projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
selinux: correctly label /proc inodes in use before the policy is loaded
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h> /* for Unix socket types */
71 #include <net/af_unix.h> /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97
98 #define NUM_SEL_MNT_OPTS 5
99
100 extern struct security_operations *security_ops;
101
102 /* SECMARK reference count */
103 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
104
105 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
106 int selinux_enforcing;
107
108 static int __init enforcing_setup(char *str)
109 {
110 unsigned long enforcing;
111 if (!strict_strtoul(str, 0, &enforcing))
112 selinux_enforcing = enforcing ? 1 : 0;
113 return 1;
114 }
115 __setup("enforcing=", enforcing_setup);
116 #endif
117
118 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
119 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
120
121 static int __init selinux_enabled_setup(char *str)
122 {
123 unsigned long enabled;
124 if (!strict_strtoul(str, 0, &enabled))
125 selinux_enabled = enabled ? 1 : 0;
126 return 1;
127 }
128 __setup("selinux=", selinux_enabled_setup);
129 #else
130 int selinux_enabled = 1;
131 #endif
132
133 static struct kmem_cache *sel_inode_cache;
134
135 /**
136 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
137 *
138 * Description:
139 * This function checks the SECMARK reference counter to see if any SECMARK
140 * targets are currently configured, if the reference counter is greater than
141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
142 * enabled, false (0) if SECMARK is disabled.
143 *
144 */
145 static int selinux_secmark_enabled(void)
146 {
147 return (atomic_read(&selinux_secmark_refcount) > 0);
148 }
149
150 /*
151 * initialise the security for the init task
152 */
153 static void cred_init_security(void)
154 {
155 struct cred *cred = (struct cred *) current->real_cred;
156 struct task_security_struct *tsec;
157
158 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
159 if (!tsec)
160 panic("SELinux: Failed to initialize initial task.\n");
161
162 tsec->osid = tsec->sid = SECINITSID_KERNEL;
163 cred->security = tsec;
164 }
165
166 /*
167 * get the security ID of a set of credentials
168 */
169 static inline u32 cred_sid(const struct cred *cred)
170 {
171 const struct task_security_struct *tsec;
172
173 tsec = cred->security;
174 return tsec->sid;
175 }
176
177 /*
178 * get the objective security ID of a task
179 */
180 static inline u32 task_sid(const struct task_struct *task)
181 {
182 u32 sid;
183
184 rcu_read_lock();
185 sid = cred_sid(__task_cred(task));
186 rcu_read_unlock();
187 return sid;
188 }
189
190 /*
191 * get the subjective security ID of the current task
192 */
193 static inline u32 current_sid(void)
194 {
195 const struct task_security_struct *tsec = current_security();
196
197 return tsec->sid;
198 }
199
200 /* Allocate and free functions for each kind of security blob. */
201
202 static int inode_alloc_security(struct inode *inode)
203 {
204 struct inode_security_struct *isec;
205 u32 sid = current_sid();
206
207 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
208 if (!isec)
209 return -ENOMEM;
210
211 mutex_init(&isec->lock);
212 INIT_LIST_HEAD(&isec->list);
213 isec->inode = inode;
214 isec->sid = SECINITSID_UNLABELED;
215 isec->sclass = SECCLASS_FILE;
216 isec->task_sid = sid;
217 inode->i_security = isec;
218
219 return 0;
220 }
221
222 static void inode_free_rcu(struct rcu_head *head)
223 {
224 struct inode_security_struct *isec;
225
226 isec = container_of(head, struct inode_security_struct, rcu);
227 kmem_cache_free(sel_inode_cache, isec);
228 }
229
230 static void inode_free_security(struct inode *inode)
231 {
232 struct inode_security_struct *isec = inode->i_security;
233 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
234
235 spin_lock(&sbsec->isec_lock);
236 if (!list_empty(&isec->list))
237 list_del_init(&isec->list);
238 spin_unlock(&sbsec->isec_lock);
239
240 /*
241 * The inode may still be referenced in a path walk and
242 * a call to selinux_inode_permission() can be made
243 * after inode_free_security() is called. Ideally, the VFS
244 * wouldn't do this, but fixing that is a much harder
245 * job. For now, simply free the i_security via RCU, and
246 * leave the current inode->i_security pointer intact.
247 * The inode will be freed after the RCU grace period too.
248 */
249 call_rcu(&isec->rcu, inode_free_rcu);
250 }
251
252 static int file_alloc_security(struct file *file)
253 {
254 struct file_security_struct *fsec;
255 u32 sid = current_sid();
256
257 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
258 if (!fsec)
259 return -ENOMEM;
260
261 fsec->sid = sid;
262 fsec->fown_sid = sid;
263 file->f_security = fsec;
264
265 return 0;
266 }
267
268 static void file_free_security(struct file *file)
269 {
270 struct file_security_struct *fsec = file->f_security;
271 file->f_security = NULL;
272 kfree(fsec);
273 }
274
275 static int superblock_alloc_security(struct super_block *sb)
276 {
277 struct superblock_security_struct *sbsec;
278
279 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
280 if (!sbsec)
281 return -ENOMEM;
282
283 mutex_init(&sbsec->lock);
284 INIT_LIST_HEAD(&sbsec->isec_head);
285 spin_lock_init(&sbsec->isec_lock);
286 sbsec->sb = sb;
287 sbsec->sid = SECINITSID_UNLABELED;
288 sbsec->def_sid = SECINITSID_FILE;
289 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
290 sb->s_security = sbsec;
291
292 return 0;
293 }
294
295 static void superblock_free_security(struct super_block *sb)
296 {
297 struct superblock_security_struct *sbsec = sb->s_security;
298 sb->s_security = NULL;
299 kfree(sbsec);
300 }
301
302 /* The file system's label must be initialized prior to use. */
303
304 static const char *labeling_behaviors[6] = {
305 "uses xattr",
306 "uses transition SIDs",
307 "uses task SIDs",
308 "uses genfs_contexts",
309 "not configured for labeling",
310 "uses mountpoint labeling",
311 };
312
313 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314
315 static inline int inode_doinit(struct inode *inode)
316 {
317 return inode_doinit_with_dentry(inode, NULL);
318 }
319
320 enum {
321 Opt_error = -1,
322 Opt_context = 1,
323 Opt_fscontext = 2,
324 Opt_defcontext = 3,
325 Opt_rootcontext = 4,
326 Opt_labelsupport = 5,
327 };
328
329 static const match_table_t tokens = {
330 {Opt_context, CONTEXT_STR "%s"},
331 {Opt_fscontext, FSCONTEXT_STR "%s"},
332 {Opt_defcontext, DEFCONTEXT_STR "%s"},
333 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
334 {Opt_labelsupport, LABELSUPP_STR},
335 {Opt_error, NULL},
336 };
337
338 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
339
340 static int may_context_mount_sb_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 const struct cred *cred)
343 {
344 const struct task_security_struct *tsec = cred->security;
345 int rc;
346
347 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELFROM, NULL);
349 if (rc)
350 return rc;
351
352 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
353 FILESYSTEM__RELABELTO, NULL);
354 return rc;
355 }
356
357 static int may_context_mount_inode_relabel(u32 sid,
358 struct superblock_security_struct *sbsec,
359 const struct cred *cred)
360 {
361 const struct task_security_struct *tsec = cred->security;
362 int rc;
363 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
364 FILESYSTEM__RELABELFROM, NULL);
365 if (rc)
366 return rc;
367
368 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
369 FILESYSTEM__ASSOCIATE, NULL);
370 return rc;
371 }
372
373 static int sb_finish_set_opts(struct super_block *sb)
374 {
375 struct superblock_security_struct *sbsec = sb->s_security;
376 struct dentry *root = sb->s_root;
377 struct inode *root_inode = root->d_inode;
378 int rc = 0;
379
380 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
381 /* Make sure that the xattr handler exists and that no
382 error other than -ENODATA is returned by getxattr on
383 the root directory. -ENODATA is ok, as this may be
384 the first boot of the SELinux kernel before we have
385 assigned xattr values to the filesystem. */
386 if (!root_inode->i_op->getxattr) {
387 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
388 "xattr support\n", sb->s_id, sb->s_type->name);
389 rc = -EOPNOTSUPP;
390 goto out;
391 }
392 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
393 if (rc < 0 && rc != -ENODATA) {
394 if (rc == -EOPNOTSUPP)
395 printk(KERN_WARNING "SELinux: (dev %s, type "
396 "%s) has no security xattr handler\n",
397 sb->s_id, sb->s_type->name);
398 else
399 printk(KERN_WARNING "SELinux: (dev %s, type "
400 "%s) getxattr errno %d\n", sb->s_id,
401 sb->s_type->name, -rc);
402 goto out;
403 }
404 }
405
406 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
407
408 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
409 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
410 sb->s_id, sb->s_type->name);
411 else
412 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
413 sb->s_id, sb->s_type->name,
414 labeling_behaviors[sbsec->behavior-1]);
415
416 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
417 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
418 sbsec->behavior == SECURITY_FS_USE_NONE ||
419 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
420 sbsec->flags &= ~SE_SBLABELSUPP;
421
422 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
423 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
424 sbsec->flags |= SE_SBLABELSUPP;
425
426 /* Initialize the root inode. */
427 rc = inode_doinit_with_dentry(root_inode, root);
428
429 /* Initialize any other inodes associated with the superblock, e.g.
430 inodes created prior to initial policy load or inodes created
431 during get_sb by a pseudo filesystem that directly
432 populates itself. */
433 spin_lock(&sbsec->isec_lock);
434 next_inode:
435 if (!list_empty(&sbsec->isec_head)) {
436 struct inode_security_struct *isec =
437 list_entry(sbsec->isec_head.next,
438 struct inode_security_struct, list);
439 struct inode *inode = isec->inode;
440 spin_unlock(&sbsec->isec_lock);
441 inode = igrab(inode);
442 if (inode) {
443 if (!IS_PRIVATE(inode))
444 inode_doinit(inode);
445 iput(inode);
446 }
447 spin_lock(&sbsec->isec_lock);
448 list_del_init(&isec->list);
449 goto next_inode;
450 }
451 spin_unlock(&sbsec->isec_lock);
452 out:
453 return rc;
454 }
455
456 /*
457 * This function should allow an FS to ask what it's mount security
458 * options were so it can use those later for submounts, displaying
459 * mount options, or whatever.
460 */
461 static int selinux_get_mnt_opts(const struct super_block *sb,
462 struct security_mnt_opts *opts)
463 {
464 int rc = 0, i;
465 struct superblock_security_struct *sbsec = sb->s_security;
466 char *context = NULL;
467 u32 len;
468 char tmp;
469
470 security_init_mnt_opts(opts);
471
472 if (!(sbsec->flags & SE_SBINITIALIZED))
473 return -EINVAL;
474
475 if (!ss_initialized)
476 return -EINVAL;
477
478 tmp = sbsec->flags & SE_MNTMASK;
479 /* count the number of mount options for this sb */
480 for (i = 0; i < 8; i++) {
481 if (tmp & 0x01)
482 opts->num_mnt_opts++;
483 tmp >>= 1;
484 }
485 /* Check if the Label support flag is set */
486 if (sbsec->flags & SE_SBLABELSUPP)
487 opts->num_mnt_opts++;
488
489 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
490 if (!opts->mnt_opts) {
491 rc = -ENOMEM;
492 goto out_free;
493 }
494
495 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
496 if (!opts->mnt_opts_flags) {
497 rc = -ENOMEM;
498 goto out_free;
499 }
500
501 i = 0;
502 if (sbsec->flags & FSCONTEXT_MNT) {
503 rc = security_sid_to_context(sbsec->sid, &context, &len);
504 if (rc)
505 goto out_free;
506 opts->mnt_opts[i] = context;
507 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
508 }
509 if (sbsec->flags & CONTEXT_MNT) {
510 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
511 if (rc)
512 goto out_free;
513 opts->mnt_opts[i] = context;
514 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
515 }
516 if (sbsec->flags & DEFCONTEXT_MNT) {
517 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
518 if (rc)
519 goto out_free;
520 opts->mnt_opts[i] = context;
521 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
522 }
523 if (sbsec->flags & ROOTCONTEXT_MNT) {
524 struct inode *root = sbsec->sb->s_root->d_inode;
525 struct inode_security_struct *isec = root->i_security;
526
527 rc = security_sid_to_context(isec->sid, &context, &len);
528 if (rc)
529 goto out_free;
530 opts->mnt_opts[i] = context;
531 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
532 }
533 if (sbsec->flags & SE_SBLABELSUPP) {
534 opts->mnt_opts[i] = NULL;
535 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
536 }
537
538 BUG_ON(i != opts->num_mnt_opts);
539
540 return 0;
541
542 out_free:
543 security_free_mnt_opts(opts);
544 return rc;
545 }
546
547 static int bad_option(struct superblock_security_struct *sbsec, char flag,
548 u32 old_sid, u32 new_sid)
549 {
550 char mnt_flags = sbsec->flags & SE_MNTMASK;
551
552 /* check if the old mount command had the same options */
553 if (sbsec->flags & SE_SBINITIALIZED)
554 if (!(sbsec->flags & flag) ||
555 (old_sid != new_sid))
556 return 1;
557
558 /* check if we were passed the same options twice,
559 * aka someone passed context=a,context=b
560 */
561 if (!(sbsec->flags & SE_SBINITIALIZED))
562 if (mnt_flags & flag)
563 return 1;
564 return 0;
565 }
566
567 /*
568 * Allow filesystems with binary mount data to explicitly set mount point
569 * labeling information.
570 */
571 static int selinux_set_mnt_opts(struct super_block *sb,
572 struct security_mnt_opts *opts)
573 {
574 const struct cred *cred = current_cred();
575 int rc = 0, i;
576 struct superblock_security_struct *sbsec = sb->s_security;
577 const char *name = sb->s_type->name;
578 struct inode *inode = sbsec->sb->s_root->d_inode;
579 struct inode_security_struct *root_isec = inode->i_security;
580 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
581 u32 defcontext_sid = 0;
582 char **mount_options = opts->mnt_opts;
583 int *flags = opts->mnt_opts_flags;
584 int num_opts = opts->num_mnt_opts;
585
586 mutex_lock(&sbsec->lock);
587
588 if (!ss_initialized) {
589 if (!num_opts) {
590 /* Defer initialization until selinux_complete_init,
591 after the initial policy is loaded and the security
592 server is ready to handle calls. */
593 goto out;
594 }
595 rc = -EINVAL;
596 printk(KERN_WARNING "SELinux: Unable to set superblock options "
597 "before the security server is initialized\n");
598 goto out;
599 }
600
601 /*
602 * Binary mount data FS will come through this function twice. Once
603 * from an explicit call and once from the generic calls from the vfs.
604 * Since the generic VFS calls will not contain any security mount data
605 * we need to skip the double mount verification.
606 *
607 * This does open a hole in which we will not notice if the first
608 * mount using this sb set explict options and a second mount using
609 * this sb does not set any security options. (The first options
610 * will be used for both mounts)
611 */
612 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
613 && (num_opts == 0))
614 goto out;
615
616 /*
617 * parse the mount options, check if they are valid sids.
618 * also check if someone is trying to mount the same sb more
619 * than once with different security options.
620 */
621 for (i = 0; i < num_opts; i++) {
622 u32 sid;
623
624 if (flags[i] == SE_SBLABELSUPP)
625 continue;
626 rc = security_context_to_sid(mount_options[i],
627 strlen(mount_options[i]), &sid);
628 if (rc) {
629 printk(KERN_WARNING "SELinux: security_context_to_sid"
630 "(%s) failed for (dev %s, type %s) errno=%d\n",
631 mount_options[i], sb->s_id, name, rc);
632 goto out;
633 }
634 switch (flags[i]) {
635 case FSCONTEXT_MNT:
636 fscontext_sid = sid;
637
638 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
639 fscontext_sid))
640 goto out_double_mount;
641
642 sbsec->flags |= FSCONTEXT_MNT;
643 break;
644 case CONTEXT_MNT:
645 context_sid = sid;
646
647 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
648 context_sid))
649 goto out_double_mount;
650
651 sbsec->flags |= CONTEXT_MNT;
652 break;
653 case ROOTCONTEXT_MNT:
654 rootcontext_sid = sid;
655
656 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
657 rootcontext_sid))
658 goto out_double_mount;
659
660 sbsec->flags |= ROOTCONTEXT_MNT;
661
662 break;
663 case DEFCONTEXT_MNT:
664 defcontext_sid = sid;
665
666 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
667 defcontext_sid))
668 goto out_double_mount;
669
670 sbsec->flags |= DEFCONTEXT_MNT;
671
672 break;
673 default:
674 rc = -EINVAL;
675 goto out;
676 }
677 }
678
679 if (sbsec->flags & SE_SBINITIALIZED) {
680 /* previously mounted with options, but not on this attempt? */
681 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
682 goto out_double_mount;
683 rc = 0;
684 goto out;
685 }
686
687 if (strcmp(sb->s_type->name, "proc") == 0)
688 sbsec->flags |= SE_SBPROC;
689
690 /* Determine the labeling behavior to use for this filesystem type. */
691 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
692 if (rc) {
693 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
694 __func__, sb->s_type->name, rc);
695 goto out;
696 }
697
698 /* sets the context of the superblock for the fs being mounted. */
699 if (fscontext_sid) {
700 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
701 if (rc)
702 goto out;
703
704 sbsec->sid = fscontext_sid;
705 }
706
707 /*
708 * Switch to using mount point labeling behavior.
709 * sets the label used on all file below the mountpoint, and will set
710 * the superblock context if not already set.
