hooks.c revision ef76e748faa823a738d632ee4c8ed9adaabc8a40
1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul.moore@hp.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * 21 * This program is free software; you can redistribute it and/or modify 22 * it under the terms of the GNU General Public License version 2, 23 * as published by the Free Software Foundation. 24 */ 25 26#include <linux/init.h> 27#include <linux/kernel.h> 28#include <linux/tracehook.h> 29#include <linux/errno.h> 30#include <linux/sched.h> 31#include <linux/security.h> 32#include <linux/xattr.h> 33#include <linux/capability.h> 34#include <linux/unistd.h> 35#include <linux/mm.h> 36#include <linux/mman.h> 37#include <linux/slab.h> 38#include <linux/pagemap.h> 39#include <linux/swap.h> 40#include <linux/spinlock.h> 41#include <linux/syscalls.h> 42#include <linux/file.h> 43#include <linux/fdtable.h> 44#include <linux/namei.h> 45#include <linux/mount.h> 46#include <linux/proc_fs.h> 47#include <linux/netfilter_ipv4.h> 48#include <linux/netfilter_ipv6.h> 49#include <linux/tty.h> 50#include <net/icmp.h> 51#include <net/ip.h> /* for local_port_range[] */ 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 53#include <net/net_namespace.h> 54#include <net/netlabel.h> 55#include <linux/uaccess.h> 56#include <asm/ioctls.h> 57#include <asm/atomic.h> 58#include <linux/bitops.h> 59#include <linux/interrupt.h> 60#include <linux/netdevice.h> /* for network interface checks */ 61#include <linux/netlink.h> 62#include <linux/tcp.h> 63#include <linux/udp.h> 64#include <linux/dccp.h> 65#include <linux/quota.h> 66#include <linux/un.h> /* for Unix socket types */ 67#include <net/af_unix.h> /* for Unix socket types */ 68#include <linux/parser.h> 69#include <linux/nfs_mount.h> 70#include <net/ipv6.h> 71#include <linux/hugetlb.h> 72#include <linux/personality.h> 73#include <linux/sysctl.h> 74#include <linux/audit.h> 75#include <linux/string.h> 76#include <linux/selinux.h> 77#include <linux/mutex.h> 78#include <linux/posix-timers.h> 79 80#include "avc.h" 81#include "objsec.h" 82#include "netif.h" 83#include "netnode.h" 84#include "netport.h" 85#include "xfrm.h" 86#include "netlabel.h" 87#include "audit.h" 88 89#define XATTR_SELINUX_SUFFIX "selinux" 90#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 91 92#define NUM_SEL_MNT_OPTS 5 93 94extern unsigned int policydb_loaded_version; 95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 96extern int selinux_compat_net; 97extern struct security_operations *security_ops; 98 99/* SECMARK reference count */ 100atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 101 102#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 103int selinux_enforcing; 104 105static int __init enforcing_setup(char *str) 106{ 107 unsigned long enforcing; 108 if (!strict_strtoul(str, 0, &enforcing)) 109 selinux_enforcing = enforcing ? 1 : 0; 110 return 1; 111} 112__setup("enforcing=", enforcing_setup); 113#endif 114 115#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 116int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 117 118static int __init selinux_enabled_setup(char *str) 119{ 120 unsigned long enabled; 121 if (!strict_strtoul(str, 0, &enabled)) 122 selinux_enabled = enabled ? 1 : 0; 123 return 1; 124} 125__setup("selinux=", selinux_enabled_setup); 126#else 127int selinux_enabled = 1; 128#endif 129 130 131/* 132 * Minimal support for a secondary security module, 133 * just to allow the use of the capability module. 134 */ 135static struct security_operations *secondary_ops; 136 137/* Lists of inode and superblock security structures initialized 138 before the policy was loaded. */ 139static LIST_HEAD(superblock_security_head); 140static DEFINE_SPINLOCK(sb_security_lock); 141 142static struct kmem_cache *sel_inode_cache; 143 144/** 145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 146 * 147 * Description: 148 * This function checks the SECMARK reference counter to see if any SECMARK 149 * targets are currently configured, if the reference counter is greater than 150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 151 * enabled, false (0) if SECMARK is disabled. 152 * 153 */ 154static int selinux_secmark_enabled(void) 155{ 156 return (atomic_read(&selinux_secmark_refcount) > 0); 157} 158 159/* 160 * initialise the security for the init task 161 */ 162static void cred_init_security(void) 163{ 164 struct cred *cred = (struct cred *) current->real_cred; 165 struct task_security_struct *tsec; 166 167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 168 if (!tsec) 169 panic("SELinux: Failed to initialize initial task.\n"); 170 171 tsec->osid = tsec->sid = SECINITSID_KERNEL; 172 cred->security = tsec; 173} 174 175/* 176 * get the security ID of a set of credentials 177 */ 178static inline u32 cred_sid(const struct cred *cred) 179{ 180 const struct task_security_struct *tsec; 181 182 tsec = cred->security; 183 return tsec->sid; 184} 185 186/* 187 * get the objective security ID of a task 188 */ 189static inline u32 task_sid(const struct task_struct *task) 190{ 191 u32 sid; 192 193 rcu_read_lock(); 194 sid = cred_sid(__task_cred(task)); 195 rcu_read_unlock(); 196 return sid; 197} 198 199/* 200 * get the subjective security ID of the current task 201 */ 202static inline u32 current_sid(void) 203{ 204 const struct task_security_struct *tsec = current_cred()->security; 205 206 return tsec->sid; 207} 208 209/* Allocate and free functions for each kind of security blob. */ 210 211static int inode_alloc_security(struct inode *inode) 212{ 213 struct inode_security_struct *isec; 214 u32 sid = current_sid(); 215 216 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 217 if (!isec) 218 return -ENOMEM; 219 220 mutex_init(&isec->lock); 221 INIT_LIST_HEAD(&isec->list); 222 isec->inode = inode; 223 isec->sid = SECINITSID_UNLABELED; 224 isec->sclass = SECCLASS_FILE; 225 isec->task_sid = sid; 226 inode->i_security = isec; 227 228 return 0; 229} 230 231static void inode_free_security(struct inode *inode) 232{ 233 struct inode_security_struct *isec = inode->i_security; 234 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 235 236 spin_lock(&sbsec->isec_lock); 237 if (!list_empty(&isec->list)) 238 list_del_init(&isec->list); 239 spin_unlock(&sbsec->isec_lock); 240 241 inode->i_security = NULL; 242 kmem_cache_free(sel_inode_cache, isec); 243} 244 245static int file_alloc_security(struct file *file) 246{ 247 struct file_security_struct *fsec; 248 u32 sid = current_sid(); 249 250 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 251 if (!fsec) 252 return -ENOMEM; 253 254 fsec->sid = sid; 255 fsec->fown_sid = sid; 256 file->f_security = fsec; 257 258 return 0; 259} 260 261static void file_free_security(struct file *file) 262{ 263 struct file_security_struct *fsec = file->f_security; 264 file->f_security = NULL; 265 kfree(fsec); 266} 267 268static int superblock_alloc_security(struct super_block *sb) 269{ 270 struct superblock_security_struct *sbsec; 271 272 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 273 if (!sbsec) 274 return -ENOMEM; 275 276 mutex_init(&sbsec->lock); 277 INIT_LIST_HEAD(&sbsec->list); 278 INIT_LIST_HEAD(&sbsec->isec_head); 279 spin_lock_init(&sbsec->isec_lock); 280 sbsec->sb = sb; 281 sbsec->sid = SECINITSID_UNLABELED; 282 sbsec->def_sid = SECINITSID_FILE; 283 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 284 sb->s_security = sbsec; 285 286 return 0; 287} 288 289static void superblock_free_security(struct super_block *sb) 290{ 291 struct superblock_security_struct *sbsec = sb->s_security; 292 293 spin_lock(&sb_security_lock); 294 if (!list_empty(&sbsec->list)) 295 list_del_init(&sbsec->list); 296 spin_unlock(&sb_security_lock); 297 298 sb->s_security = NULL; 299 kfree(sbsec); 300} 301 302static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) 303{ 304 struct sk_security_struct *ssec; 305 306 ssec = kzalloc(sizeof(*ssec), priority); 307 if (!ssec) 308 return -ENOMEM; 309 310 ssec->peer_sid = SECINITSID_UNLABELED; 311 ssec->sid = SECINITSID_UNLABELED; 312 sk->sk_security = ssec; 313 314 selinux_netlbl_sk_security_reset(ssec, family); 315 316 return 0; 317} 318 319static void sk_free_security(struct sock *sk) 320{ 321 struct sk_security_struct *ssec = sk->sk_security; 322 323 sk->sk_security = NULL; 324 selinux_netlbl_sk_security_free(ssec); 325 kfree(ssec); 326} 327 328/* The security server must be initialized before 329 any labeling or access decisions can be provided. */ 330extern int ss_initialized; 331 332/* The file system's label must be initialized prior to use. */ 333 334static char *labeling_behaviors[6] = { 335 "uses xattr", 336 "uses transition SIDs", 337 "uses task SIDs", 338 "uses genfs_contexts", 339 "not configured for labeling", 340 "uses mountpoint labeling", 341}; 342 343static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 344 345static inline int inode_doinit(struct inode *inode) 346{ 347 return inode_doinit_with_dentry(inode, NULL); 348} 349 350enum { 351 Opt_error = -1, 352 Opt_context = 1, 353 Opt_fscontext = 2, 354 Opt_defcontext = 3, 355 Opt_rootcontext = 4, 356 Opt_labelsupport = 5, 357}; 358 359static const match_table_t tokens = { 360 {Opt_context, CONTEXT_STR "%s"}, 361 {Opt_fscontext, FSCONTEXT_STR "%s"}, 362 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 363 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 364 {Opt_labelsupport, LABELSUPP_STR}, 365 {Opt_error, NULL}, 366}; 367 368#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 369 370static int may_context_mount_sb_relabel(u32 sid, 371 struct superblock_security_struct *sbsec, 372 const struct cred *cred) 373{ 374 const struct task_security_struct *tsec = cred->security; 375 int rc; 376 377 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 378 FILESYSTEM__RELABELFROM, NULL); 379 if (rc) 380 return rc; 381 382 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 383 FILESYSTEM__RELABELTO, NULL); 384 return rc; 385} 386 387static int may_context_mount_inode_relabel(u32 sid, 388 struct superblock_security_struct *sbsec, 389 const struct cred *cred) 390{ 391 const struct task_security_struct *tsec = cred->security; 392 int rc; 393 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 394 FILESYSTEM__RELABELFROM, NULL); 395 if (rc) 396 return rc; 397 398 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 399 FILESYSTEM__ASSOCIATE, NULL); 400 return rc; 401} 402 403static int sb_finish_set_opts(struct super_block *sb) 404{ 405 struct superblock_security_struct *sbsec = sb->s_security; 406 struct dentry *root = sb->s_root; 407 struct inode *root_inode = root->d_inode; 408 int rc = 0; 409 410 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 411 /* Make sure that the xattr handler exists and that no 412 error other than -ENODATA is returned by getxattr on 413 the root directory. -ENODATA is ok, as this may be 414 the first boot of the SELinux kernel before we have 415 assigned xattr values to the filesystem. */ 416 if (!root_inode->i_op->getxattr) { 417 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 418 "xattr support\n", sb->s_id, sb->s_type->name); 419 rc = -EOPNOTSUPP; 420 goto out; 421 } 422 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 423 if (rc < 0 && rc != -ENODATA) { 424 if (rc == -EOPNOTSUPP) 425 printk(KERN_WARNING "SELinux: (dev %s, type " 426 "%s) has no security xattr handler\n", 427 sb->s_id, sb->s_type->name); 428 else 429 printk(KERN_WARNING "SELinux: (dev %s, type " 430 "%s) getxattr errno %d\n", sb->s_id, 431 sb->s_type->name, -rc); 432 goto out; 433 } 434 } 435 436 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP); 437 438 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 439 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 440 sb->s_id, sb->s_type->name); 441 else 442 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", 443 sb->s_id, sb->s_type->name, 444 labeling_behaviors[sbsec->behavior-1]); 445 446 if (sbsec->behavior == SECURITY_FS_USE_GENFS || 447 sbsec->behavior == SECURITY_FS_USE_MNTPOINT || 448 sbsec->behavior == SECURITY_FS_USE_NONE || 449 sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 450 sbsec->flags &= ~SE_SBLABELSUPP; 451 452 /* Initialize the root inode. */ 453 rc = inode_doinit_with_dentry(root_inode, root); 454 455 /* Initialize any other inodes associated with the superblock, e.g. 456 inodes created prior to initial policy load or inodes created 457 during get_sb by a pseudo filesystem that directly 458 populates itself. */ 459 spin_lock(&sbsec->isec_lock); 460next_inode: 461 if (!list_empty(&sbsec->isec_head)) { 462 struct inode_security_struct *isec = 463 list_entry(sbsec->isec_head.next, 464 struct inode_security_struct, list); 465 struct inode *inode = isec->inode; 466 spin_unlock(&sbsec->isec_lock); 467 inode = igrab(inode); 468 if (inode) { 469 if (!IS_PRIVATE(inode)) 470 inode_doinit(inode); 471 iput(inode); 472 } 473 spin_lock(&sbsec->isec_lock); 474 list_del_init(&isec->list); 475 goto next_inode; 476 } 477 spin_unlock(&sbsec->isec_lock); 478out: 479 return rc; 480} 481 482/* 483 * This function should allow an FS to ask what it's mount security 484 * options were so it can use those later for submounts, displaying 485 * mount options, or whatever. 486 */ 487static int selinux_get_mnt_opts(const struct super_block *sb, 488 struct security_mnt_opts *opts) 489{ 490 int rc = 0, i; 491 struct superblock_security_struct *sbsec = sb->s_security; 492 char *context = NULL; 493 u32 len; 494 char tmp; 495 496 security_init_mnt_opts(opts); 497 498 if (!(sbsec->flags & SE_SBINITIALIZED)) 499 return -EINVAL; 500 501 if (!ss_initialized) 502 return -EINVAL; 503 504 tmp = sbsec->flags & SE_MNTMASK; 505 /* count the number of mount options for this sb */ 506 for (i = 0; i < 8; i++) { 507 if (tmp & 0x01) 508 opts->num_mnt_opts++; 509 tmp >>= 1; 510 } 511 /* Check if the Label support flag is set */ 512 if (sbsec->flags & SE_SBLABELSUPP) 513 opts->num_mnt_opts++; 514 515 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 516 if (!opts->mnt_opts) { 517 rc = -ENOMEM; 518 goto out_free; 519 } 520 521 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 522 if (!opts->mnt_opts_flags) { 523 rc = -ENOMEM; 524 goto out_free; 525 } 526 527 i = 0; 528 if (sbsec->flags & FSCONTEXT_MNT) { 529 rc = security_sid_to_context(sbsec->sid, &context, &len); 530 if (rc) 531 goto out_free; 532 opts->mnt_opts[i] = context; 533 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 534 } 535 if (sbsec->flags & CONTEXT_MNT) { 536 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 537 if (rc) 538 goto out_free; 539 opts->mnt_opts[i] = context; 540 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 541 } 542 if (sbsec->flags & DEFCONTEXT_MNT) { 543 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 544 if (rc) 545 goto out_free; 546 opts->mnt_opts[i] = context; 547 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 548 } 549 if (sbsec->flags & ROOTCONTEXT_MNT) { 550 struct inode *root = sbsec->sb->s_root->d_inode; 551 struct inode_security_struct *isec = root->i_security; 552 553 rc = security_sid_to_context(isec->sid, &context, &len); 554 if (rc) 555 goto out_free; 556 opts->mnt_opts[i] = context; 557 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 558 } 559 if (sbsec->flags & SE_SBLABELSUPP) { 560 opts->mnt_opts[i] = NULL; 561 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP; 562 } 563 564 BUG_ON(i != opts->num_mnt_opts); 565 566 return 0; 567 568out_free: 569 security_free_mnt_opts(opts); 570 return rc; 571} 572 573static int bad_option(struct superblock_security_struct *sbsec, char flag, 574 u32 old_sid, u32 new_sid) 575{ 576 char mnt_flags = sbsec->flags & SE_MNTMASK; 577 578 /* check if the old mount command had the same options */ 579 if (sbsec->flags & SE_SBINITIALIZED) 580 if (!(sbsec->flags & flag) || 581 (old_sid != new_sid)) 582 return 1; 583 584 /* check if we were passed the same options twice, 585 * aka someone passed context=a,context=b 586 */ 587 if (!(sbsec->flags & SE_SBINITIALIZED)) 588 if (mnt_flags & flag) 589 return 1; 590 return 0; 591} 592 593/* 594 * Allow filesystems with binary mount data to explicitly set mount point 595 * labeling information. 596 */ 597static int selinux_set_mnt_opts(struct super_block *sb, 598 struct security_mnt_opts *opts) 599{ 600 const struct cred *cred = current_cred(); 601 int rc = 0, i; 602 struct superblock_security_struct *sbsec = sb->s_security; 603 const char *name = sb->s_type->name; 604 struct inode *inode = sbsec->sb->s_root->d_inode; 605 struct inode_security_struct *root_isec = inode->i_security; 606 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 607 u32 defcontext_sid = 0; 608 char **mount_options = opts->mnt_opts; 609 int *flags = opts->mnt_opts_flags; 610 int num_opts = opts->num_mnt_opts; 611 612 mutex_lock(&sbsec->lock); 613 614 if (!ss_initialized) { 615 if (!num_opts) { 616 /* Defer initialization until selinux_complete_init, 617 after the initial policy is loaded and the security 618 server is ready to handle calls. */ 619 spin_lock(&sb_security_lock); 620 if (list_empty(&sbsec->list)) 621 list_add(&sbsec->list, &superblock_security_head); 622 spin_unlock(&sb_security_lock); 623 goto out; 624 } 625 rc = -EINVAL; 626 printk(KERN_WARNING "SELinux: Unable to set superblock options " 627 "before the security server is initialized\n"); 628 goto out; 629 } 630 631 /* 632 * Binary mount data FS will come through this function twice. Once 633 * from an explicit call and once from the generic calls from the vfs. 634 * Since the generic VFS calls will not contain any security mount data 635 * we need to skip the double mount verification. 636 * 637 * This does open a hole in which we will not notice if the first 638 * mount using this sb set explict options and a second mount using 639 * this sb does not set any security options. (The first options 640 * will be used for both mounts) 641 */ 642 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 643 && (num_opts == 0)) 644 goto out; 645 646 /* 647 * parse the mount options, check if they are valid sids. 648 * also check if someone is trying to mount the same sb more 649 * than once with different security options. 650 */ 651 for (i = 0; i < num_opts; i++) { 652 u32 sid; 653 654 if (flags[i] == SE_SBLABELSUPP) 655 continue; 656 rc = security_context_to_sid(mount_options[i], 657 strlen(mount_options[i]), &sid); 658 if (rc) { 659 printk(KERN_WARNING "SELinux: security_context_to_sid" 660 "(%s) failed for (dev %s, type %s) errno=%d\n", 661 mount_options[i], sb->s_id, name, rc); 662 goto out; 663 } 664 switch (flags[i]) { 665 case FSCONTEXT_MNT: 666 fscontext_sid = sid; 667 668 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 669 fscontext_sid)) 670 goto out_double_mount; 671 672 sbsec->flags |= FSCONTEXT_MNT; 673 break; 674 case CONTEXT_MNT: 675 context_sid = sid; 676 677 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 678 context_sid)) 679 goto out_double_mount; 680 681 sbsec->flags |= CONTEXT_MNT; 682 break; 683 case ROOTCONTEXT_MNT: 684 rootcontext_sid = sid; 685 686 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 687 rootcontext_sid)) 688 goto out_double_mount; 689 690 sbsec->flags |= ROOTCONTEXT_MNT; 691 692 break; 693 case DEFCONTEXT_MNT: 694 defcontext_sid = sid; 695 696 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 697 defcontext_sid)) 698 goto out_double_mount; 699 700 sbsec->flags |= DEFCONTEXT_MNT; 701 702 break; 703 default: 704 rc = -EINVAL; 705 goto out; 706 } 707 } 708 709 if (sbsec->flags & SE_SBINITIALIZED) { 710 /* previously mounted with options, but not on this attempt? */ 711 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 712 goto out_double_mount; 713 rc = 0; 714 goto out; 715 } 716 717 if (strcmp(sb->s_type->name, "proc") == 0) 718 sbsec->flags |= SE_SBPROC; 719 720 /* Determine the labeling behavior to use for this filesystem type. */ 721 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); 722 if (rc) { 723 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 724 __func__, sb->s_type->name, rc); 725 goto out; 726 } 727 728 /* sets the context of the superblock for the fs being mounted. */ 729 if (fscontext_sid) { 730 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 731 if (rc) 732 goto out; 733 734 sbsec->sid = fscontext_sid; 735 } 736 737 /* 738 * Switch to using mount point labeling behavior. 