search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
security: code cleanup
[linux-2.6/openmoko-kernel/knife-kernel.git] / security / selinux / hooks.c
blob973e31eb109786384d1fb2c65692b2ed07dd90b0
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141 *
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
147 *
148 */
149 static int selinux_secmark_enabled(void)
150 {
151 return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158 struct task_security_struct *tsec;
159
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161 if (!tsec)
162 return -ENOMEM;
163
164 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
165 task->security = tsec;
166
167 return 0;
168 }
169
170 static void task_free_security(struct task_struct *task)
171 {
172 struct task_security_struct *tsec = task->security;
173 task->security = NULL;
174 kfree(tsec);
175 }
176
177 static int inode_alloc_security(struct inode *inode)
178 {
179 struct task_security_struct *tsec = current->security;
180 struct inode_security_struct *isec;
181
182 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
183 if (!isec)
184 return -ENOMEM;
185
186 mutex_init(&isec->lock);
187 INIT_LIST_HEAD(&isec->list);
188 isec->inode = inode;
189 isec->sid = SECINITSID_UNLABELED;
190 isec->sclass = SECCLASS_FILE;
191 isec->task_sid = tsec->sid;
192 inode->i_security = isec;
193
194 return 0;
195 }
196
197 static void inode_free_security(struct inode *inode)
198 {
199 struct inode_security_struct *isec = inode->i_security;
200 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
201
202 spin_lock(&sbsec->isec_lock);
203 if (!list_empty(&isec->list))
204 list_del_init(&isec->list);
205 spin_unlock(&sbsec->isec_lock);
206
207 inode->i_security = NULL;
208 kmem_cache_free(sel_inode_cache, isec);
209 }
210
211 static int file_alloc_security(struct file *file)
212 {
213 struct task_security_struct *tsec = current->security;
214 struct file_security_struct *fsec;
215
216 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
217 if (!fsec)
218 return -ENOMEM;
219
220 fsec->sid = tsec->sid;
221 fsec->fown_sid = tsec->sid;
222 file->f_security = fsec;
223
224 return 0;
225 }
226
227 static void file_free_security(struct file *file)
228 {
229 struct file_security_struct *fsec = file->f_security;
230 file->f_security = NULL;
231 kfree(fsec);
232 }
233
234 static int superblock_alloc_security(struct super_block *sb)
235 {
236 struct superblock_security_struct *sbsec;
237
238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
239 if (!sbsec)
240 return -ENOMEM;
241
242 mutex_init(&sbsec->lock);
243 INIT_LIST_HEAD(&sbsec->list);
244 INIT_LIST_HEAD(&sbsec->isec_head);
245 spin_lock_init(&sbsec->isec_lock);
246 sbsec->sb = sb;
247 sbsec->sid = SECINITSID_UNLABELED;
248 sbsec->def_sid = SECINITSID_FILE;
249 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250 sb->s_security = sbsec;
251
252 return 0;
253 }
254
255 static void superblock_free_security(struct super_block *sb)
256 {
257 struct superblock_security_struct *sbsec = sb->s_security;
258
259 spin_lock(&sb_security_lock);
260 if (!list_empty(&sbsec->list))
261 list_del_init(&sbsec->list);
262 spin_unlock(&sb_security_lock);
263
264 sb->s_security = NULL;
265 kfree(sbsec);
266 }
267
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269 {
270 struct sk_security_struct *ssec;
271
272 ssec = kzalloc(sizeof(*ssec), priority);
273 if (!ssec)
274 return -ENOMEM;
275
276 ssec->peer_sid = SECINITSID_UNLABELED;
277 ssec->sid = SECINITSID_UNLABELED;
278 sk->sk_security = ssec;
279
280 selinux_netlbl_sk_security_reset(ssec, family);
281
282 return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287 struct sk_security_struct *ssec = sk->sk_security;
288
289 sk->sk_security = NULL;
290 kfree(ssec);
291 }
292
293 /* The security server must be initialized before
294 any labeling or access decisions can be provided. */
295 extern int ss_initialized;
296
297 /* The file system's label must be initialized prior to use. */
298
299 static char *labeling_behaviors[6] = {
300 "uses xattr",
301 "uses transition SIDs",
302 "uses task SIDs",
303 "uses genfs_contexts",
304 "not configured for labeling",
305 "uses mountpoint labeling",
306 };
307
308 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309
310 static inline int inode_doinit(struct inode *inode)
311 {
312 return inode_doinit_with_dentry(inode, NULL);
313 }
314
315 enum {
316 Opt_error = -1,
317 Opt_context = 1,
318 Opt_fscontext = 2,
319 Opt_defcontext = 3,
320 Opt_rootcontext = 4,
321 };
322
323 static match_table_t tokens = {
324 {Opt_context, "context=%s"},
325 {Opt_fscontext, "fscontext=%s"},
326 {Opt_defcontext, "defcontext=%s"},
327 {Opt_rootcontext, "rootcontext=%s"},
328 {Opt_error, NULL},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
332
333 static int may_context_mount_sb_relabel(u32 sid,
334 struct superblock_security_struct *sbsec,
335 struct task_security_struct *tsec)
336 {
337 int rc;
338
339 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
340 FILESYSTEM__RELABELFROM, NULL);
341 if (rc)
342 return rc;
343
344 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
345 FILESYSTEM__RELABELTO, NULL);
346 return rc;
347 }
348
349 static int may_context_mount_inode_relabel(u32 sid,
350 struct superblock_security_struct *sbsec,
351 struct task_security_struct *tsec)
352 {
353 int rc;
354 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
355 FILESYSTEM__RELABELFROM, NULL);
356 if (rc)
357 return rc;
358
359 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
360 FILESYSTEM__ASSOCIATE, NULL);
361 return rc;
362 }
363
364 static int sb_finish_set_opts(struct super_block *sb)
365 {
366 struct superblock_security_struct *sbsec = sb->s_security;
367 struct dentry *root = sb->s_root;
368 struct inode *root_inode = root->d_inode;
369 int rc = 0;
370
371 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
372 /* Make sure that the xattr handler exists and that no
373 error other than -ENODATA is returned by getxattr on
374 the root directory. -ENODATA is ok, as this may be
375 the first boot of the SELinux kernel before we have
376 assigned xattr values to the filesystem. */
377 if (!root_inode->i_op->getxattr) {
378 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
379 "xattr support\n", sb->s_id, sb->s_type->name);
380 rc = -EOPNOTSUPP;
381 goto out;
382 }
383 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
384 if (rc < 0 && rc != -ENODATA) {
385 if (rc == -EOPNOTSUPP)
386 printk(KERN_WARNING "SELinux: (dev %s, type "
387 "%s) has no security xattr handler\n",
388 sb->s_id, sb->s_type->name);
389 else
390 printk(KERN_WARNING "SELinux: (dev %s, type "
391 "%s) getxattr errno %d\n", sb->s_id,
392 sb->s_type->name, -rc);
393 goto out;
394 }
395 }
396
397 sbsec->initialized = 1;
398
399 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
401 sb->s_id, sb->s_type->name);
402 else
403 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
404 sb->s_id, sb->s_type->name,
405 labeling_behaviors[sbsec->behavior-1]);
406
407 /* Initialize the root inode. */
408 rc = inode_doinit_with_dentry(root_inode, root);
409
410 /* Initialize any other inodes associated with the superblock, e.g.
411 inodes created prior to initial policy load or inodes created
412 during get_sb by a pseudo filesystem that directly
413 populates itself. */
414 spin_lock(&sbsec->isec_lock);
415 next_inode:
416 if (!list_empty(&sbsec->isec_head)) {
417 struct inode_security_struct *isec =
418 list_entry(sbsec->isec_head.next,
419 struct inode_security_struct, list);
420 struct inode *inode = isec->inode;
421 spin_unlock(&sbsec->isec_lock);
422 inode = igrab(inode);
423 if (inode) {
424 if (!IS_PRIVATE(inode))
425 inode_doinit(inode);
426 iput(inode);
427 }
428 spin_lock(&sbsec->isec_lock);
429 list_del_init(&isec->list);
430 goto next_inode;
431 }
432 spin_unlock(&sbsec->isec_lock);
433 out:
434 return rc;
435 }
436
437 /*
438 * This function should allow an FS to ask what it's mount security
439 * options were so it can use those later for submounts, displaying
440 * mount options, or whatever.
441 */
442 static int selinux_get_mnt_opts(const struct super_block *sb,
443 struct security_mnt_opts *opts)
444 {
445 int rc = 0, i;
446 struct superblock_security_struct *sbsec = sb->s_security;
447 char *context = NULL;
448 u32 len;
449 char tmp;
450
451 security_init_mnt_opts(opts);
452
453 if (!sbsec->initialized)
454 return -EINVAL;
455
456 if (!ss_initialized)
457 return -EINVAL;
458
459 /*
460 * if we ever use sbsec flags for anything other than tracking mount
461 * settings this is going to need a mask
462 */
463 tmp = sbsec->flags;
464 /* count the number of mount options for this sb */
465 for (i = 0; i < 8; i++) {
466 if (tmp & 0x01)
467 opts->num_mnt_opts++;
468 tmp >>= 1;
469 }
470
471 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472 if (!opts->mnt_opts) {
473 rc = -ENOMEM;
474 goto out_free;
475 }
476
477 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478 if (!opts->mnt_opts_flags) {
479 rc = -ENOMEM;
480 goto out_free;
481 }
482
483 i = 0;
484 if (sbsec->flags & FSCONTEXT_MNT) {
485 rc = security_sid_to_context(sbsec->sid, &context, &len);
486 if (rc)
487 goto out_free;
488 opts->mnt_opts[i] = context;
489 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
490 }
491 if (sbsec->flags & CONTEXT_MNT) {
492 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493 if (rc)
494 goto out_free;
495 opts->mnt_opts[i] = context;
496 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
497 }
498 if (sbsec->flags & DEFCONTEXT_MNT) {
499 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500 if (rc)
501 goto out_free;
502 opts->mnt_opts[i] = context;
503 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
504 }
505 if (sbsec->flags & ROOTCONTEXT_MNT) {
506 struct inode *root = sbsec->sb->s_root->d_inode;
507 struct inode_security_struct *isec = root->i_security;
508
509 rc = security_sid_to_context(isec->sid, &context, &len);
510 if (rc)
511 goto out_free;
512 opts->mnt_opts[i] = context;
513 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
514 }
515
516 BUG_ON(i != opts->num_mnt_opts);
517
518 return 0;
519
520 out_free:
521 security_free_mnt_opts(opts);
522 return rc;
523 }
524
525 static int bad_option(struct superblock_security_struct *sbsec, char flag,
526 u32 old_sid, u32 new_sid)
527 {
528 /* check if the old mount command had the same options */
529 if (sbsec->initialized)
530 if (!(sbsec->flags & flag) ||
531 (old_sid != new_sid))
532 return 1;
533
534 /* check if we were passed the same options twice,
535 * aka someone passed context=a,context=b
536 */
537 if (!sbsec->initialized)
538 if (sbsec->flags & flag)
539 return 1;
540 return 0;
541 }
542
543 /*
544 * Allow filesystems with binary mount data to explicitly set mount point
545 * labeling information.
546 */
547 static int selinux_set_mnt_opts(struct super_block *sb,
548 struct security_mnt_opts *opts)
549 {
550 int rc = 0, i;
551 struct task_security_struct *tsec = current->security;
552 struct superblock_security_struct *sbsec = sb->s_security;
553 const char *name = sb->s_type->name;
554 struct inode *inode = sbsec->sb->s_root->d_inode;
555 struct inode_security_struct *root_isec = inode->i_security;
556 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
557 u32 defcontext_sid = 0;
558 char **mount_options = opts->mnt_opts;
559 int *flags = opts->mnt_opts_flags;
560 int num_opts = opts->num_mnt_opts;
561
562 mutex_lock(&sbsec->lock);
563
564 if (!ss_initialized) {
565 if (!num_opts) {
566 /* Defer initialization until selinux_complete_init,
567 after the initial policy is loaded and the security
568 server is ready to handle calls. */
569 spin_lock(&sb_security_lock);
570 if (list_empty(&sbsec->list))
571 list_add(&sbsec->list, &superblock_security_head);
572 spin_unlock(&sb_security_lock);
573 goto out;
574 }
575 rc = -EINVAL;
576 printk(KERN_WARNING "Unable to set superblock options before "
577 "the security server is initialized\n");
578 goto out;
579 }
580
581 /*
582 * Binary mount data FS will come through this function twice. Once
583 * from an explicit call and once from the generic calls from the vfs.
584 * Since the generic VFS calls will not contain any security mount data
585 * we need to skip the double mount verification.
586 *
587 * This does open a hole in which we will not notice if the first
588 * mount using this sb set explict options and a second mount using
589 * this sb does not set any security options. (The first options
590 * will be used for both mounts)
591 */
592 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593 && (num_opts == 0))
594 goto out;
595
596 /*
597 * parse the mount options, check if they are valid sids.
598 * also check if someone is trying to mount the same sb more
599 * than once with different security options.
600 */
601 for (i = 0; i < num_opts; i++) {
602 u32 sid;
603 rc = security_context_to_sid(mount_options[i],
604 strlen(mount_options[i]), &sid);
605 if (rc) {
606 printk(KERN_WARNING "SELinux: security_context_to_sid"
607 "(%s) failed for (dev %s, type %s) errno=%d\n",
608 mount_options[i], sb->s_id, name, rc);
609 goto out;
610 }
611 switch (flags[i]) {
612 case FSCONTEXT_MNT:
613 fscontext_sid = sid;
614
615 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
616 fscontext_sid))
617 goto out_double_mount;
618
619 sbsec->flags |= FSCONTEXT_MNT;
620 break;
621 case CONTEXT_MNT:
622 context_sid = sid;
623
624 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
625 context_sid))
626 goto out_double_mount;
627
628 sbsec->flags |= CONTEXT_MNT;
629 break;
630 case ROOTCONTEXT_MNT:
631 rootcontext_sid = sid;
632
633 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
634 rootcontext_sid))
635 goto out_double_mount;
636
637 sbsec->flags |= ROOTCONTEXT_MNT;
638
639 break;
640 case DEFCONTEXT_MNT:
641 defcontext_sid = sid;
642
643 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
644 defcontext_sid))
645 goto out_double_mount;
646
647 sbsec->flags |= DEFCONTEXT_MNT;
648
649 break;
650 default:
651 rc = -EINVAL;
652 goto out;
653 }
654 }
655
656 if (sbsec->initialized) {
657 /* previously mounted with options, but not on this attempt? */
658 if (sbsec->flags && !num_opts)
659 goto out_double_mount;
660 rc = 0;
661 goto out;
662 }
663
664 if (strcmp(sb->s_type->name, "proc") == 0)
665 sbsec->proc = 1;
666
667 /* Determine the labeling behavior to use for this filesystem type. */
668 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
669 if (rc) {
670 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
671 __func__, sb->s_type->name, rc);
672 goto out;
673 }
674
675 /* sets the context of the superblock for the fs being mounted. */
676 if (fscontext_sid) {
677
678 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
679 if (rc)
680 goto out;
681
682 sbsec->sid = fscontext_sid;
683 }
684
685 /*
686 * Switch to using mount point labeling behavior.
687 * sets the label used on all file below the mountpoint, and will set
688 * the superblock context if not already set.
