search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
security: remove register_security hook
[linux-2.6/zen-sources.git] / security / selinux / hooks.c
blob91200feb3f9c3792c2b06218a6ff44c667e168b2
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/ptrace.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86 #include "audit.h"
87
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
91 #define NUM_SEL_MNT_OPTS 4
92
93 extern unsigned int policydb_loaded_version;
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern int selinux_compat_net;
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
109 return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
122 return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129
130 /*
131 * Minimal support for a secondary security module,
132 * just to allow the use of the capability module.
133 */
134 static struct security_operations *secondary_ops;
135
136 /* Lists of inode and superblock security structures initialized
137 before the policy was loaded. */
138 static LIST_HEAD(superblock_security_head);
139 static DEFINE_SPINLOCK(sb_security_lock);
140
141 static struct kmem_cache *sel_inode_cache;
142
143 /**
144 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
145 *
146 * Description:
147 * This function checks the SECMARK reference counter to see if any SECMARK
148 * targets are currently configured, if the reference counter is greater than
149 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
150 * enabled, false (0) if SECMARK is disabled.
151 *
152 */
153 static int selinux_secmark_enabled(void)
154 {
155 return (atomic_read(&selinux_secmark_refcount) > 0);
156 }
157
158 /* Allocate and free functions for each kind of security blob. */
159
160 static int task_alloc_security(struct task_struct *task)
161 {
162 struct task_security_struct *tsec;
163
164 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165 if (!tsec)
166 return -ENOMEM;
167
168 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
169 task->security = tsec;
170
171 return 0;
172 }
173
174 static void task_free_security(struct task_struct *task)
175 {
176 struct task_security_struct *tsec = task->security;
177 task->security = NULL;
178 kfree(tsec);
179 }
180
181 static int inode_alloc_security(struct inode *inode)
182 {
183 struct task_security_struct *tsec = current->security;
184 struct inode_security_struct *isec;
185
186 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
187 if (!isec)
188 return -ENOMEM;
189
190 mutex_init(&isec->lock);
191 INIT_LIST_HEAD(&isec->list);
192 isec->inode = inode;
193 isec->sid = SECINITSID_UNLABELED;
194 isec->sclass = SECCLASS_FILE;
195 isec->task_sid = tsec->sid;
196 inode->i_security = isec;
197
198 return 0;
199 }
200
201 static void inode_free_security(struct inode *inode)
202 {
203 struct inode_security_struct *isec = inode->i_security;
204 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
205
206 spin_lock(&sbsec->isec_lock);
207 if (!list_empty(&isec->list))
208 list_del_init(&isec->list);
209 spin_unlock(&sbsec->isec_lock);
210
211 inode->i_security = NULL;
212 kmem_cache_free(sel_inode_cache, isec);
213 }
214
215 static int file_alloc_security(struct file *file)
216 {
217 struct task_security_struct *tsec = current->security;
218 struct file_security_struct *fsec;
219
220 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
221 if (!fsec)
222 return -ENOMEM;
223
224 fsec->sid = tsec->sid;
225 fsec->fown_sid = tsec->sid;
226 file->f_security = fsec;
227
228 return 0;
229 }
230
231 static void file_free_security(struct file *file)
232 {
233 struct file_security_struct *fsec = file->f_security;
234 file->f_security = NULL;
235 kfree(fsec);
236 }
237
238 static int superblock_alloc_security(struct super_block *sb)
239 {
240 struct superblock_security_struct *sbsec;
241
242 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
243 if (!sbsec)
244 return -ENOMEM;
245
246 mutex_init(&sbsec->lock);
247 INIT_LIST_HEAD(&sbsec->list);
248 INIT_LIST_HEAD(&sbsec->isec_head);
249 spin_lock_init(&sbsec->isec_lock);
250 sbsec->sb = sb;
251 sbsec->sid = SECINITSID_UNLABELED;
252 sbsec->def_sid = SECINITSID_FILE;
253 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
254 sb->s_security = sbsec;
255
256 return 0;
257 }
258
259 static void superblock_free_security(struct super_block *sb)
260 {
261 struct superblock_security_struct *sbsec = sb->s_security;
262
263 spin_lock(&sb_security_lock);
264 if (!list_empty(&sbsec->list))
265 list_del_init(&sbsec->list);
266 spin_unlock(&sb_security_lock);
267
268 sb->s_security = NULL;
269 kfree(sbsec);
270 }
271
272 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
273 {
274 struct sk_security_struct *ssec;
275
276 ssec = kzalloc(sizeof(*ssec), priority);
277 if (!ssec)
278 return -ENOMEM;
279
280 ssec->peer_sid = SECINITSID_UNLABELED;
281 ssec->sid = SECINITSID_UNLABELED;
282 sk->sk_security = ssec;
283
284 selinux_netlbl_sk_security_reset(ssec, family);
285
286 return 0;
287 }
288
289 static void sk_free_security(struct sock *sk)
290 {
291 struct sk_security_struct *ssec = sk->sk_security;
292
293 sk->sk_security = NULL;
294 kfree(ssec);
295 }
296
297 /* The security server must be initialized before
298 any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304 "uses xattr",
305 "uses transition SIDs",
306 "uses task SIDs",
307 "uses genfs_contexts",
308 "not configured for labeling",
309 "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316 return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320 Opt_error = -1,
321 Opt_context = 1,
322 Opt_fscontext = 2,
323 Opt_defcontext = 3,
324 Opt_rootcontext = 4,
325 };
326
327 static match_table_t tokens = {
328 {Opt_context, CONTEXT_STR "%s"},
329 {Opt_fscontext, FSCONTEXT_STR "%s"},
330 {Opt_defcontext, DEFCONTEXT_STR "%s"},
331 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
332 {Opt_error, NULL},
333 };
334
335 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
336
337 static int may_context_mount_sb_relabel(u32 sid,
338 struct superblock_security_struct *sbsec,
339 struct task_security_struct *tsec)
340 {
341 int rc;
342
343 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344 FILESYSTEM__RELABELFROM, NULL);
345 if (rc)
346 return rc;
347
348 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
349 FILESYSTEM__RELABELTO, NULL);
350 return rc;
351 }
352
353 static int may_context_mount_inode_relabel(u32 sid,
354 struct superblock_security_struct *sbsec,
355 struct task_security_struct *tsec)
356 {
357 int rc;
358 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
359 FILESYSTEM__RELABELFROM, NULL);
360 if (rc)
361 return rc;
362
363 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
364 FILESYSTEM__ASSOCIATE, NULL);
365 return rc;
366 }
367
368 static int sb_finish_set_opts(struct super_block *sb)
369 {
370 struct superblock_security_struct *sbsec = sb->s_security;
371 struct dentry *root = sb->s_root;
372 struct inode *root_inode = root->d_inode;
373 int rc = 0;
374
375 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
376 /* Make sure that the xattr handler exists and that no
377 error other than -ENODATA is returned by getxattr on
378 the root directory. -ENODATA is ok, as this may be
379 the first boot of the SELinux kernel before we have
380 assigned xattr values to the filesystem. */
381 if (!root_inode->i_op->getxattr) {
382 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
383 "xattr support\n", sb->s_id, sb->s_type->name);
384 rc = -EOPNOTSUPP;
385 goto out;
386 }
387 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
388 if (rc < 0 && rc != -ENODATA) {
389 if (rc == -EOPNOTSUPP)
390 printk(KERN_WARNING "SELinux: (dev %s, type "
391 "%s) has no security xattr handler\n",
392 sb->s_id, sb->s_type->name);
393 else
394 printk(KERN_WARNING "SELinux: (dev %s, type "
395 "%s) getxattr errno %d\n", sb->s_id,
396 sb->s_type->name, -rc);
397 goto out;
398 }
399 }
400
401 sbsec->initialized = 1;
402
403 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
404 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
405 sb->s_id, sb->s_type->name);
406 else
407 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
408 sb->s_id, sb->s_type->name,
409 labeling_behaviors[sbsec->behavior-1]);
410
411 /* Initialize the root inode. */
412 rc = inode_doinit_with_dentry(root_inode, root);
413
414 /* Initialize any other inodes associated with the superblock, e.g.
415 inodes created prior to initial policy load or inodes created
416 during get_sb by a pseudo filesystem that directly
417 populates itself. */
418 spin_lock(&sbsec->isec_lock);
419 next_inode:
420 if (!list_empty(&sbsec->isec_head)) {
421 struct inode_security_struct *isec =
422 list_entry(sbsec->isec_head.next,
423 struct inode_security_struct, list);
424 struct inode *inode = isec->inode;
425 spin_unlock(&sbsec->isec_lock);
426 inode = igrab(inode);
427 if (inode) {
428 if (!IS_PRIVATE(inode))
429 inode_doinit(inode);
430 iput(inode);
431 }
432 spin_lock(&sbsec->isec_lock);
433 list_del_init(&isec->list);
434 goto next_inode;
435 }
436 spin_unlock(&sbsec->isec_lock);
437 out:
438 return rc;
439 }
440
441 /*
442 * This function should allow an FS to ask what it's mount security
443 * options were so it can use those later for submounts, displaying
444 * mount options, or whatever.
445 */
446 static int selinux_get_mnt_opts(const struct super_block *sb,
447 struct security_mnt_opts *opts)
448 {
449 int rc = 0, i;
450 struct superblock_security_struct *sbsec = sb->s_security;
451 char *context = NULL;
452 u32 len;
453 char tmp;
454
455 security_init_mnt_opts(opts);
456
457 if (!sbsec->initialized)
458 return -EINVAL;
459
460 if (!ss_initialized)
461 return -EINVAL;
462
463 /*
464 * if we ever use sbsec flags for anything other than tracking mount
465 * settings this is going to need a mask
466 */
467 tmp = sbsec->flags;
468 /* count the number of mount options for this sb */
469 for (i = 0; i < 8; i++) {
470 if (tmp & 0x01)
471 opts->num_mnt_opts++;
472 tmp >>= 1;
473 }
474
475 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
476 if (!opts->mnt_opts) {
477 rc = -ENOMEM;
478 goto out_free;
479 }
480
481 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
482 if (!opts->mnt_opts_flags) {
483 rc = -ENOMEM;
484 goto out_free;
485 }
486
487 i = 0;
488 if (sbsec->flags & FSCONTEXT_MNT) {
489 rc = security_sid_to_context(sbsec->sid, &context, &len);
490 if (rc)
491 goto out_free;
492 opts->mnt_opts[i] = context;
493 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
494 }
495 if (sbsec->flags & CONTEXT_MNT) {
496 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
497 if (rc)
498 goto out_free;
499 opts->mnt_opts[i] = context;
500 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
501 }
502 if (sbsec->flags & DEFCONTEXT_MNT) {
503 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
504 if (rc)
505 goto out_free;
506 opts->mnt_opts[i] = context;
507 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
508 }
509 if (sbsec->flags & ROOTCONTEXT_MNT) {
510 struct inode *root = sbsec->sb->s_root->d_inode;
511 struct inode_security_struct *isec = root->i_security;
512
513 rc = security_sid_to_context(isec->sid, &context, &len);
514 if (rc)
515 goto out_free;
516 opts->mnt_opts[i] = context;
517 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
518 }
519
520 BUG_ON(i != opts->num_mnt_opts);
521
522 return 0;
523
524 out_free:
525 security_free_mnt_opts(opts);
526 return rc;
527 }
528
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530 u32 old_sid, u32 new_sid)
531 {
532 /* check if the old mount command had the same options */
533 if (sbsec->initialized)
534 if (!(sbsec->flags & flag) ||
535 (old_sid != new_sid))
536 return 1;
537
538 /* check if we were passed the same options twice,
539 * aka someone passed context=a,context=b
540 */
541 if (!sbsec->initialized)
542 if (sbsec->flags & flag)
543 return 1;
544 return 0;
545 }
546
547 /*
548 * Allow filesystems with binary mount data to explicitly set mount point
549 * labeling information.
550 */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552 struct security_mnt_opts *opts)
553 {
554 int rc = 0, i;
555 struct task_security_struct *tsec = current->security;
556 struct superblock_security_struct *sbsec = sb->s_security;
557 const char *name = sb->s_type->name;
558 struct dentry *root = sb->s_root;
559 struct inode *root_inode = root->d_inode;
560 struct inode_security_struct *root_isec = root_inode->i_security;
561 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
562 u32 defcontext_sid = 0;
563 char **mount_options = opts->mnt_opts;
564 int *flags = opts->mnt_opts_flags;
565 int num_opts = opts->num_mnt_opts;
566 bool can_xattr = false;
567
568 mutex_lock(&sbsec->lock);
569
570 if (!ss_initialized) {
571 if (!num_opts) {
572 /* Defer initialization until selinux_complete_init,
573 after the initial policy is loaded and the security
574 server is ready to handle calls. */
575 spin_lock(&sb_security_lock);
576 if (list_empty(&sbsec->list))
577 list_add(&sbsec->list, &superblock_security_head);
578 spin_unlock(&sb_security_lock);
579 goto out;
580 }
581 rc = -EINVAL;
582 printk(KERN_WARNING "SELinux: Unable to set superblock options "
583 "before the security server is initialized\n");
584 goto out;
585 }
586
587 /*
588 * Binary mount data FS will come through this function twice. Once
589 * from an explicit call and once from the generic calls from the vfs.
590 * Since the generic VFS calls will not contain any security mount data
591 * we need to skip the double mount verification.
592 *
593 * This does open a hole in which we will not notice if the first
594 * mount using this sb set explict options and a second mount using
595 * this sb does not set any security options. (The first options
596 * will be used for both mounts)
597 */
598 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
599 && (num_opts == 0))
600 goto out;
601
602 /*
603 * parse the mount options, check if they are valid sids.
604 * also check if someone is trying to mount the same sb more
605 * than once with different security options.
606 */
607 for (i = 0; i < num_opts; i++) {
608 u32 sid;
609 rc = security_context_to_sid(mount_options[i],
610 strlen(mount_options[i]), &sid);
611 if (rc) {
612 printk(KERN_WARNING "SELinux: security_context_to_sid"
613 "(%s) failed for (dev %s, type %s) errno=%d\n",
614 mount_options[i], sb->s_id, name, rc);
615 goto out;
616 }
617 switch (flags[i]) {
618 case FSCONTEXT_MNT:
619 fscontext_sid = sid;
620
621 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
622 fscontext_sid))
623 goto out_double_mount;
624
625 sbsec->flags |= FSCONTEXT_MNT;
626 break;
627 case CONTEXT_MNT:
628 context_sid = sid;
629
630 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
631 context_sid))
632 goto out_double_mount;
633
634 sbsec->flags |= CONTEXT_MNT;
635 break;
636 case ROOTCONTEXT_MNT:
637 rootcontext_sid = sid;
638
639 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
640 rootcontext_sid))
641 goto out_double_mount;
642
643 sbsec->flags |= ROOTCONTEXT_MNT;
644
645 break;
646 case DEFCONTEXT_MNT:
647 defcontext_sid = sid;
648
649 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
650 defcontext_sid))
651 goto out_double_mount;
652
653 sbsec->flags |= DEFCONTEXT_MNT;
654
655 break;
656 default:
657 rc = -EINVAL;
658 goto out;
659 }
660 }
661
662 if (sbsec->initialized) {
663 /* previously mounted with options, but not on this attempt? */
664 if (sbsec->flags && !num_opts)
665 goto out_double_mount;
666 rc = 0;
667 goto out;
668 }
669
670 if (strcmp(name, "proc") == 0)
671 sbsec->proc = 1;
672
673 /*
674 * test if the fs supports xattrs, fs_use might make use of this if the
675 * fs has no definition in policy.
676 */
677 if (root_inode->i_op->getxattr) {
678 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
679 if (rc >= 0 || rc == -ENODATA)
680 can_xattr = true;
681 }
682
683 /* Determine the labeling behavior to use for this filesystem type. */
684 rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid, can_xattr);
685 if (rc) {
686 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
687 __func__, name, rc);
688 goto out;
689 }
690
691 /* sets the context of the superblock for the fs being mounted. */
692 if (fscontext_sid) {
693
694 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
695 if (rc)
696 goto out;
697
698 sbsec->sid = fscontext_sid;
699 }
700
701 /*
702 * Switch to using mount point labeling behavior.
703 * sets the label used on all file below the mountpoint, and will set
704 * the superblock context if not already set.
