57f14185cf18f1a36c60e545865f5472ef10e949
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h> /* for Unix socket types */
71 #include <net/af_unix.h> /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97
98 #define NUM_SEL_MNT_OPTS 5
99
100 extern struct security_operations *security_ops;
101
102 /* SECMARK reference count */
103 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
104
105 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
106 int selinux_enforcing;
107
108 static int __init enforcing_setup(char *str)
109 {
110 unsigned long enforcing;
111 if (!strict_strtoul(str, 0, &enforcing))
112 selinux_enforcing = enforcing ? 1 : 0;
113 return 1;
114 }
115 __setup("enforcing=", enforcing_setup);
116 #endif
117
118 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
119 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
120
121 static int __init selinux_enabled_setup(char *str)
122 {
123 unsigned long enabled;
124 if (!strict_strtoul(str, 0, &enabled))
125 selinux_enabled = enabled ? 1 : 0;
126 return 1;
127 }
128 __setup("selinux=", selinux_enabled_setup);
129 #else
130 int selinux_enabled = 1;
131 #endif
132
133 static struct kmem_cache *sel_inode_cache;
134
135 /**
136 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
137 *
138 * Description:
139 * This function checks the SECMARK reference counter to see if any SECMARK
140 * targets are currently configured, if the reference counter is greater than
141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
142 * enabled, false (0) if SECMARK is disabled.
143 *
144 */
145 static int selinux_secmark_enabled(void)
146 {
147 return (atomic_read(&selinux_secmark_refcount) > 0);
148 }
149
150 /*
151 * initialise the security for the init task
152 */
153 static void cred_init_security(void)
154 {
155 struct cred *cred = (struct cred *) current->real_cred;
156 struct task_security_struct *tsec;
157
158 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
159 if (!tsec)
160 panic("SELinux: Failed to initialize initial task.\n");
161
162 tsec->osid = tsec->sid = SECINITSID_KERNEL;
163 cred->security = tsec;
164 }
165
166 /*
167 * get the security ID of a set of credentials
168 */
169 static inline u32 cred_sid(const struct cred *cred)
170 {
171 const struct task_security_struct *tsec;
172
173 tsec = cred->security;
174 return tsec->sid;
175 }
176
177 /*
178 * get the objective security ID of a task
179 */
180 static inline u32 task_sid(const struct task_struct *task)
181 {
182 u32 sid;
183
184 rcu_read_lock();
185 sid = cred_sid(__task_cred(task));
186 rcu_read_unlock();
187 return sid;
188 }
189
190 /*
191 * get the subjective security ID of the current task
192 */
193 static inline u32 current_sid(void)
194 {
195 const struct task_security_struct *tsec = current_security();
196
197 return tsec->sid;
198 }
199
200 /* Allocate and free functions for each kind of security blob. */
201
202 static int inode_alloc_security(struct inode *inode)
203 {
204 struct inode_security_struct *isec;
205 u32 sid = current_sid();
206
207 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
208 if (!isec)
209 return -ENOMEM;
210
211 mutex_init(&isec->lock);
212 INIT_LIST_HEAD(&isec->list);
213 isec->inode = inode;
214 isec->sid = SECINITSID_UNLABELED;
215 isec->sclass = SECCLASS_FILE;
216 isec->task_sid = sid;
217 inode->i_security = isec;
218
219 return 0;
220 }
221
222 static void inode_free_security(struct inode *inode)
223 {
224 struct inode_security_struct *isec = inode->i_security;
225 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
226
227 spin_lock(&sbsec->isec_lock);
228 if (!list_empty(&isec->list))
229 list_del_init(&isec->list);
230 spin_unlock(&sbsec->isec_lock);
231
232 inode->i_security = NULL;
233 kmem_cache_free(sel_inode_cache, isec);
234 }
235
236 static int file_alloc_security(struct file *file)
237 {
238 struct file_security_struct *fsec;
239 u32 sid = current_sid();
240
241 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
242 if (!fsec)
243 return -ENOMEM;
244
245 fsec->sid = sid;
246 fsec->fown_sid = sid;
247 file->f_security = fsec;
248
249 return 0;
250 }
251
252 static void file_free_security(struct file *file)
253 {
254 struct file_security_struct *fsec = file->f_security;
255 file->f_security = NULL;
256 kfree(fsec);
257 }
258
259 static int superblock_alloc_security(struct super_block *sb)
260 {
261 struct superblock_security_struct *sbsec;
262
263 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
264 if (!sbsec)
265 return -ENOMEM;
266
267 mutex_init(&sbsec->lock);
268 INIT_LIST_HEAD(&sbsec->isec_head);
269 spin_lock_init(&sbsec->isec_lock);
270 sbsec->sb = sb;
271 sbsec->sid = SECINITSID_UNLABELED;
272 sbsec->def_sid = SECINITSID_FILE;
273 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
274 sb->s_security = sbsec;
275
276 return 0;
277 }
278
279 static void superblock_free_security(struct super_block *sb)
280 {
281 struct superblock_security_struct *sbsec = sb->s_security;
282 sb->s_security = NULL;
283 kfree(sbsec);
284 }
285
286 /* The file system's label must be initialized prior to use. */
287
288 static const char *labeling_behaviors[6] = {
289 "uses xattr",
290 "uses transition SIDs",
291 "uses task SIDs",
292 "uses genfs_contexts",
293 "not configured for labeling",
294 "uses mountpoint labeling",
295 };
296
297 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
298
299 static inline int inode_doinit(struct inode *inode)
300 {
301 return inode_doinit_with_dentry(inode, NULL);
302 }
303
304 enum {
305 Opt_error = -1,
306 Opt_context = 1,
307 Opt_fscontext = 2,
308 Opt_defcontext = 3,
309 Opt_rootcontext = 4,
310 Opt_labelsupport = 5,
311 };
312
313 static const match_table_t tokens = {
314 {Opt_context, CONTEXT_STR "%s"},
315 {Opt_fscontext, FSCONTEXT_STR "%s"},
316 {Opt_defcontext, DEFCONTEXT_STR "%s"},
317 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
318 {Opt_labelsupport, LABELSUPP_STR},
319 {Opt_error, NULL},
320 };
321
322 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
323
324 static int may_context_mount_sb_relabel(u32 sid,
325 struct superblock_security_struct *sbsec,
326 const struct cred *cred)
327 {
328 const struct task_security_struct *tsec = cred->security;
329 int rc;
330
331 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
332 FILESYSTEM__RELABELFROM, NULL);
333 if (rc)
334 return rc;
335
336 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
337 FILESYSTEM__RELABELTO, NULL);
338 return rc;
339 }
340
341 static int may_context_mount_inode_relabel(u32 sid,
342 struct superblock_security_struct *sbsec,
343 const struct cred *cred)
344 {
345 const struct task_security_struct *tsec = cred->security;
346 int rc;
347 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELFROM, NULL);
349 if (rc)
350 return rc;
351
352 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
353 FILESYSTEM__ASSOCIATE, NULL);
354 return rc;
355 }
356
357 static int sb_finish_set_opts(struct super_block *sb)
358 {
359 struct superblock_security_struct *sbsec = sb->s_security;
360 struct dentry *root = sb->s_root;
361 struct inode *root_inode = root->d_inode;
362 int rc = 0;
363
364 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
365 /* Make sure that the xattr handler exists and that no
366 error other than -ENODATA is returned by getxattr on
367 the root directory. -ENODATA is ok, as this may be
368 the first boot of the SELinux kernel before we have
369 assigned xattr values to the filesystem. */
370 if (!root_inode->i_op->getxattr) {
371 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
372 "xattr support\n", sb->s_id, sb->s_type->name);
373 rc = -EOPNOTSUPP;
374 goto out;
375 }
376 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
377 if (rc < 0 && rc != -ENODATA) {
378 if (rc == -EOPNOTSUPP)
379 printk(KERN_WARNING "SELinux: (dev %s, type "
380 "%s) has no security xattr handler\n",
381 sb->s_id, sb->s_type->name);
382 else
383 printk(KERN_WARNING "SELinux: (dev %s, type "
384 "%s) getxattr errno %d\n", sb->s_id,
385 sb->s_type->name, -rc);
386 goto out;
387 }
388 }
389
390 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
391
392 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
393 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
394 sb->s_id, sb->s_type->name);
395 else
396 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
397 sb->s_id, sb->s_type->name,
398 labeling_behaviors[sbsec->behavior-1]);
399
400 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
401 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
402 sbsec->behavior == SECURITY_FS_USE_NONE ||
403 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
404 sbsec->flags &= ~SE_SBLABELSUPP;
405
406 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
407 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
408 sbsec->flags |= SE_SBLABELSUPP;
409
410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
412
413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418 next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
430 }
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
434 }
435 spin_unlock(&sbsec->isec_lock);
436 out:
437 return rc;
438 }
439
440 /*
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
444 */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446 struct security_mnt_opts *opts)
447 {
448 int rc = 0, i;
449 struct superblock_security_struct *sbsec = sb->s_security;
450 char *context = NULL;
451 u32 len;
452 char tmp;
453
454 security_init_mnt_opts(opts);
455
456 if (!(sbsec->flags & SE_SBINITIALIZED))
457 return -EINVAL;
458
459 if (!ss_initialized)
460 return -EINVAL;
461
462 tmp = sbsec->flags & SE_MNTMASK;
463 /* count the number of mount options for this sb */
464 for (i = 0; i < 8; i++) {
465 if (tmp & 0x01)
466 opts->num_mnt_opts++;
467 tmp >>= 1;
468 }
469 /* Check if the Label support flag is set */
470 if (sbsec->flags & SE_SBLABELSUPP)
471 opts->num_mnt_opts++;
472
473 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
474 if (!opts->mnt_opts) {
475 rc = -ENOMEM;
476 goto out_free;
477 }
478
479 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
480 if (!opts->mnt_opts_flags) {
481 rc = -ENOMEM;
482 goto out_free;
483 }
484
485 i = 0;
486 if (sbsec->flags & FSCONTEXT_MNT) {
487 rc = security_sid_to_context(sbsec->sid, &context, &len);
488 if (rc)
489 goto out_free;
490 opts->mnt_opts[i] = context;
491 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
492 }
493 if (sbsec->flags & CONTEXT_MNT) {
494 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
495 if (rc)
496 goto out_free;
497 opts->mnt_opts[i] = context;
498 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
499 }
500 if (sbsec->flags & DEFCONTEXT_MNT) {
501 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
502 if (rc)
503 goto out_free;
504 opts->mnt_opts[i] = context;
505 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
506 }
507 if (sbsec->flags & ROOTCONTEXT_MNT) {
508 struct inode *root = sbsec->sb->s_root->d_inode;
509 struct inode_security_struct *isec = root->i_security;
510
511 rc = security_sid_to_context(isec->sid, &context, &len);
512 if (rc)
513 goto out_free;
514 opts->mnt_opts[i] = context;
515 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
516 }
517 if (sbsec->flags & SE_SBLABELSUPP) {
518 opts->mnt_opts[i] = NULL;
519 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
520 }
521
522 BUG_ON(i != opts->num_mnt_opts);
523
524 return 0;
525
526 out_free:
527 security_free_mnt_opts(opts);
528 return rc;
529 }
530
531 static int bad_option(struct superblock_security_struct *sbsec, char flag,
532 u32 old_sid, u32 new_sid)
533 {
534 char mnt_flags = sbsec->flags & SE_MNTMASK;
535
536 /* check if the old mount command had the same options */
537 if (sbsec->flags & SE_SBINITIALIZED)
538 if (!(sbsec->flags & flag) ||
539 (old_sid != new_sid))
540 return 1;
541
542 /* check if we were passed the same options twice,
543 * aka someone passed context=a,context=b
544 */
545 if (!(sbsec->flags & SE_SBINITIALIZED))
546 if (mnt_flags & flag)
547 return 1;
548 return 0;
549 }
550
551 /*
552 * Allow filesystems with binary mount data to explicitly set mount point
553 * labeling information.
554 */
555 static int selinux_set_mnt_opts(struct super_block *sb,
556 struct security_mnt_opts *opts)
557 {
558 const struct cred *cred = current_cred();
559 int rc = 0, i;
560 struct superblock_security_struct *sbsec = sb->s_security;
561 const char *name = sb->s_type->name;
562 struct inode *inode = sbsec->sb->s_root->d_inode;
563 struct inode_security_struct *root_isec = inode->i_security;
564 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
565 u32 defcontext_sid = 0;
566 char **mount_options = opts->mnt_opts;
567 int *flags = opts->mnt_opts_flags;
568 int num_opts = opts->num_mnt_opts;
569
570 mutex_lock(&sbsec->lock);
571
572 if (!ss_initialized) {
573 if (!num_opts) {
574 /* Defer initialization until selinux_complete_init,
575 after the initial policy is loaded and the security
576 server is ready to handle calls. */
577 goto out;
578 }
579 rc = -EINVAL;
580 printk(KERN_WARNING "SELinux: Unable to set superblock options "
581 "before the security server is initialized\n");
582 goto out;
583 }
584
585 /*
586 * Binary mount data FS will come through this function twice. Once
587 * from an explicit call and once from the generic calls from the vfs.
588 * Since the generic VFS calls will not contain any security mount data
589 * we need to skip the double mount verification.
590 *
591 * This does open a hole in which we will not notice if the first
592 * mount using this sb set explict options and a second mount using
593 * this sb does not set any security options. (The first options
594 * will be used for both mounts)
595 */
596 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
597 && (num_opts == 0))
598 goto out;
599
600 /*
601 * parse the mount options, check if they are valid sids.
602 * also check if someone is trying to mount the same sb more
603 * than once with different security options.
604 */
605 for (i = 0; i < num_opts; i++) {
606 u32 sid;
607
608 if (flags[i] == SE_SBLABELSUPP)
609 continue;
610 rc = security_context_to_sid(mount_options[i],
611 strlen(mount_options[i]), &sid);
612 if (rc) {
613 printk(KERN_WARNING "SELinux: security_context_to_sid"
614 "(%s) failed for (dev %s, type %s) errno=%d\n",
615 mount_options[i], sb->s_id, name, rc);
616 goto out;
617 }
618 switch (flags[i]) {
619 case FSCONTEXT_MNT:
620 fscontext_sid = sid;
621
622 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
623 fscontext_sid))
624 goto out_double_mount;
625
626 sbsec->flags |= FSCONTEXT_MNT;
627 break;
628 case CONTEXT_MNT:
629 context_sid = sid;
630
631 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
632 context_sid))
633 goto out_double_mount;
634
635 sbsec->flags |= CONTEXT_MNT;
636 break;
637 case ROOTCONTEXT_MNT:
638 rootcontext_sid = sid;
639
640 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
641 rootcontext_sid))
642 goto out_double_mount;
643
644 sbsec->flags |= ROOTCONTEXT_MNT;
645
646 break;
647 case DEFCONTEXT_MNT:
648 defcontext_sid = sid;
649
650 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
651 defcontext_sid))
652 goto out_double_mount;
653
654 sbsec->flags |= DEFCONTEXT_MNT;
655
656 break;
657 default:
658 rc = -EINVAL;
659 goto out;
660 }
661 }
662
663 if (sbsec->flags & SE_SBINITIALIZED) {
664 /* previously mounted with options, but not on this attempt? */
665 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
666 goto out_double_mount;
667 rc = 0;
668 goto out;
669 }
670
671 if (strcmp(sb->s_type->name, "proc") == 0)
672 sbsec->flags |= SE_SBPROC;
673
674 /* Determine the labeling behavior to use for this filesystem type. */
675 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
676 if (rc) {
677 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
678 __func__, sb->s_type->name, rc);
679 goto out;
680 }
681
682 /* sets the context of the superblock for the fs being mounted. */
683 if (fscontext_sid) {
684 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
685 if (rc)
686 goto out;
687
688 sbsec->sid = fscontext_sid;
689 }
690
691 /*
692 * Switch to using mount point labeling behavior.
693 * sets the label used on all file below the mountpoint, and will set
694 * the superblock context if not already set.
