Gitiles
Code Review Sign In
192.168.1.100 / T106_DC / df7f8babc2c13f7adf53ff8e17580ae47c0e07bf / . / ap / os / linux / linux-3.4.x / security / selinux / hooks.c
blob: cbae6d392087cd05658c899ea52968ce7ab033c9 [file] [log] [blame]
lh9ed821d2023-04-07 01:36:19 -0700[diff] [blame]1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26#include <linux/init.h>
27#include <linux/kd.h>
28#include <linux/kernel.h>
29#include <linux/tracehook.h>
30#include <linux/errno.h>
31#include <linux/sched.h>
32#include <linux/security.h>
33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
40#include <linux/proc_fs.h>
41#include <linux/swap.h>
42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
44#include <linux/dcache.h>
45#include <linux/file.h>
46#include <linux/fdtable.h>
47#include <linux/namei.h>
48#include <linux/mount.h>
49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
53#include <net/ip.h> /* for local_port_range[] */
54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55#include <net/inet_connection_sock.h>
56#include <net/net_namespace.h>
57#include <net/netlabel.h>
58#include <linux/uaccess.h>
59#include <asm/ioctls.h>
60#include <linux/atomic.h>
61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
64#include <linux/netlink.h>
65#include <linux/tcp.h>
66#include <linux/udp.h>
67#include <linux/dccp.h>
68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
76#include <linux/audit.h>
77#include <linux/string.h>
78#include <linux/selinux.h>
79#include <linux/mutex.h>
80#include <linux/posix-timers.h>
81#include <linux/syslog.h>
82#include <linux/user_namespace.h>
83#include <linux/export.h>
84#include <linux/msg.h>
85#include <linux/shm.h>
86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
90#include "netnode.h"
91#include "netport.h"
92#include "xfrm.h"
93#include "netlabel.h"
94#include "audit.h"
95#include "avc_ss.h"
96
97#define NUM_SEL_MNT_OPTS 5
98
99extern struct security_operations *security_ops;
100
101/* SECMARK reference count */
102static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103
104#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105int selinux_enforcing;
106
107static int __init enforcing_setup(char *str)
108{
109 unsigned long enforcing;
110 if (!strict_strtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
112 return 1;
113}
114__setup("enforcing=", enforcing_setup);
115#endif
116
117#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120static int __init selinux_enabled_setup(char *str)
121{
122 unsigned long enabled;
123 if (!strict_strtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
125 return 1;
126}
127__setup("selinux=", selinux_enabled_setup);
128#else
129int selinux_enabled = 1;
130#endif
131
132static struct kmem_cache *sel_inode_cache;
133
134/**
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 *
137 * Description:
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled.
142 *
143 */
144static int selinux_secmark_enabled(void)
145{
146 return (atomic_read(&selinux_secmark_refcount) > 0);
147}
148
149/*
150 * initialise the security for the init task
151 */
152static void cred_init_security(void)
153{
154 struct cred *cred = (struct cred *) current->real_cred;
155 struct task_security_struct *tsec;
156
157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
158 if (!tsec)
159 panic("SELinux: Failed to initialize initial task.\n");
160
161 tsec->osid = tsec->sid = SECINITSID_KERNEL;
162 cred->security = tsec;
163}
164
165/*
166 * get the security ID of a set of credentials
167 */
168static inline u32 cred_sid(const struct cred *cred)
169{
170 const struct task_security_struct *tsec;
171
172 tsec = cred->security;
173 return tsec->sid;
174}
175
176/*
177 * get the objective security ID of a task
178 */
179static inline u32 task_sid(const struct task_struct *task)
180{
181 u32 sid;
182
183 rcu_read_lock();
184 sid = cred_sid(__task_cred(task));
185 rcu_read_unlock();
186 return sid;
187}
188
189/*
190 * get the subjective security ID of the current task
191 */
192static inline u32 current_sid(void)
193{
194 const struct task_security_struct *tsec = current_security();
195
196 return tsec->sid;
197}
198
199/* Allocate and free functions for each kind of security blob. */
200
201static int inode_alloc_security(struct inode *inode)
202{
203 struct inode_security_struct *isec;
204 u32 sid = current_sid();
205
206 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
207 if (!isec)
208 return -ENOMEM;
209
210 mutex_init(&isec->lock);
211 INIT_LIST_HEAD(&isec->list);
212 isec->inode = inode;
213 isec->sid = SECINITSID_UNLABELED;
214 isec->sclass = SECCLASS_FILE;
215 isec->task_sid = sid;
216 inode->i_security = isec;
217
218 return 0;
219}
220
221static void inode_free_rcu(struct rcu_head *head)
222{
223 struct inode_security_struct *isec;
224
225 isec = container_of(head, struct inode_security_struct, rcu);
226 kmem_cache_free(sel_inode_cache, isec);
227}
228
229static void inode_free_security(struct inode *inode)
230{
231 struct inode_security_struct *isec = inode->i_security;
232 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
233
234 spin_lock(&sbsec->isec_lock);
235 if (!list_empty(&isec->list))
236 list_del_init(&isec->list);
237 spin_unlock(&sbsec->isec_lock);
238
239 /*
240 * The inode may still be referenced in a path walk and
241 * a call to selinux_inode_permission() can be made
242 * after inode_free_security() is called. Ideally, the VFS
243 * wouldn't do this, but fixing that is a much harder
244 * job. For now, simply free the i_security via RCU, and
245 * leave the current inode->i_security pointer intact.
246 * The inode will be freed after the RCU grace period too.
247 */
248 call_rcu(&isec->rcu, inode_free_rcu);
249}
250
251static int file_alloc_security(struct file *file)
252{
253 struct file_security_struct *fsec;
254 u32 sid = current_sid();
255
256 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
257 if (!fsec)
258 return -ENOMEM;
259
260 fsec->sid = sid;
261 fsec->fown_sid = sid;
262 file->f_security = fsec;
263
264 return 0;
265}
266
267static void file_free_security(struct file *file)
268{
269 struct file_security_struct *fsec = file->f_security;
270 file->f_security = NULL;
271 kfree(fsec);
272}
273
274static int superblock_alloc_security(struct super_block *sb)
275{
276 struct superblock_security_struct *sbsec;
277
278 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
279 if (!sbsec)
280 return -ENOMEM;
281
282 mutex_init(&sbsec->lock);
283 INIT_LIST_HEAD(&sbsec->isec_head);
284 spin_lock_init(&sbsec->isec_lock);
285 sbsec->sb = sb;
286 sbsec->sid = SECINITSID_UNLABELED;
287 sbsec->def_sid = SECINITSID_FILE;
288 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
289 sb->s_security = sbsec;
290
291 return 0;
292}
293
294static void superblock_free_security(struct super_block *sb)
295{
296 struct superblock_security_struct *sbsec = sb->s_security;
297 sb->s_security = NULL;
298 kfree(sbsec);
299}
300
301/* The file system's label must be initialized prior to use. */
302
303static const char *labeling_behaviors[6] = {
304 "uses xattr",
305 "uses transition SIDs",
306 "uses task SIDs",
307 "uses genfs_contexts",
308 "not configured for labeling",
309 "uses mountpoint labeling",
310};
311
312static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314static inline int inode_doinit(struct inode *inode)
315{
316 return inode_doinit_with_dentry(inode, NULL);
317}
318
319enum {
320 Opt_error = -1,
321 Opt_context = 1,
322 Opt_fscontext = 2,
323 Opt_defcontext = 3,
324 Opt_rootcontext = 4,
325 Opt_labelsupport = 5,
326};
327
328static const match_table_t tokens = {
329 {Opt_context, CONTEXT_STR "%s"},
330 {Opt_fscontext, FSCONTEXT_STR "%s"},
331 {Opt_defcontext, DEFCONTEXT_STR "%s"},
332 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
333 {Opt_labelsupport, LABELSUPP_STR},
334 {Opt_error, NULL},
335};
336
337#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
338
339static int may_context_mount_sb_relabel(u32 sid,
340 struct superblock_security_struct *sbsec,
341 const struct cred *cred)
342{
343 const struct task_security_struct *tsec = cred->security;
344 int rc;
345
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
348 if (rc)
349 return rc;
350
351 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__RELABELTO, NULL);
353 return rc;
354}
355
356static int may_context_mount_inode_relabel(u32 sid,
357 struct superblock_security_struct *sbsec,
358 const struct cred *cred)
359{
360 const struct task_security_struct *tsec = cred->security;
361 int rc;
362 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__RELABELFROM, NULL);
364 if (rc)
365 return rc;
366
367 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
368 FILESYSTEM__ASSOCIATE, NULL);
369 return rc;
370}
371
372static int sb_finish_set_opts(struct super_block *sb)
373{
374 struct superblock_security_struct *sbsec = sb->s_security;
375 struct dentry *root = sb->s_root;
376 struct inode *root_inode = root->d_inode;
377 int rc = 0;
378
379 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
380 /* Make sure that the xattr handler exists and that no
381 error other than -ENODATA is returned by getxattr on
382 the root directory. -ENODATA is ok, as this may be
383 the first boot of the SELinux kernel before we have
384 assigned xattr values to the filesystem. */
385 if (!root_inode->i_op->getxattr) {
386 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
387 "xattr support\n", sb->s_id, sb->s_type->name);
388 rc = -EOPNOTSUPP;
389 goto out;
390 }
391 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
392 if (rc < 0 && rc != -ENODATA) {
393 if (rc == -EOPNOTSUPP)
394 printk(KERN_WARNING "SELinux: (dev %s, type "
395 "%s) has no security xattr handler\n",
396 sb->s_id, sb->s_type->name);
397 else
398 printk(KERN_WARNING "SELinux: (dev %s, type "
399 "%s) getxattr errno %d\n", sb->s_id,
400 sb->s_type->name, -rc);
401 goto out;
402 }
403 }
404
405 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
406
407 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
408 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
409 sb->s_id, sb->s_type->name);
410 else
411 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
412 sb->s_id, sb->s_type->name,
413 labeling_behaviors[sbsec->behavior-1]);
414
415 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
416 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
417 sbsec->behavior == SECURITY_FS_USE_NONE ||
418 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
419 sbsec->flags &= ~SE_SBLABELSUPP;
420
421 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
422 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
423 sbsec->flags |= SE_SBLABELSUPP;
424
425 /* Initialize the root inode. */
426 rc = inode_doinit_with_dentry(root_inode, root);
427
428 /* Initialize any other inodes associated with the superblock, e.g.
429 inodes created prior to initial policy load or inodes created
430 during get_sb by a pseudo filesystem that directly
431 populates itself. */
432 spin_lock(&sbsec->isec_lock);
433next_inode:
434 if (!list_empty(&sbsec->isec_head)) {
435 struct inode_security_struct *isec =
436 list_entry(sbsec->isec_head.next,
437 struct inode_security_struct, list);
438 struct inode *inode = isec->inode;
439 list_del_init(&isec->list);
440 spin_unlock(&sbsec->isec_lock);
441 inode = igrab(inode);
442 if (inode) {
443 if (!IS_PRIVATE(inode))
444 inode_doinit(inode);
445 iput(inode);
446 }
447 spin_lock(&sbsec->isec_lock);
448 goto next_inode;
449 }
450 spin_unlock(&sbsec->isec_lock);
451out:
452 return rc;
453}
454
455/*
456 * This function should allow an FS to ask what it's mount security
457 * options were so it can use those later for submounts, displaying
458 * mount options, or whatever.
459 */
460static int selinux_get_mnt_opts(const struct super_block *sb,
461 struct security_mnt_opts *opts)
462{
463 int rc = 0, i;
464 struct superblock_security_struct *sbsec = sb->s_security;
465 char *context = NULL;
466 u32 len;
467 char tmp;
468
469 security_init_mnt_opts(opts);
470
471 if (!(sbsec->flags & SE_SBINITIALIZED))
472 return -EINVAL;
473
474 if (!ss_initialized)
475 return -EINVAL;
476
477 tmp = sbsec->flags & SE_MNTMASK;
478 /* count the number of mount options for this sb */
479 for (i = 0; i < 8; i++) {
480 if (tmp & 0x01)
481 opts->num_mnt_opts++;
482 tmp >>= 1;
483 }
484 /* Check if the Label support flag is set */
485 if (sbsec->flags & SE_SBLABELSUPP)
486 opts->num_mnt_opts++;
487
488 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
489 if (!opts->mnt_opts) {
490 rc = -ENOMEM;
491 goto out_free;
492 }
493
494 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
495 if (!opts->mnt_opts_flags) {
496 rc = -ENOMEM;
497 goto out_free;
498 }
499
500 i = 0;
501 if (sbsec->flags & FSCONTEXT_MNT) {
502 rc = security_sid_to_context(sbsec->sid, &context, &len);
503 if (rc)
504 goto out_free;
505 opts->mnt_opts[i] = context;
506 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
507 }
508 if (sbsec->flags & CONTEXT_MNT) {
509 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
510 if (rc)
511 goto out_free;
512 opts->mnt_opts[i] = context;
513 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
514 }
515 if (sbsec->flags & DEFCONTEXT_MNT) {
516 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
517 if (rc)
518 goto out_free;
519 opts->mnt_opts[i] = context;
520 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
521 }
522 if (sbsec->flags & ROOTCONTEXT_MNT) {
523 struct inode *root = sbsec->sb->s_root->d_inode;
524 struct inode_security_struct *isec = root->i_security;
525
526 rc = security_sid_to_context(isec->sid, &context, &len);
527 if (rc)
528 goto out_free;
529 opts->mnt_opts[i] = context;
530 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
531 }
532 if (sbsec->flags & SE_SBLABELSUPP) {
533 opts->mnt_opts[i] = NULL;
534 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
535 }
536
537 BUG_ON(i != opts->num_mnt_opts);
538
539 return 0;
540
541out_free:
542 security_free_mnt_opts(opts);
543 return rc;
544}
545
546static int bad_option(struct superblock_security_struct *sbsec, char flag,
547 u32 old_sid, u32 new_sid)
548{
549 char mnt_flags = sbsec->flags & SE_MNTMASK;
550
551 /* check if the old mount command had the same options */
552 if (sbsec->flags & SE_SBINITIALIZED)
553 if (!(sbsec->flags & flag) ||
554 (old_sid != new_sid))
555 return 1;
556
557 /* check if we were passed the same options twice,
558 * aka someone passed context=a,context=b
559 */
560 if (!(sbsec->flags & SE_SBINITIALIZED))
561 if (mnt_flags & flag)
562 return 1;
563 return 0;
564}
565
566/*
567 * Allow filesystems with binary mount data to explicitly set mount point
568 * labeling information.
569 */
570static int selinux_set_mnt_opts(struct super_block *sb,
571 struct security_mnt_opts *opts)
572{
573 const struct cred *cred = current_cred();
574 int rc = 0, i;
575 struct superblock_security_struct *sbsec = sb->s_security;
576 const char *name = sb->s_type->name;
577 struct inode *inode = sbsec->sb->s_root->d_inode;
578 struct inode_security_struct *root_isec = inode->i_security;
579 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
580 u32 defcontext_sid = 0;
581 char **mount_options = opts->mnt_opts;
582 int *flags = opts->mnt_opts_flags;
583 int num_opts = opts->num_mnt_opts;
584
585 mutex_lock(&sbsec->lock);
586
587 if (!ss_initialized) {
588 if (!num_opts) {
589 /* Defer initialization until selinux_complete_init,
590 after the initial policy is loaded and the security
591 server is ready to handle calls. */
592 goto out;
593 }
594 rc = -EINVAL;
595 printk(KERN_WARNING "SELinux: Unable to set superblock options "
596 "before the security server is initialized\n");
597 goto out;
598 }
599
600 /*
601 * Binary mount data FS will come through this function twice. Once
602 * from an explicit call and once from the generic calls from the vfs.
603 * Since the generic VFS calls will not contain any security mount data
604 * we need to skip the double mount verification.
605 *
606 * This does open a hole in which we will not notice if the first
607 * mount using this sb set explict options and a second mount using
608 * this sb does not set any security options. (The first options
609 * will be used for both mounts)
610 */
611 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
612 && (num_opts == 0))
613 goto out;
614
615 /*
616 * parse the mount options, check if they are valid sids.
617 * also check if someone is trying to mount the same sb more
618 * than once with different security options.
619 */
620 for (i = 0; i < num_opts; i++) {
621 u32 sid;
622
623 if (flags[i] == SE_SBLABELSUPP)
624 continue;
625 rc = security_context_to_sid(mount_options[i],
626 strlen(mount_options[i]), &sid);
627 if (rc) {
628 printk(KERN_WARNING "SELinux: security_context_to_sid"
629 "(%s) failed for (dev %s, type %s) errno=%d\n",
630 mount_options[i], sb->s_id, name, rc);
631 goto out;
632 }
633 switch (flags[i]) {
634 case FSCONTEXT_MNT:
635 fscontext_sid = sid;
636
637 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
638 fscontext_sid))
639 goto out_double_mount;
640
641 sbsec->flags |= FSCONTEXT_MNT;
642 break;
643 case CONTEXT_MNT:
644 context_sid = sid;
645
646 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
647 context_sid))
648 goto out_double_mount;
649
650 sbsec->flags |= CONTEXT_MNT;
651 break;
652 case ROOTCONTEXT_MNT:
653 rootcontext_sid = sid;
654
655 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
656 rootcontext_sid))
657 goto out_double_mount;
658
659 sbsec->flags |= ROOTCONTEXT_MNT;
660
661 break;
662 case DEFCONTEXT_MNT:
663 defcontext_sid = sid;
664
665 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
666 defcontext_sid))
667 goto out_double_mount;
668
669 sbsec->flags |= DEFCONTEXT_MNT;
670
671 break;
672 default:
673 rc = -EINVAL;
674 goto out;
675 }
676 }
677
678 if (sbsec->flags & SE_SBINITIALIZED) {
679 /* previously mounted with options, but not on this attempt? */
680 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
681 goto out_double_mount;
682 rc = 0;
683 goto out;
684 }
685
686 if (strcmp(sb->s_type->name, "proc") == 0)
687 sbsec->flags |= SE_SBPROC;
688
689 /* Determine the labeling behavior to use for this filesystem type. */
690 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
691 if (rc) {
692 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
693 __func__, sb->s_type->name, rc);
694 goto out;
695 }
696
697 /* sets the context of the superblock for the fs being mounted. */
698 if (fscontext_sid) {
699 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
700 if (rc)
701 goto out;
702
703 sbsec->sid = fscontext_sid;
704 }
705
706 /*
707 * Switch to using mount point labeling behavior.
708 * sets the label used on all file below the mountpoint, and will set
709 * the superblock context if not already set.