689 */
690 if (context_sid) {
691 if (!fscontext_sid) {
692 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
693 if (rc)
694 goto out;
695 sbsec->sid = context_sid;
696 } else {
697 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
698 if (rc)
699 goto out;
700 }
701 if (!rootcontext_sid)
702 rootcontext_sid = context_sid;
703
704 sbsec->mntpoint_sid = context_sid;
705 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
706 }
707
708 if (rootcontext_sid) {
709 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
710 if (rc)
711 goto out;
712
713 root_isec->sid = rootcontext_sid;
714 root_isec->initialized = 1;
715 }
716
717 if (defcontext_sid) {
718 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
719 rc = -EINVAL;
720 printk(KERN_WARNING "SELinux: defcontext option is "
721 "invalid for this filesystem type\n");
722 goto out;
723 }
724
725 if (defcontext_sid != sbsec->def_sid) {
726 rc = may_context_mount_inode_relabel(defcontext_sid,
727 sbsec, tsec);
728 if (rc)
729 goto out;
730 }
731
732 sbsec->def_sid = defcontext_sid;
733 }
734
735 rc = sb_finish_set_opts(sb);
736 out:
737 mutex_unlock(&sbsec->lock);
738 return rc;
739 out_double_mount:
740 rc = -EINVAL;
741 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
742 "security settings for (dev %s, type %s)\n", sb->s_id, name);
743 goto out;
744 }
745
746 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
747 struct super_block *newsb)
748 {
749 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
750 struct superblock_security_struct *newsbsec = newsb->s_security;
751
752 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
753 int set_context = (oldsbsec->flags & CONTEXT_MNT);
754 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
755
756 /* we can't error, we can't save the info, this shouldn't get called
757 * this early in the boot process. */
758 BUG_ON(!ss_initialized);
759
760 /* how can we clone if the old one wasn't set up?? */
761 BUG_ON(!oldsbsec->initialized);
762
763 /* if fs is reusing a sb, just let its options stand... */
764 if (newsbsec->initialized)
765 return;
766
767 mutex_lock(&newsbsec->lock);
768
769 newsbsec->flags = oldsbsec->flags;
770
771 newsbsec->sid = oldsbsec->sid;
772 newsbsec->def_sid = oldsbsec->def_sid;
773 newsbsec->behavior = oldsbsec->behavior;
774
775 if (set_context) {
776 u32 sid = oldsbsec->mntpoint_sid;
777
778 if (!set_fscontext)
779 newsbsec->sid = sid;
780 if (!set_rootcontext) {
781 struct inode *newinode = newsb->s_root->d_inode;
782 struct inode_security_struct *newisec = newinode->i_security;
783 newisec->sid = sid;
784 }
785 newsbsec->mntpoint_sid = sid;
786 }
787 if (set_rootcontext) {
788 const struct inode *oldinode = oldsb->s_root->d_inode;
789 const struct inode_security_struct *oldisec = oldinode->i_security;
790 struct inode *newinode = newsb->s_root->d_inode;
791 struct inode_security_struct *newisec = newinode->i_security;
792
793 newisec->sid = oldisec->sid;
794 }
795
796 sb_finish_set_opts(newsb);
797 mutex_unlock(&newsbsec->lock);
798 }
799
800 static int selinux_parse_opts_str(char *options,
801 struct security_mnt_opts *opts)
802 {
803 char *p;
804 char *context = NULL, *defcontext = NULL;
805 char *fscontext = NULL, *rootcontext = NULL;
806 int rc, num_mnt_opts = 0;
807
808 opts->num_mnt_opts = 0;
809
810 /* Standard string-based options. */
811 while ((p = strsep(&options, "|")) != NULL) {
812 int token;
813 substring_t args[MAX_OPT_ARGS];
814
815 if (!*p)
816 continue;
817
818 token = match_token(p, tokens, args);
819
820 switch (token) {
821 case Opt_context:
822 if (context || defcontext) {
823 rc = -EINVAL;
824 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
825 goto out_err;
826 }
827 context = match_strdup(&args[0]);
828 if (!context) {
829 rc = -ENOMEM;
830 goto out_err;
831 }
832 break;
833
834 case Opt_fscontext:
835 if (fscontext) {
836 rc = -EINVAL;
837 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
838 goto out_err;
839 }
840 fscontext = match_strdup(&args[0]);
841 if (!fscontext) {
842 rc = -ENOMEM;
843 goto out_err;
844 }
845 break;
846
847 case Opt_rootcontext:
848 if (rootcontext) {
849 rc = -EINVAL;
850 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
851 goto out_err;
852 }
853 rootcontext = match_strdup(&args[0]);
854 if (!rootcontext) {
855 rc = -ENOMEM;
856 goto out_err;
857 }
858 break;
859
860 case Opt_defcontext:
861 if (context || defcontext) {
862 rc = -EINVAL;
863 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
864 goto out_err;
865 }
866 defcontext = match_strdup(&args[0]);
867 if (!defcontext) {
868 rc = -ENOMEM;
869 goto out_err;
870 }
871 break;
872
873 default:
874 rc = -EINVAL;
875 printk(KERN_WARNING "SELinux: unknown mount option\n");
876 goto out_err;
877
878 }
879 }
880
881 rc = -ENOMEM;
882 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
883 if (!opts->mnt_opts)
884 goto out_err;
885
886 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
887 if (!opts->mnt_opts_flags) {
888 kfree(opts->mnt_opts);
889 goto out_err;
890 }
891
892 if (fscontext) {
893 opts->mnt_opts[num_mnt_opts] = fscontext;
894 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
895 }
896 if (context) {
897 opts->mnt_opts[num_mnt_opts] = context;
898 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
899 }
900 if (rootcontext) {
901 opts->mnt_opts[num_mnt_opts] = rootcontext;
902 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
903 }
904 if (defcontext) {
905 opts->mnt_opts[num_mnt_opts] = defcontext;
906 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
907 }
908
909 opts->num_mnt_opts = num_mnt_opts;
910 return 0;
911
912 out_err:
913 kfree(context);
914 kfree(defcontext);
915 kfree(fscontext);
916 kfree(rootcontext);
917 return rc;
918 }
919 /*
920 * string mount options parsing and call set the sbsec
921 */
922 static int superblock_doinit(struct super_block *sb, void *data)
923 {
924 int rc = 0;
925 char *options = data;
926 struct security_mnt_opts opts;
927
928 security_init_mnt_opts(&opts);
929
930 if (!data)
931 goto out;
932
933 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
934
935 rc = selinux_parse_opts_str(options, &opts);
936 if (rc)
937 goto out_err;
938
939 out:
940 rc = selinux_set_mnt_opts(sb, &opts);
941
942 out_err:
943 security_free_mnt_opts(&opts);
944 return rc;
945 }
946
947 static inline u16 inode_mode_to_security_class(umode_t mode)
948 {
949 switch (mode & S_IFMT) {
950 case S_IFSOCK:
951 return SECCLASS_SOCK_FILE;
952 case S_IFLNK:
953 return SECCLASS_LNK_FILE;
954 case S_IFREG:
955 return SECCLASS_FILE;
956 case S_IFBLK:
957 return SECCLASS_BLK_FILE;
958 case S_IFDIR:
959 return SECCLASS_DIR;
960 case S_IFCHR:
961 return SECCLASS_CHR_FILE;
962 case S_IFIFO:
963 return SECCLASS_FIFO_FILE;
964
965 }
966
967 return SECCLASS_FILE;
968 }
969
970 static inline int default_protocol_stream(int protocol)
971 {
972 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
973 }
974
975 static inline int default_protocol_dgram(int protocol)
976 {
977 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
978 }
979
980 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
981 {
982 switch (family) {
983 case PF_UNIX:
984 switch (type) {
985 case SOCK_STREAM:
986 case SOCK_SEQPACKET:
987 return SECCLASS_UNIX_STREAM_SOCKET;
988 case SOCK_DGRAM:
989 return SECCLASS_UNIX_DGRAM_SOCKET;
990 }
991 break;
992 case PF_INET:
993 case PF_INET6:
994 switch (type) {
995 case SOCK_STREAM:
996 if (default_protocol_stream(protocol))
997 return SECCLASS_TCP_SOCKET;
998 else
999 return SECCLASS_RAWIP_SOCKET;
1000 case SOCK_DGRAM:
1001 if (default_protocol_dgram(protocol))
1002 return SECCLASS_UDP_SOCKET;
1003 else
1004 return SECCLASS_RAWIP_SOCKET;
1005 case SOCK_DCCP:
1006 return SECCLASS_DCCP_SOCKET;
1007 default:
1008 return SECCLASS_RAWIP_SOCKET;
1009 }
1010 break;
1011 case PF_NETLINK:
1012 switch (protocol) {
1013 case NETLINK_ROUTE:
1014 return SECCLASS_NETLINK_ROUTE_SOCKET;
1015 case NETLINK_FIREWALL:
1016 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1017 case NETLINK_INET_DIAG:
1018 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1019 case NETLINK_NFLOG:
1020 return SECCLASS_NETLINK_NFLOG_SOCKET;
1021 case NETLINK_XFRM:
1022 return SECCLASS_NETLINK_XFRM_SOCKET;
1023 case NETLINK_SELINUX:
1024 return SECCLASS_NETLINK_SELINUX_SOCKET;
1025 case NETLINK_AUDIT:
1026 return SECCLASS_NETLINK_AUDIT_SOCKET;
1027 case NETLINK_IP6_FW:
1028 return SECCLASS_NETLINK_IP6FW_SOCKET;
1029 case NETLINK_DNRTMSG:
1030 return SECCLASS_NETLINK_DNRT_SOCKET;
1031 case NETLINK_KOBJECT_UEVENT:
1032 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1033 default:
1034 return SECCLASS_NETLINK_SOCKET;
1035 }
1036 case PF_PACKET:
1037 return SECCLASS_PACKET_SOCKET;
1038 case PF_KEY:
1039 return SECCLASS_KEY_SOCKET;
1040 case PF_APPLETALK:
1041 return SECCLASS_APPLETALK_SOCKET;
1042 }
1043
1044 return SECCLASS_SOCKET;
1045 }
1046
1047 #ifdef CONFIG_PROC_FS
1048 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1049 u16 tclass,
1050 u32 *sid)
1051 {
1052 int buflen, rc;
1053 char *buffer, *path, *end;
1054
1055 buffer = (char*)__get_free_page(GFP_KERNEL);
1056 if (!buffer)
1057 return -ENOMEM;
1058
1059 buflen = PAGE_SIZE;
1060 end = buffer+buflen;
1061 *--end = '\0';
1062 buflen--;
1063 path = end-1;
1064 *path = '/';
1065 while (de && de != de->parent) {
1066 buflen -= de->namelen + 1;
1067 if (buflen < 0)
1068 break;
1069 end -= de->namelen;
1070 memcpy(end, de->name, de->namelen);
1071 *--end = '/';
1072 path = end;
1073 de = de->parent;
1074 }
1075 rc = security_genfs_sid("proc", path, tclass, sid);
1076 free_page((unsigned long)buffer);
1077 return rc;
1078 }
1079 #else
1080 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1081 u16 tclass,
1082 u32 *sid)
1083 {
1084 return -EINVAL;
1085 }
1086 #endif
1087
1088 /* The inode's security attributes must be initialized before first use. */
1089 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1090 {
1091 struct superblock_security_struct *sbsec = NULL;
1092 struct inode_security_struct *isec = inode->i_security;
1093 u32 sid;
1094 struct dentry *dentry;
1095 #define INITCONTEXTLEN 255
1096 char *context = NULL;
1097 unsigned len = 0;
1098 int rc = 0;
1099
1100 if (isec->initialized)
1101 goto out;
1102
1103 mutex_lock(&isec->lock);
1104 if (isec->initialized)
1105 goto out_unlock;
1106
1107 sbsec = inode->i_sb->s_security;
1108 if (!sbsec->initialized) {
1109 /* Defer initialization until selinux_complete_init,
1110 after the initial policy is loaded and the security
1111 server is ready to handle calls. */
1112 spin_lock(&sbsec->isec_lock);
1113 if (list_empty(&isec->list))
1114 list_add(&isec->list, &sbsec->isec_head);
1115 spin_unlock(&sbsec->isec_lock);
1116 goto out_unlock;
1117 }
1118
1119 switch (sbsec->behavior) {
1120 case SECURITY_FS_USE_XATTR:
1121 if (!inode->i_op->getxattr) {
1122 isec->sid = sbsec->def_sid;
1123 break;
1124 }
1125
1126 /* Need a dentry, since the xattr API requires one.
1127 Life would be simpler if we could just pass the inode. */
1128 if (opt_dentry) {
1129 /* Called from d_instantiate or d_splice_alias. */
1130 dentry = dget(opt_dentry);
1131 } else {
1132 /* Called from selinux_complete_init, try to find a dentry. */
1133 dentry = d_find_alias(inode);
1134 }
1135 if (!dentry) {
1136 printk(KERN_WARNING "%s: no dentry for dev=%s "
1137 "ino=%ld\n", __func__, inode->i_sb->s_id,
1138 inode->i_ino);
1139 goto out_unlock;
1140 }
1141
1142 len = INITCONTEXTLEN;
1143 context = kmalloc(len, GFP_NOFS);
1144 if (!context) {
1145 rc = -ENOMEM;
1146 dput(dentry);
1147 goto out_unlock;
1148 }
1149 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1150 context, len);
1151 if (rc == -ERANGE) {
1152 /* Need a larger buffer. Query for the right size. */
1153 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1154 NULL, 0);
1155 if (rc < 0) {
1156 dput(dentry);
1157 goto out_unlock;
1158 }
1159 kfree(context);
1160 len = rc;
1161 context = kmalloc(len, GFP_NOFS);
1162 if (!context) {
1163 rc = -ENOMEM;
1164 dput(dentry);
1165 goto out_unlock;
1166 }
1167 rc = inode->i_op->getxattr(dentry,
1168 XATTR_NAME_SELINUX,
1169 context, len);
1170 }
1171 dput(dentry);
1172 if (rc < 0) {
1173 if (rc != -ENODATA) {
1174 printk(KERN_WARNING "%s: getxattr returned "
1175 "%d for dev=%s ino=%ld\n", __func__,
1176 -rc, inode->i_sb->s_id, inode->i_ino);
1177 kfree(context);
1178 goto out_unlock;
1179 }
1180 /* Map ENODATA to the default file SID */
1181 sid = sbsec->def_sid;
1182 rc = 0;
1183 } else {
1184 rc = security_context_to_sid_default(context, rc, &sid,
1185 sbsec->def_sid,
1186 GFP_NOFS);
1187 if (rc) {
1188 printk(KERN_WARNING "%s: context_to_sid(%s) "
1189 "returned %d for dev=%s ino=%ld\n",
1190 __func__, context, -rc,
1191 inode->i_sb->s_id, inode->i_ino);
1192 kfree(context);
1193 /* Leave with the unlabeled SID */
1194 rc = 0;
1195 break;
1196 }
1197 }
1198 kfree(context);
1199 isec->sid = sid;
1200 break;
1201 case SECURITY_FS_USE_TASK:
1202 isec->sid = isec->task_sid;
1203 break;
1204 case SECURITY_FS_USE_TRANS:
1205 /* Default to the fs SID. */
1206 isec->sid = sbsec->sid;
1207
1208 /* Try to obtain a transition SID. */
1209 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1210 rc = security_transition_sid(isec->task_sid,
1211 sbsec->sid,
1212 isec->sclass,
1213 &sid);
1214 if (rc)
1215 goto out_unlock;
1216 isec->sid = sid;
1217 break;
1218 case SECURITY_FS_USE_MNTPOINT:
1219 isec->sid = sbsec->mntpoint_sid;
1220 break;
1221 default:
1222 /* Default to the fs superblock SID. */
1223 isec->sid = sbsec->sid;
1224
1225 if (sbsec->proc) {
1226 struct proc_inode *proci = PROC_I(inode);
1227 if (proci->pde) {
1228 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1229 rc = selinux_proc_get_sid(proci->pde,
1230 isec->sclass,
1231 &sid);
1232 if (rc)
1233 goto out_unlock;
1234 isec->sid = sid;
1235 }
1236 }
1237 break;
1238 }
1239
1240 isec->initialized = 1;
1241
1242 out_unlock:
1243 mutex_unlock(&isec->lock);
1244 out:
1245 if (isec->sclass == SECCLASS_FILE)
1246 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1247 return rc;
1248 }
1249
1250 /* Convert a Linux signal to an access vector. */
1251 static inline u32 signal_to_av(int sig)
1252 {
1253 u32 perm = 0;
1254
1255 switch (sig) {
1256 case SIGCHLD:
1257 /* Commonly granted from child to parent. */
1258 perm = PROCESS__SIGCHLD;
1259 break;
1260 case SIGKILL:
1261 /* Cannot be caught or ignored */
1262 perm = PROCESS__SIGKILL;
1263 break;
1264 case SIGSTOP:
1265 /* Cannot be caught or ignored */
1266 perm = PROCESS__SIGSTOP;
1267 break;
1268 default:
1269 /* All other signals. */
1270 perm = PROCESS__SIGNAL;
1271 break;
1272 }
1273
1274 return perm;
1275 }
1276
1277 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1278 fork check, ptrace check, etc. */
1279 static int task_has_perm(struct task_struct *tsk1,
1280 struct task_struct *tsk2,
1281 u32 perms)
1282 {
1283 struct task_security_struct *tsec1, *tsec2;
1284
1285 tsec1 = tsk1->security;
1286 tsec2 = tsk2->security;
1287 return avc_has_perm(tsec1->sid, tsec2->sid,
1288 SECCLASS_PROCESS, perms, NULL);
1289 }
1290
1291 #if CAP_LAST_CAP > 63
1292 #error Fix SELinux to handle capabilities > 63.
1293 #endif
1294
1295 /* Check whether a task is allowed to use a capability. */
1296 static int task_has_capability(struct task_struct *tsk,
1297 int cap)
1298 {
1299 struct task_security_struct *tsec;
1300 struct avc_audit_data ad;
1301 u16 sclass;
1302 u32 av = CAP_TO_MASK(cap);
1303
1304 tsec = tsk->security;
1305
1306 AVC_AUDIT_DATA_INIT(&ad,CAP);
1307 ad.tsk = tsk;
1308 ad.u.cap = cap;
1309
1310 switch (CAP_TO_INDEX(cap)) {
1311 case 0:
1312 sclass = SECCLASS_CAPABILITY;
1313 break;
1314 case 1:
1315 sclass = SECCLASS_CAPABILITY2;
1316 break;
1317 default:
1318 printk(KERN_ERR
1319 "SELinux: out of range capability %d\n", cap);
1320 BUG();
1321 }
1322 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1323 }
1324
1325 /* Check whether a task is allowed to use a system operation. */
1326 static int task_has_system(struct task_struct *tsk,
1327 u32 perms)
1328 {
1329 struct task_security_struct *tsec;
1330
1331 tsec = tsk->security;
1332
1333 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1334 SECCLASS_SYSTEM, perms, NULL);
1335 }
1336
1337 /* Check whether a task has a particular permission to an inode.
1338 The 'adp' parameter is optional and allows other audit
1339 data to be passed (e.g. the dentry). */
1340 static int inode_has_perm(struct task_struct *tsk,
1341 struct inode *inode,
1342 u32 perms,
1343 struct avc_audit_data *adp)
1344 {
1345 struct task_security_struct *tsec;
1346 struct inode_security_struct *isec;
1347 struct avc_audit_data ad;
1348
1349 if (unlikely (IS_PRIVATE (inode)))
1350 return 0;
1351
1352 tsec = tsk->security;
1353 isec = inode->i_security;
1354
1355 if (!adp) {
1356 adp = &ad;
1357 AVC_AUDIT_DATA_INIT(&ad, FS);
1358 ad.u.fs.inode = inode;
1359 }
1360
1361 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1362 }
1363
1364 /* Same as inode_has_perm, but pass explicit audit data containing
1365 the dentry to help the auditing code to more easily generate the
1366 pathname if needed. */
1367 static inline int dentry_has_perm(struct task_struct *tsk,
1368 struct vfsmount *mnt,
1369 struct dentry *dentry,
1370 u32 av)
1371 {
1372 struct inode *inode = dentry->d_inode;
1373 struct avc_audit_data ad;
1374 AVC_AUDIT_DATA_INIT(&ad,FS);
1375 ad.u.fs.path.mnt = mnt;
1376 ad.u.fs.path.dentry = dentry;
1377 return inode_has_perm(tsk, inode, av, &ad);
1378 }
1379
1380 /* Check whether a task can use an open file descriptor to
1381 access an inode in a given way. Check access to the
1382 descriptor itself, and then use dentry_has_perm to
1383 check a particular permission to the file.