739 * sets the label used on all file below the mountpoint, and will set 740 * the superblock context if not already set. 741 */ 742 if (context_sid) { 743 if (!fscontext_sid) { 744 rc = may_context_mount_sb_relabel(context_sid, sbsec, 745 cred); 746 if (rc) 747 goto out; 748 sbsec->sid = context_sid; 749 } else { 750 rc = may_context_mount_inode_relabel(context_sid, sbsec, 751 cred); 752 if (rc) 753 goto out; 754 } 755 if (!rootcontext_sid) 756 rootcontext_sid = context_sid; 757 758 sbsec->mntpoint_sid = context_sid; 759 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 760 } 761 762 if (rootcontext_sid) { 763 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 764 cred); 765 if (rc) 766 goto out; 767 768 root_isec->sid = rootcontext_sid; 769 root_isec->initialized = 1; 770 } 771 772 if (defcontext_sid) { 773 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 774 rc = -EINVAL; 775 printk(KERN_WARNING "SELinux: defcontext option is " 776 "invalid for this filesystem type\n"); 777 goto out; 778 } 779 780 if (defcontext_sid != sbsec->def_sid) { 781 rc = may_context_mount_inode_relabel(defcontext_sid, 782 sbsec, cred); 783 if (rc) 784 goto out; 785 } 786 787 sbsec->def_sid = defcontext_sid; 788 } 789 790 rc = sb_finish_set_opts(sb); 791out: 792 mutex_unlock(&sbsec->lock); 793 return rc; 794out_double_mount: 795 rc = -EINVAL; 796 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 797 "security settings for (dev %s, type %s)\n", sb->s_id, name); 798 goto out; 799} 800 801static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 802 struct super_block *newsb) 803{ 804 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 805 struct superblock_security_struct *newsbsec = newsb->s_security; 806 807 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 808 int set_context = (oldsbsec->flags & CONTEXT_MNT); 809 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 810 811 /* 812 * if the parent was able to be mounted it clearly had no special lsm 813 * mount options. thus we can safely put this sb on the list and deal 814 * with it later 815 */ 816 if (!ss_initialized) { 817 spin_lock(&sb_security_lock); 818 if (list_empty(&newsbsec->list)) 819 list_add(&newsbsec->list, &superblock_security_head); 820 spin_unlock(&sb_security_lock); 821 return; 822 } 823 824 /* how can we clone if the old one wasn't set up?? */ 825 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 826 827 /* if fs is reusing a sb, just let its options stand... */ 828 if (newsbsec->flags & SE_SBINITIALIZED) 829 return; 830 831 mutex_lock(&newsbsec->lock); 832 833 newsbsec->flags = oldsbsec->flags; 834 835 newsbsec->sid = oldsbsec->sid; 836 newsbsec->def_sid = oldsbsec->def_sid; 837 newsbsec->behavior = oldsbsec->behavior; 838 839 if (set_context) { 840 u32 sid = oldsbsec->mntpoint_sid; 841 842 if (!set_fscontext) 843 newsbsec->sid = sid; 844 if (!set_rootcontext) { 845 struct inode *newinode = newsb->s_root->d_inode; 846 struct inode_security_struct *newisec = newinode->i_security; 847 newisec->sid = sid; 848 } 849 newsbsec->mntpoint_sid = sid; 850 } 851 if (set_rootcontext) { 852 const struct inode *oldinode = oldsb->s_root->d_inode; 853 const struct inode_security_struct *oldisec = oldinode->i_security; 854 struct inode *newinode = newsb->s_root->d_inode; 855 struct inode_security_struct *newisec = newinode->i_security; 856 857 newisec->sid = oldisec->sid; 858 } 859 860 sb_finish_set_opts(newsb); 861 mutex_unlock(&newsbsec->lock); 862} 863 864static int selinux_parse_opts_str(char *options, 865 struct security_mnt_opts *opts) 866{ 867 char *p; 868 char *context = NULL, *defcontext = NULL; 869 char *fscontext = NULL, *rootcontext = NULL; 870 int rc, num_mnt_opts = 0; 871 872 opts->num_mnt_opts = 0; 873 874 /* Standard string-based options. */ 875 while ((p = strsep(&options, "|")) != NULL) { 876 int token; 877 substring_t args[MAX_OPT_ARGS]; 878 879 if (!*p) 880 continue; 881 882 token = match_token(p, tokens, args); 883 884 switch (token) { 885 case Opt_context: 886 if (context || defcontext) { 887 rc = -EINVAL; 888 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 889 goto out_err; 890 } 891 context = match_strdup(&args[0]); 892 if (!context) { 893 rc = -ENOMEM; 894 goto out_err; 895 } 896 break; 897 898 case Opt_fscontext: 899 if (fscontext) { 900 rc = -EINVAL; 901 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 902 goto out_err; 903 } 904 fscontext = match_strdup(&args[0]); 905 if (!fscontext) { 906 rc = -ENOMEM; 907 goto out_err; 908 } 909 break; 910 911 case Opt_rootcontext: 912 if (rootcontext) { 913 rc = -EINVAL; 914 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 915 goto out_err; 916 } 917 rootcontext = match_strdup(&args[0]); 918 if (!rootcontext) { 919 rc = -ENOMEM; 920 goto out_err; 921 } 922 break; 923 924 case Opt_defcontext: 925 if (context || defcontext) { 926 rc = -EINVAL; 927 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 928 goto out_err; 929 } 930 defcontext = match_strdup(&args[0]); 931 if (!defcontext) { 932 rc = -ENOMEM; 933 goto out_err; 934 } 935 break; 936 case Opt_labelsupport: 937 break; 938 default: 939 rc = -EINVAL; 940 printk(KERN_WARNING "SELinux: unknown mount option\n"); 941 goto out_err; 942 943 } 944 } 945 946 rc = -ENOMEM; 947 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 948 if (!opts->mnt_opts) 949 goto out_err; 950 951 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); 952 if (!opts->mnt_opts_flags) { 953 kfree(opts->mnt_opts); 954 goto out_err; 955 } 956 957 if (fscontext) { 958 opts->mnt_opts[num_mnt_opts] = fscontext; 959 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 960 } 961 if (context) { 962 opts->mnt_opts[num_mnt_opts] = context; 963 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 964 } 965 if (rootcontext) { 966 opts->mnt_opts[num_mnt_opts] = rootcontext; 967 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 968 } 969 if (defcontext) { 970 opts->mnt_opts[num_mnt_opts] = defcontext; 971 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 972 } 973 974 opts->num_mnt_opts = num_mnt_opts; 975 return 0; 976 977out_err: 978 kfree(context); 979 kfree(defcontext); 980 kfree(fscontext); 981 kfree(rootcontext); 982 return rc; 983} 984/* 985 * string mount options parsing and call set the sbsec 986 */ 987static int superblock_doinit(struct super_block *sb, void *data) 988{ 989 int rc = 0; 990 char *options = data; 991 struct security_mnt_opts opts; 992 993 security_init_mnt_opts(&opts); 994 995 if (!data) 996 goto out; 997 998 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 999 1000 rc = selinux_parse_opts_str(options, &opts); 1001 if (rc) 1002 goto out_err; 1003 1004out: 1005 rc = selinux_set_mnt_opts(sb, &opts); 1006 1007out_err: 1008 security_free_mnt_opts(&opts); 1009 return rc; 1010} 1011 1012static void selinux_write_opts(struct seq_file *m, 1013 struct security_mnt_opts *opts) 1014{ 1015 int i; 1016 char *prefix; 1017 1018 for (i = 0; i < opts->num_mnt_opts; i++) { 1019 char *has_comma; 1020 1021 if (opts->mnt_opts[i]) 1022 has_comma = strchr(opts->mnt_opts[i], ','); 1023 else 1024 has_comma = NULL; 1025 1026 switch (opts->mnt_opts_flags[i]) { 1027 case CONTEXT_MNT: 1028 prefix = CONTEXT_STR; 1029 break; 1030 case FSCONTEXT_MNT: 1031 prefix = FSCONTEXT_STR; 1032 break; 1033 case ROOTCONTEXT_MNT: 1034 prefix = ROOTCONTEXT_STR; 1035 break; 1036 case DEFCONTEXT_MNT: 1037 prefix = DEFCONTEXT_STR; 1038 break; 1039 case SE_SBLABELSUPP: 1040 seq_putc(m, ','); 1041 seq_puts(m, LABELSUPP_STR); 1042 continue; 1043 default: 1044 BUG(); 1045 }; 1046 /* we need a comma before each option */ 1047 seq_putc(m, ','); 1048 seq_puts(m, prefix); 1049 if (has_comma) 1050 seq_putc(m, '\"'); 1051 seq_puts(m, opts->mnt_opts[i]); 1052 if (has_comma) 1053 seq_putc(m, '\"'); 1054 } 1055} 1056 1057static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1058{ 1059 struct security_mnt_opts opts; 1060 int rc; 1061 1062 rc = selinux_get_mnt_opts(sb, &opts); 1063 if (rc) { 1064 /* before policy load we may get EINVAL, don't show anything */ 1065 if (rc == -EINVAL) 1066 rc = 0; 1067 return rc; 1068 } 1069 1070 selinux_write_opts(m, &opts); 1071 1072 security_free_mnt_opts(&opts); 1073 1074 return rc; 1075} 1076 1077static inline u16 inode_mode_to_security_class(umode_t mode) 1078{ 1079 switch (mode & S_IFMT) { 1080 case S_IFSOCK: 1081 return SECCLASS_SOCK_FILE; 1082 case S_IFLNK: 1083 return SECCLASS_LNK_FILE; 1084 case S_IFREG: 1085 return SECCLASS_FILE; 1086 case S_IFBLK: 1087 return SECCLASS_BLK_FILE; 1088 case S_IFDIR: 1089 return SECCLASS_DIR; 1090 case S_IFCHR: 1091 return SECCLASS_CHR_FILE; 1092 case S_IFIFO: 1093 return SECCLASS_FIFO_FILE; 1094 1095 } 1096 1097 return SECCLASS_FILE; 1098} 1099 1100static inline int default_protocol_stream(int protocol) 1101{ 1102 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1103} 1104 1105static inline int default_protocol_dgram(int protocol) 1106{ 1107 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1108} 1109 1110static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1111{ 1112 switch (family) { 1113 case PF_UNIX: 1114 switch (type) { 1115 case SOCK_STREAM: 1116 case SOCK_SEQPACKET: 1117 return SECCLASS_UNIX_STREAM_SOCKET; 1118 case SOCK_DGRAM: 1119 return SECCLASS_UNIX_DGRAM_SOCKET; 1120 } 1121 break; 1122 case PF_INET: 1123 case PF_INET6: 1124 switch (type) { 1125 case SOCK_STREAM: 1126 if (default_protocol_stream(protocol)) 1127 return SECCLASS_TCP_SOCKET; 1128 else 1129 return SECCLASS_RAWIP_SOCKET; 1130 case SOCK_DGRAM: 1131 if (default_protocol_dgram(protocol)) 1132 return SECCLASS_UDP_SOCKET; 1133 else 1134 return SECCLASS_RAWIP_SOCKET; 1135 case SOCK_DCCP: 1136 return SECCLASS_DCCP_SOCKET; 1137 default: 1138 return SECCLASS_RAWIP_SOCKET; 1139 } 1140 break; 1141 case PF_NETLINK: 1142 switch (protocol) { 1143 case NETLINK_ROUTE: 1144 return SECCLASS_NETLINK_ROUTE_SOCKET; 1145 case NETLINK_FIREWALL: 1146 return SECCLASS_NETLINK_FIREWALL_SOCKET; 1147 case NETLINK_INET_DIAG: 1148 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1149 case NETLINK_NFLOG: 1150 return SECCLASS_NETLINK_NFLOG_SOCKET; 1151 case NETLINK_XFRM: 1152 return SECCLASS_NETLINK_XFRM_SOCKET; 1153 case NETLINK_SELINUX: 1154 return SECCLASS_NETLINK_SELINUX_SOCKET; 1155 case NETLINK_AUDIT: 1156 return SECCLASS_NETLINK_AUDIT_SOCKET; 1157 case NETLINK_IP6_FW: 1158 return SECCLASS_NETLINK_IP6FW_SOCKET; 1159 case NETLINK_DNRTMSG: 1160 return SECCLASS_NETLINK_DNRT_SOCKET; 1161 case NETLINK_KOBJECT_UEVENT: 1162 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1163 default: 1164 return SECCLASS_NETLINK_SOCKET; 1165 } 1166 case PF_PACKET: 1167 return SECCLASS_PACKET_SOCKET; 1168 case PF_KEY: 1169 return SECCLASS_KEY_SOCKET; 1170 case PF_APPLETALK: 1171 return SECCLASS_APPLETALK_SOCKET; 1172 } 1173 1174 return SECCLASS_SOCKET; 1175} 1176 1177#ifdef CONFIG_PROC_FS 1178static int selinux_proc_get_sid(struct proc_dir_entry *de, 1179 u16 tclass, 1180 u32 *sid) 1181{ 1182 int buflen, rc; 1183 char *buffer, *path, *end; 1184 1185 buffer = (char *)__get_free_page(GFP_KERNEL); 1186 if (!buffer) 1187 return -ENOMEM; 1188 1189 buflen = PAGE_SIZE; 1190 end = buffer+buflen; 1191 *--end = '\0'; 1192 buflen--; 1193 path = end-1; 1194 *path = '/'; 1195 while (de && de != de->parent) { 1196 buflen -= de->namelen + 1; 1197 if (buflen < 0) 1198 break; 1199 end -= de->namelen; 1200 memcpy(end, de->name, de->namelen); 1201 *--end = '/'; 1202 path = end; 1203 de = de->parent; 1204 } 1205 rc = security_genfs_sid("proc", path, tclass, sid); 1206 free_page((unsigned long)buffer); 1207 return rc; 1208} 1209#else 1210static int selinux_proc_get_sid(struct proc_dir_entry *de, 1211 u16 tclass, 1212 u32 *sid) 1213{ 1214 return -EINVAL; 1215} 1216#endif 1217 1218/* The inode's security attributes must be initialized before first use. */ 1219static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1220{ 1221 struct superblock_security_struct *sbsec = NULL; 1222 struct inode_security_struct *isec = inode->i_security; 1223 u32 sid; 1224 struct dentry *dentry; 1225#define INITCONTEXTLEN 255 1226 char *context = NULL; 1227 unsigned len = 0; 1228 int rc = 0; 1229 1230 if (isec->initialized) 1231 goto out; 1232 1233 mutex_lock(&isec->lock); 1234 if (isec->initialized) 1235 goto out_unlock; 1236 1237 sbsec = inode->i_sb->s_security; 1238 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1239 /* Defer initialization until selinux_complete_init, 1240 after the initial policy is loaded and the security 1241 server is ready to handle calls. */ 1242 spin_lock(&sbsec->isec_lock); 1243 if (list_empty(&isec->list)) 1244 list_add(&isec->list, &sbsec->isec_head); 1245 spin_unlock(&sbsec->isec_lock); 1246 goto out_unlock; 1247 } 1248 1249 switch (sbsec->behavior) { 1250 case SECURITY_FS_USE_XATTR: 1251 if (!inode->i_op->getxattr) { 1252 isec->sid = sbsec->def_sid; 1253 break; 1254 } 1255 1256 /* Need a dentry, since the xattr API requires one. 1257 Life would be simpler if we could just pass the inode. */ 1258 if (opt_dentry) { 1259 /* Called from d_instantiate or d_splice_alias. */ 1260 dentry = dget(opt_dentry); 1261 } else { 1262 /* Called from selinux_complete_init, try to find a dentry. */ 1263 dentry = d_find_alias(inode); 1264 } 1265 if (!dentry) { 1266 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s " 1267 "ino=%ld\n", __func__, inode->i_sb->s_id, 1268 inode->i_ino); 1269 goto out_unlock; 1270 } 1271 1272 len = INITCONTEXTLEN; 1273 context = kmalloc(len, GFP_NOFS); 1274 if (!context) { 1275 rc = -ENOMEM; 1276 dput(dentry); 1277 goto out_unlock; 1278 } 1279 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1280 context, len); 1281 if (rc == -ERANGE) { 1282 /* Need a larger buffer. Query for the right size. */ 1283 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1284 NULL, 0); 1285 if (rc < 0) { 1286 dput(dentry); 1287 goto out_unlock; 1288 } 1289 kfree(context); 1290 len = rc; 1291 context = kmalloc(len, GFP_NOFS); 1292 if (!context) { 1293 rc = -ENOMEM; 1294 dput(dentry); 1295 goto out_unlock; 1296 } 1297 rc = inode->i_op->getxattr(dentry, 1298 XATTR_NAME_SELINUX, 1299 context, len); 1300 } 1301 dput(dentry); 1302 if (rc < 0) { 1303 if (rc != -ENODATA) { 1304 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1305 "%d for dev=%s ino=%ld\n", __func__, 1306 -rc, inode->i_sb->s_id, inode->i_ino); 1307 kfree(context); 1308 goto out_unlock; 1309 } 1310 /* Map ENODATA to the default file SID */ 1311 sid = sbsec->def_sid; 1312 rc = 0; 1313 } else { 1314 rc = security_context_to_sid_default(context, rc, &sid, 1315 sbsec->def_sid, 1316 GFP_NOFS); 1317 if (rc) { 1318 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1319 "returned %d for dev=%s ino=%ld\n", 1320 __func__, context, -rc, 1321 inode->i_sb->s_id, inode->i_ino); 1322 kfree(context); 1323 /* Leave with the unlabeled SID */ 1324 rc = 0; 1325 break; 1326 } 1327 } 1328 kfree(context); 1329 isec->sid = sid; 1330 break; 1331 case SECURITY_FS_USE_TASK: 1332 isec->sid = isec->task_sid; 1333 break; 1334 case SECURITY_FS_USE_TRANS: 1335 /* Default to the fs SID. */ 1336 isec->sid = sbsec->sid; 1337 1338 /* Try to obtain a transition SID. */ 1339 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1340 rc = security_transition_sid(isec->task_sid, 1341 sbsec->sid, 1342 isec->sclass, 1343 &sid); 1344 if (rc) 1345 goto out_unlock; 1346 isec->sid = sid; 1347 break; 1348 case SECURITY_FS_USE_MNTPOINT: 1349 isec->sid = sbsec->mntpoint_sid; 1350 break; 1351 default: 1352 /* Default to the fs superblock SID. */ 1353 isec->sid = sbsec->sid; 1354 1355 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { 1356 struct proc_inode *proci = PROC_I(inode); 1357 if (proci->pde) { 1358 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1359 rc = selinux_proc_get_sid(proci->pde, 1360 isec->sclass, 1361 &sid); 1362 if (rc) 1363 goto out_unlock; 1364 isec->sid = sid; 1365 } 1366 } 1367 break; 1368 } 1369 1370 isec->initialized = 1; 1371 1372out_unlock: 1373 mutex_unlock(&isec->lock); 1374out: 1375 if (isec->sclass == SECCLASS_FILE) 1376 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1377 return rc; 1378} 1379 1380/* Convert a Linux signal to an access vector. */ 1381static inline u32 signal_to_av(int sig) 1382{ 1383 u32 perm = 0; 1384 1385 switch (sig) { 1386 case SIGCHLD: 1387 /* Commonly granted from child to parent. */ 1388 perm = PROCESS__SIGCHLD; 1389 break; 1390 case SIGKILL: 1391 /* Cannot be caught or ignored */ 1392 perm = PROCESS__SIGKILL; 1393 break; 1394 case SIGSTOP: 1395 /* Cannot be caught or ignored */ 1396 perm = PROCESS__SIGSTOP; 1397 break; 1398 default: 1399 /* All other signals. */ 1400 perm = PROCESS__SIGNAL; 1401 break; 1402 } 1403 1404 return perm; 1405} 1406 1407/* 1408 * Check permission between a pair of credentials 1409 * fork check, ptrace check, etc. 1410 */ 1411static int cred_has_perm(const struct cred *actor, 1412 const struct cred *target, 1413 u32 perms) 1414{ 1415 u32 asid = cred_sid(actor), tsid = cred_sid(target); 1416 1417 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL); 1418} 1419 1420/* 1421 * Check permission between a pair of tasks, e.g. signal checks, 1422 * fork check, ptrace check, etc. 1423 * tsk1 is the actor and tsk2 is the target 1424 * - this uses the default subjective creds of tsk1 1425 */ 1426static int task_has_perm(const struct task_struct *tsk1, 1427 const struct task_struct *tsk2, 1428 u32 perms) 1429{ 1430 const struct task_security_struct *__tsec1, *__tsec2; 1431 u32 sid1, sid2; 1432 1433 rcu_read_lock(); 1434 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid; 1435 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid; 1436 rcu_read_unlock(); 1437 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL); 1438} 1439 1440/* 1441 * Check permission between current and another task, e.g. signal checks, 1442 * fork check, ptrace check, etc. 1443 * current is the actor and tsk2 is the target 1444 * - this uses current's subjective creds 1445 */ 1446static int current_has_perm(const struct task_struct *tsk, 1447 u32 perms) 1448{ 1449 u32 sid, tsid; 1450 1451 sid = current_sid(); 1452 tsid = task_sid(tsk); 1453 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL); 1454} 1455 1456#if CAP_LAST_CAP > 63 1457#error Fix SELinux to handle capabilities > 63. 1458#endif 1459 1460/* Check whether a task is allowed to use a capability. */ 1461static int task_has_capability(struct task_struct *tsk, 1462 const struct cred *cred, 1463 int cap, int audit) 1464{ 1465 struct avc_audit_data ad; 1466 struct av_decision avd; 1467 u16 sclass; 1468 u32 sid = cred_sid(cred); 1469 u32 av = CAP_TO_MASK(cap); 1470 int rc; 1471 1472 AVC_AUDIT_DATA_INIT(&ad, CAP); 1473 ad.tsk = tsk; 1474 ad.u.cap = cap; 1475 1476 switch (CAP_TO_INDEX(cap)) { 1477 case 0: 1478 sclass = SECCLASS_CAPABILITY; 1479 break; 1480 case 1: 1481 sclass = SECCLASS_CAPABILITY2; 1482 break; 1483 default: 1484 printk(KERN_ERR 1485 "SELinux: out of range capability %d\n", cap); 1486 BUG(); 1487 } 1488 1489 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1490 if (audit == SECURITY_CAP_AUDIT) 1491 avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1492 return rc; 1493} 1494 1495/* Check whether a task is allowed to use a system operation. */ 1496static int task_has_system(struct task_struct *tsk, 1497 u32 perms) 1498{ 1499 u32 sid = task_sid(tsk); 1500 1501 return avc_has_perm(sid, SECINITSID_KERNEL, 1502 SECCLASS_SYSTEM, perms, NULL); 1503} 1504 1505/* Check whether a task has a particular permission to an inode. 