695 */
696 if (context_sid) {
697 if (!fscontext_sid) {
698 rc = may_context_mount_sb_relabel(context_sid, sbsec,
699 cred);
700 if (rc)
701 goto out;
702 sbsec->sid = context_sid;
703 } else {
704 rc = may_context_mount_inode_relabel(context_sid, sbsec,
705 cred);
706 if (rc)
707 goto out;
708 }
709 if (!rootcontext_sid)
710 rootcontext_sid = context_sid;
711
712 sbsec->mntpoint_sid = context_sid;
713 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
714 }
715
716 if (rootcontext_sid) {
717 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
718 cred);
719 if (rc)
720 goto out;
721
722 root_isec->sid = rootcontext_sid;
723 root_isec->initialized = 1;
724 }
725
726 if (defcontext_sid) {
727 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
728 rc = -EINVAL;
729 printk(KERN_WARNING "SELinux: defcontext option is "
730 "invalid for this filesystem type\n");
731 goto out;
732 }
733
734 if (defcontext_sid != sbsec->def_sid) {
735 rc = may_context_mount_inode_relabel(defcontext_sid,
736 sbsec, cred);
737 if (rc)
738 goto out;
739 }
740
741 sbsec->def_sid = defcontext_sid;
742 }
743
744 rc = sb_finish_set_opts(sb);
745 out:
746 mutex_unlock(&sbsec->lock);
747 return rc;
748 out_double_mount:
749 rc = -EINVAL;
750 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
751 "security settings for (dev %s, type %s)\n", sb->s_id, name);
752 goto out;
753 }
754
755 static int selinux_cmp_sb_context(const struct super_block *oldsb,
756 const struct super_block *newsb)
757 {
758 struct superblock_security_struct *old = oldsb->s_security;
759 struct superblock_security_struct *new = newsb->s_security;
760 char oldflags = old->flags & SE_MNTMASK;
761 char newflags = new->flags & SE_MNTMASK;
762
763 if (oldflags != newflags)
764 goto mismatch;
765 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
766 goto mismatch;
767 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
768 goto mismatch;
769 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
770 goto mismatch;
771 if (oldflags & ROOTCONTEXT_MNT) {
772 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
773 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
774 if (oldroot->sid != newroot->sid)
775 goto mismatch;
776 }
777 return 0;
778 mismatch:
779 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
780 "different security settings for (dev %s, "
781 "type %s)\n", newsb->s_id, newsb->s_type->name);
782 return -EBUSY;
783 }
784
785 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786 struct super_block *newsb)
787 {
788 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789 struct superblock_security_struct *newsbsec = newsb->s_security;
790
791 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
792 int set_context = (oldsbsec->flags & CONTEXT_MNT);
793 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
794
795 /*
796 * if the parent was able to be mounted it clearly had no special lsm
797 * mount options. thus we can safely deal with this superblock later
798 */
799 if (!ss_initialized)
800 return 0;
801
802 /* how can we clone if the old one wasn't set up?? */
803 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
804
805 /* if fs is reusing a sb, make sure that the contexts match */
806 if (newsbsec->flags & SE_SBINITIALIZED)
807 return selinux_cmp_sb_context(oldsb, newsb);
808
809 mutex_lock(&newsbsec->lock);
810
811 newsbsec->flags = oldsbsec->flags;
812
813 newsbsec->sid = oldsbsec->sid;
814 newsbsec->def_sid = oldsbsec->def_sid;
815 newsbsec->behavior = oldsbsec->behavior;
816
817 if (set_context) {
818 u32 sid = oldsbsec->mntpoint_sid;
819
820 if (!set_fscontext)
821 newsbsec->sid = sid;
822 if (!set_rootcontext) {
823 struct inode *newinode = newsb->s_root->d_inode;
824 struct inode_security_struct *newisec = newinode->i_security;
825 newisec->sid = sid;
826 }
827 newsbsec->mntpoint_sid = sid;
828 }
829 if (set_rootcontext) {
830 const struct inode *oldinode = oldsb->s_root->d_inode;
831 const struct inode_security_struct *oldisec = oldinode->i_security;
832 struct inode *newinode = newsb->s_root->d_inode;
833 struct inode_security_struct *newisec = newinode->i_security;
834
835 newisec->sid = oldisec->sid;
836 }
837
838 sb_finish_set_opts(newsb);
839 mutex_unlock(&newsbsec->lock);
840 return 0;
841 }
842
843 static int selinux_parse_opts_str(char *options,
844 struct security_mnt_opts *opts)
845 {
846 char *p;
847 char *context = NULL, *defcontext = NULL;
848 char *fscontext = NULL, *rootcontext = NULL;
849 int rc, num_mnt_opts = 0;
850
851 opts->num_mnt_opts = 0;
852
853 /* Standard string-based options. */
854 while ((p = strsep(&options, "|")) != NULL) {
855 int token;
856 substring_t args[MAX_OPT_ARGS];
857
858 if (!*p)
859 continue;
860
861 token = match_token(p, tokens, args);
862
863 switch (token) {
864 case Opt_context:
865 if (context || defcontext) {
866 rc = -EINVAL;
867 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
868 goto out_err;
869 }
870 context = match_strdup(&args[0]);
871 if (!context) {
872 rc = -ENOMEM;
873 goto out_err;
874 }
875 break;
876
877 case Opt_fscontext:
878 if (fscontext) {
879 rc = -EINVAL;
880 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
881 goto out_err;
882 }
883 fscontext = match_strdup(&args[0]);
884 if (!fscontext) {
885 rc = -ENOMEM;
886 goto out_err;
887 }
888 break;
889
890 case Opt_rootcontext:
891 if (rootcontext) {
892 rc = -EINVAL;
893 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
894 goto out_err;
895 }
896 rootcontext = match_strdup(&args[0]);
897 if (!rootcontext) {
898 rc = -ENOMEM;
899 goto out_err;
900 }
901 break;
902
903 case Opt_defcontext:
904 if (context || defcontext) {
905 rc = -EINVAL;
906 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
907 goto out_err;
908 }
909 defcontext = match_strdup(&args[0]);
910 if (!defcontext) {
911 rc = -ENOMEM;
912 goto out_err;
913 }
914 break;
915 case Opt_labelsupport:
916 break;
917 default:
918 rc = -EINVAL;
919 printk(KERN_WARNING "SELinux: unknown mount option\n");
920 goto out_err;
921
922 }
923 }
924
925 rc = -ENOMEM;
926 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
927 if (!opts->mnt_opts)
928 goto out_err;
929
930 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
931 if (!opts->mnt_opts_flags) {
932 kfree(opts->mnt_opts);
933 goto out_err;
934 }
935
936 if (fscontext) {
937 opts->mnt_opts[num_mnt_opts] = fscontext;
938 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
939 }
940 if (context) {
941 opts->mnt_opts[num_mnt_opts] = context;
942 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
943 }
944 if (rootcontext) {
945 opts->mnt_opts[num_mnt_opts] = rootcontext;
946 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
947 }
948 if (defcontext) {
949 opts->mnt_opts[num_mnt_opts] = defcontext;
950 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
951 }
952
953 opts->num_mnt_opts = num_mnt_opts;
954 return 0;
955
956 out_err:
957 kfree(context);
958 kfree(defcontext);
959 kfree(fscontext);
960 kfree(rootcontext);
961 return rc;
962 }
963 /*
964 * string mount options parsing and call set the sbsec
965 */
966 static int superblock_doinit(struct super_block *sb, void *data)
967 {
968 int rc = 0;
969 char *options = data;
970 struct security_mnt_opts opts;
971
972 security_init_mnt_opts(&opts);
973
974 if (!data)
975 goto out;
976
977 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
978
979 rc = selinux_parse_opts_str(options, &opts);
980 if (rc)
981 goto out_err;
982
983 out:
984 rc = selinux_set_mnt_opts(sb, &opts);
985
986 out_err:
987 security_free_mnt_opts(&opts);
988 return rc;
989 }
990
991 static void selinux_write_opts(struct seq_file *m,
992 struct security_mnt_opts *opts)
993 {
994 int i;
995 char *prefix;
996
997 for (i = 0; i < opts->num_mnt_opts; i++) {
998 char *has_comma;
999
1000 if (opts->mnt_opts[i])
1001 has_comma = strchr(opts->mnt_opts[i], ',');
1002 else
1003 has_comma = NULL;
1004
1005 switch (opts->mnt_opts_flags[i]) {
1006 case CONTEXT_MNT:
1007 prefix = CONTEXT_STR;
1008 break;
1009 case FSCONTEXT_MNT:
1010 prefix = FSCONTEXT_STR;
1011 break;
1012 case ROOTCONTEXT_MNT:
1013 prefix = ROOTCONTEXT_STR;
1014 break;
1015 case DEFCONTEXT_MNT:
1016 prefix = DEFCONTEXT_STR;
1017 break;
1018 case SE_SBLABELSUPP:
1019 seq_putc(m, ',');
1020 seq_puts(m, LABELSUPP_STR);
1021 continue;
1022 default:
1023 BUG();
1024 return;
1025 };
1026 /* we need a comma before each option */
1027 seq_putc(m, ',');
1028 seq_puts(m, prefix);
1029 if (has_comma)
1030 seq_putc(m, '\"');
1031 seq_puts(m, opts->mnt_opts[i]);
1032 if (has_comma)
1033 seq_putc(m, '\"');
1034 }
1035 }
1036
1037 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1038 {
1039 struct security_mnt_opts opts;
1040 int rc;
1041
1042 rc = selinux_get_mnt_opts(sb, &opts);
1043 if (rc) {
1044 /* before policy load we may get EINVAL, don't show anything */
1045 if (rc == -EINVAL)
1046 rc = 0;
1047 return rc;
1048 }
1049
1050 selinux_write_opts(m, &opts);
1051
1052 security_free_mnt_opts(&opts);
1053
1054 return rc;
1055 }
1056
1057 static inline u16 inode_mode_to_security_class(umode_t mode)
1058 {
1059 switch (mode & S_IFMT) {
1060 case S_IFSOCK:
1061 return SECCLASS_SOCK_FILE;
1062 case S_IFLNK:
1063 return SECCLASS_LNK_FILE;
1064 case S_IFREG:
1065 return SECCLASS_FILE;
1066 case S_IFBLK:
1067 return SECCLASS_BLK_FILE;
1068 case S_IFDIR:
1069 return SECCLASS_DIR;
1070 case S_IFCHR:
1071 return SECCLASS_CHR_FILE;
1072 case S_IFIFO:
1073 return SECCLASS_FIFO_FILE;
1074
1075 }
1076
1077 return SECCLASS_FILE;
1078 }
1079
1080 static inline int default_protocol_stream(int protocol)
1081 {
1082 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1083 }
1084
1085 static inline int default_protocol_dgram(int protocol)
1086 {
1087 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1088 }
1089
1090 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1091 {
1092 switch (family) {
1093 case PF_UNIX:
1094 switch (type) {
1095 case SOCK_STREAM:
1096 case SOCK_SEQPACKET:
1097 return SECCLASS_UNIX_STREAM_SOCKET;
1098 case SOCK_DGRAM:
1099 return SECCLASS_UNIX_DGRAM_SOCKET;
1100 }
1101 break;
1102 case PF_INET:
1103 case PF_INET6:
1104 switch (type) {
1105 case SOCK_STREAM:
1106 if (default_protocol_stream(protocol))
1107 return SECCLASS_TCP_SOCKET;
1108 else
1109 return SECCLASS_RAWIP_SOCKET;
1110 case SOCK_DGRAM:
1111 if (default_protocol_dgram(protocol))
1112 return SECCLASS_UDP_SOCKET;
1113 else
1114 return SECCLASS_RAWIP_SOCKET;
1115 case SOCK_DCCP:
1116 return SECCLASS_DCCP_SOCKET;
1117 default:
1118 return SECCLASS_RAWIP_SOCKET;
1119 }
1120 break;
1121 case PF_NETLINK:
1122 switch (protocol) {
1123 case NETLINK_ROUTE:
1124 return SECCLASS_NETLINK_ROUTE_SOCKET;
1125 case NETLINK_FIREWALL:
1126 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1127 case NETLINK_SOCK_DIAG:
1128 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1129 case NETLINK_NFLOG:
1130 return SECCLASS_NETLINK_NFLOG_SOCKET;
1131 case NETLINK_XFRM:
1132 return SECCLASS_NETLINK_XFRM_SOCKET;
1133 case NETLINK_SELINUX:
1134 return SECCLASS_NETLINK_SELINUX_SOCKET;
1135 case NETLINK_AUDIT:
1136 return SECCLASS_NETLINK_AUDIT_SOCKET;
1137 case NETLINK_IP6_FW:
1138 return SECCLASS_NETLINK_IP6FW_SOCKET;
1139 case NETLINK_DNRTMSG:
1140 return SECCLASS_NETLINK_DNRT_SOCKET;
1141 case NETLINK_KOBJECT_UEVENT:
1142 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1143 default:
1144 return SECCLASS_NETLINK_SOCKET;
1145 }
1146 case PF_PACKET:
1147 return SECCLASS_PACKET_SOCKET;
1148 case PF_KEY:
1149 return SECCLASS_KEY_SOCKET;
1150 case PF_APPLETALK:
1151 return SECCLASS_APPLETALK_SOCKET;
1152 }
1153
1154 return SECCLASS_SOCKET;
1155 }
1156
1157 #ifdef CONFIG_PROC_FS
1158 static int selinux_proc_get_sid(struct dentry *dentry,
1159 u16 tclass,
1160 u32 *sid)
1161 {
1162 int rc;
1163 char *buffer, *path;
1164
1165 buffer = (char *)__get_free_page(GFP_KERNEL);
1166 if (!buffer)
1167 return -ENOMEM;
1168
1169 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1170 if (IS_ERR(path))
1171 rc = PTR_ERR(path);
1172 else {
1173 /* each process gets a /proc/PID/ entry. Strip off the
1174 * PID part to get a valid selinux labeling.
1175 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1176 while (path[1] >= '0' && path[1] <= '9') {
1177 path[1] = '/';
1178 path++;
1179 }
1180 rc = security_genfs_sid("proc", path, tclass, sid);
1181 }
1182 free_page((unsigned long)buffer);
1183 return rc;
1184 }
1185 #else
1186 static int selinux_proc_get_sid(struct dentry *dentry,
1187 u16 tclass,
1188 u32 *sid)
1189 {
1190 return -EINVAL;
1191 }
1192 #endif
1193
1194 /* The inode's security attributes must be initialized before first use. */
1195 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1196 {
1197 struct superblock_security_struct *sbsec = NULL;
1198 struct inode_security_struct *isec = inode->i_security;
1199 u32 sid;
1200 struct dentry *dentry;
1201 #define INITCONTEXTLEN 255
1202 char *context = NULL;
1203 unsigned len = 0;
1204 int rc = 0;
1205
1206 if (isec->initialized)
1207 goto out;
1208
1209 mutex_lock(&isec->lock);
1210 if (isec->initialized)
1211 goto out_unlock;
1212
1213 sbsec = inode->i_sb->s_security;
1214 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1215 /* Defer initialization until selinux_complete_init,
1216 after the initial policy is loaded and the security
1217 server is ready to handle calls. */
1218 spin_lock(&sbsec->isec_lock);
1219 if (list_empty(&isec->list))
1220 list_add(&isec->list, &sbsec->isec_head);
1221 spin_unlock(&sbsec->isec_lock);
1222 goto out_unlock;
1223 }
1224
1225 switch (sbsec->behavior) {
1226 case SECURITY_FS_USE_XATTR:
1227 if (!inode->i_op->getxattr) {
1228 isec->sid = sbsec->def_sid;
1229 break;
1230 }
1231
1232 /* Need a dentry, since the xattr API requires one.
1233 Life would be simpler if we could just pass the inode. */
1234 if (opt_dentry) {
1235 /* Called from d_instantiate or d_splice_alias. */
1236 dentry = dget(opt_dentry);
1237 } else {
1238 /* Called from selinux_complete_init, try to find a dentry. */
1239 dentry = d_find_alias(inode);
1240 }
1241 if (!dentry) {
1242 /*
1243 * this is can be hit on boot when a file is accessed
1244 * before the policy is loaded. When we load policy we
1245 * may find inodes that have no dentry on the
1246 * sbsec->isec_head list. No reason to complain as these
1247 * will get fixed up the next time we go through
1248 * inode_doinit with a dentry, before these inodes could
1249 * be used again by userspace.
1250 */
1251 goto out_unlock;
1252 }
1253
1254 len = INITCONTEXTLEN;
1255 context = kmalloc(len+1, GFP_NOFS);
1256 if (!context) {
1257 rc = -ENOMEM;
1258 dput(dentry);
1259 goto out_unlock;
1260 }
1261 context[len] = '\0';
1262 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1263 context, len);
1264 if (rc == -ERANGE) {
1265 kfree(context);
1266
1267 /* Need a larger buffer. Query for the right size. */
1268 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1269 NULL, 0);
1270 if (rc < 0) {
1271 dput(dentry);
1272 goto out_unlock;
1273 }
1274 len = rc;
1275 context = kmalloc(len+1, GFP_NOFS);
1276 if (!context) {
1277 rc = -ENOMEM;
1278 dput(dentry);
1279 goto out_unlock;
1280 }
1281 context[len] = '\0';
1282 rc = inode->i_op->getxattr(dentry,
1283 XATTR_NAME_SELINUX,
1284 context, len);
1285 }
1286 dput(dentry);
1287 if (rc < 0) {
1288 if (rc != -ENODATA) {
1289 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1290 "%d for dev=%s ino=%ld\n", __func__,
1291 -rc, inode->i_sb->s_id, inode->i_ino);
1292 kfree(context);
1293 goto out_unlock;
1294 }
1295 /* Map ENODATA to the default file SID */
1296 sid = sbsec->def_sid;
1297 rc = 0;
1298 } else {
1299 rc = security_context_to_sid_default(context, rc, &sid,
1300 sbsec->def_sid,
1301 GFP_NOFS);
1302 if (rc) {
1303 char *dev = inode->i_sb->s_id;
1304 unsigned long ino = inode->i_ino;
1305
1306 if (rc == -EINVAL) {
1307 if (printk_ratelimit())
1308 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1309 "context=%s. This indicates you may need to relabel the inode or the "
1310 "filesystem in question.\n", ino, dev, context);
1311 } else {
1312 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1313 "returned %d for dev=%s ino=%ld\n",
1314 __func__, context, -rc, dev, ino);
1315 }
1316 kfree(context);
1317 /* Leave with the unlabeled SID */
1318 rc = 0;
1319 break;
1320 }
1321 }
1322 kfree(context);
1323 isec->sid = sid;
1324 break;
1325 case SECURITY_FS_USE_TASK:
1326 isec->sid = isec->task_sid;
1327 break;
1328 case SECURITY_FS_USE_TRANS:
1329 /* Default to the fs SID. */
1330 isec->sid = sbsec->sid;
1331
1332 /* Try to obtain a transition SID. */
1333 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1334 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1335 isec->sclass, NULL, &sid);
1336 if (rc)
1337 goto out_unlock;
1338 isec->sid = sid;
1339 break;
1340 case SECURITY_FS_USE_MNTPOINT:
1341 isec->sid = sbsec->mntpoint_sid;
1342 break;
1343 default:
1344 /* Default to the fs superblock SID. */
1345 isec->sid = sbsec->sid;
1346
1347 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1348 if (opt_dentry) {
1349 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1350 rc = selinux_proc_get_sid(opt_dentry,
1351 isec->sclass,
1352 &sid);
1353 if (rc)
1354 goto out_unlock;
1355 isec->sid = sid;
1356 }
1357 }
1358 break;
1359 }
1360
1361 isec->initialized = 1;
1362
1363 out_unlock:
1364 mutex_unlock(&isec->lock);
1365 out:
1366 if (isec->sclass == SECCLASS_FILE)
1367 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1368 return rc;
1369 }
1370
1371 /* Convert a Linux signal to an access vector. */
1372 static inline u32 signal_to_av(int sig)
1373 {
1374 u32 perm = 0;
1375
1376 switch (sig) {
1377 case SIGCHLD:
1378 /* Commonly granted from child to parent. */
1379 perm = PROCESS__SIGCHLD;
1380 break;
1381 case SIGKILL:
1382 /* Cannot be caught or ignored */
1383 perm = PROCESS__SIGKILL;
1384 break;
1385 case SIGSTOP:
1386 /* Cannot be caught or ignored */
1387 perm = PROCESS__SIGSTOP;
1388 break;
1389 default:
1390 /* All other signals. */
1391 perm = PROCESS__SIGNAL;
1392 break;
1393 }
1394
1395 return perm;
1396 }
1397
1398 /*
1399 * Check permission between a pair of credentials
1400 * fork check, ptrace check, etc.
1401 */
1402 static int cred_has_perm(const struct cred *actor,
1403 const struct cred *target,
1404 u32 perms)
1405 {
1406 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1407
1408 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1409 }
1410
1411 /*
1412 * Check permission between a pair of tasks, e.g. signal checks,
1413 * fork check, ptrace check, etc.
1414 * tsk1 is the actor and tsk2 is the target
1415 * - this uses the default subjective creds of tsk1
1416 */
1417 static int task_has_perm(const struct task_struct *tsk1,
1418 const struct task_struct *tsk2,
1419 u32 perms)
1420 {
1421 const struct task_security_struct *__tsec1, *__tsec2;
1422 u32 sid1, sid2;
1423
1424 rcu_read_lock();
1425 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1426 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1427 rcu_read_unlock();
1428 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1429 }
1430
1431 /*
1432 * Check permission between current and another task, e.g. signal checks,
1433 * fork check, ptrace check, etc.
1434 * current is the actor and tsk2 is the target
1435 * - this uses current's subjective creds
1436 */
1437 static int current_has_perm(const struct task_struct *tsk,
1438 u32 perms)
1439 {
1440 u32 sid, tsid;
1441
1442 sid = current_sid();
1443 tsid = task_sid(tsk);
1444 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1445 }
1446
1447 #if CAP_LAST_CAP > 63
1448 #error Fix SELinux to handle capabilities > 63.
1449 #endif
1450
1451 /* Check whether a task is allowed to use a capability. */
1452 static int cred_has_capability(const struct cred *cred,
1453 int cap, int audit)
1454 {
1455 struct common_audit_data ad;
1456 struct av_decision avd;
1457 u16 sclass;
1458 u32 sid = cred_sid(cred);
1459 u32 av = CAP_TO_MASK(cap);
1460 int rc;
1461
1462 ad.type = LSM_AUDIT_DATA_CAP;
1463 ad.u.cap = cap;
1464
1465 switch (CAP_TO_INDEX(cap)) {
1466 case 0:
1467 sclass = SECCLASS_CAPABILITY;
1468 break;
1469 case 1:
1470 sclass = SECCLASS_CAPABILITY2;
1471 break;
1472 default:
1473 printk(KERN_ERR
1474 "SELinux: out of range capability %d\n", cap);
1475 BUG();
1476 return -EINVAL;
1477 }
1478
1479 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1480 if (audit == SECURITY_CAP_AUDIT) {
1481 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1482 if (rc2)
1483 return rc2;
1484 }
1485 return rc;
1486 }
1487
1488 /* Check whether a task is allowed to use a system operation. */
1489 static int task_has_system(struct task_struct *tsk,
1490 u32 perms)
1491 {
1492 u32 sid = task_sid(tsk);
1493
1494 return avc_has_perm(sid, SECINITSID_KERNEL,
1495 SECCLASS_SYSTEM, perms, NULL);
1496 }
1497
1498 /* Check whether a task has a particular permission to an inode.
1499 The 'adp' parameter is optional and allows other audit
1500 data to be passed (e.g. the dentry). */
1501 static int inode_has_perm(const struct cred *cred,
1502 struct inode *inode,
1503 u32 perms,
1504 struct common_audit_data *adp,
1505 unsigned flags)
1506 {
1507 struct inode_security_struct *isec;
1508 u32 sid;
1509
1510 validate_creds(cred);
1511
1512 if (unlikely(IS_PRIVATE(inode)))
1513 return 0;
1514
1515 sid = cred_sid(cred);
1516 isec = inode->i_security;
1517
1518 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1519 }
1520
1521 /* Same as inode_has_perm, but pass explicit audit data containing
1522 the dentry to help the auditing code to more easily generate the
1523 pathname if needed. */
1524 static inline int dentry_has_perm(const struct cred *cred,
1525 struct dentry *dentry,
1526 u32 av)
1527 {
1528 struct inode *inode = dentry->d_inode;
1529 struct common_audit_data ad;
1530
1531 ad.type = LSM_AUDIT_DATA_DENTRY;
1532 ad.u.dentry = dentry;
1533 return inode_has_perm(cred, inode, av, &ad, 0);
1534 }
1535
1536 /* Same as inode_has_perm, but pass explicit audit data containing
1537 the path to help the auditing code to more easily generate the
1538 pathname if needed. */
1539 static inline int path_has_perm(const struct cred *cred,
1540 struct path *path,
1541 u32 av)
1542 {
1543 struct inode *inode = path->dentry->d_inode;
1544 struct common_audit_data ad;
1545
1546 ad.type = LSM_AUDIT_DATA_PATH;
1547 ad.u.path = *path;
1548 return inode_has_perm(cred, inode, av, &ad, 0);
1549 }
1550
1551 /* Check whether a task can use an open file descriptor to
1552 access an inode in a given way. Check access to the
1553 descriptor itself, and then use dentry_has_perm to
1554 check a particular permission to the file.