1384 Access to the descriptor is implicitly granted if it
1385 has the same SID as the process. If av is zero, then
1386 access to the file is not checked, e.g. for cases
1387 where only the descriptor is affected like seek. */
1388 static int file_has_perm(struct task_struct *tsk,
1389 struct file *file,
1390 u32 av)
1391 {
1392 struct task_security_struct *tsec = tsk->security;
1393 struct file_security_struct *fsec = file->f_security;
1394 struct inode *inode = file->f_path.dentry->d_inode;
1395 struct avc_audit_data ad;
1396 int rc;
1397
1398 AVC_AUDIT_DATA_INIT(&ad, FS);
1399 ad.u.fs.path = file->f_path;
1400
1401 if (tsec->sid != fsec->sid) {
1402 rc = avc_has_perm(tsec->sid, fsec->sid,
1403 SECCLASS_FD,
1404 FD__USE,
1405 &ad);
1406 if (rc)
1407 return rc;
1408 }
1409
1410 /* av is zero if only checking access to the descriptor. */
1411 if (av)
1412 return inode_has_perm(tsk, inode, av, &ad);
1413
1414 return 0;
1415 }
1416
1417 /* Check whether a task can create a file. */
1418 static int may_create(struct inode *dir,
1419 struct dentry *dentry,
1420 u16 tclass)
1421 {
1422 struct task_security_struct *tsec;
1423 struct inode_security_struct *dsec;
1424 struct superblock_security_struct *sbsec;
1425 u32 newsid;
1426 struct avc_audit_data ad;
1427 int rc;
1428
1429 tsec = current->security;
1430 dsec = dir->i_security;
1431 sbsec = dir->i_sb->s_security;
1432
1433 AVC_AUDIT_DATA_INIT(&ad, FS);
1434 ad.u.fs.path.dentry = dentry;
1435
1436 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1437 DIR__ADD_NAME | DIR__SEARCH,
1438 &ad);
1439 if (rc)
1440 return rc;
1441
1442 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1443 newsid = tsec->create_sid;
1444 } else {
1445 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1446 &newsid);
1447 if (rc)
1448 return rc;
1449 }
1450
1451 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1452 if (rc)
1453 return rc;
1454
1455 return avc_has_perm(newsid, sbsec->sid,
1456 SECCLASS_FILESYSTEM,
1457 FILESYSTEM__ASSOCIATE, &ad);
1458 }
1459
1460 /* Check whether a task can create a key. */
1461 static int may_create_key(u32 ksid,
1462 struct task_struct *ctx)
1463 {
1464 struct task_security_struct *tsec;
1465
1466 tsec = ctx->security;
1467
1468 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1469 }
1470
1471 #define MAY_LINK 0
1472 #define MAY_UNLINK 1
1473 #define MAY_RMDIR 2
1474
1475 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1476 static int may_link(struct inode *dir,
1477 struct dentry *dentry,
1478 int kind)
1479
1480 {
1481 struct task_security_struct *tsec;
1482 struct inode_security_struct *dsec, *isec;
1483 struct avc_audit_data ad;
1484 u32 av;
1485 int rc;
1486
1487 tsec = current->security;
1488 dsec = dir->i_security;
1489 isec = dentry->d_inode->i_security;
1490
1491 AVC_AUDIT_DATA_INIT(&ad, FS);
1492 ad.u.fs.path.dentry = dentry;
1493
1494 av = DIR__SEARCH;
1495 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1496 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1497 if (rc)
1498 return rc;
1499
1500 switch (kind) {
1501 case MAY_LINK:
1502 av = FILE__LINK;
1503 break;
1504 case MAY_UNLINK:
1505 av = FILE__UNLINK;
1506 break;
1507 case MAY_RMDIR:
1508 av = DIR__RMDIR;
1509 break;
1510 default:
1511 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1512 return 0;
1513 }
1514
1515 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1516 return rc;
1517 }
1518
1519 static inline int may_rename(struct inode *old_dir,
1520 struct dentry *old_dentry,
1521 struct inode *new_dir,
1522 struct dentry *new_dentry)
1523 {
1524 struct task_security_struct *tsec;
1525 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1526 struct avc_audit_data ad;
1527 u32 av;
1528 int old_is_dir, new_is_dir;
1529 int rc;
1530
1531 tsec = current->security;
1532 old_dsec = old_dir->i_security;
1533 old_isec = old_dentry->d_inode->i_security;
1534 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1535 new_dsec = new_dir->i_security;
1536
1537 AVC_AUDIT_DATA_INIT(&ad, FS);
1538
1539 ad.u.fs.path.dentry = old_dentry;
1540 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1541 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1542 if (rc)
1543 return rc;
1544 rc = avc_has_perm(tsec->sid, old_isec->sid,
1545 old_isec->sclass, FILE__RENAME, &ad);
1546 if (rc)
1547 return rc;
1548 if (old_is_dir && new_dir != old_dir) {
1549 rc = avc_has_perm(tsec->sid, old_isec->sid,
1550 old_isec->sclass, DIR__REPARENT, &ad);
1551 if (rc)
1552 return rc;
1553 }
1554
1555 ad.u.fs.path.dentry = new_dentry;
1556 av = DIR__ADD_NAME | DIR__SEARCH;
1557 if (new_dentry->d_inode)
1558 av |= DIR__REMOVE_NAME;
1559 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1560 if (rc)
1561 return rc;
1562 if (new_dentry->d_inode) {
1563 new_isec = new_dentry->d_inode->i_security;
1564 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1565 rc = avc_has_perm(tsec->sid, new_isec->sid,
1566 new_isec->sclass,
1567 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1568 if (rc)
1569 return rc;
1570 }
1571
1572 return 0;
1573 }
1574
1575 /* Check whether a task can perform a filesystem operation. */
1576 static int superblock_has_perm(struct task_struct *tsk,
1577 struct super_block *sb,
1578 u32 perms,
1579 struct avc_audit_data *ad)
1580 {
1581 struct task_security_struct *tsec;
1582 struct superblock_security_struct *sbsec;
1583
1584 tsec = tsk->security;
1585 sbsec = sb->s_security;
1586 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1587 perms, ad);
1588 }
1589
1590 /* Convert a Linux mode and permission mask to an access vector. */
1591 static inline u32 file_mask_to_av(int mode, int mask)
1592 {
1593 u32 av = 0;
1594
1595 if ((mode & S_IFMT) != S_IFDIR) {
1596 if (mask & MAY_EXEC)
1597 av |= FILE__EXECUTE;
1598 if (mask & MAY_READ)
1599 av |= FILE__READ;
1600
1601 if (mask & MAY_APPEND)
1602 av |= FILE__APPEND;
1603 else if (mask & MAY_WRITE)
1604 av |= FILE__WRITE;
1605
1606 } else {
1607 if (mask & MAY_EXEC)
1608 av |= DIR__SEARCH;
1609 if (mask & MAY_WRITE)
1610 av |= DIR__WRITE;
1611 if (mask & MAY_READ)
1612 av |= DIR__READ;
1613 }
1614
1615 return av;
1616 }
1617
1618 /*
1619 * Convert a file mask to an access vector and include the correct open
1620 * open permission.
1621 */
1622 static inline u32 open_file_mask_to_av(int mode, int mask)
1623 {
1624 u32 av = file_mask_to_av(mode, mask);
1625
1626 if (selinux_policycap_openperm) {
1627 /*
1628 * lnk files and socks do not really have an 'open'
1629 */
1630 if (S_ISREG(mode))
1631 av |= FILE__OPEN;
1632 else if (S_ISCHR(mode))
1633 av |= CHR_FILE__OPEN;
1634 else if (S_ISBLK(mode))
1635 av |= BLK_FILE__OPEN;
1636 else if (S_ISFIFO(mode))
1637 av |= FIFO_FILE__OPEN;
1638 else if (S_ISDIR(mode))
1639 av |= DIR__OPEN;
1640 else
1641 printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1642 "with unknown mode:%x\n", mode);
1643 }
1644 return av;
1645 }
1646
1647 /* Convert a Linux file to an access vector. */
1648 static inline u32 file_to_av(struct file *file)
1649 {
1650 u32 av = 0;
1651
1652 if (file->f_mode & FMODE_READ)
1653 av |= FILE__READ;
1654 if (file->f_mode & FMODE_WRITE) {
1655 if (file->f_flags & O_APPEND)
1656 av |= FILE__APPEND;
1657 else
1658 av |= FILE__WRITE;
1659 }
1660 if (!av) {
1661 /*
1662 * Special file opened with flags 3 for ioctl-only use.
1663 */
1664 av = FILE__IOCTL;
1665 }
1666
1667 return av;
1668 }
1669
1670 /* Hook functions begin here. */
1671
1672 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1673 {
1674 struct task_security_struct *psec = parent->security;
1675 struct task_security_struct *csec = child->security;
1676 int rc;
1677
1678 rc = secondary_ops->ptrace(parent,child);
1679 if (rc)
1680 return rc;
1681
1682 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1683 /* Save the SID of the tracing process for later use in apply_creds. */
1684 if (!(child->ptrace & PT_PTRACED) && !rc)
1685 csec->ptrace_sid = psec->sid;
1686 return rc;
1687 }
1688
1689 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1690 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1691 {
1692 int error;
1693
1694 error = task_has_perm(current, target, PROCESS__GETCAP);
1695 if (error)
1696 return error;
1697
1698 return secondary_ops->capget(target, effective, inheritable, permitted);
1699 }
1700
1701 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1702 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1703 {
1704 int error;
1705
1706 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1707 if (error)
1708 return error;
1709
1710 return task_has_perm(current, target, PROCESS__SETCAP);
1711 }
1712
1713 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1714 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1715 {
1716 secondary_ops->capset_set(target, effective, inheritable, permitted);
1717 }
1718
1719 static int selinux_capable(struct task_struct *tsk, int cap)
1720 {
1721 int rc;
1722
1723 rc = secondary_ops->capable(tsk, cap);
1724 if (rc)
1725 return rc;
1726
1727 return task_has_capability(tsk,cap);
1728 }
1729
1730 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1731 {
1732 int buflen, rc;
1733 char *buffer, *path, *end;
1734
1735 rc = -ENOMEM;
1736 buffer = (char*)__get_free_page(GFP_KERNEL);
1737 if (!buffer)
1738 goto out;
1739
1740 buflen = PAGE_SIZE;
1741 end = buffer+buflen;
1742 *--end = '\0';
1743 buflen--;
1744 path = end-1;
1745 *path = '/';
1746 while (table) {
1747 const char *name = table->procname;
1748 size_t namelen = strlen(name);
1749 buflen -= namelen + 1;
1750 if (buflen < 0)
1751 goto out_free;
1752 end -= namelen;
1753 memcpy(end, name, namelen);
1754 *--end = '/';
1755 path = end;
1756 table = table->parent;
1757 }
1758 buflen -= 4;
1759 if (buflen < 0)
1760 goto out_free;
1761 end -= 4;
1762 memcpy(end, "/sys", 4);
1763 path = end;
1764 rc = security_genfs_sid("proc", path, tclass, sid);
1765 out_free:
1766 free_page((unsigned long)buffer);
1767 out:
1768 return rc;
1769 }
1770
1771 static int selinux_sysctl(ctl_table *table, int op)
1772 {
1773 int error = 0;
1774 u32 av;
1775 struct task_security_struct *tsec;
1776 u32 tsid;
1777 int rc;
1778
1779 rc = secondary_ops->sysctl(table, op);
1780 if (rc)
1781 return rc;
1782
1783 tsec = current->security;
1784
1785 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1786 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1787 if (rc) {
1788 /* Default to the well-defined sysctl SID. */
1789 tsid = SECINITSID_SYSCTL;
1790 }
1791
1792 /* The op values are "defined" in sysctl.c, thereby creating
1793 * a bad coupling between this module and sysctl.c */
1794 if(op == 001) {
1795 error = avc_has_perm(tsec->sid, tsid,
1796 SECCLASS_DIR, DIR__SEARCH, NULL);
1797 } else {
1798 av = 0;
1799 if (op & 004)
1800 av |= FILE__READ;
1801 if (op & 002)
1802 av |= FILE__WRITE;
1803 if (av)
1804 error = avc_has_perm(tsec->sid, tsid,
1805 SECCLASS_FILE, av, NULL);
1806 }
1807
1808 return error;
1809 }
1810
1811 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1812 {
1813 int rc = 0;
1814
1815 if (!sb)
1816 return 0;
1817
1818 switch (cmds) {
1819 case Q_SYNC:
1820 case Q_QUOTAON:
1821 case Q_QUOTAOFF:
1822 case Q_SETINFO:
1823 case Q_SETQUOTA:
1824 rc = superblock_has_perm(current,
1825 sb,
1826 FILESYSTEM__QUOTAMOD, NULL);
1827 break;
1828 case Q_GETFMT:
1829 case Q_GETINFO:
1830 case Q_GETQUOTA:
1831 rc = superblock_has_perm(current,
1832 sb,
1833 FILESYSTEM__QUOTAGET, NULL);
1834 break;
1835 default:
1836 rc = 0; /* let the kernel handle invalid cmds */
1837 break;
1838 }
1839 return rc;
1840 }
1841
1842 static int selinux_quota_on(struct dentry *dentry)
1843 {
1844 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1845 }
1846
1847 static int selinux_syslog(int type)
1848 {
1849 int rc;
1850
1851 rc = secondary_ops->syslog(type);
1852 if (rc)
1853 return rc;
1854
1855 switch (type) {
1856 case 3: /* Read last kernel messages */
1857 case 10: /* Return size of the log buffer */
1858 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1859 break;
1860 case 6: /* Disable logging to console */
1861 case 7: /* Enable logging to console */
1862 case 8: /* Set level of messages printed to console */
1863 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1864 break;
1865 case 0: /* Close log */
1866 case 1: /* Open log */
1867 case 2: /* Read from log */
1868 case 4: /* Read/clear last kernel messages */
1869 case 5: /* Clear ring buffer */
1870 default:
1871 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1872 break;
1873 }
1874 return rc;
1875 }
1876
1877 /*
1878 * Check that a process has enough memory to allocate a new virtual
1879 * mapping. 0 means there is enough memory for the allocation to
1880 * succeed and -ENOMEM implies there is not.
1881 *
1882 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1883 * if the capability is granted, but __vm_enough_memory requires 1 if
1884 * the capability is granted.
1885 *
1886 * Do not audit the selinux permission check, as this is applied to all
1887 * processes that allocate mappings.
1888 */
1889 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1890 {
1891 int rc, cap_sys_admin = 0;
1892 struct task_security_struct *tsec = current->security;
1893
1894 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1895 if (rc == 0)
1896 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1897 SECCLASS_CAPABILITY,
1898 CAP_TO_MASK(CAP_SYS_ADMIN),
1899 0,
1900 NULL);
1901
1902 if (rc == 0)
1903 cap_sys_admin = 1;
1904
1905 return __vm_enough_memory(mm, pages, cap_sys_admin);
1906 }
1907
1908 /* binprm security operations */
1909
1910 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1911 {
1912 struct bprm_security_struct *bsec;
1913
1914 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1915 if (!bsec)
1916 return -ENOMEM;
1917
1918 bsec->sid = SECINITSID_UNLABELED;
1919 bsec->set = 0;
1920
1921 bprm->security = bsec;
1922 return 0;
1923 }
1924
1925 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1926 {
1927 struct task_security_struct *tsec;
1928 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1929 struct inode_security_struct *isec;
1930 struct bprm_security_struct *bsec;
1931 u32 newsid;
1932 struct avc_audit_data ad;
1933 int rc;
1934
1935 rc = secondary_ops->bprm_set_security(bprm);
1936 if (rc)
1937 return rc;
1938
1939 bsec = bprm->security;
1940
1941 if (bsec->set)
1942 return 0;
1943
1944 tsec = current->security;
1945 isec = inode->i_security;
1946
1947 /* Default to the current task SID. */
1948 bsec->sid = tsec->sid;
1949
1950 /* Reset fs, key, and sock SIDs on execve. */
1951 tsec->create_sid = 0;
1952 tsec->keycreate_sid = 0;
1953 tsec->sockcreate_sid = 0;
1954
1955 if (tsec->exec_sid) {
1956 newsid = tsec->exec_sid;
1957 /* Reset exec SID on execve. */
1958 tsec->exec_sid = 0;
1959 } else {
1960 /* Check for a default transition on this program. */
1961 rc = security_transition_sid(tsec->sid, isec->sid,
1962 SECCLASS_PROCESS, &newsid);
1963 if (rc)
1964 return rc;
1965 }
1966
1967 AVC_AUDIT_DATA_INIT(&ad, FS);
1968 ad.u.fs.path = bprm->file->f_path;
1969
1970 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1971 newsid = tsec->sid;
1972
1973 if (tsec->sid == newsid) {
1974 rc = avc_has_perm(tsec->sid, isec->sid,
1975 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1976 if (rc)
1977 return rc;
1978 } else {
1979 /* Check permissions for the transition. */
1980 rc = avc_has_perm(tsec->sid, newsid,
1981 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1982 if (rc)
1983 return rc;
1984
1985 rc = avc_has_perm(newsid, isec->sid,
1986 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1987 if (rc)
1988 return rc;
1989
1990 /* Clear any possibly unsafe personality bits on exec: */
1991 current->personality &= ~PER_CLEAR_ON_SETID;
1992
1993 /* Set the security field to the new SID. */
1994 bsec->sid = newsid;
1995 }
1996
1997 bsec->set = 1;
1998 return 0;
1999 }
2000
2001 static int selinux_bprm_check_security (struct linux_binprm *bprm)
2002 {
2003 return secondary_ops->bprm_check_security(bprm);
2004 }
2005
2006
2007 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2008 {
2009 struct task_security_struct *tsec = current->security;
2010 int atsecure = 0;
2011
2012 if (tsec->osid != tsec->sid) {
2013 /* Enable secure mode for SIDs transitions unless
2014 the noatsecure permission is granted between
2015 the two SIDs, i.e. ahp returns 0. */
2016 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2017 SECCLASS_PROCESS,
2018 PROCESS__NOATSECURE, NULL);
2019 }
2020
2021 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2022 }
2023
2024 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2025 {
2026 kfree(bprm->security);
2027 bprm->security = NULL;
2028 }
2029
2030 extern struct vfsmount *selinuxfs_mount;
2031 extern struct dentry *selinux_null;
2032
2033 /* Derived from fs/exec.c:flush_old_files. */
2034 static inline void flush_unauthorized_files(struct files_struct * files)
2035 {
2036 struct avc_audit_data ad;
2037 struct file *file, *devnull = NULL;
2038 struct tty_struct *tty;
2039 struct fdtable *fdt;
2040 long j = -1;
2041 int drop_tty = 0;
2042
2043 mutex_lock(&tty_mutex);
2044 tty = get_current_tty();
2045 if (tty) {
2046 file_list_lock();
2047 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2048 if (file) {
2049 /* Revalidate access to controlling tty.
2050 Use inode_has_perm on the tty inode directly rather
2051 than using file_has_perm, as this particular open
2052 file may belong to another process and we are only
2053 interested in the inode-based check here. */
2054 struct inode *inode = file->f_path.dentry->d_inode;
2055 if (inode_has_perm(current, inode,
2056 FILE__READ | FILE__WRITE, NULL)) {
2057 drop_tty = 1;
2058 }
2059 }
2060 file_list_unlock();
2061 }
2062 mutex_unlock(&tty_mutex);
2063 /* Reset controlling tty. */
2064 if (drop_tty)
2065 no_tty();
2066
2067 /* Revalidate access to inherited open files. */
2068
2069 AVC_AUDIT_DATA_INIT(&ad,FS);
2070
2071 spin_lock(&files->file_lock);
2072 for (;;) {
2073 unsigned long set, i;
2074 int fd;
2075
2076 j++;
2077 i = j * __NFDBITS;
2078 fdt = files_fdtable(files);
2079 if (i >= fdt->max_fds)
2080 break;
2081 set = fdt->open_fds->fds_bits[j];
2082 if (!set)
2083 continue;
2084 spin_unlock(&files->file_lock);
2085 for ( ; set ; i++,set >>= 1) {
2086 if (set & 1) {
2087 file = fget(i);
2088 if (!file)
2089 continue;
2090 if (file_has_perm(current,
2091 file,
2092 file_to_av(file))) {
2093 sys_close(i);
2094 fd = get_unused_fd();
2095 if (fd != i) {
2096 if (fd >= 0)
2097 put_unused_fd(fd);
2098 fput(file);
2099 continue;
2100 }
2101 if (devnull) {
2102 get_file(devnull);
2103 } else {
2104 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2105 if (IS_ERR(devnull)) {
2106 devnull = NULL;
2107 put_unused_fd(fd);
2108 fput(file);
2109 continue;
2110 }
2111 }
2112 fd_install(fd, devnull);
2113 }
2114 fput(file);
2115 }
2116 }
2117 spin_lock(&files->file_lock);
2118
2119 }
2120 spin_unlock(&files->file_lock);
2121 }
2122
2123 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2124 {
2125 struct task_security_struct *tsec;
2126 struct bprm_security_struct *bsec;
2127 u32 sid;
2128 int rc;
2129
2130 secondary_ops->bprm_apply_creds(bprm, unsafe);
2131
2132 tsec = current->security;
2133
2134 bsec = bprm->security;
2135 sid = bsec->sid;
2136
2137 tsec->osid = tsec->sid;
2138 bsec->unsafe = 0;
2139 if (tsec->sid != sid) {
2140 /* Check for shared state. If not ok, leave SID
2141 unchanged and kill. */
2142 if (unsafe & LSM_UNSAFE_SHARE) {
2143 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2144 PROCESS__SHARE, NULL);
2145 if (rc) {
2146 bsec->unsafe = 1;
2147 return;
2148 }
2149 }
2150
2151 /* Check for ptracing, and update the task SID if ok.