710 */
711 if (context_sid) {
712 if (!fscontext_sid) {
713 rc = may_context_mount_sb_relabel(context_sid, sbsec,
714 cred);
715 if (rc)
716 goto out;
717 sbsec->sid = context_sid;
718 } else {
719 rc = may_context_mount_inode_relabel(context_sid, sbsec,
720 cred);
721 if (rc)
722 goto out;
723 }
724 if (!rootcontext_sid)
725 rootcontext_sid = context_sid;
726
727 sbsec->mntpoint_sid = context_sid;
728 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
729 }
730
731 if (rootcontext_sid) {
732 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
733 cred);
734 if (rc)
735 goto out;
736
737 root_isec->sid = rootcontext_sid;
738 root_isec->initialized = 1;
739 }
740
741 if (defcontext_sid) {
742 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
743 rc = -EINVAL;
744 printk(KERN_WARNING "SELinux: defcontext option is "
745 "invalid for this filesystem type\n");
746 goto out;
747 }
748
749 if (defcontext_sid != sbsec->def_sid) {
750 rc = may_context_mount_inode_relabel(defcontext_sid,
751 sbsec, cred);
752 if (rc)
753 goto out;
754 }
755
756 sbsec->def_sid = defcontext_sid;
757 }
758
759 rc = sb_finish_set_opts(sb);
760out:
761 mutex_unlock(&sbsec->lock);
762 return rc;
763out_double_mount:
764 rc = -EINVAL;
765 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
766 "security settings for (dev %s, type %s)\n", sb->s_id, name);
767 goto out;
768}
769
770static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
771 struct super_block *newsb)
772{
773 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
774 struct superblock_security_struct *newsbsec = newsb->s_security;
775
776 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
777 int set_context = (oldsbsec->flags & CONTEXT_MNT);
778 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
779
780 /*
781 * if the parent was able to be mounted it clearly had no special lsm
782 * mount options. thus we can safely deal with this superblock later
783 */
784 if (!ss_initialized)
785 return;
786
787 /* how can we clone if the old one wasn't set up?? */
788 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
789
790 /* if fs is reusing a sb, just let its options stand... */
791 if (newsbsec->flags & SE_SBINITIALIZED)
792 return;
793
794 mutex_lock(&newsbsec->lock);
795
796 newsbsec->flags = oldsbsec->flags;
797
798 newsbsec->sid = oldsbsec->sid;
799 newsbsec->def_sid = oldsbsec->def_sid;
800 newsbsec->behavior = oldsbsec->behavior;
801
802 if (set_context) {
803 u32 sid = oldsbsec->mntpoint_sid;
804
805 if (!set_fscontext)
806 newsbsec->sid = sid;
807 if (!set_rootcontext) {
808 struct inode *newinode = newsb->s_root->d_inode;
809 struct inode_security_struct *newisec = newinode->i_security;
810 newisec->sid = sid;
811 }
812 newsbsec->mntpoint_sid = sid;
813 }
814 if (set_rootcontext) {
815 const struct inode *oldinode = oldsb->s_root->d_inode;
816 const struct inode_security_struct *oldisec = oldinode->i_security;
817 struct inode *newinode = newsb->s_root->d_inode;
818 struct inode_security_struct *newisec = newinode->i_security;
819
820 newisec->sid = oldisec->sid;
821 }
822
823 sb_finish_set_opts(newsb);
824 mutex_unlock(&newsbsec->lock);
825}
826
827static int selinux_parse_opts_str(char *options,
828 struct security_mnt_opts *opts)
829{
830 char *p;
831 char *context = NULL, *defcontext = NULL;
832 char *fscontext = NULL, *rootcontext = NULL;
833 int rc, num_mnt_opts = 0;
834
835 opts->num_mnt_opts = 0;
836
837 /* Standard string-based options. */
838 while ((p = strsep(&options, "|")) != NULL) {
839 int token;
840 substring_t args[MAX_OPT_ARGS];
841
842 if (!*p)
843 continue;
844
845 token = match_token(p, tokens, args);
846
847 switch (token) {
848 case Opt_context:
849 if (context || defcontext) {
850 rc = -EINVAL;
851 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
852 goto out_err;
853 }
854 context = match_strdup(&args[0]);
855 if (!context) {
856 rc = -ENOMEM;
857 goto out_err;
858 }
859 break;
860
861 case Opt_fscontext:
862 if (fscontext) {
863 rc = -EINVAL;
864 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
865 goto out_err;
866 }
867 fscontext = match_strdup(&args[0]);
868 if (!fscontext) {
869 rc = -ENOMEM;
870 goto out_err;
871 }
872 break;
873
874 case Opt_rootcontext:
875 if (rootcontext) {
876 rc = -EINVAL;
877 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
878 goto out_err;
879 }
880 rootcontext = match_strdup(&args[0]);
881 if (!rootcontext) {
882 rc = -ENOMEM;
883 goto out_err;
884 }
885 break;
886
887 case Opt_defcontext:
888 if (context || defcontext) {
889 rc = -EINVAL;
890 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
891 goto out_err;
892 }
893 defcontext = match_strdup(&args[0]);
894 if (!defcontext) {
895 rc = -ENOMEM;
896 goto out_err;
897 }
898 break;
899 case Opt_labelsupport:
900 break;
901 default:
902 rc = -EINVAL;
903 printk(KERN_WARNING "SELinux: unknown mount option\n");
904 goto out_err;
905
906 }
907 }
908
909 rc = -ENOMEM;
910 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
911 if (!opts->mnt_opts)
912 goto out_err;
913
914 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
915 if (!opts->mnt_opts_flags) {
916 kfree(opts->mnt_opts);
917 goto out_err;
918 }
919
920 if (fscontext) {
921 opts->mnt_opts[num_mnt_opts] = fscontext;
922 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
923 }
924 if (context) {
925 opts->mnt_opts[num_mnt_opts] = context;
926 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
927 }
928 if (rootcontext) {
929 opts->mnt_opts[num_mnt_opts] = rootcontext;
930 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
931 }
932 if (defcontext) {
933 opts->mnt_opts[num_mnt_opts] = defcontext;
934 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
935 }
936
937 opts->num_mnt_opts = num_mnt_opts;
938 return 0;
939
940out_err:
941 kfree(context);
942 kfree(defcontext);
943 kfree(fscontext);
944 kfree(rootcontext);
945 return rc;
946}
947/*
948 * string mount options parsing and call set the sbsec
949 */
950static int superblock_doinit(struct super_block *sb, void *data)
951{
952 int rc = 0;
953 char *options = data;
954 struct security_mnt_opts opts;
955
956 security_init_mnt_opts(&opts);
957
958 if (!data)
959 goto out;
960
961 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
962
963 rc = selinux_parse_opts_str(options, &opts);
964 if (rc)
965 goto out_err;
966
967out:
968 rc = selinux_set_mnt_opts(sb, &opts);
969
970out_err:
971 security_free_mnt_opts(&opts);
972 return rc;
973}
974
975static void selinux_write_opts(struct seq_file *m,
976 struct security_mnt_opts *opts)
977{
978 int i;
979 char *prefix;
980
981 for (i = 0; i < opts->num_mnt_opts; i++) {
982 char *has_comma;
983
984 if (opts->mnt_opts[i])
985 has_comma = strchr(opts->mnt_opts[i], ',');
986 else
987 has_comma = NULL;
988
989 switch (opts->mnt_opts_flags[i]) {
990 case CONTEXT_MNT:
991 prefix = CONTEXT_STR;
992 break;
993 case FSCONTEXT_MNT:
994 prefix = FSCONTEXT_STR;
995 break;
996 case ROOTCONTEXT_MNT:
997 prefix = ROOTCONTEXT_STR;
998 break;
999 case DEFCONTEXT_MNT:
1000 prefix = DEFCONTEXT_STR;
1001 break;
1002 case SE_SBLABELSUPP:
1003 seq_putc(m, ',');
1004 seq_puts(m, LABELSUPP_STR);
1005 continue;
1006 default:
1007 BUG();
1008 return;
1009 };
1010 /* we need a comma before each option */
1011 seq_putc(m, ',');
1012 seq_puts(m, prefix);
1013 if (has_comma)
1014 seq_putc(m, '\"');
1015 seq_puts(m, opts->mnt_opts[i]);
1016 if (has_comma)
1017 seq_putc(m, '\"');
1018 }
1019}
1020
1021static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1022{
1023 struct security_mnt_opts opts;
1024 int rc;
1025
1026 rc = selinux_get_mnt_opts(sb, &opts);
1027 if (rc) {
1028 /* before policy load we may get EINVAL, don't show anything */
1029 if (rc == -EINVAL)
1030 rc = 0;
1031 return rc;
1032 }
1033
1034 selinux_write_opts(m, &opts);
1035
1036 security_free_mnt_opts(&opts);
1037
1038 return rc;
1039}
1040
1041static inline u16 inode_mode_to_security_class(umode_t mode)
1042{
1043 switch (mode & S_IFMT) {
1044 case S_IFSOCK:
1045 return SECCLASS_SOCK_FILE;
1046 case S_IFLNK:
1047 return SECCLASS_LNK_FILE;
1048 case S_IFREG:
1049 return SECCLASS_FILE;
1050 case S_IFBLK:
1051 return SECCLASS_BLK_FILE;
1052 case S_IFDIR:
1053 return SECCLASS_DIR;
1054 case S_IFCHR:
1055 return SECCLASS_CHR_FILE;
1056 case S_IFIFO:
1057 return SECCLASS_FIFO_FILE;
1058
1059 }
1060
1061 return SECCLASS_FILE;
1062}
1063
1064static inline int default_protocol_stream(int protocol)
1065{
1066 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1067}
1068
1069static inline int default_protocol_dgram(int protocol)
1070{
1071 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1072}
1073
1074static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1075{
1076 switch (family) {
1077 case PF_UNIX:
1078 switch (type) {
1079 case SOCK_STREAM:
1080 case SOCK_SEQPACKET:
1081 return SECCLASS_UNIX_STREAM_SOCKET;
1082 case SOCK_DGRAM:
1083 return SECCLASS_UNIX_DGRAM_SOCKET;
1084 }
1085 break;
1086 case PF_INET:
1087 case PF_INET6:
1088 switch (type) {
1089 case SOCK_STREAM:
1090 if (default_protocol_stream(protocol))
1091 return SECCLASS_TCP_SOCKET;
1092 else
1093 return SECCLASS_RAWIP_SOCKET;
1094 case SOCK_DGRAM:
1095 if (default_protocol_dgram(protocol))
1096 return SECCLASS_UDP_SOCKET;
1097 else
1098 return SECCLASS_RAWIP_SOCKET;
1099 case SOCK_DCCP:
1100 return SECCLASS_DCCP_SOCKET;
1101 default:
1102 return SECCLASS_RAWIP_SOCKET;
1103 }
1104 break;
1105 case PF_NETLINK:
1106 switch (protocol) {
1107 case NETLINK_ROUTE:
1108 return SECCLASS_NETLINK_ROUTE_SOCKET;
1109 case NETLINK_FIREWALL:
1110 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1111 case NETLINK_SOCK_DIAG:
1112 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1113 case NETLINK_NFLOG:
1114 return SECCLASS_NETLINK_NFLOG_SOCKET;
1115 case NETLINK_XFRM:
1116 return SECCLASS_NETLINK_XFRM_SOCKET;
1117 case NETLINK_SELINUX:
1118 return SECCLASS_NETLINK_SELINUX_SOCKET;
1119 case NETLINK_AUDIT:
1120 return SECCLASS_NETLINK_AUDIT_SOCKET;
1121 case NETLINK_IP6_FW:
1122 return SECCLASS_NETLINK_IP6FW_SOCKET;
1123 case NETLINK_DNRTMSG:
1124 return SECCLASS_NETLINK_DNRT_SOCKET;
1125 case NETLINK_KOBJECT_UEVENT:
1126 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1127 default:
1128 return SECCLASS_NETLINK_SOCKET;
1129 }
1130 case PF_PACKET:
1131 return SECCLASS_PACKET_SOCKET;
1132 case PF_KEY:
1133 return SECCLASS_KEY_SOCKET;
1134 case PF_APPLETALK:
1135 return SECCLASS_APPLETALK_SOCKET;
1136 }
1137
1138 return SECCLASS_SOCKET;
1139}
1140
1141#ifdef CONFIG_PROC_FS
1142static int selinux_proc_get_sid(struct dentry *dentry,
1143 u16 tclass,
1144 u32 *sid)
1145{
1146 int rc;
1147 char *buffer, *path;
1148
1149 buffer = (char *)__get_free_page(GFP_KERNEL);
1150 if (!buffer)
1151 return -ENOMEM;
1152
1153 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1154 if (IS_ERR(path))
1155 rc = PTR_ERR(path);
1156 else {
1157 /* each process gets a /proc/PID/ entry. Strip off the
1158 * PID part to get a valid selinux labeling.
1159 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1160 while (path[1] >= '0' && path[1] <= '9') {
1161 path[1] = '/';
1162 path++;
1163 }
1164 rc = security_genfs_sid("proc", path, tclass, sid);
1165 }
1166 free_page((unsigned long)buffer);
1167 return rc;
1168}
1169#else
1170static int selinux_proc_get_sid(struct dentry *dentry,
1171 u16 tclass,
1172 u32 *sid)
1173{
1174 return -EINVAL;
1175}
1176#endif
1177
1178/* The inode's security attributes must be initialized before first use. */
1179static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1180{
1181 struct superblock_security_struct *sbsec = NULL;
1182 struct inode_security_struct *isec = inode->i_security;
1183 u32 sid;
1184 struct dentry *dentry;
1185#define INITCONTEXTLEN 255
1186 char *context = NULL;
1187 unsigned len = 0;
1188 int rc = 0;
1189
1190 if (isec->initialized)
1191 goto out;
1192
1193 mutex_lock(&isec->lock);
1194 if (isec->initialized)
1195 goto out_unlock;
1196
1197 sbsec = inode->i_sb->s_security;
1198 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1199 /* Defer initialization until selinux_complete_init,
1200 after the initial policy is loaded and the security
1201 server is ready to handle calls. */
1202 spin_lock(&sbsec->isec_lock);
1203 if (list_empty(&isec->list))
1204 list_add(&isec->list, &sbsec->isec_head);
1205 spin_unlock(&sbsec->isec_lock);
1206 goto out_unlock;
1207 }
1208
1209 switch (sbsec->behavior) {
1210 case SECURITY_FS_USE_XATTR:
1211 if (!inode->i_op->getxattr) {
1212 isec->sid = sbsec->def_sid;
1213 break;
1214 }
1215
1216 /* Need a dentry, since the xattr API requires one.
1217 Life would be simpler if we could just pass the inode. */
1218 if (opt_dentry) {
1219 /* Called from d_instantiate or d_splice_alias. */
1220 dentry = dget(opt_dentry);
1221 } else {
1222 /* Called from selinux_complete_init, try to find a dentry. */
1223 dentry = d_find_alias(inode);
1224 }
1225 if (!dentry) {
1226 /*
1227 * this is can be hit on boot when a file is accessed
1228 * before the policy is loaded. When we load policy we
1229 * may find inodes that have no dentry on the
1230 * sbsec->isec_head list. No reason to complain as these
1231 * will get fixed up the next time we go through
1232 * inode_doinit with a dentry, before these inodes could
1233 * be used again by userspace.
1234 */
1235 goto out_unlock;
1236 }
1237
1238 len = INITCONTEXTLEN;
1239 context = kmalloc(len+1, GFP_NOFS);
1240 if (!context) {
1241 rc = -ENOMEM;
1242 dput(dentry);
1243 goto out_unlock;
1244 }
1245 context[len] = '\0';
1246 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1247 context, len);
1248 if (rc == -ERANGE) {
1249 kfree(context);
1250
1251 /* Need a larger buffer. Query for the right size. */
1252 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1253 NULL, 0);
1254 if (rc < 0) {
1255 dput(dentry);
1256 goto out_unlock;
1257 }
1258 len = rc;
1259 context = kmalloc(len+1, GFP_NOFS);
1260 if (!context) {
1261 rc = -ENOMEM;
1262 dput(dentry);
1263 goto out_unlock;
1264 }
1265 context[len] = '\0';
1266 rc = inode->i_op->getxattr(dentry,
1267 XATTR_NAME_SELINUX,
1268 context, len);
1269 }
1270 dput(dentry);
1271 if (rc < 0) {
1272 if (rc != -ENODATA) {
1273 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1274 "%d for dev=%s ino=%ld\n", __func__,
1275 -rc, inode->i_sb->s_id, inode->i_ino);
1276 kfree(context);
1277 goto out_unlock;
1278 }
1279 /* Map ENODATA to the default file SID */
1280 sid = sbsec->def_sid;
1281 rc = 0;
1282 } else {
1283 rc = security_context_to_sid_default(context, rc, &sid,
1284 sbsec->def_sid,
1285 GFP_NOFS);
1286 if (rc) {
1287 char *dev = inode->i_sb->s_id;
1288 unsigned long ino = inode->i_ino;
1289
1290 if (rc == -EINVAL) {
1291 if (printk_ratelimit())
1292 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1293 "context=%s. This indicates you may need to relabel the inode or the "
1294 "filesystem in question.\n", ino, dev, context);
1295 } else {
1296 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1297 "returned %d for dev=%s ino=%ld\n",
1298 __func__, context, -rc, dev, ino);
1299 }
1300 kfree(context);
1301 /* Leave with the unlabeled SID */
1302 rc = 0;
1303 break;
1304 }
1305 }
1306 kfree(context);
1307 isec->sid = sid;
1308 break;
1309 case SECURITY_FS_USE_TASK:
1310 isec->sid = isec->task_sid;
1311 break;
1312 case SECURITY_FS_USE_TRANS:
1313 /* Default to the fs SID. */
1314 isec->sid = sbsec->sid;
1315
1316 /* Try to obtain a transition SID. */
1317 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1318 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1319 isec->sclass, NULL, &sid);
1320 if (rc)
1321 goto out_unlock;
1322 isec->sid = sid;
1323 break;
1324 case SECURITY_FS_USE_MNTPOINT:
1325 isec->sid = sbsec->mntpoint_sid;
1326 break;
1327 default:
1328 /* Default to the fs superblock SID. */
1329 isec->sid = sbsec->sid;
1330
1331 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1332 /* We must have a dentry to determine the label on
1333 * procfs inodes */
1334 if (opt_dentry)
1335 /* Called from d_instantiate or
1336 * d_splice_alias. */
1337 dentry = dget(opt_dentry);
1338 else
1339 /* Called from selinux_complete_init, try to
1340 * find a dentry. */
1341 dentry = d_find_alias(inode);
1342 /*
1343 * This can be hit on boot when a file is accessed
1344 * before the policy is loaded. When we load policy we
1345 * may find inodes that have no dentry on the
1346 * sbsec->isec_head list. No reason to complain as
1347 * these will get fixed up the next time we go through
1348 * inode_doinit() with a dentry, before these inodes
1349 * could be used again by userspace.
1350 */
1351 if (!dentry)
1352 goto out_unlock;
1353 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1354 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1355 dput(dentry);
1356 if (rc)
1357 goto out_unlock;
1358 isec->sid = sid;
1359 }
1360 break;
1361 }
1362
1363 isec->initialized = 1;
1364
1365out_unlock:
1366 mutex_unlock(&isec->lock);
1367out:
1368 if (isec->sclass == SECCLASS_FILE)
1369 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1370 return rc;
1371}
1372
1373/* Convert a Linux signal to an access vector. */
1374static inline u32 signal_to_av(int sig)
1375{
1376 u32 perm = 0;
1377
1378 switch (sig) {
1379 case SIGCHLD:
1380 /* Commonly granted from child to parent. */
1381 perm = PROCESS__SIGCHLD;
1382 break;
1383 case SIGKILL:
1384 /* Cannot be caught or ignored */
1385 perm = PROCESS__SIGKILL;
1386 break;
1387 case SIGSTOP:
1388 /* Cannot be caught or ignored */
1389 perm = PROCESS__SIGSTOP;
1390 break;
1391 default:
1392 /* All other signals. */
1393 perm = PROCESS__SIGNAL;
1394 break;
1395 }
1396
1397 return perm;
1398}
1399
1400/*
1401 * Check permission between a pair of credentials
1402 * fork check, ptrace check, etc.
1403 */
1404static int cred_has_perm(const struct cred *actor,
1405 const struct cred *target,
1406 u32 perms)
1407{
1408 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1409
1410 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1411}
1412
1413/*
1414 * Check permission between a pair of tasks, e.g. signal checks,
1415 * fork check, ptrace check, etc.
1416 * tsk1 is the actor and tsk2 is the target
1417 * - this uses the default subjective creds of tsk1
1418 */
1419static int task_has_perm(const struct task_struct *tsk1,
1420 const struct task_struct *tsk2,
1421 u32 perms)
1422{
1423 const struct task_security_struct *__tsec1, *__tsec2;
1424 u32 sid1, sid2;
1425
1426 rcu_read_lock();
1427 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1428 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1429 rcu_read_unlock();
1430 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1431}
1432
1433/*
1434 * Check permission between current and another task, e.g. signal checks,
1435 * fork check, ptrace check, etc.
1436 * current is the actor and tsk2 is the target
1437 * - this uses current's subjective creds
1438 */
1439static int current_has_perm(const struct task_struct *tsk,
1440 u32 perms)
1441{
1442 u32 sid, tsid;
1443
1444 sid = current_sid();
1445 tsid = task_sid(tsk);
1446 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1447}
1448
1449#if CAP_LAST_CAP > 63
1450#error Fix SELinux to handle capabilities > 63.
1451#endif
1452
1453/* Check whether a task is allowed to use a capability. */
1454static int cred_has_capability(const struct cred *cred,
1455 int cap, int audit)
1456{
1457 struct common_audit_data ad;
1458 struct selinux_audit_data sad = {0,};
1459 struct av_decision avd;
1460 u16 sclass;
1461 u32 sid = cred_sid(cred);
1462 u32 av = CAP_TO_MASK(cap);
1463 int rc;
1464
1465 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1466 ad.selinux_audit_data = &sad;
1467 ad.tsk = current;
1468 ad.u.cap = cap;
1469
1470 switch (CAP_TO_INDEX(cap)) {
1471 case 0:
1472 sclass = SECCLASS_CAPABILITY;
1473 break;
1474 case 1:
1475 sclass = SECCLASS_CAPABILITY2;
1476 break;
1477 default:
1478 printk(KERN_ERR
1479 "SELinux: out of range capability %d\n", cap);
1480 BUG();
1481 return -EINVAL;
1482 }
1483
1484 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1485 if (audit == SECURITY_CAP_AUDIT) {
1486 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1487 if (rc2)
1488 return rc2;
1489 }
1490 return rc;
1491}
1492
1493/* Check whether a task is allowed to use a system operation. */
1494static int task_has_system(struct task_struct *tsk,
1495 u32 perms)
1496{
1497 u32 sid = task_sid(tsk);
1498
1499 return avc_has_perm(sid, SECINITSID_KERNEL,
1500 SECCLASS_SYSTEM, perms, NULL);
1501}
1502
1503/* Check whether a task has a particular permission to an inode.
1504 The 'adp' parameter is optional and allows other audit
1505 data to be passed (e.g. the dentry). */
1506static int inode_has_perm(const struct cred *cred,
1507 struct inode *inode,
1508 u32 perms,
1509 struct common_audit_data *adp,
1510 unsigned flags)
1511{
1512 struct inode_security_struct *isec;
1513 u32 sid;
1514
1515 validate_creds(cred);
1516
1517 if (unlikely(IS_PRIVATE(inode)))
1518 return 0;
1519
1520 sid = cred_sid(cred);
1521 isec = inode->i_security;
1522
1523 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1524}
1525
1526static int inode_has_perm_noadp(const struct cred *cred,
1527 struct inode *inode,
1528 u32 perms,
1529 unsigned flags)
1530{
1531 struct common_audit_data ad;
1532 struct selinux_audit_data sad = {0,};
1533
1534 COMMON_AUDIT_DATA_INIT(&ad, INODE);
1535 ad.u.inode = inode;
1536 ad.selinux_audit_data = &sad;
1537 return inode_has_perm(cred, inode, perms, &ad, flags);
1538}
1539
1540/* Same as inode_has_perm, but pass explicit audit data containing
1541 the dentry to help the auditing code to more easily generate the
1542 pathname if needed. */
1543static inline int dentry_has_perm(const struct cred *cred,
1544 struct dentry *dentry,
1545 u32 av)
1546{
1547 struct inode *inode = dentry->d_inode;
1548 struct common_audit_data ad;
1549 struct selinux_audit_data sad = {0,};
1550
1551 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1552 ad.u.dentry = dentry;
1553 ad.selinux_audit_data = &sad;
1554 return inode_has_perm(cred, inode, av, &ad, 0);
1555}
1556
1557/* Same as inode_has_perm, but pass explicit audit data containing
1558 the path to help the auditing code to more easily generate the
1559 pathname if needed. */
1560static inline int path_has_perm(const struct cred *cred,
1561 struct path *path,
1562 u32 av)
1563{
1564 struct inode *inode = path->dentry->d_inode;
1565 struct common_audit_data ad;
1566 struct selinux_audit_data sad = {0,};
1567
1568 COMMON_AUDIT_DATA_INIT(&ad, PATH);
1569 ad.u.path = *path;
1570 ad.selinux_audit_data = &sad;
1571 return inode_has_perm(cred, inode, av, &ad, 0);
1572}
1573
1574/* Check whether a task can use an open file descriptor to
1575 access an inode in a given way. Check access to the
1576 descriptor itself, and then use dentry_has_perm to
1577 check a particular permission to the file.