1506 The 'adp' parameter is optional and allows other audit 1507 data to be passed (e.g. the dentry). */ 1508static int inode_has_perm(const struct cred *cred, 1509 struct inode *inode, 1510 u32 perms, 1511 struct avc_audit_data *adp) 1512{ 1513 struct inode_security_struct *isec; 1514 struct avc_audit_data ad; 1515 u32 sid; 1516 1517 if (unlikely(IS_PRIVATE(inode))) 1518 return 0; 1519 1520 sid = cred_sid(cred); 1521 isec = inode->i_security; 1522 1523 if (!adp) { 1524 adp = &ad; 1525 AVC_AUDIT_DATA_INIT(&ad, FS); 1526 ad.u.fs.inode = inode; 1527 } 1528 1529 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1530} 1531 1532/* Same as inode_has_perm, but pass explicit audit data containing 1533 the dentry to help the auditing code to more easily generate the 1534 pathname if needed. */ 1535static inline int dentry_has_perm(const struct cred *cred, 1536 struct vfsmount *mnt, 1537 struct dentry *dentry, 1538 u32 av) 1539{ 1540 struct inode *inode = dentry->d_inode; 1541 struct avc_audit_data ad; 1542 1543 AVC_AUDIT_DATA_INIT(&ad, FS); 1544 ad.u.fs.path.mnt = mnt; 1545 ad.u.fs.path.dentry = dentry; 1546 return inode_has_perm(cred, inode, av, &ad); 1547} 1548 1549/* Check whether a task can use an open file descriptor to 1550 access an inode in a given way. Check access to the 1551 descriptor itself, and then use dentry_has_perm to 1552 check a particular permission to the file. 1553 Access to the descriptor is implicitly granted if it 1554 has the same SID as the process. If av is zero, then 1555 access to the file is not checked, e.g. for cases 1556 where only the descriptor is affected like seek. */ 1557static int file_has_perm(const struct cred *cred, 1558 struct file *file, 1559 u32 av) 1560{ 1561 struct file_security_struct *fsec = file->f_security; 1562 struct inode *inode = file->f_path.dentry->d_inode; 1563 struct avc_audit_data ad; 1564 u32 sid = cred_sid(cred); 1565 int rc; 1566 1567 AVC_AUDIT_DATA_INIT(&ad, FS); 1568 ad.u.fs.path = file->f_path; 1569 1570 if (sid != fsec->sid) { 1571 rc = avc_has_perm(sid, fsec->sid, 1572 SECCLASS_FD, 1573 FD__USE, 1574 &ad); 1575 if (rc) 1576 goto out; 1577 } 1578 1579 /* av is zero if only checking access to the descriptor. */ 1580 rc = 0; 1581 if (av) 1582 rc = inode_has_perm(cred, inode, av, &ad); 1583 1584out: 1585 return rc; 1586} 1587 1588/* Check whether a task can create a file. */ 1589static int may_create(struct inode *dir, 1590 struct dentry *dentry, 1591 u16 tclass) 1592{ 1593 const struct cred *cred = current_cred(); 1594 const struct task_security_struct *tsec = cred->security; 1595 struct inode_security_struct *dsec; 1596 struct superblock_security_struct *sbsec; 1597 u32 sid, newsid; 1598 struct avc_audit_data ad; 1599 int rc; 1600 1601 dsec = dir->i_security; 1602 sbsec = dir->i_sb->s_security; 1603 1604 sid = tsec->sid; 1605 newsid = tsec->create_sid; 1606 1607 AVC_AUDIT_DATA_INIT(&ad, FS); 1608 ad.u.fs.path.dentry = dentry; 1609 1610 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1611 DIR__ADD_NAME | DIR__SEARCH, 1612 &ad); 1613 if (rc) 1614 return rc; 1615 1616 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 1617 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid); 1618 if (rc) 1619 return rc; 1620 } 1621 1622 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1623 if (rc) 1624 return rc; 1625 1626 return avc_has_perm(newsid, sbsec->sid, 1627 SECCLASS_FILESYSTEM, 1628 FILESYSTEM__ASSOCIATE, &ad); 1629} 1630 1631/* Check whether a task can create a key. */ 1632static int may_create_key(u32 ksid, 1633 struct task_struct *ctx) 1634{ 1635 u32 sid = task_sid(ctx); 1636 1637 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1638} 1639 1640#define MAY_LINK 0 1641#define MAY_UNLINK 1 1642#define MAY_RMDIR 2 1643 1644/* Check whether a task can link, unlink, or rmdir a file/directory. */ 1645static int may_link(struct inode *dir, 1646 struct dentry *dentry, 1647 int kind) 1648 1649{ 1650 struct inode_security_struct *dsec, *isec; 1651 struct avc_audit_data ad; 1652 u32 sid = current_sid(); 1653 u32 av; 1654 int rc; 1655 1656 dsec = dir->i_security; 1657 isec = dentry->d_inode->i_security; 1658 1659 AVC_AUDIT_DATA_INIT(&ad, FS); 1660 ad.u.fs.path.dentry = dentry; 1661 1662 av = DIR__SEARCH; 1663 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1664 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1665 if (rc) 1666 return rc; 1667 1668 switch (kind) { 1669 case MAY_LINK: 1670 av = FILE__LINK; 1671 break; 1672 case MAY_UNLINK: 1673 av = FILE__UNLINK; 1674 break; 1675 case MAY_RMDIR: 1676 av = DIR__RMDIR; 1677 break; 1678 default: 1679 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1680 __func__, kind); 1681 return 0; 1682 } 1683 1684 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1685 return rc; 1686} 1687 1688static inline int may_rename(struct inode *old_dir, 1689 struct dentry *old_dentry, 1690 struct inode *new_dir, 1691 struct dentry *new_dentry) 1692{ 1693 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1694 struct avc_audit_data ad; 1695 u32 sid = current_sid(); 1696 u32 av; 1697 int old_is_dir, new_is_dir; 1698 int rc; 1699 1700 old_dsec = old_dir->i_security; 1701 old_isec = old_dentry->d_inode->i_security; 1702 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1703 new_dsec = new_dir->i_security; 1704 1705 AVC_AUDIT_DATA_INIT(&ad, FS); 1706 1707 ad.u.fs.path.dentry = old_dentry; 1708 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1709 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1710 if (rc) 1711 return rc; 1712 rc = avc_has_perm(sid, old_isec->sid, 1713 old_isec->sclass, FILE__RENAME, &ad); 1714 if (rc) 1715 return rc; 1716 if (old_is_dir && new_dir != old_dir) { 1717 rc = avc_has_perm(sid, old_isec->sid, 1718 old_isec->sclass, DIR__REPARENT, &ad); 1719 if (rc) 1720 return rc; 1721 } 1722 1723 ad.u.fs.path.dentry = new_dentry; 1724 av = DIR__ADD_NAME | DIR__SEARCH; 1725 if (new_dentry->d_inode) 1726 av |= DIR__REMOVE_NAME; 1727 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1728 if (rc) 1729 return rc; 1730 if (new_dentry->d_inode) { 1731 new_isec = new_dentry->d_inode->i_security; 1732 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1733 rc = avc_has_perm(sid, new_isec->sid, 1734 new_isec->sclass, 1735 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1736 if (rc) 1737 return rc; 1738 } 1739 1740 return 0; 1741} 1742 1743/* Check whether a task can perform a filesystem operation. */ 1744static int superblock_has_perm(const struct cred *cred, 1745 struct super_block *sb, 1746 u32 perms, 1747 struct avc_audit_data *ad) 1748{ 1749 struct superblock_security_struct *sbsec; 1750 u32 sid = cred_sid(cred); 1751 1752 sbsec = sb->s_security; 1753 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1754} 1755 1756/* Convert a Linux mode and permission mask to an access vector. */ 1757static inline u32 file_mask_to_av(int mode, int mask) 1758{ 1759 u32 av = 0; 1760 1761 if ((mode & S_IFMT) != S_IFDIR) { 1762 if (mask & MAY_EXEC) 1763 av |= FILE__EXECUTE; 1764 if (mask & MAY_READ) 1765 av |= FILE__READ; 1766 1767 if (mask & MAY_APPEND) 1768 av |= FILE__APPEND; 1769 else if (mask & MAY_WRITE) 1770 av |= FILE__WRITE; 1771 1772 } else { 1773 if (mask & MAY_EXEC) 1774 av |= DIR__SEARCH; 1775 if (mask & MAY_WRITE) 1776 av |= DIR__WRITE; 1777 if (mask & MAY_READ) 1778 av |= DIR__READ; 1779 } 1780 1781 return av; 1782} 1783 1784/* Convert a Linux file to an access vector. */ 1785static inline u32 file_to_av(struct file *file) 1786{ 1787 u32 av = 0; 1788 1789 if (file->f_mode & FMODE_READ) 1790 av |= FILE__READ; 1791 if (file->f_mode & FMODE_WRITE) { 1792 if (file->f_flags & O_APPEND) 1793 av |= FILE__APPEND; 1794 else 1795 av |= FILE__WRITE; 1796 } 1797 if (!av) { 1798 /* 1799 * Special file opened with flags 3 for ioctl-only use. 1800 */ 1801 av = FILE__IOCTL; 1802 } 1803 1804 return av; 1805} 1806 1807/* 1808 * Convert a file to an access vector and include the correct open 1809 * open permission. 1810 */ 1811static inline u32 open_file_to_av(struct file *file) 1812{ 1813 u32 av = file_to_av(file); 1814 1815 if (selinux_policycap_openperm) { 1816 mode_t mode = file->f_path.dentry->d_inode->i_mode; 1817 /* 1818 * lnk files and socks do not really have an 'open' 1819 */ 1820 if (S_ISREG(mode)) 1821 av |= FILE__OPEN; 1822 else if (S_ISCHR(mode)) 1823 av |= CHR_FILE__OPEN; 1824 else if (S_ISBLK(mode)) 1825 av |= BLK_FILE__OPEN; 1826 else if (S_ISFIFO(mode)) 1827 av |= FIFO_FILE__OPEN; 1828 else if (S_ISDIR(mode)) 1829 av |= DIR__OPEN; 1830 else 1831 printk(KERN_ERR "SELinux: WARNING: inside %s with " 1832 "unknown mode:%o\n", __func__, mode); 1833 } 1834 return av; 1835} 1836 1837/* Hook functions begin here. */ 1838 1839static int selinux_ptrace_may_access(struct task_struct *child, 1840 unsigned int mode) 1841{ 1842 int rc; 1843 1844 rc = secondary_ops->ptrace_may_access(child, mode); 1845 if (rc) 1846 return rc; 1847 1848 if (mode == PTRACE_MODE_READ) { 1849 u32 sid = current_sid(); 1850 u32 csid = task_sid(child); 1851 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 1852 } 1853 1854 return current_has_perm(child, PROCESS__PTRACE); 1855} 1856 1857static int selinux_ptrace_traceme(struct task_struct *parent) 1858{ 1859 int rc; 1860 1861 rc = secondary_ops->ptrace_traceme(parent); 1862 if (rc) 1863 return rc; 1864 1865 return task_has_perm(parent, current, PROCESS__PTRACE); 1866} 1867 1868static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1869 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1870{ 1871 int error; 1872 1873 error = current_has_perm(target, PROCESS__GETCAP); 1874 if (error) 1875 return error; 1876 1877 return secondary_ops->capget(target, effective, inheritable, permitted); 1878} 1879 1880static int selinux_capset(struct cred *new, const struct cred *old, 1881 const kernel_cap_t *effective, 1882 const kernel_cap_t *inheritable, 1883 const kernel_cap_t *permitted) 1884{ 1885 int error; 1886 1887 error = secondary_ops->capset(new, old, 1888 effective, inheritable, permitted); 1889 if (error) 1890 return error; 1891 1892 return cred_has_perm(old, new, PROCESS__SETCAP); 1893} 1894 1895static int selinux_capable(struct task_struct *tsk, const struct cred *cred, 1896 int cap, int audit) 1897{ 1898 int rc; 1899 1900 rc = secondary_ops->capable(tsk, cred, cap, audit); 1901 if (rc) 1902 return rc; 1903 1904 return task_has_capability(tsk, cred, cap, audit); 1905} 1906 1907static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1908{ 1909 int buflen, rc; 1910 char *buffer, *path, *end; 1911 1912 rc = -ENOMEM; 1913 buffer = (char *)__get_free_page(GFP_KERNEL); 1914 if (!buffer) 1915 goto out; 1916 1917 buflen = PAGE_SIZE; 1918 end = buffer+buflen; 1919 *--end = '\0'; 1920 buflen--; 1921 path = end-1; 1922 *path = '/'; 1923 while (table) { 1924 const char *name = table->procname; 1925 size_t namelen = strlen(name); 1926 buflen -= namelen + 1; 1927 if (buflen < 0) 1928 goto out_free; 1929 end -= namelen; 1930 memcpy(end, name, namelen); 1931 *--end = '/'; 1932 path = end; 1933 table = table->parent; 1934 } 1935 buflen -= 4; 1936 if (buflen < 0) 1937 goto out_free; 1938 end -= 4; 1939 memcpy(end, "/sys", 4); 1940 path = end; 1941 rc = security_genfs_sid("proc", path, tclass, sid); 1942out_free: 1943 free_page((unsigned long)buffer); 1944out: 1945 return rc; 1946} 1947 1948static int selinux_sysctl(ctl_table *table, int op) 1949{ 1950 int error = 0; 1951 u32 av; 1952 u32 tsid, sid; 1953 int rc; 1954 1955 rc = secondary_ops->sysctl(table, op); 1956 if (rc) 1957 return rc; 1958 1959 sid = current_sid(); 1960 1961 rc = selinux_sysctl_get_sid(table, (op == 0001) ? 1962 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1963 if (rc) { 1964 /* Default to the well-defined sysctl SID. */ 1965 tsid = SECINITSID_SYSCTL; 1966 } 1967 1968 /* The op values are "defined" in sysctl.c, thereby creating 1969 * a bad coupling between this module and sysctl.c */ 1970 if (op == 001) { 1971 error = avc_has_perm(sid, tsid, 1972 SECCLASS_DIR, DIR__SEARCH, NULL); 1973 } else { 1974 av = 0; 1975 if (op & 004) 1976 av |= FILE__READ; 1977 if (op & 002) 1978 av |= FILE__WRITE; 1979 if (av) 1980 error = avc_has_perm(sid, tsid, 1981 SECCLASS_FILE, av, NULL); 1982 } 1983 1984 return error; 1985} 1986 1987static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1988{ 1989 const struct cred *cred = current_cred(); 1990 int rc = 0; 1991 1992 if (!sb) 1993 return 0; 1994 1995 switch (cmds) { 1996 case Q_SYNC: 1997 case Q_QUOTAON: 1998 case Q_QUOTAOFF: 1999 case Q_SETINFO: 2000 case Q_SETQUOTA: 2001 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2002 break; 2003 case Q_GETFMT: 2004 case Q_GETINFO: 2005 case Q_GETQUOTA: 2006 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2007 break; 2008 default: 2009 rc = 0; /* let the kernel handle invalid cmds */ 2010 break; 2011 } 2012 return rc; 2013} 2014 2015static int selinux_quota_on(struct dentry *dentry) 2016{ 2017 const struct cred *cred = current_cred(); 2018 2019 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); 2020} 2021 2022static int selinux_syslog(int type) 2023{ 2024 int rc; 2025 2026 rc = secondary_ops->syslog(type); 2027 if (rc) 2028 return rc; 2029 2030 switch (type) { 2031 case 3: /* Read last kernel messages */ 2032 case 10: /* Return size of the log buffer */ 2033 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 2034 break; 2035 case 6: /* Disable logging to console */ 2036 case 7: /* Enable logging to console */ 2037 case 8: /* Set level of messages printed to console */ 2038 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 2039 break; 2040 case 0: /* Close log */ 2041 case 1: /* Open log */ 2042 case 2: /* Read from log */ 2043 case 4: /* Read/clear last kernel messages */ 2044 case 5: /* Clear ring buffer */ 2045 default: 2046 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 2047 break; 2048 } 2049 return rc; 2050} 2051 2052/* 2053 * Check that a process has enough memory to allocate a new virtual 2054 * mapping. 0 means there is enough memory for the allocation to 2055 * succeed and -ENOMEM implies there is not. 2056 * 2057 * Note that secondary_ops->capable and task_has_perm_noaudit return 0 2058 * if the capability is granted, but __vm_enough_memory requires 1 if 2059 * the capability is granted. 2060 * 2061 * Do not audit the selinux permission check, as this is applied to all 2062 * processes that allocate mappings. 2063 */ 2064static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2065{ 2066 int rc, cap_sys_admin = 0; 2067 2068 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN, 2069 SECURITY_CAP_NOAUDIT); 2070 if (rc == 0) 2071 cap_sys_admin = 1; 2072 2073 return __vm_enough_memory(mm, pages, cap_sys_admin); 2074} 2075 2076/* binprm security operations */ 2077 2078static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2079{ 2080 const struct task_security_struct *old_tsec; 2081 struct task_security_struct *new_tsec; 2082 struct inode_security_struct *isec; 2083 struct avc_audit_data ad; 2084 struct inode *inode = bprm->file->f_path.dentry->d_inode; 2085 int rc; 2086 2087 rc = secondary_ops->bprm_set_creds(bprm); 2088 if (rc) 2089 return rc; 2090 2091 /* SELinux context only depends on initial program or script and not 2092 * the script interpreter */ 2093 if (bprm->cred_prepared) 2094 return 0; 2095 2096 old_tsec = current_security(); 2097 new_tsec = bprm->cred->security; 2098 isec = inode->i_security; 2099 2100 /* Default to the current task SID. */ 2101 new_tsec->sid = old_tsec->sid; 2102 new_tsec->osid = old_tsec->sid; 2103 2104 /* Reset fs, key, and sock SIDs on execve. */ 2105 new_tsec->create_sid = 0; 2106 new_tsec->keycreate_sid = 0; 2107 new_tsec->sockcreate_sid = 0; 2108 2109 if (old_tsec->exec_sid) { 2110 new_tsec->sid = old_tsec->exec_sid; 2111 /* Reset exec SID on execve. */ 2112 new_tsec->exec_sid = 0; 2113 } else { 2114 /* Check for a default transition on this program. */ 2115 rc = security_transition_sid(old_tsec->sid, isec->sid, 2116 SECCLASS_PROCESS, &new_tsec->sid); 2117 if (rc) 2118 return rc; 2119 } 2120 2121 AVC_AUDIT_DATA_INIT(&ad, FS); 2122 ad.u.fs.path = bprm->file->f_path; 2123 2124 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 2125 new_tsec->sid = old_tsec->sid; 2126 2127 if (new_tsec->sid == old_tsec->sid) { 2128 rc = avc_has_perm(old_tsec->sid, isec->sid, 2129 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2130 if (rc) 2131 return rc; 2132 } else { 2133 /* Check permissions for the transition. */ 2134 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2135 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2136 if (rc) 2137 return rc; 2138 2139 rc = avc_has_perm(new_tsec->sid, isec->sid, 2140 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2141 if (rc) 2142 return rc; 2143 2144 /* Check for shared state */ 2145 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2146 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2147 SECCLASS_PROCESS, PROCESS__SHARE, 2148 NULL); 2149 if (rc) 2150 return -EPERM; 2151 } 2152 2153 /* Make sure that anyone attempting to ptrace over a task that 2154 * changes its SID has the appropriate permit */ 2155 if (bprm->unsafe & 2156 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2157 struct task_struct *tracer; 2158 struct task_security_struct *sec; 2159 u32 ptsid = 0; 2160 2161 rcu_read_lock(); 2162 tracer = tracehook_tracer_task(current); 2163 if (likely(tracer != NULL)) { 2164 sec = __task_cred(tracer)->security; 2165 ptsid = sec->sid; 2166 } 2167 rcu_read_unlock(); 2168 2169 if (ptsid != 0) { 2170 rc = avc_has_perm(ptsid, new_tsec->sid, 2171 SECCLASS_PROCESS, 2172 PROCESS__PTRACE, NULL); 2173 if (rc) 2174 return -EPERM; 2175 } 2176 } 2177 2178 /* Clear any possibly unsafe personality bits on exec: */ 2179 bprm->per_clear |= PER_CLEAR_ON_SETID; 2180 } 2181 2182 return 0; 2183} 2184 2185static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2186{ 2187 const struct cred *cred = current_cred(); 2188 const struct task_security_struct *tsec = cred->security; 2189 u32 sid, osid; 2190 int atsecure = 0; 2191 2192 sid = tsec->sid; 2193 osid = tsec->osid; 2194 2195 if (osid != sid) { 2196 /* Enable secure mode for SIDs transitions unless 2197 the noatsecure permission is granted between 2198 the two SIDs, i.e. ahp returns 0. */ 2199 atsecure = avc_has_perm(osid, sid, 2200 SECCLASS_PROCESS, 2201 PROCESS__NOATSECURE, NULL); 2202 } 2203 2204 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 2205} 2206 2207extern struct vfsmount *selinuxfs_mount; 2208extern struct dentry *selinux_null; 2209 2210/* Derived from fs/exec.c:flush_old_files. */ 2211static inline void flush_unauthorized_files(const struct cred *cred, 2212 struct files_struct *files) 2213{ 2214 struct avc_audit_data ad; 2215 struct file *file, *devnull = NULL; 2216 struct tty_struct *tty; 2217 struct fdtable *fdt; 2218 long j = -1; 2219 int drop_tty = 0; 2220 2221 tty = get_current_tty(); 2222 if (tty) { 2223 file_list_lock(); 2224 if (!list_empty(&tty->tty_files)) { 2225 struct inode *inode; 2226 2227 /* Revalidate access to controlling tty. 2228 Use inode_has_perm on the tty inode directly rather 2229 than using file_has_perm, as this particular open 2230 file may belong to another process and we are only 2231 interested in the inode-based check here. */ 2232 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list); 2233 inode = file->f_path.dentry->d_inode; 2234 if (inode_has_perm(cred, inode, 2235 FILE__READ | FILE__WRITE, NULL)) { 2236 drop_tty = 1; 2237 } 2238 } 2239 file_list_unlock(); 2240 tty_kref_put(tty); 2241 } 2242 /* Reset controlling tty. */ 2243 if (drop_tty) 2244 no_tty(); 2245 2246 /* Revalidate access to inherited open files. */ 2247 2248 AVC_AUDIT_DATA_INIT(&ad, FS); 2249 2250 spin_lock(&files->file_lock); 2251 for (;;) { 2252 unsigned long set, i; 2253 int fd; 2254 2255 j++; 2256 i = j * __NFDBITS; 2257 fdt = files_fdtable(files); 2258 if (i >= fdt->max_fds) 2259 break; 2260 set = fdt->open_fds->fds_bits[j]; 2261 if (!set) 2262 continue; 2263 spin_unlock(&files->file_lock); 2264 for ( ; set ; i++, set >>= 1) { 2265 if (set & 1) { 2266 file = fget(i); 2267 if (!file) 2268 continue; 2269 if (file_has_perm(cred, 2270 file, 2271 file_to_av(file))) { 2272 sys_close(i); 2273 fd = get_unused_fd(); 2274 if (fd != i) { 2275 if (fd >= 0) 2276 put_unused_fd(fd); 2277 fput(file); 2278 continue; 2279 } 2280 if (devnull) { 2281 get_file(devnull); 2282 } else { 2283 devnull = dentry_open( 2284 dget(selinux_null), 2285 mntget(selinuxfs_mount), 2286 O_RDWR, cred); 2287 if (IS_ERR(devnull)) { 2288 devnull = NULL; 2289 put_unused_fd(fd); 2290 fput(file); 2291 continue; 2292 } 2293 } 2294 fd_install(fd, devnull); 2295 } 2296 fput(file); 2297 } 2298 } 2299 spin_lock(&files->file_lock); 2300 2301 } 2302 spin_unlock(&files->file_lock); 2303} 2304 2305/* 2306 * Prepare a process for imminent new credential changes due to exec 2307 */ 2308static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2309{ 2310 struct task_security_struct *new_tsec; 2311 struct rlimit *rlim, *initrlim; 2312 int rc, i; 2313 2314 new_tsec = bprm->cred->security; 2315 if (new_tsec->sid == new_tsec->osid) 2316 return; 2317 2318 /* Close files for which the new task SID is not authorized. */ 2319 flush_unauthorized_files(bprm->cred, current->files); 2320 2321 /* Always clear parent death signal on SID transitions. */ 2322 current->pdeath_signal = 0; 2323 2324 /* Check whether the new SID can inherit resource limits from the old 2325 * SID. If not, reset all soft limits to the lower of the current 2326 * task's hard limit and the init task's soft limit. 