2152 Otherwise, leave SID unchanged and kill. */
2153 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2154 rc = avc_has_perm(tsec->ptrace_sid, sid,
2155 SECCLASS_PROCESS, PROCESS__PTRACE,
2156 NULL);
2157 if (rc) {
2158 bsec->unsafe = 1;
2159 return;
2160 }
2161 }
2162 tsec->sid = sid;
2163 }
2164 }
2165
2166 /*
2167 * called after apply_creds without the task lock held
2168 */
2169 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2170 {
2171 struct task_security_struct *tsec;
2172 struct rlimit *rlim, *initrlim;
2173 struct itimerval itimer;
2174 struct bprm_security_struct *bsec;
2175 int rc, i;
2176
2177 tsec = current->security;
2178 bsec = bprm->security;
2179
2180 if (bsec->unsafe) {
2181 force_sig_specific(SIGKILL, current);
2182 return;
2183 }
2184 if (tsec->osid == tsec->sid)
2185 return;
2186
2187 /* Close files for which the new task SID is not authorized. */
2188 flush_unauthorized_files(current->files);
2189
2190 /* Check whether the new SID can inherit signal state
2191 from the old SID. If not, clear itimers to avoid
2192 subsequent signal generation and flush and unblock
2193 signals. This must occur _after_ the task SID has
2194 been updated so that any kill done after the flush
2195 will be checked against the new SID. */
2196 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2197 PROCESS__SIGINH, NULL);
2198 if (rc) {
2199 memset(&itimer, 0, sizeof itimer);
2200 for (i = 0; i < 3; i++)
2201 do_setitimer(i, &itimer, NULL);
2202 flush_signals(current);
2203 spin_lock_irq(&current->sighand->siglock);
2204 flush_signal_handlers(current, 1);
2205 sigemptyset(&current->blocked);
2206 recalc_sigpending();
2207 spin_unlock_irq(&current->sighand->siglock);
2208 }
2209
2210 /* Always clear parent death signal on SID transitions. */
2211 current->pdeath_signal = 0;
2212
2213 /* Check whether the new SID can inherit resource limits
2214 from the old SID. If not, reset all soft limits to
2215 the lower of the current task's hard limit and the init
2216 task's soft limit. Note that the setting of hard limits
2217 (even to lower them) can be controlled by the setrlimit
2218 check. The inclusion of the init task's soft limit into
2219 the computation is to avoid resetting soft limits higher
2220 than the default soft limit for cases where the default
2221 is lower than the hard limit, e.g. RLIMIT_CORE or
2222 RLIMIT_STACK.*/
2223 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2224 PROCESS__RLIMITINH, NULL);
2225 if (rc) {
2226 for (i = 0; i < RLIM_NLIMITS; i++) {
2227 rlim = current->signal->rlim + i;
2228 initrlim = init_task.signal->rlim+i;
2229 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2230 }
2231 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2232 /*
2233 * This will cause RLIMIT_CPU calculations
2234 * to be refigured.
2235 */
2236 current->it_prof_expires = jiffies_to_cputime(1);
2237 }
2238 }
2239
2240 /* Wake up the parent if it is waiting so that it can
2241 recheck wait permission to the new task SID. */
2242 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2243 }
2244
2245 /* superblock security operations */
2246
2247 static int selinux_sb_alloc_security(struct super_block *sb)
2248 {
2249 return superblock_alloc_security(sb);
2250 }
2251
2252 static void selinux_sb_free_security(struct super_block *sb)
2253 {
2254 superblock_free_security(sb);
2255 }
2256
2257 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2258 {
2259 if (plen > olen)
2260 return 0;
2261
2262 return !memcmp(prefix, option, plen);
2263 }
2264
2265 static inline int selinux_option(char *option, int len)
2266 {
2267 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2268 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2269 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2270 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2271 }
2272
2273 static inline void take_option(char **to, char *from, int *first, int len)
2274 {
2275 if (!*first) {
2276 **to = ',';
2277 *to += 1;
2278 } else
2279 *first = 0;
2280 memcpy(*to, from, len);
2281 *to += len;
2282 }
2283
2284 static inline void take_selinux_option(char **to, char *from, int *first,
2285 int len)
2286 {
2287 int current_size = 0;
2288
2289 if (!*first) {
2290 **to = '|';
2291 *to += 1;
2292 }
2293 else
2294 *first = 0;
2295
2296 while (current_size < len) {
2297 if (*from != '"') {
2298 **to = *from;
2299 *to += 1;
2300 }
2301 from += 1;
2302 current_size += 1;
2303 }
2304 }
2305
2306 static int selinux_sb_copy_data(char *orig, char *copy)
2307 {
2308 int fnosec, fsec, rc = 0;
2309 char *in_save, *in_curr, *in_end;
2310 char *sec_curr, *nosec_save, *nosec;
2311 int open_quote = 0;
2312
2313 in_curr = orig;
2314 sec_curr = copy;
2315
2316 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2317 if (!nosec) {
2318 rc = -ENOMEM;
2319 goto out;
2320 }
2321
2322 nosec_save = nosec;
2323 fnosec = fsec = 1;
2324 in_save = in_end = orig;
2325
2326 do {
2327 if (*in_end == '"')
2328 open_quote = !open_quote;
2329 if ((*in_end == ',' && open_quote == 0) ||
2330 *in_end == '\0') {
2331 int len = in_end - in_curr;
2332
2333 if (selinux_option(in_curr, len))
2334 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2335 else
2336 take_option(&nosec, in_curr, &fnosec, len);
2337
2338 in_curr = in_end + 1;
2339 }
2340 } while (*in_end++);
2341
2342 strcpy(in_save, nosec_save);
2343 free_page((unsigned long)nosec_save);
2344 out:
2345 return rc;
2346 }
2347
2348 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2349 {
2350 struct avc_audit_data ad;
2351 int rc;
2352
2353 rc = superblock_doinit(sb, data);
2354 if (rc)
2355 return rc;
2356
2357 AVC_AUDIT_DATA_INIT(&ad,FS);
2358 ad.u.fs.path.dentry = sb->s_root;
2359 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2360 }
2361
2362 static int selinux_sb_statfs(struct dentry *dentry)
2363 {
2364 struct avc_audit_data ad;
2365
2366 AVC_AUDIT_DATA_INIT(&ad,FS);
2367 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2368 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2369 }
2370
2371 static int selinux_mount(char * dev_name,
2372 struct nameidata *nd,
2373 char * type,
2374 unsigned long flags,
2375 void * data)
2376 {
2377 int rc;
2378
2379 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2380 if (rc)
2381 return rc;
2382
2383 if (flags & MS_REMOUNT)
2384 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2385 FILESYSTEM__REMOUNT, NULL);
2386 else
2387 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2388 FILE__MOUNTON);
2389 }
2390
2391 static int selinux_umount(struct vfsmount *mnt, int flags)
2392 {
2393 int rc;
2394
2395 rc = secondary_ops->sb_umount(mnt, flags);
2396 if (rc)
2397 return rc;
2398
2399 return superblock_has_perm(current,mnt->mnt_sb,
2400 FILESYSTEM__UNMOUNT,NULL);
2401 }
2402
2403 /* inode security operations */
2404
2405 static int selinux_inode_alloc_security(struct inode *inode)
2406 {
2407 return inode_alloc_security(inode);
2408 }
2409
2410 static void selinux_inode_free_security(struct inode *inode)
2411 {
2412 inode_free_security(inode);
2413 }
2414
2415 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2416 char **name, void **value,
2417 size_t *len)
2418 {
2419 struct task_security_struct *tsec;
2420 struct inode_security_struct *dsec;
2421 struct superblock_security_struct *sbsec;
2422 u32 newsid, clen;
2423 int rc;
2424 char *namep = NULL, *context;
2425
2426 tsec = current->security;
2427 dsec = dir->i_security;
2428 sbsec = dir->i_sb->s_security;
2429
2430 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2431 newsid = tsec->create_sid;
2432 } else {
2433 rc = security_transition_sid(tsec->sid, dsec->sid,
2434 inode_mode_to_security_class(inode->i_mode),
2435 &newsid);
2436 if (rc) {
2437 printk(KERN_WARNING "%s: "
2438 "security_transition_sid failed, rc=%d (dev=%s "
2439 "ino=%ld)\n",
2440 __func__,
2441 -rc, inode->i_sb->s_id, inode->i_ino);
2442 return rc;
2443 }
2444 }
2445
2446 /* Possibly defer initialization to selinux_complete_init. */
2447 if (sbsec->initialized) {
2448 struct inode_security_struct *isec = inode->i_security;
2449 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2450 isec->sid = newsid;
2451 isec->initialized = 1;
2452 }
2453
2454 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2455 return -EOPNOTSUPP;
2456
2457 if (name) {
2458 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2459 if (!namep)
2460 return -ENOMEM;
2461 *name = namep;
2462 }
2463
2464 if (value && len) {
2465 rc = security_sid_to_context(newsid, &context, &clen);
2466 if (rc) {
2467 kfree(namep);
2468 return rc;
2469 }
2470 *value = context;
2471 *len = clen;
2472 }
2473
2474 return 0;
2475 }
2476
2477 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2478 {
2479 return may_create(dir, dentry, SECCLASS_FILE);
2480 }
2481
2482 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2483 {
2484 int rc;
2485
2486 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2487 if (rc)
2488 return rc;
2489 return may_link(dir, old_dentry, MAY_LINK);
2490 }
2491
2492 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2493 {
2494 int rc;
2495
2496 rc = secondary_ops->inode_unlink(dir, dentry);
2497 if (rc)
2498 return rc;
2499 return may_link(dir, dentry, MAY_UNLINK);
2500 }
2501
2502 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2503 {
2504 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2505 }
2506
2507 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2508 {
2509 return may_create(dir, dentry, SECCLASS_DIR);
2510 }
2511
2512 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2513 {
2514 return may_link(dir, dentry, MAY_RMDIR);
2515 }
2516
2517 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2518 {
2519 int rc;
2520
2521 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2522 if (rc)
2523 return rc;
2524
2525 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2526 }
2527
2528 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2529 struct inode *new_inode, struct dentry *new_dentry)
2530 {
2531 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2532 }
2533
2534 static int selinux_inode_readlink(struct dentry *dentry)
2535 {
2536 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2537 }
2538
2539 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2540 {
2541 int rc;
2542
2543 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2544 if (rc)
2545 return rc;
2546 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2547 }
2548
2549 static int selinux_inode_permission(struct inode *inode, int mask,
2550 struct nameidata *nd)
2551 {
2552 int rc;
2553
2554 rc = secondary_ops->inode_permission(inode, mask, nd);
2555 if (rc)
2556 return rc;
2557
2558 if (!mask) {
2559 /* No permission to check. Existence test. */
2560 return 0;
2561 }
2562
2563 return inode_has_perm(current, inode,
2564 open_file_mask_to_av(inode->i_mode, mask), NULL);
2565 }
2566
2567 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2568 {
2569 int rc;
2570
2571 rc = secondary_ops->inode_setattr(dentry, iattr);
2572 if (rc)
2573 return rc;
2574
2575 if (iattr->ia_valid & ATTR_FORCE)
2576 return 0;
2577
2578 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2579 ATTR_ATIME_SET | ATTR_MTIME_SET))
2580 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2581
2582 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2583 }
2584
2585 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2586 {
2587 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2588 }
2589
2590 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2591 {
2592 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2593 sizeof XATTR_SECURITY_PREFIX - 1)) {
2594 if (!strcmp(name, XATTR_NAME_CAPS)) {
2595 if (!capable(CAP_SETFCAP))
2596 return -EPERM;
2597 } else if (!capable(CAP_SYS_ADMIN)) {
2598 /* A different attribute in the security namespace.
2599 Restrict to administrator. */
2600 return -EPERM;
2601 }
2602 }
2603
2604 /* Not an attribute we recognize, so just check the
2605 ordinary setattr permission. */
2606 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2607 }
2608
2609 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2610 {
2611 struct task_security_struct *tsec = current->security;
2612 struct inode *inode = dentry->d_inode;
2613 struct inode_security_struct *isec = inode->i_security;
2614 struct superblock_security_struct *sbsec;
2615 struct avc_audit_data ad;
2616 u32 newsid;
2617 int rc = 0;
2618
2619 if (strcmp(name, XATTR_NAME_SELINUX))
2620 return selinux_inode_setotherxattr(dentry, name);
2621
2622 sbsec = inode->i_sb->s_security;
2623 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2624 return -EOPNOTSUPP;
2625
2626 if (!is_owner_or_cap(inode))
2627 return -EPERM;
2628
2629 AVC_AUDIT_DATA_INIT(&ad,FS);
2630 ad.u.fs.path.dentry = dentry;
2631
2632 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2633 FILE__RELABELFROM, &ad);
2634 if (rc)
2635 return rc;
2636
2637 rc = security_context_to_sid(value, size, &newsid);
2638 if (rc)
2639 return rc;
2640
2641 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2642 FILE__RELABELTO, &ad);
2643 if (rc)
2644 return rc;
2645
2646 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2647 isec->sclass);
2648 if (rc)
2649 return rc;
2650
2651 return avc_has_perm(newsid,
2652 sbsec->sid,
2653 SECCLASS_FILESYSTEM,
2654 FILESYSTEM__ASSOCIATE,
2655 &ad);
2656 }
2657
2658 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2659 void *value, size_t size, int flags)
2660 {
2661 struct inode *inode = dentry->d_inode;
2662 struct inode_security_struct *isec = inode->i_security;
2663 u32 newsid;
2664 int rc;
2665
2666 if (strcmp(name, XATTR_NAME_SELINUX)) {
2667 /* Not an attribute we recognize, so nothing to do. */
2668 return;
2669 }
2670
2671 rc = security_context_to_sid(value, size, &newsid);
2672 if (rc) {
2673 printk(KERN_WARNING "%s: unable to obtain SID for context "
2674 "%s, rc=%d\n", __func__, (char *)value, -rc);
2675 return;
2676 }
2677
2678 isec->sid = newsid;
2679 return;
2680 }
2681
2682 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2683 {
2684 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2685 }
2686
2687 static int selinux_inode_listxattr (struct dentry *dentry)
2688 {
2689 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2690 }
2691
2692 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2693 {
2694 if (strcmp(name, XATTR_NAME_SELINUX))
2695 return selinux_inode_setotherxattr(dentry, name);
2696
2697 /* No one is allowed to remove a SELinux security label.
2698 You can change the label, but all data must be labeled. */
2699 return -EACCES;
2700 }
2701
2702 /*
2703 * Copy the in-core inode security context value to the user. If the
2704 * getxattr() prior to this succeeded, check to see if we need to
2705 * canonicalize the value to be finally returned to the user.
2706 *
2707 * Permission check is handled by selinux_inode_getxattr hook.
2708 */
2709 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2710 {
2711 u32 size;
2712 int error;
2713 char *context = NULL;
2714 struct inode_security_struct *isec = inode->i_security;
2715
2716 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2717 return -EOPNOTSUPP;
2718
2719 error = security_sid_to_context(isec->sid, &context, &size);
2720 if (error)
2721 return error;
2722 error = size;
2723 if (alloc) {
2724 *buffer = context;
2725 goto out_nofree;
2726 }
2727 kfree(context);
2728 out_nofree:
2729 return error;
2730 }
2731
2732 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2733 const void *value, size_t size, int flags)
2734 {
2735 struct inode_security_struct *isec = inode->i_security;
2736 u32 newsid;
2737 int rc;
2738
2739 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2740 return -EOPNOTSUPP;
2741
2742 if (!value || !size)
2743 return -EACCES;
2744
2745 rc = security_context_to_sid((void*)value, size, &newsid);
2746 if (rc)
2747 return rc;
2748
2749 isec->sid = newsid;
2750 return 0;
2751 }
2752
2753 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2754 {
2755 const int len = sizeof(XATTR_NAME_SELINUX);
2756 if (buffer && len <= buffer_size)
2757 memcpy(buffer, XATTR_NAME_SELINUX, len);
2758 return len;
2759 }
2760
2761 static int selinux_inode_need_killpriv(struct dentry *dentry)
2762 {
2763 return secondary_ops->inode_need_killpriv(dentry);
2764 }
2765
2766 static int selinux_inode_killpriv(struct dentry *dentry)
2767 {
2768 return secondary_ops->inode_killpriv(dentry);
2769 }
2770
2771 /* file security operations */
2772
2773 static int selinux_revalidate_file_permission(struct file *file, int mask)
2774 {
2775 int rc;
2776 struct inode *inode = file->f_path.dentry->d_inode;
2777
2778 if (!mask) {
2779 /* No permission to check. Existence test. */
2780 return 0;
2781 }
2782
2783 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2784 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2785 mask |= MAY_APPEND;
2786
2787 rc = file_has_perm(current, file,
2788 file_mask_to_av(inode->i_mode, mask));
2789 if (rc)
2790 return rc;
2791
2792 return selinux_netlbl_inode_permission(inode, mask);
2793 }
2794
2795 static int selinux_file_permission(struct file *file, int mask)
2796 {
2797 struct inode *inode = file->f_path.dentry->d_inode;
2798 struct task_security_struct *tsec = current->security;
2799 struct file_security_struct *fsec = file->f_security;
2800 struct inode_security_struct *isec = inode->i_security;
2801
2802 if (!mask) {
2803 /* No permission to check. Existence test. */
2804 return 0;
2805 }
2806
2807 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2808 && fsec->pseqno == avc_policy_seqno())
2809 return selinux_netlbl_inode_permission(inode, mask);
2810
2811 return selinux_revalidate_file_permission(file, mask);
2812 }
2813
2814 static int selinux_file_alloc_security(struct file *file)
2815 {
2816 return file_alloc_security(file);
2817 }
2818
2819 static void selinux_file_free_security(struct file *file)
2820 {
2821 file_free_security(file);
2822 }
2823
2824 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2825 unsigned long arg)
2826 {
2827 int error = 0;
2828
2829 switch (cmd) {
2830 case FIONREAD:
2831 /* fall through */
2832 case FIBMAP:
2833 /* fall through */
2834 case FIGETBSZ:
2835 /* fall through */
2836 case EXT2_IOC_GETFLAGS:
2837 /* fall through */
2838 case EXT2_IOC_GETVERSION:
2839 error = file_has_perm(current, file, FILE__GETATTR);
2840 break;
2841
2842 case EXT2_IOC_SETFLAGS:
2843 /* fall through */
2844 case EXT2_IOC_SETVERSION:
2845 error = file_has_perm(current, file, FILE__SETATTR);
2846 break;
2847
2848 /* sys_ioctl() checks */
2849 case FIONBIO:
2850 /* fall through */
2851 case FIOASYNC:
2852 error = file_has_perm(current, file, 0);
2853 break;
2854
2855 case KDSKBENT:
2856 case KDSKBSENT:
2857 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2858 break;
2859
2860 /* default case assumes that the command will go
2861 * to the file's ioctl() function.
2862 */
2863 default:
2864 error = file_has_perm(current, file, FILE__IOCTL);
2865
2866 }
2867 return error;
2868 }
2869
2870 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2871 {
2872 #ifndef CONFIG_PPC32
2873 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2874 /*
2875 * We are making executable an anonymous mapping or a
2876 * private file mapping that will also be writable.
2877 * This has an additional check.
2878 */
2879 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2880 if (rc)
2881 return rc;
2882 }
2883 #endif
2884
2885 if (file) {
2886 /* read access is always possible with a mapping */
2887 u32 av = FILE__READ;
2888
2889 /* write access only matters if the mapping is shared */
2890 if (shared && (prot & PROT_WRITE))
2891 av |= FILE__WRITE;
2892
2893 if (prot & PROT_EXEC)
2894 av |= FILE__EXECUTE;
2895
2896 return file_has_perm(current, file, av);
2897 }
2898 return 0;
2899 }
2900
2901 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2902 unsigned long prot, unsigned long flags,
2903 unsigned long addr, unsigned long addr_only)
2904 {
2905 int rc = 0;
2906 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2907
2908 if (addr < mmap_min_addr)
2909 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2910 MEMPROTECT__MMAP_ZERO, NULL);
2911 if (rc || addr_only)
2912 return rc;
2913
2914 if (selinux_checkreqprot)
2915 prot = reqprot;
2916
2917 return file_map_prot_check(file, prot,
2918 (flags & MAP_TYPE) == MAP_SHARED);
2919 }
2920
2921 static int selinux_file_mprotect(struct vm_area_struct *vma,
2922 unsigned long reqprot,
2923 unsigned long prot)
2924 {
2925 int rc;
2926
2927 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2928 if (rc)
2929 return rc;
2930
2931 if (selinux_checkreqprot)
2932 prot = reqprot;
2933
2934 #ifndef CONFIG_PPC32
2935 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2936 rc = 0;
2937 if (vma->vm_start >= vma->vm_mm->start_brk &&
2938 vma->vm_end <= vma->vm_mm->brk) {
2939 rc = task_has_perm(current, current,
2940 PROCESS__EXECHEAP);
2941 } else if (!vma->vm_file &&
2942 vma->vm_start <= vma->vm_mm->start_stack &&
2943 vma->vm_end >= vma->vm_mm->start_stack) {
2944 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2945 } else if (vma->vm_file && vma->anon_vma) {
2946 /*
2947 * We are making executable a file mapping that has
2948 * had some COW done. Since pages might have been
2949 * written, check ability to execute the possibly
2950 * modified content. This typically should only
2951 * occur for text relocations.