705 */
706 if (context_sid) {
707 if (!fscontext_sid) {
708 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
709 if (rc)
710 goto out;
711 sbsec->sid = context_sid;
712 } else {
713 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
714 if (rc)
715 goto out;
716 }
717 if (!rootcontext_sid)
718 rootcontext_sid = context_sid;
719
720 sbsec->mntpoint_sid = context_sid;
721 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
722 }
723
724 if (rootcontext_sid) {
725 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
726 if (rc)
727 goto out;
728
729 root_isec->sid = rootcontext_sid;
730 root_isec->initialized = 1;
731 }
732
733 if (defcontext_sid) {
734 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
735 rc = -EINVAL;
736 printk(KERN_WARNING "SELinux: defcontext option is "
737 "invalid for this filesystem type\n");
738 goto out;
739 }
740
741 if (defcontext_sid != sbsec->def_sid) {
742 rc = may_context_mount_inode_relabel(defcontext_sid,
743 sbsec, tsec);
744 if (rc)
745 goto out;
746 }
747
748 sbsec->def_sid = defcontext_sid;
749 }
750
751 rc = sb_finish_set_opts(sb);
752 out:
753 mutex_unlock(&sbsec->lock);
754 return rc;
755 out_double_mount:
756 rc = -EINVAL;
757 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
758 "security settings for (dev %s, type %s)\n", sb->s_id, name);
759 goto out;
760 }
761
762 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
763 struct super_block *newsb)
764 {
765 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
766 struct superblock_security_struct *newsbsec = newsb->s_security;
767
768 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
769 int set_context = (oldsbsec->flags & CONTEXT_MNT);
770 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
771
772 /*
773 * if the parent was able to be mounted it clearly had no special lsm
774 * mount options. thus we can safely put this sb on the list and deal
775 * with it later
776 */
777 if (!ss_initialized) {
778 spin_lock(&sb_security_lock);
779 if (list_empty(&newsbsec->list))
780 list_add(&newsbsec->list, &superblock_security_head);
781 spin_unlock(&sb_security_lock);
782 return;
783 }
784
785 /* how can we clone if the old one wasn't set up?? */
786 BUG_ON(!oldsbsec->initialized);
787
788 /* if fs is reusing a sb, just let its options stand... */
789 if (newsbsec->initialized)
790 return;
791
792 mutex_lock(&newsbsec->lock);
793
794 newsbsec->flags = oldsbsec->flags;
795
796 newsbsec->sid = oldsbsec->sid;
797 newsbsec->def_sid = oldsbsec->def_sid;
798 newsbsec->behavior = oldsbsec->behavior;
799
800 if (set_context) {
801 u32 sid = oldsbsec->mntpoint_sid;
802
803 if (!set_fscontext)
804 newsbsec->sid = sid;
805 if (!set_rootcontext) {
806 struct inode *newinode = newsb->s_root->d_inode;
807 struct inode_security_struct *newisec = newinode->i_security;
808 newisec->sid = sid;
809 }
810 newsbsec->mntpoint_sid = sid;
811 }
812 if (set_rootcontext) {
813 const struct inode *oldinode = oldsb->s_root->d_inode;
814 const struct inode_security_struct *oldisec = oldinode->i_security;
815 struct inode *newinode = newsb->s_root->d_inode;
816 struct inode_security_struct *newisec = newinode->i_security;
817
818 newisec->sid = oldisec->sid;
819 }
820
821 sb_finish_set_opts(newsb);
822 mutex_unlock(&newsbsec->lock);
823 }
824
825 static int selinux_parse_opts_str(char *options,
826 struct security_mnt_opts *opts)
827 {
828 char *p;
829 char *context = NULL, *defcontext = NULL;
830 char *fscontext = NULL, *rootcontext = NULL;
831 int rc, num_mnt_opts = 0;
832
833 opts->num_mnt_opts = 0;
834
835 /* Standard string-based options. */
836 while ((p = strsep(&options, "|")) != NULL) {
837 int token;
838 substring_t args[MAX_OPT_ARGS];
839
840 if (!*p)
841 continue;
842
843 token = match_token(p, tokens, args);
844
845 switch (token) {
846 case Opt_context:
847 if (context || defcontext) {
848 rc = -EINVAL;
849 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
850 goto out_err;
851 }
852 context = match_strdup(&args[0]);
853 if (!context) {
854 rc = -ENOMEM;
855 goto out_err;
856 }
857 break;
858
859 case Opt_fscontext:
860 if (fscontext) {
861 rc = -EINVAL;
862 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863 goto out_err;
864 }
865 fscontext = match_strdup(&args[0]);
866 if (!fscontext) {
867 rc = -ENOMEM;
868 goto out_err;
869 }
870 break;
871
872 case Opt_rootcontext:
873 if (rootcontext) {
874 rc = -EINVAL;
875 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 goto out_err;
877 }
878 rootcontext = match_strdup(&args[0]);
879 if (!rootcontext) {
880 rc = -ENOMEM;
881 goto out_err;
882 }
883 break;
884
885 case Opt_defcontext:
886 if (context || defcontext) {
887 rc = -EINVAL;
888 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889 goto out_err;
890 }
891 defcontext = match_strdup(&args[0]);
892 if (!defcontext) {
893 rc = -ENOMEM;
894 goto out_err;
895 }
896 break;
897
898 default:
899 rc = -EINVAL;
900 printk(KERN_WARNING "SELinux: unknown mount option\n");
901 goto out_err;
902
903 }
904 }
905
906 rc = -ENOMEM;
907 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
908 if (!opts->mnt_opts)
909 goto out_err;
910
911 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
912 if (!opts->mnt_opts_flags) {
913 kfree(opts->mnt_opts);
914 goto out_err;
915 }
916
917 if (fscontext) {
918 opts->mnt_opts[num_mnt_opts] = fscontext;
919 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
920 }
921 if (context) {
922 opts->mnt_opts[num_mnt_opts] = context;
923 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
924 }
925 if (rootcontext) {
926 opts->mnt_opts[num_mnt_opts] = rootcontext;
927 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
928 }
929 if (defcontext) {
930 opts->mnt_opts[num_mnt_opts] = defcontext;
931 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
932 }
933
934 opts->num_mnt_opts = num_mnt_opts;
935 return 0;
936
937 out_err:
938 kfree(context);
939 kfree(defcontext);
940 kfree(fscontext);
941 kfree(rootcontext);
942 return rc;
943 }
944 /*
945 * string mount options parsing and call set the sbsec
946 */
947 static int superblock_doinit(struct super_block *sb, void *data)
948 {
949 int rc = 0;
950 char *options = data;
951 struct security_mnt_opts opts;
952
953 security_init_mnt_opts(&opts);
954
955 if (!data)
956 goto out;
957
958 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
959
960 rc = selinux_parse_opts_str(options, &opts);
961 if (rc)
962 goto out_err;
963
964 out:
965 rc = selinux_set_mnt_opts(sb, &opts);
966
967 out_err:
968 security_free_mnt_opts(&opts);
969 return rc;
970 }
971
972 void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
973 {
974 int i;
975 char *prefix;
976
977 for (i = 0; i < opts->num_mnt_opts; i++) {
978 char *has_comma = strchr(opts->mnt_opts[i], ',');
979
980 switch (opts->mnt_opts_flags[i]) {
981 case CONTEXT_MNT:
982 prefix = CONTEXT_STR;
983 break;
984 case FSCONTEXT_MNT:
985 prefix = FSCONTEXT_STR;
986 break;
987 case ROOTCONTEXT_MNT:
988 prefix = ROOTCONTEXT_STR;
989 break;
990 case DEFCONTEXT_MNT:
991 prefix = DEFCONTEXT_STR;
992 break;
993 default:
994 BUG();
995 };
996 /* we need a comma before each option */
997 seq_putc(m, ',');
998 seq_puts(m, prefix);
999 if (has_comma)
1000 seq_putc(m, '\"');
1001 seq_puts(m, opts->mnt_opts[i]);
1002 if (has_comma)
1003 seq_putc(m, '\"');
1004 }
1005 }
1006
1007 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1008 {
1009 struct security_mnt_opts opts;
1010 int rc;
1011
1012 rc = selinux_get_mnt_opts(sb, &opts);
1013 if (rc)
1014 return rc;
1015
1016 selinux_write_opts(m, &opts);
1017
1018 security_free_mnt_opts(&opts);
1019
1020 return rc;
1021 }
1022
1023 static inline u16 inode_mode_to_security_class(umode_t mode)
1024 {
1025 switch (mode & S_IFMT) {
1026 case S_IFSOCK:
1027 return SECCLASS_SOCK_FILE;
1028 case S_IFLNK:
1029 return SECCLASS_LNK_FILE;
1030 case S_IFREG:
1031 return SECCLASS_FILE;
1032 case S_IFBLK:
1033 return SECCLASS_BLK_FILE;
1034 case S_IFDIR:
1035 return SECCLASS_DIR;
1036 case S_IFCHR:
1037 return SECCLASS_CHR_FILE;
1038 case S_IFIFO:
1039 return SECCLASS_FIFO_FILE;
1040
1041 }
1042
1043 return SECCLASS_FILE;
1044 }
1045
1046 static inline int default_protocol_stream(int protocol)
1047 {
1048 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1049 }
1050
1051 static inline int default_protocol_dgram(int protocol)
1052 {
1053 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1054 }
1055
1056 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1057 {
1058 switch (family) {
1059 case PF_UNIX:
1060 switch (type) {
1061 case SOCK_STREAM:
1062 case SOCK_SEQPACKET:
1063 return SECCLASS_UNIX_STREAM_SOCKET;
1064 case SOCK_DGRAM:
1065 return SECCLASS_UNIX_DGRAM_SOCKET;
1066 }
1067 break;
1068 case PF_INET:
1069 case PF_INET6:
1070 switch (type) {
1071 case SOCK_STREAM:
1072 if (default_protocol_stream(protocol))
1073 return SECCLASS_TCP_SOCKET;
1074 else
1075 return SECCLASS_RAWIP_SOCKET;
1076 case SOCK_DGRAM:
1077 if (default_protocol_dgram(protocol))
1078 return SECCLASS_UDP_SOCKET;
1079 else
1080 return SECCLASS_RAWIP_SOCKET;
1081 case SOCK_DCCP:
1082 return SECCLASS_DCCP_SOCKET;
1083 default:
1084 return SECCLASS_RAWIP_SOCKET;
1085 }
1086 break;
1087 case PF_NETLINK:
1088 switch (protocol) {
1089 case NETLINK_ROUTE:
1090 return SECCLASS_NETLINK_ROUTE_SOCKET;
1091 case NETLINK_FIREWALL:
1092 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1093 case NETLINK_INET_DIAG:
1094 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1095 case NETLINK_NFLOG:
1096 return SECCLASS_NETLINK_NFLOG_SOCKET;
1097 case NETLINK_XFRM:
1098 return SECCLASS_NETLINK_XFRM_SOCKET;
1099 case NETLINK_SELINUX:
1100 return SECCLASS_NETLINK_SELINUX_SOCKET;
1101 case NETLINK_AUDIT:
1102 return SECCLASS_NETLINK_AUDIT_SOCKET;
1103 case NETLINK_IP6_FW:
1104 return SECCLASS_NETLINK_IP6FW_SOCKET;
1105 case NETLINK_DNRTMSG:
1106 return SECCLASS_NETLINK_DNRT_SOCKET;
1107 case NETLINK_KOBJECT_UEVENT:
1108 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1109 default:
1110 return SECCLASS_NETLINK_SOCKET;
1111 }
1112 case PF_PACKET:
1113 return SECCLASS_PACKET_SOCKET;
1114 case PF_KEY:
1115 return SECCLASS_KEY_SOCKET;
1116 case PF_APPLETALK:
1117 return SECCLASS_APPLETALK_SOCKET;
1118 }
1119
1120 return SECCLASS_SOCKET;
1121 }
1122
1123 #ifdef CONFIG_PROC_FS
1124 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1125 u16 tclass,
1126 u32 *sid)
1127 {
1128 int buflen, rc;
1129 char *buffer, *path, *end;
1130
1131 buffer = (char *)__get_free_page(GFP_KERNEL);
1132 if (!buffer)
1133 return -ENOMEM;
1134
1135 buflen = PAGE_SIZE;
1136 end = buffer+buflen;
1137 *--end = '\0';
1138 buflen--;
1139 path = end-1;
1140 *path = '/';
1141 while (de && de != de->parent) {
1142 buflen -= de->namelen + 1;
1143 if (buflen < 0)
1144 break;
1145 end -= de->namelen;
1146 memcpy(end, de->name, de->namelen);
1147 *--end = '/';
1148 path = end;
1149 de = de->parent;
1150 }
1151 rc = security_genfs_sid("proc", path, tclass, sid);
1152 free_page((unsigned long)buffer);
1153 return rc;
1154 }
1155 #else
1156 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1157 u16 tclass,
1158 u32 *sid)
1159 {
1160 return -EINVAL;
1161 }
1162 #endif
1163
1164 /* The inode's security attributes must be initialized before first use. */
1165 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1166 {
1167 struct superblock_security_struct *sbsec = NULL;
1168 struct inode_security_struct *isec = inode->i_security;
1169 u32 sid;
1170 struct dentry *dentry;
1171 #define INITCONTEXTLEN 255
1172 char *context = NULL;
1173 unsigned len = 0;
1174 int rc = 0;
1175
1176 if (isec->initialized)
1177 goto out;
1178
1179 mutex_lock(&isec->lock);
1180 if (isec->initialized)
1181 goto out_unlock;
1182
1183 sbsec = inode->i_sb->s_security;
1184 if (!sbsec->initialized) {
1185 /* Defer initialization until selinux_complete_init,
1186 after the initial policy is loaded and the security
1187 server is ready to handle calls. */
1188 spin_lock(&sbsec->isec_lock);
1189 if (list_empty(&isec->list))
1190 list_add(&isec->list, &sbsec->isec_head);
1191 spin_unlock(&sbsec->isec_lock);
1192 goto out_unlock;
1193 }
1194
1195 switch (sbsec->behavior) {
1196 case SECURITY_FS_USE_XATTR:
1197 if (!inode->i_op->getxattr) {
1198 isec->sid = sbsec->def_sid;
1199 break;
1200 }
1201
1202 /* Need a dentry, since the xattr API requires one.
1203 Life would be simpler if we could just pass the inode. */
1204 if (opt_dentry) {
1205 /* Called from d_instantiate or d_splice_alias. */
1206 dentry = dget(opt_dentry);
1207 } else {
1208 /* Called from selinux_complete_init, try to find a dentry. */
1209 dentry = d_find_alias(inode);
1210 }
1211 if (!dentry) {
1212 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1213 "ino=%ld\n", __func__, inode->i_sb->s_id,
1214 inode->i_ino);
1215 goto out_unlock;
1216 }
1217
1218 len = INITCONTEXTLEN;
1219 context = kmalloc(len, GFP_NOFS);
1220 if (!context) {
1221 rc = -ENOMEM;
1222 dput(dentry);
1223 goto out_unlock;
1224 }
1225 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1226 context, len);
1227 if (rc == -ERANGE) {
1228 /* Need a larger buffer. Query for the right size. */
1229 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230 NULL, 0);
1231 if (rc < 0) {
1232 dput(dentry);
1233 goto out_unlock;
1234 }
1235 kfree(context);
1236 len = rc;
1237 context = kmalloc(len, GFP_NOFS);
1238 if (!context) {
1239 rc = -ENOMEM;
1240 dput(dentry);
1241 goto out_unlock;
1242 }
1243 rc = inode->i_op->getxattr(dentry,
1244 XATTR_NAME_SELINUX,
1245 context, len);
1246 }
1247 dput(dentry);
1248 if (rc < 0) {
1249 if (rc != -ENODATA) {
1250 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1251 "%d for dev=%s ino=%ld\n", __func__,
1252 -rc, inode->i_sb->s_id, inode->i_ino);
1253 kfree(context);
1254 goto out_unlock;
1255 }
1256 /* Map ENODATA to the default file SID */
1257 sid = sbsec->def_sid;
1258 rc = 0;
1259 } else {
1260 rc = security_context_to_sid_default(context, rc, &sid,
1261 sbsec->def_sid,
1262 GFP_NOFS);
1263 if (rc) {
1264 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1265 "returned %d for dev=%s ino=%ld\n",
1266 __func__, context, -rc,
1267 inode->i_sb->s_id, inode->i_ino);
1268 kfree(context);
1269 /* Leave with the unlabeled SID */
1270 rc = 0;
1271 break;
1272 }
1273 }
1274 kfree(context);
1275 isec->sid = sid;
1276 break;
1277 case SECURITY_FS_USE_TASK:
1278 isec->sid = isec->task_sid;
1279 break;
1280 case SECURITY_FS_USE_TRANS:
1281 /* Default to the fs SID. */
1282 isec->sid = sbsec->sid;
1283
1284 /* Try to obtain a transition SID. */
1285 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1286 rc = security_transition_sid(isec->task_sid,
1287 sbsec->sid,
1288 isec->sclass,
1289 &sid);
1290 if (rc)
1291 goto out_unlock;
1292 isec->sid = sid;
1293 break;
1294 case SECURITY_FS_USE_MNTPOINT:
1295 isec->sid = sbsec->mntpoint_sid;
1296 break;
1297 default:
1298 /* Default to the fs superblock SID. */
1299 isec->sid = sbsec->sid;
1300
1301 if (sbsec->proc) {
1302 struct proc_inode *proci = PROC_I(inode);
1303 if (proci->pde) {
1304 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1305 rc = selinux_proc_get_sid(proci->pde,
1306 isec->sclass,
1307 &sid);
1308 if (rc)
1309 goto out_unlock;
1310 isec->sid = sid;
1311 }
1312 }
1313 break;
1314 }
1315
1316 isec->initialized = 1;
1317
1318 out_unlock:
1319 mutex_unlock(&isec->lock);
1320 out:
1321 if (isec->sclass == SECCLASS_FILE)
1322 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1323 return rc;
1324 }
1325
1326 /* Convert a Linux signal to an access vector. */
1327 static inline u32 signal_to_av(int sig)
1328 {
1329 u32 perm = 0;
1330
1331 switch (sig) {
1332 case SIGCHLD:
1333 /* Commonly granted from child to parent. */
1334 perm = PROCESS__SIGCHLD;
1335 break;
1336 case SIGKILL:
1337 /* Cannot be caught or ignored */
1338 perm = PROCESS__SIGKILL;
1339 break;
1340 case SIGSTOP:
1341 /* Cannot be caught or ignored */
1342 perm = PROCESS__SIGSTOP;
1343 break;
1344 default:
1345 /* All other signals. */
1346 perm = PROCESS__SIGNAL;
1347 break;
1348 }
1349
1350 return perm;
1351 }
1352
1353 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1354 fork check, ptrace check, etc. */
1355 static int task_has_perm(struct task_struct *tsk1,
1356 struct task_struct *tsk2,
1357 u32 perms)
1358 {
1359 struct task_security_struct *tsec1, *tsec2;
1360
1361 tsec1 = tsk1->security;
1362 tsec2 = tsk2->security;
1363 return avc_has_perm(tsec1->sid, tsec2->sid,
1364 SECCLASS_PROCESS, perms, NULL);
1365 }
1366
1367 #if CAP_LAST_CAP > 63
1368 #error Fix SELinux to handle capabilities > 63.
1369 #endif
1370
1371 /* Check whether a task is allowed to use a capability. */
1372 static int task_has_capability(struct task_struct *tsk,
1373 int cap)
1374 {
1375 struct task_security_struct *tsec;
1376 struct avc_audit_data ad;
1377 u16 sclass;
1378 u32 av = CAP_TO_MASK(cap);
1379
1380 tsec = tsk->security;
1381
1382 AVC_AUDIT_DATA_INIT(&ad, CAP);
1383 ad.tsk = tsk;
1384 ad.u.cap = cap;
1385
1386 switch (CAP_TO_INDEX(cap)) {
1387 case 0:
1388 sclass = SECCLASS_CAPABILITY;
1389 break;
1390 case 1:
1391 sclass = SECCLASS_CAPABILITY2;
1392 break;
1393 default:
1394 printk(KERN_ERR
1395 "SELinux: out of range capability %d\n", cap);
1396 BUG();
1397 }
1398 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1399 }
1400
1401 /* Check whether a task is allowed to use a system operation. */
1402 static int task_has_system(struct task_struct *tsk,
1403 u32 perms)
1404 {
1405 struct task_security_struct *tsec;
1406
1407 tsec = tsk->security;
1408
1409 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1410 SECCLASS_SYSTEM, perms, NULL);
1411 }
1412
1413 /* Check whether a task has a particular permission to an inode.
1414 The 'adp' parameter is optional and allows other audit
1415 data to be passed (e.g. the dentry). */
1416 static int inode_has_perm(struct task_struct *tsk,
1417 struct inode *inode,
1418 u32 perms,
1419 struct avc_audit_data *adp)
1420 {
1421 struct task_security_struct *tsec;
1422 struct inode_security_struct *isec;
1423 struct avc_audit_data ad;
1424
1425 if (unlikely(IS_PRIVATE(inode)))
1426 return 0;
1427
1428 tsec = tsk->security;
1429 isec = inode->i_security;
1430
1431 if (!adp) {
1432 adp = &ad;
1433 AVC_AUDIT_DATA_INIT(&ad, FS);
1434 ad.u.fs.inode = inode;
1435 }
1436
1437 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1438 }
1439
1440 /* Same as inode_has_perm, but pass explicit audit data containing
1441 the dentry to help the auditing code to more easily generate the
1442 pathname if needed. */
1443 static inline int dentry_has_perm(struct task_struct *tsk,
1444 struct vfsmount *mnt,
1445 struct dentry *dentry,
1446 u32 av)
1447 {
1448 struct inode *inode = dentry->d_inode;
1449 struct avc_audit_data ad;
1450 AVC_AUDIT_DATA_INIT(&ad, FS);
1451 ad.u.fs.path.mnt = mnt;
1452 ad.u.fs.path.dentry = dentry;
1453 return inode_has_perm(tsk, inode, av, &ad);
1454 }
1455
1456 /* Check whether a task can use an open file descriptor to
1457 access an inode in a given way. Check access to the
1458 descriptor itself, and then use dentry_has_perm to
1459 check a particular permission to the file.