2327 * 2328 * Note that the setting of hard limits (even to lower them) can be 2329 * controlled by the setrlimit check. The inclusion of the init task's 2330 * soft limit into the computation is to avoid resetting soft limits 2331 * higher than the default soft limit for cases where the default is 2332 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2333 */ 2334 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2335 PROCESS__RLIMITINH, NULL); 2336 if (rc) { 2337 for (i = 0; i < RLIM_NLIMITS; i++) { 2338 rlim = current->signal->rlim + i; 2339 initrlim = init_task.signal->rlim + i; 2340 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2341 } 2342 update_rlimit_cpu(rlim->rlim_cur); 2343 } 2344} 2345 2346/* 2347 * Clean up the process immediately after the installation of new credentials 2348 * due to exec 2349 */ 2350static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2351{ 2352 const struct task_security_struct *tsec = current_security(); 2353 struct itimerval itimer; 2354 struct sighand_struct *psig; 2355 u32 osid, sid; 2356 int rc, i; 2357 unsigned long flags; 2358 2359 osid = tsec->osid; 2360 sid = tsec->sid; 2361 2362 if (sid == osid) 2363 return; 2364 2365 /* Check whether the new SID can inherit signal state from the old SID. 2366 * If not, clear itimers to avoid subsequent signal generation and 2367 * flush and unblock signals. 2368 * 2369 * This must occur _after_ the task SID has been updated so that any 2370 * kill done after the flush will be checked against the new SID. 2371 */ 2372 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2373 if (rc) { 2374 memset(&itimer, 0, sizeof itimer); 2375 for (i = 0; i < 3; i++) 2376 do_setitimer(i, &itimer, NULL); 2377 flush_signals(current); 2378 spin_lock_irq(¤t->sighand->siglock); 2379 flush_signal_handlers(current, 1); 2380 sigemptyset(¤t->blocked); 2381 recalc_sigpending(); 2382 spin_unlock_irq(¤t->sighand->siglock); 2383 } 2384 2385 /* Wake up the parent if it is waiting so that it can recheck 2386 * wait permission to the new task SID. */ 2387 read_lock_irq(&tasklist_lock); 2388 psig = current->parent->sighand; 2389 spin_lock_irqsave(&psig->siglock, flags); 2390 wake_up_interruptible(¤t->parent->signal->wait_chldexit); 2391 spin_unlock_irqrestore(&psig->siglock, flags); 2392 read_unlock_irq(&tasklist_lock); 2393} 2394 2395/* superblock security operations */ 2396 2397static int selinux_sb_alloc_security(struct super_block *sb) 2398{ 2399 return superblock_alloc_security(sb); 2400} 2401 2402static void selinux_sb_free_security(struct super_block *sb) 2403{ 2404 superblock_free_security(sb); 2405} 2406 2407static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2408{ 2409 if (plen > olen) 2410 return 0; 2411 2412 return !memcmp(prefix, option, plen); 2413} 2414 2415static inline int selinux_option(char *option, int len) 2416{ 2417 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2418 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2419 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2420 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2421 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2422} 2423 2424static inline void take_option(char **to, char *from, int *first, int len) 2425{ 2426 if (!*first) { 2427 **to = ','; 2428 *to += 1; 2429 } else 2430 *first = 0; 2431 memcpy(*to, from, len); 2432 *to += len; 2433} 2434 2435static inline void take_selinux_option(char **to, char *from, int *first, 2436 int len) 2437{ 2438 int current_size = 0; 2439 2440 if (!*first) { 2441 **to = '|'; 2442 *to += 1; 2443 } else 2444 *first = 0; 2445 2446 while (current_size < len) { 2447 if (*from != '"') { 2448 **to = *from; 2449 *to += 1; 2450 } 2451 from += 1; 2452 current_size += 1; 2453 } 2454} 2455 2456static int selinux_sb_copy_data(char *orig, char *copy) 2457{ 2458 int fnosec, fsec, rc = 0; 2459 char *in_save, *in_curr, *in_end; 2460 char *sec_curr, *nosec_save, *nosec; 2461 int open_quote = 0; 2462 2463 in_curr = orig; 2464 sec_curr = copy; 2465 2466 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2467 if (!nosec) { 2468 rc = -ENOMEM; 2469 goto out; 2470 } 2471 2472 nosec_save = nosec; 2473 fnosec = fsec = 1; 2474 in_save = in_end = orig; 2475 2476 do { 2477 if (*in_end == '"') 2478 open_quote = !open_quote; 2479 if ((*in_end == ',' && open_quote == 0) || 2480 *in_end == '\0') { 2481 int len = in_end - in_curr; 2482 2483 if (selinux_option(in_curr, len)) 2484 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2485 else 2486 take_option(&nosec, in_curr, &fnosec, len); 2487 2488 in_curr = in_end + 1; 2489 } 2490 } while (*in_end++); 2491 2492 strcpy(in_save, nosec_save); 2493 free_page((unsigned long)nosec_save); 2494out: 2495 return rc; 2496} 2497 2498static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2499{ 2500 const struct cred *cred = current_cred(); 2501 struct avc_audit_data ad; 2502 int rc; 2503 2504 rc = superblock_doinit(sb, data); 2505 if (rc) 2506 return rc; 2507 2508 /* Allow all mounts performed by the kernel */ 2509 if (flags & MS_KERNMOUNT) 2510 return 0; 2511 2512 AVC_AUDIT_DATA_INIT(&ad, FS); 2513 ad.u.fs.path.dentry = sb->s_root; 2514 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2515} 2516 2517static int selinux_sb_statfs(struct dentry *dentry) 2518{ 2519 const struct cred *cred = current_cred(); 2520 struct avc_audit_data ad; 2521 2522 AVC_AUDIT_DATA_INIT(&ad, FS); 2523 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2524 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2525} 2526 2527static int selinux_mount(char *dev_name, 2528 struct path *path, 2529 char *type, 2530 unsigned long flags, 2531 void *data) 2532{ 2533 const struct cred *cred = current_cred(); 2534 2535 if (flags & MS_REMOUNT) 2536 return superblock_has_perm(cred, path->mnt->mnt_sb, 2537 FILESYSTEM__REMOUNT, NULL); 2538 else 2539 return dentry_has_perm(cred, path->mnt, path->dentry, 2540 FILE__MOUNTON); 2541} 2542 2543static int selinux_umount(struct vfsmount *mnt, int flags) 2544{ 2545 const struct cred *cred = current_cred(); 2546 2547 return superblock_has_perm(cred, mnt->mnt_sb, 2548 FILESYSTEM__UNMOUNT, NULL); 2549} 2550 2551/* inode security operations */ 2552 2553static int selinux_inode_alloc_security(struct inode *inode) 2554{ 2555 return inode_alloc_security(inode); 2556} 2557 2558static void selinux_inode_free_security(struct inode *inode) 2559{ 2560 inode_free_security(inode); 2561} 2562 2563static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2564 char **name, void **value, 2565 size_t *len) 2566{ 2567 const struct cred *cred = current_cred(); 2568 const struct task_security_struct *tsec = cred->security; 2569 struct inode_security_struct *dsec; 2570 struct superblock_security_struct *sbsec; 2571 u32 sid, newsid, clen; 2572 int rc; 2573 char *namep = NULL, *context; 2574 2575 dsec = dir->i_security; 2576 sbsec = dir->i_sb->s_security; 2577 2578 sid = tsec->sid; 2579 newsid = tsec->create_sid; 2580 2581 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 2582 rc = security_transition_sid(sid, dsec->sid, 2583 inode_mode_to_security_class(inode->i_mode), 2584 &newsid); 2585 if (rc) { 2586 printk(KERN_WARNING "%s: " 2587 "security_transition_sid failed, rc=%d (dev=%s " 2588 "ino=%ld)\n", 2589 __func__, 2590 -rc, inode->i_sb->s_id, inode->i_ino); 2591 return rc; 2592 } 2593 } 2594 2595 /* Possibly defer initialization to selinux_complete_init. */ 2596 if (sbsec->flags & SE_SBINITIALIZED) { 2597 struct inode_security_struct *isec = inode->i_security; 2598 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2599 isec->sid = newsid; 2600 isec->initialized = 1; 2601 } 2602 2603 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) 2604 return -EOPNOTSUPP; 2605 2606 if (name) { 2607 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); 2608 if (!namep) 2609 return -ENOMEM; 2610 *name = namep; 2611 } 2612 2613 if (value && len) { 2614 rc = security_sid_to_context_force(newsid, &context, &clen); 2615 if (rc) { 2616 kfree(namep); 2617 return rc; 2618 } 2619 *value = context; 2620 *len = clen; 2621 } 2622 2623 return 0; 2624} 2625 2626static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 2627{ 2628 return may_create(dir, dentry, SECCLASS_FILE); 2629} 2630 2631static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2632{ 2633 return may_link(dir, old_dentry, MAY_LINK); 2634} 2635 2636static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2637{ 2638 return may_link(dir, dentry, MAY_UNLINK); 2639} 2640 2641static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2642{ 2643 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2644} 2645 2646static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2647{ 2648 return may_create(dir, dentry, SECCLASS_DIR); 2649} 2650 2651static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2652{ 2653 return may_link(dir, dentry, MAY_RMDIR); 2654} 2655 2656static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2657{ 2658 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2659} 2660 2661static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2662 struct inode *new_inode, struct dentry *new_dentry) 2663{ 2664 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2665} 2666 2667static int selinux_inode_readlink(struct dentry *dentry) 2668{ 2669 const struct cred *cred = current_cred(); 2670 2671 return dentry_has_perm(cred, NULL, dentry, FILE__READ); 2672} 2673 2674static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2675{ 2676 const struct cred *cred = current_cred(); 2677 2678 return dentry_has_perm(cred, NULL, dentry, FILE__READ); 2679} 2680 2681static int selinux_inode_permission(struct inode *inode, int mask) 2682{ 2683 const struct cred *cred = current_cred(); 2684 2685 if (!mask) { 2686 /* No permission to check. Existence test. */ 2687 return 0; 2688 } 2689 2690 return inode_has_perm(cred, inode, 2691 file_mask_to_av(inode->i_mode, mask), NULL); 2692} 2693 2694static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2695{ 2696 const struct cred *cred = current_cred(); 2697 2698 if (iattr->ia_valid & ATTR_FORCE) 2699 return 0; 2700 2701 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2702 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2703 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR); 2704 2705 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE); 2706} 2707 2708static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2709{ 2710 const struct cred *cred = current_cred(); 2711 2712 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR); 2713} 2714 2715static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 2716{ 2717 const struct cred *cred = current_cred(); 2718 2719 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2720 sizeof XATTR_SECURITY_PREFIX - 1)) { 2721 if (!strcmp(name, XATTR_NAME_CAPS)) { 2722 if (!capable(CAP_SETFCAP)) 2723 return -EPERM; 2724 } else if (!capable(CAP_SYS_ADMIN)) { 2725 /* A different attribute in the security namespace. 2726 Restrict to administrator. */ 2727 return -EPERM; 2728 } 2729 } 2730 2731 /* Not an attribute we recognize, so just check the 2732 ordinary setattr permission. */ 2733 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR); 2734} 2735 2736static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 2737 const void *value, size_t size, int flags) 2738{ 2739 struct inode *inode = dentry->d_inode; 2740 struct inode_security_struct *isec = inode->i_security; 2741 struct superblock_security_struct *sbsec; 2742 struct avc_audit_data ad; 2743 u32 newsid, sid = current_sid(); 2744 int rc = 0; 2745 2746 if (strcmp(name, XATTR_NAME_SELINUX)) 2747 return selinux_inode_setotherxattr(dentry, name); 2748 2749 sbsec = inode->i_sb->s_security; 2750 if (!(sbsec->flags & SE_SBLABELSUPP)) 2751 return -EOPNOTSUPP; 2752 2753 if (!is_owner_or_cap(inode)) 2754 return -EPERM; 2755 2756 AVC_AUDIT_DATA_INIT(&ad, FS); 2757 ad.u.fs.path.dentry = dentry; 2758 2759 rc = avc_has_perm(sid, isec->sid, isec->sclass, 2760 FILE__RELABELFROM, &ad); 2761 if (rc) 2762 return rc; 2763 2764 rc = security_context_to_sid(value, size, &newsid); 2765 if (rc == -EINVAL) { 2766 if (!capable(CAP_MAC_ADMIN)) 2767 return rc; 2768 rc = security_context_to_sid_force(value, size, &newsid); 2769 } 2770 if (rc) 2771 return rc; 2772 2773 rc = avc_has_perm(sid, newsid, isec->sclass, 2774 FILE__RELABELTO, &ad); 2775 if (rc) 2776 return rc; 2777 2778 rc = security_validate_transition(isec->sid, newsid, sid, 2779 isec->sclass); 2780 if (rc) 2781 return rc; 2782 2783 return avc_has_perm(newsid, 2784 sbsec->sid, 2785 SECCLASS_FILESYSTEM, 2786 FILESYSTEM__ASSOCIATE, 2787 &ad); 2788} 2789 2790static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 2791 const void *value, size_t size, 2792 int flags) 2793{ 2794 struct inode *inode = dentry->d_inode; 2795 struct inode_security_struct *isec = inode->i_security; 2796 u32 newsid; 2797 int rc; 2798 2799 if (strcmp(name, XATTR_NAME_SELINUX)) { 2800 /* Not an attribute we recognize, so nothing to do. */ 2801 return; 2802 } 2803 2804 rc = security_context_to_sid_force(value, size, &newsid); 2805 if (rc) { 2806 printk(KERN_ERR "SELinux: unable to map context to SID" 2807 "for (%s, %lu), rc=%d\n", 2808 inode->i_sb->s_id, inode->i_ino, -rc); 2809 return; 2810 } 2811 2812 isec->sid = newsid; 2813 return; 2814} 2815 2816static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 2817{ 2818 const struct cred *cred = current_cred(); 2819 2820 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR); 2821} 2822 2823static int selinux_inode_listxattr(struct dentry *dentry) 2824{ 2825 const struct cred *cred = current_cred(); 2826 2827 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR); 2828} 2829 2830static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 2831{ 2832 if (strcmp(name, XATTR_NAME_SELINUX)) 2833 return selinux_inode_setotherxattr(dentry, name); 2834 2835 /* No one is allowed to remove a SELinux security label. 2836 You can change the label, but all data must be labeled. */ 2837 return -EACCES; 2838} 2839 2840/* 2841 * Copy the inode security context value to the user. 2842 * 2843 * Permission check is handled by selinux_inode_getxattr hook. 2844 */ 2845static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 2846{ 2847 u32 size; 2848 int error; 2849 char *context = NULL; 2850 struct inode_security_struct *isec = inode->i_security; 2851 2852 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2853 return -EOPNOTSUPP; 2854 2855 /* 2856 * If the caller has CAP_MAC_ADMIN, then get the raw context 2857 * value even if it is not defined by current policy; otherwise, 2858 * use the in-core value under current policy. 2859 * Use the non-auditing forms of the permission checks since 2860 * getxattr may be called by unprivileged processes commonly 2861 * and lack of permission just means that we fall back to the 2862 * in-core context value, not a denial. 2863 */ 2864 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN, 2865 SECURITY_CAP_NOAUDIT); 2866 if (!error) 2867 error = security_sid_to_context_force(isec->sid, &context, 2868 &size); 2869 else 2870 error = security_sid_to_context(isec->sid, &context, &size); 2871 if (error) 2872 return error; 2873 error = size; 2874 if (alloc) { 2875 *buffer = context; 2876 goto out_nofree; 2877 } 2878 kfree(context); 2879out_nofree: 2880 return error; 2881} 2882 2883static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2884 const void *value, size_t size, int flags) 2885{ 2886 struct inode_security_struct *isec = inode->i_security; 2887 u32 newsid; 2888 int rc; 2889 2890 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2891 return -EOPNOTSUPP; 2892 2893 if (!value || !size) 2894 return -EACCES; 2895 2896 rc = security_context_to_sid((void *)value, size, &newsid); 2897 if (rc) 2898 return rc; 2899 2900 isec->sid = newsid; 2901 return 0; 2902} 2903 2904static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2905{ 2906 const int len = sizeof(XATTR_NAME_SELINUX); 2907 if (buffer && len <= buffer_size) 2908 memcpy(buffer, XATTR_NAME_SELINUX, len); 2909 return len; 2910} 2911 2912static int selinux_inode_need_killpriv(struct dentry *dentry) 2913{ 2914 return secondary_ops->inode_need_killpriv(dentry); 2915} 2916 2917static int selinux_inode_killpriv(struct dentry *dentry) 2918{ 2919 return secondary_ops->inode_killpriv(dentry); 2920} 2921 2922static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) 2923{ 2924 struct inode_security_struct *isec = inode->i_security; 2925 *secid = isec->sid; 2926} 2927 2928/* file security operations */ 2929 2930static int selinux_revalidate_file_permission(struct file *file, int mask) 2931{ 2932 const struct cred *cred = current_cred(); 2933 int rc; 2934 struct inode *inode = file->f_path.dentry->d_inode; 2935 2936 if (!mask) { 2937 /* No permission to check. Existence test. */ 2938 return 0; 2939 } 2940 2941 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2942 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2943 mask |= MAY_APPEND; 2944 2945 rc = file_has_perm(cred, file, 2946 file_mask_to_av(inode->i_mode, mask)); 2947 if (rc) 2948 return rc; 2949 2950 return selinux_netlbl_inode_permission(inode, mask); 2951} 2952 2953static int selinux_file_permission(struct file *file, int mask) 2954{ 2955 struct inode *inode = file->f_path.dentry->d_inode; 2956 struct file_security_struct *fsec = file->f_security; 2957 struct inode_security_struct *isec = inode->i_security; 2958 u32 sid = current_sid(); 2959 2960 if (!mask) { 2961 /* No permission to check. Existence test. */ 2962 return 0; 2963 } 2964 2965 if (sid == fsec->sid && fsec->isid == isec->sid 2966 && fsec->pseqno == avc_policy_seqno()) 2967 return selinux_netlbl_inode_permission(inode, mask); 2968 2969 return selinux_revalidate_file_permission(file, mask); 2970} 2971 2972static int selinux_file_alloc_security(struct file *file) 2973{ 2974 return file_alloc_security(file); 2975} 2976 2977static void selinux_file_free_security(struct file *file) 2978{ 2979 file_free_security(file); 2980} 2981 2982static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2983 unsigned long arg) 2984{ 2985 const struct cred *cred = current_cred(); 2986 u32 av = 0; 2987 2988 if (_IOC_DIR(cmd) & _IOC_WRITE) 2989 av |= FILE__WRITE; 2990 if (_IOC_DIR(cmd) & _IOC_READ) 2991 av |= FILE__READ; 2992 if (!av) 2993 av = FILE__IOCTL; 2994 2995 return file_has_perm(cred, file, av); 2996} 2997 2998static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 2999{ 3000 const struct cred *cred = current_cred(); 3001 int rc = 0; 3002 3003#ifndef CONFIG_PPC32 3004 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 3005 /* 3006 * We are making executable an anonymous mapping or a 3007 * private file mapping that will also be writable. 