2952 */
2953 rc = file_has_perm(current, vma->vm_file,
2954 FILE__EXECMOD);
2955 }
2956 if (rc)
2957 return rc;
2958 }
2959 #endif
2960
2961 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2962 }
2963
2964 static int selinux_file_lock(struct file *file, unsigned int cmd)
2965 {
2966 return file_has_perm(current, file, FILE__LOCK);
2967 }
2968
2969 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2970 unsigned long arg)
2971 {
2972 int err = 0;
2973
2974 switch (cmd) {
2975 case F_SETFL:
2976 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2977 err = -EINVAL;
2978 break;
2979 }
2980
2981 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2982 err = file_has_perm(current, file,FILE__WRITE);
2983 break;
2984 }
2985 /* fall through */
2986 case F_SETOWN:
2987 case F_SETSIG:
2988 case F_GETFL:
2989 case F_GETOWN:
2990 case F_GETSIG:
2991 /* Just check FD__USE permission */
2992 err = file_has_perm(current, file, 0);
2993 break;
2994 case F_GETLK:
2995 case F_SETLK:
2996 case F_SETLKW:
2997 #if BITS_PER_LONG == 32
2998 case F_GETLK64:
2999 case F_SETLK64:
3000 case F_SETLKW64:
3001 #endif
3002 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3003 err = -EINVAL;
3004 break;
3005 }
3006 err = file_has_perm(current, file, FILE__LOCK);
3007 break;
3008 }
3009
3010 return err;
3011 }
3012
3013 static int selinux_file_set_fowner(struct file *file)
3014 {
3015 struct task_security_struct *tsec;
3016 struct file_security_struct *fsec;
3017
3018 tsec = current->security;
3019 fsec = file->f_security;
3020 fsec->fown_sid = tsec->sid;
3021
3022 return 0;
3023 }
3024
3025 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3026 struct fown_struct *fown, int signum)
3027 {
3028 struct file *file;
3029 u32 perm;
3030 struct task_security_struct *tsec;
3031 struct file_security_struct *fsec;
3032
3033 /* struct fown_struct is never outside the context of a struct file */
3034 file = container_of(fown, struct file, f_owner);
3035
3036 tsec = tsk->security;
3037 fsec = file->f_security;
3038
3039 if (!signum)
3040 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3041 else
3042 perm = signal_to_av(signum);
3043
3044 return avc_has_perm(fsec->fown_sid, tsec->sid,
3045 SECCLASS_PROCESS, perm, NULL);
3046 }
3047
3048 static int selinux_file_receive(struct file *file)
3049 {
3050 return file_has_perm(current, file, file_to_av(file));
3051 }
3052
3053 static int selinux_dentry_open(struct file *file)
3054 {
3055 struct file_security_struct *fsec;
3056 struct inode *inode;
3057 struct inode_security_struct *isec;
3058 inode = file->f_path.dentry->d_inode;
3059 fsec = file->f_security;
3060 isec = inode->i_security;
3061 /*
3062 * Save inode label and policy sequence number
3063 * at open-time so that selinux_file_permission
3064 * can determine whether revalidation is necessary.
3065 * Task label is already saved in the file security
3066 * struct as its SID.
3067 */
3068 fsec->isid = isec->sid;
3069 fsec->pseqno = avc_policy_seqno();
3070 /*
3071 * Since the inode label or policy seqno may have changed
3072 * between the selinux_inode_permission check and the saving
3073 * of state above, recheck that access is still permitted.
3074 * Otherwise, access might never be revalidated against the
3075 * new inode label or new policy.
3076 * This check is not redundant - do not remove.
3077 */
3078 return inode_has_perm(current, inode, file_to_av(file), NULL);
3079 }
3080
3081 /* task security operations */
3082
3083 static int selinux_task_create(unsigned long clone_flags)
3084 {
3085 int rc;
3086
3087 rc = secondary_ops->task_create(clone_flags);
3088 if (rc)
3089 return rc;
3090
3091 return task_has_perm(current, current, PROCESS__FORK);
3092 }
3093
3094 static int selinux_task_alloc_security(struct task_struct *tsk)
3095 {
3096 struct task_security_struct *tsec1, *tsec2;
3097 int rc;
3098
3099 tsec1 = current->security;
3100
3101 rc = task_alloc_security(tsk);
3102 if (rc)
3103 return rc;
3104 tsec2 = tsk->security;
3105
3106 tsec2->osid = tsec1->osid;
3107 tsec2->sid = tsec1->sid;
3108
3109 /* Retain the exec, fs, key, and sock SIDs across fork */
3110 tsec2->exec_sid = tsec1->exec_sid;
3111 tsec2->create_sid = tsec1->create_sid;
3112 tsec2->keycreate_sid = tsec1->keycreate_sid;
3113 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3114
3115 /* Retain ptracer SID across fork, if any.
3116 This will be reset by the ptrace hook upon any
3117 subsequent ptrace_attach operations. */
3118 tsec2->ptrace_sid = tsec1->ptrace_sid;
3119
3120 return 0;
3121 }
3122
3123 static void selinux_task_free_security(struct task_struct *tsk)
3124 {
3125 task_free_security(tsk);
3126 }
3127
3128 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3129 {
3130 /* Since setuid only affects the current process, and
3131 since the SELinux controls are not based on the Linux
3132 identity attributes, SELinux does not need to control
3133 this operation. However, SELinux does control the use
3134 of the CAP_SETUID and CAP_SETGID capabilities using the
3135 capable hook. */
3136 return 0;
3137 }
3138
3139 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3140 {
3141 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3142 }
3143
3144 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3145 {
3146 /* See the comment for setuid above. */
3147 return 0;
3148 }
3149
3150 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3151 {
3152 return task_has_perm(current, p, PROCESS__SETPGID);
3153 }
3154
3155 static int selinux_task_getpgid(struct task_struct *p)
3156 {
3157 return task_has_perm(current, p, PROCESS__GETPGID);
3158 }
3159
3160 static int selinux_task_getsid(struct task_struct *p)
3161 {
3162 return task_has_perm(current, p, PROCESS__GETSESSION);
3163 }
3164
3165 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3166 {
3167 selinux_get_task_sid(p, secid);
3168 }
3169
3170 static int selinux_task_setgroups(struct group_info *group_info)
3171 {
3172 /* See the comment for setuid above. */
3173 return 0;
3174 }
3175
3176 static int selinux_task_setnice(struct task_struct *p, int nice)
3177 {
3178 int rc;
3179
3180 rc = secondary_ops->task_setnice(p, nice);
3181 if (rc)
3182 return rc;
3183
3184 return task_has_perm(current,p, PROCESS__SETSCHED);
3185 }
3186
3187 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3188 {
3189 int rc;
3190
3191 rc = secondary_ops->task_setioprio(p, ioprio);
3192 if (rc)
3193 return rc;
3194
3195 return task_has_perm(current, p, PROCESS__SETSCHED);
3196 }
3197
3198 static int selinux_task_getioprio(struct task_struct *p)
3199 {
3200 return task_has_perm(current, p, PROCESS__GETSCHED);
3201 }
3202
3203 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3204 {
3205 struct rlimit *old_rlim = current->signal->rlim + resource;
3206 int rc;
3207
3208 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3209 if (rc)
3210 return rc;
3211
3212 /* Control the ability to change the hard limit (whether
3213 lowering or raising it), so that the hard limit can
3214 later be used as a safe reset point for the soft limit
3215 upon context transitions. See selinux_bprm_apply_creds. */
3216 if (old_rlim->rlim_max != new_rlim->rlim_max)
3217 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3218
3219 return 0;
3220 }
3221
3222 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3223 {
3224 int rc;
3225
3226 rc = secondary_ops->task_setscheduler(p, policy, lp);
3227 if (rc)
3228 return rc;
3229
3230 return task_has_perm(current, p, PROCESS__SETSCHED);
3231 }
3232
3233 static int selinux_task_getscheduler(struct task_struct *p)
3234 {
3235 return task_has_perm(current, p, PROCESS__GETSCHED);
3236 }
3237
3238 static int selinux_task_movememory(struct task_struct *p)
3239 {
3240 return task_has_perm(current, p, PROCESS__SETSCHED);
3241 }
3242
3243 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3244 int sig, u32 secid)
3245 {
3246 u32 perm;
3247 int rc;
3248 struct task_security_struct *tsec;
3249
3250 rc = secondary_ops->task_kill(p, info, sig, secid);
3251 if (rc)
3252 return rc;
3253
3254 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3255 return 0;
3256
3257 if (!sig)
3258 perm = PROCESS__SIGNULL; /* null signal; existence test */
3259 else
3260 perm = signal_to_av(sig);
3261 tsec = p->security;
3262 if (secid)
3263 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3264 else
3265 rc = task_has_perm(current, p, perm);
3266 return rc;
3267 }
3268
3269 static int selinux_task_prctl(int option,
3270 unsigned long arg2,
3271 unsigned long arg3,
3272 unsigned long arg4,
3273 unsigned long arg5)
3274 {
3275 /* The current prctl operations do not appear to require
3276 any SELinux controls since they merely observe or modify
3277 the state of the current process. */
3278 return 0;
3279 }
3280
3281 static int selinux_task_wait(struct task_struct *p)
3282 {
3283 return task_has_perm(p, current, PROCESS__SIGCHLD);
3284 }
3285
3286 static void selinux_task_reparent_to_init(struct task_struct *p)
3287 {
3288 struct task_security_struct *tsec;
3289
3290 secondary_ops->task_reparent_to_init(p);
3291
3292 tsec = p->security;
3293 tsec->osid = tsec->sid;
3294 tsec->sid = SECINITSID_KERNEL;
3295 return;
3296 }
3297
3298 static void selinux_task_to_inode(struct task_struct *p,
3299 struct inode *inode)
3300 {
3301 struct task_security_struct *tsec = p->security;
3302 struct inode_security_struct *isec = inode->i_security;
3303
3304 isec->sid = tsec->sid;
3305 isec->initialized = 1;
3306 return;
3307 }
3308
3309 /* Returns error only if unable to parse addresses */
3310 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3311 struct avc_audit_data *ad, u8 *proto)
3312 {
3313 int offset, ihlen, ret = -EINVAL;
3314 struct iphdr _iph, *ih;
3315
3316 offset = skb_network_offset(skb);
3317 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3318 if (ih == NULL)
3319 goto out;
3320
3321 ihlen = ih->ihl * 4;
3322 if (ihlen < sizeof(_iph))
3323 goto out;
3324
3325 ad->u.net.v4info.saddr = ih->saddr;
3326 ad->u.net.v4info.daddr = ih->daddr;
3327 ret = 0;
3328
3329 if (proto)
3330 *proto = ih->protocol;
3331
3332 switch (ih->protocol) {
3333 case IPPROTO_TCP: {
3334 struct tcphdr _tcph, *th;
3335
3336 if (ntohs(ih->frag_off) & IP_OFFSET)
3337 break;
3338
3339 offset += ihlen;
3340 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3341 if (th == NULL)
3342 break;
3343
3344 ad->u.net.sport = th->source;
3345 ad->u.net.dport = th->dest;
3346 break;
3347 }
3348
3349 case IPPROTO_UDP: {
3350 struct udphdr _udph, *uh;
3351
3352 if (ntohs(ih->frag_off) & IP_OFFSET)
3353 break;
3354
3355 offset += ihlen;
3356 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3357 if (uh == NULL)
3358 break;
3359
3360 ad->u.net.sport = uh->source;
3361 ad->u.net.dport = uh->dest;
3362 break;
3363 }
3364
3365 case IPPROTO_DCCP: {
3366 struct dccp_hdr _dccph, *dh;
3367
3368 if (ntohs(ih->frag_off) & IP_OFFSET)
3369 break;
3370
3371 offset += ihlen;
3372 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3373 if (dh == NULL)
3374 break;
3375
3376 ad->u.net.sport = dh->dccph_sport;
3377 ad->u.net.dport = dh->dccph_dport;
3378 break;
3379 }
3380
3381 default:
3382 break;
3383 }
3384 out:
3385 return ret;
3386 }
3387
3388 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3389
3390 /* Returns error only if unable to parse addresses */
3391 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3392 struct avc_audit_data *ad, u8 *proto)
3393 {
3394 u8 nexthdr;
3395 int ret = -EINVAL, offset;
3396 struct ipv6hdr _ipv6h, *ip6;
3397
3398 offset = skb_network_offset(skb);
3399 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3400 if (ip6 == NULL)
3401 goto out;
3402
3403 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3404 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3405 ret = 0;
3406
3407 nexthdr = ip6->nexthdr;
3408 offset += sizeof(_ipv6h);
3409 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3410 if (offset < 0)
3411 goto out;
3412
3413 if (proto)
3414 *proto = nexthdr;
3415
3416 switch (nexthdr) {
3417 case IPPROTO_TCP: {
3418 struct tcphdr _tcph, *th;
3419
3420 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3421 if (th == NULL)
3422 break;
3423
3424 ad->u.net.sport = th->source;
3425 ad->u.net.dport = th->dest;
3426 break;
3427 }
3428
3429 case IPPROTO_UDP: {
3430 struct udphdr _udph, *uh;
3431
3432 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3433 if (uh == NULL)
3434 break;
3435
3436 ad->u.net.sport = uh->source;
3437 ad->u.net.dport = uh->dest;
3438 break;
3439 }
3440
3441 case IPPROTO_DCCP: {
3442 struct dccp_hdr _dccph, *dh;
3443
3444 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3445 if (dh == NULL)
3446 break;
3447
3448 ad->u.net.sport = dh->dccph_sport;
3449 ad->u.net.dport = dh->dccph_dport;
3450 break;
3451 }
3452
3453 /* includes fragments */
3454 default:
3455 break;
3456 }
3457 out:
3458 return ret;
3459 }
3460
3461 #endif /* IPV6 */
3462
3463 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3464 char **addrp, int src, u8 *proto)
3465 {
3466 int ret = 0;
3467
3468 switch (ad->u.net.family) {
3469 case PF_INET:
3470 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3471 if (ret || !addrp)
3472 break;
3473 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3474 &ad->u.net.v4info.daddr);
3475 break;
3476
3477 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3478 case PF_INET6:
3479 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3480 if (ret || !addrp)
3481 break;
3482 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3483 &ad->u.net.v6info.daddr);
3484 break;
3485 #endif /* IPV6 */
3486 default:
3487 break;
3488 }
3489
3490 if (unlikely(ret))
3491 printk(KERN_WARNING
3492 "SELinux: failure in selinux_parse_skb(),"
3493 " unable to parse packet\n");
3494
3495 return ret;
3496 }
3497
3498 /**
3499 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3500 * @skb: the packet
3501 * @family: protocol family
3502 * @sid: the packet's peer label SID
3503 *
3504 * Description:
3505 * Check the various different forms of network peer labeling and determine
3506 * the peer label/SID for the packet; most of the magic actually occurs in
3507 * the security server function security_net_peersid_cmp(). The function
3508 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3509 * or -EACCES if @sid is invalid due to inconsistencies with the different
3510 * peer labels.
3511 *
3512 */
3513 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3514 {
3515 int err;
3516 u32 xfrm_sid;
3517 u32 nlbl_sid;
3518 u32 nlbl_type;
3519
3520 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3521 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3522
3523 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3524 if (unlikely(err)) {
3525 printk(KERN_WARNING
3526 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3527 " unable to determine packet's peer label\n");
3528 return -EACCES;
3529 }
3530
3531 return 0;
3532 }
3533
3534 /* socket security operations */
3535 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3536 u32 perms)
3537 {
3538 struct inode_security_struct *isec;
3539 struct task_security_struct *tsec;
3540 struct avc_audit_data ad;
3541 int err = 0;
3542
3543 tsec = task->security;
3544 isec = SOCK_INODE(sock)->i_security;
3545
3546 if (isec->sid == SECINITSID_KERNEL)
3547 goto out;
3548
3549 AVC_AUDIT_DATA_INIT(&ad,NET);
3550 ad.u.net.sk = sock->sk;
3551 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3552
3553 out:
3554 return err;
3555 }
3556
3557 static int selinux_socket_create(int family, int type,
3558 int protocol, int kern)
3559 {
3560 int err = 0;
3561 struct task_security_struct *tsec;
3562 u32 newsid;
3563
3564 if (kern)
3565 goto out;
3566
3567 tsec = current->security;
3568 newsid = tsec->sockcreate_sid ? : tsec->sid;
3569 err = avc_has_perm(tsec->sid, newsid,
3570 socket_type_to_security_class(family, type,
3571 protocol), SOCKET__CREATE, NULL);
3572
3573 out:
3574 return err;
3575 }
3576
3577 static int selinux_socket_post_create(struct socket *sock, int family,
3578 int type, int protocol, int kern)
3579 {
3580 int err = 0;
3581 struct inode_security_struct *isec;
3582 struct task_security_struct *tsec;
3583 struct sk_security_struct *sksec;
3584 u32 newsid;
3585
3586 isec = SOCK_INODE(sock)->i_security;
3587
3588 tsec = current->security;
3589 newsid = tsec->sockcreate_sid ? : tsec->sid;
3590 isec->sclass = socket_type_to_security_class(family, type, protocol);
3591 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3592 isec->initialized = 1;
3593
3594 if (sock->sk) {
3595 sksec = sock->sk->sk_security;
3596 sksec->sid = isec->sid;
3597 sksec->sclass = isec->sclass;
3598 err = selinux_netlbl_socket_post_create(sock);
3599 }
3600
3601 return err;
3602 }
3603
3604 /* Range of port numbers used to automatically bind.
3605 Need to determine whether we should perform a name_bind
3606 permission check between the socket and the port number. */
3607
3608 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3609 {
3610 u16 family;
3611 int err;
3612
3613 err = socket_has_perm(current, sock, SOCKET__BIND);
3614 if (err)
3615 goto out;
3616
3617 /*
3618 * If PF_INET or PF_INET6, check name_bind permission for the port.
3619 * Multiple address binding for SCTP is not supported yet: we just
3620 * check the first address now.
