sksec = sk->sk_security;
4158 int err;
4159 u32 newsid;
4160 u32 peersid;
4161
4162 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4163 if (err)
4164 return err;
4165 if (peersid == SECSID_NULL) {
4166 req->secid = sksec->sid;
4167 req->peer_secid = SECSID_NULL;
4168 return 0;
4169 }
4170
4171 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4172 if (err)
4173 return err;
4174
4175 req->secid = newsid;
4176 req->peer_secid = peersid;
4177 return 0;
4178 }
4179
4180 static void selinux_inet_csk_clone(struct sock *newsk,
4181 const struct request_sock *req)
4182 {
4183 struct sk_security_struct *newsksec = newsk->sk_security;
4184
4185 newsksec->sid = req->secid;
4186 newsksec->peer_sid = req->peer_secid;
4187 /* NOTE: Ideally, we should also get the isec->sid for the
4188 new socket in sync, but we don't have the isec available yet.
4189 So we will wait until sock_graft to do it, by which
4190 time it will have been created and available. */
4191
4192 /* We don't need to take any sort of lock here as we are the only
4193 * thread with access to newsksec */
4194 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4195 }
4196
4197 static void selinux_inet_conn_established(struct sock *sk,
4198 struct sk_buff *skb)
4199 {
4200 struct sk_security_struct *sksec = sk->sk_security;
4201
4202 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4203 }
4204
4205 static void selinux_req_classify_flow(const struct request_sock *req,
4206 struct flowi *fl)
4207 {
4208 fl->secid = req->secid;
4209 }
4210
4211 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4212 {
4213 int err = 0;
4214 u32 perm;
4215 struct nlmsghdr *nlh;
4216 struct socket *sock = sk->sk_socket;
4217 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4218
4219 if (skb->len < NLMSG_SPACE(0)) {
4220 err = -EINVAL;
4221 goto out;
4222 }
4223 nlh = nlmsg_hdr(skb);
4224
4225 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4226 if (err) {
4227 if (err == -EINVAL) {
4228 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4229 "SELinux: unrecognized netlink message"
4230 " type=%hu for sclass=%hu\n",
4231 nlh->nlmsg_type, isec->sclass);
4232 if (!selinux_enforcing)
4233 err = 0;
4234 }
4235
4236 /* Ignore */
4237 if (err == -ENOENT)
4238 err = 0;
4239 goto out;
4240 }
4241
4242 err = socket_has_perm(current, sock, perm);
4243 out:
4244 return err;
4245 }
4246
4247 #ifdef CONFIG_NETFILTER
4248
4249 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4250 u16 family)
4251 {
4252 char *addrp;
4253 u32 peer_sid;
4254 struct avc_audit_data ad;
4255 u8 secmark_active;
4256 u8 peerlbl_active;
4257
4258 if (!selinux_policycap_netpeer)
4259 return NF_ACCEPT;
4260
4261 secmark_active = selinux_secmark_enabled();
4262 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4263 if (!secmark_active && !peerlbl_active)
4264 return NF_ACCEPT;
4265
4266 AVC_AUDIT_DATA_INIT(&ad, NET);
4267 ad.u.net.netif = ifindex;
4268 ad.u.net.family = family;
4269 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4270 return NF_DROP;
4271
4272 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4273 return NF_DROP;
4274
4275 if (peerlbl_active)
4276 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4277 peer_sid, &ad) != 0)
4278 return NF_DROP;
4279
4280 if (secmark_active)
4281 if (avc_has_perm(peer_sid, skb->secmark,
4282 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4283 return NF_DROP;
4284
4285 return NF_ACCEPT;
4286 }
4287
4288 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4289 struct sk_buff *skb,
4290 const struct net_device *in,
4291 const struct net_device *out,
4292 int (*okfn)(struct sk_buff *))
4293 {
4294 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4295 }
4296
4297 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4298 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4299 struct sk_buff *skb,
4300 const struct net_device *in,
4301 const struct net_device *out,
4302 int (*okfn)(struct sk_buff *))
4303 {
4304 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4305 }
4306 #endif /* IPV6 */
4307
4308 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4309 int ifindex,
4310 struct avc_audit_data *ad,
4311 u16 family, char *addrp)
4312 {
4313 int err;
4314 struct sk_security_struct *sksec = sk->sk_security;
4315 u16 sk_class;
4316 u32 netif_perm, node_perm, send_perm;
4317 u32 port_sid, node_sid, if_sid, sk_sid;
4318
4319 sk_sid = sksec->sid;
4320 sk_class = sksec->sclass;
4321
4322 switch (sk_class) {
4323 case SECCLASS_UDP_SOCKET:
4324 netif_perm = NETIF__UDP_SEND;
4325 node_perm = NODE__UDP_SEND;
4326 send_perm = UDP_SOCKET__SEND_MSG;
4327 break;
4328 case SECCLASS_TCP_SOCKET:
4329 netif_perm = NETIF__TCP_SEND;
4330 node_perm = NODE__TCP_SEND;
4331 send_perm = TCP_SOCKET__SEND_MSG;
4332 break;
4333 case SECCLASS_DCCP_SOCKET:
4334 netif_perm = NETIF__DCCP_SEND;
4335 node_perm = NODE__DCCP_SEND;
4336 send_perm = DCCP_SOCKET__SEND_MSG;
4337 break;
4338 default:
4339 netif_perm = NETIF__RAWIP_SEND;
4340 node_perm = NODE__RAWIP_SEND;
4341 send_perm = 0;
4342 break;
4343 }
4344
4345 err = sel_netif_sid(ifindex, &if_sid);
4346 if (err)
4347 return err;