1578 Access to the descriptor is implicitly granted if it
1579 has the same SID as the process. If av is zero, then
1580 access to the file is not checked, e.g. for cases
1581 where only the descriptor is affected like seek. */
1582static int file_has_perm(const struct cred *cred,
1583 struct file *file,
1584 u32 av)
1585{
1586 struct file_security_struct *fsec = file->f_security;
1587 struct inode *inode = file->f_path.dentry->d_inode;
1588 struct common_audit_data ad;
1589 struct selinux_audit_data sad = {0,};
1590 u32 sid = cred_sid(cred);
1591 int rc;
1592
1593 COMMON_AUDIT_DATA_INIT(&ad, PATH);
1594 ad.u.path = file->f_path;
1595 ad.selinux_audit_data = &sad;
1596
1597 if (sid != fsec->sid) {
1598 rc = avc_has_perm(sid, fsec->sid,
1599 SECCLASS_FD,
1600 FD__USE,
1601 &ad);
1602 if (rc)
1603 goto out;
1604 }
1605
1606 /* av is zero if only checking access to the descriptor. */
1607 rc = 0;
1608 if (av)
1609 rc = inode_has_perm(cred, inode, av, &ad, 0);
1610
1611out:
1612 return rc;
1613}
1614
1615/* Check whether a task can create a file. */
1616static int may_create(struct inode *dir,
1617 struct dentry *dentry,
1618 u16 tclass)
1619{
1620 const struct task_security_struct *tsec = current_security();
1621 struct inode_security_struct *dsec;
1622 struct superblock_security_struct *sbsec;
1623 u32 sid, newsid;
1624 struct common_audit_data ad;
1625 struct selinux_audit_data sad = {0,};
1626 int rc;
1627
1628 dsec = dir->i_security;
1629 sbsec = dir->i_sb->s_security;
1630
1631 sid = tsec->sid;
1632 newsid = tsec->create_sid;
1633
1634 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1635 ad.u.dentry = dentry;
1636 ad.selinux_audit_data = &sad;
1637
1638 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1639 DIR__ADD_NAME | DIR__SEARCH,
1640 &ad);
1641 if (rc)
1642 return rc;
1643
1644 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1645 rc = security_transition_sid(sid, dsec->sid, tclass,
1646 &dentry->d_name, &newsid);
1647 if (rc)
1648 return rc;
1649 }
1650
1651 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1652 if (rc)
1653 return rc;
1654
1655 return avc_has_perm(newsid, sbsec->sid,
1656 SECCLASS_FILESYSTEM,
1657 FILESYSTEM__ASSOCIATE, &ad);
1658}
1659
1660/* Check whether a task can create a key. */
1661static int may_create_key(u32 ksid,
1662 struct task_struct *ctx)
1663{
1664 u32 sid = task_sid(ctx);
1665
1666 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1667}
1668
1669#define MAY_LINK 0
1670#define MAY_UNLINK 1
1671#define MAY_RMDIR 2
1672
1673/* Check whether a task can link, unlink, or rmdir a file/directory. */
1674static int may_link(struct inode *dir,
1675 struct dentry *dentry,
1676 int kind)
1677
1678{
1679 struct inode_security_struct *dsec, *isec;
1680 struct common_audit_data ad;
1681 struct selinux_audit_data sad = {0,};
1682 u32 sid = current_sid();
1683 u32 av;
1684 int rc;
1685
1686 dsec = dir->i_security;
1687 isec = dentry->d_inode->i_security;
1688
1689 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1690 ad.u.dentry = dentry;
1691 ad.selinux_audit_data = &sad;
1692
1693 av = DIR__SEARCH;
1694 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1695 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1696 if (rc)
1697 return rc;
1698
1699 switch (kind) {
1700 case MAY_LINK:
1701 av = FILE__LINK;
1702 break;
1703 case MAY_UNLINK:
1704 av = FILE__UNLINK;
1705 break;
1706 case MAY_RMDIR:
1707 av = DIR__RMDIR;
1708 break;
1709 default:
1710 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1711 __func__, kind);
1712 return 0;
1713 }
1714
1715 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1716 return rc;
1717}
1718
1719static inline int may_rename(struct inode *old_dir,
1720 struct dentry *old_dentry,
1721 struct inode *new_dir,
1722 struct dentry *new_dentry)
1723{
1724 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1725 struct common_audit_data ad;
1726 struct selinux_audit_data sad = {0,};
1727 u32 sid = current_sid();
1728 u32 av;
1729 int old_is_dir, new_is_dir;
1730 int rc;
1731
1732 old_dsec = old_dir->i_security;
1733 old_isec = old_dentry->d_inode->i_security;
1734 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1735 new_dsec = new_dir->i_security;
1736
1737 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1738 ad.selinux_audit_data = &sad;
1739
1740 ad.u.dentry = old_dentry;
1741 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1742 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1743 if (rc)
1744 return rc;
1745 rc = avc_has_perm(sid, old_isec->sid,
1746 old_isec->sclass, FILE__RENAME, &ad);
1747 if (rc)
1748 return rc;
1749 if (old_is_dir && new_dir != old_dir) {
1750 rc = avc_has_perm(sid, old_isec->sid,
1751 old_isec->sclass, DIR__REPARENT, &ad);
1752 if (rc)
1753 return rc;
1754 }
1755
1756 ad.u.dentry = new_dentry;
1757 av = DIR__ADD_NAME | DIR__SEARCH;
1758 if (new_dentry->d_inode)
1759 av |= DIR__REMOVE_NAME;
1760 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1761 if (rc)
1762 return rc;
1763 if (new_dentry->d_inode) {
1764 new_isec = new_dentry->d_inode->i_security;
1765 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1766 rc = avc_has_perm(sid, new_isec->sid,
1767 new_isec->sclass,
1768 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1769 if (rc)
1770 return rc;
1771 }
1772
1773 return 0;
1774}
1775
1776/* Check whether a task can perform a filesystem operation. */
1777static int superblock_has_perm(const struct cred *cred,
1778 struct super_block *sb,
1779 u32 perms,
1780 struct common_audit_data *ad)
1781{
1782 struct superblock_security_struct *sbsec;
1783 u32 sid = cred_sid(cred);
1784
1785 sbsec = sb->s_security;
1786 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1787}
1788
1789/* Convert a Linux mode and permission mask to an access vector. */
1790static inline u32 file_mask_to_av(int mode, int mask)
1791{
1792 u32 av = 0;
1793
1794 if (!S_ISDIR(mode)) {
1795 if (mask & MAY_EXEC)
1796 av |= FILE__EXECUTE;
1797 if (mask & MAY_READ)
1798 av |= FILE__READ;
1799
1800 if (mask & MAY_APPEND)
1801 av |= FILE__APPEND;
1802 else if (mask & MAY_WRITE)
1803 av |= FILE__WRITE;
1804
1805 } else {
1806 if (mask & MAY_EXEC)
1807 av |= DIR__SEARCH;
1808 if (mask & MAY_WRITE)
1809 av |= DIR__WRITE;
1810 if (mask & MAY_READ)
1811 av |= DIR__READ;
1812 }
1813
1814 return av;
1815}
1816
1817/* Convert a Linux file to an access vector. */
1818static inline u32 file_to_av(struct file *file)
1819{
1820 u32 av = 0;
1821
1822 if (file->f_mode & FMODE_READ)
1823 av |= FILE__READ;
1824 if (file->f_mode & FMODE_WRITE) {
1825 if (file->f_flags & O_APPEND)
1826 av |= FILE__APPEND;
1827 else
1828 av |= FILE__WRITE;
1829 }
1830 if (!av) {
1831 /*
1832 * Special file opened with flags 3 for ioctl-only use.
1833 */
1834 av = FILE__IOCTL;
1835 }
1836
1837 return av;
1838}
1839
1840/*
1841 * Convert a file to an access vector and include the correct open
1842 * open permission.
1843 */
1844static inline u32 open_file_to_av(struct file *file)
1845{
1846 u32 av = file_to_av(file);
1847
1848 if (selinux_policycap_openperm)
1849 av |= FILE__OPEN;
1850
1851 return av;
1852}
1853
1854/* Hook functions begin here. */
1855
1856static int selinux_ptrace_access_check(struct task_struct *child,
1857 unsigned int mode)
1858{
1859 int rc;
1860
1861 rc = cap_ptrace_access_check(child, mode);
1862 if (rc)
1863 return rc;
1864
1865 if (mode & PTRACE_MODE_READ) {
1866 u32 sid = current_sid();
1867 u32 csid = task_sid(child);
1868 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1869 }
1870
1871 return current_has_perm(child, PROCESS__PTRACE);
1872}
1873
1874static int selinux_ptrace_traceme(struct task_struct *parent)
1875{
1876 int rc;
1877
1878 rc = cap_ptrace_traceme(parent);
1879 if (rc)
1880 return rc;
1881
1882 return task_has_perm(parent, current, PROCESS__PTRACE);
1883}
1884
1885static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1886 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1887{
1888 int error;
1889
1890 error = current_has_perm(target, PROCESS__GETCAP);
1891 if (error)
1892 return error;
1893
1894 return cap_capget(target, effective, inheritable, permitted);
1895}
1896
1897static int selinux_capset(struct cred *new, const struct cred *old,
1898 const kernel_cap_t *effective,
1899 const kernel_cap_t *inheritable,
1900 const kernel_cap_t *permitted)
1901{
1902 int error;
1903
1904 error = cap_capset(new, old,
1905 effective, inheritable, permitted);
1906 if (error)
1907 return error;
1908
1909 return cred_has_perm(old, new, PROCESS__SETCAP);
1910}
1911
1912/*
1913 * (This comment used to live with the selinux_task_setuid hook,
1914 * which was removed).
1915 *
1916 * Since setuid only affects the current process, and since the SELinux
1917 * controls are not based on the Linux identity attributes, SELinux does not
1918 * need to control this operation. However, SELinux does control the use of
1919 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1920 */
1921
1922static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1923 int cap, int audit)
1924{
1925 int rc;
1926
1927 rc = cap_capable(cred, ns, cap, audit);
1928 if (rc)
1929 return rc;
1930
1931 return cred_has_capability(cred, cap, audit);
1932}
1933
1934static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1935{
1936 const struct cred *cred = current_cred();
1937 int rc = 0;
1938
1939 if (!sb)
1940 return 0;
1941
1942 switch (cmds) {
1943 case Q_SYNC:
1944 case Q_QUOTAON:
1945 case Q_QUOTAOFF:
1946 case Q_SETINFO:
1947 case Q_SETQUOTA:
1948 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1949 break;
1950 case Q_GETFMT:
1951 case Q_GETINFO:
1952 case Q_GETQUOTA:
1953 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1954 break;
1955 default:
1956 rc = 0; /* let the kernel handle invalid cmds */
1957 break;
1958 }
1959 return rc;
1960}
1961
1962static int selinux_quota_on(struct dentry *dentry)
1963{
1964 const struct cred *cred = current_cred();
1965
1966 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1967}
1968
1969static int selinux_syslog(int type)
1970{
1971 int rc;
1972
1973 switch (type) {
1974 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1975 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1976 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1977 break;
1978 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1979 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1980 /* Set level of messages printed to console */
1981 case SYSLOG_ACTION_CONSOLE_LEVEL:
1982 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1983 break;
1984 case SYSLOG_ACTION_CLOSE: /* Close log */
1985 case SYSLOG_ACTION_OPEN: /* Open log */
1986 case SYSLOG_ACTION_READ: /* Read from log */
1987 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1988 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1989 default:
1990 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1991 break;
1992 }
1993 return rc;
1994}
1995
1996/*
1997 * Check that a process has enough memory to allocate a new virtual
1998 * mapping. 0 means there is enough memory for the allocation to
1999 * succeed and -ENOMEM implies there is not.
2000 *
2001 * Do not audit the selinux permission check, as this is applied to all
2002 * processes that allocate mappings.
2003 */
2004static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2005{
2006 int rc, cap_sys_admin = 0;
2007
2008 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2009 SECURITY_CAP_NOAUDIT);
2010 if (rc == 0)
2011 cap_sys_admin = 1;
2012
2013 return __vm_enough_memory(mm, pages, cap_sys_admin);
2014}
2015
2016/* binprm security operations */
2017
2018static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2019{
2020 const struct task_security_struct *old_tsec;
2021 struct task_security_struct *new_tsec;
2022 struct inode_security_struct *isec;
2023 struct common_audit_data ad;
2024 struct selinux_audit_data sad = {0,};
2025 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2026 int rc;
2027
2028 rc = cap_bprm_set_creds(bprm);
2029 if (rc)
2030 return rc;
2031
2032 /* SELinux context only depends on initial program or script and not
2033 * the script interpreter */
2034 if (bprm->cred_prepared)
2035 return 0;
2036
2037 old_tsec = current_security();
2038 new_tsec = bprm->cred->security;
2039 isec = inode->i_security;
2040
2041 /* Default to the current task SID. */
2042 new_tsec->sid = old_tsec->sid;
2043 new_tsec->osid = old_tsec->sid;
2044
2045 /* Reset fs, key, and sock SIDs on execve. */
2046 new_tsec->create_sid = 0;
2047 new_tsec->keycreate_sid = 0;
2048 new_tsec->sockcreate_sid = 0;
2049
2050 if (old_tsec->exec_sid) {
2051 new_tsec->sid = old_tsec->exec_sid;
2052 /* Reset exec SID on execve. */
2053 new_tsec->exec_sid = 0;
2054 } else {
2055 /* Check for a default transition on this program. */
2056 rc = security_transition_sid(old_tsec->sid, isec->sid,
2057 SECCLASS_PROCESS, NULL,
2058 &new_tsec->sid);
2059 if (rc)
2060 return rc;
2061 }
2062
2063 COMMON_AUDIT_DATA_INIT(&ad, PATH);
2064 ad.selinux_audit_data = &sad;
2065 ad.u.path = bprm->file->f_path;
2066
2067 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2068 new_tsec->sid = old_tsec->sid;
2069
2070 if (new_tsec->sid == old_tsec->sid) {
2071 rc = avc_has_perm(old_tsec->sid, isec->sid,
2072 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2073 if (rc)
2074 return rc;
2075 } else {
2076 /* Check permissions for the transition. */
2077 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2078 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2079 if (rc)
2080 return rc;
2081
2082 rc = avc_has_perm(new_tsec->sid, isec->sid,
2083 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2084 if (rc)
2085 return rc;
2086
2087 /* Check for shared state */
2088 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2089 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2090 SECCLASS_PROCESS, PROCESS__SHARE,
2091 NULL);
2092 if (rc)
2093 return -EPERM;
2094 }
2095
2096 /* Make sure that anyone attempting to ptrace over a task that
2097 * changes its SID has the appropriate permit */
2098 if (bprm->unsafe &
2099 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2100 struct task_struct *tracer;
2101 struct task_security_struct *sec;
2102 u32 ptsid = 0;
2103
2104 rcu_read_lock();
2105 tracer = ptrace_parent(current);
2106 if (likely(tracer != NULL)) {
2107 sec = __task_cred(tracer)->security;
2108 ptsid = sec->sid;
2109 }
2110 rcu_read_unlock();
2111
2112 if (ptsid != 0) {
2113 rc = avc_has_perm(ptsid, new_tsec->sid,
2114 SECCLASS_PROCESS,
2115 PROCESS__PTRACE, NULL);
2116 if (rc)
2117 return -EPERM;
2118 }
2119 }
2120
2121 /* Clear any possibly unsafe personality bits on exec: */
2122 bprm->per_clear |= PER_CLEAR_ON_SETID;
2123 }
2124
2125 return 0;
2126}
2127
2128static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2129{
2130 const struct task_security_struct *tsec = current_security();
2131 u32 sid, osid;
2132 int atsecure = 0;
2133
2134 sid = tsec->sid;
2135 osid = tsec->osid;
2136
2137 if (osid != sid) {
2138 /* Enable secure mode for SIDs transitions unless
2139 the noatsecure permission is granted between
2140 the two SIDs, i.e. ahp returns 0. */
2141 atsecure = avc_has_perm(osid, sid,
2142 SECCLASS_PROCESS,
2143 PROCESS__NOATSECURE, NULL);
2144 }
2145
2146 return (atsecure || cap_bprm_secureexec(bprm));
2147}
2148
2149/* Derived from fs/exec.c:flush_old_files. */
2150static inline void flush_unauthorized_files(const struct cred *cred,
2151 struct files_struct *files)
2152{
2153 struct common_audit_data ad;
2154 struct selinux_audit_data sad = {0,};
2155 struct file *file, *devnull = NULL;
2156 struct tty_struct *tty;
2157 struct fdtable *fdt;
2158 long j = -1;
2159 int drop_tty = 0;
2160
2161 tty = get_current_tty();
2162 if (tty) {
2163 spin_lock(&tty_files_lock);
2164 if (!list_empty(&tty->tty_files)) {
2165 struct tty_file_private *file_priv;
2166 struct inode *inode;
2167
2168 /* Revalidate access to controlling tty.
2169 Use inode_has_perm on the tty inode directly rather
2170 than using file_has_perm, as this particular open
2171 file may belong to another process and we are only
2172 interested in the inode-based check here. */
2173 file_priv = list_first_entry(&tty->tty_files,
2174 struct tty_file_private, list);
2175 file = file_priv->file;
2176 inode = file->f_path.dentry->d_inode;
2177 if (inode_has_perm_noadp(cred, inode,
2178 FILE__READ | FILE__WRITE, 0)) {
2179 drop_tty = 1;
2180 }
2181 }
2182 spin_unlock(&tty_files_lock);
2183 tty_kref_put(tty);
2184 }
2185 /* Reset controlling tty. */
2186 if (drop_tty)
2187 no_tty();
2188
2189 /* Revalidate access to inherited open files. */
2190
2191 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2192 ad.selinux_audit_data = &sad;
2193
2194 spin_lock(&files->file_lock);
2195 for (;;) {
2196 unsigned long set, i;
2197 int fd;
2198
2199 j++;
2200 i = j * BITS_PER_LONG;
2201 fdt = files_fdtable(files);
2202 if (i >= fdt->max_fds)
2203 break;
2204 set = fdt->open_fds[j];
2205 if (!set)
2206 continue;
2207 spin_unlock(&files->file_lock);
2208 for ( ; set ; i++, set >>= 1) {
2209 if (set & 1) {
2210 file = fget(i);
2211 if (!file)
2212 continue;
2213 if (file_has_perm(cred,
2214 file,
2215 file_to_av(file))) {
2216 sys_close(i);
2217 fd = get_unused_fd();
2218 if (fd != i) {
2219 if (fd >= 0)
2220 put_unused_fd(fd);
2221 fput(file);
2222 continue;
2223 }
2224 if (devnull) {
2225 get_file(devnull);
2226 } else {
2227 devnull = dentry_open(
2228 dget(selinux_null),
2229 mntget(selinuxfs_mount),
2230 O_RDWR, cred);
2231 if (IS_ERR(devnull)) {
2232 devnull = NULL;
2233 put_unused_fd(fd);
2234 fput(file);
2235 continue;
2236 }
2237 }
2238 fd_install(fd, devnull);
2239 }
2240 fput(file);
2241 }
2242 }
2243 spin_lock(&files->file_lock);
2244
2245 }
2246 spin_unlock(&files->file_lock);
2247}
2248
2249/*
2250 * Prepare a process for imminent new credential changes due to exec
2251 */
2252static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2253{
2254 struct task_security_struct *new_tsec;
2255 struct rlimit *rlim, *initrlim;
2256 int rc, i;
2257
2258 new_tsec = bprm->cred->security;
2259 if (new_tsec->sid == new_tsec->osid)
2260 return;
2261
2262 /* Close files for which the new task SID is not authorized. */
2263 flush_unauthorized_files(bprm->cred, current->files);
2264
2265 /* Always clear parent death signal on SID transitions. */
2266 current->pdeath_signal = 0;
2267
2268 /* Check whether the new SID can inherit resource limits from the old
2269 * SID. If not, reset all soft limits to the lower of the current
2270 * task's hard limit and the init task's soft limit.