3621 */
3622 family = sock->sk->sk_family;
3623 if (family == PF_INET || family == PF_INET6) {
3624 char *addrp;
3625 struct inode_security_struct *isec;
3626 struct task_security_struct *tsec;
3627 struct avc_audit_data ad;
3628 struct sockaddr_in *addr4 = NULL;
3629 struct sockaddr_in6 *addr6 = NULL;
3630 unsigned short snum;
3631 struct sock *sk = sock->sk;
3632 u32 sid, node_perm, addrlen;
3633
3634 tsec = current->security;
3635 isec = SOCK_INODE(sock)->i_security;
3636
3637 if (family == PF_INET) {
3638 addr4 = (struct sockaddr_in *)address;
3639 snum = ntohs(addr4->sin_port);
3640 addrlen = sizeof(addr4->sin_addr.s_addr);
3641 addrp = (char *)&addr4->sin_addr.s_addr;
3642 } else {
3643 addr6 = (struct sockaddr_in6 *)address;
3644 snum = ntohs(addr6->sin6_port);
3645 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3646 addrp = (char *)&addr6->sin6_addr.s6_addr;
3647 }
3648
3649 if (snum) {
3650 int low, high;
3651
3652 inet_get_local_port_range(&low, &high);
3653
3654 if (snum < max(PROT_SOCK, low) || snum > high) {
3655 err = security_port_sid(sk->sk_family,
3656 sk->sk_type,
3657 sk->sk_protocol, snum,
3658 &sid);
3659 if (err)
3660 goto out;
3661 AVC_AUDIT_DATA_INIT(&ad,NET);
3662 ad.u.net.sport = htons(snum);
3663 ad.u.net.family = family;
3664 err = avc_has_perm(isec->sid, sid,
3665 isec->sclass,
3666 SOCKET__NAME_BIND, &ad);
3667 if (err)
3668 goto out;
3669 }
3670 }
3671
3672 switch(isec->sclass) {
3673 case SECCLASS_TCP_SOCKET:
3674 node_perm = TCP_SOCKET__NODE_BIND;
3675 break;
3676
3677 case SECCLASS_UDP_SOCKET:
3678 node_perm = UDP_SOCKET__NODE_BIND;
3679 break;
3680
3681 case SECCLASS_DCCP_SOCKET:
3682 node_perm = DCCP_SOCKET__NODE_BIND;
3683 break;
3684
3685 default:
3686 node_perm = RAWIP_SOCKET__NODE_BIND;
3687 break;
3688 }
3689
3690 err = sel_netnode_sid(addrp, family, &sid);
3691 if (err)
3692 goto out;
3693
3694 AVC_AUDIT_DATA_INIT(&ad,NET);
3695 ad.u.net.sport = htons(snum);
3696 ad.u.net.family = family;
3697
3698 if (family == PF_INET)
3699 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3700 else
3701 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3702
3703 err = avc_has_perm(isec->sid, sid,
3704 isec->sclass, node_perm, &ad);
3705 if (err)
3706 goto out;
3707 }
3708 out:
3709 return err;
3710 }
3711
3712 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3713 {
3714 struct inode_security_struct *isec;
3715 int err;
3716
3717 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3718 if (err)
3719 return err;
3720
3721 /*
3722 * If a TCP or DCCP socket, check name_connect permission for the port.
3723 */
3724 isec = SOCK_INODE(sock)->i_security;
3725 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3726 isec->sclass == SECCLASS_DCCP_SOCKET) {
3727 struct sock *sk = sock->sk;
3728 struct avc_audit_data ad;
3729 struct sockaddr_in *addr4 = NULL;
3730 struct sockaddr_in6 *addr6 = NULL;
3731 unsigned short snum;
3732 u32 sid, perm;
3733
3734 if (sk->sk_family == PF_INET) {
3735 addr4 = (struct sockaddr_in *)address;
3736 if (addrlen < sizeof(struct sockaddr_in))
3737 return -EINVAL;
3738 snum = ntohs(addr4->sin_port);
3739 } else {
3740 addr6 = (struct sockaddr_in6 *)address;
3741 if (addrlen < SIN6_LEN_RFC2133)
3742 return -EINVAL;
3743 snum = ntohs(addr6->sin6_port);
3744 }
3745
3746 err = security_port_sid(sk->sk_family, sk->sk_type,
3747 sk->sk_protocol, snum, &sid);
3748 if (err)
3749 goto out;
3750
3751 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3752 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3753
3754 AVC_AUDIT_DATA_INIT(&ad,NET);
3755 ad.u.net.dport = htons(snum);
3756 ad.u.net.family = sk->sk_family;
3757 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3758 if (err)
3759 goto out;
3760 }
3761
3762 out:
3763 return err;
3764 }
3765
3766 static int selinux_socket_listen(struct socket *sock, int backlog)
3767 {
3768 return socket_has_perm(current, sock, SOCKET__LISTEN);
3769 }
3770
3771 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3772 {
3773 int err;
3774 struct inode_security_struct *isec;
3775 struct inode_security_struct *newisec;
3776
3777 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3778 if (err)
3779 return err;
3780
3781 newisec = SOCK_INODE(newsock)->i_security;
3782
3783 isec = SOCK_INODE(sock)->i_security;
3784 newisec->sclass = isec->sclass;
3785 newisec->sid = isec->sid;
3786 newisec->initialized = 1;
3787
3788 return 0;
3789 }
3790
3791 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3792 int size)
3793 {
3794 int rc;
3795
3796 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3797 if (rc)
3798 return rc;
3799
3800 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3801 }
3802
3803 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3804 int size, int flags)
3805 {
3806 return socket_has_perm(current, sock, SOCKET__READ);
3807 }
3808
3809 static int selinux_socket_getsockname(struct socket *sock)
3810 {
3811 return socket_has_perm(current, sock, SOCKET__GETATTR);
3812 }
3813
3814 static int selinux_socket_getpeername(struct socket *sock)
3815 {
3816 return socket_has_perm(current, sock, SOCKET__GETATTR);
3817 }
3818
3819 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3820 {
3821 int err;
3822
3823 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3824 if (err)
3825 return err;
3826
3827 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3828 }
3829
3830 static int selinux_socket_getsockopt(struct socket *sock, int level,
3831 int optname)
3832 {
3833 return socket_has_perm(current, sock, SOCKET__GETOPT);
3834 }
3835
3836 static int selinux_socket_shutdown(struct socket *sock, int how)
3837 {
3838 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3839 }
3840
3841 static int selinux_socket_unix_stream_connect(struct socket *sock,
3842 struct socket *other,
3843 struct sock *newsk)
3844 {
3845 struct sk_security_struct *ssec;
3846 struct inode_security_struct *isec;
3847 struct inode_security_struct *other_isec;
3848 struct avc_audit_data ad;
3849 int err;
3850
3851 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3852 if (err)
3853 return err;
3854
3855 isec = SOCK_INODE(sock)->i_security;
3856 other_isec = SOCK_INODE(other)->i_security;
3857
3858 AVC_AUDIT_DATA_INIT(&ad,NET);
3859 ad.u.net.sk = other->sk;
3860
3861 err = avc_has_perm(isec->sid, other_isec->sid,
3862 isec->sclass,
3863 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3864 if (err)
3865 return err;
3866
3867 /* connecting socket */
3868 ssec = sock->sk->sk_security;
3869 ssec->peer_sid = other_isec->sid;
3870
3871 /* server child socket */
3872 ssec = newsk->sk_security;
3873 ssec->peer_sid = isec->sid;
3874 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3875
3876 return err;
3877 }
3878
3879 static int selinux_socket_unix_may_send(struct socket *sock,
3880 struct socket *other)
3881 {
3882 struct inode_security_struct *isec;
3883 struct inode_security_struct *other_isec;
3884 struct avc_audit_data ad;
3885 int err;
3886
3887 isec = SOCK_INODE(sock)->i_security;
3888 other_isec = SOCK_INODE(other)->i_security;
3889
3890 AVC_AUDIT_DATA_INIT(&ad,NET);
3891 ad.u.net.sk = other->sk;
3892
3893 err = avc_has_perm(isec->sid, other_isec->sid,
3894 isec->sclass, SOCKET__SENDTO, &ad);
3895 if (err)
3896 return err;
3897
3898 return 0;
3899 }
3900
3901 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3902 u32 peer_sid,
3903 struct avc_audit_data *ad)
3904 {
3905 int err;
3906 u32 if_sid;
3907 u32 node_sid;
3908
3909 err = sel_netif_sid(ifindex, &if_sid);
3910 if (err)
3911 return err;
3912 err = avc_has_perm(peer_sid, if_sid,
3913 SECCLASS_NETIF, NETIF__INGRESS, ad);
3914 if (err)
3915 return err;
3916
3917 err = sel_netnode_sid(addrp, family, &node_sid);
3918 if (err)
3919 return err;
3920 return avc_has_perm(peer_sid, node_sid,
3921 SECCLASS_NODE, NODE__RECVFROM, ad);
3922 }
3923
3924 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3925 struct sk_buff *skb,
3926 struct avc_audit_data *ad,
3927 u16 family,
3928 char *addrp)
3929 {
3930 int err;
3931 struct sk_security_struct *sksec = sk->sk_security;
3932 u16 sk_class;
3933 u32 netif_perm, node_perm, recv_perm;
3934 u32 port_sid, node_sid, if_sid, sk_sid;
3935
3936 sk_sid = sksec->sid;
3937 sk_class = sksec->sclass;
3938
3939 switch (sk_class) {
3940 case SECCLASS_UDP_SOCKET:
3941 netif_perm = NETIF__UDP_RECV;
3942 node_perm = NODE__UDP_RECV;
3943 recv_perm = UDP_SOCKET__RECV_MSG;
3944 break;
3945 case SECCLASS_TCP_SOCKET:
3946 netif_perm = NETIF__TCP_RECV;
3947 node_perm = NODE__TCP_RECV;
3948 recv_perm = TCP_SOCKET__RECV_MSG;
3949 break;
3950 case SECCLASS_DCCP_SOCKET:
3951 netif_perm = NETIF__DCCP_RECV;
3952 node_perm = NODE__DCCP_RECV;
3953 recv_perm = DCCP_SOCKET__RECV_MSG;
3954 break;
3955 default:
3956 netif_perm = NETIF__RAWIP_RECV;
3957 node_perm = NODE__RAWIP_RECV;
3958 recv_perm = 0;
3959 break;
3960 }
3961
3962 err = sel_netif_sid(skb->iif, &if_sid);
3963 if (err)
3964 return err;
3965 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3966 if (err)
3967 return err;
3968
3969 err = sel_netnode_sid(addrp, family, &node_sid);
3970 if (err)
3971 return err;
3972 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3973 if (err)
3974 return err;
3975
3976 if (!recv_perm)
3977 return 0;
3978 err = security_port_sid(sk->sk_family, sk->sk_type,
3979 sk->sk_protocol, ntohs(ad->u.net.sport),
3980 &port_sid);
3981 if (unlikely(err)) {
3982 printk(KERN_WARNING
3983 "SELinux: failure in"
3984 " selinux_sock_rcv_skb_iptables_compat(),"
3985 " network port label not found\n");
3986 return err;
3987 }
3988 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3989 }
3990
3991 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3992 struct avc_audit_data *ad,
3993 u16 family, char *addrp)
3994 {
3995 int err;
3996 struct sk_security_struct *sksec = sk->sk_security;
3997 u32 peer_sid;
3998 u32 sk_sid = sksec->sid;
3999
4000 if (selinux_compat_net)
4001 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4002 family, addrp);
4003 else
4004 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4005 PACKET__RECV, ad);
4006 if (err)
4007 return err;
4008
4009 if (selinux_policycap_netpeer) {
4010 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4011 if (err)
4012 return err;
4013 err = avc_has_perm(sk_sid, peer_sid,
4014 SECCLASS_PEER, PEER__RECV, ad);
4015 } else {
4016 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4017 if (err)
4018 return err;
4019 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4020 }
4021
4022 return err;
4023 }
4024
4025 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4026 {
4027 int err;
4028 struct sk_security_struct *sksec = sk->sk_security;
4029 u16 family = sk->sk_family;
4030 u32 sk_sid = sksec->sid;
4031 struct avc_audit_data ad;
4032 char *addrp;
4033
4034 if (family != PF_INET && family != PF_INET6)
4035 return 0;
4036
4037 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4038 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4039 family = PF_INET;
4040
4041 AVC_AUDIT_DATA_INIT(&ad, NET);
4042 ad.u.net.netif = skb->iif;
4043 ad.u.net.family = family;
4044 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4045 if (err)
4046 return err;
4047
4048 /* If any sort of compatibility mode is enabled then handoff processing
4049 * to the selinux_sock_rcv_skb_compat() function to deal with the
4050 * special handling. We do this in an attempt to keep this function
4051 * as fast and as clean as possible. */
4052 if (selinux_compat_net || !selinux_policycap_netpeer)
4053 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4054 family, addrp);
4055
4056 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4057 u32 peer_sid;
4058
4059 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4060 if (err)
4061 return err;
4062 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4063 peer_sid, &ad);
4064 if (err)
4065 return err;
4066 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4067 PEER__RECV, &ad);
4068 }
4069
4070 if (selinux_secmark_enabled()) {
4071 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4072 PACKET__RECV, &ad);
4073 if (err)
4074 return err;
4075 }
4076
4077 return err;
4078 }
4079
4080 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4081 int __user *optlen, unsigned len)
4082 {
4083 int err = 0;
4084 char *scontext;
4085 u32 scontext_len;
4086 struct sk_security_struct *ssec;
4087 struct inode_security_struct *isec;
4088 u32 peer_sid = SECSID_NULL;
4089
4090 isec = SOCK_INODE(sock)->i_security;
4091
4092 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4093 isec->sclass == SECCLASS_TCP_SOCKET) {
4094 ssec = sock->sk->sk_security;
4095 peer_sid = ssec->peer_sid;
4096 }
4097 if (peer_sid == SECSID_NULL) {
4098 err = -ENOPROTOOPT;
4099 goto out;
4100 }
4101
4102 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4103
4104 if (err)
4105 goto out;
4106
4107 if (scontext_len > len) {
4108 err = -ERANGE;
4109 goto out_len;
4110 }
4111
4112 if (copy_to_user(optval, scontext, scontext_len))
4113 err = -EFAULT;
4114
4115 out_len:
4116 if (put_user(scontext_len, optlen))
4117 err = -EFAULT;
4118
4119 kfree(scontext);
4120 out:
4121 return err;
4122 }
4123
4124 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4125 {
4126 u32 peer_secid = SECSID_NULL;
4127 u16 family;
4128
4129 if (sock)
4130 family = sock->sk->sk_family;
4131 else if (skb && skb->sk)
4132 family = skb->sk->sk_family;
4133 else
4134 goto out;
4135
4136 if (sock && family == PF_UNIX)
4137 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4138 else if (skb)
4139 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4140
4141 out:
4142 *secid = peer_secid;
4143 if (peer_secid == SECSID_NULL)
4144 return -EINVAL;
4145 return 0;
4146 }
4147
4148 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4149 {
4150 return sk_alloc_security(sk, family, priority);
4151 }
4152
4153 static void selinux_sk_free_security(struct sock *sk)
4154 {
4155 sk_free_security(sk);
4156 }
4157
4158 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4159 {
4160 struct sk_security_struct *ssec = sk->sk_security;
4161 struct sk_security_struct *newssec = newsk->sk_security;
4162
4163 newssec->sid = ssec->sid;
4164 newssec->peer_sid = ssec->peer_sid;
4165 newssec->sclass = ssec->sclass;
4166
4167 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4168 }
4169
4170 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4171 {
4172 if (!sk)
4173 *secid = SECINITSID_ANY_SOCKET;
4174 else {
4175 struct sk_security_struct *sksec = sk->sk_security;
4176
4177 *secid = sksec->sid;
4178 }
4179 }
4180
4181 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4182 {
4183 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4184 struct sk_security_struct *sksec = sk->sk_security;
4185
4186 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4187 sk->sk_family == PF_UNIX)
4188 isec->sid = sksec->sid;
4189 sksec->sclass = isec->sclass;
4190
4191 selinux_netlbl_sock_graft(sk, parent);
4192 }
4193
4194 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4195 struct request_sock *req)
4196 {
4197 struct sk_security_struct *sksec = sk->sk_security;
4198 int err;
4199 u32 newsid;
4200 u32 peersid;
4201
4202 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4203 if (err)
4204 return err;
4205 if (peersid == SECSID_NULL) {
4206 req->secid = sksec->sid;
4207 req->peer_secid = SECSID_NULL;
4208 return 0;
4209 }
4210
4211 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4212 if (err)
4213 return err;
4214
4215 req->secid = newsid;
4216 req->peer_secid = peersid;
4217 return 0;
4218 }
4219
4220 static void selinux_inet_csk_clone(struct sock *newsk,
4221 const struct request_sock *req)
4222 {
4223 struct sk_security_struct *newsksec = newsk->sk_security;
4224
4225 newsksec->sid = req->secid;
4226 newsksec->peer_sid = req->peer_secid;
4227 /* NOTE: Ideally, we should also get the isec->sid for the
4228 new socket in sync, but we don't have the isec available yet.
4229 So we will wait until sock_graft to do it, by which
4230 time it will have been created and available. */
4231
4232 /* We don't need to take any sort of lock here as we are the only
4233 * thread with access to newsksec */
4234 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4235 }
4236
4237 static void selinux_inet_conn_established(struct sock *sk,
4238 struct sk_buff *skb)
4239 {
4240 struct sk_security_struct *sksec = sk->sk_security;
4241
4242 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4243 }
4244
4245 static void selinux_req_classify_flow(const struct request_sock *req,
4246 struct flowi *fl)
4247 {
4248 fl->secid = req->secid;
4249 }
4250
4251 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4252 {
4253 int err = 0;
4254 u32 perm;
4255 struct nlmsghdr *nlh;
4256 struct socket *sock = sk->sk_socket;
4257 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4258
4259 if (skb->len < NLMSG_SPACE(0)) {
4260 err = -EINVAL;
4261 goto out;
4262 }
4263 nlh = nlmsg_hdr(skb);
4264
4265 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4266 if (err) {
4267 if (err == -EINVAL) {
4268 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4269 "SELinux: unrecognized netlink message"
4270 " type=%hu for sclass=%hu\n",
4271 nlh->nlmsg_type, isec->sclass);
4272 if (!selinux_enforcing)
4273 err = 0;
4274 }
4275
4276 /* Ignore */
4277 if (err == -ENOENT)
4278 err = 0;
4279 goto out;
4280 }
4281
4282 err = socket_has_perm(current, sock, perm);
4283 out:
4284 return err;
4285 }
4286
4287 #ifdef CONFIG_NETFILTER
4288
4289 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4290 u16 family)
4291 {
4292 char *addrp;
4293 u32 peer_sid;
4294 struct avc_audit_data ad;
4295 u8 secmark_active;
4296 u8 peerlbl_active;
4297
4298 if (!selinux_policycap_netpeer)
4299 return NF_ACCEPT;
4300
4301 secmark_active = selinux_secmark_enabled();
4302 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4303 if (!secmark_active && !peerlbl_active)
4304 return NF_ACCEPT;
4305
4306 AVC_AUDIT_DATA_INIT(&ad, NET);
4307 ad.u.net.netif = ifindex;
4308 ad.u.net.family = family;
4309 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4310 return NF_DROP;
4311
4312 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4313 return NF_DROP;
4314
4315 if (peerlbl_active)
4316 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4317 peer_sid, &ad) != 0)
4318 return NF_DROP;
4319
4320 if (secmark_active)
4321 if (avc_has_perm(peer_sid, skb->secmark,
4322 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4323 return NF_DROP;
4324
4325 return NF_ACCEPT;
4326 }
4327
4328 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4329 struct sk_buff *skb,
4330 const struct net_device *in,
4331 const struct net_device *out,
4332 int (*okfn)(struct sk_buff *))
4333 {
4334 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4335 }
4336
4337 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4338 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4339 struct sk_buff *skb,
4340 const struct net_device *in,
4341 const struct net_device *out,
4342 int (*okfn)(struct sk_buff *))
4343 {
4344 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4345 }
4346 #endif /* IPV6 */
4347
4348 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4349 int ifindex,
4350 struct avc_audit_data *ad,
4351 u16 family, char *addrp)
4352 {
4353 int err;
4354 struct sk_security_struct *sksec = sk->sk_security;
4355 u16 sk_class;
4356 u32 netif_perm, node_perm, send_perm;
4357 u32 port_sid, node_sid, if_sid, sk_sid;
4358
4359 sk_sid = sksec->sid;
4360 sk_class = sksec->sclass;
4361
4362 switch (sk_class) {
4363 case SECCLASS_UDP_SOCKET:
4364 netif_perm = NETIF__UDP_SEND;
4365 node_perm = NODE__UDP_SEND;
4366 send_perm = UDP_SOCKET__SEND_MSG;
4367 break;
4368 case SECCLASS_TCP_SOCKET:
4369 netif_perm = NETIF__TCP_SEND;
4370 node_perm = NODE__TCP_SEND;
4371 send_perm = TCP_SOCKET__SEND_MSG;
4372 break;
4373 case SECCLASS_DCCP_SOCKET:
4374 netif_perm = NETIF__DCCP_SEND;
4375 node_perm = NODE__DCCP_SEND;
4376 send_perm = DCCP_SOCKET__SEND_MSG;
4377 break;
4378 default:
4379 netif_perm = NETIF__RAWIP_SEND;
4380 node_perm = NODE__RAWIP_SEND;
4381 send_perm = 0;
4382 break;
4383 }
4384
4385 err = sel_netif_sid(ifindex, &if_sid);
4386 if (err)
4387 return err;
4388 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4389 return err;
4390
4391 err = sel_netnode_sid(addrp, family, &node_sid);
4392 if (err)
4393 return err;
4394 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4395 if (err)
4396 return err;
4397
4398 if (send_perm != 0)
4399 return 0;
4400
4401 err = security_port_sid(sk->sk_family, sk->sk_type,
4402 sk->sk_protocol, ntohs(ad->u.net.dport),
4403 &port_sid);
4404 if (unlikely(err)) {
4405 printk(KERN_WARNING
4406 "SELinux: failure in"
4407 " selinux_ip_postroute_iptables_compat(),"
4408 " network port label not found\n");
4409 return err;
4410 }
4411 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4412 }
4413
4414 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4415 int ifindex,
4416 struct avc_audit_data *ad,
4417 u16 family,
4418 char *addrp,
4419 u8 proto)
4420 {
4421 struct sock *sk = skb->sk;
4422 struct sk_security_struct *sksec;
4423
4424 if (sk == NULL)
4425 return NF_ACCEPT;
4426 sksec = sk->sk_security;
4427
4428 if (selinux_compat_net) {
4429 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4430 ad, family, addrp))
4431 return NF_DROP;
4432 } else {
4433 if (avc_has_perm(sksec->sid, skb->secmark,
4434 SECCLASS_PACKET, PACKET__SEND, ad))
4435 return NF_DROP;
4436 }
4437
4438 if (selinux_policycap_netpeer)
4439 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4440 return NF_DROP;
4441
4442 return NF_ACCEPT;
4443 }
4444
4445 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4446 u16 family)
4447 {
4448 u32 secmark_perm;
4449 u32 peer_sid;
4450 struct sock *sk;
4451 struct avc_audit_data ad;
4452 char *addrp;
4453 u8 proto;
4454 u8 secmark_active;
4455 u8 peerlbl_active;
4456
4457 AVC_AUDIT_DATA_INIT(&ad, NET);
4458 ad.u.net.netif = ifindex;
4459 ad.u.net.family = family;
4460 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4461 return NF_DROP;
4462
4463 /* If any sort of compatibility mode is enabled then handoff processing
4464 * to the selinux_ip_postroute_compat() function to deal with the
4465 * special handling. We do this in an attempt to keep this function
4466 * as fast and as clean as possible. */
4467 if (selinux_compat_net || !selinux_policycap_netpeer)
4468 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4469 family, addrp, proto);
4470
4471 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4472 * packet transformation so allow the packet to pass without any checks
4473 * since we'll have another chance to perform access control checks
4474 * when the packet is on it's final way out.