1460 Access to the descriptor is implicitly granted if it
1461 has the same SID as the process. If av is zero, then
1462 access to the file is not checked, e.g. for cases
1463 where only the descriptor is affected like seek. */
1464 static int file_has_perm(struct task_struct *tsk,
1465 struct file *file,
1466 u32 av)
1467 {
1468 struct task_security_struct *tsec = tsk->security;
1469 struct file_security_struct *fsec = file->f_security;
1470 struct inode *inode = file->f_path.dentry->d_inode;
1471 struct avc_audit_data ad;
1472 int rc;
1473
1474 AVC_AUDIT_DATA_INIT(&ad, FS);
1475 ad.u.fs.path = file->f_path;
1476
1477 if (tsec->sid != fsec->sid) {
1478 rc = avc_has_perm(tsec->sid, fsec->sid,
1479 SECCLASS_FD,
1480 FD__USE,
1481 &ad);
1482 if (rc)
1483 return rc;
1484 }
1485
1486 /* av is zero if only checking access to the descriptor. */
1487 if (av)
1488 return inode_has_perm(tsk, inode, av, &ad);
1489
1490 return 0;
1491 }
1492
1493 /* Check whether a task can create a file. */
1494 static int may_create(struct inode *dir,
1495 struct dentry *dentry,
1496 u16 tclass)
1497 {
1498 struct task_security_struct *tsec;
1499 struct inode_security_struct *dsec;
1500 struct superblock_security_struct *sbsec;
1501 u32 newsid;
1502 struct avc_audit_data ad;
1503 int rc;
1504
1505 tsec = current->security;
1506 dsec = dir->i_security;
1507 sbsec = dir->i_sb->s_security;
1508
1509 AVC_AUDIT_DATA_INIT(&ad, FS);
1510 ad.u.fs.path.dentry = dentry;
1511
1512 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1513 DIR__ADD_NAME | DIR__SEARCH,
1514 &ad);
1515 if (rc)
1516 return rc;
1517
1518 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1519 newsid = tsec->create_sid;
1520 } else {
1521 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1522 &newsid);
1523 if (rc)
1524 return rc;
1525 }
1526
1527 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1528 if (rc)
1529 return rc;
1530
1531 return avc_has_perm(newsid, sbsec->sid,
1532 SECCLASS_FILESYSTEM,
1533 FILESYSTEM__ASSOCIATE, &ad);
1534 }
1535
1536 /* Check whether a task can create a key. */
1537 static int may_create_key(u32 ksid,
1538 struct task_struct *ctx)
1539 {
1540 struct task_security_struct *tsec;
1541
1542 tsec = ctx->security;
1543
1544 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1545 }
1546
1547 #define MAY_LINK 0
1548 #define MAY_UNLINK 1
1549 #define MAY_RMDIR 2
1550
1551 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1552 static int may_link(struct inode *dir,
1553 struct dentry *dentry,
1554 int kind)
1555
1556 {
1557 struct task_security_struct *tsec;
1558 struct inode_security_struct *dsec, *isec;
1559 struct avc_audit_data ad;
1560 u32 av;
1561 int rc;
1562
1563 tsec = current->security;
1564 dsec = dir->i_security;
1565 isec = dentry->d_inode->i_security;
1566
1567 AVC_AUDIT_DATA_INIT(&ad, FS);
1568 ad.u.fs.path.dentry = dentry;
1569
1570 av = DIR__SEARCH;
1571 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1572 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1573 if (rc)
1574 return rc;
1575
1576 switch (kind) {
1577 case MAY_LINK:
1578 av = FILE__LINK;
1579 break;
1580 case MAY_UNLINK:
1581 av = FILE__UNLINK;
1582 break;
1583 case MAY_RMDIR:
1584 av = DIR__RMDIR;
1585 break;
1586 default:
1587 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1588 __func__, kind);
1589 return 0;
1590 }
1591
1592 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1593 return rc;
1594 }
1595
1596 static inline int may_rename(struct inode *old_dir,
1597 struct dentry *old_dentry,
1598 struct inode *new_dir,
1599 struct dentry *new_dentry)
1600 {
1601 struct task_security_struct *tsec;
1602 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1603 struct avc_audit_data ad;
1604 u32 av;
1605 int old_is_dir, new_is_dir;
1606 int rc;
1607
1608 tsec = current->security;
1609 old_dsec = old_dir->i_security;
1610 old_isec = old_dentry->d_inode->i_security;
1611 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1612 new_dsec = new_dir->i_security;
1613
1614 AVC_AUDIT_DATA_INIT(&ad, FS);
1615
1616 ad.u.fs.path.dentry = old_dentry;
1617 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1618 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1619 if (rc)
1620 return rc;
1621 rc = avc_has_perm(tsec->sid, old_isec->sid,
1622 old_isec->sclass, FILE__RENAME, &ad);
1623 if (rc)
1624 return rc;
1625 if (old_is_dir && new_dir != old_dir) {
1626 rc = avc_has_perm(tsec->sid, old_isec->sid,
1627 old_isec->sclass, DIR__REPARENT, &ad);
1628 if (rc)
1629 return rc;
1630 }
1631
1632 ad.u.fs.path.dentry = new_dentry;
1633 av = DIR__ADD_NAME | DIR__SEARCH;
1634 if (new_dentry->d_inode)
1635 av |= DIR__REMOVE_NAME;
1636 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1637 if (rc)
1638 return rc;
1639 if (new_dentry->d_inode) {
1640 new_isec = new_dentry->d_inode->i_security;
1641 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1642 rc = avc_has_perm(tsec->sid, new_isec->sid,
1643 new_isec->sclass,
1644 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1645 if (rc)
1646 return rc;
1647 }
1648
1649 return 0;
1650 }
1651
1652 /* Check whether a task can perform a filesystem operation. */
1653 static int superblock_has_perm(struct task_struct *tsk,
1654 struct super_block *sb,
1655 u32 perms,
1656 struct avc_audit_data *ad)
1657 {
1658 struct task_security_struct *tsec;
1659 struct superblock_security_struct *sbsec;
1660
1661 tsec = tsk->security;
1662 sbsec = sb->s_security;
1663 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1664 perms, ad);
1665 }
1666
1667 /* Convert a Linux mode and permission mask to an access vector. */
1668 static inline u32 file_mask_to_av(int mode, int mask)
1669 {
1670 u32 av = 0;
1671
1672 if ((mode & S_IFMT) != S_IFDIR) {
1673 if (mask & MAY_EXEC)
1674 av |= FILE__EXECUTE;
1675 if (mask & MAY_READ)
1676 av |= FILE__READ;
1677
1678 if (mask & MAY_APPEND)
1679 av |= FILE__APPEND;
1680 else if (mask & MAY_WRITE)
1681 av |= FILE__WRITE;
1682
1683 } else {
1684 if (mask & MAY_EXEC)
1685 av |= DIR__SEARCH;
1686 if (mask & MAY_WRITE)
1687 av |= DIR__WRITE;
1688 if (mask & MAY_READ)
1689 av |= DIR__READ;
1690 }
1691
1692 return av;
1693 }
1694
1695 /*
1696 * Convert a file mask to an access vector and include the correct open
1697 * open permission.
1698 */
1699 static inline u32 open_file_mask_to_av(int mode, int mask)
1700 {
1701 u32 av = file_mask_to_av(mode, mask);
1702
1703 if (selinux_policycap_openperm) {
1704 /*
1705 * lnk files and socks do not really have an 'open'
1706 */
1707 if (S_ISREG(mode))
1708 av |= FILE__OPEN;
1709 else if (S_ISCHR(mode))
1710 av |= CHR_FILE__OPEN;
1711 else if (S_ISBLK(mode))
1712 av |= BLK_FILE__OPEN;
1713 else if (S_ISFIFO(mode))
1714 av |= FIFO_FILE__OPEN;
1715 else if (S_ISDIR(mode))
1716 av |= DIR__OPEN;
1717 else
1718 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1719 "unknown mode:%x\n", __func__, mode);
1720 }
1721 return av;
1722 }
1723
1724 /* Convert a Linux file to an access vector. */
1725 static inline u32 file_to_av(struct file *file)
1726 {
1727 u32 av = 0;
1728
1729 if (file->f_mode & FMODE_READ)
1730 av |= FILE__READ;
1731 if (file->f_mode & FMODE_WRITE) {
1732 if (file->f_flags & O_APPEND)
1733 av |= FILE__APPEND;
1734 else
1735 av |= FILE__WRITE;
1736 }
1737 if (!av) {
1738 /*
1739 * Special file opened with flags 3 for ioctl-only use.
1740 */
1741 av = FILE__IOCTL;
1742 }
1743
1744 return av;
1745 }
1746
1747 /* Hook functions begin here. */
1748
1749 static int selinux_ptrace(struct task_struct *parent,
1750 struct task_struct *child,
1751 unsigned int mode)
1752 {
1753 int rc;
1754
1755 rc = secondary_ops->ptrace(parent, child, mode);
1756 if (rc)
1757 return rc;
1758
1759 if (mode == PTRACE_MODE_READ) {
1760 struct task_security_struct *tsec = parent->security;
1761 struct task_security_struct *csec = child->security;
1762 return avc_has_perm(tsec->sid, csec->sid,
1763 SECCLASS_FILE, FILE__READ, NULL);
1764 }
1765
1766 return task_has_perm(parent, child, PROCESS__PTRACE);
1767 }
1768
1769 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1770 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1771 {
1772 int error;
1773
1774 error = task_has_perm(current, target, PROCESS__GETCAP);
1775 if (error)
1776 return error;
1777
1778 return secondary_ops->capget(target, effective, inheritable, permitted);
1779 }
1780
1781 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1782 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1783 {
1784 int error;
1785
1786 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1787 if (error)
1788 return error;
1789
1790 return task_has_perm(current, target, PROCESS__SETCAP);
1791 }
1792
1793 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1794 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1795 {
1796 secondary_ops->capset_set(target, effective, inheritable, permitted);
1797 }
1798
1799 static int selinux_capable(struct task_struct *tsk, int cap)
1800 {
1801 int rc;
1802
1803 rc = secondary_ops->capable(tsk, cap);
1804 if (rc)
1805 return rc;
1806
1807 return task_has_capability(tsk, cap);
1808 }
1809
1810 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1811 {
1812 int buflen, rc;
1813 char *buffer, *path, *end;
1814
1815 rc = -ENOMEM;
1816 buffer = (char *)__get_free_page(GFP_KERNEL);
1817 if (!buffer)
1818 goto out;
1819
1820 buflen = PAGE_SIZE;
1821 end = buffer+buflen;
1822 *--end = '\0';
1823 buflen--;
1824 path = end-1;
1825 *path = '/';
1826 while (table) {
1827 const char *name = table->procname;
1828 size_t namelen = strlen(name);
1829 buflen -= namelen + 1;
1830 if (buflen < 0)
1831 goto out_free;
1832 end -= namelen;
1833 memcpy(end, name, namelen);
1834 *--end = '/';
1835 path = end;
1836 table = table->parent;
1837 }
1838 buflen -= 4;
1839 if (buflen < 0)
1840 goto out_free;
1841 end -= 4;
1842 memcpy(end, "/sys", 4);
1843 path = end;
1844 rc = security_genfs_sid("proc", path, tclass, sid);
1845 out_free:
1846 free_page((unsigned long)buffer);
1847 out:
1848 return rc;
1849 }
1850
1851 static int selinux_sysctl(ctl_table *table, int op)
1852 {
1853 int error = 0;
1854 u32 av;
1855 struct task_security_struct *tsec;
1856 u32 tsid;
1857 int rc;
1858
1859 rc = secondary_ops->sysctl(table, op);
1860 if (rc)
1861 return rc;
1862
1863 tsec = current->security;
1864
1865 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1866 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1867 if (rc) {
1868 /* Default to the well-defined sysctl SID. */
1869 tsid = SECINITSID_SYSCTL;
1870 }
1871
1872 /* The op values are "defined" in sysctl.c, thereby creating
1873 * a bad coupling between this module and sysctl.c */
1874 if (op == 001) {
1875 error = avc_has_perm(tsec->sid, tsid,
1876 SECCLASS_DIR, DIR__SEARCH, NULL);
1877 } else {
1878 av = 0;
1879 if (op & 004)
1880 av |= FILE__READ;
1881 if (op & 002)
1882 av |= FILE__WRITE;
1883 if (av)
1884 error = avc_has_perm(tsec->sid, tsid,
1885 SECCLASS_FILE, av, NULL);
1886 }
1887
1888 return error;
1889 }
1890
1891 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1892 {
1893 int rc = 0;
1894
1895 if (!sb)
1896 return 0;
1897
1898 switch (cmds) {
1899 case Q_SYNC:
1900 case Q_QUOTAON:
1901 case Q_QUOTAOFF:
1902 case Q_SETINFO:
1903 case Q_SETQUOTA:
1904 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1905 NULL);
1906 break;
1907 case Q_GETFMT:
1908 case Q_GETINFO:
1909 case Q_GETQUOTA:
1910 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1911 NULL);
1912 break;
1913 default:
1914 rc = 0; /* let the kernel handle invalid cmds */
1915 break;
1916 }
1917 return rc;
1918 }
1919
1920 static int selinux_quota_on(struct dentry *dentry)
1921 {
1922 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1923 }
1924
1925 static int selinux_syslog(int type)
1926 {
1927 int rc;
1928
1929 rc = secondary_ops->syslog(type);
1930 if (rc)
1931 return rc;
1932
1933 switch (type) {
1934 case 3: /* Read last kernel messages */
1935 case 10: /* Return size of the log buffer */
1936 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1937 break;
1938 case 6: /* Disable logging to console */
1939 case 7: /* Enable logging to console */
1940 case 8: /* Set level of messages printed to console */
1941 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1942 break;
1943 case 0: /* Close log */
1944 case 1: /* Open log */
1945 case 2: /* Read from log */
1946 case 4: /* Read/clear last kernel messages */
1947 case 5: /* Clear ring buffer */
1948 default:
1949 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1950 break;
1951 }
1952 return rc;
1953 }
1954
1955 /*
1956 * Check that a process has enough memory to allocate a new virtual
1957 * mapping. 0 means there is enough memory for the allocation to
1958 * succeed and -ENOMEM implies there is not.
1959 *
1960 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1961 * if the capability is granted, but __vm_enough_memory requires 1 if
1962 * the capability is granted.
1963 *
1964 * Do not audit the selinux permission check, as this is applied to all
1965 * processes that allocate mappings.
1966 */
1967 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1968 {
1969 int rc, cap_sys_admin = 0;
1970 struct task_security_struct *tsec = current->security;
1971
1972 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1973 if (rc == 0)
1974 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1975 SECCLASS_CAPABILITY,
1976 CAP_TO_MASK(CAP_SYS_ADMIN),
1977 0,
1978 NULL);
1979
1980 if (rc == 0)
1981 cap_sys_admin = 1;
1982
1983 return __vm_enough_memory(mm, pages, cap_sys_admin);
1984 }
1985
1986 /**
1987 * task_tracer_task - return the task that is tracing the given task
1988 * @task: task to consider
1989 *
1990 * Returns NULL if noone is tracing @task, or the &struct task_struct
1991 * pointer to its tracer.
1992 *
1993 * Must be called under rcu_read_lock().
1994 */
1995 static struct task_struct *task_tracer_task(struct task_struct *task)
1996 {
1997 if (task->ptrace & PT_PTRACED)
1998 return rcu_dereference(task->parent);
1999 return NULL;
2000 }
2001
2002 /* binprm security operations */
2003
2004 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
2005 {
2006 struct bprm_security_struct *bsec;
2007
2008 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
2009 if (!bsec)
2010 return -ENOMEM;
2011
2012 bsec->sid = SECINITSID_UNLABELED;
2013 bsec->set = 0;
2014
2015 bprm->security = bsec;
2016 return 0;
2017 }
2018
2019 static int selinux_bprm_set_security(struct linux_binprm *bprm)
2020 {
2021 struct task_security_struct *tsec;
2022 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2023 struct inode_security_struct *isec;
2024 struct bprm_security_struct *bsec;
2025 u32 newsid;
2026 struct avc_audit_data ad;
2027 int rc;
2028
2029 rc = secondary_ops->bprm_set_security(bprm);
2030 if (rc)
2031 return rc;
2032
2033 bsec = bprm->security;
2034
2035 if (bsec->set)
2036 return 0;
2037
2038 tsec = current->security;
2039 isec = inode->i_security;
2040
2041 /* Default to the current task SID. */
2042 bsec->sid = tsec->sid;
2043
2044 /* Reset fs, key, and sock SIDs on execve. */
2045 tsec->create_sid = 0;
2046 tsec->keycreate_sid = 0;
2047 tsec->sockcreate_sid = 0;
2048
2049 if (tsec->exec_sid) {
2050 newsid = tsec->exec_sid;
2051 /* Reset exec SID on execve. */
2052 tsec->exec_sid = 0;
2053 } else {
2054 /* Check for a default transition on this program. */
2055 rc = security_transition_sid(tsec->sid, isec->sid,
2056 SECCLASS_PROCESS, &newsid);
2057 if (rc)
2058 return rc;
2059 }
2060
2061 AVC_AUDIT_DATA_INIT(&ad, FS);
2062 ad.u.fs.path = bprm->file->f_path;
2063
2064 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2065 newsid = tsec->sid;
2066
2067 if (tsec->sid == newsid) {
2068 rc = avc_has_perm(tsec->sid, isec->sid,
2069 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2070 if (rc)
2071 return rc;
2072 } else {
2073 /* Check permissions for the transition. */
2074 rc = avc_has_perm(tsec->sid, newsid,
2075 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2076 if (rc)
2077 return rc;
2078
2079 rc = avc_has_perm(newsid, isec->sid,
2080 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2081 if (rc)
2082 return rc;
2083
2084 /* Clear any possibly unsafe personality bits on exec: */
2085 current->personality &= ~PER_CLEAR_ON_SETID;
2086
2087 /* Set the security field to the new SID. */
2088 bsec->sid = newsid;
2089 }
2090
2091 bsec->set = 1;
2092 return 0;
2093 }
2094
2095 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2096 {
2097 return secondary_ops->bprm_check_security(bprm);
2098 }
2099
2100
2101 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2102 {
2103 struct task_security_struct *tsec = current->security;
2104 int atsecure = 0;
2105
2106 if (tsec->osid != tsec->sid) {
2107 /* Enable secure mode for SIDs transitions unless
2108 the noatsecure permission is granted between
2109 the two SIDs, i.e. ahp returns 0. */
2110 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2111 SECCLASS_PROCESS,
2112 PROCESS__NOATSECURE, NULL);
2113 }
2114
2115 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2116 }
2117
2118 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2119 {
2120 kfree(bprm->security);
2121 bprm->security = NULL;
2122 }
2123
2124 extern struct vfsmount *selinuxfs_mount;
2125 extern struct dentry *selinux_null;
2126
2127 /* Derived from fs/exec.c:flush_old_files. */
2128 static inline void flush_unauthorized_files(struct files_struct *files)
2129 {
2130 struct avc_audit_data ad;
2131 struct file *file, *devnull = NULL;
2132 struct tty_struct *tty;
2133 struct fdtable *fdt;
2134 long j = -1;
2135 int drop_tty = 0;
2136
2137 mutex_lock(&tty_mutex);
2138 tty = get_current_tty();
2139 if (tty) {
2140 file_list_lock();
2141 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2142 if (file) {
2143 /* Revalidate access to controlling tty.
2144 Use inode_has_perm on the tty inode directly rather
2145 than using file_has_perm, as this particular open
2146 file may belong to another process and we are only
2147 interested in the inode-based check here. */
2148 struct inode *inode = file->f_path.dentry->d_inode;
2149 if (inode_has_perm(current, inode,
2150 FILE__READ | FILE__WRITE, NULL)) {
2151 drop_tty = 1;
2152 }
2153 }
2154 file_list_unlock();
2155 }
2156 mutex_unlock(&tty_mutex);
2157 /* Reset controlling tty. */
2158 if (drop_tty)
2159 no_tty();
2160
2161 /* Revalidate access to inherited open files. */
2162
2163 AVC_AUDIT_DATA_INIT(&ad, FS);
2164
2165 spin_lock(&files->file_lock);
2166 for (;;) {
2167 unsigned long set, i;
2168 int fd;
2169
2170 j++;
2171 i = j * __NFDBITS;
2172 fdt = files_fdtable(files);
2173 if (i >= fdt->max_fds)
2174 break;
2175 set = fdt->open_fds->fds_bits[j];
2176 if (!set)
2177 continue;
2178 spin_unlock(&files->file_lock);
2179 for ( ; set ; i++, set >>= 1) {
2180 if (set & 1) {
2181 file = fget(i);
2182 if (!file)
2183 continue;
2184 if (file_has_perm(current,
2185 file,
2186 file_to_av(file))) {
2187 sys_close(i);
2188 fd = get_unused_fd();
2189 if (fd != i) {
2190 if (fd >= 0)
2191 put_unused_fd(fd);
2192 fput(file);
2193 continue;
2194 }
2195 if (devnull) {
2196 get_file(devnull);
2197 } else {
2198 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2199 if (IS_ERR(devnull)) {
2200 devnull = NULL;
2201 put_unused_fd(fd);
2202 fput(file);
2203 continue;
2204 }
2205 }
2206 fd_install(fd, devnull);
2207 }
2208 fput(file);
2209 }
2210 }
2211 spin_lock(&files->file_lock);
2212
2213 }
2214 spin_unlock(&files->file_lock);
2215 }
2216
2217 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2218 {
2219 struct task_security_struct *tsec;
2220 struct bprm_security_struct *bsec;
2221 u32 sid;
2222 int rc;
2223
2224 secondary_ops->bprm_apply_creds(bprm, unsafe);
2225
2226 tsec = current->security;
2227
2228 bsec = bprm->security;
2229 sid = bsec->sid;
2230
2231 tsec->osid = tsec->sid;
2232 bsec->unsafe = 0;
2233 if (tsec->sid != sid) {
2234 /* Check for shared state. If not ok, leave SID
2235 unchanged and kill. */
2236 if (unsafe & LSM_UNSAFE_SHARE) {
2237 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2238 PROCESS__SHARE, NULL);
2239 if (rc) {
2240 bsec->unsafe = 1;
2241 return;
2242 }
2243 }
2244
2245 /* Check for ptracing, and update the task SID if ok.