3008 * This has an additional check. 3009 */ 3010 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM); 3011 if (rc) 3012 goto error; 3013 } 3014#endif 3015 3016 if (file) { 3017 /* read access is always possible with a mapping */ 3018 u32 av = FILE__READ; 3019 3020 /* write access only matters if the mapping is shared */ 3021 if (shared && (prot & PROT_WRITE)) 3022 av |= FILE__WRITE; 3023 3024 if (prot & PROT_EXEC) 3025 av |= FILE__EXECUTE; 3026 3027 return file_has_perm(cred, file, av); 3028 } 3029 3030error: 3031 return rc; 3032} 3033 3034static int selinux_file_mmap(struct file *file, unsigned long reqprot, 3035 unsigned long prot, unsigned long flags, 3036 unsigned long addr, unsigned long addr_only) 3037{ 3038 int rc = 0; 3039 u32 sid = current_sid(); 3040 3041 if (addr < mmap_min_addr) 3042 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3043 MEMPROTECT__MMAP_ZERO, NULL); 3044 if (rc || addr_only) 3045 return rc; 3046 3047 if (selinux_checkreqprot) 3048 prot = reqprot; 3049 3050 return file_map_prot_check(file, prot, 3051 (flags & MAP_TYPE) == MAP_SHARED); 3052} 3053 3054static int selinux_file_mprotect(struct vm_area_struct *vma, 3055 unsigned long reqprot, 3056 unsigned long prot) 3057{ 3058 const struct cred *cred = current_cred(); 3059 3060 if (selinux_checkreqprot) 3061 prot = reqprot; 3062 3063#ifndef CONFIG_PPC32 3064 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3065 int rc = 0; 3066 if (vma->vm_start >= vma->vm_mm->start_brk && 3067 vma->vm_end <= vma->vm_mm->brk) { 3068 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); 3069 } else if (!vma->vm_file && 3070 vma->vm_start <= vma->vm_mm->start_stack && 3071 vma->vm_end >= vma->vm_mm->start_stack) { 3072 rc = current_has_perm(current, PROCESS__EXECSTACK); 3073 } else if (vma->vm_file && vma->anon_vma) { 3074 /* 3075 * We are making executable a file mapping that has 3076 * had some COW done. Since pages might have been 3077 * written, check ability to execute the possibly 3078 * modified content. This typically should only 3079 * occur for text relocations. 3080 */ 3081 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3082 } 3083 if (rc) 3084 return rc; 3085 } 3086#endif 3087 3088 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3089} 3090 3091static int selinux_file_lock(struct file *file, unsigned int cmd) 3092{ 3093 const struct cred *cred = current_cred(); 3094 3095 return file_has_perm(cred, file, FILE__LOCK); 3096} 3097 3098static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3099 unsigned long arg) 3100{ 3101 const struct cred *cred = current_cred(); 3102 int err = 0; 3103 3104 switch (cmd) { 3105 case F_SETFL: 3106 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 3107 err = -EINVAL; 3108 break; 3109 } 3110 3111 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3112 err = file_has_perm(cred, file, FILE__WRITE); 3113 break; 3114 } 3115 /* fall through */ 3116 case F_SETOWN: 3117 case F_SETSIG: 3118 case F_GETFL: 3119 case F_GETOWN: 3120 case F_GETSIG: 3121 /* Just check FD__USE permission */ 3122 err = file_has_perm(cred, file, 0); 3123 break; 3124 case F_GETLK: 3125 case F_SETLK: 3126 case F_SETLKW: 3127#if BITS_PER_LONG == 32 3128 case F_GETLK64: 3129 case F_SETLK64: 3130 case F_SETLKW64: 3131#endif 3132 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 3133 err = -EINVAL; 3134 break; 3135 } 3136 err = file_has_perm(cred, file, FILE__LOCK); 3137 break; 3138 } 3139 3140 return err; 3141} 3142 3143static int selinux_file_set_fowner(struct file *file) 3144{ 3145 struct file_security_struct *fsec; 3146 3147 fsec = file->f_security; 3148 fsec->fown_sid = current_sid(); 3149 3150 return 0; 3151} 3152 3153static int selinux_file_send_sigiotask(struct task_struct *tsk, 3154 struct fown_struct *fown, int signum) 3155{ 3156 struct file *file; 3157 u32 sid = current_sid(); 3158 u32 perm; 3159 struct file_security_struct *fsec; 3160 3161 /* struct fown_struct is never outside the context of a struct file */ 3162 file = container_of(fown, struct file, f_owner); 3163 3164 fsec = file->f_security; 3165 3166 if (!signum) 3167 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3168 else 3169 perm = signal_to_av(signum); 3170 3171 return avc_has_perm(fsec->fown_sid, sid, 3172 SECCLASS_PROCESS, perm, NULL); 3173} 3174 3175static int selinux_file_receive(struct file *file) 3176{ 3177 const struct cred *cred = current_cred(); 3178 3179 return file_has_perm(cred, file, file_to_av(file)); 3180} 3181 3182static int selinux_dentry_open(struct file *file, const struct cred *cred) 3183{ 3184 struct file_security_struct *fsec; 3185 struct inode *inode; 3186 struct inode_security_struct *isec; 3187 3188 inode = file->f_path.dentry->d_inode; 3189 fsec = file->f_security; 3190 isec = inode->i_security; 3191 /* 3192 * Save inode label and policy sequence number 3193 * at open-time so that selinux_file_permission 3194 * can determine whether revalidation is necessary. 3195 * Task label is already saved in the file security 3196 * struct as its SID. 3197 */ 3198 fsec->isid = isec->sid; 3199 fsec->pseqno = avc_policy_seqno(); 3200 /* 3201 * Since the inode label or policy seqno may have changed 3202 * between the selinux_inode_permission check and the saving 3203 * of state above, recheck that access is still permitted. 3204 * Otherwise, access might never be revalidated against the 3205 * new inode label or new policy. 3206 * This check is not redundant - do not remove. 3207 */ 3208 return inode_has_perm(cred, inode, open_file_to_av(file), NULL); 3209} 3210 3211/* task security operations */ 3212 3213static int selinux_task_create(unsigned long clone_flags) 3214{ 3215 return current_has_perm(current, PROCESS__FORK); 3216} 3217 3218/* 3219 * detach and free the LSM part of a set of credentials 3220 */ 3221static void selinux_cred_free(struct cred *cred) 3222{ 3223 struct task_security_struct *tsec = cred->security; 3224 cred->security = NULL; 3225 kfree(tsec); 3226} 3227 3228/* 3229 * prepare a new set of credentials for modification 3230 */ 3231static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3232 gfp_t gfp) 3233{ 3234 const struct task_security_struct *old_tsec; 3235 struct task_security_struct *tsec; 3236 3237 old_tsec = old->security; 3238 3239 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3240 if (!tsec) 3241 return -ENOMEM; 3242 3243 new->security = tsec; 3244 return 0; 3245} 3246 3247/* 3248 * set the security data for a kernel service 3249 * - all the creation contexts are set to unlabelled 3250 */ 3251static int selinux_kernel_act_as(struct cred *new, u32 secid) 3252{ 3253 struct task_security_struct *tsec = new->security; 3254 u32 sid = current_sid(); 3255 int ret; 3256 3257 ret = avc_has_perm(sid, secid, 3258 SECCLASS_KERNEL_SERVICE, 3259 KERNEL_SERVICE__USE_AS_OVERRIDE, 3260 NULL); 3261 if (ret == 0) { 3262 tsec->sid = secid; 3263 tsec->create_sid = 0; 3264 tsec->keycreate_sid = 0; 3265 tsec->sockcreate_sid = 0; 3266 } 3267 return ret; 3268} 3269 3270/* 3271 * set the file creation context in a security record to the same as the 3272 * objective context of the specified inode 3273 */ 3274static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3275{ 3276 struct inode_security_struct *isec = inode->i_security; 3277 struct task_security_struct *tsec = new->security; 3278 u32 sid = current_sid(); 3279 int ret; 3280 3281 ret = avc_has_perm(sid, isec->sid, 3282 SECCLASS_KERNEL_SERVICE, 3283 KERNEL_SERVICE__CREATE_FILES_AS, 3284 NULL); 3285 3286 if (ret == 0) 3287 tsec->create_sid = isec->sid; 3288 return 0; 3289} 3290 3291static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3292{ 3293 /* Since setuid only affects the current process, and 3294 since the SELinux controls are not based on the Linux 3295 identity attributes, SELinux does not need to control 3296 this operation. However, SELinux does control the use 3297 of the CAP_SETUID and CAP_SETGID capabilities using the 3298 capable hook. */ 3299 return 0; 3300} 3301 3302static int selinux_task_fix_setuid(struct cred *new, const struct cred *old, 3303 int flags) 3304{ 3305 return secondary_ops->task_fix_setuid(new, old, flags); 3306} 3307 3308static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 3309{ 3310 /* See the comment for setuid above. */ 3311 return 0; 3312} 3313 3314static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3315{ 3316 return current_has_perm(p, PROCESS__SETPGID); 3317} 3318 3319static int selinux_task_getpgid(struct task_struct *p) 3320{ 3321 return current_has_perm(p, PROCESS__GETPGID); 3322} 3323 3324static int selinux_task_getsid(struct task_struct *p) 3325{ 3326 return current_has_perm(p, PROCESS__GETSESSION); 3327} 3328 3329static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3330{ 3331 *secid = task_sid(p); 3332} 3333 3334static int selinux_task_setgroups(struct group_info *group_info) 3335{ 3336 /* See the comment for setuid above. */ 3337 return 0; 3338} 3339 3340static int selinux_task_setnice(struct task_struct *p, int nice) 3341{ 3342 int rc; 3343 3344 rc = secondary_ops->task_setnice(p, nice); 3345 if (rc) 3346 return rc; 3347 3348 return current_has_perm(p, PROCESS__SETSCHED); 3349} 3350 3351static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3352{ 3353 int rc; 3354 3355 rc = secondary_ops->task_setioprio(p, ioprio); 3356 if (rc) 3357 return rc; 3358 3359 return current_has_perm(p, PROCESS__SETSCHED); 3360} 3361 3362static int selinux_task_getioprio(struct task_struct *p) 3363{ 3364 return current_has_perm(p, PROCESS__GETSCHED); 3365} 3366 3367static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 3368{ 3369 struct rlimit *old_rlim = current->signal->rlim + resource; 3370 3371 /* Control the ability to change the hard limit (whether 3372 lowering or raising it), so that the hard limit can 3373 later be used as a safe reset point for the soft limit 3374 upon context transitions. See selinux_bprm_committing_creds. */ 3375 if (old_rlim->rlim_max != new_rlim->rlim_max) 3376 return current_has_perm(current, PROCESS__SETRLIMIT); 3377 3378 return 0; 3379} 3380 3381static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) 3382{ 3383 int rc; 3384 3385 rc = secondary_ops->task_setscheduler(p, policy, lp); 3386 if (rc) 3387 return rc; 3388 3389 return current_has_perm(p, PROCESS__SETSCHED); 3390} 3391 3392static int selinux_task_getscheduler(struct task_struct *p) 3393{ 3394 return current_has_perm(p, PROCESS__GETSCHED); 3395} 3396 3397static int selinux_task_movememory(struct task_struct *p) 3398{ 3399 return current_has_perm(p, PROCESS__SETSCHED); 3400} 3401 3402static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3403 int sig, u32 secid) 3404{ 3405 u32 perm; 3406 int rc; 3407 3408 rc = secondary_ops->task_kill(p, info, sig, secid); 3409 if (rc) 3410 return rc; 3411 3412 if (!sig) 3413 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3414 else 3415 perm = signal_to_av(sig); 3416 if (secid) 3417 rc = avc_has_perm(secid, task_sid(p), 3418 SECCLASS_PROCESS, perm, NULL); 3419 else 3420 rc = current_has_perm(p, perm); 3421 return rc; 3422} 3423 3424static int selinux_task_prctl(int option, 3425 unsigned long arg2, 3426 unsigned long arg3, 3427 unsigned long arg4, 3428 unsigned long arg5) 3429{ 3430 /* The current prctl operations do not appear to require 3431 any SELinux controls since they merely observe or modify 3432 the state of the current process. */ 3433 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5); 3434} 3435 3436static int selinux_task_wait(struct task_struct *p) 3437{ 3438 return task_has_perm(p, current, PROCESS__SIGCHLD); 3439} 3440 3441static void selinux_task_to_inode(struct task_struct *p, 3442 struct inode *inode) 3443{ 3444 struct inode_security_struct *isec = inode->i_security; 3445 u32 sid = task_sid(p); 3446 3447 isec->sid = sid; 3448 isec->initialized = 1; 3449} 3450 3451/* Returns error only if unable to parse addresses */ 3452static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3453 struct avc_audit_data *ad, u8 *proto) 3454{ 3455 int offset, ihlen, ret = -EINVAL; 3456 struct iphdr _iph, *ih; 3457 3458 offset = skb_network_offset(skb); 3459 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3460 if (ih == NULL) 3461 goto out; 3462 3463 ihlen = ih->ihl * 4; 3464 if (ihlen < sizeof(_iph)) 3465 goto out; 3466 3467 ad->u.net.v4info.saddr = ih->saddr; 3468 ad->u.net.v4info.daddr = ih->daddr; 3469 ret = 0; 3470 3471 if (proto) 3472 *proto = ih->protocol; 3473 3474 switch (ih->protocol) { 3475 case IPPROTO_TCP: { 3476 struct tcphdr _tcph, *th; 3477 3478 if (ntohs(ih->frag_off) & IP_OFFSET) 3479 break; 3480 3481 offset += ihlen; 3482 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3483 if (th == NULL) 3484 break; 3485 3486 ad->u.net.sport = th->source; 3487 ad->u.net.dport = th->dest; 3488 break; 3489 } 3490 3491 case IPPROTO_UDP: { 3492 struct udphdr _udph, *uh; 3493 3494 if (ntohs(ih->frag_off) & IP_OFFSET) 3495 break; 3496 3497 offset += ihlen; 3498 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3499 if (uh == NULL) 3500 break; 3501 3502 ad->u.net.sport = uh->source; 3503 ad->u.net.dport = uh->dest; 3504 break; 3505 } 3506 3507 case IPPROTO_DCCP: { 3508 struct dccp_hdr _dccph, *dh; 3509 3510 if (ntohs(ih->frag_off) & IP_OFFSET) 3511 break; 3512 3513 offset += ihlen; 3514 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3515 if (dh == NULL) 3516 break; 3517 3518 ad->u.net.sport = dh->dccph_sport; 3519 ad->u.net.dport = dh->dccph_dport; 3520 break; 3521 } 3522 3523 default: 3524 break; 3525 } 3526out: 3527 return ret; 3528} 3529 3530#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3531 3532/* Returns error only if unable to parse addresses */ 3533static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3534 struct avc_audit_data *ad, u8 *proto) 3535{ 3536 u8 nexthdr; 3537 int ret = -EINVAL, offset; 3538 struct ipv6hdr _ipv6h, *ip6; 3539 3540 offset = skb_network_offset(skb); 3541 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3542 if (ip6 == NULL) 3543 goto out; 3544 3545 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); 3546 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); 3547 ret = 0; 3548 3549 nexthdr = ip6->nexthdr; 3550 offset += sizeof(_ipv6h); 3551 offset = ipv6_skip_exthdr(skb, offset, &nexthdr); 3552 if (offset < 0) 3553 goto out; 3554 3555 if (proto) 3556 *proto = nexthdr; 3557 3558 switch (nexthdr) { 3559 case IPPROTO_TCP: { 3560 struct tcphdr _tcph, *th; 3561 3562 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3563 if (th == NULL) 3564 break; 3565 3566 ad->u.net.sport = th->source; 3567 ad->u.net.dport = th->dest; 3568 break; 3569 } 3570 3571 case IPPROTO_UDP: { 3572 struct udphdr _udph, *uh; 3573 3574 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3575 if (uh == NULL) 3576 break; 3577 3578 ad->u.net.sport = uh->source; 3579 ad->u.net.dport = uh->dest; 3580 break; 3581 } 3582 3583 case IPPROTO_DCCP: { 3584 struct dccp_hdr _dccph, *dh; 3585 3586 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3587 if (dh == NULL) 3588 break; 3589 3590 ad->u.net.sport = dh->dccph_sport; 3591 ad->u.net.dport = dh->dccph_dport; 3592 break; 3593 } 3594 3595 /* includes fragments */ 3596 default: 3597 break; 3598 } 3599out: 3600 return ret; 3601} 3602 3603#endif /* IPV6 */ 3604 3605static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 3606 char **_addrp, int src, u8 *proto) 3607{ 3608 char *addrp; 3609 int ret; 3610 3611 switch (ad->u.net.family) { 3612 case PF_INET: 3613 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3614 if (ret) 3615 goto parse_error; 3616 addrp = (char *)(src ? &ad->u.net.v4info.saddr : 3617 &ad->u.net.v4info.daddr); 3618 goto okay; 3619 3620#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3621 case PF_INET6: 3622 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3623 if (ret) 3624 goto parse_error; 3625 addrp = (char *)(src ? &ad->u.net.v6info.saddr : 3626 &ad->u.net.v6info.daddr); 3627 goto okay; 3628#endif /* IPV6 */ 3629 default: 3630 addrp = NULL; 3631 goto okay; 3632 } 3633 3634parse_error: 3635 printk(KERN_WARNING 3636 "SELinux: failure in selinux_parse_skb()," 3637 " unable to parse packet\n"); 3638 return ret; 3639 3640okay: 3641 if (_addrp) 3642 *_addrp = addrp; 3643 return 0; 3644} 3645 3646/** 3647 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 3648 * @skb: the packet 3649 * @family: protocol family 3650 * @sid: the packet's peer label SID 3651 * 3652 * Description: 3653 * Check the various different forms of network peer labeling and determine 3654 * the peer label/SID for the packet; most of the magic actually occurs in 3655 * the security server function security_net_peersid_cmp(). The function 3656 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 3657 * or -EACCES if @sid is invalid due to inconsistencies with the different 3658 * peer labels. 