2271 *
2272 * Note that the setting of hard limits (even to lower them) can be
2273 * controlled by the setrlimit check. The inclusion of the init task's
2274 * soft limit into the computation is to avoid resetting soft limits
2275 * higher than the default soft limit for cases where the default is
2276 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2277 */
2278 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2279 PROCESS__RLIMITINH, NULL);
2280 if (rc) {
2281 /* protect against do_prlimit() */
2282 task_lock(current);
2283 for (i = 0; i < RLIM_NLIMITS; i++) {
2284 rlim = current->signal->rlim + i;
2285 initrlim = init_task.signal->rlim + i;
2286 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2287 }
2288 task_unlock(current);
2289 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2290 }
2291}
2292
2293/*
2294 * Clean up the process immediately after the installation of new credentials
2295 * due to exec
2296 */
2297static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2298{
2299 const struct task_security_struct *tsec = current_security();
2300 struct itimerval itimer;
2301 u32 osid, sid;
2302 int rc, i;
2303
2304 osid = tsec->osid;
2305 sid = tsec->sid;
2306
2307 if (sid == osid)
2308 return;
2309
2310 /* Check whether the new SID can inherit signal state from the old SID.
2311 * If not, clear itimers to avoid subsequent signal generation and
2312 * flush and unblock signals.
2313 *
2314 * This must occur _after_ the task SID has been updated so that any
2315 * kill done after the flush will be checked against the new SID.
2316 */
2317 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2318 if (rc) {
2319 memset(&itimer, 0, sizeof itimer);
2320 for (i = 0; i < 3; i++)
2321 do_setitimer(i, &itimer, NULL);
2322 spin_lock_irq(&current->sighand->siglock);
2323 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2324 __flush_signals(current);
2325 flush_signal_handlers(current, 1);
2326 sigemptyset(&current->blocked);
2327 }
2328 spin_unlock_irq(&current->sighand->siglock);
2329 }
2330
2331 /* Wake up the parent if it is waiting so that it can recheck
2332 * wait permission to the new task SID. */
2333 read_lock(&tasklist_lock);
2334 __wake_up_parent(current, current->real_parent);
2335 read_unlock(&tasklist_lock);
2336}
2337
2338/* superblock security operations */
2339
2340static int selinux_sb_alloc_security(struct super_block *sb)
2341{
2342 return superblock_alloc_security(sb);
2343}
2344
2345static void selinux_sb_free_security(struct super_block *sb)
2346{
2347 superblock_free_security(sb);
2348}
2349
2350static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2351{
2352 if (plen > olen)
2353 return 0;
2354
2355 return !memcmp(prefix, option, plen);
2356}
2357
2358static inline int selinux_option(char *option, int len)
2359{
2360 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2361 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2362 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2363 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2364 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2365}
2366
2367static inline void take_option(char **to, char *from, int *first, int len)
2368{
2369 if (!*first) {
2370 **to = ',';
2371 *to += 1;
2372 } else
2373 *first = 0;
2374 memcpy(*to, from, len);
2375 *to += len;
2376}
2377
2378static inline void take_selinux_option(char **to, char *from, int *first,
2379 int len)
2380{
2381 int current_size = 0;
2382
2383 if (!*first) {
2384 **to = '|';
2385 *to += 1;
2386 } else
2387 *first = 0;
2388
2389 while (current_size < len) {
2390 if (*from != '"') {
2391 **to = *from;
2392 *to += 1;
2393 }
2394 from += 1;
2395 current_size += 1;
2396 }
2397}
2398
2399static int selinux_sb_copy_data(char *orig, char *copy)
2400{
2401 int fnosec, fsec, rc = 0;
2402 char *in_save, *in_curr, *in_end;
2403 char *sec_curr, *nosec_save, *nosec;
2404 int open_quote = 0;
2405
2406 in_curr = orig;
2407 sec_curr = copy;
2408
2409 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2410 if (!nosec) {
2411 rc = -ENOMEM;
2412 goto out;
2413 }
2414
2415 nosec_save = nosec;
2416 fnosec = fsec = 1;
2417 in_save = in_end = orig;
2418
2419 do {
2420 if (*in_end == '"')
2421 open_quote = !open_quote;
2422 if ((*in_end == ',' && open_quote == 0) ||
2423 *in_end == '\0') {
2424 int len = in_end - in_curr;
2425
2426 if (selinux_option(in_curr, len))
2427 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2428 else
2429 take_option(&nosec, in_curr, &fnosec, len);
2430
2431 in_curr = in_end + 1;
2432 }
2433 } while (*in_end++);
2434
2435 strcpy(in_save, nosec_save);
2436 free_page((unsigned long)nosec_save);
2437out:
2438 return rc;
2439}
2440
2441static int selinux_sb_remount(struct super_block *sb, void *data)
2442{
2443 int rc, i, *flags;
2444 struct security_mnt_opts opts;
2445 char *secdata, **mount_options;
2446 struct superblock_security_struct *sbsec = sb->s_security;
2447
2448 if (!(sbsec->flags & SE_SBINITIALIZED))
2449 return 0;
2450
2451 if (!data)
2452 return 0;
2453
2454 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2455 return 0;
2456
2457 security_init_mnt_opts(&opts);
2458 secdata = alloc_secdata();
2459 if (!secdata)
2460 return -ENOMEM;
2461 rc = selinux_sb_copy_data(data, secdata);
2462 if (rc)
2463 goto out_free_secdata;
2464
2465 rc = selinux_parse_opts_str(secdata, &opts);
2466 if (rc)
2467 goto out_free_secdata;
2468
2469 mount_options = opts.mnt_opts;
2470 flags = opts.mnt_opts_flags;
2471
2472 for (i = 0; i < opts.num_mnt_opts; i++) {
2473 u32 sid;
2474 size_t len;
2475
2476 if (flags[i] == SE_SBLABELSUPP)
2477 continue;
2478 len = strlen(mount_options[i]);
2479 rc = security_context_to_sid(mount_options[i], len, &sid);
2480 if (rc) {
2481 printk(KERN_WARNING "SELinux: security_context_to_sid"
2482 "(%s) failed for (dev %s, type %s) errno=%d\n",
2483 mount_options[i], sb->s_id, sb->s_type->name, rc);
2484 goto out_free_opts;
2485 }
2486 rc = -EINVAL;
2487 switch (flags[i]) {
2488 case FSCONTEXT_MNT:
2489 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2490 goto out_bad_option;
2491 break;
2492 case CONTEXT_MNT:
2493 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2494 goto out_bad_option;
2495 break;
2496 case ROOTCONTEXT_MNT: {
2497 struct inode_security_struct *root_isec;
2498 root_isec = sb->s_root->d_inode->i_security;
2499
2500 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2501 goto out_bad_option;
2502 break;
2503 }
2504 case DEFCONTEXT_MNT:
2505 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2506 goto out_bad_option;
2507 break;
2508 default:
2509 goto out_free_opts;
2510 }
2511 }
2512
2513 rc = 0;
2514out_free_opts:
2515 security_free_mnt_opts(&opts);
2516out_free_secdata:
2517 free_secdata(secdata);
2518 return rc;
2519out_bad_option:
2520 printk(KERN_WARNING "SELinux: unable to change security options "
2521 "during remount (dev %s, type=%s)\n", sb->s_id,
2522 sb->s_type->name);
2523 goto out_free_opts;
2524}
2525
2526static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2527{
2528 const struct cred *cred = current_cred();
2529 struct common_audit_data ad;
2530 struct selinux_audit_data sad = {0,};
2531 int rc;
2532
2533 rc = superblock_doinit(sb, data);
2534 if (rc)
2535 return rc;
2536
2537 /* Allow all mounts performed by the kernel */
2538 if (flags & MS_KERNMOUNT)
2539 return 0;
2540
2541 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2542 ad.selinux_audit_data = &sad;
2543 ad.u.dentry = sb->s_root;
2544 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2545}
2546
2547static int selinux_sb_statfs(struct dentry *dentry)
2548{
2549 const struct cred *cred = current_cred();
2550 struct common_audit_data ad;
2551 struct selinux_audit_data sad = {0,};
2552
2553 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2554 ad.selinux_audit_data = &sad;
2555 ad.u.dentry = dentry->d_sb->s_root;
2556 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2557}
2558
2559static int selinux_mount(char *dev_name,
2560 struct path *path,
2561 char *type,
2562 unsigned long flags,
2563 void *data)
2564{
2565 const struct cred *cred = current_cred();
2566
2567 if (flags & MS_REMOUNT)
2568 return superblock_has_perm(cred, path->dentry->d_sb,
2569 FILESYSTEM__REMOUNT, NULL);
2570 else
2571 return path_has_perm(cred, path, FILE__MOUNTON);
2572}
2573
2574static int selinux_umount(struct vfsmount *mnt, int flags)
2575{
2576 const struct cred *cred = current_cred();
2577
2578 return superblock_has_perm(cred, mnt->mnt_sb,
2579 FILESYSTEM__UNMOUNT, NULL);
2580}
2581
2582/* inode security operations */
2583
2584static int selinux_inode_alloc_security(struct inode *inode)
2585{
2586 return inode_alloc_security(inode);
2587}
2588
2589static void selinux_inode_free_security(struct inode *inode)
2590{
2591 inode_free_security(inode);
2592}
2593
2594static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2595 const struct qstr *qstr, char **name,
2596 void **value, size_t *len)
2597{
2598 const struct task_security_struct *tsec = current_security();
2599 struct inode_security_struct *dsec;
2600 struct superblock_security_struct *sbsec;
2601 u32 sid, newsid, clen;
2602 int rc;
2603 char *namep = NULL, *context;
2604
2605 dsec = dir->i_security;
2606 sbsec = dir->i_sb->s_security;
2607
2608 sid = tsec->sid;
2609 newsid = tsec->create_sid;
2610
2611 if ((sbsec->flags & SE_SBINITIALIZED) &&
2612 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2613 newsid = sbsec->mntpoint_sid;
2614 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2615 rc = security_transition_sid(sid, dsec->sid,
2616 inode_mode_to_security_class(inode->i_mode),
2617 qstr, &newsid);
2618 if (rc) {
2619 printk(KERN_WARNING "%s: "
2620 "security_transition_sid failed, rc=%d (dev=%s "
2621 "ino=%ld)\n",
2622 __func__,
2623 -rc, inode->i_sb->s_id, inode->i_ino);
2624 return rc;
2625 }
2626 }
2627
2628 /* Possibly defer initialization to selinux_complete_init. */
2629 if (sbsec->flags & SE_SBINITIALIZED) {
2630 struct inode_security_struct *isec = inode->i_security;
2631 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2632 isec->sid = newsid;
2633 isec->initialized = 1;
2634 }
2635
2636 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2637 return -EOPNOTSUPP;
2638
2639 if (name) {
2640 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2641 if (!namep)
2642 return -ENOMEM;
2643 *name = namep;
2644 }
2645
2646 if (value && len) {
2647 rc = security_sid_to_context_force(newsid, &context, &clen);
2648 if (rc) {
2649 kfree(namep);
2650 return rc;
2651 }
2652 *value = context;
2653 *len = clen;
2654 }
2655
2656 return 0;
2657}
2658
2659static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2660{
2661 return may_create(dir, dentry, SECCLASS_FILE);
2662}
2663
2664static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2665{
2666 return may_link(dir, old_dentry, MAY_LINK);
2667}
2668
2669static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2670{
2671 return may_link(dir, dentry, MAY_UNLINK);
2672}
2673
2674static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2675{
2676 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2677}
2678
2679static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2680{
2681 return may_create(dir, dentry, SECCLASS_DIR);
2682}
2683
2684static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2685{
2686 return may_link(dir, dentry, MAY_RMDIR);
2687}
2688
2689static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2690{
2691 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2692}
2693
2694static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2695 struct inode *new_inode, struct dentry *new_dentry)
2696{
2697 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2698}
2699
2700static int selinux_inode_readlink(struct dentry *dentry)
2701{
2702 const struct cred *cred = current_cred();
2703
2704 return dentry_has_perm(cred, dentry, FILE__READ);
2705}
2706
2707static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2708{
2709 const struct cred *cred = current_cred();
2710
2711 return dentry_has_perm(cred, dentry, FILE__READ);
2712}
2713
2714static int selinux_inode_permission(struct inode *inode, int mask)
2715{
2716 const struct cred *cred = current_cred();
2717 struct common_audit_data ad;
2718 struct selinux_audit_data sad = {0,};
2719 u32 perms;
2720 bool from_access;
2721 unsigned flags = mask & MAY_NOT_BLOCK;
2722
2723 from_access = mask & MAY_ACCESS;
2724 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2725
2726 /* No permission to check. Existence test. */
2727 if (!mask)
2728 return 0;
2729
2730 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2731 ad.selinux_audit_data = &sad;
2732 ad.u.inode = inode;
2733
2734 if (from_access)
2735 ad.selinux_audit_data->auditdeny |= FILE__AUDIT_ACCESS;
2736
2737 perms = file_mask_to_av(inode->i_mode, mask);
2738
2739 return inode_has_perm(cred, inode, perms, &ad, flags);
2740}
2741
2742static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2743{
2744 const struct cred *cred = current_cred();
2745 unsigned int ia_valid = iattr->ia_valid;
2746
2747 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2748 if (ia_valid & ATTR_FORCE) {
2749 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2750 ATTR_FORCE);
2751 if (!ia_valid)
2752 return 0;
2753 }
2754
2755 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2756 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2757 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2758
2759 return dentry_has_perm(cred, dentry, FILE__WRITE);
2760}
2761
2762static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2763{
2764 const struct cred *cred = current_cred();
2765 struct path path;
2766
2767 path.dentry = dentry;
2768 path.mnt = mnt;
2769
2770 return path_has_perm(cred, &path, FILE__GETATTR);
2771}
2772
2773static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2774{
2775 const struct cred *cred = current_cred();
2776
2777 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2778 sizeof XATTR_SECURITY_PREFIX - 1)) {
2779 if (!strcmp(name, XATTR_NAME_CAPS)) {
2780 if (!capable(CAP_SETFCAP))
2781 return -EPERM;
2782 } else if (!capable(CAP_SYS_ADMIN)) {
2783 /* A different attribute in the security namespace.
2784 Restrict to administrator. */
2785 return -EPERM;
2786 }
2787 }
2788
2789 /* Not an attribute we recognize, so just check the
2790 ordinary setattr permission. */
2791 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2792}
2793
2794static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2795 const void *value, size_t size, int flags)
2796{
2797 struct inode *inode = dentry->d_inode;
2798 struct inode_security_struct *isec = inode->i_security;
2799 struct superblock_security_struct *sbsec;
2800 struct common_audit_data ad;
2801 struct selinux_audit_data sad = {0,};
2802 u32 newsid, sid = current_sid();
2803 int rc = 0;
2804
2805 if (strcmp(name, XATTR_NAME_SELINUX))
2806 return selinux_inode_setotherxattr(dentry, name);
2807
2808 sbsec = inode->i_sb->s_security;
2809 if (!(sbsec->flags & SE_SBLABELSUPP))
2810 return -EOPNOTSUPP;
2811
2812 if (!inode_owner_or_capable(inode))
2813 return -EPERM;
2814
2815 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2816 ad.selinux_audit_data = &sad;
2817 ad.u.dentry = dentry;
2818
2819 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2820 FILE__RELABELFROM, &ad);
2821 if (rc)
2822 return rc;
2823
2824 rc = security_context_to_sid(value, size, &newsid);
2825 if (rc == -EINVAL) {
2826 if (!capable(CAP_MAC_ADMIN))
2827 return rc;
2828 rc = security_context_to_sid_force(value, size, &newsid);
2829 }
2830 if (rc)
2831 return rc;
2832
2833 rc = avc_has_perm(sid, newsid, isec->sclass,
2834 FILE__RELABELTO, &ad);
2835 if (rc)
2836 return rc;
2837
2838 rc = security_validate_transition(isec->sid, newsid, sid,
2839 isec->sclass);
2840 if (rc)
2841 return rc;
2842
2843 return avc_has_perm(newsid,
2844 sbsec->sid,
2845 SECCLASS_FILESYSTEM,
2846 FILESYSTEM__ASSOCIATE,
2847 &ad);
2848}
2849
2850static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2851 const void *value, size_t size,
2852 int flags)
2853{
2854 struct inode *inode = dentry->d_inode;
2855 struct inode_security_struct *isec = inode->i_security;
2856 u32 newsid;
2857 int rc;
2858
2859 if (strcmp(name, XATTR_NAME_SELINUX)) {
2860 /* Not an attribute we recognize, so nothing to do. */
2861 return;
2862 }
2863
2864 rc = security_context_to_sid_force(value, size, &newsid);
2865 if (rc) {
2866 printk(KERN_ERR "SELinux: unable to map context to SID"
2867 "for (%s, %lu), rc=%d\n",
2868 inode->i_sb->s_id, inode->i_ino, -rc);
2869 return;
2870 }
2871
2872 isec->sid = newsid;
2873 return;
2874}
2875
2876static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2877{
2878 const struct cred *cred = current_cred();
2879
2880 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2881}
2882
2883static int selinux_inode_listxattr(struct dentry *dentry)
2884{
2885 const struct cred *cred = current_cred();
2886
2887 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2888}
2889
2890static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2891{
2892 if (strcmp(name, XATTR_NAME_SELINUX))
2893 return selinux_inode_setotherxattr(dentry, name);
2894
2895 /* No one is allowed to remove a SELinux security label.
2896 You can change the label, but all data must be labeled. */
2897 return -EACCES;
2898}
2899
2900/*
2901 * Copy the inode security context value to the user.
2902 *
2903 * Permission check is handled by selinux_inode_getxattr hook.
2904 */
2905static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2906{
2907 u32 size;
2908 int error;
2909 char *context = NULL;
2910 struct inode_security_struct *isec = inode->i_security;
2911
2912 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2913 return -EOPNOTSUPP;
2914
2915 /*
2916 * If the caller has CAP_MAC_ADMIN, then get the raw context
2917 * value even if it is not defined by current policy; otherwise,
2918 * use the in-core value under current policy.
2919 * Use the non-auditing forms of the permission checks since
2920 * getxattr may be called by unprivileged processes commonly
2921 * and lack of permission just means that we fall back to the
2922 * in-core context value, not a denial.
2923 */
2924 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2925 SECURITY_CAP_NOAUDIT);
2926 if (!error)
2927 error = security_sid_to_context_force(isec->sid, &context,
2928 &size);
2929 else
2930 error = security_sid_to_context(isec->sid, &context, &size);
2931 if (error)
2932 return error;
2933 error = size;
2934 if (alloc) {
2935 *buffer = context;
2936 goto out_nofree;
2937 }
2938 kfree(context);
2939out_nofree:
2940 return error;
2941}
2942
2943static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2944 const void *value, size_t size, int flags)
2945{
2946 struct inode_security_struct *isec = inode->i_security;
2947 u32 newsid;
2948 int rc;
2949
2950 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2951 return -EOPNOTSUPP;
2952
2953 if (!value || !size)
2954 return -EACCES;
2955
2956 rc = security_context_to_sid((void *)value, size, &newsid);
2957 if (rc)
2958 return rc;
2959
2960 isec->sid = newsid;
2961 isec->initialized = 1;
2962 return 0;
2963}
2964
2965static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2966{
2967 const int len = sizeof(XATTR_NAME_SELINUX);
2968 if (buffer && len <= buffer_size)
2969 memcpy(buffer, XATTR_NAME_SELINUX, len);
2970 return len;
2971}
2972
2973static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2974{
2975 struct inode_security_struct *isec = inode->i_security;
2976 *secid = isec->sid;
2977}
2978
2979/* file security operations */
2980
2981static int selinux_revalidate_file_permission(struct file *file, int mask)
2982{
2983 const struct cred *cred = current_cred();
2984 struct inode *inode = file->f_path.dentry->d_inode;
2985
2986 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2987 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2988 mask |= MAY_APPEND;
2989
2990 return file_has_perm(cred, file,
2991 file_mask_to_av(inode->i_mode, mask));
2992}
2993
2994static int selinux_file_permission(struct file *file, int mask)
2995{
2996 struct inode *inode = file->f_path.dentry->d_inode;
2997 struct file_security_struct *fsec = file->f_security;
2998 struct inode_security_struct *isec = inode->i_security;
2999 u32 sid = current_sid();
3000
3001 if (!mask)
3002 /* No permission to check. Existence test. */
3003 return 0;
3004
3005 if (sid == fsec->sid && fsec->isid == isec->sid &&
3006 fsec->pseqno == avc_policy_seqno())
3007 /* No change since dentry_open check. */
3008 return 0;
3009
3010 return selinux_revalidate_file_permission(file, mask);
3011}
3012
3013static int selinux_file_alloc_security(struct file *file)
3014{
3015 return file_alloc_security(file);
3016}
3017
3018static void selinux_file_free_security(struct file *file)
3019{
3020 file_free_security(file);
3021}
3022
3023static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3024 unsigned long arg)
3025{
3026 const struct cred *cred = current_cred();
3027 int error = 0;
3028
3029 switch (cmd) {
3030 case FIONREAD:
3031 /* fall through */
3032 case FIBMAP:
3033 /* fall through */
3034 case FIGETBSZ:
3035 /* fall through */
3036 case FS_IOC_GETFLAGS:
3037 /* fall through */
3038 case FS_IOC_GETVERSION:
3039 error = file_has_perm(cred, file, FILE__GETATTR);
3040 break;
3041
3042 case FS_IOC_SETFLAGS:
3043 /* fall through */
3044 case FS_IOC_SETVERSION:
3045 error = file_has_perm(cred, file, FILE__SETATTR);
3046 break;
3047
3048 /* sys_ioctl() checks */
3049 case FIONBIO:
3050 /* fall through */
3051 case FIOASYNC:
3052 error = file_has_perm(cred, file, 0);
3053 break;
3054
3055 case KDSKBENT:
3056 case KDSKBSENT:
3057 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3058 SECURITY_CAP_AUDIT);
3059 break;
3060
3061 /* default case assumes that the command will go
3062 * to the file's ioctl() function.