1555 Access to the descriptor is implicitly granted if it
1556 has the same SID as the process. If av is zero, then
1557 access to the file is not checked, e.g. for cases
1558 where only the descriptor is affected like seek. */
1559 static int file_has_perm(const struct cred *cred,
1560 struct file *file,
1561 u32 av)
1562 {
1563 struct file_security_struct *fsec = file->f_security;
1564 struct inode *inode = file_inode(file);
1565 struct common_audit_data ad;
1566 u32 sid = cred_sid(cred);
1567 int rc;
1568
1569 ad.type = LSM_AUDIT_DATA_PATH;
1570 ad.u.path = file->f_path;
1571
1572 if (sid != fsec->sid) {
1573 rc = avc_has_perm(sid, fsec->sid,
1574 SECCLASS_FD,
1575 FD__USE,
1576 &ad);
1577 if (rc)
1578 goto out;
1579 }
1580
1581 /* av is zero if only checking access to the descriptor. */
1582 rc = 0;
1583 if (av)
1584 rc = inode_has_perm(cred, inode, av, &ad, 0);
1585
1586 out:
1587 return rc;
1588 }
1589
1590 /* Check whether a task can create a file. */
1591 static int may_create(struct inode *dir,
1592 struct dentry *dentry,
1593 u16 tclass)
1594 {
1595 const struct task_security_struct *tsec = current_security();
1596 struct inode_security_struct *dsec;
1597 struct superblock_security_struct *sbsec;
1598 u32 sid, newsid;
1599 struct common_audit_data ad;
1600 int rc;
1601
1602 dsec = dir->i_security;
1603 sbsec = dir->i_sb->s_security;
1604
1605 sid = tsec->sid;
1606 newsid = tsec->create_sid;
1607
1608 ad.type = LSM_AUDIT_DATA_DENTRY;
1609 ad.u.dentry = dentry;
1610
1611 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1612 DIR__ADD_NAME | DIR__SEARCH,
1613 &ad);
1614 if (rc)
1615 return rc;
1616
1617 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1618 rc = security_transition_sid(sid, dsec->sid, tclass,
1619 &dentry->d_name, &newsid);
1620 if (rc)
1621 return rc;
1622 }
1623
1624 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1625 if (rc)
1626 return rc;
1627
1628 return avc_has_perm(newsid, sbsec->sid,
1629 SECCLASS_FILESYSTEM,
1630 FILESYSTEM__ASSOCIATE, &ad);
1631 }
1632
1633 /* Check whether a task can create a key. */
1634 static int may_create_key(u32 ksid,
1635 struct task_struct *ctx)
1636 {
1637 u32 sid = task_sid(ctx);
1638
1639 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1640 }
1641
1642 #define MAY_LINK 0
1643 #define MAY_UNLINK 1
1644 #define MAY_RMDIR 2
1645
1646 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1647 static int may_link(struct inode *dir,
1648 struct dentry *dentry,
1649 int kind)
1650
1651 {
1652 struct inode_security_struct *dsec, *isec;
1653 struct common_audit_data ad;
1654 u32 sid = current_sid();
1655 u32 av;
1656 int rc;
1657
1658 dsec = dir->i_security;
1659 isec = dentry->d_inode->i_security;
1660
1661 ad.type = LSM_AUDIT_DATA_DENTRY;
1662 ad.u.dentry = dentry;
1663
1664 av = DIR__SEARCH;
1665 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1666 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1667 if (rc)
1668 return rc;
1669
1670 switch (kind) {
1671 case MAY_LINK:
1672 av = FILE__LINK;
1673 break;
1674 case MAY_UNLINK:
1675 av = FILE__UNLINK;
1676 break;
1677 case MAY_RMDIR:
1678 av = DIR__RMDIR;
1679 break;
1680 default:
1681 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1682 __func__, kind);
1683 return 0;
1684 }
1685
1686 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1687 return rc;
1688 }
1689
1690 static inline int may_rename(struct inode *old_dir,
1691 struct dentry *old_dentry,
1692 struct inode *new_dir,
1693 struct dentry *new_dentry)
1694 {
1695 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1696 struct common_audit_data ad;
1697 u32 sid = current_sid();
1698 u32 av;
1699 int old_is_dir, new_is_dir;
1700 int rc;
1701
1702 old_dsec = old_dir->i_security;
1703 old_isec = old_dentry->d_inode->i_security;
1704 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1705 new_dsec = new_dir->i_security;
1706
1707 ad.type = LSM_AUDIT_DATA_DENTRY;
1708
1709 ad.u.dentry = old_dentry;
1710 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1711 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1712 if (rc)
1713 return rc;
1714 rc = avc_has_perm(sid, old_isec->sid,
1715 old_isec->sclass, FILE__RENAME, &ad);
1716 if (rc)
1717 return rc;
1718 if (old_is_dir && new_dir != old_dir) {
1719 rc = avc_has_perm(sid, old_isec->sid,
1720 old_isec->sclass, DIR__REPARENT, &ad);
1721 if (rc)
1722 return rc;
1723 }
1724
1725 ad.u.dentry = new_dentry;
1726 av = DIR__ADD_NAME | DIR__SEARCH;
1727 if (new_dentry->d_inode)
1728 av |= DIR__REMOVE_NAME;
1729 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1730 if (rc)
1731 return rc;
1732 if (new_dentry->d_inode) {
1733 new_isec = new_dentry->d_inode->i_security;
1734 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1735 rc = avc_has_perm(sid, new_isec->sid,
1736 new_isec->sclass,
1737 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1738 if (rc)
1739 return rc;
1740 }
1741
1742 return 0;
1743 }
1744
1745 /* Check whether a task can perform a filesystem operation. */
1746 static int superblock_has_perm(const struct cred *cred,
1747 struct super_block *sb,
1748 u32 perms,
1749 struct common_audit_data *ad)
1750 {
1751 struct superblock_security_struct *sbsec;
1752 u32 sid = cred_sid(cred);
1753
1754 sbsec = sb->s_security;
1755 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1756 }
1757
1758 /* Convert a Linux mode and permission mask to an access vector. */
1759 static inline u32 file_mask_to_av(int mode, int mask)
1760 {
1761 u32 av = 0;
1762
1763 if (!S_ISDIR(mode)) {
1764 if (mask & MAY_EXEC)
1765 av |= FILE__EXECUTE;
1766 if (mask & MAY_READ)
1767 av |= FILE__READ;
1768
1769 if (mask & MAY_APPEND)
1770 av |= FILE__APPEND;
1771 else if (mask & MAY_WRITE)
1772 av |= FILE__WRITE;
1773
1774 } else {
1775 if (mask & MAY_EXEC)
1776 av |= DIR__SEARCH;
1777 if (mask & MAY_WRITE)
1778 av |= DIR__WRITE;
1779 if (mask & MAY_READ)
1780 av |= DIR__READ;
1781 }
1782
1783 return av;
1784 }
1785
1786 /* Convert a Linux file to an access vector. */
1787 static inline u32 file_to_av(struct file *file)
1788 {
1789 u32 av = 0;
1790
1791 if (file->f_mode & FMODE_READ)
1792 av |= FILE__READ;
1793 if (file->f_mode & FMODE_WRITE) {
1794 if (file->f_flags & O_APPEND)
1795 av |= FILE__APPEND;
1796 else
1797 av |= FILE__WRITE;
1798 }
1799 if (!av) {
1800 /*
1801 * Special file opened with flags 3 for ioctl-only use.
1802 */
1803 av = FILE__IOCTL;
1804 }
1805
1806 return av;
1807 }
1808
1809 /*
1810 * Convert a file to an access vector and include the correct open
1811 * open permission.
1812 */
1813 static inline u32 open_file_to_av(struct file *file)
1814 {
1815 u32 av = file_to_av(file);
1816
1817 if (selinux_policycap_openperm)
1818 av |= FILE__OPEN;
1819
1820 return av;
1821 }
1822
1823 /* Hook functions begin here. */
1824
1825 static int selinux_ptrace_access_check(struct task_struct *child,
1826 unsigned int mode)
1827 {
1828 int rc;
1829
1830 rc = cap_ptrace_access_check(child, mode);
1831 if (rc)
1832 return rc;
1833
1834 if (mode & PTRACE_MODE_READ) {
1835 u32 sid = current_sid();
1836 u32 csid = task_sid(child);
1837 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1838 }
1839
1840 return current_has_perm(child, PROCESS__PTRACE);
1841 }
1842
1843 static int selinux_ptrace_traceme(struct task_struct *parent)
1844 {
1845 int rc;
1846
1847 rc = cap_ptrace_traceme(parent);
1848 if (rc)
1849 return rc;
1850
1851 return task_has_perm(parent, current, PROCESS__PTRACE);
1852 }
1853
1854 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1855 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1856 {
1857 int error;
1858
1859 error = current_has_perm(target, PROCESS__GETCAP);
1860 if (error)
1861 return error;
1862
1863 return cap_capget(target, effective, inheritable, permitted);
1864 }
1865
1866 static int selinux_capset(struct cred *new, const struct cred *old,
1867 const kernel_cap_t *effective,
1868 const kernel_cap_t *inheritable,
1869 const kernel_cap_t *permitted)
1870 {
1871 int error;
1872
1873 error = cap_capset(new, old,
1874 effective, inheritable, permitted);
1875 if (error)
1876 return error;
1877
1878 return cred_has_perm(old, new, PROCESS__SETCAP);
1879 }
1880
1881 /*
1882 * (This comment used to live with the selinux_task_setuid hook,
1883 * which was removed).
1884 *
1885 * Since setuid only affects the current process, and since the SELinux
1886 * controls are not based on the Linux identity attributes, SELinux does not
1887 * need to control this operation. However, SELinux does control the use of
1888 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1889 */
1890
1891 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1892 int cap, int audit)
1893 {
1894 int rc;
1895
1896 rc = cap_capable(cred, ns, cap, audit);
1897 if (rc)
1898 return rc;
1899
1900 return cred_has_capability(cred, cap, audit);
1901 }
1902
1903 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1904 {
1905 const struct cred *cred = current_cred();
1906 int rc = 0;
1907
1908 if (!sb)
1909 return 0;
1910
1911 switch (cmds) {
1912 case Q_SYNC:
1913 case Q_QUOTAON:
1914 case Q_QUOTAOFF:
1915 case Q_SETINFO:
1916 case Q_SETQUOTA:
1917 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1918 break;
1919 case Q_GETFMT:
1920 case Q_GETINFO:
1921 case Q_GETQUOTA:
1922 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1923 break;
1924 default:
1925 rc = 0; /* let the kernel handle invalid cmds */
1926 break;
1927 }
1928 return rc;
1929 }
1930
1931 static int selinux_quota_on(struct dentry *dentry)
1932 {
1933 const struct cred *cred = current_cred();
1934
1935 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1936 }
1937
1938 static int selinux_syslog(int type)
1939 {
1940 int rc;
1941
1942 switch (type) {
1943 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1944 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1945 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1946 break;
1947 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1948 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1949 /* Set level of messages printed to console */
1950 case SYSLOG_ACTION_CONSOLE_LEVEL:
1951 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1952 break;
1953 case SYSLOG_ACTION_CLOSE: /* Close log */
1954 case SYSLOG_ACTION_OPEN: /* Open log */
1955 case SYSLOG_ACTION_READ: /* Read from log */
1956 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1957 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1958 default:
1959 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1960 break;
1961 }
1962 return rc;
1963 }
1964
1965 /*
1966 * Check that a process has enough memory to allocate a new virtual
1967 * mapping. 0 means there is enough memory for the allocation to
1968 * succeed and -ENOMEM implies there is not.
1969 *
1970 * Do not audit the selinux permission check, as this is applied to all
1971 * processes that allocate mappings.
1972 */
1973 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1974 {
1975 int rc, cap_sys_admin = 0;
1976
1977 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1978 SECURITY_CAP_NOAUDIT);
1979 if (rc == 0)
1980 cap_sys_admin = 1;
1981
1982 return __vm_enough_memory(mm, pages, cap_sys_admin);
1983 }
1984
1985 /* binprm security operations */
1986
1987 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1988 {
1989 const struct task_security_struct *old_tsec;
1990 struct task_security_struct *new_tsec;
1991 struct inode_security_struct *isec;
1992 struct common_audit_data ad;
1993 struct inode *inode = file_inode(bprm->file);
1994 int rc;
1995
1996 rc = cap_bprm_set_creds(bprm);
1997 if (rc)
1998 return rc;
1999
2000 /* SELinux context only depends on initial program or script and not
2001 * the script interpreter */
2002 if (bprm->cred_prepared)
2003 return 0;
2004
2005 old_tsec = current_security();
2006 new_tsec = bprm->cred->security;
2007 isec = inode->i_security;
2008
2009 /* Default to the current task SID. */
2010 new_tsec->sid = old_tsec->sid;
2011 new_tsec->osid = old_tsec->sid;
2012
2013 /* Reset fs, key, and sock SIDs on execve. */
2014 new_tsec->create_sid = 0;
2015 new_tsec->keycreate_sid = 0;
2016 new_tsec->sockcreate_sid = 0;
2017
2018 if (old_tsec->exec_sid) {
2019 new_tsec->sid = old_tsec->exec_sid;
2020 /* Reset exec SID on execve. */
2021 new_tsec->exec_sid = 0;
2022
2023 /*
2024 * Minimize confusion: if no_new_privs and a transition is
2025 * explicitly requested, then fail the exec.
2026 */
2027 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2028 return -EPERM;
2029 } else {
2030 /* Check for a default transition on this program. */
2031 rc = security_transition_sid(old_tsec->sid, isec->sid,
2032 SECCLASS_PROCESS, NULL,
2033 &new_tsec->sid);
2034 if (rc)
2035 return rc;
2036 }
2037
2038 ad.type = LSM_AUDIT_DATA_PATH;
2039 ad.u.path = bprm->file->f_path;
2040
2041 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2042 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2043 new_tsec->sid = old_tsec->sid;
2044
2045 if (new_tsec->sid == old_tsec->sid) {
2046 rc = avc_has_perm(old_tsec->sid, isec->sid,
2047 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2048 if (rc)
2049 return rc;
2050 } else {
2051 /* Check permissions for the transition. */
2052 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2053 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2054 if (rc)
2055 return rc;
2056
2057 rc = avc_has_perm(new_tsec->sid, isec->sid,
2058 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2059 if (rc)
2060 return rc;
2061
2062 /* Check for shared state */
2063 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2064 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2065 SECCLASS_PROCESS, PROCESS__SHARE,
2066 NULL);
2067 if (rc)
2068 return -EPERM;
2069 }
2070
2071 /* Make sure that anyone attempting to ptrace over a task that
2072 * changes its SID has the appropriate permit */
2073 if (bprm->unsafe &
2074 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2075 struct task_struct *tracer;
2076 struct task_security_struct *sec;
2077 u32 ptsid = 0;
2078
2079 rcu_read_lock();
2080 tracer = ptrace_parent(current);
2081 if (likely(tracer != NULL)) {
2082 sec = __task_cred(tracer)->security;
2083 ptsid = sec->sid;
2084 }
2085 rcu_read_unlock();
2086
2087 if (ptsid != 0) {
2088 rc = avc_has_perm(ptsid, new_tsec->sid,
2089 SECCLASS_PROCESS,
2090 PROCESS__PTRACE, NULL);
2091 if (rc)
2092 return -EPERM;
2093 }
2094 }
2095
2096 /* Clear any possibly unsafe personality bits on exec: */
2097 bprm->per_clear |= PER_CLEAR_ON_SETID;
2098 }
2099
2100 return 0;
2101 }
2102
2103 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2104 {
2105 const struct task_security_struct *tsec = current_security();
2106 u32 sid, osid;
2107 int atsecure = 0;
2108
2109 sid = tsec->sid;
2110 osid = tsec->osid;
2111
2112 if (osid != sid) {
2113 /* Enable secure mode for SIDs transitions unless
2114 the noatsecure permission is granted between
2115 the two SIDs, i.e. ahp returns 0. */
2116 atsecure = avc_has_perm(osid, sid,
2117 SECCLASS_PROCESS,
2118 PROCESS__NOATSECURE, NULL);
2119 }
2120
2121 return (atsecure || cap_bprm_secureexec(bprm));
2122 }
2123
2124 static int match_file(const void *p, struct file *file, unsigned fd)
2125 {
2126 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2127 }
2128
2129 /* Derived from fs/exec.c:flush_old_files. */
2130 static inline void flush_unauthorized_files(const struct cred *cred,
2131 struct files_struct *files)
2132 {
2133 struct file *file, *devnull = NULL;
2134 struct tty_struct *tty;
2135 int drop_tty = 0;
2136 unsigned n;
2137
2138 tty = get_current_tty();
2139 if (tty) {
2140 spin_lock(&tty_files_lock);
2141 if (!list_empty(&tty->tty_files)) {
2142 struct tty_file_private *file_priv;
2143
2144 /* Revalidate access to controlling tty.
2145 Use path_has_perm on the tty path directly rather
2146 than using file_has_perm, as this particular open
2147 file may belong to another process and we are only
2148 interested in the inode-based check here. */
2149 file_priv = list_first_entry(&tty->tty_files,
2150 struct tty_file_private, list);
2151 file = file_priv->file;
2152 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2153 drop_tty = 1;
2154 }
2155 spin_unlock(&tty_files_lock);
2156 tty_kref_put(tty);
2157 }
2158 /* Reset controlling tty. */
2159 if (drop_tty)
2160 no_tty();
2161
2162 /* Revalidate access to inherited open files. */
2163 n = iterate_fd(files, 0, match_file, cred);
2164 if (!n) /* none found? */
2165 return;
2166
2167 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2168 if (IS_ERR(devnull))
2169 devnull = NULL;
2170 /* replace all the matching ones with this */
2171 do {
2172 replace_fd(n - 1, devnull, 0);
2173 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2174 if (devnull)
2175 fput(devnull);
2176 }
2177
2178 /*
2179 * Prepare a process for imminent new credential changes due to exec
2180 */
2181 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2182 {
2183 struct task_security_struct *new_tsec;
2184 struct rlimit *rlim, *initrlim;
2185 int rc, i;
2186
2187 new_tsec = bprm->cred->security;
2188 if (new_tsec->sid == new_tsec->osid)
2189 return;
2190
2191 /* Close files for which the new task SID is not authorized. */
2192 flush_unauthorized_files(bprm->cred, current->files);
2193
2194 /* Always clear parent death signal on SID transitions. */
2195 current->pdeath_signal = 0;
2196
2197 /* Check whether the new SID can inherit resource limits from the old
2198 * SID. If not, reset all soft limits to the lower of the current
2199 * task's hard limit and the init task's soft limit.
2200 *
2201 * Note that the setting of hard limits (even to lower them) can be
2202 * controlled by the setrlimit check. The inclusion of the init task's
2203 * soft limit into the computation is to avoid resetting soft limits
2204 * higher than the default soft limit for cases where the default is
2205 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2206 */
2207 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2208 PROCESS__RLIMITINH, NULL);
2209 if (rc) {
2210 /* protect against do_prlimit() */
2211 task_lock(current);
2212 for (i = 0; i < RLIM_NLIMITS; i++) {
2213 rlim = current->signal->rlim + i;
2214 initrlim = init_task.signal->rlim + i;
2215 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2216 }
2217 task_unlock(current);
2218 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2219 }
2220 }
2221
2222 /*
2223 * Clean up the process immediately after the installation of new credentials
2224 * due to exec
2225 */
2226 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2227 {
2228 const struct task_security_struct *tsec = current_security();
2229 struct itimerval itimer;
2230 u32 osid, sid;
2231 int rc, i;
2232
2233 osid = tsec->osid;
2234 sid = tsec->sid;
2235
2236 if (sid == osid)
2237 return;
2238
2239 /* Check whether the new SID can inherit signal state from the old SID.
2240 * If not, clear itimers to avoid subsequent signal generation and
2241 * flush and unblock signals.
2242 *
2243 * This must occur _after_ the task SID has been updated so that any
2244 * kill done after the flush will be checked against the new SID.