4475 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4476 * is NULL, in this case go ahead and apply access control. */
4477 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4478 return NF_ACCEPT;
4479
4480 secmark_active = selinux_secmark_enabled();
4481 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4482 if (!secmark_active && !peerlbl_active)
4483 return NF_ACCEPT;
4484
4485 /* if the packet is locally generated (skb->sk != NULL) then use the
4486 * socket's label as the peer label, otherwise the packet is being
4487 * forwarded through this system and we need to fetch the peer label
4488 * directly from the packet */
4489 sk = skb->sk;
4490 if (sk) {
4491 struct sk_security_struct *sksec = sk->sk_security;
4492 peer_sid = sksec->sid;
4493 secmark_perm = PACKET__SEND;
4494 } else {
4495 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4496 return NF_DROP;
4497 secmark_perm = PACKET__FORWARD_OUT;
4498 }
4499
4500 if (secmark_active)
4501 if (avc_has_perm(peer_sid, skb->secmark,
4502 SECCLASS_PACKET, secmark_perm, &ad))
4503 return NF_DROP;
4504
4505 if (peerlbl_active) {
4506 u32 if_sid;
4507 u32 node_sid;
4508
4509 if (sel_netif_sid(ifindex, &if_sid))
4510 return NF_DROP;
4511 if (avc_has_perm(peer_sid, if_sid,
4512 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4513 return NF_DROP;
4514
4515 if (sel_netnode_sid(addrp, family, &node_sid))
4516 return NF_DROP;
4517 if (avc_has_perm(peer_sid, node_sid,
4518 SECCLASS_NODE, NODE__SENDTO, &ad))
4519 return NF_DROP;
4520 }
4521
4522 return NF_ACCEPT;
4523 }
4524
4525 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4526 struct sk_buff *skb,
4527 const struct net_device *in,
4528 const struct net_device *out,
4529 int (*okfn)(struct sk_buff *))
4530 {
4531 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4532 }
4533
4534 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4535 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4536 struct sk_buff *skb,
4537 const struct net_device *in,
4538 const struct net_device *out,
4539 int (*okfn)(struct sk_buff *))
4540 {
4541 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4542 }
4543 #endif /* IPV6 */
4544
4545 #endif /* CONFIG_NETFILTER */
4546
4547 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4548 {
4549 int err;
4550
4551 err = secondary_ops->netlink_send(sk, skb);
4552 if (err)
4553 return err;
4554
4555 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4556 err = selinux_nlmsg_perm(sk, skb);
4557
4558 return err;
4559 }
4560
4561 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4562 {
4563 int err;
4564 struct avc_audit_data ad;
4565
4566 err = secondary_ops->netlink_recv(skb, capability);
4567 if (err)
4568 return err;
4569
4570 AVC_AUDIT_DATA_INIT(&ad, CAP);
4571 ad.u.cap = capability;
4572
4573 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4574 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4575 }
4576
4577 static int ipc_alloc_security(struct task_struct *task,
4578 struct kern_ipc_perm *perm,
4579 u16 sclass)
4580 {
4581 struct task_security_struct *tsec = task->security;
4582 struct ipc_security_struct *isec;
4583
4584 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4585 if (!isec)
4586 return -ENOMEM;
4587
4588 isec->sclass = sclass;
4589 isec->sid = tsec->sid;
4590 perm->security = isec;
4591
4592 return 0;
4593 }
4594
4595 static void ipc_free_security(struct kern_ipc_perm *perm)
4596 {
4597 struct ipc_security_struct *isec = perm->security;
4598 perm->security = NULL;
4599 kfree(isec);
4600 }
4601
4602 static int msg_msg_alloc_security(struct msg_msg *msg)
4603 {
4604 struct msg_security_struct *msec;
4605
4606 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4607 if (!msec)
4608 return -ENOMEM;
4609
4610 msec->sid = SECINITSID_UNLABELED;
4611 msg->security = msec;
4612
4613 return 0;
4614 }
4615
4616 static void msg_msg_free_security(struct msg_msg *msg)
4617 {
4618 struct msg_security_struct *msec = msg->security;
4619
4620 msg->security = NULL;
4621 kfree(msec);
4622 }
4623
4624 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4625 u32 perms)
4626 {
4627 struct task_security_struct *tsec;
4628 struct ipc_security_struct *isec;
4629 struct avc_audit_data ad;
4630
4631 tsec = current->security;
4632 isec = ipc_perms->security;
4633
4634 AVC_AUDIT_DATA_INIT(&ad, IPC);
4635 ad.u.ipc_id = ipc_perms->key;
4636
4637 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4638 }
4639
4640 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4641 {
4642 return msg_msg_alloc_security(msg);
4643 }
4644
4645 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4646 {
4647 msg_msg_free_security(msg);
4648 }
4649
4650 /* message queue security operations */
4651 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4652 {
4653 struct task_security_struct *tsec;
4654 struct ipc_security_struct *isec;
4655 struct avc_audit_data ad;
4656 int rc;
4657
4658 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4659 if (rc)
4660 return rc;
4661
4662 tsec = current->security;
4663 isec = msq->q_perm.security;
4664
4665 AVC_AUDIT_DATA_INIT(&ad, IPC);
4666 ad.u.ipc_id = msq->q_perm.key;
4667
4668 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4669 MSGQ__CREATE, &ad);
4670 if (rc) {
4671 ipc_free_security(&msq->q_perm);
4672 return rc;
4673 }
4674 return 0;
4675 }
4676
4677 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4678 {
4679 ipc_free_security(&msq->q_perm);
4680 }
4681
4682 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4683 {
4684 struct task_security_struct *tsec;
4685 struct ipc_security_struct *isec;
4686 struct avc_audit_data ad;
4687
4688 tsec = current->security;
4689 isec = msq->q_perm.security;
4690
4691 AVC_AUDIT_DATA_INIT(&ad, IPC);
4692 ad.u.ipc_id = msq->q_perm.key;
4693
4694 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4695 MSGQ__ASSOCIATE, &ad);
4696 }
4697
4698 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4699 {
4700 int err;
4701 int perms;
4702
4703 switch(cmd) {
4704 case IPC_INFO:
4705 case MSG_INFO:
4706 /* No specific object, just general system-wide information. */
4707 return task_has_system(current, SYSTEM__IPC_INFO);
4708 case IPC_STAT:
4709 case MSG_STAT:
4710 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4711 break;
4712 case IPC_SET:
4713 perms = MSGQ__SETATTR;
4714 break;
4715 case IPC_RMID:
4716 perms = MSGQ__DESTROY;
4717 break;
4718 default:
4719 return 0;
4720 }
4721
4722 err = ipc_has_perm(&msq->q_perm, perms);
4723 return err;
4724 }
4725
4726 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4727 {
4728 struct task_security_struct *tsec;
4729 struct ipc_security_struct *isec;
4730 struct msg_security_struct *msec;
4731 struct avc_audit_data ad;
4732 int rc;
4733
4734 tsec = current->security;
4735 isec = msq->q_perm.security;
4736 msec = msg->security;
4737
4738 /*
4739 * First time through, need to assign label to the message
4740 */
4741 if (msec->sid == SECINITSID_UNLABELED) {
4742 /*
4743 * Compute new sid based on current process and
4744 * message queue this message will be stored in
4745 */
4746 rc = security_transition_sid(tsec->sid,
4747 isec->sid,
4748 SECCLASS_MSG,
4749 &msec->sid);
4750 if (rc)
4751 return rc;
4752 }
4753
4754 AVC_AUDIT_DATA_INIT(&ad, IPC);
4755 ad.u.ipc_id = msq->q_perm.key;
4756
4757 /* Can this process write to the queue? */
4758 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4759 MSGQ__WRITE, &ad);
4760 if (!rc)
4761 /* Can this process send the message */
4762 rc = avc_has_perm(tsec->sid, msec->sid,
4763 SECCLASS_MSG, MSG__SEND, &ad);
4764 if (!rc)
4765 /* Can the message be put in the queue? */
4766 rc = avc_has_perm(msec->sid, isec->sid,
4767 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4768
4769 return rc;
4770 }
4771
4772 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4773 struct task_struct *target,
4774 long type, int mode)
4775 {
4776 struct task_security_struct *tsec;
4777 struct ipc_security_struct *isec;
4778 struct msg_security_struct *msec;
4779 struct avc_audit_data ad;
4780 int rc;
4781
4782 tsec = target->security;
4783 isec = msq->q_perm.security;
4784 msec = msg->security;
4785
4786 AVC_AUDIT_DATA_INIT(&ad, IPC);
4787 ad.u.ipc_id = msq->q_perm.key;
4788
4789 rc = avc_has_perm(tsec->sid, isec->sid,
4790 SECCLASS_MSGQ, MSGQ__READ, &ad);
4791 if (!rc)
4792 rc = avc_has_perm(tsec->sid, msec->sid,
4793 SECCLASS_MSG, MSG__RECEIVE, &ad);
4794 return rc;
4795 }
4796
4797 /* Shared Memory security operations */
4798 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4799 {
4800 struct task_security_struct *tsec;
4801 struct ipc_security_struct *isec;
4802 struct avc_audit_data ad;
4803 int rc;
4804
4805 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4806 if (rc)
4807 return rc;
4808
4809 tsec = current->security;
4810 isec = shp->shm_perm.security;
4811
4812 AVC_AUDIT_DATA_INIT(&ad, IPC);
4813 ad.u.ipc_id = shp->shm_perm.key;
4814
4815 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4816 SHM__CREATE, &ad);
4817 if (rc) {
4818 ipc_free_security(&shp->shm_perm);
4819 return rc;
4820 }
4821 return 0;
4822 }
4823
4824 static void selinux_shm_free_security(struct shmid_kernel *shp)
4825 {
4826 ipc_free_security(&shp->shm_perm);
4827 }
4828
4829 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4830 {
4831 struct task_security_struct *tsec;
4832 struct ipc_security_struct *isec;
4833 struct avc_audit_data ad;
4834
4835 tsec = current->security;
4836 isec = shp->shm_perm.security;
4837
4838 AVC_AUDIT_DATA_INIT(&ad, IPC);
4839 ad.u.ipc_id = shp->shm_perm.key;
4840
4841 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4842 SHM__ASSOCIATE, &ad);
4843 }
4844
4845 /* Note, at this point, shp is locked down */
4846 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4847 {
4848 int perms;
4849 int err;
4850
4851 switch(cmd) {
4852 case IPC_INFO:
4853 case SHM_INFO:
4854 /* No specific object, just general system-wide information. */
4855 return task_has_system(current, SYSTEM__IPC_INFO);
4856 case IPC_STAT:
4857 case SHM_STAT:
4858 perms = SHM__GETATTR | SHM__ASSOCIATE;
4859 break;
4860 case IPC_SET:
4861 perms = SHM__SETATTR;
4862 break;
4863 case SHM_LOCK:
4864 case SHM_UNLOCK:
4865 perms = SHM__LOCK;
4866 break;
4867 case IPC_RMID:
4868 perms = SHM__DESTROY;
4869 break;
4870 default:
4871 return 0;
4872 }
4873
4874 err = ipc_has_perm(&shp->shm_perm, perms);
4875 return err;
4876 }
4877
4878 static int selinux_shm_shmat(struct shmid_kernel *shp,
4879 char __user *shmaddr, int shmflg)
4880 {
4881 u32 perms;
4882 int rc;
4883
4884 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4885 if (rc)
4886 return rc;
4887
4888 if (shmflg & SHM_RDONLY)
4889 perms = SHM__READ;
4890 else
4891 perms = SHM__READ | SHM__WRITE;
4892
4893 return ipc_has_perm(&shp->shm_perm, perms);
4894 }
4895
4896 /* Semaphore security operations */
4897 static int selinux_sem_alloc_security(struct sem_array *sma)
4898 {
4899 struct task_security_struct *tsec;
4900 struct ipc_security_struct *isec;
4901 struct avc_audit_data ad;
4902 int rc;
4903
4904 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4905 if (rc)
4906 return rc;
4907
4908 tsec = current->security;
4909 isec = sma->sem_perm.security;
4910
4911 AVC_AUDIT_DATA_INIT(&ad, IPC);
4912 ad.u.ipc_id = sma->sem_perm.key;
4913
4914 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4915 SEM__CREATE, &ad);
4916 if (rc) {
4917 ipc_free_security(&sma->sem_perm);
4918 return rc;
4919 }
4920 return 0;
4921 }
4922
4923 static void selinux_sem_free_security(struct sem_array *sma)
4924 {
4925 ipc_free_security(&sma->sem_perm);
4926 }
4927
4928 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4929 {
4930 struct task_security_struct *tsec;
4931 struct ipc_security_struct *isec;
4932 struct avc_audit_data ad;
4933
4934 tsec = current->security;
4935 isec = sma->sem_perm.security;
4936
4937 AVC_AUDIT_DATA_INIT(&ad, IPC);
4938 ad.u.ipc_id = sma->sem_perm.key;
4939
4940 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4941 SEM__ASSOCIATE, &ad);
4942 }
4943
4944 /* Note, at this point, sma is locked down */
4945 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4946 {
4947 int err;
4948 u32 perms;
4949
4950 switch(cmd) {
4951 case IPC_INFO:
4952 case SEM_INFO:
4953 /* No specific object, just general system-wide information. */
4954 return task_has_system(current, SYSTEM__IPC_INFO);
4955 case GETPID:
4956 case GETNCNT:
4957 case GETZCNT:
4958 perms = SEM__GETATTR;
4959 break;
4960 case GETVAL:
4961 case GETALL:
4962 perms = SEM__READ;
4963 break;
4964 case SETVAL:
4965 case SETALL:
4966 perms = SEM__WRITE;
4967 break;
4968 case IPC_RMID:
4969 perms = SEM__DESTROY;
4970 break;
4971 case IPC_SET:
4972 perms = SEM__SETATTR;
4973 break;
4974 case IPC_STAT:
4975 case SEM_STAT:
4976 perms = SEM__GETATTR | SEM__ASSOCIATE;
4977 break;
4978 default:
4979 return 0;
4980 }
4981
4982 err = ipc_has_perm(&sma->sem_perm, perms);
4983 return err;
4984 }
4985
4986 static int selinux_sem_semop(struct sem_array *sma,
4987 struct sembuf *sops, unsigned nsops, int alter)
4988 {
4989 u32 perms;
4990
4991 if (alter)
4992 perms = SEM__READ | SEM__WRITE;
4993 else
4994 perms = SEM__READ;
4995
4996 return ipc_has_perm(&sma->sem_perm, perms);
4997 }
4998
4999 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5000 {
5001 u32 av = 0;
5002
5003 av = 0;
5004 if (flag & S_IRUGO)
5005 av |= IPC__UNIX_READ;
5006 if (flag & S_IWUGO)
5007 av |= IPC__UNIX_WRITE;
5008
5009 if (av == 0)
5010 return 0;
5011
5012 return ipc_has_perm(ipcp, av);
5013 }
5014
5015 /* module stacking operations */
5016 static int selinux_register_security (const char *name, struct security_operations *ops)
5017 {
5018 if (secondary_ops != original_ops) {
5019 printk(KERN_ERR "%s: There is already a secondary security "
5020 "module registered.\n", __func__);
5021 return -EINVAL;
5022 }
5023
5024 secondary_ops = ops;
5025
5026 printk(KERN_INFO "%s: Registering secondary module %s\n",
5027 __func__,
5028 name);
5029
5030 return 0;
5031 }
5032
5033 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5034 {
5035 if (inode)
5036 inode_doinit_with_dentry(inode, dentry);
5037 }
5038
5039 static int selinux_getprocattr(struct task_struct *p,
5040 char *name, char **value)
5041 {
5042 struct task_security_struct *tsec;
5043 u32 sid;
5044 int error;
5045 unsigned len;
5046
5047 if (current != p) {
5048 error = task_has_perm(current, p, PROCESS__GETATTR);
5049 if (error)
5050 return error;
5051 }
5052
5053 tsec = p->security;
5054
5055 if (!strcmp(name, "current"))
5056 sid = tsec->sid;
5057 else if (!strcmp(name, "prev"))
5058 sid = tsec->osid;
5059 else if (!strcmp(name, "exec"))
5060 sid = tsec->exec_sid;
5061 else if (!strcmp(name, "fscreate"))
5062 sid = tsec->create_sid;
5063 else if (!strcmp(name, "keycreate"))
5064 sid = tsec->keycreate_sid;
5065 else if (!strcmp(name, "sockcreate"))
5066 sid = tsec->sockcreate_sid;
5067 else
5068 return -EINVAL;
5069
5070 if (!sid)
5071 return 0;
5072
5073 error = security_sid_to_context(sid, value, &len);
5074 if (error)
5075 return error;
5076 return len;
5077 }
5078
5079 static int selinux_setprocattr(struct task_struct *p,
5080 char *name, void *value, size_t size)
5081 {
5082 struct task_security_struct *tsec;
5083 u32 sid = 0;
5084 int error;
5085 char *str = value;
5086
5087 if (current != p) {
5088 /* SELinux only allows a process to change its own
5089 security attributes. */
5090 return -EACCES;
5091 }
5092
5093 /*
5094 * Basic control over ability to set these attributes at all.