2246 Otherwise, leave SID unchanged and kill. */
2247 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2248 struct task_struct *tracer;
2249 struct task_security_struct *sec;
2250 u32 ptsid = 0;
2251
2252 rcu_read_lock();
2253 tracer = task_tracer_task(current);
2254 if (likely(tracer != NULL)) {
2255 sec = tracer->security;
2256 ptsid = sec->sid;
2257 }
2258 rcu_read_unlock();
2259
2260 if (ptsid != 0) {
2261 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2262 PROCESS__PTRACE, NULL);
2263 if (rc) {
2264 bsec->unsafe = 1;
2265 return;
2266 }
2267 }
2268 }
2269 tsec->sid = sid;
2270 }
2271 }
2272
2273 /*
2274 * called after apply_creds without the task lock held
2275 */
2276 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2277 {
2278 struct task_security_struct *tsec;
2279 struct rlimit *rlim, *initrlim;
2280 struct itimerval itimer;
2281 struct bprm_security_struct *bsec;
2282 int rc, i;
2283
2284 tsec = current->security;
2285 bsec = bprm->security;
2286
2287 if (bsec->unsafe) {
2288 force_sig_specific(SIGKILL, current);
2289 return;
2290 }
2291 if (tsec->osid == tsec->sid)
2292 return;
2293
2294 /* Close files for which the new task SID is not authorized. */
2295 flush_unauthorized_files(current->files);
2296
2297 /* Check whether the new SID can inherit signal state
2298 from the old SID. If not, clear itimers to avoid
2299 subsequent signal generation and flush and unblock
2300 signals. This must occur _after_ the task SID has
2301 been updated so that any kill done after the flush
2302 will be checked against the new SID. */
2303 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2304 PROCESS__SIGINH, NULL);
2305 if (rc) {
2306 memset(&itimer, 0, sizeof itimer);
2307 for (i = 0; i < 3; i++)
2308 do_setitimer(i, &itimer, NULL);
2309 flush_signals(current);
2310 spin_lock_irq(&current->sighand->siglock);
2311 flush_signal_handlers(current, 1);
2312 sigemptyset(&current->blocked);
2313 recalc_sigpending();
2314 spin_unlock_irq(&current->sighand->siglock);
2315 }
2316
2317 /* Always clear parent death signal on SID transitions. */
2318 current->pdeath_signal = 0;
2319
2320 /* Check whether the new SID can inherit resource limits
2321 from the old SID. If not, reset all soft limits to
2322 the lower of the current task's hard limit and the init
2323 task's soft limit. Note that the setting of hard limits
2324 (even to lower them) can be controlled by the setrlimit
2325 check. The inclusion of the init task's soft limit into
2326 the computation is to avoid resetting soft limits higher
2327 than the default soft limit for cases where the default
2328 is lower than the hard limit, e.g. RLIMIT_CORE or
2329 RLIMIT_STACK.*/
2330 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2331 PROCESS__RLIMITINH, NULL);
2332 if (rc) {
2333 for (i = 0; i < RLIM_NLIMITS; i++) {
2334 rlim = current->signal->rlim + i;
2335 initrlim = init_task.signal->rlim+i;
2336 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2337 }
2338 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2339 /*
2340 * This will cause RLIMIT_CPU calculations
2341 * to be refigured.
2342 */
2343 current->it_prof_expires = jiffies_to_cputime(1);
2344 }
2345 }
2346
2347 /* Wake up the parent if it is waiting so that it can
2348 recheck wait permission to the new task SID. */
2349 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2350 }
2351
2352 /* superblock security operations */
2353
2354 static int selinux_sb_alloc_security(struct super_block *sb)
2355 {
2356 return superblock_alloc_security(sb);
2357 }
2358
2359 static void selinux_sb_free_security(struct super_block *sb)
2360 {
2361 superblock_free_security(sb);
2362 }
2363
2364 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2365 {
2366 if (plen > olen)
2367 return 0;
2368
2369 return !memcmp(prefix, option, plen);
2370 }
2371
2372 static inline int selinux_option(char *option, int len)
2373 {
2374 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2375 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2376 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2377 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2378 }
2379
2380 static inline void take_option(char **to, char *from, int *first, int len)
2381 {
2382 if (!*first) {
2383 **to = ',';
2384 *to += 1;
2385 } else
2386 *first = 0;
2387 memcpy(*to, from, len);
2388 *to += len;
2389 }
2390
2391 static inline void take_selinux_option(char **to, char *from, int *first,
2392 int len)
2393 {
2394 int current_size = 0;
2395
2396 if (!*first) {
2397 **to = '|';
2398 *to += 1;
2399 } else
2400 *first = 0;
2401
2402 while (current_size < len) {
2403 if (*from != '"') {
2404 **to = *from;
2405 *to += 1;
2406 }
2407 from += 1;
2408 current_size += 1;
2409 }
2410 }
2411
2412 static int selinux_sb_copy_data(char *orig, char *copy)
2413 {
2414 int fnosec, fsec, rc = 0;
2415 char *in_save, *in_curr, *in_end;
2416 char *sec_curr, *nosec_save, *nosec;
2417 int open_quote = 0;
2418
2419 in_curr = orig;
2420 sec_curr = copy;
2421
2422 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2423 if (!nosec) {
2424 rc = -ENOMEM;
2425 goto out;
2426 }
2427
2428 nosec_save = nosec;
2429 fnosec = fsec = 1;
2430 in_save = in_end = orig;
2431
2432 do {
2433 if (*in_end == '"')
2434 open_quote = !open_quote;
2435 if ((*in_end == ',' && open_quote == 0) ||
2436 *in_end == '\0') {
2437 int len = in_end - in_curr;
2438
2439 if (selinux_option(in_curr, len))
2440 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2441 else
2442 take_option(&nosec, in_curr, &fnosec, len);
2443
2444 in_curr = in_end + 1;
2445 }
2446 } while (*in_end++);
2447
2448 strcpy(in_save, nosec_save);
2449 free_page((unsigned long)nosec_save);
2450 out:
2451 return rc;
2452 }
2453
2454 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2455 {
2456 struct avc_audit_data ad;
2457 int rc;
2458
2459 rc = superblock_doinit(sb, data);
2460 if (rc)
2461 return rc;
2462
2463 AVC_AUDIT_DATA_INIT(&ad, FS);
2464 ad.u.fs.path.dentry = sb->s_root;
2465 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2466 }
2467
2468 static int selinux_sb_statfs(struct dentry *dentry)
2469 {
2470 struct avc_audit_data ad;
2471
2472 AVC_AUDIT_DATA_INIT(&ad, FS);
2473 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2474 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2475 }
2476
2477 static int selinux_mount(char *dev_name,
2478 struct path *path,
2479 char *type,
2480 unsigned long flags,
2481 void *data)
2482 {
2483 int rc;
2484
2485 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2486 if (rc)
2487 return rc;
2488
2489 if (flags & MS_REMOUNT)
2490 return superblock_has_perm(current, path->mnt->mnt_sb,
2491 FILESYSTEM__REMOUNT, NULL);
2492 else
2493 return dentry_has_perm(current, path->mnt, path->dentry,
2494 FILE__MOUNTON);
2495 }
2496
2497 static int selinux_umount(struct vfsmount *mnt, int flags)
2498 {
2499 int rc;
2500
2501 rc = secondary_ops->sb_umount(mnt, flags);
2502 if (rc)
2503 return rc;
2504
2505 return superblock_has_perm(current, mnt->mnt_sb,
2506 FILESYSTEM__UNMOUNT, NULL);
2507 }
2508
2509 /* inode security operations */
2510
2511 static int selinux_inode_alloc_security(struct inode *inode)
2512 {
2513 return inode_alloc_security(inode);
2514 }
2515
2516 static void selinux_inode_free_security(struct inode *inode)
2517 {
2518 inode_free_security(inode);
2519 }
2520
2521 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2522 char **name, void **value,
2523 size_t *len)
2524 {
2525 struct task_security_struct *tsec;
2526 struct inode_security_struct *dsec;
2527 struct superblock_security_struct *sbsec;
2528 u32 newsid, clen;
2529 int rc;
2530 char *namep = NULL, *context;
2531
2532 tsec = current->security;
2533 dsec = dir->i_security;
2534 sbsec = dir->i_sb->s_security;
2535
2536 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2537 newsid = tsec->create_sid;
2538 } else {
2539 rc = security_transition_sid(tsec->sid, dsec->sid,
2540 inode_mode_to_security_class(inode->i_mode),
2541 &newsid);
2542 if (rc) {
2543 printk(KERN_WARNING "%s: "
2544 "security_transition_sid failed, rc=%d (dev=%s "
2545 "ino=%ld)\n",
2546 __func__,
2547 -rc, inode->i_sb->s_id, inode->i_ino);
2548 return rc;
2549 }
2550 }
2551
2552 /* Possibly defer initialization to selinux_complete_init. */
2553 if (sbsec->initialized) {
2554 struct inode_security_struct *isec = inode->i_security;
2555 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2556 isec->sid = newsid;
2557 isec->initialized = 1;
2558 }
2559
2560 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2561 return -EOPNOTSUPP;
2562
2563 if (name) {
2564 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2565 if (!namep)
2566 return -ENOMEM;
2567 *name = namep;
2568 }
2569
2570 if (value && len) {
2571 rc = security_sid_to_context_force(newsid, &context, &clen);
2572 if (rc) {
2573 kfree(namep);
2574 return rc;
2575 }
2576 *value = context;
2577 *len = clen;
2578 }
2579
2580 return 0;
2581 }
2582
2583 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2584 {
2585 return may_create(dir, dentry, SECCLASS_FILE);
2586 }
2587
2588 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2589 {
2590 int rc;
2591
2592 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2593 if (rc)
2594 return rc;
2595 return may_link(dir, old_dentry, MAY_LINK);
2596 }
2597
2598 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2599 {
2600 int rc;
2601
2602 rc = secondary_ops->inode_unlink(dir, dentry);
2603 if (rc)
2604 return rc;
2605 return may_link(dir, dentry, MAY_UNLINK);
2606 }
2607
2608 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2609 {
2610 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2611 }
2612
2613 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2614 {
2615 return may_create(dir, dentry, SECCLASS_DIR);
2616 }
2617
2618 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2619 {
2620 return may_link(dir, dentry, MAY_RMDIR);
2621 }
2622
2623 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2624 {
2625 int rc;
2626
2627 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2628 if (rc)
2629 return rc;
2630
2631 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2632 }
2633
2634 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2635 struct inode *new_inode, struct dentry *new_dentry)
2636 {
2637 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2638 }
2639
2640 static int selinux_inode_readlink(struct dentry *dentry)
2641 {
2642 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2643 }
2644
2645 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2646 {
2647 int rc;
2648
2649 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2650 if (rc)
2651 return rc;
2652 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2653 }
2654
2655 static int selinux_inode_permission(struct inode *inode, int mask,
2656 struct nameidata *nd)
2657 {
2658 int rc;
2659
2660 rc = secondary_ops->inode_permission(inode, mask, nd);
2661 if (rc)
2662 return rc;
2663
2664 if (!mask) {
2665 /* No permission to check. Existence test. */
2666 return 0;
2667 }
2668
2669 return inode_has_perm(current, inode,
2670 open_file_mask_to_av(inode->i_mode, mask), NULL);
2671 }
2672
2673 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2674 {
2675 int rc;
2676
2677 rc = secondary_ops->inode_setattr(dentry, iattr);
2678 if (rc)
2679 return rc;
2680
2681 if (iattr->ia_valid & ATTR_FORCE)
2682 return 0;
2683
2684 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2685 ATTR_ATIME_SET | ATTR_MTIME_SET))
2686 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2687
2688 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2689 }
2690
2691 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2692 {
2693 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2694 }
2695
2696 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2697 {
2698 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2699 sizeof XATTR_SECURITY_PREFIX - 1)) {
2700 if (!strcmp(name, XATTR_NAME_CAPS)) {
2701 if (!capable(CAP_SETFCAP))
2702 return -EPERM;
2703 } else if (!capable(CAP_SYS_ADMIN)) {
2704 /* A different attribute in the security namespace.
2705 Restrict to administrator. */
2706 return -EPERM;
2707 }
2708 }
2709
2710 /* Not an attribute we recognize, so just check the
2711 ordinary setattr permission. */
2712 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2713 }
2714
2715 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2716 const void *value, size_t size, int flags)
2717 {
2718 struct task_security_struct *tsec = current->security;
2719 struct inode *inode = dentry->d_inode;
2720 struct inode_security_struct *isec = inode->i_security;
2721 struct superblock_security_struct *sbsec;
2722 struct avc_audit_data ad;
2723 u32 newsid;
2724 int rc = 0;
2725
2726 if (strcmp(name, XATTR_NAME_SELINUX))
2727 return selinux_inode_setotherxattr(dentry, name);
2728
2729 sbsec = inode->i_sb->s_security;
2730 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2731 return -EOPNOTSUPP;
2732
2733 if (!is_owner_or_cap(inode))
2734 return -EPERM;
2735
2736 AVC_AUDIT_DATA_INIT(&ad, FS);
2737 ad.u.fs.path.dentry = dentry;
2738
2739 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2740 FILE__RELABELFROM, &ad);
2741 if (rc)
2742 return rc;
2743
2744 rc = security_context_to_sid(value, size, &newsid);
2745 if (rc == -EINVAL) {
2746 if (!capable(CAP_MAC_ADMIN))
2747 return rc;
2748 rc = security_context_to_sid_force(value, size, &newsid);
2749 }
2750 if (rc)
2751 return rc;
2752
2753 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2754 FILE__RELABELTO, &ad);
2755 if (rc)
2756 return rc;
2757
2758 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2759 isec->sclass);
2760 if (rc)
2761 return rc;
2762
2763 return avc_has_perm(newsid,
2764 sbsec->sid,
2765 SECCLASS_FILESYSTEM,
2766 FILESYSTEM__ASSOCIATE,
2767 &ad);
2768 }
2769
2770 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2771 const void *value, size_t size,
2772 int flags)
2773 {
2774 struct inode *inode = dentry->d_inode;
2775 struct inode_security_struct *isec = inode->i_security;
2776 u32 newsid;
2777 int rc;
2778
2779 if (strcmp(name, XATTR_NAME_SELINUX)) {
2780 /* Not an attribute we recognize, so nothing to do. */
2781 return;
2782 }
2783
2784 rc = security_context_to_sid_force(value, size, &newsid);
2785 if (rc) {
2786 printk(KERN_ERR "SELinux: unable to map context to SID"
2787 "for (%s, %lu), rc=%d\n",
2788 inode->i_sb->s_id, inode->i_ino, -rc);
2789 return;
2790 }
2791
2792 isec->sid = newsid;
2793 return;
2794 }
2795
2796 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2797 {
2798 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2799 }
2800
2801 static int selinux_inode_listxattr(struct dentry *dentry)
2802 {
2803 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2804 }
2805
2806 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2807 {
2808 if (strcmp(name, XATTR_NAME_SELINUX))
2809 return selinux_inode_setotherxattr(dentry, name);
2810
2811 /* No one is allowed to remove a SELinux security label.
2812 You can change the label, but all data must be labeled. */
2813 return -EACCES;
2814 }
2815
2816 /*
2817 * Copy the inode security context value to the user.
2818 *
2819 * Permission check is handled by selinux_inode_getxattr hook.
2820 */
2821 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2822 {
2823 u32 size;
2824 int error;
2825 char *context = NULL;
2826 struct task_security_struct *tsec = current->security;
2827 struct inode_security_struct *isec = inode->i_security;
2828
2829 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2830 return -EOPNOTSUPP;
2831
2832 /*
2833 * If the caller has CAP_MAC_ADMIN, then get the raw context
2834 * value even if it is not defined by current policy; otherwise,
2835 * use the in-core value under current policy.
2836 * Use the non-auditing forms of the permission checks since
2837 * getxattr may be called by unprivileged processes commonly
2838 * and lack of permission just means that we fall back to the
2839 * in-core context value, not a denial.
2840 */
2841 error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2842 if (!error)
2843 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2844 SECCLASS_CAPABILITY2,
2845 CAPABILITY2__MAC_ADMIN,
2846 0,
2847 NULL);
2848 if (!error)
2849 error = security_sid_to_context_force(isec->sid, &context,
2850 &size);
2851 else
2852 error = security_sid_to_context(isec->sid, &context, &size);
2853 if (error)
2854 return error;
2855 error = size;
2856 if (alloc) {
2857 *buffer = context;
2858 goto out_nofree;
2859 }
2860 kfree(context);
2861 out_nofree:
2862 return error;
2863 }
2864
2865 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2866 const void *value, size_t size, int flags)
2867 {
2868 struct inode_security_struct *isec = inode->i_security;
2869 u32 newsid;
2870 int rc;
2871
2872 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2873 return -EOPNOTSUPP;
2874
2875 if (!value || !size)
2876 return -EACCES;
2877
2878 rc = security_context_to_sid((void *)value, size, &newsid);
2879 if (rc)
2880 return rc;
2881
2882 isec->sid = newsid;
2883 return 0;
2884 }
2885
2886 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2887 {
2888 const int len = sizeof(XATTR_NAME_SELINUX);
2889 if (buffer && len <= buffer_size)
2890 memcpy(buffer, XATTR_NAME_SELINUX, len);
2891 return len;
2892 }
2893
2894 static int selinux_inode_need_killpriv(struct dentry *dentry)
2895 {
2896 return secondary_ops->inode_need_killpriv(dentry);
2897 }
2898
2899 static int selinux_inode_killpriv(struct dentry *dentry)
2900 {
2901 return secondary_ops->inode_killpriv(dentry);
2902 }
2903
2904 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2905 {
2906 struct inode_security_struct *isec = inode->i_security;
2907 *secid = isec->sid;
2908 }
2909
2910 /* file security operations */
2911
2912 static int selinux_revalidate_file_permission(struct file *file, int mask)
2913 {
2914 int rc;
2915 struct inode *inode = file->f_path.dentry->d_inode;
2916
2917 if (!mask) {
2918 /* No permission to check. Existence test. */
2919 return 0;
2920 }
2921
2922 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2923 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2924 mask |= MAY_APPEND;
2925
2926 rc = file_has_perm(current, file,
2927 file_mask_to_av(inode->i_mode, mask));
2928 if (rc)
2929 return rc;
2930
2931 return selinux_netlbl_inode_permission(inode, mask);
2932 }
2933
2934 static int selinux_file_permission(struct file *file, int mask)
2935 {
2936 struct inode *inode = file->f_path.dentry->d_inode;
2937 struct task_security_struct *tsec = current->security;
2938 struct file_security_struct *fsec = file->f_security;
2939 struct inode_security_struct *isec = inode->i_security;
2940
2941 if (!mask) {
2942 /* No permission to check. Existence test. */
2943 return 0;
2944 }
2945
2946 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2947 && fsec->pseqno == avc_policy_seqno())
2948 return selinux_netlbl_inode_permission(inode, mask);
2949
2950 return selinux_revalidate_file_permission(file, mask);
2951 }
2952
2953 static int selinux_file_alloc_security(struct file *file)
2954 {
2955 return file_alloc_security(file);
2956 }
2957
2958 static void selinux_file_free_security(struct file *file)
2959 {
2960 file_free_security(file);
2961 }
2962
2963 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2964 unsigned long arg)
2965 {
2966 u32 av = 0;
2967
2968 if (_IOC_DIR(cmd) & _IOC_WRITE)
2969 av |= FILE__WRITE;
2970 if (_IOC_DIR(cmd) & _IOC_READ)
2971 av |= FILE__READ;
2972 if (!av)
2973 av = FILE__IOCTL;
2974
2975 return file_has_perm(current, file, av);
2976 }
2977
2978 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2979 {
2980 #ifndef CONFIG_PPC32
2981 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2982 /*
2983 * We are making executable an anonymous mapping or a
2984 * private file mapping that will also be writable.
2985 * This has an additional check.