711 */
712 if (context_sid) {
713 if (!fscontext_sid) {
714 rc = may_context_mount_sb_relabel(context_sid, sbsec,
715 cred);
716 if (rc)
717 goto out;
718 sbsec->sid = context_sid;
719 } else {
720 rc = may_context_mount_inode_relabel(context_sid, sbsec,
721 cred);
722 if (rc)
723 goto out;
724 }
725 if (!rootcontext_sid)
726 rootcontext_sid = context_sid;
727
728 sbsec->mntpoint_sid = context_sid;
729 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
730 }
731
732 if (rootcontext_sid) {
733 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
734 cred);
735 if (rc)
736 goto out;
737
738 root_isec->sid = rootcontext_sid;
739 root_isec->initialized = 1;
740 }
741
742 if (defcontext_sid) {
743 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
744 rc = -EINVAL;
745 printk(KERN_WARNING "SELinux: defcontext option is "
746 "invalid for this filesystem type\n");
747 goto out;
748 }
749
750 if (defcontext_sid != sbsec->def_sid) {
751 rc = may_context_mount_inode_relabel(defcontext_sid,
752 sbsec, cred);
753 if (rc)
754 goto out;
755 }
756
757 sbsec->def_sid = defcontext_sid;
758 }
759
760 rc = sb_finish_set_opts(sb);
761 out:
762 mutex_unlock(&sbsec->lock);
763 return rc;
764 out_double_mount:
765 rc = -EINVAL;
766 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
767 "security settings for (dev %s, type %s)\n", sb->s_id, name);
768 goto out;
769 }
770
771 static int selinux_cmp_sb_context(const struct super_block *oldsb,
772 const struct super_block *newsb)
773 {
774 struct superblock_security_struct *old = oldsb->s_security;
775 struct superblock_security_struct *new = newsb->s_security;
776 char oldflags = old->flags & SE_MNTMASK;
777 char newflags = new->flags & SE_MNTMASK;
778
779 if (oldflags != newflags)
780 goto mismatch;
781 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
782 goto mismatch;
783 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
784 goto mismatch;
785 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
786 goto mismatch;
787 if (oldflags & ROOTCONTEXT_MNT) {
788 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
789 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
790 if (oldroot->sid != newroot->sid)
791 goto mismatch;
792 }
793 return 0;
794 mismatch:
795 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
796 "different security settings for (dev %s, "
797 "type %s)\n", newsb->s_id, newsb->s_type->name);
798 return -EBUSY;
799 }
800
801 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
802 struct super_block *newsb)
803 {
804 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
805 struct superblock_security_struct *newsbsec = newsb->s_security;
806
807 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
808 int set_context = (oldsbsec->flags & CONTEXT_MNT);
809 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
810
811 /*
812 * if the parent was able to be mounted it clearly had no special lsm
813 * mount options. thus we can safely deal with this superblock later
814 */
815 if (!ss_initialized)
816 return 0;
817
818 /* how can we clone if the old one wasn't set up?? */
819 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
820
821 /* if fs is reusing a sb, make sure that the contexts match */
822 if (newsbsec->flags & SE_SBINITIALIZED)
823 return selinux_cmp_sb_context(oldsb, newsb);
824
825 mutex_lock(&newsbsec->lock);
826
827 newsbsec->flags = oldsbsec->flags;
828
829 newsbsec->sid = oldsbsec->sid;
830 newsbsec->def_sid = oldsbsec->def_sid;
831 newsbsec->behavior = oldsbsec->behavior;
832
833 if (set_context) {
834 u32 sid = oldsbsec->mntpoint_sid;
835
836 if (!set_fscontext)
837 newsbsec->sid = sid;
838 if (!set_rootcontext) {
839 struct inode *newinode = newsb->s_root->d_inode;
840 struct inode_security_struct *newisec = newinode->i_security;
841 newisec->sid = sid;
842 }
843 newsbsec->mntpoint_sid = sid;
844 }
845 if (set_rootcontext) {
846 const struct inode *oldinode = oldsb->s_root->d_inode;
847 const struct inode_security_struct *oldisec = oldinode->i_security;
848 struct inode *newinode = newsb->s_root->d_inode;
849 struct inode_security_struct *newisec = newinode->i_security;
850
851 newisec->sid = oldisec->sid;
852 }
853
854 sb_finish_set_opts(newsb);
855 mutex_unlock(&newsbsec->lock);
856 return 0;
857 }
858
859 static int selinux_parse_opts_str(char *options,
860 struct security_mnt_opts *opts)
861 {
862 char *p;
863 char *context = NULL, *defcontext = NULL;
864 char *fscontext = NULL, *rootcontext = NULL;
865 int rc, num_mnt_opts = 0;
866
867 opts->num_mnt_opts = 0;
868
869 /* Standard string-based options. */
870 while ((p = strsep(&options, "|")) != NULL) {
871 int token;
872 substring_t args[MAX_OPT_ARGS];
873
874 if (!*p)
875 continue;
876
877 token = match_token(p, tokens, args);
878
879 switch (token) {
880 case Opt_context:
881 if (context || defcontext) {
882 rc = -EINVAL;
883 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
884 goto out_err;
885 }
886 context = match_strdup(&args[0]);
887 if (!context) {
888 rc = -ENOMEM;
889 goto out_err;
890 }
891 break;
892
893 case Opt_fscontext:
894 if (fscontext) {
895 rc = -EINVAL;
896 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
897 goto out_err;
898 }
899 fscontext = match_strdup(&args[0]);
900 if (!fscontext) {
901 rc = -ENOMEM;
902 goto out_err;
903 }
904 break;
905
906 case Opt_rootcontext:
907 if (rootcontext) {
908 rc = -EINVAL;
909 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
910 goto out_err;
911 }
912 rootcontext = match_strdup(&args[0]);
913 if (!rootcontext) {
914 rc = -ENOMEM;
915 goto out_err;
916 }
917 break;
918
919 case Opt_defcontext:
920 if (context || defcontext) {
921 rc = -EINVAL;
922 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
923 goto out_err;
924 }
925 defcontext = match_strdup(&args[0]);
926 if (!defcontext) {
927 rc = -ENOMEM;
928 goto out_err;
929 }
930 break;
931 case Opt_labelsupport:
932 break;
933 default:
934 rc = -EINVAL;
935 printk(KERN_WARNING "SELinux: unknown mount option\n");
936 goto out_err;
937
938 }
939 }
940
941 rc = -ENOMEM;
942 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
943 if (!opts->mnt_opts)
944 goto out_err;
945
946 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
947 if (!opts->mnt_opts_flags) {
948 kfree(opts->mnt_opts);
949 goto out_err;
950 }
951
952 if (fscontext) {
953 opts->mnt_opts[num_mnt_opts] = fscontext;
954 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
955 }
956 if (context) {
957 opts->mnt_opts[num_mnt_opts] = context;
958 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
959 }
960 if (rootcontext) {
961 opts->mnt_opts[num_mnt_opts] = rootcontext;
962 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
963 }
964 if (defcontext) {
965 opts->mnt_opts[num_mnt_opts] = defcontext;
966 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
967 }
968
969 opts->num_mnt_opts = num_mnt_opts;
970 return 0;
971
972 out_err:
973 kfree(context);
974 kfree(defcontext);
975 kfree(fscontext);
976 kfree(rootcontext);
977 return rc;
978 }
979 /*
980 * string mount options parsing and call set the sbsec
981 */
982 static int superblock_doinit(struct super_block *sb, void *data)
983 {
984 int rc = 0;
985 char *options = data;
986 struct security_mnt_opts opts;
987
988 security_init_mnt_opts(&opts);
989
990 if (!data)
991 goto out;
992
993 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
994
995 rc = selinux_parse_opts_str(options, &opts);
996 if (rc)
997 goto out_err;
998
999 out:
1000 rc = selinux_set_mnt_opts(sb, &opts);
1001
1002 out_err:
1003 security_free_mnt_opts(&opts);
1004 return rc;
1005 }
1006
1007 static void selinux_write_opts(struct seq_file *m,
1008 struct security_mnt_opts *opts)
1009 {
1010 int i;
1011 char *prefix;
1012
1013 for (i = 0; i < opts->num_mnt_opts; i++) {
1014 char *has_comma;
1015
1016 if (opts->mnt_opts[i])
1017 has_comma = strchr(opts->mnt_opts[i], ',');
1018 else
1019 has_comma = NULL;
1020
1021 switch (opts->mnt_opts_flags[i]) {
1022 case CONTEXT_MNT:
1023 prefix = CONTEXT_STR;
1024 break;
1025 case FSCONTEXT_MNT:
1026 prefix = FSCONTEXT_STR;
1027 break;
1028 case ROOTCONTEXT_MNT:
1029 prefix = ROOTCONTEXT_STR;
1030 break;
1031 case DEFCONTEXT_MNT:
1032 prefix = DEFCONTEXT_STR;
1033 break;
1034 case SE_SBLABELSUPP:
1035 seq_putc(m, ',');
1036 seq_puts(m, LABELSUPP_STR);
1037 continue;
1038 default:
1039 BUG();
1040 return;
1041 };
1042 /* we need a comma before each option */
1043 seq_putc(m, ',');
1044 seq_puts(m, prefix);
1045 if (has_comma)
1046 seq_putc(m, '\"');
1047 seq_puts(m, opts->mnt_opts[i]);
1048 if (has_comma)
1049 seq_putc(m, '\"');
1050 }
1051 }
1052
1053 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1054 {
1055 struct security_mnt_opts opts;
1056 int rc;
1057
1058 rc = selinux_get_mnt_opts(sb, &opts);
1059 if (rc) {
1060 /* before policy load we may get EINVAL, don't show anything */
1061 if (rc == -EINVAL)
1062 rc = 0;
1063 return rc;
1064 }
1065
1066 selinux_write_opts(m, &opts);
1067
1068 security_free_mnt_opts(&opts);
1069
1070 return rc;
1071 }
1072
1073 static inline u16 inode_mode_to_security_class(umode_t mode)
1074 {
1075 switch (mode & S_IFMT) {
1076 case S_IFSOCK:
1077 return SECCLASS_SOCK_FILE;
1078 case S_IFLNK:
1079 return SECCLASS_LNK_FILE;
1080 case S_IFREG:
1081 return SECCLASS_FILE;
1082 case S_IFBLK:
1083 return SECCLASS_BLK_FILE;
1084 case S_IFDIR:
1085 return SECCLASS_DIR;
1086 case S_IFCHR:
1087 return SECCLASS_CHR_FILE;
1088 case S_IFIFO:
1089 return SECCLASS_FIFO_FILE;
1090
1091 }
1092
1093 return SECCLASS_FILE;
1094 }
1095
1096 static inline int default_protocol_stream(int protocol)
1097 {
1098 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1099 }
1100
1101 static inline int default_protocol_dgram(int protocol)
1102 {
1103 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1104 }
1105
1106 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1107 {
1108 switch (family) {
1109 case PF_UNIX:
1110 switch (type) {
1111 case SOCK_STREAM:
1112 case SOCK_SEQPACKET:
1113 return SECCLASS_UNIX_STREAM_SOCKET;
1114 case SOCK_DGRAM:
1115 return SECCLASS_UNIX_DGRAM_SOCKET;
1116 }
1117 break;
1118 case PF_INET:
1119 case PF_INET6:
1120 switch (type) {
1121 case SOCK_STREAM:
1122 if (default_protocol_stream(protocol))
1123 return SECCLASS_TCP_SOCKET;
1124 else
1125 return SECCLASS_RAWIP_SOCKET;
1126 case SOCK_DGRAM:
1127 if (default_protocol_dgram(protocol))
1128 return SECCLASS_UDP_SOCKET;
1129 else
1130 return SECCLASS_RAWIP_SOCKET;
1131 case SOCK_DCCP:
1132 return SECCLASS_DCCP_SOCKET;
1133 default:
1134 return SECCLASS_RAWIP_SOCKET;
1135 }
1136 break;
1137 case PF_NETLINK:
1138 switch (protocol) {
1139 case NETLINK_ROUTE:
1140 return SECCLASS_NETLINK_ROUTE_SOCKET;
1141 case NETLINK_FIREWALL:
1142 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1143 case NETLINK_SOCK_DIAG:
1144 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1145 case NETLINK_NFLOG:
1146 return SECCLASS_NETLINK_NFLOG_SOCKET;
1147 case NETLINK_XFRM:
1148 return SECCLASS_NETLINK_XFRM_SOCKET;
1149 case NETLINK_SELINUX:
1150 return SECCLASS_NETLINK_SELINUX_SOCKET;
1151 case NETLINK_AUDIT:
1152 return SECCLASS_NETLINK_AUDIT_SOCKET;
1153 case NETLINK_IP6_FW:
1154 return SECCLASS_NETLINK_IP6FW_SOCKET;
1155 case NETLINK_DNRTMSG:
1156 return SECCLASS_NETLINK_DNRT_SOCKET;
1157 case NETLINK_KOBJECT_UEVENT:
1158 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1159 default:
1160 return SECCLASS_NETLINK_SOCKET;
1161 }
1162 case PF_PACKET:
1163 return SECCLASS_PACKET_SOCKET;
1164 case PF_KEY:
1165 return SECCLASS_KEY_SOCKET;
1166 case PF_APPLETALK:
1167 return SECCLASS_APPLETALK_SOCKET;
1168 }
1169
1170 return SECCLASS_SOCKET;
1171 }
1172
1173 #ifdef CONFIG_PROC_FS
1174 static int selinux_proc_get_sid(struct dentry *dentry,
1175 u16 tclass,
1176 u32 *sid)
1177 {
1178 int rc;
1179 char *buffer, *path;
1180
1181 buffer = (char *)__get_free_page(GFP_KERNEL);
1182 if (!buffer)
1183 return -ENOMEM;
1184
1185 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1186 if (IS_ERR(path))
1187 rc = PTR_ERR(path);
1188 else {
1189 /* each process gets a /proc/PID/ entry. Strip off the
1190 * PID part to get a valid selinux labeling.
1191 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1192 while (path[1] >= '0' && path[1] <= '9') {
1193 path[1] = '/';
1194 path++;
1195 }
1196 rc = security_genfs_sid("proc", path, tclass, sid);
1197 }
1198 free_page((unsigned long)buffer);
1199 return rc;
1200 }
1201 #else
1202 static int selinux_proc_get_sid(struct dentry *dentry,
1203 u16 tclass,
1204 u32 *sid)
1205 {
1206 return -EINVAL;
1207 }
1208 #endif
1209
1210 /* The inode's security attributes must be initialized before first use. */
1211 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1212 {
1213 struct superblock_security_struct *sbsec = NULL;
1214 struct inode_security_struct *isec = inode->i_security;
1215 u32 sid;
1216 struct dentry *dentry;
1217 #define INITCONTEXTLEN 255
1218 char *context = NULL;
1219 unsigned len = 0;
1220 int rc = 0;
1221
1222 if (isec->initialized)
1223 goto out;
1224
1225 mutex_lock(&isec->lock);
1226 if (isec->initialized)
1227 goto out_unlock;
1228
1229 sbsec = inode->i_sb->s_security;
1230 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1231 /* Defer initialization until selinux_complete_init,
1232 after the initial policy is loaded and the security
1233 server is ready to handle calls. */
1234 spin_lock(&sbsec->isec_lock);
1235 if (list_empty(&isec->list))
1236 list_add(&isec->list, &sbsec->isec_head);
1237 spin_unlock(&sbsec->isec_lock);
1238 goto out_unlock;
1239 }
1240
1241 switch (sbsec->behavior) {
1242 case SECURITY_FS_USE_XATTR:
1243 if (!inode->i_op->getxattr) {
1244 isec->sid = sbsec->def_sid;
1245 break;
1246 }
1247
1248 /* Need a dentry, since the xattr API requires one.
1249 Life would be simpler if we could just pass the inode. */
1250 if (opt_dentry) {
1251 /* Called from d_instantiate or d_splice_alias. */
1252 dentry = dget(opt_dentry);
1253 } else {
1254 /* Called from selinux_complete_init, try to find a dentry. */
1255 dentry = d_find_alias(inode);
1256 }
1257 if (!dentry) {
1258 /*
1259 * this is can be hit on boot when a file is accessed
1260 * before the policy is loaded. When we load policy we
1261 * may find inodes that have no dentry on the
1262 * sbsec->isec_head list. No reason to complain as these
1263 * will get fixed up the next time we go through
1264 * inode_doinit with a dentry, before these inodes could
1265 * be used again by userspace.
1266 */
1267 goto out_unlock;
1268 }
1269
1270 len = INITCONTEXTLEN;
1271 context = kmalloc(len+1, GFP_NOFS);
1272 if (!context) {
1273 rc = -ENOMEM;
1274 dput(dentry);
1275 goto out_unlock;
1276 }
1277 context[len] = '\0';
1278 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1279 context, len);
1280 if (rc == -ERANGE) {
1281 kfree(context);
1282
1283 /* Need a larger buffer. Query for the right size. */
1284 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1285 NULL, 0);
1286 if (rc < 0) {
1287 dput(dentry);
1288 goto out_unlock;
1289 }
1290 len = rc;
1291 context = kmalloc(len+1, GFP_NOFS);
1292 if (!context) {
1293 rc = -ENOMEM;
1294 dput(dentry);
1295 goto out_unlock;
1296 }
1297 context[len] = '\0';
1298 rc = inode->i_op->getxattr(dentry,
1299 XATTR_NAME_SELINUX,
1300 context, len);
1301 }
1302 dput(dentry);
1303 if (rc < 0) {
1304 if (rc != -ENODATA) {
1305 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1306 "%d for dev=%s ino=%ld\n", __func__,
1307 -rc, inode->i_sb->s_id, inode->i_ino);
1308 kfree(context);
1309 goto out_unlock;
1310 }
1311 /* Map ENODATA to the default file SID */
1312 sid = sbsec->def_sid;
1313 rc = 0;
1314 } else {
1315 rc = security_context_to_sid_default(context, rc, &sid,
1316 sbsec->def_sid,
1317 GFP_NOFS);
1318 if (rc) {
1319 char *dev = inode->i_sb->s_id;
1320 unsigned long ino = inode->i_ino;
1321
1322 if (rc == -EINVAL) {
1323 if (printk_ratelimit())
1324 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1325 "context=%s. This indicates you may need to relabel the inode or the "
1326 "filesystem in question.\n", ino, dev, context);
1327 } else {
1328 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1329 "returned %d for dev=%s ino=%ld\n",
1330 __func__, context, -rc, dev, ino);
1331 }
1332 kfree(context);
1333 /* Leave with the unlabeled SID */
1334 rc = 0;
1335 break;
1336 }
1337 }
1338 kfree(context);
1339 isec->sid = sid;
1340 break;
1341 case SECURITY_FS_USE_TASK:
1342 isec->sid = isec->task_sid;
1343 break;
1344 case SECURITY_FS_USE_TRANS:
1345 /* Default to the fs SID. */
1346 isec->sid = sbsec->sid;
1347
1348 /* Try to obtain a transition SID. */
1349 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1350 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1351 isec->sclass, NULL, &sid);
1352 if (rc)
1353 goto out_unlock;
1354 isec->sid = sid;
1355 break;
1356 case SECURITY_FS_USE_MNTPOINT:
1357 isec->sid = sbsec->mntpoint_sid;
1358 break;
1359 default:
1360 /* Default to the fs superblock SID. */
1361 isec->sid = sbsec->sid;
1362
1363 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1364 /* We must have a dentry to determine the label on
1365 * procfs inodes */
1366 if (opt_dentry)
1367 /* Called from d_instantiate or
1368 * d_splice_alias. */
1369 dentry = dget(opt_dentry);
1370 else
1371 /* Called from selinux_complete_init, try to
1372 * find a dentry. */
1373 dentry = d_find_alias(inode);
1374 /*
1375 * This can be hit on boot when a file is accessed
1376 * before the policy is loaded. When we load policy we
1377 * may find inodes that have no dentry on the
1378 * sbsec->isec_head list. No reason to complain as
1379 * these will get fixed up the next time we go through
1380 * inode_doinit() with a dentry, before these inodes
1381 * could be used again by userspace.
1382 */
1383 if (!dentry)
1384 goto out_unlock;
1385 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1386 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1387 dput(dentry);
1388 if (rc)
1389 goto out_unlock;
1390 isec->sid = sid;
1391 }
1392 break;
1393 }
1394
1395 isec->initialized = 1;
1396
1397 out_unlock:
1398 mutex_unlock(&isec->lock);
1399 out:
1400 if (isec->sclass == SECCLASS_FILE)
1401 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1402 return rc;
1403 }
1404
1405 /* Convert a Linux signal to an access vector. */
1406 static inline u32 signal_to_av(int sig)
1407 {
1408 u32 perm = 0;
1409
1410 switch (sig) {
1411 case SIGCHLD:
1412 /* Commonly granted from child to parent. */
1413 perm = PROCESS__SIGCHLD;
1414 break;
1415 case SIGKILL:
1416 /* Cannot be caught or ignored */
1417 perm = PROCESS__SIGKILL;
1418 break;
1419 case SIGSTOP:
1420 /* Cannot be caught or ignored */
1421 perm = PROCESS__SIGSTOP;
1422 break;
1423 default:
1424 /* All other signals. */
1425 perm = PROCESS__SIGNAL;
1426 break;
1427 }
1428
1429 return perm;
1430 }
1431
1432 /*
1433 * Check permission between a pair of credentials
1434 * fork check, ptrace check, etc.
1435 */
1436 static int cred_has_perm(const struct cred *actor,
1437 const struct cred *target,
1438 u32 perms)
1439 {
1440 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1441
1442 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1443 }
1444
1445 /*
1446 * Check permission between a pair of tasks, e.g. signal checks,
1447 * fork check, ptrace check, etc.
1448 * tsk1 is the actor and tsk2 is the target
1449 * - this uses the default subjective creds of tsk1
1450 */
1451 static int task_has_perm(const struct task_struct *tsk1,
1452 const struct task_struct *tsk2,
1453 u32 perms)
1454 {
1455 const struct task_security_struct *__tsec1, *__tsec2;
1456 u32 sid1, sid2;
1457
1458 rcu_read_lock();
1459 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1460 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1461 rcu_read_unlock();
1462 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1463 }
1464
1465 /*
1466 * Check permission between current and another task, e.g. signal checks,
1467 * fork check, ptrace check, etc.
1468 * current is the actor and tsk2 is the target
1469 * - this uses current's subjective creds
1470 */
1471 static int current_has_perm(const struct task_struct *tsk,
1472 u32 perms)
1473 {
1474 u32 sid, tsid;
1475
1476 sid = current_sid();
1477 tsid = task_sid(tsk);
1478 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1479 }
1480
1481 #if CAP_LAST_CAP > 63
1482 #error Fix SELinux to handle capabilities > 63.
1483 #endif
1484
1485 /* Check whether a task is allowed to use a capability. */
1486 static int cred_has_capability(const struct cred *cred,
1487 int cap, int audit)
1488 {
1489 struct common_audit_data ad;
1490 struct av_decision avd;
1491 u16 sclass;
1492 u32 sid = cred_sid(cred);
1493 u32 av = CAP_TO_MASK(cap);
1494 int rc;
1495
1496 ad.type = LSM_AUDIT_DATA_CAP;
1497 ad.u.cap = cap;
1498
1499 switch (CAP_TO_INDEX(cap)) {
1500 case 0:
1501 sclass = SECCLASS_CAPABILITY;
1502 break;
1503 case 1:
1504 sclass = SECCLASS_CAPABILITY2;
1505 break;
1506 default:
1507 printk(KERN_ERR
1508 "SELinux: out of range capability %d\n", cap);
1509 BUG();
1510 return -EINVAL;
1511 }
1512
1513 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1514 if (audit == SECURITY_CAP_AUDIT) {
1515 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1516 if (rc2)
1517 return rc2;
1518 }
1519 return rc;
1520 }
1521
1522 /* Check whether a task is allowed to use a system operation. */
1523 static int task_has_system(struct task_struct *tsk,
1524 u32 perms)
1525 {
1526 u32 sid = task_sid(tsk);
1527
1528 return avc_has_perm(sid, SECINITSID_KERNEL,
1529 SECCLASS_SYSTEM, perms, NULL);
1530 }
1531
1532 /* Check whether a task has a particular permission to an inode.
1533 The 'adp' parameter is optional and allows other audit
1534 data to be passed (e.g. the dentry). */
1535 static int inode_has_perm(const struct cred *cred,
1536 struct inode *inode,
1537 u32 perms,
1538 struct common_audit_data *adp,
1539 unsigned flags)
1540 {
1541 struct inode_security_struct *isec;
1542 u32 sid;
1543
1544 validate_creds(cred);
1545
1546 if (unlikely(IS_PRIVATE(inode)))
1547 return 0;
1548
1549 sid = cred_sid(cred);
1550 isec = inode->i_security;
1551
1552 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1553 }
1554
1555 /* Same as inode_has_perm, but pass explicit audit data containing
1556 the dentry to help the auditing code to more easily generate the
1557 pathname if needed. */
1558 static inline int dentry_has_perm(const struct cred *cred,
1559 struct dentry *dentry,
1560 u32 av)
1561 {
1562 struct inode *inode = dentry->d_inode;
1563 struct common_audit_data ad;
1564
1565 ad.type = LSM_AUDIT_DATA_DENTRY;
1566 ad.u.dentry = dentry;
1567 return inode_has_perm(cred, inode, av, &ad, 0);
1568 }
1569
1570 /* Same as inode_has_perm, but pass explicit audit data containing
1571 the path to help the auditing code to more easily generate the
1572 pathname if needed. */
1573 static inline int path_has_perm(const struct cred *cred,
1574 struct path *path,
1575 u32 av)
1576 {
1577 struct inode *inode = path->dentry->d_inode;
1578 struct common_audit_data ad;
1579
1580 ad.type = LSM_AUDIT_DATA_PATH;
1581 ad.u.path = *path;
1582 return inode_has_perm(cred, inode, av, &ad, 0);
1583 }
1584
1585 /* Check whether a task can use an open file descriptor to
1586 access an inode in a given way. Check access to the
1587 descriptor itself, and then use dentry_has_perm to
1588 check a particular permission to the file.