3063 */
3064 default:
3065 error = file_has_perm(cred, file, FILE__IOCTL);
3066 }
3067 return error;
3068}
3069
3070static int default_noexec;
3071
3072static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3073{
3074 const struct cred *cred = current_cred();
3075 int rc = 0;
3076
3077 if (default_noexec &&
3078 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3079 /*
3080 * We are making executable an anonymous mapping or a
3081 * private file mapping that will also be writable.
3082 * This has an additional check.
3083 */
3084 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3085 if (rc)
3086 goto error;
3087 }
3088
3089 if (file) {
3090 /* read access is always possible with a mapping */
3091 u32 av = FILE__READ;
3092
3093 /* write access only matters if the mapping is shared */
3094 if (shared && (prot & PROT_WRITE))
3095 av |= FILE__WRITE;
3096
3097 if (prot & PROT_EXEC)
3098 av |= FILE__EXECUTE;
3099
3100 return file_has_perm(cred, file, av);
3101 }
3102
3103error:
3104 return rc;
3105}
3106
3107static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3108 unsigned long prot, unsigned long flags,
3109 unsigned long addr, unsigned long addr_only)
3110{
3111 int rc = 0;
3112 u32 sid = current_sid();
3113
3114 /*
3115 * notice that we are intentionally putting the SELinux check before
3116 * the secondary cap_file_mmap check. This is such a likely attempt
3117 * at bad behaviour/exploit that we always want to get the AVC, even
3118 * if DAC would have also denied the operation.
3119 */
3120 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3121 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3122 MEMPROTECT__MMAP_ZERO, NULL);
3123 if (rc)
3124 return rc;
3125 }
3126
3127 /* do DAC check on address space usage */
3128 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3129 if (rc || addr_only)
3130 return rc;
3131
3132 if (selinux_checkreqprot)
3133 prot = reqprot;
3134
3135 return file_map_prot_check(file, prot,
3136 (flags & MAP_TYPE) == MAP_SHARED);
3137}
3138
3139static int selinux_file_mprotect(struct vm_area_struct *vma,
3140 unsigned long reqprot,
3141 unsigned long prot)
3142{
3143 const struct cred *cred = current_cred();
3144
3145 if (selinux_checkreqprot)
3146 prot = reqprot;
3147
3148 if (default_noexec &&
3149 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3150 int rc = 0;
3151 if (vma->vm_start >= vma->vm_mm->start_brk &&
3152 vma->vm_end <= vma->vm_mm->brk) {
3153 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3154 } else if (!vma->vm_file &&
3155 vma->vm_start <= vma->vm_mm->start_stack &&
3156 vma->vm_end >= vma->vm_mm->start_stack) {
3157 rc = current_has_perm(current, PROCESS__EXECSTACK);
3158 } else if (vma->vm_file && vma->anon_vma) {
3159 /*
3160 * We are making executable a file mapping that has
3161 * had some COW done. Since pages might have been
3162 * written, check ability to execute the possibly
3163 * modified content. This typically should only
3164 * occur for text relocations.
3165 */
3166 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3167 }
3168 if (rc)
3169 return rc;
3170 }
3171
3172 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3173}
3174
3175static int selinux_file_lock(struct file *file, unsigned int cmd)
3176{
3177 const struct cred *cred = current_cred();
3178
3179 return file_has_perm(cred, file, FILE__LOCK);
3180}
3181
3182static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3183 unsigned long arg)
3184{
3185 const struct cred *cred = current_cred();
3186 int err = 0;
3187
3188 switch (cmd) {
3189 case F_SETFL:
3190 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3191 err = -EINVAL;
3192 break;
3193 }
3194
3195 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3196 err = file_has_perm(cred, file, FILE__WRITE);
3197 break;
3198 }
3199 /* fall through */
3200 case F_SETOWN:
3201 case F_SETSIG:
3202 case F_GETFL:
3203 case F_GETOWN:
3204 case F_GETSIG:
3205 /* Just check FD__USE permission */
3206 err = file_has_perm(cred, file, 0);
3207 break;
3208 case F_GETLK:
3209 case F_SETLK:
3210 case F_SETLKW:
3211#if BITS_PER_LONG == 32
3212 case F_GETLK64:
3213 case F_SETLK64:
3214 case F_SETLKW64:
3215#endif
3216 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3217 err = -EINVAL;
3218 break;
3219 }
3220 err = file_has_perm(cred, file, FILE__LOCK);
3221 break;
3222 }
3223
3224 return err;
3225}
3226
3227static int selinux_file_set_fowner(struct file *file)
3228{
3229 struct file_security_struct *fsec;
3230
3231 fsec = file->f_security;
3232 fsec->fown_sid = current_sid();
3233
3234 return 0;
3235}
3236
3237static int selinux_file_send_sigiotask(struct task_struct *tsk,
3238 struct fown_struct *fown, int signum)
3239{
3240 struct file *file;
3241 u32 sid = task_sid(tsk);
3242 u32 perm;
3243 struct file_security_struct *fsec;
3244
3245 /* struct fown_struct is never outside the context of a struct file */
3246 file = container_of(fown, struct file, f_owner);
3247
3248 fsec = file->f_security;
3249
3250 if (!signum)
3251 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3252 else
3253 perm = signal_to_av(signum);
3254
3255 return avc_has_perm(fsec->fown_sid, sid,
3256 SECCLASS_PROCESS, perm, NULL);
3257}
3258
3259static int selinux_file_receive(struct file *file)
3260{
3261 const struct cred *cred = current_cred();
3262
3263 return file_has_perm(cred, file, file_to_av(file));
3264}
3265
3266static int selinux_dentry_open(struct file *file, const struct cred *cred)
3267{
3268 struct file_security_struct *fsec;
3269 struct inode *inode;
3270 struct inode_security_struct *isec;
3271
3272 inode = file->f_path.dentry->d_inode;
3273 fsec = file->f_security;
3274 isec = inode->i_security;
3275 /*
3276 * Save inode label and policy sequence number
3277 * at open-time so that selinux_file_permission
3278 * can determine whether revalidation is necessary.
3279 * Task label is already saved in the file security
3280 * struct as its SID.
3281 */
3282 fsec->isid = isec->sid;
3283 fsec->pseqno = avc_policy_seqno();
3284 /*
3285 * Since the inode label or policy seqno may have changed
3286 * between the selinux_inode_permission check and the saving
3287 * of state above, recheck that access is still permitted.
3288 * Otherwise, access might never be revalidated against the
3289 * new inode label or new policy.
3290 * This check is not redundant - do not remove.
3291 */
3292 return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3293}
3294
3295/* task security operations */
3296
3297static int selinux_task_create(unsigned long clone_flags)
3298{
3299 return current_has_perm(current, PROCESS__FORK);
3300}
3301
3302/*
3303 * allocate the SELinux part of blank credentials
3304 */
3305static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3306{
3307 struct task_security_struct *tsec;
3308
3309 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3310 if (!tsec)
3311 return -ENOMEM;
3312
3313 cred->security = tsec;
3314 return 0;
3315}
3316
3317/*
3318 * detach and free the LSM part of a set of credentials
3319 */
3320static void selinux_cred_free(struct cred *cred)
3321{
3322 struct task_security_struct *tsec = cred->security;
3323
3324 /*
3325 * cred->security == NULL if security_cred_alloc_blank() or
3326 * security_prepare_creds() returned an error.
3327 */
3328 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3329 cred->security = (void *) 0x7UL;
3330 kfree(tsec);
3331}
3332
3333/*
3334 * prepare a new set of credentials for modification
3335 */
3336static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3337 gfp_t gfp)
3338{
3339 const struct task_security_struct *old_tsec;
3340 struct task_security_struct *tsec;
3341
3342 old_tsec = old->security;
3343
3344 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3345 if (!tsec)
3346 return -ENOMEM;
3347
3348 new->security = tsec;
3349 return 0;
3350}
3351
3352/*
3353 * transfer the SELinux data to a blank set of creds
3354 */
3355static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3356{
3357 const struct task_security_struct *old_tsec = old->security;
3358 struct task_security_struct *tsec = new->security;
3359
3360 *tsec = *old_tsec;
3361}
3362
3363/*
3364 * set the security data for a kernel service
3365 * - all the creation contexts are set to unlabelled
3366 */
3367static int selinux_kernel_act_as(struct cred *new, u32 secid)
3368{
3369 struct task_security_struct *tsec = new->security;
3370 u32 sid = current_sid();
3371 int ret;
3372
3373 ret = avc_has_perm(sid, secid,
3374 SECCLASS_KERNEL_SERVICE,
3375 KERNEL_SERVICE__USE_AS_OVERRIDE,
3376 NULL);
3377 if (ret == 0) {
3378 tsec->sid = secid;
3379 tsec->create_sid = 0;
3380 tsec->keycreate_sid = 0;
3381 tsec->sockcreate_sid = 0;
3382 }
3383 return ret;
3384}
3385
3386/*
3387 * set the file creation context in a security record to the same as the
3388 * objective context of the specified inode
3389 */
3390static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3391{
3392 struct inode_security_struct *isec = inode->i_security;
3393 struct task_security_struct *tsec = new->security;
3394 u32 sid = current_sid();
3395 int ret;
3396
3397 ret = avc_has_perm(sid, isec->sid,
3398 SECCLASS_KERNEL_SERVICE,
3399 KERNEL_SERVICE__CREATE_FILES_AS,
3400 NULL);
3401
3402 if (ret == 0)
3403 tsec->create_sid = isec->sid;
3404 return ret;
3405}
3406
3407static int selinux_kernel_module_request(char *kmod_name)
3408{
3409 u32 sid;
3410 struct common_audit_data ad;
3411 struct selinux_audit_data sad = {0,};
3412
3413 sid = task_sid(current);
3414
3415 COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3416 ad.selinux_audit_data = &sad;
3417 ad.u.kmod_name = kmod_name;
3418
3419 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3420 SYSTEM__MODULE_REQUEST, &ad);
3421}
3422
3423static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3424{
3425 return current_has_perm(p, PROCESS__SETPGID);
3426}
3427
3428static int selinux_task_getpgid(struct task_struct *p)
3429{
3430 return current_has_perm(p, PROCESS__GETPGID);
3431}
3432
3433static int selinux_task_getsid(struct task_struct *p)
3434{
3435 return current_has_perm(p, PROCESS__GETSESSION);
3436}
3437
3438static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3439{
3440 *secid = task_sid(p);
3441}
3442
3443static int selinux_task_setnice(struct task_struct *p, int nice)
3444{
3445 int rc;
3446
3447 rc = cap_task_setnice(p, nice);
3448 if (rc)
3449 return rc;
3450
3451 return current_has_perm(p, PROCESS__SETSCHED);
3452}
3453
3454static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3455{
3456 int rc;
3457
3458 rc = cap_task_setioprio(p, ioprio);
3459 if (rc)
3460 return rc;
3461
3462 return current_has_perm(p, PROCESS__SETSCHED);
3463}
3464
3465static int selinux_task_getioprio(struct task_struct *p)
3466{
3467 return current_has_perm(p, PROCESS__GETSCHED);
3468}
3469
3470static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3471 struct rlimit *new_rlim)
3472{
3473 struct rlimit *old_rlim = p->signal->rlim + resource;
3474
3475 /* Control the ability to change the hard limit (whether
3476 lowering or raising it), so that the hard limit can
3477 later be used as a safe reset point for the soft limit
3478 upon context transitions. See selinux_bprm_committing_creds. */
3479 if (old_rlim->rlim_max != new_rlim->rlim_max)
3480 return current_has_perm(p, PROCESS__SETRLIMIT);
3481
3482 return 0;
3483}
3484
3485static int selinux_task_setscheduler(struct task_struct *p)
3486{
3487 int rc;
3488
3489 rc = cap_task_setscheduler(p);
3490 if (rc)
3491 return rc;
3492
3493 return current_has_perm(p, PROCESS__SETSCHED);
3494}
3495
3496static int selinux_task_getscheduler(struct task_struct *p)
3497{
3498 return current_has_perm(p, PROCESS__GETSCHED);
3499}
3500
3501static int selinux_task_movememory(struct task_struct *p)
3502{
3503 return current_has_perm(p, PROCESS__SETSCHED);
3504}
3505
3506static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3507 int sig, u32 secid)
3508{
3509 u32 perm;
3510 int rc;
3511
3512 if (!sig)
3513 perm = PROCESS__SIGNULL; /* null signal; existence test */
3514 else
3515 perm = signal_to_av(sig);
3516 if (secid)
3517 rc = avc_has_perm(secid, task_sid(p),
3518 SECCLASS_PROCESS, perm, NULL);
3519 else
3520 rc = current_has_perm(p, perm);
3521 return rc;
3522}
3523
3524static int selinux_task_wait(struct task_struct *p)
3525{
3526 return task_has_perm(p, current, PROCESS__SIGCHLD);
3527}
3528
3529static void selinux_task_to_inode(struct task_struct *p,
3530 struct inode *inode)
3531{
3532 struct inode_security_struct *isec = inode->i_security;
3533 u32 sid = task_sid(p);
3534
3535 isec->sid = sid;
3536 isec->initialized = 1;
3537}
3538
3539/* Returns error only if unable to parse addresses */
3540static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3541 struct common_audit_data *ad, u8 *proto)
3542{
3543 int offset, ihlen, ret = -EINVAL;
3544 struct iphdr _iph, *ih;
3545
3546 offset = skb_network_offset(skb);
3547 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3548 if (ih == NULL)
3549 goto out;
3550
3551 ihlen = ih->ihl * 4;
3552 if (ihlen < sizeof(_iph))
3553 goto out;
3554
3555 ad->u.net->v4info.saddr = ih->saddr;
3556 ad->u.net->v4info.daddr = ih->daddr;
3557 ret = 0;
3558
3559 if (proto)
3560 *proto = ih->protocol;
3561
3562 switch (ih->protocol) {
3563 case IPPROTO_TCP: {
3564 struct tcphdr _tcph, *th;
3565
3566 if (ntohs(ih->frag_off) & IP_OFFSET)
3567 break;
3568
3569 offset += ihlen;
3570 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3571 if (th == NULL)
3572 break;
3573
3574 ad->u.net->sport = th->source;
3575 ad->u.net->dport = th->dest;
3576 break;
3577 }
3578
3579 case IPPROTO_UDP: {
3580 struct udphdr _udph, *uh;
3581
3582 if (ntohs(ih->frag_off) & IP_OFFSET)
3583 break;
3584
3585 offset += ihlen;
3586 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3587 if (uh == NULL)
3588 break;
3589
3590 ad->u.net->sport = uh->source;
3591 ad->u.net->dport = uh->dest;
3592 break;
3593 }
3594
3595 case IPPROTO_DCCP: {
3596 struct dccp_hdr _dccph, *dh;
3597
3598 if (ntohs(ih->frag_off) & IP_OFFSET)
3599 break;
3600
3601 offset += ihlen;
3602 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3603 if (dh == NULL)
3604 break;
3605
3606 ad->u.net->sport = dh->dccph_sport;
3607 ad->u.net->dport = dh->dccph_dport;
3608 break;
3609 }
3610
3611 default:
3612 break;
3613 }
3614out:
3615 return ret;
3616}
3617
3618#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3619
3620/* Returns error only if unable to parse addresses */
3621static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3622 struct common_audit_data *ad, u8 *proto)
3623{
3624 u8 nexthdr;
3625 int ret = -EINVAL, offset;
3626 struct ipv6hdr _ipv6h, *ip6;
3627 __be16 frag_off;
3628
3629 offset = skb_network_offset(skb);
3630 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3631 if (ip6 == NULL)
3632 goto out;
3633
3634 ad->u.net->v6info.saddr = ip6->saddr;
3635 ad->u.net->v6info.daddr = ip6->daddr;
3636 ret = 0;
3637
3638 nexthdr = ip6->nexthdr;
3639 offset += sizeof(_ipv6h);
3640 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3641 if (offset < 0)
3642 goto out;
3643
3644 if (proto)
3645 *proto = nexthdr;
3646
3647 switch (nexthdr) {
3648 case IPPROTO_TCP: {
3649 struct tcphdr _tcph, *th;
3650
3651 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3652 if (th == NULL)
3653 break;
3654
3655 ad->u.net->sport = th->source;
3656 ad->u.net->dport = th->dest;
3657 break;
3658 }
3659
3660 case IPPROTO_UDP: {
3661 struct udphdr _udph, *uh;
3662
3663 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3664 if (uh == NULL)
3665 break;
3666
3667 ad->u.net->sport = uh->source;
3668 ad->u.net->dport = uh->dest;
3669 break;
3670 }
3671
3672 case IPPROTO_DCCP: {
3673 struct dccp_hdr _dccph, *dh;
3674
3675 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3676 if (dh == NULL)
3677 break;
3678
3679 ad->u.net->sport = dh->dccph_sport;
3680 ad->u.net->dport = dh->dccph_dport;
3681 break;
3682 }
3683
3684 /* includes fragments */
3685 default:
3686 break;
3687 }
3688out:
3689 return ret;
3690}
3691
3692#endif /* IPV6 */
3693
3694static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3695 char **_addrp, int src, u8 *proto)
3696{
3697 char *addrp;
3698 int ret;
3699
3700 switch (ad->u.net->family) {
3701 case PF_INET:
3702 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3703 if (ret)
3704 goto parse_error;
3705 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3706 &ad->u.net->v4info.daddr);
3707 goto okay;
3708
3709#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3710 case PF_INET6:
3711 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3712 if (ret)
3713 goto parse_error;
3714 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3715 &ad->u.net->v6info.daddr);
3716 goto okay;
3717#endif /* IPV6 */
3718 default:
3719 addrp = NULL;
3720 goto okay;
3721 }
3722
3723parse_error:
3724 printk(KERN_WARNING
3725 "SELinux: failure in selinux_parse_skb(),"
3726 " unable to parse packet\n");
3727 return ret;
3728
3729okay:
3730 if (_addrp)
3731 *_addrp = addrp;
3732 return 0;
3733}
3734
3735/**
3736 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3737 * @skb: the packet
3738 * @family: protocol family
3739 * @sid: the packet's peer label SID
3740 *
3741 * Description:
3742 * Check the various different forms of network peer labeling and determine
3743 * the peer label/SID for the packet; most of the magic actually occurs in
3744 * the security server function security_net_peersid_cmp(). The function
3745 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3746 * or -EACCES if @sid is invalid due to inconsistencies with the different
3747 * peer labels.
3748 *
3749 */
3750static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3751{
3752 int err;
3753 u32 xfrm_sid;
3754 u32 nlbl_sid;
3755 u32 nlbl_type;
3756
3757 selinux_xfrm_skb_sid(skb, &xfrm_sid);
3758 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3759
3760 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3761 if (unlikely(err)) {
3762 printk(KERN_WARNING
3763 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3764 " unable to determine packet's peer label\n");
3765 return -EACCES;
3766 }
3767
3768 return 0;
3769}
3770
3771/**
3772 * selinux_conn_sid - Determine the child socket label for a connection
3773 * @sk_sid: the parent socket's SID
3774 * @skb_sid: the packet's SID
3775 * @conn_sid: the resulting connection SID
3776 *
3777 * If @skb_sid is valid then the user:role:type information from @sk_sid is
3778 * combined with the MLS information from @skb_sid in order to create
3779 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
3780 * of @sk_sid. Returns zero on success, negative values on failure.
3781 *
3782 */
3783static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3784{
3785 int err = 0;
3786
3787 if (skb_sid != SECSID_NULL)
3788 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3789 else
3790 *conn_sid = sk_sid;
3791
3792 return err;
3793}
3794
3795/* socket security operations */
3796
3797static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3798 u16 secclass, u32 *socksid)
3799{
3800 if (tsec->sockcreate_sid > SECSID_NULL) {
3801 *socksid = tsec->sockcreate_sid;
3802 return 0;
3803 }
3804
3805 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3806 socksid);
3807}
3808
3809static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3810{
3811 struct sk_security_struct *sksec = sk->sk_security;
3812 struct common_audit_data ad;
3813 struct selinux_audit_data sad = {0,};
3814 struct lsm_network_audit net = {0,};
3815 u32 tsid = task_sid(task);
3816
3817 if (sksec->sid == SECINITSID_KERNEL)
3818 return 0;
3819
3820 COMMON_AUDIT_DATA_INIT(&ad, NET);
3821 ad.selinux_audit_data = &sad;
3822 ad.u.net = &net;
3823 ad.u.net->sk = sk;
3824
3825 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3826}
3827
3828static int selinux_socket_create(int family, int type,
3829 int protocol, int kern)
3830{
3831 const struct task_security_struct *tsec = current_security();
3832 u32 newsid;
3833 u16 secclass;
3834 int rc;
3835
3836 if (kern)
3837 return 0;
3838
3839 secclass = socket_type_to_security_class(family, type, protocol);
3840 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3841 if (rc)
3842 return rc;
3843
3844 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3845}
3846
3847static int selinux_socket_post_create(struct socket *sock, int family,
3848 int type, int protocol, int kern)
3849{
3850 const struct task_security_struct *tsec = current_security();
3851 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3852 struct sk_security_struct *sksec;
3853 int err = 0;
3854
3855 isec->sclass = socket_type_to_security_class(family, type, protocol);
3856
3857 if (kern)
3858 isec->sid = SECINITSID_KERNEL;
3859 else {
3860 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3861 if (err)
3862 return err;
3863 }
3864
3865 isec->initialized = 1;
3866
3867 if (sock->sk) {
3868 sksec = sock->sk->sk_security;
3869 sksec->sid = isec->sid;
3870 sksec->sclass = isec->sclass;
3871 err = selinux_netlbl_socket_post_create(sock->sk, family);
3872 }
3873
3874 return err;
3875}
3876
3877/* Range of port numbers used to automatically bind.