2986 */
2987 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2988 if (rc)
2989 return rc;
2990 }
2991 #endif
2992
2993 if (file) {
2994 /* read access is always possible with a mapping */
2995 u32 av = FILE__READ;
2996
2997 /* write access only matters if the mapping is shared */
2998 if (shared && (prot & PROT_WRITE))
2999 av |= FILE__WRITE;
3000
3001 if (prot & PROT_EXEC)
3002 av |= FILE__EXECUTE;
3003
3004 return file_has_perm(current, file, av);
3005 }
3006 return 0;
3007 }
3008
3009 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3010 unsigned long prot, unsigned long flags,
3011 unsigned long addr, unsigned long addr_only)
3012 {
3013 int rc = 0;
3014 u32 sid = ((struct task_security_struct *)(current->security))->sid;
3015
3016 if (addr < mmap_min_addr)
3017 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3018 MEMPROTECT__MMAP_ZERO, NULL);
3019 if (rc || addr_only)
3020 return rc;
3021
3022 if (selinux_checkreqprot)
3023 prot = reqprot;
3024
3025 return file_map_prot_check(file, prot,
3026 (flags & MAP_TYPE) == MAP_SHARED);
3027 }
3028
3029 static int selinux_file_mprotect(struct vm_area_struct *vma,
3030 unsigned long reqprot,
3031 unsigned long prot)
3032 {
3033 int rc;
3034
3035 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3036 if (rc)
3037 return rc;
3038
3039 if (selinux_checkreqprot)
3040 prot = reqprot;
3041
3042 #ifndef CONFIG_PPC32
3043 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3044 rc = 0;
3045 if (vma->vm_start >= vma->vm_mm->start_brk &&
3046 vma->vm_end <= vma->vm_mm->brk) {
3047 rc = task_has_perm(current, current,
3048 PROCESS__EXECHEAP);
3049 } else if (!vma->vm_file &&
3050 vma->vm_start <= vma->vm_mm->start_stack &&
3051 vma->vm_end >= vma->vm_mm->start_stack) {
3052 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3053 } else if (vma->vm_file && vma->anon_vma) {
3054 /*
3055 * We are making executable a file mapping that has
3056 * had some COW done. Since pages might have been
3057 * written, check ability to execute the possibly
3058 * modified content. This typically should only
3059 * occur for text relocations.
3060 */
3061 rc = file_has_perm(current, vma->vm_file,
3062 FILE__EXECMOD);
3063 }
3064 if (rc)
3065 return rc;
3066 }
3067 #endif
3068
3069 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3070 }
3071
3072 static int selinux_file_lock(struct file *file, unsigned int cmd)
3073 {
3074 return file_has_perm(current, file, FILE__LOCK);
3075 }
3076
3077 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3078 unsigned long arg)
3079 {
3080 int err = 0;
3081
3082 switch (cmd) {
3083 case F_SETFL:
3084 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3085 err = -EINVAL;
3086 break;
3087 }
3088
3089 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3090 err = file_has_perm(current, file, FILE__WRITE);
3091 break;
3092 }
3093 /* fall through */
3094 case F_SETOWN:
3095 case F_SETSIG:
3096 case F_GETFL:
3097 case F_GETOWN:
3098 case F_GETSIG:
3099 /* Just check FD__USE permission */
3100 err = file_has_perm(current, file, 0);
3101 break;
3102 case F_GETLK:
3103 case F_SETLK:
3104 case F_SETLKW:
3105 #if BITS_PER_LONG == 32
3106 case F_GETLK64:
3107 case F_SETLK64:
3108 case F_SETLKW64:
3109 #endif
3110 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3111 err = -EINVAL;
3112 break;
3113 }
3114 err = file_has_perm(current, file, FILE__LOCK);
3115 break;
3116 }
3117
3118 return err;
3119 }
3120
3121 static int selinux_file_set_fowner(struct file *file)
3122 {
3123 struct task_security_struct *tsec;
3124 struct file_security_struct *fsec;
3125
3126 tsec = current->security;
3127 fsec = file->f_security;
3128 fsec->fown_sid = tsec->sid;
3129
3130 return 0;
3131 }
3132
3133 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3134 struct fown_struct *fown, int signum)
3135 {
3136 struct file *file;
3137 u32 perm;
3138 struct task_security_struct *tsec;
3139 struct file_security_struct *fsec;
3140
3141 /* struct fown_struct is never outside the context of a struct file */
3142 file = container_of(fown, struct file, f_owner);
3143
3144 tsec = tsk->security;
3145 fsec = file->f_security;
3146
3147 if (!signum)
3148 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3149 else
3150 perm = signal_to_av(signum);
3151
3152 return avc_has_perm(fsec->fown_sid, tsec->sid,
3153 SECCLASS_PROCESS, perm, NULL);
3154 }
3155
3156 static int selinux_file_receive(struct file *file)
3157 {
3158 return file_has_perm(current, file, file_to_av(file));
3159 }
3160
3161 static int selinux_dentry_open(struct file *file)
3162 {
3163 struct file_security_struct *fsec;
3164 struct inode *inode;
3165 struct inode_security_struct *isec;
3166 inode = file->f_path.dentry->d_inode;
3167 fsec = file->f_security;
3168 isec = inode->i_security;
3169 /*
3170 * Save inode label and policy sequence number
3171 * at open-time so that selinux_file_permission
3172 * can determine whether revalidation is necessary.
3173 * Task label is already saved in the file security
3174 * struct as its SID.
3175 */
3176 fsec->isid = isec->sid;
3177 fsec->pseqno = avc_policy_seqno();
3178 /*
3179 * Since the inode label or policy seqno may have changed
3180 * between the selinux_inode_permission check and the saving
3181 * of state above, recheck that access is still permitted.
3182 * Otherwise, access might never be revalidated against the
3183 * new inode label or new policy.
3184 * This check is not redundant - do not remove.
3185 */
3186 return inode_has_perm(current, inode, file_to_av(file), NULL);
3187 }
3188
3189 /* task security operations */
3190
3191 static int selinux_task_create(unsigned long clone_flags)
3192 {
3193 int rc;
3194
3195 rc = secondary_ops->task_create(clone_flags);
3196 if (rc)
3197 return rc;
3198
3199 return task_has_perm(current, current, PROCESS__FORK);
3200 }
3201
3202 static int selinux_task_alloc_security(struct task_struct *tsk)
3203 {
3204 struct task_security_struct *tsec1, *tsec2;
3205 int rc;
3206
3207 tsec1 = current->security;
3208
3209 rc = task_alloc_security(tsk);
3210 if (rc)
3211 return rc;
3212 tsec2 = tsk->security;
3213
3214 tsec2->osid = tsec1->osid;
3215 tsec2->sid = tsec1->sid;
3216
3217 /* Retain the exec, fs, key, and sock SIDs across fork */
3218 tsec2->exec_sid = tsec1->exec_sid;
3219 tsec2->create_sid = tsec1->create_sid;
3220 tsec2->keycreate_sid = tsec1->keycreate_sid;
3221 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3222
3223 return 0;
3224 }
3225
3226 static void selinux_task_free_security(struct task_struct *tsk)
3227 {
3228 task_free_security(tsk);
3229 }
3230
3231 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3232 {
3233 /* Since setuid only affects the current process, and
3234 since the SELinux controls are not based on the Linux
3235 identity attributes, SELinux does not need to control
3236 this operation. However, SELinux does control the use
3237 of the CAP_SETUID and CAP_SETGID capabilities using the
3238 capable hook. */
3239 return 0;
3240 }
3241
3242 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3243 {
3244 return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3245 }
3246
3247 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3248 {
3249 /* See the comment for setuid above. */
3250 return 0;
3251 }
3252
3253 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3254 {
3255 return task_has_perm(current, p, PROCESS__SETPGID);
3256 }
3257
3258 static int selinux_task_getpgid(struct task_struct *p)
3259 {
3260 return task_has_perm(current, p, PROCESS__GETPGID);
3261 }
3262
3263 static int selinux_task_getsid(struct task_struct *p)
3264 {
3265 return task_has_perm(current, p, PROCESS__GETSESSION);
3266 }
3267
3268 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3269 {
3270 struct task_security_struct *tsec = p->security;
3271 *secid = tsec->sid;
3272 }
3273
3274 static int selinux_task_setgroups(struct group_info *group_info)
3275 {
3276 /* See the comment for setuid above. */
3277 return 0;
3278 }
3279
3280 static int selinux_task_setnice(struct task_struct *p, int nice)
3281 {
3282 int rc;
3283
3284 rc = secondary_ops->task_setnice(p, nice);
3285 if (rc)
3286 return rc;
3287
3288 return task_has_perm(current, p, PROCESS__SETSCHED);
3289 }
3290
3291 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3292 {
3293 int rc;
3294
3295 rc = secondary_ops->task_setioprio(p, ioprio);
3296 if (rc)
3297 return rc;
3298
3299 return task_has_perm(current, p, PROCESS__SETSCHED);
3300 }
3301
3302 static int selinux_task_getioprio(struct task_struct *p)
3303 {
3304 return task_has_perm(current, p, PROCESS__GETSCHED);
3305 }
3306
3307 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3308 {
3309 struct rlimit *old_rlim = current->signal->rlim + resource;
3310 int rc;
3311
3312 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3313 if (rc)
3314 return rc;
3315
3316 /* Control the ability to change the hard limit (whether
3317 lowering or raising it), so that the hard limit can
3318 later be used as a safe reset point for the soft limit
3319 upon context transitions. See selinux_bprm_apply_creds. */
3320 if (old_rlim->rlim_max != new_rlim->rlim_max)
3321 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3322
3323 return 0;
3324 }
3325
3326 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3327 {
3328 int rc;
3329
3330 rc = secondary_ops->task_setscheduler(p, policy, lp);
3331 if (rc)
3332 return rc;
3333
3334 return task_has_perm(current, p, PROCESS__SETSCHED);
3335 }
3336
3337 static int selinux_task_getscheduler(struct task_struct *p)
3338 {
3339 return task_has_perm(current, p, PROCESS__GETSCHED);
3340 }
3341
3342 static int selinux_task_movememory(struct task_struct *p)
3343 {
3344 return task_has_perm(current, p, PROCESS__SETSCHED);
3345 }
3346
3347 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3348 int sig, u32 secid)
3349 {
3350 u32 perm;
3351 int rc;
3352 struct task_security_struct *tsec;
3353
3354 rc = secondary_ops->task_kill(p, info, sig, secid);
3355 if (rc)
3356 return rc;
3357
3358 if (!sig)
3359 perm = PROCESS__SIGNULL; /* null signal; existence test */
3360 else
3361 perm = signal_to_av(sig);
3362 tsec = p->security;
3363 if (secid)
3364 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3365 else
3366 rc = task_has_perm(current, p, perm);
3367 return rc;
3368 }
3369
3370 static int selinux_task_prctl(int option,
3371 unsigned long arg2,
3372 unsigned long arg3,
3373 unsigned long arg4,
3374 unsigned long arg5,
3375 long *rc_p)
3376 {
3377 /* The current prctl operations do not appear to require
3378 any SELinux controls since they merely observe or modify
3379 the state of the current process. */
3380 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3381 }
3382
3383 static int selinux_task_wait(struct task_struct *p)
3384 {
3385 return task_has_perm(p, current, PROCESS__SIGCHLD);
3386 }
3387
3388 static void selinux_task_reparent_to_init(struct task_struct *p)
3389 {
3390 struct task_security_struct *tsec;
3391
3392 secondary_ops->task_reparent_to_init(p);
3393
3394 tsec = p->security;
3395 tsec->osid = tsec->sid;
3396 tsec->sid = SECINITSID_KERNEL;
3397 return;
3398 }
3399
3400 static void selinux_task_to_inode(struct task_struct *p,
3401 struct inode *inode)
3402 {
3403 struct task_security_struct *tsec = p->security;
3404 struct inode_security_struct *isec = inode->i_security;
3405
3406 isec->sid = tsec->sid;
3407 isec->initialized = 1;
3408 return;
3409 }
3410
3411 /* Returns error only if unable to parse addresses */
3412 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3413 struct avc_audit_data *ad, u8 *proto)
3414 {
3415 int offset, ihlen, ret = -EINVAL;
3416 struct iphdr _iph, *ih;
3417
3418 offset = skb_network_offset(skb);
3419 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3420 if (ih == NULL)
3421 goto out;
3422
3423 ihlen = ih->ihl * 4;
3424 if (ihlen < sizeof(_iph))
3425 goto out;
3426
3427 ad->u.net.v4info.saddr = ih->saddr;
3428 ad->u.net.v4info.daddr = ih->daddr;
3429 ret = 0;
3430
3431 if (proto)
3432 *proto = ih->protocol;
3433
3434 switch (ih->protocol) {
3435 case IPPROTO_TCP: {
3436 struct tcphdr _tcph, *th;
3437
3438 if (ntohs(ih->frag_off) & IP_OFFSET)
3439 break;
3440
3441 offset += ihlen;
3442 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3443 if (th == NULL)
3444 break;
3445
3446 ad->u.net.sport = th->source;
3447 ad->u.net.dport = th->dest;
3448 break;
3449 }
3450
3451 case IPPROTO_UDP: {
3452 struct udphdr _udph, *uh;
3453
3454 if (ntohs(ih->frag_off) & IP_OFFSET)
3455 break;
3456
3457 offset += ihlen;
3458 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3459 if (uh == NULL)
3460 break;
3461
3462 ad->u.net.sport = uh->source;
3463 ad->u.net.dport = uh->dest;
3464 break;
3465 }
3466
3467 case IPPROTO_DCCP: {
3468 struct dccp_hdr _dccph, *dh;
3469
3470 if (ntohs(ih->frag_off) & IP_OFFSET)
3471 break;
3472
3473 offset += ihlen;
3474 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3475 if (dh == NULL)
3476 break;
3477
3478 ad->u.net.sport = dh->dccph_sport;
3479 ad->u.net.dport = dh->dccph_dport;
3480 break;
3481 }
3482
3483 default:
3484 break;
3485 }
3486 out:
3487 return ret;
3488 }
3489
3490 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3491
3492 /* Returns error only if unable to parse addresses */
3493 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3494 struct avc_audit_data *ad, u8 *proto)
3495 {
3496 u8 nexthdr;
3497 int ret = -EINVAL, offset;
3498 struct ipv6hdr _ipv6h, *ip6;
3499
3500 offset = skb_network_offset(skb);
3501 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3502 if (ip6 == NULL)
3503 goto out;
3504
3505 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3506 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3507 ret = 0;
3508
3509 nexthdr = ip6->nexthdr;
3510 offset += sizeof(_ipv6h);
3511 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3512 if (offset < 0)
3513 goto out;
3514
3515 if (proto)
3516 *proto = nexthdr;
3517
3518 switch (nexthdr) {
3519 case IPPROTO_TCP: {
3520 struct tcphdr _tcph, *th;
3521
3522 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3523 if (th == NULL)
3524 break;
3525
3526 ad->u.net.sport = th->source;
3527 ad->u.net.dport = th->dest;
3528 break;
3529 }
3530
3531 case IPPROTO_UDP: {
3532 struct udphdr _udph, *uh;
3533
3534 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3535 if (uh == NULL)
3536 break;
3537
3538 ad->u.net.sport = uh->source;
3539 ad->u.net.dport = uh->dest;
3540 break;
3541 }
3542
3543 case IPPROTO_DCCP: {
3544 struct dccp_hdr _dccph, *dh;
3545
3546 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3547 if (dh == NULL)
3548 break;
3549
3550 ad->u.net.sport = dh->dccph_sport;
3551 ad->u.net.dport = dh->dccph_dport;
3552 break;
3553 }
3554
3555 /* includes fragments */
3556 default:
3557 break;
3558 }
3559 out:
3560 return ret;
3561 }
3562
3563 #endif /* IPV6 */
3564
3565 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3566 char **addrp, int src, u8 *proto)
3567 {
3568 int ret = 0;
3569
3570 switch (ad->u.net.family) {
3571 case PF_INET:
3572 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3573 if (ret || !addrp)
3574 break;
3575 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3576 &ad->u.net.v4info.daddr);
3577 break;
3578
3579 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3580 case PF_INET6:
3581 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3582 if (ret || !addrp)
3583 break;
3584 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3585 &ad->u.net.v6info.daddr);
3586 break;
3587 #endif /* IPV6 */
3588 default:
3589 break;
3590 }
3591
3592 if (unlikely(ret))
3593 printk(KERN_WARNING
3594 "SELinux: failure in selinux_parse_skb(),"
3595 " unable to parse packet\n");
3596
3597 return ret;
3598 }
3599
3600 /**
3601 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3602 * @skb: the packet
3603 * @family: protocol family
3604 * @sid: the packet's peer label SID
3605 *
3606 * Description:
3607 * Check the various different forms of network peer labeling and determine
3608 * the peer label/SID for the packet; most of the magic actually occurs in
3609 * the security server function security_net_peersid_cmp(). The function
3610 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3611 * or -EACCES if @sid is invalid due to inconsistencies with the different
3612 * peer labels.
3613 *
3614 */
3615 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3616 {
3617 int err;
3618 u32 xfrm_sid;
3619 u32 nlbl_sid;
3620 u32 nlbl_type;
3621
3622 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3623 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3624
3625 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3626 if (unlikely(err)) {
3627 printk(KERN_WARNING
3628 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3629 " unable to determine packet's peer label\n");
3630 return -EACCES;
3631 }
3632
3633 return 0;
3634 }
3635
3636 /* socket security operations */
3637 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3638 u32 perms)
3639 {
3640 struct inode_security_struct *isec;
3641 struct task_security_struct *tsec;
3642 struct avc_audit_data ad;
3643 int err = 0;
3644
3645 tsec = task->security;
3646 isec = SOCK_INODE(sock)->i_security;
3647
3648 if (isec->sid == SECINITSID_KERNEL)
3649 goto out;
3650
3651 AVC_AUDIT_DATA_INIT(&ad, NET);
3652 ad.u.net.sk = sock->sk;
3653 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3654
3655 out:
3656 return err;
3657 }
3658
3659 static int selinux_socket_create(int family, int type,
3660 int protocol, int kern)
3661 {
3662 int err = 0;
3663 struct task_security_struct *tsec;
3664 u32 newsid;
3665
3666 if (kern)
3667 goto out;
3668
3669 tsec = current->security;
3670 newsid = tsec->sockcreate_sid ? : tsec->sid;
3671 err = avc_has_perm(tsec->sid, newsid,
3672 socket_type_to_security_class(family, type,
3673 protocol), SOCKET__CREATE, NULL);
3674
3675 out:
3676 return err;
3677 }
3678
3679 static int selinux_socket_post_create(struct socket *sock, int family,
3680 int type, int protocol, int kern)
3681 {
3682 int err = 0;
3683 struct inode_security_struct *isec;
3684 struct task_security_struct *tsec;
3685 struct sk_security_struct *sksec;
3686 u32 newsid;
3687
3688 isec = SOCK_INODE(sock)->i_security;
3689
3690 tsec = current->security;
3691 newsid = tsec->sockcreate_sid ? : tsec->sid;
3692 isec->sclass = socket_type_to_security_class(family, type, protocol);
3693 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3694 isec->initialized = 1;
3695
3696 if (sock->sk) {
3697 sksec = sock->sk->sk_security;
3698 sksec->sid = isec->sid;
3699 sksec->sclass = isec->sclass;
3700 err = selinux_netlbl_socket_post_create(sock);
3701 }
3702
3703 return err;
3704 }
3705
3706 /* Range of port numbers used to automatically bind.
3707 Need to determine whether we should perform a name_bind
3708 permission check between the socket and the port number. */
3709
3710 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3711 {
3712 u16 family;
3713 int err;
3714
3715 err = socket_has_perm(current, sock, SOCKET__BIND);
3716 if (err)
3717 goto out;
3718
3719 /*
3720 * If PF_INET or PF_INET6, check name_bind permission for the port.
3721 * Multiple address binding for SCTP is not supported yet: we just
3722 * check the first address now.