1589 Access to the descriptor is implicitly granted if it
1590 has the same SID as the process. If av is zero, then
1591 access to the file is not checked, e.g. for cases
1592 where only the descriptor is affected like seek. */
1593 static int file_has_perm(const struct cred *cred,
1594 struct file *file,
1595 u32 av)
1596 {
1597 struct file_security_struct *fsec = file->f_security;
1598 struct inode *inode = file_inode(file);
1599 struct common_audit_data ad;
1600 u32 sid = cred_sid(cred);
1601 int rc;
1602
1603 ad.type = LSM_AUDIT_DATA_PATH;
1604 ad.u.path = file->f_path;
1605
1606 if (sid != fsec->sid) {
1607 rc = avc_has_perm(sid, fsec->sid,
1608 SECCLASS_FD,
1609 FD__USE,
1610 &ad);
1611 if (rc)
1612 goto out;
1613 }
1614
1615 /* av is zero if only checking access to the descriptor. */
1616 rc = 0;
1617 if (av)
1618 rc = inode_has_perm(cred, inode, av, &ad, 0);
1619
1620 out:
1621 return rc;
1622 }
1623
1624 /* Check whether a task can create a file. */
1625 static int may_create(struct inode *dir,
1626 struct dentry *dentry,
1627 u16 tclass)
1628 {
1629 const struct task_security_struct *tsec = current_security();
1630 struct inode_security_struct *dsec;
1631 struct superblock_security_struct *sbsec;
1632 u32 sid, newsid;
1633 struct common_audit_data ad;
1634 int rc;
1635
1636 dsec = dir->i_security;
1637 sbsec = dir->i_sb->s_security;
1638
1639 sid = tsec->sid;
1640 newsid = tsec->create_sid;
1641
1642 ad.type = LSM_AUDIT_DATA_DENTRY;
1643 ad.u.dentry = dentry;
1644
1645 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1646 DIR__ADD_NAME | DIR__SEARCH,
1647 &ad);
1648 if (rc)
1649 return rc;
1650
1651 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1652 rc = security_transition_sid(sid, dsec->sid, tclass,
1653 &dentry->d_name, &newsid);
1654 if (rc)
1655 return rc;
1656 }
1657
1658 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1659 if (rc)
1660 return rc;
1661
1662 return avc_has_perm(newsid, sbsec->sid,
1663 SECCLASS_FILESYSTEM,
1664 FILESYSTEM__ASSOCIATE, &ad);
1665 }
1666
1667 /* Check whether a task can create a key. */
1668 static int may_create_key(u32 ksid,
1669 struct task_struct *ctx)
1670 {
1671 u32 sid = task_sid(ctx);
1672
1673 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1674 }
1675
1676 #define MAY_LINK 0
1677 #define MAY_UNLINK 1
1678 #define MAY_RMDIR 2
1679
1680 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1681 static int may_link(struct inode *dir,
1682 struct dentry *dentry,
1683 int kind)
1684
1685 {
1686 struct inode_security_struct *dsec, *isec;
1687 struct common_audit_data ad;
1688 u32 sid = current_sid();
1689 u32 av;
1690 int rc;
1691
1692 dsec = dir->i_security;
1693 isec = dentry->d_inode->i_security;
1694
1695 ad.type = LSM_AUDIT_DATA_DENTRY;
1696 ad.u.dentry = dentry;
1697
1698 av = DIR__SEARCH;
1699 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1700 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1701 if (rc)
1702 return rc;
1703
1704 switch (kind) {
1705 case MAY_LINK:
1706 av = FILE__LINK;
1707 break;
1708 case MAY_UNLINK:
1709 av = FILE__UNLINK;
1710 break;
1711 case MAY_RMDIR:
1712 av = DIR__RMDIR;
1713 break;
1714 default:
1715 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1716 __func__, kind);
1717 return 0;
1718 }
1719
1720 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1721 return rc;
1722 }
1723
1724 static inline int may_rename(struct inode *old_dir,
1725 struct dentry *old_dentry,
1726 struct inode *new_dir,
1727 struct dentry *new_dentry)
1728 {
1729 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1730 struct common_audit_data ad;
1731 u32 sid = current_sid();
1732 u32 av;
1733 int old_is_dir, new_is_dir;
1734 int rc;
1735
1736 old_dsec = old_dir->i_security;
1737 old_isec = old_dentry->d_inode->i_security;
1738 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1739 new_dsec = new_dir->i_security;
1740
1741 ad.type = LSM_AUDIT_DATA_DENTRY;
1742
1743 ad.u.dentry = old_dentry;
1744 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1745 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1746 if (rc)
1747 return rc;
1748 rc = avc_has_perm(sid, old_isec->sid,
1749 old_isec->sclass, FILE__RENAME, &ad);
1750 if (rc)
1751 return rc;
1752 if (old_is_dir && new_dir != old_dir) {
1753 rc = avc_has_perm(sid, old_isec->sid,
1754 old_isec->sclass, DIR__REPARENT, &ad);
1755 if (rc)
1756 return rc;
1757 }
1758
1759 ad.u.dentry = new_dentry;
1760 av = DIR__ADD_NAME | DIR__SEARCH;
1761 if (new_dentry->d_inode)
1762 av |= DIR__REMOVE_NAME;
1763 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1764 if (rc)
1765 return rc;
1766 if (new_dentry->d_inode) {
1767 new_isec = new_dentry->d_inode->i_security;
1768 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1769 rc = avc_has_perm(sid, new_isec->sid,
1770 new_isec->sclass,
1771 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1772 if (rc)
1773 return rc;
1774 }
1775
1776 return 0;
1777 }
1778
1779 /* Check whether a task can perform a filesystem operation. */
1780 static int superblock_has_perm(const struct cred *cred,
1781 struct super_block *sb,
1782 u32 perms,
1783 struct common_audit_data *ad)
1784 {
1785 struct superblock_security_struct *sbsec;
1786 u32 sid = cred_sid(cred);
1787
1788 sbsec = sb->s_security;
1789 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1790 }
1791
1792 /* Convert a Linux mode and permission mask to an access vector. */
1793 static inline u32 file_mask_to_av(int mode, int mask)
1794 {
1795 u32 av = 0;
1796
1797 if (!S_ISDIR(mode)) {
1798 if (mask & MAY_EXEC)
1799 av |= FILE__EXECUTE;
1800 if (mask & MAY_READ)
1801 av |= FILE__READ;
1802
1803 if (mask & MAY_APPEND)
1804 av |= FILE__APPEND;
1805 else if (mask & MAY_WRITE)
1806 av |= FILE__WRITE;
1807
1808 } else {
1809 if (mask & MAY_EXEC)
1810 av |= DIR__SEARCH;
1811 if (mask & MAY_WRITE)
1812 av |= DIR__WRITE;
1813 if (mask & MAY_READ)
1814 av |= DIR__READ;
1815 }
1816
1817 return av;
1818 }
1819
1820 /* Convert a Linux file to an access vector. */
1821 static inline u32 file_to_av(struct file *file)
1822 {
1823 u32 av = 0;
1824
1825 if (file->f_mode & FMODE_READ)
1826 av |= FILE__READ;
1827 if (file->f_mode & FMODE_WRITE) {
1828 if (file->f_flags & O_APPEND)
1829 av |= FILE__APPEND;
1830 else
1831 av |= FILE__WRITE;
1832 }
1833 if (!av) {
1834 /*
1835 * Special file opened with flags 3 for ioctl-only use.
1836 */
1837 av = FILE__IOCTL;
1838 }
1839
1840 return av;
1841 }
1842
1843 /*
1844 * Convert a file to an access vector and include the correct open
1845 * open permission.
1846 */
1847 static inline u32 open_file_to_av(struct file *file)
1848 {
1849 u32 av = file_to_av(file);
1850
1851 if (selinux_policycap_openperm)
1852 av |= FILE__OPEN;
1853
1854 return av;
1855 }
1856
1857 /* Hook functions begin here. */
1858
1859 static int selinux_ptrace_access_check(struct task_struct *child,
1860 unsigned int mode)
1861 {
1862 int rc;
1863
1864 rc = cap_ptrace_access_check(child, mode);
1865 if (rc)
1866 return rc;
1867
1868 if (mode & PTRACE_MODE_READ) {
1869 u32 sid = current_sid();
1870 u32 csid = task_sid(child);
1871 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1872 }
1873
1874 return current_has_perm(child, PROCESS__PTRACE);
1875 }
1876
1877 static int selinux_ptrace_traceme(struct task_struct *parent)
1878 {
1879 int rc;
1880
1881 rc = cap_ptrace_traceme(parent);
1882 if (rc)
1883 return rc;
1884
1885 return task_has_perm(parent, current, PROCESS__PTRACE);
1886 }
1887
1888 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1889 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1890 {
1891 int error;
1892
1893 error = current_has_perm(target, PROCESS__GETCAP);
1894 if (error)
1895 return error;
1896
1897 return cap_capget(target, effective, inheritable, permitted);
1898 }
1899
1900 static int selinux_capset(struct cred *new, const struct cred *old,
1901 const kernel_cap_t *effective,
1902 const kernel_cap_t *inheritable,
1903 const kernel_cap_t *permitted)
1904 {
1905 int error;
1906
1907 error = cap_capset(new, old,
1908 effective, inheritable, permitted);
1909 if (error)
1910 return error;
1911
1912 return cred_has_perm(old, new, PROCESS__SETCAP);
1913 }
1914
1915 /*
1916 * (This comment used to live with the selinux_task_setuid hook,
1917 * which was removed).
1918 *
1919 * Since setuid only affects the current process, and since the SELinux
1920 * controls are not based on the Linux identity attributes, SELinux does not
1921 * need to control this operation. However, SELinux does control the use of
1922 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1923 */
1924
1925 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1926 int cap, int audit)
1927 {
1928 int rc;
1929
1930 rc = cap_capable(cred, ns, cap, audit);
1931 if (rc)
1932 return rc;
1933
1934 return cred_has_capability(cred, cap, audit);
1935 }
1936
1937 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1938 {
1939 const struct cred *cred = current_cred();
1940 int rc = 0;
1941
1942 if (!sb)
1943 return 0;
1944
1945 switch (cmds) {
1946 case Q_SYNC:
1947 case Q_QUOTAON:
1948 case Q_QUOTAOFF:
1949 case Q_SETINFO:
1950 case Q_SETQUOTA:
1951 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1952 break;
1953 case Q_GETFMT:
1954 case Q_GETINFO:
1955 case Q_GETQUOTA:
1956 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1957 break;
1958 default:
1959 rc = 0; /* let the kernel handle invalid cmds */
1960 break;
1961 }
1962 return rc;
1963 }
1964
1965 static int selinux_quota_on(struct dentry *dentry)
1966 {
1967 const struct cred *cred = current_cred();
1968
1969 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1970 }
1971
1972 static int selinux_syslog(int type)
1973 {
1974 int rc;
1975
1976 switch (type) {
1977 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1978 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1979 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1980 break;
1981 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1982 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1983 /* Set level of messages printed to console */
1984 case SYSLOG_ACTION_CONSOLE_LEVEL:
1985 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1986 break;
1987 case SYSLOG_ACTION_CLOSE: /* Close log */
1988 case SYSLOG_ACTION_OPEN: /* Open log */
1989 case SYSLOG_ACTION_READ: /* Read from log */
1990 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1991 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1992 default:
1993 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1994 break;
1995 }
1996 return rc;
1997 }
1998
1999 /*
2000 * Check that a process has enough memory to allocate a new virtual
2001 * mapping. 0 means there is enough memory for the allocation to
2002 * succeed and -ENOMEM implies there is not.
2003 *
2004 * Do not audit the selinux permission check, as this is applied to all
2005 * processes that allocate mappings.
2006 */
2007 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2008 {
2009 int rc, cap_sys_admin = 0;
2010
2011 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2012 SECURITY_CAP_NOAUDIT);
2013 if (rc == 0)
2014 cap_sys_admin = 1;
2015
2016 return __vm_enough_memory(mm, pages, cap_sys_admin);
2017 }
2018
2019 /* binprm security operations */
2020
2021 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2022 {
2023 const struct task_security_struct *old_tsec;
2024 struct task_security_struct *new_tsec;
2025 struct inode_security_struct *isec;
2026 struct common_audit_data ad;
2027 struct inode *inode = file_inode(bprm->file);
2028 int rc;
2029
2030 rc = cap_bprm_set_creds(bprm);
2031 if (rc)
2032 return rc;
2033
2034 /* SELinux context only depends on initial program or script and not
2035 * the script interpreter */
2036 if (bprm->cred_prepared)
2037 return 0;
2038
2039 old_tsec = current_security();
2040 new_tsec = bprm->cred->security;
2041 isec = inode->i_security;
2042
2043 /* Default to the current task SID. */
2044 new_tsec->sid = old_tsec->sid;
2045 new_tsec->osid = old_tsec->sid;
2046
2047 /* Reset fs, key, and sock SIDs on execve. */
2048 new_tsec->create_sid = 0;
2049 new_tsec->keycreate_sid = 0;
2050 new_tsec->sockcreate_sid = 0;
2051
2052 if (old_tsec->exec_sid) {
2053 new_tsec->sid = old_tsec->exec_sid;
2054 /* Reset exec SID on execve. */
2055 new_tsec->exec_sid = 0;
2056
2057 /*
2058 * Minimize confusion: if no_new_privs and a transition is
2059 * explicitly requested, then fail the exec.
2060 */
2061 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2062 return -EPERM;
2063 } else {
2064 /* Check for a default transition on this program. */
2065 rc = security_transition_sid(old_tsec->sid, isec->sid,
2066 SECCLASS_PROCESS, NULL,
2067 &new_tsec->sid);
2068 if (rc)
2069 return rc;
2070 }
2071
2072 ad.type = LSM_AUDIT_DATA_PATH;
2073 ad.u.path = bprm->file->f_path;
2074
2075 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2076 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2077 new_tsec->sid = old_tsec->sid;
2078
2079 if (new_tsec->sid == old_tsec->sid) {
2080 rc = avc_has_perm(old_tsec->sid, isec->sid,
2081 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2082 if (rc)
2083 return rc;
2084 } else {
2085 /* Check permissions for the transition. */
2086 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2087 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2088 if (rc)
2089 return rc;
2090
2091 rc = avc_has_perm(new_tsec->sid, isec->sid,
2092 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2093 if (rc)
2094 return rc;
2095
2096 /* Check for shared state */
2097 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2098 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2099 SECCLASS_PROCESS, PROCESS__SHARE,
2100 NULL);
2101 if (rc)
2102 return -EPERM;
2103 }
2104
2105 /* Make sure that anyone attempting to ptrace over a task that
2106 * changes its SID has the appropriate permit */
2107 if (bprm->unsafe &
2108 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2109 struct task_struct *tracer;
2110 struct task_security_struct *sec;
2111 u32 ptsid = 0;
2112
2113 rcu_read_lock();
2114 tracer = ptrace_parent(current);
2115 if (likely(tracer != NULL)) {
2116 sec = __task_cred(tracer)->security;
2117 ptsid = sec->sid;
2118 }
2119 rcu_read_unlock();
2120
2121 if (ptsid != 0) {
2122 rc = avc_has_perm(ptsid, new_tsec->sid,
2123 SECCLASS_PROCESS,
2124 PROCESS__PTRACE, NULL);
2125 if (rc)
2126 return -EPERM;
2127 }
2128 }
2129
2130 /* Clear any possibly unsafe personality bits on exec: */
2131 bprm->per_clear |= PER_CLEAR_ON_SETID;
2132 }
2133
2134 return 0;
2135 }
2136
2137 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2138 {
2139 const struct task_security_struct *tsec = current_security();
2140 u32 sid, osid;
2141 int atsecure = 0;
2142
2143 sid = tsec->sid;
2144 osid = tsec->osid;
2145
2146 if (osid != sid) {
2147 /* Enable secure mode for SIDs transitions unless
2148 the noatsecure permission is granted between
2149 the two SIDs, i.e. ahp returns 0. */
2150 atsecure = avc_has_perm(osid, sid,
2151 SECCLASS_PROCESS,
2152 PROCESS__NOATSECURE, NULL);
2153 }
2154
2155 return (atsecure || cap_bprm_secureexec(bprm));
2156 }
2157
2158 static int match_file(const void *p, struct file *file, unsigned fd)
2159 {
2160 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2161 }
2162
2163 /* Derived from fs/exec.c:flush_old_files. */
2164 static inline void flush_unauthorized_files(const struct cred *cred,
2165 struct files_struct *files)
2166 {
2167 struct file *file, *devnull = NULL;
2168 struct tty_struct *tty;
2169 int drop_tty = 0;
2170 unsigned n;
2171
2172 tty = get_current_tty();
2173 if (tty) {
2174 spin_lock(&tty_files_lock);
2175 if (!list_empty(&tty->tty_files)) {
2176 struct tty_file_private *file_priv;
2177
2178 /* Revalidate access to controlling tty.
2179 Use path_has_perm on the tty path directly rather
2180 than using file_has_perm, as this particular open
2181 file may belong to another process and we are only
2182 interested in the inode-based check here. */
2183 file_priv = list_first_entry(&tty->tty_files,
2184 struct tty_file_private, list);
2185 file = file_priv->file;
2186 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2187 drop_tty = 1;
2188 }
2189 spin_unlock(&tty_files_lock);
2190 tty_kref_put(tty);
2191 }
2192 /* Reset controlling tty. */
2193 if (drop_tty)
2194 no_tty();
2195
2196 /* Revalidate access to inherited open files. */
2197 n = iterate_fd(files, 0, match_file, cred);
2198 if (!n) /* none found? */
2199 return;
2200
2201 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2202 if (IS_ERR(devnull))
2203 devnull = NULL;
2204 /* replace all the matching ones with this */
2205 do {
2206 replace_fd(n - 1, devnull, 0);
2207 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2208 if (devnull)
2209 fput(devnull);
2210 }
2211
2212 /*
2213 * Prepare a process for imminent new credential changes due to exec
2214 */
2215 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2216 {
2217 struct task_security_struct *new_tsec;
2218 struct rlimit *rlim, *initrlim;
2219 int rc, i;
2220
2221 new_tsec = bprm->cred->security;
2222 if (new_tsec->sid == new_tsec->osid)
2223 return;
2224
2225 /* Close files for which the new task SID is not authorized. */
2226 flush_unauthorized_files(bprm->cred, current->files);
2227
2228 /* Always clear parent death signal on SID transitions. */
2229 current->pdeath_signal = 0;
2230
2231 /* Check whether the new SID can inherit resource limits from the old
2232 * SID. If not, reset all soft limits to the lower of the current
2233 * task's hard limit and the init task's soft limit.
2234 *
2235 * Note that the setting of hard limits (even to lower them) can be
2236 * controlled by the setrlimit check. The inclusion of the init task's
2237 * soft limit into the computation is to avoid resetting soft limits
2238 * higher than the default soft limit for cases where the default is
2239 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2240 */
2241 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2242 PROCESS__RLIMITINH, NULL);
2243 if (rc) {
2244 /* protect against do_prlimit() */
2245 task_lock(current);
2246 for (i = 0; i < RLIM_NLIMITS; i++) {
2247 rlim = current->signal->rlim + i;
2248 initrlim = init_task.signal->rlim + i;
2249 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2250 }
2251 task_unlock(current);
2252 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2253 }
2254 }
2255
2256 /*
2257 * Clean up the process immediately after the installation of new credentials
2258 * due to exec
2259 */
2260 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2261 {
2262 const struct task_security_struct *tsec = current_security();
2263 struct itimerval itimer;
2264 u32 osid, sid;
2265 int rc, i;
2266
2267 osid = tsec->osid;
2268 sid = tsec->sid;
2269
2270 if (sid == osid)
2271 return;
2272
2273 /* Check whether the new SID can inherit signal state from the old SID.
2274 * If not, clear itimers to avoid subsequent signal generation and
2275 * flush and unblock signals.
2276 *
2277 * This must occur _after_ the task SID has been updated so that any
2278 * kill done after the flush will be checked against the new SID.