3659 * 3660 */ 3661static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 3662{ 3663 int err; 3664 u32 xfrm_sid; 3665 u32 nlbl_sid; 3666 u32 nlbl_type; 3667 3668 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3669 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3670 3671 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3672 if (unlikely(err)) { 3673 printk(KERN_WARNING 3674 "SELinux: failure in selinux_skb_peerlbl_sid()," 3675 " unable to determine packet's peer label\n"); 3676 return -EACCES; 3677 } 3678 3679 return 0; 3680} 3681 3682/* socket security operations */ 3683static int socket_has_perm(struct task_struct *task, struct socket *sock, 3684 u32 perms) 3685{ 3686 struct inode_security_struct *isec; 3687 struct avc_audit_data ad; 3688 u32 sid; 3689 int err = 0; 3690 3691 isec = SOCK_INODE(sock)->i_security; 3692 3693 if (isec->sid == SECINITSID_KERNEL) 3694 goto out; 3695 sid = task_sid(task); 3696 3697 AVC_AUDIT_DATA_INIT(&ad, NET); 3698 ad.u.net.sk = sock->sk; 3699 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 3700 3701out: 3702 return err; 3703} 3704 3705static int selinux_socket_create(int family, int type, 3706 int protocol, int kern) 3707{ 3708 const struct cred *cred = current_cred(); 3709 const struct task_security_struct *tsec = cred->security; 3710 u32 sid, newsid; 3711 u16 secclass; 3712 int err = 0; 3713 3714 if (kern) 3715 goto out; 3716 3717 sid = tsec->sid; 3718 newsid = tsec->sockcreate_sid ?: sid; 3719 3720 secclass = socket_type_to_security_class(family, type, protocol); 3721 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL); 3722 3723out: 3724 return err; 3725} 3726 3727static int selinux_socket_post_create(struct socket *sock, int family, 3728 int type, int protocol, int kern) 3729{ 3730 const struct cred *cred = current_cred(); 3731 const struct task_security_struct *tsec = cred->security; 3732 struct inode_security_struct *isec; 3733 struct sk_security_struct *sksec; 3734 u32 sid, newsid; 3735 int err = 0; 3736 3737 sid = tsec->sid; 3738 newsid = tsec->sockcreate_sid; 3739 3740 isec = SOCK_INODE(sock)->i_security; 3741 3742 if (kern) 3743 isec->sid = SECINITSID_KERNEL; 3744 else if (newsid) 3745 isec->sid = newsid; 3746 else 3747 isec->sid = sid; 3748 3749 isec->sclass = socket_type_to_security_class(family, type, protocol); 3750 isec->initialized = 1; 3751 3752 if (sock->sk) { 3753 sksec = sock->sk->sk_security; 3754 sksec->sid = isec->sid; 3755 sksec->sclass = isec->sclass; 3756 err = selinux_netlbl_socket_post_create(sock); 3757 } 3758 3759 return err; 3760} 3761 3762/* Range of port numbers used to automatically bind. 3763 Need to determine whether we should perform a name_bind 3764 permission check between the socket and the port number. */ 3765 3766static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3767{ 3768 u16 family; 3769 int err; 3770 3771 err = socket_has_perm(current, sock, SOCKET__BIND); 3772 if (err) 3773 goto out; 3774 3775 /* 3776 * If PF_INET or PF_INET6, check name_bind permission for the port. 3777 * Multiple address binding for SCTP is not supported yet: we just 3778 * check the first address now. 3779 */ 3780 family = sock->sk->sk_family; 3781 if (family == PF_INET || family == PF_INET6) { 3782 char *addrp; 3783 struct inode_security_struct *isec; 3784 struct avc_audit_data ad; 3785 struct sockaddr_in *addr4 = NULL; 3786 struct sockaddr_in6 *addr6 = NULL; 3787 unsigned short snum; 3788 struct sock *sk = sock->sk; 3789 u32 sid, node_perm; 3790 3791 isec = SOCK_INODE(sock)->i_security; 3792 3793 if (family == PF_INET) { 3794 addr4 = (struct sockaddr_in *)address; 3795 snum = ntohs(addr4->sin_port); 3796 addrp = (char *)&addr4->sin_addr.s_addr; 3797 } else { 3798 addr6 = (struct sockaddr_in6 *)address; 3799 snum = ntohs(addr6->sin6_port); 3800 addrp = (char *)&addr6->sin6_addr.s6_addr; 3801 } 3802 3803 if (snum) { 3804 int low, high; 3805 3806 inet_get_local_port_range(&low, &high); 3807 3808 if (snum < max(PROT_SOCK, low) || snum > high) { 3809 err = sel_netport_sid(sk->sk_protocol, 3810 snum, &sid); 3811 if (err) 3812 goto out; 3813 AVC_AUDIT_DATA_INIT(&ad, NET); 3814 ad.u.net.sport = htons(snum); 3815 ad.u.net.family = family; 3816 err = avc_has_perm(isec->sid, sid, 3817 isec->sclass, 3818 SOCKET__NAME_BIND, &ad); 3819 if (err) 3820 goto out; 3821 } 3822 } 3823 3824 switch (isec->sclass) { 3825 case SECCLASS_TCP_SOCKET: 3826 node_perm = TCP_SOCKET__NODE_BIND; 3827 break; 3828 3829 case SECCLASS_UDP_SOCKET: 3830 node_perm = UDP_SOCKET__NODE_BIND; 3831 break; 3832 3833 case SECCLASS_DCCP_SOCKET: 3834 node_perm = DCCP_SOCKET__NODE_BIND; 3835 break; 3836 3837 default: 3838 node_perm = RAWIP_SOCKET__NODE_BIND; 3839 break; 3840 } 3841 3842 err = sel_netnode_sid(addrp, family, &sid); 3843 if (err) 3844 goto out; 3845 3846 AVC_AUDIT_DATA_INIT(&ad, NET); 3847 ad.u.net.sport = htons(snum); 3848 ad.u.net.family = family; 3849 3850 if (family == PF_INET) 3851 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; 3852 else 3853 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3854 3855 err = avc_has_perm(isec->sid, sid, 3856 isec->sclass, node_perm, &ad); 3857 if (err) 3858 goto out; 3859 } 3860out: 3861 return err; 3862} 3863 3864static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3865{ 3866 struct sock *sk = sock->sk; 3867 struct inode_security_struct *isec; 3868 int err; 3869 3870 err = socket_has_perm(current, sock, SOCKET__CONNECT); 3871 if (err) 3872 return err; 3873 3874 /* 3875 * If a TCP or DCCP socket, check name_connect permission for the port. 3876 */ 3877 isec = SOCK_INODE(sock)->i_security; 3878 if (isec->sclass == SECCLASS_TCP_SOCKET || 3879 isec->sclass == SECCLASS_DCCP_SOCKET) { 3880 struct avc_audit_data ad; 3881 struct sockaddr_in *addr4 = NULL; 3882 struct sockaddr_in6 *addr6 = NULL; 3883 unsigned short snum; 3884 u32 sid, perm; 3885 3886 if (sk->sk_family == PF_INET) { 3887 addr4 = (struct sockaddr_in *)address; 3888 if (addrlen < sizeof(struct sockaddr_in)) 3889 return -EINVAL; 3890 snum = ntohs(addr4->sin_port); 3891 } else { 3892 addr6 = (struct sockaddr_in6 *)address; 3893 if (addrlen < SIN6_LEN_RFC2133) 3894 return -EINVAL; 3895 snum = ntohs(addr6->sin6_port); 3896 } 3897 3898 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 3899 if (err) 3900 goto out; 3901 3902 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3903 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3904 3905 AVC_AUDIT_DATA_INIT(&ad, NET); 3906 ad.u.net.dport = htons(snum); 3907 ad.u.net.family = sk->sk_family; 3908 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3909 if (err) 3910 goto out; 3911 } 3912 3913 err = selinux_netlbl_socket_connect(sk, address); 3914 3915out: 3916 return err; 3917} 3918 3919static int selinux_socket_listen(struct socket *sock, int backlog) 3920{ 3921 return socket_has_perm(current, sock, SOCKET__LISTEN); 3922} 3923 3924static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3925{ 3926 int err; 3927 struct inode_security_struct *isec; 3928 struct inode_security_struct *newisec; 3929 3930 err = socket_has_perm(current, sock, SOCKET__ACCEPT); 3931 if (err) 3932 return err; 3933 3934 newisec = SOCK_INODE(newsock)->i_security; 3935 3936 isec = SOCK_INODE(sock)->i_security; 3937 newisec->sclass = isec->sclass; 3938 newisec->sid = isec->sid; 3939 newisec->initialized = 1; 3940 3941 return 0; 3942} 3943 3944static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3945 int size) 3946{ 3947 int rc; 3948 3949 rc = socket_has_perm(current, sock, SOCKET__WRITE); 3950 if (rc) 3951 return rc; 3952 3953 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE); 3954} 3955 3956static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3957 int size, int flags) 3958{ 3959 return socket_has_perm(current, sock, SOCKET__READ); 3960} 3961 3962static int selinux_socket_getsockname(struct socket *sock) 3963{ 3964 return socket_has_perm(current, sock, SOCKET__GETATTR); 3965} 3966 3967static int selinux_socket_getpeername(struct socket *sock) 3968{ 3969 return socket_has_perm(current, sock, SOCKET__GETATTR); 3970} 3971 3972static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 3973{ 3974 int err; 3975 3976 err = socket_has_perm(current, sock, SOCKET__SETOPT); 3977 if (err) 3978 return err; 3979 3980 return selinux_netlbl_socket_setsockopt(sock, level, optname); 3981} 3982 3983static int selinux_socket_getsockopt(struct socket *sock, int level, 3984 int optname) 3985{ 3986 return socket_has_perm(current, sock, SOCKET__GETOPT); 3987} 3988 3989static int selinux_socket_shutdown(struct socket *sock, int how) 3990{ 3991 return socket_has_perm(current, sock, SOCKET__SHUTDOWN); 3992} 3993 3994static int selinux_socket_unix_stream_connect(struct socket *sock, 3995 struct socket *other, 3996 struct sock *newsk) 3997{ 3998 struct sk_security_struct *ssec; 3999 struct inode_security_struct *isec; 4000 struct inode_security_struct *other_isec; 4001 struct avc_audit_data ad; 4002 int err; 4003 4004 err = secondary_ops->unix_stream_connect(sock, other, newsk); 4005 if (err) 4006 return err; 4007 4008 isec = SOCK_INODE(sock)->i_security; 4009 other_isec = SOCK_INODE(other)->i_security; 4010 4011 AVC_AUDIT_DATA_INIT(&ad, NET); 4012 ad.u.net.sk = other->sk; 4013 4014 err = avc_has_perm(isec->sid, other_isec->sid, 4015 isec->sclass, 4016 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4017 if (err) 4018 return err; 4019 4020 /* connecting socket */ 4021 ssec = sock->sk->sk_security; 4022 ssec->peer_sid = other_isec->sid; 4023 4024 /* server child socket */ 4025 ssec = newsk->sk_security; 4026 ssec->peer_sid = isec->sid; 4027 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid); 4028 4029 return err; 4030} 4031 4032static int selinux_socket_unix_may_send(struct socket *sock, 4033 struct socket *other) 4034{ 4035 struct inode_security_struct *isec; 4036 struct inode_security_struct *other_isec; 4037 struct avc_audit_data ad; 4038 int err; 4039 4040 isec = SOCK_INODE(sock)->i_security; 4041 other_isec = SOCK_INODE(other)->i_security; 4042 4043 AVC_AUDIT_DATA_INIT(&ad, NET); 4044 ad.u.net.sk = other->sk; 4045 4046 err = avc_has_perm(isec->sid, other_isec->sid, 4047 isec->sclass, SOCKET__SENDTO, &ad); 4048 if (err) 4049 return err; 4050 4051 return 0; 4052} 4053 4054static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 4055 u32 peer_sid, 4056 struct avc_audit_data *ad) 4057{ 4058 int err; 4059 u32 if_sid; 4060 u32 node_sid; 4061 4062 err = sel_netif_sid(ifindex, &if_sid); 4063 if (err) 4064 return err; 4065 err = avc_has_perm(peer_sid, if_sid, 4066 SECCLASS_NETIF, NETIF__INGRESS, ad); 4067 if (err) 4068 return err; 4069 4070 err = sel_netnode_sid(addrp, family, &node_sid); 4071 if (err) 4072 return err; 4073 return avc_has_perm(peer_sid, node_sid, 4074 SECCLASS_NODE, NODE__RECVFROM, ad); 4075} 4076 4077static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, 4078 struct sk_buff *skb, 4079 struct avc_audit_data *ad, 4080 u16 family, 4081 char *addrp) 4082{ 4083 int err; 4084 struct sk_security_struct *sksec = sk->sk_security; 4085 u16 sk_class; 4086 u32 netif_perm, node_perm, recv_perm; 4087 u32 port_sid, node_sid, if_sid, sk_sid; 4088 4089 sk_sid = sksec->sid; 4090 sk_class = sksec->sclass; 4091 4092 switch (sk_class) { 4093 case SECCLASS_UDP_SOCKET: 4094 netif_perm = NETIF__UDP_RECV; 4095 node_perm = NODE__UDP_RECV; 4096 recv_perm = UDP_SOCKET__RECV_MSG; 4097 break; 4098 case SECCLASS_TCP_SOCKET: 4099 netif_perm = NETIF__TCP_RECV; 4100 node_perm = NODE__TCP_RECV; 4101 recv_perm = TCP_SOCKET__RECV_MSG; 4102 break; 4103 case SECCLASS_DCCP_SOCKET: 4104 netif_perm = NETIF__DCCP_RECV; 4105 node_perm = NODE__DCCP_RECV; 4106 recv_perm = DCCP_SOCKET__RECV_MSG; 4107 break; 4108 default: 4109 netif_perm = NETIF__RAWIP_RECV; 4110 node_perm = NODE__RAWIP_RECV; 4111 recv_perm = 0; 4112 break; 4113 } 4114 4115 err = sel_netif_sid(skb->iif, &if_sid); 4116 if (err) 4117 return err; 4118 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 4119 if (err) 4120 return err; 4121 4122 err = sel_netnode_sid(addrp, family, &node_sid); 4123 if (err) 4124 return err; 4125 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); 4126 if (err) 4127 return err; 4128 4129 if (!recv_perm) 4130 return 0; 4131 err = sel_netport_sid(sk->sk_protocol, 4132 ntohs(ad->u.net.sport), &port_sid); 4133 if (unlikely(err)) { 4134 printk(KERN_WARNING 4135 "SELinux: failure in" 4136 " selinux_sock_rcv_skb_iptables_compat()," 4137 " network port label not found\n"); 4138 return err; 4139 } 4140 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad); 4141} 4142 4143static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4144 u16 family) 4145{ 4146 int err = 0; 4147 struct sk_security_struct *sksec = sk->sk_security; 4148 u32 peer_sid; 4149 u32 sk_sid = sksec->sid; 4150 struct avc_audit_data ad; 4151 char *addrp; 4152 4153 AVC_AUDIT_DATA_INIT(&ad, NET); 4154 ad.u.net.netif = skb->iif; 4155 ad.u.net.family = family; 4156 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4157 if (err) 4158 return err; 4159 4160 if (selinux_compat_net) 4161 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad, 4162 family, addrp); 4163 else if (selinux_secmark_enabled()) 4164 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4165 PACKET__RECV, &ad); 4166 if (err) 4167 return err; 4168 4169 if (selinux_policycap_netpeer) { 4170 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4171 if (err) 4172 return err; 4173 err = avc_has_perm(sk_sid, peer_sid, 4174 SECCLASS_PEER, PEER__RECV, &ad); 4175 if (err) 4176 selinux_netlbl_err(skb, err, 0); 4177 } else { 4178 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4179 if (err) 4180 return err; 4181 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4182 } 4183 4184 return err; 4185} 4186 4187static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4188{ 4189 int err; 4190 struct sk_security_struct *sksec = sk->sk_security; 4191 u16 family = sk->sk_family; 4192 u32 sk_sid = sksec->sid; 4193 struct avc_audit_data ad; 4194 char *addrp; 4195 u8 secmark_active; 4196 u8 peerlbl_active; 4197 4198 if (family != PF_INET && family != PF_INET6) 4199 return 0; 4200 4201 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4202 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4203 family = PF_INET; 4204 4205 /* If any sort of compatibility mode is enabled then handoff processing 4206 * to the selinux_sock_rcv_skb_compat() function to deal with the 4207 * special handling. We do this in an attempt to keep this function 4208 * as fast and as clean as possible. */ 4209 if (selinux_compat_net || !selinux_policycap_netpeer) 4210 return selinux_sock_rcv_skb_compat(sk, skb, family); 4211 4212 secmark_active = selinux_secmark_enabled(); 4213 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4214 if (!secmark_active && !peerlbl_active) 4215 return 0; 4216 4217 AVC_AUDIT_DATA_INIT(&ad, NET); 4218 ad.u.net.netif = skb->iif; 4219 ad.u.net.family = family; 4220 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4221 if (err) 4222 return err; 4223 4224 if (peerlbl_active) { 4225 u32 peer_sid; 4226 4227 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4228 if (err) 4229 return err; 4230 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family, 4231 peer_sid, &ad); 4232 if (err) { 4233 selinux_netlbl_err(skb, err, 0); 4234 return err; 4235 } 4236 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4237 PEER__RECV, &ad); 4238 if (err) 4239 selinux_netlbl_err(skb, err, 0); 4240 } 4241 4242 if (secmark_active) { 4243 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4244 PACKET__RECV, &ad); 4245 if (err) 4246 return err; 4247 } 4248 4249 return err; 4250} 4251 4252static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4253 int __user *optlen, unsigned len) 4254{ 4255 int err = 0; 4256 char *scontext; 4257 u32 scontext_len; 4258 struct sk_security_struct *ssec; 4259 struct inode_security_struct *isec; 4260 u32 peer_sid = SECSID_NULL; 4261 4262 isec = SOCK_INODE(sock)->i_security; 4263 4264 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4265 isec->sclass == SECCLASS_TCP_SOCKET) { 4266 ssec = sock->sk->sk_security; 4267 peer_sid = ssec->peer_sid; 4268 } 4269 if (peer_sid == SECSID_NULL) { 4270 err = -ENOPROTOOPT; 4271 goto out; 4272 } 4273 4274 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4275 4276 if (err) 4277 goto out; 4278 4279 if (scontext_len > len) { 4280 err = -ERANGE; 4281 goto out_len; 4282 } 4283 4284 if (copy_to_user(optval, scontext, scontext_len)) 4285 err = -EFAULT; 4286 4287out_len: 4288 if (put_user(scontext_len, optlen)) 4289 err = -EFAULT; 4290 4291 kfree(scontext); 4292out: 4293 return err; 4294} 4295 4296static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4297{ 4298 u32 peer_secid = SECSID_NULL; 4299 u16 family; 4300 4301 if (skb && skb->protocol == htons(ETH_P_IP)) 4302 family = PF_INET; 4303 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4304 family = PF_INET6; 4305 else if (sock) 4306 family = sock->sk->sk_family; 4307 else 4308 goto out; 4309 4310 if (sock && family == PF_UNIX) 4311 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid); 4312 else if (skb) 4313 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4314 4315out: 4316 *secid = peer_secid; 4317 if (peer_secid == SECSID_NULL) 4318 return -EINVAL; 4319 return 0; 4320} 4321 4322static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4323{ 4324 return sk_alloc_security(sk, family, priority); 4325} 4326 4327static void selinux_sk_free_security(struct sock *sk) 4328{ 4329 sk_free_security(sk); 4330} 4331 4332static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4333{ 4334 struct sk_security_struct *ssec = sk->sk_security; 4335 struct sk_security_struct *newssec = newsk->sk_security; 4336 4337 newssec->sid = ssec->sid; 4338 newssec->peer_sid = ssec->peer_sid; 4339 newssec->sclass = ssec->sclass; 4340 4341 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family); 4342} 4343 4344static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4345{ 4346 if (!sk) 4347 *secid = SECINITSID_ANY_SOCKET; 4348 else { 4349 struct sk_security_struct *sksec = sk->sk_security; 4350 4351 *secid = sksec->sid; 4352 } 4353} 4354 4355static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4356{ 4357 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4358 struct sk_security_struct *sksec = sk->sk_security; 4359 4360 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4361 sk->sk_family == PF_UNIX) 4362 isec->sid = sksec->sid; 4363 sksec->sclass = isec->sclass; 4364} 4365 4366static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4367 struct request_sock *req) 4368{ 4369 struct sk_security_struct *sksec = sk->sk_security; 4370 int err; 4371 u16 family = sk->sk_family; 4372 u32 newsid; 4373 u32 peersid; 4374 4375 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4376 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4377 family = PF_INET; 4378 4379 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4380 if (err) 4381 return err; 4382 if (peersid == SECSID_NULL) { 4383 req->secid = sksec->sid; 4384 req->peer_secid = SECSID_NULL; 4385 return 0; 4386 } 4387 4388 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 4389 if (err) 4390 return err; 4391 4392 req->secid = newsid; 4393 req->peer_secid = peersid; 4394 return 0; 4395} 4396 4397static void selinux_inet_csk_clone(struct sock *newsk, 4398 const struct request_sock *req) 4399{ 4400 struct sk_security_struct *newsksec = newsk->sk_security; 4401 4402 newsksec->sid = req->secid; 4403 newsksec->peer_sid = req->peer_secid; 4404 /* NOTE: Ideally, we should also get the isec->sid for the 4405 new socket in sync, but we don't have the isec available yet. 4406 So we will wait until sock_graft to do it, by which 4407 time it will have been created and available. */ 4408 4409 /* We don't need to take any sort of lock here as we are the only 4410 * thread with access to newsksec */ 4411 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family); 4412} 4413 4414static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4415{ 4416 u16 family = sk->sk_family; 4417 struct sk_security_struct *sksec = sk->sk_security; 4418 4419 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4420 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4421 family = PF_INET; 4422 4423 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4424 4425 selinux_netlbl_inet_conn_established(sk, family); 4426} 4427 4428static void selinux_req_classify_flow(const struct request_sock *req, 4429 struct flowi *fl) 4430{ 4431 fl->secid = req->secid; 4432} 4433 4434static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4435{ 4436 int err = 0; 4437 u32 perm; 4438 struct nlmsghdr *nlh; 4439 struct socket *sock = sk->sk_socket; 4440 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 4441 4442 if (skb->len < NLMSG_SPACE(0)) { 4443 err = -EINVAL; 4444 goto out; 4445 } 4446 nlh = nlmsg_hdr(skb); 4447 4448 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 4449 if (err) { 4450 if (err == -EINVAL) { 4451 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 4452 "SELinux: unrecognized netlink message" 4453 " type=%hu for sclass=%hu\n", 4454 nlh->nlmsg_type, isec->sclass); 4455 if (!selinux_enforcing || security_get_allow_unknown()) 4456 err = 0; 4457 } 4458 4459 /* Ignore */ 4460 if (err == -ENOENT) 4461 err = 0; 4462 goto out; 4463 } 4464 4465 err = socket_has_perm(current, sock, perm); 4466out: 4467 return err; 4468} 4469 4470#ifdef CONFIG_NETFILTER 4471 4472static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, 4473 u16 family) 4474{ 4475 int err; 4476 char *addrp; 4477 u32 peer_sid; 4478 struct avc_audit_data ad; 4479 u8 secmark_active; 4480 u8 netlbl_active; 4481 u8 peerlbl_active; 4482 4483 if (!selinux_policycap_netpeer) 4484 return NF_ACCEPT; 4485 4486 secmark_active = selinux_secmark_enabled(); 4487 netlbl_active = netlbl_enabled(); 4488 peerlbl_active = netlbl_active || selinux_xfrm_enabled(); 4489 if (!secmark_active && !peerlbl_active) 4490 return NF_ACCEPT; 4491 4492 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4493 return NF_DROP; 4494 4495 AVC_AUDIT_DATA_INIT(&ad, NET); 4496 ad.u.net.netif = ifindex; 4497 ad.u.net.family = family; 4498 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4499 return NF_DROP; 4500 4501 if (peerlbl_active) { 4502 