3878 Need to determine whether we should perform a name_bind
3879 permission check between the socket and the port number. */
3880
3881static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3882{
3883 struct sock *sk = sock->sk;
3884 u16 family;
3885 int err;
3886
3887 err = sock_has_perm(current, sk, SOCKET__BIND);
3888 if (err)
3889 goto out;
3890
3891 /*
3892 * If PF_INET or PF_INET6, check name_bind permission for the port.
3893 * Multiple address binding for SCTP is not supported yet: we just
3894 * check the first address now.
3895 */
3896 family = sk->sk_family;
3897 if (family == PF_INET || family == PF_INET6) {
3898 char *addrp;
3899 struct sk_security_struct *sksec = sk->sk_security;
3900 struct common_audit_data ad;
3901 struct selinux_audit_data sad = {0,};
3902 struct lsm_network_audit net = {0,};
3903 struct sockaddr_in *addr4 = NULL;
3904 struct sockaddr_in6 *addr6 = NULL;
3905 unsigned short snum;
3906 u32 sid, node_perm;
3907
3908 if (family == PF_INET) {
3909 addr4 = (struct sockaddr_in *)address;
3910 snum = ntohs(addr4->sin_port);
3911 addrp = (char *)&addr4->sin_addr.s_addr;
3912 } else {
3913 addr6 = (struct sockaddr_in6 *)address;
3914 snum = ntohs(addr6->sin6_port);
3915 addrp = (char *)&addr6->sin6_addr.s6_addr;
3916 }
3917
3918 if (snum) {
3919 int low, high;
3920
3921 inet_get_local_port_range(&low, &high);
3922
3923 if (snum < max(PROT_SOCK, low) || snum > high) {
3924 err = sel_netport_sid(sk->sk_protocol,
3925 snum, &sid);
3926 if (err)
3927 goto out;
3928 COMMON_AUDIT_DATA_INIT(&ad, NET);
3929 ad.selinux_audit_data = &sad;
3930 ad.u.net = &net;
3931 ad.u.net->sport = htons(snum);
3932 ad.u.net->family = family;
3933 err = avc_has_perm(sksec->sid, sid,
3934 sksec->sclass,
3935 SOCKET__NAME_BIND, &ad);
3936 if (err)
3937 goto out;
3938 }
3939 }
3940
3941 switch (sksec->sclass) {
3942 case SECCLASS_TCP_SOCKET:
3943 node_perm = TCP_SOCKET__NODE_BIND;
3944 break;
3945
3946 case SECCLASS_UDP_SOCKET:
3947 node_perm = UDP_SOCKET__NODE_BIND;
3948 break;
3949
3950 case SECCLASS_DCCP_SOCKET:
3951 node_perm = DCCP_SOCKET__NODE_BIND;
3952 break;
3953
3954 default:
3955 node_perm = RAWIP_SOCKET__NODE_BIND;
3956 break;
3957 }
3958
3959 err = sel_netnode_sid(addrp, family, &sid);
3960 if (err)
3961 goto out;
3962
3963 COMMON_AUDIT_DATA_INIT(&ad, NET);
3964 ad.selinux_audit_data = &sad;
3965 ad.u.net = &net;
3966 ad.u.net->sport = htons(snum);
3967 ad.u.net->family = family;
3968
3969 if (family == PF_INET)
3970 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3971 else
3972 ad.u.net->v6info.saddr = addr6->sin6_addr;
3973
3974 err = avc_has_perm(sksec->sid, sid,
3975 sksec->sclass, node_perm, &ad);
3976 if (err)
3977 goto out;
3978 }
3979out:
3980 return err;
3981}
3982
3983static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3984{
3985 struct sock *sk = sock->sk;
3986 struct sk_security_struct *sksec = sk->sk_security;
3987 int err;
3988
3989 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3990 if (err)
3991 return err;
3992
3993 /*
3994 * If a TCP or DCCP socket, check name_connect permission for the port.
3995 */
3996 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3997 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3998 struct common_audit_data ad;
3999 struct selinux_audit_data sad = {0,};
4000 struct lsm_network_audit net = {0,};
4001 struct sockaddr_in *addr4 = NULL;
4002 struct sockaddr_in6 *addr6 = NULL;
4003 unsigned short snum;
4004 u32 sid, perm;
4005
4006 if (sk->sk_family == PF_INET) {
4007 addr4 = (struct sockaddr_in *)address;
4008 if (addrlen < sizeof(struct sockaddr_in))
4009 return -EINVAL;
4010 snum = ntohs(addr4->sin_port);
4011 } else {
4012 addr6 = (struct sockaddr_in6 *)address;
4013 if (addrlen < SIN6_LEN_RFC2133)
4014 return -EINVAL;
4015 snum = ntohs(addr6->sin6_port);
4016 }
4017
4018 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4019 if (err)
4020 goto out;
4021
4022 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4023 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4024
4025 COMMON_AUDIT_DATA_INIT(&ad, NET);
4026 ad.selinux_audit_data = &sad;
4027 ad.u.net = &net;
4028 ad.u.net->dport = htons(snum);
4029 ad.u.net->family = sk->sk_family;
4030 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4031 if (err)
4032 goto out;
4033 }
4034
4035 err = selinux_netlbl_socket_connect(sk, address);
4036
4037out:
4038 return err;
4039}
4040
4041static int selinux_socket_listen(struct socket *sock, int backlog)
4042{
4043 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4044}
4045
4046static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4047{
4048 int err;
4049 struct inode_security_struct *isec;
4050 struct inode_security_struct *newisec;
4051
4052 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4053 if (err)
4054 return err;
4055
4056 newisec = SOCK_INODE(newsock)->i_security;
4057
4058 isec = SOCK_INODE(sock)->i_security;
4059 newisec->sclass = isec->sclass;
4060 newisec->sid = isec->sid;
4061 newisec->initialized = 1;
4062
4063 return 0;
4064}
4065
4066static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4067 int size)
4068{
4069 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4070}
4071
4072static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4073 int size, int flags)
4074{
4075 return sock_has_perm(current, sock->sk, SOCKET__READ);
4076}
4077
4078static int selinux_socket_getsockname(struct socket *sock)
4079{
4080 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4081}
4082
4083static int selinux_socket_getpeername(struct socket *sock)
4084{
4085 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4086}
4087
4088static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4089{
4090 int err;
4091
4092 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4093 if (err)
4094 return err;
4095
4096 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4097}
4098
4099static int selinux_socket_getsockopt(struct socket *sock, int level,
4100 int optname)
4101{
4102 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4103}
4104
4105static int selinux_socket_shutdown(struct socket *sock, int how)
4106{
4107 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4108}
4109
4110static int selinux_socket_unix_stream_connect(struct sock *sock,
4111 struct sock *other,
4112 struct sock *newsk)
4113{
4114 struct sk_security_struct *sksec_sock = sock->sk_security;
4115 struct sk_security_struct *sksec_other = other->sk_security;
4116 struct sk_security_struct *sksec_new = newsk->sk_security;
4117 struct common_audit_data ad;
4118 struct selinux_audit_data sad = {0,};
4119 struct lsm_network_audit net = {0,};
4120 int err;
4121
4122 COMMON_AUDIT_DATA_INIT(&ad, NET);
4123 ad.selinux_audit_data = &sad;
4124 ad.u.net = &net;
4125 ad.u.net->sk = other;
4126
4127 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4128 sksec_other->sclass,
4129 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4130 if (err)
4131 return err;
4132
4133 /* server child socket */
4134 sksec_new->peer_sid = sksec_sock->sid;
4135 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4136 &sksec_new->sid);
4137 if (err)
4138 return err;
4139
4140 /* connecting socket */
4141 sksec_sock->peer_sid = sksec_new->sid;
4142
4143 return 0;
4144}
4145
4146static int selinux_socket_unix_may_send(struct socket *sock,
4147 struct socket *other)
4148{
4149 struct sk_security_struct *ssec = sock->sk->sk_security;
4150 struct sk_security_struct *osec = other->sk->sk_security;
4151 struct common_audit_data ad;
4152 struct selinux_audit_data sad = {0,};
4153 struct lsm_network_audit net = {0,};
4154
4155 COMMON_AUDIT_DATA_INIT(&ad, NET);
4156 ad.selinux_audit_data = &sad;
4157 ad.u.net = &net;
4158 ad.u.net->sk = other->sk;
4159
4160 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4161 &ad);
4162}
4163
4164static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4165 u32 peer_sid,
4166 struct common_audit_data *ad)
4167{
4168 int err;
4169 u32 if_sid;
4170 u32 node_sid;
4171
4172 err = sel_netif_sid(ifindex, &if_sid);
4173 if (err)
4174 return err;
4175 err = avc_has_perm(peer_sid, if_sid,
4176 SECCLASS_NETIF, NETIF__INGRESS, ad);
4177 if (err)
4178 return err;
4179
4180 err = sel_netnode_sid(addrp, family, &node_sid);
4181 if (err)
4182 return err;
4183 return avc_has_perm(peer_sid, node_sid,
4184 SECCLASS_NODE, NODE__RECVFROM, ad);
4185}
4186
4187static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4188 u16 family)
4189{
4190 int err = 0;
4191 struct sk_security_struct *sksec = sk->sk_security;
4192 u32 sk_sid = sksec->sid;
4193 struct common_audit_data ad;
4194 struct selinux_audit_data sad = {0,};
4195 struct lsm_network_audit net = {0,};
4196 char *addrp;
4197
4198 COMMON_AUDIT_DATA_INIT(&ad, NET);
4199 ad.selinux_audit_data = &sad;
4200 ad.u.net = &net;
4201 ad.u.net->netif = skb->skb_iif;
4202 ad.u.net->family = family;
4203 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4204 if (err)
4205 return err;
4206
4207 if (selinux_secmark_enabled()) {
4208 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4209 PACKET__RECV, &ad);
4210 if (err)
4211 return err;
4212 }
4213
4214 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4215 if (err)
4216 return err;
4217 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4218
4219 return err;
4220}
4221
4222static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4223{
4224 int err;
4225 struct sk_security_struct *sksec = sk->sk_security;
4226 u16 family = sk->sk_family;
4227 u32 sk_sid = sksec->sid;
4228 struct common_audit_data ad;
4229 struct selinux_audit_data sad = {0,};
4230 struct lsm_network_audit net = {0,};
4231 char *addrp;
4232 u8 secmark_active;
4233 u8 peerlbl_active;
4234
4235 if (family != PF_INET && family != PF_INET6)
4236 return 0;
4237
4238 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4239 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4240 family = PF_INET;
4241
4242 /* If any sort of compatibility mode is enabled then handoff processing
4243 * to the selinux_sock_rcv_skb_compat() function to deal with the
4244 * special handling. We do this in an attempt to keep this function
4245 * as fast and as clean as possible. */
4246 if (!selinux_policycap_netpeer)
4247 return selinux_sock_rcv_skb_compat(sk, skb, family);
4248
4249 secmark_active = selinux_secmark_enabled();
4250 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4251 if (!secmark_active && !peerlbl_active)
4252 return 0;
4253
4254 COMMON_AUDIT_DATA_INIT(&ad, NET);
4255 ad.selinux_audit_data = &sad;
4256 ad.u.net = &net;
4257 ad.u.net->netif = skb->skb_iif;
4258 ad.u.net->family = family;
4259 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4260 if (err)
4261 return err;
4262
4263 if (peerlbl_active) {
4264 u32 peer_sid;
4265
4266 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4267 if (err)
4268 return err;
4269 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4270 peer_sid, &ad);
4271 if (err) {
4272 selinux_netlbl_err(skb, err, 0);
4273 return err;
4274 }
4275 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4276 PEER__RECV, &ad);
4277 if (err) {
4278 selinux_netlbl_err(skb, err, 0);
4279 return err;
4280 }
4281 }
4282
4283 if (secmark_active) {
4284 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4285 PACKET__RECV, &ad);
4286 if (err)
4287 return err;
4288 }
4289
4290 return err;
4291}
4292
4293static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4294 int __user *optlen, unsigned len)
4295{
4296 int err = 0;
4297 char *scontext;
4298 u32 scontext_len;
4299 struct sk_security_struct *sksec = sock->sk->sk_security;
4300 u32 peer_sid = SECSID_NULL;
4301
4302 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4303 sksec->sclass == SECCLASS_TCP_SOCKET)
4304 peer_sid = sksec->peer_sid;
4305 if (peer_sid == SECSID_NULL)
4306 return -ENOPROTOOPT;
4307
4308 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4309 if (err)
4310 return err;
4311
4312 if (scontext_len > len) {
4313 err = -ERANGE;
4314 goto out_len;
4315 }
4316
4317 if (copy_to_user(optval, scontext, scontext_len))
4318 err = -EFAULT;
4319
4320out_len:
4321 if (put_user(scontext_len, optlen))
4322 err = -EFAULT;
4323 kfree(scontext);
4324 return err;
4325}
4326
4327static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4328{
4329 u32 peer_secid = SECSID_NULL;
4330 u16 family;
4331
4332 if (skb && skb->protocol == htons(ETH_P_IP))
4333 family = PF_INET;
4334 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4335 family = PF_INET6;
4336 else if (sock)
4337 family = sock->sk->sk_family;
4338 else
4339 goto out;
4340
4341 if (sock && family == PF_UNIX)
4342 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4343 else if (skb)
4344 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4345
4346out:
4347 *secid = peer_secid;
4348 if (peer_secid == SECSID_NULL)
4349 return -EINVAL;
4350 return 0;
4351}
4352
4353static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4354{
4355 struct sk_security_struct *sksec;
4356
4357 sksec = kzalloc(sizeof(*sksec), priority);
4358 if (!sksec)
4359 return -ENOMEM;
4360
4361 sksec->peer_sid = SECINITSID_UNLABELED;
4362 sksec->sid = SECINITSID_UNLABELED;
4363 selinux_netlbl_sk_security_reset(sksec);
4364 sk->sk_security = sksec;
4365
4366 return 0;
4367}
4368
4369static void selinux_sk_free_security(struct sock *sk)
4370{
4371 struct sk_security_struct *sksec = sk->sk_security;
4372
4373 sk->sk_security = NULL;
4374 selinux_netlbl_sk_security_free(sksec);
4375 kfree(sksec);
4376}
4377
4378static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4379{
4380 struct sk_security_struct *sksec = sk->sk_security;
4381 struct sk_security_struct *newsksec = newsk->sk_security;
4382
4383 newsksec->sid = sksec->sid;
4384 newsksec->peer_sid = sksec->peer_sid;
4385 newsksec->sclass = sksec->sclass;
4386
4387 selinux_netlbl_sk_security_reset(newsksec);
4388}
4389
4390static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4391{
4392 if (!sk)
4393 *secid = SECINITSID_ANY_SOCKET;
4394 else {
4395 struct sk_security_struct *sksec = sk->sk_security;
4396
4397 *secid = sksec->sid;
4398 }
4399}
4400
4401static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4402{
4403 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4404 struct sk_security_struct *sksec = sk->sk_security;
4405
4406 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4407 sk->sk_family == PF_UNIX)
4408 isec->sid = sksec->sid;
4409 sksec->sclass = isec->sclass;
4410}
4411
4412static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4413 struct request_sock *req)
4414{
4415 struct sk_security_struct *sksec = sk->sk_security;
4416 int err;
4417 u16 family = sk->sk_family;
4418 u32 connsid;
4419 u32 peersid;
4420
4421 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4422 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4423 family = PF_INET;
4424
4425 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4426 if (err)
4427 return err;
4428 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4429 if (err)
4430 return err;
4431 req->secid = connsid;
4432 req->peer_secid = peersid;
4433
4434 return selinux_netlbl_inet_conn_request(req, family);
4435}
4436
4437static void selinux_inet_csk_clone(struct sock *newsk,
4438 const struct request_sock *req)
4439{
4440 struct sk_security_struct *newsksec = newsk->sk_security;
4441
4442 newsksec->sid = req->secid;
4443 newsksec->peer_sid = req->peer_secid;
4444 /* NOTE: Ideally, we should also get the isec->sid for the
4445 new socket in sync, but we don't have the isec available yet.
4446 So we will wait until sock_graft to do it, by which
4447 time it will have been created and available. */
4448
4449 /* We don't need to take any sort of lock here as we are the only
4450 * thread with access to newsksec */
4451 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4452}
4453
4454static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4455{
4456 u16 family = sk->sk_family;
4457 struct sk_security_struct *sksec = sk->sk_security;
4458
4459 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4460 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4461 family = PF_INET;
4462
4463 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4464}
4465
4466static int selinux_secmark_relabel_packet(u32 sid)
4467{
4468 const struct task_security_struct *__tsec;
4469 u32 tsid;
4470
4471 __tsec = current_security();
4472 tsid = __tsec->sid;
4473
4474 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4475}
4476
4477static void selinux_secmark_refcount_inc(void)
4478{
4479 atomic_inc(&selinux_secmark_refcount);
4480}
4481
4482static void selinux_secmark_refcount_dec(void)
4483{
4484 atomic_dec(&selinux_secmark_refcount);
4485}
4486
4487static void selinux_req_classify_flow(const struct request_sock *req,
4488 struct flowi *fl)
4489{
4490 fl->flowi_secid = req->secid;
4491}
4492
4493static int selinux_tun_dev_create(void)
4494{
4495 u32 sid = current_sid();
4496
4497 /* we aren't taking into account the "sockcreate" SID since the socket
4498 * that is being created here is not a socket in the traditional sense,
4499 * instead it is a private sock, accessible only to the kernel, and
4500 * representing a wide range of network traffic spanning multiple
4501 * connections unlike traditional sockets - check the TUN driver to
4502 * get a better understanding of why this socket is special */
4503
4504 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4505 NULL);
4506}
4507
4508static void selinux_tun_dev_post_create(struct sock *sk)
4509{
4510 struct sk_security_struct *sksec = sk->sk_security;
4511
4512 /* we don't currently perform any NetLabel based labeling here and it
4513 * isn't clear that we would want to do so anyway; while we could apply
4514 * labeling without the support of the TUN user the resulting labeled
4515 * traffic from the other end of the connection would almost certainly
4516 * cause confusion to the TUN user that had no idea network labeling
4517 * protocols were being used */
4518
4519 /* see the comments in selinux_tun_dev_create() about why we don't use
4520 * the sockcreate SID here */
4521
4522 sksec->sid = current_sid();
4523 sksec->sclass = SECCLASS_TUN_SOCKET;
4524}
4525
4526static int selinux_tun_dev_attach(struct sock *sk)
4527{
4528 struct sk_security_struct *sksec = sk->sk_security;
4529 u32 sid = current_sid();
4530 int err;
4531
4532 err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4533 TUN_SOCKET__RELABELFROM, NULL);
4534 if (err)
4535 return err;
4536 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4537 TUN_SOCKET__RELABELTO, NULL);
4538 if (err)
4539 return err;
4540
4541 sksec->sid = sid;
4542
4543 return 0;
4544}
4545
4546static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4547{
4548 int err = 0;
4549 u32 perm;
4550 struct nlmsghdr *nlh;
4551 struct sk_security_struct *sksec = sk->sk_security;
4552
4553 if (skb->len < NLMSG_SPACE(0)) {
4554 err = -EINVAL;
4555 goto out;
4556 }
4557 nlh = nlmsg_hdr(skb);
4558
4559 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4560 if (err) {
4561 if (err == -EINVAL) {
4562 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4563 "SELinux: unrecognized netlink message"
4564 " type=%hu for sclass=%hu\n",
4565 nlh->nlmsg_type, sksec->sclass);
4566 if (!selinux_enforcing || security_get_allow_unknown())
4567 err = 0;
4568 }
4569
4570 /* Ignore */
4571 if (err == -ENOENT)
4572 err = 0;
4573 goto out;
4574 }
4575
4576 err = sock_has_perm(current, sk, perm);
4577out:
4578 return err;
4579}
4580
4581#ifdef CONFIG_NETFILTER
4582
4583static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4584 u16 family)
4585{
4586 int err;
4587 char *addrp;
4588 u32 peer_sid;
4589 struct common_audit_data ad;
4590 struct selinux_audit_data sad = {0,};
4591 struct lsm_network_audit net = {0,};
4592 u8 secmark_active;
4593 u8 netlbl_active;
4594 u8 peerlbl_active;
4595
4596 if (!selinux_policycap_netpeer)
4597 return NF_ACCEPT;
4598
4599 secmark_active = selinux_secmark_enabled();
4600 netlbl_active = netlbl_enabled();
4601 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4602 if (!secmark_active && !peerlbl_active)
4603 return NF_ACCEPT;
4604
4605 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4606 return NF_DROP;
4607
4608 COMMON_AUDIT_DATA_INIT(&ad, NET);
4609 ad.selinux_audit_data = &sad;
4610 ad.u.net = &net;
4611 ad.u.net->netif = ifindex;
4612 ad.u.net->family = family;
4613 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4614 return NF_DROP;
4615
4616 if (peerlbl_active) {
4617 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4618 peer_sid, &ad);
4619 if (err) {
4620 selinux_netlbl_err(skb, err, 1);
4621 return NF_DROP;
4622 }
4623 }
4624
4625 if (secmark_active)
4626 if (avc_has_perm(peer_sid, skb->secmark,
4627 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4628 return NF_DROP;
4629
4630 if (netlbl_active)
4631 /* we do this in the FORWARD path and not the POST_ROUTING
4632 * path because we want to make sure we apply the necessary
4633 * labeling before IPsec is applied so we can leverage AH
4634 * protection */
4635 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4636 return NF_DROP;
4637
4638 return NF_ACCEPT;
4639}
4640
4641static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4642 struct sk_buff *skb,
4643 const struct net_device *in,
4644 const struct net_device *out,
4645 int (*okfn)(struct sk_buff *))
4646{
4647 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4648}
4649
4650#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4651static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4652 struct sk_buff *skb,
4653 const struct net_device *in,
4654 const struct net_device *out,
4655 int (*okfn)(struct sk_buff *))
4656{
4657 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4658}
4659#endif /* IPV6 */
4660
4661static unsigned int selinux_ip_output(struct sk_buff *skb,
4662 u16 family)
4663{
4664 struct sock *sk;
4665 u32 sid;
4666
4667 if (!netlbl_enabled())
4668 return NF_ACCEPT;
4669
4670 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4671 * because we want to make sure we apply the necessary labeling
4672 * before IPsec is applied so we can leverage AH protection */
4673 sk = skb->sk;
4674 if (sk) {
4675 struct sk_security_struct *sksec;
4676
4677 if (sk->sk_state == TCP_LISTEN)
4678 /* if the socket is the listening state then this
4679 * packet is a SYN-ACK packet which means it needs to
4680 * be labeled based on the connection/request_sock and
4681 * not the parent socket. unfortunately, we can't
4682 * lookup the request_sock yet as it isn't queued on
4683 * the parent socket until after the SYN-ACK is sent.