2279 */
2280 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2281 if (rc) {
2282 memset(&itimer, 0, sizeof itimer);
2283 for (i = 0; i < 3; i++)
2284 do_setitimer(i, &itimer, NULL);
2285 spin_lock_irq(&current->sighand->siglock);
2286 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2287 __flush_signals(current);
2288 flush_signal_handlers(current, 1);
2289 sigemptyset(&current->blocked);
2290 }
2291 spin_unlock_irq(&current->sighand->siglock);
2292 }
2293
2294 /* Wake up the parent if it is waiting so that it can recheck
2295 * wait permission to the new task SID. */
2296 read_lock(&tasklist_lock);
2297 __wake_up_parent(current, current->real_parent);
2298 read_unlock(&tasklist_lock);
2299 }
2300
2301 /* superblock security operations */
2302
2303 static int selinux_sb_alloc_security(struct super_block *sb)
2304 {
2305 return superblock_alloc_security(sb);
2306 }
2307
2308 static void selinux_sb_free_security(struct super_block *sb)
2309 {
2310 superblock_free_security(sb);
2311 }
2312
2313 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2314 {
2315 if (plen > olen)
2316 return 0;
2317
2318 return !memcmp(prefix, option, plen);
2319 }
2320
2321 static inline int selinux_option(char *option, int len)
2322 {
2323 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2324 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2325 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2326 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2327 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2328 }
2329
2330 static inline void take_option(char **to, char *from, int *first, int len)
2331 {
2332 if (!*first) {
2333 **to = ',';
2334 *to += 1;
2335 } else
2336 *first = 0;
2337 memcpy(*to, from, len);
2338 *to += len;
2339 }
2340
2341 static inline void take_selinux_option(char **to, char *from, int *first,
2342 int len)
2343 {
2344 int current_size = 0;
2345
2346 if (!*first) {
2347 **to = '|';
2348 *to += 1;
2349 } else
2350 *first = 0;
2351
2352 while (current_size < len) {
2353 if (*from != '"') {
2354 **to = *from;
2355 *to += 1;
2356 }
2357 from += 1;
2358 current_size += 1;
2359 }
2360 }
2361
2362 static int selinux_sb_copy_data(char *orig, char *copy)
2363 {
2364 int fnosec, fsec, rc = 0;
2365 char *in_save, *in_curr, *in_end;
2366 char *sec_curr, *nosec_save, *nosec;
2367 int open_quote = 0;
2368
2369 in_curr = orig;
2370 sec_curr = copy;
2371
2372 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2373 if (!nosec) {
2374 rc = -ENOMEM;
2375 goto out;
2376 }
2377
2378 nosec_save = nosec;
2379 fnosec = fsec = 1;
2380 in_save = in_end = orig;
2381
2382 do {
2383 if (*in_end == '"')
2384 open_quote = !open_quote;
2385 if ((*in_end == ',' && open_quote == 0) ||
2386 *in_end == '\0') {
2387 int len = in_end - in_curr;
2388
2389 if (selinux_option(in_curr, len))
2390 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2391 else
2392 take_option(&nosec, in_curr, &fnosec, len);
2393
2394 in_curr = in_end + 1;
2395 }
2396 } while (*in_end++);
2397
2398 strcpy(in_save, nosec_save);
2399 free_page((unsigned long)nosec_save);
2400 out:
2401 return rc;
2402 }
2403
2404 static int selinux_sb_remount(struct super_block *sb, void *data)
2405 {
2406 int rc, i, *flags;
2407 struct security_mnt_opts opts;
2408 char *secdata, **mount_options;
2409 struct superblock_security_struct *sbsec = sb->s_security;
2410
2411 if (!(sbsec->flags & SE_SBINITIALIZED))
2412 return 0;
2413
2414 if (!data)
2415 return 0;
2416
2417 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2418 return 0;
2419
2420 security_init_mnt_opts(&opts);
2421 secdata = alloc_secdata();
2422 if (!secdata)
2423 return -ENOMEM;
2424 rc = selinux_sb_copy_data(data, secdata);
2425 if (rc)
2426 goto out_free_secdata;
2427
2428 rc = selinux_parse_opts_str(secdata, &opts);
2429 if (rc)
2430 goto out_free_secdata;
2431
2432 mount_options = opts.mnt_opts;
2433 flags = opts.mnt_opts_flags;
2434
2435 for (i = 0; i < opts.num_mnt_opts; i++) {
2436 u32 sid;
2437 size_t len;
2438
2439 if (flags[i] == SE_SBLABELSUPP)
2440 continue;
2441 len = strlen(mount_options[i]);
2442 rc = security_context_to_sid(mount_options[i], len, &sid);
2443 if (rc) {
2444 printk(KERN_WARNING "SELinux: security_context_to_sid"
2445 "(%s) failed for (dev %s, type %s) errno=%d\n",
2446 mount_options[i], sb->s_id, sb->s_type->name, rc);
2447 goto out_free_opts;
2448 }
2449 rc = -EINVAL;
2450 switch (flags[i]) {
2451 case FSCONTEXT_MNT:
2452 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2453 goto out_bad_option;
2454 break;
2455 case CONTEXT_MNT:
2456 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2457 goto out_bad_option;
2458 break;
2459 case ROOTCONTEXT_MNT: {
2460 struct inode_security_struct *root_isec;
2461 root_isec = sb->s_root->d_inode->i_security;
2462
2463 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2464 goto out_bad_option;
2465 break;
2466 }
2467 case DEFCONTEXT_MNT:
2468 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2469 goto out_bad_option;
2470 break;
2471 default:
2472 goto out_free_opts;
2473 }
2474 }
2475
2476 rc = 0;
2477 out_free_opts:
2478 security_free_mnt_opts(&opts);
2479 out_free_secdata:
2480 free_secdata(secdata);
2481 return rc;
2482 out_bad_option:
2483 printk(KERN_WARNING "SELinux: unable to change security options "
2484 "during remount (dev %s, type=%s)\n", sb->s_id,
2485 sb->s_type->name);
2486 goto out_free_opts;
2487 }
2488
2489 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2490 {
2491 const struct cred *cred = current_cred();
2492 struct common_audit_data ad;
2493 int rc;
2494
2495 rc = superblock_doinit(sb, data);
2496 if (rc)
2497 return rc;
2498
2499 /* Allow all mounts performed by the kernel */
2500 if (flags & MS_KERNMOUNT)
2501 return 0;
2502
2503 ad.type = LSM_AUDIT_DATA_DENTRY;
2504 ad.u.dentry = sb->s_root;
2505 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2506 }
2507
2508 static int selinux_sb_statfs(struct dentry *dentry)
2509 {
2510 const struct cred *cred = current_cred();
2511 struct common_audit_data ad;
2512
2513 ad.type = LSM_AUDIT_DATA_DENTRY;
2514 ad.u.dentry = dentry->d_sb->s_root;
2515 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2516 }
2517
2518 static int selinux_mount(const char *dev_name,
2519 struct path *path,
2520 const char *type,
2521 unsigned long flags,
2522 void *data)
2523 {
2524 const struct cred *cred = current_cred();
2525
2526 if (flags & MS_REMOUNT)
2527 return superblock_has_perm(cred, path->dentry->d_sb,
2528 FILESYSTEM__REMOUNT, NULL);
2529 else
2530 return path_has_perm(cred, path, FILE__MOUNTON);
2531 }
2532
2533 static int selinux_umount(struct vfsmount *mnt, int flags)
2534 {
2535 const struct cred *cred = current_cred();
2536
2537 return superblock_has_perm(cred, mnt->mnt_sb,
2538 FILESYSTEM__UNMOUNT, NULL);
2539 }
2540
2541 /* inode security operations */
2542
2543 static int selinux_inode_alloc_security(struct inode *inode)
2544 {
2545 return inode_alloc_security(inode);
2546 }
2547
2548 static void selinux_inode_free_security(struct inode *inode)
2549 {
2550 inode_free_security(inode);
2551 }
2552
2553 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2554 const struct qstr *qstr, char **name,
2555 void **value, size_t *len)
2556 {
2557 const struct task_security_struct *tsec = current_security();
2558 struct inode_security_struct *dsec;
2559 struct superblock_security_struct *sbsec;
2560 u32 sid, newsid, clen;
2561 int rc;
2562 char *namep = NULL, *context;
2563
2564 dsec = dir->i_security;
2565 sbsec = dir->i_sb->s_security;
2566
2567 sid = tsec->sid;
2568 newsid = tsec->create_sid;
2569
2570 if ((sbsec->flags & SE_SBINITIALIZED) &&
2571 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2572 newsid = sbsec->mntpoint_sid;
2573 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2574 rc = security_transition_sid(sid, dsec->sid,
2575 inode_mode_to_security_class(inode->i_mode),
2576 qstr, &newsid);
2577 if (rc) {
2578 printk(KERN_WARNING "%s: "
2579 "security_transition_sid failed, rc=%d (dev=%s "
2580 "ino=%ld)\n",
2581 __func__,
2582 -rc, inode->i_sb->s_id, inode->i_ino);
2583 return rc;
2584 }
2585 }
2586
2587 /* Possibly defer initialization to selinux_complete_init. */
2588 if (sbsec->flags & SE_SBINITIALIZED) {
2589 struct inode_security_struct *isec = inode->i_security;
2590 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2591 isec->sid = newsid;
2592 isec->initialized = 1;
2593 }
2594
2595 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2596 return -EOPNOTSUPP;
2597
2598 if (name) {
2599 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2600 if (!namep)
2601 return -ENOMEM;
2602 *name = namep;
2603 }
2604
2605 if (value && len) {
2606 rc = security_sid_to_context_force(newsid, &context, &clen);
2607 if (rc) {
2608 kfree(namep);
2609 return rc;
2610 }
2611 *value = context;
2612 *len = clen;
2613 }
2614
2615 return 0;
2616 }
2617
2618 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2619 {
2620 return may_create(dir, dentry, SECCLASS_FILE);
2621 }
2622
2623 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2624 {
2625 return may_link(dir, old_dentry, MAY_LINK);
2626 }
2627
2628 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2629 {
2630 return may_link(dir, dentry, MAY_UNLINK);
2631 }
2632
2633 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2634 {
2635 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2636 }
2637
2638 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2639 {
2640 return may_create(dir, dentry, SECCLASS_DIR);
2641 }
2642
2643 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2644 {
2645 return may_link(dir, dentry, MAY_RMDIR);
2646 }
2647
2648 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2649 {
2650 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2651 }
2652
2653 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2654 struct inode *new_inode, struct dentry *new_dentry)
2655 {
2656 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2657 }
2658
2659 static int selinux_inode_readlink(struct dentry *dentry)
2660 {
2661 const struct cred *cred = current_cred();
2662
2663 return dentry_has_perm(cred, dentry, FILE__READ);
2664 }
2665
2666 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2667 {
2668 const struct cred *cred = current_cred();
2669
2670 return dentry_has_perm(cred, dentry, FILE__READ);
2671 }
2672
2673 static noinline int audit_inode_permission(struct inode *inode,
2674 u32 perms, u32 audited, u32 denied,
2675 unsigned flags)
2676 {
2677 struct common_audit_data ad;
2678 struct inode_security_struct *isec = inode->i_security;
2679 int rc;
2680
2681 ad.type = LSM_AUDIT_DATA_INODE;
2682 ad.u.inode = inode;
2683
2684 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2685 audited, denied, &ad, flags);
2686 if (rc)
2687 return rc;
2688 return 0;
2689 }
2690
2691 static int selinux_inode_permission(struct inode *inode, int mask)
2692 {
2693 const struct cred *cred = current_cred();
2694 u32 perms;
2695 bool from_access;
2696 unsigned flags = mask & MAY_NOT_BLOCK;
2697 struct inode_security_struct *isec;
2698 u32 sid;
2699 struct av_decision avd;
2700 int rc, rc2;
2701 u32 audited, denied;
2702
2703 from_access = mask & MAY_ACCESS;
2704 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2705
2706 /* No permission to check. Existence test. */
2707 if (!mask)
2708 return 0;
2709
2710 validate_creds(cred);
2711
2712 if (unlikely(IS_PRIVATE(inode)))
2713 return 0;
2714
2715 perms = file_mask_to_av(inode->i_mode, mask);
2716
2717 sid = cred_sid(cred);
2718 isec = inode->i_security;
2719
2720 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2721 audited = avc_audit_required(perms, &avd, rc,
2722 from_access ? FILE__AUDIT_ACCESS : 0,
2723 &denied);
2724 if (likely(!audited))
2725 return rc;
2726
2727 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2728 if (rc2)
2729 return rc2;
2730 return rc;
2731 }
2732
2733 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2734 {
2735 const struct cred *cred = current_cred();
2736 unsigned int ia_valid = iattr->ia_valid;
2737 __u32 av = FILE__WRITE;
2738
2739 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2740 if (ia_valid & ATTR_FORCE) {
2741 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2742 ATTR_FORCE);
2743 if (!ia_valid)
2744 return 0;
2745 }
2746
2747 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2748 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2749 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2750
2751 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2752 av |= FILE__OPEN;
2753
2754 return dentry_has_perm(cred, dentry, av);
2755 }
2756
2757 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2758 {
2759 const struct cred *cred = current_cred();
2760 struct path path;
2761
2762 path.dentry = dentry;
2763 path.mnt = mnt;
2764
2765 return path_has_perm(cred, &path, FILE__GETATTR);
2766 }
2767
2768 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2769 {
2770 const struct cred *cred = current_cred();
2771
2772 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2773 sizeof XATTR_SECURITY_PREFIX - 1)) {
2774 if (!strcmp(name, XATTR_NAME_CAPS)) {
2775 if (!capable(CAP_SETFCAP))
2776 return -EPERM;
2777 } else if (!capable(CAP_SYS_ADMIN)) {
2778 /* A different attribute in the security namespace.
2779 Restrict to administrator. */
2780 return -EPERM;
2781 }
2782 }
2783
2784 /* Not an attribute we recognize, so just check the
2785 ordinary setattr permission. */
2786 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2787 }
2788
2789 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2790 const void *value, size_t size, int flags)
2791 {
2792 struct inode *inode = dentry->d_inode;
2793 struct inode_security_struct *isec = inode->i_security;
2794 struct superblock_security_struct *sbsec;
2795 struct common_audit_data ad;
2796 u32 newsid, sid = current_sid();
2797 int rc = 0;
2798
2799 if (strcmp(name, XATTR_NAME_SELINUX))
2800 return selinux_inode_setotherxattr(dentry, name);
2801
2802 sbsec = inode->i_sb->s_security;
2803 if (!(sbsec->flags & SE_SBLABELSUPP))
2804 return -EOPNOTSUPP;
2805
2806 if (!inode_owner_or_capable(inode))
2807 return -EPERM;
2808
2809 ad.type = LSM_AUDIT_DATA_DENTRY;
2810 ad.u.dentry = dentry;
2811
2812 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2813 FILE__RELABELFROM, &ad);
2814 if (rc)
2815 return rc;
2816
2817 rc = security_context_to_sid(value, size, &newsid);
2818 if (rc == -EINVAL) {
2819 if (!capable(CAP_MAC_ADMIN)) {
2820 struct audit_buffer *ab;
2821 size_t audit_size;
2822 const char *str;
2823
2824 /* We strip a nul only if it is at the end, otherwise the
2825 * context contains a nul and we should audit that */
2826 if (value) {
2827 str = value;
2828 if (str[size - 1] == '\0')
2829 audit_size = size - 1;
2830 else
2831 audit_size = size;
2832 } else {
2833 str = "";
2834 audit_size = 0;
2835 }
2836 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2837 audit_log_format(ab, "op=setxattr invalid_context=");
2838 audit_log_n_untrustedstring(ab, value, audit_size);
2839 audit_log_end(ab);
2840
2841 return rc;
2842 }
2843 rc = security_context_to_sid_force(value, size, &newsid);
2844 }
2845 if (rc)
2846 return rc;
2847
2848 rc = avc_has_perm(sid, newsid, isec->sclass,
2849 FILE__RELABELTO, &ad);
2850 if (rc)
2851 return rc;
2852
2853 rc = security_validate_transition(isec->sid, newsid, sid,
2854 isec->sclass);
2855 if (rc)
2856 return rc;
2857
2858 return avc_has_perm(newsid,
2859 sbsec->sid,
2860 SECCLASS_FILESYSTEM,
2861 FILESYSTEM__ASSOCIATE,
2862 &ad);
2863 }
2864
2865 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2866 const void *value, size_t size,
2867 int flags)
2868 {
2869 struct inode *inode = dentry->d_inode;
2870 struct inode_security_struct *isec = inode->i_security;
2871 u32 newsid;
2872 int rc;
2873
2874 if (strcmp(name, XATTR_NAME_SELINUX)) {
2875 /* Not an attribute we recognize, so nothing to do. */
2876 return;
2877 }
2878
2879 rc = security_context_to_sid_force(value, size, &newsid);
2880 if (rc) {
2881 printk(KERN_ERR "SELinux: unable to map context to SID"
2882 "for (%s, %lu), rc=%d\n",
2883 inode->i_sb->s_id, inode->i_ino, -rc);
2884 return;
2885 }
2886
2887 isec->sid = newsid;
2888 return;
2889 }
2890
2891 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2892 {
2893 const struct cred *cred = current_cred();
2894
2895 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2896 }
2897
2898 static int selinux_inode_listxattr(struct dentry *dentry)
2899 {
2900 const struct cred *cred = current_cred();
2901
2902 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2903 }
2904
2905 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2906 {
2907 if (strcmp(name, XATTR_NAME_SELINUX))
2908 return selinux_inode_setotherxattr(dentry, name);
2909
2910 /* No one is allowed to remove a SELinux security label.
2911 You can change the label, but all data must be labeled. */
2912 return -EACCES;
2913 }
2914
2915 /*
2916 * Copy the inode security context value to the user.
2917 *
2918 * Permission check is handled by selinux_inode_getxattr hook.
2919 */
2920 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2921 {
2922 u32 size;
2923 int error;
2924 char *context = NULL;
2925 struct inode_security_struct *isec = inode->i_security;
2926
2927 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2928 return -EOPNOTSUPP;
2929
2930 /*
2931 * If the caller has CAP_MAC_ADMIN, then get the raw context
2932 * value even if it is not defined by current policy; otherwise,
2933 * use the in-core value under current policy.
2934 * Use the non-auditing forms of the permission checks since
2935 * getxattr may be called by unprivileged processes commonly
2936 * and lack of permission just means that we fall back to the
2937 * in-core context value, not a denial.
2938 */
2939 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2940 SECURITY_CAP_NOAUDIT);
2941 if (!error)
2942 error = security_sid_to_context_force(isec->sid, &context,
2943 &size);
2944 else
2945 error = security_sid_to_context(isec->sid, &context, &size);
2946 if (error)
2947 return error;
2948 error = size;
2949 if (alloc) {
2950 *buffer = context;
2951 goto out_nofree;
2952 }
2953 kfree(context);
2954 out_nofree:
2955 return error;
2956 }
2957
2958 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2959 const void *value, size_t size, int flags)
2960 {
2961 struct inode_security_struct *isec = inode->i_security;
2962 u32 newsid;
2963 int rc;
2964
2965 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2966 return -EOPNOTSUPP;
2967
2968 if (!value || !size)
2969 return -EACCES;
2970
2971 rc = security_context_to_sid((void *)value, size, &newsid);
2972 if (rc)
2973 return rc;
2974
2975 isec->sid = newsid;
2976 isec->initialized = 1;
2977 return 0;
2978 }
2979
2980 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2981 {
2982 const int len = sizeof(XATTR_NAME_SELINUX);
2983 if (buffer && len <= buffer_size)
2984 memcpy(buffer, XATTR_NAME_SELINUX, len);
2985 return len;
2986 }
2987
2988 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2989 {
2990 struct inode_security_struct *isec = inode->i_security;
2991 *secid = isec->sid;
2992 }
2993
2994 /* file security operations */
2995
2996 static int selinux_revalidate_file_permission(struct file *file, int mask)
2997 {
2998 const struct cred *cred = current_cred();
2999 struct inode *inode = file_inode(file);
3000
3001 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3002 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3003 mask |= MAY_APPEND;
3004
3005 return file_has_perm(cred, file,
3006 file_mask_to_av(inode->i_mode, mask));
3007 }
3008
3009 static int selinux_file_permission(struct file *file, int mask)
3010 {
3011 struct inode *inode = file_inode(file);
3012 struct file_security_struct *fsec = file->f_security;
3013 struct inode_security_struct *isec = inode->i_security;
3014 u32 sid = current_sid();
3015
3016 if (!mask)
3017 /* No permission to check. Existence test. */
3018 return 0;
3019
3020 if (sid == fsec->sid && fsec->isid == isec->sid &&
3021 fsec->pseqno == avc_policy_seqno())
3022 /* No change since file_open check. */
3023 return 0;
3024
3025 return selinux_revalidate_file_permission(file, mask);
3026 }
3027
3028 static int selinux_file_alloc_security(struct file *file)
3029 {
3030 return file_alloc_security(file);
3031 }
3032
3033 static void selinux_file_free_security(struct file *file)
3034 {
3035 file_free_security(file);
3036 }
3037
3038 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3039 unsigned long arg)
3040 {
3041 const struct cred *cred = current_cred();
3042 int error = 0;
3043
3044 switch (cmd) {
3045 case FIONREAD:
3046 /* fall through */
3047 case FIBMAP:
3048 /* fall through */
3049 case FIGETBSZ:
3050 /* fall through */
3051 case FS_IOC_GETFLAGS:
3052 /* fall through */
3053 case FS_IOC_GETVERSION:
3054 error = file_has_perm(cred, file, FILE__GETATTR);
3055 break;
3056
3057 case FS_IOC_SETFLAGS:
3058 /* fall through */
3059 case FS_IOC_SETVERSION:
3060 error = file_has_perm(cred, file, FILE__SETATTR);
3061 break;
3062
3063 /* sys_ioctl() checks */
3064 case FIONBIO:
3065 /* fall through */
3066 case FIOASYNC:
3067 error = file_has_perm(cred, file, 0);
3068 break;
3069
3070 case KDSKBENT:
3071 case KDSKBSENT:
3072 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3073 SECURITY_CAP_AUDIT);
3074 break;
3075
3076 /* default case assumes that the command will go
3077 * to the file's ioctl() function.