3723 */
3724 family = sock->sk->sk_family;
3725 if (family == PF_INET || family == PF_INET6) {
3726 char *addrp;
3727 struct inode_security_struct *isec;
3728 struct task_security_struct *tsec;
3729 struct avc_audit_data ad;
3730 struct sockaddr_in *addr4 = NULL;
3731 struct sockaddr_in6 *addr6 = NULL;
3732 unsigned short snum;
3733 struct sock *sk = sock->sk;
3734 u32 sid, node_perm;
3735
3736 tsec = current->security;
3737 isec = SOCK_INODE(sock)->i_security;
3738
3739 if (family == PF_INET) {
3740 addr4 = (struct sockaddr_in *)address;
3741 snum = ntohs(addr4->sin_port);
3742 addrp = (char *)&addr4->sin_addr.s_addr;
3743 } else {
3744 addr6 = (struct sockaddr_in6 *)address;
3745 snum = ntohs(addr6->sin6_port);
3746 addrp = (char *)&addr6->sin6_addr.s6_addr;
3747 }
3748
3749 if (snum) {
3750 int low, high;
3751
3752 inet_get_local_port_range(&low, &high);
3753
3754 if (snum < max(PROT_SOCK, low) || snum > high) {
3755 err = sel_netport_sid(sk->sk_protocol,
3756 snum, &sid);
3757 if (err)
3758 goto out;
3759 AVC_AUDIT_DATA_INIT(&ad, NET);
3760 ad.u.net.sport = htons(snum);
3761 ad.u.net.family = family;
3762 err = avc_has_perm(isec->sid, sid,
3763 isec->sclass,
3764 SOCKET__NAME_BIND, &ad);
3765 if (err)
3766 goto out;
3767 }
3768 }
3769
3770 switch (isec->sclass) {
3771 case SECCLASS_TCP_SOCKET:
3772 node_perm = TCP_SOCKET__NODE_BIND;
3773 break;
3774
3775 case SECCLASS_UDP_SOCKET:
3776 node_perm = UDP_SOCKET__NODE_BIND;
3777 break;
3778
3779 case SECCLASS_DCCP_SOCKET:
3780 node_perm = DCCP_SOCKET__NODE_BIND;
3781 break;
3782
3783 default:
3784 node_perm = RAWIP_SOCKET__NODE_BIND;
3785 break;
3786 }
3787
3788 err = sel_netnode_sid(addrp, family, &sid);
3789 if (err)
3790 goto out;
3791
3792 AVC_AUDIT_DATA_INIT(&ad, NET);
3793 ad.u.net.sport = htons(snum);
3794 ad.u.net.family = family;
3795
3796 if (family == PF_INET)
3797 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3798 else
3799 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3800
3801 err = avc_has_perm(isec->sid, sid,
3802 isec->sclass, node_perm, &ad);
3803 if (err)
3804 goto out;
3805 }
3806 out:
3807 return err;
3808 }
3809
3810 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3811 {
3812 struct inode_security_struct *isec;
3813 int err;
3814
3815 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3816 if (err)
3817 return err;
3818
3819 /*
3820 * If a TCP or DCCP socket, check name_connect permission for the port.
3821 */
3822 isec = SOCK_INODE(sock)->i_security;
3823 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3824 isec->sclass == SECCLASS_DCCP_SOCKET) {
3825 struct sock *sk = sock->sk;
3826 struct avc_audit_data ad;
3827 struct sockaddr_in *addr4 = NULL;
3828 struct sockaddr_in6 *addr6 = NULL;
3829 unsigned short snum;
3830 u32 sid, perm;
3831
3832 if (sk->sk_family == PF_INET) {
3833 addr4 = (struct sockaddr_in *)address;
3834 if (addrlen < sizeof(struct sockaddr_in))
3835 return -EINVAL;
3836 snum = ntohs(addr4->sin_port);
3837 } else {
3838 addr6 = (struct sockaddr_in6 *)address;
3839 if (addrlen < SIN6_LEN_RFC2133)
3840 return -EINVAL;
3841 snum = ntohs(addr6->sin6_port);
3842 }
3843
3844 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3845 if (err)
3846 goto out;
3847
3848 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3849 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3850
3851 AVC_AUDIT_DATA_INIT(&ad, NET);
3852 ad.u.net.dport = htons(snum);
3853 ad.u.net.family = sk->sk_family;
3854 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3855 if (err)
3856 goto out;
3857 }
3858
3859 out:
3860 return err;
3861 }
3862
3863 static int selinux_socket_listen(struct socket *sock, int backlog)
3864 {
3865 return socket_has_perm(current, sock, SOCKET__LISTEN);
3866 }
3867
3868 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3869 {
3870 int err;
3871 struct inode_security_struct *isec;
3872 struct inode_security_struct *newisec;
3873
3874 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3875 if (err)
3876 return err;
3877
3878 newisec = SOCK_INODE(newsock)->i_security;
3879
3880 isec = SOCK_INODE(sock)->i_security;
3881 newisec->sclass = isec->sclass;
3882 newisec->sid = isec->sid;
3883 newisec->initialized = 1;
3884
3885 return 0;
3886 }
3887
3888 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3889 int size)
3890 {
3891 int rc;
3892
3893 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3894 if (rc)
3895 return rc;
3896
3897 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3898 }
3899
3900 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3901 int size, int flags)
3902 {
3903 return socket_has_perm(current, sock, SOCKET__READ);
3904 }
3905
3906 static int selinux_socket_getsockname(struct socket *sock)
3907 {
3908 return socket_has_perm(current, sock, SOCKET__GETATTR);
3909 }
3910
3911 static int selinux_socket_getpeername(struct socket *sock)
3912 {
3913 return socket_has_perm(current, sock, SOCKET__GETATTR);
3914 }
3915
3916 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3917 {
3918 int err;
3919
3920 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3921 if (err)
3922 return err;
3923
3924 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3925 }
3926
3927 static int selinux_socket_getsockopt(struct socket *sock, int level,
3928 int optname)
3929 {
3930 return socket_has_perm(current, sock, SOCKET__GETOPT);
3931 }
3932
3933 static int selinux_socket_shutdown(struct socket *sock, int how)
3934 {
3935 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3936 }
3937
3938 static int selinux_socket_unix_stream_connect(struct socket *sock,
3939 struct socket *other,
3940 struct sock *newsk)
3941 {
3942 struct sk_security_struct *ssec;
3943 struct inode_security_struct *isec;
3944 struct inode_security_struct *other_isec;
3945 struct avc_audit_data ad;
3946 int err;
3947
3948 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3949 if (err)
3950 return err;
3951
3952 isec = SOCK_INODE(sock)->i_security;
3953 other_isec = SOCK_INODE(other)->i_security;
3954
3955 AVC_AUDIT_DATA_INIT(&ad, NET);
3956 ad.u.net.sk = other->sk;
3957
3958 err = avc_has_perm(isec->sid, other_isec->sid,
3959 isec->sclass,
3960 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3961 if (err)
3962 return err;
3963
3964 /* connecting socket */
3965 ssec = sock->sk->sk_security;
3966 ssec->peer_sid = other_isec->sid;
3967
3968 /* server child socket */
3969 ssec = newsk->sk_security;
3970 ssec->peer_sid = isec->sid;
3971 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3972
3973 return err;
3974 }
3975
3976 static int selinux_socket_unix_may_send(struct socket *sock,
3977 struct socket *other)
3978 {
3979 struct inode_security_struct *isec;
3980 struct inode_security_struct *other_isec;
3981 struct avc_audit_data ad;
3982 int err;
3983
3984 isec = SOCK_INODE(sock)->i_security;
3985 other_isec = SOCK_INODE(other)->i_security;
3986
3987 AVC_AUDIT_DATA_INIT(&ad, NET);
3988 ad.u.net.sk = other->sk;
3989
3990 err = avc_has_perm(isec->sid, other_isec->sid,
3991 isec->sclass, SOCKET__SENDTO, &ad);
3992 if (err)
3993 return err;
3994
3995 return 0;
3996 }
3997
3998 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3999 u32 peer_sid,
4000 struct avc_audit_data *ad)
4001 {
4002 int err;
4003 u32 if_sid;
4004 u32 node_sid;
4005
4006 err = sel_netif_sid(ifindex, &if_sid);
4007 if (err)
4008 return err;
4009 err = avc_has_perm(peer_sid, if_sid,
4010 SECCLASS_NETIF, NETIF__INGRESS, ad);
4011 if (err)
4012 return err;
4013
4014 err = sel_netnode_sid(addrp, family, &node_sid);
4015 if (err)
4016 return err;
4017 return avc_has_perm(peer_sid, node_sid,
4018 SECCLASS_NODE, NODE__RECVFROM, ad);
4019 }
4020
4021 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4022 struct sk_buff *skb,
4023 struct avc_audit_data *ad,
4024 u16 family,
4025 char *addrp)
4026 {
4027 int err;
4028 struct sk_security_struct *sksec = sk->sk_security;
4029 u16 sk_class;
4030 u32 netif_perm, node_perm, recv_perm;
4031 u32 port_sid, node_sid, if_sid, sk_sid;
4032
4033 sk_sid = sksec->sid;
4034 sk_class = sksec->sclass;
4035
4036 switch (sk_class) {
4037 case SECCLASS_UDP_SOCKET:
4038 netif_perm = NETIF__UDP_RECV;
4039 node_perm = NODE__UDP_RECV;
4040 recv_perm = UDP_SOCKET__RECV_MSG;
4041 break;
4042 case SECCLASS_TCP_SOCKET:
4043 netif_perm = NETIF__TCP_RECV;
4044 node_perm = NODE__TCP_RECV;
4045 recv_perm = TCP_SOCKET__RECV_MSG;
4046 break;
4047 case SECCLASS_DCCP_SOCKET:
4048 netif_perm = NETIF__DCCP_RECV;
4049 node_perm = NODE__DCCP_RECV;
4050 recv_perm = DCCP_SOCKET__RECV_MSG;
4051 break;
4052 default:
4053 netif_perm = NETIF__RAWIP_RECV;
4054 node_perm = NODE__RAWIP_RECV;
4055 recv_perm = 0;
4056 break;
4057 }
4058
4059 err = sel_netif_sid(skb->iif, &if_sid);
4060 if (err)
4061 return err;
4062 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4063 if (err)
4064 return err;
4065
4066 err = sel_netnode_sid(addrp, family, &node_sid);
4067 if (err)
4068 return err;
4069 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4070 if (err)
4071 return err;
4072
4073 if (!recv_perm)
4074 return 0;
4075 err = sel_netport_sid(sk->sk_protocol,
4076 ntohs(ad->u.net.sport), &port_sid);
4077 if (unlikely(err)) {
4078 printk(KERN_WARNING
4079 "SELinux: failure in"
4080 " selinux_sock_rcv_skb_iptables_compat(),"
4081 " network port label not found\n");
4082 return err;
4083 }
4084 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4085 }
4086
4087 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4088 struct avc_audit_data *ad,
4089 u16 family, char *addrp)
4090 {
4091 int err;
4092 struct sk_security_struct *sksec = sk->sk_security;
4093 u32 peer_sid;
4094 u32 sk_sid = sksec->sid;
4095
4096 if (selinux_compat_net)
4097 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4098 family, addrp);
4099 else
4100 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4101 PACKET__RECV, ad);
4102 if (err)
4103 return err;
4104
4105 if (selinux_policycap_netpeer) {
4106 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4107 if (err)
4108 return err;
4109 err = avc_has_perm(sk_sid, peer_sid,
4110 SECCLASS_PEER, PEER__RECV, ad);
4111 } else {
4112 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4113 if (err)
4114 return err;
4115 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4116 }
4117
4118 return err;
4119 }
4120
4121 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4122 {
4123 int err;
4124 struct sk_security_struct *sksec = sk->sk_security;
4125 u16 family = sk->sk_family;
4126 u32 sk_sid = sksec->sid;
4127 struct avc_audit_data ad;
4128 char *addrp;
4129
4130 if (family != PF_INET && family != PF_INET6)
4131 return 0;
4132
4133 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4134 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4135 family = PF_INET;
4136
4137 AVC_AUDIT_DATA_INIT(&ad, NET);
4138 ad.u.net.netif = skb->iif;
4139 ad.u.net.family = family;
4140 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4141 if (err)
4142 return err;
4143
4144 /* If any sort of compatibility mode is enabled then handoff processing
4145 * to the selinux_sock_rcv_skb_compat() function to deal with the
4146 * special handling. We do this in an attempt to keep this function
4147 * as fast and as clean as possible. */
4148 if (selinux_compat_net || !selinux_policycap_netpeer)
4149 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4150 family, addrp);
4151
4152 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4153 u32 peer_sid;
4154
4155 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4156 if (err)
4157 return err;
4158 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4159 peer_sid, &ad);
4160 if (err)
4161 return err;
4162 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4163 PEER__RECV, &ad);
4164 }
4165
4166 if (selinux_secmark_enabled()) {
4167 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4168 PACKET__RECV, &ad);
4169 if (err)
4170 return err;
4171 }
4172
4173 return err;
4174 }
4175
4176 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4177 int __user *optlen, unsigned len)
4178 {
4179 int err = 0;
4180 char *scontext;
4181 u32 scontext_len;
4182 struct sk_security_struct *ssec;
4183 struct inode_security_struct *isec;
4184 u32 peer_sid = SECSID_NULL;
4185
4186 isec = SOCK_INODE(sock)->i_security;
4187
4188 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4189 isec->sclass == SECCLASS_TCP_SOCKET) {
4190 ssec = sock->sk->sk_security;
4191 peer_sid = ssec->peer_sid;
4192 }
4193 if (peer_sid == SECSID_NULL) {
4194 err = -ENOPROTOOPT;
4195 goto out;
4196 }
4197
4198 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4199
4200 if (err)
4201 goto out;
4202
4203 if (scontext_len > len) {
4204 err = -ERANGE;
4205 goto out_len;
4206 }
4207
4208 if (copy_to_user(optval, scontext, scontext_len))
4209 err = -EFAULT;
4210
4211 out_len:
4212 if (put_user(scontext_len, optlen))
4213 err = -EFAULT;
4214
4215 kfree(scontext);
4216 out:
4217 return err;
4218 }
4219
4220 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4221 {
4222 u32 peer_secid = SECSID_NULL;
4223 u16 family;
4224
4225 if (sock)
4226 family = sock->sk->sk_family;
4227 else if (skb && skb->sk)
4228 family = skb->sk->sk_family;
4229 else
4230 goto out;
4231
4232 if (sock && family == PF_UNIX)
4233 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4234 else if (skb)
4235 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4236
4237 out:
4238 *secid = peer_secid;
4239 if (peer_secid == SECSID_NULL)
4240 return -EINVAL;
4241 return 0;
4242 }
4243
4244 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4245 {
4246 return sk_alloc_security(sk, family, priority);
4247 }
4248
4249 static void selinux_sk_free_security(struct sock *sk)
4250 {
4251 sk_free_security(sk);
4252 }
4253
4254 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4255 {
4256 struct sk_security_struct *ssec = sk->sk_security;
4257 struct sk_security_struct *newssec = newsk->sk_security;
4258
4259 newssec->sid = ssec->sid;
4260 newssec->peer_sid = ssec->peer_sid;
4261 newssec->sclass = ssec->sclass;
4262
4263 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4264 }
4265
4266 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4267 {
4268 if (!sk)
4269 *secid = SECINITSID_ANY_SOCKET;
4270 else {
4271 struct sk_security_struct *sksec = sk->sk_security;
4272
4273 *secid = sksec->sid;
4274 }
4275 }
4276
4277 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4278 {
4279 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4280 struct sk_security_struct *sksec = sk->sk_security;
4281
4282 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4283 sk->sk_family == PF_UNIX)
4284 isec->sid = sksec->sid;
4285 sksec->sclass = isec->sclass;
4286
4287 selinux_netlbl_sock_graft(sk, parent);
4288 }
4289
4290 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4291 struct request_sock *req)
4292 {
4293 struct sk_security_struct *sksec = sk->sk_security;
4294 int err;
4295 u32 newsid;
4296 u32 peersid;
4297
4298 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4299 if (err)
4300 return err;
4301 if (peersid == SECSID_NULL) {
4302 req->secid = sksec->sid;
4303 req->peer_secid = SECSID_NULL;
4304 return 0;
4305 }
4306
4307 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4308 if (err)
4309 return err;
4310
4311 req->secid = newsid;
4312 req->peer_secid = peersid;
4313 return 0;
4314 }
4315
4316 static void selinux_inet_csk_clone(struct sock *newsk,
4317 const struct request_sock *req)
4318 {
4319 struct sk_security_struct *newsksec = newsk->sk_security;
4320
4321 newsksec->sid = req->secid;
4322 newsksec->peer_sid = req->peer_secid;
4323 /* NOTE: Ideally, we should also get the isec->sid for the
4324 new socket in sync, but we don't have the isec available yet.
4325 So we will wait until sock_graft to do it, by which
4326 time it will have been created and available. */
4327
4328 /* We don't need to take any sort of lock here as we are the only
4329 * thread with access to newsksec */
4330 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4331 }
4332
4333 static void selinux_inet_conn_established(struct sock *sk,
4334 struct sk_buff *skb)
4335 {
4336 struct sk_security_struct *sksec = sk->sk_security;
4337
4338 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4339 }
4340
4341 static void selinux_req_classify_flow(const struct request_sock *req,
4342 struct flowi *fl)
4343 {
4344 fl->secid = req->secid;
4345 }
4346
4347 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4348 {
4349 int err = 0;
4350 u32 perm;
4351 struct nlmsghdr *nlh;
4352 struct socket *sock = sk->sk_socket;
4353 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4354
4355 if (skb->len < NLMSG_SPACE(0)) {
4356 err = -EINVAL;
4357 goto out;
4358 }
4359 nlh = nlmsg_hdr(skb);
4360
4361 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4362 if (err) {
4363 if (err == -EINVAL) {
4364 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4365 "SELinux: unrecognized netlink message"
4366 " type=%hu for sclass=%hu\n",
4367 nlh->nlmsg_type, isec->sclass);
4368 if (!selinux_enforcing)
4369 err = 0;
4370 }
4371
4372 /* Ignore */
4373 if (err == -ENOENT)
4374 err = 0;
4375 goto out;
4376 }
4377
4378 err = socket_has_perm(current, sock, perm);
4379 out:
4380 return err;
4381 }
4382
4383 #ifdef CONFIG_NETFILTER
4384
4385 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4386 u16 family)
4387 {
4388 char *addrp;
4389 u32 peer_sid;
4390 struct avc_audit_data ad;
4391 u8 secmark_active;
4392 u8 peerlbl_active;
4393
4394 if (!selinux_policycap_netpeer)
4395 return NF_ACCEPT;
4396
4397 secmark_active = selinux_secmark_enabled();
4398 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4399 if (!secmark_active && !peerlbl_active)
4400 return NF_ACCEPT;
4401
4402 AVC_AUDIT_DATA_INIT(&ad, NET);
4403 ad.u.net.netif = ifindex;
4404 ad.u.net.family = family;
4405 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4406 return NF_DROP;
4407
4408 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4409 return NF_DROP;
4410
4411 if (peerlbl_active)
4412 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4413 peer_sid, &ad) != 0)
4414 return NF_DROP;
4415
4416 if (secmark_active)
4417 if (avc_has_perm(peer_sid, skb->secmark,
4418 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4419 return NF_DROP;
4420
4421 return NF_ACCEPT;
4422 }
4423
4424 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4425 struct sk_buff *skb,
4426 const struct net_device *in,
4427 const struct net_device *out,
4428 int (*okfn)(struct sk_buff *))
4429 {
4430 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4431 }
4432
4433 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4434 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4435 struct sk_buff *skb,
4436 const struct net_device *in,
4437 const struct net_device *out,
4438 int (*okfn)(struct sk_buff *))
4439 {
4440 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4441 }
4442 #endif /* IPV6 */
4443
4444 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4445 int ifindex,
4446 struct avc_audit_data *ad,
4447 u16 family, char *addrp)
4448 {
4449 int err;
4450 struct sk_security_struct *sksec = sk->sk_security;
4451 u16 sk_class;
4452 u32 netif_perm, node_perm, send_perm;
4453 u32 port_sid, node_sid, if_sid, sk_sid;
4454
4455 sk_sid = sksec->sid;
4456 sk_class = sksec->sclass;
4457
4458 switch (sk_class) {
4459 case SECCLASS_UDP_SOCKET:
4460 netif_perm = NETIF__UDP_SEND;
4461 node_perm = NODE__UDP_SEND;
4462 send_perm = UDP_SOCKET__SEND_MSG;
4463 break;
4464 case SECCLASS_TCP_SOCKET:
4465 netif_perm = NETIF__TCP_SEND;
4466 node_perm = NODE__TCP_SEND;
4467 send_perm = TCP_SOCKET__SEND_MSG;
4468 break;
4469 case SECCLASS_DCCP_SOCKET:
4470 netif_perm = NETIF__DCCP_SEND;
4471 node_perm = NODE__DCCP_SEND;
4472 send_perm = DCCP_SOCKET__SEND_MSG;
4473 break;
4474 default:
4475 netif_perm = NETIF__RAWIP_SEND;
4476 node_perm = NODE__RAWIP_SEND;
4477 send_perm = 0;
4478 break;
4479 }
4480
4481 err = sel_netif_sid(ifindex, &if_sid);
4482 if (err)
4483 return err;
4484 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4485 return err;
4486
4487 err = sel_netnode_sid(addrp, family, &node_sid);
4488 if (err)
4489 return err;
4490 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4491 if (err)
4492 return err;
4493
4494 if (send_perm != 0)
4495 return 0;
4496
4497 err = sel_netport_sid(sk->sk_protocol,
4498 ntohs(ad->u.net.dport), &port_sid);
4499 if (unlikely(err)) {
4500 printk(KERN_WARNING
4501 "SELinux: failure in"
4502 " selinux_ip_postroute_iptables_compat(),"
4503 " network port label not found\n");
4504 return err;
4505 }
4506 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4507 }
4508
4509 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4510 int ifindex,
4511 struct avc_audit_data *ad,
4512 u16 family,
4513 char *addrp,
4514 u8 proto)
4515 {
4516 struct sock *sk = skb->sk;
4517 struct sk_security_struct *sksec;
4518
4519 if (sk == NULL)
4520 return NF_ACCEPT;
4521 sksec = sk->sk_security;
4522
4523 if (selinux_compat_net) {
4524 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4525 ad, family, addrp))
4526 return NF_DROP;
4527 } else {
4528 if (avc_has_perm(sksec->sid, skb->secmark,
4529 SECCLASS_PACKET, PACKET__SEND, ad))
4530 return NF_DROP;
4531 }
4532
4533 if (selinux_policycap_netpeer)
4534 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4535 return NF_DROP;
4536
4537 return NF_ACCEPT;
4538 }
4539
4540 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4541 u16 family)
4542 {
4543 u32 secmark_perm;
4544 u32 peer_sid;
4545 struct sock *sk;
4546 struct avc_audit_data ad;
4547 char *addrp;
4548 u8 proto;
4549 u8 secmark_active;
4550 u8 peerlbl_active;
4551
4552 AVC_AUDIT_DATA_INIT(&ad, NET);
4553 ad.u.net.netif = ifindex;
4554 ad.u.net.family = family;
4555 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4556 return NF_DROP;
4557
4558 /* If any sort of compatibility mode is enabled then handoff processing
4559 * to the selinux_ip_postroute_compat() function to deal with the
4560 * special handling. We do this in an attempt to keep this function
4561 * as fast and as clean as possible. */
4562 if (selinux_compat_net || !selinux_policycap_netpeer)
4563 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4564 family, addrp, proto);
4565
4566 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4567 * packet transformation so allow the packet to pass without any checks
4568 * since we'll have another chance to perform access control checks
4569 * when the packet is on it's final way out.