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family, 4503 peer_sid, &ad); 4504 if (err) { 4505 selinux_netlbl_err(skb, err, 1); 4506 return NF_DROP; 4507 } 4508 } 4509 4510 if (secmark_active) 4511 if (avc_has_perm(peer_sid, skb->secmark, 4512 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 4513 return NF_DROP; 4514 4515 if (netlbl_active) 4516 /* we do this in the FORWARD path and not the POST_ROUTING 4517 * path because we want to make sure we apply the necessary 4518 * labeling before IPsec is applied so we can leverage AH 4519 * protection */ 4520 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 4521 return NF_DROP; 4522 4523 return NF_ACCEPT; 4524} 4525 4526static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4527 struct sk_buff *skb, 4528 const struct net_device *in, 4529 const struct net_device *out, 4530 int (*okfn)(struct sk_buff *)) 4531{ 4532 return selinux_ip_forward(skb, in->ifindex, PF_INET); 4533} 4534 4535#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4536static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4537 struct sk_buff *skb, 4538 const struct net_device *in, 4539 const struct net_device *out, 4540 int (*okfn)(struct sk_buff *)) 4541{ 4542 return selinux_ip_forward(skb, in->ifindex, PF_INET6); 4543} 4544#endif /* IPV6 */ 4545 4546static unsigned int selinux_ip_output(struct sk_buff *skb, 4547 u16 family) 4548{ 4549 u32 sid; 4550 4551 if (!netlbl_enabled()) 4552 return NF_ACCEPT; 4553 4554 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 4555 * because we want to make sure we apply the necessary labeling 4556 * before IPsec is applied so we can leverage AH protection */ 4557 if (skb->sk) { 4558 struct sk_security_struct *sksec = skb->sk->sk_security; 4559 sid = sksec->sid; 4560 } else 4561 sid = SECINITSID_KERNEL; 4562 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 4563 return NF_DROP; 4564 4565 return NF_ACCEPT; 4566} 4567 4568static unsigned int selinux_ipv4_output(unsigned int hooknum, 4569 struct sk_buff *skb, 4570 const struct net_device *in, 4571 const struct net_device *out, 4572 int (*okfn)(struct sk_buff *)) 4573{ 4574 return selinux_ip_output(skb, PF_INET); 4575} 4576 4577static int selinux_ip_postroute_iptables_compat(struct sock *sk, 4578 int ifindex, 4579 struct avc_audit_data *ad, 4580 u16 family, char *addrp) 4581{ 4582 int err; 4583 struct sk_security_struct *sksec = sk->sk_security; 4584 u16 sk_class; 4585 u32 netif_perm, node_perm, send_perm; 4586 u32 port_sid, node_sid, if_sid, sk_sid; 4587 4588 sk_sid = sksec->sid; 4589 sk_class = sksec->sclass; 4590 4591 switch (sk_class) { 4592 case SECCLASS_UDP_SOCKET: 4593 netif_perm = NETIF__UDP_SEND; 4594 node_perm = NODE__UDP_SEND; 4595 send_perm = UDP_SOCKET__SEND_MSG; 4596 break; 4597 case SECCLASS_TCP_SOCKET: 4598 netif_perm = NETIF__TCP_SEND; 4599 node_perm = NODE__TCP_SEND; 4600 send_perm = TCP_SOCKET__SEND_MSG; 4601 break; 4602 case SECCLASS_DCCP_SOCKET: 4603 netif_perm = NETIF__DCCP_SEND; 4604 node_perm = NODE__DCCP_SEND; 4605 send_perm = DCCP_SOCKET__SEND_MSG; 4606 break; 4607 default: 4608 netif_perm = NETIF__RAWIP_SEND; 4609 node_perm = NODE__RAWIP_SEND; 4610 send_perm = 0; 4611 break; 4612 } 4613 4614 err = sel_netif_sid(ifindex, &if_sid); 4615 if (err) 4616 return err; 4617 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 4618 return err; 4619 4620 err = sel_netnode_sid(addrp, family, &node_sid); 4621 if (err) 4622 return err; 4623 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); 4624 if (err) 4625 return err; 4626 4627 if (send_perm != 0) 4628 return 0; 4629 4630 err = sel_netport_sid(sk->sk_protocol, 4631 ntohs(ad->u.net.dport), &port_sid); 4632 if (unlikely(err)) { 4633 printk(KERN_WARNING 4634 "SELinux: failure in" 4635 " selinux_ip_postroute_iptables_compat()," 4636 " network port label not found\n"); 4637 return err; 4638 } 4639 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad); 4640} 4641 4642static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 4643 int ifindex, 4644 u16 family) 4645{ 4646 struct sock *sk = skb->sk; 4647 struct sk_security_struct *sksec; 4648 struct avc_audit_data ad; 4649 char *addrp; 4650 u8 proto; 4651 4652 if (sk == NULL) 4653 return NF_ACCEPT; 4654 sksec = sk->sk_security; 4655 4656 AVC_AUDIT_DATA_INIT(&ad, NET); 4657 ad.u.net.netif = ifindex; 4658 ad.u.net.family = family; 4659 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4660 return NF_DROP; 4661 4662 if (selinux_compat_net) { 4663 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, 4664 &ad, family, addrp)) 4665 return NF_DROP; 4666 } else if (selinux_secmark_enabled()) { 4667 if (avc_has_perm(sksec->sid, skb->secmark, 4668 SECCLASS_PACKET, PACKET__SEND, &ad)) 4669 return NF_DROP; 4670 } 4671 4672 if (selinux_policycap_netpeer) 4673 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 4674 return NF_DROP; 4675 4676 return NF_ACCEPT; 4677} 4678 4679static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, 4680 u16 family) 4681{ 4682 u32 secmark_perm; 4683 u32 peer_sid; 4684 struct sock *sk; 4685 struct avc_audit_data ad; 4686 char *addrp; 4687 u8 secmark_active; 4688 u8 peerlbl_active; 4689 4690 /* If any sort of compatibility mode is enabled then handoff processing 4691 * to the selinux_ip_postroute_compat() function to deal with the 4692 * special handling. We do this in an attempt to keep this function 4693 * as fast and as clean as possible. */ 4694 if (selinux_compat_net || !selinux_policycap_netpeer) 4695 return selinux_ip_postroute_compat(skb, ifindex, family); 4696#ifdef CONFIG_XFRM 4697 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 4698 * packet transformation so allow the packet to pass without any checks 4699 * since we'll have another chance to perform access control checks 4700 * when the packet is on it's final way out. 4701 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4702 * is NULL, in this case go ahead and apply access control. */ 4703 if (skb->dst != NULL && skb->dst->xfrm != NULL) 4704 return NF_ACCEPT; 4705#endif 4706 secmark_active = selinux_secmark_enabled(); 4707 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4708 if (!secmark_active && !peerlbl_active) 4709 return NF_ACCEPT; 4710 4711 /* if the packet is being forwarded then get the peer label from the 4712 * packet itself; otherwise check to see if it is from a local 4713 * application or the kernel, if from an application get the peer label 4714 * from the sending socket, otherwise use the kernel's sid */ 4715 sk = skb->sk; 4716 if (sk == NULL) { 4717 switch (family) { 4718 case PF_INET: 4719 if (IPCB(skb)->flags & IPSKB_FORWARDED) 4720 secmark_perm = PACKET__FORWARD_OUT; 4721 else 4722 secmark_perm = PACKET__SEND; 4723 break; 4724 case PF_INET6: 4725 if (IP6CB(skb)->flags & IP6SKB_FORWARDED) 4726 secmark_perm = PACKET__FORWARD_OUT; 4727 else 4728 secmark_perm = PACKET__SEND; 4729 break; 4730 default: 4731 return NF_DROP; 4732 } 4733 if (secmark_perm == PACKET__FORWARD_OUT) { 4734 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4735 return NF_DROP; 4736 } else 4737 peer_sid = SECINITSID_KERNEL; 4738 } else { 4739 struct sk_security_struct *sksec = sk->sk_security; 4740 peer_sid = sksec->sid; 4741 secmark_perm = PACKET__SEND; 4742 } 4743 4744 AVC_AUDIT_DATA_INIT(&ad, NET); 4745 ad.u.net.netif = ifindex; 4746 ad.u.net.family = family; 4747 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 4748 return NF_DROP; 4749 4750 if (secmark_active) 4751 if (avc_has_perm(peer_sid, skb->secmark, 4752 SECCLASS_PACKET, secmark_perm, &ad)) 4753 return NF_DROP; 4754 4755 if (peerlbl_active) { 4756 u32 if_sid; 4757 u32 node_sid; 4758 4759 if (sel_netif_sid(ifindex, &if_sid)) 4760 return NF_DROP; 4761 if (avc_has_perm(peer_sid, if_sid, 4762 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 4763 return NF_DROP; 4764 4765 if (sel_netnode_sid(addrp, family, &node_sid)) 4766 return NF_DROP; 4767 if (avc_has_perm(peer_sid, node_sid, 4768 SECCLASS_NODE, NODE__SENDTO, &ad)) 4769 return NF_DROP; 4770 } 4771 4772 return NF_ACCEPT; 4773} 4774 4775static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4776 struct sk_buff *skb, 4777 const struct net_device *in, 4778 const struct net_device *out, 4779 int (*okfn)(struct sk_buff *)) 4780{ 4781 return selinux_ip_postroute(skb, out->ifindex, PF_INET); 4782} 4783 4784#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4785static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4786 struct sk_buff *skb, 4787 const struct net_device *in, 4788 const struct net_device *out, 4789 int (*okfn)(struct sk_buff *)) 4790{ 4791 return selinux_ip_postroute(skb, out->ifindex, PF_INET6); 4792} 4793#endif /* IPV6 */ 4794 4795#endif /* CONFIG_NETFILTER */ 4796 4797static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 4798{ 4799 int err; 4800 4801 err = secondary_ops->netlink_send(sk, skb); 4802 if (err) 4803 return err; 4804 4805 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 4806 err = selinux_nlmsg_perm(sk, skb); 4807 4808 return err; 4809} 4810 4811static int selinux_netlink_recv(struct sk_buff *skb, int capability) 4812{ 4813 int err; 4814 struct avc_audit_data ad; 4815 4816 err = secondary_ops->netlink_recv(skb, capability); 4817 if (err) 4818 return err; 4819 4820 AVC_AUDIT_DATA_INIT(&ad, CAP); 4821 ad.u.cap = capability; 4822 4823 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4824 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 4825} 4826 4827static int ipc_alloc_security(struct task_struct *task, 4828 struct kern_ipc_perm *perm, 4829 u16 sclass) 4830{ 4831 struct ipc_security_struct *isec; 4832 u32 sid; 4833 4834 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4835 if (!isec) 4836 return -ENOMEM; 4837 4838 sid = task_sid(task); 4839 isec->sclass = sclass; 4840 isec->sid = sid; 4841 perm->security = isec; 4842 4843 return 0; 4844} 4845 4846static void ipc_free_security(struct kern_ipc_perm *perm) 4847{ 4848 struct ipc_security_struct *isec = perm->security; 4849 perm->security = NULL; 4850 kfree(isec); 4851} 4852 4853static int msg_msg_alloc_security(struct msg_msg *msg) 4854{ 4855 struct msg_security_struct *msec; 4856 4857 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 4858 if (!msec) 4859 return -ENOMEM; 4860 4861 msec->sid = SECINITSID_UNLABELED; 4862 msg->security = msec; 4863 4864 return 0; 4865} 4866 4867static void msg_msg_free_security(struct msg_msg *msg) 4868{ 4869 struct msg_security_struct *msec = msg->security; 4870 4871 msg->security = NULL; 4872 kfree(msec); 4873} 4874 4875static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 4876 u32 perms) 4877{ 4878 struct ipc_security_struct *isec; 4879 struct avc_audit_data ad; 4880 u32 sid = current_sid(); 4881 4882 isec = ipc_perms->security; 4883 4884 AVC_AUDIT_DATA_INIT(&ad, IPC); 4885 ad.u.ipc_id = ipc_perms->key; 4886 4887 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 4888} 4889 4890static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 4891{ 4892 return msg_msg_alloc_security(msg); 4893} 4894 4895static void selinux_msg_msg_free_security(struct msg_msg *msg) 4896{ 4897 msg_msg_free_security(msg); 4898} 4899 4900/* message queue security operations */ 4901static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4902{ 4903 struct ipc_security_struct *isec; 4904 struct avc_audit_data ad; 4905 u32 sid = current_sid(); 4906 int rc; 4907 4908 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 4909 if (rc) 4910 return rc; 4911 4912 isec = msq->q_perm.security; 4913 4914 AVC_AUDIT_DATA_INIT(&ad, IPC); 4915 ad.u.ipc_id = msq->q_perm.key; 4916 4917 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4918 MSGQ__CREATE, &ad); 4919 if (rc) { 4920 ipc_free_security(&msq->q_perm); 4921 return rc; 4922 } 4923 return 0; 4924} 4925 4926static void selinux_msg_queue_free_security(struct msg_queue *msq) 4927{ 4928 ipc_free_security(&msq->q_perm); 4929} 4930 4931static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4932{ 4933 struct ipc_security_struct *isec; 4934 struct avc_audit_data ad; 4935 u32 sid = current_sid(); 4936 4937 isec = msq->q_perm.security; 4938 4939 AVC_AUDIT_DATA_INIT(&ad, IPC); 4940 ad.u.ipc_id = msq->q_perm.key; 4941 4942 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4943 MSGQ__ASSOCIATE, &ad); 4944} 4945 4946static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 4947{ 4948 int err; 4949 int perms; 4950 4951 switch (cmd) { 4952 case IPC_INFO: 4953 case MSG_INFO: 4954 /* No specific object, just general system-wide information. */ 4955 return task_has_system(current, SYSTEM__IPC_INFO); 4956 case IPC_STAT: 4957 case MSG_STAT: 4958 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 4959 break; 4960 case IPC_SET: 4961 perms = MSGQ__SETATTR; 4962 break; 4963 case IPC_RMID: 4964 perms = MSGQ__DESTROY; 4965 break; 4966 default: 4967 return 0; 4968 } 4969 4970 err = ipc_has_perm(&msq->q_perm, perms); 4971 return err; 4972} 4973 4974static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 4975{ 4976 struct ipc_security_struct *isec; 4977 struct msg_security_struct *msec; 4978 struct avc_audit_data ad; 4979 u32 sid = current_sid(); 4980 int rc; 4981 4982 isec = msq->q_perm.security; 4983 msec = msg->security; 4984 4985 /* 4986 * First time through, need to assign label to the message 4987 */ 4988 if (msec->sid == SECINITSID_UNLABELED) { 4989 /* 4990 * Compute new sid based on current process and 4991 * message queue this message will be stored in 4992 */ 4993 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 4994 &msec->sid); 4995 if (rc) 4996 return rc; 4997 } 4998 4999 AVC_AUDIT_DATA_INIT(&ad, IPC); 5000 ad.u.ipc_id = msq->q_perm.key; 5001 5002 /* Can this process write to the queue? */ 5003 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5004 MSGQ__WRITE, &ad); 5005 if (!rc) 5006 /* Can this process send the message */ 5007 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 5008 MSG__SEND, &ad); 5009 if (!rc) 5010 /* Can the message be put in the queue? */ 5011 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 5012 MSGQ__ENQUEUE, &ad); 5013 5014 return rc; 5015} 5016 5017static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 5018 struct task_struct *target, 5019 long type, int mode) 5020{ 5021 struct ipc_security_struct *isec; 5022 struct msg_security_struct *msec; 5023 struct avc_audit_data ad; 5024 u32 sid = task_sid(target); 5025 int rc; 5026 5027 isec = msq->q_perm.security; 5028 msec = msg->security; 5029 5030 AVC_AUDIT_DATA_INIT(&ad, IPC); 5031 ad.u.ipc_id = msq->q_perm.key; 5032 5033 rc = avc_has_perm(sid, isec->sid, 5034 SECCLASS_MSGQ, MSGQ__READ, &ad); 5035 if (!rc) 5036 rc = avc_has_perm(sid, msec->sid, 5037 SECCLASS_MSG, MSG__RECEIVE, &ad); 5038 return rc; 5039} 5040 5041/* Shared Memory security operations */ 5042static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5043{ 5044 struct ipc_security_struct *isec; 5045 struct avc_audit_data ad; 5046 u32 sid = current_sid(); 5047 int rc; 5048 5049 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 5050 if (rc) 5051 return rc; 5052 5053 isec = shp->shm_perm.security; 5054 5055 AVC_AUDIT_DATA_INIT(&ad, IPC); 5056 ad.u.ipc_id = shp->shm_perm.key; 5057 5058 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5059 SHM__CREATE, &ad); 5060 if (rc) { 5061 ipc_free_security(&shp->shm_perm); 5062 return rc; 5063 } 5064 return 0; 5065} 5066 5067static void selinux_shm_free_security(struct shmid_kernel *shp) 5068{ 5069 ipc_free_security(&shp->shm_perm); 5070} 5071 5072static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5073{ 5074 struct ipc_security_struct *isec; 5075 struct avc_audit_data ad; 5076 u32 sid = current_sid(); 5077 5078 isec = shp->shm_perm.security; 5079 5080 AVC_AUDIT_DATA_INIT(&ad, IPC); 5081 ad.u.ipc_id = shp->shm_perm.key; 5082 5083 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5084 SHM__ASSOCIATE, &ad); 5085} 5086 5087/* Note, at this point, shp is locked down */ 5088static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5089{ 5090 int perms; 5091 int err; 5092 5093 switch (cmd) { 5094 case IPC_INFO: 5095 case SHM_INFO: 5096 /* No specific object, just general system-wide information. */ 5097 return task_has_system(current, SYSTEM__IPC_INFO); 5098 case IPC_STAT: 5099 case SHM_STAT: 5100 perms = SHM__GETATTR | SHM__ASSOCIATE; 5101 break; 5102 case IPC_SET: 5103 perms = SHM__SETATTR; 5104 break; 5105 case SHM_LOCK: 5106 case SHM_UNLOCK: 5107 perms = SHM__LOCK; 5108 break; 5109 case IPC_RMID: 5110 perms = SHM__DESTROY; 5111 break; 5112 default: 5113 return 0; 5114 } 5115 5116 err = ipc_has_perm(&shp->shm_perm, perms); 5117 return err; 5118} 5119 5120static int selinux_shm_shmat(struct shmid_kernel *shp, 5121 char __user *shmaddr, int shmflg) 5122{ 5123 u32 perms; 5124 int rc; 5125 5126 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); 5127 if (rc) 5128 return rc; 5129 5130 if (shmflg & SHM_RDONLY) 5131 perms = SHM__READ; 5132 else 5133 perms = SHM__READ | SHM__WRITE; 5134 5135 return ipc_has_perm(&shp->shm_perm, perms); 5136} 5137 5138/* Semaphore security operations */ 5139static int selinux_sem_alloc_security(struct sem_array *sma) 5140{ 5141 struct ipc_security_struct *isec; 5142 struct avc_audit_data ad; 5143 u32 sid = current_sid(); 5144 int rc; 5145 5146 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 5147 if (rc) 5148 return rc; 5149 5150 isec = sma->sem_perm.security; 5151 5152 AVC_AUDIT_DATA_INIT(&ad, IPC); 5153 ad.u.ipc_id = sma->sem_perm.key; 5154 5155 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5156 SEM__CREATE, &ad); 5157 if (rc) { 5158 ipc_free_security(&sma->sem_perm); 5159 return rc; 5160 } 5161 return 0; 5162} 5163 5164static void selinux_sem_free_security(struct sem_array *sma) 5165{ 5166 ipc_free_security(&sma->sem_perm); 5167} 5168 5169static int selinux_sem_associate(struct sem_array *sma, int semflg) 5170{ 5171 struct ipc_security_struct *isec; 5172 struct avc_audit_data ad; 5173 u32 sid = current_sid(); 5174 5175 isec = sma->sem_perm.security; 5176 5177 AVC_AUDIT_DATA_INIT(&ad, IPC); 5178 ad.u.ipc_id = sma->sem_perm.key; 5179 5180 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5181 SEM__ASSOCIATE, &ad); 5182} 5183 5184/* Note, at this point, sma is locked down */ 5185static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5186{ 5187 int err; 5188 u32 perms; 5189 5190 switch (cmd) { 5191 case IPC_INFO: 5192 case SEM_INFO: 5193 /* No specific object, just general system-wide information. */ 5194 return task_has_system(current, SYSTEM__IPC_INFO); 5195 case GETPID: 5196 case GETNCNT: 5197 case GETZCNT: 5198 perms = SEM__GETATTR; 5199 break; 5200 case GETVAL: 5201 case GETALL: 5202 perms = SEM__READ; 5203 break; 5204 case SETVAL: 5205 case SETALL: 5206 perms = SEM__WRITE; 5207 break; 5208 case IPC_RMID: 5209 perms = SEM__DESTROY; 5210 break; 5211 case IPC_SET: 5212 perms = SEM__SETATTR; 5213 break; 5214 case IPC_STAT: 5215 case SEM_STAT: 5216 perms = SEM__GETATTR | SEM__ASSOCIATE; 5217 break; 5218 default: 5219 return 0; 5220 } 5221 5222 err = ipc_has_perm(&sma->sem_perm, perms); 5223 return err; 5224} 5225 5226static int selinux_sem_semop(struct sem_array *sma, 5227 struct sembuf *sops, unsigned nsops, int alter) 5228{ 5229 u32 perms; 5230 5231 if (alter) 5232 perms = SEM__READ | SEM__WRITE; 5233 else 5234 perms = SEM__READ; 5235 5236 return ipc_has_perm(&sma->sem_perm, perms); 5237} 5238 5239static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5240{ 5241 u32 av = 0; 5242 5243 av = 0; 5244 if (flag & S_IRUGO) 5245 av |= IPC__UNIX_READ; 5246 if (flag & S_IWUGO) 5247 av |= IPC__UNIX_WRITE; 5248 5249 if (av == 0) 5250 return 0; 5251 5252 return ipc_has_perm(ipcp, av); 5253} 5254 5255static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5256{ 5257 struct ipc_security_struct *isec = ipcp->security; 5258 *secid = isec->sid; 5259} 5260 5261static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5262{ 5263 if (inode) 5264 inode_doinit_with_dentry(inode, dentry); 5265} 5266 5267static int selinux_getprocattr(struct task_struct *p, 5268 char *name, char **value) 5269{ 5270 const struct task_security_struct *__tsec; 5271 u32 sid; 5272 int error; 5273 unsigned len; 5274 5275 if (current != p) { 5276 error = current_has_perm(p, PROCESS__GETATTR); 5277 if (error) 5278 return error; 5279 } 5280 5281 rcu_read_lock(); 5282 __tsec = __task_cred(p)->security; 5283 5284 if (!strcmp(name, "current")) 5285 sid = __tsec->sid; 5286 else if (!strcmp(name, "prev")) 5287 sid = __tsec->osid; 5288 else if (!strcmp(name, "exec")) 5289 sid = __tsec->exec_sid; 5290 else if (!strcmp(name, "fscreate")) 5291 sid = __tsec->create_sid; 5292 else if (!strcmp(name, "keycreate")) 5293 sid = __tsec->keycreate_sid; 5294 else if (!strcmp(name, "sockcreate")) 5295 sid = __tsec->sockcreate_sid; 5296 else 5297 goto invalid; 5298 rcu_read_unlock(); 5299 5300 if (!sid) 5301 return 0; 5302 5303 error = security_sid_to_context(sid, value, &len); 5304 if (error) 5305 return error; 5306 return len; 5307 5308invalid: 5309 rcu_read_unlock(); 5310 return -EINVAL; 5311} 5312 5313static int selinux_setprocattr(struct task_struct *p, 5314 char *name, void *value, size_t size) 5315{ 5316 struct task_security_struct *tsec; 5317 struct task_struct *tracer; 5318 struct cred *new; 5319 u32 sid = 0, ptsid; 5320 int error; 5321 char *str = value; 5322 5323 if (current != p) { 5324 /* SELinux only allows a process to change its own 5325 security attributes. */ 5326 return -EACCES; 5327 } 5328 5329 /* 5330 * Basic control over ability to set these attributes at all. 5331 * current == p, but we'll pass them separately in case the 5332 * above restriction is ever removed. 