3078 */
3079 default:
3080 error = file_has_perm(cred, file, FILE__IOCTL);
3081 }
3082 return error;
3083 }
3084
3085 static int default_noexec;
3086
3087 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3088 {
3089 const struct cred *cred = current_cred();
3090 int rc = 0;
3091
3092 if (default_noexec &&
3093 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3094 /*
3095 * We are making executable an anonymous mapping or a
3096 * private file mapping that will also be writable.
3097 * This has an additional check.
3098 */
3099 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3100 if (rc)
3101 goto error;
3102 }
3103
3104 if (file) {
3105 /* read access is always possible with a mapping */
3106 u32 av = FILE__READ;
3107
3108 /* write access only matters if the mapping is shared */
3109 if (shared && (prot & PROT_WRITE))
3110 av |= FILE__WRITE;
3111
3112 if (prot & PROT_EXEC)
3113 av |= FILE__EXECUTE;
3114
3115 return file_has_perm(cred, file, av);
3116 }
3117
3118 error:
3119 return rc;
3120 }
3121
3122 static int selinux_mmap_addr(unsigned long addr)
3123 {
3124 int rc = 0;
3125 u32 sid = current_sid();
3126
3127 /*
3128 * notice that we are intentionally putting the SELinux check before
3129 * the secondary cap_file_mmap check. This is such a likely attempt
3130 * at bad behaviour/exploit that we always want to get the AVC, even
3131 * if DAC would have also denied the operation.
3132 */
3133 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3134 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3135 MEMPROTECT__MMAP_ZERO, NULL);
3136 if (rc)
3137 return rc;
3138 }
3139
3140 /* do DAC check on address space usage */
3141 return cap_mmap_addr(addr);
3142 }
3143
3144 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3145 unsigned long prot, unsigned long flags)
3146 {
3147 if (selinux_checkreqprot)
3148 prot = reqprot;
3149
3150 return file_map_prot_check(file, prot,
3151 (flags & MAP_TYPE) == MAP_SHARED);
3152 }
3153
3154 static int selinux_file_mprotect(struct vm_area_struct *vma,
3155 unsigned long reqprot,
3156 unsigned long prot)
3157 {
3158 const struct cred *cred = current_cred();
3159
3160 if (selinux_checkreqprot)
3161 prot = reqprot;
3162
3163 if (default_noexec &&
3164 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3165 int rc = 0;
3166 if (vma->vm_start >= vma->vm_mm->start_brk &&
3167 vma->vm_end <= vma->vm_mm->brk) {
3168 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3169 } else if (!vma->vm_file &&
3170 vma->vm_start <= vma->vm_mm->start_stack &&
3171 vma->vm_end >= vma->vm_mm->start_stack) {
3172 rc = current_has_perm(current, PROCESS__EXECSTACK);
3173 } else if (vma->vm_file && vma->anon_vma) {
3174 /*
3175 * We are making executable a file mapping that has
3176 * had some COW done. Since pages might have been
3177 * written, check ability to execute the possibly
3178 * modified content. This typically should only
3179 * occur for text relocations.
3180 */
3181 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3182 }
3183 if (rc)
3184 return rc;
3185 }
3186
3187 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3188 }
3189
3190 static int selinux_file_lock(struct file *file, unsigned int cmd)
3191 {
3192 const struct cred *cred = current_cred();
3193
3194 return file_has_perm(cred, file, FILE__LOCK);
3195 }
3196
3197 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3198 unsigned long arg)
3199 {
3200 const struct cred *cred = current_cred();
3201 int err = 0;
3202
3203 switch (cmd) {
3204 case F_SETFL:
3205 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3206 err = file_has_perm(cred, file, FILE__WRITE);
3207 break;
3208 }
3209 /* fall through */
3210 case F_SETOWN:
3211 case F_SETSIG:
3212 case F_GETFL:
3213 case F_GETOWN:
3214 case F_GETSIG:
3215 case F_GETOWNER_UIDS:
3216 /* Just check FD__USE permission */
3217 err = file_has_perm(cred, file, 0);
3218 break;
3219 case F_GETLK:
3220 case F_SETLK:
3221 case F_SETLKW:
3222 #if BITS_PER_LONG == 32
3223 case F_GETLK64:
3224 case F_SETLK64:
3225 case F_SETLKW64:
3226 #endif
3227 err = file_has_perm(cred, file, FILE__LOCK);
3228 break;
3229 }
3230
3231 return err;
3232 }
3233
3234 static int selinux_file_set_fowner(struct file *file)
3235 {
3236 struct file_security_struct *fsec;
3237
3238 fsec = file->f_security;
3239 fsec->fown_sid = current_sid();
3240
3241 return 0;
3242 }
3243
3244 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3245 struct fown_struct *fown, int signum)
3246 {
3247 struct file *file;
3248 u32 sid = task_sid(tsk);
3249 u32 perm;
3250 struct file_security_struct *fsec;
3251
3252 /* struct fown_struct is never outside the context of a struct file */
3253 file = container_of(fown, struct file, f_owner);
3254
3255 fsec = file->f_security;
3256
3257 if (!signum)
3258 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3259 else
3260 perm = signal_to_av(signum);
3261
3262 return avc_has_perm(fsec->fown_sid, sid,
3263 SECCLASS_PROCESS, perm, NULL);
3264 }
3265
3266 static int selinux_file_receive(struct file *file)
3267 {
3268 const struct cred *cred = current_cred();
3269
3270 return file_has_perm(cred, file, file_to_av(file));
3271 }
3272
3273 static int selinux_file_open(struct file *file, const struct cred *cred)
3274 {
3275 struct file_security_struct *fsec;
3276 struct inode_security_struct *isec;
3277
3278 fsec = file->f_security;
3279 isec = file_inode(file)->i_security;
3280 /*
3281 * Save inode label and policy sequence number
3282 * at open-time so that selinux_file_permission
3283 * can determine whether revalidation is necessary.
3284 * Task label is already saved in the file security
3285 * struct as its SID.
3286 */
3287 fsec->isid = isec->sid;
3288 fsec->pseqno = avc_policy_seqno();
3289 /*
3290 * Since the inode label or policy seqno may have changed
3291 * between the selinux_inode_permission check and the saving
3292 * of state above, recheck that access is still permitted.
3293 * Otherwise, access might never be revalidated against the
3294 * new inode label or new policy.
3295 * This check is not redundant - do not remove.
3296 */
3297 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3298 }
3299
3300 /* task security operations */
3301
3302 static int selinux_task_create(unsigned long clone_flags)
3303 {
3304 return current_has_perm(current, PROCESS__FORK);
3305 }
3306
3307 /*
3308 * allocate the SELinux part of blank credentials
3309 */
3310 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3311 {
3312 struct task_security_struct *tsec;
3313
3314 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3315 if (!tsec)
3316 return -ENOMEM;
3317
3318 cred->security = tsec;
3319 return 0;
3320 }
3321
3322 /*
3323 * detach and free the LSM part of a set of credentials
3324 */
3325 static void selinux_cred_free(struct cred *cred)
3326 {
3327 struct task_security_struct *tsec = cred->security;
3328
3329 /*
3330 * cred->security == NULL if security_cred_alloc_blank() or
3331 * security_prepare_creds() returned an error.
3332 */
3333 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3334 cred->security = (void *) 0x7UL;
3335 kfree(tsec);
3336 }
3337
3338 /*
3339 * prepare a new set of credentials for modification
3340 */
3341 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3342 gfp_t gfp)
3343 {
3344 const struct task_security_struct *old_tsec;
3345 struct task_security_struct *tsec;
3346
3347 old_tsec = old->security;
3348
3349 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3350 if (!tsec)
3351 return -ENOMEM;
3352
3353 new->security = tsec;
3354 return 0;
3355 }
3356
3357 /*
3358 * transfer the SELinux data to a blank set of creds
3359 */
3360 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3361 {
3362 const struct task_security_struct *old_tsec = old->security;
3363 struct task_security_struct *tsec = new->security;
3364
3365 *tsec = *old_tsec;
3366 }
3367
3368 /*
3369 * set the security data for a kernel service
3370 * - all the creation contexts are set to unlabelled
3371 */
3372 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3373 {
3374 struct task_security_struct *tsec = new->security;
3375 u32 sid = current_sid();
3376 int ret;
3377
3378 ret = avc_has_perm(sid, secid,
3379 SECCLASS_KERNEL_SERVICE,
3380 KERNEL_SERVICE__USE_AS_OVERRIDE,
3381 NULL);
3382 if (ret == 0) {
3383 tsec->sid = secid;
3384 tsec->create_sid = 0;
3385 tsec->keycreate_sid = 0;
3386 tsec->sockcreate_sid = 0;
3387 }
3388 return ret;
3389 }
3390
3391 /*
3392 * set the file creation context in a security record to the same as the
3393 * objective context of the specified inode
3394 */
3395 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3396 {
3397 struct inode_security_struct *isec = inode->i_security;
3398 struct task_security_struct *tsec = new->security;
3399 u32 sid = current_sid();
3400 int ret;
3401
3402 ret = avc_has_perm(sid, isec->sid,
3403 SECCLASS_KERNEL_SERVICE,
3404 KERNEL_SERVICE__CREATE_FILES_AS,
3405 NULL);
3406
3407 if (ret == 0)
3408 tsec->create_sid = isec->sid;
3409 return ret;
3410 }
3411
3412 static int selinux_kernel_module_request(char *kmod_name)
3413 {
3414 u32 sid;
3415 struct common_audit_data ad;
3416
3417 sid = task_sid(current);
3418
3419 ad.type = LSM_AUDIT_DATA_KMOD;
3420 ad.u.kmod_name = kmod_name;
3421
3422 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3423 SYSTEM__MODULE_REQUEST, &ad);
3424 }
3425
3426 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3427 {
3428 return current_has_perm(p, PROCESS__SETPGID);
3429 }
3430
3431 static int selinux_task_getpgid(struct task_struct *p)
3432 {
3433 return current_has_perm(p, PROCESS__GETPGID);
3434 }
3435
3436 static int selinux_task_getsid(struct task_struct *p)
3437 {
3438 return current_has_perm(p, PROCESS__GETSESSION);
3439 }
3440
3441 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3442 {
3443 *secid = task_sid(p);
3444 }
3445
3446 static int selinux_task_setnice(struct task_struct *p, int nice)
3447 {
3448 int rc;
3449
3450 rc = cap_task_setnice(p, nice);
3451 if (rc)
3452 return rc;
3453
3454 return current_has_perm(p, PROCESS__SETSCHED);
3455 }
3456
3457 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3458 {
3459 int rc;
3460
3461 rc = cap_task_setioprio(p, ioprio);
3462 if (rc)
3463 return rc;
3464
3465 return current_has_perm(p, PROCESS__SETSCHED);
3466 }
3467
3468 static int selinux_task_getioprio(struct task_struct *p)
3469 {
3470 return current_has_perm(p, PROCESS__GETSCHED);
3471 }
3472
3473 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3474 struct rlimit *new_rlim)
3475 {
3476 struct rlimit *old_rlim = p->signal->rlim + resource;
3477
3478 /* Control the ability to change the hard limit (whether
3479 lowering or raising it), so that the hard limit can
3480 later be used as a safe reset point for the soft limit
3481 upon context transitions. See selinux_bprm_committing_creds. */
3482 if (old_rlim->rlim_max != new_rlim->rlim_max)
3483 return current_has_perm(p, PROCESS__SETRLIMIT);
3484
3485 return 0;
3486 }
3487
3488 static int selinux_task_setscheduler(struct task_struct *p)
3489 {
3490 int rc;
3491
3492 rc = cap_task_setscheduler(p);
3493 if (rc)
3494 return rc;
3495
3496 return current_has_perm(p, PROCESS__SETSCHED);
3497 }
3498
3499 static int selinux_task_getscheduler(struct task_struct *p)
3500 {
3501 return current_has_perm(p, PROCESS__GETSCHED);
3502 }
3503
3504 static int selinux_task_movememory(struct task_struct *p)
3505 {
3506 return current_has_perm(p, PROCESS__SETSCHED);
3507 }
3508
3509 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3510 int sig, u32 secid)
3511 {
3512 u32 perm;
3513 int rc;
3514
3515 if (!sig)
3516 perm = PROCESS__SIGNULL; /* null signal; existence test */
3517 else
3518 perm = signal_to_av(sig);
3519 if (secid)
3520 rc = avc_has_perm(secid, task_sid(p),
3521 SECCLASS_PROCESS, perm, NULL);
3522 else
3523 rc = current_has_perm(p, perm);
3524 return rc;
3525 }
3526
3527 static int selinux_task_wait(struct task_struct *p)
3528 {
3529 return task_has_perm(p, current, PROCESS__SIGCHLD);
3530 }
3531
3532 static void selinux_task_to_inode(struct task_struct *p,
3533 struct inode *inode)
3534 {
3535 struct inode_security_struct *isec = inode->i_security;
3536 u32 sid = task_sid(p);
3537
3538 isec->sid = sid;
3539 isec->initialized = 1;
3540 }
3541
3542 /* Returns error only if unable to parse addresses */
3543 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3544 struct common_audit_data *ad, u8 *proto)
3545 {
3546 int offset, ihlen, ret = -EINVAL;
3547 struct iphdr _iph, *ih;
3548
3549 offset = skb_network_offset(skb);
3550 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3551 if (ih == NULL)
3552 goto out;
3553
3554 ihlen = ih->ihl * 4;
3555 if (ihlen < sizeof(_iph))
3556 goto out;
3557
3558 ad->u.net->v4info.saddr = ih->saddr;
3559 ad->u.net->v4info.daddr = ih->daddr;
3560 ret = 0;
3561
3562 if (proto)
3563 *proto = ih->protocol;
3564
3565 switch (ih->protocol) {
3566 case IPPROTO_TCP: {
3567 struct tcphdr _tcph, *th;
3568
3569 if (ntohs(ih->frag_off) & IP_OFFSET)
3570 break;
3571
3572 offset += ihlen;
3573 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3574 if (th == NULL)
3575 break;
3576
3577 ad->u.net->sport = th->source;
3578 ad->u.net->dport = th->dest;
3579 break;
3580 }
3581
3582 case IPPROTO_UDP: {
3583 struct udphdr _udph, *uh;
3584
3585 if (ntohs(ih->frag_off) & IP_OFFSET)
3586 break;
3587
3588 offset += ihlen;
3589 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3590 if (uh == NULL)
3591 break;
3592
3593 ad->u.net->sport = uh->source;
3594 ad->u.net->dport = uh->dest;
3595 break;
3596 }
3597
3598 case IPPROTO_DCCP: {
3599 struct dccp_hdr _dccph, *dh;
3600
3601 if (ntohs(ih->frag_off) & IP_OFFSET)
3602 break;
3603
3604 offset += ihlen;
3605 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3606 if (dh == NULL)
3607 break;
3608
3609 ad->u.net->sport = dh->dccph_sport;
3610 ad->u.net->dport = dh->dccph_dport;
3611 break;
3612 }
3613
3614 default:
3615 break;
3616 }
3617 out:
3618 return ret;
3619 }
3620
3621 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3622
3623 /* Returns error only if unable to parse addresses */
3624 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3625 struct common_audit_data *ad, u8 *proto)
3626 {
3627 u8 nexthdr;
3628 int ret = -EINVAL, offset;
3629 struct ipv6hdr _ipv6h, *ip6;
3630 __be16 frag_off;
3631
3632 offset = skb_network_offset(skb);
3633 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3634 if (ip6 == NULL)
3635 goto out;
3636
3637 ad->u.net->v6info.saddr = ip6->saddr;
3638 ad->u.net->v6info.daddr = ip6->daddr;
3639 ret = 0;
3640
3641 nexthdr = ip6->nexthdr;
3642 offset += sizeof(_ipv6h);
3643 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3644 if (offset < 0)
3645 goto out;
3646
3647 if (proto)
3648 *proto = nexthdr;
3649
3650 switch (nexthdr) {
3651 case IPPROTO_TCP: {
3652 struct tcphdr _tcph, *th;
3653
3654 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3655 if (th == NULL)
3656 break;
3657
3658 ad->u.net->sport = th->source;
3659 ad->u.net->dport = th->dest;
3660 break;
3661 }
3662
3663 case IPPROTO_UDP: {
3664 struct udphdr _udph, *uh;
3665
3666 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3667 if (uh == NULL)
3668 break;
3669
3670 ad->u.net->sport = uh->source;
3671 ad->u.net->dport = uh->dest;
3672 break;
3673 }
3674
3675 case IPPROTO_DCCP: {
3676 struct dccp_hdr _dccph, *dh;
3677
3678 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3679 if (dh == NULL)
3680 break;
3681
3682 ad->u.net->sport = dh->dccph_sport;
3683 ad->u.net->dport = dh->dccph_dport;
3684 break;
3685 }
3686
3687 /* includes fragments */
3688 default:
3689 break;
3690 }
3691 out:
3692 return ret;
3693 }
3694
3695 #endif /* IPV6 */
3696
3697 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3698 char **_addrp, int src, u8 *proto)
3699 {
3700 char *addrp;
3701 int ret;
3702
3703 switch (ad->u.net->family) {
3704 case PF_INET:
3705 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3706 if (ret)
3707 goto parse_error;
3708 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3709 &ad->u.net->v4info.daddr);
3710 goto okay;
3711
3712 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3713 case PF_INET6:
3714 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3715 if (ret)
3716 goto parse_error;
3717 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3718 &ad->u.net->v6info.daddr);
3719 goto okay;
3720 #endif /* IPV6 */
3721 default:
3722 addrp = NULL;
3723 goto okay;
3724 }
3725
3726 parse_error:
3727 printk(KERN_WARNING
3728 "SELinux: failure in selinux_parse_skb(),"
3729 " unable to parse packet\n");
3730 return ret;
3731
3732 okay:
3733 if (_addrp)
3734 *_addrp = addrp;
3735 return 0;
3736 }
3737
3738 /**
3739 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3740 * @skb: the packet
3741 * @family: protocol family
3742 * @sid: the packet's peer label SID
3743 *
3744 * Description:
3745 * Check the various different forms of network peer labeling and determine
3746 * the peer label/SID for the packet; most of the magic actually occurs in
3747 * the security server function security_net_peersid_cmp(). The function
3748 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3749 * or -EACCES if @sid is invalid due to inconsistencies with the different
3750 * peer labels.
3751 *
3752 */
3753 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3754 {
3755 int err;
3756 u32 xfrm_sid;
3757 u32 nlbl_sid;
3758 u32 nlbl_type;
3759
3760 selinux_xfrm_skb_sid(skb, &xfrm_sid);
3761 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3762
3763 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3764 if (unlikely(err)) {
3765 printk(KERN_WARNING
3766 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3767 " unable to determine packet's peer label\n");
3768 return -EACCES;
3769 }
3770
3771 return 0;
3772 }
3773
3774 /**
3775 * selinux_conn_sid - Determine the child socket label for a connection
3776 * @sk_sid: the parent socket's SID
3777 * @skb_sid: the packet's SID
3778 * @conn_sid: the resulting connection SID
3779 *
3780 * If @skb_sid is valid then the user:role:type information from @sk_sid is
3781 * combined with the MLS information from @skb_sid in order to create
3782 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
3783 * of @sk_sid. Returns zero on success, negative values on failure.
3784 *
3785 */
3786 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3787 {
3788 int err = 0;
3789
3790 if (skb_sid != SECSID_NULL)
3791 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3792 else
3793 *conn_sid = sk_sid;
3794
3795 return err;
3796 }
3797
3798 /* socket security operations */
3799
3800 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3801 u16 secclass, u32 *socksid)
3802 {
3803 if (tsec->sockcreate_sid > SECSID_NULL) {
3804 *socksid = tsec->sockcreate_sid;
3805 return 0;
3806 }
3807
3808 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3809 socksid);
3810 }
3811
3812 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3813 {
3814 struct sk_security_struct *sksec = sk->sk_security;
3815 struct common_audit_data ad;
3816 struct lsm_network_audit net = {0,};
3817 u32 tsid = task_sid(task);
3818
3819 if (sksec->sid == SECINITSID_KERNEL)
3820 return 0;
3821
3822 ad.type = LSM_AUDIT_DATA_NET;
3823 ad.u.net = &net;
3824 ad.u.net->sk = sk;
3825
3826 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3827 }
3828
3829 static int selinux_socket_create(int family, int type,
3830 int protocol, int kern)
3831 {
3832 const struct task_security_struct *tsec = current_security();
3833 u32 newsid;
3834 u16 secclass;
3835 int rc;
3836
3837 if (kern)
3838 return 0;
3839
3840 secclass = socket_type_to_security_class(family, type, protocol);
3841 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3842 if (rc)
3843 return rc;
3844
3845 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3846 }
3847
3848 static int selinux_socket_post_create(struct socket *sock, int family,
3849 int type, int protocol, int kern)
3850 {
3851 const struct task_security_struct *tsec = current_security();
3852 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3853 struct sk_security_struct *sksec;
3854 int err = 0;
3855
3856 isec->sclass = socket_type_to_security_class(family, type, protocol);
3857
3858 if (kern)
3859 isec->sid = SECINITSID_KERNEL;
3860 else {
3861 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3862 if (err)
3863 return err;
3864 }
3865
3866 isec->initialized = 1;
3867
3868 if (sock->sk) {
3869 sksec = sock->sk->sk_security;
3870 sksec->sid = isec->sid;
3871 sksec->sclass = isec->sclass;
3872 err = selinux_netlbl_socket_post_create(sock->sk, family);
3873 }
3874
3875 return err;
3876 }
3877
3878 /* Range of port numbers used to automatically bind.