4348 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4349 return err;
4350
4351 err = sel_netnode_sid(addrp, family, &node_sid);
4352 if (err)
4353 return err;
4354 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4355 if (err)
4356 return err;
4357
4358 if (send_perm != 0)
4359 return 0;
4360
4361 err = security_port_sid(sk->sk_family, sk->sk_type,
4362 sk->sk_protocol, ntohs(ad->u.net.dport),
4363 &port_sid);
4364 if (unlikely(err)) {
4365 printk(KERN_WARNING
4366 "SELinux: failure in"
4367 " selinux_ip_postroute_iptables_compat(),"
4368 " network port label not found\n");
4369 return err;
4370 }
4371 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4372 }
4373
4374 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4375 int ifindex,
4376 struct avc_audit_data *ad,
4377 u16 family,
4378 char *addrp,
4379 u8 proto)
4380 {
4381 struct sock *sk = skb->sk;
4382 struct sk_security_struct *sksec;
4383
4384 if (sk == NULL)
4385 return NF_ACCEPT;
4386 sksec = sk->sk_security;
4387
4388 if (selinux_compat_net) {
4389 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4390 ad, family, addrp))
4391 return NF_DROP;
4392 } else {
4393 if (avc_has_perm(sksec->sid, skb->secmark,
4394 SECCLASS_PACKET, PACKET__SEND, ad))
4395 return NF_DROP;
4396 }
4397
4398 if (selinux_policycap_netpeer)
4399 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4400 return NF_DROP;
4401
4402 return NF_ACCEPT;
4403 }
4404
4405 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4406 u16 family)
4407 {
4408 u32 secmark_perm;
4409 u32 peer_sid;
4410 struct sock *sk;
4411 struct avc_audit_data ad;
4412 char *addrp;
4413 u8 proto;
4414 u8 secmark_active;
4415 u8 peerlbl_active;
4416
4417 AVC_AUDIT_DATA_INIT(&ad, NET);
4418 ad.u.net.netif = ifindex;
4419 ad.u.net.family = family;
4420 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4421 return NF_DROP;
4422
4423 /* If any sort of compatibility mode is enabled then handoff processing
4424 * to the selinux_ip_postroute_compat() function to deal with the
4425 * special handling. We do this in an attempt to keep this function
4426 * as fast and as clean as possible. */
4427 if (selinux_compat_net || !selinux_policycap_netpeer)
4428 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4429 family, addrp, proto);
4430
4431 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4432 * packet transformation so allow the packet to pass without any checks
4433 * since we'll have another chance to perform access control checks
4434 * when the packet is on it's final way out.
4435 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4436 * is NULL, in this case go ahead and apply access control. */
4437 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4438 return NF_ACCEPT;
4439
4440 secmark_active = selinux_secmark_enabled();
4441 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4442 if (!secmark_active && !peerlbl_active)
4443 return NF_ACCEPT;
4444
4445 /* if the packet is locally generated (skb->sk != NULL) then use the
4446 * socket's label as the peer label, otherwise the packet is being
4447 * forwarded through this system and we need to fetch the peer label
4448 * directly from the packet */
4449 sk = skb->sk;
4450 if (sk) {
4451 struct sk_security_struct *sksec = sk->sk_security;
4452 peer_sid = sksec->sid;
4453 secmark_perm = PACKET__SEND;
4454 } else {
4455 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4456 return NF_DROP;
4457 secmark_perm = PACKET__FORWARD_OUT;
4458 }
4459
4460 if (secmark_active)
4461 if (avc_has_perm(peer_sid, skb->secmark,
4462 SECCLASS_PACKET, secmark_perm, &ad))
4463 return NF_DROP;
4464
4465 if (peerlbl_active) {
4466 u32 if_sid;
4467 u32 node_sid;
4468
4469 if (sel_netif_sid(ifindex, &if_sid))
4470 return NF_DROP;
4471 if (avc_has_perm(peer_sid, if_sid,
4472 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4473 return NF_DROP;
4474
4475 if (sel_netnode_sid(addrp, family, &node_sid))
4476 return NF_DROP;
4477 if (avc_has_perm(peer_sid, node_sid,
4478 SECCLASS_NODE, NODE__SENDTO, &ad))
4479 return NF_DROP;
4480 }
4481
4482 return NF_ACCEPT;
4483 }
4484
4485 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4486 struct sk_buff *skb,
4487 const struct net_device *in,
4488 const struct net_device *out,
4489 int (*okfn)(struct sk_buff *))
4490 {
4491 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4492 }
4493
4494 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4495 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4496 struct sk_buff *skb,
4497 const struct net_device *in,
4498 const struct net_device *out,
4499 int (*okfn)(struct sk_buff *))
4500 {
4501 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4502 }
4503 #endif /* IPV6 */
4504
4505 #endif /* CONFIG_NETFILTER */
4506
4507 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4508 {
4509 int err;
4510
4511 err = secondary_ops->netlink_send(sk, skb);
4512 if (err)
4513 return err;
4514
4515 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4516 err = selinux_nlmsg_perm(sk, skb);
4517
4518 return err;
4519 }
4520
4521 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4522 {
4523 int err;