2245 */
2246 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2247 if (rc) {
2248 memset(&itimer, 0, sizeof itimer);
2249 for (i = 0; i < 3; i++)
2250 do_setitimer(i, &itimer, NULL);
2251 spin_lock_irq(&current->sighand->siglock);
2252 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2253 __flush_signals(current);
2254 flush_signal_handlers(current, 1);
2255 sigemptyset(&current->blocked);
2256 }
2257 spin_unlock_irq(&current->sighand->siglock);
2258 }
2259
2260 /* Wake up the parent if it is waiting so that it can recheck
2261 * wait permission to the new task SID. */
2262 read_lock(&tasklist_lock);
2263 __wake_up_parent(current, current->real_parent);
2264 read_unlock(&tasklist_lock);
2265 }
2266
2267 /* superblock security operations */
2268
2269 static int selinux_sb_alloc_security(struct super_block *sb)
2270 {
2271 return superblock_alloc_security(sb);
2272 }
2273
2274 static void selinux_sb_free_security(struct super_block *sb)
2275 {
2276 superblock_free_security(sb);
2277 }
2278
2279 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2280 {
2281 if (plen > olen)
2282 return 0;
2283
2284 return !memcmp(prefix, option, plen);
2285 }
2286
2287 static inline int selinux_option(char *option, int len)
2288 {
2289 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2290 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2291 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2292 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2293 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2294 }
2295
2296 static inline void take_option(char **to, char *from, int *first, int len)
2297 {
2298 if (!*first) {
2299 **to = ',';
2300 *to += 1;
2301 } else
2302 *first = 0;
2303 memcpy(*to, from, len);
2304 *to += len;
2305 }
2306
2307 static inline void take_selinux_option(char **to, char *from, int *first,
2308 int len)
2309 {
2310 int current_size = 0;
2311
2312 if (!*first) {
2313 **to = '|';
2314 *to += 1;
2315 } else
2316 *first = 0;
2317
2318 while (current_size < len) {
2319 if (*from != '"') {
2320 **to = *from;
2321 *to += 1;
2322 }
2323 from += 1;
2324 current_size += 1;
2325 }
2326 }
2327
2328 static int selinux_sb_copy_data(char *orig, char *copy)
2329 {
2330 int fnosec, fsec, rc = 0;
2331 char *in_save, *in_curr, *in_end;
2332 char *sec_curr, *nosec_save, *nosec;
2333 int open_quote = 0;
2334
2335 in_curr = orig;
2336 sec_curr = copy;
2337
2338 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2339 if (!nosec) {
2340 rc = -ENOMEM;
2341 goto out;
2342 }
2343
2344 nosec_save = nosec;
2345 fnosec = fsec = 1;
2346 in_save = in_end = orig;
2347
2348 do {
2349 if (*in_end == '"')
2350 open_quote = !open_quote;
2351 if ((*in_end == ',' && open_quote == 0) ||
2352 *in_end == '\0') {
2353 int len = in_end - in_curr;
2354
2355 if (selinux_option(in_curr, len))
2356 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2357 else
2358 take_option(&nosec, in_curr, &fnosec, len);
2359
2360 in_curr = in_end + 1;
2361 }
2362 } while (*in_end++);
2363
2364 strcpy(in_save, nosec_save);
2365 free_page((unsigned long)nosec_save);
2366 out:
2367 return rc;
2368 }
2369
2370 static int selinux_sb_remount(struct super_block *sb, void *data)
2371 {
2372 int rc, i, *flags;
2373 struct security_mnt_opts opts;
2374 char *secdata, **mount_options;
2375 struct superblock_security_struct *sbsec = sb->s_security;
2376
2377 if (!(sbsec->flags & SE_SBINITIALIZED))
2378 return 0;
2379
2380 if (!data)
2381 return 0;
2382
2383 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2384 return 0;
2385
2386 security_init_mnt_opts(&opts);
2387 secdata = alloc_secdata();
2388 if (!secdata)
2389 return -ENOMEM;
2390 rc = selinux_sb_copy_data(data, secdata);
2391 if (rc)
2392 goto out_free_secdata;
2393
2394 rc = selinux_parse_opts_str(secdata, &opts);
2395 if (rc)
2396 goto out_free_secdata;
2397
2398 mount_options = opts.mnt_opts;
2399 flags = opts.mnt_opts_flags;
2400
2401 for (i = 0; i < opts.num_mnt_opts; i++) {
2402 u32 sid;
2403 size_t len;
2404
2405 if (flags[i] == SE_SBLABELSUPP)
2406 continue;
2407 len = strlen(mount_options[i]);
2408 rc = security_context_to_sid(mount_options[i], len, &sid);
2409 if (rc) {
2410 printk(KERN_WARNING "SELinux: security_context_to_sid"
2411 "(%s) failed for (dev %s, type %s) errno=%d\n",
2412 mount_options[i], sb->s_id, sb->s_type->name, rc);
2413 goto out_free_opts;
2414 }
2415 rc = -EINVAL;
2416 switch (flags[i]) {
2417 case FSCONTEXT_MNT:
2418 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2419 goto out_bad_option;
2420 break;
2421 case CONTEXT_MNT:
2422 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2423 goto out_bad_option;
2424 break;
2425 case ROOTCONTEXT_MNT: {
2426 struct inode_security_struct *root_isec;
2427 root_isec = sb->s_root->d_inode->i_security;
2428
2429 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2430 goto out_bad_option;
2431 break;
2432 }
2433 case DEFCONTEXT_MNT:
2434 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2435 goto out_bad_option;
2436 break;
2437 default:
2438 goto out_free_opts;
2439 }
2440 }
2441
2442 rc = 0;
2443 out_free_opts:
2444 security_free_mnt_opts(&opts);
2445 out_free_secdata:
2446 free_secdata(secdata);
2447 return rc;
2448 out_bad_option:
2449 printk(KERN_WARNING "SELinux: unable to change security options "
2450 "during remount (dev %s, type=%s)\n", sb->s_id,
2451 sb->s_type->name);
2452 goto out_free_opts;
2453 }
2454
2455 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2456 {
2457 const struct cred *cred = current_cred();
2458 struct common_audit_data ad;
2459 int rc;
2460
2461 rc = superblock_doinit(sb, data);
2462 if (rc)
2463 return rc;
2464
2465 /* Allow all mounts performed by the kernel */
2466 if (flags & MS_KERNMOUNT)
2467 return 0;
2468
2469 ad.type = LSM_AUDIT_DATA_DENTRY;
2470 ad.u.dentry = sb->s_root;
2471 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2472 }
2473
2474 static int selinux_sb_statfs(struct dentry *dentry)
2475 {
2476 const struct cred *cred = current_cred();
2477 struct common_audit_data ad;
2478
2479 ad.type = LSM_AUDIT_DATA_DENTRY;
2480 ad.u.dentry = dentry->d_sb->s_root;
2481 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2482 }
2483
2484 static int selinux_mount(const char *dev_name,
2485 struct path *path,
2486 const char *type,
2487 unsigned long flags,
2488 void *data)
2489 {
2490 const struct cred *cred = current_cred();
2491
2492 if (flags & MS_REMOUNT)
2493 return superblock_has_perm(cred, path->dentry->d_sb,
2494 FILESYSTEM__REMOUNT, NULL);
2495 else
2496 return path_has_perm(cred, path, FILE__MOUNTON);
2497 }
2498
2499 static int selinux_umount(struct vfsmount *mnt, int flags)
2500 {
2501 const struct cred *cred = current_cred();
2502
2503 return superblock_has_perm(cred, mnt->mnt_sb,
2504 FILESYSTEM__UNMOUNT, NULL);
2505 }
2506
2507 /* inode security operations */
2508
2509 static int selinux_inode_alloc_security(struct inode *inode)
2510 {
2511 return inode_alloc_security(inode);
2512 }
2513
2514 static void selinux_inode_free_security(struct inode *inode)
2515 {
2516 inode_free_security(inode);
2517 }
2518
2519 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2520 const struct qstr *qstr, char **name,
2521 void **value, size_t *len)
2522 {
2523 const struct task_security_struct *tsec = current_security();
2524 struct inode_security_struct *dsec;
2525 struct superblock_security_struct *sbsec;
2526 u32 sid, newsid, clen;
2527 int rc;
2528 char *namep = NULL, *context;
2529
2530 dsec = dir->i_security;
2531 sbsec = dir->i_sb->s_security;
2532
2533 sid = tsec->sid;
2534 newsid = tsec->create_sid;
2535
2536 if ((sbsec->flags & SE_SBINITIALIZED) &&
2537 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2538 newsid = sbsec->mntpoint_sid;
2539 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2540 rc = security_transition_sid(sid, dsec->sid,
2541 inode_mode_to_security_class(inode->i_mode),
2542 qstr, &newsid);
2543 if (rc) {
2544 printk(KERN_WARNING "%s: "
2545 "security_transition_sid failed, rc=%d (dev=%s "
2546 "ino=%ld)\n",
2547 __func__,
2548 -rc, inode->i_sb->s_id, inode->i_ino);
2549 return rc;
2550 }
2551 }
2552
2553 /* Possibly defer initialization to selinux_complete_init. */
2554 if (sbsec->flags & SE_SBINITIALIZED) {
2555 struct inode_security_struct *isec = inode->i_security;
2556 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2557 isec->sid = newsid;
2558 isec->initialized = 1;
2559 }
2560
2561 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2562 return -EOPNOTSUPP;
2563
2564 if (name) {
2565 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2566 if (!namep)
2567 return -ENOMEM;
2568 *name = namep;
2569 }
2570
2571 if (value && len) {
2572 rc = security_sid_to_context_force(newsid, &context, &clen);
2573 if (rc) {
2574 kfree(namep);
2575 return rc;
2576 }
2577 *value = context;
2578 *len = clen;
2579 }
2580
2581 return 0;
2582 }
2583
2584 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2585 {
2586 return may_create(dir, dentry, SECCLASS_FILE);
2587 }
2588
2589 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2590 {
2591 return may_link(dir, old_dentry, MAY_LINK);
2592 }
2593
2594 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2595 {
2596 return may_link(dir, dentry, MAY_UNLINK);
2597 }
2598
2599 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2600 {
2601 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2602 }
2603
2604 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2605 {
2606 return may_create(dir, dentry, SECCLASS_DIR);
2607 }
2608
2609 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2610 {
2611 return may_link(dir, dentry, MAY_RMDIR);
2612 }
2613
2614 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2615 {
2616 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2617 }
2618
2619 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2620 struct inode *new_inode, struct dentry *new_dentry)
2621 {
2622 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2623 }
2624
2625 static int selinux_inode_readlink(struct dentry *dentry)
2626 {
2627 const struct cred *cred = current_cred();
2628
2629 return dentry_has_perm(cred, dentry, FILE__READ);
2630 }
2631
2632 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2633 {
2634 const struct cred *cred = current_cred();
2635
2636 return dentry_has_perm(cred, dentry, FILE__READ);
2637 }
2638
2639 static noinline int audit_inode_permission(struct inode *inode,
2640 u32 perms, u32 audited, u32 denied,
2641 unsigned flags)
2642 {
2643 struct common_audit_data ad;
2644 struct inode_security_struct *isec = inode->i_security;
2645 int rc;
2646
2647 ad.type = LSM_AUDIT_DATA_INODE;
2648 ad.u.inode = inode;
2649
2650 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2651 audited, denied, &ad, flags);
2652 if (rc)
2653 return rc;
2654 return 0;
2655 }
2656
2657 static int selinux_inode_permission(struct inode *inode, int mask)
2658 {
2659 const struct cred *cred = current_cred();
2660 u32 perms;
2661 bool from_access;
2662 unsigned flags = mask & MAY_NOT_BLOCK;
2663 struct inode_security_struct *isec;
2664 u32 sid;
2665 struct av_decision avd;
2666 int rc, rc2;
2667 u32 audited, denied;
2668
2669 from_access = mask & MAY_ACCESS;
2670 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2671
2672 /* No permission to check. Existence test. */
2673 if (!mask)
2674 return 0;
2675
2676 validate_creds(cred);
2677
2678 if (unlikely(IS_PRIVATE(inode)))
2679 return 0;
2680
2681 perms = file_mask_to_av(inode->i_mode, mask);
2682
2683 sid = cred_sid(cred);
2684 isec = inode->i_security;
2685
2686 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2687 audited = avc_audit_required(perms, &avd, rc,
2688 from_access ? FILE__AUDIT_ACCESS : 0,
2689 &denied);
2690 if (likely(!audited))
2691 return rc;
2692
2693 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2694 if (rc2)
2695 return rc2;
2696 return rc;
2697 }
2698
2699 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2700 {
2701 const struct cred *cred = current_cred();
2702 unsigned int ia_valid = iattr->ia_valid;
2703 __u32 av = FILE__WRITE;
2704
2705 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2706 if (ia_valid & ATTR_FORCE) {
2707 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2708 ATTR_FORCE);
2709 if (!ia_valid)
2710 return 0;
2711 }
2712
2713 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2714 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2715 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2716
2717 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2718 av |= FILE__OPEN;
2719
2720 return dentry_has_perm(cred, dentry, av);
2721 }
2722
2723 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2724 {
2725 const struct cred *cred = current_cred();
2726 struct path path;
2727
2728 path.dentry = dentry;
2729 path.mnt = mnt;
2730
2731 return path_has_perm(cred, &path, FILE__GETATTR);
2732 }
2733
2734 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2735 {
2736 const struct cred *cred = current_cred();
2737
2738 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2739 sizeof XATTR_SECURITY_PREFIX - 1)) {
2740 if (!strcmp(name, XATTR_NAME_CAPS)) {
2741 if (!capable(CAP_SETFCAP))
2742 return -EPERM;
2743 } else if (!capable(CAP_SYS_ADMIN)) {
2744 /* A different attribute in the security namespace.
2745 Restrict to administrator. */
2746 return -EPERM;
2747 }
2748 }
2749
2750 /* Not an attribute we recognize, so just check the
2751 ordinary setattr permission. */
2752 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2753 }
2754
2755 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2756 const void *value, size_t size, int flags)
2757 {
2758 struct inode *inode = dentry->d_inode;
2759 struct inode_security_struct *isec = inode->i_security;
2760 struct superblock_security_struct *sbsec;
2761 struct common_audit_data ad;
2762 u32 newsid, sid = current_sid();
2763 int rc = 0;
2764
2765 if (strcmp(name, XATTR_NAME_SELINUX))
2766 return selinux_inode_setotherxattr(dentry, name);
2767
2768 sbsec = inode->i_sb->s_security;
2769 if (!(sbsec->flags & SE_SBLABELSUPP))
2770 return -EOPNOTSUPP;
2771
2772 if (!inode_owner_or_capable(inode))
2773 return -EPERM;
2774
2775 ad.type = LSM_AUDIT_DATA_DENTRY;
2776 ad.u.dentry = dentry;
2777
2778 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2779 FILE__RELABELFROM, &ad);
2780 if (rc)
2781 return rc;
2782
2783 rc = security_context_to_sid(value, size, &newsid);
2784 if (rc == -EINVAL) {
2785 if (!capable(CAP_MAC_ADMIN)) {
2786 struct audit_buffer *ab;
2787 size_t audit_size;
2788 const char *str;
2789
2790 /* We strip a nul only if it is at the end, otherwise the
2791 * context contains a nul and we should audit that */
2792 if (value) {
2793 str = value;
2794 if (str[size - 1] == '\0')
2795 audit_size = size - 1;
2796 else
2797 audit_size = size;
2798 } else {
2799 str = "";
2800 audit_size = 0;
2801 }
2802 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2803 audit_log_format(ab, "op=setxattr invalid_context=");
2804 audit_log_n_untrustedstring(ab, value, audit_size);
2805 audit_log_end(ab);
2806
2807 return rc;
2808 }
2809 rc = security_context_to_sid_force(value, size, &newsid);
2810 }
2811 if (rc)
2812 return rc;
2813
2814 rc = avc_has_perm(sid, newsid, isec->sclass,
2815 FILE__RELABELTO, &ad);
2816 if (rc)
2817 return rc;
2818
2819 rc = security_validate_transition(isec->sid, newsid, sid,
2820 isec->sclass);
2821 if (rc)
2822 return rc;
2823
2824 return avc_has_perm(newsid,
2825 sbsec->sid,
2826 SECCLASS_FILESYSTEM,
2827 FILESYSTEM__ASSOCIATE,
2828 &ad);
2829 }
2830
2831 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2832 const void *value, size_t size,
2833 int flags)
2834 {
2835 struct inode *inode = dentry->d_inode;
2836 struct inode_security_struct *isec = inode->i_security;
2837 u32 newsid;
2838 int rc;
2839
2840 if (strcmp(name, XATTR_NAME_SELINUX)) {
2841 /* Not an attribute we recognize, so nothing to do. */
2842 return;
2843 }
2844
2845 rc = security_context_to_sid_force(value, size, &newsid);
2846 if (rc) {
2847 printk(KERN_ERR "SELinux: unable to map context to SID"
2848 "for (%s, %lu), rc=%d\n",
2849 inode->i_sb->s_id, inode->i_ino, -rc);
2850 return;
2851 }
2852
2853 isec->sid = newsid;
2854 return;
2855 }
2856
2857 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2858 {
2859 const struct cred *cred = current_cred();
2860
2861 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2862 }
2863
2864 static int selinux_inode_listxattr(struct dentry *dentry)
2865 {
2866 const struct cred *cred = current_cred();
2867
2868 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2869 }
2870
2871 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2872 {
2873 if (strcmp(name, XATTR_NAME_SELINUX))
2874 return selinux_inode_setotherxattr(dentry, name);
2875
2876 /* No one is allowed to remove a SELinux security label.
2877 You can change the label, but all data must be labeled. */
2878 return -EACCES;
2879 }
2880
2881 /*
2882 * Copy the inode security context value to the user.
2883 *
2884 * Permission check is handled by selinux_inode_getxattr hook.
2885 */
2886 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2887 {
2888 u32 size;
2889 int error;
2890 char *context = NULL;
2891 struct inode_security_struct *isec = inode->i_security;
2892
2893 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2894 return -EOPNOTSUPP;
2895
2896 /*
2897 * If the caller has CAP_MAC_ADMIN, then get the raw context
2898 * value even if it is not defined by current policy; otherwise,
2899 * use the in-core value under current policy.
2900 * Use the non-auditing forms of the permission checks since
2901 * getxattr may be called by unprivileged processes commonly
2902 * and lack of permission just means that we fall back to the
2903 * in-core context value, not a denial.
2904 */
2905 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2906 SECURITY_CAP_NOAUDIT);
2907 if (!error)
2908 error = security_sid_to_context_force(isec->sid, &context,
2909 &size);
2910 else
2911 error = security_sid_to_context(isec->sid, &context, &size);
2912 if (error)
2913 return error;
2914 error = size;
2915 if (alloc) {
2916 *buffer = context;
2917 goto out_nofree;
2918 }
2919 kfree(context);
2920 out_nofree:
2921 return error;
2922 }
2923
2924 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2925 const void *value, size_t size, int flags)
2926 {
2927 struct inode_security_struct *isec = inode->i_security;
2928 u32 newsid;
2929 int rc;
2930
2931 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2932 return -EOPNOTSUPP;
2933
2934 if (!value || !size)
2935 return -EACCES;
2936
2937 rc = security_context_to_sid((void *)value, size, &newsid);
2938 if (rc)
2939 return rc;
2940
2941 isec->sid = newsid;
2942 isec->initialized = 1;
2943 return 0;
2944 }
2945
2946 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2947 {
2948 const int len = sizeof(XATTR_NAME_SELINUX);
2949 if (buffer && len <= buffer_size)
2950 memcpy(buffer, XATTR_NAME_SELINUX, len);
2951 return len;
2952 }
2953
2954 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2955 {
2956 struct inode_security_struct *isec = inode->i_security;
2957 *secid = isec->sid;
2958 }
2959
2960 /* file security operations */
2961
2962 static int selinux_revalidate_file_permission(struct file *file, int mask)
2963 {
2964 const struct cred *cred = current_cred();
2965 struct inode *inode = file_inode(file);
2966
2967 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2968 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2969 mask |= MAY_APPEND;
2970
2971 return file_has_perm(cred, file,
2972 file_mask_to_av(inode->i_mode, mask));
2973 }
2974
2975 static int selinux_file_permission(struct file *file, int mask)
2976 {
2977 struct inode *inode = file_inode(file);
2978 struct file_security_struct *fsec = file->f_security;
2979 struct inode_security_struct *isec = inode->i_security;
2980 u32 sid = current_sid();
2981
2982 if (!mask)
2983 /* No permission to check. Existence test. */
2984 return 0;
2985
2986 if (sid == fsec->sid && fsec->isid == isec->sid &&
2987 fsec->pseqno == avc_policy_seqno())
2988 /* No change since file_open check. */
2989 return 0;
2990
2991 return selinux_revalidate_file_permission(file, mask);
2992 }
2993
2994 static int selinux_file_alloc_security(struct file *file)
2995 {
2996 return file_alloc_security(file);
2997 }
2998
2999 static void selinux_file_free_security(struct file *file)
3000 {
3001 file_free_security(file);
3002 }
3003
3004 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3005 unsigned long arg)
3006 {
3007 const struct cred *cred = current_cred();
3008 int error = 0;
3009
3010 switch (cmd) {
3011 case FIONREAD:
3012 /* fall through */
3013 case FIBMAP:
3014 /* fall through */
3015 case FIGETBSZ:
3016 /* fall through */
3017 case FS_IOC_GETFLAGS:
3018 /* fall through */
3019 case FS_IOC_GETVERSION:
3020 error = file_has_perm(cred, file, FILE__GETATTR);
3021 break;
3022
3023 case FS_IOC_SETFLAGS:
3024 /* fall through */
3025 case FS_IOC_SETVERSION:
3026 error = file_has_perm(cred, file, FILE__SETATTR);
3027 break;
3028
3029 /* sys_ioctl() checks */
3030 case FIONBIO:
3031 /* fall through */
3032 case FIOASYNC:
3033 error = file_has_perm(cred, file, 0);
3034 break;
3035
3036 case KDSKBENT:
3037 case KDSKBSENT:
3038 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3039 SECURITY_CAP_AUDIT);
3040 break;
3041
3042 /* default case assumes that the command will go
3043 * to the file's ioctl() function.
3044 */
3045 default:
3046 error = file_has_perm(cred, file, FILE__IOCTL);
3047 }
3048 return error;
3049 }
3050
3051 static int default_noexec;
3052
3053 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3054 {
3055 const struct cred *cred = current_cred();
3056 int rc = 0;
3057
3058 if (default_noexec &&
3059 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3060 /*
3061 * We are making executable an anonymous mapping or a
3062 * private file mapping that will also be writable.
3063 * This has an additional check.
3064 */
3065 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3066 if (rc)
3067 goto error;
3068 }
3069
3070 if (file) {
3071 /* read access is always possible with a mapping */
3072 u32 av = FILE__READ;
3073
3074 /* write access only matters if the mapping is shared */
3075 if (shared && (prot & PROT_WRITE))
3076 av |= FILE__WRITE;
3077
3078 if (prot & PROT_EXEC)
3079 av |= FILE__EXECUTE;
3080
3081 return file_has_perm(cred, file, av);
3082 }
3083
3084 error:
3085 return rc;
3086 }
3087
3088 static int selinux_mmap_addr(unsigned long addr)
3089 {
3090 int rc = 0;
3091 u32 sid = current_sid();
3092
3093 /*
3094 * notice that we are intentionally putting the SELinux check before
3095 * the secondary cap_file_mmap check. This is such a likely attempt
3096 * at bad behaviour/exploit that we always want to get the AVC, even
3097 * if DAC would have also denied the operation.