3879 Need to determine whether we should perform a name_bind
3880 permission check between the socket and the port number. */
3881
3882 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3883 {
3884 struct sock *sk = sock->sk;
3885 u16 family;
3886 int err;
3887
3888 err = sock_has_perm(current, sk, SOCKET__BIND);
3889 if (err)
3890 goto out;
3891
3892 /*
3893 * If PF_INET or PF_INET6, check name_bind permission for the port.
3894 * Multiple address binding for SCTP is not supported yet: we just
3895 * check the first address now.
3896 */
3897 family = sk->sk_family;
3898 if (family == PF_INET || family == PF_INET6) {
3899 char *addrp;
3900 struct sk_security_struct *sksec = sk->sk_security;
3901 struct common_audit_data ad;
3902 struct lsm_network_audit net = {0,};
3903 struct sockaddr_in *addr4 = NULL;
3904 struct sockaddr_in6 *addr6 = NULL;
3905 unsigned short snum;
3906 u32 sid, node_perm;
3907
3908 if (family == PF_INET) {
3909 addr4 = (struct sockaddr_in *)address;
3910 snum = ntohs(addr4->sin_port);
3911 addrp = (char *)&addr4->sin_addr.s_addr;
3912 } else {
3913 addr6 = (struct sockaddr_in6 *)address;
3914 snum = ntohs(addr6->sin6_port);
3915 addrp = (char *)&addr6->sin6_addr.s6_addr;
3916 }
3917
3918 if (snum) {
3919 int low, high;
3920
3921 inet_get_local_port_range(&low, &high);
3922
3923 if (snum < max(PROT_SOCK, low) || snum > high) {
3924 err = sel_netport_sid(sk->sk_protocol,
3925 snum, &sid);
3926 if (err)
3927 goto out;
3928 ad.type = LSM_AUDIT_DATA_NET;
3929 ad.u.net = &net;
3930 ad.u.net->sport = htons(snum);
3931 ad.u.net->family = family;
3932 err = avc_has_perm(sksec->sid, sid,
3933 sksec->sclass,
3934 SOCKET__NAME_BIND, &ad);
3935 if (err)
3936 goto out;
3937 }
3938 }
3939
3940 switch (sksec->sclass) {
3941 case SECCLASS_TCP_SOCKET:
3942 node_perm = TCP_SOCKET__NODE_BIND;
3943 break;
3944
3945 case SECCLASS_UDP_SOCKET:
3946 node_perm = UDP_SOCKET__NODE_BIND;
3947 break;
3948
3949 case SECCLASS_DCCP_SOCKET:
3950 node_perm = DCCP_SOCKET__NODE_BIND;
3951 break;
3952
3953 default:
3954 node_perm = RAWIP_SOCKET__NODE_BIND;
3955 break;
3956 }
3957
3958 err = sel_netnode_sid(addrp, family, &sid);
3959 if (err)
3960 goto out;
3961
3962 ad.type = LSM_AUDIT_DATA_NET;
3963 ad.u.net = &net;
3964 ad.u.net->sport = htons(snum);
3965 ad.u.net->family = family;
3966
3967 if (family == PF_INET)
3968 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3969 else
3970 ad.u.net->v6info.saddr = addr6->sin6_addr;
3971
3972 err = avc_has_perm(sksec->sid, sid,
3973 sksec->sclass, node_perm, &ad);
3974 if (err)
3975 goto out;
3976 }
3977 out:
3978 return err;
3979 }
3980
3981 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3982 {
3983 struct sock *sk = sock->sk;
3984 struct sk_security_struct *sksec = sk->sk_security;
3985 int err;
3986
3987 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3988 if (err)
3989 return err;
3990
3991 /*
3992 * If a TCP or DCCP socket, check name_connect permission for the port.
3993 */
3994 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3995 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3996 struct common_audit_data ad;
3997 struct lsm_network_audit net = {0,};
3998 struct sockaddr_in *addr4 = NULL;
3999 struct sockaddr_in6 *addr6 = NULL;
4000 unsigned short snum;
4001 u32 sid, perm;
4002
4003 if (sk->sk_family == PF_INET) {
4004 addr4 = (struct sockaddr_in *)address;
4005 if (addrlen < sizeof(struct sockaddr_in))
4006 return -EINVAL;
4007 snum = ntohs(addr4->sin_port);
4008 } else {
4009 addr6 = (struct sockaddr_in6 *)address;
4010 if (addrlen < SIN6_LEN_RFC2133)
4011 return -EINVAL;
4012 snum = ntohs(addr6->sin6_port);
4013 }
4014
4015 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4016 if (err)
4017 goto out;
4018
4019 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4020 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4021
4022 ad.type = LSM_AUDIT_DATA_NET;
4023 ad.u.net = &net;
4024 ad.u.net->dport = htons(snum);
4025 ad.u.net->family = sk->sk_family;
4026 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4027 if (err)
4028 goto out;
4029 }
4030
4031 err = selinux_netlbl_socket_connect(sk, address);
4032
4033 out:
4034 return err;
4035 }
4036
4037 static int selinux_socket_listen(struct socket *sock, int backlog)
4038 {
4039 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4040 }
4041
4042 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4043 {
4044 int err;
4045 struct inode_security_struct *isec;
4046 struct inode_security_struct *newisec;
4047
4048 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4049 if (err)
4050 return err;
4051
4052 newisec = SOCK_INODE(newsock)->i_security;
4053
4054 isec = SOCK_INODE(sock)->i_security;
4055 newisec->sclass = isec->sclass;
4056 newisec->sid = isec->sid;
4057 newisec->initialized = 1;
4058
4059 return 0;
4060 }
4061
4062 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4063 int size)
4064 {
4065 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4066 }
4067
4068 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4069 int size, int flags)
4070 {
4071 return sock_has_perm(current, sock->sk, SOCKET__READ);
4072 }
4073
4074 static int selinux_socket_getsockname(struct socket *sock)
4075 {
4076 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4077 }
4078
4079 static int selinux_socket_getpeername(struct socket *sock)
4080 {
4081 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4082 }
4083
4084 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4085 {
4086 int err;
4087
4088 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4089 if (err)
4090 return err;
4091
4092 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4093 }
4094
4095 static int selinux_socket_getsockopt(struct socket *sock, int level,
4096 int optname)
4097 {
4098 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4099 }
4100
4101 static int selinux_socket_shutdown(struct socket *sock, int how)
4102 {
4103 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4104 }
4105
4106 static int selinux_socket_unix_stream_connect(struct sock *sock,
4107 struct sock *other,
4108 struct sock *newsk)
4109 {
4110 struct sk_security_struct *sksec_sock = sock->sk_security;
4111 struct sk_security_struct *sksec_other = other->sk_security;
4112 struct sk_security_struct *sksec_new = newsk->sk_security;
4113 struct common_audit_data ad;
4114 struct lsm_network_audit net = {0,};
4115 int err;
4116
4117 ad.type = LSM_AUDIT_DATA_NET;
4118 ad.u.net = &net;
4119 ad.u.net->sk = other;
4120
4121 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4122 sksec_other->sclass,
4123 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4124 if (err)
4125 return err;
4126
4127 /* server child socket */
4128 sksec_new->peer_sid = sksec_sock->sid;
4129 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4130 &sksec_new->sid);
4131 if (err)
4132 return err;
4133
4134 /* connecting socket */
4135 sksec_sock->peer_sid = sksec_new->sid;
4136
4137 return 0;
4138 }
4139
4140 static int selinux_socket_unix_may_send(struct socket *sock,
4141 struct socket *other)
4142 {
4143 struct sk_security_struct *ssec = sock->sk->sk_security;
4144 struct sk_security_struct *osec = other->sk->sk_security;
4145 struct common_audit_data ad;
4146 struct lsm_network_audit net = {0,};
4147
4148 ad.type = LSM_AUDIT_DATA_NET;
4149 ad.u.net = &net;
4150 ad.u.net->sk = other->sk;
4151
4152 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4153 &ad);
4154 }
4155
4156 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4157 u32 peer_sid,
4158 struct common_audit_data *ad)
4159 {
4160 int err;
4161 u32 if_sid;
4162 u32 node_sid;
4163
4164 err = sel_netif_sid(ifindex, &if_sid);
4165 if (err)
4166 return err;
4167 err = avc_has_perm(peer_sid, if_sid,
4168 SECCLASS_NETIF, NETIF__INGRESS, ad);
4169 if (err)
4170 return err;
4171
4172 err = sel_netnode_sid(addrp, family, &node_sid);
4173 if (err)
4174 return err;
4175 return avc_has_perm(peer_sid, node_sid,
4176 SECCLASS_NODE, NODE__RECVFROM, ad);
4177 }
4178
4179 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4180 u16 family)
4181 {
4182 int err = 0;
4183 struct sk_security_struct *sksec = sk->sk_security;
4184 u32 sk_sid = sksec->sid;
4185 struct common_audit_data ad;
4186 struct lsm_network_audit net = {0,};
4187 char *addrp;
4188
4189 ad.type = LSM_AUDIT_DATA_NET;
4190 ad.u.net = &net;
4191 ad.u.net->netif = skb->skb_iif;
4192 ad.u.net->family = family;
4193 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4194 if (err)
4195 return err;
4196
4197 if (selinux_secmark_enabled()) {
4198 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4199 PACKET__RECV, &ad);
4200 if (err)
4201 return err;
4202 }
4203
4204 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4205 if (err)
4206 return err;
4207 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4208
4209 return err;
4210 }
4211
4212 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4213 {
4214 int err;
4215 struct sk_security_struct *sksec = sk->sk_security;
4216 u16 family = sk->sk_family;
4217 u32 sk_sid = sksec->sid;
4218 struct common_audit_data ad;
4219 struct lsm_network_audit net = {0,};
4220 char *addrp;
4221 u8 secmark_active;
4222 u8 peerlbl_active;
4223
4224 if (family != PF_INET && family != PF_INET6)
4225 return 0;
4226
4227 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4228 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4229 family = PF_INET;
4230
4231 /* If any sort of compatibility mode is enabled then handoff processing
4232 * to the selinux_sock_rcv_skb_compat() function to deal with the
4233 * special handling. We do this in an attempt to keep this function
4234 * as fast and as clean as possible. */
4235 if (!selinux_policycap_netpeer)
4236 return selinux_sock_rcv_skb_compat(sk, skb, family);
4237
4238 secmark_active = selinux_secmark_enabled();
4239 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4240 if (!secmark_active && !peerlbl_active)
4241 return 0;
4242
4243 ad.type = LSM_AUDIT_DATA_NET;
4244 ad.u.net = &net;
4245 ad.u.net->netif = skb->skb_iif;
4246 ad.u.net->family = family;
4247 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4248 if (err)
4249 return err;
4250
4251 if (peerlbl_active) {
4252 u32 peer_sid;
4253
4254 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4255 if (err)
4256 return err;
4257 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4258 peer_sid, &ad);
4259 if (err) {
4260 selinux_netlbl_err(skb, err, 0);
4261 return err;
4262 }
4263 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4264 PEER__RECV, &ad);
4265 if (err) {
4266 selinux_netlbl_err(skb, err, 0);
4267 return err;
4268 }
4269 }
4270
4271 if (secmark_active) {
4272 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4273 PACKET__RECV, &ad);
4274 if (err)
4275 return err;
4276 }
4277
4278 return err;
4279 }
4280
4281 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4282 int __user *optlen, unsigned len)
4283 {
4284 int err = 0;
4285 char *scontext;
4286 u32 scontext_len;
4287 struct sk_security_struct *sksec = sock->sk->sk_security;
4288 u32 peer_sid = SECSID_NULL;
4289
4290 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4291 sksec->sclass == SECCLASS_TCP_SOCKET)
4292 peer_sid = sksec->peer_sid;
4293 if (peer_sid == SECSID_NULL)
4294 return -ENOPROTOOPT;
4295
4296 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4297 if (err)
4298 return err;
4299
4300 if (scontext_len > len) {
4301 err = -ERANGE;
4302 goto out_len;
4303 }
4304
4305 if (copy_to_user(optval, scontext, scontext_len))
4306 err = -EFAULT;
4307
4308 out_len:
4309 if (put_user(scontext_len, optlen))
4310 err = -EFAULT;
4311 kfree(scontext);
4312 return err;
4313 }
4314
4315 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4316 {
4317 u32 peer_secid = SECSID_NULL;
4318 u16 family;
4319
4320 if (skb && skb->protocol == htons(ETH_P_IP))
4321 family = PF_INET;
4322 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4323 family = PF_INET6;
4324 else if (sock)
4325 family = sock->sk->sk_family;
4326 else
4327 goto out;
4328
4329 if (sock && family == PF_UNIX)
4330 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4331 else if (skb)
4332 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4333
4334 out:
4335 *secid = peer_secid;
4336 if (peer_secid == SECSID_NULL)
4337 return -EINVAL;
4338 return 0;
4339 }
4340
4341 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4342 {
4343 struct sk_security_struct *sksec;
4344
4345 sksec = kzalloc(sizeof(*sksec), priority);
4346 if (!sksec)
4347 return -ENOMEM;
4348
4349 sksec->peer_sid = SECINITSID_UNLABELED;
4350 sksec->sid = SECINITSID_UNLABELED;
4351 selinux_netlbl_sk_security_reset(sksec);
4352 sk->sk_security = sksec;
4353
4354 return 0;
4355 }
4356
4357 static void selinux_sk_free_security(struct sock *sk)
4358 {
4359 struct sk_security_struct *sksec = sk->sk_security;
4360
4361 sk->sk_security = NULL;
4362 selinux_netlbl_sk_security_free(sksec);
4363 kfree(sksec);
4364 }
4365
4366 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4367 {
4368 struct sk_security_struct *sksec = sk->sk_security;
4369 struct sk_security_struct *newsksec = newsk->sk_security;
4370
4371 newsksec->sid = sksec->sid;
4372 newsksec->peer_sid = sksec->peer_sid;
4373 newsksec->sclass = sksec->sclass;
4374
4375 selinux_netlbl_sk_security_reset(newsksec);
4376 }
4377
4378 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4379 {
4380 if (!sk)
4381 *secid = SECINITSID_ANY_SOCKET;
4382 else {
4383 struct sk_security_struct *sksec = sk->sk_security;
4384
4385 *secid = sksec->sid;
4386 }
4387 }
4388
4389 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4390 {
4391 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4392 struct sk_security_struct *sksec = sk->sk_security;
4393
4394 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4395 sk->sk_family == PF_UNIX)
4396 isec->sid = sksec->sid;
4397 sksec->sclass = isec->sclass;
4398 }
4399
4400 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4401 struct request_sock *req)
4402 {
4403 struct sk_security_struct *sksec = sk->sk_security;
4404 int err;
4405 u16 family = sk->sk_family;
4406 u32 connsid;
4407 u32 peersid;
4408
4409 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4410 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4411 family = PF_INET;
4412
4413 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4414 if (err)
4415 return err;
4416 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4417 if (err)
4418 return err;
4419 req->secid = connsid;
4420 req->peer_secid = peersid;
4421
4422 return selinux_netlbl_inet_conn_request(req, family);
4423 }
4424
4425 static void selinux_inet_csk_clone(struct sock *newsk,
4426 const struct request_sock *req)
4427 {
4428 struct sk_security_struct *newsksec = newsk->sk_security;
4429
4430 newsksec->sid = req->secid;
4431 newsksec->peer_sid = req->peer_secid;
4432 /* NOTE: Ideally, we should also get the isec->sid for the
4433 new socket in sync, but we don't have the isec available yet.
4434 So we will wait until sock_graft to do it, by which
4435 time it will have been created and available. */
4436
4437 /* We don't need to take any sort of lock here as we are the only
4438 * thread with access to newsksec */
4439 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4440 }
4441
4442 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4443 {
4444 u16 family = sk->sk_family;
4445 struct sk_security_struct *sksec = sk->sk_security;
4446
4447 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4448 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4449 family = PF_INET;
4450
4451 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4452 }
4453
4454 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4455 {
4456 skb_set_owner_w(skb, sk);
4457 }
4458
4459 static int selinux_secmark_relabel_packet(u32 sid)
4460 {
4461 const struct task_security_struct *__tsec;
4462 u32 tsid;
4463
4464 __tsec = current_security();
4465 tsid = __tsec->sid;
4466
4467 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4468 }
4469
4470 static void selinux_secmark_refcount_inc(void)
4471 {
4472 atomic_inc(&selinux_secmark_refcount);
4473 }
4474
4475 static void selinux_secmark_refcount_dec(void)
4476 {
4477 atomic_dec(&selinux_secmark_refcount);
4478 }
4479
4480 static void selinux_req_classify_flow(const struct request_sock *req,
4481 struct flowi *fl)
4482 {
4483 fl->flowi_secid = req->secid;
4484 }
4485
4486 static int selinux_tun_dev_alloc_security(void **security)
4487 {
4488 struct tun_security_struct *tunsec;
4489
4490 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4491 if (!tunsec)
4492 return -ENOMEM;
4493 tunsec->sid = current_sid();
4494
4495 *security = tunsec;
4496 return 0;
4497 }
4498
4499 static void selinux_tun_dev_free_security(void *security)
4500 {
4501 kfree(security);
4502 }
4503
4504 static int selinux_tun_dev_create(void)
4505 {
4506 u32 sid = current_sid();
4507
4508 /* we aren't taking into account the "sockcreate" SID since the socket
4509 * that is being created here is not a socket in the traditional sense,
4510 * instead it is a private sock, accessible only to the kernel, and
4511 * representing a wide range of network traffic spanning multiple
4512 * connections unlike traditional sockets - check the TUN driver to
4513 * get a better understanding of why this socket is special */
4514
4515 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4516 NULL);
4517 }
4518
4519 static int selinux_tun_dev_attach_queue(void *security)
4520 {
4521 struct tun_security_struct *tunsec = security;
4522
4523 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4524 TUN_SOCKET__ATTACH_QUEUE, NULL);
4525 }
4526
4527 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4528 {
4529 struct tun_security_struct *tunsec = security;
4530 struct sk_security_struct *sksec = sk->sk_security;
4531
4532 /* we don't currently perform any NetLabel based labeling here and it
4533 * isn't clear that we would want to do so anyway; while we could apply
4534 * labeling without the support of the TUN user the resulting labeled
4535 * traffic from the other end of the connection would almost certainly
4536 * cause confusion to the TUN user that had no idea network labeling
4537 * protocols were being used */
4538
4539 sksec->sid = tunsec->sid;
4540 sksec->sclass = SECCLASS_TUN_SOCKET;
4541
4542 return 0;
4543 }
4544
4545 static int selinux_tun_dev_open(void *security)
4546 {
4547 struct tun_security_struct *tunsec = security;
4548 u32 sid = current_sid();
4549 int err;
4550
4551 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4552 TUN_SOCKET__RELABELFROM, NULL);
4553 if (err)
4554 return err;
4555 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4556 TUN_SOCKET__RELABELTO, NULL);
4557 if (err)
4558 return err;
4559 tunsec->sid = sid;
4560
4561 return 0;
4562 }
4563
4564 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4565 {
4566 int err = 0;
4567 u32 perm;
4568 struct nlmsghdr *nlh;
4569 struct sk_security_struct *sksec = sk->sk_security;
4570
4571 if (skb->len < NLMSG_HDRLEN) {
4572 err = -EINVAL;
4573 goto out;
4574 }
4575 nlh = nlmsg_hdr(skb);
4576
4577 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4578 if (err) {
4579 if (err == -EINVAL) {
4580 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4581 "SELinux: unrecognized netlink message"
4582 " type=%hu for sclass=%hu\n",
4583 nlh->nlmsg_type, sksec->sclass);
4584 if (!selinux_enforcing || security_get_allow_unknown())
4585 err = 0;
4586 }
4587
4588 /* Ignore */
4589 if (err == -ENOENT)
4590 err = 0;
4591 goto out;
4592 }
4593
4594 err = sock_has_perm(current, sk, perm);
4595 out:
4596 return err;
4597 }
4598
4599 #ifdef CONFIG_NETFILTER
4600
4601 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4602 u16 family)
4603 {
4604 int err;
4605 char *addrp;
4606 u32 peer_sid;
4607 struct common_audit_data ad;
4608 struct lsm_network_audit net = {0,};
4609 u8 secmark_active;
4610 u8 netlbl_active;
4611 u8 peerlbl_active;
4612
4613 if (!selinux_policycap_netpeer)
4614 return NF_ACCEPT;
4615
4616 secmark_active = selinux_secmark_enabled();
4617 netlbl_active = netlbl_enabled();
4618 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4619 if (!secmark_active && !peerlbl_active)
4620 return NF_ACCEPT;
4621
4622 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4623 return NF_DROP;
4624
4625 ad.type = LSM_AUDIT_DATA_NET;
4626 ad.u.net = &net;
4627 ad.u.net->netif = ifindex;
4628 ad.u.net->family = family;
4629 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4630 return NF_DROP;
4631
4632 if (peerlbl_active) {
4633 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4634 peer_sid, &ad);
4635 if (err) {
4636 selinux_netlbl_err(skb, err, 1);
4637 return NF_DROP;
4638 }
4639 }
4640
4641 if (secmark_active)
4642 if (avc_has_perm(peer_sid, skb->secmark,
4643 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4644 return NF_DROP;
4645
4646 if (netlbl_active)
4647 /* we do this in the FORWARD path and not the POST_ROUTING
4648 * path because we want to make sure we apply the necessary
4649 * labeling before IPsec is applied so we can leverage AH
4650 * protection */
4651 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4652 return NF_DROP;
4653
4654 return NF_ACCEPT;
4655 }
4656
4657 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4658 struct sk_buff *skb,
4659 const struct net_device *in,
4660 const struct net_device *out,
4661 int (*okfn)(struct sk_buff *))
4662 {
4663 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4664 }
4665
4666 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4667 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4668 struct sk_buff *skb,
4669 const struct net_device *in,
4670 const struct net_device *out,
4671 int (*okfn)(struct sk_buff *))
4672 {
4673 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4674 }
4675 #endif /* IPV6 */
4676
4677 static unsigned int selinux_ip_output(struct sk_buff *skb,
4678 u16 family)
4679 {
4680 struct sock *sk;
4681 u32 sid;
4682
4683 if (!netlbl_enabled())
4684 return NF_ACCEPT;
4685
4686 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4687 * because we want to make sure we apply the necessary labeling
4688 * before IPsec is applied so we can leverage AH protection */
4689 sk = skb->sk;
4690 if (sk) {
4691 struct sk_security_struct *sksec;
4692
4693 if (sk->sk_state == TCP_LISTEN)
4694 /* if the socket is the listening state then this
4695 * packet is a SYN-ACK packet which means it needs to
4696 * be labeled based on the connection/request_sock and
4697 * not the parent socket. unfortunately, we can't
4698 * lookup the request_sock yet as it isn't queued on
4699 * the parent socket until after the SYN-ACK is sent.