4524 struct avc_audit_data ad;
4525
4526 err = secondary_ops->netlink_recv(skb, capability);
4527 if (err)
4528 return err;
4529
4530 AVC_AUDIT_DATA_INIT(&ad, CAP);
4531 ad.u.cap = capability;
4532
4533 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4534 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4535 }
4536
4537 static int ipc_alloc_security(struct task_struct *task,
4538 struct kern_ipc_perm *perm,
4539 u16 sclass)
4540 {
4541 struct task_security_struct *tsec = task->security;
4542 struct ipc_security_struct *isec;
4543
4544 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4545 if (!isec)
4546 return -ENOMEM;
4547
4548 isec->sclass = sclass;
4549 isec->ipc_perm = perm;
4550 isec->sid = tsec->sid;
4551 perm->security = isec;
4552
4553 return 0;
4554 }
4555
4556 static void ipc_free_security(struct kern_ipc_perm *perm)
4557 {
4558 struct ipc_security_struct *isec = perm->security;
4559 perm->security = NULL;
4560 kfree(isec);
4561 }
4562
4563 static int msg_msg_alloc_security(struct msg_msg *msg)
4564 {
4565 struct msg_security_struct *msec;
4566
4567 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4568 if (!msec)
4569 return -ENOMEM;
4570
4571 msec->msg = msg;
4572 msec->sid = SECINITSID_UNLABELED;
4573 msg->security = msec;
4574
4575 return 0;
4576 }
4577
4578 static void msg_msg_free_security(struct msg_msg *msg)
4579 {
4580 struct msg_security_struct *msec = msg->security;
4581
4582 msg->security = NULL;
4583 kfree(msec);
4584 }
4585
4586 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4587 u32 perms)
4588 {
4589 struct task_security_struct *tsec;
4590 struct ipc_security_struct *isec;
4591 struct avc_audit_data ad;
4592
4593 tsec = current->security;
4594 isec = ipc_perms->security;
4595
4596 AVC_AUDIT_DATA_INIT(&ad, IPC);
4597 ad.u.ipc_id = ipc_perms->key;
4598
4599 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4600 }
4601
4602 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4603 {
4604 return msg_msg_alloc_security(msg);
4605 }
4606
4607 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4608 {
4609 msg_msg_free_security(msg);
4610 }
4611
4612 /* message queue security operations */
4613 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4614 {
4615 struct task_security_struct *tsec;
4616 struct ipc_security_struct *isec;
4617 struct avc_audit_data ad;
4618 int rc;
4619
4620 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4621 if (rc)
4622 return rc;
4623
4624 tsec = current->security;
4625 isec = msq->q_perm.security;
4626
4627 AVC_AUDIT_DATA_INIT(&ad, IPC);
4628 ad.u.ipc_id = msq->q_perm.key;
4629
4630 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4631 MSGQ__CREATE, &ad);
4632 if (rc) {
4633 ipc_free_security(&msq->q_perm);
4634 return rc;
4635 }
4636 return 0;
4637 }
4638
4639 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4640 {
4641 ipc_free_security(&msq->q_perm);
4642 }
4643
4644 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4645 {
4646 struct task_security_struct *tsec;
4647 struct ipc_security_struct *isec;
4648 struct avc_audit_data ad;
4649
4650 tsec = current->security;
4651 isec = msq->q_perm.security;
4652
4653 AVC_AUDIT_DATA_INIT(&ad, IPC);
4654 ad.u.ipc_id = msq->q_perm.key;
4655
4656 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4657 MSGQ__ASSOCIATE, &ad);
4658 }
4659
4660 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4661 {
4662 int err;
4663 int perms;
4664
4665 switch(cmd) {
4666 case IPC_INFO:
4667 case MSG_INFO:
4668 /* No specific object, just general system-wide information. */
4669 return task_has_system(current, SYSTEM__IPC_INFO);
4670 case IPC_STAT:
4671 case MSG_STAT:
4672 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4673 break;
4674 case IPC_SET:
4675 perms = MSGQ__SETATTR;
4676 break;
4677 case IPC_RMID:
4678 perms = MSGQ__DESTROY;
4679 break;
4680 default:
4681 return 0;
4682 }
4683
4684 err = ipc_has_perm(&msq->q_perm, perms);
4685 return err;
4686 }
4687
4688 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4689 {
4690 struct task_security_struct *tsec;
4691 struct ipc_security_struct *isec;
4692 struct msg_security_struct *msec;
4693 struct avc_audit_data ad;
4694 int rc;
4695
4696 tsec = current->security;
4697 isec = msq->q_perm.security;
4698 msec = msg->security;
4699
4700 /*
4701 * First time through, need to assign label to the message
4702 */
4703 if (msec->sid == SECINITSID_UNLABELED) {
4704 /*
4705 * Compute new sid based on current process and
4706 * message queue this message will be stored in
4707 */
4708 rc = security_transition_sid(tsec->sid,
4709 isec->sid,
4710 SECCLASS_MSG,
4711 &msec->sid);
4712 if (rc)
4713 return rc;
4714 }
4715
4716 AVC_AUDIT_DATA_INIT(&ad, IPC);
4717 ad.u.ipc_id = msq->q_perm.key;
4718
4719 /* Can this process write to the queue? */
4720 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4721 MSGQ__WRITE, &ad);
4722 if (!rc)
4723 /* Can this process send the message */
4724 rc = avc_has_perm(tsec->sid, msec->sid,
4725 SECCLASS_MSG, MSG__SEND, &ad);
4726 if (!rc)
4727 /* Can the message be put in the queue? */
4728 rc = avc_has_perm(msec->sid, isec->sid,