5333 */ 5334 if (!strcmp(name, "exec")) 5335 error = current_has_perm(p, PROCESS__SETEXEC); 5336 else if (!strcmp(name, "fscreate")) 5337 error = current_has_perm(p, PROCESS__SETFSCREATE); 5338 else if (!strcmp(name, "keycreate")) 5339 error = current_has_perm(p, PROCESS__SETKEYCREATE); 5340 else if (!strcmp(name, "sockcreate")) 5341 error = current_has_perm(p, PROCESS__SETSOCKCREATE); 5342 else if (!strcmp(name, "current")) 5343 error = current_has_perm(p, PROCESS__SETCURRENT); 5344 else 5345 error = -EINVAL; 5346 if (error) 5347 return error; 5348 5349 /* Obtain a SID for the context, if one was specified. */ 5350 if (size && str[1] && str[1] != '\n') { 5351 if (str[size-1] == '\n') { 5352 str[size-1] = 0; 5353 size--; 5354 } 5355 error = security_context_to_sid(value, size, &sid); 5356 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5357 if (!capable(CAP_MAC_ADMIN)) 5358 return error; 5359 error = security_context_to_sid_force(value, size, 5360 &sid); 5361 } 5362 if (error) 5363 return error; 5364 } 5365 5366 new = prepare_creds(); 5367 if (!new) 5368 return -ENOMEM; 5369 5370 /* Permission checking based on the specified context is 5371 performed during the actual operation (execve, 5372 open/mkdir/...), when we know the full context of the 5373 operation. See selinux_bprm_set_creds for the execve 5374 checks and may_create for the file creation checks. The 5375 operation will then fail if the context is not permitted. */ 5376 tsec = new->security; 5377 if (!strcmp(name, "exec")) { 5378 tsec->exec_sid = sid; 5379 } else if (!strcmp(name, "fscreate")) { 5380 tsec->create_sid = sid; 5381 } else if (!strcmp(name, "keycreate")) { 5382 error = may_create_key(sid, p); 5383 if (error) 5384 goto abort_change; 5385 tsec->keycreate_sid = sid; 5386 } else if (!strcmp(name, "sockcreate")) { 5387 tsec->sockcreate_sid = sid; 5388 } else if (!strcmp(name, "current")) { 5389 error = -EINVAL; 5390 if (sid == 0) 5391 goto abort_change; 5392 5393 /* Only allow single threaded processes to change context */ 5394 error = -EPERM; 5395 if (!is_single_threaded(p)) { 5396 error = security_bounded_transition(tsec->sid, sid); 5397 if (error) 5398 goto abort_change; 5399 } 5400 5401 /* Check permissions for the transition. */ 5402 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5403 PROCESS__DYNTRANSITION, NULL); 5404 if (error) 5405 goto abort_change; 5406 5407 /* Check for ptracing, and update the task SID if ok. 5408 Otherwise, leave SID unchanged and fail. */ 5409 ptsid = 0; 5410 task_lock(p); 5411 tracer = tracehook_tracer_task(p); 5412 if (tracer) 5413 ptsid = task_sid(tracer); 5414 task_unlock(p); 5415 5416 if (tracer) { 5417 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 5418 PROCESS__PTRACE, NULL); 5419 if (error) 5420 goto abort_change; 5421 } 5422 5423 tsec->sid = sid; 5424 } else { 5425 error = -EINVAL; 5426 goto abort_change; 5427 } 5428 5429 commit_creds(new); 5430 return size; 5431 5432abort_change: 5433 abort_creds(new); 5434 return error; 5435} 5436 5437static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5438{ 5439 return security_sid_to_context(secid, secdata, seclen); 5440} 5441 5442static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 5443{ 5444 return security_context_to_sid(secdata, seclen, secid); 5445} 5446 5447static void selinux_release_secctx(char *secdata, u32 seclen) 5448{ 5449 kfree(secdata); 5450} 5451 5452#ifdef CONFIG_KEYS 5453 5454static int selinux_key_alloc(struct key *k, const struct cred *cred, 5455 unsigned long flags) 5456{ 5457 const struct task_security_struct *tsec; 5458 struct key_security_struct *ksec; 5459 5460 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5461 if (!ksec) 5462 return -ENOMEM; 5463 5464 tsec = cred->security; 5465 if (tsec->keycreate_sid) 5466 ksec->sid = tsec->keycreate_sid; 5467 else 5468 ksec->sid = tsec->sid; 5469 5470 k->security = ksec; 5471 return 0; 5472} 5473 5474static void selinux_key_free(struct key *k) 5475{ 5476 struct key_security_struct *ksec = k->security; 5477 5478 k->security = NULL; 5479 kfree(ksec); 5480} 5481 5482static int selinux_key_permission(key_ref_t key_ref, 5483 const struct cred *cred, 5484 key_perm_t perm) 5485{ 5486 struct key *key; 5487 struct key_security_struct *ksec; 5488 u32 sid; 5489 5490 /* if no specific permissions are requested, we skip the 5491 permission check. No serious, additional covert channels 5492 appear to be created. */ 5493 if (perm == 0) 5494 return 0; 5495 5496 sid = cred_sid(cred); 5497 5498 key = key_ref_to_ptr(key_ref); 5499 ksec = key->security; 5500 5501 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 5502} 5503 5504static int selinux_key_getsecurity(struct key *key, char **_buffer) 5505{ 5506 struct key_security_struct *ksec = key->security; 5507 char *context = NULL; 5508 unsigned len; 5509 int rc; 5510 5511 rc = security_sid_to_context(ksec->sid, &context, &len); 5512 if (!rc) 5513 rc = len; 5514 *_buffer = context; 5515 return rc; 5516} 5517 5518#endif 5519 5520static struct security_operations selinux_ops = { 5521 .name = "selinux", 5522 5523 .ptrace_may_access = selinux_ptrace_may_access, 5524 .ptrace_traceme = selinux_ptrace_traceme, 5525 .capget = selinux_capget, 5526 .capset = selinux_capset, 5527 .sysctl = selinux_sysctl, 5528 .capable = selinux_capable, 5529 .quotactl = selinux_quotactl, 5530 .quota_on = selinux_quota_on, 5531 .syslog = selinux_syslog, 5532 .vm_enough_memory = selinux_vm_enough_memory, 5533 5534 .netlink_send = selinux_netlink_send, 5535 .netlink_recv = selinux_netlink_recv, 5536 5537 .bprm_set_creds = selinux_bprm_set_creds, 5538 .bprm_committing_creds = selinux_bprm_committing_creds, 5539 .bprm_committed_creds = selinux_bprm_committed_creds, 5540 .bprm_secureexec = selinux_bprm_secureexec, 5541 5542 .sb_alloc_security = selinux_sb_alloc_security, 5543 .sb_free_security = selinux_sb_free_security, 5544 .sb_copy_data = selinux_sb_copy_data, 5545 .sb_kern_mount = selinux_sb_kern_mount, 5546 .sb_show_options = selinux_sb_show_options, 5547 .sb_statfs = selinux_sb_statfs, 5548 .sb_mount = selinux_mount, 5549 .sb_umount = selinux_umount, 5550 .sb_set_mnt_opts = selinux_set_mnt_opts, 5551 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5552 .sb_parse_opts_str = selinux_parse_opts_str, 5553 5554 5555 .inode_alloc_security = selinux_inode_alloc_security, 5556 .inode_free_security = selinux_inode_free_security, 5557 .inode_init_security = selinux_inode_init_security, 5558 .inode_create = selinux_inode_create, 5559 .inode_link = selinux_inode_link, 5560 .inode_unlink = selinux_inode_unlink, 5561 .inode_symlink = selinux_inode_symlink, 5562 .inode_mkdir = selinux_inode_mkdir, 5563 .inode_rmdir = selinux_inode_rmdir, 5564 .inode_mknod = selinux_inode_mknod, 5565 .inode_rename = selinux_inode_rename, 5566 .inode_readlink = selinux_inode_readlink, 5567 .inode_follow_link = selinux_inode_follow_link, 5568 .inode_permission = selinux_inode_permission, 5569 .inode_setattr = selinux_inode_setattr, 5570 .inode_getattr = selinux_inode_getattr, 5571 .inode_setxattr = selinux_inode_setxattr, 5572 .inode_post_setxattr = selinux_inode_post_setxattr, 5573 .inode_getxattr = selinux_inode_getxattr, 5574 .inode_listxattr = selinux_inode_listxattr, 5575 .inode_removexattr = selinux_inode_removexattr, 5576 .inode_getsecurity = selinux_inode_getsecurity, 5577 .inode_setsecurity = selinux_inode_setsecurity, 5578 .inode_listsecurity = selinux_inode_listsecurity, 5579 .inode_need_killpriv = selinux_inode_need_killpriv, 5580 .inode_killpriv = selinux_inode_killpriv, 5581 .inode_getsecid = selinux_inode_getsecid, 5582 5583 .file_permission = selinux_file_permission, 5584 .file_alloc_security = selinux_file_alloc_security, 5585 .file_free_security = selinux_file_free_security, 5586 .file_ioctl = selinux_file_ioctl, 5587 .file_mmap = selinux_file_mmap, 5588 .file_mprotect = selinux_file_mprotect, 5589 .file_lock = selinux_file_lock, 5590 .file_fcntl = selinux_file_fcntl, 5591 .file_set_fowner = selinux_file_set_fowner, 5592 .file_send_sigiotask = selinux_file_send_sigiotask, 5593 .file_receive = selinux_file_receive, 5594 5595 .dentry_open = selinux_dentry_open, 5596 5597 .task_create = selinux_task_create, 5598 .cred_free = selinux_cred_free, 5599 .cred_prepare = selinux_cred_prepare, 5600 .kernel_act_as = selinux_kernel_act_as, 5601 .kernel_create_files_as = selinux_kernel_create_files_as, 5602 .task_setuid = selinux_task_setuid, 5603 .task_fix_setuid = selinux_task_fix_setuid, 5604 .task_setgid = selinux_task_setgid, 5605 .task_setpgid = selinux_task_setpgid, 5606 .task_getpgid = selinux_task_getpgid, 5607 .task_getsid = selinux_task_getsid, 5608 .task_getsecid = selinux_task_getsecid, 5609 .task_setgroups = selinux_task_setgroups, 5610 .task_setnice = selinux_task_setnice, 5611 .task_setioprio = selinux_task_setioprio, 5612 .task_getioprio = selinux_task_getioprio, 5613 .task_setrlimit = selinux_task_setrlimit, 5614 .task_setscheduler = selinux_task_setscheduler, 5615 .task_getscheduler = selinux_task_getscheduler, 5616 .task_movememory = selinux_task_movememory, 5617 .task_kill = selinux_task_kill, 5618 .task_wait = selinux_task_wait, 5619 .task_prctl = selinux_task_prctl, 5620 .task_to_inode = selinux_task_to_inode, 5621 5622 .ipc_permission = selinux_ipc_permission, 5623 .ipc_getsecid = selinux_ipc_getsecid, 5624 5625 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5626 .msg_msg_free_security = selinux_msg_msg_free_security, 5627 5628 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 5629 .msg_queue_free_security = selinux_msg_queue_free_security, 5630 .msg_queue_associate = selinux_msg_queue_associate, 5631 .msg_queue_msgctl = selinux_msg_queue_msgctl, 5632 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 5633 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 5634 5635 .shm_alloc_security = selinux_shm_alloc_security, 5636 .shm_free_security = selinux_shm_free_security, 5637 .shm_associate = selinux_shm_associate, 5638 .shm_shmctl = selinux_shm_shmctl, 5639 .shm_shmat = selinux_shm_shmat, 5640 5641 .sem_alloc_security = selinux_sem_alloc_security, 5642 .sem_free_security = selinux_sem_free_security, 5643 .sem_associate = selinux_sem_associate, 5644 .sem_semctl = selinux_sem_semctl, 5645 .sem_semop = selinux_sem_semop, 5646 5647 .d_instantiate = selinux_d_instantiate, 5648 5649 .getprocattr = selinux_getprocattr, 5650 .setprocattr = selinux_setprocattr, 5651 5652 .secid_to_secctx = selinux_secid_to_secctx, 5653 .secctx_to_secid = selinux_secctx_to_secid, 5654 .release_secctx = selinux_release_secctx, 5655 5656 .unix_stream_connect = selinux_socket_unix_stream_connect, 5657 .unix_may_send = selinux_socket_unix_may_send, 5658 5659 .socket_create = selinux_socket_create, 5660 .socket_post_create = selinux_socket_post_create, 5661 .socket_bind = selinux_socket_bind, 5662 .socket_connect = selinux_socket_connect, 5663 .socket_listen = selinux_socket_listen, 5664 .socket_accept = selinux_socket_accept, 5665 .socket_sendmsg = selinux_socket_sendmsg, 5666 .socket_recvmsg = selinux_socket_recvmsg, 5667 .socket_getsockname = selinux_socket_getsockname, 5668 .socket_getpeername = selinux_socket_getpeername, 5669 .socket_getsockopt = selinux_socket_getsockopt, 5670 .socket_setsockopt = selinux_socket_setsockopt, 5671 .socket_shutdown = selinux_socket_shutdown, 5672 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 5673 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 5674 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 5675 .sk_alloc_security = selinux_sk_alloc_security, 5676 .sk_free_security = selinux_sk_free_security, 5677 .sk_clone_security = selinux_sk_clone_security, 5678 .sk_getsecid = selinux_sk_getsecid, 5679 .sock_graft = selinux_sock_graft, 5680 .inet_conn_request = selinux_inet_conn_request, 5681 .inet_csk_clone = selinux_inet_csk_clone, 5682 .inet_conn_established = selinux_inet_conn_established, 5683 .req_classify_flow = selinux_req_classify_flow, 5684 5685#ifdef CONFIG_SECURITY_NETWORK_XFRM 5686 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5687 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5688 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5689 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5690 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5691 .xfrm_state_free_security = selinux_xfrm_state_free, 5692 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5693 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5694 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5695 .xfrm_decode_session = selinux_xfrm_decode_session, 5696#endif 5697 5698#ifdef CONFIG_KEYS 5699 .key_alloc = selinux_key_alloc, 5700 .key_free = selinux_key_free, 5701 .key_permission = selinux_key_permission, 5702 .key_getsecurity = selinux_key_getsecurity, 5703#endif 5704 5705#ifdef CONFIG_AUDIT 5706 .audit_rule_init = selinux_audit_rule_init, 5707 .audit_rule_known = selinux_audit_rule_known, 5708 .audit_rule_match = selinux_audit_rule_match, 5709 .audit_rule_free = selinux_audit_rule_free, 5710#endif 5711}; 5712 5713static __init int selinux_init(void) 5714{ 5715 if (!security_module_enable(&selinux_ops)) { 5716 selinux_enabled = 0; 5717 return 0; 5718 } 5719 5720 if (!selinux_enabled) { 5721 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5722 return 0; 5723 } 5724 5725 printk(KERN_INFO "SELinux: Initializing.\n"); 5726 5727 /* Set the security state for the initial task. */ 5728 cred_init_security(); 5729 5730 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5731 sizeof(struct inode_security_struct), 5732 0, SLAB_PANIC, NULL); 5733 avc_init(); 5734 5735 secondary_ops = security_ops; 5736 if (!secondary_ops) 5737 panic("SELinux: No initial security operations\n"); 5738 if (register_security(&selinux_ops)) 5739 panic("SELinux: Unable to register with kernel.\n"); 5740 5741 if (selinux_enforcing) 5742 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5743 else 5744 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5745 5746 return 0; 5747} 5748 5749void selinux_complete_init(void) 5750{ 5751 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 5752 5753 /* Set up any superblocks initialized prior to the policy load. */ 5754 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 5755 spin_lock(&sb_lock); 5756 spin_lock(&sb_security_lock); 5757next_sb: 5758 if (!list_empty(&superblock_security_head)) { 5759 struct superblock_security_struct *sbsec = 5760 list_entry(superblock_security_head.next, 5761 struct superblock_security_struct, 5762 list); 5763 struct super_block *sb = sbsec->sb; 5764 sb->s_count++; 5765 spin_unlock(&sb_security_lock); 5766 spin_unlock(&sb_lock); 5767 down_read(&sb->s_umount); 5768 if (sb->s_root) 5769 superblock_doinit(sb, NULL); 5770 drop_super(sb); 5771 spin_lock(&sb_lock); 5772 spin_lock(&sb_security_lock); 5773 list_del_init(&sbsec->list); 5774 goto next_sb; 5775 } 5776 spin_unlock(&sb_security_lock); 5777 spin_unlock(&sb_lock); 5778} 5779 5780/* SELinux requires early initialization in order to label 5781 all processes and objects when they are created. */ 5782security_initcall(selinux_init); 5783 5784#if defined(CONFIG_NETFILTER) 5785 5786static struct nf_hook_ops selinux_ipv4_ops[] = { 5787 { 5788 .hook = selinux_ipv4_postroute, 5789 .owner = THIS_MODULE, 5790 .pf = PF_INET, 5791 .hooknum = NF_INET_POST_ROUTING, 5792 .priority = NF_IP_PRI_SELINUX_LAST, 5793 }, 5794 { 5795 .hook = selinux_ipv4_forward, 5796 .owner = THIS_MODULE, 5797 .pf = PF_INET, 5798 .hooknum = NF_INET_FORWARD, 5799 .priority = NF_IP_PRI_SELINUX_FIRST, 5800 }, 5801 { 5802 .hook = selinux_ipv4_output, 5803 .owner = THIS_MODULE, 5804 .pf = PF_INET, 5805 .hooknum = NF_INET_LOCAL_OUT, 5806 .priority = NF_IP_PRI_SELINUX_FIRST, 5807 } 5808}; 5809 5810#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5811 5812static struct nf_hook_ops selinux_ipv6_ops[] = { 5813 { 5814 .hook = selinux_ipv6_postroute, 5815 .owner = THIS_MODULE, 5816 .pf = PF_INET6, 5817 .hooknum = NF_INET_POST_ROUTING, 5818 .priority = NF_IP6_PRI_SELINUX_LAST, 5819 }, 5820 { 5821 .hook = selinux_ipv6_forward, 5822 .owner = THIS_MODULE, 5823 .pf = PF_INET6, 5824 .hooknum = NF_INET_FORWARD, 5825 .priority = NF_IP6_PRI_SELINUX_FIRST, 5826 } 5827}; 5828 5829#endif /* IPV6 */ 5830 5831static int __init selinux_nf_ip_init(void) 5832{ 5833 int err = 0; 5834 5835 if (!selinux_enabled) 5836 goto out; 5837 5838 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 5839 5840 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 5841 if (err) 5842 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err); 5843 5844#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5845 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); 5846 if (err) 5847 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err); 5848#endif /* IPV6 */ 5849 5850out: 5851 return err; 5852} 5853 5854__initcall(selinux_nf_ip_init); 5855 5856#ifdef CONFIG_SECURITY_SELINUX_DISABLE 5857static void selinux_nf_ip_exit(void) 5858{ 5859 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 5860 5861 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 5862#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5863 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); 5864#endif /* IPV6 */ 5865} 5866#endif 5867 5868#else /* CONFIG_NETFILTER */ 5869 5870#ifdef CONFIG_SECURITY_SELINUX_DISABLE 5871#define selinux_nf_ip_exit() 5872#endif 5873 5874#endif /* CONFIG_NETFILTER */ 5875 5876#ifdef CONFIG_SECURITY_SELINUX_DISABLE 5877static int selinux_disabled; 5878 5879int selinux_disable(void) 5880{ 5881 extern void exit_sel_fs(void); 5882 5883 if (ss_initialized) { 5884 /* Not permitted after initial policy load. */ 5885 return -EINVAL; 5886 } 5887 5888 if (selinux_disabled) { 5889 /* Only do this once. */ 5890 return -EINVAL; 5891 } 5892 5893 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 5894 5895 selinux_disabled = 1; 5896 selinux_enabled = 0; 5897 5898 /* Reset security_ops to the secondary module, dummy or capability. */ 5899 security_ops = secondary_ops; 5900 5901 /* Unregister netfilter hooks. */ 5902 selinux_nf_ip_exit(); 5903 5904 /* Unregister selinuxfs. */ 5905 exit_sel_fs(); 5906 5907 return 0; 5908} 5909#endif 5910