4700 * the "solution" is to simply pass the packet as-is
4701 * as any IP option based labeling should be copied
4702 * from the initial connection request (in the IP
4703 * layer). it is far from ideal, but until we get a
4704 * security label in the packet itself this is the
4705 * best we can do. */
4706 return NF_ACCEPT;
4707
4708 /* standard practice, label using the parent socket */
4709 sksec = sk->sk_security;
4710 sid = sksec->sid;
4711 } else
4712 sid = SECINITSID_KERNEL;
4713 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4714 return NF_DROP;
4715
4716 return NF_ACCEPT;
4717 }
4718
4719 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4720 struct sk_buff *skb,
4721 const struct net_device *in,
4722 const struct net_device *out,
4723 int (*okfn)(struct sk_buff *))
4724 {
4725 return selinux_ip_output(skb, PF_INET);
4726 }
4727
4728 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4729 int ifindex,
4730 u16 family)
4731 {
4732 struct sock *sk = skb->sk;
4733 struct sk_security_struct *sksec;
4734 struct common_audit_data ad;
4735 struct lsm_network_audit net = {0,};
4736 char *addrp;
4737 u8 proto;
4738
4739 if (sk == NULL)
4740 return NF_ACCEPT;
4741 sksec = sk->sk_security;
4742
4743 ad.type = LSM_AUDIT_DATA_NET;
4744 ad.u.net = &net;
4745 ad.u.net->netif = ifindex;
4746 ad.u.net->family = family;
4747 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4748 return NF_DROP;
4749
4750 if (selinux_secmark_enabled())
4751 if (avc_has_perm(sksec->sid, skb->secmark,
4752 SECCLASS_PACKET, PACKET__SEND, &ad))
4753 return NF_DROP_ERR(-ECONNREFUSED);
4754
4755 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4756 return NF_DROP_ERR(-ECONNREFUSED);
4757
4758 return NF_ACCEPT;
4759 }
4760
4761 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4762 u16 family)
4763 {
4764 u32 secmark_perm;
4765 u32 peer_sid;
4766 struct sock *sk;
4767 struct common_audit_data ad;
4768 struct lsm_network_audit net = {0,};
4769 char *addrp;
4770 u8 secmark_active;
4771 u8 peerlbl_active;
4772
4773 /* If any sort of compatibility mode is enabled then handoff processing
4774 * to the selinux_ip_postroute_compat() function to deal with the
4775 * special handling. We do this in an attempt to keep this function
4776 * as fast and as clean as possible. */
4777 if (!selinux_policycap_netpeer)
4778 return selinux_ip_postroute_compat(skb, ifindex, family);
4779
4780 secmark_active = selinux_secmark_enabled();
4781 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4782 if (!secmark_active && !peerlbl_active)
4783 return NF_ACCEPT;
4784
4785 sk = skb->sk;
4786
4787 #ifdef CONFIG_XFRM
4788 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4789 * packet transformation so allow the packet to pass without any checks
4790 * since we'll have another chance to perform access control checks
4791 * when the packet is on it's final way out.
4792 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4793 * is NULL, in this case go ahead and apply access control.
4794 * is NULL, in this case go ahead and apply access control.
4795 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4796 * TCP listening state we cannot wait until the XFRM processing
4797 * is done as we will miss out on the SA label if we do;
4798 * unfortunately, this means more work, but it is only once per
4799 * connection. */
4800 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4801 !(sk != NULL && sk->sk_state == TCP_LISTEN))
4802 return NF_ACCEPT;
4803 #endif
4804
4805 if (sk == NULL) {
4806 /* Without an associated socket the packet is either coming
4807 * from the kernel or it is being forwarded; check the packet
4808 * to determine which and if the packet is being forwarded
4809 * query the packet directly to determine the security label. */
4810 if (skb->skb_iif) {
4811 secmark_perm = PACKET__FORWARD_OUT;
4812 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4813 return NF_DROP;
4814 } else {
4815 secmark_perm = PACKET__SEND;
4816 peer_sid = SECINITSID_KERNEL;
4817 }
4818 } else if (sk->sk_state == TCP_LISTEN) {
4819 /* Locally generated packet but the associated socket is in the
4820 * listening state which means this is a SYN-ACK packet. In
4821 * this particular case the correct security label is assigned
4822 * to the connection/request_sock but unfortunately we can't
4823 * query the request_sock as it isn't queued on the parent
4824 * socket until after the SYN-ACK packet is sent; the only
4825 * viable choice is to regenerate the label like we do in
4826 * selinux_inet_conn_request(). See also selinux_ip_output()
4827 * for similar problems. */
4828 u32 skb_sid;
4829 struct sk_security_struct *sksec = sk->sk_security;
4830 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4831 return NF_DROP;
4832 /* At this point, if the returned skb peerlbl is SECSID_NULL
4833 * and the packet has been through at least one XFRM
4834 * transformation then we must be dealing with the "final"
4835 * form of labeled IPsec packet; since we've already applied
4836 * all of our access controls on this packet we can safely
4837 * pass the packet. */
4838 if (skb_sid == SECSID_NULL) {
4839 switch (family) {
4840 case PF_INET:
4841 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4842 return NF_ACCEPT;
4843 break;
4844 case PF_INET6:
4845 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4846 return NF_ACCEPT;
4847 default:
4848 return NF_DROP_ERR(-ECONNREFUSED);
4849 }
4850 }
4851 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4852 return NF_DROP;
4853 secmark_perm = PACKET__SEND;
4854 } else {
4855 /* Locally generated packet, fetch the security label from the
4856 * associated socket. */
4857 struct sk_security_struct *sksec = sk->sk_security;
4858 peer_sid = sksec->sid;
4859 secmark_perm = PACKET__SEND;
4860 }
4861
4862 ad.type = LSM_AUDIT_DATA_NET;
4863 ad.u.net = &net;
4864 ad.u.net->netif = ifindex;
4865 ad.u.net->family = family;
4866 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4867 return NF_DROP;
4868
4869 if (secmark_active)
4870 if (avc_has_perm(peer_sid, skb->secmark,
4871 SECCLASS_PACKET, secmark_perm, &ad))
4872 return NF_DROP_ERR(-ECONNREFUSED);
4873
4874 if (peerlbl_active) {
4875 u32 if_sid;
4876 u32 node_sid;
4877
4878 if (sel_netif_sid(ifindex, &if_sid))
4879 return NF_DROP;
4880 if (avc_has_perm(peer_sid, if_sid,
4881 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4882 return NF_DROP_ERR(-ECONNREFUSED);
4883
4884 if (sel_netnode_sid(addrp, family, &node_sid))
4885 return NF_DROP;
4886 if (avc_has_perm(peer_sid, node_sid,
4887 SECCLASS_NODE, NODE__SENDTO, &ad))
4888 return NF_DROP_ERR(-ECONNREFUSED);
4889 }
4890
4891 return NF_ACCEPT;
4892 }
4893
4894 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4895 struct sk_buff *skb,
4896 const struct net_device *in,
4897 const struct net_device *out,
4898 int (*okfn)(struct sk_buff *))
4899 {
4900 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4901 }
4902
4903 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4904 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4905 struct sk_buff *skb,
4906 const struct net_device *in,
4907 const struct net_device *out,
4908 int (*okfn)(struct sk_buff *))
4909 {
4910 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4911 }
4912 #endif /* IPV6 */
4913
4914 #endif /* CONFIG_NETFILTER */
4915
4916 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4917 {
4918 int err;
4919
4920 err = cap_netlink_send(sk, skb);
4921 if (err)
4922 return err;
4923
4924 return selinux_nlmsg_perm(sk, skb);
4925 }
4926
4927 static int ipc_alloc_security(struct task_struct *task,
4928 struct kern_ipc_perm *perm,
4929 u16 sclass)
4930 {
4931 struct ipc_security_struct *isec;
4932 u32 sid;
4933
4934 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4935 if (!isec)
4936 return -ENOMEM;
4937
4938 sid = task_sid(task);
4939 isec->sclass = sclass;
4940 isec->sid = sid;
4941 perm->security = isec;
4942
4943 return 0;
4944 }
4945
4946 static void ipc_free_security(struct kern_ipc_perm *perm)
4947 {
4948 struct ipc_security_struct *isec = perm->security;
4949 perm->security = NULL;
4950 kfree(isec);
4951 }
4952
4953 static int msg_msg_alloc_security(struct msg_msg *msg)
4954 {
4955 struct msg_security_struct *msec;
4956
4957 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4958 if (!msec)
4959 return -ENOMEM;
4960
4961 msec->sid = SECINITSID_UNLABELED;
4962 msg->security = msec;
4963
4964 return 0;
4965 }
4966
4967 static void msg_msg_free_security(struct msg_msg *msg)
4968 {
4969 struct msg_security_struct *msec = msg->security;
4970
4971 msg->security = NULL;
4972 kfree(msec);
4973 }
4974
4975 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4976 u32 perms)
4977 {
4978 struct ipc_security_struct *isec;
4979 struct common_audit_data ad;
4980 u32 sid = current_sid();
4981
4982 isec = ipc_perms->security;
4983
4984 ad.type = LSM_AUDIT_DATA_IPC;
4985 ad.u.ipc_id = ipc_perms->key;
4986
4987 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4988 }
4989
4990 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4991 {
4992 return msg_msg_alloc_security(msg);
4993 }
4994
4995 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4996 {
4997 msg_msg_free_security(msg);
4998 }
4999
5000 /* message queue security operations */
5001 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5002 {
5003 struct ipc_security_struct *isec;
5004 struct common_audit_data ad;
5005 u32 sid = current_sid();
5006 int rc;
5007
5008 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5009 if (rc)
5010 return rc;
5011
5012 isec = msq->q_perm.security;
5013
5014 ad.type = LSM_AUDIT_DATA_IPC;
5015 ad.u.ipc_id = msq->q_perm.key;
5016
5017 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5018 MSGQ__CREATE, &ad);
5019 if (rc) {
5020 ipc_free_security(&msq->q_perm);
5021 return rc;
5022 }
5023 return 0;
5024 }
5025
5026 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5027 {
5028 ipc_free_security(&msq->q_perm);
5029 }
5030
5031 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5032 {
5033 struct ipc_security_struct *isec;
5034 struct common_audit_data ad;
5035 u32 sid = current_sid();
5036
5037 isec = msq->q_perm.security;
5038
5039 ad.type = LSM_AUDIT_DATA_IPC;
5040 ad.u.ipc_id = msq->q_perm.key;
5041
5042 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5043 MSGQ__ASSOCIATE, &ad);
5044 }
5045
5046 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5047 {
5048 int err;
5049 int perms;
5050
5051 switch (cmd) {
5052 case IPC_INFO:
5053 case MSG_INFO:
5054 /* No specific object, just general system-wide information. */
5055 return task_has_system(current, SYSTEM__IPC_INFO);
5056 case IPC_STAT:
5057 case MSG_STAT:
5058 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5059 break;
5060 case IPC_SET:
5061 perms = MSGQ__SETATTR;
5062 break;
5063 case IPC_RMID:
5064 perms = MSGQ__DESTROY;
5065 break;
5066 default:
5067 return 0;
5068 }
5069
5070 err = ipc_has_perm(&msq->q_perm, perms);
5071 return err;
5072 }
5073
5074 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5075 {
5076 struct ipc_security_struct *isec;
5077 struct msg_security_struct *msec;
5078 struct common_audit_data ad;
5079 u32 sid = current_sid();
5080 int rc;
5081
5082 isec = msq->q_perm.security;
5083 msec = msg->security;
5084
5085 /*
5086 * First time through, need to assign label to the message
5087 */
5088 if (msec->sid == SECINITSID_UNLABELED) {
5089 /*
5090 * Compute new sid based on current process and
5091 * message queue this message will be stored in
5092 */
5093 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5094 NULL, &msec->sid);
5095 if (rc)
5096 return rc;
5097 }
5098
5099 ad.type = LSM_AUDIT_DATA_IPC;
5100 ad.u.ipc_id = msq->q_perm.key;
5101
5102 /* Can this process write to the queue? */
5103 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5104 MSGQ__WRITE, &ad);
5105 if (!rc)
5106 /* Can this process send the message */
5107 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5108 MSG__SEND, &ad);
5109 if (!rc)
5110 /* Can the message be put in the queue? */
5111 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5112 MSGQ__ENQUEUE, &ad);
5113
5114 return rc;
5115 }
5116
5117 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5118 struct task_struct *target,
5119 long type, int mode)
5120 {
5121 struct ipc_security_struct *isec;
5122 struct msg_security_struct *msec;
5123 struct common_audit_data ad;
5124 u32 sid = task_sid(target);
5125 int rc;
5126
5127 isec = msq->q_perm.security;
5128 msec = msg->security;
5129
5130 ad.type = LSM_AUDIT_DATA_IPC;
5131 ad.u.ipc_id = msq->q_perm.key;
5132
5133 rc = avc_has_perm(sid, isec->sid,
5134 SECCLASS_MSGQ, MSGQ__READ, &ad);
5135 if (!rc)
5136 rc = avc_has_perm(sid, msec->sid,
5137 SECCLASS_MSG, MSG__RECEIVE, &ad);
5138 return rc;
5139 }
5140
5141 /* Shared Memory security operations */
5142 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5143 {
5144 struct ipc_security_struct *isec;
5145 struct common_audit_data ad;
5146 u32 sid = current_sid();
5147 int rc;
5148
5149 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5150 if (rc)
5151 return rc;
5152
5153 isec = shp->shm_perm.security;
5154
5155 ad.type = LSM_AUDIT_DATA_IPC;
5156 ad.u.ipc_id = shp->shm_perm.key;
5157
5158 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5159 SHM__CREATE, &ad);
5160 if (rc) {
5161 ipc_free_security(&shp->shm_perm);
5162 return rc;
5163 }
5164 return 0;
5165 }
5166
5167 static void selinux_shm_free_security(struct shmid_kernel *shp)
5168 {
5169 ipc_free_security(&shp->shm_perm);
5170 }
5171
5172 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5173 {
5174 struct ipc_security_struct *isec;
5175 struct common_audit_data ad;
5176 u32 sid = current_sid();
5177
5178 isec = shp->shm_perm.security;
5179
5180 ad.type = LSM_AUDIT_DATA_IPC;
5181 ad.u.ipc_id = shp->shm_perm.key;
5182
5183 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5184 SHM__ASSOCIATE, &ad);
5185 }
5186
5187 /* Note, at this point, shp is locked down */
5188 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5189 {
5190 int perms;
5191 int err;
5192
5193 switch (cmd) {
5194 case IPC_INFO:
5195 case SHM_INFO:
5196 /* No specific object, just general system-wide information. */
5197 return task_has_system(current, SYSTEM__IPC_INFO);
5198 case IPC_STAT:
5199 case SHM_STAT:
5200 perms = SHM__GETATTR | SHM__ASSOCIATE;
5201 break;
5202 case IPC_SET:
5203 perms = SHM__SETATTR;
5204 break;
5205 case SHM_LOCK:
5206 case SHM_UNLOCK:
5207 perms = SHM__LOCK;
5208 break;
5209 case IPC_RMID:
5210 perms = SHM__DESTROY;
5211 break;
5212 default:
5213 return 0;
5214 }
5215
5216 err = ipc_has_perm(&shp->shm_perm, perms);
5217 return err;
5218 }
5219
5220 static int selinux_shm_shmat(struct shmid_kernel *shp,
5221 char __user *shmaddr, int shmflg)
5222 {
5223 u32 perms;
5224
5225 if (shmflg & SHM_RDONLY)
5226 perms = SHM__READ;
5227 else
5228 perms = SHM__READ | SHM__WRITE;
5229
5230 return ipc_has_perm(&shp->shm_perm, perms);
5231 }
5232
5233 /* Semaphore security operations */
5234 static int selinux_sem_alloc_security(struct sem_array *sma)
5235 {
5236 struct ipc_security_struct *isec;
5237 struct common_audit_data ad;
5238 u32 sid = current_sid();
5239 int rc;
5240
5241 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5242 if (rc)
5243 return rc;
5244
5245 isec = sma->sem_perm.security;
5246
5247 ad.type = LSM_AUDIT_DATA_IPC;
5248 ad.u.ipc_id = sma->sem_perm.key;
5249
5250 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5251 SEM__CREATE, &ad);
5252 if (rc) {
5253 ipc_free_security(&sma->sem_perm);
5254 return rc;
5255 }
5256 return 0;
5257 }
5258
5259 static void selinux_sem_free_security(struct sem_array *sma)
5260 {
5261 ipc_free_security(&sma->sem_perm);
5262 }
5263
5264 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5265 {
5266 struct ipc_security_struct *isec;
5267 struct common_audit_data ad;
5268 u32 sid = current_sid();
5269
5270 isec = sma->sem_perm.security;
5271
5272 ad.type = LSM_AUDIT_DATA_IPC;
5273 ad.u.ipc_id = sma->sem_perm.key;
5274
5275 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5276 SEM__ASSOCIATE, &ad);
5277 }
5278
5279 /* Note, at this point, sma is locked down */
5280 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5281 {
5282 int err;
5283 u32 perms;
5284
5285 switch (cmd) {
5286 case IPC_INFO:
5287 case SEM_INFO:
5288 /* No specific object, just general system-wide information. */
5289 return task_has_system(current, SYSTEM__IPC_INFO);
5290 case GETPID:
5291 case GETNCNT:
5292 case GETZCNT:
5293 perms = SEM__GETATTR;
5294 break;
5295 case GETVAL:
5296 case GETALL:
5297 perms = SEM__READ;
5298 break;
5299 case SETVAL:
5300 case SETALL:
5301 perms = SEM__WRITE;
5302 break;
5303 case IPC_RMID:
5304 perms = SEM__DESTROY;
5305 break;
5306 case IPC_SET:
5307 perms = SEM__SETATTR;
5308 break;
5309 case IPC_STAT:
5310 case SEM_STAT:
5311 perms = SEM__GETATTR | SEM__ASSOCIATE;
5312 break;
5313 default:
5314 return 0;
5315 }
5316
5317 err = ipc_has_perm(&sma->sem_perm, perms);
5318 return err;
5319 }
5320
5321 static int selinux_sem_semop(struct sem_array *sma,
5322 struct sembuf *sops, unsigned nsops, int alter)
5323 {
5324 u32 perms;
5325
5326 if (alter)
5327 perms = SEM__READ | SEM__WRITE;
5328 else
5329 perms = SEM__READ;
5330
5331 return ipc_has_perm(&sma->sem_perm, perms);
5332 }
5333
5334 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5335 {
5336 u32 av = 0;
5337
5338 av = 0;
5339 if (flag & S_IRUGO)
5340 av |= IPC__UNIX_READ;
5341 if (flag & S_IWUGO)
5342 av |= IPC__UNIX_WRITE;
5343
5344 if (av == 0)
5345 return 0;
5346
5347 return ipc_has_perm(ipcp, av);
5348 }
5349
5350 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5351 {
5352 struct ipc_security_struct *isec = ipcp->security;
5353 *secid = isec->sid;
5354 }
5355
5356 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5357 {
5358 if (inode)
5359 inode_doinit_with_dentry(inode, dentry);
5360 }
5361
5362 static int selinux_getprocattr(struct task_struct *p,
5363 char *name, char **value)
5364 {
5365 const struct task_security_struct *__tsec;
5366 u32 sid;
5367 int error;
5368 unsigned len;
5369
5370 if (current != p) {
5371 error = current_has_perm(p, PROCESS__GETATTR);
5372 if (error)
5373 return error;
5374 }
5375
5376 rcu_read_lock();
5377 __tsec = __task_cred(p)->security;
5378
5379 if (!strcmp(name, "current"))
5380 sid = __tsec->sid;
5381 else if (!strcmp(name, "prev"))
5382 sid = __tsec->osid;
5383 else if (!strcmp(name, "exec"))
5384 sid = __tsec->exec_sid;
5385 else if (!strcmp(name, "fscreate"))
5386 sid = __tsec->create_sid;
5387 else if (!strcmp(name, "keycreate"))
5388 sid = __tsec->keycreate_sid;
5389 else if (!strcmp(name, "sockcreate"))
5390 sid = __tsec->sockcreate_sid;
5391 else
5392 goto invalid;
5393 rcu_read_unlock();
5394
5395 if (!sid)
5396 return 0;
5397
5398 error = security_sid_to_context(sid, value, &len);
5399 if (error)
5400 return error;
5401 return len;
5402
5403 invalid:
5404 rcu_read_unlock();
5405 return -EINVAL;
5406 }
5407
5408 static int selinux_setprocattr(struct task_struct *p,
5409 char *name, void *value, size_t size)
5410 {
5411 struct task_security_struct *tsec;
5412 struct task_struct *tracer;
5413 struct cred *new;
5414 u32 sid = 0, ptsid;
5415 int error;
5416 char *str = value;
5417
5418 if (current != p) {
5419 /* SELinux only allows a process to change its own
5420 security attributes. */
5421 return -EACCES;
5422 }
5423
5424 /*
5425 * Basic control over ability to set these attributes at all.