4729 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4730
4731 return rc;
4732 }
4733
4734 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4735 struct task_struct *target,
4736 long type, int mode)
4737 {
4738 struct task_security_struct *tsec;
4739 struct ipc_security_struct *isec;
4740 struct msg_security_struct *msec;
4741 struct avc_audit_data ad;
4742 int rc;
4743
4744 tsec = target->security;
4745 isec = msq->q_perm.security;
4746 msec = msg->security;
4747
4748 AVC_AUDIT_DATA_INIT(&ad, IPC);
4749 ad.u.ipc_id = msq->q_perm.key;
4750
4751 rc = avc_has_perm(tsec->sid, isec->sid,
4752 SECCLASS_MSGQ, MSGQ__READ, &ad);
4753 if (!rc)
4754 rc = avc_has_perm(tsec->sid, msec->sid,
4755 SECCLASS_MSG, MSG__RECEIVE, &ad);
4756 return rc;
4757 }
4758
4759 /* Shared Memory security operations */
4760 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4761 {
4762 struct task_security_struct *tsec;
4763 struct ipc_security_struct *isec;
4764 struct avc_audit_data ad;
4765 int rc;
4766
4767 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4768 if (rc)
4769 return rc;
4770
4771 tsec = current->security;
4772 isec = shp->shm_perm.security;
4773
4774 AVC_AUDIT_DATA_INIT(&ad, IPC);
4775 ad.u.ipc_id = shp->shm_perm.key;
4776
4777 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4778 SHM__CREATE, &ad);
4779 if (rc) {
4780 ipc_free_security(&shp->shm_perm);
4781 return rc;
4782 }
4783 return 0;
4784 }
4785
4786 static void selinux_shm_free_security(struct shmid_kernel *shp)
4787 {
4788 ipc_free_security(&shp->shm_perm);
4789 }
4790
4791 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4792 {
4793 struct task_security_struct *tsec;
4794 struct ipc_security_struct *isec;
4795 struct avc_audit_data ad;
4796
4797 tsec = current->security;
4798 isec = shp->shm_perm.security;
4799
4800 AVC_AUDIT_DATA_INIT(&ad, IPC);
4801 ad.u.ipc_id = shp->shm_perm.key;
4802
4803 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4804 SHM__ASSOCIATE, &ad);
4805 }
4806
4807 /* Note, at this point, shp is locked down */
4808 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4809 {
4810 int perms;
4811 int err;
4812
4813 switch(cmd) {
4814 case IPC_INFO:
4815 case SHM_INFO:
4816 /* No specific object, just general system-wide information. */
4817 return task_has_system(current, SYSTEM__IPC_INFO);
4818 case IPC_STAT:
4819 case SHM_STAT:
4820 perms = SHM__GETATTR | SHM__ASSOCIATE;
4821 break;
4822 case IPC_SET:
4823 perms = SHM__SETATTR;
4824 break;
4825 case SHM_LOCK:
4826 case SHM_UNLOCK:
4827 perms = SHM__LOCK;
4828 break;
4829 case IPC_RMID:
4830 perms = SHM__DESTROY;
4831 break;
4832 default:
4833 return 0;
4834 }
4835
4836 err = ipc_has_perm(&shp->shm_perm, perms);
4837 return err;
4838 }
4839
4840 static int selinux_shm_shmat(struct shmid_kernel *shp,
4841 char __user *shmaddr, int shmflg)
4842 {
4843 u32 perms;
4844 int rc;
4845
4846 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4847 if (rc)
4848 return rc;
4849
4850 if (shmflg & SHM_RDONLY)
4851 perms = SHM__READ;
4852 else
4853 perms = SHM__READ | SHM__WRITE;
4854
4855 return ipc_has_perm(&shp->shm_perm, perms);
4856 }
4857
4858 /* Semaphore security operations */
4859 static int selinux_sem_alloc_security(struct sem_array *sma)
4860 {
4861 struct task_security_struct *tsec;
4862 struct ipc_security_struct *isec;
4863 struct avc_audit_data ad;
4864 int rc;
4865
4866 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4867 if (rc)
4868 return rc;
4869
4870 tsec = current->security;
4871 isec = sma->sem_perm.security;
4872
4873 AVC_AUDIT_DATA_INIT(&ad, IPC);
4874 ad.u.ipc_id = sma->sem_perm.key;
4875
4876 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4877 SEM__CREATE, &ad);
4878 if (rc) {
4879 ipc_free_security(&sma->sem_perm);
4880 return rc;
4881 }
4882 return 0;
4883 }
4884
4885 static void selinux_sem_free_security(struct sem_array *sma)
4886 {
4887 ipc_free_security(&sma->sem_perm);
4888 }
4889
4890 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4891 {
4892 struct task_security_struct *tsec;
4893 struct ipc_security_struct *isec;
4894 struct avc_audit_data ad;
4895
4896 tsec = current->security;
4897 isec = sma->sem_perm.security;
4898
4899 AVC_AUDIT_DATA_INIT(&ad, IPC);
4900 ad.u.ipc_id = sma->sem_perm.key;
4901
4902 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4903 SEM__ASSOCIATE, &ad);
4904 }
4905
4906 /* Note, at this point, sma is locked down */
4907 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4908 {
4909 int err;
4910 u32 perms;
4911
4912 switch(cmd) {
4913 case IPC_INFO:
4914 case SEM_INFO:
4915 /* No specific object, just general system-wide information. */
4916 return task_has_system(current, SYSTEM__IPC_INFO);
4917 case GETPID:
4918 case GETNCNT:
4919 case GETZCNT:
4920 perms = SEM__GETATTR;
4921 break;
4922 case GETVAL:
4923 case GETALL:
4924 perms = SEM__READ;
4925 break;
4926 case SETVAL:
4927 case SETALL:
4928 perms = SEM__WRITE;
4929 break;
4930 case IPC_RMID:
4931 perms = SEM__DESTROY;
4932 break;
4933 case IPC_SET:
4934 perms = SEM__SETATTR;
4935 break;
4936 case IPC_STAT:
4937 case SEM_STAT:
4938 perms = SEM__GETATTR | SEM__ASSOCIATE;
4939 break;
4940 default:
4941 return 0;