3098 */
3099 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3100 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3101 MEMPROTECT__MMAP_ZERO, NULL);
3102 if (rc)
3103 return rc;
3104 }
3105
3106 /* do DAC check on address space usage */
3107 return cap_mmap_addr(addr);
3108 }
3109
3110 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3111 unsigned long prot, unsigned long flags)
3112 {
3113 if (selinux_checkreqprot)
3114 prot = reqprot;
3115
3116 return file_map_prot_check(file, prot,
3117 (flags & MAP_TYPE) == MAP_SHARED);
3118 }
3119
3120 static int selinux_file_mprotect(struct vm_area_struct *vma,
3121 unsigned long reqprot,
3122 unsigned long prot)
3123 {
3124 const struct cred *cred = current_cred();
3125
3126 if (selinux_checkreqprot)
3127 prot = reqprot;
3128
3129 if (default_noexec &&
3130 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3131 int rc = 0;
3132 if (vma->vm_start >= vma->vm_mm->start_brk &&
3133 vma->vm_end <= vma->vm_mm->brk) {
3134 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3135 } else if (!vma->vm_file &&
3136 vma->vm_start <= vma->vm_mm->start_stack &&
3137 vma->vm_end >= vma->vm_mm->start_stack) {
3138 rc = current_has_perm(current, PROCESS__EXECSTACK);
3139 } else if (vma->vm_file && vma->anon_vma) {
3140 /*
3141 * We are making executable a file mapping that has
3142 * had some COW done. Since pages might have been
3143 * written, check ability to execute the possibly
3144 * modified content. This typically should only
3145 * occur for text relocations.
3146 */
3147 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3148 }
3149 if (rc)
3150 return rc;
3151 }
3152
3153 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3154 }
3155
3156 static int selinux_file_lock(struct file *file, unsigned int cmd)
3157 {
3158 const struct cred *cred = current_cred();
3159
3160 return file_has_perm(cred, file, FILE__LOCK);
3161 }
3162
3163 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3164 unsigned long arg)
3165 {
3166 const struct cred *cred = current_cred();
3167 int err = 0;
3168
3169 switch (cmd) {
3170 case F_SETFL:
3171 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3172 err = file_has_perm(cred, file, FILE__WRITE);
3173 break;
3174 }
3175 /* fall through */
3176 case F_SETOWN:
3177 case F_SETSIG:
3178 case F_GETFL:
3179 case F_GETOWN:
3180 case F_GETSIG:
3181 case F_GETOWNER_UIDS:
3182 /* Just check FD__USE permission */
3183 err = file_has_perm(cred, file, 0);
3184 break;
3185 case F_GETLK:
3186 case F_SETLK:
3187 case F_SETLKW:
3188 #if BITS_PER_LONG == 32
3189 case F_GETLK64:
3190 case F_SETLK64:
3191 case F_SETLKW64:
3192 #endif
3193 err = file_has_perm(cred, file, FILE__LOCK);
3194 break;
3195 }
3196
3197 return err;
3198 }
3199
3200 static int selinux_file_set_fowner(struct file *file)
3201 {
3202 struct file_security_struct *fsec;
3203
3204 fsec = file->f_security;
3205 fsec->fown_sid = current_sid();
3206
3207 return 0;
3208 }
3209
3210 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3211 struct fown_struct *fown, int signum)
3212 {
3213 struct file *file;
3214 u32 sid = task_sid(tsk);
3215 u32 perm;
3216 struct file_security_struct *fsec;
3217
3218 /* struct fown_struct is never outside the context of a struct file */
3219 file = container_of(fown, struct file, f_owner);
3220
3221 fsec = file->f_security;
3222
3223 if (!signum)
3224 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3225 else
3226 perm = signal_to_av(signum);
3227
3228 return avc_has_perm(fsec->fown_sid, sid,
3229 SECCLASS_PROCESS, perm, NULL);
3230 }
3231
3232 static int selinux_file_receive(struct file *file)
3233 {
3234 const struct cred *cred = current_cred();
3235
3236 return file_has_perm(cred, file, file_to_av(file));
3237 }
3238
3239 static int selinux_file_open(struct file *file, const struct cred *cred)
3240 {
3241 struct file_security_struct *fsec;
3242 struct inode_security_struct *isec;
3243
3244 fsec = file->f_security;
3245 isec = file_inode(file)->i_security;
3246 /*
3247 * Save inode label and policy sequence number
3248 * at open-time so that selinux_file_permission
3249 * can determine whether revalidation is necessary.
3250 * Task label is already saved in the file security
3251 * struct as its SID.
3252 */
3253 fsec->isid = isec->sid;
3254 fsec->pseqno = avc_policy_seqno();
3255 /*
3256 * Since the inode label or policy seqno may have changed
3257 * between the selinux_inode_permission check and the saving
3258 * of state above, recheck that access is still permitted.
3259 * Otherwise, access might never be revalidated against the
3260 * new inode label or new policy.
3261 * This check is not redundant - do not remove.
3262 */
3263 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3264 }
3265
3266 /* task security operations */
3267
3268 static int selinux_task_create(unsigned long clone_flags)
3269 {
3270 return current_has_perm(current, PROCESS__FORK);
3271 }
3272
3273 /*
3274 * allocate the SELinux part of blank credentials
3275 */
3276 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3277 {
3278 struct task_security_struct *tsec;
3279
3280 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3281 if (!tsec)
3282 return -ENOMEM;
3283
3284 cred->security = tsec;
3285 return 0;
3286 }
3287
3288 /*
3289 * detach and free the LSM part of a set of credentials
3290 */
3291 static void selinux_cred_free(struct cred *cred)
3292 {
3293 struct task_security_struct *tsec = cred->security;
3294
3295 /*
3296 * cred->security == NULL if security_cred_alloc_blank() or
3297 * security_prepare_creds() returned an error.
3298 */
3299 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3300 cred->security = (void *) 0x7UL;
3301 kfree(tsec);
3302 }
3303
3304 /*
3305 * prepare a new set of credentials for modification
3306 */
3307 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3308 gfp_t gfp)
3309 {
3310 const struct task_security_struct *old_tsec;
3311 struct task_security_struct *tsec;
3312
3313 old_tsec = old->security;
3314
3315 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3316 if (!tsec)
3317 return -ENOMEM;
3318
3319 new->security = tsec;
3320 return 0;
3321 }
3322
3323 /*
3324 * transfer the SELinux data to a blank set of creds
3325 */
3326 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3327 {
3328 const struct task_security_struct *old_tsec = old->security;
3329 struct task_security_struct *tsec = new->security;
3330
3331 *tsec = *old_tsec;
3332 }
3333
3334 /*
3335 * set the security data for a kernel service
3336 * - all the creation contexts are set to unlabelled
3337 */
3338 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3339 {
3340 struct task_security_struct *tsec = new->security;
3341 u32 sid = current_sid();
3342 int ret;
3343
3344 ret = avc_has_perm(sid, secid,
3345 SECCLASS_KERNEL_SERVICE,
3346 KERNEL_SERVICE__USE_AS_OVERRIDE,
3347 NULL);
3348 if (ret == 0) {
3349 tsec->sid = secid;
3350 tsec->create_sid = 0;
3351 tsec->keycreate_sid = 0;
3352 tsec->sockcreate_sid = 0;
3353 }
3354 return ret;
3355 }
3356
3357 /*
3358 * set the file creation context in a security record to the same as the
3359 * objective context of the specified inode
3360 */
3361 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3362 {
3363 struct inode_security_struct *isec = inode->i_security;
3364 struct task_security_struct *tsec = new->security;
3365 u32 sid = current_sid();
3366 int ret;
3367
3368 ret = avc_has_perm(sid, isec->sid,
3369 SECCLASS_KERNEL_SERVICE,
3370 KERNEL_SERVICE__CREATE_FILES_AS,
3371 NULL);
3372
3373 if (ret == 0)
3374 tsec->create_sid = isec->sid;
3375 return ret;
3376 }
3377
3378 static int selinux_kernel_module_request(char *kmod_name)
3379 {
3380 u32 sid;
3381 struct common_audit_data ad;
3382
3383 sid = task_sid(current);
3384
3385 ad.type = LSM_AUDIT_DATA_KMOD;
3386 ad.u.kmod_name = kmod_name;
3387
3388 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3389 SYSTEM__MODULE_REQUEST, &ad);
3390 }
3391
3392 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3393 {
3394 return current_has_perm(p, PROCESS__SETPGID);
3395 }
3396
3397 static int selinux_task_getpgid(struct task_struct *p)
3398 {
3399 return current_has_perm(p, PROCESS__GETPGID);
3400 }
3401
3402 static int selinux_task_getsid(struct task_struct *p)
3403 {
3404 return current_has_perm(p, PROCESS__GETSESSION);
3405 }
3406
3407 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3408 {
3409 *secid = task_sid(p);
3410 }
3411
3412 static int selinux_task_setnice(struct task_struct *p, int nice)
3413 {
3414 int rc;
3415
3416 rc = cap_task_setnice(p, nice);
3417 if (rc)
3418 return rc;
3419
3420 return current_has_perm(p, PROCESS__SETSCHED);
3421 }
3422
3423 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3424 {
3425 int rc;
3426
3427 rc = cap_task_setioprio(p, ioprio);
3428 if (rc)
3429 return rc;
3430
3431 return current_has_perm(p, PROCESS__SETSCHED);
3432 }
3433
3434 static int selinux_task_getioprio(struct task_struct *p)
3435 {
3436 return current_has_perm(p, PROCESS__GETSCHED);
3437 }
3438
3439 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3440 struct rlimit *new_rlim)
3441 {
3442 struct rlimit *old_rlim = p->signal->rlim + resource;
3443
3444 /* Control the ability to change the hard limit (whether
3445 lowering or raising it), so that the hard limit can
3446 later be used as a safe reset point for the soft limit
3447 upon context transitions. See selinux_bprm_committing_creds. */
3448 if (old_rlim->rlim_max != new_rlim->rlim_max)
3449 return current_has_perm(p, PROCESS__SETRLIMIT);
3450
3451 return 0;
3452 }
3453
3454 static int selinux_task_setscheduler(struct task_struct *p)
3455 {
3456 int rc;
3457
3458 rc = cap_task_setscheduler(p);
3459 if (rc)
3460 return rc;
3461
3462 return current_has_perm(p, PROCESS__SETSCHED);
3463 }
3464
3465 static int selinux_task_getscheduler(struct task_struct *p)
3466 {
3467 return current_has_perm(p, PROCESS__GETSCHED);
3468 }
3469
3470 static int selinux_task_movememory(struct task_struct *p)
3471 {
3472 return current_has_perm(p, PROCESS__SETSCHED);
3473 }
3474
3475 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3476 int sig, u32 secid)
3477 {
3478 u32 perm;
3479 int rc;
3480
3481 if (!sig)
3482 perm = PROCESS__SIGNULL; /* null signal; existence test */
3483 else
3484 perm = signal_to_av(sig);
3485 if (secid)
3486 rc = avc_has_perm(secid, task_sid(p),
3487 SECCLASS_PROCESS, perm, NULL);
3488 else
3489 rc = current_has_perm(p, perm);
3490 return rc;
3491 }
3492
3493 static int selinux_task_wait(struct task_struct *p)
3494 {
3495 return task_has_perm(p, current, PROCESS__SIGCHLD);
3496 }
3497
3498 static void selinux_task_to_inode(struct task_struct *p,
3499 struct inode *inode)
3500 {
3501 struct inode_security_struct *isec = inode->i_security;
3502 u32 sid = task_sid(p);
3503
3504 isec->sid = sid;
3505 isec->initialized = 1;
3506 }
3507
3508 /* Returns error only if unable to parse addresses */
3509 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3510 struct common_audit_data *ad, u8 *proto)
3511 {
3512 int offset, ihlen, ret = -EINVAL;
3513 struct iphdr _iph, *ih;
3514
3515 offset = skb_network_offset(skb);
3516 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3517 if (ih == NULL)
3518 goto out;
3519
3520 ihlen = ih->ihl * 4;
3521 if (ihlen < sizeof(_iph))
3522 goto out;
3523
3524 ad->u.net->v4info.saddr = ih->saddr;
3525 ad->u.net->v4info.daddr = ih->daddr;
3526 ret = 0;
3527
3528 if (proto)
3529 *proto = ih->protocol;
3530
3531 switch (ih->protocol) {
3532 case IPPROTO_TCP: {
3533 struct tcphdr _tcph, *th;
3534
3535 if (ntohs(ih->frag_off) & IP_OFFSET)
3536 break;
3537
3538 offset += ihlen;
3539 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3540 if (th == NULL)
3541 break;
3542
3543 ad->u.net->sport = th->source;
3544 ad->u.net->dport = th->dest;
3545 break;
3546 }
3547
3548 case IPPROTO_UDP: {
3549 struct udphdr _udph, *uh;
3550
3551 if (ntohs(ih->frag_off) & IP_OFFSET)
3552 break;
3553
3554 offset += ihlen;
3555 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3556 if (uh == NULL)
3557 break;
3558
3559 ad->u.net->sport = uh->source;
3560 ad->u.net->dport = uh->dest;
3561 break;
3562 }
3563
3564 case IPPROTO_DCCP: {
3565 struct dccp_hdr _dccph, *dh;
3566
3567 if (ntohs(ih->frag_off) & IP_OFFSET)
3568 break;
3569
3570 offset += ihlen;
3571 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3572 if (dh == NULL)
3573 break;
3574
3575 ad->u.net->sport = dh->dccph_sport;
3576 ad->u.net->dport = dh->dccph_dport;
3577 break;
3578 }
3579
3580 default:
3581 break;
3582 }
3583 out:
3584 return ret;
3585 }
3586
3587 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3588
3589 /* Returns error only if unable to parse addresses */
3590 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3591 struct common_audit_data *ad, u8 *proto)
3592 {
3593 u8 nexthdr;
3594 int ret = -EINVAL, offset;
3595 struct ipv6hdr _ipv6h, *ip6;
3596 __be16 frag_off;
3597
3598 offset = skb_network_offset(skb);
3599 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3600 if (ip6 == NULL)
3601 goto out;
3602
3603 ad->u.net->v6info.saddr = ip6->saddr;
3604 ad->u.net->v6info.daddr = ip6->daddr;
3605 ret = 0;
3606
3607 nexthdr = ip6->nexthdr;
3608 offset += sizeof(_ipv6h);
3609 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3610 if (offset < 0)
3611 goto out;
3612
3613 if (proto)
3614 *proto = nexthdr;
3615
3616 switch (nexthdr) {
3617 case IPPROTO_TCP: {
3618 struct tcphdr _tcph, *th;
3619
3620 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3621 if (th == NULL)
3622 break;
3623
3624 ad->u.net->sport = th->source;
3625 ad->u.net->dport = th->dest;
3626 break;
3627 }
3628
3629 case IPPROTO_UDP: {
3630 struct udphdr _udph, *uh;
3631
3632 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3633 if (uh == NULL)
3634 break;
3635
3636 ad->u.net->sport = uh->source;
3637 ad->u.net->dport = uh->dest;
3638 break;
3639 }
3640
3641 case IPPROTO_DCCP: {
3642 struct dccp_hdr _dccph, *dh;
3643
3644 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3645 if (dh == NULL)
3646 break;
3647
3648 ad->u.net->sport = dh->dccph_sport;
3649 ad->u.net->dport = dh->dccph_dport;
3650 break;
3651 }
3652
3653 /* includes fragments */
3654 default:
3655 break;
3656 }
3657 out:
3658 return ret;
3659 }
3660
3661 #endif /* IPV6 */
3662
3663 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3664 char **_addrp, int src, u8 *proto)
3665 {
3666 char *addrp;
3667 int ret;
3668
3669 switch (ad->u.net->family) {
3670 case PF_INET:
3671 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3672 if (ret)
3673 goto parse_error;
3674 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3675 &ad->u.net->v4info.daddr);
3676 goto okay;
3677
3678 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3679 case PF_INET6:
3680 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3681 if (ret)
3682 goto parse_error;
3683 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3684 &ad->u.net->v6info.daddr);
3685 goto okay;
3686 #endif /* IPV6 */
3687 default:
3688 addrp = NULL;
3689 goto okay;
3690 }
3691
3692 parse_error:
3693 printk(KERN_WARNING
3694 "SELinux: failure in selinux_parse_skb(),"
3695 " unable to parse packet\n");
3696 return ret;
3697
3698 okay:
3699 if (_addrp)
3700 *_addrp = addrp;
3701 return 0;
3702 }
3703
3704 /**
3705 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3706 * @skb: the packet
3707 * @family: protocol family
3708 * @sid: the packet's peer label SID
3709 *
3710 * Description:
3711 * Check the various different forms of network peer labeling and determine
3712 * the peer label/SID for the packet; most of the magic actually occurs in
3713 * the security server function security_net_peersid_cmp(). The function
3714 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3715 * or -EACCES if @sid is invalid due to inconsistencies with the different
3716 * peer labels.
3717 *
3718 */
3719 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3720 {
3721 int err;
3722 u32 xfrm_sid;
3723 u32 nlbl_sid;
3724 u32 nlbl_type;
3725
3726 selinux_xfrm_skb_sid(skb, &xfrm_sid);
3727 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3728
3729 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3730 if (unlikely(err)) {
3731 printk(KERN_WARNING
3732 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3733 " unable to determine packet's peer label\n");
3734 return -EACCES;
3735 }
3736
3737 return 0;
3738 }
3739
3740 /**
3741 * selinux_conn_sid - Determine the child socket label for a connection
3742 * @sk_sid: the parent socket's SID
3743 * @skb_sid: the packet's SID
3744 * @conn_sid: the resulting connection SID
3745 *
3746 * If @skb_sid is valid then the user:role:type information from @sk_sid is
3747 * combined with the MLS information from @skb_sid in order to create
3748 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
3749 * of @sk_sid. Returns zero on success, negative values on failure.
3750 *
3751 */
3752 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3753 {
3754 int err = 0;
3755
3756 if (skb_sid != SECSID_NULL)
3757 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3758 else
3759 *conn_sid = sk_sid;
3760
3761 return err;
3762 }
3763
3764 /* socket security operations */
3765
3766 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3767 u16 secclass, u32 *socksid)
3768 {
3769 if (tsec->sockcreate_sid > SECSID_NULL) {
3770 *socksid = tsec->sockcreate_sid;
3771 return 0;
3772 }
3773
3774 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3775 socksid);
3776 }
3777
3778 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3779 {
3780 struct sk_security_struct *sksec = sk->sk_security;
3781 struct common_audit_data ad;
3782 struct lsm_network_audit net = {0,};
3783 u32 tsid = task_sid(task);
3784
3785 if (sksec->sid == SECINITSID_KERNEL)
3786 return 0;
3787
3788 ad.type = LSM_AUDIT_DATA_NET;
3789 ad.u.net = &net;
3790 ad.u.net->sk = sk;
3791
3792 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3793 }
3794
3795 static int selinux_socket_create(int family, int type,
3796 int protocol, int kern)
3797 {
3798 const struct task_security_struct *tsec = current_security();
3799 u32 newsid;
3800 u16 secclass;
3801 int rc;
3802
3803 if (kern)
3804 return 0;
3805
3806 secclass = socket_type_to_security_class(family, type, protocol);
3807 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3808 if (rc)
3809 return rc;
3810
3811 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3812 }
3813
3814 static int selinux_socket_post_create(struct socket *sock, int family,
3815 int type, int protocol, int kern)
3816 {
3817 const struct task_security_struct *tsec = current_security();
3818 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3819 struct sk_security_struct *sksec;
3820 int err = 0;
3821
3822 isec->sclass = socket_type_to_security_class(family, type, protocol);
3823
3824 if (kern)
3825 isec->sid = SECINITSID_KERNEL;
3826 else {
3827 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3828 if (err)
3829 return err;
3830 }
3831
3832 isec->initialized = 1;
3833
3834 if (sock->sk) {
3835 sksec = sock->sk->sk_security;
3836 sksec->sid = isec->sid;
3837 sksec->sclass = isec->sclass;
3838 err = selinux_netlbl_socket_post_create(sock->sk, family);
3839 }
3840
3841 return err;
3842 }
3843
3844 /* Range of port numbers used to automatically bind.
3845 Need to determine whether we should perform a name_bind
3846 permission check between the socket and the port number. */
3847
3848 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3849 {
3850 struct sock *sk = sock->sk;
3851 u16 family;
3852 int err;
3853
3854 err = sock_has_perm(current, sk, SOCKET__BIND);
3855 if (err)
3856 goto out;
3857
3858 /*
3859 * If PF_INET or PF_INET6, check name_bind permission for the port.
3860 * Multiple address binding for SCTP is not supported yet: we just
3861 * check the first address now.