4570 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4571 * is NULL, in this case go ahead and apply access control. */
4572 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4573 return NF_ACCEPT;
4574
4575 secmark_active = selinux_secmark_enabled();
4576 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4577 if (!secmark_active && !peerlbl_active)
4578 return NF_ACCEPT;
4579
4580 /* if the packet is locally generated (skb->sk != NULL) then use the
4581 * socket's label as the peer label, otherwise the packet is being
4582 * forwarded through this system and we need to fetch the peer label
4583 * directly from the packet */
4584 sk = skb->sk;
4585 if (sk) {
4586 struct sk_security_struct *sksec = sk->sk_security;
4587 peer_sid = sksec->sid;
4588 secmark_perm = PACKET__SEND;
4589 } else {
4590 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4591 return NF_DROP;
4592 secmark_perm = PACKET__FORWARD_OUT;
4593 }
4594
4595 if (secmark_active)
4596 if (avc_has_perm(peer_sid, skb->secmark,
4597 SECCLASS_PACKET, secmark_perm, &ad))
4598 return NF_DROP;
4599
4600 if (peerlbl_active) {
4601 u32 if_sid;
4602 u32 node_sid;
4603
4604 if (sel_netif_sid(ifindex, &if_sid))
4605 return NF_DROP;
4606 if (avc_has_perm(peer_sid, if_sid,
4607 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4608 return NF_DROP;
4609
4610 if (sel_netnode_sid(addrp, family, &node_sid))
4611 return NF_DROP;
4612 if (avc_has_perm(peer_sid, node_sid,
4613 SECCLASS_NODE, NODE__SENDTO, &ad))
4614 return NF_DROP;
4615 }
4616
4617 return NF_ACCEPT;
4618 }
4619
4620 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4621 struct sk_buff *skb,
4622 const struct net_device *in,
4623 const struct net_device *out,
4624 int (*okfn)(struct sk_buff *))
4625 {
4626 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4627 }
4628
4629 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4630 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4631 struct sk_buff *skb,
4632 const struct net_device *in,
4633 const struct net_device *out,
4634 int (*okfn)(struct sk_buff *))
4635 {
4636 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4637 }
4638 #endif /* IPV6 */
4639
4640 #endif /* CONFIG_NETFILTER */
4641
4642 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4643 {
4644 int err;
4645
4646 err = secondary_ops->netlink_send(sk, skb);
4647 if (err)
4648 return err;
4649
4650 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4651 err = selinux_nlmsg_perm(sk, skb);
4652
4653 return err;
4654 }
4655
4656 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4657 {
4658 int err;
4659 struct avc_audit_data ad;
4660
4661 err = secondary_ops->netlink_recv(skb, capability);
4662 if (err)
4663 return err;
4664
4665 AVC_AUDIT_DATA_INIT(&ad, CAP);
4666 ad.u.cap = capability;
4667
4668 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4669 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4670 }
4671
4672 static int ipc_alloc_security(struct task_struct *task,
4673 struct kern_ipc_perm *perm,
4674 u16 sclass)
4675 {
4676 struct task_security_struct *tsec = task->security;
4677 struct ipc_security_struct *isec;
4678
4679 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4680 if (!isec)
4681 return -ENOMEM;
4682
4683 isec->sclass = sclass;
4684 isec->sid = tsec->sid;
4685 perm->security = isec;
4686
4687 return 0;
4688 }
4689
4690 static void ipc_free_security(struct kern_ipc_perm *perm)
4691 {
4692 struct ipc_security_struct *isec = perm->security;
4693 perm->security = NULL;
4694 kfree(isec);
4695 }
4696
4697 static int msg_msg_alloc_security(struct msg_msg *msg)
4698 {
4699 struct msg_security_struct *msec;
4700
4701 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4702 if (!msec)
4703 return -ENOMEM;
4704
4705 msec->sid = SECINITSID_UNLABELED;
4706 msg->security = msec;
4707
4708 return 0;
4709 }
4710
4711 static void msg_msg_free_security(struct msg_msg *msg)
4712 {
4713 struct msg_security_struct *msec = msg->security;
4714
4715 msg->security = NULL;
4716 kfree(msec);
4717 }
4718
4719 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4720 u32 perms)
4721 {
4722 struct task_security_struct *tsec;
4723 struct ipc_security_struct *isec;
4724 struct avc_audit_data ad;
4725
4726 tsec = current->security;
4727 isec = ipc_perms->security;
4728
4729 AVC_AUDIT_DATA_INIT(&ad, IPC);
4730 ad.u.ipc_id = ipc_perms->key;
4731
4732 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4733 }
4734
4735 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4736 {
4737 return msg_msg_alloc_security(msg);
4738 }
4739
4740 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4741 {
4742 msg_msg_free_security(msg);
4743 }
4744
4745 /* message queue security operations */
4746 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4747 {
4748 struct task_security_struct *tsec;
4749 struct ipc_security_struct *isec;
4750 struct avc_audit_data ad;
4751 int rc;
4752
4753 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4754 if (rc)
4755 return rc;
4756
4757 tsec = current->security;
4758 isec = msq->q_perm.security;
4759
4760 AVC_AUDIT_DATA_INIT(&ad, IPC);
4761 ad.u.ipc_id = msq->q_perm.key;
4762
4763 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4764 MSGQ__CREATE, &ad);
4765 if (rc) {
4766 ipc_free_security(&msq->q_perm);
4767 return rc;
4768 }
4769 return 0;
4770 }
4771
4772 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4773 {
4774 ipc_free_security(&msq->q_perm);
4775 }
4776
4777 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4778 {
4779 struct task_security_struct *tsec;
4780 struct ipc_security_struct *isec;
4781 struct avc_audit_data ad;
4782
4783 tsec = current->security;
4784 isec = msq->q_perm.security;
4785
4786 AVC_AUDIT_DATA_INIT(&ad, IPC);
4787 ad.u.ipc_id = msq->q_perm.key;
4788
4789 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4790 MSGQ__ASSOCIATE, &ad);
4791 }
4792
4793 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4794 {
4795 int err;
4796 int perms;
4797
4798 switch (cmd) {
4799 case IPC_INFO:
4800 case MSG_INFO:
4801 /* No specific object, just general system-wide information. */
4802 return task_has_system(current, SYSTEM__IPC_INFO);
4803 case IPC_STAT:
4804 case MSG_STAT:
4805 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4806 break;
4807 case IPC_SET:
4808 perms = MSGQ__SETATTR;
4809 break;
4810 case IPC_RMID:
4811 perms = MSGQ__DESTROY;
4812 break;
4813 default:
4814 return 0;
4815 }
4816
4817 err = ipc_has_perm(&msq->q_perm, perms);
4818 return err;
4819 }
4820
4821 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4822 {
4823 struct task_security_struct *tsec;
4824 struct ipc_security_struct *isec;
4825 struct msg_security_struct *msec;
4826 struct avc_audit_data ad;
4827 int rc;
4828
4829 tsec = current->security;
4830 isec = msq->q_perm.security;
4831 msec = msg->security;
4832
4833 /*
4834 * First time through, need to assign label to the message
4835 */
4836 if (msec->sid == SECINITSID_UNLABELED) {
4837 /*
4838 * Compute new sid based on current process and
4839 * message queue this message will be stored in
4840 */
4841 rc = security_transition_sid(tsec->sid,
4842 isec->sid,
4843 SECCLASS_MSG,
4844 &msec->sid);
4845 if (rc)
4846 return rc;
4847 }
4848
4849 AVC_AUDIT_DATA_INIT(&ad, IPC);
4850 ad.u.ipc_id = msq->q_perm.key;
4851
4852 /* Can this process write to the queue? */
4853 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4854 MSGQ__WRITE, &ad);
4855 if (!rc)
4856 /* Can this process send the message */
4857 rc = avc_has_perm(tsec->sid, msec->sid,
4858 SECCLASS_MSG, MSG__SEND, &ad);
4859 if (!rc)
4860 /* Can the message be put in the queue? */
4861 rc = avc_has_perm(msec->sid, isec->sid,
4862 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4863
4864 return rc;
4865 }
4866
4867 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4868 struct task_struct *target,
4869 long type, int mode)
4870 {
4871 struct task_security_struct *tsec;
4872 struct ipc_security_struct *isec;
4873 struct msg_security_struct *msec;
4874 struct avc_audit_data ad;
4875 int rc;
4876
4877 tsec = target->security;
4878 isec = msq->q_perm.security;
4879 msec = msg->security;
4880
4881 AVC_AUDIT_DATA_INIT(&ad, IPC);
4882 ad.u.ipc_id = msq->q_perm.key;
4883
4884 rc = avc_has_perm(tsec->sid, isec->sid,
4885 SECCLASS_MSGQ, MSGQ__READ, &ad);
4886 if (!rc)
4887 rc = avc_has_perm(tsec->sid, msec->sid,
4888 SECCLASS_MSG, MSG__RECEIVE, &ad);
4889 return rc;
4890 }
4891
4892 /* Shared Memory security operations */
4893 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4894 {
4895 struct task_security_struct *tsec;
4896 struct ipc_security_struct *isec;
4897 struct avc_audit_data ad;
4898 int rc;
4899
4900 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4901 if (rc)
4902 return rc;
4903
4904 tsec = current->security;
4905 isec = shp->shm_perm.security;
4906
4907 AVC_AUDIT_DATA_INIT(&ad, IPC);
4908 ad.u.ipc_id = shp->shm_perm.key;
4909
4910 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4911 SHM__CREATE, &ad);
4912 if (rc) {
4913 ipc_free_security(&shp->shm_perm);
4914 return rc;
4915 }
4916 return 0;
4917 }
4918
4919 static void selinux_shm_free_security(struct shmid_kernel *shp)
4920 {
4921 ipc_free_security(&shp->shm_perm);
4922 }
4923
4924 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4925 {
4926 struct task_security_struct *tsec;
4927 struct ipc_security_struct *isec;
4928 struct avc_audit_data ad;
4929
4930 tsec = current->security;
4931 isec = shp->shm_perm.security;
4932
4933 AVC_AUDIT_DATA_INIT(&ad, IPC);
4934 ad.u.ipc_id = shp->shm_perm.key;
4935
4936 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4937 SHM__ASSOCIATE, &ad);
4938 }
4939
4940 /* Note, at this point, shp is locked down */
4941 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4942 {
4943 int perms;
4944 int err;
4945
4946 switch (cmd) {
4947 case IPC_INFO:
4948 case SHM_INFO:
4949 /* No specific object, just general system-wide information. */
4950 return task_has_system(current, SYSTEM__IPC_INFO);
4951 case IPC_STAT:
4952 case SHM_STAT:
4953 perms = SHM__GETATTR | SHM__ASSOCIATE;
4954 break;
4955 case IPC_SET:
4956 perms = SHM__SETATTR;
4957 break;
4958 case SHM_LOCK:
4959 case SHM_UNLOCK:
4960 perms = SHM__LOCK;
4961 break;
4962 case IPC_RMID:
4963 perms = SHM__DESTROY;
4964 break;
4965 default:
4966 return 0;
4967 }
4968
4969 err = ipc_has_perm(&shp->shm_perm, perms);
4970 return err;
4971 }
4972
4973 static int selinux_shm_shmat(struct shmid_kernel *shp,
4974 char __user *shmaddr, int shmflg)
4975 {
4976 u32 perms;
4977 int rc;
4978
4979 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4980 if (rc)
4981 return rc;
4982
4983 if (shmflg & SHM_RDONLY)
4984 perms = SHM__READ;
4985 else
4986 perms = SHM__READ | SHM__WRITE;
4987
4988 return ipc_has_perm(&shp->shm_perm, perms);
4989 }
4990
4991 /* Semaphore security operations */
4992 static int selinux_sem_alloc_security(struct sem_array *sma)
4993 {
4994 struct task_security_struct *tsec;
4995 struct ipc_security_struct *isec;
4996 struct avc_audit_data ad;
4997 int rc;
4998
4999 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5000 if (rc)
5001 return rc;
5002
5003 tsec = current->security;
5004 isec = sma->sem_perm.security;
5005
5006 AVC_AUDIT_DATA_INIT(&ad, IPC);
5007 ad.u.ipc_id = sma->sem_perm.key;
5008
5009 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5010 SEM__CREATE, &ad);
5011 if (rc) {
5012 ipc_free_security(&sma->sem_perm);
5013 return rc;
5014 }
5015 return 0;
5016 }
5017
5018 static void selinux_sem_free_security(struct sem_array *sma)
5019 {
5020 ipc_free_security(&sma->sem_perm);
5021 }
5022
5023 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5024 {
5025 struct task_security_struct *tsec;
5026 struct ipc_security_struct *isec;
5027 struct avc_audit_data ad;
5028
5029 tsec = current->security;
5030 isec = sma->sem_perm.security;
5031
5032 AVC_AUDIT_DATA_INIT(&ad, IPC);
5033 ad.u.ipc_id = sma->sem_perm.key;
5034
5035 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5036 SEM__ASSOCIATE, &ad);
5037 }
5038
5039 /* Note, at this point, sma is locked down */
5040 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5041 {
5042 int err;
5043 u32 perms;
5044
5045 switch (cmd) {
5046 case IPC_INFO:
5047 case SEM_INFO:
5048 /* No specific object, just general system-wide information. */
5049 return task_has_system(current, SYSTEM__IPC_INFO);
5050 case GETPID:
5051 case GETNCNT:
5052 case GETZCNT:
5053 perms = SEM__GETATTR;
5054 break;
5055 case GETVAL:
5056 case GETALL:
5057 perms = SEM__READ;
5058 break;
5059 case SETVAL:
5060 case SETALL:
5061 perms = SEM__WRITE;
5062 break;
5063 case IPC_RMID:
5064 perms = SEM__DESTROY;
5065 break;
5066 case IPC_SET:
5067 perms = SEM__SETATTR;
5068 break;
5069 case IPC_STAT:
5070 case SEM_STAT:
5071 perms = SEM__GETATTR | SEM__ASSOCIATE;
5072 break;
5073 default:
5074 return 0;
5075 }
5076
5077 err = ipc_has_perm(&sma->sem_perm, perms);
5078 return err;
5079 }
5080
5081 static int selinux_sem_semop(struct sem_array *sma,
5082 struct sembuf *sops, unsigned nsops, int alter)
5083 {
5084 u32 perms;
5085
5086 if (alter)
5087 perms = SEM__READ | SEM__WRITE;
5088 else
5089 perms = SEM__READ;
5090
5091 return ipc_has_perm(&sma->sem_perm, perms);
5092 }
5093
5094 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5095 {
5096 u32 av = 0;
5097
5098 av = 0;
5099 if (flag & S_IRUGO)
5100 av |= IPC__UNIX_READ;
5101 if (flag & S_IWUGO)
5102 av |= IPC__UNIX_WRITE;
5103
5104 if (av == 0)
5105 return 0;
5106
5107 return ipc_has_perm(ipcp, av);
5108 }
5109
5110 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5111 {
5112 struct ipc_security_struct *isec = ipcp->security;
5113 *secid = isec->sid;
5114 }
5115
5116 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5117 {
5118 if (inode)
5119 inode_doinit_with_dentry(inode, dentry);
5120 }
5121
5122 static int selinux_getprocattr(struct task_struct *p,
5123 char *name, char **value)
5124 {
5125 struct task_security_struct *tsec;
5126 u32 sid;
5127 int error;
5128 unsigned len;
5129
5130 if (current != p) {
5131 error = task_has_perm(current, p, PROCESS__GETATTR);
5132 if (error)
5133 return error;
5134 }
5135
5136 tsec = p->security;
5137
5138 if (!strcmp(name, "current"))
5139 sid = tsec->sid;
5140 else if (!strcmp(name, "prev"))
5141 sid = tsec->osid;
5142 else if (!strcmp(name, "exec"))
5143 sid = tsec->exec_sid;
5144 else if (!strcmp(name, "fscreate"))
5145 sid = tsec->create_sid;
5146 else if (!strcmp(name, "keycreate"))
5147 sid = tsec->keycreate_sid;
5148 else if (!strcmp(name, "sockcreate"))
5149 sid = tsec->sockcreate_sid;
5150 else
5151 return -EINVAL;
5152
5153 if (!sid)
5154 return 0;
5155
5156 error = security_sid_to_context(sid, value, &len);
5157 if (error)
5158 return error;
5159 return len;
5160 }
5161
5162 static int selinux_setprocattr(struct task_struct *p,
5163 char *name, void *value, size_t size)
5164 {
5165 struct task_security_struct *tsec;
5166 struct task_struct *tracer;
5167 u32 sid = 0;
5168 int error;
5169 char *str = value;
5170
5171 if (current != p) {
5172 /* SELinux only allows a process to change its own
5173 security attributes. */
5174 return -EACCES;
5175 }
5176
5177 /*
5178 * Basic control over ability to set these attributes at all.