4942 }
4943
4944 err = ipc_has_perm(&sma->sem_perm, perms);
4945 return err;
4946 }
4947
4948 static int selinux_sem_semop(struct sem_array *sma,
4949 struct sembuf *sops, unsigned nsops, int alter)
4950 {
4951 u32 perms;
4952
4953 if (alter)
4954 perms = SEM__READ | SEM__WRITE;
4955 else
4956 perms = SEM__READ;
4957
4958 return ipc_has_perm(&sma->sem_perm, perms);
4959 }
4960
4961 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4962 {
4963 u32 av = 0;
4964
4965 av = 0;
4966 if (flag & S_IRUGO)
4967 av |= IPC__UNIX_READ;
4968 if (flag & S_IWUGO)
4969 av |= IPC__UNIX_WRITE;
4970
4971 if (av == 0)
4972 return 0;
4973
4974 return ipc_has_perm(ipcp, av);
4975 }
4976
4977 /* module stacking operations */
4978 static int selinux_register_security (const char *name, struct security_operations *ops)
4979 {
4980 if (secondary_ops != original_ops) {
4981 printk(KERN_ERR "%s: There is already a secondary security "
4982 "module registered.\n", __FUNCTION__);
4983 return -EINVAL;
4984 }
4985
4986 secondary_ops = ops;
4987
4988 printk(KERN_INFO "%s: Registering secondary module %s\n",
4989 __FUNCTION__,
4990 name);
4991
4992 return 0;
4993 }
4994
4995 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4996 {
4997 if (inode)
4998 inode_doinit_with_dentry(inode, dentry);
4999 }
5000
5001 static int selinux_getprocattr(struct task_struct *p,
5002 char *name, char **value)
5003 {
5004 struct task_security_struct *tsec;
5005 u32 sid;
5006 int error;
5007 unsigned len;
5008
5009 if (current != p) {
5010 error = task_has_perm(current, p, PROCESS__GETATTR);
5011 if (error)
5012 return error;
5013 }
5014
5015 tsec = p->security;
5016
5017 if (!strcmp(name, "current"))
5018 sid = tsec->sid;
5019 else if (!strcmp(name, "prev"))
5020 sid = tsec->osid;
5021 else if (!strcmp(name, "exec"))
5022 sid = tsec->exec_sid;
5023 else if (!strcmp(name, "fscreate"))
5024 sid = tsec->create_sid;
5025 else if (!strcmp(name, "keycreate"))
5026 sid = tsec->keycreate_sid;
5027 else if (!strcmp(name, "sockcreate"))
5028 sid = tsec->sockcreate_sid;
5029 else
5030 return -EINVAL;
5031
5032 if (!sid)
5033 return 0;
5034
5035 error = security_sid_to_context(sid, value, &len);
5036 if (error)
5037 return error;
5038 return len;
5039 }
5040
5041 static int selinux_setprocattr(struct task_struct *p,
5042 char *name, void *value, size_t size)
5043 {
5044 struct task_security_struct *tsec;
5045 u32 sid = 0;
5046 int error;
5047 char *str = value;
5048
5049 if (current != p) {
5050 /* SELinux only allows a process to change its own
5051 security attributes. */
5052 return -EACCES;
5053 }
5054
5055 /*
5056 * Basic control over ability to set these attributes at all.
5057 * current == p, but we'll pass them separately in case the
5058 * above restriction is ever removed.
5059 */
5060 if (!strcmp(name, "exec"))
5061 error = task_has_perm(current, p, PROCESS__SETEXEC);
5062 else if (!strcmp(name, "fscreate"))
5063 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5064 else if (!strcmp(name, "keycreate"))
5065 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5066 else if (!strcmp(name, "sockcreate"))
5067 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5068 else if (!strcmp(name, "current"))
5069 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5070 else
5071 error = -EINVAL;
5072 if (error)
5073 return error;
5074
5075 /* Obtain a SID for the context, if one was specified. */
5076 if (size && str[1] && str[1] != '\n') {
5077 if (str[size-1] == '\n') {
5078 str[size-1] = 0;
5079 size--;
5080 }
5081 error = security_context_to_sid(value, size, &sid);
5082 if (error)
5083 return error;
5084 }
5085
5086 /* Permission checking based on the specified context is
5087 performed during the actual operation (execve,
5088 open/mkdir/...), when we know the full context of the
5089 operation. See selinux_bprm_set_security for the execve
5090 checks and may_create for the file creation checks. The
5091 operation will then fail if the context is not permitted. */
5092 tsec = p->security;
5093 if (!strcmp(name, "exec"))
5094 tsec->exec_sid = sid;
5095 else if (!strcmp(name, "fscreate"))
5096 tsec->create_sid = sid;
5097 else if (!strcmp(name, "keycreate")) {
5098 error = may_create_key(sid, p);
5099 if (error)
5100 return error;
5101 tsec->keycreate_sid = sid;
5102 } else if (!strcmp(name, "sockcreate"))
5103 tsec->sockcreate_sid = sid;
5104 else if (!strcmp(name, "current")) {
5105 struct av_decision avd;
5106
5107 if (sid == 0)
5108 return -EINVAL;
5109
5110 /* Only allow single threaded processes to change context */
5111 if (atomic_read(&p->mm->mm_users) != 1) {
5112 struct task_struct *g, *t;
5113 struct mm_struct *mm = p->mm;
5114 read_lock(&tasklist_lock);
5115 do_each_thread(g, t)
5116 if (t->mm == mm && t != p) {
5117 read_unlock(&tasklist_lock);
5118 return -EPERM;
5119 }
5120 while_each_thread(g, t);
5121 read_unlock(&tasklist_lock);
5122 }
5123
5124 /* Check permissions for the transition. */
5125 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5126 PROCESS__DYNTRANSITION, NULL);
5127 if (error)
5128 return error;
5129
5130 /* Check for ptracing, and update the task SID if ok.