4684 * the "solution" is to simply pass the packet as-is
4685 * as any IP option based labeling should be copied
4686 * from the initial connection request (in the IP
4687 * layer). it is far from ideal, but until we get a
4688 * security label in the packet itself this is the
4689 * best we can do. */
4690 return NF_ACCEPT;
4691
4692 /* standard practice, label using the parent socket */
4693 sksec = sk->sk_security;
4694 sid = sksec->sid;
4695 } else
4696 sid = SECINITSID_KERNEL;
4697 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4698 return NF_DROP;
4699
4700 return NF_ACCEPT;
4701}
4702
4703static unsigned int selinux_ipv4_output(unsigned int hooknum,
4704 struct sk_buff *skb,
4705 const struct net_device *in,
4706 const struct net_device *out,
4707 int (*okfn)(struct sk_buff *))
4708{
4709 return selinux_ip_output(skb, PF_INET);
4710}
4711
4712static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4713 int ifindex,
4714 u16 family)
4715{
4716 struct sock *sk = skb->sk;
4717 struct sk_security_struct *sksec;
4718 struct common_audit_data ad;
4719 struct selinux_audit_data sad = {0,};
4720 struct lsm_network_audit net = {0,};
4721 char *addrp;
4722 u8 proto;
4723
4724 if (sk == NULL)
4725 return NF_ACCEPT;
4726 sksec = sk->sk_security;
4727
4728 COMMON_AUDIT_DATA_INIT(&ad, NET);
4729 ad.selinux_audit_data = &sad;
4730 ad.u.net = &net;
4731 ad.u.net->netif = ifindex;
4732 ad.u.net->family = family;
4733 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4734 return NF_DROP;
4735
4736 if (selinux_secmark_enabled())
4737 if (avc_has_perm(sksec->sid, skb->secmark,
4738 SECCLASS_PACKET, PACKET__SEND, &ad))
4739 return NF_DROP_ERR(-ECONNREFUSED);
4740
4741 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4742 return NF_DROP_ERR(-ECONNREFUSED);
4743
4744 return NF_ACCEPT;
4745}
4746
4747static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4748 u16 family)
4749{
4750 u32 secmark_perm;
4751 u32 peer_sid;
4752 struct sock *sk;
4753 struct common_audit_data ad;
4754 struct selinux_audit_data sad = {0,};
4755 struct lsm_network_audit net = {0,};
4756 char *addrp;
4757 u8 secmark_active;
4758 u8 peerlbl_active;
4759
4760 /* If any sort of compatibility mode is enabled then handoff processing
4761 * to the selinux_ip_postroute_compat() function to deal with the
4762 * special handling. We do this in an attempt to keep this function
4763 * as fast and as clean as possible. */
4764 if (!selinux_policycap_netpeer)
4765 return selinux_ip_postroute_compat(skb, ifindex, family);
4766
4767 secmark_active = selinux_secmark_enabled();
4768 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4769 if (!secmark_active && !peerlbl_active)
4770 return NF_ACCEPT;
4771
4772 sk = skb->sk;
4773
4774#ifdef CONFIG_XFRM
4775 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4776 * packet transformation so allow the packet to pass without any checks
4777 * since we'll have another chance to perform access control checks
4778 * when the packet is on it's final way out.
4779 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4780 * is NULL, in this case go ahead and apply access control.
4781 * is NULL, in this case go ahead and apply access control.
4782 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4783 * TCP listening state we cannot wait until the XFRM processing
4784 * is done as we will miss out on the SA label if we do;
4785 * unfortunately, this means more work, but it is only once per
4786 * connection. */
4787 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4788 !(sk != NULL && sk->sk_state == TCP_LISTEN))
4789 return NF_ACCEPT;
4790#endif
4791
4792 if (sk == NULL) {
4793 /* Without an associated socket the packet is either coming
4794 * from the kernel or it is being forwarded; check the packet
4795 * to determine which and if the packet is being forwarded
4796 * query the packet directly to determine the security label. */
4797 if (skb->skb_iif) {
4798 secmark_perm = PACKET__FORWARD_OUT;
4799 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4800 return NF_DROP;
4801 } else {
4802 secmark_perm = PACKET__SEND;
4803 peer_sid = SECINITSID_KERNEL;
4804 }
4805 } else if (sk->sk_state == TCP_LISTEN) {
4806 /* Locally generated packet but the associated socket is in the
4807 * listening state which means this is a SYN-ACK packet. In
4808 * this particular case the correct security label is assigned
4809 * to the connection/request_sock but unfortunately we can't
4810 * query the request_sock as it isn't queued on the parent
4811 * socket until after the SYN-ACK packet is sent; the only
4812 * viable choice is to regenerate the label like we do in
4813 * selinux_inet_conn_request(). See also selinux_ip_output()
4814 * for similar problems. */
4815 u32 skb_sid;
4816 struct sk_security_struct *sksec = sk->sk_security;
4817 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4818 return NF_DROP;
4819 /* At this point, if the returned skb peerlbl is SECSID_NULL
4820 * and the packet has been through at least one XFRM
4821 * transformation then we must be dealing with the "final"
4822 * form of labeled IPsec packet; since we've already applied
4823 * all of our access controls on this packet we can safely
4824 * pass the packet. */
4825 if (skb_sid == SECSID_NULL) {
4826 switch (family) {
4827 case PF_INET:
4828 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4829 return NF_ACCEPT;
4830 break;
4831 case PF_INET6:
4832 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4833 return NF_ACCEPT;
4834 default:
4835 return NF_DROP_ERR(-ECONNREFUSED);
4836 }
4837 }
4838 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4839 return NF_DROP;
4840 secmark_perm = PACKET__SEND;
4841 } else {
4842 /* Locally generated packet, fetch the security label from the
4843 * associated socket. */
4844 struct sk_security_struct *sksec = sk->sk_security;
4845 peer_sid = sksec->sid;
4846 secmark_perm = PACKET__SEND;
4847 }
4848
4849 COMMON_AUDIT_DATA_INIT(&ad, NET);
4850 ad.selinux_audit_data = &sad;
4851 ad.u.net = &net;
4852 ad.u.net->netif = ifindex;
4853 ad.u.net->family = family;
4854 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4855 return NF_DROP;
4856
4857 if (secmark_active)
4858 if (avc_has_perm(peer_sid, skb->secmark,
4859 SECCLASS_PACKET, secmark_perm, &ad))
4860 return NF_DROP_ERR(-ECONNREFUSED);
4861
4862 if (peerlbl_active) {
4863 u32 if_sid;
4864 u32 node_sid;
4865
4866 if (sel_netif_sid(ifindex, &if_sid))
4867 return NF_DROP;
4868 if (avc_has_perm(peer_sid, if_sid,
4869 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4870 return NF_DROP_ERR(-ECONNREFUSED);
4871
4872 if (sel_netnode_sid(addrp, family, &node_sid))
4873 return NF_DROP;
4874 if (avc_has_perm(peer_sid, node_sid,
4875 SECCLASS_NODE, NODE__SENDTO, &ad))
4876 return NF_DROP_ERR(-ECONNREFUSED);
4877 }
4878
4879 return NF_ACCEPT;
4880}
4881
4882static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4883 struct sk_buff *skb,
4884 const struct net_device *in,
4885 const struct net_device *out,
4886 int (*okfn)(struct sk_buff *))
4887{
4888 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4889}
4890
4891#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4892static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4893 struct sk_buff *skb,
4894 const struct net_device *in,
4895 const struct net_device *out,
4896 int (*okfn)(struct sk_buff *))
4897{
4898 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4899}
4900#endif /* IPV6 */
4901
4902#endif /* CONFIG_NETFILTER */
4903
4904static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4905{
4906 int err;
4907
4908 err = cap_netlink_send(sk, skb);
4909 if (err)
4910 return err;
4911
4912 return selinux_nlmsg_perm(sk, skb);
4913}
4914
4915static int ipc_alloc_security(struct task_struct *task,
4916 struct kern_ipc_perm *perm,
4917 u16 sclass)
4918{
4919 struct ipc_security_struct *isec;
4920 u32 sid;
4921
4922 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4923 if (!isec)
4924 return -ENOMEM;
4925
4926 sid = task_sid(task);
4927 isec->sclass = sclass;
4928 isec->sid = sid;
4929 perm->security = isec;
4930
4931 return 0;
4932}
4933
4934static void ipc_free_security(struct kern_ipc_perm *perm)
4935{
4936 struct ipc_security_struct *isec = perm->security;
4937 perm->security = NULL;
4938 kfree(isec);
4939}
4940
4941static int msg_msg_alloc_security(struct msg_msg *msg)
4942{
4943 struct msg_security_struct *msec;
4944
4945 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4946 if (!msec)
4947 return -ENOMEM;
4948
4949 msec->sid = SECINITSID_UNLABELED;
4950 msg->security = msec;
4951
4952 return 0;
4953}
4954
4955static void msg_msg_free_security(struct msg_msg *msg)
4956{
4957 struct msg_security_struct *msec = msg->security;
4958
4959 msg->security = NULL;
4960 kfree(msec);
4961}
4962
4963static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4964 u32 perms)
4965{
4966 struct ipc_security_struct *isec;
4967 struct common_audit_data ad;
4968 struct selinux_audit_data sad = {0,};
4969 u32 sid = current_sid();
4970
4971 isec = ipc_perms->security;
4972
4973 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4974 ad.selinux_audit_data = &sad;
4975 ad.u.ipc_id = ipc_perms->key;
4976
4977 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4978}
4979
4980static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4981{
4982 return msg_msg_alloc_security(msg);
4983}
4984
4985static void selinux_msg_msg_free_security(struct msg_msg *msg)
4986{
4987 msg_msg_free_security(msg);
4988}
4989
4990/* message queue security operations */
4991static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4992{
4993 struct ipc_security_struct *isec;
4994 struct common_audit_data ad;
4995 struct selinux_audit_data sad = {0,};
4996 u32 sid = current_sid();
4997 int rc;
4998
4999 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5000 if (rc)
5001 return rc;
5002
5003 isec = msq->q_perm.security;
5004
5005 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5006 ad.selinux_audit_data = &sad;
5007 ad.u.ipc_id = msq->q_perm.key;
5008
5009 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5010 MSGQ__CREATE, &ad);
5011 if (rc) {
5012 ipc_free_security(&msq->q_perm);
5013 return rc;
5014 }
5015 return 0;
5016}
5017
5018static void selinux_msg_queue_free_security(struct msg_queue *msq)
5019{
5020 ipc_free_security(&msq->q_perm);
5021}
5022
5023static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5024{
5025 struct ipc_security_struct *isec;
5026 struct common_audit_data ad;
5027 struct selinux_audit_data sad = {0,};
5028 u32 sid = current_sid();
5029
5030 isec = msq->q_perm.security;
5031
5032 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5033 ad.selinux_audit_data = &sad;
5034 ad.u.ipc_id = msq->q_perm.key;
5035
5036 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5037 MSGQ__ASSOCIATE, &ad);
5038}
5039
5040static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5041{
5042 int err;
5043 int perms;
5044
5045 switch (cmd) {
5046 case IPC_INFO:
5047 case MSG_INFO:
5048 /* No specific object, just general system-wide information. */
5049 return task_has_system(current, SYSTEM__IPC_INFO);
5050 case IPC_STAT:
5051 case MSG_STAT:
5052 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5053 break;
5054 case IPC_SET:
5055 perms = MSGQ__SETATTR;
5056 break;
5057 case IPC_RMID:
5058 perms = MSGQ__DESTROY;
5059 break;
5060 default:
5061 return 0;
5062 }
5063
5064 err = ipc_has_perm(&msq->q_perm, perms);
5065 return err;
5066}
5067
5068static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5069{
5070 struct ipc_security_struct *isec;
5071 struct msg_security_struct *msec;
5072 struct common_audit_data ad;
5073 struct selinux_audit_data sad = {0,};
5074 u32 sid = current_sid();
5075 int rc;
5076
5077 isec = msq->q_perm.security;
5078 msec = msg->security;
5079
5080 /*
5081 * First time through, need to assign label to the message
5082 */
5083 if (msec->sid == SECINITSID_UNLABELED) {
5084 /*
5085 * Compute new sid based on current process and
5086 * message queue this message will be stored in
5087 */
5088 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5089 NULL, &msec->sid);
5090 if (rc)
5091 return rc;
5092 }
5093
5094 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5095 ad.selinux_audit_data = &sad;
5096 ad.u.ipc_id = msq->q_perm.key;
5097
5098 /* Can this process write to the queue? */
5099 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5100 MSGQ__WRITE, &ad);
5101 if (!rc)
5102 /* Can this process send the message */
5103 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5104 MSG__SEND, &ad);
5105 if (!rc)
5106 /* Can the message be put in the queue? */
5107 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5108 MSGQ__ENQUEUE, &ad);
5109
5110 return rc;
5111}
5112
5113static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5114 struct task_struct *target,
5115 long type, int mode)
5116{
5117 struct ipc_security_struct *isec;
5118 struct msg_security_struct *msec;
5119 struct common_audit_data ad;
5120 struct selinux_audit_data sad = {0,};
5121 u32 sid = task_sid(target);
5122 int rc;
5123
5124 isec = msq->q_perm.security;
5125 msec = msg->security;
5126
5127 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5128 ad.selinux_audit_data = &sad;
5129 ad.u.ipc_id = msq->q_perm.key;
5130
5131 rc = avc_has_perm(sid, isec->sid,
5132 SECCLASS_MSGQ, MSGQ__READ, &ad);
5133 if (!rc)
5134 rc = avc_has_perm(sid, msec->sid,
5135 SECCLASS_MSG, MSG__RECEIVE, &ad);
5136 return rc;
5137}
5138
5139/* Shared Memory security operations */
5140static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5141{
5142 struct ipc_security_struct *isec;
5143 struct common_audit_data ad;
5144 struct selinux_audit_data sad = {0,};
5145 u32 sid = current_sid();
5146 int rc;
5147
5148 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5149 if (rc)
5150 return rc;
5151
5152 isec = shp->shm_perm.security;
5153
5154 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5155 ad.selinux_audit_data = &sad;
5156 ad.u.ipc_id = shp->shm_perm.key;
5157
5158 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5159 SHM__CREATE, &ad);
5160 if (rc) {
5161 ipc_free_security(&shp->shm_perm);
5162 return rc;
5163 }
5164 return 0;
5165}
5166
5167static void selinux_shm_free_security(struct shmid_kernel *shp)
5168{
5169 ipc_free_security(&shp->shm_perm);
5170}
5171
5172static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5173{
5174 struct ipc_security_struct *isec;
5175 struct common_audit_data ad;
5176 struct selinux_audit_data sad = {0,};
5177 u32 sid = current_sid();
5178
5179 isec = shp->shm_perm.security;
5180
5181 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5182 ad.selinux_audit_data = &sad;
5183 ad.u.ipc_id = shp->shm_perm.key;
5184
5185 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5186 SHM__ASSOCIATE, &ad);
5187}
5188
5189/* Note, at this point, shp is locked down */
5190static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5191{
5192 int perms;
5193 int err;
5194
5195 switch (cmd) {
5196 case IPC_INFO:
5197 case SHM_INFO:
5198 /* No specific object, just general system-wide information. */
5199 return task_has_system(current, SYSTEM__IPC_INFO);
5200 case IPC_STAT:
5201 case SHM_STAT:
5202 perms = SHM__GETATTR | SHM__ASSOCIATE;
5203 break;
5204 case IPC_SET:
5205 perms = SHM__SETATTR;
5206 break;
5207 case SHM_LOCK:
5208 case SHM_UNLOCK:
5209 perms = SHM__LOCK;
5210 break;
5211 case IPC_RMID:
5212 perms = SHM__DESTROY;
5213 break;
5214 default:
5215 return 0;
5216 }
5217
5218 err = ipc_has_perm(&shp->shm_perm, perms);
5219 return err;
5220}
5221
5222static int selinux_shm_shmat(struct shmid_kernel *shp,
5223 char __user *shmaddr, int shmflg)
5224{
5225 u32 perms;
5226
5227 if (shmflg & SHM_RDONLY)
5228 perms = SHM__READ;
5229 else
5230 perms = SHM__READ | SHM__WRITE;
5231
5232 return ipc_has_perm(&shp->shm_perm, perms);
5233}
5234
5235/* Semaphore security operations */
5236static int selinux_sem_alloc_security(struct sem_array *sma)
5237{
5238 struct ipc_security_struct *isec;
5239 struct common_audit_data ad;
5240 struct selinux_audit_data sad = {0,};
5241 u32 sid = current_sid();
5242 int rc;
5243
5244 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5245 if (rc)
5246 return rc;
5247
5248 isec = sma->sem_perm.security;
5249
5250 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5251 ad.selinux_audit_data = &sad;
5252 ad.u.ipc_id = sma->sem_perm.key;
5253
5254 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5255 SEM__CREATE, &ad);
5256 if (rc) {
5257 ipc_free_security(&sma->sem_perm);
5258 return rc;
5259 }
5260 return 0;
5261}
5262
5263static void selinux_sem_free_security(struct sem_array *sma)
5264{
5265 ipc_free_security(&sma->sem_perm);
5266}
5267
5268static int selinux_sem_associate(struct sem_array *sma, int semflg)
5269{
5270 struct ipc_security_struct *isec;
5271 struct common_audit_data ad;
5272 struct selinux_audit_data sad = {0,};
5273 u32 sid = current_sid();
5274
5275 isec = sma->sem_perm.security;
5276
5277 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5278 ad.selinux_audit_data = &sad;
5279 ad.u.ipc_id = sma->sem_perm.key;
5280
5281 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5282 SEM__ASSOCIATE, &ad);
5283}
5284
5285/* Note, at this point, sma is locked down */
5286static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5287{
5288 int err;
5289 u32 perms;
5290
5291 switch (cmd) {
5292 case IPC_INFO:
5293 case SEM_INFO:
5294 /* No specific object, just general system-wide information. */
5295 return task_has_system(current, SYSTEM__IPC_INFO);
5296 case GETPID:
5297 case GETNCNT:
5298 case GETZCNT:
5299 perms = SEM__GETATTR;
5300 break;
5301 case GETVAL:
5302 case GETALL:
5303 perms = SEM__READ;
5304 break;
5305 case SETVAL:
5306 case SETALL:
5307 perms = SEM__WRITE;
5308 break;
5309 case IPC_RMID:
5310 perms = SEM__DESTROY;
5311 break;
5312 case IPC_SET:
5313 perms = SEM__SETATTR;
5314 break;
5315 case IPC_STAT:
5316 case SEM_STAT:
5317 perms = SEM__GETATTR | SEM__ASSOCIATE;
5318 break;
5319 default:
5320 return 0;
5321 }
5322
5323 err = ipc_has_perm(&sma->sem_perm, perms);
5324 return err;
5325}
5326
5327static int selinux_sem_semop(struct sem_array *sma,
5328 struct sembuf *sops, unsigned nsops, int alter)
5329{
5330 u32 perms;
5331
5332 if (alter)
5333 perms = SEM__READ | SEM__WRITE;
5334 else
5335 perms = SEM__READ;
5336
5337 return ipc_has_perm(&sma->sem_perm, perms);
5338}
5339
5340static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5341{
5342 u32 av = 0;
5343
5344 av = 0;
5345 if (flag & S_IRUGO)
5346 av |= IPC__UNIX_READ;
5347 if (flag & S_IWUGO)
5348 av |= IPC__UNIX_WRITE;
5349
5350 if (av == 0)
5351 return 0;
5352
5353 return ipc_has_perm(ipcp, av);
5354}
5355
5356static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5357{
5358 struct ipc_security_struct *isec = ipcp->security;
5359 *secid = isec->sid;
5360}
5361
5362static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5363{
5364 if (inode)
5365 inode_doinit_with_dentry(inode, dentry);
5366}
5367
5368static int selinux_getprocattr(struct task_struct *p,
5369 char *name, char **value)
5370{
5371 const struct task_security_struct *__tsec;
5372 u32 sid;
5373 int error;
5374 unsigned len;
5375
5376 if (current != p) {
5377 error = current_has_perm(p, PROCESS__GETATTR);
5378 if (error)
5379 return error;
5380 }
5381
5382 rcu_read_lock();
5383 __tsec = __task_cred(p)->security;
5384
5385 if (!strcmp(name, "current"))
5386 sid = __tsec->sid;
5387 else if (!strcmp(name, "prev"))
5388 sid = __tsec->osid;
5389 else if (!strcmp(name, "exec"))
5390 sid = __tsec->exec_sid;
5391 else if (!strcmp(name, "fscreate"))
5392 sid = __tsec->create_sid;
5393 else if (!strcmp(name, "keycreate"))
5394 sid = __tsec->keycreate_sid;
5395 else if (!strcmp(name, "sockcreate"))
5396 sid = __tsec->sockcreate_sid;
5397 else
5398 goto invalid;
5399 rcu_read_unlock();
5400
5401 if (!sid)
5402 return 0;
5403
5404 error = security_sid_to_context(sid, value, &len);
5405 if (error)
5406 return error;
5407 return len;
5408
5409invalid:
5410 rcu_read_unlock();
5411 return -EINVAL;
5412}
5413
5414static int selinux_setprocattr(struct task_struct *p,
5415 char *name, void *value, size_t size)
5416{
5417 struct task_security_struct *tsec;
5418 struct task_struct *tracer;
5419 struct cred *new;
5420 u32 sid = 0, ptsid;
5421 int error;
5422 char *str = value;
5423
5424 if (current != p) {
5425 /* SELinux only allows a process to change its own
5426 security attributes. */
5427 return -EACCES;
5428 }
5429
5430 /*
5431 * Basic control over ability to set these attributes at all.