3862 */
3863 family = sk->sk_family;
3864 if (family == PF_INET || family == PF_INET6) {
3865 char *addrp;
3866 struct sk_security_struct *sksec = sk->sk_security;
3867 struct common_audit_data ad;
3868 struct lsm_network_audit net = {0,};
3869 struct sockaddr_in *addr4 = NULL;
3870 struct sockaddr_in6 *addr6 = NULL;
3871 unsigned short snum;
3872 u32 sid, node_perm;
3873
3874 if (family == PF_INET) {
3875 addr4 = (struct sockaddr_in *)address;
3876 snum = ntohs(addr4->sin_port);
3877 addrp = (char *)&addr4->sin_addr.s_addr;
3878 } else {
3879 addr6 = (struct sockaddr_in6 *)address;
3880 snum = ntohs(addr6->sin6_port);
3881 addrp = (char *)&addr6->sin6_addr.s6_addr;
3882 }
3883
3884 if (snum) {
3885 int low, high;
3886
3887 inet_get_local_port_range(&low, &high);
3888
3889 if (snum < max(PROT_SOCK, low) || snum > high) {
3890 err = sel_netport_sid(sk->sk_protocol,
3891 snum, &sid);
3892 if (err)
3893 goto out;
3894 ad.type = LSM_AUDIT_DATA_NET;
3895 ad.u.net = &net;
3896 ad.u.net->sport = htons(snum);
3897 ad.u.net->family = family;
3898 err = avc_has_perm(sksec->sid, sid,
3899 sksec->sclass,
3900 SOCKET__NAME_BIND, &ad);
3901 if (err)
3902 goto out;
3903 }
3904 }
3905
3906 switch (sksec->sclass) {
3907 case SECCLASS_TCP_SOCKET:
3908 node_perm = TCP_SOCKET__NODE_BIND;
3909 break;
3910
3911 case SECCLASS_UDP_SOCKET:
3912 node_perm = UDP_SOCKET__NODE_BIND;
3913 break;
3914
3915 case SECCLASS_DCCP_SOCKET:
3916 node_perm = DCCP_SOCKET__NODE_BIND;
3917 break;
3918
3919 default:
3920 node_perm = RAWIP_SOCKET__NODE_BIND;
3921 break;
3922 }
3923
3924 err = sel_netnode_sid(addrp, family, &sid);
3925 if (err)
3926 goto out;
3927
3928 ad.type = LSM_AUDIT_DATA_NET;
3929 ad.u.net = &net;
3930 ad.u.net->sport = htons(snum);
3931 ad.u.net->family = family;
3932
3933 if (family == PF_INET)
3934 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3935 else
3936 ad.u.net->v6info.saddr = addr6->sin6_addr;
3937
3938 err = avc_has_perm(sksec->sid, sid,
3939 sksec->sclass, node_perm, &ad);
3940 if (err)
3941 goto out;
3942 }
3943 out:
3944 return err;
3945 }
3946
3947 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3948 {
3949 struct sock *sk = sock->sk;
3950 struct sk_security_struct *sksec = sk->sk_security;
3951 int err;
3952
3953 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3954 if (err)
3955 return err;
3956
3957 /*
3958 * If a TCP or DCCP socket, check name_connect permission for the port.
3959 */
3960 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3961 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3962 struct common_audit_data ad;
3963 struct lsm_network_audit net = {0,};
3964 struct sockaddr_in *addr4 = NULL;
3965 struct sockaddr_in6 *addr6 = NULL;
3966 unsigned short snum;
3967 u32 sid, perm;
3968
3969 if (sk->sk_family == PF_INET) {
3970 addr4 = (struct sockaddr_in *)address;
3971 if (addrlen < sizeof(struct sockaddr_in))
3972 return -EINVAL;
3973 snum = ntohs(addr4->sin_port);
3974 } else {
3975 addr6 = (struct sockaddr_in6 *)address;
3976 if (addrlen < SIN6_LEN_RFC2133)
3977 return -EINVAL;
3978 snum = ntohs(addr6->sin6_port);
3979 }
3980
3981 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3982 if (err)
3983 goto out;
3984
3985 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3986 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3987
3988 ad.type = LSM_AUDIT_DATA_NET;
3989 ad.u.net = &net;
3990 ad.u.net->dport = htons(snum);
3991 ad.u.net->family = sk->sk_family;
3992 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3993 if (err)
3994 goto out;
3995 }
3996
3997 err = selinux_netlbl_socket_connect(sk, address);
3998
3999 out:
4000 return err;
4001 }
4002
4003 static int selinux_socket_listen(struct socket *sock, int backlog)
4004 {
4005 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4006 }
4007
4008 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4009 {
4010 int err;
4011 struct inode_security_struct *isec;
4012 struct inode_security_struct *newisec;
4013
4014 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4015 if (err)
4016 return err;
4017
4018 newisec = SOCK_INODE(newsock)->i_security;
4019
4020 isec = SOCK_INODE(sock)->i_security;
4021 newisec->sclass = isec->sclass;
4022 newisec->sid = isec->sid;
4023 newisec->initialized = 1;
4024
4025 return 0;
4026 }
4027
4028 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4029 int size)
4030 {
4031 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4032 }
4033
4034 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4035 int size, int flags)
4036 {
4037 return sock_has_perm(current, sock->sk, SOCKET__READ);
4038 }
4039
4040 static int selinux_socket_getsockname(struct socket *sock)
4041 {
4042 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4043 }
4044
4045 static int selinux_socket_getpeername(struct socket *sock)
4046 {
4047 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4048 }
4049
4050 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4051 {
4052 int err;
4053
4054 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4055 if (err)
4056 return err;
4057
4058 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4059 }
4060
4061 static int selinux_socket_getsockopt(struct socket *sock, int level,
4062 int optname)
4063 {
4064 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4065 }
4066
4067 static int selinux_socket_shutdown(struct socket *sock, int how)
4068 {
4069 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4070 }
4071
4072 static int selinux_socket_unix_stream_connect(struct sock *sock,
4073 struct sock *other,
4074 struct sock *newsk)
4075 {
4076 struct sk_security_struct *sksec_sock = sock->sk_security;
4077 struct sk_security_struct *sksec_other = other->sk_security;
4078 struct sk_security_struct *sksec_new = newsk->sk_security;
4079 struct common_audit_data ad;
4080 struct lsm_network_audit net = {0,};
4081 int err;
4082
4083 ad.type = LSM_AUDIT_DATA_NET;
4084 ad.u.net = &net;
4085 ad.u.net->sk = other;
4086
4087 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4088 sksec_other->sclass,
4089 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4090 if (err)
4091 return err;
4092
4093 /* server child socket */
4094 sksec_new->peer_sid = sksec_sock->sid;
4095 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4096 &sksec_new->sid);
4097 if (err)
4098 return err;
4099
4100 /* connecting socket */
4101 sksec_sock->peer_sid = sksec_new->sid;
4102
4103 return 0;
4104 }
4105
4106 static int selinux_socket_unix_may_send(struct socket *sock,
4107 struct socket *other)
4108 {
4109 struct sk_security_struct *ssec = sock->sk->sk_security;
4110 struct sk_security_struct *osec = other->sk->sk_security;
4111 struct common_audit_data ad;
4112 struct lsm_network_audit net = {0,};
4113
4114 ad.type = LSM_AUDIT_DATA_NET;
4115 ad.u.net = &net;
4116 ad.u.net->sk = other->sk;
4117
4118 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4119 &ad);
4120 }
4121
4122 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4123 u32 peer_sid,
4124 struct common_audit_data *ad)
4125 {
4126 int err;
4127 u32 if_sid;
4128 u32 node_sid;
4129
4130 err = sel_netif_sid(ifindex, &if_sid);
4131 if (err)
4132 return err;
4133 err = avc_has_perm(peer_sid, if_sid,
4134 SECCLASS_NETIF, NETIF__INGRESS, ad);
4135 if (err)
4136 return err;
4137
4138 err = sel_netnode_sid(addrp, family, &node_sid);
4139 if (err)
4140 return err;
4141 return avc_has_perm(peer_sid, node_sid,
4142 SECCLASS_NODE, NODE__RECVFROM, ad);
4143 }
4144
4145 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4146 u16 family)
4147 {
4148 int err = 0;
4149 struct sk_security_struct *sksec = sk->sk_security;
4150 u32 sk_sid = sksec->sid;
4151 struct common_audit_data ad;
4152 struct lsm_network_audit net = {0,};
4153 char *addrp;
4154
4155 ad.type = LSM_AUDIT_DATA_NET;
4156 ad.u.net = &net;
4157 ad.u.net->netif = skb->skb_iif;
4158 ad.u.net->family = family;
4159 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4160 if (err)
4161 return err;
4162
4163 if (selinux_secmark_enabled()) {
4164 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4165 PACKET__RECV, &ad);
4166 if (err)
4167 return err;
4168 }
4169
4170 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4171 if (err)
4172 return err;
4173 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4174
4175 return err;
4176 }
4177
4178 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4179 {
4180 int err;
4181 struct sk_security_struct *sksec = sk->sk_security;
4182 u16 family = sk->sk_family;
4183 u32 sk_sid = sksec->sid;
4184 struct common_audit_data ad;
4185 struct lsm_network_audit net = {0,};
4186 char *addrp;
4187 u8 secmark_active;
4188 u8 peerlbl_active;
4189
4190 if (family != PF_INET && family != PF_INET6)
4191 return 0;
4192
4193 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4194 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4195 family = PF_INET;
4196
4197 /* If any sort of compatibility mode is enabled then handoff processing
4198 * to the selinux_sock_rcv_skb_compat() function to deal with the
4199 * special handling. We do this in an attempt to keep this function
4200 * as fast and as clean as possible. */
4201 if (!selinux_policycap_netpeer)
4202 return selinux_sock_rcv_skb_compat(sk, skb, family);
4203
4204 secmark_active = selinux_secmark_enabled();
4205 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4206 if (!secmark_active && !peerlbl_active)
4207 return 0;
4208
4209 ad.type = LSM_AUDIT_DATA_NET;
4210 ad.u.net = &net;
4211 ad.u.net->netif = skb->skb_iif;
4212 ad.u.net->family = family;
4213 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4214 if (err)
4215 return err;
4216
4217 if (peerlbl_active) {
4218 u32 peer_sid;
4219
4220 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4221 if (err)
4222 return err;
4223 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4224 peer_sid, &ad);
4225 if (err) {
4226 selinux_netlbl_err(skb, err, 0);
4227 return err;
4228 }
4229 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4230 PEER__RECV, &ad);
4231 if (err) {
4232 selinux_netlbl_err(skb, err, 0);
4233 return err;
4234 }
4235 }
4236
4237 if (secmark_active) {
4238 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4239 PACKET__RECV, &ad);
4240 if (err)
4241 return err;
4242 }
4243
4244 return err;
4245 }
4246
4247 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4248 int __user *optlen, unsigned len)
4249 {
4250 int err = 0;
4251 char *scontext;
4252 u32 scontext_len;
4253 struct sk_security_struct *sksec = sock->sk->sk_security;
4254 u32 peer_sid = SECSID_NULL;
4255
4256 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4257 sksec->sclass == SECCLASS_TCP_SOCKET)
4258 peer_sid = sksec->peer_sid;
4259 if (peer_sid == SECSID_NULL)
4260 return -ENOPROTOOPT;
4261
4262 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4263 if (err)
4264 return err;
4265
4266 if (scontext_len > len) {
4267 err = -ERANGE;
4268 goto out_len;
4269 }
4270
4271 if (copy_to_user(optval, scontext, scontext_len))
4272 err = -EFAULT;
4273
4274 out_len:
4275 if (put_user(scontext_len, optlen))
4276 err = -EFAULT;
4277 kfree(scontext);
4278 return err;
4279 }
4280
4281 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4282 {
4283 u32 peer_secid = SECSID_NULL;
4284 u16 family;
4285
4286 if (skb && skb->protocol == htons(ETH_P_IP))
4287 family = PF_INET;
4288 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4289 family = PF_INET6;
4290 else if (sock)
4291 family = sock->sk->sk_family;
4292 else
4293 goto out;
4294
4295 if (sock && family == PF_UNIX)
4296 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4297 else if (skb)
4298 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4299
4300 out:
4301 *secid = peer_secid;
4302 if (peer_secid == SECSID_NULL)
4303 return -EINVAL;
4304 return 0;
4305 }
4306
4307 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4308 {
4309 struct sk_security_struct *sksec;
4310
4311 sksec = kzalloc(sizeof(*sksec), priority);
4312 if (!sksec)
4313 return -ENOMEM;
4314
4315 sksec->peer_sid = SECINITSID_UNLABELED;
4316 sksec->sid = SECINITSID_UNLABELED;
4317 selinux_netlbl_sk_security_reset(sksec);
4318 sk->sk_security = sksec;
4319
4320 return 0;
4321 }
4322
4323 static void selinux_sk_free_security(struct sock *sk)
4324 {
4325 struct sk_security_struct *sksec = sk->sk_security;
4326
4327 sk->sk_security = NULL;
4328 selinux_netlbl_sk_security_free(sksec);
4329 kfree(sksec);
4330 }
4331
4332 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4333 {
4334 struct sk_security_struct *sksec = sk->sk_security;
4335 struct sk_security_struct *newsksec = newsk->sk_security;
4336
4337 newsksec->sid = sksec->sid;
4338 newsksec->peer_sid = sksec->peer_sid;
4339 newsksec->sclass = sksec->sclass;
4340
4341 selinux_netlbl_sk_security_reset(newsksec);
4342 }
4343
4344 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4345 {
4346 if (!sk)
4347 *secid = SECINITSID_ANY_SOCKET;
4348 else {
4349 struct sk_security_struct *sksec = sk->sk_security;
4350
4351 *secid = sksec->sid;
4352 }
4353 }
4354
4355 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4356 {
4357 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4358 struct sk_security_struct *sksec = sk->sk_security;
4359
4360 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4361 sk->sk_family == PF_UNIX)
4362 isec->sid = sksec->sid;
4363 sksec->sclass = isec->sclass;
4364 }
4365
4366 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4367 struct request_sock *req)
4368 {
4369 struct sk_security_struct *sksec = sk->sk_security;
4370 int err;
4371 u16 family = sk->sk_family;
4372 u32 connsid;
4373 u32 peersid;
4374
4375 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4376 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4377 family = PF_INET;
4378
4379 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4380 if (err)
4381 return err;
4382 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4383 if (err)
4384 return err;
4385 req->secid = connsid;
4386 req->peer_secid = peersid;
4387
4388 return selinux_netlbl_inet_conn_request(req, family);
4389 }
4390
4391 static void selinux_inet_csk_clone(struct sock *newsk,
4392 const struct request_sock *req)
4393 {
4394 struct sk_security_struct *newsksec = newsk->sk_security;
4395
4396 newsksec->sid = req->secid;
4397 newsksec->peer_sid = req->peer_secid;
4398 /* NOTE: Ideally, we should also get the isec->sid for the
4399 new socket in sync, but we don't have the isec available yet.
4400 So we will wait until sock_graft to do it, by which
4401 time it will have been created and available. */
4402
4403 /* We don't need to take any sort of lock here as we are the only
4404 * thread with access to newsksec */
4405 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4406 }
4407
4408 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4409 {
4410 u16 family = sk->sk_family;
4411 struct sk_security_struct *sksec = sk->sk_security;
4412
4413 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4414 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4415 family = PF_INET;
4416
4417 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4418 }
4419
4420 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4421 {
4422 skb_set_owner_w(skb, sk);
4423 }
4424
4425 static int selinux_secmark_relabel_packet(u32 sid)
4426 {
4427 const struct task_security_struct *__tsec;
4428 u32 tsid;
4429
4430 __tsec = current_security();
4431 tsid = __tsec->sid;
4432
4433 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4434 }
4435
4436 static void selinux_secmark_refcount_inc(void)
4437 {
4438 atomic_inc(&selinux_secmark_refcount);
4439 }
4440
4441 static void selinux_secmark_refcount_dec(void)
4442 {
4443 atomic_dec(&selinux_secmark_refcount);
4444 }
4445
4446 static void selinux_req_classify_flow(const struct request_sock *req,
4447 struct flowi *fl)
4448 {
4449 fl->flowi_secid = req->secid;
4450 }
4451
4452 static int selinux_tun_dev_alloc_security(void **security)
4453 {
4454 struct tun_security_struct *tunsec;
4455
4456 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4457 if (!tunsec)
4458 return -ENOMEM;
4459 tunsec->sid = current_sid();
4460
4461 *security = tunsec;
4462 return 0;
4463 }
4464
4465 static void selinux_tun_dev_free_security(void *security)
4466 {
4467 kfree(security);
4468 }
4469
4470 static int selinux_tun_dev_create(void)
4471 {
4472 u32 sid = current_sid();
4473
4474 /* we aren't taking into account the "sockcreate" SID since the socket
4475 * that is being created here is not a socket in the traditional sense,
4476 * instead it is a private sock, accessible only to the kernel, and
4477 * representing a wide range of network traffic spanning multiple
4478 * connections unlike traditional sockets - check the TUN driver to
4479 * get a better understanding of why this socket is special */
4480
4481 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4482 NULL);
4483 }
4484
4485 static int selinux_tun_dev_attach_queue(void *security)
4486 {
4487 struct tun_security_struct *tunsec = security;
4488
4489 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4490 TUN_SOCKET__ATTACH_QUEUE, NULL);
4491 }
4492
4493 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4494 {
4495 struct tun_security_struct *tunsec = security;
4496 struct sk_security_struct *sksec = sk->sk_security;
4497
4498 /* we don't currently perform any NetLabel based labeling here and it
4499 * isn't clear that we would want to do so anyway; while we could apply
4500 * labeling without the support of the TUN user the resulting labeled
4501 * traffic from the other end of the connection would almost certainly
4502 * cause confusion to the TUN user that had no idea network labeling
4503 * protocols were being used */
4504
4505 sksec->sid = tunsec->sid;
4506 sksec->sclass = SECCLASS_TUN_SOCKET;
4507
4508 return 0;
4509 }
4510
4511 static int selinux_tun_dev_open(void *security)
4512 {
4513 struct tun_security_struct *tunsec = security;
4514 u32 sid = current_sid();
4515 int err;
4516
4517 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4518 TUN_SOCKET__RELABELFROM, NULL);
4519 if (err)
4520 return err;
4521 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4522 TUN_SOCKET__RELABELTO, NULL);
4523 if (err)
4524 return err;
4525 tunsec->sid = sid;
4526
4527 return 0;
4528 }
4529
4530 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4531 {
4532 int err = 0;
4533 u32 perm;
4534 struct nlmsghdr *nlh;
4535 struct sk_security_struct *sksec = sk->sk_security;
4536
4537 if (skb->len < NLMSG_HDRLEN) {
4538 err = -EINVAL;
4539 goto out;
4540 }
4541 nlh = nlmsg_hdr(skb);
4542
4543 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4544 if (err) {
4545 if (err == -EINVAL) {
4546 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4547 "SELinux: unrecognized netlink message"
4548 " type=%hu for sclass=%hu\n",
4549 nlh->nlmsg_type, sksec->sclass);
4550 if (!selinux_enforcing || security_get_allow_unknown())
4551 err = 0;
4552 }
4553
4554 /* Ignore */
4555 if (err == -ENOENT)
4556 err = 0;
4557 goto out;
4558 }
4559
4560 err = sock_has_perm(current, sk, perm);
4561 out:
4562 return err;
4563 }
4564
4565 #ifdef CONFIG_NETFILTER
4566
4567 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4568 u16 family)
4569 {
4570 int err;
4571 char *addrp;
4572 u32 peer_sid;
4573 struct common_audit_data ad;
4574 struct lsm_network_audit net = {0,};
4575 u8 secmark_active;
4576 u8 netlbl_active;
4577 u8 peerlbl_active;
4578
4579 if (!selinux_policycap_netpeer)
4580 return NF_ACCEPT;
4581
4582 secmark_active = selinux_secmark_enabled();
4583 netlbl_active = netlbl_enabled();
4584 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4585 if (!secmark_active && !peerlbl_active)
4586 return NF_ACCEPT;
4587
4588 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4589 return NF_DROP;
4590
4591 ad.type = LSM_AUDIT_DATA_NET;
4592 ad.u.net = &net;
4593 ad.u.net->netif = ifindex;
4594 ad.u.net->family = family;
4595 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4596 return NF_DROP;
4597
4598 if (peerlbl_active) {
4599 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4600 peer_sid, &ad);
4601 if (err) {
4602 selinux_netlbl_err(skb, err, 1);
4603 return NF_DROP;
4604 }
4605 }
4606
4607 if (secmark_active)
4608 if (avc_has_perm(peer_sid, skb->secmark,
4609 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4610 return NF_DROP;
4611
4612 if (netlbl_active)
4613 /* we do this in the FORWARD path and not the POST_ROUTING
4614 * path because we want to make sure we apply the necessary
4615 * labeling before IPsec is applied so we can leverage AH
4616 * protection */
4617 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4618 return NF_DROP;
4619
4620 return NF_ACCEPT;
4621 }
4622
4623 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4624 struct sk_buff *skb,
4625 const struct net_device *in,
4626 const struct net_device *out,
4627 int (*okfn)(struct sk_buff *))
4628 {
4629 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4630 }
4631
4632 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4633 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4634 struct sk_buff *skb,
4635 const struct net_device *in,
4636 const struct net_device *out,
4637 int (*okfn)(struct sk_buff *))
4638 {
4639 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4640 }
4641 #endif /* IPV6 */
4642
4643 static unsigned int selinux_ip_output(struct sk_buff *skb,
4644 u16 family)
4645 {
4646 struct sock *sk;
4647 u32 sid;
4648
4649 if (!netlbl_enabled())
4650 return NF_ACCEPT;
4651
4652 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4653 * because we want to make sure we apply the necessary labeling
4654 * before IPsec is applied so we can leverage AH protection */
4655 sk = skb->sk;
4656 if (sk) {
4657 struct sk_security_struct *sksec;
4658
4659 if (sk->sk_state == TCP_LISTEN)
4660 /* if the socket is the listening state then this
4661 * packet is a SYN-ACK packet which means it needs to
4662 * be labeled based on the connection/request_sock and
4663 * not the parent socket. unfortunately, we can't
4664 * lookup the request_sock yet as it isn't queued on
4665 * the parent socket until after the SYN-ACK is sent.