5131 Otherwise, leave SID unchanged and fail. */
5132 task_lock(p);
5133 if (p->ptrace & PT_PTRACED) {
5134 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5135 SECCLASS_PROCESS,
5136 PROCESS__PTRACE, 0, &avd);
5137 if (!error)
5138 tsec->sid = sid;
5139 task_unlock(p);
5140 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5141 PROCESS__PTRACE, &avd, error, NULL);
5142 if (error)
5143 return error;
5144 } else {
5145 tsec->sid = sid;
5146 task_unlock(p);
5147 }
5148 }
5149 else
5150 return -EINVAL;
5151
5152 return size;
5153 }
5154
5155 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5156 {
5157 return security_sid_to_context(secid, secdata, seclen);
5158 }
5159
5160 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5161 {
5162 return security_context_to_sid(secdata, seclen, secid);
5163 }
5164
5165 static void selinux_release_secctx(char *secdata, u32 seclen)
5166 {
5167 kfree(secdata);
5168 }
5169
5170 #ifdef CONFIG_KEYS
5171
5172 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5173 unsigned long flags)
5174 {
5175 struct task_security_struct *tsec = tsk->security;
5176 struct key_security_struct *ksec;
5177
5178 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5179 if (!ksec)
5180 return -ENOMEM;
5181
5182 ksec->obj = k;
5183 if (tsec->keycreate_sid)
5184 ksec->sid = tsec->keycreate_sid;
5185 else
5186 ksec->sid = tsec->sid;
5187 k->security = ksec;
5188
5189 return 0;
5190 }
5191
5192 static void selinux_key_free(struct key *k)
5193 {
5194 struct key_security_struct *ksec = k->security;
5195
5196 k->security = NULL;
5197 kfree(ksec);
5198 }
5199
5200 static int selinux_key_permission(key_ref_t key_ref,
5201 struct task_struct *ctx,
5202 key_perm_t perm)
5203 {
5204 struct key *key;
5205 struct task_security_struct *tsec;
5206 struct key_security_struct *ksec;
5207
5208 key = key_ref_to_ptr(key_ref);
5209
5210 tsec = ctx->security;
5211 ksec = key->security;
5212
5213 /* if no specific permissions are requested, we skip the
5214 permission check. No serious, additional covert channels
5215 appear to be created. */
5216 if (perm == 0)
5217 return 0;
5218
5219 return avc_has_perm(tsec->sid, ksec->sid,
5220 SECCLASS_KEY, perm, NULL);
5221 }
5222
5223 #endif
5224
5225 static struct security_operations selinux_ops = {
5226 .ptrace = selinux_ptrace,
5227 .capget = selinux_capget,
5228 .capset_check = selinux_capset_check,
5229 .capset_set = selinux_capset_set,
5230 .sysctl = selinux_sysctl,
5231 .capable = selinux_capable,
5232 .quotactl = selinux_quotactl,
5233 .quota_on = selinux_quota_on,
5234 .syslog = selinux_syslog,
5235 .vm_enough_memory = selinux_vm_enough_memory,
5236
5237 .netlink_send = selinux_netlink_send,
5238 .netlink_recv = selinux_netlink_recv,
5239
5240 .bprm_alloc_security = selinux_bprm_alloc_security,
5241 .bprm_free_security = selinux_bprm_free_security,
5242 .bprm_apply_creds = selinux_bprm_apply_creds,
5243 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5244 .bprm_set_security = selinux_bprm_set_security,
5245 .bprm_check_security = selinux_bprm_check_security,
5246 .bprm_secureexec = selinux_bprm_secureexec,
5247
5248 .sb_alloc_security = selinux_sb_alloc_security,
5249 .sb_free_security = selinux_sb_free_security,
5250 .sb_copy_data = selinux_sb_copy_data,
5251 .sb_kern_mount = selinux_sb_kern_mount,
5252 .sb_statfs = selinux_sb_statfs,
5253 .sb_mount = selinux_mount,
5254 .sb_umount = selinux_umount,
5255 .sb_get_mnt_opts = selinux_get_mnt_opts,
5256 .sb_set_mnt_opts = selinux_set_mnt_opts,
5257 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5258
5259 .inode_alloc_security = selinux_inode_alloc_security,
5260 .inode_free_security = selinux_inode_free_security,
5261 .inode_init_security = selinux_inode_init_security,
5262 .inode_create = selinux_inode_create,
5263 .inode_link = selinux_inode_link,
5264 .inode_unlink = selinux_inode_unlink,
5265 .inode_symlink = selinux_inode_symlink,
5266 .inode_mkdir = selinux_inode_mkdir,
5267 .inode_rmdir = selinux_inode_rmdir,
5268 .inode_mknod = selinux_inode_mknod,
5269 .inode_rename = selinux_inode_rename,
5270 .inode_readlink = selinux_inode_readlink,
5271 .inode_follow_link = selinux_inode_follow_link,
5272 .inode_permission = selinux_inode_permission,
5273 .inode_setattr = selinux_inode_setattr,
5274 .inode_getattr = selinux_inode_getattr,
5275 .inode_setxattr = selinux_inode_setxattr,
5276 .inode_post_setxattr = selinux_inode_post_setxattr,
5277 .inode_getxattr = selinux_inode_getxattr,
5278 .inode_listxattr = selinux_inode_listxattr,
5279 .inode_removexattr = selinux_inode_removexattr,
5280 .inode_getsecurity = selinux_inode_getsecurity,
5281 .inode_setsecurity = selinux_inode_setsecurity,
5282 .inode_listsecurity = selinux_inode_listsecurity,
5283 .inode_need_killpriv = selinux_inode_need_killpriv,
5284 .inode_killpriv = selinux_inode_killpriv,
5285
5286 .file_permission = selinux_file_permission,
5287 .file_alloc_security = selinux_file_alloc_security,
5288 .file_free_security = selinux_file_free_security,
5289 .file_ioctl = selinux_file_ioctl,
5290 .file_mmap = selinux_file_mmap,
5291 .file_mprotect = selinux_file_mprotect,
5292 .file_lock = selinux_file_lock,
5293 .file_fcntl = selinux_file_fcntl,
5294 .file_set_fowner = selinux_file_set_fowner,