5426 * current == p, but we'll pass them separately in case the
5427 * above restriction is ever removed.
5428 */
5429 if (!strcmp(name, "exec"))
5430 error = current_has_perm(p, PROCESS__SETEXEC);
5431 else if (!strcmp(name, "fscreate"))
5432 error = current_has_perm(p, PROCESS__SETFSCREATE);
5433 else if (!strcmp(name, "keycreate"))
5434 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5435 else if (!strcmp(name, "sockcreate"))
5436 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5437 else if (!strcmp(name, "current"))
5438 error = current_has_perm(p, PROCESS__SETCURRENT);
5439 else
5440 error = -EINVAL;
5441 if (error)
5442 return error;
5443
5444 /* Obtain a SID for the context, if one was specified. */
5445 if (size && str[1] && str[1] != '\n') {
5446 if (str[size-1] == '\n') {
5447 str[size-1] = 0;
5448 size--;
5449 }
5450 error = security_context_to_sid(value, size, &sid);
5451 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5452 if (!capable(CAP_MAC_ADMIN)) {
5453 struct audit_buffer *ab;
5454 size_t audit_size;
5455
5456 /* We strip a nul only if it is at the end, otherwise the
5457 * context contains a nul and we should audit that */
5458 if (str[size - 1] == '\0')
5459 audit_size = size - 1;
5460 else
5461 audit_size = size;
5462 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5463 audit_log_format(ab, "op=fscreate invalid_context=");
5464 audit_log_n_untrustedstring(ab, value, audit_size);
5465 audit_log_end(ab);
5466
5467 return error;
5468 }
5469 error = security_context_to_sid_force(value, size,
5470 &sid);
5471 }
5472 if (error)
5473 return error;
5474 }
5475
5476 new = prepare_creds();
5477 if (!new)
5478 return -ENOMEM;
5479
5480 /* Permission checking based on the specified context is
5481 performed during the actual operation (execve,
5482 open/mkdir/...), when we know the full context of the
5483 operation. See selinux_bprm_set_creds for the execve
5484 checks and may_create for the file creation checks. The
5485 operation will then fail if the context is not permitted. */
5486 tsec = new->security;
5487 if (!strcmp(name, "exec")) {
5488 tsec->exec_sid = sid;
5489 } else if (!strcmp(name, "fscreate")) {
5490 tsec->create_sid = sid;
5491 } else if (!strcmp(name, "keycreate")) {
5492 error = may_create_key(sid, p);
5493 if (error)
5494 goto abort_change;
5495 tsec->keycreate_sid = sid;
5496 } else if (!strcmp(name, "sockcreate")) {
5497 tsec->sockcreate_sid = sid;
5498 } else if (!strcmp(name, "current")) {
5499 error = -EINVAL;
5500 if (sid == 0)
5501 goto abort_change;
5502
5503 /* Only allow single threaded processes to change context */
5504 error = -EPERM;
5505 if (!current_is_single_threaded()) {
5506 error = security_bounded_transition(tsec->sid, sid);
5507 if (error)
5508 goto abort_change;
5509 }
5510
5511 /* Check permissions for the transition. */
5512 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5513 PROCESS__DYNTRANSITION, NULL);
5514 if (error)
5515 goto abort_change;
5516
5517 /* Check for ptracing, and update the task SID if ok.
5518 Otherwise, leave SID unchanged and fail. */
5519 ptsid = 0;
5520 rcu_read_lock();
5521 tracer = ptrace_parent(p);
5522 if (tracer)
5523 ptsid = task_sid(tracer);
5524 rcu_read_unlock();
5525
5526 if (tracer) {
5527 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5528 PROCESS__PTRACE, NULL);
5529 if (error)
5530 goto abort_change;
5531 }
5532
5533 tsec->sid = sid;
5534 } else {
5535 error = -EINVAL;
5536 goto abort_change;
5537 }
5538
5539 commit_creds(new);
5540 return size;
5541
5542 abort_change:
5543 abort_creds(new);
5544 return error;
5545 }
5546
5547 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5548 {
5549 return security_sid_to_context(secid, secdata, seclen);
5550 }
5551
5552 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5553 {
5554 return security_context_to_sid(secdata, seclen, secid);
5555 }
5556
5557 static void selinux_release_secctx(char *secdata, u32 seclen)
5558 {
5559 kfree(secdata);
5560 }
5561
5562 /*
5563 * called with inode->i_mutex locked
5564 */
5565 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5566 {
5567 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5568 }
5569
5570 /*
5571 * called with inode->i_mutex locked
5572 */
5573 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5574 {
5575 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5576 }
5577
5578 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5579 {
5580 int len = 0;
5581 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5582 ctx, true);
5583 if (len < 0)
5584 return len;
5585 *ctxlen = len;
5586 return 0;
5587 }
5588 #ifdef CONFIG_KEYS
5589
5590 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5591 unsigned long flags)
5592 {
5593 const struct task_security_struct *tsec;
5594 struct key_security_struct *ksec;
5595
5596 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5597 if (!ksec)
5598 return -ENOMEM;
5599
5600 tsec = cred->security;
5601 if (tsec->keycreate_sid)
5602 ksec->sid = tsec->keycreate_sid;
5603 else
5604 ksec->sid = tsec->sid;
5605
5606 k->security = ksec;
5607 return 0;
5608 }
5609
5610 static void selinux_key_free(struct key *k)
5611 {
5612 struct key_security_struct *ksec = k->security;
5613
5614 k->security = NULL;
5615 kfree(ksec);
5616 }
5617
5618 static int selinux_key_permission(key_ref_t key_ref,
5619 const struct cred *cred,
5620 key_perm_t perm)
5621 {
5622 struct key *key;
5623 struct key_security_struct *ksec;
5624 u32 sid;
5625
5626 /* if no specific permissions are requested, we skip the
5627 permission check. No serious, additional covert channels
5628 appear to be created. */
5629 if (perm == 0)
5630 return 0;
5631
5632 sid = cred_sid(cred);
5633
5634 key = key_ref_to_ptr(key_ref);
5635 ksec = key->security;
5636
5637 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5638 }
5639
5640 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5641 {
5642 struct key_security_struct *ksec = key->security;
5643 char *context = NULL;
5644 unsigned len;
5645 int rc;
5646
5647 rc = security_sid_to_context(ksec->sid, &context, &len);
5648 if (!rc)
5649 rc = len;
5650 *_buffer = context;
5651 return rc;
5652 }
5653
5654 #endif
5655
5656 static struct security_operations selinux_ops = {
5657 .name = "selinux",
5658
5659 .ptrace_access_check = selinux_ptrace_access_check,
5660 .ptrace_traceme = selinux_ptrace_traceme,
5661 .capget = selinux_capget,
5662 .capset = selinux_capset,
5663 .capable = selinux_capable,
5664 .quotactl = selinux_quotactl,
5665 .quota_on = selinux_quota_on,
5666 .syslog = selinux_syslog,
5667 .vm_enough_memory = selinux_vm_enough_memory,
5668
5669 .netlink_send = selinux_netlink_send,
5670
5671 .bprm_set_creds = selinux_bprm_set_creds,
5672 .bprm_committing_creds = selinux_bprm_committing_creds,
5673 .bprm_committed_creds = selinux_bprm_committed_creds,
5674 .bprm_secureexec = selinux_bprm_secureexec,
5675
5676 .sb_alloc_security = selinux_sb_alloc_security,
5677 .sb_free_security = selinux_sb_free_security,
5678 .sb_copy_data = selinux_sb_copy_data,
5679 .sb_remount = selinux_sb_remount,
5680 .sb_kern_mount = selinux_sb_kern_mount,
5681 .sb_show_options = selinux_sb_show_options,
5682 .sb_statfs = selinux_sb_statfs,
5683 .sb_mount = selinux_mount,
5684 .sb_umount = selinux_umount,
5685 .sb_set_mnt_opts = selinux_set_mnt_opts,
5686 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5687 .sb_parse_opts_str = selinux_parse_opts_str,
5688
5689
5690 .inode_alloc_security = selinux_inode_alloc_security,
5691 .inode_free_security = selinux_inode_free_security,
5692 .inode_init_security = selinux_inode_init_security,
5693 .inode_create = selinux_inode_create,
5694 .inode_link = selinux_inode_link,
5695 .inode_unlink = selinux_inode_unlink,
5696 .inode_symlink = selinux_inode_symlink,
5697 .inode_mkdir = selinux_inode_mkdir,
5698 .inode_rmdir = selinux_inode_rmdir,
5699 .inode_mknod = selinux_inode_mknod,
5700 .inode_rename = selinux_inode_rename,
5701 .inode_readlink = selinux_inode_readlink,
5702 .inode_follow_link = selinux_inode_follow_link,
5703 .inode_permission = selinux_inode_permission,
5704 .inode_setattr = selinux_inode_setattr,
5705 .inode_getattr = selinux_inode_getattr,
5706 .inode_setxattr = selinux_inode_setxattr,
5707 .inode_post_setxattr = selinux_inode_post_setxattr,
5708 .inode_getxattr = selinux_inode_getxattr,
5709 .inode_listxattr = selinux_inode_listxattr,
5710 .inode_removexattr = selinux_inode_removexattr,
5711 .inode_getsecurity = selinux_inode_getsecurity,
5712 .inode_setsecurity = selinux_inode_setsecurity,
5713 .inode_listsecurity = selinux_inode_listsecurity,
5714 .inode_getsecid = selinux_inode_getsecid,
5715
5716 .file_permission = selinux_file_permission,
5717 .file_alloc_security = selinux_file_alloc_security,
5718 .file_free_security = selinux_file_free_security,
5719 .file_ioctl = selinux_file_ioctl,
5720 .mmap_file = selinux_mmap_file,
5721 .mmap_addr = selinux_mmap_addr,
5722 .file_mprotect = selinux_file_mprotect,
5723 .file_lock = selinux_file_lock,
5724 .file_fcntl = selinux_file_fcntl,
5725 .file_set_fowner = selinux_file_set_fowner,
5726 .file_send_sigiotask = selinux_file_send_sigiotask,
5727 .file_receive = selinux_file_receive,
5728
5729 .file_open = selinux_file_open,
5730
5731 .task_create = selinux_task_create,
5732 .cred_alloc_blank = selinux_cred_alloc_blank,
5733 .cred_free = selinux_cred_free,
5734 .cred_prepare = selinux_cred_prepare,
5735 .cred_transfer = selinux_cred_transfer,
5736 .kernel_act_as = selinux_kernel_act_as,
5737 .kernel_create_files_as = selinux_kernel_create_files_as,
5738 .kernel_module_request = selinux_kernel_module_request,
5739 .task_setpgid = selinux_task_setpgid,
5740 .task_getpgid = selinux_task_getpgid,
5741 .task_getsid = selinux_task_getsid,
5742 .task_getsecid = selinux_task_getsecid,
5743 .task_setnice = selinux_task_setnice,
5744 .task_setioprio = selinux_task_setioprio,
5745 .task_getioprio = selinux_task_getioprio,
5746 .task_setrlimit = selinux_task_setrlimit,
5747 .task_setscheduler = selinux_task_setscheduler,
5748 .task_getscheduler = selinux_task_getscheduler,
5749 .task_movememory = selinux_task_movememory,
5750 .task_kill = selinux_task_kill,
5751 .task_wait = selinux_task_wait,
5752 .task_to_inode = selinux_task_to_inode,
5753
5754 .ipc_permission = selinux_ipc_permission,
5755 .ipc_getsecid = selinux_ipc_getsecid,
5756
5757 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5758 .msg_msg_free_security = selinux_msg_msg_free_security,
5759
5760 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5761 .msg_queue_free_security = selinux_msg_queue_free_security,
5762 .msg_queue_associate = selinux_msg_queue_associate,
5763 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5764 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5765 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5766
5767 .shm_alloc_security = selinux_shm_alloc_security,
5768 .shm_free_security = selinux_shm_free_security,
5769 .shm_associate = selinux_shm_associate,
5770 .shm_shmctl = selinux_shm_shmctl,
5771 .shm_shmat = selinux_shm_shmat,
5772
5773 .sem_alloc_security = selinux_sem_alloc_security,
5774 .sem_free_security = selinux_sem_free_security,
5775 .sem_associate = selinux_sem_associate,
5776 .sem_semctl = selinux_sem_semctl,
5777 .sem_semop = selinux_sem_semop,
5778
5779 .d_instantiate = selinux_d_instantiate,
5780
5781 .getprocattr = selinux_getprocattr,
5782 .setprocattr = selinux_setprocattr,
5783
5784 .secid_to_secctx = selinux_secid_to_secctx,
5785 .secctx_to_secid = selinux_secctx_to_secid,
5786 .release_secctx = selinux_release_secctx,
5787 .inode_notifysecctx = selinux_inode_notifysecctx,
5788 .inode_setsecctx = selinux_inode_setsecctx,
5789 .inode_getsecctx = selinux_inode_getsecctx,
5790
5791 .unix_stream_connect = selinux_socket_unix_stream_connect,
5792 .unix_may_send = selinux_socket_unix_may_send,
5793
5794 .socket_create = selinux_socket_create,
5795 .socket_post_create = selinux_socket_post_create,
5796 .socket_bind = selinux_socket_bind,
5797 .socket_connect = selinux_socket_connect,
5798 .socket_listen = selinux_socket_listen,
5799 .socket_accept = selinux_socket_accept,
5800 .socket_sendmsg = selinux_socket_sendmsg,
5801 .socket_recvmsg = selinux_socket_recvmsg,
5802 .socket_getsockname = selinux_socket_getsockname,
5803 .socket_getpeername = selinux_socket_getpeername,
5804 .socket_getsockopt = selinux_socket_getsockopt,
5805 .socket_setsockopt = selinux_socket_setsockopt,
5806 .socket_shutdown = selinux_socket_shutdown,
5807 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5808 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5809 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5810 .sk_alloc_security = selinux_sk_alloc_security,
5811 .sk_free_security = selinux_sk_free_security,
5812 .sk_clone_security = selinux_sk_clone_security,
5813 .sk_getsecid = selinux_sk_getsecid,
5814 .sock_graft = selinux_sock_graft,
5815 .inet_conn_request = selinux_inet_conn_request,
5816 .inet_csk_clone = selinux_inet_csk_clone,
5817 .inet_conn_established = selinux_inet_conn_established,
5818 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5819 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5820 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5821 .req_classify_flow = selinux_req_classify_flow,
5822 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5823 .tun_dev_free_security = selinux_tun_dev_free_security,
5824 .tun_dev_create = selinux_tun_dev_create,
5825 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5826 .tun_dev_attach = selinux_tun_dev_attach,
5827 .tun_dev_open = selinux_tun_dev_open,
5828 .skb_owned_by = selinux_skb_owned_by,
5829
5830 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5831 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5832 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5833 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5834 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5835 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5836 .xfrm_state_free_security = selinux_xfrm_state_free,
5837 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5838 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5839 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5840 .xfrm_decode_session = selinux_xfrm_decode_session,
5841 #endif
5842
5843 #ifdef CONFIG_KEYS
5844 .key_alloc = selinux_key_alloc,
5845 .key_free = selinux_key_free,
5846 .key_permission = selinux_key_permission,
5847 .key_getsecurity = selinux_key_getsecurity,
5848 #endif
5849
5850 #ifdef CONFIG_AUDIT
5851 .audit_rule_init = selinux_audit_rule_init,
5852 .audit_rule_known = selinux_audit_rule_known,
5853 .audit_rule_match = selinux_audit_rule_match,
5854 .audit_rule_free = selinux_audit_rule_free,
5855 #endif
5856 };
5857
5858 static __init int selinux_init(void)
5859 {
5860 if (!security_module_enable(&selinux_ops)) {
5861 selinux_enabled = 0;
5862 return 0;
5863 }
5864
5865 if (!selinux_enabled) {
5866 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5867 return 0;
5868 }
5869
5870 printk(KERN_INFO "SELinux: Initializing.\n");
5871
5872 /* Set the security state for the initial task. */
5873 cred_init_security();
5874
5875 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5876
5877 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5878 sizeof(struct inode_security_struct),
5879 0, SLAB_PANIC, NULL);
5880 avc_init();
5881
5882 if (register_security(&selinux_ops))
5883 panic("SELinux: Unable to register with kernel.\n");
5884
5885 if (selinux_enforcing)
5886 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5887 else
5888 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5889
5890 return 0;
5891 }
5892
5893 static void delayed_superblock_init(struct super_block *sb, void *unused)
5894 {
5895 superblock_doinit(sb, NULL);
5896 }
5897
5898 void selinux_complete_init(void)
5899 {
5900 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5901
5902 /* Set up any superblocks initialized prior to the policy load. */
5903 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5904 iterate_supers(delayed_superblock_init, NULL);
5905 }
5906
5907 /* SELinux requires early initialization in order to label
5908 all processes and objects when they are created. */
5909 security_initcall(selinux_init);
5910
5911 #if defined(CONFIG_NETFILTER)
5912
5913 static struct nf_hook_ops selinux_ipv4_ops[] = {
5914 {
5915 .hook = selinux_ipv4_postroute,
5916 .owner = THIS_MODULE,
5917 .pf = NFPROTO_IPV4,
5918 .hooknum = NF_INET_POST_ROUTING,
5919 .priority = NF_IP_PRI_SELINUX_LAST,
5920 },
5921 {
5922 .hook = selinux_ipv4_forward,
5923 .owner = THIS_MODULE,
5924 .pf = NFPROTO_IPV4,
5925 .hooknum = NF_INET_FORWARD,
5926 .priority = NF_IP_PRI_SELINUX_FIRST,
5927 },
5928 {
5929 .hook = selinux_ipv4_output,
5930 .owner = THIS_MODULE,
5931 .pf = NFPROTO_IPV4,
5932 .hooknum = NF_INET_LOCAL_OUT,
5933 .priority = NF_IP_PRI_SELINUX_FIRST,
5934 }
5935 };
5936
5937 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5938
5939 static struct nf_hook_ops selinux_ipv6_ops[] = {
5940 {
5941 .hook = selinux_ipv6_postroute,
5942 .owner = THIS_MODULE,
5943 .pf = NFPROTO_IPV6,
5944 .hooknum = NF_INET_POST_ROUTING,
5945 .priority = NF_IP6_PRI_SELINUX_LAST,
5946 },
5947 {
5948 .hook = selinux_ipv6_forward,
5949 .owner = THIS_MODULE,
5950 .pf = NFPROTO_IPV6,
5951 .hooknum = NF_INET_FORWARD,
5952 .priority = NF_IP6_PRI_SELINUX_FIRST,
5953 }
5954 };
5955
5956 #endif /* IPV6 */
5957
5958 static int __init selinux_nf_ip_init(void)
5959 {
5960 int err = 0;
5961
5962 if (!selinux_enabled)
5963 goto out;
5964
5965 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5966
5967 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5968 if (err)
5969 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5970
5971 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5972 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5973 if (err)
5974 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5975 #endif /* IPV6 */
5976
5977 out:
5978 return err;
5979 }
5980
5981 __initcall(selinux_nf_ip_init);
5982
5983 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5984 static void selinux_nf_ip_exit(void)
5985 {
5986 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5987
5988 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5989 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5990 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5991 #endif /* IPV6 */
5992 }
5993 #endif
5994
5995 #else /* CONFIG_NETFILTER */
5996
5997 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5998 #define selinux_nf_ip_exit()
5999 #endif
6000
6001 #endif /* CONFIG_NETFILTER */
6002
6003 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6004 static int selinux_disabled;
6005
6006 int selinux_disable(void)
6007 {
6008 if (ss_initialized) {
6009 /* Not permitted after initial policy load. */
6010 return -EINVAL;
6011 }
6012
6013 if (selinux_disabled) {
6014 /* Only do this once. */
6015 return -EINVAL;
6016 }
6017
6018 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6019
6020 selinux_disabled = 1;
6021 selinux_enabled = 0;
6022
6023 reset_security_ops();
6024
6025 /* Try to destroy the avc node cache */
6026 avc_disable();
6027
6028 /* Unregister netfilter hooks. */
6029 selinux_nf_ip_exit();
6030
6031 /* Unregister selinuxfs. */
6032 exit_sel_fs();
6033
6034 return 0;
6035 }
6036 #endif
kernel source for telekom puls (alcatel/mediatek)