4666 * the "solution" is to simply pass the packet as-is
4667 * as any IP option based labeling should be copied
4668 * from the initial connection request (in the IP
4669 * layer). it is far from ideal, but until we get a
4670 * security label in the packet itself this is the
4671 * best we can do. */
4672 return NF_ACCEPT;
4673
4674 /* standard practice, label using the parent socket */
4675 sksec = sk->sk_security;
4676 sid = sksec->sid;
4677 } else
4678 sid = SECINITSID_KERNEL;
4679 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4680 return NF_DROP;
4681
4682 return NF_ACCEPT;
4683 }
4684
4685 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4686 struct sk_buff *skb,
4687 const struct net_device *in,
4688 const struct net_device *out,
4689 int (*okfn)(struct sk_buff *))
4690 {
4691 return selinux_ip_output(skb, PF_INET);
4692 }
4693
4694 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4695 int ifindex,
4696 u16 family)
4697 {
4698 struct sock *sk = skb->sk;
4699 struct sk_security_struct *sksec;
4700 struct common_audit_data ad;
4701 struct lsm_network_audit net = {0,};
4702 char *addrp;
4703 u8 proto;
4704
4705 if (sk == NULL)
4706 return NF_ACCEPT;
4707 sksec = sk->sk_security;
4708
4709 ad.type = LSM_AUDIT_DATA_NET;
4710 ad.u.net = &net;
4711 ad.u.net->netif = ifindex;
4712 ad.u.net->family = family;
4713 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4714 return NF_DROP;
4715
4716 if (selinux_secmark_enabled())
4717 if (avc_has_perm(sksec->sid, skb->secmark,
4718 SECCLASS_PACKET, PACKET__SEND, &ad))
4719 return NF_DROP_ERR(-ECONNREFUSED);
4720
4721 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4722 return NF_DROP_ERR(-ECONNREFUSED);
4723
4724 return NF_ACCEPT;
4725 }
4726
4727 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4728 u16 family)
4729 {
4730 u32 secmark_perm;
4731 u32 peer_sid;
4732 struct sock *sk;
4733 struct common_audit_data ad;
4734 struct lsm_network_audit net = {0,};
4735 char *addrp;
4736 u8 secmark_active;
4737 u8 peerlbl_active;
4738
4739 /* If any sort of compatibility mode is enabled then handoff processing
4740 * to the selinux_ip_postroute_compat() function to deal with the
4741 * special handling. We do this in an attempt to keep this function
4742 * as fast and as clean as possible. */
4743 if (!selinux_policycap_netpeer)
4744 return selinux_ip_postroute_compat(skb, ifindex, family);
4745
4746 secmark_active = selinux_secmark_enabled();
4747 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4748 if (!secmark_active && !peerlbl_active)
4749 return NF_ACCEPT;
4750
4751 sk = skb->sk;
4752
4753 #ifdef CONFIG_XFRM
4754 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4755 * packet transformation so allow the packet to pass without any checks
4756 * since we'll have another chance to perform access control checks
4757 * when the packet is on it's final way out.
4758 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4759 * is NULL, in this case go ahead and apply access control.
4760 * is NULL, in this case go ahead and apply access control.
4761 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4762 * TCP listening state we cannot wait until the XFRM processing
4763 * is done as we will miss out on the SA label if we do;
4764 * unfortunately, this means more work, but it is only once per
4765 * connection. */
4766 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4767 !(sk != NULL && sk->sk_state == TCP_LISTEN))
4768 return NF_ACCEPT;
4769 #endif
4770
4771 if (sk == NULL) {
4772 /* Without an associated socket the packet is either coming
4773 * from the kernel or it is being forwarded; check the packet
4774 * to determine which and if the packet is being forwarded
4775 * query the packet directly to determine the security label. */
4776 if (skb->skb_iif) {
4777 secmark_perm = PACKET__FORWARD_OUT;
4778 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4779 return NF_DROP;
4780 } else {
4781 secmark_perm = PACKET__SEND;
4782 peer_sid = SECINITSID_KERNEL;
4783 }
4784 } else if (sk->sk_state == TCP_LISTEN) {
4785 /* Locally generated packet but the associated socket is in the
4786 * listening state which means this is a SYN-ACK packet. In
4787 * this particular case the correct security label is assigned
4788 * to the connection/request_sock but unfortunately we can't
4789 * query the request_sock as it isn't queued on the parent
4790 * socket until after the SYN-ACK packet is sent; the only
4791 * viable choice is to regenerate the label like we do in
4792 * selinux_inet_conn_request(). See also selinux_ip_output()
4793 * for similar problems. */
4794 u32 skb_sid;
4795 struct sk_security_struct *sksec = sk->sk_security;
4796 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4797 return NF_DROP;
4798 /* At this point, if the returned skb peerlbl is SECSID_NULL
4799 * and the packet has been through at least one XFRM
4800 * transformation then we must be dealing with the "final"
4801 * form of labeled IPsec packet; since we've already applied
4802 * all of our access controls on this packet we can safely
4803 * pass the packet. */
4804 if (skb_sid == SECSID_NULL) {
4805 switch (family) {
4806 case PF_INET:
4807 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4808 return NF_ACCEPT;
4809 break;
4810 case PF_INET6:
4811 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4812 return NF_ACCEPT;
4813 default:
4814 return NF_DROP_ERR(-ECONNREFUSED);
4815 }
4816 }
4817 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4818 return NF_DROP;
4819 secmark_perm = PACKET__SEND;
4820 } else {
4821 /* Locally generated packet, fetch the security label from the
4822 * associated socket. */
4823 struct sk_security_struct *sksec = sk->sk_security;
4824 peer_sid = sksec->sid;
4825 secmark_perm = PACKET__SEND;
4826 }
4827
4828 ad.type = LSM_AUDIT_DATA_NET;
4829 ad.u.net = &net;
4830 ad.u.net->netif = ifindex;
4831 ad.u.net->family = family;
4832 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4833 return NF_DROP;
4834
4835 if (secmark_active)
4836 if (avc_has_perm(peer_sid, skb->secmark,
4837 SECCLASS_PACKET, secmark_perm, &ad))
4838 return NF_DROP_ERR(-ECONNREFUSED);
4839
4840 if (peerlbl_active) {
4841 u32 if_sid;
4842 u32 node_sid;
4843
4844 if (sel_netif_sid(ifindex, &if_sid))
4845 return NF_DROP;
4846 if (avc_has_perm(peer_sid, if_sid,
4847 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4848 return NF_DROP_ERR(-ECONNREFUSED);
4849
4850 if (sel_netnode_sid(addrp, family, &node_sid))
4851 return NF_DROP;
4852 if (avc_has_perm(peer_sid, node_sid,
4853 SECCLASS_NODE, NODE__SENDTO, &ad))
4854 return NF_DROP_ERR(-ECONNREFUSED);
4855 }
4856
4857 return NF_ACCEPT;
4858 }
4859
4860 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4861 struct sk_buff *skb,
4862 const struct net_device *in,
4863 const struct net_device *out,
4864 int (*okfn)(struct sk_buff *))
4865 {
4866 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4867 }
4868
4869 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4870 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4871 struct sk_buff *skb,
4872 const struct net_device *in,
4873 const struct net_device *out,
4874 int (*okfn)(struct sk_buff *))
4875 {
4876 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4877 }
4878 #endif /* IPV6 */
4879
4880 #endif /* CONFIG_NETFILTER */
4881
4882 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4883 {
4884 int err;
4885
4886 err = cap_netlink_send(sk, skb);
4887 if (err)
4888 return err;
4889
4890 return selinux_nlmsg_perm(sk, skb);
4891 }
4892
4893 static int ipc_alloc_security(struct task_struct *task,
4894 struct kern_ipc_perm *perm,
4895 u16 sclass)
4896 {
4897 struct ipc_security_struct *isec;
4898 u32 sid;
4899
4900 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4901 if (!isec)
4902 return -ENOMEM;
4903
4904 sid = task_sid(task);
4905 isec->sclass = sclass;
4906 isec->sid = sid;
4907 perm->security = isec;
4908
4909 return 0;
4910 }
4911
4912 static void ipc_free_security(struct kern_ipc_perm *perm)
4913 {
4914 struct ipc_security_struct *isec = perm->security;
4915 perm->security = NULL;
4916 kfree(isec);
4917 }
4918
4919 static int msg_msg_alloc_security(struct msg_msg *msg)
4920 {
4921 struct msg_security_struct *msec;
4922
4923 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4924 if (!msec)
4925 return -ENOMEM;
4926
4927 msec->sid = SECINITSID_UNLABELED;
4928 msg->security = msec;
4929
4930 return 0;
4931 }
4932
4933 static void msg_msg_free_security(struct msg_msg *msg)
4934 {
4935 struct msg_security_struct *msec = msg->security;
4936
4937 msg->security = NULL;
4938 kfree(msec);
4939 }
4940
4941 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4942 u32 perms)
4943 {
4944 struct ipc_security_struct *isec;
4945 struct common_audit_data ad;
4946 u32 sid = current_sid();
4947
4948 isec = ipc_perms->security;
4949
4950 ad.type = LSM_AUDIT_DATA_IPC;
4951 ad.u.ipc_id = ipc_perms->key;
4952
4953 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4954 }
4955
4956 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4957 {
4958 return msg_msg_alloc_security(msg);
4959 }
4960
4961 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4962 {
4963 msg_msg_free_security(msg);
4964 }
4965
4966 /* message queue security operations */
4967 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4968 {
4969 struct ipc_security_struct *isec;
4970 struct common_audit_data ad;
4971 u32 sid = current_sid();
4972 int rc;
4973
4974 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4975 if (rc)
4976 return rc;
4977
4978 isec = msq->q_perm.security;
4979
4980 ad.type = LSM_AUDIT_DATA_IPC;
4981 ad.u.ipc_id = msq->q_perm.key;
4982
4983 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4984 MSGQ__CREATE, &ad);
4985 if (rc) {
4986 ipc_free_security(&msq->q_perm);
4987 return rc;
4988 }
4989 return 0;
4990 }
4991
4992 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4993 {
4994 ipc_free_security(&msq->q_perm);
4995 }
4996
4997 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4998 {
4999 struct ipc_security_struct *isec;
5000 struct common_audit_data ad;
5001 u32 sid = current_sid();
5002
5003 isec = msq->q_perm.security;
5004
5005 ad.type = LSM_AUDIT_DATA_IPC;
5006 ad.u.ipc_id = msq->q_perm.key;
5007
5008 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5009 MSGQ__ASSOCIATE, &ad);
5010 }
5011
5012 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5013 {
5014 int err;
5015 int perms;
5016
5017 switch (cmd) {
5018 case IPC_INFO:
5019 case MSG_INFO:
5020 /* No specific object, just general system-wide information. */
5021 return task_has_system(current, SYSTEM__IPC_INFO);
5022 case IPC_STAT:
5023 case MSG_STAT:
5024 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5025 break;
5026 case IPC_SET:
5027 perms = MSGQ__SETATTR;
5028 break;
5029 case IPC_RMID:
5030 perms = MSGQ__DESTROY;
5031 break;
5032 default:
5033 return 0;
5034 }
5035
5036 err = ipc_has_perm(&msq->q_perm, perms);
5037 return err;
5038 }
5039
5040 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5041 {
5042 struct ipc_security_struct *isec;
5043 struct msg_security_struct *msec;
5044 struct common_audit_data ad;
5045 u32 sid = current_sid();
5046 int rc;
5047
5048 isec = msq->q_perm.security;
5049 msec = msg->security;
5050
5051 /*
5052 * First time through, need to assign label to the message
5053 */
5054 if (msec->sid == SECINITSID_UNLABELED) {
5055 /*
5056 * Compute new sid based on current process and
5057 * message queue this message will be stored in
5058 */
5059 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5060 NULL, &msec->sid);
5061 if (rc)
5062 return rc;
5063 }
5064
5065 ad.type = LSM_AUDIT_DATA_IPC;
5066 ad.u.ipc_id = msq->q_perm.key;
5067
5068 /* Can this process write to the queue? */
5069 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5070 MSGQ__WRITE, &ad);
5071 if (!rc)
5072 /* Can this process send the message */
5073 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5074 MSG__SEND, &ad);
5075 if (!rc)
5076 /* Can the message be put in the queue? */
5077 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5078 MSGQ__ENQUEUE, &ad);
5079
5080 return rc;
5081 }
5082
5083 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5084 struct task_struct *target,
5085 long type, int mode)
5086 {
5087 struct ipc_security_struct *isec;
5088 struct msg_security_struct *msec;
5089 struct common_audit_data ad;
5090 u32 sid = task_sid(target);
5091 int rc;
5092
5093 isec = msq->q_perm.security;
5094 msec = msg->security;
5095
5096 ad.type = LSM_AUDIT_DATA_IPC;
5097 ad.u.ipc_id = msq->q_perm.key;
5098
5099 rc = avc_has_perm(sid, isec->sid,
5100 SECCLASS_MSGQ, MSGQ__READ, &ad);
5101 if (!rc)
5102 rc = avc_has_perm(sid, msec->sid,
5103 SECCLASS_MSG, MSG__RECEIVE, &ad);
5104 return rc;
5105 }
5106
5107 /* Shared Memory security operations */
5108 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5109 {
5110 struct ipc_security_struct *isec;
5111 struct common_audit_data ad;
5112 u32 sid = current_sid();
5113 int rc;
5114
5115 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5116 if (rc)
5117 return rc;
5118
5119 isec = shp->shm_perm.security;
5120
5121 ad.type = LSM_AUDIT_DATA_IPC;
5122 ad.u.ipc_id = shp->shm_perm.key;
5123
5124 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5125 SHM__CREATE, &ad);
5126 if (rc) {
5127 ipc_free_security(&shp->shm_perm);
5128 return rc;
5129 }
5130 return 0;
5131 }
5132
5133 static void selinux_shm_free_security(struct shmid_kernel *shp)
5134 {
5135 ipc_free_security(&shp->shm_perm);
5136 }
5137
5138 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5139 {
5140 struct ipc_security_struct *isec;
5141 struct common_audit_data ad;
5142 u32 sid = current_sid();
5143
5144 isec = shp->shm_perm.security;
5145
5146 ad.type = LSM_AUDIT_DATA_IPC;
5147 ad.u.ipc_id = shp->shm_perm.key;
5148
5149 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5150 SHM__ASSOCIATE, &ad);
5151 }
5152
5153 /* Note, at this point, shp is locked down */
5154 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5155 {
5156 int perms;
5157 int err;
5158
5159 switch (cmd) {
5160 case IPC_INFO:
5161 case SHM_INFO:
5162 /* No specific object, just general system-wide information. */
5163 return task_has_system(current, SYSTEM__IPC_INFO);
5164 case IPC_STAT:
5165 case SHM_STAT:
5166 perms = SHM__GETATTR | SHM__ASSOCIATE;
5167 break;
5168 case IPC_SET:
5169 perms = SHM__SETATTR;
5170 break;
5171 case SHM_LOCK:
5172 case SHM_UNLOCK:
5173 perms = SHM__LOCK;
5174 break;
5175 case IPC_RMID:
5176 perms = SHM__DESTROY;
5177 break;
5178 default:
5179 return 0;
5180 }
5181
5182 err = ipc_has_perm(&shp->shm_perm, perms);
5183 return err;
5184 }
5185
5186 static int selinux_shm_shmat(struct shmid_kernel *shp,
5187 char __user *shmaddr, int shmflg)
5188 {
5189 u32 perms;
5190
5191 if (shmflg & SHM_RDONLY)
5192 perms = SHM__READ;
5193 else
5194 perms = SHM__READ | SHM__WRITE;
5195
5196 return ipc_has_perm(&shp->shm_perm, perms);
5197 }
5198
5199 /* Semaphore security operations */
5200 static int selinux_sem_alloc_security(struct sem_array *sma)
5201 {
5202 struct ipc_security_struct *isec;
5203 struct common_audit_data ad;
5204 u32 sid = current_sid();
5205 int rc;
5206
5207 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5208 if (rc)
5209 return rc;
5210
5211 isec = sma->sem_perm.security;
5212
5213 ad.type = LSM_AUDIT_DATA_IPC;
5214 ad.u.ipc_id = sma->sem_perm.key;
5215
5216 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5217 SEM__CREATE, &ad);
5218 if (rc) {
5219 ipc_free_security(&sma->sem_perm);
5220 return rc;
5221 }
5222 return 0;
5223 }
5224
5225 static void selinux_sem_free_security(struct sem_array *sma)
5226 {
5227 ipc_free_security(&sma->sem_perm);
5228 }
5229
5230 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5231 {
5232 struct ipc_security_struct *isec;
5233 struct common_audit_data ad;
5234 u32 sid = current_sid();
5235
5236 isec = sma->sem_perm.security;
5237
5238 ad.type = LSM_AUDIT_DATA_IPC;
5239 ad.u.ipc_id = sma->sem_perm.key;
5240
5241 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5242 SEM__ASSOCIATE, &ad);
5243 }
5244
5245 /* Note, at this point, sma is locked down */
5246 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5247 {
5248 int err;
5249 u32 perms;
5250
5251 switch (cmd) {
5252 case IPC_INFO:
5253 case SEM_INFO:
5254 /* No specific object, just general system-wide information. */
5255 return task_has_system(current, SYSTEM__IPC_INFO);
5256 case GETPID:
5257 case GETNCNT:
5258 case GETZCNT:
5259 perms = SEM__GETATTR;
5260 break;
5261 case GETVAL:
5262 case GETALL:
5263 perms = SEM__READ;
5264 break;
5265 case SETVAL:
5266 case SETALL:
5267 perms = SEM__WRITE;
5268 break;
5269 case IPC_RMID:
5270 perms = SEM__DESTROY;
5271 break;
5272 case IPC_SET:
5273 perms = SEM__SETATTR;
5274 break;
5275 case IPC_STAT:
5276 case SEM_STAT:
5277 perms = SEM__GETATTR | SEM__ASSOCIATE;
5278 break;
5279 default:
5280 return 0;
5281 }
5282
5283 err = ipc_has_perm(&sma->sem_perm, perms);
5284 return err;
5285 }
5286
5287 static int selinux_sem_semop(struct sem_array *sma,
5288 struct sembuf *sops, unsigned nsops, int alter)
5289 {
5290 u32 perms;
5291
5292 if (alter)
5293 perms = SEM__READ | SEM__WRITE;
5294 else
5295 perms = SEM__READ;
5296
5297 return ipc_has_perm(&sma->sem_perm, perms);
5298 }
5299
5300 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5301 {
5302 u32 av = 0;
5303
5304 av = 0;
5305 if (flag & S_IRUGO)
5306 av |= IPC__UNIX_READ;
5307 if (flag & S_IWUGO)
5308 av |= IPC__UNIX_WRITE;
5309
5310 if (av == 0)
5311 return 0;
5312
5313 return ipc_has_perm(ipcp, av);
5314 }
5315
5316 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5317 {
5318 struct ipc_security_struct *isec = ipcp->security;
5319 *secid = isec->sid;
5320 }
5321
5322 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5323 {
5324 if (inode)
5325 inode_doinit_with_dentry(inode, dentry);
5326 }
5327
5328 static int selinux_getprocattr(struct task_struct *p,
5329 char *name, char **value)
5330 {
5331 const struct task_security_struct *__tsec;
5332 u32 sid;
5333 int error;
5334 unsigned len;
5335
5336 if (current != p) {
5337 error = current_has_perm(p, PROCESS__GETATTR);
5338 if (error)
5339 return error;
5340 }
5341
5342 rcu_read_lock();
5343 __tsec = __task_cred(p)->security;
5344
5345 if (!strcmp(name, "current"))
5346 sid = __tsec->sid;
5347 else if (!strcmp(name, "prev"))
5348 sid = __tsec->osid;
5349 else if (!strcmp(name, "exec"))
5350 sid = __tsec->exec_sid;
5351 else if (!strcmp(name, "fscreate"))
5352 sid = __tsec->create_sid;
5353 else if (!strcmp(name, "keycreate"))
5354 sid = __tsec->keycreate_sid;
5355 else if (!strcmp(name, "sockcreate"))
5356 sid = __tsec->sockcreate_sid;
5357 else
5358 goto invalid;
5359 rcu_read_unlock();
5360
5361 if (!sid)
5362 return 0;
5363
5364 error = security_sid_to_context(sid, value, &len);
5365 if (error)
5366 return error;
5367 return len;
5368
5369 invalid:
5370 rcu_read_unlock();
5371 return -EINVAL;
5372 }
5373
5374 static int selinux_setprocattr(struct task_struct *p,
5375 char *name, void *value, size_t size)
5376 {
5377 struct task_security_struct *tsec;
5378 struct task_struct *tracer;
5379 struct cred *new;
5380 u32 sid = 0, ptsid;
5381 int error;
5382 char *str = value;
5383
5384 if (current != p) {
5385 /* SELinux only allows a process to change its own
5386 security attributes. */
5387 return -EACCES;
5388 }
5389
5390 /*
5391 * Basic control over ability to set these attributes at all.