5295 .file_send_sigiotask = selinux_file_send_sigiotask,
5296 .file_receive = selinux_file_receive,
5297
5298 .dentry_open = selinux_dentry_open,
5299
5300 .task_create = selinux_task_create,
5301 .task_alloc_security = selinux_task_alloc_security,
5302 .task_free_security = selinux_task_free_security,
5303 .task_setuid = selinux_task_setuid,
5304 .task_post_setuid = selinux_task_post_setuid,
5305 .task_setgid = selinux_task_setgid,
5306 .task_setpgid = selinux_task_setpgid,
5307 .task_getpgid = selinux_task_getpgid,
5308 .task_getsid = selinux_task_getsid,
5309 .task_getsecid = selinux_task_getsecid,
5310 .task_setgroups = selinux_task_setgroups,
5311 .task_setnice = selinux_task_setnice,
5312 .task_setioprio = selinux_task_setioprio,
5313 .task_getioprio = selinux_task_getioprio,
5314 .task_setrlimit = selinux_task_setrlimit,
5315 .task_setscheduler = selinux_task_setscheduler,
5316 .task_getscheduler = selinux_task_getscheduler,
5317 .task_movememory = selinux_task_movememory,
5318 .task_kill = selinux_task_kill,
5319 .task_wait = selinux_task_wait,
5320 .task_prctl = selinux_task_prctl,
5321 .task_reparent_to_init = selinux_task_reparent_to_init,
5322 .task_to_inode = selinux_task_to_inode,
5323
5324 .ipc_permission = selinux_ipc_permission,
5325
5326 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5327 .msg_msg_free_security = selinux_msg_msg_free_security,
5328
5329 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5330 .msg_queue_free_security = selinux_msg_queue_free_security,
5331 .msg_queue_associate = selinux_msg_queue_associate,
5332 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5333 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5334 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5335
5336 .shm_alloc_security = selinux_shm_alloc_security,
5337 .shm_free_security = selinux_shm_free_security,
5338 .shm_associate = selinux_shm_associate,
5339 .shm_shmctl = selinux_shm_shmctl,
5340 .shm_shmat = selinux_shm_shmat,
5341
5342 .sem_alloc_security = selinux_sem_alloc_security,
5343 .sem_free_security = selinux_sem_free_security,
5344 .sem_associate = selinux_sem_associate,
5345 .sem_semctl = selinux_sem_semctl,
5346 .sem_semop = selinux_sem_semop,
5347
5348 .register_security = selinux_register_security,
5349
5350 .d_instantiate = selinux_d_instantiate,
5351
5352 .getprocattr = selinux_getprocattr,
5353 .setprocattr = selinux_setprocattr,
5354
5355 .secid_to_secctx = selinux_secid_to_secctx,
5356 .secctx_to_secid = selinux_secctx_to_secid,
5357 .release_secctx = selinux_release_secctx,
5358
5359 .unix_stream_connect = selinux_socket_unix_stream_connect,
5360 .unix_may_send = selinux_socket_unix_may_send,
5361
5362 .socket_create = selinux_socket_create,
5363 .socket_post_create = selinux_socket_post_create,
5364 .socket_bind = selinux_socket_bind,
5365 .socket_connect = selinux_socket_connect,
5366 .socket_listen = selinux_socket_listen,
5367 .socket_accept = selinux_socket_accept,
5368 .socket_sendmsg = selinux_socket_sendmsg,
5369 .socket_recvmsg = selinux_socket_recvmsg,
5370 .socket_getsockname = selinux_socket_getsockname,
5371 .socket_getpeername = selinux_socket_getpeername,
5372 .socket_getsockopt = selinux_socket_getsockopt,
5373 .socket_setsockopt = selinux_socket_setsockopt,
5374 .socket_shutdown = selinux_socket_shutdown,
5375 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5376 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5377 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5378 .sk_alloc_security = selinux_sk_alloc_security,
5379 .sk_free_security = selinux_sk_free_security,
5380 .sk_clone_security = selinux_sk_clone_security,
5381 .sk_getsecid = selinux_sk_getsecid,
5382 .sock_graft = selinux_sock_graft,
5383 .inet_conn_request = selinux_inet_conn_request,
5384 .inet_csk_clone = selinux_inet_csk_clone,
5385 .inet_conn_established = selinux_inet_conn_established,
5386 .req_classify_flow = selinux_req_classify_flow,
5387
5388 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5389 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5390 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5391 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5392 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5393 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5394 .xfrm_state_free_security = selinux_xfrm_state_free,
5395 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5396 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5397 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5398 .xfrm_decode_session = selinux_xfrm_decode_session,
5399 #endif
5400
5401 #ifdef CONFIG_KEYS
5402 .key_alloc = selinux_key_alloc,
5403 .key_free = selinux_key_free,
5404 .key_permission = selinux_key_permission,
5405 #endif
5406 };
5407
5408 static __init int selinux_init(void)
5409 {
5410 struct task_security_struct *tsec;
5411
5412 if (!selinux_enabled) {
5413 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5414 return 0;
5415 }
5416
5417 printk(KERN_INFO "SELinux: Initializing.\n");
5418
5419 /* Set the security state for the initial task. */
5420 if (task_alloc_security(current))
5421 panic("SELinux: Failed to initialize initial task.\n");
5422 tsec = current->security;
5423 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5424