5095 * current == p, but we'll pass them separately in case the
5096 * above restriction is ever removed.
5097 */
5098 if (!strcmp(name, "exec"))
5099 error = task_has_perm(current, p, PROCESS__SETEXEC);
5100 else if (!strcmp(name, "fscreate"))
5101 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5102 else if (!strcmp(name, "keycreate"))
5103 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5104 else if (!strcmp(name, "sockcreate"))
5105 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5106 else if (!strcmp(name, "current"))
5107 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5108 else
5109 error = -EINVAL;
5110 if (error)
5111 return error;
5112
5113 /* Obtain a SID for the context, if one was specified. */
5114 if (size && str[1] && str[1] != '\n') {
5115 if (str[size-1] == '\n') {
5116 str[size-1] = 0;
5117 size--;
5118 }
5119 error = security_context_to_sid(value, size, &sid);
5120 if (error)
5121 return error;
5122 }
5123
5124 /* Permission checking based on the specified context is
5125 performed during the actual operation (execve,
5126 open/mkdir/...), when we know the full context of the
5127 operation. See selinux_bprm_set_security for the execve
5128 checks and may_create for the file creation checks. The
5129 operation will then fail if the context is not permitted. */
5130 tsec = p->security;
5131 if (!strcmp(name, "exec"))
5132 tsec->exec_sid = sid;
5133 else if (!strcmp(name, "fscreate"))
5134 tsec->create_sid = sid;
5135 else if (!strcmp(name, "keycreate")) {
5136 error = may_create_key(sid, p);
5137 if (error)
5138 return error;
5139 tsec->keycreate_sid = sid;
5140 } else if (!strcmp(name, "sockcreate"))
5141 tsec->sockcreate_sid = sid;
5142 else if (!strcmp(name, "current")) {
5143 struct av_decision avd;
5144
5145 if (sid == 0)
5146 return -EINVAL;
5147
5148 /* Only allow single threaded processes to change context */
5149 if (atomic_read(&p->mm->mm_users) != 1) {
5150 struct task_struct *g, *t;
5151 struct mm_struct *mm = p->mm;
5152 read_lock(&tasklist_lock);
5153 do_each_thread(g, t)
5154 if (t->mm == mm && t != p) {
5155 read_unlock(&tasklist_lock);
5156 return -EPERM;
5157 }
5158 while_each_thread(g, t);
5159 read_unlock(&tasklist_lock);
5160 }
5161
5162 /* Check permissions for the transition. */
5163 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5164 PROCESS__DYNTRANSITION, NULL);
5165 if (error)
5166 return error;
5167
5168 /* Check for ptracing, and update the task SID if ok.
5169 Otherwise, leave SID unchanged and fail. */
5170 task_lock(p);
5171 if (p->ptrace & PT_PTRACED) {
5172 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5173 SECCLASS_PROCESS,
5174 PROCESS__PTRACE, 0, &avd);
5175 if (!error)
5176 tsec->sid = sid;
5177 task_unlock(p);
5178 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5179 PROCESS__PTRACE, &avd, error, NULL);
5180 if (error)
5181 return error;
5182 } else {
5183 tsec->sid = sid;
5184 task_unlock(p);
5185 }
5186 }
5187 else
5188 return -EINVAL;
5189
5190 return size;
5191 }
5192
5193 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5194 {
5195 return security_sid_to_context(secid, secdata, seclen);
5196 }
5197
5198 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5199 {
5200 return security_context_to_sid(secdata, seclen, secid);
5201 }
5202
5203 static void selinux_release_secctx(char *secdata, u32 seclen)
5204 {
5205 kfree(secdata);
5206 }
5207
5208 #ifdef CONFIG_KEYS
5209
5210 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5211 unsigned long flags)
5212 {
5213 struct task_security_struct *tsec = tsk->security;
5214 struct key_security_struct *ksec;
5215
5216 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5217 if (!ksec)
5218 return -ENOMEM;
5219
5220 if (tsec->keycreate_sid)
5221 ksec->sid = tsec->keycreate_sid;
5222 else
5223 ksec->sid = tsec->sid;
5224 k->security = ksec;
5225
5226 return 0;
5227 }
5228
5229 static void selinux_key_free(struct key *k)
5230 {
5231 struct key_security_struct *ksec = k->security;
5232
5233 k->security = NULL;
5234 kfree(ksec);
5235 }
5236
5237 static int selinux_key_permission(key_ref_t key_ref,
5238 struct task_struct *ctx,
5239 key_perm_t perm)
5240 {
5241 struct key *key;
5242 struct task_security_struct *tsec;
5243 struct key_security_struct *ksec;
5244
5245 key = key_ref_to_ptr(key_ref);
5246
5247 tsec = ctx->security;
5248 ksec = key->security;
5249
5250 /* if no specific permissions are requested, we skip the
5251 permission check. No serious, additional covert channels
5252 appear to be created. */
5253 if (perm == 0)
5254 return 0;
5255
5256 return avc_has_perm(tsec->sid, ksec->sid,
5257 SECCLASS_KEY, perm, NULL);
5258 }
5259
5260 #endif
5261
5262 static struct security_operations selinux_ops = {
5263 .ptrace = selinux_ptrace,
5264 .capget = selinux_capget,
5265 .capset_check = selinux_capset_check,
5266 .capset_set = selinux_capset_set,
5267 .sysctl = selinux_sysctl,
5268 .capable = selinux_capable,
5269 .quotactl = selinux_quotactl,
5270 .quota_on = selinux_quota_on,
5271 .syslog = selinux_syslog,
5272 .vm_enough_memory = selinux_vm_enough_memory,
5273
5274 .netlink_send = selinux_netlink_send,
5275 .netlink_recv = selinux_netlink_recv,
5276
5277 .bprm_alloc_security = selinux_bprm_alloc_security,
5278 .bprm_free_security = selinux_bprm_free_security,
5279 .bprm_apply_creds = selinux_bprm_apply_creds,
5280 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5281 .bprm_set_security = selinux_bprm_set_security,
5282 .bprm_check_security = selinux_bprm_check_security,
5283 .bprm_secureexec = selinux_bprm_secureexec,
5284
5285 .sb_alloc_security = selinux_sb_alloc_security,
5286 .sb_free_security = selinux_sb_free_security,
5287 .sb_copy_data = selinux_sb_copy_data,
5288 .sb_kern_mount = selinux_sb_kern_mount,
5289 .sb_statfs = selinux_sb_statfs,
5290 .sb_mount = selinux_mount,
5291 .sb_umount = selinux_umount,
5292 .sb_get_mnt_opts = selinux_get_mnt_opts,
5293 .sb_set_mnt_opts = selinux_set_mnt_opts,
5294 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5295 .sb_parse_opts_str = selinux_parse_opts_str,
5296
5297
5298 .inode_alloc_security = selinux_inode_alloc_security,
5299 .inode_free_security = selinux_inode_free_security,
5300 .inode_init_security = selinux_inode_init_security,
5301 .inode_create = selinux_inode_create,
5302 .inode_link = selinux_inode_link,
5303 .inode_unlink = selinux_inode_unlink,
5304 .inode_symlink = selinux_inode_symlink,
5305 .inode_mkdir = selinux_inode_mkdir,
5306 .inode_rmdir = selinux_inode_rmdir,
5307 .inode_mknod = selinux_inode_mknod,
5308 .inode_rename = selinux_inode_rename,
5309 .inode_readlink = selinux_inode_readlink,
5310 .inode_follow_link = selinux_inode_follow_link,
5311 .inode_permission = selinux_inode_permission,
5312 .inode_setattr = selinux_inode_setattr,
5313 .inode_getattr = selinux_inode_getattr,
5314 .inode_setxattr = selinux_inode_setxattr,
5315 .inode_post_setxattr = selinux_inode_post_setxattr,
5316 .inode_getxattr = selinux_inode_getxattr,
5317 .inode_listxattr = selinux_inode_listxattr,
5318 .inode_removexattr = selinux_inode_removexattr,
5319 .inode_getsecurity = selinux_inode_getsecurity,
5320 .inode_setsecurity = selinux_inode_setsecurity,
5321 .inode_listsecurity = selinux_inode_listsecurity,
5322 .inode_need_killpriv = selinux_inode_need_killpriv,
5323 .inode_killpriv = selinux_inode_killpriv,
5324
5325 .file_permission = selinux_file_permission,
5326 .file_alloc_security = selinux_file_alloc_security,
5327 .file_free_security = selinux_file_free_security,
5328 .file_ioctl = selinux_file_ioctl,
5329 .file_mmap = selinux_file_mmap,
5330 .file_mprotect = selinux_file_mprotect,
5331 .file_lock = selinux_file_lock,
5332 .file_fcntl = selinux_file_fcntl,
5333 .file_set_fowner = selinux_file_set_fowner,
5334 .file_send_sigiotask = selinux_file_send_sigiotask,
5335 .file_receive = selinux_file_receive,
5336
5337 .dentry_open = selinux_dentry_open,
5338
5339 .task_create = selinux_task_create,
5340 .task_alloc_security = selinux_task_alloc_security,
5341 .task_free_security = selinux_task_free_security,
5342 .task_setuid = selinux_task_setuid,
5343 .task_post_setuid = selinux_task_post_setuid,
5344 .task_setgid = selinux_task_setgid,
5345 .task_setpgid = selinux_task_setpgid,
5346 .task_getpgid = selinux_task_getpgid,
5347 .task_getsid = selinux_task_getsid,
5348 .task_getsecid = selinux_task_getsecid,
5349 .task_setgroups = selinux_task_setgroups,
5350 .task_setnice = selinux_task_setnice,
5351 .task_setioprio = selinux_task_setioprio,
5352 .task_getioprio = selinux_task_getioprio,
5353 .task_setrlimit = selinux_task_setrlimit,
5354 .task_setscheduler = selinux_task_setscheduler,
5355 .task_getscheduler = selinux_task_getscheduler,
5356 .task_movememory = selinux_task_movememory,
5357 .task_kill = selinux_task_kill,
5358 .task_wait = selinux_task_wait,
5359 .task_prctl = selinux_task_prctl,
5360 .task_reparent_to_init = selinux_task_reparent_to_init,
5361 .task_to_inode = selinux_task_to_inode,
5362
5363 .ipc_permission = selinux_ipc_permission,
5364
5365 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5366 .msg_msg_free_security = selinux_msg_msg_free_security,
5367
5368 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5369 .msg_queue_free_security = selinux_msg_queue_free_security,
5370 .msg_queue_associate = selinux_msg_queue_associate,
5371 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5372 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5373 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5374
5375 .shm_alloc_security = selinux_shm_alloc_security,
5376 .shm_free_security = selinux_shm_free_security,
5377 .shm_associate = selinux_shm_associate,
5378 .shm_shmctl = selinux_shm_shmctl,
5379 .shm_shmat = selinux_shm_shmat,
5380
5381 .sem_alloc_security = selinux_sem_alloc_security,
5382 .sem_free_security = selinux_sem_free_security,
5383 .sem_associate = selinux_sem_associate,
5384 .sem_semctl = selinux_sem_semctl,
5385 .sem_semop = selinux_sem_semop,
5386
5387 .register_security = selinux_register_security,
5388
5389 .d_instantiate = selinux_d_instantiate,
5390
5391 .getprocattr = selinux_getprocattr,
5392 .setprocattr = selinux_setprocattr,
5393
5394 .secid_to_secctx = selinux_secid_to_secctx,
5395 .secctx_to_secid = selinux_secctx_to_secid,
5396 .release_secctx = selinux_release_secctx,
5397
5398 .unix_stream_connect = selinux_socket_unix_stream_connect,
5399 .unix_may_send = selinux_socket_unix_may_send,
5400
5401 .socket_create = selinux_socket_create,
5402 .socket_post_create = selinux_socket_post_create,
5403 .socket_bind = selinux_socket_bind,
5404 .socket_connect = selinux_socket_connect,
5405 .socket_listen = selinux_socket_listen,
5406 .socket_accept = selinux_socket_accept,
5407 .socket_sendmsg = selinux_socket_sendmsg,
5408 .socket_recvmsg = selinux_socket_recvmsg,
5409 .socket_getsockname = selinux_socket_getsockname,
5410 .socket_getpeername = selinux_socket_getpeername,
5411 .socket_getsockopt = selinux_socket_getsockopt,
5412 .socket_setsockopt = selinux_socket_setsockopt,
5413 .socket_shutdown = selinux_socket_shutdown,
5414 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5415 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5416 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5417 .sk_alloc_security = selinux_sk_alloc_security,
5418 .sk_free_security = selinux_sk_free_security,
5419 .sk_clone_security = selinux_sk_clone_security,
5420 .sk_getsecid = selinux_sk_getsecid,
5421 .sock_graft = selinux_sock_graft,
5422 .inet_conn_request = selinux_inet_conn_request,
5423 .inet_csk_clone = selinux_inet_csk_clone,
5424 .inet_conn_established = selinux_inet_conn_established,
5425 .req_classify_flow = selinux_req_classify_flow,
5426
5427 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5428 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5429 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5430 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5431 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5432 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5433 .xfrm_state_free_security = selinux_xfrm_state_free,
5434 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5435 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5436 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5437 .xfrm_decode_session = selinux_xfrm_decode_session,
5438 #endif
5439
5440 #ifdef CONFIG_KEYS
5441 .key_alloc = selinux_key_alloc,
5442 .key_free = selinux_key_free,
5443 .key_permission = selinux_key_permission,
5444 #endif
5445 };
5446
5447 static __init int selinux_init(void)
5448 {
5449 struct task_security_struct *tsec;
5450
5451 if (!selinux_enabled) {
5452 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5453 return 0;
5454 }
5455
5456 printk(KERN_INFO "SELinux: Initializing.\n");
5457
5458 /* Set the security state for the initial task. */
5459 if (task_alloc_security(current))
5460 panic("SELinux: Failed to initialize initial task.\n");
5461 tsec = current->security;
5462 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5463
5464 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5465 sizeof(struct inode_security_struct),
5466 0, SLAB_PANIC, NULL);
5467 avc_init();
5468
5469 original_ops = secondary_ops = security_ops;
5470 if (!secondary_ops)
5471 panic ("SELinux: No initial security operations\n");
5472 if (register_security (&selinux_ops))
5473 panic("SELinux: Unable to register with kernel.\n");
5474
5475 if (selinux_enforcing) {
5476 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5477 } else {
5478 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5479 }
5480
5481 #ifdef CONFIG_KEYS
5482 /* Add security information to initial keyrings */
5483 selinux_key_alloc(&root_user_keyring, current,
5484 KEY_ALLOC_NOT_IN_QUOTA);
5485 selinux_key_alloc(&root_session_keyring, current,
5486 KEY_ALLOC_NOT_IN_QUOTA);
5487 #endif
5488
5489 return 0;
5490 }
5491
5492 void selinux_complete_init(void)
5493 {
5494 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5495
5496 /* Set up any superblocks initialized prior to the policy load. */
5497 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5498 spin_lock(&sb_lock);
5499 spin_lock(&sb_security_lock);
5500 next_sb:
5501 if (!list_empty(&superblock_security_head)) {
5502 struct superblock_security_struct *sbsec =
5503 list_entry(superblock_security_head.next,
5504 struct superblock_security_struct,
5505 list);
5506 struct super_block *sb = sbsec->sb;
5507 sb->s_count++;
5508 spin_unlock(&sb_security_lock);
5509 spin_unlock(&sb_lock);
5510 down_read(&sb->s_umount);
5511 if (sb->s_root)
5512 superblock_doinit(sb, NULL);
5513 drop_super(sb);
5514 spin_lock(&sb_lock);
5515 spin_lock(&sb_security_lock);
5516 list_del_init(&sbsec->list);
5517 goto next_sb;
5518 }
5519 spin_unlock(&sb_security_lock);
5520 spin_unlock(&sb_lock);
5521 }
5522
5523 /* SELinux requires early initialization in order to label
5524 all processes and objects when they are created. */
5525 security_initcall(selinux_init);
5526
5527 #if defined(CONFIG_NETFILTER)
5528
5529 static struct nf_hook_ops selinux_ipv4_ops[] = {
5530 {
5531 .hook = selinux_ipv4_postroute,
5532 .owner = THIS_MODULE,
5533 .pf = PF_INET,
5534 .hooknum = NF_INET_POST_ROUTING,
5535 .priority = NF_IP_PRI_SELINUX_LAST,
5536 },
5537 {
5538 .hook = selinux_ipv4_forward,
5539 .owner = THIS_MODULE,
5540 .pf = PF_INET,
5541 .hooknum = NF_INET_FORWARD,
5542 .priority = NF_IP_PRI_SELINUX_FIRST,
5543 }
5544 };
5545
5546 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5547
5548 static struct nf_hook_ops selinux_ipv6_ops[] = {
5549 {
5550 .hook = selinux_ipv6_postroute,
5551 .owner = THIS_MODULE,
5552 .pf = PF_INET6,
5553 .hooknum = NF_INET_POST_ROUTING,
5554 .priority = NF_IP6_PRI_SELINUX_LAST,
5555 },
5556 {
5557 .hook = selinux_ipv6_forward,
5558 .owner = THIS_MODULE,
5559 .pf = PF_INET6,
5560 .hooknum = NF_INET_FORWARD,
5561 .priority = NF_IP6_PRI_SELINUX_FIRST,
5562 }
5563 };
5564
5565 #endif /* IPV6 */
5566
5567 static int __init selinux_nf_ip_init(void)
5568 {
5569 int err = 0;
5570 u32 iter;
5571
5572 if (!selinux_enabled)
5573 goto out;
5574
5575 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5576
5577 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5578 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5579 if (err)
5580 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5581 err);
5582 }
5583
5584 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5585 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5586 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5587 if (err)
5588 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5589 err);
5590 }
5591 #endif /* IPV6 */
5592
5593 out:
5594 return err;
5595 }
5596
5597 __initcall(selinux_nf_ip_init);
5598
5599 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5600 static void selinux_nf_ip_exit(void)
5601 {
5602 u32 iter;
5603
5604 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5605
5606 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5607 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5608 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5609 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5610 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5611 #endif /* IPV6 */
5612 }
5613 #endif
5614
5615 #else /* CONFIG_NETFILTER */
5616
5617 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5618 #define selinux_nf_ip_exit()
5619 #endif
5620
5621 #endif /* CONFIG_NETFILTER */
5622
5623 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5624 int selinux_disable(void)
5625 {
5626 extern void exit_sel_fs(void);
5627 static int selinux_disabled = 0;
5628
5629 if (ss_initialized) {
5630 /* Not permitted after initial policy load. */
5631 return -EINVAL;
5632 }
5633
5634 if (selinux_disabled) {
5635 /* Only do this once. */
5636 return -EINVAL;
5637 }
5638
5639 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5640
5641 selinux_disabled = 1;
5642 selinux_enabled = 0;
5643
5644 /* Reset security_ops to the secondary module, dummy or capability. */
5645 security_ops = secondary_ops;
5646
5647 /* Unregister netfilter hooks. */
5648 selinux_nf_ip_exit();
5649
5650 /* Unregister selinuxfs. */
5651 exit_sel_fs();
5652
5653 return 0;
5654 }
5655 #endif
5656
5657
Community contributions to the Openmoko Kernel