5392 * current == p, but we'll pass them separately in case the
5393 * above restriction is ever removed.
5394 */
5395 if (!strcmp(name, "exec"))
5396 error = current_has_perm(p, PROCESS__SETEXEC);
5397 else if (!strcmp(name, "fscreate"))
5398 error = current_has_perm(p, PROCESS__SETFSCREATE);
5399 else if (!strcmp(name, "keycreate"))
5400 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5401 else if (!strcmp(name, "sockcreate"))
5402 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5403 else if (!strcmp(name, "current"))
5404 error = current_has_perm(p, PROCESS__SETCURRENT);
5405 else
5406 error = -EINVAL;
5407 if (error)
5408 return error;
5409
5410 /* Obtain a SID for the context, if one was specified. */
5411 if (size && str[1] && str[1] != '\n') {
5412 if (str[size-1] == '\n') {
5413 str[size-1] = 0;
5414 size--;
5415 }
5416 error = security_context_to_sid(value, size, &sid);
5417 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5418 if (!capable(CAP_MAC_ADMIN)) {
5419 struct audit_buffer *ab;
5420 size_t audit_size;
5421
5422 /* We strip a nul only if it is at the end, otherwise the
5423 * context contains a nul and we should audit that */
5424 if (str[size - 1] == '\0')
5425 audit_size = size - 1;
5426 else
5427 audit_size = size;
5428 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5429 audit_log_format(ab, "op=fscreate invalid_context=");
5430 audit_log_n_untrustedstring(ab, value, audit_size);
5431 audit_log_end(ab);
5432
5433 return error;
5434 }
5435 error = security_context_to_sid_force(value, size,
5436 &sid);
5437 }
5438 if (error)
5439 return error;
5440 }
5441
5442 new = prepare_creds();
5443 if (!new)
5444 return -ENOMEM;
5445
5446 /* Permission checking based on the specified context is
5447 performed during the actual operation (execve,
5448 open/mkdir/...), when we know the full context of the
5449 operation. See selinux_bprm_set_creds for the execve
5450 checks and may_create for the file creation checks. The
5451 operation will then fail if the context is not permitted. */
5452 tsec = new->security;
5453 if (!strcmp(name, "exec")) {
5454 tsec->exec_sid = sid;
5455 } else if (!strcmp(name, "fscreate")) {
5456 tsec->create_sid = sid;
5457 } else if (!strcmp(name, "keycreate")) {
5458 error = may_create_key(sid, p);
5459 if (error)
5460 goto abort_change;
5461 tsec->keycreate_sid = sid;
5462 } else if (!strcmp(name, "sockcreate")) {
5463 tsec->sockcreate_sid = sid;
5464 } else if (!strcmp(name, "current")) {
5465 error = -EINVAL;
5466 if (sid == 0)
5467 goto abort_change;
5468
5469 /* Only allow single threaded processes to change context */
5470 error = -EPERM;
5471 if (!current_is_single_threaded()) {
5472 error = security_bounded_transition(tsec->sid, sid);
5473 if (error)
5474 goto abort_change;
5475 }
5476
5477 /* Check permissions for the transition. */
5478 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5479 PROCESS__DYNTRANSITION, NULL);
5480 if (error)
5481 goto abort_change;
5482
5483 /* Check for ptracing, and update the task SID if ok.
5484 Otherwise, leave SID unchanged and fail. */
5485 ptsid = 0;
5486 rcu_read_lock();
5487 tracer = ptrace_parent(p);
5488 if (tracer)
5489 ptsid = task_sid(tracer);
5490 rcu_read_unlock();
5491
5492 if (tracer) {
5493 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5494 PROCESS__PTRACE, NULL);
5495 if (error)
5496 goto abort_change;
5497 }
5498
5499 tsec->sid = sid;
5500 } else {
5501 error = -EINVAL;
5502 goto abort_change;
5503 }
5504
5505 commit_creds(new);
5506 return size;
5507
5508 abort_change:
5509 abort_creds(new);
5510 return error;
5511 }
5512
5513 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5514 {
5515 return security_sid_to_context(secid, secdata, seclen);
5516 }
5517
5518 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5519 {
5520 return security_context_to_sid(secdata, seclen, secid);
5521 }
5522
5523 static void selinux_release_secctx(char *secdata, u32 seclen)
5524 {
5525 kfree(secdata);
5526 }
5527
5528 /*
5529 * called with inode->i_mutex locked
5530 */
5531 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5532 {
5533 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5534 }
5535
5536 /*
5537 * called with inode->i_mutex locked
5538 */
5539 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5540 {
5541 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5542 }
5543
5544 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5545 {
5546 int len = 0;
5547 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5548 ctx, true);
5549 if (len < 0)
5550 return len;
5551 *ctxlen = len;
5552 return 0;
5553 }
5554 #ifdef CONFIG_KEYS
5555
5556 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5557 unsigned long flags)
5558 {
5559 const struct task_security_struct *tsec;
5560 struct key_security_struct *ksec;
5561
5562 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5563 if (!ksec)
5564 return -ENOMEM;
5565
5566 tsec = cred->security;
5567 if (tsec->keycreate_sid)
5568 ksec->sid = tsec->keycreate_sid;
5569 else
5570 ksec->sid = tsec->sid;
5571
5572 k->security = ksec;
5573 return 0;
5574 }
5575
5576 static void selinux_key_free(struct key *k)
5577 {
5578 struct key_security_struct *ksec = k->security;
5579
5580 k->security = NULL;
5581 kfree(ksec);
5582 }
5583
5584 static int selinux_key_permission(key_ref_t key_ref,
5585 const struct cred *cred,
5586 key_perm_t perm)
5587 {
5588 struct key *key;
5589 struct key_security_struct *ksec;
5590 u32 sid;
5591
5592 /* if no specific permissions are requested, we skip the
5593 permission check. No serious, additional covert channels
5594 appear to be created. */
5595 if (perm == 0)
5596 return 0;
5597
5598 sid = cred_sid(cred);
5599
5600 key = key_ref_to_ptr(key_ref);
5601 ksec = key->security;
5602
5603 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5604 }
5605
5606 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5607 {
5608 struct key_security_struct *ksec = key->security;
5609 char *context = NULL;
5610 unsigned len;
5611 int rc;
5612
5613 rc = security_sid_to_context(ksec->sid, &context, &len);
5614 if (!rc)
5615 rc = len;
5616 *_buffer = context;
5617 return rc;
5618 }
5619
5620 #endif
5621
5622 static struct security_operations selinux_ops = {
5623 .name = "selinux",
5624
5625 .ptrace_access_check = selinux_ptrace_access_check,
5626 .ptrace_traceme = selinux_ptrace_traceme,
5627 .capget = selinux_capget,
5628 .capset = selinux_capset,
5629 .capable = selinux_capable,
5630 .quotactl = selinux_quotactl,
5631 .quota_on = selinux_quota_on,
5632 .syslog = selinux_syslog,
5633 .vm_enough_memory = selinux_vm_enough_memory,
5634
5635 .netlink_send = selinux_netlink_send,
5636
5637 .bprm_set_creds = selinux_bprm_set_creds,
5638 .bprm_committing_creds = selinux_bprm_committing_creds,
5639 .bprm_committed_creds = selinux_bprm_committed_creds,
5640 .bprm_secureexec = selinux_bprm_secureexec,
5641
5642 .sb_alloc_security = selinux_sb_alloc_security,
5643 .sb_free_security = selinux_sb_free_security,
5644 .sb_copy_data = selinux_sb_copy_data,
5645 .sb_remount = selinux_sb_remount,
5646 .sb_kern_mount = selinux_sb_kern_mount,
5647 .sb_show_options = selinux_sb_show_options,
5648 .sb_statfs = selinux_sb_statfs,
5649 .sb_mount = selinux_mount,
5650 .sb_umount = selinux_umount,
5651 .sb_set_mnt_opts = selinux_set_mnt_opts,
5652 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5653 .sb_parse_opts_str = selinux_parse_opts_str,
5654
5655
5656 .inode_alloc_security = selinux_inode_alloc_security,
5657 .inode_free_security = selinux_inode_free_security,
5658 .inode_init_security = selinux_inode_init_security,
5659 .inode_create = selinux_inode_create,
5660 .inode_link = selinux_inode_link,
5661 .inode_unlink = selinux_inode_unlink,
5662 .inode_symlink = selinux_inode_symlink,
5663 .inode_mkdir = selinux_inode_mkdir,
5664 .inode_rmdir = selinux_inode_rmdir,
5665 .inode_mknod = selinux_inode_mknod,
5666 .inode_rename = selinux_inode_rename,
5667 .inode_readlink = selinux_inode_readlink,
5668 .inode_follow_link = selinux_inode_follow_link,
5669 .inode_permission = selinux_inode_permission,
5670 .inode_setattr = selinux_inode_setattr,
5671 .inode_getattr = selinux_inode_getattr,
5672 .inode_setxattr = selinux_inode_setxattr,
5673 .inode_post_setxattr = selinux_inode_post_setxattr,
5674 .inode_getxattr = selinux_inode_getxattr,
5675 .inode_listxattr = selinux_inode_listxattr,
5676 .inode_removexattr = selinux_inode_removexattr,
5677 .inode_getsecurity = selinux_inode_getsecurity,
5678 .inode_setsecurity = selinux_inode_setsecurity,
5679 .inode_listsecurity = selinux_inode_listsecurity,
5680 .inode_getsecid = selinux_inode_getsecid,
5681
5682 .file_permission = selinux_file_permission,
5683 .file_alloc_security = selinux_file_alloc_security,
5684 .file_free_security = selinux_file_free_security,
5685 .file_ioctl = selinux_file_ioctl,
5686 .mmap_file = selinux_mmap_file,
5687 .mmap_addr = selinux_mmap_addr,
5688 .file_mprotect = selinux_file_mprotect,
5689 .file_lock = selinux_file_lock,
5690 .file_fcntl = selinux_file_fcntl,
5691 .file_set_fowner = selinux_file_set_fowner,
5692 .file_send_sigiotask = selinux_file_send_sigiotask,
5693 .file_receive = selinux_file_receive,
5694
5695 .file_open = selinux_file_open,
5696
5697 .task_create = selinux_task_create,
5698 .cred_alloc_blank = selinux_cred_alloc_blank,
5699 .cred_free = selinux_cred_free,
5700 .cred_prepare = selinux_cred_prepare,
5701 .cred_transfer = selinux_cred_transfer,
5702 .kernel_act_as = selinux_kernel_act_as,
5703 .kernel_create_files_as = selinux_kernel_create_files_as,
5704 .kernel_module_request = selinux_kernel_module_request,
5705 .task_setpgid = selinux_task_setpgid,
5706 .task_getpgid = selinux_task_getpgid,
5707 .task_getsid = selinux_task_getsid,
5708 .task_getsecid = selinux_task_getsecid,
5709 .task_setnice = selinux_task_setnice,
5710 .task_setioprio = selinux_task_setioprio,
5711 .task_getioprio = selinux_task_getioprio,
5712 .task_setrlimit = selinux_task_setrlimit,
5713 .task_setscheduler = selinux_task_setscheduler,
5714 .task_getscheduler = selinux_task_getscheduler,
5715 .task_movememory = selinux_task_movememory,
5716 .task_kill = selinux_task_kill,
5717 .task_wait = selinux_task_wait,
5718 .task_to_inode = selinux_task_to_inode,
5719
5720 .ipc_permission = selinux_ipc_permission,
5721 .ipc_getsecid = selinux_ipc_getsecid,
5722
5723 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5724 .msg_msg_free_security = selinux_msg_msg_free_security,
5725
5726 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5727 .msg_queue_free_security = selinux_msg_queue_free_security,
5728 .msg_queue_associate = selinux_msg_queue_associate,
5729 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5730 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5731 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5732
5733 .shm_alloc_security = selinux_shm_alloc_security,
5734 .shm_free_security = selinux_shm_free_security,
5735 .shm_associate = selinux_shm_associate,
5736 .shm_shmctl = selinux_shm_shmctl,
5737 .shm_shmat = selinux_shm_shmat,
5738
5739 .sem_alloc_security = selinux_sem_alloc_security,
5740 .sem_free_security = selinux_sem_free_security,
5741 .sem_associate = selinux_sem_associate,
5742 .sem_semctl = selinux_sem_semctl,
5743 .sem_semop = selinux_sem_semop,
5744
5745 .d_instantiate = selinux_d_instantiate,
5746
5747 .getprocattr = selinux_getprocattr,
5748 .setprocattr = selinux_setprocattr,
5749
5750 .secid_to_secctx = selinux_secid_to_secctx,
5751 .secctx_to_secid = selinux_secctx_to_secid,
5752 .release_secctx = selinux_release_secctx,
5753 .inode_notifysecctx = selinux_inode_notifysecctx,
5754 .inode_setsecctx = selinux_inode_setsecctx,
5755 .inode_getsecctx = selinux_inode_getsecctx,
5756
5757 .unix_stream_connect = selinux_socket_unix_stream_connect,
5758 .unix_may_send = selinux_socket_unix_may_send,
5759
5760 .socket_create = selinux_socket_create,
5761 .socket_post_create = selinux_socket_post_create,
5762 .socket_bind = selinux_socket_bind,
5763 .socket_connect = selinux_socket_connect,
5764 .socket_listen = selinux_socket_listen,
5765 .socket_accept = selinux_socket_accept,
5766 .socket_sendmsg = selinux_socket_sendmsg,
5767 .socket_recvmsg = selinux_socket_recvmsg,
5768 .socket_getsockname = selinux_socket_getsockname,
5769 .socket_getpeername = selinux_socket_getpeername,
5770 .socket_getsockopt = selinux_socket_getsockopt,
5771 .socket_setsockopt = selinux_socket_setsockopt,
5772 .socket_shutdown = selinux_socket_shutdown,
5773 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5774 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5775 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5776 .sk_alloc_security = selinux_sk_alloc_security,
5777 .sk_free_security = selinux_sk_free_security,
5778 .sk_clone_security = selinux_sk_clone_security,
5779 .sk_getsecid = selinux_sk_getsecid,
5780 .sock_graft = selinux_sock_graft,
5781 .inet_conn_request = selinux_inet_conn_request,
5782 .inet_csk_clone = selinux_inet_csk_clone,
5783 .inet_conn_established = selinux_inet_conn_established,
5784 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5785 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5786 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5787 .req_classify_flow = selinux_req_classify_flow,
5788 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5789 .tun_dev_free_security = selinux_tun_dev_free_security,
5790 .tun_dev_create = selinux_tun_dev_create,
5791 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5792 .tun_dev_attach = selinux_tun_dev_attach,
5793 .tun_dev_open = selinux_tun_dev_open,
5794 .skb_owned_by = selinux_skb_owned_by,
5795
5796 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5797 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5798 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5799 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5800 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5801 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5802 .xfrm_state_free_security = selinux_xfrm_state_free,
5803 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5804 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5805 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5806 .xfrm_decode_session = selinux_xfrm_decode_session,
5807 #endif
5808
5809 #ifdef CONFIG_KEYS
5810 .key_alloc = selinux_key_alloc,
5811 .key_free = selinux_key_free,
5812 .key_permission = selinux_key_permission,
5813 .key_getsecurity = selinux_key_getsecurity,
5814 #endif
5815
5816 #ifdef CONFIG_AUDIT
5817 .audit_rule_init = selinux_audit_rule_init,
5818 .audit_rule_known = selinux_audit_rule_known,
5819 .audit_rule_match = selinux_audit_rule_match,
5820 .audit_rule_free = selinux_audit_rule_free,
5821 #endif
5822 };
5823
5824 static __init int selinux_init(void)
5825 {
5826 if (!security_module_enable(&selinux_ops)) {
5827 selinux_enabled = 0;
5828 return 0;
5829 }
5830
5831 if (!selinux_enabled) {
5832 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5833 return 0;
5834 }
5835
5836 printk(KERN_INFO "SELinux: Initializing.\n");
5837
5838 /* Set the security state for the initial task. */
5839 cred_init_security();
5840
5841 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5842
5843 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5844 sizeof(struct inode_security_struct),
5845 0, SLAB_PANIC, NULL);
5846 avc_init();
5847
5848 if (register_security(&selinux_ops))
5849 panic("SELinux: Unable to register with kernel.\n");
5850
5851 if (selinux_enforcing)
5852 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5853 else
5854 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5855
5856 return 0;
5857 }
5858
5859 static void delayed_superblock_init(struct super_block *sb, void *unused)
5860 {
5861 superblock_doinit(sb, NULL);
5862 }
5863
5864 void selinux_complete_init(void)
5865 {
5866 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5867
5868 /* Set up any superblocks initialized prior to the policy load. */
5869 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5870 iterate_supers(delayed_superblock_init, NULL);
5871 }
5872
5873 /* SELinux requires early initialization in order to label
5874 all processes and objects when they are created. */
5875 security_initcall(selinux_init);
5876
5877 #if defined(CONFIG_NETFILTER)
5878
5879 static struct nf_hook_ops selinux_ipv4_ops[] = {
5880 {
5881 .hook = selinux_ipv4_postroute,
5882 .owner = THIS_MODULE,
5883 .pf = NFPROTO_IPV4,
5884 .hooknum = NF_INET_POST_ROUTING,
5885 .priority = NF_IP_PRI_SELINUX_LAST,
5886 },
5887 {
5888 .hook = selinux_ipv4_forward,
5889 .owner = THIS_MODULE,
5890 .pf = NFPROTO_IPV4,
5891 .hooknum = NF_INET_FORWARD,
5892 .priority = NF_IP_PRI_SELINUX_FIRST,
5893 },
5894 {
5895 .hook = selinux_ipv4_output,
5896 .owner = THIS_MODULE,
5897 .pf = NFPROTO_IPV4,
5898 .hooknum = NF_INET_LOCAL_OUT,
5899 .priority = NF_IP_PRI_SELINUX_FIRST,
5900 }
5901 };
5902
5903 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5904
5905 static struct nf_hook_ops selinux_ipv6_ops[] = {
5906 {
5907 .hook = selinux_ipv6_postroute,
5908 .owner = THIS_MODULE,
5909 .pf = NFPROTO_IPV6,
5910 .hooknum = NF_INET_POST_ROUTING,
5911 .priority = NF_IP6_PRI_SELINUX_LAST,
5912 },
5913 {
5914 .hook = selinux_ipv6_forward,
5915 .owner = THIS_MODULE,
5916 .pf = NFPROTO_IPV6,
5917 .hooknum = NF_INET_FORWARD,
5918 .priority = NF_IP6_PRI_SELINUX_FIRST,
5919 }
5920 };
5921
5922 #endif /* IPV6 */
5923
5924 static int __init selinux_nf_ip_init(void)
5925 {
5926 int err = 0;
5927
5928 if (!selinux_enabled)
5929 goto out;
5930
5931 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5932
5933 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5934 if (err)
5935 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5936
5937 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5938 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5939 if (err)
5940 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5941 #endif /* IPV6 */
5942
5943 out:
5944 return err;
5945 }
5946
5947 __initcall(selinux_nf_ip_init);
5948
5949 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5950 static void selinux_nf_ip_exit(void)
5951 {
5952 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5953
5954 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5955 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5956 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5957 #endif /* IPV6 */
5958 }
5959 #endif
5960
5961 #else /* CONFIG_NETFILTER */
5962
5963 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5964 #define selinux_nf_ip_exit()
5965 #endif
5966
5967 #endif /* CONFIG_NETFILTER */
5968
5969 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5970 static int selinux_disabled;
5971
5972 int selinux_disable(void)
5973 {
5974 if (ss_initialized) {
5975 /* Not permitted after initial policy load. */
5976 return -EINVAL;
5977 }
5978
5979 if (selinux_disabled) {
5980 /* Only do this once. */
5981 return -EINVAL;
5982 }
5983
5984 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5985
5986 selinux_disabled = 1;
5987 selinux_enabled = 0;
5988
5989 reset_security_ops();
5990
5991 /* Try to destroy the avc node cache */
5992 avc_disable();
5993
5994 /* Unregister netfilter hooks. */
5995 selinux_nf_ip_exit();
5996
5997 /* Unregister selinuxfs. */
5998 exit_sel_fs();
5999
6000 return 0;
6001 }
6002 #endif