5425 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5426 sizeof(struct inode_security_struct),
5427 0, SLAB_PANIC, NULL);
5428 avc_init();
5429
5430 original_ops = secondary_ops = security_ops;
5431 if (!secondary_ops)
5432 panic ("SELinux: No initial security operations\n");
5433 if (register_security (&selinux_ops))
5434 panic("SELinux: Unable to register with kernel.\n");
5435
5436 if (selinux_enforcing) {
5437 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5438 } else {
5439 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5440 }
5441
5442 #ifdef CONFIG_KEYS
5443 /* Add security information to initial keyrings */
5444 selinux_key_alloc(&root_user_keyring, current,
5445 KEY_ALLOC_NOT_IN_QUOTA);
5446 selinux_key_alloc(&root_session_keyring, current,
5447 KEY_ALLOC_NOT_IN_QUOTA);
5448 #endif
5449
5450 return 0;
5451 }
5452
5453 void selinux_complete_init(void)
5454 {
5455 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5456
5457 /* Set up any superblocks initialized prior to the policy load. */
5458 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5459 spin_lock(&sb_lock);
5460 spin_lock(&sb_security_lock);
5461 next_sb:
5462 if (!list_empty(&superblock_security_head)) {
5463 struct superblock_security_struct *sbsec =
5464 list_entry(superblock_security_head.next,
5465 struct superblock_security_struct,
5466 list);
5467 struct super_block *sb = sbsec->sb;
5468 sb->s_count++;
5469 spin_unlock(&sb_security_lock);
5470 spin_unlock(&sb_lock);
5471 down_read(&sb->s_umount);
5472 if (sb->s_root)
5473 superblock_doinit(sb, NULL);
5474 drop_super(sb);
5475 spin_lock(&sb_lock);
5476 spin_lock(&sb_security_lock);
5477 list_del_init(&sbsec->list);
5478 goto next_sb;
5479 }
5480 spin_unlock(&sb_security_lock);
5481 spin_unlock(&sb_lock);
5482 }
5483
5484 /* SELinux requires early initialization in order to label
5485 all processes and objects when they are created. */
5486 security_initcall(selinux_init);
5487
5488 #if defined(CONFIG_NETFILTER)
5489
5490 static struct nf_hook_ops selinux_ipv4_ops[] = {
5491 {
5492 .hook = selinux_ipv4_postroute,
5493 .owner = THIS_MODULE,
5494 .pf = PF_INET,
5495 .hooknum = NF_INET_POST_ROUTING,
5496 .priority = NF_IP_PRI_SELINUX_LAST,
5497 },
5498 {
5499 .hook = selinux_ipv4_forward,
5500 .owner = THIS_MODULE,
5501 .pf = PF_INET,
5502 .hooknum = NF_INET_FORWARD,
5503 .priority = NF_IP_PRI_SELINUX_FIRST,
5504 }
5505 };
5506
5507 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5508
5509 static struct nf_hook_ops selinux_ipv6_ops[] = {
5510 {
5511 .hook = selinux_ipv6_postroute,
5512 .owner = THIS_MODULE,
5513 .pf = PF_INET6,
5514 .hooknum = NF_INET_POST_ROUTING,
5515 .priority = NF_IP6_PRI_SELINUX_LAST,
5516 },
5517 {
5518 .hook = selinux_ipv6_forward,
5519 .owner = THIS_MODULE,
5520 .pf = PF_INET6,
5521 .hooknum = NF_INET_FORWARD,
5522 .priority = NF_IP6_PRI_SELINUX_FIRST,
5523 }
5524 };
5525
5526 #endif /* IPV6 */
5527
5528 static int __init selinux_nf_ip_init(void)
5529 {
5530 int err = 0;
5531 u32 iter;
5532
5533 if (!selinux_enabled)
5534 goto out;
5535
5536 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5537
5538 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5539 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5540 if (err)
5541 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5542 err);
5543 }
5544
5545 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5546 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5547 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5548 if (err)
5549 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5550 err);
5551 }
5552 #endif /* IPV6 */
5553
5554 out:
5555 return err;
5556 }
5557
5558 __initcall(selinux_nf_ip_init);
5559
5560 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5561 static void selinux_nf_ip_exit(void)
5562 {
5563 u32 iter;
5564
5565 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5566
5567 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5568 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5569 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5570 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5571 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5572 #endif /* IPV6 */
5573 }
5574 #endif
5575
5576 #else /* CONFIG_NETFILTER */
5577
5578 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5579 #define selinux_nf_ip_exit()
5580 #endif
5581
5582 #endif /* CONFIG_NETFILTER */
5583
5584 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5585 int selinux_disable(void)
5586 {
5587 extern void exit_sel_fs(void);
5588 static int selinux_disabled = 0;
5589
5590 if (ss_initialized) {
5591 /* Not permitted after initial policy load. */
5592 return -EINVAL;
5593 }
5594
5595 if (selinux_disabled) {
5596 /* Only do this once. */
5597 return -EINVAL;
5598 }
5599
5600 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5601
5602 selinux_disabled = 1;
5603 selinux_enabled = 0;
5604
5605 /* Reset security_ops to the secondary module, dummy or capability. */
5606 security_ops = secondary_ops;
5607
5608 /* Unregister netfilter hooks. */
5609 selinux_nf_ip_exit();
5610
5611 /* Unregister selinuxfs. */
5612 exit_sel_fs();
5613
5614 return 0;
5615 }
5616 #endif
5617
5618
(deprecated) Btrfs devel tree