5432 * current == p, but we'll pass them separately in case the
5433 * above restriction is ever removed.
5434 */
5435 if (!strcmp(name, "exec"))
5436 error = current_has_perm(p, PROCESS__SETEXEC);
5437 else if (!strcmp(name, "fscreate"))
5438 error = current_has_perm(p, PROCESS__SETFSCREATE);
5439 else if (!strcmp(name, "keycreate"))
5440 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5441 else if (!strcmp(name, "sockcreate"))
5442 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5443 else if (!strcmp(name, "current"))
5444 error = current_has_perm(p, PROCESS__SETCURRENT);
5445 else
5446 error = -EINVAL;
5447 if (error)
5448 return error;
5449
5450 /* Obtain a SID for the context, if one was specified. */
5451 if (size && str[1] && str[1] != '\n') {
5452 if (str[size-1] == '\n') {
5453 str[size-1] = 0;
5454 size--;
5455 }
5456 error = security_context_to_sid(value, size, &sid);
5457 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5458 if (!capable(CAP_MAC_ADMIN))
5459 return error;
5460 error = security_context_to_sid_force(value, size,
5461 &sid);
5462 }
5463 if (error)
5464 return error;
5465 }
5466
5467 new = prepare_creds();
5468 if (!new)
5469 return -ENOMEM;
5470
5471 /* Permission checking based on the specified context is
5472 performed during the actual operation (execve,
5473 open/mkdir/...), when we know the full context of the
5474 operation. See selinux_bprm_set_creds for the execve
5475 checks and may_create for the file creation checks. The
5476 operation will then fail if the context is not permitted. */
5477 tsec = new->security;
5478 if (!strcmp(name, "exec")) {
5479 tsec->exec_sid = sid;
5480 } else if (!strcmp(name, "fscreate")) {
5481 tsec->create_sid = sid;
5482 } else if (!strcmp(name, "keycreate")) {
5483 error = may_create_key(sid, p);
5484 if (error)
5485 goto abort_change;
5486 tsec->keycreate_sid = sid;
5487 } else if (!strcmp(name, "sockcreate")) {
5488 tsec->sockcreate_sid = sid;
5489 } else if (!strcmp(name, "current")) {
5490 error = -EINVAL;
5491 if (sid == 0)
5492 goto abort_change;
5493
5494 /* Only allow single threaded processes to change context */
5495 error = -EPERM;
5496 if (!current_is_single_threaded()) {
5497 error = security_bounded_transition(tsec->sid, sid);
5498 if (error)
5499 goto abort_change;
5500 }
5501
5502 /* Check permissions for the transition. */
5503 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5504 PROCESS__DYNTRANSITION, NULL);
5505 if (error)
5506 goto abort_change;
5507
5508 /* Check for ptracing, and update the task SID if ok.
5509 Otherwise, leave SID unchanged and fail. */
5510 ptsid = 0;
5511 rcu_read_lock();
5512 tracer = ptrace_parent(p);
5513 if (tracer)
5514 ptsid = task_sid(tracer);
5515 rcu_read_unlock();
5516
5517 if (tracer) {
5518 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5519 PROCESS__PTRACE, NULL);
5520 if (error)
5521 goto abort_change;
5522 }
5523
5524 tsec->sid = sid;
5525 } else {
5526 error = -EINVAL;
5527 goto abort_change;
5528 }
5529
5530 commit_creds(new);
5531 return size;
5532
5533abort_change:
5534 abort_creds(new);
5535 return error;
5536}
5537
5538static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5539{
5540 return security_sid_to_context(secid, secdata, seclen);
5541}
5542
5543static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5544{
5545 return security_context_to_sid(secdata, seclen, secid);
5546}
5547
5548static void selinux_release_secctx(char *secdata, u32 seclen)
5549{
5550 kfree(secdata);
5551}
5552
5553/*
5554 * called with inode->i_mutex locked
5555 */
5556static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5557{
5558 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5559}
5560
5561/*
5562 * called with inode->i_mutex locked
5563 */
5564static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5565{
5566 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5567}
5568
5569static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5570{
5571 int len = 0;
5572 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5573 ctx, true);
5574 if (len < 0)
5575 return len;
5576 *ctxlen = len;
5577 return 0;
5578}
5579#ifdef CONFIG_KEYS
5580
5581static int selinux_key_alloc(struct key *k, const struct cred *cred,
5582 unsigned long flags)
5583{
5584 const struct task_security_struct *tsec;
5585 struct key_security_struct *ksec;
5586
5587 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5588 if (!ksec)
5589 return -ENOMEM;
5590
5591 tsec = cred->security;
5592 if (tsec->keycreate_sid)
5593 ksec->sid = tsec->keycreate_sid;
5594 else
5595 ksec->sid = tsec->sid;
5596
5597 k->security = ksec;
5598 return 0;
5599}
5600
5601static void selinux_key_free(struct key *k)
5602{
5603 struct key_security_struct *ksec = k->security;
5604
5605 k->security = NULL;
5606 kfree(ksec);
5607}
5608
5609static int selinux_key_permission(key_ref_t key_ref,
5610 const struct cred *cred,
5611 key_perm_t perm)
5612{
5613 struct key *key;
5614 struct key_security_struct *ksec;
5615 u32 sid;
5616
5617 /* if no specific permissions are requested, we skip the
5618 permission check. No serious, additional covert channels
5619 appear to be created. */
5620 if (perm == 0)
5621 return 0;
5622
5623 sid = cred_sid(cred);
5624
5625 key = key_ref_to_ptr(key_ref);
5626 ksec = key->security;
5627
5628 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5629}
5630
5631static int selinux_key_getsecurity(struct key *key, char **_buffer)
5632{
5633 struct key_security_struct *ksec = key->security;
5634 char *context = NULL;
5635 unsigned len;
5636 int rc;
5637
5638 rc = security_sid_to_context(ksec->sid, &context, &len);
5639 if (!rc)
5640 rc = len;
5641 *_buffer = context;
5642 return rc;
5643}
5644
5645#endif
5646
5647static struct security_operations selinux_ops = {
5648 .name = "selinux",
5649
5650 .ptrace_access_check = selinux_ptrace_access_check,
5651 .ptrace_traceme = selinux_ptrace_traceme,
5652 .capget = selinux_capget,
5653 .capset = selinux_capset,
5654 .capable = selinux_capable,
5655 .quotactl = selinux_quotactl,
5656 .quota_on = selinux_quota_on,
5657 .syslog = selinux_syslog,
5658 .vm_enough_memory = selinux_vm_enough_memory,
5659
5660 .netlink_send = selinux_netlink_send,
5661
5662 .bprm_set_creds = selinux_bprm_set_creds,
5663 .bprm_committing_creds = selinux_bprm_committing_creds,
5664 .bprm_committed_creds = selinux_bprm_committed_creds,
5665 .bprm_secureexec = selinux_bprm_secureexec,
5666
5667 .sb_alloc_security = selinux_sb_alloc_security,
5668 .sb_free_security = selinux_sb_free_security,
5669 .sb_copy_data = selinux_sb_copy_data,
5670 .sb_remount = selinux_sb_remount,
5671 .sb_kern_mount = selinux_sb_kern_mount,
5672 .sb_show_options = selinux_sb_show_options,
5673 .sb_statfs = selinux_sb_statfs,
5674 .sb_mount = selinux_mount,
5675 .sb_umount = selinux_umount,
5676 .sb_set_mnt_opts = selinux_set_mnt_opts,
5677 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5678 .sb_parse_opts_str = selinux_parse_opts_str,
5679
5680
5681 .inode_alloc_security = selinux_inode_alloc_security,
5682 .inode_free_security = selinux_inode_free_security,
5683 .inode_init_security = selinux_inode_init_security,
5684 .inode_create = selinux_inode_create,
5685 .inode_link = selinux_inode_link,
5686 .inode_unlink = selinux_inode_unlink,
5687 .inode_symlink = selinux_inode_symlink,
5688 .inode_mkdir = selinux_inode_mkdir,
5689 .inode_rmdir = selinux_inode_rmdir,
5690 .inode_mknod = selinux_inode_mknod,
5691 .inode_rename = selinux_inode_rename,
5692 .inode_readlink = selinux_inode_readlink,
5693 .inode_follow_link = selinux_inode_follow_link,
5694 .inode_permission = selinux_inode_permission,
5695 .inode_setattr = selinux_inode_setattr,
5696 .inode_getattr = selinux_inode_getattr,
5697 .inode_setxattr = selinux_inode_setxattr,
5698 .inode_post_setxattr = selinux_inode_post_setxattr,
5699 .inode_getxattr = selinux_inode_getxattr,
5700 .inode_listxattr = selinux_inode_listxattr,
5701 .inode_removexattr = selinux_inode_removexattr,
5702 .inode_getsecurity = selinux_inode_getsecurity,
5703 .inode_setsecurity = selinux_inode_setsecurity,
5704 .inode_listsecurity = selinux_inode_listsecurity,
5705 .inode_getsecid = selinux_inode_getsecid,
5706
5707 .file_permission = selinux_file_permission,
5708 .file_alloc_security = selinux_file_alloc_security,
5709 .file_free_security = selinux_file_free_security,
5710 .file_ioctl = selinux_file_ioctl,
5711 .file_mmap = selinux_file_mmap,
5712 .file_mprotect = selinux_file_mprotect,
5713 .file_lock = selinux_file_lock,
5714 .file_fcntl = selinux_file_fcntl,
5715 .file_set_fowner = selinux_file_set_fowner,
5716 .file_send_sigiotask = selinux_file_send_sigiotask,
5717 .file_receive = selinux_file_receive,
5718
5719 .dentry_open = selinux_dentry_open,
5720
5721 .task_create = selinux_task_create,
5722 .cred_alloc_blank = selinux_cred_alloc_blank,
5723 .cred_free = selinux_cred_free,
5724 .cred_prepare = selinux_cred_prepare,
5725 .cred_transfer = selinux_cred_transfer,
5726 .kernel_act_as = selinux_kernel_act_as,
5727 .kernel_create_files_as = selinux_kernel_create_files_as,
5728 .kernel_module_request = selinux_kernel_module_request,
5729 .task_setpgid = selinux_task_setpgid,
5730 .task_getpgid = selinux_task_getpgid,
5731 .task_getsid = selinux_task_getsid,
5732 .task_getsecid = selinux_task_getsecid,
5733 .task_setnice = selinux_task_setnice,
5734 .task_setioprio = selinux_task_setioprio,
5735 .task_getioprio = selinux_task_getioprio,
5736 .task_setrlimit = selinux_task_setrlimit,
5737 .task_setscheduler = selinux_task_setscheduler,
5738 .task_getscheduler = selinux_task_getscheduler,
5739 .task_movememory = selinux_task_movememory,
5740 .task_kill = selinux_task_kill,
5741 .task_wait = selinux_task_wait,
5742 .task_to_inode = selinux_task_to_inode,
5743
5744 .ipc_permission = selinux_ipc_permission,
5745 .ipc_getsecid = selinux_ipc_getsecid,
5746
5747 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5748 .msg_msg_free_security = selinux_msg_msg_free_security,
5749
5750 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5751 .msg_queue_free_security = selinux_msg_queue_free_security,
5752 .msg_queue_associate = selinux_msg_queue_associate,
5753 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5754 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5755 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5756
5757 .shm_alloc_security = selinux_shm_alloc_security,
5758 .shm_free_security = selinux_shm_free_security,
5759 .shm_associate = selinux_shm_associate,
5760 .shm_shmctl = selinux_shm_shmctl,
5761 .shm_shmat = selinux_shm_shmat,
5762
5763 .sem_alloc_security = selinux_sem_alloc_security,
5764 .sem_free_security = selinux_sem_free_security,
5765 .sem_associate = selinux_sem_associate,
5766 .sem_semctl = selinux_sem_semctl,
5767 .sem_semop = selinux_sem_semop,
5768
5769 .d_instantiate = selinux_d_instantiate,
5770
5771 .getprocattr = selinux_getprocattr,
5772 .setprocattr = selinux_setprocattr,
5773
5774 .secid_to_secctx = selinux_secid_to_secctx,
5775 .secctx_to_secid = selinux_secctx_to_secid,
5776 .release_secctx = selinux_release_secctx,
5777 .inode_notifysecctx = selinux_inode_notifysecctx,
5778 .inode_setsecctx = selinux_inode_setsecctx,
5779 .inode_getsecctx = selinux_inode_getsecctx,
5780
5781 .unix_stream_connect = selinux_socket_unix_stream_connect,
5782 .unix_may_send = selinux_socket_unix_may_send,
5783
5784 .socket_create = selinux_socket_create,
5785 .socket_post_create = selinux_socket_post_create,
5786 .socket_bind = selinux_socket_bind,
5787 .socket_connect = selinux_socket_connect,
5788 .socket_listen = selinux_socket_listen,
5789 .socket_accept = selinux_socket_accept,
5790 .socket_sendmsg = selinux_socket_sendmsg,
5791 .socket_recvmsg = selinux_socket_recvmsg,
5792 .socket_getsockname = selinux_socket_getsockname,
5793 .socket_getpeername = selinux_socket_getpeername,
5794 .socket_getsockopt = selinux_socket_getsockopt,
5795 .socket_setsockopt = selinux_socket_setsockopt,
5796 .socket_shutdown = selinux_socket_shutdown,
5797 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5798 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5799 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5800 .sk_alloc_security = selinux_sk_alloc_security,
5801 .sk_free_security = selinux_sk_free_security,
5802 .sk_clone_security = selinux_sk_clone_security,
5803 .sk_getsecid = selinux_sk_getsecid,
5804 .sock_graft = selinux_sock_graft,
5805 .inet_conn_request = selinux_inet_conn_request,
5806 .inet_csk_clone = selinux_inet_csk_clone,
5807 .inet_conn_established = selinux_inet_conn_established,
5808 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5809 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5810 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5811 .req_classify_flow = selinux_req_classify_flow,
5812 .tun_dev_create = selinux_tun_dev_create,
5813 .tun_dev_post_create = selinux_tun_dev_post_create,
5814 .tun_dev_attach = selinux_tun_dev_attach,
5815
5816#ifdef CONFIG_SECURITY_NETWORK_XFRM
5817 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5818 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5819 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5820 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5821 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5822 .xfrm_state_free_security = selinux_xfrm_state_free,
5823 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5824 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5825 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5826 .xfrm_decode_session = selinux_xfrm_decode_session,
5827#endif
5828
5829#ifdef CONFIG_KEYS
5830 .key_alloc = selinux_key_alloc,
5831 .key_free = selinux_key_free,
5832 .key_permission = selinux_key_permission,
5833 .key_getsecurity = selinux_key_getsecurity,
5834#endif
5835
5836#ifdef CONFIG_AUDIT
5837 .audit_rule_init = selinux_audit_rule_init,
5838 .audit_rule_known = selinux_audit_rule_known,
5839 .audit_rule_match = selinux_audit_rule_match,
5840 .audit_rule_free = selinux_audit_rule_free,
5841#endif
5842};
5843
5844static __init int selinux_init(void)
5845{
5846 if (!security_module_enable(&selinux_ops)) {
5847 selinux_enabled = 0;
5848 return 0;
5849 }
5850
5851 if (!selinux_enabled) {
5852 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5853 return 0;
5854 }
5855
5856 printk(KERN_INFO "SELinux: Initializing.\n");
5857
5858 /* Set the security state for the initial task. */
5859 cred_init_security();
5860
5861 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5862
5863 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5864 sizeof(struct inode_security_struct),
5865 0, SLAB_PANIC, NULL);
5866 avc_init();
5867
5868 if (register_security(&selinux_ops))
5869 panic("SELinux: Unable to register with kernel.\n");
5870
5871 if (selinux_enforcing)
5872 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5873 else
5874 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5875
5876 return 0;
5877}
5878
5879static void delayed_superblock_init(struct super_block *sb, void *unused)
5880{
5881 superblock_doinit(sb, NULL);
5882}
5883
5884void selinux_complete_init(void)
5885{
5886 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5887
5888 /* Set up any superblocks initialized prior to the policy load. */
5889 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5890 iterate_supers(delayed_superblock_init, NULL);
5891}
5892
5893/* SELinux requires early initialization in order to label
5894 all processes and objects when they are created. */
5895security_initcall(selinux_init);
5896
5897#if defined(CONFIG_NETFILTER)
5898
5899static struct nf_hook_ops selinux_ipv4_ops[] = {
5900 {
5901 .hook = selinux_ipv4_postroute,
5902 .owner = THIS_MODULE,
5903 .pf = PF_INET,
5904 .hooknum = NF_INET_POST_ROUTING,
5905 .priority = NF_IP_PRI_SELINUX_LAST,
5906 },
5907 {
5908 .hook = selinux_ipv4_forward,
5909 .owner = THIS_MODULE,
5910 .pf = PF_INET,
5911 .hooknum = NF_INET_FORWARD,
5912 .priority = NF_IP_PRI_SELINUX_FIRST,
5913 },
5914 {
5915 .hook = selinux_ipv4_output,
5916 .owner = THIS_MODULE,
5917 .pf = PF_INET,
5918 .hooknum = NF_INET_LOCAL_OUT,
5919 .priority = NF_IP_PRI_SELINUX_FIRST,
5920 }
5921};
5922
5923#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5924
5925static struct nf_hook_ops selinux_ipv6_ops[] = {
5926 {
5927 .hook = selinux_ipv6_postroute,
5928 .owner = THIS_MODULE,
5929 .pf = PF_INET6,
5930 .hooknum = NF_INET_POST_ROUTING,
5931 .priority = NF_IP6_PRI_SELINUX_LAST,
5932 },
5933 {
5934 .hook = selinux_ipv6_forward,
5935 .owner = THIS_MODULE,
5936 .pf = PF_INET6,
5937 .hooknum = NF_INET_FORWARD,
5938 .priority = NF_IP6_PRI_SELINUX_FIRST,
5939 }
5940};
5941
5942#endif /* IPV6 */
5943
5944static int __init selinux_nf_ip_init(void)
5945{
5946 int err = 0;
5947
5948 if (!selinux_enabled)
5949 goto out;
5950
5951 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5952
5953 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5954 if (err)
5955 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5956
5957#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5958 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5959 if (err)
5960 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5961#endif /* IPV6 */
5962
5963out:
5964 return err;
5965}
5966
5967__initcall(selinux_nf_ip_init);
5968
5969#ifdef CONFIG_SECURITY_SELINUX_DISABLE
5970static void selinux_nf_ip_exit(void)
5971{
5972 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5973
5974 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5975#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5976 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5977#endif /* IPV6 */
5978}
5979#endif
5980
5981#else /* CONFIG_NETFILTER */
5982
5983#ifdef CONFIG_SECURITY_SELINUX_DISABLE
5984#define selinux_nf_ip_exit()
5985#endif
5986
5987#endif /* CONFIG_NETFILTER */
5988
5989#ifdef CONFIG_SECURITY_SELINUX_DISABLE
5990static int selinux_disabled;
5991
5992int selinux_disable(void)
5993{
5994 if (ss_initialized) {
5995 /* Not permitted after initial policy load. */
5996 return -EINVAL;
5997 }
5998
5999 if (selinux_disabled) {
6000 /* Only do this once. */
6001 return -EINVAL;
6002 }
6003
6004 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6005
6006 selinux_disabled = 1;
6007 selinux_enabled = 0;
6008
6009 reset_security_ops();
6010
6011 /* Try to destroy the avc node cache */
6012 avc_disable();
6013
6014 /* Unregister netfilter hooks. */
6015 selinux_nf_ip_exit();
6016
6017 /* Unregister selinuxfs. */
6018 exit_sel_fs();
6019
6020 return 0;
6021}
6022#endif