5179 * current == p, but we'll pass them separately in case the
5180 * above restriction is ever removed.
5181 */
5182 if (!strcmp(name, "exec"))
5183 error = task_has_perm(current, p, PROCESS__SETEXEC);
5184 else if (!strcmp(name, "fscreate"))
5185 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5186 else if (!strcmp(name, "keycreate"))
5187 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5188 else if (!strcmp(name, "sockcreate"))
5189 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5190 else if (!strcmp(name, "current"))
5191 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5192 else
5193 error = -EINVAL;
5194 if (error)
5195 return error;
5196
5197 /* Obtain a SID for the context, if one was specified. */
5198 if (size && str[1] && str[1] != '\n') {
5199 if (str[size-1] == '\n') {
5200 str[size-1] = 0;
5201 size--;
5202 }
5203 error = security_context_to_sid(value, size, &sid);
5204 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5205 if (!capable(CAP_MAC_ADMIN))
5206 return error;
5207 error = security_context_to_sid_force(value, size,
5208 &sid);
5209 }
5210 if (error)
5211 return error;
5212 }
5213
5214 /* Permission checking based on the specified context is
5215 performed during the actual operation (execve,
5216 open/mkdir/...), when we know the full context of the
5217 operation. See selinux_bprm_set_security for the execve
5218 checks and may_create for the file creation checks. The
5219 operation will then fail if the context is not permitted. */
5220 tsec = p->security;
5221 if (!strcmp(name, "exec"))
5222 tsec->exec_sid = sid;
5223 else if (!strcmp(name, "fscreate"))
5224 tsec->create_sid = sid;
5225 else if (!strcmp(name, "keycreate")) {
5226 error = may_create_key(sid, p);
5227 if (error)
5228 return error;
5229 tsec->keycreate_sid = sid;
5230 } else if (!strcmp(name, "sockcreate"))
5231 tsec->sockcreate_sid = sid;
5232 else if (!strcmp(name, "current")) {
5233 struct av_decision avd;
5234
5235 if (sid == 0)
5236 return -EINVAL;
5237
5238 /* Only allow single threaded processes to change context */
5239 if (atomic_read(&p->mm->mm_users) != 1) {
5240 struct task_struct *g, *t;
5241 struct mm_struct *mm = p->mm;
5242 read_lock(&tasklist_lock);
5243 do_each_thread(g, t) {
5244 if (t->mm == mm && t != p) {
5245 read_unlock(&tasklist_lock);
5246 return -EPERM;
5247 }
5248 } while_each_thread(g, t);
5249 read_unlock(&tasklist_lock);
5250 }
5251
5252 /* Check permissions for the transition. */
5253 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5254 PROCESS__DYNTRANSITION, NULL);
5255 if (error)
5256 return error;
5257
5258 /* Check for ptracing, and update the task SID if ok.
5259 Otherwise, leave SID unchanged and fail. */
5260 task_lock(p);
5261 rcu_read_lock();
5262 tracer = task_tracer_task(p);
5263 if (tracer != NULL) {
5264 struct task_security_struct *ptsec = tracer->security;
5265 u32 ptsid = ptsec->sid;
5266 rcu_read_unlock();
5267 error = avc_has_perm_noaudit(ptsid, sid,
5268 SECCLASS_PROCESS,
5269 PROCESS__PTRACE, 0, &avd);
5270 if (!error)
5271 tsec->sid = sid;
5272 task_unlock(p);
5273 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5274 PROCESS__PTRACE, &avd, error, NULL);
5275 if (error)
5276 return error;
5277 } else {
5278 rcu_read_unlock();
5279 tsec->sid = sid;
5280 task_unlock(p);
5281 }
5282 } else
5283 return -EINVAL;
5284
5285 return size;
5286 }
5287
5288 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5289 {
5290 return security_sid_to_context(secid, secdata, seclen);
5291 }
5292
5293 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5294 {
5295 return security_context_to_sid(secdata, seclen, secid);
5296 }
5297
5298 static void selinux_release_secctx(char *secdata, u32 seclen)
5299 {
5300 kfree(secdata);
5301 }
5302
5303 #ifdef CONFIG_KEYS
5304
5305 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5306 unsigned long flags)
5307 {
5308 struct task_security_struct *tsec = tsk->security;
5309 struct key_security_struct *ksec;
5310
5311 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5312 if (!ksec)
5313 return -ENOMEM;
5314
5315 if (tsec->keycreate_sid)
5316 ksec->sid = tsec->keycreate_sid;
5317 else
5318 ksec->sid = tsec->sid;
5319 k->security = ksec;
5320
5321 return 0;
5322 }
5323
5324 static void selinux_key_free(struct key *k)
5325 {
5326 struct key_security_struct *ksec = k->security;
5327
5328 k->security = NULL;
5329 kfree(ksec);
5330 }
5331
5332 static int selinux_key_permission(key_ref_t key_ref,
5333 struct task_struct *ctx,
5334 key_perm_t perm)
5335 {
5336 struct key *key;
5337 struct task_security_struct *tsec;
5338 struct key_security_struct *ksec;
5339
5340 key = key_ref_to_ptr(key_ref);
5341
5342 tsec = ctx->security;
5343 ksec = key->security;
5344
5345 /* if no specific permissions are requested, we skip the
5346 permission check. No serious, additional covert channels
5347 appear to be created. */
5348 if (perm == 0)
5349 return 0;
5350
5351 return avc_has_perm(tsec->sid, ksec->sid,
5352 SECCLASS_KEY, perm, NULL);
5353 }
5354
5355 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5356 {
5357 struct key_security_struct *ksec = key->security;
5358 char *context = NULL;
5359 unsigned len;
5360 int rc;
5361
5362 rc = security_sid_to_context(ksec->sid, &context, &len);
5363 if (!rc)
5364 rc = len;
5365 *_buffer = context;
5366 return rc;
5367 }
5368
5369 #endif
5370
5371 static struct security_operations selinux_ops = {
5372 .name = "selinux",
5373
5374 .ptrace = selinux_ptrace,
5375 .capget = selinux_capget,
5376 .capset_check = selinux_capset_check,
5377 .capset_set = selinux_capset_set,
5378 .sysctl = selinux_sysctl,
5379 .capable = selinux_capable,
5380 .quotactl = selinux_quotactl,
5381 .quota_on = selinux_quota_on,
5382 .syslog = selinux_syslog,
5383 .vm_enough_memory = selinux_vm_enough_memory,
5384
5385 .netlink_send = selinux_netlink_send,
5386 .netlink_recv = selinux_netlink_recv,
5387
5388 .bprm_alloc_security = selinux_bprm_alloc_security,
5389 .bprm_free_security = selinux_bprm_free_security,
5390 .bprm_apply_creds = selinux_bprm_apply_creds,
5391 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5392 .bprm_set_security = selinux_bprm_set_security,
5393 .bprm_check_security = selinux_bprm_check_security,
5394 .bprm_secureexec = selinux_bprm_secureexec,
5395
5396 .sb_alloc_security = selinux_sb_alloc_security,
5397 .sb_free_security = selinux_sb_free_security,
5398 .sb_copy_data = selinux_sb_copy_data,
5399 .sb_kern_mount = selinux_sb_kern_mount,
5400 .sb_show_options = selinux_sb_show_options,
5401 .sb_statfs = selinux_sb_statfs,
5402 .sb_mount = selinux_mount,
5403 .sb_umount = selinux_umount,
5404 .sb_set_mnt_opts = selinux_set_mnt_opts,
5405 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5406 .sb_parse_opts_str = selinux_parse_opts_str,
5407
5408
5409 .inode_alloc_security = selinux_inode_alloc_security,
5410 .inode_free_security = selinux_inode_free_security,
5411 .inode_init_security = selinux_inode_init_security,
5412 .inode_create = selinux_inode_create,
5413 .inode_link = selinux_inode_link,
5414 .inode_unlink = selinux_inode_unlink,
5415 .inode_symlink = selinux_inode_symlink,
5416 .inode_mkdir = selinux_inode_mkdir,
5417 .inode_rmdir = selinux_inode_rmdir,
5418 .inode_mknod = selinux_inode_mknod,
5419 .inode_rename = selinux_inode_rename,
5420 .inode_readlink = selinux_inode_readlink,
5421 .inode_follow_link = selinux_inode_follow_link,
5422 .inode_permission = selinux_inode_permission,
5423 .inode_setattr = selinux_inode_setattr,
5424 .inode_getattr = selinux_inode_getattr,
5425 .inode_setxattr = selinux_inode_setxattr,
5426 .inode_post_setxattr = selinux_inode_post_setxattr,
5427 .inode_getxattr = selinux_inode_getxattr,
5428 .inode_listxattr = selinux_inode_listxattr,
5429 .inode_removexattr = selinux_inode_removexattr,
5430 .inode_getsecurity = selinux_inode_getsecurity,
5431 .inode_setsecurity = selinux_inode_setsecurity,
5432 .inode_listsecurity = selinux_inode_listsecurity,
5433 .inode_need_killpriv = selinux_inode_need_killpriv,
5434 .inode_killpriv = selinux_inode_killpriv,
5435 .inode_getsecid = selinux_inode_getsecid,
5436
5437 .file_permission = selinux_file_permission,
5438 .file_alloc_security = selinux_file_alloc_security,
5439 .file_free_security = selinux_file_free_security,
5440 .file_ioctl = selinux_file_ioctl,
5441 .file_mmap = selinux_file_mmap,
5442 .file_mprotect = selinux_file_mprotect,
5443 .file_lock = selinux_file_lock,
5444 .file_fcntl = selinux_file_fcntl,
5445 .file_set_fowner = selinux_file_set_fowner,
5446 .file_send_sigiotask = selinux_file_send_sigiotask,
5447 .file_receive = selinux_file_receive,
5448
5449 .dentry_open = selinux_dentry_open,
5450
5451 .task_create = selinux_task_create,
5452 .task_alloc_security = selinux_task_alloc_security,
5453 .task_free_security = selinux_task_free_security,
5454 .task_setuid = selinux_task_setuid,
5455 .task_post_setuid = selinux_task_post_setuid,
5456 .task_setgid = selinux_task_setgid,
5457 .task_setpgid = selinux_task_setpgid,
5458 .task_getpgid = selinux_task_getpgid,
5459 .task_getsid = selinux_task_getsid,
5460 .task_getsecid = selinux_task_getsecid,
5461 .task_setgroups = selinux_task_setgroups,
5462 .task_setnice = selinux_task_setnice,
5463 .task_setioprio = selinux_task_setioprio,
5464 .task_getioprio = selinux_task_getioprio,
5465 .task_setrlimit = selinux_task_setrlimit,
5466 .task_setscheduler = selinux_task_setscheduler,
5467 .task_getscheduler = selinux_task_getscheduler,
5468 .task_movememory = selinux_task_movememory,
5469 .task_kill = selinux_task_kill,
5470 .task_wait = selinux_task_wait,
5471 .task_prctl = selinux_task_prctl,
5472 .task_reparent_to_init = selinux_task_reparent_to_init,
5473 .task_to_inode = selinux_task_to_inode,
5474
5475 .ipc_permission = selinux_ipc_permission,
5476 .ipc_getsecid = selinux_ipc_getsecid,
5477
5478 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5479 .msg_msg_free_security = selinux_msg_msg_free_security,
5480
5481 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5482 .msg_queue_free_security = selinux_msg_queue_free_security,
5483 .msg_queue_associate = selinux_msg_queue_associate,
5484 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5485 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5486 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5487
5488 .shm_alloc_security = selinux_shm_alloc_security,
5489 .shm_free_security = selinux_shm_free_security,
5490 .shm_associate = selinux_shm_associate,
5491 .shm_shmctl = selinux_shm_shmctl,
5492 .shm_shmat = selinux_shm_shmat,
5493
5494 .sem_alloc_security = selinux_sem_alloc_security,
5495 .sem_free_security = selinux_sem_free_security,
5496 .sem_associate = selinux_sem_associate,
5497 .sem_semctl = selinux_sem_semctl,
5498 .sem_semop = selinux_sem_semop,
5499
5500 .d_instantiate = selinux_d_instantiate,
5501
5502 .getprocattr = selinux_getprocattr,
5503 .setprocattr = selinux_setprocattr,
5504
5505 .secid_to_secctx = selinux_secid_to_secctx,
5506 .secctx_to_secid = selinux_secctx_to_secid,
5507 .release_secctx = selinux_release_secctx,
5508
5509 .unix_stream_connect = selinux_socket_unix_stream_connect,
5510 .unix_may_send = selinux_socket_unix_may_send,
5511
5512 .socket_create = selinux_socket_create,
5513 .socket_post_create = selinux_socket_post_create,
5514 .socket_bind = selinux_socket_bind,
5515 .socket_connect = selinux_socket_connect,
5516 .socket_listen = selinux_socket_listen,
5517 .socket_accept = selinux_socket_accept,
5518 .socket_sendmsg = selinux_socket_sendmsg,
5519 .socket_recvmsg = selinux_socket_recvmsg,
5520 .socket_getsockname = selinux_socket_getsockname,
5521 .socket_getpeername = selinux_socket_getpeername,
5522 .socket_getsockopt = selinux_socket_getsockopt,
5523 .socket_setsockopt = selinux_socket_setsockopt,
5524 .socket_shutdown = selinux_socket_shutdown,
5525 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5526 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5527 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5528 .sk_alloc_security = selinux_sk_alloc_security,
5529 .sk_free_security = selinux_sk_free_security,
5530 .sk_clone_security = selinux_sk_clone_security,
5531 .sk_getsecid = selinux_sk_getsecid,
5532 .sock_graft = selinux_sock_graft,
5533 .inet_conn_request = selinux_inet_conn_request,
5534 .inet_csk_clone = selinux_inet_csk_clone,
5535 .inet_conn_established = selinux_inet_conn_established,
5536 .req_classify_flow = selinux_req_classify_flow,
5537
5538 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5539 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5540 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5541 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5542 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5543 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5544 .xfrm_state_free_security = selinux_xfrm_state_free,
5545 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5546 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5547 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5548 .xfrm_decode_session = selinux_xfrm_decode_session,
5549 #endif
5550
5551 #ifdef CONFIG_KEYS
5552 .key_alloc = selinux_key_alloc,
5553 .key_free = selinux_key_free,
5554 .key_permission = selinux_key_permission,
5555 .key_getsecurity = selinux_key_getsecurity,
5556 #endif
5557
5558 #ifdef CONFIG_AUDIT
5559 .audit_rule_init = selinux_audit_rule_init,
5560 .audit_rule_known = selinux_audit_rule_known,
5561 .audit_rule_match = selinux_audit_rule_match,
5562 .audit_rule_free = selinux_audit_rule_free,
5563 #endif
5564 };
5565
5566 static __init int selinux_init(void)
5567 {
5568 struct task_security_struct *tsec;
5569
5570 if (!security_module_enable(&selinux_ops)) {
5571 selinux_enabled = 0;
5572 return 0;
5573 }
5574
5575 if (!selinux_enabled) {
5576 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5577 return 0;
5578 }
5579
5580 printk(KERN_INFO "SELinux: Initializing.\n");
5581
5582 /* Set the security state for the initial task. */
5583 if (task_alloc_security(current))
5584 panic("SELinux: Failed to initialize initial task.\n");
5585 tsec = current->security;
5586 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5587
5588 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5589 sizeof(struct inode_security_struct),
5590 0, SLAB_PANIC, NULL);
5591 avc_init();
5592
5593 secondary_ops = security_ops;
5594 if (!secondary_ops)
5595 panic("SELinux: No initial security operations\n");
5596 if (register_security(&selinux_ops))
5597 panic("SELinux: Unable to register with kernel.\n");
5598
5599 if (selinux_enforcing)
5600 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5601 else
5602 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5603
5604 return 0;
5605 }
5606
5607 void selinux_complete_init(void)
5608 {
5609 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5610
5611 /* Set up any superblocks initialized prior to the policy load. */
5612 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5613 spin_lock(&sb_lock);
5614 spin_lock(&sb_security_lock);
5615 next_sb:
5616 if (!list_empty(&superblock_security_head)) {
5617 struct superblock_security_struct *sbsec =
5618 list_entry(superblock_security_head.next,
5619 struct superblock_security_struct,
5620 list);
5621 struct super_block *sb = sbsec->sb;
5622 sb->s_count++;
5623 spin_unlock(&sb_security_lock);
5624 spin_unlock(&sb_lock);
5625 down_read(&sb->s_umount);
5626 if (sb->s_root)
5627 superblock_doinit(sb, NULL);
5628 drop_super(sb);
5629 spin_lock(&sb_lock);
5630 spin_lock(&sb_security_lock);
5631 list_del_init(&sbsec->list);
5632 goto next_sb;
5633 }
5634 spin_unlock(&sb_security_lock);
5635 spin_unlock(&sb_lock);
5636 }
5637
5638 /* SELinux requires early initialization in order to label
5639 all processes and objects when they are created. */
5640 security_initcall(selinux_init);
5641
5642 #if defined(CONFIG_NETFILTER)
5643
5644 static struct nf_hook_ops selinux_ipv4_ops[] = {
5645 {
5646 .hook = selinux_ipv4_postroute,
5647 .owner = THIS_MODULE,
5648 .pf = PF_INET,
5649 .hooknum = NF_INET_POST_ROUTING,
5650 .priority = NF_IP_PRI_SELINUX_LAST,
5651 },
5652 {
5653 .hook = selinux_ipv4_forward,
5654 .owner = THIS_MODULE,
5655 .pf = PF_INET,
5656 .hooknum = NF_INET_FORWARD,
5657 .priority = NF_IP_PRI_SELINUX_FIRST,
5658 }
5659 };
5660
5661 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5662
5663 static struct nf_hook_ops selinux_ipv6_ops[] = {
5664 {
5665 .hook = selinux_ipv6_postroute,
5666 .owner = THIS_MODULE,
5667 .pf = PF_INET6,
5668 .hooknum = NF_INET_POST_ROUTING,
5669 .priority = NF_IP6_PRI_SELINUX_LAST,
5670 },
5671 {
5672 .hook = selinux_ipv6_forward,
5673 .owner = THIS_MODULE,
5674 .pf = PF_INET6,
5675 .hooknum = NF_INET_FORWARD,
5676 .priority = NF_IP6_PRI_SELINUX_FIRST,
5677 }
5678 };
5679
5680 #endif /* IPV6 */
5681
5682 static int __init selinux_nf_ip_init(void)
5683 {
5684 int err = 0;
5685 u32 iter;
5686
5687 if (!selinux_enabled)
5688 goto out;
5689
5690 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5691
5692 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5693 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5694 if (err)
5695 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5696 err);
5697 }
5698
5699 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5700 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5701 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5702 if (err)
5703 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5704 err);
5705 }
5706 #endif /* IPV6 */
5707
5708 out:
5709 return err;
5710 }
5711
5712 __initcall(selinux_nf_ip_init);
5713
5714 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5715 static void selinux_nf_ip_exit(void)
5716 {
5717 u32 iter;
5718
5719 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5720
5721 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5722 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5723 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5724 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5725 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5726 #endif /* IPV6 */
5727 }
5728 #endif
5729
5730 #else /* CONFIG_NETFILTER */
5731
5732 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5733 #define selinux_nf_ip_exit()
5734 #endif
5735
5736 #endif /* CONFIG_NETFILTER */
5737
5738 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5739 static int selinux_disabled;
5740
5741 int selinux_disable(void)
5742 {
5743 extern void exit_sel_fs(void);
5744
5745 if (ss_initialized) {
5746 /* Not permitted after initial policy load. */
5747 return -EINVAL;
5748 }
5749
5750 if (selinux_disabled) {
5751 /* Only do this once. */
5752 return -EINVAL;
5753 }
5754
5755 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5756
5757 selinux_disabled = 1;
5758 selinux_enabled = 0;
5759
5760 /* Reset security_ops to the secondary module, dummy or capability. */
5761 security_ops = secondary_ops;
5762
5763 /* Unregister netfilter hooks. */
5764 selinux_nf_ip_exit();
5765
5766 /* Unregister selinuxfs. */
5767 exit_sel_fs();
5768
5769 return 0;
5770 }
5771 #endif
Stable & featurefull patchset based on Linus's git branch